Cisco Support Community

New Member

ICMP question

Hello:

I just wanted to ask opinion, would denying ICMP from host inside the network to the Internet be considered a Best Practice? If so, could someone tell me why.

Thanks

Amin

2 REPLIES
Hall of Fame Super Silver

Re: ICMP question

Amin

I do not believe that a blanket deny of all ICMP is ever a best practice. If there are some ICMP messages that you believe are security weaknesses then block those specific messages. But there are many ICMP messages that have useful (sometimes almost necessary) information that you would give up if you did a deny icmp any any. For example, blocking the ICMP message about Fragmentation required but DF set is what frequently breaks Path MTU Discovery.

HTH

Rick

New Member

Re: ICMP question

I would think this would not be a best practice. How would you troubleshoot connectivity issues? For example, you can't connect to www.cisco.com. Is Cisco's site down, is your LAN down, is your WAN down, is your ISP down, is your DNS server down? How would you answer these questions if you deny ICMP? If you are thinking of just blocking ICMP for Joe user, I don't think that you would gain anything. You can put QoS on routers to throttle ICMP traffic, maybe that is the route :) to go. Or, you need to be looking at bandwidth issues from Skype, BitTorrent, and other application-layer filtering.
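Both replies argue for filtering ICMP by message type rather than with a blanket deny icmp any any: Rick's point about the "fragmentation needed but DF set" message that Path MTU Discovery depends on, and the second reply's point about keeping ping and traceroute usable for troubleshooting. As an added illustration (not configuration posted by either reply), this is what a selective Cisco IOS extended ACL on the Internet-facing interface could look like; the interface name and ACL names are assumed, and the non-ICMP rules that a real interface policy would also carry are left out.

```cisco
! Added example, not from the thread. Interface and ACL names are assumed.
! Inbound from the Internet: keep the ICMP messages inside hosts need, drop the rest.
ip access-list extended FROM-INTERNET
 remark Type 3 code 4 "fragmentation needed but DF set": required for Path MTU Discovery
 permit icmp any any packet-too-big
 remark Echo replies to pings sent from inside, and the TTL-expired messages traceroute relies on
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 remark Other destination-unreachable codes so failed connections fail fast instead of timing out
 permit icmp any any unreachable
 remark All other ICMP is dropped, and logged so that drops are visible when troubleshooting
 deny   icmp any any log
 remark Non-ICMP rules for this interface go here; IOS ends every ACL with an implicit deny
!
! Outbound to the Internet: let inside hosts ping and traceroute, nothing else ICMP.
ip access-list extended TO-INTERNET
 permit icmp any any echo
 permit icmp any any packet-too-big
 deny   icmp any any log
 remark Non-ICMP rules for this interface go here; IOS ends every ACL with an implicit deny
!
interface GigabitEthernet0/0
 description Internet-facing interface (assumed name)
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
```

The logged deny line is the detection hook: a sudden rise in matches on it is worth a look, while a steady trickle of dropped redirects or timestamp requests is the expected background.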
