[Chin] IP redirects @ Chin Blog

這篇我要介紹IP重導向功能，從路由繞送的角度來看它是一個方便的功能，卻也意味著危險，我透過下面的圖、設定，示範IP重導向。

Figure 1-1

1-1

在Cisco路由器，IP redirects預設被關閉，這是安全的。請見R1：

Example 1-1

1-3

在配置IP重導向前，「sh run int f0/0」會看到「no ip redirects」；而且「sh ip int f0/0」的輸出中某一行寫「ICMP redirects are never sent」。

介面指令「ip redirects」會啟動重導向功能，然後再「sh run int f0/0」，雖然runnning-config裡面看不到，但是「sh ip int f0/0」的輸出中某一行則寫「ICMP redirects are always」。

那麼要如何驗證效果？在這個lab中我使用ubuntu 18.04虛擬機，然後追蹤路由8.8.8.8，請見下圖：

Figure 1-2

1-4

ubuntu的IP是192.168.1.8 / 24，請注意！預設閘道被設定為192.168.1.1(R1)，但是追蹤8.8.8.8時，你能注意到第一跳是192.168.1.2(R2)。

為什麼？R1到R3是T1頻寬(1.5Mbps)、R2到R3是10 Gbps頻寬，R1、R2和R3跑路由協定(我用EIGRP)；網路收斂後，R1要去8.8.8.8的網路，它知道下一跳走192.168.1.2(R2)會比較好，而不走12.0.0.3。

不過IP重導向的封包不一定所有系統都能辨識，這次我用Windows 7虛擬機，追蹤路由8.8.8.8，請見下圖：

Figure 1-3

1-5

Windows 7的IP是192.168.1.7 / 24，預設閘道一樣被設為192.168.1.1(R1)，這次追蹤8.8.8.8，第1跳是192.168.1.1(R1)，第2跳才是192.168.1.2(R2)，但是一般情形下追蹤路由的每一跳應該要不同網段才有意義。

I will introduce a function for IP redirects. It is a convenient function when you are from routing point of view, but it mean dangerous. I will demo IP redirects by images, configuration.

Figure 1-1

Example 1-1

In Cisco routers, IP redirects function was default disable. It is safe. The R1：

Before set IP redirects, it have 「no ip redirects」 when input「sh run int f0/0」; And 「sh run int f0/0」 line of one of the reads 「ICMP redirects are never sent」.
Interface command 「ip redirects」 can enable function, and input 「sh run int f0/0」. Although you can't see in runnning-config. But 「sh run int f0/0」 line of one of the reads 「ICMP redirects are always」.

How to verify the effect? I use VM of ubuntu 18.04 in the lab, and tracepath 8.8.8.8. Next image:

Figure 1-2

The ubuntu's IP address is 192.168.1.8 / 24. Notice! default gateway was set 192.168.1.1(R1). Then tracepath 8.8.8.8 , you can see first hop is 192.168.1.2(R2).

Why? The connection with R1 to R3 that T1 bandwidth(1.5Mbps), the connection with R2 to R3 that 10 Gbps bandwidth.
R1, R2 and R3 are installed routing protocol for EIGRP; After network convergency, R1 wants go to network 8.8.8.8 . It know next hop for 192.168.1.2(R2) is better than 12.0.0.3.

However, any system don't necessarily recognize packet for IP redirects. I use VM of Windows 7 now, then tracert 8.8.8.8 . Next image:

Figure 1-3

Windows 7's IP address is 192.168.1.7 / 24, default gateway is 192.168.1.1(R1). And tracert 8.8.8.8 , first hop is 192.168.1.1(R1), second hop is 192.168.1.2(R2).
However, trace route for every hop are should different network generally. It make route meaningful.