SG300-52. Prefers to send traffic to default gateway rather than static route? Network halts if I disable ICMP redirects.

Jonathan Fisher
Level 1

I have 4 switches, each acts as its own subnet with a /26 mask. They have static routes for every other switch. The firewall has a static route to every switch. If I unplug the LAN interface of the firewall, traffic stops flowing from the switches. If I block ICMP redirects on the LAN side of the firewall, traffic also stalls out.

So if you're connected to this switch, let's say you pull an IP of 192.168.122.20. Your gateway is the switch 192.168.122.62. If you try to access a server 192.168.127.142, the SG300 sends your traffic to 192.168.127.254 to get an ICMP redirect, instead of just contacting 192.168.127.50 directly.

 

My "core" network is 192.168.127.0/24 vlan1 and the firewall is 192.168.127.254

Here's the routing table off one of my switches (which owns 192.168.122.0/26 and the ports run on vlan122)

 

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static

S   0.0.0.0/0 [1/1] via 192.168.127.254, 73:48:13, vlan 1
C   192.168.122.0/26 is directly connected, vlan 122
S   192.168.123.0/26 [1/1] via 192.168.127.123, 73:48:13, vlan 1
S   192.168.124.0/26 [1/1] via 192.168.127.124, 73:48:13, vlan 1
S   192.168.125.0/26 [1/1] via 192.168.127.125, 73:48:14, vlan 1
C   192.168.127.0/24 is directly connected, vlan 1

Anyway what gives? Why would the switch first try to send the flow to the firewall?

 

EDIT: Here's the routing table of the server:

jonathan.fisher@wiki:~$ ip route show
default via 192.168.127.254 dev eth0 
192.168.122.0/26 via 192.168.127.122 dev eth0 
192.168.123.0/26 via 192.168.127.123 dev eth0 
192.168.124.0/26 via 192.168.127.124 dev eth0 
192.168.125.0/26 via 192.168.127.125 dev eth0 
192.168.127.0/24 dev eth0  proto kernel  scope link  src 192.168.127.142

 

Accepted Solution

Hi Jonathan,

I am sorry. I misunderstood the routing table you are trying to accomplish. Your concern seems to be relevant since the most matching rule should be chosen rather than the first one: page 275 http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf

 

..."When routing traffic, the next hop is decided on according to the longest prefix match (LPM algorithm). A destination IPv4 address may match multiple routes in the IPv4 Static Route Table. The device uses the matched route with the highest subnet mask, that is, the longest prefix match. "...

 

So go ahead and report this to support team so guys can do the lab, confirm this and report further: 

http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards,

Aleksandra

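To make the longest-prefix-match rule from the admin guide concrete against the routing table posted above, here is a small added example (my own code, not Cisco's and not anything from the thread) that runs both lookups over that table: a correct LPM lookup and the "first matching entry wins" behaviour the thread suspects. The redirect_expected() helper is a simplified assumption of when a router sends an ICMP redirect: the wrong next hop and the right next hop both sit on the same directly connected subnet, so the gateway would have to forward the packet back out the interface it arrived on.

```python
import ipaddress

# The SG300 routing table quoted in the thread (switch owning 192.168.122.0/26).
# A next hop of None means "directly connected": deliver to the destination itself.
SWITCH_ROUTES = [
    ("0.0.0.0/0",        "192.168.127.254", "vlan 1"),
    ("192.168.122.0/26", None,              "vlan 122"),
    ("192.168.123.0/26", "192.168.127.123", "vlan 1"),
    ("192.168.124.0/26", "192.168.127.124", "vlan 1"),
    ("192.168.125.0/26", "192.168.127.125", "vlan 1"),
    ("192.168.127.0/24", None,              "vlan 1"),
]


def _resolve(entry, dst):
    """Turn a matched entry into (prefix, next_hop, interface)."""
    net, via, iface = entry
    return (str(net), via if via is not None else str(dst), iface)


def lpm_lookup(dest, routes=SWITCH_ROUTES):
    """Longest-prefix match: of all entries containing dest, pick the one with
    the longest mask. Returns (prefix, next_hop, interface) or None."""
    dst = ipaddress.ip_address(dest)
    best = None
    for prefix, via, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, iface)
    return _resolve(best, dst) if best else None


def first_match_lookup(dest, routes=SWITCH_ROUTES):
    """The behaviour the thread suspects: the first entry in table order that
    contains dest wins, regardless of mask length. With the default route
    listed first, every destination goes to the firewall."""
    dst = ipaddress.ip_address(dest)
    for prefix, via, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            return _resolve((net, via, iface), dst)
    return None


def redirect_expected(dest, routes=SWITCH_ROUTES):
    """Simplified model (assumption): a router answers with an ICMP redirect
    when the next hop it was handed and the correct next hop are on the same
    directly connected subnet, i.e. it would forward the packet straight back
    out the interface it came in on."""
    lpm = lpm_lookup(dest, routes)
    naive = first_match_lookup(dest, routes)
    if lpm is None or naive is None or lpm[1] == naive[1]:
        return False
    good_hop = ipaddress.ip_address(lpm[1])
    bad_hop = ipaddress.ip_address(naive[1])
    for prefix, via, _ in routes:
        net = ipaddress.ip_network(prefix)
        if via is None and good_hop in net and bad_hop in net:
            return True
    return False


if __name__ == "__main__":
    for dest in ("192.168.127.142", "192.168.123.5", "8.8.8.8"):
        print(dest, "LPM:", lpm_lookup(dest),
              "first-match:", first_match_lookup(dest),
              "redirect expected:", redirect_expected(dest))
```

For 192.168.127.142 the LPM result is the connected /24 (deliver directly on vlan 1), while first-match hands it to 192.168.127.254; both hops are on 192.168.127.0/24, which is exactly the situation in which the firewall has to redirect. Only a destination with no more specific route, such as 8.8.8.8, should ever reach the default gateway.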

11 Replies

Aleksandra Dargiel
Cisco Employee

Hi Jonathan,

Routes that identify a specific destination take precedence over the default route unless the interface is down.

Please let me know what is the firmware version and boot code on the switch. Also we might need to look into your network topology and switch configuration file specifically.  Thus I would recommend you to open ticket with Small Business Support Team:

http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards,

 

Aleksandra

 

Thanks adargiel... we just replaced our firewall on our network and added a pair of SG200s to connect all of the SG300s on the edges of our network. We're going to do some packet captures and make sure the ICMP redirects aren't happening anymore. 

I suspect this still may be happening... or something even more strange is happening. We were running the Feb 2014 release of boot/firmware... haven't upgraded to the Aug 2014 yet.

 

The topology is client-[vlan124]->sg300-[vlan0]->sg200-[vlan0]->firewall.

 

The sg300 is doing the L3 routing... I suspect where we would want to pcap is on the sg200 to watch if the firewall replies with an ICMP redirect, correct? 

Tom Watts
VIP Alumni

Hi, this is not running a routing protocol, therefore the most specific route is not "advertised" as you may expect with multiple routes available. The first default route is how the traffic is trying to be routed since it covers all subnets.

 

You may want to remove the default-gateway statement off the switch system configuration and that I think will solve your problem.

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

If I remove the default gateway... then how will the clients in the subnet access the internet?

Hi Jonathan,

I do not think you would be able to avoid getting a dual-WAN router for ISP service redundancy, or two switches which are capable of VRRP for hardware and ISP service redundancy.

You need not only load balance the routes but also some mechanism which would detect network service failure which might occur on not directly connected links.

Regards,

Aleksandra

 

How does a dual router solve the problem??

 

Here's the bug I've determined:

 

If an SG300 needs to route traffic to a server (192.168.127.29) on a /24 interface, and its default gateway (192.168.127.254) is in the same /24 subnet, it sends the traffic to the default gateway (192.168.127.254) rather than just sending the traffic directly to the server (192.168.127.129).

 

The default gateway in this case is responding with an ICMP redirect.  It's pretty easy to reproduce :/

 


So I opened a ticket with Cisco, and they had me put in firewall rules to log any ICMP traffic flowing through the firewall out the same interface. Great idea, don't know why I didn't think of that.

 

The problem has since gone away however... Not sure how it got fixed, but I've run all week without a peep in my logs. Maybe a switch got into a bad state and just needed to be restarted... who knows, but I'm glad it's not happening anymore.

 

Thank you everyone!
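Logging hairpinned ICMP on the firewall is one way to see the redirects; another is to look for them on the wire, which is also what you would want in a detection rule, since hosts that accept redirects can have their next hop changed by anyone on the segment. The following added example (my own code, not from the thread, Cisco, or any capture) decodes raw IPv4 packets, validates the ICMP checksum, picks out type 5 redirects, and flags any whose new gateway is neither a known router nor the original destination itself. The packets and the KNOWN_ROUTERS set are constructed to mirror the thread's addresses; there is no real capture behind them.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src, dst, payload_len, proto=1, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum (constructed)."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return fields[:10] + struct.pack("!H", _checksum(fields)) + fields[12:]


def build_redirect(router, host, new_gateway, orig_src, orig_dst, code=1):
    """Constructed ICMP redirect (type 5): new gateway, then the original
    datagram's IP header plus its first 8 payload bytes, as a router sends it."""
    original = _ipv4_header(orig_src, orig_dst, 8, proto=6) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.ip_address(new_gateway).packed) + original
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return _ipv4_header(router, host, len(icmp)) + icmp


def build_echo(src, dst):
    """Constructed ICMP echo request, used only as a non-redirect control."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return _ipv4_header(src, dst, len(icmp)) + icmp


def parse_icmp_redirect(packet: bytes):
    """Describe an IPv4 ICMP redirect as a dict, or return None when the packet
    is not one (other protocol/type, truncated, or bad ICMP checksum)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or ihl < 20 or len(packet) < total_len:
        return None
    icmp = packet[ihl:total_len]
    # 8-byte ICMP header + 20-byte inner IP header + 8 bytes of original payload
    if len(icmp) < 36 or icmp[0] != ICMP_REDIRECT or _checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    if inner[0] >> 4 != 4 or len(inner) < (inner[0] & 0x0F) * 4 + 8:
        return None
    return {
        "router": str(ipaddress.ip_address(packet[12:16])),
        "host": str(ipaddress.ip_address(packet[16:20])),
        "code": icmp[1],
        "new_gateway": str(ipaddress.ip_address(icmp[4:8])),
        "original_src": str(ipaddress.ip_address(inner[12:16])),
        "original_dst": str(ipaddress.ip_address(inner[16:20])),
    }


def find_redirects(packets, known_routers=()):
    """Return every redirect in packets. A redirect pointing at an address that
    is neither a known router nor the original destination ("it is on your own
    subnet, talk to it directly") is marked unexpected and deserves a look."""
    known = set(known_routers)
    alerts = []
    for pkt in packets:
        r = parse_icmp_redirect(pkt)
        if r is not None:
            r["unexpected_gateway"] = (r["new_gateway"] != r["original_dst"]
                                       and r["new_gateway"] not in known)
            alerts.append(r)
    return alerts


# Constructed samples modelled on the thread: the firewall (192.168.127.254)
# tells the SG300 (192.168.127.122) that 192.168.127.142 is reachable directly;
# a second redirect points at an address nobody in the table knows; an echo
# request serves as a control that must be ignored.
SAMPLE_PACKETS = [
    build_redirect("192.168.127.254", "192.168.127.122", "192.168.127.142",
                   "192.168.122.20", "192.168.127.142"),
    build_redirect("192.168.127.254", "192.168.127.122", "192.168.127.200",
                   "192.168.122.20", "192.168.127.142"),
    build_echo("192.168.122.20", "192.168.127.142"),
]
KNOWN_ROUTERS = {"192.168.127.254", "192.168.127.122", "192.168.127.123",
                 "192.168.127.124", "192.168.127.125"}

if __name__ == "__main__":
    for alert in find_redirects(SAMPLE_PACKETS, KNOWN_ROUTERS):
        print(alert)
```

On a real box the packets would come from a raw socket or a pcap reader stripped to the IP layer; the parser only needs the bytes. The first sample is the benign case from this thread (a redirect to the destination itself); the second is the pattern worth alerting on, because a legitimate router has no reason to steer you to a gateway that is not in anyone's routing table.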

Hi Jonathan,

Great news! Thanks for the update.

Aleksandra

Jonathan Fisher
Level 1

Isn't that bass ackwards? What the heck is the point of putting additional routes into a device if it's going to use the most general route first?
