
routing loop between core and firewall

Status
Not open for further replies.

hawhian

MIS
Oct 12, 2006
2
US
Simple question: my default route on my core points to the firewall. The firewall has static routes stating that 172.16.0.0 is on the inside interface (which it is).

When I traceroute to a non-valid 172.16.0.0 IP, I get a loop between my core and the firewall.

Now the question: who should have the more specific routes, the firewall or the router? We don't use all of 172.16.0.0, obviously.
 
This is quite common. There are a couple of solutions I can think of.

1. Remove the 172.16.0.0/12 route on the Firewall and add only the specific routes you are using.

2. Run a routing protocol between your internal network and the Firewall.

3. On your internal routers add a summary route to Null0 so any unknown 172.16.0.0/12 routes are dropped (ip route 172.16.0.0 255.240.0.0 null0)

HTH

Andy
 
Option 1 is the ideal... but the firewall bozos don't want to change; they want this resolved on the router.

With option 3, would a route of 172.16.0.0/12 to null0 mean anything 172.16.0.0 through 172.31.0.0 would get blackholed? Unless I use all of the /12, I would still get loops on the subnets that weren't being used, correct?

Thanks for your help...
 
Yes, option 3 would blackhole the private 172 addresses. You wouldn't get loops because nothing would get sent to the firewall for that address range. You'd have more specific routing entries for parts of that address space, if necessary.

Let's say you have a nonconnected network 172.17.1.0/24 and no dynamic routing protocol. You'd do something like this:

ip route 172.16.0.0 255.240.0.0 null0
ip route 172.17.1.0 255.255.255.0 <remote gateway>
ip route 0.0.0.0 0.0.0.0 <firewall>

1. Traffic to 172.17.1.0/24 -> remote router
2. Any other traffic to 172.16.0.0/12 -> dropped
3. Everything else -> firewall

The more specific routing statement is used if multiple ones apply.
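To make the loop in the original question and the effect of the Null0 summary route concrete, here is an added simulation (not code from any poster in this thread). It models the core and the firewall as longest-prefix-match forwarding tables. The device names, the constructed tables and the destination addresses are assumptions for illustration; the firewall's 172.16.0.0/12 route pointing back at the core and the core's default route toward the firewall reproduce the loop, and the second core table adds the Null0 summary plus the single real /24 from the answer above.

```python
import ipaddress

# Constructed forwarding tables (illustration only, not the poster's real config).
# Each entry is (prefix, next_hop). "null0" drops the packet; any other name is
# the device the packet is handed to. Names not present in the DEVICES map are
# treated as outside the modelled network, i.e. the packet is delivered.
CORE_LOOPING = [
    ("0.0.0.0/0", "firewall"),          # default route points at the firewall
]
FIREWALL = [
    ("172.16.0.0/12", "core"),          # "172.16.0.0 is on the inside interface"
    ("0.0.0.0/0", "internet"),
]
CORE_FIXED = [
    ("172.16.0.0/12", "null0"),         # option 3: summary route to Null0
    ("172.17.1.0/24", "remote-router"), # the one subnet actually in use
    ("0.0.0.0/0", "firewall"),
]


def lookup(table, dst):
    """Longest-prefix match: among all routes covering dst, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(devices, start, dst, ttl=8):
    """Walk a packet hop by hop until it is delivered, dropped, or its TTL runs out.

    Returns (outcome, path) where outcome is "delivered", "dropped" or "ttl-expired".
    """
    path = [start]
    device = start
    for _ in range(ttl):
        next_hop = lookup(devices[device], dst)
        if next_hop is None or next_hop == "null0":
            return ("dropped", path)
        path.append(next_hop)
        if next_hop not in devices:     # handed off outside the model: delivered
            return ("delivered", path)
        device = next_hop
    return ("ttl-expired", path)        # bounced between devices until TTL hit 0


LOOPING = {"core": CORE_LOOPING, "firewall": FIREWALL}
FIXED = {"core": CORE_FIXED, "firewall": FIREWALL}

if __name__ == "__main__":
    # Unused 172.16.0.0/12 address: loops in the original setup, dropped once
    # the Null0 summary is installed on the core.
    print(forward(LOOPING, "core", "172.20.3.4"))
    print(forward(FIXED, "core", "172.20.3.4"))
    # Real subnet: the /24 beats the /12 summary, so it still reaches the remote router.
    print(forward(FIXED, "core", "172.17.1.5"))
    # Non-RFC1918 destination: default route toward the firewall as before.
    print(forward(FIXED, "core", "8.8.8.8"))
```

The interesting check is the second and third calls together: the same /12 summary that swallows the unused space does not affect 172.17.1.0/24, because the /24 is the longer match. That is why, as the answer says, the summary can stay as a catch-all while each real subnet gets its own more specific route.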
 