ICMP Redirect

bfrericks, Level 1

Is there a case when ICMP redirect would be acceptable? Basically we have a core router that all devices (with a few exceptions) are GW'd to. We also have our Internet Gateway and a VPN Concentrator. Problem is, when a PC wants to talk to the internet, they go to the core router and the core issues an ICMP redirect to the Internet GW. Also if a client needs to talk with a device that is on the VPN concentrator, the core router will ICMP redirect them to the VPN concentrator.

My question: Is this acceptable or is there a better way to perform the routing?

Accepted Solution

Richard Burts

Blake

I agree with Martin about not trying to fix something that is not broken. And as I understand your environment I think it is not broken.

I think that there are reasonable explanations for both kinds of traffic. If a PC is trying to get to some remote address on the Internet, it is appropriate that it forward to its default gateway. If the default gateway is going to forward to the Internet router (which is on the same subnet) then it is appropriate that the default gateway send an ICMP redirect to the PC. You could "fix" that by making the PC default gateway to be the address of the Internet router. But then traffic from the PC to addresses of other subnets within your network would generate redirects from the Internet router. So probably not much of an improvement.

Also if the PC is sending something to a device connected through the Concentrator it will treat the destination as a remote address and forward it to the PC's default gateway. If the router has a routing entry that the pool of addresses for the concentrator has a next hop on the same subnet the router will generate a redirect. I do not see this as a problem.

So in both cases the ICMP redirect is an optimization to traffic flow in the network and I believe that there are good reasons for the ICMP redirect to be generated. I think this is quite acceptable and appropriate behavior and does not need to be "fixed".

HTH

Rick


8 Replies

mheusinger, Level 10

Hello,

depending on your client operating system you could add static routes. With MS it should look like:

route ADD 10.0.0.0 MASK 255.0.0.0 192.168.1.1 -p

route ADD 172.16.0.0 MASK 255.255.0.0 192.168.1.2 -p

The -p makes the routes persistent.

Other than that: What is wrong the way it is working?

Hope this helps! Please rate all posts.

Regards, Martin

I just want to be sure that I am doing this the best way possible. I know I can add routes to the client, but that seems to defeat the purpose of centralized management and creating a dynamic environment. Would it be best to disable ICMP redirects @ the router as to not duplicate frames on the network?

I do not believe that all packets are routed to the DG, then redirected to the Internet Router, only the first one. The ICMP updated route is cached on the PC for some time (10 minutes in NT). So only one packet gets duplicated on the LAN until the route times out, then the better route will get relearned via ICMP Redirect at the expense of one more duplicated packet. This is normal operation, and is implemented to make host configurations less complicated.

Dave

Richard Burts, Hall of Fame

Blake

A little more information about your topology would be helpful. Are the PCs in a single VLAN where this happens or are they in multiple VLANs? Are you using secondary addressing on the core router?

The fact that the core router is sending ICMP redirect would seem to indicate that the router, the Internet Gateway, and the Concentrator are in the same subnet as the PC. If that is the case, why are the PCs going to the core router and not ARPing for the Internet or for the Concentrator?

To answer your more general question about whether ICMP redirect is acceptable or not, I would say that in general redirect was designed into the protocol for a reason (to inform end stations that there is a better way to get to the destination than to go through the router which originally received the packet) and as such I would say it is generally acceptable. There are some environments where local policy indicates that redirect should be disabled. And HSRP disables redirects. Do any of these situations apply to you? Otherwise I would think that it is acceptable.

HTH

Rick

Yes, the Internet GW, Core Router and VPN are all on the same subnet, but the devices that our clients are talking to are on the other end, therefore I wouldn't think an ARP request would be necessary; the client would just send the packet to its DG. Please correct me if I am wrong.

Thanks for your help!

Blake

Hi Blake,

I agree, all clients would first consult their own IP routing table and then send everything non-local to the DG. No need for any other ARP than for the DG.

This is the reason I suggested to modify the client IP routing table in the first place, as then the DG would never have to deal with IP packets destined to another box on the same LAN.

Once the ICMP redirect is received, the clients should ARP for the redirected IP and forward the packets there.

In case you do not experience performance degradation or other side effects you could very well leave the situation unchanged.

NB: If it is not broken: Don't fix it!

Hope this helps! Please rate all posts.

Regards, Martin

johndennison, Level 1

Presumably you have networks behind that gateway router that those local hosts may need to communicate with. They may even be accessed over WAN links. In the event a link to a remote network goes down and a local host tries to access it, that gateway router is going to send an ICMP redirect to that host telling him to use the internet gateway. This obviously is incorrect. If the outage was minor, only lasting for a couple of minutes, then the effect of the redirect could well be more impactful than the network outage itself.

Someone stated that NT hosts hold onto redirects for 10 minutes. What about other types of hosts? We've run into issues where a redirect is held onto for quite a long time and we had to reboot the system or drop the route manually on the host.

One way to help mitigate this is to run a dynamic routing protocol among the three possible gateway devices so that they will each know when to accept and forward a packet and when to send an ICMP redirect.

Please feel free to comment, I would be curious to know what others think.
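As an added illustration (not code from anyone in this thread): a small Python model of the core router's redirect decision under the rule Rick describes (redirect only when the chosen next hop sits on the same subnet as the sending host), extended to the outage case John raises, where withdrawing the route for a remote site lets the default route win and the redirect now points at the Internet gateway. The topology, addresses and routing table are constructed assumptions.

```python
import ipaddress

# Constructed topology modelled on the thread: PCs, the core router (their default
# gateway), the Internet gateway and the VPN concentrator all sit in 192.168.1.0/24.
LAN = ipaddress.ip_network("192.168.1.0/24")
INET_GW, VPN = "192.168.1.2", "192.168.1.3"

# Constructed forwarding table of the core router: prefix -> next hop
# (None means directly connected). Addresses are illustrative only.
CORE_ROUTES = {
    "192.168.1.0/24": None,       # the shared LAN
    "10.50.0.0/16": "10.99.0.2",  # remote site over the core's own WAN link
    "172.16.0.0/16": VPN,         # VPN client pool, reached via the concentrator
    "0.0.0.0/0": INET_GW,         # everything else goes to the Internet gateway
}

def lookup(routes, dst):
    """Longest-prefix match: returns (network, next_hop) or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def redirect_target(routes, src, dst, lan=LAN):
    """Next hop the router would name in an ICMP redirect to src, or None when it
    just forwards. Per RFC 1812 a redirect is sent only when the packet would go
    back out the interface it arrived on: next hop on the same subnet as src."""
    match = lookup(routes, dst)
    if match is None or match[1] is None:
        return None  # no route, or destination is on the LAN (host should ARP)
    next_hop = match[1]
    if ipaddress.ip_address(src) in lan and ipaddress.ip_address(next_hop) in lan:
        return next_hop
    return None

def withdraw(routes, prefix):
    """Copy of the table with one prefix removed, simulating the WAN link to
    that site going down so that the default route takes over."""
    return {p: nh for p, nh in routes.items() if p != prefix}

if __name__ == "__main__":
    pc = "192.168.1.50"
    print("Internet :", redirect_target(CORE_ROUTES, pc, "203.0.113.10"))  # 192.168.1.2
    print("VPN pool :", redirect_target(CORE_ROUTES, pc, "172.16.4.9"))    # 192.168.1.3
    print("WAN up   :", redirect_target(CORE_ROUTES, pc, "10.50.1.1"))     # None
    print("WAN down :", redirect_target(withdraw(CORE_ROUTES, "10.50.0.0/16"), pc, "10.50.1.1"))  # 192.168.1.2
```

The last case is the misleading redirect: a host that caches it keeps sending site traffic to the Internet gateway until the cache entry expires, which is why a routing protocol among the gateways (or disabling redirects on the core interface) limits the blast radius of a short WAN outage.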