route
Enter a static or default route for the specified interface.
[no] route if_name ip_address netmask gateway_ip [metric]
clear route [if_name ip_address [netmask gateway_ip]]
show route
Syntax Description
- if_name: Internal or external network interface name.
- ip_address: Internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.
- netmask: Specify a network mask to apply to ip_address.
- gateway_ip: Specify the IP address of the gateway router (the next hop address for this route).
- metric: Specify the number of hops to gateway_ip. If you are not sure, enter 1. A network administrator can supply this information, or you can use a traceroute command to obtain the number of hops. The default is 1 if a metric is not specified.
Usage
Configuration mode. Use the route command to define routes. You can enter default or static routes. To enter a default route, set ip_address and netmask to 0.0.0.0, or the shortened form of 0. Static routes provide access to networks that are reachable only through a router.
Here is an example of setting a static route:
route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1
The route command creates a route entry in the routing table that is not deleted until you run clear route (or the matching no route statement).
If the route command statement uses the IP address of one of the firewall's own interfaces as the gateway IP address, the firewall does not ARP for the gateway; instead it sends an ARP request for the destination IP address of each packet.
The following steps show how the firewall handles routing in that case:
- The firewall receives a packet from the inside interface destined to IP address X.
- Because the default route points at the firewall's own interface address, the firewall sends out an ARP request for address X.
- Any router on the outside interface LAN which has a route to address X (Cisco IOS software has proxy ARP enabled by default) replies back to the firewall with its own MAC address as the next hop.
- The firewall sends the packet to that router (just as it would to a default gateway).
- The firewall adds the entry to its ARP cache for IP address X with the MAC address being that of the router.
The CONNECT route entry is supported. (This identifier appears when you use the show route command.) The CONNECT identifier is assigned to the local network of each interface, derived from the interface IP address, which lies in that local subnet. For destinations in a connected network, the firewall ARPs for the destination address itself. A CONNECT entry cannot be removed, but it changes when you change the IP address on the interface.
If you enter a duplicate route with a different metric for the same gateway, the firewall does not add a second entry; it updates the metric of the existing route.
For example, the following command statement is in a configuration:
route inside 10.0.0.0 255.0.0.0 10.0.0.2 2 OTHER
If you enter the following statement:
route inside 10.0.0.0 255.0.0.0 10.0.0.2 3
The firewall converts the command statement to the following:
route inside 10.0.0.0 255.0.0.0 10.0.0.2 3 OTHER
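The following Python model, added here as an illustration and not part of Cisco's documentation or software, parses route statements in the syntax given above and shows the table behaviour just described: a duplicate route for the same interface, network and gateway replaces the metric instead of creating a second entry, a missing metric defaults to 1, and "0" expands to 0.0.0.0. Two points are this example's own choices rather than documented behaviour: a route is identified by the (if_name, network, gateway) triple, and an ip_address with host bits set under its netmask is rejected. The clear method models only the interface form of clear route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Model of how the route command populates the routing table (added example,
# not Cisco's code). Assumption: a route is identified by interface, network
# and gateway, so re-entering it with another metric updates the metric in place.


@dataclass
class Route:
    if_name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def _expand_zero(token: str) -> str:
    # The firewall accepts "0" as shorthand for 0.0.0.0 (address and mask).
    return "0.0.0.0" if token == "0" else token


def parse_route(statement: str) -> tuple:
    """Parse '[no] route if_name ip_address netmask gateway_ip [metric]'.

    Returns (negated, route); negated is True for a 'no route' statement.
    """
    tokens = statement.split()
    negated = tokens[:1] == ["no"]
    if negated:
        tokens = tokens[1:]
    if len(tokens) not in (5, 6) or tokens[0] != "route":
        raise ValueError(f"malformed route statement: {statement!r}")
    if_name, ip, mask, gw = tokens[1:5]
    metric = int(tokens[5]) if len(tokens) == 6 else 1  # metric defaults to 1
    if metric < 1:
        raise ValueError("metric must be at least 1")
    try:
        # strict=True rejects an ip_address with host bits set under netmask
        # (this example's choice; the page does not describe the firewall's reaction).
        network = ipaddress.IPv4Network((_expand_zero(ip), _expand_zero(mask)), strict=True)
    except ValueError as exc:
        raise ValueError(f"{ip} {mask}: {exc}") from None
    return negated, Route(if_name, network, ipaddress.IPv4Address(gw), metric)


class RouteTable:
    def __init__(self) -> None:
        self._routes: dict = {}

    def apply(self, statement: str) -> None:
        """Apply one 'route' or 'no route' configuration statement."""
        negated, route = parse_route(statement)
        key = (route.if_name, route.network, route.gateway)
        if negated:
            self._routes.pop(key, None)  # 'no route' removes the entry; metric is ignored
        else:
            self._routes[key] = route  # duplicate route: metric replaced, no second entry

    def clear(self, if_name: Optional[str] = None) -> None:
        """'clear route' drops all configured routes, or only those on if_name."""
        for key in list(self._routes):
            if if_name is None or key[0] == if_name:
                del self._routes[key]

    def default_route(self) -> Optional[Route]:
        return next((r for r in self._routes.values() if r.network.prefixlen == 0), None)

    def show(self) -> list:
        """Render entries the way 'show route' labels configured routes (OTHER)."""
        return [
            f"{r.if_name} {r.network.network_address} {r.network.netmask} "
            f"{r.gateway} {r.metric} OTHER"
            for r in self._routes.values()
        ]


if __name__ == "__main__":
    table = RouteTable()
    table.apply("route inside 10.0.0.0 255.0.0.0 10.0.0.2 2")
    table.apply("route inside 10.0.0.0 255.0.0.0 10.0.0.2 3")  # updates the metric to 3
    table.apply("route outside 0 0 209.165.201.1")               # default route, metric 1
    print("\n".join(table.show()))
```

Running the block prints a single inside entry with metric 3 followed by the default route, which is the conversion shown in the text. Feeding a whole configuration through apply and then comparing show() against the firewall's own show route output is a cheap way to spot routes that were silently overwritten by a later duplicate.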
Examples
Specify one default route command statement for the outside interface, which in this example is the router on the outside interface with the IP address 209.165.201.1:
route outside 0 0 209.165.201.1 1
For static routes, if two networks, 10.1.2.0 and 10.1.3.0, connect via a hub to the dmz1 interface router at 10.1.1.4, add these static route command statements to provide access to the networks:
route dmz1 10.1.2.0 255.0.0.0 10.1.1.4 1
route dmz1 10.1.3.0 255.0.0.0 10.1.1.4 1
Create a Default Route
Run show route to view the default route. Run no route to remove a route command. If the outside router is at 192.150.50.3, you would use:
route outside 0 0 192.150.50.2 1
This command states that the default router is on the outside interface. The 0 0 information is an IP address of 0.0.0.0 and a mask of 0.0.0.0, which the firewall associates with the default route. The route command can be read as "if I have a packet intended for IP address 0.0.0.0, send it to 192.150.50.2 instead." The 1 at the end is the number of hops that the router is from the firewall. Hops are routers, so 1 hop is the router nearest the firewall.
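To make the selection rules concrete, here is an added Python model (not Cisco's code) of how a destination is matched against CONNECT entries, static routes and the default route, and of the ARP behaviour described earlier for a route whose gateway is one of the firewall's own interface addresses. It serves both the Usage discussion above (CONNECT entries and the ARP-for-destination steps) and the default route example in this section. The topology, interface addresses and routes are constructed for the example; the metric 0 on CONNECT entries, the tie-break on metric and the CIDR form of interface addresses are assumptions of this model, not documented behaviour.

```python
import ipaddress
from typing import NamedTuple, Optional

# Added model of route selection (not Cisco's code). Assumptions: CONNECT
# entries carry metric 0 here, interface addresses are given in CIDR form,
# and the longest prefix wins with the lower metric breaking ties.


class Entry(NamedTuple):
    if_name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address  # for CONNECT entries, the interface's own address
    metric: int
    kind: str                       # "CONNECT" or "OTHER", as show route labels them


def connect_entries(interfaces: dict) -> list:
    """One CONNECT entry per interface, derived from its address and mask."""
    entries = []
    for name, cidr in interfaces.items():
        iface = ipaddress.IPv4Interface(cidr)
        entries.append(Entry(name, iface.network, iface.ip, 0, "CONNECT"))
    return entries


def static_entries(routes: list) -> list:
    """Configured routes given as (if_name, ip_address, netmask, gateway_ip, metric)."""
    return [
        Entry(name, ipaddress.IPv4Network((ip, mask), strict=False),
              ipaddress.IPv4Address(gw), metric, "OTHER")
        for name, ip, mask, gw, metric in routes
    ]


def lookup(table: list, dest: str) -> Optional[Entry]:
    """Longest-prefix match; the default route (/0) matches everything, so it is chosen last."""
    addr = ipaddress.IPv4Address(dest)
    matches = [e for e in table if addr in e.network]
    if not matches:
        return None
    return max(matches, key=lambda e: (e.network.prefixlen, -e.metric))


def next_hop(table: list, interfaces: dict, dest: str) -> Optional[tuple]:
    """Return (if_name, address the firewall ARPs for, kind) for a destination."""
    entry = lookup(table, dest)
    if entry is None:
        return None
    own = {ipaddress.IPv4Interface(c).ip for c in interfaces.values()}
    # On a directly connected network, or when the route's gateway is one of
    # the firewall's own interface addresses, the firewall ARPs for the
    # destination itself and relies on a router on that LAN answering (proxy ARP).
    if entry.kind == "CONNECT" or entry.gateway in own:
        return entry.if_name, dest, entry.kind
    return entry.if_name, str(entry.gateway), entry.kind


# Constructed sample topology (not from the page): interface addresses and routes.
INTERFACES = {"inside": "10.0.0.1/8", "dmz": "192.168.1.1/24", "outside": "209.165.201.2/27"}
STATIC = [
    ("dmz", "192.168.42.0", "255.255.255.0", "192.168.1.5", 1),
    ("outside", "0.0.0.0", "0.0.0.0", "209.165.201.1", 1),
]
TABLE = connect_entries(INTERFACES) + static_entries(STATIC)

# Same topology, but the default route points at the firewall's own outside
# address: the case in which the firewall ARPs for the destination directly.
SELF_DEFAULT = connect_entries(INTERFACES) + static_entries(
    [("outside", "0.0.0.0", "0.0.0.0", "209.165.201.2", 1)]
)

if __name__ == "__main__":
    for d in ("192.168.42.7", "192.168.1.9", "198.51.100.7"):
        print(d, "->", next_hop(TABLE, INTERFACES, d))
    print("198.51.100.7 via own address ->", next_hop(SELF_DEFAULT, INTERFACES, "198.51.100.7"))
```

The second table shows why a default route pointing at the firewall's own address deserves scrutiny during a configuration review: every destination not covered by a more specific route is resolved by ARP on the outside LAN, so whichever router there answers proxy ARP for an address becomes the next hop for it, not a gateway the administrator chose.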