Disabling Other Control Plane Activities
Obviously, some control plane activities cannot be disabled, even on access ports (for
example, ICMP message generation, IEEE 802.1X, CDP, and IPv6 forwarding).
Generating ICMP Messages
ICMP unreachable messages are generated by the central processor and can lead to a DoS
attack if the central processor spends all its time generating ICMP messages. This notably
includes the following:
• Administratively prohibited. Occurs when an ACL drops a packet.
• TTL expired. Occurs when an IP packet with a Time to Live (TTL) equal to 0 or 1
requires forwarding (the router must decrement the TTL, which would reach 0).
• Fragmentation required. Occurs when an IP packet is forwarded to an interface
whose maximum transmission unit (MTU) is smaller than the packet size and the
Don't Fragment bit is set in the IP header (typically used for Path MTU Discovery).
This ICMP message is important for Path MTU Discovery, but because the switch has
a default MTU of 1500 bytes on all interfaces (or even larger on high-speed
Ethernet, the well-known jumbo frames), this situation should never happen. Using
another Layer 2 encapsulation, such as MPLS or IEEE 802.1Q in 802.1Q, can reduce
the MTU, but these configurations are relatively rare; the best way to handle them is
to use jumbo frames.
• Destination unreachable. Occurs when the packet cannot be forwarded because the
destination address is not reachable (for example, it is not in the routing table). An
ICMP message is never generated if the Layer 3 switch has a default route to a valid
next hop. The wrongly addressed IP packet is simply passed downstream, and it is
up to the next router or switch to try to forward this packet. If the downstream
node has hardware-assisted CoPP, it resists a DoS attack.
All other cases of ICMP message generation can happen during normal operation. It is better
to rate-limit this generation than to block it completely, because those ICMP messages are
required for normal network operation. Alas, if CoPP does not exist in hardware, the ICMP
rate limit is mostly enforced in software and is much less efficient.
The following command limits the generation of ICMP unreachables to, at most, one
every 10 milliseconds:
IOS(config)# ip icmp rate-limit unreachable 10
ICMP unreachable generation can also be completely disabled on a per-interface basis.
The following command only prevents the ICMP message from being sent; the central
processor still receives the packets that would require the transmission of an ICMP
message. So, although this command is helpful, it is not always hardware accelerated
and, therefore, it is not always efficient:
IOS(config)# interface vlan 100
IOS(config-if)# no ip unreachables
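The forwarding decisions listed above and the effect of the two commands, as an added example that is not from the book or from IOS: a small Python model that decides which ICMP error a Layer 3 switch's control plane would generate for a constructed packet (ACL drop, TTL expired, fragmentation needed with DF set, no route, or forwarded silently via a default route), then counts how many packets a flood punts to the CPU and how many ICMP messages actually leave under `ip icmp rate-limit unreachable 10` and under `no ip unreachables`. The packet builder, the L3Switch and UnreachableRateLimiter classes, the addresses, and the rate-limit semantics (only type 3 unreachables are limited, TTL-expired messages pass through) are assumptions made for illustration.

```python
"""Added example (not from the book): model of ICMP error generation on a
Layer 3 switch and of `ip icmp rate-limit unreachable` / `no ip unreachables`.
All packets are constructed inline; nothing touches the network."""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# ICMP (type, code) pairs from RFC 792 / RFC 1812 for the cases discussed.
ADMIN_PROHIBITED = (3, 13)   # ACL drop
TTL_EXPIRED = (11, 0)        # TTL would reach 0 while forwarding
FRAG_NEEDED = (3, 4)         # packet larger than egress MTU and DF set
NET_UNREACHABLE = (3, 0)     # no route and no default route
IP_DF = 0x4000               # Don't Fragment flag in the flags/fragment field


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64, df: bool = False) -> bytes:
    """Minimal IPv4 header (no options, protocol 17) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      IP_DF if df else 0, ttl, 17, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


@dataclass
class L3Switch:
    """Forwarding decision of the switch, reduced to the four ICMP cases (assumed model)."""
    mtu: int = 1500
    routes: Set[str] = field(default_factory=set)      # known /24 prefixes, e.g. "10.1.2"
    default_route: bool = False
    acl_deny_src: Set[str] = field(default_factory=set)
    ip_unreachables: bool = True                       # False models `no ip unreachables`

    def punt_reason(self, pkt: bytes) -> Optional[Tuple[int, int]]:
        """ICMP error the packet calls for, or None if it is forwarded in hardware."""
        _, _, total_len, _, flags_frag, ttl, _, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        src_s = ".".join(map(str, src))
        dst_prefix = ".".join(map(str, dst[:3]))
        if src_s in self.acl_deny_src:
            return ADMIN_PROHIBITED
        if ttl <= 1:
            return TTL_EXPIRED
        if dst_prefix not in self.routes:
            # With a default route the packet is simply passed downstream, no ICMP.
            return None if self.default_route else NET_UNREACHABLE
        if total_len > self.mtu and flags_frag & IP_DF:
            return FRAG_NEEDED
        return None


class UnreachableRateLimiter:
    """Models `ip icmp rate-limit unreachable <ms>`: at most one ICMP unreachable
    (type 3) per interval. Type 11 (TTL expired) is assumed not to be covered by
    that command and passes through unchanged."""
    def __init__(self, interval_ms: int = 10):
        self.interval_ms = interval_ms
        self.next_allowed_ms = 0.0

    def allow(self, icmp: Tuple[int, int], now_ms: float) -> bool:
        if icmp[0] != 3:
            return True
        if now_ms >= self.next_allowed_ms:
            self.next_allowed_ms = now_ms + self.interval_ms
            return True
        return False


def simulate_flood(switch: L3Switch, limiter: UnreachableRateLimiter,
                   pkt: bytes, pps: int, seconds: int) -> Tuple[int, int]:
    """Replay `pkt` at `pps` for `seconds`; return (packets punted to the CPU,
    ICMP messages actually sent). `no ip unreachables` suppresses the type 3
    message but does not stop the punt, which is the point made in the text."""
    punted = sent = 0
    for i in range(pps * seconds):
        now_ms = i * 1000.0 / pps
        icmp = switch.punt_reason(pkt)
        if icmp is None:
            continue
        punted += 1
        if icmp[0] == 3 and not switch.ip_unreachables:
            continue
        if limiter.allow(icmp, now_ms):
            sent += 1
    return punted, sent


if __name__ == "__main__":
    sw = L3Switch(routes={"10.1.2"}, acl_deny_src={"192.0.2.66"})
    no_route = build_ipv4("198.51.100.9", "10.9.9.9", b"x" * 64)   # constructed sample
    print("1000 pps, no route, 10 ms limit:", simulate_flood(sw, UnreachableRateLimiter(10), no_route, 1000, 1))
    sw.ip_unreachables = False
    print("same flood after `no ip unreachables`:", simulate_flood(sw, UnreachableRateLimiter(10), no_route, 1000, 1))
```

With the 10 ms limit, a 1000 pps flood of unroutable packets still punts all 1000 packets to the CPU but yields only 100 ICMP messages; with `no ip unreachables` the CPU still sees all 1000 punts and sends none, which is why neither knob replaces hardware CoPP.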