02-14-2003 07:19 AM - edited 03-02-2019 05:06 AM
What is the purpose of issuing the "no ip redirects" command on a router interface?
02-14-2003 07:26 AM
It keeps the router from sending redirect messages to clients (ICMP). These are for when a router would know a more optimal path for a client to take rather than taking itself. It sends an ICMP Redirect to the client pointing it to another next-hop, rather than itself, for a given destination in hopes the client will take this new next hop to this destination.
Hope this helps,
Don
02-14-2003 07:35 AM
That helps.
Thanks
02-15-2003 03:14 PM
How does the "no ip redirects" command issued on router interfaces improve network security? I have come across documentation stating that. Could you also please explain why "ip unreachables" are turned off on serial interfaces and enabled on Ethernet or FastEthernet interfaces of routers?
Thanks,
RAJ
02-15-2003 11:42 PM
It improves security because if someone inserts another router on the network that the admins may not know about, it will not send the devices' traffic to the other questionable device. The questionable device may have routes to outside networks that aren't approved, or be doing other things with the packets it receives. Turning off redirects (and proxy-arp) enforces routing policy also.
Serial interfaces don't really need to send unreachables... users' traffic should go to a LAN interface as a next-hop and not a serial interface. You can also disable unreachables on a LAN interface if you want. This is a security item as well as an enforcement measure for good network design. There should be no unreachables sent if hosts are sending packets to known networks in your organization that are reachable.
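As an added example (not part of any post in this thread), the sketch below audits an IOS-style running-config for active interfaces that lack the three commands discussed above: `no ip redirects`, `no ip unreachables` and `no ip proxy-arp`. It assumes classic IOS behaviour, where these features are enabled by default and only the `no` form appears in the configuration; the sample config, interface names and addresses are constructed.

```python
import re

# Constructed sample running-config (not from the thread); names and addresses are made up.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 no ip unreachables
!
interface FastEthernet0/1
 no ip address
 shutdown
"""

# Assumption: classic IOS defaults, where these features are on unless the
# "no ..." form is present under the interface in the running-config.
HARDENING = ("no ip redirects", "no ip unreachables", "no ip proxy-arp")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any global command ends the block
    return interfaces

def audit(config):
    """Return {interface: [missing commands]} for interfaces that are up and have an IP."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        active = "shutdown" not in cmds and any(c.startswith("ip address ") for c in cmds)
        missing = [h for h in HARDENING if h not in cmds]
        if active and missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    for ifname, missing in audit(SAMPLE_CONFIG).items():
        print(f"{ifname}: missing {', '.join(missing)}")
```

Treat each finding as a prompt for review rather than an automatic fix: later posts in this thread describe a dialer backup interface and a DMVPN hub where these messages were wanted.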
03-19-2013 06:49 AM
Hi all,
I just removed no ip unreachable from the dialer interface.
A serial interface had the dialer interface as backup, but the auto triggering of ISDN was not happening on the dialer interface.
When I removed this command, it started happening. Could any one of you tell me the issue?
Feel free to contact me on sukki151190@gmail.com
Sukesh Tandon
05-28-2013 08:18 PM
no ip redirects--this disables ICMP redirect messages. Redirects happen when a router recognizes a packet arriving on an interface and the best route is out that same interface. In that case the router sends an ICMP redirect back to the source telling them about a better router on the same subnet. Subsequent packets take the optimal path. If you disable this, the packets would have continued using the suboptimal path (in this scenario).
It also improves security because if someone inserts another router on the network that the admins may not know about, it will not send the devices' traffic to the other questionable device.
02-13-2020 05:27 AM
You can take the example of a DMVPN hub-and-spoke setup where all the traffic is being sent to the hub from all the spokes. Now, to make these spokes understand that they can send and receive traffic to each other, this command is configured on the hub router, informing the spokes that they can have a more optimal path.