10-14-2022 07:15 AM
I'm working on a previously configured environment and trying to understand some of the flow of what is setup while reviewing Cisco documentation. Some of my confusion is on the relationships that "route-map" and "route" (static route) commands have to each other.
In the instance I'm looking at, there is an access-list defined for when to use the route-map. (NOTE: The IPs are example IPs to sanitize what is posted online.)
access-list USE-OUTBOUNDA extended permit ip any 10.0.0.0 255.255.255.0
Which is then later associated with a route-map.
I'm sure I'm not understanding a lot of what is configured here. I also find it odd that there are no track commands present on the static route options. However, I believe the part that confuses me the most is whether the "route-map" takes precedence over the "route" parameters, given there is no Metric defined.
I've been reading through this Cisco documentation trying to understand the relationships and precedence: https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/route-maps.html
Any guidance to help me understand this would be appreciated. Thanks!
10-14-2022 05:54 PM
Is there a policy route command on an interface in the asa run configuration?
10-14-2022 09:04 PM
The parts of the config posted suggest that this is an implementation of Policy Based Routing. Static routes are part of the normal establishment of routing logic for traffic being forwarded by the device. PBR provides a way to supersede the normal routing logic for certain traffic. Probably there is an ip policy configured on some interface that references this route map. The PBR would apply to traffic received on this interface that matches the acl used in the route map. Traffic received on other interfaces would not be affected by the PBR and would use the static routes.
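As an added illustration (not configuration taken from this thread), here is how the three pieces fit together on an ASA: the ACL selects the traffic, the route-map matches that ACL and sets a next hop, and the route-map is switched on per ingress interface with `policy-route route-map`, which is the ASA form of the interface command (IOS uses `ip policy`). Only the access-list line comes from the post; the route-map name, interface names, VLAN number, addresses, the second static route and the OSPF block are assumptions chosen for the example.

```cisco
! Added example configuration, not the poster's running config.
! Everything except the access-list line is assumed for illustration.

! 1. The ACL selects what traffic PBR will act on (line from the thread).
access-list USE-OUTBOUNDA extended permit ip any 10.0.0.0 255.255.255.0

! 2. The route-map ties the ACL to a forwarding decision.
!    Clause 10 matches the ACL and forces a next hop; packets that do not
!    match any clause fall through to the normal routing table.
route-map PBR-OUTBOUNDA permit 10
 match ip address USE-OUTBOUNDA
 set ip next-hop 203.0.113.1

! 3. PBR is enabled per ingress interface. Only packets arriving on an
!    interface carrying this command are evaluated against the route-map;
!    traffic entering any other interface never sees it.
interface GigabitEthernet0/1.10
 vlan 10
 nameif INSIDE-VLAN10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 policy-route route-map PBR-OUTBOUNDA

! 4. Static routes. The trailing number is the administrative distance.
!    For one prefix only the lowest-AD route is installed while its egress
!    interface is up; the other waits as a floating static.
route OUTSIDE-A 10.0.0.0 255.255.255.0 203.0.113.1 95
route OUTSIDE-B 10.0.0.0 255.255.255.0 198.51.100.1 100

! 5. OSPF. Routes it learns carry AD 110 unless that distance has been
!    changed, so a static with AD 95 or 100 to the same prefix still wins.
router ospf 1
 network 192.168.10.0 255.255.255.0 area 0
```

Two caveats worth knowing when reading a config like this. First, the ASA `route` command's CLI help labels the trailing number a "metric", but it is the administrative distance (default 1), which is what makes the "no metric defined" question confusing. Second, without `track` on the static routes (or `set ip next-hop verify-availability` with tracking in the route-map), failover only happens when the egress interface itself goes down; a next hop that is up but silently not forwarding keeps the route installed.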
10-15-2022 12:49 AM
Your main question was about how the access list/route map/PBR could provide an override of normal routing logic. And I focused on that in my first response. As I continue to think about your question it is interesting that both of the static routes specify an Administrative Distance (95 and 100) which suggests that the ASA might be learning a route to the network (10.0.0.0/24 or whatever it really is) via a dynamic routing protocol and that the static routes are to provide failover if the primary/dynamically learned route is removed from the routing table. Could that be the case?
10-17-2022 06:15 AM
The route-map is applied to multiple interfaces covering various VLANs as you suspected.
A "router ospf 1" is defined which I must admit I have no experience with. In my previous environment, we always let the ISPs manage their routers and we handled our firewalls with multi-ISP fail-over, concurrent traffic rules, bandwidth shaping, etc., as I stopped using Cisco ASAs years ago and switched over to Sophos. This new environment I am in has an interesting mix of things going on as well as other MSP equipment that throws a lot more complexity into the picture. This is definitely a different ballpark and I'm trying to play catch up figuring out what was configured before.
Reviewing the following documentation, I would think the "ospf" keyword would exist elsewhere on the interfaces.
https://www.networkstraining.com/how-to-configure-ospf-on-cisco-asa-firewall/
Given this is a MSP managed device, I have no CLI access to this device to even see what a "show ospf neighbor" command would produce without submitting a ticket to them.
10-15-2022 03:12 AM - edited 10-15-2022 07:51 AM
The link you shared explains a lot.
Now, a route-map is not used only for routing but also for:
redistribution between two different routing protocols; we can use a route-map to select which prefixes to redistribute and which not, and we can also use a route-map to adjust the metric type, etc.
changing some attributes in a BGP update message; we can use a route-map to adjust attributes like LP, weight, AS_PATH, etc.
In your link there is a static route, but the route-map is used for redistribution into EIGRP.
When you use a route-map under an interface to forward traffic, it is called PBR.
10-15-2022 07:46 AM - edited 10-15-2022 07:53 AM
You can use a route map to control distribution of routes into a dynamic routing protocol. But that is not the same as using PBR. PBR is used to provide an override on normal routing decisions. PBR is not used to control redistributing routes into a dynamic routing protocol or for changing attributes of the advertised routes. PBR is applied using the command ip policy under an interface or using ip local policy. How would you apply PBR to a routing protocol?
10-17-2022 10:53 AM
10-18-2022 09:04 AM
Thanks for the additional information. It is interesting that you have only very limited access to this ASA, and no ability to make changes on it. So let me try to put what we have discussed into some perspective. We have established that this ASA is doing PBR, that it has some static routes, and that (probably) it is running OSPF. A layer 3 device like this ASA can get routing information from multiple sources and generally there is a precedence about which route will be used. Many routes will be learned from a dynamic routing protocol running on the device (like OSPF) and those routes may be placed in the routing table. There may also be some routes learned from static routes that are configured. In general if the same route is learned by dynamic routing protocol and by static route then the static route is preferred and the route learned by the dynamic routing protocol is removed from the routing table. PBR provides a way to override the normal routing logic. If a packet to be forwarded matches the route map/access list used by PBR then the packet is forwarded by PBR and not by the routing table entry.
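To see which of those sources actually wins for a given destination, the following added set of ASA exec commands (not from the thread; the interface names and addresses are assumed) checks each layer in turn: what the route-map and interface configuration say, what the routing table holds after AD has been applied, whether the OSPF adjacency is up, and finally what the ASA would do with one real packet. The `!` lines are annotations, not commands.

```cisco
! Added verification steps, not from the thread; interface names and
! addresses are assumed for illustration.

! Which route-maps exist and which interfaces apply them.
show running-config route-map
show running-config interface GigabitEthernet0/1.10

! The single best route currently installed for a destination, shown with
! its source code (S static, O OSPF) and an [AD/metric] pair; a floating
! static with a higher AD does not appear here until the lower one is gone.
show route 10.0.0.5

! Confirm the adjacency the "router ospf 1" block depends on.
show ospf neighbor

! Simulate one packet entering the interface that carries policy-route.
! The phase list shows whether the route-map claimed the packet before the
! routing lookup, and which egress interface and next hop were chosen.
packet-tracer input INSIDE-VLAN10 tcp 192.168.10.20 40000 10.0.0.5 443

! Same destination from an interface without policy-route: this packet must
! follow the routing table, which is the contrast described above.
packet-tracer input INSIDE-VLAN20 tcp 192.168.20.20 40000 10.0.0.5 443
```

Running the two `packet-tracer` commands side by side is the quickest way to prove the precedence in practice: same destination, different ingress interface, and only the PBR interface's packet should leave via the route-map's next hop. All of these are read-only show and simulation commands, so they are reasonable to request through an MSP ticket when you have no CLI access yourself.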