On Dec 6, 2009, at 10:32 AM, Rob Janssen wrote:

> Actually, your Cisco toys by default send an ICMP message back when you block
> something using an access list.

You sure, Rob? Says here:

http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1082329

> If the Cisco IOS software receives a nonbroadcast packet destined for itself
> that uses a protocol it does not recognize, it sends an ICMP unreachable
> message to the source.
>
> If the software receives a datagram that it cannot deliver to its ultimate
> destination because it knows of no route to the destination address, it
> replies to the originator of that datagram with an ICMP host unreachable
> message.

That doesn't sound like an ACL deny to me -- "cannot deliver...because it knows of no route to the destination" != "refuses to deliver".

Tcpdump will always trump documentation, though, and this wouldn't be the first time to find somebody just kidding in the documentation...

--
Glenn English
[email protected]

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
