It keeps the router from sending redirect messages to clients (ICMP). These are for when a router would know a more optimal path for a client to take rather than taking itself. It sends an ICMP Redirect to the client pointing it to another next-hop, rather than itself, for a given destination in hopes the client will take this new next hop to this destination.
How does the "no ip redirects" command issued on router interfaces improve network security? I have come across documentation stating that. Could you also please explain why "ip unreachables" are turned off on serial interfaces and enabled on Ethernet or FastEthernet interfaces of routers?
It improves security because if someone inserts another router on the network that the admins may not know about, it will not send the devices' traffic to the other questionable device. The questionable device may have routes to outside networks that aren't approved, or be doing other things with the packets it receives. Turning off redirects (and proxy-arp) enforces routing policy also.
Serial interfaces don't really need to send unreachables... users' traffic should go to a LAN interface as a next-hop and not a serial interface. You can also disable unreachables on a LAN interface if you want. This is a security item as well as an enforcement measure for good network design. There should be no unreachables sent if hosts are sending packets to known networks in your organization that are reachable.
no ip redirects--this disables ICMP redirect messages. Redirects happen when a router recognizes a packet arriving on an interface and the best route is out that same interface. In that case the router sends an ICMP redirect back to the source telling them about a better router on the same subnet. Subsequent packets take the optimal path. If you disable this, the packets would have continued using the suboptimal path (in this scenario).
It also improves security because if someone inserts another router on the network that the admins may not know about, it will not send the devices' traffic to the other questionable device.
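An added example, not code from any of the posts above: a small audit that reads IOS configuration text and reports interfaces still missing the hardening commands discussed in this thread. The policy it checks (redirects and proxy-arp off on every addressed interface, unreachables off on serial interfaces only), the function names and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
interface Serial0/0/1
 no ip address
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m or not line.startswith(" "):
            # A new stanza starts, or "!" / a global command ends the old one.
            current = interfaces.setdefault(m.group(1), []) if m else None
        elif current is not None:
            current.append(line.strip())
    return interfaces

def audit(config):
    """Return {interface: [missing hardening commands]} for addressed interfaces."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("ip address ") for l in lines):
            continue  # no IP address configured, nothing to audit
        required = ["no ip redirects", "no ip proxy-arp"]
        if name.lower().startswith("serial"):
            required.append("no ip unreachables")  # assumed policy: serial only
        missing = [cmd for cmd in required if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    for intf, missing in audit(SAMPLE_CONFIG).items():
        print(f"{intf}: missing {', '.join(missing)}")
```

IOS enables redirects, unreachables and proxy-arp by default and omits defaults from the running-config, so the absence of the `no` form is what the audit treats as a finding.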