11-21-2012 01:13 PM - edited 03-07-2019 10:11 AM
Hello expert,
I am trying to install a static route to my head office from the spoke router using the name of the interface as the next hop, but this is not working because of ARP resolution issues.
When I tried to use the IP address of the WAN interface (10.30.XX.24) as the next hop, the following error message is displayed:
next hop ip address matches with the router's interface ip address
I want the traffic between my spoke and hub (central office) to remain encrypted, hence I did not use the IP address of the central router (10.30.xx.11) as the next hop address.
I know if I do so the packets from the spoke through the default route will not be encrypted.
HOW CAN I USE MY SPOKE ROUTER WAN IP ADDRESS AS THE NEXT HOP INSTEAD OF THE NAME OF THE INTERFACE SO AS TO PREVENT THE ARP ISSUES
The default route below is what I would like to achieve.
ip route 0.0.0.0 0.0.0.0 10.30.XX.24 permanent
SPOKE ROUTER WAN INTERFACE
--------------------------------------
interface FastEthernet0/1
description P2P Interface$ETH-WAN$
ip address 10.30.XX.24 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_2
Regards
11-21-2012 03:56 PM
Hello,
The static IP route with the next-hop IP address you are trying to configure is not valid because it points back to the same router you are configuring. If the router accepted this static route, it would cause a routing loop. It is logical, then, that the router refuses to accept your command.
However, you should be able to use the IP of 10.30.XX.11 as the next-hop address without any problems. You are saying that you want the traffic to remain encrypted. Rest assured - it will remain encrypted. The encryption in your configuration is controlled by a crypto map placed on the Fa0/1 interface. As long as the traffic is routed out that interface, regardless of what exact data the routing table contains, it will be encrypted according to the SDM_CMAP_2 crypto map configuration.
Best regards,
Peter
11-21-2012 09:01 PM
Hi Jomo,
Adding my two cents to what Peter has said:
You can write a static route based upon the next hop IP address or the exit interface; both of them are fine. In static routing, make sure that you have a complete topology known.
When matter comes to encryption:
Crypto map—This is a Cisco IOS software configuration entity that performs two primary functions. First, it selects data flows that need security processing. Second, it defines the policy for these flows and the crypto peer that traffic needs to go to.
A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPsec.
Now as said by Peter:
The encryption in your configuration is controlled by a crypto map placed on the Fa0/1 interface. As long as the traffic is routed out that interface, regardless of what exact data the routing table contains, it will be encrypted according to the SDM_CMAP_2 crypto map configuration.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
http://www.cisco.com/en/US/docs/ios/11_2/security/configuration/guide/2cencryp.html
The links provided may be useful to you.
Please don't forget to rate the helpful posts.
Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
11-22-2012 03:29 AM
Hello Muhammad,
You can write a static route based upon the next hop IP address or the exit interface; both of them are fine.
From the routing standpoint, this is true. However, if you specify a static route only using exit interface and that interface is a multiaccess interface like Ethernet, you get into problems: the router will treat the route as directly connected and will ARP for each destination IP address. This will result in large ARP tables and large ARP traffic, and ultimately, if the next hop router is not running ProxyARP, the ARP queries sent by your router won't be replied to and the routing will fail. This is what Jomo has probably indicated in his original post.
I often point this out. We've even seen threads here on CSC where people complained about their routers rebooting intermittently, and the cause was basically memory exhaustion caused by excessive ARP tables because their default route was pointing out an Ethernet interface without specifying a next hop IP.
Best regards,
Peter
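Peter's point about interface-only static routes on a multiaccess link, modelled as a small simulation. This is an added example, not anything from the thread or from Cisco IOS; the subnet, the hub's proxy-ARP setting and the destination addresses are constructed for the demo, and the ARP behaviour is a simplified model of what the post describes.

```python
# Added example: minimal model of how a router resolves a static default route,
# contrasting "ip route 0.0.0.0 0.0.0.0 FastEthernet0/1" (exit interface only)
# with "ip route 0.0.0.0 0.0.0.0 <hub ip>" (next-hop IP). All values constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

WAN = ip_network("10.30.10.0/24")     # constructed stand-in for 10.30.XX.0/24
HUB_IP = ip_address("10.30.10.11")    # constructed stand-in for the hub router
SPOKE_IP = ip_address("10.30.10.24")  # constructed stand-in for spoke Fa0/1


def route_accepted(next_hop: IPv4Address) -> bool:
    """Mirror the IOS check from the thread: a next hop that is one of the
    router's own interface addresses is rejected (it would loop on itself)."""
    return next_hop != SPOKE_IP


@dataclass
class Spoke:
    next_hop: Optional[IPv4Address]   # None means "exit interface only"
    hub_proxy_arp: bool               # does the hub answer ARP for off-link hosts?
    arp_cache: dict = field(default_factory=dict)

    def _arp(self, target: IPv4Address) -> Optional[str]:
        # Simulated link: the hub replies for its own address, and for addresses
        # outside the WAN subnet only when proxy ARP is enabled on it.
        if target == HUB_IP or (self.hub_proxy_arp and target not in WAN):
            return "hub-mac"
        return None

    def forward(self, dst: IPv4Address) -> Optional[str]:
        """Return the MAC the packet is framed to, or None if resolution fails."""
        # Next-hop route: resolve the hub once and reuse it for every destination.
        # Interface-only route: the route is treated as directly connected, so the
        # router ARPs for each destination address itself (one cache entry each).
        target = self.next_hop if self.next_hop is not None else dst
        if target not in self.arp_cache:
            mac = self._arp(target)
            if mac is None:
                return None
            self.arp_cache[target] = mac
        return self.arp_cache[target]


def simulate(next_hop: Optional[IPv4Address], hub_proxy_arp: bool, n_dests: int = 200):
    """Forward n_dests packets to distinct off-link hosts (constructed 192.0.2.x);
    return (packets delivered, ARP cache size)."""
    spoke = Spoke(next_hop, hub_proxy_arp)
    dests = [ip_address("192.0.2.0") + i for i in range(n_dests)]
    delivered = sum(spoke.forward(d) is not None for d in dests)
    return delivered, len(spoke.arp_cache)
```

With a next-hop route the cache holds one entry regardless of destination count; with an interface-only route it grows by one entry per destination when the hub proxy-ARPs, and forwarding fails entirely when it does not.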
11-22-2012 03:39 AM
Dear Peter,
I would like to thank you for the information provided. I will consider this as one of the important things which I have learned from the community.
I mean it.
While posting the information, somewhere in my mind I was pointing towards what you have explained, which is the reason I wrote
"In static routing make sure that you have a complete topology known" along with what I had included.
Thanks once again
Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."