Default Route, IP Redirect and Duplicate Packets

bfrericks
Level 1

I have a single Cisco 1700 Series router. All Windows PCs point to it as their DG. I also have a PIX 515 for the "main" internet connection and another PIX 508 for site-to-site VPNs. The problem I am seeing: if I turn redirects off and one of my PCs communicates with the INET, packets are sent to both the DG and the PIX 515. The same holds true when a server communicates with a device on the VPN; the server points to the 1700 as its DG, and packets are sent to both the DG and the 508 for site-to-site traffic.

Is this a design flaw on my part? If so, what is the best way to resolve it? I would like to centralize all routing and avoid route statements on the PCs, or is that the only thing that will correct this?

7 Replies

gpulos
Level 8

You see this because IP redirects are turned off.

If IP redirects are turned on, then when the DG gets the packet and finds it has to forward it to the PIX out the same interface the packet just came in on, it will also send an 'IP redirect' to the host telling it that there is a better route, giving the PIX IP address as that better route.

With IP redirects off, all packets will be sent to the DG and then to the PIX.

(From what you've stated so far, it is a good idea to enable IP redirects on the 1700's Ethernet interface in this case.)

Please see the following link for more info on IP redirects:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d163.html#wp1081518

Blake,

When ip redirect is turned off on the router (DG), the router forwards the traffic to the PIXes and doesn't advise the PC/server on the LAN to send packets directly to the PIXes. In other words, the router (DG) forwards traffic it receives from the host back out the same interface to the PIXes. This isn't an optimal routing setup, and that's probably why Cisco has the 'ip redirect' feature enabled by default.

However, there may be situations where you are constrained to turn off IP redirects; one such situation is when the host(s) are unable to process/accept IP/ICMP redirect packets.

Hope this helps!

Sundar
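The mechanism gpulos and Sundar describe, as an added worked model that is not part of the original thread: a router with the hosts' default gateway and both PIX next hops on one Ethernet segment, the condition under which IOS emits an ICMP redirect (egress interface equals ingress interface and the next hop is on the source's own subnet), the redirect message itself (RFC 792 type 5), and the RFC 1122 checks a host should apply before honouring one. The topology, addresses, interface name and the `forward`/`build_redirect`/`host_accepts` helpers are all assumptions constructed for this example.

```python
import ipaddress
import struct

# Assumed topology (constructed for this example, not taken from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = "192.168.1.1"     # Cisco 1700, the hosts' default gateway
PIX_INET = "192.168.1.2"   # PIX 515, next hop for the Internet default route
PIX_VPN = "192.168.1.3"    # second PIX, next hop for the site-to-site VPN prefix
VPN_SITE = ipaddress.ip_network("10.20.0.0/16")

# Router's routing table: (prefix, next hop, egress interface). Both next hops
# sit on the same Ethernet the hosts use, which is exactly what triggers redirects.
ROUTES = [
    (VPN_SITE, ipaddress.ip_address(PIX_VPN), "FastEthernet0"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(PIX_INET), "FastEthernet0"),
]
CONNECTED = {"FastEthernet0": LAN}


def lookup(dst):
    """Longest-prefix match over ROUTES."""
    best = None
    for prefix, next_hop, iface in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    return best


def forward(src, dst, ingress, ip_redirects=True):
    """What the router does with a datagram src->dst that arrived on `ingress`.
    Returns (egress interface, next hop, redirect gateway or None). With
    'no ip redirects' the datagram is still forwarded out the same interface;
    the host simply never learns the better next hop, which is why a LAN
    capture shows each packet twice (host->router, then router->PIX)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    _, next_hop, egress = lookup(dst)
    redirect = None
    # IOS sends a redirect only when the egress interface equals the ingress
    # interface, the source is directly connected there, and the next hop is
    # on the same subnet as the source (so the host can reach it directly).
    on_segment = src in CONNECTED[ingress] and next_hop in CONNECTED[ingress]
    if ip_redirects and egress == ingress and on_segment:
        redirect = str(next_hop)
    return egress, str(next_hop), redirect


def checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, used only to build the 'offending' datagram."""
    src, dst = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(gateway, offending_datagram):
    """ICMP Redirect, type 5 code 1 (redirect for host): new gateway address
    followed by the offending datagram's IP header plus its first 8 bytes."""
    gw = ipaddress.ip_address(gateway).packed
    msg = struct.pack("!BBH4s", 5, 1, 0, gw) + offending_datagram[:28]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def parse_redirect(msg):
    """Decode a redirect into the fields a host needs, verifying the checksum."""
    typ, code, _, gw = struct.unpack("!BBH4s", msg[:8])
    if typ != 5 or checksum(msg) != 0:
        raise ValueError("not a well-formed ICMP redirect")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:
        raise ValueError("truncated inner datagram")
    orig_src, orig_dst = struct.unpack("!4s4s", inner[12:20])
    return {"code": code, "gateway": str(ipaddress.ip_address(gw)),
            "orig_src": str(ipaddress.ip_address(orig_src)),
            "orig_dst": str(ipaddress.ip_address(orig_dst))}


def host_accepts(msg, sender, my_addr, current_gateway):
    """RFC 1122 3.2.2.2 checks before a host updates its route cache: the
    redirect must come from the router it currently uses, the new gateway must
    be on the host's own subnet, and the quoted datagram must be one it sent."""
    r = parse_redirect(msg)
    return (sender == current_gateway
            and ipaddress.ip_address(r["gateway"]) in LAN
            and r["orig_src"] == my_addr)


def redirect_roundtrip(src, dst, sender=ROUTER):
    """Host sends src->dst via the router, the router answers with a redirect,
    the host parses it and applies the acceptance checks."""
    _, _, gateway = forward(src, dst, "FastEthernet0")
    datagram = ipv4_header(src, dst, 6, 8) + b"\x00" * 8   # stub TCP header
    msg = build_redirect(gateway, datagram)
    fields = parse_redirect(msg)
    fields["accepted"] = host_accepts(msg, sender, src, ROUTER)
    return fields


if __name__ == "__main__":
    print(forward("192.168.1.50", "203.0.113.10", "FastEthernet0", ip_redirects=False))
    print(forward("192.168.1.50", "203.0.113.10", "FastEthernet0"))
    print(redirect_roundtrip("192.168.1.50", "10.20.5.5"))
```

On the IOS side the behaviour is the interface command `ip redirects` (on by default) and its `no ip redirects` form; `show ip interface` reports whether ICMP redirects are sent for that interface. The host-side rules in `host_accepts` are the reason the "turn redirects off" option Sundar mentions also exists on hosts: a host that honours redirects from any sender, not only from its current first-hop router, can have its traffic steered to any on-link address by anything else on the segment.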

Thanks for the help; that's what I thought, and it makes sense. Is there a better design that I should be looking at?

Hi,

I assume you had problems when IP redirects were enabled. Hence, what you have done is the correct way to go. Now that you understand how IP redirects work, should there be a problem, you know where to focus your troubleshooting and can have it taken care of.

Good Luck!!

Sundar

Nope, no real problems. I was doing a trace for something else and noticed it. I have since enabled the redirects, but my main concern is the design of the network. Is it appropriate to have a core router routing this traffic to different gateways, as I do with redirects enabled?

If redirects are enabled, then I don't see how the core router would forward traffic to the other gateways on the same multi-access segment, as the router should be sending redirect messages to the LAN hosts. How is it that you saw the core router forwarding to the other gateways with redirects enabled?

Actually, they were not enabled before, so that explains why the duplicate packets were there. I just enabled them.

My real question, though, is whether this is the best network design: having a core router routing PCs to different GWs depending on their destination.
