I recently came across a Cisco 877 security hardening guide. It suggests blocking private, reserved and unallocated IP ranges by source IP. I will explain why this is a bad idea and how to block malicious traffic properly.
When you have two or more Catalyst 3750 switches in a stack configuration and need to upgrade the image, you will have a long service disruption: it can take about 7 to 10 minutes, because, depending on the image, the bootloader is upgraded too, and the POST tests also take their time. However, if you have a redundant configuration, you can limit the downtime to a few seconds.
In this post I will talk about ICMP unreachables, the security concerns around them, and why you shouldn't disable them on your routing boxes.