I would add a couple of comments to the good suggestion that Daniel makes.
First is to confirm that if you want to eliminate or deny ICMP then an inbound ACL is what you need to use. Second I would emphasize something that is subtly present in Daniel's answer: eliminating ALL ICMP may be counter-productive. There are messages in ICMP that are helpful and you want to let them through (like unreachable and time-exceeded).
Third I would point out that if you apply the ACL as Daniel suggests it (inbound on your Internet interface) you will deny all TCP traffic, all UDP traffic, any routing protocols, etc. You need to permit other traffic after you have dealt with ICMP.
I wanted to telnet/SSH to this router, but I should not be able to ping this router from the Internet. Currently what Daniel has suggested works fine, but telnet is not working. Also, if required, I also want to access the router over HTTP/HTTPS.
Actually, you have mentioned it for a particular router IP where I should be able to telnet or SSH to the router, but my requirement is that I don't want to be able to ping my router, but I should be able to telnet or SSH to the router from any Internet PC.
I'd suggest you get over the commonly mistaken idea that ICMP is an inherently ill-intentioned protocol and that its suppression makes your device invisible. As rburts pointed out, there are several necessary error codes provided by ICMP: TTL exceeded, fragmentation needed but DF set, etc. Furthermore, if you accept SSH from any arbitrary host on the Internet you're going to expose yourself to incessant login attempts from all the SSH scan bots, which are in no way dependent on ICMP.
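The points raised in the replies above, put together as an added IOS configuration sketch (not posted by anyone in the thread). The ACL names, the interface name and the shape of the "before" ACL are assumptions, since the ACL Daniel suggested is not shown on this page.

```cisco
! Before (constructed): an ACL that only denies ICMP.
! Every ACL ends with an implicit "deny ip any any", so once this is
! applied inbound, telnet, SSH, HTTP/HTTPS and routing protocols are
! dropped along with ping.
ip access-list extended BLOCK-ICMP-ONLY
 deny icmp any any
!
! After: keep the useful ICMP errors, drop echo requests, then
! explicitly permit the remaining traffic.
ip access-list extended INTERNET-IN
 remark ICMP errors needed for path MTU discovery and traceroute
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark stop inbound ping (echo request) only
 deny icmp any any echo
 remark without this line the implicit deny blocks telnet/SSH/HTTP(S)
 remark note: it also leaves SSH reachable from any Internet host
 permit ip any any
!
! Interface name is an assumption; use the Internet-facing interface.
interface GigabitEthernet0/0
 ip access-group INTERNET-IN in
```

"Fragmentation needed but DF set" is a code of the ICMP unreachable type, so the `unreachable` entry covers it.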