At 10:43 PM 09-10-02 -0700, Steve Francis wrote:
>[EMAIL PROTECTED] wrote:
>>My personal pet peeve is the opposite - we'll try to use pMTU, some
>>provider along the way sees fit to run it through a tunnel, so the MTU
>>there is 1460 instead of 1500 - and the chuckleheads number the tunnel
>>endpoints out of 1918 space - so the 'ICMP Frag Needed' gets tossed at
>>our border routers, because we do both ingress and egress filtering.
>
>That's not terribly hard to overcome - allow icmp unreachables (from any
>source) in your acl, then deny all traffic from RFC 1918 addresses, then
>the rest of the ACL.
>
>Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up with
>all the functionality, and almost none of the bogus traffic.

CAR should not be used to rate-limit but instead use the MQC police
command which basically does the same thing. CAR is not going to be around
much longer and is not being developed anymore:

Have a look at:
http://www.cisco.com/warp/public/105/cbpcar.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt8/qcfmcli2.htm
for more information.

-Hank
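
The ACL ordering and MQC policing discussed in this thread, as an added IOS configuration sketch that is not from either poster. The ACL, class-map and policy-map names, the interface, and the 64 kbps rate and 8000-byte bursts are assumptions chosen for illustration.

```ios
! Ingress ACL on the border router. IOS ACLs are first-match, so the
! ICMP unreachable permit must sit ABOVE the RFC 1918 denies; otherwise
! a 'Frag Needed' sent from a 1918-numbered tunnel endpoint is dropped
! and path MTU discovery stalls.
ip access-list extended BORDER-IN
 remark ICMP unreachables (includes frag-needed) from any source
 permit icmp any any unreachable
 remark all other traffic sourced from RFC 1918 space
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark ... rest of the site's ingress policy goes here ...
!
! Classifier for the policer: all ICMP (assumed scope).
ip access-list extended ICMP-ALL
 permit icmp any any
!
class-map match-all ICMP-TRAFFIC
 match access-group name ICMP-ALL
!
! MQC police in place of CAR. Rate and burst values are assumed
! and need sizing to the link.
policy-map LIMIT-ICMP
 class ICMP-TRAFFIC
  police 64000 8000 8000 conform-action transmit exceed-action drop
!
! Legacy CAR form of the same limit, for comparison only
! (CAR matches a numbered ACL; 101 here is an assumed ACL number):
!  rate-limit input access-group 101 64000 8000 8000 conform-action transmit exceed-action drop
!
! Interface name is assumed.
interface Serial0/0
 ip access-group BORDER-IN in
 service-policy input LIMIT-ICMP
```

On the interface, `show access-lists BORDER-IN` gives per-entry hit counts and `show policy-map interface Serial0/0` gives the conformed and exceeded counters, which together show whether unreachables from 1918 sources are arriving and how many are being policed.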
