827 Views, 0 Helpful, 3 Replies

icmp redirect issue

ita_hsieh
Level 1

Hi guys,

We have a firewall that connects to the internet. We also have a 6509 switch connected to the internal LAN. The client PC, the 6509 interface and the firewall are on the same subnet. The client's gateway is on the 6509. When a client tries to access the internet, the 6509 switch should send an ICMP redirect to the client telling it to go to the firewall for internet access. However, I've found that some clients were not receiving ICMP redirects, therefore their internet traffic is sent to the 6509 and then to the firewall. From the 6509 debug we saw it sending ICMP redirects once or twice per second. Is this a security feature to prevent the MSFC from a DoS attack? If so, is there any way to override it? Thanks for the help.

Regards

3 Replies

gpulos
Level 8

Do you just have the PIX and the PC connected to the same subnet, with the PC's default gateway pointing to the MSFC and the MSFC's default gateway pointing to the PIX?

This would allow the PC to get to the internet, and the ICMP redirect sent to the PC would inform it of the better route.

How is your ICMP redirect configured? Can you post the configuration of the switch/MSFC?

Do you have the 'no ip redirects' command configured on the MSFC SVI for the PC VLAN? If so, use the 'ip redirects' command on the MSFC SVI (VLAN) that the PC connects to.

This will allow the MSFC SVI to send ICMP redirects.

Please see the following link for more info on ICMP redirects:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
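An added configuration example, not taken from this thread or from the linked Cisco document, showing the SVI setting that suppresses redirects next to the one that enables them, together with the commands used to verify the behaviour. The interface name (Vlan10), the addresses and the firewall next hop are assumptions chosen for illustration.

```cisco
! Constructed example: VLAN 10 is the shared subnet holding the PCs, the MSFC SVI
! and the firewall. Addresses are placeholders, not values from the thread.
!
! Setting that breaks this design: the SVI never sends redirects, so every
! internet-bound packet from a PC hairpins through the MSFC to the firewall.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
!
! Intended setting: redirects are sent, so after its first redirected packet a PC
! sends internet traffic straight to the firewall at 10.10.10.254.
! 'ip redirects' is the default and is not shown in the running config;
! only the 'no' form appears there.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip redirects
!
! The MSFC's default route must point at the firewall on the same subnet;
! without a next hop on the client's own subnet there is nothing to redirect to.
ip route 0.0.0.0 0.0.0.0 10.10.10.254
!
! Verify per interface: the output reads "ICMP redirects are always sent"
! when enabled and "ICMP redirects are never sent" when disabled.
show ip interface Vlan10 | include ICMP redirects
!
! Watch redirects as they are generated. This debug is per packet and handled
! by the CPU, so use it briefly or scope it with an access list.
debug ip icmp
!
! On a Catalyst 6500 the supervisor applies hardware rate limiters to traffic
! punted to the MSFC; which limiters exist and their defaults depend on the
! supervisor and IOS release, so inspect the active set before attributing
! missing redirects to software behaviour.
show mls rate-limit
```

A redirect is only generated when the packet arrives and would leave on the same interface and the next hop is on the same subnet as the source, so the default route above is part of the check, not decoration. From a defender's view, a host that honours redirects is trusting any on-link device that sends one, which is why many hardened client builds ignore them; if that is the case here, enabling redirects on the MSFC will not change the traffic path for those hosts, and the hairpin through the MSFC becomes the expected behaviour rather than a fault.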

Hi,

ICMP redirects are enabled by default on most Cisco layer 3 devices. You can turn off this feature by configuring 'no ip redirects' under the layer 3 interface in your switch.

AFAIK, the reason for ICMP redirects is to tell the client to use a shorter route to get to the destination. One occasion where the feature may have to be turned off on the router is when the client doesn't accept ICMP redirects.

HTH

Sundar

Hi,

The ip redirect is enabled by default. What I was wondering is why some clients are receiving ICMP redirects and others don't for a given destination. It seems the MSFC is rate-limiting the ICMP redirects to the clients.