This topic is to discuss the following lesson:
https://networklessons.com/cisco/ccie-routing-switching/icmp-redirect-on-cisco-ios/
Hi Rene,
How to disable the ip redirect (receive) in Router acting as a host?
Thanks ,
Srini
Hi Srini,
Hmm, good question. I'm not sure if there is a command for it to disable this. You might be able to filter the incoming ICMP redirect message with an access-list, that could do the trick.
This is an exception situation btw, IP routing has to be disabled on the router which is not a common thing to do.
Rene
Thanks Rene.
Hi Rene,
The IP redirect only redirect ICMP? Any other protocol will redirect other than this?
Davis
Hi Davis,
When you receive an ICMP redirect then it will apply to all IPv4 traffic.
Rene
Got it. Thanks Rene.
Davis
Thanks Rene. You have got 100 out of 100. So normally we will keep ICMP redirect disabled as it has a security vulnerability, but enable it only when the criteria below are met:
1. The IP packet should be received and transmitted on the same interface.
2. The source IP address of the incoming packet should be on the same subnet as the new next hop IP address.
Please correct me if I am wrong.
br//
zaman
Hi Zaman,
It's best to disable ICMP redirect completely. This example is great to demonstrate it but it has a design issue. The hosts should use R2 as their default gateway, you won't need ICMP redirects then.
Rene
Hi Sir,
The line "R2 only has a static route for 3.3.3.3 with R2 as its next hop", but the config shows 23.3 as the next hop, so it must be R3.
Or does R2 have R2 as its next hop? I'm confused. Can you explain here?
Hi Subbu,
This was a typo, it should be R3. Just fixed it, thanks!
Hello Rene,
I have a question and I am going to use the below diagram as a reference for my question.
From this switch, when I was trying to reach 10.10.20.20, I was not able to reach it. However, other IP addresses from the same subnet, such as 10.10.20.1 or 10.10.20.50, are reachable from the switch.
After doing some research, I found this:
Switch#show ip redirects
Default gateway is 192.168.115.10
Host Gateway Last Use Total Uses Interface
10.10.20.20 192.168.115.1 0:00 4912 Vlan20
Clearing the redirect cache resolved the issue and now 10.10.20.20 is reachable from the switch.
Switch#clear ip redirect
Switch#show ip redirects
Default gateway is 192.168.115.10
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
Would you please explain why?
Thanks in advance.
Best Regards,
Azm Uddin
Hello Azm
To understand why this happened, it's first important to understand what IP Redirects are and how they work. IP Redirects are ICMP messages that are sent by routers that inform hosts of more appropriate gateways to use to get to a destination. The following documentation explains it excellently, however I will summarise below:
Take a look at the following topology:
First of all, notice that R1, R2 and Host H are all on the same subnet. Host H sends information to the remote branch office host. Host H is configured to use R1 as the default gateway. R1 examines its routing table and sees that the next hop should be R2. It also realises that Host H and the next hop are on the same subnet, so it sends an ICMP redirect to Host H informing it that it should send all future packets with a destination of the remote branch office host to R2. This entry is added to the IP redirect cache of the host.
Now, if the network topology changes such that the remote branch host can only be reached via R1 and no longer via R2, the IP redirect entry that has been provided will tell host H to go via R2 which is no longer valid, and the communication will fail.
This is what I believe has happened in your case. 10.10.20.20 was reachable at some point via the firewall at 192.168.115.10 and that was actually a better gateway to use for that destination so the switch was informed by an ICMP redirect message from the router that 192.168.115.1 is a better gateway choice and the switch maintained that info in its IP redirect cache. Your topology then changed somehow and 10.10.20.20 was no longer accessible via the firewall, however, the IP redirect was still valid and was trying to send the packets that way. Once you cleared the IP redirect list, the configured default gateway was being used and connectivity was restored.
I hope this has been helpful!
Laz
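Added example, not part of the lesson or of anyone's post above: a host-side check of an ICMP Redirect that applies the RFC 1122 rules (the redirect must come from the host's current first-hop gateway and the new gateway must be on the host's own subnet), which is the host-side counterpart of the two criteria zaman listed. The addresses (host 192.168.12.3, gateway R1 192.168.12.1, R2 192.168.12.2, destination 3.3.3.3) are assumed from the lesson topology as discussed in this thread, and the redirect packet is constructed, not captured.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # ICMPv4 type for Redirect

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_redirect(new_gw: str, orig_src: str, orig_dst: str) -> bytes:
    """Constructed Redirect (type 5, code 1 = redirect for host): ICMP header
    plus the IP header and 8 bytes of the datagram that triggered it."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, 64, 1, 0,
                        ipaddress.ip_address(orig_src).packed,
                        ipaddress.ip_address(orig_dst).packed) + b"\x00" * 8
    hdr = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                      ipaddress.ip_address(new_gw).packed)
    csum = icmp_checksum(hdr + inner)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + inner

def validate_redirect(icmp_src, msg, host_ip, prefix, current_gw):
    """Return (destination, new_gateway) if a host should honour this redirect
    under the RFC 1122 host rules; raise ValueError otherwise."""
    if len(msg) < 28:
        raise ValueError("truncated redirect")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, gw = struct.unpack("!BBH4s", msg[:8])
    if icmp_type != ICMP_REDIRECT or code not in (0, 1, 2, 3):
        raise ValueError("not an ICMP redirect")
    new_gw = ipaddress.ip_address(gw)
    dst = ipaddress.ip_address(msg[8 + 16:8 + 20])  # inner IP header dst
    local_net = ipaddress.ip_network(f"{host_ip}/{prefix}", strict=False)
    if ipaddress.ip_address(icmp_src) != ipaddress.ip_address(current_gw):
        raise ValueError("redirect not from the current first-hop gateway")
    if new_gw not in local_net or new_gw == ipaddress.ip_address(host_ip):
        raise ValueError("new gateway is not on the local subnet")
    return str(dst), str(new_gw)

def accepts(icmp_src, msg, host_ip, prefix, current_gw) -> bool:
    """Boolean wrapper around validate_redirect for quick checks."""
    try:
        validate_redirect(icmp_src, msg, host_ip, prefix, current_gw)
        return True
    except ValueError:
        return False
```

Stale cache entries of the kind Azm hit are not detected by these checks; they only stop a host from installing a redirect that did not come from its gateway or points off-link.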
Hi Rene ,
Just as always it is so useful to read through your thorough workouts.
So I think there is still another typo to be corrected
When the Linux host is pinging 3.3.3.3, in the ICMP redirect message the new next hop should be 192.168.12.2, should it not?
Sorry if I am mistaken.
Also, I tried to reproduce the same on the GNS3 3725 platform with IOS c3725-adventerprisek9-mz.124-15.T7.image… and I configured static routes on all the routers. So on the default gateway I did have the static route:
PC-1> ping 3.3.3.3
3.3.3.3 icmp_seq=1 timeout
3.3.3.3 icmp_seq=2 timeout
84 bytes from 3.3.3.3 icmp_seq=3 ttl=62 time=59.972 ms
84 bytes from 3.3.3.3 icmp_seq=4 ttl=62 time=47.914 ms
84 bytes from 3.3.3.3 icmp_seq=5 ttl=62 time=50.978 ms
PC-1> trace 3.3.3.3
trace to 3.3.3.3, 8 hops max, press Ctrl+C to stop
1 192.168.12.1 4.952 ms 9.991 ms 9.042 ms
2 3.3.3.3 9.929 ms 21.004 ms 10.019 ms
3 192.168.12.2 8.982 ms 31.034 ms 9.045 ms
4 192.168.23.1 21.917 ms
The auto secure feature is there but is not in effect, so ip redirect is not disabled.
My question is: since ICMP is part of IP, if ip redirect is not disabled by default then PC1 should get the message, right? But then it is not a proper host… a simulated one.
And I'm not sure why the 2nd hop is 3.3.3.3 on my traceroute from PC1?
The ip route on R1 is as follows
R1(config-if)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
C 192.168.12.0/24 is directly connected, FastEthernet0/0
1.0.0.0/30 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
3.0.0.0/32 is subnetted, 1 subnets
S 3.3.3.3 [1/0] via 192.168.12.2
S* 0.0.0.0/0 [1/0] via 1.1.1.2
R1(config-if)#
I have found that "no ip icmp redirect" is available on the router for use.
It would be good to get your feedback, please.
Kind regards,
Sutandra
Also, is multicast routing a kind of source routing? ICMP redirect messages, if enabled, do not work if IP packets use source routing… trying to understand what that is.
Hello Sutandra
Yes you are correct, I'll let Rene know about that…
Laz
Hello Sutandra
Yes it will get the message. It doesn't matter that the "host" is actually a router. The behaviour of the ICMP protocol will be the same for either a PC or a router.
Hmm, that is quite interesting. My hunch is that traceroute sends the first ICMP packet with a TTL of 1 to the gateway of 192.168.12.1, which is the first response we see. Then R1 sends a redirect back to the host informing it of the "better" gateway. The host sends an ICMP packet with a maximum TTL with the new gateway to see if it gets a response which it does. It then proceeds to continue the trace using increasing TTLs to R2 and R3.
This is just a hunch, but a wireshark trace of something like this would be very beneficial… I suggest you give it a try and share your results.
I hope this has been helpful!
Laz
Hello Sutandra
I'm not sure I understand completely, but multicast routing is something somewhat independent of ICMP redirect. For more information about multicast routing, take a look at the following lesson:
I hope this has been helpful!
Laz