RE: hsrp and icmp redirects [7:73972]
How do all incoming routes/gateway branch office routes look?

Martijn

-----Original Message-----
From: Robert Kimble [mailto:[EMAIL PROTECTED]
Sent: Thursday, 14 August 2003 16:57
To: [EMAIL PROTECTED]
Subject: hsrp and icmp redirects [7:73972]

Ok.

I'll try to explain what happened as best as I can.

We have two 6509's each with an msfc and until last night we were only using the msfc on one of them.

Last night I brought up the second msfc and set up hsrp between the two.

Everything worked great here in the office last night. However, this morning our branch offices had no connectivity to us.

My boss went in and turned off icmp redirects on the vlan interfaces on the second msfc and everything was fine.

1. I thought icmp redirects were disabled automatically when you configure hsrp on an interface.

2. How did turning off the redirects fix the problem? (I would ask my boss but I probably look bad enough).

Anyway.

Please let me know if you need more info to answer this question.

-Bobby

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74005&t=73972
hsrp and icmp redirects [7:73972]
Ok.

I'll try to explain what happened as best as I can.

We have two 6509's each with an msfc and until last night we were only using the msfc on one of them.

Last night I brought up the second msfc and set up hsrp between the two.

Everything worked great here in the office last night. However, this morning our branch offices had no connectivity to us.

My boss went in and turned off icmp redirects on the vlan interfaces on the second msfc and everything was fine.

1. I thought icmp redirects were disabled automatically when you configure hsrp on an interface.

2. How did turning off the redirects fix the problem? (I would ask my boss but I probably look bad enough).

Anyway.

Please let me know if you need more info to answer this question.

-Bobby

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73972&t=73972
hsrp icmp redirects NEVERMIND [7:73974]
Wow. It must've been a late night last night. I figured out the problem. It had nothing to do with icmp.

Thank you!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73974&t=73974
Re: hsrp and icmp redirects [7:73972]
Can u provide a simple ascii diagram for your topology including the WAN connection to reach the remote branches.

>From: "Robert Kimble"
>
>Ok.
>
>I'll try to explain what happened as best as I can.
>
>We have two 6509's each with an msfc and until last night we were only using
>the msfc on one of them.
>
>Last night I brought up the second msfc and set up hsrp between the two.
>
>everything worked great here in the office last night. However, this morning
>our branch offices had no connectivity to us.
>
>My boss went in and turned off icmp redirects on the vlan interfaces on the
>second msfc and everything was fine.
>
>1. I thought icmp redirects were disabled automatically when you configure
>hsrp on an interface.
>
>2. How did turning off the redirects fix the problem? (I would ask my boss
>but I probably look bad enough).
>
>Any way.
>
>Please let me know if you need

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73978&t=73972
Re: Re: ICMP Redirects
A couple of more thoughts on the issue of ICMP redirects. First, Edward Solomon had a pretty good concise analysis of the options available in the environment you have and the advantages and disadvantages to each:

> (1) Proxy ARP
> (2) ICMP Redirects
> (3) ICMP Router Discovery Protocol
> (4) Run a routing protocol on the workstations
> (5) Hot Standby Router Protocol

I will not replay the analysis, because it was right on track. There are still other issues involved. Muhammed Khalilullah correctly pointed out that you need to use the "no ip redirect" command in interface configuration mode to shut redirects off at the source (which I did not previously mention). I am not aware of a similar command for the CBOS based systems. Still, there is the final piece which has not been mentioned, namely the client side of this. I was curious how MS stood on these issues and I checked it out. Here is what they have to say:

    When a Windows-based computer is initialized, the route table normally contains only a few entries. One of those entries specifies a default gateway. Datagrams that have a destination IP address with no better match in the route table are sent to the default gateway. However, because routers share information about network topology, the default gateway may know a better route to a given address. When this is the case, then upon receiving a datagram that could take the better path, the router forwards the datagram normally. It then advises the sender of the better route, using an ICMP Redirect message. These messages can specify redirection for one host, a subnet, or for an entire network. When a Windows-based computer receives an ICMP redirect, a validity check is performed to be sure that it came from the first-hop gateway in the current route, and that the gateway is on a directly connected network. If so, a host route with a 10-minute lifetime is added to the route table for that destination IP address.

    If the ICMP redirect did not come from the first-hop gateway in the current route, or if that gateway is not on a directly connected network, the ICMP redirect is ignored.

To answer your specific question, it will take ten minutes to purge the entry. Now you need to think about this a little bit. Is this a sort of "planned" behavior you want to see? That is your call. Another issue would probably focus on how to change the ten minute time. I have not found a registry key to do that. I have found the registry key to listen to redirects or ignore them. It is found here:

    HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services
    \Tcpip\Parameters

NOTE: The above registry key is one path; it has been wrapped for readability.

On the Edit menu, click Add Value, type EnableICMPRedirects, click REG_DWORD in the Data Type box, and then click OK. Type 0, and then click OK.

NOTE: Setting this registry entry to a value of 1 enables ICMP Redirects.

NOTE- All standard disclaimers apply on using the registry editor, namely you make changes at your own risk, and you may render your OS inoperable if you do it wrong.

If you wanted to make the changes en masse, my best bet would be to put it in the netlogon directory and it will get implemented on the next login. I can't say which way is right for you.

HTH,

Paul Werner
Re: Subject: ICMP Redirects
At 08:15 AM 3/14/01, John Neiberger wrote:
>I don't mind the redirects, I just want to know by
>what mechanism the hosts switch back to using the original default
>gateway. Is there a timeout of some sort? Does it require a reboot?

It does not require a reboot, but the exact behavior would depend on the OS and TCP/IP stack. My experience studying Windows and Macs shows that hosts revert to their default gateway very quickly. In fact some versions of Windows ignore ICMP redirects entirely. Others go back to the default when an application is restarted. Others when the TCP/IP stack is restarted. Some revert to the default gateway with every session, which means every click on a URL with TCP/HTTP.

Can you study your own network with a sniffer? That would be the best way to tell.

Priscilla

>I haven't read anywhere how things are adjusted back to normal after the
>fact.
>
>Thanks,
>John
>
> >>> "Paul Werner" <[EMAIL PROTECTED]> 3/13/01 11:47:04 PM >>>
>A couple of thoughts here. This is clearly the territory that
>HSRP was designed to address, namely failure of a primary
>gateway and assumption of the backup gateway while the primary
>is down. First, you may want to take a peek at this article
>(watch wrap):
>
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/
>121newft/121t/121t3/dt_hsrpi.htm
>
>On the other hand, you could block any ICMP redirects with a
>simple access list(which creates other problems). It seems
>that it might be more beneficial to get hardware that will
>ultimately do the job you are trying to do via HSRP.
>
>Regarding the issue of HSRP support for CBOS based platforms
>(600 series Cisco devices) you are correct, the support is not
>there. OTOH, I don't know if your flavor of DSL will fit the
>profile, but have you considered using a 1720-ADSL router? It
>*appears* that with the WIC-1ADSL installed, support is there
>for HSRP. 1720's go new in the $700-$800 range. the WIC-1ADSL
>can be had for approximately $500 new. Of course, you
>could probably get them both used for a lot less.
>
>HTH,
>
>Paul Werner
>
> > When a host receives an ICMP redirect, it's my understanding that it
> > places a host route in the routing table for that destination. How long
> > does that route typically stay in the table? If the route is being
> > used, would it stay there indefinitely? Here's why I ask...
> >
> > We have a 2620 and a 675 attached to the same remote LAN. The 675 is
> > there in case the frame relay circuit to the building goes down.
> > Because they are on the same subnet, I noticed that the 2620 began
> > sending redirects to the users. If the circuit were to come back up,
> > how would the hosts know to start using their original default gateway?
> >
> > The 675 and 2620 are not speaking a routing protocol to each other,
> > we're using static routes only. Proxy ARP isn't an option because we
> > want the PCs to always use the frame relay T1 if it is available. HSRP
> > is not an option because the 675 does not support it.

Priscilla Oppenheimer
http://www.priscilla.com
Re: ICMP Redirects
You've really only got a few options available:

(1) Proxy ARP
(2) ICMP Redirects
(3) ICMP Router Discovery Protocol
(4) Run a routing protocol on the workstations
(5) Hot Standby Router Protocol

Of these, (4) is probably the least desirable, (3) is the least widely supported and (5), as you said, is out of the question.

So, you really don't have a lot of choice, as I see it. If you want it to be dynamic, there is a limited number of things you can do, and running a routing protocol on the workstations, though viable, is probably not desirable as that would almost certainly involve running RIP v1.

As I see it, you're down to choosing between Proxy ARP and ICMP Redirects, though neither one is really desirable. HSRP would be a perfect fit, were it supported.

So there you have it.

--
Edward Solomon
CCNA, CCSI (ICND, BSCN, BCRAN, BCMSN)
Senior I/T Specialist
Networking Solutions
IBM Canada Ltd. - Learning Services
Tel.: (905) 316-3241
Fax: (905) 316-3101
E-mail: [EMAIL PROTECTED]
Internet: http://www.can.ibm.com/services/learning/net_internet.html
Re: Subject: ICMP Redirects
It appears that we are going to be installing the ADSL WICs in our 2600s in the future, but for now we're going to have about 30 locations with either a 675 or 678. I don't mind the redirects, I just want to know by what mechanism the hosts switch back to using the original default gateway. Is there a timeout of some sort? Does it require a reboot? I haven't read anywhere how things are adjusted back to normal after the fact.

Thanks,
John

>>> "Paul Werner" <[EMAIL PROTECTED]> 3/13/01 11:47:04 PM >>>
A couple of thoughts here. This is clearly the territory that HSRP was designed to address, namely failure of a primary gateway and assumption of the backup gateway while the primary is down. First, you may want to take a peek at this article (watch wrap):

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/
121newft/121t/121t3/dt_hsrpi.htm

On the other hand, you could block any ICMP redirects with a simple access list(which creates other problems). It seems that it might be more beneficial to get hardware that will ultimately do the job you are trying to do via HSRP.

Regarding the issue of HSRP support for CBOS based platforms (600 series Cisco devices) you are correct, the support is not there. OTOH, I don't know if your flavor of DSL will fit the profile, but have you considered using a 1720-ADSL router? It *appears* that with the WIC-1ADSL installed, support is there for HSRP. 1720's go new in the $700-$800 range. the WIC-1ADSL can be had for approximately $500 new. Of course, you could probably get them both used for a lot less.

HTH,

Paul Werner

> When a host receives an ICMP redirect, it's my understanding that it
> places a host route in the routing table for that destination. How long
> does that route typically stay in the table? If the route is being
> used, would it stay there indefinitely? Here's why I ask...
>
> We have a 2620 and a 675 attached to the same remote LAN. The 675 is
> there in case the frame relay circuit to the building goes down.
> Because they are on the same subnet, I noticed that the 2620 began
> sending redirects to the users. If the circuit were to come back up,
> how would the hosts know to start using their original default gateway?
>
> The 675 and 2620 are not speaking a routing protocol to each other,
> we're using static routes only. Proxy ARP isn't an option because we
> want the PCs to always use the frame relay T1 if it is available. HSRP
> is not an option because the 675 does not support it.
Re: Subject: ICMP Redirects
A couple of thoughts here. This is clearly the territory that HSRP was designed to address, namely failure of a primary gateway and assumption of the backup gateway while the primary is down. First, you may want to take a peek at this article (watch wrap):

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/
121newft/121t/121t3/dt_hsrpi.htm

On the other hand, you could block any ICMP redirects with a simple access list(which creates other problems). It seems that it might be more beneficial to get hardware that will ultimately do the job you are trying to do via HSRP.

Regarding the issue of HSRP support for CBOS based platforms (600 series Cisco devices) you are correct, the support is not there. OTOH, I don't know if your flavor of DSL will fit the profile, but have you considered using a 1720-ADSL router? It *appears* that with the WIC-1ADSL installed, support is there for HSRP. 1720's go new in the $700-$800 range. the WIC-1ADSL can be had for approximately $500 new. Of course, you could probably get them both used for a lot less.

HTH,

Paul Werner

> When a host receives an ICMP redirect, it's my understanding that it
> places a host route in the routing table for that destination. How long
> does that route typically stay in the table? If the route is being
> used, would it stay there indefinitely? Here's why I ask...
>
> We have a 2620 and a 675 attached to the same remote LAN. The 675 is
> there in case the frame relay circuit to the building goes down.
> Because they are on the same subnet, I noticed that the 2620 began
> sending redirects to the users. If the circuit were to come back up,
> how would the hosts know to start using their original default gateway?
>
> The 675 and 2620 are not speaking a routing protocol to each other,
> we're using static routes only. Proxy ARP isn't an option because we
> want the PCs to always use the frame relay T1 if it is available. HSRP
> is not an option because the 675 does not support it.
Re: ICMP Redirects
You can use the 'no ip redirects' command in interface configuration mode.

Muhammad Khalilulah
CCNP, MCSE

--- John Neiberger <[EMAIL PROTECTED]> wrote:
> When a host receives an ICMP redirect, it's my understanding that it
> places a host route in the routing table for that destination. How long
> does that route typically stay in the table? If the route is being
> used, would it stay there indefinitely? Here's why I ask...
>
> We have a 2620 and a 675 attached to the same remote LAN. The 675 is
> there in case the frame relay circuit to the building goes down.
> Because they are on the same subnet, I noticed that the 2620 began
> sending redirects to the users. If the circuit were to come back up,
> how would the hosts know to start using their original default gateway?
>
> The 675 and 2620 are not speaking a routing protocol to each other,
> we're using static routes only. Proxy ARP isn't an option because we
> want the PCs to always use the frame relay T1 if it is available. HSRP
> is not an option because the 675 does not support it.
>
> Thanks,
> John
ICMP Redirects
When a host receives an ICMP redirect, it's my understanding that it places a host route in the routing table for that destination. How long does that route typically stay in the table? If the route is being used, would it stay there indefinitely? Here's why I ask...

We have a 2620 and a 675 attached to the same remote LAN. The 675 is there in case the frame relay circuit to the building goes down. Because they are on the same subnet, I noticed that the 2620 began sending redirects to the users. If the circuit were to come back up, how would the hosts know to start using their original default gateway?

The 675 and 2620 are not speaking a routing protocol to each other, we're using static routes only. Proxy ARP isn't an option because we want the PCs to always use the frame relay T1 if it is available. HSRP is not an option because the 675 does not support it.

Thanks,
John
Re: ICMP redirects
On 9 Oct 2000 16:04:13 -0400, Priscilla Oppenheimer <[EMAIL PROTECTED]> wrote:

:At 01:59 AM 10/9/00, Paul Werner wrote:
:
:>Listed above is what the Internet Standard specifies for proper
:>operation. Let's bounce that against reality as we know it:
:>
:>http://support.microsoft.com/support/kb/articles/Q243/4/27.ASP
:
:What does it mean to plumb host routes? I couldn't decode what Microsoft is
:attempting to say in this article. If you can explain it, that would be
:great. (The other articles did make sense. Thanks for the URLs.)

I would assume they mean "connect", perhaps the term refers to the UNIX "plumb" argument for interface configuration.

For what it's worth, I first saw the term "plumb" with respect to TCP/IP in a Sun manual page for "ifconfig", having to do with configuring an interface on a Solaris box.

From "man ifconfig" in Solaris 2.7:

    plumb      Open the device associated with the physical interface name and set up the streams needed for TCP/IP to use the device. Before this is done, the interface will not show up in the output of ifconfig -a.

    unplumb    Destroy any streams associated with this device and close the device. After this command is executed, the device name should not show up in the output of ifconfig -a.

Sun no longer supports mobile homes on their interfaces, no doubt because of problems with their plumbing. Also from "man ifconfig":

    trailers   This flag previously caused a non-standard encapsulation of inet packets on certain link levels. Drivers supplied with this release no longer use this flag. It is provided for compatibility, but is ignored.

    -trailers  Disable the use of a "trailer" link level encapsulation.

--
Jay Hennigan - Network Administration - [EMAIL PROTECTED]
NetLojix Communications, Inc. NASDAQ: NETX - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
Re: Re: ICMP redirects
On Mon, 09 Oct 2000, Priscilla Oppenheimer ([EMAIL PROTECTED]) wrote:

> What does it mean to plumb host routes? I couldn't decode what Microsoft is attempting to say in this article. If you can explain it, that would be great. (The other articles did make sense. Thanks for the URLs.)<

I was hoping you wouldn't ask that :-) In all seriousness, I was more than just a little confused by their terminology. Of course, this has to be taken in the proper context, coming from an organization that refers to TCP as the "Transport Control Protocol" ;-)

I did a quick search at MS to see if there were any tell tale clues. These links seem to be indicative of a methodology of software engineering to inject a portion of code to solve a given problem:

http://support.microsoft.com/support/kb/articles/q265/1/12.asp
http://msdn.microsoft.com/library/periodic/period98/extreme0598.htm
http://msdn.microsoft.com/library/welcome/dsmsdn/rivard_qa.htm

Of course, I wasn't 100% satisfied that it was totally correct, so I did a little bit more hunting and came up with the word usage from Paul Maritz, an old timer from MS :-) He left me with the impression that "re-plumbing" is the fine art of going in and fixing code to make it well again:

http://www.microsoft.com/PressPass/exec/paul/09-13webdev.asp

Undeterred, I pressed on...I then started to realize, maybe this was bigger than MS. Maybe this was somehow an open standards based term that I had not heard about previously. With cursor in hand, I went to the Internet Encyclopedia at this location and did a word search for "plumb":

http://www.freesoft.org/CIE/search.htm

Finally, the end was in sight. There were three hits and out of a hunch, I opted in for the hit that yielded "100%". What do you know, but this was the final definitive word on the subject. Quoting from RFC 2324, "Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)":

    7. Security Considerations

    Anyone who gets in between me and my morning coffee should be insecure.

    Unmoderated access to unprotected coffee pots from Internet users might lead to several kinds of "denial of coffee service" attacks. The improper use of filtration devices might admit trojan grounds. Filtration is not a good virus protection method.

    Putting coffee grounds into Internet plumbing may result in clogged plumbing, which would entail the services of an Internet Plumber [PLUMB], who would, in turn, require an Internet Plumber's Helper.

Checking paragraph 9 of the same RFC yielded the reference for PLUMB. It was indeed Bob Metcalfe, the consummate Internet Plumber and prognosticator of all things networking.

In short and to recap; I have absolutely no idea what they meant 8-)

v/r,

Paul Werner

p.s. When I get a free moment, I want to share a story for the group about the use of subnet zero on Internet hosts and Internet Gateways and mention why it is *still* a good idea *not* to use subnet zero on Internet host addressing.
Re: ICMP redirects
I believe that plumb-ing is the act of populating the route table, as opposed to plumbing, which (at least in my house) is the act of causing water and other fluids to exit through tiny holes and connecting points in the pipes that would otherwise carry them to their intended destinations had I simply left them alone.

Dale
[=`)

>From: Priscilla Oppenheimer <[EMAIL PROTECTED]>
>Reply-To: Priscilla Oppenheimer <[EMAIL PROTECTED]>
>To: Paul Werner <[EMAIL PROTECTED]>,"[EMAIL PROTECTED]"
><[EMAIL PROTECTED]>
>Subject: Re: ICMP redirects
>Date: Mon, 09 Oct 2000 13:00:11 -0700
>
>At 01:59 AM 10/9/00, Paul Werner wrote:
>
>>Listed above is what the Internet Standard specifies for proper
>>operation. Let's bounce that against reality as we know it:
>>
>>http://support.microsoft.com/support/kb/articles/Q243/4/27.ASP
>
>What does it mean to plumb host routes? I couldn't decode what Microsoft is
>attempting to say in this article. If you can explain it, that would be
>great. (The other articles did make sense. Thanks for the URLs.)
>
>Thanks
>
>Priscilla
>
>>http://support.microsoft.com/support/kb/articles/Q195/6/86.ASP
>>
>>http://support.microsoft.com/support/kb/articles/Q225/3/44.ASP
>>
>>As a matter of practice, ICMP redirects have taken the form of
>>a DoS attack today (at least as implemented in Winthings).
>>
>>HTH,
>>
>>Paul Werner
>>
>>- who envies the serenity of an Oregon sunset.
>
>Priscilla Oppenheimer
>http://www.priscilla.com
Re: ICMP redirects
At 01:59 AM 10/9/00, Paul Werner wrote:

>Listed above is what the Internet Standard specifies for proper
>operation. Let's bounce that against reality as we know it:
>
>http://support.microsoft.com/support/kb/articles/Q243/4/27.ASP

What does it mean to plumb host routes? I couldn't decode what Microsoft is attempting to say in this article. If you can explain it, that would be great. (The other articles did make sense. Thanks for the URLs.)

Thanks

Priscilla

>http://support.microsoft.com/support/kb/articles/Q195/6/86.ASP
>
>http://support.microsoft.com/support/kb/articles/Q225/3/44.ASP
>
>As a matter of practice, ICMP redirects have taken the form of
>a DoS attack today (at least as implemented in Winthings).
>
>HTH,
>
>Paul Werner
>
>- who envies the serenity of an Oregon sunset.

Priscilla Oppenheimer
http://www.priscilla.com
ICMP redirects
> Paul,
>
> Thanks for your reply. How about helping me with this one:
>
> When are ICMP redirects used in EIGRP?

Cisco routers do not trigger an ICMP redirect based upon which routing protocol is in use. They have a defined set of criteria that is based upon the following parameters:

http://www.cisco.com/warp/public/105/43.html

ICMP redirects are explained in reasonable detail here (watch wrap):

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ip.htm#xtocid2236313

The real issue of ICMP redirects is less concerned with Internet gateways and more concerned with Internet hosts. The governing RFC here is RFC 1122. It states in para. 3.2.2.2:

   3.2.2.2 Redirect: RFC-792

   A host SHOULD NOT send an ICMP Redirect message; Redirects are to be sent only by gateways.

   A host receiving a Redirect message MUST update its routing information accordingly. Every host MUST be prepared to accept both Host and Network Redirects and to process them as described in Section 3.3.1.2 below.

   A Redirect message SHOULD be silently discarded if the new gateway address it specifies is not on the same connected (sub-) net through which the Redirect arrived [INTRO:2, Appendix A], or if the source of the Redirect is not the current first-hop gateway for the specified destination (see Section 3.3.1).

Listed above is what the Internet Standard specifies for proper operation. Let's bounce that against reality as we know it:

http://support.microsoft.com/support/kb/articles/Q243/4/27.ASP

http://support.microsoft.com/support/kb/articles/Q195/6/86.ASP

http://support.microsoft.com/support/kb/articles/Q225/3/44.ASP

As a matter of practice, ICMP redirects have taken the form of a DoS attack today (at least as implemented in Winthings).

HTH,

Paul Werner

- who envies the serenity of an Oregon sunset.
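The two discard rules in the RFC 1122 paragraph quoted above, written as a receive-side check on a parsed ICMP Redirect. This is an added example, not part of the original post or of any vendor's IP stack; the addresses, the `build_redirect` helper and the `first_hop_for` callback are constructed for illustration.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # RFC 792 message type

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_redirect(new_gw, orig_src, orig_dst, code=1) -> bytes:
    """Construct a sample Redirect for the demo (constructed, not captured)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address(orig_src).packed,
                        ipaddress.IPv4Address(orig_dst).packed) + b"\x00" * 8
    body = ipaddress.IPv4Address(new_gw).packed + inner
    csum = inet_checksum(struct.pack("!BBH", ICMP_REDIRECT, code, 0) + body)
    return struct.pack("!BBH", ICMP_REDIRECT, code, csum) + body

def parse_redirect(icmp: bytes):
    """Return (code, new_gateway, original_destination), or None if malformed."""
    if len(icmp) < 36 or icmp[0] != ICMP_REDIRECT or icmp[1] > 3:
        return None
    ihl = (icmp[8] & 0x0F) * 4            # embedded IP header length
    if icmp[8] >> 4 != 4 or ihl < 20 or len(icmp) < 8 + ihl + 8:
        return None
    if inet_checksum(icmp) != 0:          # a valid message sums to zero
        return None
    return (icmp[1], ipaddress.IPv4Address(icmp[4:8]),
            ipaddress.IPv4Address(icmp[24:28]))

def accept_redirect(sender, icmp, connected_net, first_hop_for) -> bool:
    """Apply the two discard rules of RFC 1122 section 3.2.2.2."""
    parsed = parse_redirect(icmp)
    if parsed is None:
        return False
    _code, new_gw, orig_dst = parsed
    if new_gw not in ipaddress.ip_network(connected_net):
        return False   # new gateway is off the connected (sub-)net
    first_hop = ipaddress.IPv4Address(first_hop_for(orig_dst))
    if ipaddress.IPv4Address(sender) != first_hop:
        return False   # sender is not the current first hop for that destination
    return True

if __name__ == "__main__":
    # Constructed host view: 192.0.2.10/24 with default gateway 192.0.2.1.
    first_hop = lambda dst: "192.0.2.1"
    msg = build_redirect("192.0.2.2", "192.0.2.10", "198.51.100.7")
    print(accept_redirect("192.0.2.1", msg, "192.0.2.0/24", first_hop))
    print(accept_redirect("192.0.2.99", msg, "192.0.2.0/24", first_hop))
```

Neither rule authenticates the sender: the source address of a Redirect is only compared against the host's routing table, which is why the thread treats host-side redirect handling as a denial-of-service concern.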
Re: ICMP Redirects
I understand your point, but our primary reason for having a backup line is in case the main circuit goes down, not in case the actual router goes down. I was attempting to figure out a way to do poor-man's HSRP. For DSL, we'll be using a Cisco 675 which can't do HSRP.

Thanks,
John

> On Tue, 29 Aug 2000, John Neiberger wrote:
>
> > We have a situation where ICMP redirects might be very helpful, but I have a
> > practical question about them. In our situation, we'll have two routers
> > connected to a switch, the first having a T-1 connection, the second being a
> > backup router with DSL. All PCs will have the main router as their default
> > gateway. If the main circuit goes down, that router should send ICMP
> > redirects to the PCs to divert traffic to the other router, right?
>
> no. icmp redirects don't work like "hey he is down, send it to
> me"; instead they work like "don't send it to me, so and so is a
> better route". In other words they originate from your next-hop and point
> to a better hop. If your next-hop is down, then it's not going to be
> originating much of anything is it?
>
> HSRP is what you want/need to use here. That is the best way to accomplish
> this.
>
> > If that's the case, how do the hosts know when the main circuit comes back
> > up? I don't see how there would be any way for them to know to resume
> > sending traffic to the original default gateway. The way I see it, when the
>
> With HSRP this can be accomplished using preempt
>
> > main line goes down the hosts would start to use the DSL route, and would
> > continue to use that route even after the main route becomes available.
> >
> > any thoughts?
> >
> > TIA,
> > John
>
> ---
> Brian Feeny, CCNA, CCDA [EMAIL PROTECTED]
> Network Administrator
> ShreveNet Inc. (ASN 11881)
Re: ICMP Redirects
You could install different metrics in the routing tables so that if the T-1 comes back up that route will be used

Duck

- Original Message -
From: John Neiberger <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 29, 2000 11:23 AM
Subject: ICMP Redirects

> We have a situation where ICMP redirects might be very helpful, but I have a
> practical question about them. In our situation, we'll have two routers
> connected to a switch, the first having a T-1 connection, the second being a
> backup router with DSL. All PCs will have the main router as their default
> gateway. If the main circuit goes down, that router should send ICMP
> redirects to the PCs to divert traffic to the other router, right?
>
> If that's the case, how do the hosts know when the main circuit comes back
> up? I don't see how there would be any way for them to know to resume
> sending traffic to the original default gateway. The way I see it, when the
> main line goes down the hosts would start to use the DSL route, and would
> continue to use that route even after the main route becomes available.
>
> any thoughts?
>
> TIA,
> John
Re: ICMP Redirects
I think HSRP could really handle this well - but with redirect - I haven't tried this, but... :

static route out T1, floating static to other router, so it is only in the route table when the T1 goes down, if it sends out the same interface it will forward the packet & send back ICMP redirect. So far, easy.

On the router with the DSL, static route to the other end of the T1 (don't use ip address of next hop, use the same ip address for this static route to the T1 in the router that has the T1). Floating static out the DSL. The router will do a recursive lookup & send to the router with the T1 when the T1 comes back up & send back ICMP redirect. When the T1 is down, the recursive will fail & the DSL route is used.

And of course, the exercise is only useful if the IP stack on the client can do something useful with the ICMP redirect. To my knowledge, some stacks will just happily keep sending to their default gateway. In this case, just the 1st router config handles that.

>>> John Neiberger <[EMAIL PROTECTED]> 08/29 11:23 AM >>>
We have a situation where ICMP redirects might be very helpful, but I have a practical question about them. In our situation, we'll have two routers connected to a switch, the first having a T-1 connection, the second being a backup router with DSL. All PCs will have the main router as their default gateway. If the main circuit goes down, that router should send ICMP redirects to the PCs to divert traffic to the other router, right?

If that's the case, how do the hosts know when the main circuit comes back up? I don't see how there would be any way for them to know to resume sending traffic to the original default gateway. The way I see it, when the main line goes down the hosts would start to use the DSL route, and would continue to use that route even after the main route becomes available.

any thoughts?

TIA,
John
Re: ICMP Redirects
Why not just use a floating static route or HSRP instead?

>From: John Neiberger <[EMAIL PROTECTED]>
>Reply-To: John Neiberger <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: ICMP Redirects
>Date: Tue, 29 Aug 2000 11:23:42 -0700 (PDT)
>
>We have a situation where ICMP redirects might be very helpful, but I have a
>practical question about them. In our situation, we'll have two routers
>connected to a switch, the first having a T-1 connection, the second being a
>backup router with DSL. All PCs will have the main router as their default
>gateway. If the main circuit goes down, that router should send ICMP
>redirects to the PCs to divert traffic to the other router, right?
>
>If that's the case, how do the hosts know when the main circuit comes back
>up? I don't see how there would be any way for them to know to resume
>sending traffic to the original default gateway. The way I see it, when the
>main line goes down the hosts would start to use the DSL route, and would
>continue to use that route even after the main route becomes available.
>
>any thoughts?
>
>TIA,
>John
Re: ICMP Redirects
HSRP didn't even occur to me, but since the DSL router we're using is a 675 that can't do HSRP, that isn't even an option. Bummer! That would have worked very well in this situation.

Thanks
John

> Well, it's true, there is really no way for them to know that the link came
> back up. However, depending on the host, there is also no guarantee that
> they will ever heed the redirect in the first place. You really cannot count
> on them for fault tolerance.
>
> An HSRP solution would probably work better in this scenario. The hosts
> would all send to the virtual IP address, which would be served by the
> primary router (with the T-1 interface). With interface tracking enabled, if
> the T-1 link fails, the secondary router (with the DSL connection) would
> take over and the hosts would not need to know anything about it. When the
> T-1 link comes back up, that router will become primary again and will take
> over traffic sent to the virtual IP address. Again, the hosts need know
> nothing about this.
>
> I hope this helps...
>
> Dale
> [=`)
>
> >From: John Neiberger <[EMAIL PROTECTED]>
> >Reply-To: John Neiberger <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: ICMP Redirects
> >Date: Tue, 29 Aug 2000 11:23:42 -0700 (PDT)
> >
> >We have a situation where ICMP redirects might be very helpful, but I have a
> >practical question about them. In our situation, we'll have two routers
> >connected to a switch, the first having a T-1 connection, the second being a
> >backup router with DSL. All PCs will have the main router as their default
> >gateway. If the main circuit goes down, that router should send ICMP
> >redirects to the PCs to divert traffic to the other router, right?
> >
> >If that's the case, how do the hosts know when the main circuit comes back
> >up? I don't see how there would be any way for them to know to resume
> >sending traffic to the original default gateway. The way I see it, when the
> >main line goes down the hosts would start to use the DSL route, and would
> >continue to use that route even after the main route becomes available.
> >
> >any thoughts?
> >
> >TIA,
> >John
Re: ICMP Redirects
Well, it's true, there is really no way for them to know that the link came back up. However, depending on the host, there is also no guarantee that they will ever heed the redirect in the first place. You really cannot count on them for fault tolerance.

An HSRP solution would probably work better in this scenario. The hosts would all send to the virtual IP address, which would be served by the primary router (with the T-1 interface). With interface tracking enabled, if the T-1 link fails, the secondary router (with the DSL connection) would take over and the hosts would not need to know anything about it. When the T-1 link comes back up, that router will become primary again and will take over traffic sent to the virtual IP address. Again, the hosts need know nothing about this.

I hope this helps...

Dale
[=`)

>From: John Neiberger <[EMAIL PROTECTED]>
>Reply-To: John Neiberger <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: ICMP Redirects
>Date: Tue, 29 Aug 2000 11:23:42 -0700 (PDT)
>
>We have a situation where ICMP redirects might be very helpful, but I have a
>practical question about them. In our situation, we'll have two routers
>connected to a switch, the first having a T-1 connection, the second being a
>backup router with DSL. All PCs will have the main router as their default
>gateway. If the main circuit goes down, that router should send ICMP
>redirects to the PCs to divert traffic to the other router, right?
>
>If that's the case, how do the hosts know when the main circuit comes back
>up? I don't see how there would be any way for them to know to resume
>sending traffic to the original default gateway. The way I see it, when the
>main line goes down the hosts would start to use the DSL route, and would
>continue to use that route even after the main route becomes available.
>
>any thoughts?
>
>TIA,
>John
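The failover and failback described above, as a simplified model of HSRP's active-router election with interface tracking and preempt. This is an added example, not part of the original post and not Cisco's implementation; the router names, addresses, priority 110 and decrement 20 are assumptions chosen for the demo.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100       # HSRP default priority
    preempt: bool = False
    track_decrement: int = 0  # subtracted while the tracked WAN link is down
    wan_up: bool = True
    alive: bool = True

    def rank(self):
        """Effective priority, then higher interface IP as the tie-breaker."""
        prio = self.priority - (0 if self.wan_up else self.track_decrement)
        return (prio, int(ipaddress.IPv4Address(self.ip)))

def elect(routers, active=None):
    """Return the router that answers for the virtual IP after one hello cycle."""
    candidates = [r for r in routers if r.alive]
    if not candidates:
        return None
    if active is None or not active.alive:
        return max(candidates, key=Router.rank)   # no active heard: best wins
    # A live active router is only displaced by a better router WITH preempt.
    challengers = [r for r in candidates
                   if r.preempt and r.rank() > active.rank()]
    return max(challengers, key=Router.rank) if challengers else active

def t1_flap(primary_preempt: bool, backup_preempt: bool):
    """Active router at start, after the T-1 fails, and after it recovers."""
    # Constructed values: addresses, priority 110 and decrement 20 are assumptions.
    t1 = Router("t1-router", "192.0.2.2", priority=110,
                preempt=primary_preempt, track_decrement=20)
    dsl = Router("dsl-router", "192.0.2.3", preempt=backup_preempt)
    routers, history = [t1, dsl], []
    active = elect(routers)
    history.append(active.name)
    for link_state in (False, True):      # T-1 goes down, then comes back
        t1.wan_up = link_state
        active = elect(routers, active)
        history.append(active.name)
    return history

if __name__ == "__main__":
    for flags in ((True, True), (True, False), (False, True)):
        print(flags, t1_flap(*flags))
```

In this model the backup needs preempt to take over while the primary is still alive with a dead T-1, and the primary needs preempt to reclaim the virtual IP once the T-1 returns.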
ICMP Redirects
We have a situation where ICMP redirects might be very helpful, but I have a practical question about them. In our situation, we'll have two routers connected to a switch, the first having a T-1 connection, the second being a backup router with DSL. All PCs will have the main router as their default gateway. If the main circuit goes down, that router should send ICMP redirects to the PCs to divert traffic to the other router, right?

If that's the case, how do the hosts know when the main circuit comes back up? I don't see how there would be any way for them to know to resume sending traffic to the original default gateway. The way I see it, when the main line goes down the hosts would start to use the DSL route, and would continue to use that route even after the main route becomes available.

any thoughts?

TIA,
John