We just discovered a weird problem on our network. We have a /19 cut down into several .248 and .240 subnets.
Now we connect to a provider; he puts our routes in BGP and assigns them to our port.
On our side we have an ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx that sends everything we don't have to the provider.
Now, the problem is that the .248 and .240 subnets which are NOT presently used seem to be creating a loop, because of the following:
If someone pings, or has an old IP configured on his server which he is not supposed to have and for which the router has no route configured, this is what happens: TTL EXPIRED IN TRANSIT. If we do a traceroute we see that the packet goes from the PROVIDER to US, back to the PROVIDER, back to US, etc.
How do we prevent this? Do we need to assign the currently unused subnets to a generic VLAN as secondaries or something like that, so that it shows a REQUEST TIMED OUT instead?
What is the solution to this?
Create statics pointing to null0 on the router holding the default route for networks that are not presently used. This way, the traffic won't be sent to the provider and you don't have to bother the provider by changing their BGP advertisement.
ip route 192.168.15.0 255.255.255.248 null0
Is ip route the best way to do it? What if we want a minimal routing table?
Would adding all of them as secondaries in the same VLAN, which we name NULLROUTE or something like that, do the same thing?
Adding those subnets as secondaries under an unused VLAN would have the same side effect, as those routes will be in the routing table. You need the routes in the RIB so you can drop those packets or send the packets somewhere else.
You can summarize contiguous subnets with the ip route command, to minimize the size of the routing table.
OK, thank you for the answer.
Now, is it normal that on a 3550 EMI, when I do a "show ip route", I see ALL the routes (static) and the ones directly attached to VLANs as IP addresses, BUT on the Cisco 6509 with a SUP 720 it does not show ANYTHING, not even the default 0.0.0.0 route which is in fact in the configuration?
It seems to show only one route, which is the default IP to connect to the switch (which has the RJ45 connected directly into the SUP 720 on one of its uplinks).
Why doesn't the 6509 show the ip routes?
1. There is no way to enable IP ROUTING. I researched it on Google and it says it is enabled by default on that kind of switch. Is that true?
2. Part of the output:
vlan39 xx.xx.xx.49 YES NVRAM down down
Vlan40 xx.xx.xx.57 YES NVRAM down down
Vlan41 xx.xx.xx.65 YES NVRAM down down
Vlan42 xx.xx.xx.73 YES NVRAM down down
Vlan43 xx.xx.xx.81 YES NVRAM down down
Vlan44 xx.xx.xx.89 YES NVRAM down down
Vlan45 xx.xx.xx.97 YES NVRAM down down
Vlan46 xx.xx.xx.105 YES NVRAM down down
Vlan47 xx.xx.xx.113 YES NVRAM down down
Vlan48 xx.xx.xx.121 YES NVRAM down down
Please let me know. Thanks.
From what you've shown so far, all Vlans are down/down. Vlans need to be up/up in order for them to show up in the routing table.
Can you post the show ip route along with the show module output?
If you provide the output I ask, we can get to the resolution a lot quicker.
Rather than individual statics to null0, try creating one static for the entire /19 to null0. More specific routes, if available, will appear in the routing table, and anything not matching a more specific route will route to the null0.
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX XXXXX
2 8 8 port 1000mb ethernet WS-X6408-GBIC XXXXXX
5 2 Supervisor Engine 720 (Active) WS-SUP720-BASE XXXXXXX
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
1 0015.c67d.8dc8 to 0015.c67d.8df7 2.5 12.2(14r)S5 12.2(18)SXF1 Ok
2 0030.9610.8c18 to 0030.9610.8c1f 2.7 5.4(2) 8.5(0.46)RFW Ok
5 000d.2910.6108 to 000d.2910.610b 3.5 8.4(2) 12.2(18)SXF1 Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
1 Centralized Forwarding Card WS-F6700-CFC XXXXXXXXXX 4.1 Ok
5 Policy Feature Card 3 WS-F6K-PFC3A XXXXXXXXXXX 2.3 Ok
5 MSFC3 Daughterboard WS-SUP720 XXXXXXXXXXX 2.8 Ok
Mod Online Diag Status
SwitchGW1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, GigabitEthernet5/2
bs6825 proposed one big /19 to null0 and more specific routes will still work.
So if I understand, if I have my .248 assigned to each VLAN for every server, which are IPs that are part of that same /19, only in much smaller .248 subnets (8 IPs), all the non-used IPs will automatically be routed to null0 and the ones attached to a VLAN will work?
Isn't it normally the case that the direct static IP routes entered as "ip route" have precedence?
1) Your switch has a PFC3A, so you have routing capabilities. The output provided reinforces that 'ip routing' is running on the device. The reason you don't see the other subnets is because the virtual interfaces are in down/down state.
To bring a virtual interface to up/up state, a switchport must be associated to that Vlan (switchport access vlan x) and that switchport must be up/up. You can also bring that virtual interface up, by having a trunk port (switchport mode trunk) in forwarding state.
2) Bruce's suggestion is useful but you need to make sure the device where you applied the /19 route to null0 also contains the routes for the current valid subnets pointing to the internal network either by static or connected routes. Else this device will drop the return traffic from the Service Provider device to the internal network.
I'm assuming SwitchGW1 is not this device since it contains no routes. Can you post the routing table from the device holding the default route towards the Service Provider device?
What's the function of SwitchGW1 in your network?
SwitchGW1 will be our NEW CORE network equipment. There is no routing table because we put those ports DOWN so they do not interfere with the current network.
SwitchGW1 will hold ALL the routing table and BGP in the future. It is the equipment which connects to the ISPs directly and which has all the different VLANs for the servers and subnets.
So I am guessing your suggestion would work in this case?
Based on the information you've provided, Bruce's suggestion seems to be the best one thus far.
If you add a /19 route to null0 on this switch, it will drop routes from subnets that you aren't using and will continue to route towards your internal network for valid subnets, and at the same time avoid the loop you are experiencing now.
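To make the three points of this thread concrete (the provider/customer ping-pong from the first post, the single /19 to null0 proposed by bs6825, and the caveat that the device holding that null route must also carry the valid more-specific routes), here is an added simulation written for this page, not code from the thread or from Cisco. It models two routers with longest-prefix-match lookup. Addressing is constructed: the customer block is 192.168.0.0/19, chosen so that it contains the 192.168.15.0/29 from the "ip route ... null0" example; the VLAN names and next-hop labels are placeholders.

```python
import ipaddress

# Constructed addressing for the example (not the thread's real prefixes): the
# customer's /19 is 192.168.0.0/19, which contains the 192.168.15.0/29 used in
# the "ip route ... null0" example earlier in the thread.

def lookup(rib, dst):
    """Longest-prefix match over a list of (prefix, next_hop): the most
    specific matching prefix wins, so a connected /29 beats a /19 to Null0,
    which in turn beats the 0.0.0.0/0 default."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def customer_rib(null_summary, specifics=True):
    """RIB of the router holding the default route towards the provider.
    specifics=False models a device that has the /19 null route but not the
    connected/static routes for the subnets actually in use."""
    rib = [("0.0.0.0/0", "provider")]          # ip route 0.0.0.0 0.0.0.0 <provider>
    if specifics:                              # up/up SVIs appear as connected routes
        rib += [("192.168.15.0/29", "Vlan40"), ("192.168.15.16/28", "Vlan41")]
    if null_summary:                           # ip route 192.168.0.0 255.255.224.0 null0
        rib.append(("192.168.0.0/19", "Null0"))
    return rib

# Provider edge: the whole /19 points back at our port, everything else goes upstream.
PROVIDER_RIB = [("0.0.0.0/0", "internet"), ("192.168.0.0/19", "customer")]

def forward(dst, null_summary, specifics=True, start="provider", ttl=64):
    """Walk a packet between the two routers until it is delivered to a VLAN,
    dropped by Null0, handed upstream, or its TTL runs out (the ping-pong
    described in the first post). Returns (outcome, list_of_lookups)."""
    ribs = {"customer": customer_rib(null_summary, specifics), "provider": PROVIDER_RIB}
    hop, path = start, []
    while ttl > 0:
        net, next_hop = lookup(ribs[hop], dst)
        path.append(f"{hop}: {net} -> {next_hop}")
        if next_hop == "Null0":
            return "dropped", path
        if next_hop.startswith("Vlan"):
            return f"delivered via {next_hop}", path
        if next_hop == "internet":
            return "upstream", path
        hop = next_hop          # forwarded to the other router; TTL decremented
        ttl -= 1
    return "ttl expired", path

if __name__ == "__main__":
    cases = [("192.168.20.10", False), ("192.168.20.10", True), ("192.168.15.3", True)]
    for dst, null_summary in cases:
        outcome, path = forward(dst, null_summary)
        print(f"{dst:15} null0 summary={null_summary!s:5} -> {outcome} ({len(path)} lookups)")
```

Running it shows an unused address bouncing between the two routers until the TTL is exhausted when only the default route exists, the same address being dropped on the second lookup once the /19 to Null0 is present, and an address on an up/up VLAN still being delivered because the connected /29 is more specific than the /19. Calling forward("192.168.15.3", True, specifics=False) reproduces the warning given above: with the null route on a box that lacks the specific routes, return traffic for a valid subnet is dropped.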