Cisco 877 Load Balancing with external router

pcdoctorsg
Level 1

Hi,

I have a Cisco 877; the internet connection is on ATM0.1. I have a LAMP server running on my LAN, using NAT to point to the public IP. I also have 3 IP cameras and one DVR on NAT.

I wish to connect another external router which is running on 3G Wireless WAN. It is currently connected to FastEthernet3 and I configured the IP on the external router as 192.168.2.9.

I need advice on how to use both WANs to load balance.

My current config below (external IP not actual):

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname yourname

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 $1$UZcu$egNFkzSWzYU.TR3XDnzGp0

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

!

crypto pki trustpoint TP-self-signed-3618654819

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3618654819

revocation-check none

rsakeypair TP-self-signed-3618654819

!

!

crypto pki certificate chain TP-self-signed-3618654819

certificate self-signed 01


      quit

dot11 syslog

no ip source-route

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.2.1 192.168.2.9

ip dhcp excluded-address 192.168.2.51 192.168.2.254

!

ip dhcp pool ccp-pool1

   import all

   network 192.168.2.0 255.255.255.0

   dns-server 8.8.8.8 165.21.83.88

   default-router 192.168.2.1

!

!

ip port-map user-protocol--1 port tcp 3000

ip port-map user-SMTP587 port tcp 587

ip port-map user-RTSP port tcp 555

ip port-map user-AVcontrol port tcp 4321

ip port-map user-Kloxo2 port tcp 7778

ip port-map user-ezvpn-remote port udp 10000

ip port-map user-Kloxo port tcp 7777

ip port-map user-AVcontrol2 port tcp 4322

no ip bootp server

ip domain name yourdomain.com

ip name-server 8.8.8.8

ip name-server 165.21.83.88

!

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

parameter-map type regex ccp-regex-nonascii

pattern [^\x00-\x80]

password encryption aes

!

!

username admin privilege 15 secret 5 $1$U3/u$NMwNX.O3w0Jw7Ec0XbZAq1

username vpnuser privilege 15 secret 5 $1$.htH$f5yUSEZwT31bAwANxkm/R/

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 2

group 2

!

crypto isakmp client configuration group vpnuser

key 6 fPgXAHFIIH]fHeLOBKcOMHP`BaCTIMJLe

pool SDM_POOL_1

acl 100

crypto isakmp profile ciscocp-ike-profile-1

   match identity group vpnuser

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 7

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 43200

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1

connect auto

group vpnuser key 6 Gd`eaCVaRCeIGQSPhZaP\\KKdViK^TdBE

mode client

peer 203.121.240.119

virtual-interface 8

xauth userid mode interactive

!

!

crypto ctcp port 10000

archive

log config

  hidekeys

!

!

ip ftp username sedap.me

ip ftp password 7 115E4F51151705

ip tcp synwait-time 10

!

class-map type inspect match-all sdm-nat-http-4

match access-group 103

match protocol http

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-all sdm-nat-http-1

match access-group 102

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 105

match protocol user-protocol--1

class-map type inspect match-all sdm-nat-http-2

match access-group 103

class-map type inspect match-all sdm-nat-http-3

match access-group 104

match protocol http

class-map type inspect smtp match-any ccp-app-smtp

match  data-length gt 5000000

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect http match-any ccp-app-nonascii

match  req-resp header regex ccp-regex-nonascii

class-map type inspect match-any ccp-cls-insp-traffic

match protocol dns

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1

match protocol http

match protocol user-RTSP

match protocol user-AVcontrol

match protocol user-AVcontrol2

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

match protocol user-ezvpn-remote

class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT

match class-map SDM_EASY_VPN_REMOTE_TRAFFIC

match access-group 107

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any WebServer

match protocol imap

match protocol imaps

match protocol pop3

match protocol pop3s

match protocol smtp

match protocol ftp

match protocol ftps

match protocol http

match protocol https

match protocol ddns-v3

match protocol dns

match protocol dnsix

match protocol icmp

match protocol user-Kloxo

match protocol user-Kloxo2

match protocol user-SMTP587

class-map type inspect match-all sdm-nat--1

match access-group 106

match class-map WebServer

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 101

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method post

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  request port-misuse tunneling

match  req-resp protocol-violation

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect match-all ccp-protocol-smtp

match protocol smtp

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect sdm-nat-http-1

  inspect

class type inspect sdm-nat-http-2

  inspect

class type inspect sdm-nat-http-3

  inspect

class type inspect sdm-nat-user-protocol--1-1

  inspect

class type inspect sdm-nat--1

  inspect

class type inspect sdm-nat-http-4

  inspect

class class-default

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  reset

class type inspect http ccp-app-httpmethods

  log

  reset

class type inspect http ccp-app-nonascii

  log

  reset

class class-default

policy-map type inspect smtp ccp-action-smtp

class type inspect smtp ccp-app-smtp

  reset

class class-default

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

  reset

class class-default

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

  reset

class class-default

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

  service-policy http ccp-action-app-http

class type inspect ccp-protocol-smtp

  inspect

  service-policy smtp ccp-action-smtp

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-im

  drop log

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect SDM_EASY_VPN_REMOTE_PT

  pass

class class-default

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

!

!

!

interface Null0

no ip unreachables

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description $ES_WAN$$FW_OUTSIDE$

ip address 203.121.240.119 255.255.255.252

ip verify unicast reverse-path

no ip redirects

no ip unreachables

ip nat outside

ip virtual-reassembly

zone-member security out-zone

pvc 8/35

  protocol ip 203.121.240.118 broadcast

  encapsulation aal5snap

!

crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Virtual-Template7 type tunnel

ip unnumbered ATM0.1

no ip redirects

no ip unreachables

zone-member security ezvpn-zone

ip route-cache flow

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Virtual-Template8 type tunnel

no ip address

no ip redirects

no ip unreachables

zone-member security ezvpn-zone

ip route-cache flow

tunnel mode ipsec ipv4

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.2.1 255.255.255.0

no ip redirects

no ip unreachables

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip route-cache flow

ip tcp adjust-mss 1452

crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1 inside

!

ip local pool SDM_POOL_1 192.168.2.10 192.168.2.50

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 ATM0.1 2

!

ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface ATM0.1 overload

ip nat inside source static tcp 192.168.2.201 80 201.41.146.39 80 extendable

ip nat inside source static tcp 192.168.2.211 80 201.41.146.39 81 extendable

ip nat inside source static tcp 192.168.2.250 80 201.41.146.39 82 extendable

ip nat inside source static tcp 192.168.2.200 3000 201.41.146.39 3000 extendable

ip nat inside source static 192.168.2.240 201.41.146.99

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

!

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.2.0 0.0.0.255

access-list 2 remark HTTP Access-class list

access-list 2 remark CCP_ACL Category=1

access-list 2 permit 192.168.2.0 0.0.0.255

access-list 2 deny   any

access-list 100 remark CCP_ACL Category=4

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip host 255.255.255.255 any

access-list 101 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 permit ip 203.120.242.224 0.0.0.3 any

access-list 102 remark CCP_ACL Category=0

access-list 102 permit ip any host 192.168.2.201

access-list 103 remark CCP_ACL Category=0

access-list 103 permit ip any host 192.168.2.211

access-list 104 remark CCP_ACL Category=0

access-list 104 permit ip any host 192.168.2.250

access-list 105 remark CCP_ACL Category=0

access-list 105 permit ip any host 192.168.2.200

access-list 106 remark CCP_ACL Category=0

access-list 106 permit ip any host 192.168.2.240

access-list 107 remark CCP_ACL Category=128

access-list 107 permit ip host 203.121.240.118 any

no cdp run

!

!

!

control-plane

!

banner exec 

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you

want to use.

-----------------------------------------------------------------------

banner login  Authorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line vty 0 4

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end


rparames
Cisco Employee

Hello,

As I understand it, your setup would look like this:

LAN ------- Router 1 ------- ISP 1
               |
               ----- Router 2 ------- ISP 2

I would have 2 default routes on Router 1 (877).

Along with the one you have, include "ip route 0.0.0.0 0.0.0.0 192.168.2.9 0"

(since your first static route has no next hop specified and uses a directly connected interface, I have configured the admin distance to be 0)

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml

Now you need to have similar NAT translations on Router 2.

Note: We have to make sure the load balancing on the 877 is per destination and not per packet.

By default I think it is per destination.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094820.shtml

Regards,

Rahul

Hi,

The AD of a static route is always 1 whether the route points to an interface or a next-hop. AD of 0 is for directly connected routes. You can only set the AD of a static route between 1 and 255. If you could set it to 0 it would have been less than the actual route and so would have overridden the first route with a higher AD, which would only appear when this one with lower AD was down.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

When you include a static route without the next hop IP but specify the exit interface, its admin distance is equal to 0; it's treated like a directly connected interface.

Rack05R3#sh run | i ip route

ip route 0.0.0.0 0.0.0.0 Serial0/0/0

Rack05R3#sh ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C       10.1.1.0 is directly connected, Serial0/0/0

S*   0.0.0.0/0 is directly connected, Serial0/0/0

I change the route and specify next hop IP rather than exit interface

Rack05R3#sh running-config | i ip route

ip route 0.0.0.0 0.0.0.0 10.1.1.2

Rack05R3#show ip route

Gateway of last resort is 10.1.1.2 to network 0.0.0.0

C       10.1.1.0 is directly connected, Serial0/0/0

S*   0.0.0.0/0 [1/0] via 10.1.1.2    ----> SEE THE ADMIN DISTANCE IS 1

One thing I was wrong about here is that you cannot specify an admin distance of 0 when you configure a static route.

So " ip route 0.0.0.0 0.0.0.0 192.168.2.9 0 " is not a valid command. Thanks for pointing that out.

A couple of interesting observations I made:

Scenario 1)

Rack05R3#sh run | i ip route

ip route 0.0.0.0 0.0.0.0 10.1.1.2 10

ip route 0.0.0.0 0.0.0.0 Serial0/0/1 10

One of the routes has next hop, other has exit interface

Gateway of last resort is 10.1.1.2 to network 0.0.0.0

     20.0.0.0/30 is subnetted, 1 subnets

C       20.1.1.0 is directly connected, Serial0/0/1

     10.0.0.0/30 is subnetted, 1 subnets

C       10.1.1.0 is directly connected, Serial0/0/0

S*   0.0.0.0/0 [10/0] via 10.1.1.2

               is directly connected, Serial0/0/1

Black holes the traffic, as gateway 10.1.1.2 is reachable via S0/0/0, but the routing table shows

S*   0.0.0.0/0 [10/0] via 10.1.1.2

               is directly connected, Serial0/0/1

Scenario 2)

Rack05R3(config)#do sh run | i ip route

ip route 0.0.0.0 0.0.0.0 Serial0/0/1 10

ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10

Both use exit interface

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*   0.0.0.0/0 is directly connected, Serial0/0/1

               is directly connected, Serial0/0/0

Which will work

Scenario 3)

Both static route point to next hop IP

ip route 0.0.0.0 0.0.0.0 10.1.1.2

ip route 0.0.0.0 0.0.0.0 20.1.1.2

Gateway of last resort is 20.1.1.2 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 20.1.1.2

               [1/0] via 10.1.1.2

This works fine as well

Conclusion: We cannot have 2 static default gateways, one pointing to a next hop IP and another to an exit interface.

Coming to the original question as to how we can achieve load balancing:

The only way it would work is when you have 2 static routes

1) Point the existing default gateway to the next hop IP

ip route 0.0.0.0 0.0.0.0 X.X.X.X

2) Add another static route pointing to new router

ip route 0.0.0.0 0.0.0.0 192.168.2.9 

Exit interface with Ethernet is not recommended because the router will send out an ARP request for every new destination IP and the gateway must proxy reply for every destination.

Regards,

Rahul

Hi Rahul,

I disagree with you and you made the proof with scenario 1:

S*   0.0.0.0/0 [10/0] via 10.1.1.2

               is directly connected, Serial0/0/1

This means you have the 2 routes installed so they have the same AD which is one.

If you disable CEF as well as fast-switching you'll see per-packet load balancing with debug ip packet.

Your conclusion is not correct imho because all the scenarios you did install both routes in the routing table and a route pointing to a next-hop must do a recursive lookup to find the correct interface.

"Exit interface with ethernet is not recommended because the router will send out arp request for every new destination IP and the gateway must proxy reply for every destination"

Totally agree, a static route pointing to an interface should only be configured for point-to-point links; in the case of frame-relay this is still worse because there is no proxy inARP.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

I misread the output in scenario 1.

I remembered reading while preparing for my certification that when a static route points out of an exit interface rather than a next hop IP, it would select the exit interface as that had AD equal to that of a connected interface. But it looks like both have the same AD and both are programmed.

Verified it in my lab

Thanks Again

-Rahul
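
The behaviour the thread converges on (static routes with the same AD are both installed, a higher-AD static stays out of the table until the lower one is gone, and per-destination sharing keeps a flow on one path) can be modelled in a few lines. This is an added example, not part of any post above and not IOS code: `StaticRoute`, `installed_paths` and `pick_path` are hypothetical names, the hash is illustrative rather than the algorithm CEF uses, and the next hops are the ATM0.1 peer from the posted config and the 3G router address from the question.

```python
"""Toy model of static-route installation and per-destination sharing."""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    prefix: str      # e.g. "0.0.0.0/0"
    via: str         # next-hop IP (or exit interface name)
    ad: int = 1      # default administrative distance of a static route
    up: bool = True  # is the next hop / interface currently usable?

    def __post_init__(self):
        # The CLI accepts 1-255 for a static route; 0 belongs to connected routes.
        if not 1 <= self.ad <= 255:
            raise ValueError(f"invalid administrative distance {self.ad}")
        ipaddress.ip_network(self.prefix)  # raises on a malformed prefix


def installed_paths(routes, prefix="0.0.0.0/0"):
    """Return the paths the routing table would hold for `prefix`.

    Only usable routes with the lowest AD are installed, and ties are all
    installed. A higher-AD ("floating") static appears only when every
    lower-AD route for the prefix is unusable.
    """
    usable = [r for r in routes if r.prefix == prefix and r.up]
    if not usable:
        return []
    best = min(r.ad for r in usable)
    return [r.via for r in usable if r.ad == best]


def pick_path(paths, src, dst):
    """Per-destination sharing: hash the src/dst pair so a flow keeps one path.

    With a different NAT address behind each WAN, a flow that hopped between
    paths per packet would arrive from two source addresses and break.
    """
    if not paths:
        raise LookupError("no route")
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    digest = hashlib.sha256(key).digest()  # illustrative hash, not CEF's
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def demo():
    adsl = "203.121.240.118"  # ATM0.1 peer in the posted config
    g3 = "192.168.2.9"        # 3G router address from the question
    pfx = "0.0.0.0/0"
    equal = [StaticRoute(pfx, adsl), StaticRoute(pfx, g3)]
    floating = [StaticRoute(pfx, adsl), StaticRoute(pfx, g3, ad=10)]
    failover = [StaticRoute(pfx, adsl, up=False), StaticRoute(pfx, g3, ad=10)]
    paths = installed_paths(equal)
    # Constructed sample flows from one LAN host to documentation addresses.
    flows = {f"198.51.100.{i}": pick_path(paths, "192.168.2.20", f"198.51.100.{i}")
             for i in range(1, 9)}
    return {
        "equal_ad": paths,                       # both installed: load sharing
        "floating": installed_paths(floating),   # only the AD 1 route
        "failover": installed_paths(failover),   # AD 10 route takes over
        "flows": flows,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
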
