I have been doing some research on ICMP on border routers. From what I have read, common practice is to disable ICMP on the serial interface. How many troubleshooting problems does this present? Can I turn off ICMP timestamps on the serial int? Any help would be great, thanks.
I would not agree that it is common practice to disable ICMP on border routers. I know that some people do this in the name of security, but I do not think that it qualifies as common practice. For one thing, doing this breaks Path MTU Discovery and may create problems as users in your network attempt to access some Internet resources. It may also create some issues if people outside of your network are enabled to access resources within your network.
In addition to issues with PMTUD, turning off ICMP will deny you the ability to ping or traceroute as part of troubleshooting access issues from within your network to destinations outside your network. There are several ICMP messages which provide really useful information (things like Time Exceeded, Host Unreachable, or Network Unreachable come to mind).
You can decide whether you want to allow things like someone outside pinging into your network. And if you decide that you do not want to allow that, you can deny that specific ICMP type. But I believe that you lose more than you gain if you just deny all ICMP.
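As an added illustration of the selective approach described in the reply above (this is an example written for this page, not configuration posted by either participant), the following IOS extended ACL keeps the ICMP types that PMTUD and traceroute depend on, drops inbound echo and timestamp requests, and logs the rest. The interface name Serial0/0 and the ACL name BORDER-ICMP-IN are assumptions; the non-ICMP part of the border policy (the TCP/UDP rules that would normally follow in the same ACL) is not shown and must be added before this is applied, since an extended ACL ends with an implicit deny.

```cisco
! Example only: inbound ICMP policy for a border serial interface.
! Interface and ACL names are assumptions for this illustration.
ip access-list extended BORDER-ICMP-IN
 ! Replies to pings and ICMP-based traceroutes originated from inside
 permit icmp any any echo-reply
 ! Needed for Path MTU Discovery (Type 3 Code 4, "fragmentation needed")
 permit icmp any any packet-too-big
 ! Needed for traceroute (TTL expired in transit) and for diagnosing loops
 permit icmp any any time-exceeded
 ! Host/Network/Port Unreachable; port-unreachable terminates UDP traceroute
 permit icmp any any unreachable
 ! Outside hosts may not ping in or request timestamps from this interface
 deny   icmp any any echo
 deny   icmp any any timestamp-request
 ! Any other ICMP type is dropped and logged so the drops are visible
 deny   icmp any any log
 ! ... non-ICMP permit/deny rules for the border go here ...
!
interface Serial0/0
 ip access-group BORDER-ICMP-IN in
```

The `unreachable` keyword matches every code of ICMP Type 3, which already includes Fragmentation Needed, so the explicit `packet-too-big` line above is redundant in practice; it is listed separately so the PMTUD dependency is visible in the configuration and survives if someone later narrows `unreachable` to specific codes. Verify the effect after applying it by running a traceroute and a large ping with the DF bit set from an inside host; if either stalls, the `time-exceeded` or `packet-too-big` permits are not being hit, and `show ip access-lists BORDER-ICMP-IN` will show the per-line match counters.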
Thank you very much for the reply. I am against disabling ICMP for the same reasons you specified. For those ICMP reply messages, such as Time Exceeded, etc., can't those provide info as far as whether or not the service is provided, using programs like Nmap?