Buy or Renew
Buy or Renew
COMING SOON: Umbrella and Secure Access release notes are coming to Cisco Community. The community will be in read-only August 16 – 19. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1538
Views
0
Helpful
5
Replies

Cisco 3850 using 192.168.1.2

donnie
Level 1
Level 1

‎03-15-2018 07:54 AM - edited ‎03-08-2019 02:16 PM

Hi,

 

I notice very strange traffic in my environment, in my firewall logs I can see my cisco 3850 switch using 192.168.1.2 trying to traverse my firewall to access 192.168.1.1 via icmp. It is very strange as the ip address configured on my switch is a 172.16.x.x and my environment does not use 192.168.x.x, secondly why does access from 192.168.1.2 to 192.168.1.1 need to traverse my firewall? I confirmed that 192.168.1.2 is used by my cisco 3850 through pcap obtained frm my firewall. Anyone come across such wierd traffic? Pls advise. TIA!

1 person had this problem
Labels:
0 Helpful
5 Replies 5

brselzer
Cisco Employee
Cisco Employee

‎03-15-2018 08:00 AM

Hello,

 

That does sound strange. How did you confirm that the 3850 is using that ip address from your capture? Since you don't use the 192.168.1.x subnet in your network, does the 3850 have a default route point to the firewall that this traffic would hit?

 

It sounds like you have some device on your network that is using 192.168.1.2 trying to reach 192.168.1.1. It hits the 3850 and he sends it to your firewall because of a default route (assuming you have one). Remember, once the 3850 routes a packet, it will change the source mac of the packet to its own mac. This does not mean that the 3850 originally sourced the traffic, it just means it was the last hop. 

 

You could do a span of your downlinks on the 3850 to see if that packet is coming in from somewhere else. 

 

Hope that helps!

-Bradley Selzer
CCIE# 60833
0 Helpful

donnie
Level 1
Level 1
In response to brselzer

‎03-15-2018 08:10 AM

Hi Bradley,

My switch is configured with "ip default gateway" (which points to my firewall which received the weird traffic) but not "ip routing" hence my switch is not a layer 3 switch.
0 Helpful

brselzer
Cisco Employee
Cisco Employee
In response to donnie

‎03-15-2018 08:11 AM

Hello Donnie,

 

And the traffic coming in has the source mac of the 3850? Thanks!

-Bradley Selzer
CCIE# 60833
0 Helpful

donnie
Level 1
Level 1
In response to brselzer

‎03-15-2018 11:20 PM

Hi Bradley,

Yes with reference to the pcap, the source mac address of 192.168.1.2 belong to my switch whose only configured ip address is 172.16.x.x.
0 Helpful

brselzer
Cisco Employee
Cisco Employee
In response to donnie

‎03-24-2018 08:14 AM

Hello Donnie,

 

Sorry for the delay in response. Was traveling. This does sound strange. I would need to see your configuration and packet capture at this point because this doesn't sound expected. Feel free to post what information you want or open a ticket with TAC to get assistance. 

 

Hope that helps!

-Bradley Selzer
CCIE# 60833
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card