ICMP Redirects – Why we don’t want them
Recently, while troubleshooting a switching/inter-VLAN routing issue, I stumbled across an excessive number of ICMP redirects being sent. This wasn’t the first time I had heard of ICMP redirects; over the course of my CCNP studies I of course covered them, but it’s like a lot of things you learn: yeah… that’s an ICMP redirect, yeah… I can see why they are bad… move on. It’s not until something pops up and causes a problem that you sit up and take notice. To be painfully honest, ICMP redirects are caused by poor network design. Yup, that’s right: if you’ve got them it’s because you didn’t do your job right (or the person before you didn’t), but in this case I was the guy who designed the network, so I guess I have to take the blame. Also, since the packet gets generated by the router (in my case a switch), it’s control-plane traffic, which means it’s dealt with in software as opposed to hardware, so it has the potential to increase CPU utilization, not to mention generating unneeded trash talk on your network, and it has the potential to cause delay.
The root cause of ICMP redirects is suboptimal routing. If a router (or any L3 gateway) receives a packet and its routing table determines that the best next hop for the destination is on the same subnet as the source of the packet, it sends an ICMP redirect to tell the source to use that other gateway rather than itself. In my case I had the devices on the same subnet as the firewall, but rather than using the firewall as their gateway they were configured to use the L3 switch that was providing inter-VLAN routing. A simple, but in my opinion not optimal, solution would be to change DHCP to hand out the firewall as the gateway instead of the switch. That would work fine in this scenario since all traffic is northbound, but what happens when device A (on VLAN 1) wants to talk to device B (on VLAN 2)? It would send the packet to the firewall, which would then send an ICMP redirect telling the host to use the switch as the gateway. That is the lesser of two evils, but since I have to fix this, why not do it right? The best solution, in my opinion, is to isolate the link between the firewall and the L3 switch on its own subnet, so that all traffic must route through the switch. Not only would this fix my problem, it also forces all traffic through the switch, which I hope to someday use as a NetFlow collector.
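As an added example (not part of the original post), here is a small Python model of the redirect decision described above, using constructed addresses for the three layouts discussed: hosts pointing at the L3 switch while the firewall sits on their subnet, hosts pointing at the firewall, and the fix with a dedicated transit subnet between firewall and switch.

```python
import ipaddress

class Router:
    """Minimal L3 gateway: connected interfaces plus static routes (constructed model)."""

    def __init__(self, interfaces, routes):
        # interfaces: {"Vlan1": "10.0.1.1/24"}; routes: [("0.0.0.0/0", "10.0.1.254")]
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh)) for p, nh in routes]

    def iface_for(self, ip):
        # Name of the interface whose subnet contains ip, or None.
        return next((n for n, i in self.ifaces.items() if ip in i.network), None)

    def next_hop(self, dst):
        # Longest-prefix match over static routes and connected subnets;
        # a connected subnet "forwards" straight to the destination host.
        candidates = [(net, nh) for net, nh in self.routes if dst in net]
        candidates += [(i.network, dst) for i in self.ifaces.values() if dst in i.network]
        return max(candidates, key=lambda c: c[0].prefixlen)[1] if candidates else None

    def redirect_for(self, src, dst):
        # Return the gateway an ICMP redirect would advertise, or None if the
        # packet is simply forwarded. The trigger: the packet arrived on the same
        # interface it will leave on, so the next hop sits on the sender's subnet.
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(dst == i.ip for i in self.ifaces.values()):
            return None  # addressed to the router itself, nothing to forward
        in_if, nh = self.iface_for(src), self.next_hop(dst)
        if in_if is None or nh is None or nh == src:
            return None
        return str(nh) if self.iface_for(nh) == in_if else None

# Layout 1 (constructed addresses): hosts on VLAN 1 use the L3 switch as gateway,
# while the firewall (10.0.1.254) sits on that same subnet.
switch_bad = Router({"Vlan1": "10.0.1.1/24", "Vlan2": "10.0.2.1/24"},
                    [("0.0.0.0/0", "10.0.1.254")])
# Layout 2: hosts use the firewall as gateway; the firewall reaches VLAN 2 via the switch.
firewall = Router({"inside": "10.0.1.254/24"}, [("10.0.2.0/24", "10.0.1.1")])
# Layout 3 (the fix): firewall-to-switch link moved onto its own /30 transit subnet.
switch_fixed = Router({"Vlan1": "10.0.1.1/24", "Vlan2": "10.0.2.1/24",
                       "Vlan255": "10.0.255.1/30"}, [("0.0.0.0/0", "10.0.255.2")])

if __name__ == "__main__":
    for name, r, dst in [("switch_bad", switch_bad, "8.8.8.8"), ("switch_bad", switch_bad, "10.0.2.20"),
                         ("firewall", firewall, "10.0.2.20"), ("switch_fixed", switch_fixed, "8.8.8.8")]:
        print(f"{name}: 10.0.1.10 -> {dst}: redirect to {r.redirect_for('10.0.1.10', dst)}")
```

Only the first layout redirects northbound traffic and only the second redirects inter-VLAN traffic; with the transit /30 in place neither path leaves on the interface it arrived on, so no redirect is generated.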
If you want to know whether this is something that might be affecting you, use the command “show ip traffic” and look for the number of ICMP redirects sent.
You can also run the command “debug ip icmp”, which will show you the ICMP redirects being sent in real time.
Anyway… that’s my ramble of the day. See the link below if you want to read the “professionals’” explanation.