03-30-2020 12:05 AM - edited 03-30-2020 12:25 AM
Hi everyone,
We have ASA firewalls which route all private subnets (RFC 1918) to our Nexus 9000 switches. These switches have a default route for unknown traffic to our firewalls.
We see that sometimes traffic is sent to unknown private subnets, which then loops, because the firewall sends it to the N9K, which doesn't know it and then sends it back to the firewall. TTL is at the default of 128, so that's quite a few loops.
What would you suggest we do?
Thank you.
Best regards
Peter
03-30-2020 01:03 AM
Hi,
The first question you should ask is who's sending traffic to unknown private subnets? What is your overall architecture? Do you use static routing from ASA to Nexus, or do you use any kind of dynamic routing to advertise your internal, private subnets? Also, the ASA should not, by default, be able to receive and send traffic back out the same interface; so in case you don't need this functionality, you could quickly break the "loop" by configuring "no same-security-level permit intra-interface".
Regards,
Cristian Matei.
03-30-2020 01:30 AM
Seems obvious: either in the ASA or in the switch you need to block unwanted traffic.
Of course the ASA would be a logical point to block traffic,
but I interpret "firewalls" as multiple devices(?), so blocking here would mean more management if the list of subnets needs to be changed, and more chance of errors if one firewall is omitted from this change.
My suggestion would be the N9K; the default route here would be intended for internet traffic (so to public subnets)?
- block unknown private networks,
- then allow all other traffic to follow the default route
You can either block (using an ACL) or blackhole (using a route to Null0) all unwanted private subnets.
You can also consider implementing a dynamic routing protocol for known private subnets.
03-30-2020 01:54 AM
Hello
@PeterLin09157 wrote:
Hi everyone,
We have ASA firewalls which routes all private subnets (RFC-1918) to our Nexus-9000 switches. These switches have a default route for unknown traffic to our firewalls.
We see that sometimes traffic is sent to unknown private subnets, which then loops, because the firewall sends it to the N9K which doesn't know it, and then sends it back to the firewall.. TTL is at default to 128, so that's quite a few loops.
The most simplistic solution would be to append null statics for the unknown subnets; this way any query for a host on an unused subnet will get dropped by the FW:
route null0 192.168.X.0 255.255.255.0
route null0 172.16.0.0 255.240.0.0
route null0 10.0.0.0 255.0.0.0
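To make the loop and the blackhole fix from the two answers above concrete, here is a small added Python simulation (not from the thread or from any Cisco device). It models the firewall ("fw") and the Nexus ("n9k") as longest-prefix-match routing tables, walks a packet hop by hop while decrementing TTL, and shows that with only summary routes on the firewall and a default on the switch an unknown 10.x destination bounces until TTL 128 is exhausted, whereas adding Null0 routes for the RFC 1918 blocks on the N9K drops it after one bounce while a known subnet and internet-bound traffic are unaffected. Device names, prefixes and hosts are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology: the "local" next hop means the device delivers the packet,
# "null0" means the device discards it, any other name is another device.
LOCAL, NULL0 = "local", "null0"


@dataclass
class Router:
    name: str
    routes: dict = field(default_factory=dict)  # ip_network -> next-hop name

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match; returns the next-hop name or None."""
        best = None
        for prefix, nh in self.routes.items():
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None


def build_topology(blackhole):
    """Firewall sends RFC 1918 to the switch; the switch defaults to the firewall.
    With blackhole=True the switch also carries Null0 routes for the RFC 1918 blocks,
    which only match destinations that no more specific connected subnet covers."""
    fw, n9k, internet = Router("fw"), Router("n9k"), Router("internet")
    for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        fw.add(block, "n9k")
        if blackhole:
            n9k.add(block, NULL0)
    fw.add("0.0.0.0/0", "internet")
    n9k.add("10.1.0.0/24", LOCAL)      # the one subnet the switch actually hosts
    n9k.add("0.0.0.0/0", "fw")
    internet.add("0.0.0.0/0", LOCAL)
    return {r.name: r for r in (fw, n9k, internet)}


def forward(devices, start, dst, ttl=128):
    """Walk the packet until it is delivered, dropped or its TTL hits zero.
    Returns (outcome, device where it ended, number of routing decisions)."""
    dst = ipaddress.ip_address(dst)
    node, hops = start, 0
    while ttl > 0:
        nh = devices[node].lookup(dst)
        hops += 1
        ttl -= 1
        if nh is None or nh == NULL0:
            return ("dropped", node, hops)
        if nh == LOCAL:
            return ("delivered", node, hops)
        node = nh
    return ("ttl_expired", node, hops)


if __name__ == "__main__":
    for fixed in (False, True):
        devices = build_topology(blackhole=fixed)
        print("blackhole routes on N9K:", fixed)
        for dst in ("10.9.9.9", "10.1.0.5", "8.8.8.8"):
            print("  ", dst, forward(devices, "fw", dst))
```

Without the Null0 routes the unknown 10.9.9.9 packet consumes all 128 TTL decrements ping-ponging between the two boxes; with them it is discarded on the switch at the second hop, while 10.1.0.5 still reaches its /24 because the longer prefix wins the lookup. Placing the same Null0 routes on the ASA instead (the third answer) drops the packet one hop earlier, at the firewall.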