Thursday, 4 February 2016

ICMP Re-Directs


ICMP Redirects – Why we don’t want them

Recently, while troubleshooting a switching/inter-VLAN routing issue, I stumbled across an excessive number of ICMP redirects being sent. This wasn’t the first time I had heard of ICMP redirects; I covered them during my CCNP studies, but it’s like a lot of things you learn: yeah… that’s an ICMP redirect, yeah… I can see why they are bad… move on. It’s not until something pops up and causes a problem that you sit up and take notice. To be painfully honest, ICMP redirects are almost always a symptom of poor network design. If you have them, it’s because you (or the person before you) didn’t do the job right, and in this case I was the guy who designed the network, so I guess I have to take the blame. Also, since the redirect is generated by the router (in my case a switch), it is control-plane traffic, which means it is built in software rather than in hardware, and on many hardware-forwarding switches the packet that triggered it is punted to the CPU as well. So redirects can drive up CPU utilization, not to mention generating chatter on your network that isn’t needed and can add delay.
The root cause of ICMP redirects is suboptimal routing. If a router (or any L3 gateway) receives a packet and its routing table says the best next hop for the destination is on the same subnet as the packet’s source, i.e. the packet would go straight back out the interface it arrived on, the router forwards the packet anyway and also sends an ICMP redirect telling the source to use that other gateway directly. The redirect is only advisory: the host may or may not act on it, and until it does the router keeps forwarding and keeps redirecting. (The flip side is worth remembering: a host that honours redirects will honour a spoofed one too, which is why host hardening guides tell you to ignore them.)

In my case I had the devices on the same subnet as the firewall, but rather than using the firewall as their gateway they were configured to use the L3 switch that was providing inter-VLAN routing. A simple, but in my opinion not optimal, solution would be to change DHCP to hand out the firewall as the gateway instead of the switch. That would work fine in this scenario since all traffic is northbound, but what happens when device A (on VLAN 1) wants to talk to device B (on VLAN 2)? It would send the packet to the firewall, which would then send an ICMP redirect telling the host to use the switch as the gateway. It is the lesser of two evils, but since I have to fix this, why not do it right?

The best solution, in my opinion, is to isolate the link between the firewall and the L3 switch on its own subnet (a dedicated transit VLAN, a /30 is plenty), so that all traffic must route through the switch and the switch’s next hop for the default route never sits on a host subnet. Not only does this fix my problem, it also forces all traffic through the switch, which I hope to someday use for NetFlow. If you can’t change the design right away, “no ip redirects” on the affected interface stops the switch from sending the messages, but that only hides the symptom; the traffic still takes the extra hop.
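To make the rule concrete, here is a small model of the redirect decision applied to the three designs discussed above: hosts using the switch as gateway on a subnet shared with the firewall, hosts using the firewall as gateway, and the transit-subnet fix. This is an added example written for this page, not code from the original post or from any vendor; the addresses, VLAN names and the 10.0.0.0/30 transit link are made up for illustration.

```python
"""Toy model of a router's ICMP redirect decision (the RFC 792 / RFC 1812 rule):
a redirect is sent when the packet would be forwarded out the interface it
arrived on and the chosen next hop lies on the same subnet as the sender.
All addresses and interface names below are invented for illustration."""
from ipaddress import ip_address, ip_network


class Router:
    def __init__(self, name, interfaces, routes):
        self.name = name
        # interface name -> directly connected subnet
        self.interfaces = {n: ip_network(net) for n, net in interfaces.items()}
        # destination prefix -> next-hop address (longest match wins)
        self.routes = {ip_network(p): ip_address(nh) for p, nh in routes.items()}

    def interface_for(self, addr):
        for name, net in self.interfaces.items():
            if addr in net:
                return name
        return None

    def next_hop(self, dst):
        # Directly connected destinations are delivered without a next hop.
        if self.interface_for(dst) is not None:
            return dst
        best = None
        for prefix, nh in self.routes.items():
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None

    def would_redirect(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        in_if = self.interface_for(src)
        nh = self.next_hop(dst)
        if in_if is None or nh is None:
            return False  # not from a connected host, or no route: nothing to redirect
        # The packet is still forwarded either way; the redirect is only advisory.
        return self.interface_for(nh) == in_if


# Design 1 (the post's original): hosts on 10.1.1.0/24 use the L3 switch (10.1.1.2)
# as their gateway while the firewall (10.1.1.1) sits on the same subnet.
SWITCH_SHARED = Router("switch", {"Vlan1": "10.1.1.0/24", "Vlan2": "10.1.2.0/24"},
                       {"0.0.0.0/0": "10.1.1.1"})
# Design 2: hosts use the firewall as gateway; the firewall reaches VLAN 2 via the switch.
FIREWALL_SHARED = Router("firewall", {"inside": "10.1.1.0/24", "outside": "203.0.113.0/24"},
                         {"10.1.2.0/24": "10.1.1.2", "0.0.0.0/0": "203.0.113.1"})
# Design 3 (the fix): a dedicated /30 transit VLAN between switch and firewall.
SWITCH_TRANSIT = Router("switch", {"Vlan1": "10.1.1.0/24", "Vlan2": "10.1.2.0/24",
                                   "Vlan999": "10.0.0.0/30"},
                        {"0.0.0.0/0": "10.0.0.2"})


def redirect_matrix():
    """Check the two traffic patterns from the post against each design."""
    host_a, host_b, internet = "10.1.1.50", "10.1.2.50", "198.51.100.10"
    return {
        "switch gw, shared subnet, northbound": SWITCH_SHARED.would_redirect(host_a, internet),
        "switch gw, shared subnet, inter-vlan": SWITCH_SHARED.would_redirect(host_a, host_b),
        "firewall gw, shared subnet, northbound": FIREWALL_SHARED.would_redirect(host_a, internet),
        "firewall gw, shared subnet, inter-vlan": FIREWALL_SHARED.would_redirect(host_a, host_b),
        "switch gw, transit /30, northbound": SWITCH_TRANSIT.would_redirect(host_a, internet),
        "switch gw, transit /30, inter-vlan": SWITCH_TRANSIT.would_redirect(host_a, host_b),
    }


if __name__ == "__main__":
    for case, redirected in redirect_matrix().items():
        print(f"{case:42s} redirect={redirected}")
```

Only the transit design comes back clean for both traffic patterns; each shared-subnet design redirects exactly one of them, which is the "lesser of two evils" trade-off described above.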
If you want to know whether this might be affecting you, use the command “show ip traffic” and look in the ICMP statistics for the number of redirects sent. The counter is cumulative since the last reload (or “clear ip traffic”), so take it twice a minute or so apart; a steadily climbing number is what you are looking for.



You can also run “debug ip icmp”, which shows the redirects being sent in real time, including the host that triggered each one and the gateway it was told to use. Be careful with this on a busy device: the debug output is itself generated and logged by the CPU, so keep it short and turn it off with “undebug all” when you are done.
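Both checks above produce text you end up eyeballing. The example below, added for this page and not part of the original post, turns them into numbers: it reads the "Sent: … redirects" counter out of two "show ip traffic" snapshots to get a rate, and tallies "debug ip icmp" lines by source host and suggested gateway so the misconfigured hosts fall out directly. The sample output is constructed to resemble IOS output; exact wording varies between releases, so treat the regular expressions as assumptions to adjust against your own devices.

```python
"""Extract the 'redirects sent' counter from 'show ip traffic' snapshots and
tally 'debug ip icmp' redirect lines by host and suggested gateway.
The sample text below is constructed to look like IOS output; the exact
format differs between IOS releases, so check the patterns against your own."""
import re
from collections import Counter

# Matches the ICMP "Sent:" line, e.g. "  Sent: 48210 redirects, 3 unreachable, ..."
SENT_REDIRECTS = re.compile(r"^\s*Sent:\s+(\d+)\s+redirects", re.MULTILINE)
# Matches a debug line shaped like
# "ICMP: redirect sent to 10.1.1.50 for dest 198.51.100.10, use gw 10.1.1.1"
DEBUG_LINE = re.compile(
    r"ICMP: redirect sent to (?P<host>\S+) for dest (?P<dst>\S+), use gw (?P<gw>\S+)")


def sent_redirects(show_ip_traffic: str) -> int:
    """Return the cumulative 'redirects sent' counter; raise if the line is absent."""
    m = SENT_REDIRECTS.search(show_ip_traffic)
    if m is None:
        raise ValueError("no ICMP 'Sent: ... redirects' line found")
    return int(m.group(1))


def redirect_rate(before: str, after: str, seconds: float) -> float:
    """Counters are cumulative since reload, so the useful number is the delta per second."""
    delta = sent_redirects(after) - sent_redirects(before)
    if delta < 0:
        raise ValueError("counter went backwards: device reloaded or counters were cleared")
    return delta / seconds


def offending_hosts(debug_output: str) -> Counter:
    """Count redirects per (host, suggested gateway) to find the misconfigured sources."""
    return Counter((m["host"], m["gw"]) for m in DEBUG_LINE.finditer(debug_output))


# Constructed sample: two "show ip traffic" ICMP sections taken 60 seconds apart.
SNAPSHOT_T0 = """\
ICMP statistics:
  Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 12 unreachable
        340 echo, 298 echo reply, 0 mask requests, 0 mask replies, 0 quench
  Sent: 48210 redirects, 3 unreachable, 298 echo, 340 echo reply
        0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 0 timestamp replies
"""
SNAPSHOT_T60 = SNAPSHOT_T0.replace("48210 redirects", "49410 redirects")

# Constructed sample of "debug ip icmp" output.
DEBUG_SAMPLE = """\
ICMP: redirect sent to 10.1.1.50 for dest 198.51.100.10, use gw 10.1.1.1
ICMP: redirect sent to 10.1.1.50 for dest 198.51.100.11, use gw 10.1.1.1
ICMP: redirect sent to 10.1.1.77 for dest 203.0.113.5, use gw 10.1.1.1
"""

if __name__ == "__main__":
    print(f"redirects/sec: {redirect_rate(SNAPSHOT_T0, SNAPSHOT_T60, 60):.1f}")
    for (host, gw), n in offending_hosts(DEBUG_SAMPLE).most_common():
        print(f"{host} redirected {n}x toward {gw}")
```

The gateway column is the giveaway: if every line points hosts at the same address, that address is the one the hosts should have had as their gateway, or the one that should have been moved onto its own transit subnet.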





Anyway, that’s my ramble of the day. See the link below if you want to read the “professionals’” explanation.



Wednesday, 3 February 2016

New to Blogging

Being new to blogging I am not too sure how this whole thing will develop, but they say one of the best ways to learn is to teach yourself, so I figure the next best thing to teaching is sharing what I have learned and explaining it (or at least trying to) to others. I have been studying networking for a couple of years now, and have decided that after I finish the current cert I am working on (CCNA Security) I am going to start towards my CCIE, so there should be lots to learn and share. Sometimes I might dive deep into something, but other times it might just be a ramble. One thing I will say is, I am by no means an expert; if I am right, give me a shout, say thanks... but if I am wrong, I want to hear that too.