Route maps and set ip next-hop

Hey guys...been working on a real world solution using a route map and set ip next-hop. Here is the scenario. I've got a group of servers on a /24 subnet that all have the same default gateway (192.168.10.2) There are a few servers on this subnet that need to use 192.168.10.2 for private traffic but need to hit a firewall (192.168.10.1) to go out to the Internet.

I've written the route map and corresponding ACL to set the next hop only when the selected servers need to access the Internet. My concern is the possibility of a routing loop between the two gateways. Can I use route tagging to prevent this possibility similar to two way route redistribution?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

networker050184

I don't think a route tag would be of any use in this situation.

What makes you think there will be a loop? As long as the .1 device doesn't send the traffic back to the .2 device you should be ok.

It might just be easier to add routes on the server to point private address space to .1 and everything else to .2.

down77

If its just for a handful of servers it kind of sounds like you're over complicating the solution. At a previous environment we had a similar situation where all internal traffic had to use Gateway-1 and external traffic had to use Gateway-2. The solution we used was simple: create static routes on the server for all internal routes and set the default route to Gateway-2.

Example:

route add 192.168.1.0 mask 255.255.255.0 192.168.10.2
route add 192.168.2.0 mask 255.255.255.0 192.168.10.2
route add 0.0.0.0 mask 0.0.0.0 192.168.10.1

vinbuck

I'm still trying to verify that the two aren't pointed at each other and that there aren't any other routes that could cause a loop between the two. Both the router and the firewall carry an extremely large amount of public traffic with hundreds of entry/exit points, so sorting through it is taking a while.

Dual default routes on the servers aren't an option...can't really get into why without breaking NDA

networker050184

MississippiGuardsman wrote: »

Dual default routes on the servers aren't an option...can't really get into why without breaking NDA

You don't need dual defaults. Point private traffic at one and a single default to the other.

vinbuck

networker050184 wrote: »

You don't need dual defaults. Point private traffic at one and a single default to the other.

Let me re-phrase

can't be a server-side solution.

down77

networker050184 wrote: »

You don't need dual defaults. Point private traffic at one and a single default to the other.

Agreed. Private traffic to dedicated routes (Static or Dynamic mapping) and external traffic to the default route. Remembering one of the basic rules of routing "The longest match to a route prevails," this should work.

I'd still be more fun to attempt multiple default routes... gives you experience in troubleshooting packet loss as data is sent to the wrong default route. I learned this one the hard way many many years ago.