Recently I was troubleshooting a firewall issue on one of my servers and noticed a lot of ICMP redirect traffic being rejected (as it should be). But that got me wondering why I was receiving those redirect messages in the first place. After some investigation I found that our core switch is sending them, because it feels that traffic to our branch offices and the Internet should be routed by the firewall rather than by the switch itself. Our network layout is as follows:
                  Switch 1             Switch 2
Server ----- Cisco 3560 ---- Cisco 3560 ---- Firewall ---- Internet/Branch Office VPN
             No Routing          IP Routing
The firewall is connected directly to the Cisco switch on one port, and the traffic from the server enters the switch on another port.
Switch 2 does a lot of inter-VLAN routing for us, which is why it is the current default gateway for every device on our network. Static routes to the various VLANs could be set on the servers/workstations/devices etc., with all other traffic routed directly to the firewall, but that looks like a lot of work, is a pain whenever a new network is added, etc. Also, from what I have read, redirect messages should only be sent when the switch has to forward packets back out the same port they arrived on in order to reach the correct destination (which is not my case), so I am not sure why I am getting redirects at all.
So, first, are there performance/security issues with routing to the firewall rather than to a "router"? Second, why am I getting ICMP redirects?
Edit:
Switch 2 configuration (security information removed, and the port list limited to the ports we are interested in):
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname Switch2
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
clock timezone EST -5
system mtu routing 1500
ip routing
ip domain-name caymanport.com
ip name-server 172.16.112.6
ip name-server 172.16.112.23
ip name-server 172.16.112.9
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/43
description fw-gcm eth1/8 (VL16-INETGUEST)
switchport access vlan 16
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/44
description fw-gcm eth1/1 (VL01)
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/46
description fw-gcm eth1/6 (VL06-Guest)
switchport access vlan 6
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/47
description fw-gcm eth1/7 (VL10-DMZ)
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
description BillingSwitch MM-F
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface Vlan1
ip address 172.16.112.1 255.255.240.0
!
interface Vlan2
ip address 172.16.129.5 255.255.255.0
!
interface Vlan3
ip address 172.16.130.5 255.255.255.0
!
interface Vlan4
ip address 172.16.140.1 255.255.255.0
!
interface Vlan5
ip address 172.16.150.1 255.255.255.0
!
interface Vlan6
no ip address
!
interface Vlan7
ip address 172.16.170.1 255.255.255.0
!
interface Vlan8
ip address 172.16.180.1 255.255.255.0
!
interface Vlan11
ip address 172.16.161.1 255.255.255.0
!
interface Vlan12
no ip address
!
interface Vlan15
ip address 172.16.240.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.112.254
ip http server
ip http secure-server
!
end
Switch 2 routing table:
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.112.254 to network 0.0.0.0
172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks
C 172.16.180.0/24 is directly connected, Vlan8
C 172.16.170.0/24 is directly connected, Vlan7
C 172.16.161.0/24 is directly connected, Vlan11
C 172.16.150.0/24 is directly connected, Vlan5
C 172.16.140.0/24 is directly connected, Vlan4
C 172.16.129.0/24 is directly connected, Vlan2
C 172.16.130.0/24 is directly connected, Vlan3
C 172.16.240.0/24 is directly connected, Vlan15
C 172.16.112.0/20 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 172.16.112.254
Firewall routing table:
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 162.211.139.1 10 A S ethernet1/3
74.222.73.100/30 74.222.73.102 0 A C ethernet1/8
74.222.73.102/32 0.0.0.0 0 A H
77.222.73.100/30 77.222.73.101 10 A S ethernet1/8
162.211.139.0/29 162.211.139.2 0 A C ethernet1/3
162.211.139.2/32 0.0.0.0 0 A H
172.16.10.0/24 172.16.10.0 10 A S tunnel.3
172.16.11.1/32 0.0.0.0 0 A H
172.16.100.0/24 172.16.100.10 10 A S tunnel.4
172.16.112.0/20 172.16.112.1 10 S ethernet1/1
172.16.112.0/20 172.16.112.254 0 A C ethernet1/1
172.16.112.254/32 0.0.0.0 0 A H
172.16.129.0/24 172.16.129.254 0 A C ethernet1/1.2
172.16.129.254/32 0.0.0.0 0 A H
172.16.130.0/24 172.16.130.254 0 A C ethernet1/1.3
172.16.130.254/32 0.0.0.0 0 A H
172.16.140.0/24 172.16.140.254 0 A C ethernet1/1.4
172.16.140.254/32 0.0.0.0 0 A H
172.16.150.0/24 172.16.150.254 0 A C ethernet1/1.5
172.16.150.254/32 0.0.0.0 0 A H
172.16.160.0/24 172.16.160.254 0 A C ethernet1/6
172.16.160.254/32 0.0.0.0 0 A H
172.16.170.0/24 172.16.170.254 0 A C ethernet1/1.7
172.16.170.254/32 0.0.0.0 0 A H
172.16.180.0/24 172.16.180.254 0 A C ethernet1/1.8
172.16.180.254/32 0.0.0.0 0 A H
172.16.190.0/24 172.16.190.254 0 A C ethernet1/1.9
172.16.190.254/32 0.0.0.0 0 A H
172.16.200.0/24 172.16.200.254 0 A C ethernet1/7.10
172.16.200.254/32 0.0.0.0 0 A H
192.168.1.0/24 192.168.1.1 10 A S tunnel.2
192.168.10.0/24 192.168.1.1 10 A S tunnel.2
192.168.40.0/24 192.168.1.1 10 A S tunnel.2
192.168.50.0/24 192.168.1.1 10 A S tunnel.2
192.168.70.0/24 192.168.1.1 10 A S tunnel.2
total routes shown: 35
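As an added example (my own code, not part of the question above), the following Python script encodes the rule a router applies before emitting an ICMP redirect (RFC 1812 section 5.2.7.2, which is also how Cisco IOS behaves by default): the packet is forwarded out the same logical interface it arrived on, and the source host and the chosen next hop sit on that interface's subnet. The routing table is transcribed from the Switch 2 "show ip route" output posted above; the sample host addresses are constructed for the demonstration. Note that the test is on the logical interface (the Vlan SVI), not the physical switch port.

```python
import ipaddress
from typing import Optional, Tuple

# Transcribed from the posted Switch 2 routing table.
# Entry: (prefix, next hop or None for directly connected, egress interface).
# The static default has a next hop only; its interface is resolved recursively.
SWITCH2_ROUTES = [
    ("172.16.180.0/24", None, "Vlan8"),
    ("172.16.170.0/24", None, "Vlan7"),
    ("172.16.161.0/24", None, "Vlan11"),
    ("172.16.150.0/24", None, "Vlan5"),
    ("172.16.140.0/24", None, "Vlan4"),
    ("172.16.129.0/24", None, "Vlan2"),
    ("172.16.130.0/24", None, "Vlan3"),
    ("172.16.240.0/24", None, "Vlan15"),
    ("172.16.112.0/20", None, "Vlan1"),
    ("0.0.0.0/0", "172.16.112.254", None),   # S* 0.0.0.0/0 via the firewall
]


def _table():
    return [
        (ipaddress.ip_network(p), ipaddress.ip_address(nh) if nh else None, ifc)
        for p, nh, ifc in SWITCH2_ROUTES
    ]


def lookup(dst: str) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address, str]:
    """Longest-prefix match followed by recursive next-hop resolution.
    Returns (matched prefix, next hop address, egress interface)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in _table() if addr in r[0]]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    prefix, nh, ifc = max(candidates, key=lambda r: r[0].prefixlen)
    if nh is None:              # connected route: deliver straight to the destination
        return prefix, addr, ifc
    if ifc is None:             # next-hop-only static route: find the interface of the next hop
        _, _, ifc = lookup(str(nh))
    return prefix, nh, ifc


def ingress_interface(src: str) -> Optional[str]:
    """SVI a packet from src arrives on, assuming the host uses the switch SVI as gateway."""
    addr = ipaddress.ip_address(src)
    for prefix, nh, ifc in _table():
        if nh is None and addr in prefix:
            return ifc
    return None


def connected_subnet(ifc: str) -> ipaddress.IPv4Network:
    """Subnet configured on the given SVI (from the connected routes)."""
    return next(prefix for prefix, nh, i in _table() if nh is None and i == ifc)


def would_redirect(src: str, dst: str) -> Tuple[bool, str, str]:
    """RFC 1812 redirect test: same logical ingress and egress interface, and
    source and next hop on that interface's subnet.
    Returns (redirect sent?, next hop, egress interface)."""
    in_ifc = ingress_interface(src)
    _, nh, out_ifc = lookup(dst)
    if in_ifc is None or in_ifc != out_ifc:
        return False, str(nh), out_ifc
    subnet = connected_subnet(out_ifc)
    same_net = ipaddress.ip_address(src) in subnet and nh in subnet
    return same_net, str(nh), out_ifc


if __name__ == "__main__":
    # Constructed sample flows: a VLAN 1 host and a VLAN 4 host going to the Internet,
    # and a VLAN 1 host going to VLAN 4.
    for src, dst in [("172.16.112.50", "8.8.8.8"),
                     ("172.16.140.20", "8.8.8.8"),
                     ("172.16.112.50", "172.16.140.20")]:
        redirect, nh, ifc = would_redirect(src, dst)
        print(f"{src} -> {dst}: in {ingress_interface(src)}, out {ifc} via {nh}, "
              f"redirect={'yes' if redirect else 'no'}")
```

Running it shows the asymmetry: a VLAN 1 host that uses 172.16.112.1 as its gateway and sends to an Internet address is forwarded back out Vlan1 to 172.16.112.254, which is on the same /20, so the condition is met, whereas a host on VLAN 4 enters on Vlan4 and leaves on Vlan1 and gets no redirect. If the redirects are unwanted, `no ip redirects` under `interface Vlan1` stops the switch sending them; on the host side, Linux ignores them with `net.ipv4.conf.all.accept_redirects = 0`, which is the safer default anyway since a redirect can be spoofed by any host on the segment to pull traffic through itself.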