STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-220433

CAT II (Medium)

The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.

Rule ID

SV-220433r856235_rule

STIG

Cisco IOS Switch RTR Security Technical Implementation Guide

Version

V3R3

CCIs

CCI-002385

Discussion

ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Switches automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.

Check Content

Review the configuration to verify the no ip unreachables command has been configured on all external interfaces as shown in the configuration example below: 

interface GigabitEthernet0/1 
 ip address x.x.x.x 255.255.255.0 
 no ip unreachables 

If ICMP unreachable notifications are sent from any external or null0 interface, this is a finding. 

Alternative - DODIN Backbone: 

Verify that the PE switch is configured to rate limit ICMP unreachable messages as shown in the example below: 

ip icmp rate-limit unreachable 60000 
ip icmp rate-limit unreachable DF 1000 

Note: In the example above, packet-too-big message (ICMP Type 3 Code 4) can be sent once every second, while all other destination unreachable messages can be sent once every minute. This will avoid disrupting Path MTU Discovery for traffic traversing the backbone while mitigating the risk of an ICMP unreachable DoS attack. 

If the PE switch is not configured to rate limit ICMP unreachable messages, this is a finding.

Fix Text

Step 1: Disable ip unreachables on all external interfaces. 

SW1(config)#int g0/1 
SW1(config-if)#no ip unreachables 

Step 2: Disable ip unreachables on the Null0 interface if it is used to blackhole packets.

SW1(config-if)#int null 0 
SW1(config-if)#no ip unreachables 

Alternative - DODIN Backbone: 

Configure the PE switch to rate limit ICMP unreachable messages as shown in the example below: 

SW1(config)#ip icmp rate-limit unreachable df 100 
SW1(config)#ip icmp rate-limit unreachable 100000 
SW1(config)#end 

Alternative - Non-DODIN Backbone: 

An alternative for non-backbone networks (e.g., enclave, base, camp) is to filter messages generated by the switch and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:

Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below: 

SW1(config)#ip access-list ext ICMP_T3C1C13 
SW1(config-ext-nacl)#permit icmp any any host-unreachable 
SW1(config-ext-nacl)#permit icmp any any administratively-prohibited 
SW1(config-ext-nacl)#exit 

Step 2: Create a route-map to forward these ICMP messages to the Null0 interface. 

SW1(config)#route-map LOCAL_POLICY 
SW1(config-route-map)#match ip address ICMP_T3C1C13 
SW1(config-route-map)#set interface Null0 
SW1(config-route-map)#exit 

Step 3: Configure no ip unreachables on the Null0 interface. 

SW1(config)#int null 0 
SW1(config-if)#no ip unreachables 
SW1(config-if)#exit 

Step 4: Apply the policy to filter messages generated by the switch. 

SW1(config)#ip local policy route-map LOCAL_POLICY 
SW1(config)#end
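
As an added example (not part of the STIG or of STIGhub), the Check Content and Fix Text above can be automated against a saved running-config. The script below parses the interface blocks, reports which external interfaces and Null0 lack "no ip unreachables", treats a global "ip icmp rate-limit unreachable" line as satisfying the DODIN backbone alternative when the switch is flagged as a backbone PE, and emits the remediation lines from Fix Text steps 1 and 2 for each finding. The sample configuration, the addresses in it, and the convention that external interfaces carry EXTERNAL in their description are constructed assumptions, not anything the STIG prescribes.

```python
import re
from typing import Dict, List

# Constructed sample running-config for V-220433 (not from the STIG). Addresses
# are documentation ranges; "EXTERNAL" in a description marks an external
# interface, which is an assumed local convention, not an IOS feature.
SAMPLE_CONFIG = """\
!
ip icmp rate-limit unreachable 60000
ip icmp rate-limit unreachable DF 1000
!
interface GigabitEthernet0/1
 description EXTERNAL uplink to ISP
 ip address 203.0.113.2 255.255.255.0
 no ip unreachables
!
interface GigabitEthernet0/2
 description EXTERNAL backup uplink
 ip address 198.51.100.2 255.255.255.0
!
interface Vlan10
 description internal user VLAN
 ip address 10.10.10.1 255.255.255.0
!
interface Null0
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface NAME' block to its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return interfaces


def external_interfaces(interfaces: Dict[str, List[str]], marker: str = "EXTERNAL") -> List[str]:
    """Assumed convention: an interface is external if its description contains the marker."""
    return [
        name for name, lines in interfaces.items()
        if any(l.startswith("description ") and marker in l for l in lines)
    ]


def has_unreachable_rate_limit(config: str) -> bool:
    """True if 'ip icmp rate-limit unreachable <ms>' is configured globally."""
    return re.search(r"^ip icmp rate-limit unreachable \d+\s*$", config, re.M) is not None


def check_v220433(config: str, external: List[str], backbone_pe: bool = False) -> Dict[str, str]:
    """Return {interface or feature: 'compliant' | 'finding'} per the check content."""
    if backbone_pe:
        # DODIN backbone alternative: switch-wide rate limiting satisfies the rule.
        ok = has_unreachable_rate_limit(config)
        return {"ip icmp rate-limit unreachable": "compliant" if ok else "finding"}
    interfaces = parse_interfaces(config)
    results: Dict[str, str] = {}
    # Every external interface and Null0 must carry 'no ip unreachables'; an
    # interface absent from the config still runs the IOS default (unreachables on).
    for name in list(external) + ["Null0"]:
        lines = interfaces.get(name, [])
        results[name] = "compliant" if "no ip unreachables" in lines else "finding"
    return results


def fix_commands(results: Dict[str, str]) -> List[str]:
    """IOS configuration lines mirroring Fix Text steps 1 and 2 for each finding."""
    cmds: List[str] = []
    for name, status in results.items():
        if status == "finding":
            cmds += [f"interface {name}", " no ip unreachables"]
    return cmds


if __name__ == "__main__":
    ext = external_interfaces(parse_interfaces(SAMPLE_CONFIG))
    findings = check_v220433(SAMPLE_CONFIG, ext)
    for name, status in findings.items():
        print(f"{name}: {status}")
    print("\n".join(fix_commands(findings)))
```

Run against "show running-config" output saved to a file; on the constructed sample, GigabitEthernet0/2 and Null0 are findings and the script prints the two interface stanzas needed to clear them. The backbone_pe flag exists because the rate-limit alternative only applies to a DODIN backbone PE switch; on any other switch the per-interface check is the one that counts.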