Solved: L3 Switch - drop packet when interface is down instead of using default route

jacques_henry696 · ‎02-01-2011

Hello,

I have a basic problem with my level 3 switch.

Below you'll find a drawing which is worth more than a thousand words:

Let's say that hosts on the LAN (below) are sending syslog messages to the syslog server.

The switch is configured as shown above: The VLAN 100 is associated to the physical interface to the LAN 10.0.0.0/24. So when showing the routing table of the switch, we see that the network 10.0.0.0/24 is directly connected to the interface.

Let's assume that the interface on the switch (with the vlan 100) is down, the routing table does not contain the network 10.0.0.0/24 anymore so all syslog messages are taking the default route to the firewall. But the firewall is not supposed to get these packets and drop them. The trick is that the firewall itself is sending messages which will then be re-routed to itself by the switch, and so on, indefinitely!!

How am I supposed to solve this? Is it possible to configure the switch so that the packets are dropped if the interface is down and does not take the default route? Using ACLs would be a solution but this is a network issue, not a security one?

Do you have any idea?

Thanks in advance!

Shashank Singh · ‎02-01-2011

Hi,

You can add a static route for the 10.0.0.0/24 network as follows:

ip route 10.0.0.0 255.0.0.0 Null0

This route will have a AD of 1; so as long as your connected route is present (AD=0), it will be used. As soon as connected route goes off, static route will be used and packets will get dropped.

Another option is to configure a regular static route and use 'permanent' keyword after the route so it does not get flushed out in case next hop is unreachable.

ip route 10.0.0.0 255.0.0.0 gix/y permanent

ip route 10.0.0.0 255.0.0.0 next hop ip permanent

Hope this helps,

Shashank

P.S. Please rate the helpful post

View solution in original post

Shashank Singh · ‎02-01-2011

Hi,