Default Gateway & IP Redirects

ejaro

I have a bit of a mystery on my hands. I had a whole campus of Cisco 3750s cache a new default gateway. Example:

Cisco3750#sh ip redirects
Default gateway is 10.10.10.1

Host               Gateway           Last Use    Total Uses  Interface
172.16.0.5      10.10.101.179        0:00        185749  Vlan1
172.16.0.76     10.10.101.179        0:01         47254  Vlan1
192.168.0.154     10.10.101.179        0:00        183090  Vlan1

My question is what generates an IP Redirect packet, or how does the switch know what to change the gateway to? In my case the changed gateway was a dead IP address, so I am at a loss as to how this happened. In this case the Host IPs are network management servers conducting polling.


Velimir Filipov

ICMP redirect packets are generated when a packet enters an interface and has to be routed back via the very same interface.

In your case the default router (10.10.10.1) tells your 3750 L3 switch: "hey, why don't you just send your packet destined to 172.16.0.5 directly to 10.10.101.179, don't waste my bandwidth, arghh"

So the 3750 builds up an IP redirect table and knows that if it needs to send packets to 172.16.0.5, 172.16.0.76, 192.168.0.154, it can send them directly to 10.10.101.179.

But you say that the redirects are pointing to a dead IP, that would mean any of the below:

1) Your default gateway is blackholing these IPs on purpose and pointing to a dead IP and giving you redirects.

2) Maybe your gateway has a mask of /16, but the switches got a mask of /24 for example, so they fail to allocate the redirected address 10.10.101.179 since it's not in the same subnet.

3) It's also possible that someone is ICMP redirect poisoning your 3750s.

A router would listen to ICMP redirects only coming from the currently provided next hop for the specific destination IP, but a simple IP spoofing would do the job.

It's best for you to turn off IP redirects by issuing the no ip redirects command on the particular interface, I think vlan1 in your case. This way your 3750 will stop listening to and sending redirects on that interface.

Good article to read.

https://learningnetwork.cisco.com/thread/44485

Best regards.

Ok I am following your answer. But why would a router send a dead or unused IP address to the L3 switches for just those three IP addresses?

I am trying to identify the cause. I realize and have taken the corrective action of issuing the command no ip redirects on the management vlan interface.

Maybe it's not just those 3 IPs, but at that time traffic was trying to reach them, so it created an IP redirected route just for them.

I explained to you above the 3 possible reasons for that.

Maybe a good old packet sniffing would do the job.

Put a PC in vlan1 and try to route some traffic to those IPs and see if you get redirects from 10.10.10.1.

If you receive redirects from 10.10.10.1, then consider reviewing its configuration and see the routing for the redirected IPs.

If you don't receive redirects from 10.10.10.1 when you initiate traffic to any of the redirected IPs, then I would put the problem down to redirect poisoning by someone.
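
The sniffing check suggested above, as an added example that is not part of the original thread: it parses a captured ICMP Redirect and flags a sender that is not the default gateway or a new gateway that is off-link for the receiver's mask. The switch address 10.10.10.50, the function names and the sample packet are constructed assumptions; the other addresses are the ones quoted in the thread.

```python
import ipaddress
import struct

def parse_icmp_redirect(packet: bytes):
    """Return (sender, new_gateway, original_dst) for an IPv4 ICMP Redirect, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                                    # not IPv4 carrying ICMP
    icmp = packet[(packet[0] & 0x0F) * 4:]             # skip outer header (IHL is in 32-bit words)
    if len(icmp) < 28 or icmp[0] != 5:                 # type 5 = Redirect (RFC 792)
        return None
    sender = ipaddress.IPv4Address(packet[12:16])      # who claims to have sent the redirect
    new_gw = ipaddress.IPv4Address(icmp[4:8])          # gateway the receiver is told to use
    original_dst = ipaddress.IPv4Address(icmp[24:28])  # dst of the embedded triggering packet
    return sender, new_gw, original_dst

def triage(packet: bytes, default_gw: str, local_if: str):
    """Flag redirects worth a closer look; local_if is the receiver's address/mask."""
    parsed = parse_icmp_redirect(packet)
    if parsed is None:
        return None
    sender, new_gw, dst = parsed
    flags = []
    if sender != ipaddress.IPv4Address(default_gw):
        flags.append("sender-is-not-default-gateway")
    if new_gw not in ipaddress.ip_interface(local_if).network:
        flags.append("new-gateway-off-link")           # mask mismatch, reason 2 in the thread
    # A matching source address alone proves nothing: it can be spoofed (reason 3).
    return {"sender": str(sender), "new_gw": str(new_gw), "dst": str(dst), "flags": flags}

def build_redirect(src, dst, new_gw, orig_dst):
    """Constructed sample packet (checksums left at 0; they are not validated here)."""
    a = lambda ip: ipaddress.IPv4Address(ip).packed
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, a(dst), a(orig_dst)) + bytes(8)
    icmp = struct.pack("!BBH4s", 5, 1, 0, a(new_gw)) + inner
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 255, 1, 0, a(src), a(dst)) + icmp

SWITCH = "10.10.10.50"   # assumed switch address; the thread does not give one
SAMPLE = build_redirect("10.10.10.1", SWITCH, "10.10.101.179", "172.16.0.5")

if __name__ == "__main__":
    print(triage(SAMPLE, "10.10.10.1", SWITCH + "/24"))   # receiver configured with a /24
    print(triage(SAMPLE, "10.10.10.1", SWITCH + "/16"))   # receiver configured with a /16
```

To run it against real traffic, feed `triage` the IP-layer bytes of each frame from a capture taken on the management VLAN.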
