2501 no ip unreachables

Post by Phil Howa » Fri, 19 Jan 1996 04:00:00



In the UniverCD, "no ip unreachables" says it will not send the ICMP
Host Unreachable if there is no route found for the address.  But the
access-list indicates it would be sent if the packet is denied.

This is ambiguous, since each does not refer to the other, and either
behaviour (if I do both, does ICMP Host Unreachable get sent?) fits
the documentation.

To further complicate things, there is NO WAY (really really weird)
to delete an access-list entry or re-order them.  So I need to do it
right the first time, with not even a testing opportunity (so therefore
asking in advance is essential).  The documentation even says there
is no way (although I have not read it all yet, clearly if there turns
out to be a hidden way, that's a contradiction).

Fortunately, I don't need to do really sophisticated IP packet filtering
at the 2501 since the inside subnet goes on through another filter router
before reaching our network, and this subnet between them is considered
to be our DMZ part of the firewall.  But this does knock out any chance
of replacing that 2nd router (a Livingston IRX that has reached its limit)
with a 2514 unless the documentation turns out to be wrong (I can hope,
and this is not without reason since I've seen many products in the
computer and network field with grossly incorrect documentation).

The UniverCD I have is "Vol. 1, No. 2 Rev. BO".  The one cool thing about
it is that I could install it under a web server and read it elsewhere.
--
Phil Howard KA9WGN      +-------------------------------------------------+
Unix/Internet/Sys Admin |    When freedom is outlawed....                 |
CLR/Fast-Tax            |            ....only outlaws will be free!       |

 
 
 

Post by Barton F. Bruce / C » Sat, 20 Jan 1996 04:00:00


...

> To further complicate things, there is NO WAY (really really weird)
> to delete an access-list entry or re-order them.  So I need to do it
> right the first time, with not even a testing opportunity (so therefore
> asking in advance is essential).  The documentation even says there
> is no way (although I have not read it all yet, clearly if there turns
> out to be a hidden way, that's a contradiction).

Keep the evolving list on a tftp server, and have the first line be:

NO ACCESS-LIST 101

followed by all your

ACCESS-LIST 101 ...

lines.

Just keep editing them, and from the router suck in the new version
using CONFIG NET each time. That initial NO... kills the current
one and the following lines puts the new version in place.

Very fast and very simple.

 
 
 

Post by Greg Christ » Sun, 21 Jan 1996 04:00:00


> In the UniverCD, "no ip unreachables" says it will not send the ICMP
> Host Unreachable if there is no route found for the address.  But the
> access-list indicates it would be sent if the packet is denied.

> This is ambiguous, since each does not refer to the other, and either
> behaviour (if I do both, does ICMP Host Unreachable get sent?) fits
> the documentation.

The "Usage Guidelines" in the "ip unreachables" section of the 11.0
Router Configuration Guide from the current UniverCD says the
following:

"This command affects all kinds of ICMP unreachable messages."

> To further complicate things, there is NO WAY (really really weird)
> to delete an access-list entry or re-order them.  So I need to do it
> right the first time, with not even a testing opportunity (so therefore
> asking in advance is essential).  The documentation even says there
> is no way (although I have not read it all yet, clearly if there turns
> out to be a hidden way, that's a contradiction).

At the present time, one must delete and then recreate the entire
access-list to change an entry.  It's quite common for users to reload
an access list via tftp with the "copy tftp running-config"
command. The file should look something like this:

!
! Temporarily remove access lists from appropriate interfaces
! to prevent the implicit deny from cutting us off from the tftp
! server while loading the new list.
!
int <xxx>
no ip access-group <aaa> [in/out]
int <yyy>
no ip access-group <aaa> [in/out]
!
! Delete old list and load new one
!
no access-list <aaa>
access-list <aaa>  ...
access-list <aaa>  ... (etc.)
!
! Reestablish access-lists
!
int <xxx>
ip access-group <aaa> [in/out]
int <yyy>
ip access-group <aaa> [in/out]
end

> Fortunately, I don't need to do really sophisticated IP packet filtering
> at the 2501 since the inside subnet goes on through another filter router
> before reaching our network, and this subnet between them is considered
> to be our DMZ part of the firewall.  But this does knock out any chance
> of replacing that 2nd router (a Livingston IRX that has reached its limit)
> with a 2514 unless the documentation turns out to be wrong (I can hope,
> and this is not without reason since I've seen many products in the
> computer and network field with grossly incorrect documentation).

> The UniverCD I have is "Vol. 1, No. 2 Rev. BO".  The one cool thing about
> it is that I could install it under a web server and read it elsewhere.

I would suggest obtaining a newer version as this is quite old. The
current version is Vol. 3, No. 1.

Greg
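
An added example, not part of the original posts: a small Python check for a reload file before it is pulled in over tftp. It flags the three mistakes the two replies above guard against: entries loaded without a preceding "no access-list" (they append to the old list), a list re-applied with no entries loaded, and an access-group removed but never re-applied. The function name, interface name, list number and sample entries are assumptions made for illustration.

```python
import re

# Constructed sample following the template in the post above; the interface
# name, list number and entries are invented for illustration.
GOOD = """\
interface Serial0
 no ip access-group 101 in
no access-list 101
access-list 101 permit tcp any host 192.0.2.10 eq 25
access-list 101 deny ip any any
interface Serial0
 ip access-group 101 in
end
"""

def lint_reload_file(text):
    """Return a list of problems found in an access-list reload file."""
    problems, iface = [], None
    detached, attached = set(), set()   # (interface, list, direction)
    count = {}                          # list number -> entries loaded after the delete
    for raw in text.splitlines():
        line = raw.strip().lower()
        if m := re.match(r"int(?:erface)?\s+(\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"(no\s+)?ip access-group\s+(\d+)\s*(in|out)?$", line):
            key = (iface, m.group(2), m.group(3))
            if m.group(1):
                detached.add(key)
            else:
                attached.add(key)
                if not count.get(m.group(2)):
                    problems.append(f"list {m.group(2)} applied on {iface} with no entries loaded")
        elif m := re.match(r"no access-list\s+(\d+)$", line):
            count[m.group(1)] = 0       # old list deleted; entries start from zero
        elif m := re.match(r"access-list\s+(\d+)\s+\S", line):
            if m.group(1) not in count:
                problems.append(f"entry for list {m.group(1)} before 'no access-list': appends to the old list")
            count[m.group(1)] = count.get(m.group(1), 0) + 1
    # Anything detached at the top must come back at the bottom.
    for key in sorted(detached - attached, key=str):
        problems.append(f"list {key[1]} removed from {key[0]} but never re-applied")
    return problems
```
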

 
 
 

Post by Craig A. Hueg » Sun, 21 Jan 1996 04:00:00



>In the UniverCD, "no ip unreachables" says it will not send the ICMP
>Host Unreachable if there is no route found for the address.  But the
>access-list indicates it would be sent if the packet is denied.

access-list denies vs. no route unreachables are different.  Starting
with 10.3(4), I believe, access-list packet denials cause an ICMP
unreachable type 13 to the source.  Most systems/routers do not know this
code yet, but it means "administratively denied".

Obviously, unreachables generated by having no route are not the same.

Maybe cisco people can shed light on whether or not the no unreachables
option also works for type 13 administratively denied packets.

/cah

----

Communications Engineer                 Fax:   (408) 428-8513
Electronic Data Systems / Pyramid Technology Corporation
Mail Stop SJ1-1-107, 3860 North First Street, San Jose, CA 95134

 
 
 

Post by Tony L » Tue, 23 Jan 1996 04:00:00


   Maybe cisco people can shed light on whether or not the no unreachables
   option also works for type 13 administratively denied packets.

Yes, access list violations will not generate administrative unreachables
if you disable unreachables on that interface.

Tony

 
 
 
