Cisco OL-4015-08 User Manual page 91

Cisco Router and Security Device Manager User's Guide

Chapter 4
Edit Interface/Connection
IP Route Cache-Flow
This option enables the Cisco IOS NetFlow feature. Using NetFlow, you can
determine packet distribution, protocol distribution, and current flows of data on
the router. This is valuable data, particularly when searching for the source of a
spoofed IP address attack.

IP Redirects
ICMP redirect messages instruct an end node to use a specific router as its path to
a particular destination. In a properly functioning IP network, a router will send
redirects only to hosts on its own local subnets, no end node will ever send a
redirect, and no redirect will ever traverse more than one network hop.
However, an attacker may violate these rules; some attacks are based on this.
Disabling ICMP redirects will cause no operational impact to the network, and it
eliminates this possible method of attack.

IP Mask-Reply
ICMP mask reply messages are sent when a network device must know the
subnet mask for a particular subnetwork in the internetwork. ICMP mask reply
messages are sent to the device requesting the information by devices that have
the requested information. These messages can be used by an attacker to gain
network mapping information.

IP Unreachables
ICMP host unreachable messages are sent out if a router receives a nonbroadcast
packet that uses an unknown protocol, or if the router receives a packet that it is
unable to deliver to the ultimate destination because it knows of no route to the
destination address. These messages can be used by an attacker to gain network
mapping information.

QoS
You can associate a QoS policy with an interface in this tab, or dissociate a policy
from an interface.
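
The following is an added example, not part of the Cisco manual or of SDM: a small audit that reads an IOS running-config and reports, per interface, the state of the IP Redirects, IP Mask-Reply, IP Unreachables and IP Route Cache-Flow options described above. The CLI lines it matches (no ip redirects, no ip unreachables, ip mask-reply, ip route-cache flow) and the defaults it assumes when a line is absent do not appear in the manual text; the sample configuration is constructed.

```python
import re

# Constructed sample running-config, not taken from the manual.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip route-cache flow
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip mask-reply
!
"""

# Assumption: the state IOS uses when a line is absent from the running-config.
DEFAULTS = {"ip redirects": True, "ip unreachables": True,
            "ip mask-reply": False, "ip route-cache flow": False}


def parse_interfaces(config):
    """Return {interface: {setting: enabled}} for the four settings."""
    interfaces, current = {}, None
    for line in config.splitlines():
        start = re.match(r"interface\s+(\S+)", line)
        if start:
            current = interfaces.setdefault(start.group(1), dict(DEFAULTS))
        elif not line.startswith(" "):
            current = None  # "!" or a global command closes the stanza
        elif current is not None:
            text = line.strip()
            enabled = not text.startswith("no ")
            key = text if enabled else text[3:]
            if key in current:
                current[key] = enabled
    return interfaces


def audit(config):
    """Return (interface, finding) pairs that differ from the hardened state."""
    findings = []
    for name, state in parse_interfaces(config).items():
        for key in ("ip redirects", "ip unreachables", "ip mask-reply"):
            if state[key]:
                findings.append((name, key + " enabled"))
        if not state["ip route-cache flow"]:
            findings.append((name, "ip route-cache flow not enabled"))
    return findings
```

Calling audit(SAMPLE_CONFIG) returns four findings, all on FastEthernet0/1, because that interface relies on the assumed defaults and explicitly enables mask replies.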
Cisco Router and Security Device Manager Version 2.2 User's Guide