Solved

cisco 2940 - traceroute issue

Posted on 2014-02-20
Last Modified: 2014-02-21
I have an older Cisco 2940 that is sending packets directly to the firewall (traceroute / snmp) instead of the default gateway specified on the switch.

default-gateway 192.168.1.1

int vlan 10
  ip address 192.168.1.10
  no ip route-cache


firewall = 192.168.1.254


If I do a traceroute to a public IP, it will show 192.168.1.254 as the first hop.  If I test this from all other switches it will hit 192.168.1.1 first.    

I turned on route-cache on the interface and tested a traceroute.  This worked, but quickly changed to using the firewall as the first hop.

Not sure if there is any way around this type of behavior with this model of switch.
Question by:tiptechs

13 Comments
 
LVL 57

Expert Comment

by:giltjr
First I am assuming your subnet mask is 255.255.255.0 (a /24).  If that is correct then the 2940's svi is on the same subnet as the firewall and you don't go through a router when you are on the same subnet.

Routers are only used to forward traffic between hosts that are on different subnets.
 

Author Comment

by:tiptechs
Thanks giltjr.  Can you explain this a little bit further?  Yes, it is a /24 subnet.

When sending SNMP traps out to a public IP from this switch, they need to hit the router (192.168.1.1) as it sends these traps out a different interface rather than to the firewall (192.168.1.254).   The default-gateway on the switch is set to the router .1.    The switch is sending the traffic directly to the firewall IP when looking at a traceroute.


Thanks again
 
LVL 57

Expert Comment

by:giltjr
Does 192.168.1.1 have the correct route to the external public IP address you are trying to send the SNMP trap to?  It sounds like it does not.

Say 192.168.1.10 wants to talk to "public.10".  It will use its route table to find the next hop to talk to "public.10".

If it finds it should use the default, it will forward the data to 192.168.1.1.  Now 192.168.1.1 does the same thing.  It looks in its route table to see what the next hop for "public.10" is.

If it (192.168.1.1) finds that the next hop is 192.168.1.254, it will notice that the "previous" hop was on the same subnet.  So 192.168.1.1 will send an ICMP redirect to 192.168.1.10 saying, hey, you really want to just forward this to 192.168.1.254.
 
LVL 57

Expert Comment

by:giltjr
Do you have IP routing enabled?  Issue the command "show ip route".  

If you have enabled ip routing, then the default-gateway is ignored and the default route from that routing table is used.
 

Author Comment

by:tiptechs
There is the correct route in the router as 20 other switches are working fine.  The issue is isolated to this switch and this is also the only cisco switch.

The 2940 doesn't do routing so "show ip route" is not a valid command.
 

Author Comment

by:tiptechs
giltjr, with the ICMP redirect that you mentioned, would this be for a specific public address or all traffic in general?  In the router I just have one route to the public SNMP server and a NAT setup.  All other traffic from the SVI of the switch to a public address (which shouldn't be anything else) will go to the firewall from the router.
 
LVL 57

Accepted Solution

by:giltjr earned 500 total points
.. "The 2940 doesn't do routing so "show ip route" is not a valid command. "

Depending on which IOS you have it can do some limited routing.

The ICMP redirect is done for any IP address where one router determines that another router on the same subnet as the "source" should be used.

Say your router is on the 192.168.1.0/24 subnet and on the 10.10.10.0/24 subnet.  Its IP address in the "10" network is 10.10.10.1 and it has an adjacent router of 10.10.10.2 that is connected to 4 other subnets.  Its (192.168.1.1) default route is 192.168.1.254, but you have the following specific routes:

172.16.1.0/24 --> 10.10.10.2
172.16.3.0/24 --> 10.10.10.2
192.168.44.0/24 --> 10.10.10.2
10.100.20.0/24 --> 10.10.10.2

Now 192.168.1.10 has the default route of 192.168.1.1 and that is its only route.

When it wants to talk to ANYTHING it will first forward to 192.168.1.1.  If the destination host is in any of the 4 subnets above then 192.168.1.1 will forward to 10.10.10.2.

However, if the destination is any other subnet than the 4 above, since 192.168.1.1's default is 192.168.1.254 and 192.168.1.10 is in the same subnet, then 192.168.1.1 will send an ICMP redirect.  This is so the traffic takes the "shortest" path to get to the destination.
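As an added illustration (not code from this thread or from Cisco), a small Python model of the forwarding and ICMP-redirect decision described in the accepted solution, using the thread's own addresses; the interface table, route table and the two-packet host cache are constructed assumptions.

```python
import ipaddress
# Constructed model of giltjr's example: router 192.168.1.1 sits on two subnets
# and has four specific routes plus a default toward the firewall.
ROUTER_INTERFACES = {
    "192.168.1.1": ipaddress.ip_network("192.168.1.0/24"),
    "10.10.10.1": ipaddress.ip_network("10.10.10.0/24"),
}
ROUTER_ROUTES = [
    ("172.16.1.0/24", "10.10.10.2"),
    ("172.16.3.0/24", "10.10.10.2"),
    ("192.168.44.0/24", "10.10.10.2"),
    ("10.100.20.0/24", "10.10.10.2"),
    ("0.0.0.0/0", "192.168.1.254"),  # default -> firewall
]

def next_hop(routes, dst):
    """Longest-prefix match over the route table; returns the next-hop IP."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1]

def interface_for(ip):
    """Router interface whose subnet contains ip, or None if not directly attached."""
    ip = ipaddress.ip_address(ip)
    return next((addr for addr, net in ROUTER_INTERFACES.items() if ip in net), None)

def forward(src, dst, redirects_enabled=True):
    """(next hop used, gateway announced in an ICMP redirect or None). A redirect is
    sent only when the packet would leave on the interface it arrived on, i.e. the
    source and the next hop share a directly connected subnet."""
    nh = next_hop(ROUTER_ROUTES, dst)
    same_wire = interface_for(src) is not None and interface_for(src) == interface_for(nh)
    return nh, (nh if redirects_enabled and same_wire else None)

def first_hops(host, dst, redirects_enabled=True, packets=2):
    """First hop the 2940 uses for successive packets to dst. Its only route is the
    default gateway 192.168.1.1; learned redirects sit in a cache ('clear ip redirect')."""
    cache, hops = {}, []
    for _ in range(packets):
        gw = cache.get(dst, "192.168.1.1")
        hops.append(gw)
        if gw == "192.168.1.1":
            _, redirect = forward(host, dst, redirects_enabled)
            if redirect:
                cache[dst] = redirect
    return hops
```

With redirects disabled on the router the first hop stays 192.168.1.1 for every packet, which is exactly the traceroute change the asker saw; the router still forwards to 192.168.1.254, so each such packet crosses the 192.168.1.1 interface twice.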
 

Author Comment

by:tiptechs
I am messing with disabling the IP redirects now to see if that is my issue.  

Do you know if ip redirects are cached in the switch and if so where would I clear that cache.   I ran a traceroute to an IP that I know will go out the firewall and I haven't sent any traffic to and the first hop is now showing the router and second hop being the firewall.


I don't think the 2900 switches can do any routing no matter which IOS.
 

Author Comment

by:tiptechs
I didn't do any searching before sending you the response.

The command is "clear ip redirect"
 

Author Comment

by:tiptechs
The IP redirects was the problem.  It now seems to be working.  Thanks.
 
LVL 57

Expert Comment

by:giltjr
Just remember if you have any other hosts on the 192.168.0/24 network that have 192.168.1.1 as their default route, then any traffic originating from them that really needs to go through your firewall will end up physically going through 192.168.1.1 and then to 192.168.1.254.

That may not be an issue, because I don't know how much traffic you may have on your 192.168.1.0/24 network that needs to go through your firewall.

I know on a 2960 in IOS 12.2(55)SE Cisco enabled limited IP routing functions.  I read something that led me to believe that they added this to the 2940's and 2950's at some IOS level.  However, I don't have any 2940's at all and no 2950's to play with.

Glad to see everything is working out.

Don't know what router you had, but there should have been a way to create a route on 192.168.1.1 to handle this.
 

Author Comment

by:tiptechs
I will have to test that on a 2960.  I thought all the 29xx were layer 2 with no routing.  The 2960 does allow for multiple SVIs, unlike the 2940, 2950.  

The redirects were taken off the 192.168.1.1 int on the router.   That router is a router on a stick with multiple subinterfaces.    The "mgmt" vlan is the only network that gets redirected for the most part to the firewall.

Thanks again.
 
LVL 39

Expert Comment

by:noci
Take into account that disabling the redirects means that all traffic goes through the 192.168.1.1 interface twice, first into the router then back out again to the firewall.
So you will at least halve your bandwidth.
