SG300-52. Prefers to send traffic to default gateway rather than static route? Network halts if I disable ICMP redirects.

I have 4 switches, each acting as its own subnet with a /26 mask. They have static routes for every other switch. The firewall has a static route to every switch. If I unplug the LAN interface of the firewall, traffic stops flowing from the switches. If I block ICMP redirects on the LAN side of the firewall, traffic also stalls out.

So if you're connected to this switch, let's say you pull an IP of 192.168.122.20. Your gateway is the switch 192.168.122.62. If you try and access a server 192.168.127.142, the SG300 sends your traffic to 192.168.127.254 to get an ICMP redirect, instead of just contacting 192.168.127.50 directly.

My "core" network is 192.168.127.0/24 vlan1 and the firewall is 192.168.127.254

Here's the routing table off one of my switches (which owns 192.168.122.0/26 and the ports run on vlan122)

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static

S   0.0.0.0/0 [1/1] via 192.168.127.254, 73:48:13, vlan 1
C   192.168.122.0/26 is directly connected, vlan 122
S   192.168.123.0/26 [1/1] via 192.168.127.123, 73:48:13, vlan 1
S   192.168.124.0/26 [1/1] via 192.168.127.124, 73:48:13, vlan 1
S   192.168.125.0/26 [1/1] via 192.168.127.125, 73:48:14, vlan 1
C   192.168.127.0/24 is directly connected, vlan 1

Anyway what gives? Why would the switch first try to send the flow to the firewall?


EDIT: Here's the routing table of the server:

jonathan.fisher@wiki:~$ ip route show
default via 192.168.127.254 dev eth0 
192.168.122.0/26 via 192.168.127.122 dev eth0 
192.168.123.0/26 via 192.168.127.123 dev eth0 
192.168.124.0/26 via 192.168.127.124 dev eth0 
192.168.125.0/26 via 192.168.127.125 dev eth0 
192.168.127.0/24 dev eth0  proto kernel  scope link  src 192.168.127.142


11 Replies
Cisco Employee

Hi Jonathan,

Routes that identify a specific destination take precedence over the default route unless the interface is down.

Please let me know what the firmware version and boot code on the switch are. Also we might need to look into your network topology and switch configuration file specifically. Thus I would recommend you open a ticket with the Small Business Support Team:

http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards,

Aleksandra

Thanks adargiel... we just replaced our firewall on our network and added a pair of SG200s to connect all of the SG300s on the edges of our network. We're going to do some packet captures and make sure the ICMP redirects aren't happening anymore. 


I suspect this still may be happening... or something even more strange is happening. We were running the Feb 2014 release of boot/firmware... haven't upgraded to the Aug 2014 yet.

The topology is client-[vlan124]->sg300-[vlan0]->sg200-[vlan0]->firewall.

The sg300 is doing the L3 routing... I suspect where we would want to pcap is on the sg200 to watch if the firewall replies with an ICMP redirect, correct? 

Advocate

Hi, this is not running a routing protocol, therefore the most specific route is not "advertised" as you may expect with multiple routes available. The first default route is how the traffic is trying to be routed since it covers all subnets.

You may want to remove the default-gateway statement off the switch system configuration and that I think will solve your problem.

-Tom
Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

If I remove the default gateway... then how will the clients in the subnet access the internet?

Cisco Employee

Hi Jonathan,

I do not think you would be able to avoid getting a dual WAN router for ISP service redundancy, or two switches which are capable of VRRP for hardware and ISP service redundancy.

You need not only load balance the routes but also some mechanism which would detect network service failure which might occur on not directly connected links.

Regards,

Aleksandra


How does a dual router solve the problem??

Here's the bug I've determined:

If an SG300 needs to route traffic to a server (192.168.127.29) on a /24 interface, and its default gateway (192.168.127.254) is in the same /24 subnet, it sends the traffic to the default gateway (192.168.127.254) rather than just sending the traffic directly to the server (192.168.127.129).

The default gateway in this case is responding with an ICMP redirect.  It's pretty easy to reproduce :/

Cisco Employee (accepted solution)

Hi Jonathan,

I am sorry. I misunderstood the routing table you are trying to accomplish. Your concern seems to be relevant since the most matching rule should be chosen rather than the first one: page 275 http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf

..."When routing traffic, the next hop is decided on according to the longest prefix match (LPM algorithm). A destination IPv4 address may match multiple routes in the IPv4 Static Route Table. The device uses the matched route with the highest subnet mask, that is, the longest prefix match. "...

So go ahead and report this to the support team so the guys can do the lab, confirm this and report further:

http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards,

Aleksandra


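To make the longest-prefix-match rule quoted from the administration guide concrete, and to show why the behaviour described in the opening question is wrong under that rule, here is an added example that is not from the original post, from Cisco, or from the switch itself. It runs the routing table transcribed from the question's switch output through two lookup strategies: longest prefix match, which the guide says the device should use, and first-listed match, which is what the observed "send everything to the default gateway" behaviour (and Tom's reply) corresponds to. The `forward`, `longest_prefix_match` and `first_match` helpers and the dictionary they return are my own construction.

```python
import ipaddress

# Routing table transcribed from the SG300 "show ip route" output in the
# question, in the order the switch listed it:
# (code, prefix, next hop or None for a connected route, egress interface)
SWITCH_ROUTES = [
    ("S", "0.0.0.0/0",        "192.168.127.254", "vlan 1"),
    ("C", "192.168.122.0/26", None,              "vlan 122"),
    ("S", "192.168.123.0/26", "192.168.127.123", "vlan 1"),
    ("S", "192.168.124.0/26", "192.168.127.124", "vlan 1"),
    ("S", "192.168.125.0/26", "192.168.127.125", "vlan 1"),
    ("C", "192.168.127.0/24", None,              "vlan 1"),
]


def parse_table(rows):
    """Turn the textual prefixes into ip_network objects, keeping list order."""
    return [(code, ipaddress.ip_network(prefix), nh, iface)
            for code, prefix, nh, iface in rows]


def longest_prefix_match(dst, table):
    """LPM: among all routes containing dst, pick the one with the longest mask."""
    dst = ipaddress.ip_address(dst)
    best = None
    for code, net, nh, iface in table:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (code, net, nh, iface)
    return best


def first_match(dst, table):
    """Naive lookup: the first listed route that contains dst wins.
    With the default route listed first, every destination matches it."""
    dst = ipaddress.ip_address(dst)
    for entry in table:
        if dst in entry[1]:
            return entry
    return None


def forward(dst, table, lookup=longest_prefix_match):
    """Resolve where a packet for dst is sent under the given lookup strategy.
    For a connected route the 'next hop' is the destination itself: the
    switch ARPs for it directly instead of handing it to a router."""
    entry = lookup(dst, table)
    if entry is None:
        return None
    code, net, nh, iface = entry
    target = dst if nh is None else nh
    return {"prefix": str(net), "next_hop": target, "interface": iface}


if __name__ == "__main__":
    table = parse_table(SWITCH_ROUTES)
    for dst in ("192.168.127.142", "192.168.124.7", "8.8.8.8"):
        print(dst, "LPM ->", forward(dst, table),
              "| first match ->", forward(dst, table, lookup=first_match))
```

For 192.168.127.142 the longest prefix match lands on the connected 192.168.127.0/24 route, so the correct behaviour is to deliver on vlan 1 directly; only the first-listed strategy hands the packet to 192.168.127.254, which is the hairpin the firewall answers with an ICMP redirect.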

So I opened a ticket with Cisco, and they had me put in firewall rules to log any ICMP traffic flowing through the firewall out the same interface. Great idea, don't know why I didn't think of that.

The problem has since gone away however... Not sure how it got fixed, but I've run all week without a peep in my logs. Maybe a switch got into a bad state and just needed to be restarted... who knows, but I'm glad it's not happening anymore.

Thank you everyone!

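The approach from the support ticket, logging ICMP and any traffic the firewall forwards back out the interface it arrived on, is easy to keep running so a recurrence shows up instead of being noticed by accident. The following added example is mine, not Cisco's and not from anyone in the thread; it assumes the firewall writes netfilter/iptables-style `KEY=VALUE` log lines to syslog (the thread never names the firewall, so that format is an assumption), and the sample lines are constructed for the example. It flags two things: forwarded packets whose `IN` and `OUT` interface are the same (the hairpin that provokes a redirect) and ICMP type 5 (the redirect itself), then counts each per source/destination pair so a chatty switch stands out.

```python
import re
from collections import Counter

# Constructed sample in netfilter LOG style (assumed format, not a real capture
# from the thread). Addresses reuse the subnets from the question.
SAMPLE_LOG = """\
Sep 10 09:12:01 fw kernel: HAIRPIN: IN=eth1 OUT=eth1 SRC=192.168.122.20 DST=192.168.127.142 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=443
Sep 10 09:12:01 fw kernel: REDIRECT: IN= OUT=eth1 SRC=192.168.127.254 DST=192.168.127.122 LEN=88 TTL=64 PROTO=ICMP TYPE=5 CODE=1
Sep 10 09:12:03 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.122.21 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=80
Sep 10 09:12:05 fw kernel: HAIRPIN: IN=eth1 OUT=eth1 SRC=192.168.122.20 DST=192.168.127.142 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=443
Sep 10 09:12:06 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.122.20 DST=203.0.113.10 LEN=60 TTL=63 PROTO=ICMP TYPE=8 CODE=0
"""

# Upper-case KEY=VALUE tokens; an empty value (e.g. "IN=" on locally
# generated packets) is allowed.
KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Extract KEY=VALUE fields. The first occurrence of a key wins, so an
    embedded inner header (as netfilter prints for ICMP errors) cannot
    overwrite the outer SRC/DST."""
    fields = {}
    for key, value in KV.findall(line):
        fields.setdefault(key, value)
    return fields


def classify(line):
    """Return 'redirect' for an ICMP type 5 packet, 'hairpin' for a packet
    forwarded out the interface it came in on, otherwise None."""
    f = parse_line(line)
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "5":
        return "redirect"
    if f.get("IN") and f.get("OUT") and f["IN"] == f["OUT"]:
        return "hairpin"
    return None


def summarize(lines):
    """Count flagged lines per (SRC, DST) pair, split by kind."""
    counts = {"redirect": Counter(), "hairpin": Counter()}
    for line in lines:
        kind = classify(line)
        if kind is None:
            continue
        f = parse_line(line)
        counts[kind][(f.get("SRC"), f.get("DST"))] += 1
    return counts


if __name__ == "__main__":
    for kind, pairs in summarize(SAMPLE_LOG.splitlines()).items():
        for (src, dst), n in pairs.most_common():
            print(f"{kind:8} {src} -> {dst}: {n}")
```

A hairpin count that is non-zero for a switch address is the earliest signal: it appears before the redirect does, and it persists even if the firewall is later configured not to send redirects, which is exactly the case where the thread's traffic stalled.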
Cisco Employee

Hi Jonathan,

Great news! Thanks for the update.

Aleksandra


Isn't that bass ackwards? What the heck is the point of putting additional routes into a device if it's going to use the most general route first?