A LinkedIN Question.- What is the use of these commands?

Hello,

For this question, I believe there is nothing better than looking at the routers themselves to see the following commands working:

no ip redirects (A)

no ip proxy arp (B)

no ip unreachables (C)

R1 has the following connected routes in its routing table:

R1(config-router)#do show ip route conn
1.0.0.0/32 is subnetted, 4 subnets
C 1.1.1.1 is directly connected, Loopback0
C 1.3.1.1 is directly connected, Loopback2
C 1.2.1.1 is directly connected, Loopback1
C 1.4.1.1 is directly connected, Loopback3
 10.0.0.0/24 is subnetted, 1 subnets
C 10.2.12.0 is directly connected, FastEthernet0/0

I am going to start with the no ip proxy-arp and no ip unreachables commands, and then move on to no ip redirects.

(B) For the NO IP PROXY ARP Command

R2#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip route 0.0.0.0 0.0.0.0 f0/0
R2(config)#do show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.2.12.1 0 000b.5fdf.0ee0 ARPA FastEthernet0/0
Internet 10.2.12.2 - 000b.5f88.de00 ARPA FastEthernet0/0
R2(config)#do ping 1.2.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R2(config)#do show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 1.2.1.1 0 000b.5fdf.0ee0 ARPA FastEthernet0/0
Internet 10.2.12.1 0 000b.5fdf.0ee0 ARPA FastEthernet0/0
Internet 10.2.12.2 - 000b.5f88.de00 ARPA FastEthernet0/0

See that R2 now has an ARP entry for destination 1.2.1.1 pointing at R1's MAC address, 000b.5fdf.0ee0. Because R2's default route points at the interface rather than at a next-hop IP, R2 sends an ARP request for the destination address itself, and R1 answers on behalf of its loopback (proxy ARP).

Let's try another one:

R2(config)#do ping 1.3.1.1 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.3.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R2(config)#do show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 1.3.1.1 0 000b.5fdf.0ee0 ARPA FastEthernet0/0
Internet 1.2.1.1 0 000b.5fdf.0ee0 ARPA FastEthernet0/0
Internet 10.2.12.1 1 000b.5fdf.0ee0 ARPA FastEthernet0/0
Internet 10.2.12.2 - 000b.5f88.de00 ARPA FastEthernet0/0

Same here, but for another destination.
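The two ARP tables above are the evidence that proxy ARP is in play: addresses that are not on 10.2.12.0/24 resolve to the same MAC as the on-subnet neighbour 10.2.12.1. The following script is an added example (not part of the original post) that automates that check over `show arp` output. The sample table is constructed to match the R2 output shown above; the function names and the subnet argument are this example's own.

```python
import ipaddress
import re

# Constructed sample "show arp" output for this example, modelled on the R2
# table shown in the post (not copied from a real device).
SAMPLE_ARP = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 1.3.1.1 0 000b.5fdf.0ee0 ARPA FastEthernet0/0
Internet 1.2.1.1 0 000b.5fdf.0ee0 ARPA FastEthernet0/0
Internet 10.2.12.1 1 000b.5fdf.0ee0 ARPA FastEthernet0/0
Internet 10.2.12.2 - 000b.5f88.de00 ARPA FastEthernet0/0
"""

# One "show arp" row: protocol, address, age, MAC, type, interface.
ARP_ROW = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)$"
)


def parse_arp(text):
    """Parse IOS 'show arp' output into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            ip, age, mac, iface = m.groups()
            entries.append({"ip": ipaddress.ip_address(ip), "age": age,
                            "mac": mac, "iface": iface})
    return entries


def find_proxy_arp(text, iface, iface_network):
    """Return (off-subnet IP, MAC, on-subnet neighbour) tuples.

    An entry whose address is outside the interface subnet but whose MAC
    equals an on-subnet neighbour's MAC means that neighbour answered an
    ARP request on behalf of the remote address, i.e. proxy ARP is active.
    The router's own address (age '-') is ignored.
    """
    net = ipaddress.ip_network(iface_network, strict=False)
    entries = [e for e in parse_arp(text) if e["iface"] == iface]
    neighbour_by_mac = {e["mac"]: e["ip"] for e in entries
                        if e["ip"] in net and e["age"] != "-"}
    findings = []
    for e in entries:
        if e["ip"] not in net and e["mac"] in neighbour_by_mac:
            findings.append((str(e["ip"]), e["mac"],
                             str(neighbour_by_mac[e["mac"]])))
    return findings


if __name__ == "__main__":
    for ip, mac, via in find_proxy_arp(SAMPLE_ARP, "FastEthernet0/0", "10.2.12.2/24"):
        print(f"{ip} resolved to {mac}, the MAC of on-subnet neighbour {via} (proxy ARP)")
```

Run against a real table, this flags every host that is silently depending on the router to proxy for it; that list is what you should review before turning proxy ARP off, because those hosts lose reachability the moment you do (as the failing ping further down shows).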

You can disable this behaviour on R1 with the no ip proxy-arp command under interface f0/0.

Let's show how it works:

@R1

R1#conf ter
R1(config)#int f0/0
R1(config-if)#no ip proxy-arp
R1(config-if)#do show run int f0/0
Building configuration...

Current configuration : 111 bytes
!
interface FastEthernet0/0
ip address 10.2.12.1 255.255.255.0
no ip proxy-arp
duplex auto
speed auto
end

R1(config-if)#

@R2

R2#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.2.12.1 0 000b.5fdf.0ee0 ARPA FastEthernet0/0
Internet 10.2.12.2 - 000b.5f88.de00 ARPA FastEthernet0/0
R2#ping 1.3.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.3.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

With this command, R1 no longer answers an ARP request for an address that lives behind one of its other interfaces (a different network) with its own MAC address. R2's ARP debug output now shows the request for 1.3.1.1 going out and never being answered:

R2#ping 1.3.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.3.1.1, timeout is 2 seconds:

*Apr 18 07:26:37.608: IP ARP: creating incomplete entry for IP address: 1.3.1.1 interface FastEthernet0/0
*Apr 18 07:26:37.608: IP ARP: sent req src 10.2.12.2 000b.5f88.de00,
 dst 1.3.1.1 0000.0000.0000 FastEthernet0/0.

(C) For the NO IP UNREACHABLES Command:

Say that R1 has an inbound access-list denying traffic towards 1.1.1.1.

On R1 we configure the following:

R1(config)#access-list 101 deny ip any host 1.1.1.1
R1(config)#access-list 101 permit ip any any
R1(config)#int f0/0
R1(config-if)#ip access-gr 101 in

Now from R2 we try to ping that destination.

R2#show ip route 1.1.1.1
% Network not in table
R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.U
*Apr 18 07:32:03.176: ICMP: dst (10.2.12.2) administratively prohibited unreachable rcv from 10.2.12.1.U
*Apr 18 07:32:05.176: ICMP: dst (10.2.12.2) administratively prohibited unreachable rcv from 10.2.12.1.
Success rate is 0 percent (0/5)

As you can see, R1 reports via ICMP (administratively prohibited unreachable) that something configured on it, the ACL, is preventing traffic from reaching 1.1.1.1. For security reasons you might want to disable this, so that R1 does not give itself away by responding to that traffic.

On R1 we configure the following:

R1(config-if)#no ip unreachables

And R2 no longer sees R1's IP address in the ping output:

R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#show deb
Generic IP:
 ICMP packet debugging is on

With this configured, people can no longer discover the IP address of a router that probably has an ACL configured.

Now for the last command, (A) no ip redirects.

Assume that R3 has the following route configured:

R3#conf te
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip route 1.1.1.1 255.255.255.255 10.2.12.2
R3(config)#

We know that R2 uses f0/0 to reach that destination, which is reachable via R1:

R2#show ip route 1.1.1.1
Routing entry for 1.1.1.1/32
 Known via "ospf 1", distance 110, metric 2, type intra area
 Last update from 10.2.12.1 on FastEthernet0/0, 00:05:28 ago
 Routing Descriptor Blocks:
 * 10.2.12.1, from 1.1.1.1, 00:05:28 ago, via FastEthernet0/0
 Route metric is 2, traffic share count is 1

R2 and R3 are in the same broadcast domain. Turn on ICMP debugging on R3:

R3#deb ip icmp
ICMP packet debugging is on

Then ping the destination 1.1.1.1 from R3:

R3#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Apr 22 11:22:08.799: ICMP: redirect rcvd from 10.2.12.2-- for 1.1.1.1 use gw 10.2.12.1.
*Apr 22 11:22:10.795: ICMP: redirect rcvd from 10.2.12.2-- for 1.1.1.1 use gw 10.2.12.1.
*Apr 22 11:22:12.799: ICMP: redirect rcvd from 10.2.12.2-- for 1.1.1.1 use gw 10.2.12.1.
*Apr 22 11:22:14.799: ICMP: redirect rcvd from 10.2.12.2-- for 1.1.1.1 use gw 10.2.12.1.
*Apr 22 11:22:16.795: ICMP: redirect rcvd from 10.2.12.2-- for 1.1.1.1 use gw 10.2.12.1.
Success rate is 0 percent (0/5)

There they are: ICMP redirects from R2 telling R3 to reach 1.1.1.1 via 10.2.12.1 directly.
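The debug output in the unreachables section (C) and in the redirects section (A) is exactly what a defender wants to watch for on a collector: which routers disclose themselves through administratively prohibited unreachables, and which hosts are being told by whom to change their next hop. The script below is an added example, not from the original post, that classifies such debug lines. The sample lines are constructed from the R2 and R3 output above plus one ordinary echo reply; the regular expressions and function names are this example's own.

```python
import re
from collections import Counter

# Constructed "debug ip icmp" lines for this example, modelled on the R2 and R3
# output in the post plus one ordinary echo reply (not a real capture).
SAMPLE_DEBUG = """\
*Apr 18 07:32:03.176: ICMP: dst (10.2.12.2) administratively prohibited unreachable rcv from 10.2.12.1
*Apr 18 07:32:05.176: ICMP: dst (10.2.12.2) administratively prohibited unreachable rcv from 10.2.12.1
*Apr 22 11:22:08.799: ICMP: redirect rcvd from 10.2.12.2-- for 1.1.1.1 use gw 10.2.12.1.
*Apr 22 11:22:10.795: ICMP: redirect rcvd from 10.2.12.2-- for 1.1.1.1 use gw 10.2.12.1.
*Apr 22 11:22:12.799: ICMP: echo reply rcvd, src 1.2.1.1, dst 10.2.12.2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "ICMP: dst (<our addr>) <reason> unreachable rcv from <reporter>"
UNREACHABLE = re.compile(r"ICMP: dst \(" + IPV4 + r"\) (.+?) unreachable rcv from " + IPV4)
# "ICMP: redirect rcvd from <sender>-- for <dest> use gw <new gateway>."
REDIRECT = re.compile(r"ICMP: redirect rcvd from " + IPV4 + r"-- for " + IPV4 + r" use gw " + IPV4)


def classify_icmp_debug(text):
    """Turn debug lines into event dicts; lines that are neither kind are skipped."""
    events = []
    for line in text.splitlines():
        m = UNREACHABLE.search(line)
        if m:
            events.append({"type": "unreachable", "our_addr": m.group(1),
                           "reason": m.group(2), "reporter": m.group(3)})
            continue
        m = REDIRECT.search(line)
        if m:
            events.append({"type": "redirect", "sender": m.group(1),
                           "dest": m.group(2), "new_gw": m.group(3)})
    return events


def summarize(events):
    """Per-sender counts: who discloses itself via unreachables, who issues redirects."""
    unreachables = Counter((e["reporter"], e["reason"])
                           for e in events if e["type"] == "unreachable")
    redirects = Counter((e["sender"], e["dest"], e["new_gw"])
                        for e in events if e["type"] == "redirect")
    return {
        "unreachables": {f"{r} ({why})": n for (r, why), n in unreachables.items()},
        "redirects": {f"{s} says reach {d} via {g}": n for (s, d, g), n in redirects.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(classify_icmp_debug(SAMPLE_DEBUG)).items():
        print(key, value)
```

A redirect from an address that is not one of your routers, or a redirect pointing at a gateway you do not recognise, is the case worth alerting on; the unreachable summary tells you which of your own routers are still leaking their address and ACL presence and therefore still need no ip unreachables.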

Now let's disable that behaviour on R2:

R2#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int f0/0
R2(config-if)#no ip redirects
R2(config-if)#

Let's try the ping again:

R3#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#

No more ICMP redirects.
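Having seen all three commands in action, the practical follow-up is checking which interfaces on a router still lack them. The script below is an added example (not from the original post) that parses interface stanzas out of a running configuration and reports the missing hardening commands per IP-bearing interface. The sample configuration is constructed around the FastEthernet0/0 stanza shown earlier; Loopback0 is taken from R1's routing table, and FastEthernet0/1 with its address is an assumption made for the example.

```python
# Constructed running-config excerpt for this example, modelled on the
# "show run int f0/0" output in the post; FastEthernet0/1 and its address
# are assumptions made for the example.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.2.12.1 255.255.255.0
 no ip proxy-arp
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
end
"""

# The three per-interface hardening commands discussed in the post.
HARDENING = ("no ip redirects", "no ip proxy-arp", "no ip unreachables")


def parse_interfaces(config):
    """Map interface name -> list of its config lines (whitespace stripped)."""
    ifaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line in ("!", "end") or not line:
            current = None              # stanza terminator
        elif current is not None:
            ifaces[current].append(line)
    return ifaces


def audit(config, skip_loopbacks=True):
    """Return {interface: [missing hardening commands]} for IP-bearing interfaces."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if skip_loopbacks and name.lower().startswith("loopback"):
            continue
        if not any(l.startswith("ip address ") for l in lines):
            continue                    # no IP configured, nothing to harden
        missing = [cmd for cmd in HARDENING if cmd not in lines]
        if missing:
            report[name] = missing
    return report


if __name__ == "__main__":
    for iface, missing in audit(SAMPLE_CONFIG).items():
        print(f"{iface}: missing {', '.join(missing)}")
```

Two caveats before applying the findings blindly: no ip unreachables also suppresses the "fragmentation needed" unreachable that path MTU discovery depends on, so apply it on the interfaces facing untrusted networks rather than everywhere; and no ip proxy-arp cuts off any host that was relying on the router to answer for off-subnet addresses, exactly as the failing ping in section (B) shows.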

I hope this helps

Victor Cappuccio.-


3 thoughts on “A LinkedIN Question.- What is the use of these commands?”

  1. aaaaaaaaaah!
    wish I could understand this IT geek stuff
    but alas I don’t – I can’t stand not understanding what I’m looking at! 🙂
    all the best
    remember to get out and about too!
    cheers

  2. Just landed on this place via Google research. I love it. This situation changed my perceptual experience and I am getting the RSS feeds. Cheers Up.
