Default Gateway Exit Interface

Answered Question
Mar 19th, 2009

Hi All,

Can you explain to me how default routing out of the exit interface works? For example, ip route 0.0.0.0 0.0.0.0 f0/0. I know that if you use the next hop IP address in the default route configuration (ip route 0.0.0.0 0.0.0.0 192.168.1.1), the router can resolve the next hop IP to the MAC address to put in the data link frame as the destination. How does the router know what to put in the data link frame as the destination address if it has no IP address to resolve? How does it work? Thanks a lot


Paolo Bevilacqua Thu, 03/19/2009 - 16:21

Hi, the data-link destination address never changes. In your example, it will always be the MAC address for 192.168.1.1.

CriscoSystems Thu, 03/19/2009 - 16:23

Zdrast, Anatoliy!!

If the outgoing interface is multiaccess, it can use the broadcast address.

If it's a point-to-point interface, there doesn't really need to be a layer 2 destination specified since there's only one host at the other end of the link.

In the case of frame relay (where the frames do need a layer 2 value (DLCI) specified), it will use the DLCI that is assigned (via either LMI or static config) to the interface you specified in your ip route statement.

petnetsolutionions Thu, 03/19/2009 - 16:30

Spasibo! So let me clarify, if you set the default gateway as exit interface, the data link layer will just use broadcast (on multiaccess network) as the destination address instead of resolving next hop IP as in the case if we configured next hop IP as the default gateway?

Paolo Bevilacqua Thu, 03/19/2009 - 17:04

If the outgoing interface is multiaccess, it can use the broadcast address.

Actually that never happens, unless the L3 dst address is subnet bcast, in which case the router will use an L2 bcast, or is multicast, in which case the router will map to an L2 mcast address.

Dasvidania.

CriscoSystems Thu, 03/19/2009 - 17:10

But then wait a minute - that just underlines Anatoliy's question. If it's going out an Ethernet interface, the router's got to put _something_ in the destination address field of the Ethernet frame, doesn't it?

Stolichnaya.

petnetsolutionions Thu, 03/19/2009 - 17:16

That is exactly what I want to know. What does the router put in the destination address in the frame. We don't have the gateway IP to resolve since we are using the exit interface instead.

Jon Marshall Thu, 03/19/2009 - 18:01

Well if the route points to an exit interface the router will arp out for every single destination.

On a multi-access network it really isn't a good idea to do this as you may get multiple replies.

As Paolo said, the 192.168.1.1 router may well respond with its own MAC address.

Jon

Jon Marshall Thu, 03/19/2009 - 18:10

I mean the router sends an arp request to get the mac-address of the next-hop. When it gets a response it can then send the packet.

But it doesn't actually broadcast out the data packet. It uses the arp response to unicast the packet to the next hop.

Jon

CriscoSystems Thu, 03/19/2009 - 18:14

But, what next-hop? Anatoliy's scenario is a gateway-of-last-resort scenario, with an INTERFACE, not a host, specified in the ip route statement.

petnetsolutionions Thu, 03/19/2009 - 18:24

Exactly, how does the router know where the next hop is? Can somebody explain it to me please? It has been bothering me all day.

CriscoSystems Thu, 03/19/2009 - 18:11

Jon, do you mean it will send an ARP query for the L3 address that is the packet's FINAL destination? Doesn't that furthermore mean that if the packet's final destination isn't on the same subnet as the default exit interface, the packet is blackholed?

'Cause the whole (or at least major) point of having default gateways is for the packet to transit to a place that has (or might have) sturdier routing for it.

Jon Marshall Thu, 03/19/2009 - 18:18

"Jon, do you mean it will send an ARP query for the L3 address that is the packet's FINAL destination?"

Edit - actually yes, I do mean that's what it does. See below for proxy-arp details.

It's to do with proxy-arp. If none of the routers accessible from the router interface are running proxy-arp then no router would respond with its MAC address and the ARP would fail.

This is why on a multi-access network like ethernet you should never use the exit interface as the next-hop. You should only do this on P2P links.

Jon

Jon Marshall Thu, 03/19/2009 - 18:21

Just as an addition. I have never actually tested whether a router will allow you to use an Ethernet interface as next-hop. I assume it would, and if another router is using proxy-arp it would respond, but perhaps I should test it sometime :-)

Jon

Correct Answer
Richard Burts Fri, 03/20/2009 - 04:17

It certainly does allow you to specify an Ethernet interface as the exit in a static route, including a static default route. There are several things that make this a problematic thing to do:

- it means that the router will send an ARP request for EVERY layer 3 destination address, so it is generating lots of traffic.

- it will only be successful if the next hop router has enabled proxy-arp, and increasingly some organizations regard proxy-arp as a security weakness and disable it. This means that now the success of your routing is dependent on something that you may not control.

- if the next hop router does enable proxy-arp then the MAC address gets added to the ARP table which contains ALL of the destination IP addresses to which the router has forwarded, so the ARP table gets very large, consuming memory and CPU cycles to maintain it.

So the best advice is that static routes specifying the exit interface are ok if the exit interface is some point to point link like HDLC, PPP, Frame Relay but otherwise it is much better to specify the next hop address.

HTH

Rick

petnetsolutionions Fri, 03/20/2009 - 04:30

So proxy-ARP is how it is possible. In my scenario I had 3 1841s hooked up through the Ethernet interfaces (1841----1841----1841) and one of the edge routers had the default gateway set as an interface and it worked fine. So is proxy ARP enabled by default? Because I didn't enable anything for it to work.

Richard Burts Fri, 03/20/2009 - 04:43

Yes proxy-arp is enabled by default in IOS. This means that a static route specifying only the exit interface can work. But note that just because something can be done does not necessarily mean that it should be done.

If you set this up as you describe and if you ping 50 remote addresses you wind up with 50 entries in your arp cache. If you ping 500 remote addresses you wind up with 500 entries in your arp cache. If you ping 5000 remote addresses you wind up with 5000 entries in your arp cache. Give it a test.

Another thing to think about: how long do the entries stay in the arp cache? You might want to test for this also.

HTH

Rick
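To make Rick's three points concrete (an ARP request per destination, dependence on the neighbour's proxy-ARP, and an ARP cache that grows with every address reached) and his "give it a test" suggestion reproducible offline, here is a small constructed model of the Layer-2 rewrite step. It is added for this thread and is not Cisco IOS code; the interface names, MAC addresses and neighbour behaviour are assumptions for the example.

```python
import ipaddress

# Constructed model of how a router picks the Ethernet destination MAC for a
# packet that matches a static default route. Not IOS code; it only mirrors the
# behaviour the thread describes (ARP per destination, proxy-ARP, cache growth).

class Neighbour:
    def __init__(self, ip, mac, proxy_arp=True):   # IOS default: proxy-ARP on
        self.ip, self.mac, self.proxy_arp = ip, mac, proxy_arp

class Router:
    def __init__(self):
        self.routes = []       # (network, next_hop, exit_intf)
        self.ifaces = {}       # name -> dict(net, p2p, neighbours)
        self.arp_cache = {}    # resolved ip -> mac
        self.arp_requests = 0

    def add_interface(self, name, prefix, p2p=False, neighbours=()):
        self.ifaces[name] = dict(net=ipaddress.ip_network(prefix, strict=False),
                                 p2p=p2p, neighbours=list(neighbours))

    def add_static_route(self, prefix, next_hop=None, exit_intf=None):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, exit_intf))

    def _arp(self, target, intf):
        if target in self.arp_cache:
            return self.arp_cache[target]
        self.arp_requests += 1
        for n in self.ifaces[intf]["neighbours"]:
            # a host answers for its own IP; a proxy-ARP router answers for others (simplified to "any")
            if n.ip == target or n.proxy_arp:
                self.arp_cache[target] = n.mac
                return n.mac
        return None

    def forward(self, dst_ip):
        dst = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return "dropped: no route"
        _, next_hop, intf = max(matches, key=lambda r: r[0].prefixlen)
        if intf is None:   # next-hop form: pick the connected interface that reaches it
            intf = next(n for n, i in self.ifaces.items()
                        if ipaddress.ip_address(next_hop) in i["net"])
        if self.ifaces[intf]["p2p"]:
            return f"sent via {intf}: point-to-point link, no L2 address to resolve"
        target = next_hop or dst_ip   # exit-interface form: ARP for the FINAL destination
        mac = self._arp(target, intf)
        return f"sent via {intf} to {mac}" if mac else f"dropped: ARP for {target} unanswered"
```

Forwarding 50 packets to 50 different remote addresses through an exit-interface default route produces 50 ARP requests and 50 cache entries, while the same traffic through a next-hop default route produces one of each; with proxy-ARP disabled on the neighbour, the exit-interface form drops every packet.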

petnetsolutionions Fri, 03/20/2009 - 04:51

Thanks Richard! I think it makes more sense now. I am actually not going to use this scenario in production. In production we are using an ADSL setup with PPPoE, which is a point to point link, so setting the default gateway as the interface should be just fine. I wanted to test a few things in the lab so that's why I set up the default gateway on the Ethernet interface.

Richard Burts Fri, 03/20/2009 - 08:29

I am glad that it makes more sense now. Sometimes things work and we do not look closely to see how they work and whether there are implications that we should be aware of in how they work. Setting things up in the lab and testing is a very good way to learn how they really work.

HTH

Rick

rpfinneran Sun, 03/22/2009 - 04:11

One other issue that you may run into. If you have unicast reverse-path forwarding enabled on the egress interface, then setting a static-default route to the interface will fail. I ran into this a while back and it really bugged me...
