Mental model
IP itself is dumb — it routes packets and that’s it. When something goes wrong (no route, dropped packet, looped traffic), IP doesn’t know how to tell you. ICMP is the channel IP uses to send those error messages.
It’s also the protocol behind two universal diagnostics:
- ping — sends an ICMP Echo Request, gets an ICMP Echo Reply back, and measures the round-trip time
- traceroute — sends packets with increasing TTL values, gets an ICMP TTL Exceeded back from each hop, and builds the path from the source addresses of those error messages
So when you “ping a host” or “traceroute to a server,” you’re using ICMP. When your router says “Destination host unreachable,” that’s an ICMP packet.
Message types you should know
| Type | Code | Name | When you’ll see it |
|---|---|---|---|
| 0 | 0 | Echo Reply | “Pong” — the reply to a ping |
| 3 | 0 | Net Unreachable | Router has no route to the destination network |
| 3 | 1 | Host Unreachable | Reached the destination subnet but the specific host doesn’t answer (typically the last-hop router got no ARP reply) |
| 3 | 3 | Port Unreachable | Reached the host, but nothing’s listening on that UDP port (TCP answers with a RST instead); also what a UDP traceroute gets back from its destination |
| 3 | 4 | Fragmentation Needed | The packet’s too big for the next link and has DF set; the message carries the next-hop MTU, which Path MTU Discovery uses |
| 5 | 0 | Redirect | “Use a different gateway for that destination” |
| 8 | 0 | Echo Request | “Ping” — the question half |
| 11 | 0 | TTL Exceeded in Transit | Traceroute hears this from each hop |
For CCNA, focus on: 0 (Echo Reply), 3 (Unreachable), 8 (Echo Request), 11 (TTL Exceeded).
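To make the table concrete, here is an added example (not part of the original notes) in Python that builds and parses ICMP messages. It verifies the Internet checksum, maps type/code to the names above, and for error messages pulls out the quoted original datagram plus, for type 3 code 4, the next-hop MTU that PMTUD acts on. The two sample messages and every address in them are constructed for this example, not captured traffic.

```python
import socket
import struct

# Added example (not from the page): build and parse ICMP messages, check the
# Internet checksum, and pull out the fields that ping and PMTUD actually use.
# Sample packets below are constructed inline; addresses are documentation ranges.

ICMP_NAMES = {  # the type/code table above; anything else is reported by number
    (0, 0): "Echo Reply",
    (3, 0): "Net Unreachable",
    (3, 1): "Host Unreachable",
    (3, 3): "Port Unreachable",
    (3, 4): "Fragmentation Needed",
    (5, 0): "Redirect",
    (8, 0): "Echo Request",
    (11, 0): "TTL Exceeded in Transit",
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd trailing byte is zero-padded
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_ok(msg: bytes) -> bool:
    """A message whose checksum field is correct re-checksums to zero."""
    return internet_checksum(msg) == 0


def build_icmp(icmp_type: int, code: int, rest_of_header: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """ICMP header: type(1) code(1) checksum(2) + 4 type-specific bytes, then data."""
    body = rest_of_header + payload
    csum = internet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if not checksum_ok(msg):
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    info = {"type": icmp_type, "code": code,
            "name": ICMP_NAMES.get((icmp_type, code), f"type {icmp_type} code {code}")}
    if icmp_type in (0, 8):
        # Echo: identifier and sequence number let ping match replies to requests
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["data"] = msg[8:]
    elif icmp_type in (3, 5, 11):
        # Error messages quote the offending datagram (its IP header + first 8 bytes),
        # which is how the sender knows which flow the error belongs to
        inner = msg[8:]
        if len(inner) < 20:
            raise ValueError("error message lacks the quoted IP header")
        info["orig_src"] = socket.inet_ntoa(inner[12:16])
        info["orig_dst"] = socket.inet_ntoa(inner[16:20])
        info["orig_proto"] = inner[9]
        if (icmp_type, code) == (3, 4):
            # Fragmentation Needed carries the next-hop MTU in the last 2 header bytes
            info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info


def ipv4_header(src: str, dst: str, total_len: int, proto: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header (no options); header checksum left at 0 for brevity."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1A2B, flags_frag,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


# Constructed samples (not captured traffic):
# 1. the "ping" half of a ping: Echo Request, id 0x1234, seq 1, 8 bytes of data
SAMPLE_ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")

# 2. what a router sends back when a 1500-byte DF packet hits a 1400-byte link:
#    type 3 code 4, next-hop MTU 1400, quoting the TCP datagram that was dropped
SAMPLE_FRAG_NEEDED = build_icmp(
    3, 4,
    struct.pack("!HH", 0, 1400),
    ipv4_header("192.0.2.1", "203.0.113.10", 1500, 6) + b"\x00" * 8,
)

if __name__ == "__main__":
    for pkt in (SAMPLE_ECHO_REQUEST, SAMPLE_FRAG_NEEDED):
        print(parse_icmp(pkt))
```

Run it and the Fragmentation Needed sample decodes to next_hop_mtu 1400 with the original destination 203.0.113.10; flip any byte and parse_icmp rejects the message on the checksum. The quoted inner header is also why a stateful firewall can pass type 3 and 11 safely: it can check that the error refers to a flow it has actually seen before letting it in.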
How ping actually works
PC                                 Target
 │ ─── Echo Request (type 8) ──►     │
 │                                   │
 │ ◄──── Echo Reply (type 0) ─────   │
If the round-trip succeeds, ping prints the latency. If it fails:
- No reply at all → host might be down, ICMP might be blocked by a firewall or by the host itself, or routing is broken; ping alone can’t tell you which
- Destination unreachable → a router along the path (or the target host) returned an ICMP type 3; the code tells you why
- TTL expired → a router returned ICMP type 11; almost always a routing loop somewhere, the packet bounced between routers until TTL reached 0
How traceroute actually works
Hop 1: Send packet with TTL=1
Router 1 decrements to 0, drops, sends back ICMP type 11
Now you know hop 1's IP.
Hop 2: Send packet with TTL=2
Router 1 decrements to 1, forwards. Router 2 decrements to 0, drops, sends back ICMP type 11.
Now you know hop 2's IP.
...repeat until the packet reaches the destination. The destination doesn’t send type 11; it answers the probe itself, and that different reply is what tells traceroute to stop.
Linux/macOS traceroute sends UDP probes by default, to high ports (33434 and up) that nothing listens on, so the destination answers with ICMP Port Unreachable (type 3 code 3). Windows tracert sends ICMP Echo Requests, so the destination answers with an Echo Reply (type 0). Both work; the difference matters when a firewall in front of the target lets one kind through and drops the other, and if the destination’s answer is filtered the trace ends in a row of “* * *” even though the host is up.
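An added simulation of the steps above in Python (not from the page, and not a network tool: it never sends a packet). A constructed path of three routers sits between a laptop and the target; each router decrements TTL, and the one that takes it to 0 answers with type 11 from its own address. The destination’s answer depends on the probe kind, which is the Linux/Windows difference described in the previous paragraph. It sends one probe per TTL where real traceroute sends three, and the addresses and the “looping” route are made up for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the page): hop-by-hop simulation of the TTL trick.
# Constructed path and addresses (documentation ranges); nothing is sent on the wire.


@dataclass
class Probe:
    src: str
    dst: str
    ttl: int
    kind: str            # "udp" (Linux/macOS traceroute) or "echo" (Windows tracert)
    dport: int = 33434   # classic UDP traceroute base port; nothing listens there


@dataclass
class IcmpMsg:
    src: str             # address the ICMP message is sourced from
    icmp_type: int
    code: int


ROUTERS = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]   # constructed path to the target
TARGET = "198.51.100.7"
TARGET_UDP_LISTENERS = {53}                        # constructed: only DNS is open


def forward(probe: Probe, routers, looping: bool = False) -> Optional[IcmpMsg]:
    """Walk the probe hop by hop. Each router decrements TTL before forwarding;
    the one that takes it to 0 drops it and answers with type 11 from its own address."""
    hop = 0
    while True:
        if hop == len(routers):
            if looping:
                hop = 0           # misconfigured route: traffic circles the same routers
            else:
                break
        probe.ttl -= 1
        if probe.ttl == 0:
            return IcmpMsg(routers[hop], 11, 0)
        hop += 1
    # Delivered to the destination host, which answers according to the probe kind
    if probe.kind == "echo":
        return IcmpMsg(TARGET, 0, 0)                # Echo Reply
    if probe.dport in TARGET_UDP_LISTENERS:
        return None                                 # an app consumed it; traceroute sees a timeout
    return IcmpMsg(TARGET, 3, 3)                    # Port Unreachable ends a UDP traceroute


def traceroute(kind: str, routers=ROUTERS, max_hops: int = 30, looping: bool = False):
    """Returns [(ttl, responder or '*', icmp_type), ...], one row per TTL as traceroute prints."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward(Probe("192.0.2.10", TARGET, ttl, kind, 33434 + ttl - 1),
                        routers, looping)
        hops.append((ttl, reply.src if reply else "*", reply.icmp_type if reply else None))
        if reply is not None and reply.icmp_type != 11:
            break                                   # anything but TTL Exceeded means we arrived
    return hops


if __name__ == "__main__":
    for row in traceroute("udp"):
        print(*row)
    print("Windows-style last hop:", traceroute("echo")[-1])
    print("routing loop, first 6 hops:", traceroute("udp", looping=True, max_hops=6))
```

With the constructed path the UDP trace ends at hop 4 with a type 3 from the target and the Echo trace ends at hop 4 with a type 0; with looping enabled the same three router addresses repeat until max_hops, which is exactly what a real traceroute into a routing loop looks like.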
Commands
Ping from a Cisco router
R1# ping 8.8.8.8
R1# ping 8.8.8.8 size 1500 df-bit ! larger packet, set Don't Fragment
R1# ping 8.8.8.8 source GigabitEthernet0/0
Extended ping (interactive prompt) gives you more options:
R1# ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: GigabitEthernet0/0
Traceroute
R1# traceroute 8.8.8.8
R1# traceroute 8.8.8.8 source GigabitEthernet0/0
Block specific ICMP types with ACL
ip access-list extended FILTER-ICMP
deny icmp any any redirect ! block type 5
deny icmp any any echo ! block inbound pings (controversial)
permit icmp any any ! allow everything else
Should you block ICMP at the firewall?
This is a debate that’s been going on for 25 years. Short version:
Blocking ALL ICMP is wrong. It breaks:
- Path MTU Discovery (large packets with DF set are silently dropped and the type 3 code 4 telling the sender why never arrives: small requests work, large transfers hang)
- Traceroute (useful diagnostic for users + ops)
- Network diagnostics generally
Blocking SOME ICMP is reasonable. Block:
- Echo Request from the internet → your hosts (stops trivial ping sweeps; it does not hide hosts from TCP or UDP scans, so treat it as noise reduction rather than protection)
- Redirect messages (avoid being misdirected by attackers)
- Timestamp Request/Reply (legacy, rarely needed)
Always allow:
- Type 3 (Destination Unreachable), including code 4 (Fragmentation Needed) for PMTUD; without it, connections that send large DF packets hang instead of failing cleanly
- Type 11 (TTL Exceeded): these arrive inbound at your own hosts when they traceroute outward, and your routers must be able to send them outbound for anyone to trace a path to you
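To check an ICMP ACL before pushing it, here is an added Python evaluator (not from the page, and not IOS itself) that implements the two IOS rules that catch people: first match wins, and anything unmatched hits the implicit deny at the end. It parses the “permit|deny icmp any any [keyword]” form used in the ACL section above. The three ACL texts are constructed for the example; the third is a deny-by-default version of the recommendations above.

```python
# Added example (not from the page): first-match evaluator for ICMP ACLs in the
# IOS style used above. IOS reads an ACL top-down, stops at the first matching
# line, and drops anything that reaches the end (implicit deny). ACLs are constructed.

# IOS ICMP keywords -> (type, code); None means "any code"
ICMP_KEYWORDS = {
    "echo": (8, None), "echo-reply": (0, None),
    "unreachable": (3, None), "packet-too-big": (3, 4),
    "time-exceeded": (11, None), "redirect": (5, None),
    "timestamp-request": (13, None), "timestamp-reply": (14, None),
}


def parse_icmp_acl(text: str):
    """Parse lines of the form 'permit|deny icmp any any [icmp-keyword]'.
    '!' comments and the 'ip access-list' header line are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line.startswith(("permit", "deny")):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1] != "icmp":
            raise ValueError(f"unsupported ACL line: {line}")
        match = ICMP_KEYWORDS[parts[4]] if len(parts) > 4 else (None, None)
        rules.append((parts[0], match))
    return rules


def evaluate(rules, icmp_type: int, code: int) -> str:
    """First matching line decides; falling off the end is the implicit deny."""
    for action, (t, c) in rules:
        if (t is None or t == icmp_type) and (c is None or c == code):
            return action
    return "deny"


def pmtud_survives(rules) -> bool:
    """The one check to run on any inbound ICMP filter: does type 3 code 4 get through?"""
    return evaluate(rules, 3, 4) == "permit"


# The page's own ACL: blocks redirects and inbound echo, then permits the rest
ACL_PAGE = """
ip access-list extended FILTER-ICMP
 deny icmp any any redirect
 deny icmp any any echo
 permit icmp any any
"""

# The tempting "just block ICMP" ACL that breaks PMTUD
ACL_BLOCK_ALL = """
ip access-list extended NO-ICMP
 deny icmp any any
"""

# Deny-by-default version of the recommendations above: allow only what is needed
ACL_RECOMMENDED = """
ip access-list extended OUTSIDE-ICMP-IN
 permit icmp any any unreachable      ! type 3, all codes, includes packet-too-big
 permit icmp any any time-exceeded    ! type 11, answers to our outbound traceroutes
 permit icmp any any echo-reply       ! answers to our own pings
 deny icmp any any echo               ! inbound ping sweeps
 deny icmp any any redirect
 deny icmp any any timestamp-request
 deny icmp any any timestamp-reply
"""                                    # everything else hits the implicit deny


if __name__ == "__main__":
    for name, text in (("page", ACL_PAGE), ("block-all", ACL_BLOCK_ALL),
                       ("recommended", ACL_RECOMMENDED)):
        rules = parse_icmp_acl(text)
        print(f"{name:12} PMTUD ok: {pmtud_survives(rules)!s:5}  "
              f"inbound echo: {evaluate(rules, 8, 0)}")
```

The output shows the trap in one line: the block-all ACL fails the PMTUD check while the page’s ACL and the deny-by-default one pass it. Note that in the deny-by-default ACL the order matters; putting a bare deny icmp any any above the permits would silently break PMTUD again, because evaluation stops at the first match.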
Common mistakes
- “My ping doesn’t work, the network is broken.” A target host might be configured to ignore ICMP without any actual network issue. Always test with multiple tools (ping + curl + nc) before declaring an outage.
- Blocking ICMP entirely at the perimeter. Breaks PMTUD silently. Users will report intermittent loading of large files / HTTPS pages and you’ll waste hours debugging.
- Confusing TTL with timeout. TTL is in hops, not seconds. A packet doesn’t “expire after N seconds”; it expires after N routers decrement it to zero. Default TTL is 64 (Linux/macOS) or 128 (Windows).
- Trusting ICMP source addresses. ICMP error messages can be spoofed. Don’t make critical routing decisions based on unauthenticated ICMP; a forged Redirect that points hosts at an attacker’s gateway is the classic example.
- Confusing ICMP and ICMPv6. IPv6 has its own ICMPv6, which is much more important: it carries Neighbor Discovery (the ARP replacement), Router Advertisements (SLAAC), and Multicast Listener Discovery. Never block ICMPv6 wholesale at routers, since IPv6 won’t function; filter it selectively (RFC 4890 lists which ICMPv6 types must be allowed through).
Lab to try tonight
- From your laptop: ping google.com. Use Wireshark to confirm the packets are ICMP type 8 (request) and type 0 (reply). Then traceroute google.com (or tracert on Windows) and watch the IP TTL of each successive probe increase in the capture.
- From a Cisco router: ping 8.8.8.8 size 1500 df-bit. If you get “M.M.M.M.M” output, fragmentation is required but the Don’t Fragment bit is set: somewhere on the path the MTU is smaller than 1500.
- Configure an ACL that blocks inbound Echo Request on a router interface. Verify pings now fail from outside but the host is still reachable on other protocols.
- Remove the ACL. Confirm pings work again.
Cheat strip
| Concept | Plain English |
|---|---|
| ICMP | IP’s error/diagnostic channel |
| Type 0 / 8 | Echo Reply / Request (ping) |
| Type 3 | Destination Unreachable (with sub-codes) |
| Type 11 | TTL Exceeded (traceroute uses this) |
| TTL | Hop count, not seconds. Default 64 or 128. |
| PMTUD | Path MTU Discovery — needs ICMP type 3 code 4 |
| ping | Uses ICMP type 8 / 0 |
| traceroute | Uses TTL trick to map hops |
| Never block all ICMP | Breaks the network in subtle ways |