Wednesday, November 30, 2022

What Causes ICMP Redirects? « ipSpace.net blog


Some time ago, I wrote a blog post explaining why we should (mostly) disable ICMP redirects, triggering a series of comments discussing the root cause of ICMP redirects. A few of those blamed static routes, including:

Put another way, the presence or absence of ICMP Redirects is a red herring, usually pointing to architectural/design issues instead. In this example, using vPC Peer Gateway or, better yet, running a minimal IGP instead of relying on static routes eliminates ICMP Redirects from both the problem and solution spaces simultaneously.

Unfortunately, that’s not the case. You can get ICMP redirects in well-designed networks running more than one routing protocol.

Before going into the details, please keep in mind that a router generates an ICMP redirect every time it has to forward a packet back through the ingress interface – a clear indication that the packet sender has suboptimal routing information that the ICMP redirect is trying to improve.

Now let’s get back to the simple data center network that triggered the discussion, and imagine that:

  • E1 and E2 are routers connected to the global Internet. For whatever reason they have the full BGP table.
  • C1 and C2 are core switches. They are not expensive enough to be able to install the entire BGP table into the forwarding ASIC.

Layer-3 connectivity

You could use several mechanisms to make C1 and C2 work with suboptimal information. Typically, you’d run an IGP between the four devices, keep the complex stuff limited to E1/E2, and advertise the default route from E1 and E2 toward C1/C2.

The traffic sent through C1/C2 toward the Internet will sometimes land on the wrong edge router – the core switches simply don’t have enough information to select the optimal forwarding path. The edge router receiving such traffic has to forward it to the other edge router. There are several ways you can meet that requirement:

  • Use the shared VLAN between E1, E2, C1, and C2 to forward the misdirected traffic;
  • Add another VLAN connecting E1 and E2.

If you use the shared VLAN to forward the misdirected traffic between E1 and E2, the egress interface on the first-hop edge router matches the ingress interface, and that router will generate ICMP redirects (unless you turned them off).
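
The same-interface rule applied to both design options above, as an added Python sketch that is not part of the original post. Interface names, prefixes and E1's routing table are constructed, and the model checks only the ingress-equals-egress condition described in the text.

```python
import ipaddress

# Constructed model of edge router E1. Interface names and prefixes are
# hypothetical; prefixes come from documentation ranges.
SHARED_VLAN = "vlan-shared"     # E1, E2, C1 and C2 all attach here
INTER_EDGE_VLAN = "vlan-e1-e2"  # optional extra VLAN between E1 and E2 only

def e1_routes(iface_toward_e2):
    """E1's table: its own upstream plus one prefix that is better via E2."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), "uplink-isp-a"),
        (ipaddress.ip_network("203.0.113.0/24"), iface_toward_e2),
    ]

def egress_interface(routes, dst):
    """Longest-prefix match returning the egress interface for dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, iface) for net, iface in routes if addr in net]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]

def forward(routes, ingress, dst, redirects_enabled=True):
    """Apply the rule from the text: a packet leaving through the interface
    it arrived on triggers an ICMP redirect unless redirects are disabled."""
    egress = egress_interface(routes, dst)
    hairpin = egress == ingress
    return {"egress": egress, "hairpin": hairpin,
            "icmp_redirect": hairpin and redirects_enabled}

def compare_designs(dst="203.0.113.10"):
    """C1 hands E1 a packet on the shared VLAN; compare the design options."""
    return {
        "shared_vlan": forward(e1_routes(SHARED_VLAN), SHARED_VLAN, dst),
        "extra_vlan": forward(e1_routes(INTER_EDGE_VLAN), SHARED_VLAN, dst),
        "shared_vlan_redirects_off": forward(
            e1_routes(SHARED_VLAN), SHARED_VLAN, dst, redirects_enabled=False),
    }

if __name__ == "__main__":
    for design, result in compare_designs().items():
        print(f"{design:27} {result}")
```

In the third case the packet still leaves through the interface it arrived on; turning redirects off suppresses the ICMP message, not the hairpin forwarding path.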

Takeaways:

  • ICMP redirects have nothing to do with static routes
  • While it’s possible to design networks that avoid ICMP redirects, they might occur in well-thought-out designs.
  • Disable ICMP redirects on all segments that don’t have directly-connected hosts, and everywhere you use a first-hop redundancy protocol or anycast gateway.