
magic routing ?

saidap
Level 1

=)

- Catalyst 4506

- multiple vlans

- ip route 0.0.0.0 0.0.0.0 to a pix515 for internet traffic control

Issue: a Linksys router with independent Internet access was connected, and for some reason the Catalyst 4506 now sends the traffic to the Linksys.

The "sh ip route" command does not show a route that sends the traffic to the Linksys.

How can I avoid this?

thanks for any help


dgahm
Level 8

Does your default route 0/0 point at the interface or the next hop address? If the interface, the Linksys may be quicker to answer an ARP than the PIX. Try using the next hop:

ip route 0.0.0.0 0.0.0.0 X.X.X.X

Thanks for answering ....

This is the route that I am using:

ip route 0.0.0.0 0.0.0.0 10.0.1.211

10.0.1.211 = pix515

That is strange.

Look at your ARP cache in the 4506, and confirm that the entry for 10.0.1.211 shows the MAC address of the Linksys

show arp | include 10.0.1.211

If it does, try a 'clear arp' and check it again.

Do pings to the PIX and Linksys work OK?

I am no Linksys guru, but does it have a proxy ARP setting that could be disabled?

The MAC addresses of the Linksys and the PIX515 are not the same in the ARP table on the 4506.

Ping from Internet is supplied from the Linksys.

This is the test:

pix515 10.0.1.211

Linksys 10.0.0.74

```
cat4506#
cat4506#ping 200.23.18.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.23.18.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/38/48 ms
cat4506#
cat4506#ping 10.0.1.211

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.211, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
cat4506#
cat4506#ping 10.0.0.74

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.74, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
cat4506#
cat4506#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.5                0   00e0.183e.0a8f  ARPA   Vlan100
Internet  10.1.21.6               9   000e.35a9.5da1  ARPA   Vlan21
Internet  10.0.0.60              35   0011.931b.6e68  ARPA   Vlan100
Internet  10.0.0.74               0   000f.663f.ae86  ARPA   Vlan100
Internet  10.0.1.211             73   0012.7fe0.a265  ARPA   Vlan100
cat4506#
cat4506#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static rout
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.211 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 17 subnets, 2 masks
C       10.1.11.0/24 is directly connected, Vlan12
C       10.1.10.0/24 is directly connected, Vlan11
C       10.1.9.0/24 is directly connected, Vlan10
C       10.1.8.0/24 is directly connected, Vlan9
C       10.3.1.0/24 is directly connected, Vlan14
C       10.1.3.0/24 is directly connected, Vlan4
C       10.2.1.0/24 is directly connected, Vlan13
C       10.1.2.0/24 is directly connected, Vlan3
C       10.10.10.0/24 is directly connected, Vlan1
C       10.1.1.0/24 is directly connected, Vlan2
C       10.0.0.0/16 is directly connected, Vlan100
C       10.1.7.0/24 is directly connected, Vlan8
C       10.1.6.0/24 is directly connected, Vlan7
C       10.1.5.0/24 is directly connected, Vlan6
C       10.1.4.0/24 is directly connected, Vlan5
C       10.1.21.0/24 is directly connected, Vlan21
C       10.1.20.0/24 is directly connected, Vlan20
S*   0.0.0.0/0 [1/0] via 10.0.1.211
cat4506#
```

Looks correct. Is it possible that the PIX thinks the best route to the Internet is through the Linksys? So the 4506 sends the packets to the PIX, and the PIX sends them to the Linksys?

It seems like the only rational explanation for outbound Internet packets using the Linksys. Inbound might be another story.

As I read this thread I wonder if the problem is incoming traffic more so than outgoing traffic. Perhaps Said could clarify what the problem is.

And for a better test I would suggest using traceroute more so than ping.

HTH

Rick


Hi, I agree a 'traceroute' will tell us a lot!

It looks like the PIX is redirecting the traffic towards the Linksys.

amikat
Level 7

Hi,

It would be nice to see your PIX config. Would you mind posting at least the "sh route", "sh routing" and "sh arp" PIX outputs, please?

Thanks & Regards,

Antonin

For all the interested ones:

OK,

Unfortunately, at this moment the problem no longer exists. I do not understand; I tried to reproduce the problem but it was not possible.

At the moment of the problem, the traceroute on the 4506 showed clearly how the traffic to the Internet went out through the Linksys.

I disconnected the network cable from the inside interface on the PIX, but the problem persisted.

This really happened to me, I am not crazy!

Thank you very much for all the answers; in case of a new issue I will use another post in this forum.

P.S. The Linksys really makes things strange.
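The ARP check suggested in the thread (does the default route's next hop still resolve to the PIX, or is another device answering for it?) can be run over pasted `show arp` output. This is an added example, not code from any poster; the function names are hypothetical, `PIX_MAC` is assumed to have been confirmed on the PIX itself, and the second sample table is constructed to show the mismatch case.

```python
import re
from collections import defaultdict

# Matches IOS "show arp" rows: Protocol Address Age Hardware-Addr Type Interface
ARP_ROW = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)", re.I)

def parse_show_arp(text):
    """Return {ip: (mac, interface)} from pasted 'show arp' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            ip, _age, mac, intf = m.groups()
            table[ip] = (mac.lower(), intf)
    return table

def check_next_hop(table, next_hop, expected_mac):
    """List findings about how the static route's next hop resolves."""
    if next_hop not in table:
        return [f"{next_hop}: no ARP entry (incomplete or aged out)"]
    findings = []
    mac, intf = table[next_hop]
    if mac != expected_mac.lower():
        findings.append(
            f"{next_hop} resolves to {mac} on {intf}, expected {expected_mac}")
    # One MAC answering for several IPs is what proxy ARP looks like.
    by_mac = defaultdict(list)
    for ip, (m, _intf) in table.items():
        by_mac[m].append(ip)
    others = sorted(ip for ip in by_mac[mac] if ip != next_hop)
    if others:
        findings.append(f"{mac} also answers for {', '.join(others)}")
    return findings

# Rows copied from the thread's "sh arp" output.
THREAD_ARP = """\
Internet 10.0.0.74 0 000f.663f.ae86 ARPA Vlan100
Internet 10.0.1.211 73 0012.7fe0.a265 ARPA Vlan100
"""
# Constructed mismatch case: the next hop now resolves to the Linksys MAC.
MISMATCH_ARP = THREAD_ARP.replace("73 0012.7fe0.a265", "0 000f.663f.ae86")

PIX_MAC = "0012.7fe0.a265"  # assumption: verified on the PIX itself

if __name__ == "__main__":
    for name, text in (("thread", THREAD_ARP), ("constructed", MISMATCH_ARP)):
        result = check_next_hop(parse_show_arp(text), "10.0.1.211", PIX_MAC)
        print(name, result or "OK")
```

On the table posted in the thread the check comes back clean, which matches dgahm's "Looks correct" and points the investigation past the 4506's ARP cache.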
