Most Common Issues with Routing

Started by Fred, January 03, 2015, 08:08:44 PM


Fred

Seems we are frequently asked questions that have the same answer.  This might save you some time.

Frequent Solution #1: Remember Routing Goes Both Ways
Often, an engineer will post a question along the lines of, "I'm unable to ping a from b. I've checked my routes and they're all there."  Most frequently, the cause is that the routes are unidirectional.  That is, while there is routing from a to b, there are no routes back from b to a. 

A common scenario is when you've got a home lab, and you're pinging an Internet host.  Pinging works from the router that's connected to your home LAN, but nothing inside can access the Internet.  In this case, you'll need to add static routes (or a routing protocol!) to your home Internet gateway.

Frequent Solution #2: Access-lists need to account for return traffic
When you apply an ACL to an interface, you're often thinking about what traffic needs to be allowed through that interface. For a locked down home network, you may want to allow HTTP, HTTPS, and DNS, but deny everything else.  You may have implemented something like this:
ip access-list extended INTERNET-OUT
permit tcp any any eq 80
permit tcp any any eq 443
permit udp any any eq 53
int fa0/0
description INTERNET PORT
ip address dhcp
ip nat outside
ip access-group INTERNET-OUT out

If you stop here, and you have NAT and DHCP configured correctly, things will work.  But you also want to block inbound traffic, so you add:

ip access-list extended INTERNET-IN
remark block those dirty hackers
deny ip any any
int fa0/0
ip access-group INTERNET-IN in

And now everything breaks.  The reason is that your INTERNET-IN ACL denies all return traffic.  That is, your computer makes a connection to Google, and it's allowed outbound, but when Google replies, INTERNET-IN blocks that reply traffic.  The solution is to allow that traffic with something like this:

ip access-list extended INTERNET-IN
remark Allow return traffic
permit tcp any eq 80 any
permit tcp any eq 443 any
permit udp any eq 53 any
remark block those dirty hackers
deny ip any any

Better alternatives would be to use reflexive ACLs, or better yet, a zone-based firewall.

Frequent Solution #3: You're blocking DHCP
The configuration in #2 above will work for an indeterminate period of time, but then will stop working.  Eventually, fa0/0's DHCP lease will expire and it will be unable to renew it.

To solve this, you need to add bootpc and bootps to your ACLs, both inbound and out.  I leave the 'exactly how' as an exercise for the reader.

----

Feel free to add other frequent solutions.
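The following is an added example, not part of Fred's post or any Cisco code: a small Python simulation of the ACLs from Frequent Solutions #2 and #3 as first-match rule lists, with the DHCP lines from #3 filled in, alongside a reflexive-style stateful filter to show why the post calls that the better alternative. The packets, the documentation-range addresses (203.0.113.2 as the router's outside address, 203.0.113.1 as the ISP's DHCP server, 198.51.100.x as remote hosts) and the ephemeral port numbers are all constructed for the illustration, and the model is a pure packet filter (real IOS exempts router-originated packets from outbound interface ACLs, so in practice it is the inbound ACL that bites on DHCP).

```python
"""Stateless vs. stateful handling of return traffic (constructed simulation).

Models the ACLs from the post as first-match rule lists and runs constructed
packets through them, then does the same with a reflexive-style filter.
Addresses, ports and packets are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# ACL entry: (action, proto, src_port, dst_port); None means "any".
# Cisco "permit tcp any any eq 80" -> ("permit", "tcp", None, 80)
# Cisco "permit tcp any eq 80 any" -> ("permit", "tcp", 80, None)
INTERNET_OUT = [
    ("permit", "tcp", None, 80),
    ("permit", "tcp", None, 443),
    ("permit", "udp", None, 53),
]
INTERNET_IN_DENY_ALL = [("deny", "ip", None, None)]
INTERNET_IN_RETURN = [
    ("permit", "tcp", 80, None),
    ("permit", "tcp", 443, None),
    ("permit", "udp", 53, None),
    ("deny", "ip", None, None),
]
# Frequent Solution #3: DHCP renewals are UDP bootpc (68) -> bootps (67),
# and the server's reply is bootps -> bootpc. These two entries are the
# "exercise for the reader", written out here as an assumption.
BOOTPS, BOOTPC = 67, 68
INTERNET_OUT_DHCP = INTERNET_OUT + [("permit", "udp", BOOTPC, BOOTPS)]
INTERNET_IN_DHCP = [("permit", "udp", BOOTPS, BOOTPC)] + INTERNET_IN_RETURN


def acl_permits(acl, pkt):
    """First matching entry wins; like a Cisco ACL it ends in an implicit deny."""
    for action, proto, sport, dport in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


class ReflexiveFilter:
    """Rough model of a reflexive ACL / zone-based firewall: an inbound packet
    is allowed only if it mirrors a session an inside host opened first."""

    def __init__(self, outbound_acl):
        self.outbound_acl = outbound_acl
        self.sessions = set()

    def outbound(self, pkt):
        if not acl_permits(self.outbound_acl, pkt):
            return False
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        # The reversed 5-tuple must match a session we initiated.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def demo():
    # Constructed packets as seen on fa0/0 after NAT (documentation addresses).
    https_out = Packet("tcp", "203.0.113.2", 51000, "198.51.100.5", 443)
    https_back = Packet("tcp", "198.51.100.5", 443, "203.0.113.2", 51000)
    dhcp_renew = Packet("udp", "203.0.113.2", BOOTPC, "203.0.113.1", BOOTPS)
    dhcp_ack = Packet("udp", "203.0.113.1", BOOTPS, "203.0.113.2", BOOTPC)
    # Unsolicited probe whose source port is set to 443 so it looks like a reply.
    probe = Packet("tcp", "198.51.100.99", 443, "203.0.113.2", 22)

    rf = ReflexiveFilter(INTERNET_OUT)
    rf.outbound(https_out)
    return {
        "out_allows_https": acl_permits(INTERNET_OUT, https_out),
        "deny_all_blocks_reply": not acl_permits(INTERNET_IN_DENY_ALL, https_back),
        "return_acl_allows_reply": acl_permits(INTERNET_IN_RETURN, https_back),
        "return_acl_blocks_dhcp": not acl_permits(INTERNET_IN_RETURN, dhcp_ack),
        "dhcp_acl_allows_dhcp": acl_permits(INTERNET_OUT_DHCP, dhcp_renew)
        and acl_permits(INTERNET_IN_DHCP, dhcp_ack),
        # Weakness of the static return rules: anything with sport 443 gets in.
        "return_acl_allows_probe": acl_permits(INTERNET_IN_RETURN, probe),
        "reflexive_allows_reply": rf.inbound(https_back),
        "reflexive_blocks_probe": not rf.inbound(probe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last three results are the reason for the "better alternatives" remark in #2: a static `permit tcp any eq 443 any` trusts the source port, so any outside host that sets its source port to 443 can reach any inside port that NAT happens to expose, while the stateful filter only admits replies to sessions the inside actually opened.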