Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8325
Views
5
Helpful
4
Replies

how to add static route using the router's wan interface ip address as the next hop

jomo frank
Level 1
Level 1

‎11-21-2012 01:13 PM - edited ‎03-07-2019 10:11 AM

Hello expert,

I trying to install a static route to my head office from spoke router using the name of the interface as the next hop router but this is not working because of arp resolution issues.

When i tried to use the ip address of the wan interface (10.30.XX.24) as the next hop the following error message is displayed

next hop ip address matches with the router's interface ip address

I want the traffic between my spoke and hub ( central office) to remain encrypted, hence I did not use the next hop address as the ip Address of the central router (10.30.xx.11)

I know if i do so the packets from spoke thru the default route will not be encrypted.

HOW CAN I USE MY SPOKE ROUTER WAN IP ADDRESS AS THE NEXT HOP INSTEAD OF THE NAME OF THE INTERFACE SO AS TO PREVENT THE ARP ISSUES

the default route below Is what i would like to achieve.

I ip route 0.0.0.0 0.0.0.0 10.30.XX.24 permanent

SPOKE ROUTER WAN INTERFACE

--------------------------------------

interface FastEthernet0/1

description P2P Interface$ETH-WAN$

ip address 10.30.XX.24 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

duplex auto

speed auto

no mop enabled

crypto map SDM_CMAP_2

Regards

Labels:
0 Helpful
4 Replies 4

Peter Paluch
Cisco Employee
Cisco Employee

‎11-21-2012 03:56 PM

Hello,

The static IP route with the next-hop IP address you are trying to configure is not valid because it points back to the same router you are configuring. If the router accepted this static route, it would cause a routing loop. It is logical, then, that the router refuses to accept your command.

However, you should be able to use the IP of 10.30.XX.11 as the next-hop address without any problems. You are saying that you want the traffic to remain encrypted. Rest assured - it will remain encrypted. The encryption in your configuration is controlled by a crypto map placed on the Fa0/1 interface. As long as the traffic is routed out that interface, regardless of what exact data the routing table contains, it will be encrypted according to the SDM_CMAP_2 crypto map configuration.

Best regards,

Peter

0 Helpful

Muhammad Thanveer
Level 5
Level 5
In response to Peter Paluch

‎11-21-2012 09:01 PM

Hi jomo,

Adding my two cents to what Peter has said,

You can write a static route basing upon the next hop ip address or the exit interface, both of them are fine. In static routing make sure that you have a complete topology known.

When matter comes to encryption:

Crypto map—This is a Cisco IOS software configuration entity that performs two primary functions. First, it selects data flows that need security processing. Second, it defines the policy for these flows and the crypto peer that traffic needs to go to.

A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPsec.

Now as said by Peter:

The encryption in your configuration is controlled by a crypto map placed on the Fa0/1 interface. As long as the traffic is routed out that interface, regardless of what exact data the routing table contains, it will be encrypted according to the SDM_CMAP_2 crypto map configuration.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

http://www.cisco.com/en/US/docs/ios/11_2/security/configuration/guide/2cencryp.html

Links provide may be useful to you.

Please dont forget to rate the helpful posts.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee
In response to Muhammad Thanveer

‎11-22-2012 03:29 AM

Hello Muhammad,

You can write a static route basing upon the next hop ip address or the exit interface, both of them are fine.

From the routing standpoint, this is true. However, if you specify a static route only using exit interface and that interface is a multiaccess interface like Ethernet, you get into problems: the router will treat the route as directly connected and will ARP for each destination IP address. This will result in large ARP tables and large ARP traffic, and ultimately, if the next hop router is not running ProxyARP, the ARP queries sent by your router won't be replied to and the routing will fail. This is what Jomo has probably indicated in his original post.

I often point this out. We've even see threads here on CSC where people complained about their routers rebooting intermittently, and the cause was basically memory exhaustion caused by excessive ARP tables because their default route was pointing out Ethernet interface without specifying next hop IP.

Best regards,

Peter

Muhammad Thanveer
Level 5
Level 5
In response to Peter Paluch

‎11-22-2012 03:39 AM

Dear Peter,

I would like to thank you for the information provided. I will consider this as one of the important this which I have learnt from the community.

I mean it.

While posting the information some where in my mind pointing towards what you have explained so the reason I wrote

In static routing make sure that you have a complete topology known along with what I have included.

Thanks once again

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card