Static routes

jason-linden
Level 1

I am trying to set up a static default route for internet access. Router A has an fa0/0 interface (10.0.0.6) and a serial interface (10.0.3.202). We have a Pix, 10.0.0.1, which handles all of our internet access. So I have a static route (ip route 0.0.0.0 0.0.0.0 10.0.0.1) and this works fine. What I would like to do is set up a second route to point to 10.0.3.201, which is the other side of the serial interface; that router has an internet connection as well, in case the ethernet interface on our pix goes down, to connect to the internet over the serial link. So what I did was add another static route with a higher metric (ip route 0.0.0.0 0.0.0.0 10.0.3.201 200). This didn't work because the router still tried to send the traffic to 10.0.0.1.

Anyone have any ideas on how to resolve this? BTW we are running EIGRP on all of our routers.

Thanks!!

12 Replies

thisisshanky
Level 11

Can you input some of the relevant configs, and also update us with the topology a bit more. How many routers are there in your network? Does the PIX outside interface connect to a router (internet gateway) running EIGRP? Please provide more details, along with the IOS versions.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Answers to your Questions:

We have approx. 30 routers on our network; 26 connect to the internet via Pix B and the other 4 (Router B and the 3 routers connecting to the s0/0 sub-interfaces .10, .11, .12)

You can see from the topology below that the outside interface on the Pix is connected to the internet gateway. That router is not running EIGRP; it is just using static routes.

Here is the topology:

Internet
  |
Router A (serial x.x.x.93, ethernet x.x.x.193, IOS ver 11.2)
  |
Pix A (Outside x.x.x.196, inside 10.0.0.1, PIX OS 6.2.2)
  |
Router B (Serial 0/0.1 10.0.3.201, FA0/0 10.0.0.6, IOS ver 12.2.6g)
  |
Router C (Serial0/0.15 10.0.3.202, E0/0 10.0.22.6, IOS ver 12.2.6g)
  |
Pix B (Outside x.x.x.84, inside 10.0.22.1, PIX OS 6.2.2)
  |
Router D (fa0/0 x.x.x.83, serial0/0 x.x.x.34, IOS unknown; this is a managed router we do not have access to.)
  |
Internet

Router B Relevant Config

    interface FastEthernet0/0
     ip address 10.0.0.6 255.255.255.0
     no ip directed-broadcast
     duplex auto
     speed auto
    !
    interface Serial0/0
     no ip address
     no ip directed-broadcast
     encapsulation frame-relay IETF
     no ip mroute-cache
     no fair-queue
     frame-relay lmi-type ansi
    !
    interface Serial0/0.1 point-to-point
     description S0/0.1: DLCI 201 to RTRAKR01 S0/0.15 DLCI 30
     bandwidth 256
     ip address 10.0.3.202 255.255.255.252
     no ip directed-broadcast
     frame-relay interface-dlci 30 IETF
    !
    interface Serial0/0.10 point-to-point
     description s0/0.10: DLCI 201 to RTRMEX01MX S0/0.1 DLCI 210
     bandwidth 64
     ip address 10.0.3.205 255.255.255.252
     no ip directed-broadcast
     frame-relay interface-dlci 210 IETF
    !
    interface Serial0/0.11 point-to-point
     description s0/0.11: DLCI 201 to RTRGUA01MX S0/0.1 DLCI 211
     ip address 10.0.3.209 255.255.255.252
     no ip directed-broadcast
     frame-relay interface-dlci 211 IETF
    !
    interface Serial0/0.12 point-to-point
     description s0/0.12: DLCI 201 to RTRMON01MX S0/0.1 DLCI 212
     bandwidth 64
     ip address 10.0.3.213 255.255.255.252
     no ip directed-broadcast
     frame-relay interface-dlci 212 IETF
    !
    router eigrp 500
     redistribute static
     network 10.0.0.0
     no auto-summary
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.0.0.1
    ip route 0.0.0.0 0.0.0.0 10.0.3.201 200
    ip route 10.0.242.0 255.255.255.0 10.0.0.1
    ip tacacs source-interface FastEthernet0/0
    no ip http server

Router C Relevant Config

    ip subnet-zero
    ip cef
    ip cef accounting per-prefix non-recursive
    !
    !
    interface Ethernet0/0
     ip address 10.0.22.6 255.255.255.0
     ip helper-address 10.0.22.14
     no ip redirects
     ip load-sharing per-packet
     full-duplex
    !
    interface Serial0/0
     description : DLCI 30 at Corporate
     bandwidth 1544
     no ip address
     encapsulation frame-relay IETF
     no ip mroute-cache
     no fair-queue
     cdp enable
    !
    interface Serial0/0.15 point-to-point
     bandwidth 256
     ip address 10.0.3.201 255.255.255.252
     frame-relay interface-dlci 201 IETF
    !
    router eigrp 500
     redistribute static
     passive-interface FastEthernet1/0
     network 10.0.0.0
     no auto-summary
     eigrp log-neighbor-changes
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.0.22.1
    ip route 0.0.0.0 0.0.0.0 10.0.3.202 200
    ip route 10.0.241.0 255.255.255.0 10.0.22.1
    ip route 192.168.1.0 255.255.255.0 10.0.22.1

Thank you!!

Hi,

Change your second default route as follows.

On router B:

    ip route 0.0.0.0 0.0.0.0 10.0.3.202 200

(you have given 10.0.3.201 (router B itself) as nexthop)

On router C:

    ip route 0.0.0.0 0.0.0.0 10.0.3.201 200

(you have given 10.0.3.202 (router C itself) as nexthop)

This should work.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

This didn't work... In the router when I type 'sh ip route 0.0.0.0' it shows:

    RTRSAN01MX#sh ip route 0.0.0.0
    Routing entry for 0.0.0.0/0, supernet
      Known via "static", distance 1, metric 0, candidate default path
      Redistributing via eigrp xxx
      Advertised by eigrp
      Routing Descriptor Blocks:
      * 10.0.0.1
          Route metric is 0, traffic share count is 1

It shows this whether or not 10.0.0.1 is available. I thought if it is not available it should go to the route with the next highest metric. Correct?

Thanks!

I didn't understand your last question?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

I made the changes you suggested...

When I pulled the plug on the Pix the traffic did not reroute to the serial interface, 10.0.3.202. From what I can see, the reason is that the 10.0.0.6 router still had 10.0.0.1 as the default route in its routing table, even though 10.0.0.1 was not available, when it should have sent the traffic to 10.0.3.202.

Is this clearer?

Hi,

Try this instead.

    ip route 0.0.0.0 0.0.0.0 ethernet 0 (of router B)
    ip route 0.0.0.0 0.0.0.0 serial 0 200 (of router B)

Note that I have changed the next hop IP address to the next hop interface. This should work.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

This will not work because it will just send the traffic out the e0 interface but won't know where to go from there, i.e. it doesn't know how to get to the pix...

It will work, because the router just cannot send the packet out the ethernet interface. It will first send an ARP request, the PIX will respond back, and only then send the frame (packet) to the PIX. Check this configuration out.

Also, a very important point to note is the way you are testing it.

http://www.cisco.com/en/US/tech/tk13/tk133/technologies_tech_note09186a008009457d.shtml

Check this link out. There is a note on this link saying: "Note: When the primary route is a static route, the primary interface line protocol must go down for the floating static route to be used."

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

forbesl
Level 1

Try putting in a default-network statement on Router A and set a static route with a higher metric to that default network pointing towards 10.0.3.201. Shut fa0/0 down on Router A and see if your gateway of last resort changes in your routing table to the default-network.

d.scallion
Level 1

Your problem is EIGRP; EIGRP has a weight of 90, so when your static route is down EIGRP takes control. You need to reduce the weight from 200 to 50 and it should work.

vcjones
Level 5

This is a common problem. The static route to 10.0.0.1 will only go away if the router does not have a path to 10.0.0.1, but as long as Router A's fa0/0 interface is up, Router A thinks it has a path to the PIX. There is no way to solve this by adjusting route metrics. This is the same problem frequently discovered by users of frame relay networks, cable modems, VPNs, GRE tunnels, and other network channels where communications can be down even though the link layer protocol is up.

There are two general solutions to the problem. You can use a link layer protocol which can detect the situation (such as end-to-end keepalives on frame relay) or run a routing protocol through the link to detect if the link is working. In your case, there is no link protocol available for Ethernet which you can configure so you will need to use a routing protocol.

Your next choice is to determine what device Router A should run a routing protocol with. From the diagrams you have posted, you could run RIP with the PIX or run BGP through the PIX to your external router. The former is easier, albeit less robust, the latter allows you to switch to your backup route not only if the PIX dies (not very likely), but also if the external router fails, or if you set it up right, even if the external router's link to your ISP fails.

I personally am strongly against running any routing protocol on a firewall (dynamic routing and security tend to be in opposition), but if all you do is have the PIX broadcast a default route and filter router A to only accept a default route from the PIX via RIP, the security impact might be acceptable, but that depends upon your security policy. Be forewarned that a BGP-based solution, while more robust and less prone to security problems, requires a good knowledge of BGP routing principles, tricks and techniques. On the other hand, the BGP-based approach can protect you from any failure condition that your external router can detect, which could include connectivity problems inside your ISP if you are running BGP between your external router and your ISP.

See the white paper on configuring redundant firewalls on my web site for an extreme example of how you can route through firewalls without degrading your security. Lurkers should note that the same approach can also be used through IPSec tunnels. There is also a brief white paper discussing the various ways an external router can connect to an ISP to provide varying levels of protection against typical failure modes.

Good luck and have fun!

Vincent C. Jones

www.networkingunlimited.com
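To make the point of the last two replies concrete, here is an added model (not from the thread or from any poster) of how IOS chooses the gateway of last resort among several 0.0.0.0/0 candidates: a static route stays installed while the interface covering its next hop has line protocol up, regardless of whether the next-hop host answers, and the lowest administrative distance wins among the survivors. Addresses are Router B's from the posted config; the EIGRP-external default (AD 170) is an assumption, since Router C's config has "redistribute static".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    next_hop: str
    distance: int   # administrative distance: static 1, EIGRP external 170, floating static 200
    source: str

@dataclass(frozen=True)
class Interface:
    name: str
    network: str    # connected subnet (address/prefix of the interface)
    line_up: bool   # line protocol state: the only thing a static route's validity depends on

# Router B, taken from the config posted above.
ROUTER_B = [Interface("FastEthernet0/0", "10.0.0.6/24", True),
            Interface("Serial0/0.1", "10.0.3.202/30", True)]

# Candidate default routes. The EIGRP-external one is assumed to be learned from
# Router C, which redistributes its own static default; it is not in the posted output.
DEFAULTS = [Route("10.0.0.1", 1, "static"),
            Route("10.0.3.201", 200, "floating static"),
            Route("10.0.3.201", 170, "eigrp external (assumed, from Router C)")]

def next_hop_reachable(route, interfaces):
    """A static route stays in the table while some UP connected interface covers its
    next hop; whether the next-hop host (the PIX) actually answers is never checked."""
    nh = ip_address(route.next_hop)
    return any(i.line_up and nh in ip_network(i.network, strict=False) for i in interfaces)

def gateway_of_last_resort(candidates, interfaces):
    usable = [r for r in candidates if next_hop_reachable(r, interfaces)]
    return min(usable, key=lambda r: r.distance, default=None)

def simulate(fa0_0_line_up, candidates=DEFAULTS):
    """Return (next_hop, source) Router B installs for the given fa0/0 line state."""
    ifs = [Interface(i.name, i.network,
                     fa0_0_line_up if i.name == "FastEthernet0/0" else i.line_up)
           for i in ROUTER_B]
    best = gateway_of_last_resort(candidates, ifs)
    return (best.next_hop, best.source) if best else None

if __name__ == "__main__":
    # PIX unplugged but fa0/0 still up (it faces a switch): still 10.0.0.1, the symptom.
    print("fa0/0 up:", simulate(True))
    # fa0/0 shut: the AD-170 EIGRP route beats the AD-200 floating static.
    print("fa0/0 down:", simulate(False))
    # Without the EIGRP default the floating static is used only once fa0/0 is down.
    print("fa0/0 down, statics only:", simulate(False, DEFAULTS[:2]))
```

The first case is exactly why pulling the PIX's cable changed nothing in the poster's 'sh ip route' output; the second shows why lowering the floating static's distance below 170 matters once a redistributed default arrives via EIGRP.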