• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1289
  • Last Modified:

IP redirect Cisco 1811

I need a little knowledge about IP redirect.
First of all, are Cisco 1811s capable of IP redirect?
I have a relatively large network with 10 subnets.
These subnets each have their own Cisco 1811 router and this of course slows down my network very much.
I have single-mode fiber connections between all these routers, through gigabit converters.
I have the idea that I could put a Catalyst 3750 in the middle, configure layer 3 routing on it and then configure IP redirect on the 9 Cisco 1811 routers.
The 1811 routers all have their own internet connection and this is also what I want in the future, so I'll let the 1811 continue to route to the ADSL interface, unless traffic is meant for any of my other subnets; in that case, it should redirect to the same port with the local IP on the layer 3 switch port instead. I think it's called router on a stick.
I think this will work and bypass my 1811 routers if traffic is meant for my other subnets, but I'm unsure of what happens when a client tries to speak to another subnet.
I have WinXP and some Windows 7 clients and some 2008 servers on each subnet.
Will these OSs have ICMP redirect enabled by default or do I need to make changes to them first?
I think what happens is that the client connects to its default gateway the first time it tries to send something to the other subnets. The router looks in its routing table and discovers that there is another route to the subnet in its routing table. It then forwards the packet to the IP of the layer 3 switch AND sends the client information that in the future it should go directly that way. The client then stores this information in its local routing table and voila, I have gigabit instead of the slow speed of the 1811s :)
Is it really that simple?
To list my questions in a simple manner, here goes...

1. Do XP, Windows 7 and Server 200x understand IP redirect from a Cisco router and automatically update their local routing table accordingly?
2. Do the Cisco 1811 routers support ICMP redirect?
3. Do I need to do anything else than configure the new IP route and the line "ip redirect" on the 1811s? (After I configured the 3750, that is.)
4. Will this work? :)
0
Asked: Ducknaldi
1 Solution
 
Quori Commented:
Yes, your Cisco kit will support ICMP Redirect, as does Windows XP. Don't use this solution.

Use the 3750 as a gateway for all your clients, configure a static default (or advertise one from a dynamic routing protocol) on the 3750 to the 1811, then configure statics (or again advertise) for the ranges available via the fibre to the fibre port.
0
 
Ducknaldi (Author) Commented:
This has also crossed my mind, since the most important and speed-demanding traffic is over the fiber connections. I'd like to continue to use static routes as my network is... well, static :D
But is it possible to configure static routes on the 3750 for each port?
I'd like each subnet to continue to use their own ADSL.
0
 
Quori Commented:
Can you provide a network diagram please? I'm getting a bit hung up on your topology.
0
 
Istvan Kalmar Commented:
Hi,

ICMP redirect is not needed; please configure the 3750 as the default GW for all VLANs. IP redirect is not a good option.
0
 
Ducknaldi (Author) Commented:
Hmm. I'm not at work right now, I'll try to find something in my mailbox now, but otherwise tomorrow I'll post one.
But it's a star topology with the 3750 in the middle of the 9 fiber connections and 9 Cisco 1811s at the other end of each fiber connection. These 1811s have 3 interfaces as it is now: one for ADSL, one for the fiber connection and one for the local LAN.
I want to plug the fiber connection directly into the LAN at each site and create IP redirects on the sites' routers to bypass them when traffic is meant for the other subnets.
0
 
Quori Commented:
That won't be the case if you've got no other network devices between the other end of the fibre and the 1811.
0
 
Ducknaldi (Author) Commented:
But if I configure the layer 3 switch as the default gateway for all clients, then all clients will also use the same internet connection.
They should keep their own internet connections, because it's critical that they have internet access even if the fiber is broken somewhere.
0
 
memo_tnt Commented:
Hi

First of all I need to clarify that by default, Cisco routers send ICMP redirects.
The interface sub-command "no ip redirects" can be used to disable ICMP redirects.

Also, ICMP redirects are disabled by default if Hot Standby Router Protocol (HSRP) is configured on the interface.

Cisco routers send ICMP redirects when all of these conditions are met:
- The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
- The subnet or network of the source IP address is on the same subnet or network as the next-hop IP address of the routed packet.
- The datagram is not source-routed.

So:

3 - No, nothing else is needed.
2 - Yes, by default the kernel is configured to send redirects.
1 - Yes, they do.
4 - It'll work once everything is configured well.

0
 
Istvan Kalmar Commented:
Forget it. Always use the strongest device for LAN routing, and use a dynamic routing protocol to advertise subnets to the other L3 devices.
0
 
mr_dirt Commented:
Your solution (and use case) sounds interesting.

Your solution should work:

1.  Windows accepts ICMP redirects.
2.  Routers support ICMP redirect by default:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
3.  See the link in "2": you don't need to configure ICMP redirects on the routers.  As for adding the new route, isn't there an existing route that ties the sites together?  The network should already be applying ICMP redirect if a host needs to go to one of the other sites.
4.  I don't see why it wouldn't work.

I sort of wonder if there's a better way to do this.  How did this design come to be?
0
 
Quori Commented:
"But if I configure the layer 3 switch as the default gateway for all clients, then all clients will also use the same internet connection.
They should keep their own internet connections, because it's critical that they have internet access even if the fiber is broken somewhere."

If the only device you have at the remote ends is the 1811 then this won't be an issue, just configure more specific routes. But with this many devices I'd suggest a dynamic routing protocol to save a lot of overhead.
0
 
Ducknaldi (Author) Commented:
@ikalmar
But the strongest device will be doing the routing after the clients update their routing tables, as I see it. Unless Windows OS has some problems with IP redirect, I don't see the problem in this solution..

@memo_tnt
Ok, good to know that IP redirect is the default. On my 1811s it's actually disabled then, but I'll enable it just by feeding them the line "ip redirect" and the new route. Do you also think this is a bad idea?
0
 
Istvan Kalmar Commented:
Clients don't need to update routing tables if the L3 switch is the default GW, and don't forget ICMP redirect eats your processor time....
0
 
Istvan Kalmar Commented:
Please read this PDF about router performance:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

If you use an L3 switch for L3 routing it is able to route at wire speed!
0
 
Ducknaldi (Author) Commented:
@iKalmar

I understand this very well.
This is why I want the 3750 under all circumstances.
What I don't quite understand is how I'd continue to route all the subnets' internet traffic through their own 1811 if the central 3750 is the gateway for all of them.
Do I use some kind of source-network rule on the 3750 on the specific ports, to make the sites' ADSL traffic go through their local 1811s?
0
 
Istvan Kalmar Commented:
There are two ways:

1. PBR: it watches the source address and sends to the right gateway.

2. VRF-lite: use a virtual routing table for each network...
0
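As an added illustration of the PBR option ikalmar describes (this is constructed example configuration, not something posted by anyone in the thread), here is what source-based policy routing on a Catalyst 3750 could look like. It assumes the design in which the 3750 is the clients' default gateway, i.e. site 1's LAN (192.168.0.0/22 from the thread) is carried over the fibre into an SVI on the 3750 and site 1's 1811 with the ADSL sits on that same LAN; the names Vlan10, INTERNAL-DESTS, SITE1-SRC and SITE1-LOCAL-ADSL and the addresses 192.168.0.1 and 192.168.0.254 are assumptions. The point worth seeing is that inter-site and central-LAN destinations must be excluded from the policy, otherwise they would be pushed out the local ADSL instead of the fibre.

```cisco
! ===== Catalyst 3750 as the clients' default gateway, PBR per site =====
! Constructed example of ikalmar's option 1, not configuration from the thread.
! Assumed: site 1 LAN 192.168.0.0/22 is VLAN 10 on this switch, the switch
! owns 192.168.0.254 and site 1's 1811 (with the ADSL) sits on the same LAN
! at 192.168.0.1. Inter-site traffic must NOT be policy routed to the ADSL.
!
! The 3750 needs the routing SDM template before PBR can be applied (reload required)
sdm prefer routing
ip routing
!
! Destinations that stay inside the company: the nine site /22s and the fibre network
ip access-list extended INTERNAL-DESTS
 permit ip any 192.168.0.0 0.0.63.255
 permit ip any 172.21.0.0 0.0.0.255
!
! Everything sourced from site 1 (the source address is what PBR keys on)
ip access-list extended SITE1-SRC
 permit ip 192.168.0.0 0.0.3.255 any
!
! Sequence 10 matches internal destinations but sets nothing, so those packets
! follow the normal routing table (inter-site via the fibre). Sequence 20 sends
! whatever is left, i.e. Internet-bound traffic from site 1, to site 1's own 1811.
route-map SITE1-LOCAL-ADSL permit 10
 match ip address INTERNAL-DESTS
route-map SITE1-LOCAL-ADSL permit 20
 match ip address SITE1-SRC
 set ip next-hop 192.168.0.1
!
interface Vlan10
 description Site 1 LAN (192.168.0.0/22) - clients use 192.168.0.254 as gateway
 ip address 192.168.0.254 255.255.252.0
 ip policy route-map SITE1-LOCAL-ADSL
 ! Policy-routed packets leave on the SVI they arrived on, which is the
 ! condition under which the switch would send ICMP redirects to the clients;
 ! disabling them keeps the gateway authoritative and saves CPU.
 no ip redirects
!
! Repeat the source ACL, the route map and the SVI for each of the other sites;
! INTERNAL-DESTS is shared by all of them.
```

Note that this only applies if the site VLAN actually reaches the 3750; as the later posts explain, the fibre at each site currently lands in a closed VLAN that goes straight into the 1811 without touching the site LAN, in which case the 1811 is the first layer 3 hop and no policy routing on the 3750 is needed.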
 
Quori Commented:
Again, if the remote ends of the fibre only have the 1811 then this isn't an issue. I need more detail on how the network is laid out and the devices at each endpoint.
0
 
Ducknaldi (Author) Commented:
@Quori

Excuse me for not understanding how this could not be an issue.
I'll try to explain it a bit better without the diagrams.
I have a central network in the range 172.21.0.0/24; this is where I'll put the 3750.
I have 9 different sites with their own subnet in the range 192.168.0.1/22, 192.168.4.0/22, 192.168.8.0/22 and so on up to 192.168.32.0/22, which makes 9 subnets/sites.
Each of these sites has only 1 router, and this is an 1811.
These 1811s have 3 interfaces: one for the ADSL, one for the local LAN 192.168.x.x/22 and one for the fiber connection 172.21.0.x/24.
0
 
Ducknaldi (Author) Commented:
By the way, I convert the fiber at each location through a ProCurve VLAN, but it is sent directly into the 1811 interface without contact with the local LAN.
0
 
Ducknaldi (Author) Commented:
@ikalmar
It seems I was on the right track then.
Policy-based routing and VRF-lite will also create overhead, or?
0
 
Quori Commented:
Okay, so they are separate sites (one of the issues - site vs same building). That being the case, you have no issue. On the 1811s at the remote sites simply configure a default pointing out the ADSL link and then more specific routes out the fibre link.
At the central site, do the same.
0
 
Ducknaldi (Author) Commented:
@Quori
I can't configure a default pointing out to the ADSL on the 1811s unless the 1811s are the default gateway for the clients, in which case I'd still need the IP redirect, or?
0
 
Quori Commented:
No, you wouldn't. Yes, you should have the 1811s as the default gateway as it's the first point of layer 3 transit. No, you wouldn't need IP redirect. IP redirect is foolish and insecure, not to mention flaky. That's what the more specific routes are for.

If you configure static routes out the interface the fibre is connected to then those will be preferred over the default. This has the benefit of being able to point an additional default out the fibre link with a higher metric/distance in the event the internet is down at the specific 1811.
0
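To make the more-specific-routes design above concrete, here is an added example configuration for one remote 1811 and for the central 3750. It is constructed for this page and was not posted by Quori or anyone else in the thread. The subnets (192.168.0.0/22 through 192.168.32.0/22 and 172.21.0.0/24) come from the thread; the interface names (Vlan1, FastEthernet1, Dialer0, Vlan21), the 3750's fibre address 172.21.0.1, the 1811 fibre addresses 172.21.0.11 through 172.21.0.19 and the central site's Internet router 172.21.0.254 are assumptions.

```cisco
! ===== Cisco 1811 at site 1 (constructed example, not from the thread) =====
! Site LAN: 192.168.0.0/22   Fibre star: 172.21.0.0/24   (subnets from the thread)
! Assumed: Vlan1 = site LAN, FastEthernet1 = fibre, Dialer0 = ADSL (PPPoE),
!          172.21.0.1 = Catalyst 3750, 172.21.0.11 = this router's fibre address
interface Vlan1
 description Site 1 LAN - clients use this router as their default gateway
 ip address 192.168.0.1 255.255.252.0
 ! With this design a packet never leaves on the interface it arrived on, so
 ! the router would not generate redirects anyway; disabling them makes that
 ! explicit (memo_tnt's "no ip redirects").
 no ip redirects
!
interface FastEthernet1
 description Fibre to the central 3750 (172.21.0.0/24)
 ip address 172.21.0.11 255.255.255.0
 no ip redirects
!
interface Dialer0
 description ADSL to the Internet
 ip address negotiated
!
! Default route out the ADSL link (administrative distance 1)
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! More specific route out the fibre: longest prefix wins over the default, so
! traffic for the other sites goes to the 3750. One /18 summary covers all nine
! site /22s (192.168.0.0 to 192.168.35.255 lies inside 192.168.0.0/18); this
! router's own /22 is a connected route and therefore still more specific.
ip route 192.168.0.0 255.255.192.0 172.21.0.1
!
! Floating default via the fibre: distance 250 keeps it out of the routing
! table while the ADSL default exists, and it takes over only when Dialer0
! goes down and the primary default is withdrawn (Quori's fallback).
ip route 0.0.0.0 0.0.0.0 172.21.0.1 250

! ===== Catalyst 3750 at the central site (constructed example) =====
ip routing
!
interface Vlan21
 description Fibre star - one port per site, all in 172.21.0.0/24
 ip address 172.21.0.1 255.255.255.0
 ! Site-to-site traffic enters and leaves on this SVI with source and next hop
 ! in the same subnet, exactly the conditions memo_tnt lists for a redirect;
 ! disable them so the switch does not spend CPU telling the 1811s about it.
 no ip redirects
!
! One static per site, pointing at that site's 1811 fibre address (addresses assumed)
ip route 192.168.0.0  255.255.252.0 172.21.0.11
ip route 192.168.4.0  255.255.252.0 172.21.0.12
ip route 192.168.8.0  255.255.252.0 172.21.0.13
ip route 192.168.12.0 255.255.252.0 172.21.0.14
ip route 192.168.16.0 255.255.252.0 172.21.0.15
ip route 192.168.20.0 255.255.252.0 172.21.0.16
ip route 192.168.24.0 255.255.252.0 172.21.0.17
ip route 192.168.28.0 255.255.252.0 172.21.0.18
ip route 192.168.32.0 255.255.252.0 172.21.0.19
!
! The central site's own Internet path ("At the central site, do the same")
ip route 0.0.0.0 0.0.0.0 172.21.0.254
```

One caveat a practitioner would check: the floating default only helps if the primary default is actually withdrawn. A static route tied to Dialer0 disappears when PPP drops, but if the ADSL modem is an Ethernet-attached router and the default points at its address, the port stays up when the line fails and the floating route never activates; in that case the primary static needs to be tied to an IP SLA track object (the `ip sla` and `track` features of IOS) rather than to the interface alone.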
 
Ducknaldi (Author) Commented:
@Quori
Thank you for being so patient with me, I just want to be sure I understand you correctly :)
If I do this, will the clients update their routing table and bypass the router after reading the rule?
Cause otherwise the routing would still be done by the 1811 and result in the slow routing speed of those, as I see it.
0
 
Quori Commented:
They won't need to. The clients will have their gateway as the device that will handle the path selection.

Slowness at the remote sites will always be the case. An 1811 can only do limited throughput even CEF switched. This is a hardware limitation and not a routing issue. The same holds even with IP redirect, as the only path for the remote sites is through the 1811. If you put a layer 3 switch at each remote site then you could have it do the routing, just like at the central site, and its throughput would have far fewer limitations.
0
 
memo_tnt Commented:
Hi

If your routers are connected to each other through the fiber link internally, as I understood from your post, and are not exposed to the external Internet, then there is no vulnerability due to IP redirect on the directly connected interfaces, and so there is no fear of a security hole here, unless the interfaces you want to configure IP redirect on are connected to the external world (Internet); then, as Quori said, it's not recommended to use IP redirect.

At this point you can use the IP default gateway instead.

0
 
Ducknaldi (Author) Commented:
I'm not really sure if everybody is aware that the main purpose of this is to bypass the 1811 routers and use the 3750 to do the routing instead, because I will have much higher speed.
Speed is the issue here and I don't think Quori's solution solves the speed problem.
The interfaces that will have IP redirect configured are only internal.
I will read about the PBR solution and maybe go that way, or suggest management get rid of the 1811 routers and use only one central internet access.
This would also solve the speed problem.
If management agrees I could also use IP redirect temporarily until I can get rid of the 1811s.
0
 
Quori Commented:
I've asked before what infrastructure is at these remote sites and you provided no detail. I've since read back a bit and you mentioned a ProCurve - what model is this?
0
 
memo_tnt Commented:
Since all interfaces are internal, going through IP redirect can serve your purpose at the moment.

0
 
Ducknaldi (Author) Commented:
I'm sorry if I haven't been specific enough.
The ProCurves at the sites are mainly 2650, but I don't think this really matters, since the fiber is sent directly into a fiber gigabit module and out of an RJ45 gigabit module in a closed VLAN without access to the site's own subnet.
The network on all the fiber cables is the 172.21.0.0 network and only after the 1811 routers do the subnets start.
0
 
Quori Commented:
Actually, it matters a great deal.

For IP Redirect to solve your issue there needs to be an alternate path down the fibre link. If there is no alternate layer 2 path, i.e. the site VLAN can't get into the VLAN that the fibre-related ports are on without going through the 1811, then you're going to have the same issue.

That said, you have two options (still):

#1 - Use IP redirect, enable layer 3 routing on the ProCurve and configure appropriate layer 3 information on the ProCurve
#2 - Set the default gateway of all clients to the ProCurve, enable layer 3 routing and add static routes as mentioned
0
 
Quori Commented:
Sorry, I meant no alternate layer 3 path.
0
 
memo_tnt Commented:
Hi

Please update the status regarding this issue.

Is it solved??
0