01-10-2013 03:55 AM - edited 03-04-2019 06:39 PM
I have a router where the SVI interfaces are not responding with TTL expired. This includes null 0 as well.
01-10-2013 04:07 AM
Hi,
can you explain further please.
Regards.
Alain
Don't forget to rate helpful posts.
01-10-2013 05:04 AM
Assume a scenario where I have three routers A -> B -> C. OSPF is running in all the routers and all P-P interfaces are part of area 0. C's SVI interface has the IP segment 10.241.3.1/24 (this is a part of area 3). C is summarising (area range command) this as 10.241.0.0/16 and advertising it. In this case, when I do a trace from router A to the destination 10.241.3.1 (active interface in router C), the trace gets dropped at router C. Whereas when I do a trace to a non-active IP 10.241.54.1 from A, it gets dropped at router B.
If the same is done replacing router C: in the 1st case, where I trace 10.241.3.1, the trace gets completed at router C (in the previous case it comes till here, after which I get * * *). In the 2nd case, where I trace 10.241.54.1, it comes till router C and gets dropped (in the previous case it drops at router B).
01-10-2013 01:00 PM
ashvanth
OSPF is running in all the routers and all P-P interfaces are part of area 0
C's SVI interface has the IP segment 10.241.3.1/24(this is a part of area 3
Can you post your config for the 3 routers?
res
Paul
01-10-2013 10:40 PM
Sorry, I'm not allowed to share the complete configuration. Hope the below configurations help. Since router 2 is a PE I don't have its configuration.
ROUTER 3:
!
interface Vlan4
 ip address 10.241.3.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
end
!
router ospf 1
 nsf
 area 3 nssa no-summary
 area 3 range 10.241.0.0 255.255.0.0
 network 10.241.3.0 0.0.0.255 area 3
 network 117.211.128.128 0.0.0.3 area 0
!
interface GigabitEthernet3/1
 ip address 117.211.128.129 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip ospf network point-to-point
 ip ospf mtu-ignore
 speed 100
 duplex full
end
ROUTER 1:
!
router ospf 1
 nsf
 network 117.212.128.128 0.0.0.3 area 0
!
interface GigabitEthernet3/1
 ip address 117.212.128.129 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip ospf network point-to-point
 ip ospf mtu-ignore
 speed 100
 duplex full
end
01-11-2013 07:23 AM
Traceroutes aren't working because you've disabled ICMP unreachables via the "no ip unreachables" interface commands.
01-11-2013 09:12 AM
You have disabled ICMP unreachables; here is a little information to help you understand ICMP unreachables.
This table is from IANA and shows the various types:
Type 3  Destination Unreachable                                              [RFC792]
Codes:
 0  Net Unreachable                                                          [RFC792]
 1  Host Unreachable                                                         [RFC792]
 2  Protocol Unreachable                                                     [RFC792]
 3  Port Unreachable                                                         [RFC792]
 4  Fragmentation Needed and Don't Fragment was Set                          [RFC792]
 5  Source Route Failed                                                      [RFC792]
 6  Destination Network Unknown                                              [RFC1122]
 7  Destination Host Unknown                                                 [RFC1122]
 8  Source Host Isolated                                                     [RFC1122]
 9  Communication with Destination Network is Administratively Prohibited    [RFC1122]
10  Communication with Destination Host is Administratively Prohibited       [RFC1122]
11  Destination Network Unreachable for Type of Service                      [RFC1122]
12  Destination Host Unreachable for Type of Service                         [RFC1122]
13  Communication Administratively Prohibited                                [RFC1812]
14  Host Precedence Violation                                                [RFC1812]
15  Precedence cutoff in effect                                              [RFC1812]
As you can see, Fragmentation Needed but Don't Fragment was Set is one of those. So yes, PMTUD will be impacted when you configure no unreachables.
Also, since the Cisco/Unix traceroute is based on sending UDP packets and looking for the Port Unreachable message to indicate that the probe has reached the destination, disabling unreachables will break the traceroute.
From a security standpoint, when you harden a device you want to minimize the amount of information that the device provides about itself to others, and disabling unreachables helps achieve this. But from the standpoint of things that help our network work better, the unreachable is helpful.
So you have two different points of view and their positions on unreachables. So which is more important: hardening devices by reducing the information that they provide, or helping the network to run better?
Best Regards,
Manouchehr
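As an added example (not code from this thread or from Cisco), the following Python models the mechanism Manouchehr describes: a UDP traceroute probe, the ICMP error a router sends back quoting that probe, and how the traceroute on the sending side matches the reply to its probe and decides between printing a hop, declaring the destination reached, or printing "*". All packets are constructed in memory (no sockets are opened), the IPv4 header checksum is left at zero since only the ICMP checksum is verified, and the base UDP port 33434 is the classic traceroute convention; the topology in the simulation is a stand-in for the A -> B -> C chain in the thread, not a reproduction of those routers' behaviour.

```python
import socket
import struct

# IANA ICMP type 3 (Destination Unreachable) codes, as listed in the post above.
UNREACHABLE_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed", 6: "Destination Network Unknown",
    7: "Destination Host Unknown", 8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    11: "Destination Network Unreachable for Type of Service",
    12: "Destination Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation", 15: "Precedence cutoff in effect",
}
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
TRACEROUTE_BASE_PORT = 33434  # classic UDP traceroute destination port (assumption)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_probe(src: str, dst: str, ttl: int, dport: int) -> bytes:
    """Constructed traceroute probe: 20-byte IPv4 header + 8-byte UDP header.
    IP header checksum is left 0 because this example only checks the ICMP one."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, ttl, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + struct.pack("!HHHH", 40000, dport, 20, 0)


def build_icmp_error(icmp_type: int, code: int, probe: bytes) -> bytes:
    """Constructed ICMP error: type, code, checksum, 4 unused bytes, then the
    probe's IP header plus the first 8 bytes of its payload (the UDP header)."""
    quoted = probe[:28]
    hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(hdr + quoted)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + quoted


def parse_icmp_error(msg: bytes) -> dict:
    """Verify the ICMP checksum and extract what traceroute needs to match a reply
    to the probe it sent: the quoted destination, protocol and UDP port."""
    if len(msg) < 36:
        raise ValueError("ICMP error too short to quote IP header + 8 bytes")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4          # inner IP header length in bytes
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {
        "type": icmp_type, "code": code,
        "name": UNREACHABLE_CODES.get(code) if icmp_type == ICMP_DEST_UNREACH else None,
        "inner_dst": socket.inet_ntoa(quoted[16:20]),
        "inner_proto": quoted[9], "udp_dport": dport,
    }


def classify_reply(reply, expected_dport: int) -> str:
    """What one probe's outcome means to traceroute:
    'hop' (TTL exceeded from a transit router), 'done' (Port Unreachable from
    the destination), 'unreach:<name>' (any other type 3 code) or '*' (no reply)."""
    if reply is None:
        return "*"
    info = parse_icmp_error(reply)
    if info["udp_dport"] != expected_dport:
        return "*"                        # not a reply to our probe; ignore it
    if info["type"] == ICMP_TIME_EXCEEDED:
        return "hop"
    if info["type"] == ICMP_DEST_UNREACH and info["code"] == 3:
        return "done"
    return "unreach:%s" % info["name"]


def simulate_traceroute(src: str, dst: str, transit_hops: list, dst_unreachables: bool,
                        max_ttl: int = 6) -> list:
    """One probe per TTL. Transit routers always answer with TTL exceeded; the
    destination answers Port Unreachable only if 'ip unreachables' is enabled,
    otherwise traceroute sees '*' until it gives up at max_ttl."""
    results = []
    for ttl in range(1, max_ttl + 1):
        dport = TRACEROUTE_BASE_PORT + ttl - 1   # port changes per probe, like real traceroute
        probe = build_udp_probe(src, dst, ttl, dport)
        if ttl <= len(transit_hops):
            reply = build_icmp_error(ICMP_TIME_EXCEEDED, 0, probe)
        elif dst_unreachables:
            reply = build_icmp_error(ICMP_DEST_UNREACH, 3, probe)
        else:
            reply = None                          # suppressed by 'no ip unreachables'
        results.append(classify_reply(reply, dport))
        if results[-1] == "done":
            break
    return results


if __name__ == "__main__":
    # Constructed stand-in for A -> B -> C with the destination on C.
    print(simulate_traceroute("117.212.128.129", "10.241.3.1", ["117.212.128.130"], True))
    print(simulate_traceroute("117.212.128.129", "10.241.3.1", ["117.212.128.130"], False, 4))
```

The first run completes in two hops because the destination's Port Unreachable tells traceroute it has arrived; the second run never gets that signal, so every probe past the transit router is reported as "*" until the TTL limit, which is the visible symptom of suppressing unreachables at the last hop. The same parser also decodes the other type 3 codes from the IANA table, which is useful when a trace stops with a code other than 3 (for example an administratively prohibited reply from a filter).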
01-16-2013 05:34 AM
But if you see, the trace to 10.241.3.1 gets completed. Only traces to non-existing segments in the 10.241.0.0/16 range get dropped.
01-16-2013 05:48 AM
Hello,
Can you post the exact outputs of the traceroute command? The verbal description of "what gets dropped where" is not very precise - the outputs will hopefully be more definitive.
Best regards,
Peter
01-17-2013 02:50 AM
A#traceroute 10.241.3.1
Type escape sequence to abort.
Tracing the route to 10.241.3.1
1 117.212.128.130 4 msec 0 msec 4 msec
2 117.211.128.129 0 msec 4 msec 0 msec
3 * * *
----------------------------------------------------------------------
A#traceroute 10.241.6.1
Type escape sequence to abort.
Tracing the route to 10.241.6.1
1 117.212.128.130 4 msec 0 msec 0 msec
2 *
-------------------------------------------------------------