Hi All,

We have PBR which drops 92-byte ICMP echo/echo-reply applied on our enterprise backbone (Catalyst 6500/Sup7203BXL) links and all customer access VLANs. There are several issues: ICMP echo/echo-reply are punted to the CPU, it breaks Windows tracert/ping, and it's harder to implement Control Plane Policing (CoPP) regarding the ICMP messages. Is it still necessary to keep the PBR in place nowadays?
Cisco Security Notice: Nachi Worm Mitigation Recommendations
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

Policy Based Routing for Cisco IOS Software

The Nachi worm detects the availability of a node by sending ICMP type 8 (echo request) packets before trying to exploit the RPC vulnerability. The size of the ICMP packet is 92 bytes including the IP header. This Policy Based Routing (PBR) configuration can be used to match and drop the ICMP type 8 and type 0 packets that are 92 bytes long. The ICMP type 8 packets generated by the ping utility on other operating systems, such as Cisco IOS Software, Windows 2000, Linux, and Solaris, have different packet sizes than 92 bytes. This configuration should not filter the packets that are generated by the ping utility on those operating systems.

Caution: Once applied, this configuration may cause all packets to be process switched on hardware switching platforms, such as the Catalyst 6500 series and Cisco 12000 GSR, or PBR may not be supported on these platforms. This may significantly impact the performance of those devices and it is therefore not recommended to use this method on hardware switching platforms.

Caution: Enabling PBR may affect the performance of your throughput. It is recommended to enable CEF for improved performance. If CEF is not enabled on the router, it is recommended to have the ip route-cache policy command on the interface. This increases the performance of PBR.

Warning: Microsoft Windows tracert utility uses 92-byte sized ICMP packets. Using PBR to filter those packets causes the tracert utility not to work.

Thanks,
Schilling
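To make the trade-off in the quoted notice concrete, here is an added example (not code from the post or from the Cisco notice) that builds a few IPv4/ICMP packets in memory and applies the same match the PBR uses: protocol ICMP, type 8 or type 0, IP total length exactly 92 bytes. The packet builder, the 192.0.2.0/24 documentation addresses and the sample payload sizes are constructed for the example; the only sizes taken from the notice are the 92-byte match and the statement that Windows tracert probes are 92 bytes, which is why the tracert-style sample is the one that gets dropped.

```python
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
NACHI_MATCH_LENGTH = 92  # IP total length the PBR in the notice matches


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, payload: bytes, ident: int = 1, seq: int = 1,
               src: str = "192.0.2.10", dst: str = "192.0.2.20", ttl: int = 128) -> bytes:
    """Constructed IPv4 (no options) + ICMP packet with valid checksums.

    For echo/echo-reply the 4 bytes after the checksum are identifier and
    sequence; for other types they are simply the rest-of-header field.
    """
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0,
                         ttl, IPPROTO_ICMP, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def pbr_would_drop(packet: bytes) -> bool:
    """Mirror the notice's match: ICMP echo (8) or echo-reply (0) with IP total length 92."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8:
        return False
    icmp_type = packet[ihl]
    return icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and total_len == NACHI_MATCH_LENGTH


# Constructed sample traffic. 20 (IP) + 8 (ICMP) + 64 (payload) = 92 bytes,
# the size the notice attributes to both the worm's probe and Windows tracert.
SAMPLES = {
    "tracert_style_echo_92B": build_icmp(ICMP_ECHO_REQUEST, b"\x00" * 64),
    "echo_reply_92B": build_icmp(ICMP_ECHO_REPLY, b"\x00" * 64),
    # 20 + 8 + 32 = 60 bytes: a shorter echo request is not matched.
    "short_echo_60B": build_icmp(ICMP_ECHO_REQUEST, b"abcdefghijklmnopqrstuvwxyz012345"),
    # Same 92-byte length but a different ICMP type: length alone is not enough.
    "time_exceeded_92B": build_icmp(ICMP_TIME_EXCEEDED, b"\x00" * 64, ident=0, seq=0),
}


def classify(samples: dict) -> dict:
    """Return {name: True if the PBR would drop this packet}."""
    return {name: pbr_would_drop(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, dropped in classify(SAMPLES).items():
        print("%-24s %3d bytes  %s" % (name, len(SAMPLES[name]), "DROP" if dropped else "pass"))
```

The classifier deliberately keys on the IP total length rather than the ICMP payload length, which is what a PBR `match length` on the router sees; the 92-byte tracert-style probe and the 92-byte echo-reply both match, the shorter echo request and the 92-byte time-exceeded message do not. That is the collateral damage the original poster is weighing against a 2003 worm signature.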