Step 1: Disable ip unreachables on all external interfaces.
SW1(config)#int g0/1
SW1(config-if)#no ip unreachables
Step 2: Disable ip unreachables on the Null0 interface if it is used to backhole packets.
SW1(config-if)#int null 0
SW1(config-if)#no ip unreachables
Alternative – DODIN Backbone:
Configure the PE switch to rate limit ICMP unreachable messages as shown in the example below:
SW1(config)#ip icmp rate-limit unreachable df 100
SW1(config)#ip icmp rate-limit unreachable 100000
SW1(config)#end
Alternative – Non DODIN Backbone.
An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the switch and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:
Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:
SW1(config)#ip access-list ext ICMP_T3C1C13
SW1(config-ext-nacl)#permit icmp any any host-unreachable
SW1(config-ext-nacl)#permit icmp any any administratively-prohibited
SW1(config-ext-nacl)#exit
Step 2: Create a route map to forward these ICMP messages to the Null0 interface.
SW1(config)#route-map LOCAL_POLICY
SW1(config-route-map)#match ip address ICMP_T3C1C13
SW1(config-route-map)#set interface Null0
SW1(config-route-map)#exit
Step 3: Configure no ip unreachables on the Null0 interface.
SW1(config)#int null 0
SW1(config-if)#no ip unreachables
SW1(config-if)#exit
Step 4: Apply the policy to filter messages generated by the switch.
SW1(config)#ip local policy route-map LOCAL_POLICY
SW1(config)#end