No IP Unreachable
Overview
The "no ip unreachable" feature in networking devices is a configuration used to enhance network security and efficiency by disabling the generation of Internet Control Message Protocol (ICMP) unreachable messages. Normally, these messages are sent by routers and other network devices in response to packets that cannot be delivered to their intended destination for various reasons.
When the "no ip unreachable" command is enabled, the network device stops sending these ICMP unreachable messages.
The supported ICMP Unreachable Codes
Table 2 shows the codes used in ICMPv6 Unreachable.
Code | Message | Description |
|---|---|---|
0 | Destination network unreachable | |
1 | Destination host unreachable | |
2 | Destination protocol unreachable | |
3 | Destination port unreachable | The destination network is not reachable from the current router. |
4 | Fragmentation needed and DF flag set | The specific destination host within a reachable network is not accessible. |
5 | Source Route Failed | The protocol specified in the packet is not supported by the destination. |
6 | Destination Network Unknown | The destination port is not open or not listening on the destination device. |
7 | Destination Host Unknown | NA |
8 | Source Host Isolated | NA |
9 | Network Administratively Prohibited | NA |
10 | Network Administratively Prohibited | NA |
11 | Network Unreachable for TOS | NA |
12 | Host Unreachable for TOS | NA |
13 | Communication Administratively Prohibited | NA |
14 | Host Precedence Violation | NA |
15 | Precedence Cutoff in Effect | NA |
The supported ICMPv6 Unreachable Codes
Table 3 shows the codes used in ICMPv6 Unreachable.
Codes | Description |
|---|---|
0 | No route to destination |
1 | Communication with destination administratively prohibited |
2 | Beyond scope of source address |
3 | Address unreachable |
4 | Port unreachable |
5 | Source address failed ingress/egress policy |
6 | Reject route to destination |
Feature Characteristics
The "no ip unreachable" feature is used to prevent a device from sending ICMP unreachable messages. These messages are typically generated when a router cannot forward a packet because the destination is unreachable. Disabling these messages can enhance network performance and security.
Benefits
The advantages of utilizing a No IP Unreachables:
• Enhanced Security
• Performance Optimization
• Simplified Troubleshooting.
Configuration
To configure "no ip unreachable," enter interface configuration mode on the device, select the outgoing interface, and apply the "no ip unreachable" command. This prevents the device from sending ICMP unreachable messages for packets sent through that interface, thereby enhancing network security.
Example for Suppressing the ICMP Destination Host Unreachable Message
With the configuration shown in the diagram, R2 is set to drop ICMP unreachable messages for packets exiting from interface ge10. The following steps describe how it operates. The procedures in this section use the topology in Figure 6-50
No IP Unreachable
1. Packet Reception: R2 receives a packet that it needs to forward to a destination.
2. Routing Decision: R2 checks its routing table to determine the next hop for the packet.
3. Unreachable Destination: If there is no valid route to reach the destination 20.1.1.3, R2 would normally generate an ICMP unreachable message, indicating Destination Host Unreachable.
4. Suppression of ICMP Message: With the "no ip unreachable" command enabled on R2's interface ge10, R2 suppresses outgoing ICMP messages from interface ge10, effectively dropping the packet without notifying the sender. In this case, R2 drops the Destination Host Unreachable message.
Example for Suppressing the ICMP Destination Network Unreachable Message
With the configuration shown in the diagram, R2 is set to drop ICMP unreachable messages for packets going out from interface ge10. The following steps describe how it operates. The procedures in this section use the topology in Figure 6-50
1. Packet Reception: R2 receives a packet that it needs to forward to a destination.
2. Routing Decision: R2 checks its routing table to determine the next hop for the packet.
3. Unreachable Destination: If there is no valid route to reach the destination network 30.1.1.1, R2 would normally generate an ICMP unreachable message, indicating Destination Network Unreachable.
4. Suppression of ICMP Message: With the "no ip unreachable" command enabled on R2's interface ge10, R2 suppresses outgoing ICMP messages from interface ge10, effectively dropping the packet without notifying the sender. In this case, R2 drops the "Destination Network Unreachable" message.
Example for Suppressing the ICMP Fragmentation Needed Message
With the configuration shown in the diagram, R2 is set to drop ICMP unreachable messages for packets going out from interface ge10. The following steps describe how it operates. The procedures in this section use the topology in Figure 6-50
1. Packet Reception: R2 receives a packet that it needs to forward to a destination.
2. Routing Decision: R2 checks the data size of the packet to transmit to the next hop. In this case, the data size is 1328 bytes.
3. Unreachable Destination: Since the maximum transmission unit (MTU) on R2 is set to 1200 bytes, R2 would normally generate an ICMP unreachable message, indicating "Fragmentation needed but DF is set."
4. Suppression of ICMP Message: With the "no ip unreachable" command enabled on R2's interface ge10, R2 suppresses outgoing ICMP messages from interface ge10, effectively dropping the packet without notifying the sender. In this case, R2 drops the "Fragmentation needed" message.
Topology
The procedures in this section use the topology in Figure 6-51
No IPv6 Unreachable
Configurations
This configuration suppresses ICMP messages from being sent out of the interface. Perform the following steps to configure no ip unreachable functionality for R2.
No IP Unreachable Configuration
• Supports all type of nodes.
Configuring No IP/IPv6 Unreachable
1. Enter the interface configuration mode.
R2(config)#interface ge10
R2(config)#interface ge10
• Assign an IPv6 address to the interface using the ipv6 address command followed by the desired IPv6 address and subnet mask.
(ipv6 address 1000::1/64)
(ipv6 address 1000::1/64)
2. Disable the No IP/IPv6 Unreachable.
R2(config-if)#no ip unreachable
R2(config-if)#no ipv6 unreachable
3. To commit the changes exit.
R2(config)#commit
R2(config)#exit
Snippet configuration on R1 router is as follows:
!
interface ge10
ip address 10.1.1.1/24
!
Snippet configuration on R2 router is as follows:
!
interface ge10
ip address 10.1.1.2/24
no ip unreachable
!
Validation
To verify that the no ip unreachables command has been applied to the interface, you can use the following command:.
R1:
OcNOS#ping 20.1.1.3
Press CTRL+C to exit
PING 20.1.1.3 (20.1.1.3) 100(128) bytes of data.
From 10.1.1.2 icmp_seq=1 Destination Host Unreachable
From 10.1.1.2 icmp_seq=2 Destination Host Unreachable
From 10.1.1.2 icmp_seq=3 Destination Host Unreachable
From 10.1.1.2 icmp_seq=4 Destination Host Unreachable
From 10.1.1.2 icmp_seq=5 Destination Host Unreachable
From 10.1.1.2 icmp_seq=6 Destination Host Unreachable
--- 20.1.1.3 ping statistics ---
7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 142ms
pipe 3
OcNOS#
No IP Unreachable Unconfiguration
To revert the suppression of ICMP messages to the original configuration, follow the steps.
1. Enter the global configuration mode.
R2#configure terminal
2. Configure the interface ge10.
R2(config)#interface ge10
3. Re-enable ICMP unreachable messages.
R2(config-if)#ip unreachable
4. To commit the changes exit.
R2(config)#commit
R2(config)#exit
Validation
R1:
OcNOS#ping 20.1.1.3
Press CTRL+C to exit
PING 20.1.1.3 (20.1.1.3) 100(128) bytes of data.
--- 20.1.1.3 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 167ms
OcNOS#
No IPv6 Unreachable Unconfiguration
To revert the suppression of ICMPv6 messages to the original configuration, follow the steps.
1. Enter the global configuration mode.
R2#configure terminal
2. Configure the interface ge10.
R2(config)#interface ge10
3. Re-enable ICMP unreachable messages.
R2(config-if)#ipv6 unreachable
5. To commit the changes exit.
R2(config)#commit
R2(config)#exit
CLI Commands
The no ip unreachable introduces the following configuration commands:
no ip unreachable
This command to suppress the ICMP messages going out from the interface.
Remove the no form of this command to allow ICMP messages going out from the interface.
Command Syntax
no ip unreachable
ip unreachable
Parameters
None
Default
None
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 6.5.2.
Examples
#configure terminal
(config)# interface ge0
(config-if)#no ip unreachable
no ipv6 unreachable
This command to suppress the ICMPv6 messages going out from the interface.
Remove the no form of this command to allow ICMPv6 messages going out from the interface.
Command Syntax
no ipv6 unreachable
ipv6 unreachable
Parameters
None
Default
None
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 6.5.2.
Examples
#configure terminal
(config)# interface ge0
(config-if)#no ipv6 unreachable
Glossary
The following provides definitions for key terms or abbreviations and their meanings used throughout this document:
Key Terms/Acronym | Description |
|---|---|
ICMP | Internet Control Message Protocol (ICMP) is a fundamental protocol used in networking to relay error messages and operational information. |