Switch not passing unknown subnets to default gateway

Unanswered Question
Apr 17th, 2009

Hi guys,

I have set up a couple of 3750s as edge switches replacing an HP device. However, even though I have specified a default route 0.0.0.0 to the firewall for all unknown subnets, the switch does not seem to be passing the traffic to the firewall, and I have now had to configure a load of static route statements pointing various subnets to the firewall to get people working. Internet traffic appears to be fine though.


It kinda defeats the purpose of implementing dynamic routing if I still have a stack of static routes on my devices!!


Any advice would be much appreciated.


Cheers,

Martha.


Firstly - for a switch to pass unknown traffic, the traffic has to be handled by a layer 3 interface that sits in the same IP subnet of the LAN.


The switches must be able to see the firewall - but REMEMBER if you are NOT running a dynamic routing protocol, you will then be working on a hop by hop basis.


So for all default traffic from the edge - your next hop to the internet is the next layer 3 capable device that is closer to the firewall - basic routing.


HTH

mfawehin Fri, 04/17/2009 - 03:21

Thanks for the response Andrew.

Perhaps I should clarify: the switch is an L3 switch (a 3750), it is running OSPF but not on the firewall, and it has a direct connection to the firewall, albeit on L2 (this connecting interface is on an outside VLAN created for the firewall, the edge devices and other outside-facing kit), so the switch can definitely see the firewall.

Any advice on what to do?


Thanks again,

Martha.

glen.grant Fri, 04/17/2009 - 03:32

If you do a show ip route, do you see all the connected subnets in the routing table along with your default static route? If so then it should be working. If it's going to a firewall then it has to have routes pointing inward also so it has a path back. Did you keep the exact same addressing as the old HP switch?

mfawehin Fri, 04/17/2009 - 03:55

Thanks Glen for the response. When I do a sh ip route I see a bunch of OSPF-discovered routes, my default static route and now all the static routes I've had to add because users were complaining they could no longer connect to various places since the old HP had been decommissioned. The addressing on the HP switch was retained and all static routes (there were only very few) were copied over.

Somehow on the HP, the default route statement was working better and we did not have to specifically put the routes in to send the traffic to the firewall as I have had to do on this Cisco switch.

The firewall side is fine as nothing changed, and simply adding a static route to these networks via the firewall is fixing the users' problem, but this is not ideal and there might be several more that will call over the next few days that have routes set up on the firewall.


Cheers,

Martha.

Richard Burts Fri, 04/17/2009 - 09:01

Martha


Is it possible that your switch configuration includes the command no ip classless? Having this command in the config could produce the symptoms that you are experiencing. If you find that command change it to ip classless and see if the issue improves.


HTH


Rick

mfawehin Sun, 04/19/2009 - 22:41

Hi Rick,


Thanks, I've checked and one of the edge switches did indeed contain the no ip classless command. I've changed that and will test and get back to you as soon as possible.


Cheers,

Martha.

Richard Burts Mon, 04/20/2009 - 08:09

Martha


Thanks for confirming that one of the edge switches did have the no ip classless in its config. That command can produce the symptoms that you describe. With the normal default of ip classless in the config, a layer 3 device (router or switch) will forward packets with a destination address in an unknown subnet to the default route. But with no ip classless the layer 3 device adopts a classful approach to forwarding traffic. And in the classful approach the device assumes that if it has some subnets of a network in its routing table then it knows ALL of the valid subnets of that network. So if it is attempting to forward a packet and the destination address is in a subnet of some network, and the device knows some subnets of that network but not the subnet of the destination, then the device assumes that the destination is invalid, discards the packet and does not forward to the default route.


HTH


Rick

mfawehin Thu, 04/23/2009 - 21:46

Hi Rick,


Thanks for your detailed explanation. I have changed the command but the users were unable to connect once the static routes were removed.

Do I need to reboot the switch for the command to take effect (difficult as it's in a production environment), or is there a way to reset the switch to get the command to work without taking the switch down?


Cheers,

Martha.

mfawehin Fri, 04/24/2009 - 00:25

Thanks for your response Andrew, please see attached config.


As you can see, I have changed the ip classless command but the routes don't work until I have added the static.


Cheers,

Martha.

Giuseppe Larosa Fri, 04/24/2009 - 00:41

Hello Martha,


do

ip classless
no ip route
clear ip route *


Hope to help

Giuseppe


mfawehin Fri, 04/24/2009 - 01:18

Thanks Giuseppe,


So just to clarify, if removing this static route, 10.13.4.0/24, which points towards the firewall, I will type as below:


ip classless
no ip route 10.13.4.0 255.255.255.0 firewall ip address
clear ip route *


What is the impact of doing a clear ip route *, which clears all routes, on a device in a production network? Dare I do it now during working hours with no negative impact on the network?


Cheers,

Martha.

Giuseppe Larosa Fri, 04/24/2009 - 01:49

Hello Martha,

I think Andrew is right.


Your new primary default route points to some other device x.x.x.x,


so you need to leave the static routes configured to achieve the desired result.


It is not only a question of ip classless; the issue is that if they point to different next hops, the specific static routes cannot be removed.


Sorry for the misleading suggestion


Hope to help

Giuseppe


mfawehin Fri, 04/24/2009 - 05:57

I'm sorry guys, I seem to be the one confusing you here.


The default route points to the firewall - ip route 0.0.0.0 0.0.0.0 10.17.127.200


As you might have noticed though, there is another default route configured as I am trying to implement reliable static routing backup using object tracking. This default route points to one of our ISP routers and this interface is tracked so traffic can be routed through a LES if the ISP goes down.


I don't know if this is messing something up, but the Cisco documentation suggested this could be done (i.e. have two default routes), or am I missing something here?


The primary default route and the static routes all point to the firewall to which the switch is directly connected.

I hope this helps clarify things.


Please let me know if my tracking is causing me the problems. Obviously I now know the ip classless would have caused issues before, but I have rectified that. I do not want to have the static routes in my config if it can be helped.


Cheers,

Martha.

Richard Burts Fri, 04/24/2009 - 09:39

Martha


I am guessing that the problem does involve the multiple default routes that are configured.


It is certainly possible to have 2 static default routes. And in fact you have configured 3 static default routes, with one of them a floating static default route. Let us be clear what the resulting behavior will be. I am inserting the configured routes as a point of reference:

ip route 0.0.0.0 0.0.0.0 X.X.X.X track 1

ip route 0.0.0.0 0.0.0.0 10.17.127.200

ip route 0.0.0.0 0.0.0.0 192.168.51.16 254

There are 2 normal default routes with one of them specifying next hop of 10.17.127.200, a second default route with next hop of x.x.x.x which is tracked, and a floating static default with next hop of 192.168.51.16.


So there are 2 active default routes and the behavior of the 3750 is to use both of them in a load sharing manner. The 3750 uses the default route when it is forwarding to a destination whose subnet does not appear in the routing table. So some traffic for these subnets will be forwarded to 10.17.127.200 (which is obviously a private address) and some of the traffic will be forwarded to x.x.x.x and your comment is that this is an ISP router. I believe that this means that you are forwarding some of your traffic with private addresses to your ISP router. Does the ISP router know how to route that traffic? For example there is a static route for 10.190.64.0/25. Is that one that you added to make some destination work? If you remove the static route then traffic to that destination could be sent to the ISP router. Can the ISP router get that traffic to the correct destination?


There is much about your environment that I do not understand. But it looks to me like you need some way to distinguish in your routing logic how to route to destinations that are within your enterprise and make sure that they are not sent to the ISP router.


HTH


Rick


mfawehin Sun, 04/26/2009 - 03:26

Hi Rick,


Thanks for your very comprehensive response, I really appreciate it.


You are right, there is much in our environment that you do not understand.

The tracked interface, as I mentioned, is the ISP gateway, and what I want to achieve is for the outbound (Internet) traffic to go via the next hop router, 192.168.51.16, which is the LES switch connecting the site to a sister site, so all traffic will go through that site in the event of an ISP outage.


I expect you are probably confused by all the private IP addresses floating around, but it's because we are in the public sector and the ISP is aware of and routes these subnets accordingly.


I really just want to have the default route, 0.0.0.0/0 via 10.17.127.200, which is the firewall and on which we have defined all the rules for sending the specified traffic.


I however also need to have the tracked interface defined so the gateway of the ISP is tracked.

The floating default route pointing to my LES switch would mean it would only use this as a default route if the tracked interface was unavailable.


I am a tad confused to be honest, as I believe these multiple default routes are causing me the problems but can't figure out a way around it.


I think for now, I might remove all the default routes except for the one pointing to the firewall and deal with the tracking issue when I understand it more unless otherwise advised here.


Thanks for all the help so far, any further advice and direction will be much appreciated.


Cheers,

Martha.

Richard Burts Sun, 04/26/2009 - 12:17

Martha


I will start with these 2 statements from your post:

I really just want to have the default route, 0.0.0.0/0 via 10.17.127.200, which is the firewall and on which we have defined all the rules for sending the specified traffic.


I however also need to have the tracked interface defined so the gateway of the ISP is tracked.


Perhaps you can explain for me why the tracked interface needs to have a default route pointed to it?



Then I will attempt to explain what I think is the major problem. First let me review a couple of basic concepts:

- a default route is configured to tell the router where to send traffic when the destination address of a packet cannot be found in the routing table.

- it is certainly possible to configure two static default routes, but when we do configure two static default routes it is assumed that both of the next hops will have equivalent knowledge of how to route packets whose destination address is not found in the routing table.

- it seems pretty obvious that the default route pointing to the firewall gets you one set of results and that the default route pointing to the ISP router gets you different (and problematic) results.

- in that case two static default routes is problematic.


How to solve the problem is difficult to figure out since so much of your topology and your environment is not known to us. I would suggest that it seems that both default routes work ok when the destination is in the Internet. Is that correct?


If so then the real problem is what to do when the unknown destination is an address that is within your Enterprise rather than being in the Internet. One way to resolve this is to configure static routes that summarize the address space that is within your Enterprise. In looking at what you posted it seems that many of the static routes are for subnets of network 10. So I would suggest that a static route like this:

ip route 10.0.0.0 255.0.0.0 10.17.127.200

would allow you to remove all the "extra" static routes that fall within network 10.


HTH


Rick
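Rick's two explanations above, why no ip classless discards packets for an unknown subnet of a known major network and why two active static defaults split traffic between the firewall and the ISP router until a summary route such as ip route 10.0.0.0 255.0.0.0 10.17.127.200 pins enterprise destinations to the firewall, can be checked with a small forwarding model. The Python below is an added example written for this page; it is not from the thread, from Cisco, or from any IOS release, and it simplifies the platform: the ISP router shown as x.x.x.x in the posts is replaced by the documentation address 192.0.2.1, the OSPF-learned subnet 10.17.1.0/24 is constructed, and equal-cost load sharing is modelled as a flow-id modulus rather than the 3750's hash.

```python
import ipaddress

# Next hops quoted in the thread. The ISP router (shown as x.x.x.x in the
# posts) is replaced here by the documentation address 192.0.2.1: an assumption.
FIREWALL = "10.17.127.200"
LES_SWITCH = "192.168.51.16"
ISP_ROUTER = "192.0.2.1"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def major_network(addr):
    """Classful major network of an address (class A /8, B /16, C /24)."""
    addr = ipaddress.ip_address(addr)
    first_octet = int(addr) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def active_routes(routes):
    """Per prefix, keep only the entries with the lowest administrative
    distance. A floating static (AD 254) therefore stays out of the table
    while any normal static (AD 1) to the same prefix is installed."""
    by_prefix = {}
    for prefix, next_hop, ad in routes:
        by_prefix.setdefault(prefix, []).append((next_hop, ad))
    table = []
    for prefix, entries in by_prefix.items():
        lowest = min(ad for _, ad in entries)
        table.extend((prefix, nh) for nh, ad in entries if ad == lowest)
    return table


def lookup(routes, dst, classless=True, flow_id=0):
    """Next hop chosen for dst, or None when the packet is discarded.
    Longest prefix wins; equal-cost entries load-share by flow_id (a stand-in
    for the platform hash). With classless=False the IOS 'no ip classless'
    rule applies: if some subnet of dst's major network is known but dst's
    own subnet is not, the packet is dropped instead of using the default."""
    dst = ipaddress.ip_address(dst)
    table = active_routes(routes)
    specific = [(p, nh) for p, nh in table if p != DEFAULT and dst in p]
    if specific:
        longest = max(p.prefixlen for p, _ in specific)
        hops = sorted(nh for p, nh in specific if p.prefixlen == longest)
        return hops[flow_id % len(hops)]
    if not classless:
        major = major_network(dst)
        if any(p != DEFAULT and p.subnet_of(major) for p, _ in table):
            return None
    defaults = sorted(nh for p, nh in table if p == DEFAULT)
    return defaults[flow_id % len(defaults)] if defaults else None


def spread(routes, dst, **kw):
    """Sorted set of next hops seen across several flows, exposing load sharing."""
    return sorted({lookup(routes, dst, flow_id=f, **kw) for f in range(8)})


def thread_scenarios():
    """Walk through the situations discussed in the thread."""
    net = ipaddress.ip_network
    known = [  # directly connected firewall VLAN plus one constructed OSPF subnet
        (net("10.17.127.0/24"), "connected", 0),
        (net("10.17.1.0/24"), "ospf-neighbour", 110),
    ]
    dst = "10.13.4.10"  # host behind the firewall in 10.13.4.0/24
    one_default = known + [(DEFAULT, FIREWALL, 1)]
    three_defaults = known + [
        (DEFAULT, ISP_ROUTER, 1),    # the 'track 1' entry, tracked object assumed up
        (DEFAULT, FIREWALL, 1),
        (DEFAULT, LES_SWITCH, 254),  # floating static
    ]
    summary = three_defaults + [(net("10.0.0.0/8"), FIREWALL, 1)]
    tracked_down = known + [(DEFAULT, FIREWALL, 1), (DEFAULT, LES_SWITCH, 254)]
    return {
        # no ip classless: other 10.x subnets are known, so 10.13.4.10 is dropped
        "classful_drop": lookup(one_default, dst, classless=False),
        # ip classless with a single default: off to the firewall
        "classless_single_default": lookup(one_default, dst),
        # two AD-1 defaults are both active: some 10.x traffic hits the ISP router
        "ecmp_defaults": spread(three_defaults, dst),
        # Rick's summary route pins every 10.x destination to the firewall
        "with_summary": spread(summary, dst),
        # Internet destinations still share the two defaults
        "internet": spread(summary, "203.0.113.7"),
        # tracked default withdrawn: the AD-1 firewall default still beats the
        # AD-254 floating static, so the LES switch is never selected
        "isp_tracked_down": spread(tracked_down, dst),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:26} -> {result}")
```

Running the script prints one line per scenario. The last scenario is worth noting when reviewing a floating-static design: a floating default only becomes active once every lower-distance default has left the table, so with the firewall default still installed at AD 1, withdrawing the tracked route alone never brings the AD 254 route into use.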

mfawehin Sun, 04/26/2009 - 22:54

Thanks again Rick. I was trying to put in a command that will track the ISP gateway and in the event of an outage pass all traffic to the LES. I will remove the 2nd static default route and review this setup.


I wish it was as simplistic as me sending all 10/16 addresses to the firewall, but it's not possible as some 10 network addresses do not traverse the firewall.

Anyhow, I really appreciate your help and I'll remove the 2nd static default route pointed to the tracked interface and let you know how I get on.


Cheers,

Martha.
