tiptechs
asked on
cisco 2940 - traceroute issue
I have an older Cisco 2940 that is sending packets directly to the firewall (traceroute / snmp) instead of the default gateway specified on the switch.
default-gateway 192.168.1.1
int vlan 10
ip address 192.168.1.10
no ip route-cache
firewall = 192.168.1.254
If I do a traceroute to a public IP, it will show 192.168.1.254 as the first hop. If I test this from all other switches it will hit 192.168.1.1 first.
I turned on route-cache on the interface and tested a traceroute. This worked, but quickly changed to using the firewall as the first hop.
Not sure if there is any way around this type of behavior with this model of switch.
ASKER
Thanks giltjr. Can you explain this a little bit further? Yes, it is a /24 subnet.
When sending SNMP traps out to a public IP from this switch, they need to hit the router (192.168.1.1) as it sends these traps out a different interface rather than to the firewall (192.168.1.254). The default-gateway on the switch is set to the router .1. The switch is sending the traffic directly to the firewall IP when looking at a traceroute.
Thanks again
Does 192.168.1.1 have the correct route to the external public IP address you are trying to send the SNMP trap to? It sounds like it does not.
Say 192.168.1.10 wants to talk to "public.10". It will use its route table to find the next hop to talk to "public.10".
If it finds it should use the default, it will forward the data to 192.168.1.1. Now 192.168.1.1 does the same thing. It looks in its route table to see what the next hop for "public.10" is.
If it (192.168.1.1) finds that the next hop is 192.168.1.254, it will notice that the "previous" hop was on the same subnet. So 192.168.1.1 will send an ICMP redirect to 192.168.1.10 saying, hey, you really want to just forward this to 192.168.1.254.
Do you have IP routing enabled? Issue the command "show ip route".
If you have enabled IP routing, then the default-gateway is ignored and the default route from that routing table is used.
ASKER
There is the correct route in the router as 20 other switches are working fine. The issue is isolated to this switch and this is also the only cisco switch.
The 2940 doesn't do routing so "show ip route" is not a valid command.
ASKER
giltjr, with the icmp redirect that you mentioned. Would this be for a specific public address or all traffic in general. In the router I just have one route to the public snmp server and a nat setup. all other traffic from the SVI of the switch to a public address (which shouldn't be anything else) will go to the firewall from the router.
ASKER
I am messing with disabling the IP redirects now to see if that is my issue.
Do you know if ip redirects are cached in the switch and if so where would I clear that cache. I ran a traceroute to an IP that I know will go out the firewall and I haven't sent any traffic to and the first hop is now showing the router and second hop being the firewall.
I don't think the 2900 switches can do any routing no matter which IOS.
ASKER
I didn't do any searching before sending you the response.
The command is "clear ip redirect"
ASKER
The IP redirects was the problem. It now seems to be working. Thanks.
Just remember, if you have any other hosts on the 192.168.1.0/24 network that have 192.168.1.1 as their default route, then any traffic originating from them that really needs to go through your firewall will end up physically going through 192.168.1.1 and then to 192.168.1.254.
That may not be an issue, because I don't know how much traffic you may have on your 192.168.1.0/24 network that needs to go through your firewall.
I know on a 2960 in IOS 12.2(55)SE Cisco enabled limited IP routing functions. I read something that led me to believe that they added this to the 2940's and 2950's at some IOS level. However, I don't have any 2940's at all and no 2950's to play with.
Glad to see everything is working out.
Don't know what router you had, but there should have been a way to create a route on 192.168.1.1 to handle this.
ASKER
I will have to test that on a 2960. I thought all the 29xx were layer 2 with no routing. The 2960 does allow for multiple SVIs, unlike the 2940, 2950.
The redirects were taken off the 192.168.1.1 int on the router. That router is a router on a stick with multiple subinterfaces. The "mgmt" vlan is the only network that gets redirected for the most part to the firewall.
Thanks again.
Take into account that disabling the redirects means that all traffic goes through the 192.168.1.1 interface twice, first into the router then back out again to the firewall.
So you will at least halve your bandwidth.
Routers are only used to forward traffic between hosts that are on different subnets.