Solved: Thanks Mark

Carl Ratcliffe · ‎04-13-2016

Hi Support Community

We have an issue with one of our layer 2 switch stacks and we are not quite sure what is going on. The switch stack is layer 2 only and confirmed that no ip routing is enabled however when we do a show ip route we see the entries pasted below. All of the hosts that it lists are IP addresses that we have in the switch config relating to things like SNMP, NTP etc

The default gateway of 172.22.128.1 is the Layer 3 core switch is correct yet these specific entries have a gateway of 172.22.128.7 which is a Fortigate firewall in the same VLAN which would be the destination hop after the layer 3 switch however this indicates that for these specific entries it will send direct to the Fortigate firewall and not the Layer 3 switch.

Now the issue is we have had to change the IP address of the Fortigate 172.22.128.7 address, everything is working fine with routing except for the IP addresses below. They still exist when you do a show ip route and therefore these addresses are not accessible.

Any help would be appreciated.

CCDOH_FL13_AS01#show ip route
Default gateway is 172.22.128.1

Host               Gateway           Last Use    Total Uses Interface
172.20.40.182      172.22.128.7          0:08        180439 Vlan4
172.22.40.190      172.22.128.7          0:10         26707 Vlan4
172.20.41.203      172.22.128.7          0:00       9845500 Vlan4
172.20.255.254     172.22.128.7          0:06         26638 Vlan4
172.17.255.254     172.22.128.7          0:11         26507 Vlan4
172.22.41.86       172.22.128.7          0:09         49602 Vlan4

Thanks, Carl Ratcliffe

Preston Lancashire England

Mark Malone · ‎04-13-2016

Yes that would of been my next guess clear the redirect :) ,if the source mac is responsible for sending the traffic the icmp redirect wont time out from what i remember , its a hard one to say exactly without seeing whats happening on the wire with a span or something that shows why the redirect is kicking in

This is a good doc i had saved on redirects , they can be useful but can cauise issues klike this as well

http://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.htm

View solution in original post

Mark Malone · ‎04-13-2016

Thats your icmp redirect cache at L2 telling you it knows a better path , that the gateway is not the best path but the fortinet , try clear ip route *

Carl Ratcliffe · ‎04-13-2016

Hi Mark

Thanks for your response.

clear ip route didn't work but clear ip redirect did the trick.

Im still confused why it only seemed to cache routes for specific IP addresses and only ones that seem to be defined in the switch configuration ? Also not sure why they wouldn't time out ?

Thanks, Carl Ratcliffe

Preston Lancashire England

Mark Malone · ‎04-13-2016

Yes that would of been my next guess clear the redirect :) ,if the source mac is responsible for sending the traffic the icmp redirect wont time out from what i remember , its a hard one to say exactly without seeing whats happening on the wire with a span or something that shows why the redirect is kicking in

This is a good doc i had saved on redirects , they can be useful but can cauise issues klike this as well

http://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.htm

Carl Ratcliffe · ‎04-13-2016

Thanks Mark

On most of our Layer 3 switches we have no ip redirects configured which is why we haven't come across this before.

Nice document , thanks.

Carl Ratcliffe

Preston Lancashire England

Cisco 3750/3850 Layer 2 "show ip route"