[c-nsp] setting source address for icmp messages

Dale Shaw dale.shaw+cisco-nsp at gmail.com
Thu Feb 5 23:50:42 EST 2009


Hi,

When I read the OP I figured he was talking about automatically
generated ICMP messages (e.g. unreachables, source quench), not pings
sent for administrative purposes (or IP SLAs or whatever).

I don't personally know of an elegant way to achieve this. One
potentially undesirable option might be to disable unreachables ("no
ip unreachables") on the privately-addressed interfaces. Why are the
messages being generated anyway? no route? ACL violation?

Sending the messages sourced with an address of anything but the
interface where the packet landed probably violates some RFC. I _can_
see why you (Mike) want to do this.

Such packets (sourced with RFC1918 addresses) should be explicitly
nailed at the perimeter anyway.

cheers,
Dale

On Fri, Feb 6, 2009 at 3:19 PM, Hill, Matt W
<hill.matt.w at edumail.vic.gov.au> wrote:
> Hi Mike,
>
> Try this:
>
> Ping ip
> <follow prompts>
> Extended commands <- press "y"
>
> Then you can specify the source.
>
> Cheers,
> Matt
>
> --
> Matt Hill
> CCIE #22386
> p: +61 3 9637 3509  |  m: +61 4 1330 3635  |  f: +61 3 96372600  |  e: hill.matt.w at edumail.vic.gov.au
> Data Communications Consultant |  Infrastructure Engineering  |  ITD  |  DEECD
> Level 2 East, 2 Treasury Place, East Melbourne, Victoria, Australia, 3002
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
> Sent: Friday, 6 February 2009 3:08 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] setting source address for icmp messages
>
> Hello,
>
> I'm trying to learn how to get my 7204vxr to not send icmp messages with
> the source ip of interface the message is being sent out. I have a
> public ip on my loopback and thought this was what ios preferred if it
> exists? I have some other interfaces which have 10.x.x.x addresses and
> icmp messages like host unreachable and such are sourced from this which
> is undesirable due to inbound filtering at many sites at their gateways
> for rfc1918 and other bogon addresses.
>
> Am I being silly to want this or is there something I can do to get my
> way here?
>
> Tks.
>
> Mike-
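
An added example, not part of the original thread and not written by its participants: a Python check that reads an IOS configuration and lists the interfaces that hold an RFC 1918 address but lack the "no ip unreachables" setting mentioned in the reply above. The sample configuration, interface names and function names are constructed for illustration.

```python
import ipaddress
import re

# Only the three RFC 1918 blocks; ip_address.is_private would also match
# documentation and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADDR_RE = re.compile(r"ip address (\d+\.\d+\.\d+\.\d+) \d+\.\d+\.\d+\.\d+")

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 10.2.2.1 255.255.255.0
 no ip unreachables
!
interface GigabitEthernet0/3
 ip address 198.51.100.1 255.255.255.252
!
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS-style config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the stanza
    return stanzas

def private_interfaces_sending_unreachables(config):
    """List (interface, [RFC 1918 addresses]) where unreachables are not disabled."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "no ip unreachables" in lines:
            continue  # already suppressed on this interface
        addrs = [m.group(1) for l in lines if (m := ADDR_RE.match(l))]
        private = [a for a in addrs
                   if any(ipaddress.ip_address(a) in net for net in RFC1918)]
        if private:
            findings.append((name, private))
    return findings
```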

