d.fraser Tue, 06/19/2007 - 12:41
User Badges:

I don't think that will help.

I want to use a static route pointing to a firewall as a next hop. But I only want the static route to work if the firewall is alive. So I think I have to 'track' the firewall state using either CDP or ICMP, like http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e95.html

but I am having trouble getting it going.

If I don't use this method then any ideas are welcome.

JORGE RODRIGUEZ Tue, 06/19/2007 - 13:14
User Badges:
  • Green, 3000 points or more

we'll work with subnet as users segment and the firewall being ,, and will be alternate routes if is down etc..

1- create your access list

access-list 1 permit ( per host )

access-list 1 permit ( per host )

access-list 1 permit ( per host )


access-list 1 permit ( per subnet )

create a route map


route-map alternate-routes permit 10

match ip address 1

set ip next-hop

set ip next-hop

set ip next-hop

set ip next-hop verify-availability ( verify next hop is a cdp neighbor )

the PBR will try the next available hop, your next hop is firewall and if that hop is down

it will try as an alternate route and so on.

Apply the route map to the interface

interface vlan 169

ip policy route-map alternate-routes

HTH, rate if this helps


d.fraser Tue, 06/19/2007 - 13:45
User Badges:

I understand your solution but I have a more complex problem.

The firewall is managed by another provider. I have asked if it will supply CDP or respond to ICMP; I have not heard, but I will assume it will for now.

There are two locations, a hot and a cold site. Each site has a firewall attached to my switch (MSFC). There are approx 10,000 people behind the switches who want to talk through the hot switch/firewall if it is alive, or through the cold switch/firewall if the hot one is dead.

Hence I want to inject the hot firewall into OSPF as a next hop only if it is alive.

I tried creating a static

ip route

Creating an ACL

access-list 10 per

Building the route map

route-map FIREWALL per 10

match ip add 10

set next hop

set next-hop ver-avail

But this seems to be mixing features, PBR on the vlan interface, and injecting into OSPF based on the same route-map.

I am starting to think that the best way to do it is make the interface between my switch and the firewall a L3 interface, then I can use a static route pointing to the local switch L3 interface. That way if the switch Ethernet is down, the static won't inject into OSPF.

ip route Gig3/8

JORGE RODRIGUEZ Tue, 06/19/2007 - 13:59
User Badges:
  • Green, 3000 points or more

I don't know, perhaps wouldn't that be possible by implementing two default routes at your core-MSFC?

that is :

say both sites are up, hot and cold.

ip route (hot site)

ip route (cold site)

perhaps place an admin distance for route preference.

under ospf

redistribute static

sundar.palaniappan Tue, 06/19/2007 - 14:13
User Badges:
  • Green, 3000 points or more


Jorge's recommendation with an additional feature, Reliable static route using object tracking, should help you achieve what you are trying to do.

With this feature you can track the firewall IP address and when it becomes unreachable the router would remove the primary default route and start using the backup default route (floating static) to route the traffic.

Have a look at this link to configure this feature.
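The reliable static route with object tracking that Sundar refers to, as an added example that is not from this thread and not taken from a Cisco document: an IP SLA ICMP probe to the hot-site firewall, a track object that follows the probe, a tracked primary default route, a floating static to the cold-site firewall, and OSPF originating the default only while one of them is in the routing table. All addresses are constructed placeholders (192.0.2.1 for the hot firewall, 198.51.100.1 for the cold firewall, Vlan169 as the probe's source interface). The syntax is the `ip sla` form of later IOS; on 12.2-era releases the same probe is configured under `rtr` and the track object is `track 1 rtr 1 reachability`.

```cisco
! ICMP echo probe toward the hot-site firewall (constructed address 192.0.2.1),
! sourced from the MSFC's SVI so the firewall sees a consistent source
ip sla 1
 icmp-echo 192.0.2.1 source-interface Vlan169
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Track object follows probe reachability; the delay values dampen flapping
! so a single lost echo does not flip the default route back and forth
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Primary default via the hot firewall: installed only while track 1 is up
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
!
! Floating static via the cold firewall (constructed 198.51.100.1), AD 200:
! it enters the table only when the tracked primary is withdrawn
ip route 0.0.0.0 0.0.0.0 198.51.100.1 200
!
! Advertise 0.0.0.0/0 into OSPF only while a default exists in the RIB
! (without the "always" keyword the advertisement follows the table)
router ospf 1
 default-information originate
```

Two points worth checking before relying on this. First, `redistribute static` on its own does not inject 0.0.0.0/0 into OSPF; a default route is advertised by `default-information originate`, which is why it is used here rather than redistribution. Second, the probe fails closed: if the provider's firewall does not answer ICMP from the MSFC's address, the track object stays down and the primary route never installs, so confirm with `show track 1` and `show ip sla statistics 1` that the probe succeeds before cutting over.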




d.fraser Tue, 06/19/2007 - 17:34
User Badges:

My 12.2(17a) IOS may limit me here.

I think I have to use the MSFC interface as the next hop, with the caveats that it must be a L3, and I wear the ARP problem as specified. I can point to multiple /26's behind the firewall, which will limit the ARP issue.

I can redistribute static with different costs etc...no brainer.
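The interface-bound static that d.fraser sketches, as an added example that is not from the thread: a routed port toward the hot firewall, statics for the /26s behind it, floating statics toward the cold site, and redistribution into OSPF with a metric. The addresses, prefixes and interface names are constructed. The statics here name both the exit interface and the next-hop address, which keeps the interface-down behaviour he wants (the route leaves the RIB when Gi3/8 loses line protocol) without the ARP problem he mentions, since the MSFC then ARPs only for the firewall address rather than for every destination host behind it.

```cisco
! Layer-3 routed port toward the hot-site firewall (constructed addressing)
interface GigabitEthernet3/8
 description Hot-site firewall link
 no switchport
 ip address 192.0.2.2 255.255.255.252
!
! Statics for the /26s behind the firewall. Naming the exit interface ties the
! route to the port's line-protocol state; naming the next hop as well means the
! MSFC resolves one ARP entry (192.0.2.1) instead of ARPing per destination host
ip route 10.10.0.0 255.255.255.192 GigabitEthernet3/8 192.0.2.1
ip route 10.10.0.64 255.255.255.192 GigabitEthernet3/8 192.0.2.1
!
! Floating statics toward the cold-site firewall (constructed 198.51.100.1),
! AD 200, installed only once the interface-bound primaries are withdrawn
ip route 10.10.0.0 255.255.255.192 198.51.100.1 200
ip route 10.10.0.64 255.255.255.192 198.51.100.1 200
!
! Redistribute the statics into OSPF with a chosen metric; "subnets" is required
! for non-classful prefixes such as these /26s to be redistributed at all
route-map STATIC-TO-OSPF permit 10
 set metric 100
router ospf 1
 redistribute static subnets route-map STATIC-TO-OSPF
```

The limitation of this approach, as opposed to object tracking, is that it only detects a link-level failure: if the firewall is up at layer 2 but not forwarding, the port stays up and the primary statics stay in the table. `show ip route static` after shutting the port shows whether the floating entries take over as expected.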


