Archive for the 'General Networking' Category



How to Configure Static Routing on Cisco Routers

Tuesday 17 August 2010 @ 8:41 am

Cisco IOS routers support both static and dynamic routes. In small networks (2 to 5 routers) I would suggest configuring only static routes, especially if the network is not going to change much over time. Of course, dynamic routing (using dynamic routing protocols such as RIP, OSPF or EIGRP) is much more flexible and scalable (for larger networks), but it gets a little tricky to troubleshoot when problems occur. There is also the option of mixing static and dynamic routing if needed, but you need to take into consideration issues such as route redistribution (you will usually need to redistribute the static routes into the dynamic protocol).

In this post I will try to illustrate static routing using a small network scenario (see picture below) and also explain some other issues related to ICMP Redirects and the Cisco ASA firewall.

Network Description

From the example network above, we have a Cisco ASA firewall (ASA1) protecting our internal networks from the Internet. LAN1 is a Class C subnet (10.1.1.0/24) with user computers connected (this might be the headquarters LAN of the enterprise). There is also a router (R1) serving as a WAN router to connect a distant remote office over a WAN link.

At the other end of the WAN link we have R2, which serves as the hub router with two spokes (R3 and R4). There are also two more LAN networks with user computers (LAN2 connected to R3 and LAN3 connected to R4).

The IP addresses assigned to the network are as follows:

ASA1 Internal IP: 10.1.1.254

R1 IP on LAN1 network: 10.1.1.253
R1 IP on the WAN link: 192.168.1.1

R2 IP on the WAN link: 192.168.1.2
R2 IP connected with R3: 192.168.2.2
R2 IP connected with R4: 192.168.3.2

R3 IP connected with R2: 192.168.2.1
R3 IP on LAN2 network: 10.2.1.254

R4 IP connected with R2: 192.168.3.1
R4 IP on LAN3 network: 10.2.2.254

LAN1 network: 10.1.1.0/24
LAN2 network: 10.2.1.0/24
LAN3 network: 10.2.2.0/24

Traffic Flow Requirements

We need to have the following communication between networks:

  • LAN1 computers need to access the Internet through the ASA and must also be able to communicate with users and servers on LAN2 and LAN3.
  • LAN1 users should also be able to communicate with the “transit subnets” for troubleshooting and management purposes (“transit subnets” are the point-to-point networks connecting the routers to each other). These transit subnets are 192.168.1.0/30, 192.168.2.0/30 and 192.168.3.0/30.
  • LAN2 and LAN3 computers need to access the Internet through the ASA and must also be able to communicate with the LAN1 network.

Configuration of Static Routing

The intention of this article is to explain static routing only, so I will not get into the full configuration details of all devices in the network. I will just show snippets of commands for static routes.

The general format of a static route command on a Cisco router is:

Router(config)# ip route [destination network] [mask] [gateway address]

The command above tells the router: “if you want to send a packet to this destination network, send it to this gateway address”.

The format of a static route command on a Cisco ASA firewall is:

ASA(config)# route [interface name] [destination network] [mask] [gateway]

Now let’s see the commands needed for each router. It’s more convenient to start from the bottom up:

Router R3:

R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2

We just need a default route on this router to send ALL traffic towards the R2 gateway address (192.168.2.2).

Router R4:

R4(config)# ip route 0.0.0.0 0.0.0.0 192.168.3.2

As with R3, we just need a default route on this router to send ALL traffic towards the R2 gateway address (192.168.3.2).

Router R2:

! Default route
R2(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1

! Static routes to reach LAN2 and LAN3
R2(config)# ip route 10.2.1.0 255.255.255.0 192.168.2.1
R2(config)# ip route 10.2.2.0 255.255.255.0 192.168.3.1

This is a little tricky. We need both a default route (to send all upstream traffic, including traffic to the Internet, towards R1) and two specific static routes to reach the LAN2 and LAN3 networks. The two specific static routes (the last two lines) are needed so that reply packets destined to LAN2 and LAN3 hosts can be delivered, and also so that LAN1 can reach LAN2/LAN3.

Router R1:

! Default Route towards ASA for Internet Traffic
R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.254

! Static routes to reach LAN2 and LAN3
R1(config)# ip route 10.2.1.0 255.255.255.0 192.168.1.2
R1(config)# ip route 10.2.2.0 255.255.255.0 192.168.1.2

! Static routes to reach transit point-to-point networks
R1(config)# ip route 192.168.2.0 255.255.255.252 192.168.1.2
R1(config)# ip route 192.168.3.0 255.255.255.252 192.168.1.2

Firewall ASA1:

ASA1(config)# route outside 0.0.0.0 0.0.0.0 [asa gateway IP]

! Static routes to reach LAN2 and LAN3
ASA1(config)# route inside 10.2.1.0 255.255.255.0 10.1.1.253
ASA1(config)# route inside 10.2.2.0 255.255.255.0 10.1.1.253

The ASA needs a default route towards its default gateway IP (assigned by the ISP), and also two static routes to reach the distant LAN2 and LAN3 networks. You DO NOT need a static route for the LAN1 network because it is directly connected to the ASA.

Default Gateway for LAN1 computers

As we said before, one of the traffic flow requirements was access to the LAN2 and LAN3 networks from LAN1 computers. If I ask you what the default gateway address configured on LAN1 computers should be, most of you would answer “the ASA internal address, 10.1.1.254”. However, this is WRONG. Let me explain why.

Assume you configure the default gateway address for LAN1 hosts to be the ASA address 10.1.1.254. If HostA on LAN1 wants to send traffic to the Internet, then it will send it to its default gateway address (ASA firewall) which will forward the packet to the Internet. So far so good.

However, if HostA wants to send traffic to LAN2 or LAN3 hosts, it will again send the traffic to the ASA, which is supposed to send an ICMP Redirect to HostA telling it “hey, you should really be using 10.1.1.253 to get to LAN2 or LAN3”. However, the Cisco ASA is NOT ABLE to send an ICMP Redirect like a router would. Therefore, HostA will never be able to communicate with LAN2/LAN3. If the ASA were a router instead, everything would work fine, because routers are able to send ICMP Redirects.

So, the correct answer is to configure all hosts on the LAN1 network with the IP of R1 (10.1.1.253) as their default gateway address. This way, they will be able to access both the Internet and the other internal LAN networks (LAN2/LAN3).
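To check that the static routes above actually satisfy the traffic flow requirements, here is a small longest-prefix-match forwarding simulator (an added example, not part of the original post) that loads the route tables of R1 to R4 and ASA1 exactly as configured above and traces a packet from a host's default gateway hop by hop. It models route lookups only (not ICMP Redirects); the "connected" entries, the INTERNET placeholder for the ISP gateway, and the device names are my own assumptions.

```python
import ipaddress

# Static routes per device, transcribed from the post. "connected" marks a
# directly attached subnet (delivered locally); "INTERNET" stands in for the
# ISP gateway the post leaves as [asa gateway IP].
ROUTES = {
    "R3": [("192.168.2.0/30", "connected"), ("10.2.1.0/24", "connected"),
           ("0.0.0.0/0", "192.168.2.2")],
    "R4": [("192.168.3.0/30", "connected"), ("10.2.2.0/24", "connected"),
           ("0.0.0.0/0", "192.168.3.2")],
    "R2": [("192.168.1.0/30", "connected"), ("192.168.2.0/30", "connected"),
           ("192.168.3.0/30", "connected"), ("0.0.0.0/0", "192.168.1.1"),
           ("10.2.1.0/24", "192.168.2.1"), ("10.2.2.0/24", "192.168.3.1")],
    "R1": [("10.1.1.0/24", "connected"), ("192.168.1.0/30", "connected"),
           ("0.0.0.0/0", "10.1.1.254"),
           ("10.2.1.0/24", "192.168.1.2"), ("10.2.2.0/24", "192.168.1.2"),
           ("192.168.2.0/30", "192.168.1.2"), ("192.168.3.0/30", "192.168.1.2")],
    "ASA1": [("10.1.1.0/24", "connected"), ("0.0.0.0/0", "INTERNET"),
             ("10.2.1.0/24", "10.1.1.253"), ("10.2.2.0/24", "10.1.1.253")],
}
# Interface address -> device (from the post's address plan), used to resolve
# a next-hop address to the device that performs the next lookup.
OWNER = {"10.1.1.254": "ASA1", "10.1.1.253": "R1", "192.168.1.1": "R1",
         "192.168.1.2": "R2", "192.168.2.2": "R2", "192.168.3.2": "R2",
         "192.168.2.1": "R3", "10.2.1.254": "R3",
         "192.168.3.1": "R4", "10.2.2.254": "R4"}

def lookup(device, dst):
    """Longest-prefix match: the most specific matching route wins, so the
    /24 and /30 entries beat the 0.0.0.0/0 default; None if nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(gateway, dst, max_hops=8):
    """Start at the host's default gateway and follow next-hops until the
    packet is delivered on a connected subnet, leaves to the ISP, or is dropped."""
    path, device = [], OWNER[gateway]
    while device is not None and len(path) < max_hops:
        path.append(device)
        next_hop = lookup(device, dst)
        if next_hop == "connected":
            return path, "delivered"
        if next_hop == "INTERNET":
            return path, "internet"
        device = OWNER.get(next_hop)  # None when there is no route or unknown hop
    return path, "dropped"  # no route, unknown next-hop, or hop limit (loop)
```

Tracing from 10.1.1.253 (R1) to a LAN2 host yields the path R1, R2, R3, and the return trip from R3 comes back via R2 and R1; an Internet-bound packet from LAN3 leaves through R4, R2, R1 and ASA1.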





GNS3 Graphical Network Simulator

Sunday 11 July 2010 @ 5:52 pm

GNS3 is a graphical network simulator that allows simulation of complex networks.

To allow complete simulations, GNS3 is strongly linked with:

* Dynamips, the core program that allows Cisco IOS emulation.
* Dynagen, a text-based front-end for Dynamips.
* Qemu, a generic and open source machine emulator and virtualizer.

GNS3 is an excellent complementary tool to real labs for network engineers, administrators and people wanting to pass certifications such as CCNA, CCNP, CCIP, CCIE, JNCIA, JNCIS, JNCIE.

It can also be used to experiment with features of Cisco IOS or Juniper JunOS, or to check configurations that need to be deployed later on real routers.

This project is an open source, free program that may be used on multiple operating systems, including Windows, Linux, and MacOS X.

Features overview

* Design of high quality and complex network topologies.
* Emulation of many Cisco IOS router platforms, IPS, PIX and ASA firewalls, JunOS.
* Simulation of simple Ethernet, ATM and Frame Relay switches.
* Connection of the simulated network to the real world!
* Packet capture using Wireshark.

Important notice: users have to provide their own IOS/IPS/PIX/ASA/JunOS to use with GNS3.

More Info: http://www.gns3.net/




IEEE 802.3ba-100 Gbps Ethernet is Here

Friday 25 June 2010 @ 7:43 pm

On June 17th, the IEEE ratified the 802.3ba standard for Ethernet connections with speeds of 40 and 100 Gbps. Both Cisco and Juniper have been supplying high-performance network equipment that supports the above standard. Cisco, for example, supports a 100 Gbps Ethernet card on its CRS-3 router, while Juniper supports its 100 Gbps PIC card on its T1600 core router.

As its name suggests, the IEEE 802.3ba standard allows for Ethernet services of 40 and 100 Gbps in both LAN and WAN implementations. The initial plan for the fastest Ethernet ever was to develop the 40 Gbps technology to support high-speed connections between switches and core servers, while the 100 Gbps speed was planned to support transport trunks for Internet and Video over IP. Both speeds are applicable to the transport of packets over optical fiber networks.

Of course, as in previous cases, the new standard maintains backward compatibility with the rest of the Ethernet family.




IPv4 addresses are running out

Sunday 16 May 2010 @ 2:54 pm

It is beyond discussion that the full implementation of IPv6 in all Internet services and infrastructures will take place sooner or later. However, a harsh reality knocked on our door a few months ago: the Number Resource Organization (NRO) warned that the available free IPv4 address space has fallen below 10%, which is considered a critical level.

Based on this information, the organization considers the implementation of IPv6 vital if we are to continue the development of the Internet.

IPv4 addresses, with a length of 32 bits, define the Internet address space that we have been using so far and provide 4,294,967,297 possible IP addresses. In January 2010 the number of not-yet-allocated addresses dropped below 430 million, which is what triggered this warning.

If we run out of IPv4 addresses, this means a halt to the spread of the Internet, which has grown at a steady pace since 1989 and is the main business infrastructure of today’s technology. The key to overcoming this limitation: the global adoption of IPv6.

However, many experts argue that implementing NAT may extend the life of IPv4 a few more years. Personally, I believe that further delaying the full migration to IPv6 simply postpones the implementation of a technology that has long been awaiting implementation, which will enable significant improvements in the operation of the Internet while offering new services. The implementation of NAT at the ISP level will only result in limiting the services available, and also hinder the seamless operation of the Internet when IP addresses are translated.

Moreover, major Internet sectors are already operating with IPv6 (China, Japan, parts of Europe and the USA), and Internet infrastructure design is ready to support the migration: there is an international backbone running on IPv6, DNS services have updated their record structure, etc. In fact, there is already a fully operational IPv6 web. The full migration will simply allow further evolution of the Internet.

Of course, more important than the hardware requirements that the implementation of IPv6 will impose are the training requirements for networking professionals. IPv6 will bring another opportunity for professionals to train and grow. There are many resources available to start learning about IPv6; some of them are listed below.

http://www.ipv6forum.com/
Number Resource Organization
http://www.ipv6actnow.org/




