Default route

darmstrong
Level 1

Hello, I have a Cisco Cat 6503 switch/router with multiple VLANs. I have 3 ways that users can connect out to the internet via 3 firewalls. I would like to specify what order my users should connect out to the internet via these 3 FWs.

Can this be done via a default route? Someone suggested using weighted routes, but I don't know what that means?

Please help, thank you in advance...

8 Replies

Richard Burts
Hall of Fame

I believe that the weighted routes that they mentioned are what many of us call floating static routes. Normally a static route has a very attractive Administrative Distance of 1 which makes it more attractive than anything other than a connected interface. There is a feature in IOS to create a static route and assign an Administrative Distance greater than the default of 1. These static routes with AD greater than 1 are called floating static routes.

The way that you might use floating static routes would be something like this:

first create a static default route which would use firewall A:

ip route 0.0.0.0 0.0.0.0 <next hop address of firewall A>

then create a floating static default route which would use firewall B and have an AD greater than the first route:

ip route 0.0.0.0 0.0.0.0 <next hop address of firewall B> 10

the 10 after the next hop address is the AD.

Then create another floating static default route which would use firewall C and have an AD greater than the second route:

ip route 0.0.0.0 0.0.0.0 <next hop address of firewall C> 15

If you do this, then user traffic to outside will be directed to firewall A. And if that route fails, then traffic will be directed to firewall B. And if both of them fail then traffic will be directed to firewall C.

The weakness of this approach is in defining what kind of failure will cause the route to be withdrawn from the routing table. On an Ethernet interface the interface protocol must go down to force the route to be withdrawn from the table. So a situation could happen where there was a problem on firewall A and you really want traffic to go to B, but the switch still thinks that the route to A is ok and uses it. There is a solution for this in recent versions of IOS which is called static routes with object tracking. There are some good articles on it on the Cisco web site. This URL is one of them. Look particularly at sample configuration #2.

http://www.cisco.com/en/US/about/ac123/ac114/ac173/Q2-04/department_techtips.html

HTH

Rick
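
As an added example (not part of Rick's reply or of the Cisco article he links), here is what the three floating static default routes look like once the preferred one is tied to an object tracker, so that it is withdrawn when the path through firewall A stops working and not only when the switch interface goes down. It uses the firewall addresses Delmar gives later in the thread, 10.1.1.103 for firewall A and 10.1.1.101 for firewall B; the address for firewall C (10.1.1.102), the probe target 198.51.100.1 and the newer `ip sla` command syntax are assumptions.

```cisco
! --- Floating static defaults with object tracking (added example) ---
! Firewall A = 10.1.1.103 and B = 10.1.1.101 are from the thread.
! Firewall C = 10.1.1.102 and the probe target 198.51.100.1 are assumed.
!
! Probe something BEYOND firewall A (its upstream gateway, or a public
! address that is always reachable), not the firewall's inside interface:
! a ping answered by 10.1.1.103 only proves that the inside interface is
! up, not that the internet path through A works.
ip sla 1
 icmp-echo 198.51.100.1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Pin the probe to firewall A with a host route. Without it the probe
! would follow the default route, succeed through B after a failover,
! bring the tracker back up and reinstall the broken path through A.
ip route 198.51.100.1 255.255.255.255 10.1.1.103
!
! Declare the path down only after repeated misses, and wait longer
! before declaring it up again, to avoid flapping between firewalls
! (firewalls often rate-limit ICMP; make sure A permits the probe).
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Preferred default (AD 1) is removed from the table when track 1 goes
! down, even though the VLAN interface towards firewall A stays up/up.
ip route 0.0.0.0 0.0.0.0 10.1.1.103 track 1
!
! Floating statics for B and C. Only the surviving route with the lowest
! AD is installed; the others stay in the running-config only.
ip route 0.0.0.0 0.0.0.0 10.1.1.101 10
ip route 0.0.0.0 0.0.0.0 10.1.1.102 15
```

On the 12.2SX releases that run on the Catalyst 6500 the same probe is configured as `ip sla monitor 1` / `type echo protocol ipIcmpEcho 198.51.100.1` with `ip sla monitor schedule 1 life forever start-time now`, and the tracker as `track 1 rtr 1 reachability`. Check the result with `show track 1`, `show ip sla statistics 1` and `show ip route 0.0.0.0`, which prints the distance of whichever default route is installed at that moment. Note that each failover moves every session to a different stateful firewall, so established connections break when the route fails over and again when it fails back; the `delay` timers limit how often that happens but do not prevent it.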

Thanks Rick, that helps out a lot. What is the command to see what the current AD is for all my default routes? show ip route?

Delmar

I am glad that my answer is helpful.

Yes the command to see AD is show ip route. When you look at the display after the prefix are two numbers in square brackets like this [90/5012736] The first number is the AD and the second number is the metric.

Note that in some cases (especially for connected routes) the normal show ip route may not show the AD. But if you do show ip route <specific prefix> it will show the distance.

HTH

Rick

Thanks Rick, I apologize for being so green when it comes to the Cisco IOS and asking you these basic questions. I don't understand the '<next hop address>' part, what would the exact command be? My address for the FW is 10.1.1.103.

Also when I issue the command

ip route 0.0.0.0 0.0.0.0 10.1.1.103

then

ip route 0.0.0.0 0.0.0.0 10.1.1.101 10 (this disappears when I issue the show ip route command)

Thanks again for all your help.

Delmar

Being green is ok. We all have to start somewhere and this forum is a good place to ask this kind of question.

First let me explain that the behavior you are seeing (that the second static route (the floating static route) disappears - or does not show up in the routing table) is normal. The idea of floating static routes is that the static without specific AD will be put into the routing table and used. If that static route fails and is removed from the table, then the floating static to that destination with the next best AD will be inserted into the table. So in your case the route through 10.1.1.103 will be used and if it fails then the route through 10.1.1.101 will be placed into the routing table.

I am not sure that there is a command that will show the floating statics, other than the show running-config command which will show that they have been defined.

HTH

Rick

Thanks Rick, so what would be the exact command to show the AD for each of my default routes? What does this mean (<specific prefix>)? Attached are my options when I issue show ip route ?

Thanks again.

Delmar,

"Specific prefix" is just another way of referring to a particular network route and subnet mask combination or entry in a routing table.

"Show IP route" and just hit [Enter] will show you all the routes in the active routing table. Administrative Distances, if any, are shown in the output. It will not show you the AD of all the floating static routes, though, just the active one. To see the AD of the floating routes, look at your running-config for duplicate routes to the same destination, and note the metric after the next-hop IP address. "Show run | begin ip route " will do this for you. (Don't forget the space after the word "route " to begin at where the static routes are listed.)

If you're looking to selectively control which VLANs can go out to the Internet via what firewall(s) and in what order, what you might want to look into is Policy-Based Routing (PBR). This lets you route not only based on destination IP address, but also based on source IP address, or just about any other criteria that you can specify in an ACL. And you can specify next-hop information that forces the router to send traffic to a destination that is different from where it would normally send it based on info in the routing table.
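
As an added example of the PBR approach described above (not from the post itself or from Cisco), here is a per-VLAN policy that sends one VLAN out through firewall A first and another through firewall B first, while leaving internal traffic to the normal routing table. The firewall addresses 10.1.1.103 (A) and 10.1.1.101 (B) are from the thread; that VLAN 10 is 10.10.10.0/24, VLAN 20 is 10.10.20.0/24 and all internal address space lies inside 10.0.0.0/8 are assumptions.

```cisco
! --- Policy-based routing per VLAN (added example) ---
! Firewall A = 10.1.1.103 and B = 10.1.1.101 are from the thread.
! VLAN 10 = 10.10.10.0/24, VLAN 20 = 10.10.20.0/24 and an internal
! range of 10.0.0.0/8 are assumed.
!
! In a PBR ACL, "deny" means "do not policy-route this packet", so
! internal traffic falls through to the routing table. Without the deny
! lines, traffic between VLANs would also be sent to the firewall.
ip access-list extended PBR-VLAN10
 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended PBR-VLAN20
 deny   ip 10.10.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.10.20.0 0.0.0.255 any
!
! With several next hops listed, IOS uses the first one whose connected
! interface is up. If A and B sit on the same VLAN that interface never
! goes down when one firewall dies, so the second address is only a
! fallback against the firewalls being on separate interfaces.
route-map INET-VLAN10 permit 10
 match ip address PBR-VLAN10
 set ip next-hop 10.1.1.103 10.1.1.101
!
route-map INET-VLAN20 permit 10
 match ip address PBR-VLAN20
 set ip next-hop 10.1.1.101 10.1.1.103
!
! Packets that match no route-map clause are routed normally.
interface Vlan10
 ip policy route-map INET-VLAN10
interface Vlan20
 ip policy route-map INET-VLAN20
```

To get real failover between firewalls on the same VLAN, replace the `set ip next-hop` lines with `set ip next-hop verify-availability 10.1.1.103 10 track 1` (and a second line with sequence 20 for the other firewall and its own tracker), where the trackers are IP SLA reachability objects like the ones used for the floating static routes; that option needs an IOS release that supports tracked PBR next hops, which is an assumption about the 6503's software. Verify with `show route-map INET-VLAN10`, whose "policy routing matches" counters show whether the ACL is matching, and with `show ip policy`.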

I got it, thank you I really appreciate it.