09-18-2006 08:34 AM - edited 03-03-2019 05:05 AM
hi guys:
We have a firewall that connects to the internet. We also have a 6509 switch connected to the internal LAN. The client PC, the 6509 interface and the firewall are on the same subnet. The client's gateway is on the 6509. When a client tries to access the internet, the 6509 switch should send an ICMP redirect to the client telling it to go to the firewall for internet access. However, I've found that some clients were not receiving the ICMP redirect, therefore internet traffic is sent to the 6509 and then to the firewall. From the 6509 debug we saw it sending ICMP redirects once or twice per second. Is this a security feature to prevent the MSFC from a DoS attack? If so, is there any way to override it? Thanks for the help.
regards
09-18-2006 09:12 AM
Do you just have the PIX and the PC connected to the same subnet, with the PC's default gateway pointing to the MSFC and the MSFC's default gateway pointing to the PIX?
This would allow the PC to get to the internet, and the ICMP redirect sent to the PC informs it of the better route.
How is your ICMP redirect configured? Can you post the configuration of the switch/MSFC?
Do you have the 'no ip redirects' command configured on the MSFC SVI for the PC VLAN? If so, use the 'ip redirects' command on the MSFC SVI (VLAN) that the PC connects to.
This will allow the MSFC SVI to send ICMP redirects.
please see the following link for more info on icmp redirects:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
09-18-2006 10:44 AM
Hi,
ICMP redirects are enabled by default on most Cisco layer 3 devices. You can turn off this feature by configuring 'no ip redirects' under the layer 3 interface in your switch.
AFAIK, the reason for ICMP redirects is to tell the client to use a shorter route to get to the destination. One occasion where the feature may have to be turned off on the router is when the client doesn't accept ICMP redirects.
HTH
Sundar
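As an added example that is not part of this thread (not Cisco's code or either poster's), here is the ICMP redirect exchange the two replies above describe, built and decoded in Python: the router (the MSFC SVI in the original topology) sends a type 5 "redirect for host" message carrying the better gateway (the firewall) plus the header of the client's original datagram, and the client applies the RFC 1122 host rules before installing the route. Those rules are also the reason a client can silently ignore a redirect, which is the case Sundar mentions. All addresses (10.1.1.1 for the MSFC, 10.1.1.2 for the firewall, 10.1.1.50 for the client, 198.51.100.10 as the internet destination) and the embedded UDP datagram are constructed for the example.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "net", 1: "host", 2: "tos-net", 3: "tos-host"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(router_ip: str, client_ip: str, new_gateway: str,
                   orig_src: str, orig_dst: str, code: int = 1) -> bytes:
    """The packet the router sends: ICMP type 5, gateway address, then the
    original datagram's IP header plus its first 8 bytes (constructed UDP here)."""
    orig_hdr = build_ipv4_header(orig_src, orig_dst, 17, 8)
    orig_first8 = struct.pack("!HHHH", 40000, 53, 8, 0)  # constructed UDP header
    body = ipaddress.IPv4Address(new_gateway).packed + orig_hdr + orig_first8
    icmp = struct.pack("!BBH", ICMP_REDIRECT, code, 0) + body
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4_header(router_ip, client_ip, 1, len(icmp)) + icmp


def parse_redirect(pkt: bytes) -> dict:
    """Decode an IPv4/ICMP redirect into the fields a host needs to act on it."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp[0] != ICMP_REDIRECT:
        raise ValueError("ICMP type %d is not a redirect" % icmp[0])
    inner = icmp[8:]  # embedded original IP header
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),   # router that sent it
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),   # client it was sent to
        "code": icmp[1],
        "kind": REDIRECT_CODES.get(icmp[1], "unknown"),
        "gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def validate_redirect(info: dict, client_ip: str, prefix_len: int, current_gateway: str):
    """RFC 1122 section 3.2.2.2 host checks. Returns (accept, reason). A host
    that fails any of these ignores the redirect and keeps sending via the router."""
    net = ipaddress.ip_network("%s/%d" % (client_ip, prefix_len), strict=False)
    if info["dst"] != client_ip:
        return False, "redirect not addressed to this host"
    if info["orig_src"] != client_ip:
        return False, "embedded datagram was not sent by this host"
    if info["src"] != current_gateway:
        return False, "redirect did not come from the current first-hop gateway"
    if ipaddress.IPv4Address(info["gateway"]) not in net:
        return False, "new gateway is not on a directly connected network"
    return True, "install host route %s via %s" % (info["orig_dst"], info["gateway"])


if __name__ == "__main__":
    # MSFC redirects the client to the firewall for an internet destination.
    pkt = build_redirect("10.1.1.1", "10.1.1.50", "10.1.1.2", "10.1.1.50", "198.51.100.10")
    info = parse_redirect(pkt)
    print(info)
    print(validate_redirect(info, "10.1.1.50", 24, "10.1.1.1"))
    # Same message from a host that is not the client's gateway: must be ignored.
    spoof = build_redirect("10.1.1.99", "10.1.1.50", "10.1.1.99", "10.1.1.50", "198.51.100.10")
    print(validate_redirect(parse_redirect(spoof), "10.1.1.50", 24, "10.1.1.1"))
```

The third and fourth checks in `validate_redirect` are the ones that matter operationally: a redirect is only honoured when it arrives from the gateway the client is already using and points to a gateway on the client's own subnet, so a client whose configured gateway is not the MSFC, or a firewall on a different subnet, will never install the route even though the MSFC sends the redirect. The same checks are what stop a spoofed redirect from an arbitrary host on the LAN from hijacking the client's traffic.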
09-18-2006 05:18 PM
hi
IP redirects are enabled by default. What I was wondering is why some clients are receiving the ICMP redirect and others don't for a given destination. It seems the MSFC is rate-limiting the ICMP redirects to the clients.