ip forward-protocol nd??

Answered Question
Aug 27th, 2010

Hi,

I am using a 3600 router. In the show running configuration output there is one line, i.e. "ip forward-protocol nd". What is that??

Please help us by providing the details.

Correct Answer
Giuseppe Larosa Fri, 08/27/2010 - 06:36

Hello Abhinay,

see command reference

http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1108053

nd

Forwards Network Disk (ND) packets. This protocol is used by older diskless Sun workstations.

The command works in conjunction with ip helper-address and tells for what protocols the relay function should be performed.

Hope to help

Giuseppe

Richard Burts Fri, 08/27/2010 - 07:03

Abhinay

Just to add a little to the good explanation by Giuseppe of what it is:

- where did the command come from? The IOS inserted that command into the configuration. I am not sure why, but there are a number of releases where IOS does insert that command.

- does the command have any impact? No that command does not have any impact on the router or its performance.

- should you try to remove the command? No you should not try to remove it, just ignore it.

HTH

Rick

Peter Paluch Fri, 08/27/2010 - 07:54

Rick,

> should you try to remove the command? No you should not try to remove it, just ignore it.

Actually, I would recommend just the opposite. The ND protocol is obviously so ancient that I was not even able to find any specifications about it (I've done my Google job) - just bits and pieces suggesting that it was used even before the Network File System (in the early 80's). In my opinion, there is no need to have the ND protocol forwarded by means of a UDP helper unless the user knows for sure that he/she is using the ND protocol, and so I would disable the forwarding of ND packets here.

Best regards,

Peter

Correct Answer
Richard Burts Fri, 08/27/2010 - 08:38

Peter

So we do not agree (and people with differing outlooks and opinions are part of what makes the forum so excellent). My advice was based on these factors:

- I believe that the command is harmless. Assuming that your research is correct (and I do believe that it is) then there will be no ND traffic on the network and the presence of forward-protocol nd will have no effect.

- IOS inserts the statement into the running config. I do not know why (do you)? Perhaps there are occasional instances where IOS inserts a command that does nothing, but I believe that most of the time when IOS inserts a command that it is there for a reason. Since I am not sure about this particular command I tend to not want to mess with IOS and leave the command alone.

- It has been my experience that sometimes when IOS inserts a command, it really does not want that command to be removed. I do not remember the specifics but I do remember an experience where there was some command that had appeared in the running config and I decided to remove it. To my surprise I could enter "no" but the command was still there.

So if I believe that the command is harmless, if I believe that it might be there for some purpose that we do not understand, and if I am not sure that it will really come out, then my advice is to just ignore it. Your advice is different, and that is ok. Now Abhinay has a decision to make. If he chooses to remove the command I hope that he will post back to the forum indicating what the results might have been.

HTH

Rick

Nagaraja Thanthry Fri, 08/27/2010 - 08:52

Hello,

ND is the legacy SUN protocol to boot diskless workstations.

http://www.netbsd.org/docs/network/netboot/intro.html

So, if we have a system that uses ND protocol, then it is a good idea to leave it that way. If not, it can be removed without any harm. On the other hand, this command is not put in by the IOS, it has to be manually configured. So, somebody should have configured it on the switch (knowingly/unknowingly). So, if it is not hurting, it is OK to leave it or if you want a cleaner configuration and it is not needed (for sure), then you can remove it as well.

Regards,

NT

Peter Paluch Fri, 08/27/2010 - 09:32

Hello Nagaraja,

> On the other hand, this command is not put in by the IOS, it has to be manually configured. So, somebody should have configured it on the switch (knowingly/unknowingly).

I disagree with this statement. The ip forward-protocol nd command is the default and is put in by the IOS - it is just not displayed in all IOS versions. It started appearing in the IOS configuration automatically somewhere around 12.4 (or perhaps even 12.3T).

Best regards,

Peter

Peter Paluch Fri, 08/27/2010 - 09:27

Hello Rick,

I am very thankful for your thoughts, and I also appreciate having different opinions - that, if discussed appropriately, moves things forward!

Regarding your ideas: I agree that there is no regular ND traffic to be found in today's networks so having that command present does no immediate harm. That also has an opposite side to it: if there is any ND traffic in today's networks, either incidentally or by malicious intent, this command will make the router forward it which could be considered undesirable. In my opinion, having an unused feature activated is actually a potential waste of system resources, and at the same time, a potential security hole (be it any unused service, no matter how harmless).

Regarding a command being inserted into configuration automatically by Cisco, I tend to be careful about it if no sensible information can be found, but in this case, the purpose of the command seems to be pretty clear. Why it is visible in the configuration and why it was not visible previously can be a matter of debate. However, what I've read somewhere is that if a default value of a command (usually invisible in a config) is to be changed in upcoming IOS versions, it is done in a couple of steps, one of them being making that command in its current version visible in the configuration so that people are actually aware of it being active, and then changing it to the opposite value and perhaps making the opposite form invisible after a time. Now, the ip forward-protocol nd is the default value even in older IOS versions (tested on 12.3 IOS for 3620 series routers), it just isn't visible in the configuration. The 12.4 and newer IOSes simply display that command visibly but they only display its default value. As the Network Disk protocol (IP protocol 77 from what I have been able to dig out in the meantime) is obviously largely unused, I can imagine this command being right in the period of transition to the inactive state.

Best regards,

Peter

lcaruso Thu, 07/07/2011 - 14:23

what about this...the IOS inserts this as well.

ip source-route

I believe I read in 1999 ip source route was a bad idea, a security hole.
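
An added example, not part of the original thread and not Cisco tooling: a small audit of a saved running-config for the two commands raised above. It assumes, as stated in the posts, that a default can be active without being displayed, so an absent line is reported as an assumed default rather than as disabled; the sample config and all function names are constructed for illustration.

```python
import re

# Commands raised in the thread. Treating both as on-by-default when the
# config shows neither form is an assumption based on the posts above.
DEFAULT_ON = ("ip forward-protocol nd", "ip source-route")

# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
hostname R1
!
no ip source-route
ip forward-protocol nd
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.10
!
"""

def global_state(config_text):
    """Map each command to (state, evidence) using global-level lines only."""
    lines = {l.rstrip() for l in config_text.splitlines()}
    state = {}
    for cmd in DEFAULT_ON:
        if "no " + cmd in lines:
            state[cmd] = ("disabled", "explicit")
        elif cmd in lines:
            state[cmd] = ("enabled", "explicit")
        else:  # line hidden: older releases may not display the default
            state[cmd] = ("enabled", "assumed default")
    return state

def helper_interfaces(config_text):
    """Return {interface: [helper targets]}; relaying only happens there."""
    current, found = None, {}
    for line in config_text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None
        elif current and line.startswith(" ip helper-address "):
            found.setdefault(current, []).append(line.split()[-1])
    return found

def nd_relay_exposed(config_text):
    """True when ND forwarding is on and some interface has a helper."""
    on = global_state(config_text)["ip forward-protocol nd"][0] == "enabled"
    return on and bool(helper_interfaces(config_text))
```

Because the forward-protocol list only matters where ip helper-address is configured, `nd_relay_exposed` combines both checks instead of flagging the global line alone.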

Posted August 27, 2010 at 6:00 AM