10-04-2017 06:16 PM - edited 03-05-2019 09:14 AM
Hi,
I have a 3850 with a static default route to the ISP.
This 3850 has an eBGP neighbour with a downstream FTD 2110. The ISP and firewall are in the same IP range for the outside interface, but I can't have a static route on the firewall because of a bug that the Cisco development team is troubleshooting.
Basically what I can do in the short term is try and give the firewall a default route through BGP from the 3850 but instead of the 3850 being the next hop, I need the ISP to be the next hop. This is to avoid asymmetric routing to and from the ISP.
I'm thinking it would look something like this on the 3850.
! Match only the default route that is going to be redistributed
! (the original ACL 101 permitted 10.0.0.0/8, which would not match 0.0.0.0/0)
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
! Static default route towards the ISP (ISP = the ISP's next-hop address)
ip route 0.0.0.0 0.0.0.0 ISP
route-map MAP permit 10
 match ip address prefix-list DEFAULT
 set ip next-hop ISP
router bgp 1001
 redistribute static route-map MAP
Would this work?
Thanks,
Waqas
10-04-2017 07:15 PM
If the static route has the correct next hop you shouldn't need "set ip next hop ISP".
10-04-2017 07:35 PM
Thanks Philip,
This is because I don't want traffic to go through the 3850 when going out to the internet.
Would I still need the route map on the redistribute command?
10-04-2017 07:38 PM
If the 3850 is doing the routing itself - no - because the static route will take precedence.
10-04-2017 07:45 PM
The 3850 has the static route. The firewall cannot have a static route configured on it because of a bug, it can only take a default route dynamically from the 3850.
10-04-2017 07:51 PM
But will my configuration give the default route to the firewall with the correct next hop (being the ISP)?
The next hop for the firewall cannot be the 3850.
10-04-2017 07:52 PM
It will redistribute it with whatever next hop the static route has.
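As an added example (not part of the thread, and not a configuration any participant posted), here is the 3850 side written out with assumed addresses: 203.0.113.1 for the ISP gateway, 203.0.113.2 for the 3850 and 203.0.113.3 for the FTD outside interface, all on one /29, with the 3850 in AS 1001 as in the question and an assumed AS 65001 for the FTD. The names DEFAULT-ONLY and STATIC-TO-BGP are also assumptions. It shows the two things the thread turns on: the static route's next hop (the ISP) is what gets carried into the redistributed prefix, and on an eBGP session that next hop is only preserved towards the neighbour when the ISP address sits on the same subnet as the peering (BGP's third-party next-hop rule); if the peering were on a different subnet, BGP would rewrite the next hop to the 3850's own address and the firewall would send Internet traffic via the 3850 after all.

```cisco
! 3850 - static default towards the ISP gateway (assumed address)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Only the default route should leak into BGP, nothing else from the static table
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list DEFAULT-ONLY
!
router bgp 1001
 bgp log-neighbor-changes
 neighbor 203.0.113.3 remote-as 65001
 address-family ipv4
  ! Next hop of the redistributed prefix is inherited from the static route
  redistribute static route-map STATIC-TO-BGP
  neighbor 203.0.113.3 activate
 exit-address-family
!
! Checks on the 3850 once the session is up:
!   show ip bgp 0.0.0.0/0
!     -> next hop should be 203.0.113.1, not 203.0.113.2
!   show ip bgp neighbors 203.0.113.3 advertised-routes
!     -> 0.0.0.0/0 listed with next hop 203.0.113.1
!
! Check on the FTD (diagnostic CLI):
!   show route
!     -> B 0.0.0.0/0 via 203.0.113.1
```

If the advertised next hop shows up as 203.0.113.2 instead, the peering and the ISP gateway are not on a shared subnet, and the third-party next-hop rule does not apply; a `set ip next-hop` in an outbound route-map to the neighbour will not change that, because the firewall needs the ISP to be directly reachable on the outside interface for the route to be usable.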