
IP Redirects & Same Interface Switching in Nexus 7000

shakeelahmadch
Level 1

Hi,

Following is the topology:

NK7 Server VLAN1:

     Source: 10.1.1.10

     Mask: 255.255.255.0

     GW: 10.1.1.1

NK7 Route:

     192.168.0.0/24 gw 10.1.1.2

Both networks are sitting on the same switch with a trunk going to N7K. At the moment, we've been putting static routes in the servers to directly go towards 10.1.1.2 for 192.168.0.0/24, but now we want to get rid of static routes and also need to disable IP Redirects on the SVI. What I don't understand is, if we disable IP redirects (using the "no ip-redirect" command on the SVI), what would the low-level packet delivery look like? As the traffic would be entering/exiting the same interface, would it be fast switched, or would it need an additional command to make it happen (such as "ip route-cache same-interface", which doesn't seem applicable to the N7K platform)?

Any insight to this would be much appreciated.

thanks

1 Reply

It improves security because if someone inserts another router on the network that the admins may not know about, it will not send the devices' traffic to the other questionable device. The questionable device may have routes to outside networks that aren't approved, or be doing other things with the packets it receives. Turning off redirects (and proxy-arp) enforces routing policy also.

Serial interfaces don't really need to send unreachables... users' traffic should go to a LAN interface as a next-hop and not a serial interface. You can also disable unreachables on a LAN interface if you want. This is a security item as well as an enforcement measure for good network design. There should be no unreachables sent if hosts are sending packets to known networks in your organization that are reachable.
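
Added example, not part of the reply above or of any Cisco tooling: a Python check that parses captured ICMP Redirect messages (type 5) and flags any that steer a host to a gateway outside an approved list, which is the rogue-router case the reply describes. The approved list reuses 10.1.1.1 and 10.1.1.2 from the question; 10.1.1.99 and the function names are hypothetical, and the packets are constructed sample data.

```python
import ipaddress
import struct

# Assumption: the only routers hosts on 10.1.1.0/24 should ever be pointed at
# (addresses taken from the topology in the question).
APPROVED_GATEWAYS = {ipaddress.ip_address("10.1.1.1"), ipaddress.ip_address("10.1.1.2")}

def parse_icmp_redirect(icmp: bytes):
    """Parse an ICMP message (RFC 792); return None unless it is a Redirect (type 5)."""
    if len(icmp) < 8 + 20:
        return None  # need the ICMP header plus the embedded original IPv4 header
    icmp_type, code, _cksum, gw = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != 5:
        return None
    inner = icmp[8:]
    if inner[0] >> 4 != 4:
        return None  # embedded packet is not IPv4
    return {
        "code": code,
        "new_gateway": ipaddress.ip_address(gw),
        "orig_src": ipaddress.ip_address(inner[12:16]),
        "orig_dst": ipaddress.ip_address(inner[16:20]),
    }

def check_redirect(icmp: bytes):
    """Return an alert string if the redirect points a host at an unapproved gateway."""
    r = parse_icmp_redirect(icmp)
    if r is None or r["new_gateway"] in APPROVED_GATEWAYS:
        return None
    return (f"redirect for {r['orig_dst']} tells {r['orig_src']} "
            f"to use unapproved gateway {r['new_gateway']}")

def build_redirect(gateway: str, src: str, dst: str) -> bytes:
    """Construct a sample redirect for the checks below (checksums left as zero)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                        ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed) + b"\x08\x00\x00\x00\x00\x01\x00\x01"
    return struct.pack("!BBH4s", 5, 1, 0, ipaddress.ip_address(gateway).packed) + inner

if __name__ == "__main__":
    # Constructed samples: 10.1.1.99 is a hypothetical unknown router on the VLAN.
    for gw in ("10.1.1.2", "10.1.1.99"):
        print(gw, "->", check_redirect(build_redirect(gw, "10.1.1.10", "192.168.0.5")))
```
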
