Channel: PowerConnect Forum - Recent Threads

Trying to Nullify packets inside a PC6248 redirected from an s4810 vlt pair....


Hello Guys,

I’ve been tasked to finish the Nullification of redirected packets.  

I’ve been trying different things but to no avail…. packets get to machines not listed on the permit list...

I’ve included snippets and configs of the three switches involved.  

Could you please peruse the configs and tell me if I’ve implemented the Null correctly?  Perhaps you can get a PC6248 engineer to have a look also.

Is the PC6248 capable of dropping such traffic?   Its manual says:
NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped.


I appreciate you all looking into this matter.


Thanks,

Roy

A VLT port channel 2 is set up between the cores and the pc6248.  VLT pair has near identical configurations...
 
ip route 0.0.0.0/0 10.10.20.2
ip route 5.5.5.0/24 192.168.2.8
 
ip redirect-list permit68to97
 seq 10 permit ip 192.168.68.0/24 host 192.168.97.100
 seq 20 permit ip 192.168.68.0/24 host 192.168.97.31
 seq 30 permit ip 192.168.68.0/24 host 192.168.97.18
 seq 40 permit ip 192.168.68.0/24 host 192.168.97.80
 seq 50 permit ip 192.168.68.0/24 host 192.168.97.20
 seq 80 redirect 5.5.5.5 ip any any
 
force10-01-1A#show ip route all
 
Gateway of last resort is 10.10.20.2 to network 0.0.0.0
 
       Destination        Gateway     Dist/Metric Last Change
       -----------        -------     ----------- -----------
 *S    0.0.0.0/0          via 10.10.20.2, Vl 1020 1/0 38w0d
  S    5.5.5.5/32         via 192.168.2.8, Vl 2 1/0 00:00:14
  C    10.10.20.0/29      Direct, Vl 1020 0/0     38w0d
  C    192.168.2.0/24     Direct, Vl 2 0/0        1w6d
  C    192.168.30.0/24    Direct, Vl 30 0/0       80w5d
  C    192.168.31.0/24    Direct, Vl 31 0/0       80w5d
  C    192.168.68.0/24    Direct, Vl 68 0/0        8w5d
  C    192.168.86.0/24    Direct, Vl 86 0/0       47w2d
  C    192.168.87.0/24    Direct, Vl 87 0/0       45w1d
  C    192.168.90.0/24    Direct, Vl 90 0/0       58w6d
  C    192.168.95.0/24    Direct, Vl 95 0/0       80w5d
  C    192.168.97.0/24    Direct, Vl 97 0/0       80w5d
  C    192.168.98.0/24    Direct, Vl 98 0/0       80w5d
  C    192.168.102.0/24   Direct, Vl 102 0/0       53w6d
  C    192.168.103.0/24   Direct, Vl 103 0/0       52w6d
force10-01-1A#

force10-01-1A#ping 192.168.2.8
 
Type Ctrl-C to abort.
 
Sending 5, 100-byte ICMP Echos to 192.168.2.8, timeout is 2 seconds:
!!!!!
Success rate is 100.0 percent (5/5), round-trip min/avg/max = 0/0/0 (ms)
force10-01-1A#

force10-01-1A#  show ip redirect-list permit68to97

IP redirect-list permit68to97:
 Defined as:
  seq 10 permit ip 192.168.68.0/24 host 192.168.97.100
,
  seq 20 permit ip 192.168.68.0/24 host 192.168.97.31
,
  seq 30 permit ip 192.168.68.0/24 host 192.168.97.18
,
  seq 40 permit ip 192.168.68.0/24 host 192.168.97.80
,
  seq 50 permit ip 192.168.68.0/24 host 192.168.97.20
,
  seq 80 redirect 5.5.5.5 ip any any, Next-hop reachable (via Vl 2), ARP resolved
,
 Applied interfaces:
  Vl 68
force10-01-1A#

——>>>AND from its vlt peer:  <<<<-------------------

force10-00-1B#show ip redirect-list permit68to97

IP redirect-list permit68to97:
 Defined as:
  seq 10 permit ip 192.168.68.0/24 host 192.168.97.100
,
  seq 20 permit ip 192.168.68.0/24 host 192.168.97.31
,
  seq 30 permit ip 192.168.68.0/24 host 192.168.97.18
,
  seq 40 permit ip 192.168.68.0/24 host 192.168.97.80
,
  seq 50 permit ip 192.168.68.0/24 host 192.168.97.20
,
  seq 80 redirect 5.5.5.5 ip any any, Next-hop reachable (via Vl 2), ARP resolved
,
 Applied interfaces:
  Vl 68

Here are snippets from the PC6248:

PC6248 Switch with Null:

vlan database
vlan 2,98
vlan routing 98 1
vlan routing 2 2
exit

ip address 10.1.12.11 255.255.255.0

ip routing
ip route 5.5.5.5 255.255.255.255 Null
ip route 0.0.0.0 0.0.0.0 192.168.98.1

interface vlan 2
routing
ip address 192.168.2.8 255.255.255.0
exit

interface vlan 98
routing
ip address 192.168.98.8 255.255.255.0
exit

nullspacedell#show ip route

S      0.0.0.0/0 [1/0] via 192.168.98.1,   vlan 98
S      5.5.5.5/32 [1/0] directly connected,   Null0
C      192.168.2.0/24 [0/1] directly connected,   vlan 2
C      192.168.98.0/24 [0/1] directly connected,   vlan 98

nullspacedell#

We need the PC6248 because the S4810 does not have a method to drop packets (yet).

The packets destined for other than those listed in the permit statements get through. 

Any insight would be appreciated!
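
The following is an added example, not part of the original post or of either switch's software: a small model of the two forwarding decisions in the configs above, using the permit68to97 entries and the PC6248 routing table exactly as posted. It assumes that a permit entry in the redirect-list means "route normally", that seq 80 only changes the next hop (5.5.5.5, resolved via 192.168.2.8) and leaves the packet's destination IP untouched, and the host addresses 192.168.68.10 and 192.168.97.50 are constructed for illustration.

```python
import ipaddress

# S4810 redirect-list permit68to97 (from the post): source subnet and permitted hosts.
PERMIT_SRC = ipaddress.ip_network("192.168.68.0/24")
PERMIT_DST = {"192.168.97.100", "192.168.97.31", "192.168.97.18",
              "192.168.97.80", "192.168.97.20"}

# PC6248 routing table (from its "show ip route"): prefix, gateway, interface.
PC6248_ROUTES = [
    ("0.0.0.0/0", "192.168.98.1", "vlan 98"),
    ("5.5.5.5/32", None, "Null0"),
    ("192.168.2.0/24", None, "vlan 2"),
    ("192.168.98.0/24", None, "vlan 98"),
]


def s4810_action(src, dst):
    """Assumed semantics: seq 10-50 permit = route normally, seq 80 = redirect."""
    if ipaddress.ip_address(src) in PERMIT_SRC and dst in PERMIT_DST:
        return "route"
    return "redirect"


def pc6248_lookup(dst):
    """Longest-prefix match on the packet's destination IP."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, interface in PC6248_ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, interface)
    return best


def trace(src, dst):
    """Follow one packet entering the S4810 on Vl 68."""
    if s4810_action(src, dst) == "route":
        return "S4810 routes normally"
    # Redirected: the frame is handed to 192.168.2.8, but the IP header
    # still carries dst, so the PC6248 routes on dst, not on 5.5.5.5.
    net, gateway, interface = pc6248_lookup(dst)
    if interface == "Null0":
        return f"PC6248 drops ({net} -> Null0)"
    return f"PC6248 forwards via {gateway or 'connected'} on {interface} (matched {net})"


if __name__ == "__main__":
    for dst in ("192.168.97.100", "192.168.97.50", "5.5.5.5"):
        print(dst, "->", trace("192.168.68.10", dst))
```

Under these assumptions only a packet addressed to 5.5.5.5 itself reaches the Null0 route; a redirected packet for a non-permitted host matches the PC6248's default route and leaves on vlan 98, which is consistent with the behaviour described in the post.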

