Understanding ICMP Unreachable Messages for Static Routes Sent on Null Interfaces

You can handle undesired traffic by sending data packets to the null interface. The null interface is automatically created by the router, is always up, cannot be deleted, and acts as a data sink. The null interface cannot forward or receive traffic. However, the command-line interface (CLI) does enable you to access the null interface. You can configure a static route using the ip route command and direct traffic to the null interface by specifying the null 0 keyword with this command, instead of a next-hop or destination address. You can also use access control lists to filter undesired traffic.

When a ping or traceroute packet from a subscriber reaches the null 0 interface configured with a static route, it is discarded in the forwarding plane. You can configure the router to either send or not send Internet Control Message Protocol (ICMP) unreachable messages to the subscriber for such discarded packets. An advantage of this feature is that it enables synchronization of the RADIUS configuration of the client environment with the network topology.

You can use the reject keyword with the ip route command to cause the router to send ICMP unreachable messages to the originator from which ping and traceroute packets are received on the null 0 interface with a static route. The switch route processor (SRP) module drops these ping and traceroute packets destined for null 0 interface without further processing and sends ICMP unreachable messages to the originator.

For ICMP unreachable messages to be sent from the router for packets that are received from clients on the static routes configured on null 0 interfaces, you must configure the router to enable generation of ICMP unreachable messages for IPv4 (ping and traceroute) that the router cannot deliver using the ip unreachables command in Interface Configuration mode.

The option to send ICMP unreachable messages is available for all IPv4 static routes in a virtual router that are configured with null 0 interface as the next-hop. The Denial of Service (DoS) protection feature can be enabled to monitor the ping and traceroute packets that are discarded from flooding the network. A new DoS type is used to apply a rate-control limit on these packets.

By default, generation of ICMP unreachable messages is enabled on an interface. If the capability to generate ICMP unreachable messages is disabled on the interface, you must enable this functionality using the ip unreachables command in Interface Configuration mode to send ICMP unreachables for packets that reached null 0 interfaces with static routes and were discarded.

If you disable generation of ICMP unreachable messages for null interfaces on the router using the no ip unreachables command, ICMP unreachable messages are not sent for packets that are dropped or not processed by such interfaces, even if you configure static routes for such interfaces to send ICMP unreachables (using the reject keyword with the ip route command).

To enable backward compatibility with versions of JunosE software in which functionality is not available, the default behavior is to discard the ping and traceroute packets destined for null 0 interfaces at the forwarding layer without the transmission of ICMP unreachable messages to the originator.

You can use the output of the show ip static command to determine whether the sending of ICMP unreachable messages is enabled on each interface for which static routes are configured. The ICMP Unreach field in the output of these commands specifies whether the reject or discard keyword is configured for each static route on the router interface.