Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ICMP on Border Router

I have been doing some research on ICMP on border routers. From what I have read, common practice is to disable ICMP on the serial interface. How many trouble shooting problems does this present? Can I turn off ICMP timestamps on the serial int? Any help would be great, thanks.

~Shannon

2 REPLIES
Hall of Fame Super Silver

Re: ICMP on Border Router

Shannon

I would not agree that it is common practice to disable ICMP on border routers. I know that some people do this in the name of security but I do not think that it qualifies as common practice. For one thing doing this breaks Path MTU Discovery and may create problems as users in your network attempt to access some Internet resources. It may also create some issues if people outside of your network are enabled to access resources within your network.

In addition to issues with PMTUD turning off ICMP will deny you the ability to ping or traceroute as part of troubleshooting access issues from within your network to destinations outside your network. There are several ICMP messages which provide really useful information (things like Time Exceeded, Host Unreachable, or Network Unreachable come to mind).

You can decide whether you want to allow things like can someone outside ping into your network. And if you decide that you do not want to allow that you can deny that specific ICMP. But I believe that you lose more than you gain if you just deny all ICMP.

HTH

Rick

New Member

Re: ICMP on Border Router

Rick,

Thank you very much for the reply. I am against disabling ICMP for the same reasons you specified. For those ICMP reply, messages, such as Time Exceeded, etc.; Cant those provide info as far as whether or not the service is provided using programs like nMap?

289
Views
0
Helpful
2
Replies
CreatePlease login to create content