Posted by on August 13, 2007, 9:47 am
darrenfgreen@tiscali.co.uk writes:
> I have a router that has a 10.0.0.0/8 route pointing at a firewall.
>
> The same router has a connection to another router on one of its
> interfaces. When I do a route lookup to a remote subnet say 10.1.10 /
> 24 the result is:
>
> #sh ip route 10.1.1.0
> Routing entry for 10.0.0.0/8
> Known via "static", distance 1, metric 0
> Routing Descriptor Blocks:
> * 192.168.1.254 (the firewall)
> Route metric is 0, traffic share count is
Note that this command shows you the routing table entry that would be
in effect for traffic to 10.1.1.0/32 only.
A more specific route that applies to 10.1.1.254 would not be displayed.
If you want to see the route that applies to 10.1.1.254 then you
would want to use: # show ip route 10.1.1.254
[If you do a "show ip route" for the all zeroes host of a classful
network (e.g. 10.0.0.0, 172.16.0.0, 192.168.1.0, etc) IOS will tell you
about all subnet routes within the classful network. But doing a
"show ip route" for something other than the all zeroes host will
just show you the single most specific matching route. Since 10.1.1.0
is not the all zeroes host on a classful network, the displayed output
will show a single route only]
> The route to the remote subnet should follow the above static route.
As above, not necessarily.
> However, when I traceroute to the above subnets router, it follows a
> path via the attached router.
>
> #trace 10.1.1.254
>
> Type escape sequence to abort.
>
> Tracing the route to 10.3.25.254
>
> 1 10.0.1.11 0 msec 0 msec 0 msec
>
> 2 10.1.1.254 40 msec * 40 msec
>
> Is this because of ICMP redirects?
That seems highly unlikely. An ICMP redirect generated by a gateway
in the 192.168.1 subnet would create a host route through a different
gateway in the 192.168.1 subnet.
[An ICMP redirect is sent if the source IP, the first hop gateway and
the first hop's next hop gateway are all on the same IP subnet and will
result in the source skipping the first hop and going straight for
the second on all subsequent traffic]
What is somewhat plausible is that the 192.168.1.254 firewall interface
has a secondary IP address of 10.0.1.11 on the same NIC and that it
uses this for replies to hosts in the 192.168.1 space.
It is also possible that the 192.168.1.x interface on your router
is a secondary IP address and that your primary interface address
is in the 10.0.1.11 subnet. This would better explain why the first
hop gateway used a 10.0.1.11 address when generating its response
to you. And that could, in turn, make it possible for an ICMP
redirect to actually work.
If you source your traceroute from the router's 192.168.1.x address,
does anything change? (just type "trace" without an IP to bring up
prompts for things like source address).
Does the firewall have a 10.0.1.11 address?
Does your router have a 10.0.1.x address?
Does any other piece of equipment on your 192.168.1 segment have
a 10.0.1.11 address?
Does your router have a route more specific than a /8 for 10.0.1.11?
Does your router have a route more specific than a /8 for 10.1.1.254?
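
The lookup behaviour described in the reply above, as an added example that is not part of the original post. The routing table is constructed: only the 10.0.0.0/8 static route via 192.168.1.254 comes from the thread, and the 10.1.1.128/25 route via 10.0.1.11 is a hypothetical more-specific route used to show how a lookup for 10.1.1.0 and a lookup for 10.1.1.254 can return different entries.

```python
import ipaddress

# Constructed routing table (not the poster's real table).
# The /8 static route appears in the thread; the /25 is a hypothetical
# more-specific route of the kind the reply says would not be displayed.
ROUTES = [
    ("10.0.0.0/8", "192.168.1.254", "static (from the thread)"),
    ("10.1.1.128/25", "10.0.1.11", "hypothetical more-specific route"),
]

def parse_routes(routes):
    """Turn (prefix, next_hop, note) strings into (network, next_hop, note)."""
    return [(ipaddress.ip_network(p), nh, note) for p, nh, note in routes]

TABLE = parse_routes(ROUTES)

def lookup(table, destination):
    """Longest-prefix match: the single most specific route covering
    destination, or None when nothing matches."""
    addr = ipaddress.ip_address(destination)
    matches = [route for route in table if addr in route[0]]
    if not matches:
        return None
    return max(matches, key=lambda route: route[0].prefixlen)

def subnets_within(table, classful):
    """Every route inside a classful network, mirroring what the reply says
    a query for the all-zeroes host of that network lists."""
    net = ipaddress.ip_network(classful)
    return [route for route in table if route[0].subnet_of(net)]

def describe(table, destination):
    """Format the lookup result for one destination as a readable line."""
    route = lookup(table, destination)
    if route is None:
        return f"{destination}: no matching route"
    return f"{destination}: {route[0]} via {route[1]} [{route[2]}]"

if __name__ == "__main__":
    # 10.1.1.0 falls outside the /25, so only the /8 is reported for it.
    print(describe(TABLE, "10.1.1.0"))
    # 10.1.1.254 falls inside the /25, so traffic follows the other next hop.
    print(describe(TABLE, "10.1.1.254"))
    for net, next_hop, note in subnets_within(TABLE, "10.0.0.0/8"):
        print(f"  within 10.0.0.0/8: {net} via {next_hop} [{note}]")
```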