general problem with bypass routing without routing protocol

Marsupilani
Level 1

I need some help with understanding...

The configuration:

RT1 and RT2 are layer 3 switches.
FW is a layer 3 firewall.

RT1 holds the networks (Range-1) of the range 10.0.0.0/17 and the connection to the internet (default way).
RT2 holds the networks (Range-2) of the range 10.128.0.0/17.

Each switch, RT1 and RT2, has only one physical interface in VLAN B.
These interfaces are directly connected.

The network which is used for VLAN B is part of Range-2!

There are 2 Ways between RT1 and RT2:

Way 1 (through the firewall):
0.0.0.0/0 <-> FW1 ... IP-Range 10.0.0.0/17 <-> RT1 <-> VLAN A <-> FW2 <-> VLAN C <-> RT2 <-> IP-Range 10.128.0.0/17

Way 2 (firewall bypass - should only be used temporarily):
0.0.0.0/0 ... IP-Range 10.0.0.0/17 <-> RT1 <-> VLAN B(direct cable) <-> RT2 <-> IP-Range 10.128.0.0/17

Target solution:
The goal is to be able to bypass FW2 by simply installing the direct-attach cable in VLAN B, without needing any further changes.

FW2:
int vlan A
ip 10.0.1.1 255.255.255.248
int vlan C
ip 10.128.2.1 255.255.255.248


RT1:
int vlan A
ip 10.0.1.2 255.255.255.248
int vlan B
ip 10.128.2.1 255.255.255.248

int VLAN Range-1(example)
ip 10.0.255.1 255.255.255.0

ip route 10.128.0.0 255.255.128.0 10.0.1.1 20 name by_FW_to_RT2
ip route 10.128.0.0 255.255.128.0 10.128.2.2 10 name FW_bypass


RT2:
int vlan C
ip 10.128.2.2 255.255.255.248
int vlan B
ip 10.128.2.2 255.255.255.248

int VLAN Range-2(example)
ip 10.128.255.1 255.255.255.0

ip route 0.0.0.0 255.255.128.0 10.128.1.1 20 name by_FW_to_RT1
ip route 0.0.0.0 255.255.128.0 10.128.2.1 10 name FW_bypass

The problem:
As long as the bypass is connected, everything works.
But when I disconnect the bypass on one side, the ethernet interface(s) and VLAN B go down, but the route of that way is still in the routing table.
Inside the routing table of RT1, the route to 10.128.0.0/17 still exists over 10.128.2.2!
As far as I understand it, the router tells me that it still has a way to 10.128.2.2, because of its static route 10.128.0.0/17 via 10.128.2.2.

The question:
Is there a way to force the router to remove routes from the forwarding table in case the directly connected network of the next hop is down?
The only idea I have so far is to use tracking of the interface, but is there a simpler way?


Sorry, can you draw the topology?

Thanks 

MHM

[attached image: Marsupilani_0-1715851437473.png]

Here is a quick draw...

You use static routes, and static routes, unlike IGP protocols, do not use Hello messages,
so the only solution here is using IP SLA tracking in both L3SWs to prevent a blackhole when the far link is down.

MHM

Because of the direct cable, when I disconnect it on one side, the other side goes down too, even the VLAN on both sides. So why is the route not removed?

In RT2 the IP SLA tracks VLAN A, and this track is used in the static route (VLAN C).
This way, if the far VLAN A is down, the RT detects it and shifts traffic toward VLAN B.

And the same for RT1: the IP SLA tracks VLAN C, and this track is used in the static route (VLAN A).

This way both RT1/2 detect the far-end link down and shift traffic to VLAN B.


Still waiting for your reply?

MHM

I will do several tests next week. If the hint with 'interface routing' works, it will be the simplest solution.

update me

Thanks

MHM

Giuseppe Larosa
Hall of Fame

Hello @Marsupilani ,

You can try to add Vlan-B in each of the static routes used for bypass; by specifying both the interface and the IP next-hop you should be able to achieve the desired behaviour.

Warning: this has to be checked by performing tests.

Hope to help

Giuseppe
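To show why the next-hop-only bypass route survives the VLAN B outage and how the fully specified form suggested above behaves differently, here is a small Python model of RT1's routing table from the original post (an added example, not code from the thread or from Cisco IOS). It is a deliberately simplified resolution model, not IOS's actual algorithm: a next-hop-only static route stays installed while its next hop falls inside any connected or configured static prefix, a fully specified one only while its interface is up; interface names and the /29 subnets are taken from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Static:
    prefix: str                   # destination, e.g. "10.128.0.0/17"
    next_hop: str                 # IP next hop
    ad: int                       # administrative distance, lower wins
    iface: Optional[str] = None   # set => fully specified route (interface + next hop)

def covered(prefixes, addr):
    """True if addr falls inside any of the given prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def build_rib(connected, statics, up_ifaces):
    """Simplified RIB (assumption: not IOS's real algorithm).

    connected: {interface: prefix}. Returns {prefix: (via, ad)}; 'via' is the
    interface for connected routes and the next hop for static routes.
    """
    rib = {pfx: (ifc, 0) for ifc, pfx in connected.items() if ifc in up_ifaces}
    # A recursive (next-hop-only) static resolves through live connected routes or
    # any configured static prefix. This is what keeps the bypass route alive:
    # 10.128.2.2 lies inside 10.128.0.0/17, the very prefix the route is for.
    resolvable = set(rib) | {s.prefix for s in statics}
    for s in sorted(statics, key=lambda s: s.ad):
        if s.prefix in rib and rib[s.prefix][1] <= s.ad:
            continue                               # a better route is already installed
        if s.iface is not None:
            if s.iface in up_ifaces:               # fully specified: needs the interface up
                rib[s.prefix] = (s.next_hop, s.ad)
        elif covered(resolvable, s.next_hop):      # next-hop only: recursive lookup
            rib[s.prefix] = (s.next_hop, s.ad)
    return rib

# RT1 as described in the post: Vlan A 10.0.1.2/29, Vlan B 10.128.2.1/29, Range-1 example.
RT1_CONNECTED = {"Vlan A": "10.0.1.0/29", "Vlan B": "10.128.2.0/29", "Vlan Range-1": "10.0.255.0/24"}
TO_RT2 = "10.128.0.0/17"
NEXT_HOP_ONLY = [Static(TO_RT2, "10.0.1.1", 20), Static(TO_RT2, "10.128.2.2", 10)]
FULLY_SPECIFIED = [Static(TO_RT2, "10.0.1.1", 20, "Vlan A"), Static(TO_RT2, "10.128.2.2", 10, "Vlan B")]

def route_to_rt2(statics, vlan_b_up):
    """Next hop RT1 uses for 10.128.0.0/17 with the bypass cable present or unplugged."""
    up = {"Vlan A", "Vlan Range-1"} | ({"Vlan B"} if vlan_b_up else set())
    return build_rib(RT1_CONNECTED, statics, up)[TO_RT2][0]

if __name__ == "__main__":
    for name, statics in (("next-hop only", NEXT_HOP_ONLY), ("fully specified", FULLY_SPECIFIED)):
        print(name, "Vlan B up:", route_to_rt2(statics, True), "down:", route_to_rt2(statics, False))
```

With the next-hop-only routes the model keeps sending 10.128.0.0/17 to 10.128.2.2 even after VLAN B is down, matching the symptom in the post; with the interface named in the route the firewall path via 10.0.1.1 takes over.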


andrewsjerry432
Level 1

Thanks for the understanding 

Which static route are you talking about, the one via the FTD or the direct one?

MHM
