Next Hop Selection Process; Configuring Static And Default Routes - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Therefore, for regular dynamic outbound NAT, initial outgoing packets are routed using the route table and then create the XLATE. Incoming return packets are forwarded using existing XLATEs only. For static NAT, destination-translated incoming packets are always forwarded using the existing XLATE or the static translation rules.

Next Hop Selection Process

After the egress interface has been selected using any of the methods described above, an additional route lookup is performed to find a suitable next hop (or next hops) that belongs to the selected egress interface. If there are no routes in the routing table that explicitly belong to the selected interface, the packet is dropped with the level 6 error message 110001 "no route to host", even if there is another route for the destination network that belongs to a different egress interface. If a route that belongs to the selected egress interface is found, the packet is forwarded to the corresponding next hop.

Load sharing on FWSM is possible only across multiple next hops that are reachable through a single egress interface. Load sharing cannot be spread across multiple egress interfaces.

The behavior described above does not hold if either of the following conditions exists:

• If dynamic routing is in use on FWSM and the route table changes after the XLATE is created (for example, a route flap occurs), destination-translated traffic is still forwarded using the old XLATE, not the route table, until the XLATE times out. The traffic may be either forwarded out the wrong interface or dropped with message 110001 "no route to host" if the old route was removed from the old interface and attached to another interface by the routing process.

• The same problem may occur when there are no route flaps on FWSM itself, but a routing process is flapping around it, sending source-translated packets that belong to the same flow through FWSM on different interfaces. Destination-translated return packets may then be forwarded back using the wrong egress interface.

This issue has a high probability in a same-security-traffic configuration, where virtually any traffic may be either source-translated or destination-translated, depending on the direction of the initial packet in the flow. When this issue occurs after a route flap, it can be resolved manually by using the clear xlate command, or it resolves automatically when the XLATE times out. The XLATE timeout may be decreased if necessary. To ensure that this rarely happens, make sure that there are no route flaps on FWSM or around it. That is, ensure that destination-translated packets that belong to the same flow are always forwarded the same way through FWSM.

Configuring Static and Default Routes

This section describes how to configure static and default routes on FWSM.

Multiple context mode does not support dynamic routing, so you must use static routes for any networks to which FWSM is not directly connected; for example, when there is a router between a network and FWSM.

You might want to use static routes in single context mode in the following cases:

• Your networks use a router discovery protocol other than RIP or OSPF.
• Your network is small and you can easily manage static routes.
• You do not want the traffic or CPU overhead associated with routing protocols.

Chapter 8, Configuring IP Routing and DHCP Services, page 8-2 (OL-20748-01)
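The following Python model is an added example and is not code from the Cisco FWSM guide or from the FWSM itself. It walks through the next hop selection process and the stale-XLATE failure case described above, and it builds its routing table from lines in the FWSM static route command form (route interface network mask gateway [metric]); that syntax belongs to the static-route section that follows and is not shown in this excerpt, so treat it as an assumption. All addresses, interface names and timings are constructed, and the class and function names (Route, Fwsm, next_hops, route_flap_scenario) are this example's own. The model shows three things a practitioner would want to confirm: the second, interface-restricted lookup that produces the 110001 drop even when another interface has a route; load sharing limited to equal-cost next hops on one interface; and the two remedies, clear xlate and XLATE timeout.

```python
import ipaddress
from dataclasses import dataclass
from zlib import crc32

DROP_110001 = "drop: level 6 message 110001 no route to host"


@dataclass(frozen=True)
class Route:
    iface: str
    net: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int = 1


def parse_routes(lines):
    """Build Route entries from 'route <iface> <net> <mask> <gateway> [metric]' lines
    (assumed FWSM static-route syntax; sample lines below are constructed)."""
    routes = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        _, iface, dest, mask, gw, *rest = parts
        routes.append(Route(iface, ipaddress.IPv4Network(f"{dest}/{mask}"),
                            ipaddress.IPv4Address(gw), int(rest[0]) if rest else 1))
    return routes


def best_route(routes, dst):
    """Ordinary lookup over all interfaces: longest prefix, then lowest metric."""
    matching = [r for r in routes if dst in r.net]
    return max(matching, key=lambda r: (r.net.prefixlen, -r.metric), default=None)


def next_hops(routes, egress, dst):
    """Second lookup, restricted to the already-selected egress interface.
    Returns every equal-best gateway on that interface (load sharing); an empty
    list means 110001, no matter what routes exist on other interfaces."""
    dst = ipaddress.IPv4Address(dst)
    on_iface = [r for r in routes if r.iface == egress and dst in r.net]
    best = best_route(on_iface, dst)
    if best is None:
        return []
    return [r.gateway for r in on_iface
            if (r.net.prefixlen, r.metric) == (best.net.prefixlen, best.metric)]


@dataclass
class Xlate:
    real_iface: str   # interface the real (untranslated) host was behind at creation
    created: float    # creation time in seconds


class Fwsm:
    """Initial packets use the route table and create an XLATE; destination-
    translated return packets use the XLATE only, then the restricted lookup."""

    def __init__(self, routes, xlate_timeout=3 * 3600):   # timeout xlate default 3:00:00
        self.routes, self.xlate_timeout, self.xlates = list(routes), xlate_timeout, {}

    def _expire(self, now):
        self.xlates = {k: x for k, x in self.xlates.items()
                       if now - x.created < self.xlate_timeout}

    def clear_xlate(self):      # models the 'clear xlate' command
        self.xlates.clear()

    @staticmethod
    def _share(hops, a, b):     # per-flow hash over one interface's equal-cost next hops
        return hops[crc32(f"{a}-{b}".encode()) % len(hops)]

    def forward_initial(self, src, dst, ingress, now):
        """Outbound packet (dynamic NAT): route lookup picks egress, XLATE is created."""
        self._expire(now)
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        route = best_route(self.routes, dst)
        if route is None:
            return DROP_110001
        self.xlates[src] = Xlate(ingress, now)
        return route.iface, self._share(next_hops(self.routes, route.iface, dst), src, dst)

    def forward_return(self, real_dst, src, now):
        """Return packet already destination-translated to the real address:
        egress comes from the XLATE, never from a fresh route-table lookup."""
        self._expire(now)
        real_dst, src = ipaddress.IPv4Address(real_dst), ipaddress.IPv4Address(src)
        xlate = self.xlates.get(real_dst)
        if xlate is None:
            return "drop: no xlate"
        hops = next_hops(self.routes, xlate.real_iface, real_dst)
        return (xlate.real_iface, self._share(hops, src, real_dst)) if hops else DROP_110001


def route_flap_scenario():
    """Walk through the guide's failure case with constructed addresses."""
    fw = Fwsm(parse_routes([
        "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1",
        "route inside 192.168.1.0 255.255.255.0 10.1.1.2 1",
        "route inside 192.168.1.0 255.255.255.0 10.1.1.3 1",   # load-shared pair
        "route dmz 192.168.1.0 255.255.255.0 10.3.3.2 5",      # backup path, other interface
    ]), xlate_timeout=60)
    out = {"initial": fw.forward_initial("192.168.1.10", "198.51.100.5", "inside", now=0)}
    out["return_ok"] = fw.forward_return("192.168.1.10", "198.51.100.5", now=1)
    fw.routes = [r for r in fw.routes if r.iface != "inside"]    # route flap: inside path gone
    out["return_after_flap"] = fw.forward_return("192.168.1.10", "198.51.100.5", now=2)
    fw.clear_xlate()                                               # manual remedy
    out["initial_after_clear"] = fw.forward_initial("192.168.1.10", "198.51.100.5", "dmz", now=3)
    out["return_after_clear"] = fw.forward_return("192.168.1.10", "198.51.100.5", now=4)
    out["return_after_timeout"] = fw.forward_return("192.168.1.10", "198.51.100.5", now=63)
    return out


if __name__ == "__main__":
    for step, result in route_flap_scenario().items():
        print(f"{step:22} {result}")
```

Running the scenario shows the sequence the guide describes: the return packet before the flap is load-shared between the two inside next hops only (the dmz route is ignored even though it covers the same prefix); after the flap the XLATE still pins egress to inside, so the packet is dropped with 110001 although dmz now has a route; clear xlate lets the next initial packet rebuild the XLATE on the correct interface; and once the (shortened) XLATE timeout elapses the stale entry disappears on its own.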
