How to disable ICMP redirect packets in Cisco IOS?


On a real IOS, the command to disable ICMP redirects is somewhat misleading as it's under the "ip" submenu, but the help clarifies the trouble:

router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#int f1/0
router(config-if)#no ip ?
Interface IP configuration subcommands:
<snip>
  redirects           Enable sending ICMP Redirect messages

router(config-if)#no ip redirects

router#sh run int f1/0
!
interface FastEthernet1/0
 description --- WAN
 ip address dhcp
 no ip redirects   <<<
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
end

Here interface configuration is shown with some other useful options for an "insecure" interface.

Btw, PacketTracer is great to learn the IOS command line, but I found its behavior way too different from a true IOS to be useful.

You may take a look at dynamips/dynagen/gns3, or even quagga. Dynamips and its frontend gns3 are used for realistic labs, as they use a real IOS image, and quagga is an IOS-like routing daemon for Unixes.
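As an added example (not part of the original answer), a small Python audit that parses `show running-config` output and reports interfaces lacking the two hardening lines shown above; the sample config and the control labels are constructed here. The check relies on a detail worth remembering: IOS omits default settings from the running config, so an interface without an explicit `no ip redirects` line still sends redirects.

```python
"""Audit Cisco IOS running-config text for per-interface ICMP hardening."""

# Controls taken from the interface config in the answer; labels are my own.
REQUIRED = {
    "ICMP redirects disabled": "no ip redirects",
    "Proxy ARP disabled": "no ip proxy-arp",
}

# Constructed sample: one hardened WAN interface, one left at IOS defaults.
SAMPLE_CONFIG = """\
!
interface FastEthernet1/0
 description --- WAN
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 ip nat outside
!
interface FastEthernet1/1
 description --- LAN
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
end
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [sub-command lines]} from show running-config output.

    IOS indents interface sub-commands with one space; a '!' or any other
    top-level command ends the stanza.
    """
    stanzas: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # end of stanza
    return stanzas

def missing_controls(config: str) -> dict[str, list[str]]:
    """Map each interface to the hardening commands it lacks ([] means compliant)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        present = set(lines)
        findings[name] = [label for label, cmd in REQUIRED.items() if cmd not in present]
    return findings

if __name__ == "__main__":
    for iface, gaps in missing_controls(SAMPLE_CONFIG).items():
        print(f"{iface}: {'OK' if not gaps else 'MISSING: ' + ', '.join(gaps)}")
```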

Author by JCCyC

Updated on September 18, 2022

Comments

  • JCCyC
    JCCyC over 1 year

    I'm studying a "good practices" document for Cisco IOS, and one of its controls tells me to disable ICMP Redirect packets in the router. Sounds reasonable. So I go test it in Cisco Packet Tracer (a nifty little network emulator program). In my virtual router's IOS CLI, I type the following:

    jcios01#config term
    Enter configuration commands, one per line.  End with CNTL/Z.
    jcios01(config)#interface GigabitEthernet9/0
    jcios01(config-if)#no ip mask-reply
                              ^
    % Invalid input detected at '^' marker.
    

    I'm puzzled. That's what the document told me to do: enable, "config term", "interface " and then "no ip mask-reply". Am I forgetting something?

    Yes, I'm a Cisco newbie.

  • JCCyC
    JCCyC almost 13 years
    Yeah, in the end it was PacketTracer's problem. Even the alternative syntax I tried first (no ip mask-reply) worked. I hooked up an old 2511 we had lying around and everything went just fine. Thanks!
  • SpacemanSpiff
    SpacemanSpiff almost 13 years
    This is good reading about redirects :) packetattack.org/2011/05/26/…