Archives for category: Uncategorized

Disabling ICMP unreachable messages will break Path MTU discovery with legacy IP, that is IPv4.

Operators often disable generating ICMP unreachable messages in order to protect the router’s CPU. This technique to protect the router’s control plane is rather obsolete and dangerous. Namely, IPv4 router will use ICMP message type 3, code 4 (The datagram is too big. Packet fragmentation is required but the ‘don’t fragment’ (DF) flag is on.) to signal the sender that the packet he is sending is too big to forward and has to be fragmented. This is a crucial message in Path MTU discovery process for IPv4. By the way, in IPv6 this is not the case – the Packet too big ICMPv6 message is not of the “unreachable” kind. Read the rest of this entry »

Advertisements

Using Cisco ACLs to match routing prefixes or just to mystify the configuration?

A decade ago route classification or filtering in Cisco IOS was commonly done with the help of access control lists (ACLs). You will still find this method in some (very) old configurations and Cisco trainings (no matter how advanced they are ;-)). I’ve run into this legacy stuff recently and I was forced once again to understand how it works. It is confusing but rather simple.

An entry in the extended IPv4 ACL has the following meaning:

permit|deny ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>

The “source” part of the rule selects the prefixes and the “destination” part selects prefix masks (prefix lengths). Read the rest of this entry »