Static route next-hop

Static routes are a much-loved and well-used configuration staple, but this post highlights a possible misconfiguration and explores the resulting behaviour.

In Cisco IOS a static route is defined by:

!
ip route <destination_prefix> <destination_mask> <interface> <next-hop>
!

While it may be common to omit the outgoing interface, it is also possible to specify the outgoing interface but omit the next-hop. Luckily, IOS tries to warn you about potential problems:

Router(config)#ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
%Default route without gateway, if not a point-to-point interface, may impact performance

…but let's imagine you are just pasting in commands, or you have inherited this configuration in a production environment: what is the implication? Gi0/0 in this topology is already configured with the correct Layer 3 information, which would normally be sufficient to determine whether a destination address is off-link and needs to be sent via the subnet gateway, but this mechanism is not used. Instead, the router considers every destination IP address within the range of the route to be directly connected. The consequence is that it will ARP for every destination IP address.

By browsing the internet on the Linux VM and running debug arp on the vIOS router we can see all of these ARP requests:

Router#debug arp
*Jan 10 21:41:06.624: IP ARP: creating incomplete entry for IP address: 212.58.237.252 interface GigabitEthernet0/0
*Jan 10 21:41:06.625: IP ARP: sent req src 10.10.0.2 5000.0003.0000, dst 212.58.237.252 0000.0000.0000 GigabitEthernet0/0
*Jan 10 21:41:11.607: IP ARP: rcvd req src 10.10.1.1 5000.0002.0000, dst 10.10.1.254 GigabitEthernet0/1
*Jan 10 21:41:11.608: IP ARP: sent rep src 10.10.1.254 5000.0003.0001, dst 10.10.1.1 5000.0002.0000 GigabitEthernet0/1
*Jan 10 21:41:15.131: IP ARP: creating incomplete entry for IP address: 212.58.233.252 interface GigabitEthernet0/0
*Jan 10 21:41:15.131: IP ARP: sent req src 10.10.0.2 5000.0003.0000, dst 212.58.233.252 0000.0000.0000 GigabitEthernet0/0
*Jan 10 21:41:18.168: IP ARP: sent req src 10.10.0.2 5000.0003.0000, dst 212.58.233.252 0000.0000.0000 GigabitEthernet0/0
*Jan 10 21:41:22.359: IP ARP: sent req src 10.10.0.2 5000.0003.0000, dst 212.58.233.252 0000.0000.0000 GigabitEthernet0/0
*Jan 10 21:41:30.553: IP ARP: sent req src 10.10.0.2 5000.0003.0000, dst 212.58.233.252 0000.0000.0000 GigabitEthernet0/0
*Jan 10 21:41:46.688: IP ARP: sent req src 10.10.0.2 5000.0003.0000, dst 212.58.233.252 0000.0000.0000 GigabitEthernet0/0
*Jan 10 21:42:19.193: IP ARP: creating incomplete entry for IP address: 212.58.233.252 interface GigabitEthernet0/0
*Jan 10 21:42:19.194: IP ARP: sent req src 10.10.0.2 5000.0003.0000, dst 212.58.233.252 0000.0000.0000 GigabitEthernet0/0
*Jan 10 21:42:24.310: IP ARP: rcvd req src 10.10.1.2 5000.0002.0000, dst 10.10.1.254 GigabitEthernet0/1
*Jan 10 21:42:24.311: IP ARP: sent rep src 10.10.1.254 5000.0003.0001, dst 10.10.1.1 5000.0002.0000 GigabitEthernet0/1

The output shows the ARP requests being sent but no replies being received, resulting in incomplete ARP entries:

Router#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  1.1.1.1                 0   Incomplete      ARPA   GigabitEthernet0/0
Internet  10.10.0.2               -   5000.0003.0000  ARPA   GigabitEthernet0/0
Internet  10.10.0.3               5   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  10.10.1.1               0   5000.0002.0000  ARPA   GigabitEthernet0/1
Internet  10.10.1.254             -   5000.0003.0001  ARPA   GigabitEthernet0/1
Internet  34.120.208.123          0   Incomplete      ARPA
Internet  52.88.248.168           0   Incomplete      ARPA
Internet  212.58.237.252          0   Incomplete      ARPA
Internet  216.58.212.234          0   Incomplete      ARPA

Solutions

There are three fixes which can be used to get this topology to work:

  • Statically configured ARP entries on the vIOS router.

For each destination IP address, create a static ARP entry specifying the Layer 2 address of the edge_router Gi0/1 interface.

!
arp 212.58.237.252 5000.0001.0001 arpa
arp 216.58.212.234 5000.0001.0001 arpa
!

Clearly this is not a scalable solution when dealing with a default route, and should not be explored further for this topology.

  • Proxy ARP configured on edge_router Gi0/1
!
int Gi0/1
 ip proxy-arp
!

Proxy ARP is enabled by default in IOS; however, disabling it on all interfaces is a good baseline configuration stance. Proxy ARP works by allowing an enabled interface to respond to ARP requests for IP addresses which it does not have configured on the receiving interface. This allows machines which are ARPing for off-link IP addresses to install the proxy ARP router's interface MAC address in their ARP table for those addresses. We can see the edge_router receiving and responding to these ARP requests once proxy ARP has been enabled:

*Jan 10 22:01:55.322: IP ARP: sent rep src 172.217.169.8 5000.0001.0001, dst 10.10.0.2 5000.0003.0000 GigabitEthernet0/1
*Jan 10 22:01:55.655: IP ARP: rcvd req src 10.10.0.2 5000.0003.0000, dst 35.244.174.68 GigabitEthernet0/1
*Jan 10 22:01:55.656: IP ARP: sent rep src 35.244.174.68 5000.0001.0001, dst 10.10.0.2 5000.0003.0000 GigabitEthernet0/1
*Jan 10 22:01:55.982: IP ARP: rcvd req src 10.10.0.2 5000.0003.0000, dst 91.228.74.134 GigabitEthernet0/1
*Jan 10 22:01:55.983: IP ARP: sent rep src 91.228.74.134 5000.0001.0001, dst 10.10.0.2 5000.0003.0000 GigabitEthernet0/1
*Jan 10 22:01:56.057: IP ARP: rcvd req src 10.10.0.2 5000.0003.0000, dst 13.224.241.42 GigabitEthernet0/1
*Jan 10 22:01:56.058: IP ARP: sent rep src 13.224.241.42 5000.0001.0001, dst 10.10.0.2 5000.0003.0000 GigabitEthernet0/1
*Jan 10 22:01:56.079: IP ARP: rcvd req src 10.10.0.2 5000.0003.0000, dst 13.224.130.68 GigabitEthernet0/1
*Jan 10 22:01:56.079: IP ARP: sent rep src 13.224.130.68 5000.0001.0001, dst 10.10.0.2 5000.0003.0000 GigabitEthernet0/1
*Jan 10 22:01:56.231: IP ARP: rcvd req src 192.168.1.46 0c89.107a.ea58, dst 192.168.1.250 GigabitEthernet0/0
*Jan 10 22:01:56.260: IP ARP: rcvd req src 10.10.0.2 5000.0003.0000, dst 216.58.213.13 GigabitEthernet0/1
*Jan 10 22:01:56.260: IP ARP: sent rep src 216.58.213.13 5000.0001.0001, dst 10.10.0.2 5000.0003.0000 GigabitEthernet0/1

The vIOS router now has a complete ARP table for the off-link IP addresses:

Router#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  1.1.1.1                22   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  2.19.61.48              1   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  10.10.0.2               -   5000.0003.0000  ARPA   GigabitEthernet0/0
Internet  10.10.1.1               2   5000.0002.0000  ARPA   GigabitEthernet0/1
Internet  10.10.1.254             -   5000.0003.0001  ARPA   GigabitEthernet0/1
Internet  13.224.130.68           0   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  13.224.241.42           0   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  13.224.241.55           1   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  23.4.209.147            1   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  34.120.208.123          1   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  35.244.174.68           0   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  52.85.70.115            1   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  52.88.248.168           0   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  54.163.236.63           1   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  54.192.227.140          1   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  91.189.91.38           22   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  91.228.74.134           0   5000.0001.0001  ARPA   GigabitEthernet0/0

For each off-link destination address that is accessed, a corresponding ARP entry will be required on the vIOS router. The potential for this table to grow quite rapidly combined with the default 4 hour ARP table entry timeout will result in an unnecessary load on the router.
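
One way to spot this condition from the ARP table itself, as an added example that is not part of the original post: any ARP entry for an address outside the interface's connected subnet is a sign of an interface-only route, and one MAC resolving for many such addresses indicates a proxy ARP responder. The /24 masks and the function names are assumptions; the sample rows are constructed from the post's outputs.

```python
import ipaddress
from collections import Counter

# Constructed input: rows taken from the post's "sh arp" outputs, combined into one table.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  1.1.1.1                22   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  10.10.0.2               -   5000.0003.0000  ARPA   GigabitEthernet0/0
Internet  10.10.0.3               5   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  10.10.1.1               2   5000.0002.0000  ARPA   GigabitEthernet0/1
Internet  13.224.130.68           0   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  52.88.248.168           0   Incomplete      ARPA
"""

# Assumption: /24 masks; the post shows the interface addresses but not the masks.
CONNECTED = {
    "GigabitEthernet0/0": ipaddress.ip_network("10.10.0.0/24"),
    "GigabitEthernet0/1": ipaddress.ip_network("10.10.1.0/24"),
}

def parse_arp(text):
    """Yield (ip, mac or None if Incomplete, interface or None) per 'Internet' row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "Internet":
            continue  # header or unrelated line
        mac = None if f[3] == "Incomplete" else f[3]
        yield ipaddress.ip_address(f[1]), mac, (f[5] if len(f) > 5 else None)

def off_link_entries(text, connected):
    """ARP entries whose address lies outside the connected subnet they belong to."""
    hits = []
    for ip, mac, iface in parse_arp(text):
        # Incomplete rows may carry no interface: compare against every connected subnet.
        nets = [connected[iface]] if iface in connected else list(connected.values())
        if not any(ip in net for net in nets):
            hits.append((str(ip), mac, iface))
    return hits

def macs_answering_off_link(text, connected, threshold=2):
    """MACs resolved for at least `threshold` off-link addresses (proxy ARP symptom)."""
    counts = Counter(mac for _, mac, _ in off_link_entries(text, connected) if mac)
    return {mac: n for mac, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for entry in off_link_entries(SHOW_ARP, CONNECTED):
        print("off-link ARP entry:", entry)
    print("answering for off-link hosts:", macs_answering_off_link(SHOW_ARP, CONNECTED))
```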

  • Correctly specify the next-hop IP address on vIOS router
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.10.0.3
!

This is the correct solution, and it gives the desired output:

Router#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.0.2               -   5000.0003.0000  ARPA   GigabitEthernet0/0
Internet  10.10.0.3               1   5000.0001.0001  ARPA   GigabitEthernet0/0
Internet  10.10.1.1               1   5000.0002.0000  ARPA   GigabitEthernet0/1
Internet  10.10.1.254             -   5000.0003.0001  ARPA   GigabitEthernet0/1

It is worth highlighting that on point-to-point network interfaces where there is only one possible next-hop address, the router will only ever ARP for that address. It is therefore not strictly required to specify a next-hop in the ip route statement. For broadcast and multi-point networks the above behaviour will be observed and it is recommended to include the next-hop address in the ip route statement.
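
To find inherited configurations with this problem, the recommendation above can be turned into a configuration audit. The following is an added example, not code from the original post: it scans running-config text for ip route statements that name a broadcast-type interface without a next-hop. The list of broadcast interface name prefixes, the function names and the sample routes (documentation prefixes) are assumptions, and interface names are expected in the expanded form used by the running-config.

```python
import ipaddress

# Constructed sample: the first route is the one from the post, the rest are illustrative.
CONFIG = """\
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 192.0.2.0 255.255.255.0 GigabitEthernet0/0 10.10.0.3
ip route 198.51.100.0 255.255.255.0 10.10.0.3
ip route 203.0.113.0 255.255.255.0 Null0
"""

# Assumption: interface types treated as broadcast/multi-access; adjust per platform.
BROADCAST_PREFIXES = ("Ethernet", "FastEthernet", "GigabitEthernet",
                      "TenGigabitEthernet", "Vlan", "Port-channel")

def _is_ipv4(token):
    """True if the token parses as a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def interface_only_routes(config):
    """Return (prefix, mask, interface) for routes on broadcast interfaces with no next-hop."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "route"]:
            continue
        tok = tok[4:] if tok[2:3] == ["vrf"] else tok[2:]  # skip optional "vrf NAME"
        if len(tok) < 3 or _is_ipv4(tok[2]):
            continue  # malformed line, or a route given by next-hop address only
        # Anything after the interface that is not an address (distance, name) is not a next-hop.
        has_next_hop = len(tok) > 3 and _is_ipv4(tok[3])
        if tok[2].startswith(BROADCAST_PREFIXES) and not has_next_hop:
            findings.append((tok[0], tok[1], tok[2]))
    return findings

if __name__ == "__main__":
    for prefix, mask, iface in interface_only_routes(CONFIG):
        print(f"no next-hop on broadcast interface: ip route {prefix} {mask} {iface}")
```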
