ICMP message type 3 is an unreachable message. Within this message type are a number of "codes" which define various types of messages. This table is from IANA and shows the various types:
Type 3: Destination Unreachable [RFC792]

Code  Description                                                           Reference
  0   Net Unreachable                                                       [RFC792]
  1   Host Unreachable                                                      [RFC792]
  2   Protocol Unreachable                                                  [RFC792]
  3   Port Unreachable                                                      [RFC792]
  4   Fragmentation Needed and Don't Fragment was Set                       [RFC792]
  5   Source Route Failed                                                   [RFC792]
  6   Destination Network Unknown                                           [RFC1122]
  7   Destination Host Unknown                                              [RFC1122]
  8   Source Host Isolated                                                  [RFC1122]
  9   Communication with Destination Network is Administratively Prohibited [RFC1122]
 10   Communication with Destination Host is Administratively Prohibited    [RFC1122]
 11   Destination Network Unreachable for Type of Service                   [RFC1122]
 12   Destination Host Unreachable for Type of Service                      [RFC1122]
 13   Communication Administratively Prohibited                             [RFC1812]
 14   Host Precedence Violation                                             [RFC1812]
 15   Precedence cutoff in effect                                           [RFC1812]
As you can see, the Fragmentation Needed but Do Not Fragment is one of those. So yes, PMTUD will be impacted when you configure no unreachables.
Also, since the Cisco/Unix traceroute is based on sending UDP packets and looking for the Port Unreachable message to indicate that the probe has reached the destination, disabling unreachables will break the traceroute.
From a security standpoint, when you harden a device you want to minimize the amount of information that the device provides about itself to others, and disabling unreachables helps achieve this. But from the standpoint of things that help our network work better, the unreachable is helpful.
So you have two different points of view and their positions on unreachables. So which is more important: hardening devices by reducing the information that they provide, or helping the network to run better?
For anyone who would be interested, here is a link to the ICMP message types and codes:
I find it unfortunate that disabling unreachables impacts the things that it does. A part of me would like to keep them enabled. But several of my customers have policies that as a standard we should disable unreachables. And from the standpoint of wanting to tighten up security I agree with the position of no ip unreachable.
Yes, Rick. However, I suppose that this decision is based on the domain of interest.
For instance, when private peering is involved it would be interesting to have unreachables enabled, until end-to-end network reachability is validated. Later on, one can think of hardening the device (security).
Within the domain of Internet routing, I'm not quite sure whether there's a standard practice. As you've mentioned already, this may be dependent on the policies of each AS admin.
Disabling ICMP unreachables can have an adverse effect in VPN scenarios. VPNs have extra packet overhead due to encryption, so the source needs to know to send smaller packets if the packet size becomes too large to be sent over the WAN. Here PMTUD comes in handy. If it is disabled along the path on any of the routers, then the source will never know what packet size to send and the packets will get dropped. This is the Black Hole Router problem. The same can be said about non-VPN traffic too. The applications most badly hit by this problem over VPN are Citrix and MS Outlook. The best way to avoid this on VPNs is to adjust the IP MTU and TCP MSS on the VPN gateway device where the tunnels are terminated. Usually all providers have ICMP unreachables enabled. It is good to have it enabled to avoid the problems discussed. I have experienced these problems a lot.
P.S. Someone has rated one of the posts with 1. In my opinion, the poster has misunderstood the original query and should not have been rated. It would have been better if he/she had just asked for clarification regarding the same, rather than rating it as "Not helpful".
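The decoder below is an added example, not code posted by anyone in this thread. It parses an ICMP type 3 message using the code names from the IANA table in the first post, extracts the next-hop MTU that PMTUD depends on (code 4, RFC 1191) and the UDP port of the embedded probe that traceroute matches on (code 3), and derives the TCP MSS clamp mentioned in the VPN post. The probe and the messages are constructed test data, and the 40-byte MSS derivation assumes IPv4 and TCP headers without options.

```python
import struct

# ICMP type 3 code names, from the IANA table quoted above.
UNREACHABLE_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed", 6: "Destination Network Unknown",
    7: "Destination Host Unknown", 8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    11: "Destination Network Unreachable for Type of Service",
    12: "Destination Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation", 15: "Precedence cutoff in effect",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum; it is 0 over a valid message."""
    if len(data) % 2: data += b"\x00"           # pad odd-length messages
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_unreachable(icmp: bytes) -> dict:
    """Decode code, next-hop MTU (code 4, RFC 1191) and the embedded datagram."""
    if len(icmp) < 36 or icmp_checksum(icmp) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != 3:
        raise ValueError("not a Destination Unreachable message")
    ihl = (icmp[8] & 0x0F) * 4                  # embedded IPv4 header length
    sport, dport = struct.unpack("!HH", icmp[8 + ihl:12 + ihl])
    return {"code": code, "name": UNREACHABLE_CODES.get(code, "unassigned"),
            "next_hop_mtu": mtu if code == 4 else None,
            "orig_proto": icmp[17],             # 17 = UDP, e.g. a traceroute probe
            "orig_dst": ".".join(map(str, icmp[24:28])),
            "orig_sport": sport, "orig_dport": dport}

def build_unreachable(code: int, orig_dgram: bytes, next_hop_mtu: int = 0) -> bytes:
    """Constructed sample message (test data, not captured traffic)."""
    body = struct.pack("!BBHHH", 3, code, 0, 0, next_hop_mtu) + orig_dgram[:28]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def tcp_mss_for_mtu(path_mtu: int) -> int:
    """MSS to clamp to so a full segment fits path_mtu (20 IPv4 + 20 TCP)."""
    return path_mtu - 40

# Constructed UDP traceroute probe, 10.0.0.1 -> 192.0.2.10 port 33434, DF set.
PROBE = struct.pack("!BBHHHBBH4s4sHHHH", 0x45, 0, 28, 0, 0x4000, 1, 17, 0,
                    bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]), 40000, 33434, 8, 0)
```

A router with `no ip unreachables` configured never emits either message, so the traceroute never sees the Port Unreachable and the sender never learns the smaller next-hop MTU.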