7

Here is a routing puzzle:

I'm working on a poorly documented network, and I'm trying to document things as I discover them. R1 is a core L3 switch. R2 is a router. The FW is a, well, firewall.


On R1, I see traffic (about 1Mbps) in and out on vlan 19, and it's fairly constant:

R1#sh int vl 19
Vlan19 is up, line protocol is up
  Hardware is EtherSVI, address is 0008.e3ff.fd90 (bia 0008.e3ff.fd90)
  Internet address is 10.76.85.3/24
<snip>
  5 minute input rate 1175000 bits/sec, 1770 packets/sec
  5 minute output rate 1161000 bits/sec, 1751 packets/sec

The only devices that are in the ARP table on that subnet are R1 and R2. The FW seems not to be receiving any traffic:

R1#sh arp | i 10.76.85
Internet  10.76.85.3              -   0008.e3ff.fd90  ARPA   Vlan19
Internet  10.76.85.6             13   00d7.8fcb.2400  ARPA   Vlan19

However, there is no route on R1 where the next hop is R2. There is only the connected interface:

R1#sh ip ro | i 10.76.85
C        10.76.85.0/24 is directly connected, Vlan19
L        10.76.85.3/32 is directly connected, Vlan19

So how to explain the outbound traffic?

R2 also has only two devices in its ARP table:

R2#sh arp | i 10.76.85
Internet  10.76.85.3             17   0008.e3ff.fd90  ARPA   TenGigabitEthernet0/0/0
Internet  10.76.85.6              -   00d7.8fcb.2400  ARPA   TenGigabitEthernet0/0/0

R2 does have a route (static) with R1 as the next hop:

R2#sh ip ro | i 10.76.85
S        10.76.81.0/24 [1/0] via 10.76.85.3
C        10.76.85.0/24 is directly connected, TenGigabitEthernet0/0/0
L        10.76.85.6/32 is directly connected, TenGigabitEthernet0/0/0

This could explain one-way traffic from R2 to R1, but I see outbound traffic from R1 to ...?

These are 10G interfaces, so I can't easily plug a sniffer in. I will eventually be able to span a port and look at the traffic, but until then I'm puzzled. Anyone have any theories?

Ron Trunk
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/134675/discussion-on-question-by-ron-trunk-where-is-the-traffic-going). – Ron Maupin Mar 10 '22 at 00:06

2 Answers

2

If R3 can send packets to R1, but R1 cannot send to R3, maybe R1 just sends out replies to its default GW.

  • Routers are the gateway, so they do not have default gateways. They may or may not have a default route. – Ron Maupin Feb 07 '22 at 23:32
  • A default route is the same as default GW. Technically, one can argue that if it is the last routing, the next hop is the final destination and not a GW. – Flemming Richter Feb 08 '22 at 00:16
  • No, it is not. A default route may lead to a router, or it may lead to something like a black hole interface on the same router. A PC has a default gateway, but routers do not. A router does not need a default route, but a PC needs a default gateway to use the public Internet. An Internet router can use BGP, and it would then be unlikely to have a default route. – Ron Maupin Feb 08 '22 at 00:22
  • Well... I have a computer which has its router as the default GW. That GW is behind another router/GW and so on. – Flemming Richter Feb 08 '22 at 00:34
  • The equipment in question was decommissioned and we're using a different topology. – Ron Trunk Feb 08 '22 at 02:28
0

If a router doesn't know a route to a certain IP, it would only forward it to a destination for which it has a default route. But with some devices you can also set it to flood the traffic to a certain interface without a next-hop IP, so check if there is any sort of default route set.

Elias