This topic is to discuss the following lesson:
How to disable the IP redirect (receive) on a router acting as a host?
Hmm, good question. I’m not sure if there is a command to disable this. You might be able to filter the incoming ICMP redirect message with an access-list; that could do the trick.
This is an exceptional situation btw: IP routing has to be disabled on the router, which is not a common thing to do.
Does the IP redirect only redirect ICMP? Will any other protocol be redirected other than this?
When you receive an ICMP redirect then it will apply to all IPv4 traffic.
Got it. Thanks Rene.
Thanks Rene. You have got 100 out of 100. So normally we will keep ICMP redirect disabled, as it has a security vulnerability, but enable it only when it meets the criteria below:
1. The IP packet should be received and transmitted on the same interface.
2. The source IP address of the incoming packet should be on the same subnet as the new next hop IP address.
Please correct me if I am wrong.
It’s best to disable ICMP redirect completely. This example is great to demonstrate it, but it has a design issue. The hosts should use R2 as their default gateway; you won’t need ICMP redirects then.
The line "R2 only has a static route for 18.104.22.168 with R2 as its next hop", but the config shows 23.3 as the next hop, so it must be R3.
Or R2 having R2 as its next hop? I’m confused. Can you explain here?
This was a typo, it should be R3. Just fixed it, thanks!
I have a question and I am going to use the below diagram as a reference for my question.
From this switch, when I was trying to reach 10.10.20.20, I was not able to reach it. However, other IP addresses from the same subnet, such as 10.10.20.1 or 10.10.20.50, are reachable from the switch.
After doing some research, I found this:
Switch#show ip redirects
Default gateway is 192.168.115.10

Host               Gateway           Last Use    Total Uses  Interface
10.10.20.20        192.168.115.1       0:00          4912    Vlan20
Clearing the redirect cache resolved the issue and now 10.10.20.20 is reachable from the switch.
Switch#clear ip redirect
Switch#show ip redirects
Default gateway is 192.168.115.10

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
Would you please explain why?
Thanks in advance.
To understand why this happened, it’s first important to understand what IP Redirects are and how they work. IP Redirects are ICMP messages that are sent by routers that inform hosts of more appropriate gateways to use to get to a destination. The following documentation explains it excellently, however I will summarise below:
Take a look at the following topology:
First of all, notice that R1, R2 and Host H are all on the same subnet. Host H sends information to the remote branch office host. Host H is configured to use R1 as the default gateway. R1 examines its routing table and sees that the next hop should be R2. It also realises that Host H and the next hop are on the same subnet, so it sends an ICMP redirect to Host H informing it that it should send all future packets with a destination of the remote branch office host to R2. This entry is added to the IP redirect cache of the host.
Now, if the network topology changes such that the remote branch host can only be reached via R1 and no longer via R2, the IP redirect entry that has been provided will tell host H to go via R2 which is no longer valid, and the communication will fail.
This is what I believe has happened in your case. 10.10.20.20 was reachable at some point via the firewall at 192.168.115.10 and that was actually a better gateway to use for that destination so the switch was informed by an ICMP redirect message from the router that 192.168.115.1 is a better gateway choice and the switch maintained that info in its IP redirect cache. Your topology then changed somehow and 10.10.20.20 was no longer accessible via the firewall, however, the IP redirect was still valid and was trying to send the packets that way. Once you cleared the IP redirect list, the configured default gateway was being used and connectivity was restored.
I hope this has been helpful!
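As an added example (not code from this thread, from the lesson, or from Cisco), the following Python model implements the two redirect criteria listed earlier in the thread on the router side and a per-destination redirect cache on the host side, then walks through the failure just described: a cached gateway that outlives a topology change makes 10.10.20.20 unreachable until the cache is cleared, after which the default gateway is used again. The topology, addresses, router names and the `send` and `scenario` helpers are all constructed for this example.

```python
"""Model of the ICMP redirect decision and a host's redirect cache (added
example; all addresses, routers and routes below are constructed)."""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface, ip_network
from typing import Dict, List, Optional, Tuple

# (prefix, next hop or None when directly connected, outgoing interface)
Route = Tuple[IPv4Network, Optional[IPv4Address], str]


class Router:
    def __init__(self, interfaces: Dict[str, str], routes: List[Route]):
        self.interfaces = {n: ip_interface(a) for n, a in interfaces.items()}
        self.routes: List[Route] = []
        for r in routes:
            self.install(*r)

    def install(self, prefix: IPv4Network, next_hop: Optional[IPv4Address], iface: str) -> None:
        """Add or replace a route; keep the table longest-prefix first."""
        self.routes = [r for r in self.routes if r[0] != prefix] + [(prefix, next_hop, iface)]
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def withdraw(self, prefix: IPv4Network) -> None:
        self.routes = [r for r in self.routes if r[0] != prefix]

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        return next((r for r in self.routes if dst in r[0]), None)

    def ingress_interface(self, src: IPv4Address) -> Optional[str]:
        return next((n for n, i in self.interfaces.items() if src in i.network), None)

    def redirect_for(self, src: IPv4Address, dst: IPv4Address) -> Optional[IPv4Address]:
        """Gateway announced in an ICMP redirect, or None. Both criteria from the
        thread must hold: the packet leaves on the interface it arrived on, and
        the source shares a subnet with the new next hop. Connected destinations
        never trigger a redirect."""
        route = self.lookup(dst)
        if route is None or route[1] is None:
            return None
        in_if = self.ingress_interface(src)
        if in_if is None or in_if != route[2]:
            return None
        if route[1] not in self.interfaces[in_if].network:
            return None
        return route[1]


class Host:
    """Default gateway plus the per-destination cache 'show ip redirects' lists."""
    def __init__(self, address: str, default_gateway: str):
        self.address = ip_address(address)
        self.default_gateway = ip_address(default_gateway)
        self.redirect_cache: Dict[IPv4Address, IPv4Address] = {}

    def gateway_for(self, dst: IPv4Address) -> IPv4Address:
        return self.redirect_cache.get(dst, self.default_gateway)

    def clear_redirects(self) -> None:  # what 'clear ip redirect' does
        self.redirect_cache.clear()


def send(host: Host, dst: IPv4Address, routers: Dict[IPv4Address, Router], max_hops: int = 8) -> bool:
    """Forward one packet hop by hop; True when a router with dst directly
    connected is reached. A redirect from the first hop is cached and only
    affects later packets, as on a real host."""
    hop = routers.get(host.gateway_for(dst))
    if hop is not None:
        better = hop.redirect_for(host.address, dst)
        if better is not None:
            host.redirect_cache[dst] = better
    for _ in range(max_hops):
        if hop is None:
            return False
        route = hop.lookup(dst)
        if route is None:
            return False      # no route: dropped here
        if route[1] is None:
            return True       # directly connected: delivered
        hop = routers.get(route[1])
    return False


def scenario() -> Dict[str, object]:
    """Constructed topology: H, R1 and R2 share 192.168.1.0/24; 10.10.20.20 is
    first behind R2, then (after a change) only behind R3 via R1's other link."""
    dst = ip_address("10.10.20.20")
    lan, dest_net = ip_network("192.168.1.0/24"), ip_network("10.10.20.0/24")
    host = Host("192.168.1.10", "192.168.1.1")
    r1 = Router({"Fa0/0": "192.168.1.1/24", "Fa0/1": "10.0.0.1/30"},
                [(lan, None, "Fa0/0"), (ip_network("10.0.0.0/30"), None, "Fa0/1"),
                 (dest_net, ip_address("192.168.1.2"), "Fa0/0")])
    r2 = Router({"Fa0/0": "192.168.1.2/24", "Fa0/1": "10.10.20.1/24"},
                [(lan, None, "Fa0/0"), (dest_net, None, "Fa0/1")])
    r3 = Router({"Fa0/0": "10.0.0.2/30", "Fa0/1": "10.10.20.1/24"}, [(dest_net, None, "Fa0/1")])
    routers = {r.interfaces["Fa0/0"].ip: r for r in (r1, r2, r3)}
    out: Dict[str, object] = {}
    out["reachable_before"] = send(host, dst, routers)       # True, via R1 then R2
    out["cached_gateway"] = str(host.gateway_for(dst))       # R1 redirected H to R2
    # Topology change: R2 loses the 10.10.20.0/24 link, R1 now reaches it via R3.
    r2.withdraw(dest_net)
    r1.install(dest_net, ip_address("10.0.0.2"), "Fa0/1")
    out["reachable_stale"] = send(host, dst, routers)        # False: cache still says R2
    host.clear_redirects()
    out["reachable_after_clear"] = send(host, dst, routers)  # True: default gateway R1 again
    out["cache_after_clear"] = len(host.redirect_cache)      # 0: R1 no longer redirects
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running the script prints the five results in order; the stale-cache step is the situation the switch was in, and the empty cache after the clear matches R1 no longer meeting the same-interface criterion once its route to the destination leaves on a different interface.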
Hi Rene,
Just as always, it is so useful to read through your thorough workouts.
So I think there is still another typo to be corrected:
When the Linux host is pinging 22.214.171.124, in the ICMP redirect message should the new next hop not be 192.168.12.2?
Sorry if I am mistaken.
Also, I tried to reproduce the same on the GNS3 3725 platform with IOS c3725-adventerprisek9-mz.124-15.T7.image… and I configured static routes on all the routers. So on the default gateway I did have the static route:
PC-1> ping 126.96.36.199
188.8.131.52 icmp_seq=1 timeout
184.108.40.206 icmp_seq=2 timeout
84 bytes from 220.127.116.11 icmp_seq=3 ttl=62 time=59.972 ms
84 bytes from 18.104.22.168 icmp_seq=4 ttl=62 time=47.914 ms
84 bytes from 22.214.171.124 icmp_seq=5 ttl=62 time=50.978 ms

PC-1> trace 126.96.36.199
trace to 188.8.131.52, 8 hops max, press Ctrl+C to stop
 1   192.168.12.1     4.952 ms   9.991 ms   9.042 ms
 2   184.108.40.206   9.929 ms  21.004 ms  10.019 ms
 3   192.168.12.2     8.982 ms  31.034 ms   9.045 ms
 4   192.168.23.1    21.917 ms
The auto secure feature is there and is not in effect, so IP redirect is not disabled.
My question is, since ICMP is part of IP, if IP redirect is not disabled by default then PC1 should get the message, right? But then it is not a proper host… a simulated one.
And I am not sure why the 2nd hop is 220.127.116.11 on my traceroute from PC1?
The IP routes on R1 are as follows:
R1(config-if)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 18.104.22.168 to network 0.0.0.0

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     22.214.171.124/30 is subnetted, 1 subnets
C       126.96.36.199 is directly connected, Loopback0
     188.8.131.52/32 is subnetted, 1 subnets
S       184.108.40.206 [1/0] via 192.168.12.2
S*   0.0.0.0/0 [1/0] via 220.127.116.11
R1(config-if)#
I have found that ‘no ip icmp redirect’ is available on the router for use.
It would be good to get your feedback, please.
Also, are multicast routing techniques a kind of source routing? ICMP redirect messages, if enabled, do not work if IP packets use source routing… trying to understand what that is.
Yes you are correct, I’ll let Rene know about that…
Yes it will get the message. It doesn’t matter that the “host” is actually a router. The behaviour of the ICMP protocol will be the same for either a PC or a router.
Hmm, that is quite interesting. My hunch is that traceroute sends the first ICMP packet with a TTL of 1 to the gateway of 192.168.12.1, which is the first response we see. Then R1 sends a redirect back to the host informing it of the “better” gateway. The host sends an ICMP packet with a maximum TTL with the new gateway to see if it gets a response which it does. It then proceeds to continue the trace using increasing TTLs to R2 and R3.
This is just a hunch, but a Wireshark trace of something like this would be very beneficial… I suggest you give it a try and share your results.
I hope this has been helpful!
I’m not sure I understand completely, but multicast routing is something somewhat independent of ICMP redirect. For more information about multicast routing, take a look at the following lesson:
I hope this has been helpful!