
RE: Routing at the Edges of the Internet

2011-08-26 16:47:31
Worley, Dale R wrote:
I'm no expert in this, but isn't this what ICMP Redirect messages
are for?  Aren't routers required to generate them in these cases?

Unfortunately, ICMP redirects are often broken. It is a well-known issue
that the introduction of Windows XP SP2 (a while ago) and the Windows
Firewall did that.

The typical setup was a network with multiple subnets/VLANs and a
firewall/NAT/VPN box. The default gateway for the Internet and remote
VPN tunnels was the firewall, the default gateway for other VLANs was
the L3 switch that was doing the inter-VLAN routing. 

In theory, the host would send the traffic for a given destination; if
the traffic was for an inside VLAN, the firewall would send the redirect to
the host, forward the traffic to the L3 switch, and further traffic
would go directly to the L3 switch as a result of the ICMP redirect.
Before XP SP2 this was straightforward, a "route print" on the host
would indeed show the new route installed by the ICMP redirect.

In practice, after XP SP2, the result was that the firewall indeed sent
the redirect to the host, but since the host ignored it and kept sending
traffic to the wrong gateway, a large amount of firewall-to-L3-switch
traffic was present, effectively clogging the network at times.

Maintaining a correct routing table in hosts has always been the
Achilles' heel of networks with multiple gateways, which is why many
enterprise network operators tend to design a one-gateway solution.

Michel.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
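The exchange Michel describes (host sends to the firewall, firewall answers with an ICMP Redirect, host installs a host route towards the L3 switch), modelled as a small added example. This is not code from the post or from any product mentioned in it; the addresses, the toy Host class and the helper names are assumptions. The wire format is the RFC 792 Redirect (ICMP type 5), and the two acceptance checks are the ones RFC 1122 section 3.2.2.2 requires of a host: the redirect must come from the current first-hop gateway for that destination, and the new gateway must be on the directly connected subnet. The honor_redirects flag reproduces the post-SP2 behaviour where the host simply ignores the message.

```python
"""Toy model of an ICMP Redirect exchange between a host, a firewall and an
L3 switch.  Constructed example, not code from the mailing-list post; the
addresses, the Host class and the routing-table shape are assumptions."""
import ipaddress
import struct

ICMP_REDIRECT = 5
# RFC 792 redirect codes: network, host, TOS+network, TOS+host
CODE_NET, CODE_HOST, CODE_TOS_NET, CODE_TOS_HOST = 0, 1, 2, 3


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_header(src: str, dst: str, proto: int = 6, total_len: int = 40) -> bytes:
    """Minimal 20-byte IPv4 header (no options) for the datagram that triggers
    the redirect.  Identification/TTL values are arbitrary constructed values."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, 0x1234, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_redirect(new_gateway: str, original_datagram: bytes, code: int = CODE_HOST) -> bytes:
    """ICMP Redirect as the firewall would emit it: type, code, checksum,
    gateway address, then the IP header plus first 8 bytes of the datagram."""
    payload = original_datagram[:28]
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + payload
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_redirect(msg: bytes) -> dict:
    """Verify the checksum and extract the new gateway and the destination the
    redirect applies to (taken from the embedded IP header)."""
    if len(msg) < 8 + 20:
        raise ValueError("truncated ICMP message")
    if internet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", msg[:8])
    if icmp_type != ICMP_REDIRECT or code not in (CODE_NET, CODE_HOST, CODE_TOS_NET, CODE_TOS_HOST):
        raise ValueError("not an ICMP redirect")
    inner = msg[8:]
    return {"code": code,
            "gateway": ipaddress.IPv4Address(gw),
            "destination": ipaddress.IPv4Address(inner[16:20])}


class Host:
    """Toy host: one default route plus host routes learned from redirects."""

    def __init__(self, address: str, prefix: str, default_gateway: str):
        self.address = ipaddress.IPv4Address(address)
        self.network = ipaddress.IPv4Network(prefix)
        self.default_gateway = ipaddress.IPv4Address(default_gateway)
        self.host_routes = {}          # destination -> next hop (what "route print" would show)
        self.honor_redirects = True    # False models the post-XP-SP2 behaviour

    def next_hop(self, dst: str) -> ipaddress.IPv4Address:
        return self.host_routes.get(ipaddress.IPv4Address(dst), self.default_gateway)

    def receive_redirect(self, src: str, msg: bytes) -> bool:
        """Return True if the redirect was accepted and a host route installed."""
        if not self.honor_redirects:
            return False
        r = parse_redirect(msg)
        # RFC 1122 3.2.2.2: sender must be the current first hop for that destination
        if ipaddress.IPv4Address(src) != self.next_hop(str(r["destination"])):
            return False
        # ... and the new gateway must be on the directly connected subnet
        if r["gateway"] not in self.network:
            return False
        self.host_routes[r["destination"]] = r["gateway"]
        return True


def demo(honor_redirects: bool = True) -> list:
    """Replay the exchange from the post and return [accepted, hop1, hop2]:
    the next hop used before and after the firewall's redirect."""
    host = Host("10.1.1.50", "10.1.1.0/24", "10.1.1.1")   # firewall is .1 (assumed)
    host.honor_redirects = honor_redirects
    l3_switch, inside_dst = "10.1.1.2", "10.1.20.7"        # L3 switch .2, other inside VLAN
    hops = [str(host.next_hop(inside_dst))]                # first packet goes to the firewall
    pkt = build_ip_header(str(host.address), inside_dst) + b"\x00" * 8
    accepted = host.receive_redirect("10.1.1.1", build_redirect(l3_switch, pkt))
    hops.append(str(host.next_hop(inside_dst)))            # later packets: L3 switch, or still firewall
    return [accepted] + hops


if __name__ == "__main__":
    print("honouring redirects:", demo())
    print("ignoring redirects: ", demo(honor_redirects=False))
```

With honor_redirects set, the second lookup returns the L3 switch; with it cleared, every packet for the inside VLAN keeps going to the firewall, which is the firewall-to-L3-switch hairpin traffic the post describes. The two RFC 1122 checks are also why a redirect arriving from a host that is not the current gateway, or pointing at a gateway off the local subnet, is dropped rather than installed.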