Solved

cisco 2940 - traceroute issue

Posted on 2014-02-20
503 Views
Last Modified: 2014-02-21
I have an older Cisco 2940 that is sending packets directly to the firewall (traceroute / snmp) instead of the default gateway specified on the switch.

default-gateway 192.168.1.1

int vlan 10
  ip address 192.168.1.10
  no ip route-cache


firewall = 192.168.1.254


If I do a traceroute to a public IP, it will show 192.168.1.254 as the first hop.  If I test this from all other switches it will hit 192.168.1.1 first.    

I turned on route-cache on the interface and tested a traceroute.  This worked, but quickly changed to using the firewall as the first hop.

Not sure if there is any way around this type of behavior with this model of switch.
0
Question by:tiptechs
13 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39876524
First I am assuming your subnet mask is 255.255.255.0 (a /24).  If that is correct then the 2940's SVI is on the same subnet as the firewall, and you don't go through a router when you are on the same subnet.

Routers are only used to forward traffic between hosts that are on different subnets.
0
 

Author Comment

by:tiptechs
ID: 39876629
Thanks giltjr.  Can you explain this a little bit further?   Yes, it is a /24 subnet.

When sending SNMP traps out to a public IP from this switch, they need to hit the router (192.168.1.1) as it sends these traps out a different interface rather than to the firewall (192.168.1.254).   The default-gateway on the switch is set to the router .1.    The switch is sending the traffic directly to the firewall IP when looking at a traceroute.


Thanks again
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39876710
Does 192.168.1.1 have the correct route to the external public IP address you are trying to send the SNMP trap to?  It sounds like it does not.

Say 192.168.1.10 wants to talk to "public.10".  It will use its route table to find the next hop to talk to "public.10".

If it finds it should use the default, it will forward the data to 192.168.1.1.   Now 192.168.1.1 does the same thing.  It looks in its route table to see what the next hop for "public.10" is.

If it (192.168.1.1) finds that the next hop is 192.168.1.254, it will notice that the "previous" hop was on the same subnet.  So 192.168.1.1 will send an ICMP redirect to 192.168.1.10 saying, hey, you really want to just forward this to 192.168.1.254.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39876727
Do you have IP routing enabled?  Issue the command "show ip route".  

If you have enabled IP routing, then the default-gateway is ignored and the default route from that routing table is used.
0
 

Author Comment

by:tiptechs
ID: 39876823
There is the correct route in the router as 20 other switches are working fine.  The issue is isolated to this switch and this is also the only cisco switch.

The 2940 doesn't do routing so "show ip route" is not a valid command.
0
 

Author Comment

by:tiptechs
ID: 39876830
giltjr, with the ICMP redirect that you mentioned: would this be for a specific public address or all traffic in general?    In the router I just have one route to the public SNMP server and a NAT setup.   All other traffic from the SVI of the switch to a public address (which shouldn't be anything else) will go to the firewall from the router.
0
 
LVL 57

Accepted Solution

by: giltjr (earned 500 total points)
ID: 39876870
.. "The 2940 doesn't do routing so "show ip route" is not a valid command."

Depending on which IOS you have, it can do some limited routing.

The icmp redirect is done for any IP address where one router determines that another router on the same subnet  as the "source" should be used.

Say your router is on the 192.168.1.0/24 subnet and on the 10.10.10.0/24 subnet.  Its IP address in the "10" network is 10.10.10.1 and it has an adjacent router of 10.10.10.2 that is connected to 4 other subnets.  Its (192.168.1.1) default route is 192.168.1.254, but you have the following specific routes:

172.16.1.0/24 --> 10.10.10.2
172.16.3.0/24 --> 10.10.10.2
192.168.44.0/24 --> 10.10.10.2
10.100.20.0/24 --> 10.10.10.2

Now 192.168.1.10 has the default route of 192.168.1.1 and that is its only route.

When it wants to talk to ANYTHING it will first forward to 192.168.1.1.  If the destination host is in any of the 4 subnets above then 192.168.1.1 will forward to 10.10.10.2.

However, if the destination is in any other subnet than the 4 above, since 192.168.1.1's default is 192.168.1.254 and 192.168.1.10 is in the same subnet, then 192.168.1.1 will send an ICMP redirect.  This is so the traffic takes the "shortest" path to get to the destination.
0
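The forwarding and redirect decision described in the accepted solution, written out as an added Python model (this is not code from the thread or from Cisco; the topology, the 203.0.113.10 "public" destination and the redirects_enabled switch are constructed for illustration). It performs a longest-prefix-match lookup on the router's table and then applies the ICMP redirect rule from RFC 792: if the chosen next hop sits on the same subnet the packet arrived from, the router forwards the packet but also tells the source to use that next hop directly.

```python
import ipaddress

# Constructed model of the router "192.168.1.1" from the accepted solution:
# one interface per connected subnet, keyed by the router's own address.
INTERFACES = {
    "192.168.1.1": ipaddress.ip_network("192.168.1.0/24"),
    "10.10.10.1": ipaddress.ip_network("10.10.10.0/24"),
}

# Static routes exactly as listed in the post, plus the default to the firewall.
ROUTES = [
    ("172.16.1.0/24", "10.10.10.2"),
    ("172.16.3.0/24", "10.10.10.2"),
    ("192.168.44.0/24", "10.10.10.2"),
    ("10.100.20.0/24", "10.10.10.2"),
    ("0.0.0.0/0", "192.168.1.254"),
]


def interface_for(addr):
    """Return (router address, subnet) of the interface that owns addr, or None."""
    ip = ipaddress.ip_address(addr)
    for router_addr, net in INTERFACES.items():
        if ip in net:
            return router_addr, net
    return None


def lookup(dst):
    """Longest-prefix match. Connected subnets win over static routes, and a
    connected destination is its own next hop (no intermediate router)."""
    ip = ipaddress.ip_address(dst)
    if interface_for(dst) is not None:
        return str(ip)
    best_net, best_nh = None, None
    for prefix, nh in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def forward(src, dst, redirects_enabled=True):
    """Simulate the router handling a packet from src to dst.

    Returns (next_hop, redirect_target). redirect_target is the address the
    router would put in an ICMP redirect sent back to src, or None when no
    redirect is sent (the packet is still forwarded either way)."""
    next_hop = lookup(dst)
    if next_hop is None:
        return None, None  # no route: the real router would send ICMP unreachable
    ingress = interface_for(src)
    if (
        redirects_enabled
        and ingress is not None
        and ipaddress.ip_address(next_hop) in ingress[1]  # next hop on the source's subnet
        and next_hop != ingress[0]                        # and it is not this router itself
    ):
        return next_hop, next_hop
    return next_hop, None


if __name__ == "__main__":
    # The switch SVI 192.168.1.10 talking to a host behind 10.10.10.2: no redirect.
    print(forward("192.168.1.10", "172.16.1.5"))
    # The same SVI talking to a constructed public address: forwarded to the
    # firewall AND the switch is told to go there directly next time.
    print(forward("192.168.1.10", "203.0.113.10"))
    # With "no ip redirects" on the 192.168.1.1 interface the router just forwards.
    print(forward("192.168.1.10", "203.0.113.10", redirects_enabled=False))
```

Run as a script, the three calls show the three situations in the thread: the specific routes never trigger a redirect, the default route does because 192.168.1.254 shares the subnet with the source, and turning redirects off on that interface (the fix the author applied) leaves the path through 192.168.1.1 as configured. The cost noci raises below still applies: every redirected-away flow now crosses the 192.168.1.1 interface twice. Hardening baselines commonly disable sending and accepting ICMP redirects for a related reason: a host that ignores them keeps a forwarding path determined only by its own configuration.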
 

Author Comment

by:tiptechs
ID: 39876881
I am messing with disabling the IP redirects now to see if that is my issue.  

Do you know if IP redirects are cached in the switch and, if so, where would I clear that cache?   I ran a traceroute to an IP that I know will go out the firewall and that I haven't sent any traffic to, and the first hop is now showing the router and the second hop being the firewall.


I don't think the 2900 switches can do any routing no matter which IOS.
0
 

Author Comment

by:tiptechs
ID: 39876883
I didn't do any searching before sending you the response.

The command is "clear ip redirect"
0
 

Author Comment

by:tiptechs
ID: 39876892
The IP redirects was the problem.  It now seems to be working.  Thanks.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39876947
Just remember, if you have any other hosts on the 192.168.1.0/24 network that have 192.168.1.1 as their default route, then any traffic originating from them that really needs to go through your firewall will end up physically going through 192.168.1.1 and then to 192.168.1.254.

That may not be an issue, because I don't know how much traffic you may have on your 192.168.1.0/24 network that needs to go through your firewall.

I know on a 2960 in IOS 12.2(55)SE Cisco enabled limited IP routing functions.  I read something that led me to believe that they added this to the 2940's and 2950's at some IOS level.  However, I don't have any 2940's at all and no 2950's to play with.

Glad to see everything is working out.

Don't know what router you had, but there should have been a way to create a route on 192.168.1.1 to handle this.
0
 

Author Comment

by:tiptechs
ID: 39876982
I will have to test that on a 2960.  I thought all the 29xx were layer 2 with no routing.  The 2960 does allow for multiple SVIs, unlike the 2940 and 2950.

The redirects were taken off the 192.168.1.1 int on the router.   That router is a router on a stick with multiple subinterfaces.    The "mgmt" vlan is the only network that gets redirected for the most part to the firewall.

Thanks again.
0
 
LVL 40

Expert Comment

by:noci
ID: 39877047
Take into account that disabling the redirects means that all traffic goes through the 192.168.1.1 interface twice: first into the router, then back out again to the firewall.
So you will at least halve your bandwidth.
0