Switch not passing unknown subnets to default gateway

mfawehin
Level 1

Hi guys,

I have set up a couple of 3750's as edge switches replacing an HP device. However, even though I have specified a default route 0.0.0.0 to the firewall for all unknown subnets, the switch does not seem to be passing the traffic to the firewall, and I have now had to configure a load of static route statements pointing various subnets to the firewall to get people working. Internet traffic appears to be fine though.

It kinda defeats the purpose of implementing dynamic routing if I still have a stack of static routes on my devices!!

Any advice would be much appreciated.

Cheers,

Martha.

20 Replies

Hello Martha,

I think Andrew is right.

Your new primary default route points to some other device x.x.x.x,

so you need to leave the static routes configured to achieve the desired result.

It is not only a question of ip classless; the issue is that, if the default routes point to different next hops, the specific static routes cannot be removed.

Sorry for the misleading suggestion

Hope to help

Giuseppe

I'm sorry guys, I seem to be the one confusing you here.

The default route points to the firewall - ip route 0.0.0.0 0.0.0.0 10.17.127.200

As you might have noticed though, there is another default route configured, as I am trying to implement reliable static routing backup using object tracking. This default route points to one of our ISP routers, and this interface is tracked so traffic can be routed through a LES if the ISP goes down.

I don't know if this is messing something up, but the Cisco documentation suggested this could be done (i.e. have two default routes), or am I missing something here?

The primary default route and the static routes all point to the firewall to which the switch is directly connected.

I hope this helps clarify things.

Please let me know if my tracking is causing me the problems. Obviously I now know the ip classless would have caused issues before, but I have rectified that. I do not want to have the static routes in my config if it can be helped.

Cheers,

Martha.

Martha

I am guessing that the problem does involve the multiple default routes that are configured.

It is certainly possible to have 2 static default routes. And in fact you have configured 3 static default routes, with one of them a floating static default route. Let us be clear what the resulting behavior will be. I am inserting the configured routes as a point of reference:

ip route 0.0.0.0 0.0.0.0 X.X.X.X track 1

ip route 0.0.0.0 0.0.0.0 10.17.127.200

ip route 0.0.0.0 0.0.0.0 192.168.51.16 254

There are 2 normal default routes with one of them specifying next hop of 10.17.127.200, a second default route with next hop of x.x.x.x which is tracked, and a floating static default with next hop of 192.168.51.16.

So there are 2 active default routes and the behavior of the 3750 is to use both of them in a load sharing manner. The 3750 uses the default route when it is forwarding to a destination whose subnet does not appear in the routing table. So some traffic for these subnets will be forwarded to 10.17.127.200 (which is obviously a private address) and some of the traffic will be forwarded to x.x.x.x and your comment is that this is an ISP router. I believe that this means that you are forwarding some of your traffic with private addresses to your ISP router. Does the ISP router know how to route that traffic? For example there is a static route for 10.190.64.0/25. Is that one that you added to make some destination work? If you remove the static route then traffic to that destination could be sent to the ISP router. Can the ISP router get that traffic to the correct destination?

There is much about your environment that I do not understand. But it looks to me like you need some way to distinguish in your routing logic how to route to destinations that are within your enterprise and make sure that they are not sent to the ISP router.

HTH

Rick

Hi Rick,

Thanks for your very comprehensive response, I really appreciate it.

You are right, there is much in our environment that you do not understand.

The tracked interface is, as I mentioned, the ISP gateway, and what I want to achieve is for the outbound (Internet) traffic to go via the next hop router, 192.168.51.16, which is the LES switch connecting the site to a sister site, so all traffic will go through that site in the event of an ISP outage.

I expect you are probably confused by all the private IP addresses floating around, but it's because we are in the public sector and the ISP is aware of and routes these subnets accordingly.

I really just want to have the default route - 0.0.0.0/0 via 10.17.127.200, which is the firewall and on which we have defined all the rules for sending the specified traffic.

I however also need to have the tracked interface defined so the gateway of the ISP is tracked.

A floating default route pointing to my LES switch would mean it would only use this as a default route if the tracked interface was unavailable.

I am a tad confused to be honest, as I believe these multiple default routes are causing me the problems but can't figure out a way around it.

I think for now, I might remove all the default routes except for the one pointing to the firewall and deal with the tracking issue when I understand it more unless otherwise advised here.

Thanks for all the help so far, any further advice and direction will be much appreciated.

Cheers,

Martha.

Martha

I will start with these 2 statements from your post:

I really just want to have the default route - 0.0.0.0/0 via 10.17.127.200 which is the firewall and on which we have all the defined the rules for sending the specified traffic.

I however also need to have the tracked interface defined so the gateway of the ISP is tracked.

Perhaps you can explain for me why the tracked interface needs to have a default route pointed to it?

Then I will attempt to explain what I think is the major problem. First let me review a couple of basic concepts:

- a default route is configured to tell the router where to send traffic when the destination address of a packet can not be found in the routing table.

- it is certainly possible to configure two static default routes. But when we do configure two static default routes, it is assumed that both of the next hops have equivalent knowledge of how to route packets whose destination address is not found in the routing table.

- it seems pretty obvious that the default route pointing to the firewall gets you one set of results and that the default route pointing to the ISP router gets you different (and problematic) results.

- in that case, two static default routes are problematic.

How to solve the problem is difficult to figure out since so much of your topology and your environment is not known to us. I would suggest that it seems that both default routes work ok when the destination is in the Internet. Is that correct?

If so then the real problem is what to do when the unknown destination is an address that is within your Enterprise rather than being in the Internet. One way to resolve this is to configure static routes that summarize the address space that is within your Enterprise. In looking at what you posted it seems that many of the static routes are for subnets of network 10. So I would suggest that a static route like this:

ip route 10.0.0.0 255.0.0.0 10.17.127.200

would allow you to remove all the "extra" static routes that fall within network 10.

HTH

Rick
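To make the behaviour Rick describes concrete, here is an added Python model of how IOS installs static routes and resolves a destination by longest-prefix match. It is not code from the thread or from Cisco; it is a small simulation written for this page. It reproduces both of Rick's points: with the ISP default and the firewall default both at administrative distance 1, a destination that no more specific route covers is load-shared across the two next hops (the earlier post), and a 10.0.0.0/8 summary toward the firewall keeps network-10 destinations off the ISP path without a static per subnet (this post). The firewall address 10.17.127.200, the LES next hop 192.168.51.16 and the 10.190.64.0/25 static are from the thread; the ISP router (given as x.x.x.x) and the Internet destination are RFC 5737 documentation addresses assumed for the example. The model also shows a side effect worth checking on the real box: the floating route at distance 254 installs only when every distance-1 default is gone, so as long as the firewall default stays, the tracked ISP route going down never brings the LES route into play.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread; the ISP router was posted as x.x.x.x, so an
# RFC 5737 documentation address stands in for it here (assumption).
FIREWALL = "10.17.127.200"
LES = "192.168.51.16"
ISP = "192.0.2.1"                 # placeholder for x.x.x.x
INTERNET_HOST = "203.0.113.10"    # constructed Internet destination


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str
    distance: int = 1   # IOS administrative distance of a plain static route
    up: bool = True     # False models "track <n>" reporting its object down


def build_rib(routes):
    """Install routes the way IOS selects them: a tracked route whose object is
    down is withdrawn, and for each prefix only the candidates with the lowest
    administrative distance are installed. Equal-distance survivors become
    equal-cost paths that the switch load-shares across."""
    rib = {}
    for r in routes:
        if not r.up:
            continue
        installed = rib.get(r.prefix)
        if installed is None or r.distance < installed[0].distance:
            rib[r.prefix] = [r]
        elif r.distance == installed[0].distance:
            installed.append(r)
    return rib


def lookup(rib, destination):
    """Longest-prefix match. Returns the sorted next hops of the best prefix;
    more than one entry means the packet may be sent to any of them."""
    addr = ipaddress.IPv4Address(destination)
    best = None
    for prefix in rib:
        if addr in prefix and (best is None or prefix.prefixlen > best.prefixlen):
            best = prefix
    return [] if best is None else sorted(r.next_hop for r in rib[best])


def thread_routes(isp_up=True, firewall_default=True, specific=True, summary=False):
    """The three default routes posted in the thread, plus optionally the
    10.190.64.0/25 static Rick mentioned and the 10.0.0.0/8 summary he proposed."""
    net = ipaddress.ip_network
    routes = [
        StaticRoute(net("0.0.0.0/0"), ISP, 1, up=isp_up),   # ip route 0.0.0.0 0.0.0.0 X.X.X.X track 1
        StaticRoute(net("0.0.0.0/0"), LES, 254),            # ip route 0.0.0.0 0.0.0.0 192.168.51.16 254
    ]
    if firewall_default:
        routes.append(StaticRoute(net("0.0.0.0/0"), FIREWALL, 1))   # ip route 0.0.0.0 0.0.0.0 10.17.127.200
    if specific:
        routes.append(StaticRoute(net("10.190.64.0/25"), FIREWALL))
    if summary:
        routes.append(StaticRoute(net("10.0.0.0/8"), FIREWALL))     # ip route 10.0.0.0 255.0.0.0 10.17.127.200
    return routes


def next_hops(destination, **scenario):
    """Next hops the modelled switch would use for one destination in one scenario."""
    return lookup(build_rib(thread_routes(**scenario)), destination)


if __name__ == "__main__":
    scenarios = {
        "two defaults, /25 static kept": dict(),
        "two defaults, /25 static removed": dict(specific=False),
        "/25 removed, 10.0.0.0/8 summary added": dict(specific=False, summary=True),
        "ISP track down, firewall default kept": dict(isp_up=False),
        "ISP track down, only floating default left": dict(isp_up=False, firewall_default=False),
    }
    for name, kw in scenarios.items():
        print(name)
        for dst in ("10.190.64.5", "10.55.1.1", INTERNET_HOST):
            print(f"  {dst:>14} -> {next_hops(dst, **kw)}")
```

Run as a script, it prints one table per scenario. The second scenario is the thread's original symptom: with the per-subnet static gone, a host in 10.190.64.0/25 is sent to either default, so half the flows reach the ISP router. The third scenario is Rick's suggestion, and the last two show why the LES floating route is only ever used once no distance-1 default remains.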

Thanks again Rick. I was trying to put in a command that will track the ISP gateway and, in the event of an outage, pass all traffic to the LES. I will remove the 2nd static default route and review this setup.

I wish it was as simplistic as me sending all 10/16 addresses to the firewall, but it's not possible as some 10 network addresses do not traverse the firewall.

Anyhow, I really appreciate your help, and I'll remove the 2nd static default route pointed to the tracked interface and let you know how I get on.

Cheers,

Martha.