Redirecting ICMP with HSRP

Problem

You want to enable ICMP redirects with HSRP.

Solution

In older IOS releases, when you enable HSRP on an interface, the router will automatically disable ICMP redirection. However, starting with IOS Version 12.1(3)T, Cisco has changed how ICMP redirection works with HSRP, and it is now enabled by default.

You can explicitly enable ICMP redirects on HSRP-enabled interfaces with the following commands:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface FastEthernet 1/0
Router2(config-if)#standby redirects enable
Router2(config-if)#exit
Router2(config)#end
Router2#

The following commands prevent the router from sending ICMP redirects on HSRP-enabled interfaces:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface FastEthernet 1/0
Router2(config-if)#no ip redirects
Router2(config-if)#standby redirects disable
Router2(config-if)#exit
Router2(config)#end
Router2#

The unknown keyword allows the router to send ICMP redirects that point to non-HSRP routers:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface FastEthernet 1/0
Router2(config-if)#standby redirects unknown
Router2(config-if)#exit
Router2(config)#end
Router2#


Discussion

When a router receives a packet from a LAN interface, but the route to the destination points to another router on the same LAN segment, the router will send an ICMP Redirect message. This is a single packet that includes information about the better route for this destination. The router will also forward the original packet over to the other router. When the end device receives the ICMP Redirect packet, it updates its own internal routing table so that all future packets for this destination use the better router.

But ICMP redirection is not usually a good idea with HSRP, because it causes the end device to update its internal routing table with the real IP address and MAC address of one of the routers when it tries to communicate with a particular remote segment. If that router were to fail, all communication to this remote segment would stop, since the host is no longer using the virtual address that HSRP protects. The behavior introduced in 12.1(3)T resolves this problem: if the better router is running HSRP, the redirect points only to the group's virtual IP and MAC addresses. If the other router doesn't run HSRP, then the redirect must use its physical addresses, of course.

This also implies that you will never see an ICMP redirect to an HSRP router that is not in the active state, because the standby router doesn't have a virtual MAC address.
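To make the failover concern in this discussion concrete, here is an added example (not from the book or Cisco) that parses an ICMP Redirect from a captured datagram, verifies its checksum, and reports whether the gateway it names is an HSRP virtual IP (safe across failover) or a router's physical address (the pre-12.1(3)T behavior that strands hosts). The packet builder, addresses, and the set of HSRP virtual IPs are constructed assumptions for the demonstration.

```python
import struct
from ipaddress import IPv4Address

ICMP_REDIRECT = 5  # ICMP type for Redirect

def ip_checksum(data):
    """RFC 1071 one's-complement checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_redirect(packet):
    """Parse an IPv4 datagram carrying an ICMP Redirect (type 5)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    itype, code, _csum, gateway = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_REDIRECT:
        raise ValueError("not an ICMP Redirect")
    # The ICMP payload carries the original IP header (+8 bytes); read its destination.
    return {
        "router": IPv4Address(packet[12:16]),     # router that sent the redirect
        "code": code,                             # 0/1 network/host, 2/3 with TOS
        "gateway": IPv4Address(gateway),          # address the host will now use
        "original_dst": IPv4Address(icmp[8 + 16:8 + 20]),
        "checksum_ok": ip_checksum(icmp) == 0,    # sum over the whole ICMP part must be 0
    }

def classify_redirect(redirect, hsrp_virtual_ips):
    """'virtual' if the gateway is an HSRP virtual IP (survives failover), else 'physical'."""
    return "virtual" if str(redirect["gateway"]) in hsrp_virtual_ips else "physical"

def build_redirect(router, gateway, orig_src, orig_dst):
    """Constructed sample: a host redirect (code 1) as a router would send it.
    The outer IP header checksum is left zero; the parser does not verify it."""
    ip = lambda s: IPv4Address(s).packed
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, ip(orig_src), ip(orig_dst))
    inner += b"\x00" * 8                                  # first 8 bytes of original payload
    icmp = struct.pack("!BBHI", ICMP_REDIRECT, 1, 0, int(IPv4Address(gateway))) + inner
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 255, 1, 0, ip(router), ip(orig_src))
    return outer + icmp
```

Running `classify_redirect(parse_icmp_redirect(build_redirect("192.168.1.2", "192.168.1.1", "192.168.1.50", "10.0.0.7")), {"192.168.1.1"})` returns "virtual"; swapping the gateway for 192.168.1.3 returns "physical", the case where a router failure would strand the host.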
