Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Best place for a default route

What is the best place in a network to redistribute a default route from?

Distribution, Edge distribution, Core?

Right now we have our two routers attached to a distribution and sending a default inside. We are thinking to move them and attach them to the core. Is it good place? from other side they are attached to a firewalls, firewalls point to our Internet routers. They get a default from ISP routers. But those routers do not redistribute that default. Only those on our distribution. What is the recommendation and best practice for sending a default from ?

Super Bronze

Re: Best place for a default route

A bit unclear whether you're asking where the default should be distributed, logically or physically. I think you're asking about physically. However, logically, best distribution point usually is the router closest to the default path and "knows" whether such path is good. (In your example, those connected to the FWs.)

Physically, I would try to have the shortest physical path (fewest router hops) to/from the default path for hosts that are using it. Placement, though, would be impacted by many other possible considerations, which can range from "politics" (i.e. who maintains particular devices) to I've run out of ports on the device I desire to use.

Hall of Fame Super Silver

Re: Best place for a default route

Hello Mateuz,

the border routers with the eBGP sessions with the ISPs would be the better choice but there are the firewalls that are likely blocking any IGP routing protocol messages.

Cisco appliances like ASA support OSPF or EIGRP routing if used in single context mode.

A possible solution could be GRE tunnels from edge routers to inside routers.

The problem of the chain :

router -FW -- border router is the fault detection part if using static routes.

Where to connect internet connections / default routes connection point:

in some campus network design the internet block connects to its own distribution nodes that then connect to the core.

Of course it can be possible to connect them to core directly.

The underlying idea is that core nodes have to do only L3 forwarding without ACLs for traffic or even route filters that are left to distribution.

As I said I would be more concerned of checking that the design is really fault tolerant: able to detect remote failures the point where these internal routers connect is less important in comparison.

Hope to help


CreatePlease to create content