Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3710
Views
25
Helpful
10
Replies

Route same subnet but to two different sub-interfaces on ASA?

Go to solution
CiscoBrownBelt
Level 6
Level 6

‎08-25-2020 07:49 PM

So I am trying to add an additional route for subnet 10.10.10.0 which points to another sub-interface.

Existing route statement is let's say route Outside_1 10.10.10.0 255.255.255.0 5.5.5.1 and I try to add:

route Outside_2 10.10.10.0 255.255.255.0 6.6.6.1 however receive the error " Cannot add route entry, conflict with existing routes".

Obviously there is a conflict however the 5.5.5.1 is an SVI on Catalyst switch assigned to VRF_A and 6.6.6.1 is SVI assigned to VRF_B which both are used to route to same customer. Customer wants this second subnet reachable via their secondary connection which the VRF_B is used for. Are there any workarounds to do this since the ASA won't let me add another route for same subnet and does not support VRFs?

0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to CiscoBrownBelt

‎08-26-2020 07:48 PM

Let's assume g0/1 and g0/2 are your interfaces and the zone name would be test:

zone test
!
interface gigabitethernet0/1
zone-member test
interface gigabitethernet0/2
zone-member test

Then you can have multiple same prefix routes (ECMP) configured.

To have 2 different routes with different AD and sla monitor, you don't need the zone. Here a official doc showing how it works and how to implement: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to CiscoBrownBelt

‎08-28-2020 03:25 PM

You can always try to build an SLA to track an IP on that subnet.

If you don't want to do that and want to have 2 routes with equal cost then zone will be the best solution.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to CiscoBrownBelt

‎09-01-2020 08:15 PM

You could do some nat config but it will be more complex than playing with zone or a simple sla.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to CiscoBrownBelt

‎09-03-2020 04:28 PM

You can have a access-list per interface without pb.

Adding a 2nd route towards the same interface will work if the next hop is reachable through that same interface and also ASA must know that 6.6.6.1 is reachable through the outside_1 interface


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

10 Replies 10

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎08-25-2020 08:39 PM

Hi

ECMP isn't supported on different interfaces on asa.
Do you want the second route to be active only when primary is down? If yes, you can attach a sla monitor to three 1st route and configure the second route with a higher AD.

If you want them to be active at the same time, then you need to create a zone under which you'll sign these 2 interfaces and finally you'll be able to implement ECMP in a zone (limitation is 3 interfaces max per zone for ECMP).

If you need help on configuration example, let me know.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to Francesco Molino

‎08-26-2020 06:25 AM

Yes if you don't mind could you give me examples of the ip sla and zone configs that way I know I can get my stuff right? Appreciate all your help!
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to CiscoBrownBelt

‎08-26-2020 07:48 PM

Let's assume g0/1 and g0/2 are your interfaces and the zone name would be test:

zone test
!
interface gigabitethernet0/1
zone-member test
interface gigabitethernet0/2
zone-member test

Then you can have multiple same prefix routes (ECMP) configured.

To have 2 different routes with different AD and sla monitor, you don't need the zone. Here a official doc showing how it works and how to implement: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to Francesco Molino

‎08-27-2020 12:01 PM

Awesome thanks

0 Helpful

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to Francesco Molino

‎08-27-2020 12:58 PM

Question, what if I don't really have a pingable IP to track on the customer's end to track the primary connection if I choose to do SLA. If I don't use the SLA and just add another route destined for different interface but using just a higher AD that would never get used correct? My only other option would be to implement zones correct?

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to CiscoBrownBelt

‎08-28-2020 03:25 PM

You can always try to build an SLA to track an IP on that subnet.

If you don't want to do that and want to have 2 routes with equal cost then zone will be the best solution.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to Francesco Molino

‎09-01-2020 08:12 AM

Also, could I also accomplish this by batting? Perhaps natting that destination ip as it enters that 2nd interface or no?

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to CiscoBrownBelt

‎09-01-2020 08:15 PM

You could do some nat config but it will be more complex than playing with zone or a simple sla.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to Francesco Molino

‎09-03-2020 06:03 AM - edited ‎09-03-2020 06:22 AM

Thanks.

One other question:

Each zone still uses the ACL/policies configured for the interface it is assigned to correct? Basically I only want that particular customer subnet 10.10.10.0 to be reachable via those two interfaces/zones and nothing else.

 

Without creating zones, could I just create another route statement but point to use the same interface, but change the destination to the VRF_B interface on the switch:

so I would have route Outside_1 10.10.10.0 255.255.255.0 5.5.5.1 (5.5.5.1 is VRF_A)

route Outside_1 10.10.10.0 255.255.255.0 6.6.6.1 (VRF_B)

 

Would that work properly without using SLA? I am not sure it would if the customer only plans to use their other connection that VRF_B has connectivity to as a backup or something if their primary goes down.

 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to CiscoBrownBelt

‎09-03-2020 04:28 PM

You can have a access-list per interface without pb.

Adding a 2nd route towards the same interface will work if the next hop is reachable through that same interface and also ASA must know that 6.6.6.1 is reachable through the outside_1 interface


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card