Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3120
Views
0
Helpful
2
Replies

command no ip unreachable

Go to solution
czrussel
Level 1
Level 1

‎07-19-2004 08:09 AM - edited ‎03-02-2019 05:10 PM

I running version 12.3(9) on a 1751 router. If, I understand the command, it should stop successful trace routes to this interface, correct? If so , it's not working. I can trace route to this interface with the command enabled or disabled, but if I stop icmp echo's to this interface I can't trace to it at all, with command enabled or disabled. Can any explain this.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Georg Pauwen
VIP
VIP

‎07-19-2004 12:17 PM

Hello,

the ´no ip unreachables´command in itself does not prevent successful traceroutes. All it does is that, if traceroutes are prevented by an access-list, it does not send a ´port unreachable message´ to the router initiating the traceroute.

If you have access to two routers in a test environment, try the following to see what the command does:

On one router, block ICMP traceroute traffic:

access-list 101 deny icmp any any eq traceroute

access-list 101 permit ip any any

Then apply the access list to the interface where you have the command ´no ip unreachables´ configured:

interface Ethernet0

no ip unreachables

ip access-group 101 in

Turn on debugging for ICMP on both routers and start the traceroute:

debug ip icmp

term mon

With the command ´no ip unreachables´ configured, the traceroute is blocked but nothing is sent to the originating router.

With ´ip unreachables´ configured, the router that is blocking the traceroute sends a ´port unreachable´ message back to the originating router, it looks similar to this:

3w5d: ICMP: dst (135.13.20.2) port unreachable sent to 135.13.20.1

HTH,

Georg

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Georg Pauwen
VIP
VIP

‎07-19-2004 12:17 PM

Hello,

the ´no ip unreachables´command in itself does not prevent successful traceroutes. All it does is that, if traceroutes are prevented by an access-list, it does not send a ´port unreachable message´ to the router initiating the traceroute.

If you have access to two routers in a test environment, try the following to see what the command does:

On one router, block ICMP traceroute traffic:

access-list 101 deny icmp any any eq traceroute

access-list 101 permit ip any any

Then apply the access list to the interface where you have the command ´no ip unreachables´ configured:

interface Ethernet0

no ip unreachables

ip access-group 101 in

Turn on debugging for ICMP on both routers and start the traceroute:

debug ip icmp

term mon

With the command ´no ip unreachables´ configured, the traceroute is blocked but nothing is sent to the originating router.

With ´ip unreachables´ configured, the router that is blocking the traceroute sends a ´port unreachable´ message back to the originating router, it looks similar to this:

3w5d: ICMP: dst (135.13.20.2) port unreachable sent to 135.13.20.1

HTH,

Georg

0 Helpful

Go to solution
czrussel
Level 1
Level 1

‎07-19-2004 01:02 PM

Thanks,

This link really answered for me. It helped to understand the difference how Cisco, Linux and Windows handle traceroute, which I didn't know there are different way of doing it.

http://cisco.com/en/US/tech/tk364/tk871/technologies_tech_note09186a00801ae32a.shtml

0 Helpful
Customers Also Viewed These Support Documents