ICMP Redirect on Cisco IOS

This topic is to discuss the following lesson:

Hi Rene,
How to disable the ip redirect (receive) in Router acting as a host?

Thanks ,
Srini

1 Like

Hi Srini,

Hmm good question, I’m not sure if there is a command for it to disable this. You might be able to filter the incoming ICMP redirect message with an access-list, that could do the trick.

This is an exception situation btw, IP routing has to be disabled on the router which is not a common thing to do.

Rene

1 Like

Thanks Rene.

Hi Rene,

The IP redirect only redirect ICMP? Any other protocol will redirect other than this?

Davis

Hi Davis,

When you receive an ICMP redirect then it will apply to all IPv4 traffic.

Rene

Got it. Thanks Rene.

Davis

Thanks Rene. You have got 100 out of 100 .So Normally we will keep Disable ICMP redirect as its has security vulnerability but enable it when Meet the criteria below only :

1.The IP packet should be received and transmitted on the same interface.
2.The source IP address of the incoming packet should be on the same subnet as the new next hop IP address.

Please correct me if I am wrong :slight_smile:

br//
zaman

Hi Zaman,

It’s best to disable ICMP redirect completely. This example is great to demonstrate it but it has a design issue. The hosts should use R2 as their default gateway, you won’t need ICMP redirects then :slight_smile:

Rene

Hi Sir,

The line " R2 only has a static route for 3.3.3.3 with R2 as its next hop" but the conf shows 23.3 as next hop then it must be R3

Or R2 having next hop as R2 I m confused. Can you explain here

Hi Subbu,

This was a typo, it should be R3. Just fixed it, thanks!

Hello Rene,
I have a question and I am going to use the below diagram as a reference for my question.

image

From this switch when I was trying to reach 10.10.20.20, I was not able to reach it. However, other IP addresses from the same subnet such as 10.10.20.1 or 10.10.20.50 is reachable from the switch.
After doing some research, I found this:

Switch#show ip redirects
Default gateway is 192.168.115.10

Host                      Gateway           Last Use    Total Uses       Interface
10.10.20.20         192.168.115.1         0:00        4912               Vlan20

Clearing the redirect cache resolved the issue and now 10.10.20.20 is reachable from the switch.

Switch#clear ip redirect
Switch#show ip redirects
Default gateway is 192.168.115.10

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

Would you please explain why?

Thanks in advance.

Best Regards,
Azm Uddin

Hello Azm

To understand why this happened, it’s first important to understand what IP Redirects are and how they work. IP Redirects are ICMP messages that are sent by routers that inform hosts of more appropriate gateways to use to get to a destination. The following documentation explains it excellently, however I will summarise below:

Take a look at the following topology:
image
First of all, notice that R1, R2 and Host H are all on the same subnet. Host H sends information to the remote branch office host. Host H is configured to use R1 as the default gateway. R1 examines its routing table and sees that the next hop should be R2. It also realises that Host H and the next hop are on the same subnet, so it sends an ICMP redirect to Host H informing it that it should send all future packets with a destination of the remote branch office host to R2. This entry is added to the IP redirect cache of the host.

Now, if the network topology changes such that the remote branch host can only be reached via R1 and no longer via R2, the IP redirect entry that has been provided will tell host H to go via R2 which is no longer valid, and the communication will fail.

This is what I believe has happened in your case. 10.10.20.20 was reachable at some point via the firewall at 192.168.115.10 and that was actually a better gateway to use for that destination so the switch was informed by an ICMP redirect message from the router that 192.168.115.1 is a better gateway choice and the switch maintained that info in its IP redirect cache. Your topology then changed somehow and 10.10.20.20 was no longer accessible via the firewall, however, the IP redirect was still valid and was trying to send the packets that way. Once you cleared the IP redirect list, the configured default gateway was being used and connectivity was restored.

I hope this as been helpful!

Laz

Hi Rene ,

Just as always it is so useful to read through your thorough workouts.
So I think there is still another typo to be corrected :smile:
when the linux host is pinging 3.3.3.3 , in the message for the ICMP redirect new Nexthop should it not be 192.168.12.2 ?

sorry if I am mistaken .

Also I tried to reproduce the same on the on GNS3 3725 platform with IOS c3725-adventerprisek9-mz.124-15.T7.image…and I configured static route on all the routers . So on the default gateway I did have the static route

PC-1> ping 3.3.3.3
3.3.3.3 icmp_seq=1 timeout
3.3.3.3 icmp_seq=2 timeout
84 bytes from 3.3.3.3 icmp_seq=3 ttl=62 time=59.972 ms
84 bytes from 3.3.3.3 icmp_seq=4 ttl=62 time=47.914 ms
84 bytes from 3.3.3.3 icmp_seq=5 ttl=62 time=50.978 ms

PC-1> trace 3.3.3.3
trace to 3.3.3.3, 8 hops max, press Ctrl+C to stop
 1   192.168.12.1   4.952 ms  9.991 ms  9.042 ms
 2   3.3.3.3   9.929 ms  21.004 ms  10.019 ms
 3   192.168.12.2   8.982 ms  31.034 ms  9.045 ms
 4   192.168.23.1   21.917 ms

the autu secure feature is there and is not in effect so ip redirect is not disabled.

My question is since icmp part of ip if ip redirect is not disabled by default then PC1 should get the message right ? But then it is no proper host …a simulated one.
And not sure why the 2nd hop is 3.3.3.3 on my traceroute from the pc1 ?
The ip route on R1 is as follows

R1(config-if)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 1.1.1.2 to network 0.0.0.0

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/30 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     3.0.0.0/32 is subnetted, 1 subnets
S       3.3.3.3 [1/0] via 192.168.12.2
S*   0.0.0.0/0 [1/0] via 1.1.1.2
R1(config-if)#

I have found that ‘no ip icmp redirect’ is available on the router for use.

It will be good to get your feedback please ?

Kind regards,

Sutandra

Also is multicast routing techniques a kind of source routing as ICMP redirect messages if enabled do not work if IP packets use source routing …trying to get what is that

Hello Sutandra

Yes you are correct, I’ll let Rene know about that…

Laz

Hello Sutandra

Yes it will get the message. It doesn’t matter that the “host” is actually a router. The behaviour of the ICMP protocol will be the same for either a PC or a router.

Hmm, that is quite interesting. My hunch is that traceroute sends the first ICMP packet with a TTL of 1 to the gateway of 192.168.12.1, which is the first response we see. Then R1 sends a redirect back to the host informing it of the “better” gateway. The host sends an ICMP packet with a maximum TTL with the new gateway to see if it gets a response which it does. It then proceeds to continue the trace using increasing TTLs to R2 and R3.

This is just a hunch, but a wireshark trace of something like this would be very beneficial… I suggest you give it a try and share your results.

I hope this has been helpful!

Laz

1 Like

Hello Sutandra

I’m not sure I understand completely, but multicast routing is something somewhat independent of ICMP redirect. For more information about multicast routing, take a look at the following lesson:

I hope this has been helpful!

Laz

1 Like