RFC-1918 unknown subnet loop

PeterLin09157
Level 1

Hi everyone,

We have ASA firewalls which route all private subnets (RFC-1918) to our Nexus-9000 switches. These switches have a default route for unknown traffic to our firewalls.

We see that sometimes traffic is sent to unknown private subnets, which then loops, because the firewall sends it to the N9K which doesn't know it, and then sends it back to the firewall. TTL is at the default of 128, so that's quite a few loops.

What would you suggest we do?

Thank you.

Best regards

Peter

3 Replies

Cristian Matei
VIP Alumni

Hi,

The first question you should ask is who's sending traffic to unknown private subnets? What is your overall architecture? Do you use static routing from ASA-Nexus, or do you use any kind of dynamic routing to advertise your internal, private subnets? Also, the ASA should not, by default, be able to receive and send traffic back out the same interface; so in case you don't need this functionality, you could quickly break the "loop" by configuring "no same-security-level permit intra-interface".

Regards,

Cristian Matei.

pieterh
VIP

Seems obvious: either in the ASA or in the switch you need to block unwanted traffic.

Of course the ASA would be a logical point to block traffic, but I interpret "firewalls" as multiple devices(?), so blocking here would mean more management if the list of subnets needs to be changed, and more chance of errors if one firewall is omitted from this change.

My suggestion would be the N9K; the default route here would be intended for internet traffic (so to public subnets)?
- block unknown private networks,
- then allow all other traffic to follow the default route.
You can either block (using an ACL) or blackhole (using a route to NULL0) all unwanted private subnets.

You can also consider implementing a dynamic routing protocol for known private subnets.

Hello

@PeterLin09157 wrote:

Hi everyone,

We have ASA firewalls which route all private subnets (RFC-1918) to our Nexus-9000 switches. These switches have a default route for unknown traffic to our firewalls.

We see that sometimes traffic is sent to unknown private subnets, which then loops, because the firewall sends it to the N9K which doesn't know it, and then sends it back to the firewall. TTL is at the default of 128, so that's quite a few loops.

The most simplistic solution would be to append null statics for the unknown subnets; this way any query for a host on an unused subnet will get dropped by the FW.

! ASA static routes to the Null0 interface (the interface keyword is "null0";
! the RFC-1918 172 block is 172.16.0.0/12, i.e. mask 255.240.0.0)
route null0 192.168.X.0 255.255.255.0
route null0 172.16.0.0 255.240.0.0
route null0 10.0.0.0 255.0.0.0

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul
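As an added illustration of the two suggestions above (pieterh's Null0 routes or ACL on the N9K, and Paul's null statics on the firewall), here is a small Python model that is not part of the original thread or of any Cisco code. It builds the two routing tables Peter describes, resolves destinations by longest-prefix match, and counts how many forwarding decisions a packet to an unknown private address survives before its TTL runs out, first without and then with Null0 routes for the RFC-1918 aggregates on the N9K. The subnets, next-hop labels, and the simplification that every hop decrements TTL by exactly one are constructed assumptions for the example.

```python
"""Added example for this thread (not from the original posts or from Cisco).

Models the ASA and N9K routing tables the thread describes, resolves
destinations by longest-prefix match, and shows how a packet to an unknown
private subnet bounces until TTL expiry unless the N9K blackholes the
RFC-1918 aggregates.  Subnets, next-hop labels and the one-decrement-per-hop
TTL rule are constructed assumptions, not taken from the thread."""
import ipaddress

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
DEFAULT = "0.0.0.0/0"

# Constructed next-hop labels used by the model.
TO_N9K, TO_ASA, TO_ISP, LOCAL, NULL0 = "n9k", "asa", "isp", "local", "null0"


def lookup(rib, dst):
    """Longest-prefix match over rib, a list of (ip_network, next_hop) tuples."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in rib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def build_tables(known_private, blackhole_unknown_private):
    """ASA: RFC-1918 aggregates toward the N9K plus a default to the ISP.
    N9K: the private subnets it actually knows, a default back to the ASA and,
    optionally, the RFC-1918 aggregates to Null0.  Because of longest match the
    Null0 routes only catch private space that has no more specific route."""
    asa = [(ipaddress.ip_network(n), TO_N9K) for n in RFC1918]
    asa.append((ipaddress.ip_network(DEFAULT), TO_ISP))
    n9k = [(ipaddress.ip_network(n), LOCAL) for n in known_private]
    n9k.append((ipaddress.ip_network(DEFAULT), TO_ASA))
    if blackhole_unknown_private:
        n9k.extend((ipaddress.ip_network(n), NULL0) for n in RFC1918)
    return {"asa": asa, "n9k": n9k}


def forward(tables, dst, ttl=128, start="asa"):
    """Bounce the packet between devices until it is delivered, blackholed,
    or its TTL expires.  Returns (outcome, number_of_forwarding_decisions)."""
    device, hops = start, 0
    while ttl > 0:
        nh = lookup(tables[device], dst)
        hops += 1
        if nh is None:
            return ("dropped:no-route", hops)
        if nh in (LOCAL, TO_ISP):
            return ("delivered:" + nh, hops)
        if nh == NULL0:
            return ("dropped:null0", hops)
        ttl -= 1  # simplification: each hop decrements TTL by one
        device = nh
    return ("dropped:ttl-expired", hops)


def nxos_null_routes():
    """NX-OS static routes that blackhole the RFC-1918 aggregates on the N9K."""
    return [f"ip route {n} Null0" for n in RFC1918]


if __name__ == "__main__":
    known = ["10.1.0.0/16", "10.2.10.0/24", "192.168.50.0/24"]  # constructed
    for blackhole in (False, True):
        t = build_tables(known, blackhole)
        print(f"Null0 routes on N9K: {blackhole}")
        for dst in ("10.9.9.9", "10.1.5.5", "8.8.8.8"):
            print(f"  {dst:>12} -> {forward(t, dst)}")
    print("\n".join(nxos_null_routes()))
```

In the first run the packet to 10.9.9.9 is forwarded 128 times before it dies; in the second it is dropped at the second forwarding decision, while 10.1.5.5 (a known, more specific subnet) and 8.8.8.8 (public, default route) are unaffected. One caveat for the real devices: the ASA does not decrement TTL unless `set connection decrement-ttl` is configured, so in practice only the N9K side ages the looping packet, which makes the blackhole or ACL on the switch all the more worthwhile.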