10-10-2002 04:53 PM - edited 03-02-2019 01:59 AM
I am trying to set up a static default route for internet access. Router A has an fa0/0 interface (10.0.0.6) and a serial interface (10.0.3.202). We have a Pix, 10.0.0.1, which handles all of our internet access. So I have a static route (ip route 0.0.0.0 0.0.0.0 10.0.0.1) and this works fine. What I would like to do is set up a second route pointing to 10.0.3.201, which is the other side of the serial interface (that router has an internet connection as well), so that if the ethernet interface on our Pix goes down we connect to the internet over the serial link. So what I did was add another static route with a higher metric (ip route 0.0.0.0 0.0.0.0 10.0.3.201 200). This didn't work because the router still tried to send the traffic to 10.0.0.1.
Anyone have any ideas on how to resolve this? BTW we are running EIGRP on all of our routers.
Thanks!!
10-10-2002 07:31 PM
Can you post some of the relevant configs, and also update us with the topology a bit more? How many routers are there in your network? Does the PIX outside interface connect to a router (internet gateway) running EIGRP? Please provide more details, along with the IOS versions.
10-11-2002 08:02 AM
Answers to your Questions:
We have approx 30 routers on our network, 26 connect to the internet via Pix B and the other 4 (Router B and the 3 routers connecting to the s0/0 sub-interfaces .10, .11, .12)
You can see from the topology below that the outside interface on the Pix is connected to the internet gateway. That router is not running EIGRP, it is just using static routes.
Here is the topology:
Internet
|
Router A (serial x.x.x.93, ethernet x.x.x.193, IOS ver 11.2)
|
Pix A (Outside x.x.x.196, inside 10.0.0.1, PIX OS 6.2.2)
|
Router B (Serial 0/0.1 10.0.3.201, FA0/0 10.0.0.6 IOS ver 12.2.6g)
|
Router C (Serial0/0.15 10.0.3.202, E0/0 10.0.22.6 IOS ver 12.2.6g)
|
Pix B (Outside x.x.x.84, inside 10.0.22.1, PIX OS 6.2.2)
|
Router D (fa0/0 x.x.x.83, serial0/0 x.x.x.34, IOS unknown; this is a managed router we do not have access to.)
|
Internet
Router B Relevant Config
interface FastEthernet0/0
 ip address 10.0.0.6 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description S0/0.1: DLCI 201 to RTRAKR01 S0/0.15 DLCI 30
 bandwidth 256
 ip address 10.0.3.202 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 30 IETF
!
interface Serial0/0.10 point-to-point
 description s0/0.10: DLCI 201 to RTRMEX01MX S0/0.1 DLCI 210
 bandwidth 64
 ip address 10.0.3.205 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 210 IETF
!
interface Serial0/0.11 point-to-point
 description s0/0.11: DLCI 201 to RTRGUA01MX S0/0.1 DLCI 211
 ip address 10.0.3.209 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 211 IETF
!
interface Serial0/0.12 point-to-point
 description s0/0.12: DLCI 201 to RTRMON01MX S0/0.1 DLCI 212
 bandwidth 64
 ip address 10.0.3.213 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 212 IETF
!
router eigrp 500
 redistribute static
 network 10.0.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.0.3.201 200
ip route 10.0.242.0 255.255.255.0 10.0.0.1
ip tacacs source-interface FastEthernet0/0
no ip http server
Router C Relevant Config
ip subnet-zero
ip cef
ip cef accounting per-prefix non-recursive
!
!
interface Ethernet0/0
 ip address 10.0.22.6 255.255.255.0
 ip helper-address 10.0.22.14
 no ip redirects
 ip load-sharing per-packet
 full-duplex
!
interface Serial0/0
 description : DLCI 30 at Corporate
 bandwidth 1544
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 cdp enable
!
interface Serial0/0.15 point-to-point
 bandwidth 256
 ip address 10.0.3.201 255.255.255.252
 frame-relay interface-dlci 201 IETF
!
router eigrp 500
 redistribute static
 passive-interface FastEthernet1/0
 network 10.0.0.0
 no auto-summary
 eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.22.1
ip route 0.0.0.0 0.0.0.0 10.0.3.202 200
ip route 10.0.241.0 255.255.255.0 10.0.22.1
ip route 192.168.1.0 255.255.255.0 10.0.22.1
Thank you!!
10-11-2002 08:11 AM
Hi,
Change your second default route as follows.
on router B,
ip route 0.0.0.0 0.0.0.0 10.0.3.202 200 (you have given 10.0.3.201 (router B itself) as nexthop)
on router C,
ip route 0.0.0.0 0.0.0.0 10.0.3.201 200 (you have given 10.0.3.202 (router C itself) as nexthop)
This should work.
10-11-2002 08:55 AM
This didn't work... In the router, when I type 'sh ip route 0.0.0.0' it shows:
RTRSAN01MX#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0, candidate default path
Redistributing via eigrp xxx
Advertised by eigrp
Routing Descriptor Blocks:
* 10.0.0.1
Route metric is 0, traffic share count is 1
It shows this whether or not 10.0.0.1 is available. I thought if it is not available it should go to the route with the next highest metric. Correct?
Thanks!
10-11-2002 09:05 AM
I didn't understand your last question?
10-11-2002 09:15 AM
I made the changes you suggested...
When I pulled the plug on the Pix, the traffic did not reroute to the serial interface, 10.0.3.202. From what I can see, the reason is that the 10.0.0.6 router still had 10.0.0.1 as the default route in its routing table, even though 10.0.0.1 was not available, when it should have sent the traffic to 10.0.3.202.
Is this clearer?
10-11-2002 09:19 AM
Hi,
Try this instead.
ip route 0.0.0.0 0.0.0.0 ethernet 0 (of router B)
ip route 0.0.0.0 0.0.0.0 serial 0 200 (of router B)
Note that I have changed the next hop IP address to the next hop interface. This should work.
10-11-2002 09:27 AM
This will not work because it will just send the traffic out the e0 interface but won't know where to go from there, i.e. it doesn't know how to get to the Pix...
10-11-2002 09:41 AM
It will work, because the router cannot just send the packet out the ethernet interface. It will first send an ARP request, the PIX will respond, and only then will it send the frame (packet) to the PIX. Check this configuration out.
Also, a very important point to note is the way you are testing it.
http://www.cisco.com/en/US/tech/tk13/tk133/technologies_tech_note09186a008009457d.shtml
Check this link out. There is a note on this link saying - "Note: When the primary route is a static route, the primary interface line protocol must go down for the floating static route to be used."
10-11-2002 09:49 AM
Try putting in a default-network statement on Router A and set a static route with a higher metric to that default network pointing towards 10.0.3.201. Shut fa0/0 down on Router A and see if your gateway of last resort changes in your routing table to the default-network.
10-15-2002 09:45 AM
Your problem is EIGRP, EIGRP has a weight of 90 so when your static route is down EIGRP takes control. You need to reduce the weight from 200 to 50 and it should work.
10-15-2002 06:17 PM
This is a common problem. The static route to 10.0.0.1 will only go away if the router does not have a path to 10.0.0.1, but as long as the router A's fa0/0 interface is up, router A thinks it has a path to the PIX. There is no way to solve this by adjusting route metrics. This is the same problem frequently discovered by users of frame relay networks, cable modems, VPNs, GRE tunnels, and other network channels where communications can be down even though the link layer protocol is up.
There are two general solutions to the problem. You can use a link layer protocol which can detect the situation (such as end-to-end keepalives on frame relay) or run a routing protocol through the link to detect if the link is working. In your case, there is no link protocol available for Ethernet which you can configure so you will need to use a routing protocol.
Your next choice is to determine what device Router A should run a routing protocol with. From the diagrams you have posted, you could run RIP with the PIX or run BGP through the PIX to your external router. The former is easier, albeit less robust; the latter allows you to switch to your backup route not only if the PIX dies (not very likely), but also if the external router fails, or if you set it up right, even if the external router's link to your ISP fails.
I personally am strongly against running any routing protocol on a firewall (dynamic routing and security tend to be in opposition), but if all you do is have the PIX broadcast a default route and filter router A to only accept a default route from the PIX via RIP, the security impact might be acceptable, but that depends upon your security policy. Be forewarned that a BGP-based solution, while more robust and less prone to security problems, requires a good knowledge of BGP routing principles, tricks and techniques. On the other hand, the BGP-based approach can protect you from any failure condition that your external router can detect, which could include connectivity problems inside your ISP if you are running BGP between your external router and your ISP.
See the white paper on configuring redundant firewalls on my web site for an extreme example of how you can route through firewalls without degrading your security. Lurkers should note that the same approach can also be used through IPSec tunnels. There is also a brief white paper discussing the various ways an external router can connect to an ISP to provide varying levels of protection against typical failure modes.
Good luck and have fun!
Vincent C Jones
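Added example, not part of the thread or any poster's code: a simplified Python model of the behaviour discussed above, using the addresses from the original question. It assumes a static route is a candidate only while its next hop lies in a connected network whose interface has line protocol up; the function names are hypothetical.

```python
import ipaddress

# Constructed model of the router in the original question (addresses from the thread).
INTERFACES = {
    "FastEthernet0/0": "10.0.0.6/24",
    "Serial0/0.1": "10.0.3.202/30",
}
# (next hop, administrative distance): primary via the PIX, floating backup via the serial peer.
STATIC_DEFAULTS = [("10.0.0.1", 1), ("10.0.3.201", 200)]


def installed_default(line_protocol_up):
    """Return the next hop of the default route the router installs.

    Simplified model: a static route is a candidate only while its next hop
    lies in a connected network whose interface has line protocol up.
    The router never checks whether the next-hop device itself answers.
    """
    connected = [ipaddress.ip_interface(addr).network
                 for name, addr in INTERFACES.items() if line_protocol_up[name]]
    candidates = [(distance, hop) for hop, distance in STATIC_DEFAULTS
                  if any(ipaddress.ip_address(hop) in net for net in connected)]
    # Lowest administrative distance wins; the 200 route only "floats" in
    # when the distance-1 route is no longer a candidate.
    return min(candidates)[1] if candidates else None


def outcome(line_protocol_up, reachable_hops):
    """Describe what happens to Internet-bound traffic in one failure scenario."""
    hop = installed_default(line_protocol_up)
    if hop is None:
        return "dropped: no default route"
    if hop in reachable_hops:
        return f"forwarded via {hop}"
    return f"black-holed: default still points at dead next hop {hop}"


if __name__ == "__main__":
    all_up = {"FastEthernet0/0": True, "Serial0/0.1": True}
    fa_down = {"FastEthernet0/0": False, "Serial0/0.1": True}
    print("healthy:        ", outcome(all_up, {"10.0.0.1", "10.0.3.201"}))
    print("PIX unplugged:  ", outcome(all_up, {"10.0.3.201"}))
    print("fa0/0 line down:", outcome(fa_down, {"10.0.3.201"}))
```

The middle scenario is the test performed in the thread: the PIX is dead but fa0/0 stays up, so the distance-1 route remains installed and traffic is black-holed.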