No IP Unreachable
Overview
The "no ip unreachable" feature in networking devices is a configuration used to enhance network security and efficiency by disabling the generation of Internet Control Message Protocol (ICMP) unreachable messages. Normally, these messages are sent by routers and other network devices in response to packets that cannot be delivered to their intended destination for various reasons.
When the "no ip unreachable" command is enabled, the network device stops sending these ICMP unreachable messages.
The supported ICMP Unreachable Codes
Table 1 shows the codes used in ICMP Unreachable.

Table P-1: ICMP Unreachable Codes
| Code | Message | Description |
|---|---|---|
| 0 | Destination network unreachable | The destination network is not reachable from the current router. |
| 1 | Destination host unreachable | The specific destination host within a reachable network is not accessible. |
| 2 | Destination protocol unreachable | The protocol specified in the packet is not supported by the destination. |
| 3 | Destination port unreachable | The destination port is not open or not listening on the destination device. |
| 4 | Fragmentation needed and DF flag set | |
| 5 | Source Route Failed | |
| 6 | Destination Network Unknown | |
| 7 | Destination Host Unknown | NA |
| 8 | Source Host Isolated | NA |
| 9 | Network Administratively Prohibited | NA |
| 10 | Network Administratively Prohibited | NA |
| 11 | Network Unreachable for TOS | NA |
| 12 | Host Unreachable for TOS | NA |
| 13 | Communication Administratively Prohibited | NA |
| 14 | Host Precedence Violation | NA |
| 15 | Precedence Cutoff in Effect | NA |

The supported ICMPv6 Unreachable Codes
Table 2 shows the codes used in ICMPv6 Unreachable.

Table P-2: ICMPv6 Unreachable Codes
| Code | Description |
|---|---|
| 0 | No route to destination |
| 1 | Communication with destination administratively prohibited |
| 2 | Beyond scope of source address |
| 3 | Address unreachable |
| 4 | Port unreachable |
| 5 | Source address failed ingress/egress policy |
| 6 | Reject route to destination |

Feature Characteristics
The "no ip unreachable" feature is used to prevent a device from sending ICMP unreachable messages. These messages are typically generated when a router cannot forward a packet because the destination is unreachable. Disabling these messages can enhance network performance and security.
Benefits
The advantages of using No IP Unreachable are:
Enhanced Security
Performance Optimization
Simplified Troubleshooting
Configuration
To configure "no ip unreachable," enter interface configuration mode on the device, select the outgoing interface, and apply the "no ip unreachable" command. This prevents the device from sending ICMP unreachable messages for packets sent through that interface, thereby enhancing network security.
Example for Suppressing the ICMP Destination Host Unreachable Message
With the configuration shown in the diagram, R2 is set to drop ICMP unreachable messages for packets exiting from interface ge10. The following steps describe how it operates. The procedures in this section use the topology in Figure 6-15.
Figure 6-15: No IP Unreachable
1. Packet Reception: R2 receives a packet that it needs to forward to a destination.
2. Routing Decision: R2 checks its routing table to determine the next hop for the packet.
3. Unreachable Destination: If there is no valid route to reach the destination 20.1.1.3, R2 would normally generate an ICMP unreachable message, indicating Destination Host Unreachable.
4. Suppression of ICMP Message: With the "no ip unreachable" command enabled on R2's interface ge10, R2 suppresses outgoing ICMP messages from interface ge10, effectively dropping the packet without notifying the sender. In this case, R2 drops the Destination Host Unreachable message.
Example for Suppressing the ICMP Destination Network Unreachable Message
With the configuration shown in the diagram, R2 is set to drop ICMP unreachable messages for packets going out from interface ge10. The following steps describe how it operates. The procedures in this section use the topology in Figure 6-15.
1. Packet Reception: R2 receives a packet that it needs to forward to a destination.
2. Routing Decision: R2 checks its routing table to determine the next hop for the packet.
3. Unreachable Destination: If there is no valid route to reach the destination network 30.1.1.1, R2 would normally generate an ICMP unreachable message, indicating Destination Network Unreachable.
4. Suppression of ICMP Message: With the "no ip unreachable" command enabled on R2's interface ge10, R2 suppresses outgoing ICMP messages from interface ge10, effectively dropping the packet without notifying the sender. In this case, R2 drops the "Destination Network Unreachable" message.
Example for Suppressing the ICMP Fragmentation Needed Message
With the configuration shown in the diagram, R2 is set to drop ICMP unreachable messages for packets going out from interface ge10. The following steps describe how it operates. The procedures in this section use the topology in Figure 6-15.
1. Packet Reception: R2 receives a packet that it needs to forward to a destination.
2. Routing Decision: R2 checks the data size of the packet to transmit to the next hop. In this case, the data size is 1328 bytes.
3. Unreachable Destination: Since the maximum transmission unit (MTU) on R2 is set to 1200 bytes, R2 would normally generate an ICMP unreachable message, indicating "Fragmentation needed but DF is set."
4. Suppression of ICMP Message: With the "no ip unreachable" command enabled on R2's interface ge10, R2 suppresses outgoing ICMP messages from interface ge10, effectively dropping the packet without notifying the sender. In this case, R2 drops the "Fragmentation needed" message.
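What the Fragmentation Needed message carries, and what the sender loses when R2 suppresses it, as an added Python example that is not part of the OcNOS documentation. It encodes and decodes the RFC 1191 layout (type 3, code 4, next-hop MTU) with the page's 1328-byte packet and 1200-byte MTU; the function names and the sample header are assumptions made for the example.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """Type 3, code 4: 16 unused bits, 16-bit next-hop MTU, then the
    offending packet's IP header plus its first 8 payload bytes."""
    body = struct.pack("!HH", 0, next_hop_mtu) + original
    csum = inet_checksum(struct.pack("!BBH", 3, 4, 0) + body)
    return struct.pack("!BBH", 3, 4, csum) + body

def parse_unreachable(msg: bytes) -> dict:
    """Validate and decode an ICMP Destination Unreachable message."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    return {"code": code, "next_hop_mtu": mtu if code == 4 else None}

def next_packet_size(current_size: int, icmp_reply) -> int:
    """Sender-side path MTU step. icmp_reply is None when the router stayed
    silent, which is what R1 sees once R2 suppresses unreachables."""
    if icmp_reply is None:
        return current_size            # nothing learned: size stays at 1328
    info = parse_unreachable(icmp_reply)
    return info["next_hop_mtu"] if info["code"] == 4 else current_size

# Constructed sample: IPv4 header (DF set, total length 1328, 10.1.1.1 ->
# 20.1.1.3, header checksum left 0) plus 8 bytes of an ICMP echo request.
SAMPLE_ORIGINAL = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1328, 1, 0x4000, 64, 1,
                              0, bytes([10, 1, 1, 1]), bytes([20, 1, 1, 3]))
SAMPLE_ORIGINAL += b"\x08\x00" + bytes(6)

if __name__ == "__main__":
    reply = build_frag_needed(1200, SAMPLE_ORIGINAL)
    print(parse_unreachable(reply))
    print(next_packet_size(1328, reply), next_packet_size(1328, None))
```

With the message delivered the sender can drop to 1200 bytes; with it suppressed the sender keeps transmitting 1328-byte packets that R2 continues to discard.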
Topology
The procedures in this section use the topology in Figure 6-16.
Figure 6-16: No IPv6 Unreachable
Configurations
This configuration suppresses ICMP messages from being sent out of the interface. Perform the following steps to configure no ip unreachable functionality for R2.
No IP Unreachable Configuration
Supported on all types of nodes.
Configuring No IP/IPv6 Unreachable
1. Enter the interface configuration mode.
R2(config)#interface ge10
Assign an IPv6 address to the interface using the ipv6 address command, followed by the desired IPv6 address and prefix length.
R2(config-if)#ipv6 address 1000::1/64
2. Suppress the IP/IPv6 unreachable messages on the interface.
R2(config-if)#no ip unreachable
R2(config-if)#no ipv6 unreachable
3. Commit the changes and exit.
R2(config)#commit
R2(config)#exit
Snippet configuration on R1 router is as follows:
!
interface ge10
ip address 10.1.1.1/24
!
Snippet configuration on R2 router is as follows:
!
interface ge10
ip address 10.1.1.2/24
no ip unreachable
!
Validation
To verify that the no ip unreachable command has been applied to the interface, use the following command:
R1:
OcNOS#ping 20.1.1.3
Press CTRL+C to exit
PING 20.1.1.3 (20.1.1.3) 100(128) bytes of data.
From 10.1.1.2 icmp_seq=1 Destination Host Unreachable
From 10.1.1.2 icmp_seq=2 Destination Host Unreachable
From 10.1.1.2 icmp_seq=3 Destination Host Unreachable
From 10.1.1.2 icmp_seq=4 Destination Host Unreachable
From 10.1.1.2 icmp_seq=5 Destination Host Unreachable
From 10.1.1.2 icmp_seq=6 Destination Host Unreachable
 
--- 20.1.1.3 ping statistics ---
7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 142ms
pipe 3
OcNOS#
No IP Unreachable Unconfiguration
To revert the suppression of ICMP messages to the original configuration, follow these steps.
1. Enter the global configuration mode.
R2#configure terminal
2. Configure the interface ge10.
R2(config)#interface ge10
3. Re-enable ICMP unreachable messages.
R2(config-if)#ip unreachable
4. Commit the changes and exit.
R2(config)#commit
R2(config)#exit
Validation
R1:
OcNOS#ping 20.1.1.3
Press CTRL+C to exit
PING 20.1.1.3 (20.1.1.3) 100(128) bytes of data.
 
--- 20.1.1.3 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 167ms
OcNOS#
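As an added example (not part of the OcNOS documentation), the following Python helper classifies ping output in the format of the R1 captures above by what the sender heard from R2: "From 10.1.1.2 ... Destination Host Unreachable" lines mean R2 generated ICMP unreachables, while loss with no error lines is the sender's view when the packet is dropped without notification. The function name, verdict labels and sample text are assumptions made for the example.

```python
import re

ERR_LINE = re.compile(r"^From (\S+) icmp_seq=(\d+) (.+)$")
STATS = re.compile(r"(\d+) packets transmitted, (\d+) received(?:, \+(\d+) errors)?")

def classify_ping(output: str, router: str) -> dict:
    """Classify a ping run by what the sender heard back from `router`."""
    errors = {}
    for line in output.splitlines():
        m = ERR_LINE.match(line.strip())
        if m and m.group(1) == router:
            errors[m.group(3)] = errors.get(m.group(3), 0) + 1
    stats = STATS.search(output)
    if stats is None:
        raise ValueError("no ping statistics line found")
    sent, received = int(stats.group(1)), int(stats.group(2))
    if received:
        verdict = "replies-received"
    elif errors:
        verdict = "unreachables-received"   # router is still generating ICMP errors
    else:
        # Consistent with suppression, but also with any other silent drop
        # on the path, so confirm against the interface configuration.
        verdict = "silent-loss"
    return {"sent": sent, "received": received, "errors": errors, "verdict": verdict}

# Constructed samples in the format of the R1 captures on this page.
WITH_ERRORS = """PING 20.1.1.3 (20.1.1.3) 100(128) bytes of data.
From 10.1.1.2 icmp_seq=1 Destination Host Unreachable
From 10.1.1.2 icmp_seq=2 Destination Host Unreachable
From 10.1.1.2 icmp_seq=3 Destination Host Unreachable

--- 20.1.1.3 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 60ms
"""
SILENT = """PING 20.1.1.3 (20.1.1.3) 100(128) bytes of data.

--- 20.1.1.3 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 60ms
"""

if __name__ == "__main__":
    for name, sample in (("with errors", WITH_ERRORS), ("silent", SILENT)):
        print(name, classify_ping(sample, "10.1.1.2"))
```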
No IPv6 Unreachable Unconfiguration
To revert the suppression of ICMPv6 messages to the original configuration, follow these steps.
1. Enter the global configuration mode.
R2#configure terminal
2. Configure the interface ge10.
R2(config)#interface ge10
3. Re-enable ICMPv6 unreachable messages.
R2(config-if)#ipv6 unreachable
4. Commit the changes and exit.
R2(config)#commit
R2(config)#exit
CLI Commands
The No IP Unreachable feature introduces the following configuration commands:
no ip unreachable
Use this command to suppress the ICMP messages going out from the interface.
Use the ip unreachable form of this command to allow ICMP messages to go out from the interface.
Command Syntax
no ip unreachable
ip unreachable
Parameters
None
Default
None
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 6.5.2.
Examples
#configure terminal
(config)# interface ge0
(config-if)#no ip unreachable
no ipv6 unreachable
Use this command to suppress the ICMPv6 messages going out from the interface.
Use the ipv6 unreachable form of this command to allow ICMPv6 messages to go out from the interface.
Command Syntax
no ipv6 unreachable
ipv6 unreachable
Parameters
None
Default
None
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 6.5.2.
Examples
#configure terminal
(config)# interface ge0
(config-if)#no ipv6 unreachable
Glossary
The following provides definitions for key terms or abbreviations and their meanings used throughout this document:

| Key Terms/Acronym | Description |
|---|---|
| ICMP | Internet Control Message Protocol (ICMP) is a fundamental protocol used in networking to relay error messages and operational information. |