A couple more thoughts on the issue of ICMP redirects.  
First, Edward Solomon had a pretty good concise analysis of the 
options available in the environment you have and the 
advantages and disadvantages to each:

> (1) Proxy ARP
> (2) ICMP Redirects
> (3) ICMP Router Discovery Protocol
> (4) Run a routing protocol on the workstations
> (5) Hot Standby Router Protocol

I will not replay the analysis, because it was right on track.  
There are still other issues involved.  Muhammed Khalilullah 
correctly pointed out that you need to use the "no ip redirect" 
command in interface configuration mode to shut redirects off 
at the source (which I did not previously mention). I am not 
aware of a similar command for the CBOS based systems. Still, 
there is the final piece which has not been mentioned, namely 
the client side of this.  I was curious how MS stood on these 
issues and I checked it out.  Here is what they have to say:

When a Windows-based computer is initialized, the route table 
normally contains only a few entries. One of those entries 
specifies a default gateway. Datagrams that have a destination 
IP address with no better match in the route table are sent to 
the default gateway. However, because routers share information 
about network topology, the default gateway may know a better 
route to a given address. When this is the case, then upon 
receiving a datagram that could take the better path, the 
router forwards the datagram normally. It then advises the 
sender of the better route, using an ICMP Redirect message. 
These messages can specify redirection for one host, a subnet, 
or for an entire network. When a Windows-based computer 
receives an ICMP redirect, a validity check is performed to be 
sure that it came from the first-hop gateway in the current 
route, and that the gateway is on a directly connected network. 
If so, a host route with a 10-minute lifetime is added to the 
route table for that destination IP address. If the ICMP 
redirect did not come from the first-hop gateway in the current 
route, or if that gateway is not on a directly connected 
network, the ICMP redirect is ignored.

To answer your specific question, it will take ten minutes to 
purge the entry.  Now you need to think about this a little 
bit.  Is this a sort of "planned" behavior you want to see?  
That is your call.  Another issue would probably focus on how 
to change the ten minute time.  I have not found a registry key 
to do that.  I have found the registry key to listen to 
redirects or ignore them.  It is found here:

HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services 
\Tcpip\Parameters

NOTE: The above registry key is one path; it has been wrapped 
for readability.

On the Edit menu, click Add Value, type EnableICMPRedirects, 
click REG_DWORD in the Data Type box, and then click OK.

Type 0, and then click OK. NOTE: Setting this registry entry to 
a value of 1 enables ICMP Redirects. 

NOTE: All standard disclaimers apply to using the registry 
editor, namely you make changes at your own risk, and you may 
render your OS inoperable if you do it wrong.  If you wanted to 
make the changes en masse, my best bet would be to put it in 
the netlogon directory and it will get implemented on the next 
login.

I can't say which way is right for you.

HTH,

Paul Werner
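Added example, not part of Paul's post or the thread: a PowerShell script that audits the EnableICMPRedirects value described above on the local host, lists host routes that look like the 10-minute entries a redirect creates, and can set the value to 0 for a logon-script style rollout. The function names are my own, and the route listing assumes a Windows version with the NetTCPIP module (Get-NetRoute), which the original NT-era systems did not have.

```powershell
# Added example, not from the original post or thread. Audits and sets the
# EnableICMPRedirects value the post describes. Function names are my own.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName   = 'EnableICMPRedirects'

function Get-IcmpRedirectSetting {
    # Returns 0 (redirects ignored), 1 (redirects honored), or $null when the
    # value has never been created, in which case the stack default applies.
    $item = Get-ItemProperty -Path $TcpipParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-IcmpRedirectSetting {
    # Writes the REG_DWORD from the post. Needs an elevated prompt; the TCP/IP
    # stack reads Tcpip\Parameters at start-up, so reboot for it to take effect.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    New-ItemProperty -Path $TcpipParams -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

function Get-RedirectLearnedRouteCandidates {
    # Lists active IPv4 host routes (/32) with an explicit next hop. A route
    # added by an accepted redirect looks like this, but other host routes can
    # too, so treat the list as something to review, not proof of a redirect.
    Get-NetRoute -AddressFamily IPv4 -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -like '*/32' -and $_.NextHop -ne '0.0.0.0' } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
}

# --- audit -----------------------------------------------------------------
$current = Get-IcmpRedirectSetting
if ($current -eq 0) {
    Write-Host "$ValueName = 0: host ignores ICMP redirects."
} elseif ($current -eq 1) {
    Write-Host "$ValueName = 1: host honors redirects (10-minute host routes)."
} else {
    Write-Host "$ValueName not set: stack default applies (redirects honored)."
}
Get-RedirectLearnedRouteCandidates | Format-Table -AutoSize

# To enforce the hardened setting, e.g. from a logon script as the post suggests:
# Set-IcmpRedirectSetting -Value 0
```

Run the audit part as-is on any host; uncomment the last line only where you have decided that ignoring redirects is the behaviour you want, since hosts that ignore them keep sending through the default gateway.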

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html