Do all packets go through Router?

mriksman
Level 1

Hi,

 

We have a network like below;

(image: Capture.JPG, network diagram)

A PC (172.16.8.100) and an ASA (172.16.8.101) sit on the same Cisco Switch. The PC wants to communicate with a device on the outside interface (10.3.117.0/24) of the ASA. As it's a different subnet, the PC sends the packet to the default gateway/router, which has a static route saying that to get to 10.3.117.0/24 it goes via 172.16.8.101.

 

So;

* Does EVERY packet go via the Router?

* If the Router gets disconnected/goes offline - is there no locally stored route table on the PC/Cisco Switch to manage this?

 

Thanks.


9 Replies

Leo Laohoo
Hall of Fame
1. Yes.
2. No because of routing.

Jon Marshall
Hall of Fame

 

Just to add to Leo's response. 

 

Every packet from the PC to the outside device goes via the router, but the return packets don't; they go direct from the ASA to the device because they are in the same subnet.

 

This is called asymmetric traffic. 

 

In addition, if you have ICMP redirects enabled on the router, you may find that the router informs the PC to use the ASA as the default gateway instead, because the router realises it is having to forward the traffic out of the same interface it received it on, which is not optimal in terms of routing.

 

Jon


@Jon Marshall wrote:

 

Just to add to Leo's response. 

 

Every packet from the PC to the outside device goes via the router, but the return packets don't; they go direct from the ASA to the device because they are in the same subnet.

 

This is called asymmetric traffic. 

 

In addition, if you have ICMP redirects enabled on the router, you may find that the router informs the PC to use the ASA as the default gateway instead, because the router realises it is having to forward the traffic out of the same interface it received it on, which is not optimal in terms of routing.

 

Jon


 

This last bit; that’s what I was hoping it would do. Seems like the smart thing to do. But does it? How can I check? 

 

Assuming they have not been disabled on the router, you can check the PC's routing table.

 

Be aware though that the PC may have a firewall blocking them and they may not necessarily use the redirect even if it is not blocked. 

 

A lot depends on the OS. 

 

Jon

Nice one.

Watching Wireshark while I perform a ping;

  1. 1st packet gets sent to the MAC address of the gateway/router (R1).
  2. The router responds with an ICMP Redirect, informing the HOST to use the new gateway address (R2; the ASA).
  3. 2nd packet is sent directly to the ASA (R2).

(image: Untitled.png, Wireshark capture)

The default firewall rule (Echo-Request - ICMPv4-In) only includes the ICMP Code for 'Echo Request'. So you'll need to create a new Firewall rule, go to the Protocols and Ports tab, click Customize, and select all of them (or just the Redirect).

 

It's no solution for a long term connection fault. It seems the HOST is back to going to R1 and getting another ICMP Redirect within about 5 minutes. So it's more designed to avoid a HOST routing every packet via R1; instead it starts at R1 and then continues with R2 directly after that.

"It seems the HOST is back to going to R1 and getting another ICMP Redirect within about 5 minutes."

Yeah, timeouts are common for such, to ensure you don't keep using information that's stale. This is similar to ARPing for the IP's MAC. It too will age out (when not being actively used).

In the case of the redirect, consider the router had another, "better", path that didn't hairpin back onto the host network. It was sending your traffic using that path, but the path goes down, i.e. the ASA path is "backup". Your host gets redirected, but then the primary path comes back on-line.

Your host might have an option somewhere to determine how long to "hold" the redirect information.

"In addition if you have icmp redirects enabled on the router you may find that the router informs the PC to use the ASA as the default gateway . . ."

Jon, I don't recall an ICMP redirect passing the default route or indicating any change to the host's default gateway. Are you sure on that?

I believe it will always pass back the destination IP. If so, the sending host will fill its local route table with a set of host routes, each destination, via the ASA, using the ASA as the next hop. (Much like a Cisco router with a default route to just an egress interface.) For a typical host, this shouldn't be a problem, but if the host were something like a busy "public" web server, it might be a problem. (Just as it sometimes is on Internet facing Cisco routers, configured as just noted.)
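To make the behaviour observed in the Wireshark post and discussed just above concrete, here is an added example (not code from anyone in the thread): it decodes an ICMPv4 Redirect, pulls the original destination out of the embedded IP header (which is why the redirect is per destination, as Joe describes), installs a host route via the ASA, and ages it out after a hold time. The router address 172.16.8.1, the outside host 10.3.117.50 and the 300-second hold are assumptions for the example; only the PC and ASA addresses come from the thread.

```python
import struct
import ipaddress

# Constructed for this example: the router (172.16.8.1) and outside host (10.3.117.50)
# are assumed; the ~5-minute hold mirrors the re-redirect interval seen in the thread.
DEFAULT_GW = "172.16.8.1"
REDIRECT_HOLD_SECONDS = 300

def parse_icmp_redirect(icmp):
    """Decode an ICMPv4 Redirect (type 5): returns (code, gateway, original destination).
    The destination is read from the IP header embedded after the 8-byte ICMP header."""
    typ, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != 5:
        raise ValueError("not an ICMP redirect")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:  # RFC 792: inner IP header plus first 8 bytes of the datagram
        raise ValueError("truncated redirect")
    return code, str(ipaddress.IPv4Address(gw)), str(ipaddress.IPv4Address(inner[16:20]))

class HostRoutes:
    """Model of the PC's route cache: a default gateway plus redirect-learned host routes."""
    def __init__(self, default_gw=DEFAULT_GW, hold=REDIRECT_HOLD_SECONDS):
        self.default_gw, self.hold = default_gw, hold
        self.host_routes = {}  # destination -> (gateway, time learned)

    def apply_redirect(self, icmp, now):
        code, gw, dst = parse_icmp_redirect(icmp)
        if code != 1:  # honour only "redirect for host" (code 1), the case in the thread
            return None
        self.host_routes[dst] = (gw, now)
        return dst, gw

    def next_hop(self, dst, now):
        entry = self.host_routes.get(dst)
        if entry and now - entry[1] < self.hold:
            return entry[0]
        self.host_routes.pop(dst, None)  # aged out: back to R1 until the next redirect
        return self.default_gw

def build_redirect(gw, orig_src, orig_dst):
    """Constructed sample Redirect (code 1) carrying the original IP header + 8 bytes."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address(orig_src).packed, ipaddress.IPv4Address(orig_dst).packed)
    return struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(gw).packed) + inner + b"\x08\x00" + b"\x00" * 6

if __name__ == "__main__":
    rt = HostRoutes()
    pkt = build_redirect("172.16.8.101", "172.16.8.100", "10.3.117.50")
    print(rt.apply_redirect(pkt, now=0))       # ('10.3.117.50', '172.16.8.101')
    print(rt.next_hop("10.3.117.50", now=10))  # 172.16.8.101 (host route via the ASA)
    print(rt.next_hop("10.3.117.51", now=10))  # 172.16.8.1 (no redirect for that host yet)
    print(rt.next_hop("10.3.117.50", now=400)) # 172.16.8.1 (hold expired, back to R1)
```

Because each redirect adds one host route, a host talking to many outside addresses accumulates many entries, which is the scaling concern raised above for a busy server.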

 

Hi Joe 

 

Bad wording on my behalf. 

 

I should have said use the ASA as the gateway for that specific host because obviously the router may well have other interfaces and other routes not pointing to the ASA. 

 

Jon

cisc0.ameer
Level 1

Hello, for a while I've been looking at your topology to realize the DG is the router.

But my question is: why?

If this is a sample lab, why is the ASA NOT your DG?

Your approach in translating the PC's IP to the outside IP is NAT,

but why are you pointing your gateway to the Router?

Did you want to do something like a PROXY, as you wanted more of a security layer, which we have in WSA, and we also have this method from router to gateway .....

this topology
