Notes on testing ICMP rate-limiting
ICMP rate-limiting is applied to the available bandwidth on an interface.
If the total bandwidth requested by all ICMP traffic is less than
the available, configured maximum rate, no ICMP rate-limit can be
applied. That is, an interface must be receiving more inbound ICMP
traffic than the configured bandwidth limit allows. If the interface
is configured with both rate-limit all and rate-limit icmp, the ICMP limit can be met or exceeded
only if the rate limit for all types of inbound traffic has not already
been met or exceeded. Also, to test the ICMP limit you need to generate
ICMP traffic that exceeds the configured ICMP rate limit. Using the
recommended settings—1% for edge interfaces and 5% maximum for core
interfaces—it is easy to generate sufficient traffic. However, if
you are testing with higher maximums, you need to ensure that the
ICMP traffic volume exceeds the configured maximum.
When testing ICMP rate-limiting where inbound ICMP traffic on a given interface has destinations on multiple outbound interfaces, the test results must be based on the received outbound ICMP traffic.
ICMP rate-limiting is not reflected in counters monitoring inbound traffic because inbound packets are counted before the ICMP rate-limiting drop action occurs.
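The checks described in these notes, collected into one test-evaluation helper. This is an added example, not vendor code: the class, function and field names, the percent-of-link-speed interpretation of the limits, the 10% measurement tolerance and the sample counter values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class IcmpRateLimitTest:
    link_bps: float                  # speed of the inbound interface, bits/s
    icmp_limit_pct: float            # configured ICMP limit (assumed: % of link speed)
    offered_icmp_bps: float          # ICMP rate the test source sends inbound
    offered_other_bps: float = 0.0   # non-ICMP inbound traffic during the test
    all_limit_pct: Optional[float] = None  # all-traffic limit, if also configured

def evaluate(test: IcmpRateLimitTest,
             outbound_icmp_bytes: Dict[str, int],
             interval_s: float,
             tolerance: float = 0.10) -> Tuple[str, Optional[float]]:
    """Judge a test run from ICMP bytes received on the outbound side.

    outbound_icmp_bytes maps each outbound interface to the ICMP bytes
    received beyond it during interval_s. Inbound counters are not used:
    they count packets before the rate-limit drop happens.
    """
    icmp_limit_bps = test.link_bps * test.icmp_limit_pct / 100
    # Precondition 1: offered ICMP must exceed the ICMP limit, or nothing is dropped.
    if test.offered_icmp_bps <= icmp_limit_bps:
        return ("invalid: offered ICMP below limit", None)
    # Precondition 2: the all-traffic limit must not already be met or exceeded.
    if test.all_limit_pct is not None:
        all_limit_bps = test.link_bps * test.all_limit_pct / 100
        if test.offered_icmp_bps + test.offered_other_bps >= all_limit_bps:
            return ("invalid: all-traffic limit already met", None)
    # Result: sum ICMP received across every outbound interface.
    received_bps = sum(outbound_icmp_bytes.values()) * 8 / interval_s
    if received_bps <= icmp_limit_bps * (1 + tolerance):
        return ("pass", received_bps)
    return ("fail: received ICMP exceeds limit", received_bps)

if __name__ == "__main__":
    # Constructed sample: 1 Gb/s edge port, 1% ICMP limit, 50 Mb/s of test ICMP
    # fanned out to two outbound interfaces, measured for 10 seconds.
    run = IcmpRateLimitTest(link_bps=1e9, icmp_limit_pct=1, offered_icmp_bps=50e6)
    print(evaluate(run, {"A1": 6_000_000, "A2": 6_250_000}, interval_s=10))
```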