Table of Contents
Advertisement
IP A
P
DDRESSING AND
ROTOCOL
IP UNREACHABLES
ip unreachables
Overview
Use this command to enable ICMP (Internet Control Message Protocol) type 3,
destination unreachable, messages.
Use the no variant of this command to disable destination unreachable messages.
This prevents an attacker from using these messages to discover the topology of a
network.
ip unreachables
Syntax
no ip unreachables
Default
Destination unreachable messages are enabled by default.
Mode
Global Configuration
Usage notes
When a device receives a packet for a destination that is unreachable it returns an
ICMP type 3 message, this message includes a reason code, as per the table below.
An attacker can use these messages to obtain information regarding the topology
of a network. Disabling destination unreachable messages, using the no ip
unreachables command, secures your network against this type of probing.
NOTE
traceroute and Path MTU Discovery (PMTUD), which depend on these messages to
operate correctly.
Table 22-2: ICMP type 3 reason codes and description
C613-50644-01 Rev B
C
OMMANDS
: Disabling ICMP destination unreachable messages breaks applications such as
Code
Description [RFC]
0
Network unreachable [RFC792]
1
Host unreachable [RFC792]
2
Protocol unreachable [RFC792]
3
Port unreachable [RFC792]
4
Fragmentation required, and DF flag set [RFC792]
5
Source route failed [RFC792]
6
Destination network unknown [RFC1122]
7
Destination host unknown [RFC1122]
8
Source host isolated [RFC1122]
9
Network administratively prohibited [RFC768]
10
Host administratively prohibited [RFC869]
11
Network unreachable for Type of Service [RFC908]
12
Host unreachable for Type of Service [RFC938]
13
Communication administratively prohibited [RFC905]
Command Reference for IE220 Series
AlliedWare Plus™ Operating System - Version 5.5.3-0.x
858
Advertisement
Table of Contents
