Cisco IOS: Case Study regarding the difference between static route using next-hop IP and using outgoing interface

Nico Eisma, Senior Network Engineer
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outgoing interface.

For this test we are going to use the simple network setup shown in the diagram below:
[Image: Network-Diagram.png]

Static Route using outgoing interface.
Let's configure R1 as follows:
    R1(config)#int FastEthernet0/0
    R1(config-if)#ip address 1.1.1.1 255.255.255.0
    R1(config-if)#no shut
    R1(config-if)#exit
    R1(config)#ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    R1(config)#end
    R1#wr
    Building configuration...

    *Mar  1 00:15:23.571: %SYS-5-CONFIG_I: Configured from console by console[OK]
    R1#


We then try to send a couple of pings from R1 and look at the ARP table:

    R1#ping 2.2.2.2 re 3

    Type escape sequence to abort.
    Sending 3, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
    .!!
    Success rate is 66 percent (2/3), round-trip min/avg/max = 68/74/80 ms
    R1#ping 3.3.3.3 re 3

    Type escape sequence to abort.
    Sending 3, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    .!!
    Success rate is 66 percent (2/3), round-trip min/avg/max = 68/68/68 ms
    R1#ping 4.4.4.4 re 3

    Type escape sequence to abort.
    Sending 3, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    .!!
    Success rate is 66 percent (2/3), round-trip min/avg/max = 72/82/92 ms
    R1#ping 5.5.5.5 re 3

    Type escape sequence to abort.
    Sending 3, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
    .!!
    Success rate is 66 percent (2/3), round-trip min/avg/max = 68/70/72 ms
    R1#
    R1#show ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  5.5.5.5                 0   c002.28b4.0000  ARPA   FastEthernet0/0
    Internet  4.4.4.4                 0   c002.28b4.0000  ARPA   FastEthernet0/0
    Internet  3.3.3.3                 0   c002.28b4.0000  ARPA   FastEthernet0/0
    Internet  2.2.2.2                 0   c002.28b4.0000  ARPA   FastEthernet0/0
    Internet  1.1.1.1                 -   c001.1b8c.0000  ARPA   FastEthernet0/0
    R1#


And here is the Wireshark packet capture during the ping test.
[Image: Wireshark-of-ARP-due-to-static-route-usi]
  • Notice that for every ping sent out Fa0/0 via the default static route, an Address Resolution Protocol (ARP) request is made for that particular destination IP.
  • Also, the first ping packet to each destination is dropped, because the first time we send traffic to a destination, ARP must first resolve the next-hop MAC address.
  • Looking at the ARP table, an ARP entry is created for each destination IP. So if we sent traffic to 100 destinations, the ARP table would include 100 entries.
  • With this being a default route to the Internet, and depending on the number of users in your network accessing various things on the Internet, this can easily populate your ARP table unnecessarily.
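
The observation above can be checked mechanically. The following Python is an added example, not part of the original article: it parses `show ip arp` output and reports entries whose address lies outside the interface's connected subnet, grouped by the MAC that answered. The sample text is constructed from the output shown above, and the `connected` mapping (interface name to subnet) is an assumption the operator supplies.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: "show ip arp" as captured in the outgoing-interface test above.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  5.5.5.5                 0   c002.28b4.0000  ARPA   FastEthernet0/0
Internet  4.4.4.4                 0   c002.28b4.0000  ARPA   FastEthernet0/0
Internet  3.3.3.3                 0   c002.28b4.0000  ARPA   FastEthernet0/0
Internet  2.2.2.2                 0   c002.28b4.0000  ARPA   FastEthernet0/0
Internet  1.1.1.1                 -   c001.1b8c.0000  ARPA   FastEthernet0/0
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<intf>\S+)\s*$"
)

def off_subnet_arp_entries(show_ip_arp, connected):
    """Return {(interface, mac): [ips]} for ARP entries outside the connected subnet.

    connected maps an interface name to its ipaddress.IPv4Network (assumed input,
    taken from the interface's "ip address" line).
    """
    findings = defaultdict(list)
    for line in show_ip_arp.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # header, blank line or router prompt
        net = connected.get(m["intf"])
        ip = ipaddress.ip_address(m["ip"])
        # An on-link neighbour is always inside the connected subnet; anything
        # else was resolved on behalf of a remote host (proxy-ARP).
        if net is not None and ip not in net:
            findings[(m["intf"], m["mac"])].append(str(ip))
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in findings.items()}

if __name__ == "__main__":
    connected = {"FastEthernet0/0": ipaddress.ip_network("1.1.1.0/24")}
    for (intf, mac), ips in off_subnet_arp_entries(SHOW_IP_ARP, connected).items():
        print(f"{intf}: {len(ips)} off-subnet ARP entries answered by {mac}: {', '.join(ips)}")
```

A non-empty result on an Ethernet interface means the router is resolving remote destinations over ARP, which is the signature of an interface-only static route answered by proxy-ARP.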
Static Route using next-hop IP.
Same setup:
  • We remove the previous static route using outgoing interface
  • Add the new static route using next-hop IP
  • Then clear the ARP-cache
  • Send some pings and check the ARP table again.
    R1(config)#do show run int FastEthernet0/0 | inc interface|ip address
    interface FastEthernet0/0
     ip address 1.1.1.1 255.255.255.0
    R1(config)#
    R1(config)#no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    R1(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2
    R1(config)#
    R1(config)#end
    R1#
    *Mar  1 00:26:12.919: %SYS-5-CONFIG_I: Configured from console by console
    R1#
    R1#clear arp-cache
    R1#
    R1#show ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  1.1.1.1                 -   c001.1b8c.0000  ARPA   FastEthernet0/0
    R1#
    R1#ping 2.2.2.2 re 2

    Type escape sequence to abort.
    Sending 2, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
    .!
    Success rate is 50 percent (1/2), round-trip min/avg/max = 92/92/92 ms
    R1#ping 3.3.3.3 re 2

    Type escape sequence to abort.
    Sending 2, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    !!
    Success rate is 100 percent (2/2), round-trip min/avg/max = 64/66/68 ms
    R1#ping 4.4.4.4 re 2

    Type escape sequence to abort.
    Sending 2, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    !!
    Success rate is 100 percent (2/2), round-trip min/avg/max = 68/98/128 ms
    R1#ping 5.5.5.5 re 2

    Type escape sequence to abort.
    Sending 2, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
    !!
    Success rate is 100 percent (2/2), round-trip min/avg/max = 60/86/112 ms
    R1#
    R1#show ip arp
    R1#show ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  1.1.1.1                 -   c001.1b8c.0000  ARPA   FastEthernet0/0
    Internet  1.1.1.2                 0   c002.28b4.0000  ARPA   FastEthernet0/0
    R1#


And here is the Wireshark capture during the ping test.
[Image: Wireshark-of-ARP-due-to-static-route-usi]
  • Notice that only the very first packet is dropped, because ARP must first resolve 1.1.1.2, as seen on line 33 of the Wireshark capture.
  • Subsequent traffic does not require an ARP request, and first-packet drops do not occur.
  • The ARP table only shows entries for 1.1.1.1 and 1.1.1.2.

Further Analysis and food for thought
  • Who is replying to the ARP queries from R1?
Answer: That's easy: the upstream router, since R1 is directly connected to only one device upstream.
  • Why is the upstream router replying to the ARP queries, even though those IP addresses do not belong to the upstream router (they may well be much further upstream, across the Internet)?
Answer: This is due to proxy-ARP. By default, proxy-ARP is enabled on all IOS device interfaces, so even though the IP address does not belong to the router itself, it replies to the ARP queries.
  • What happens when proxy-ARP is disabled on the upstream router, or the upstream device is not capable of proxy-ARP? Will R1 still be able to send out traffic?
Answer: No, it will not be able to send traffic, since ARP resolution is needed to identify the next-hop MAC address that will be used in the Layer 2 frame header when encapsulating the packet.
    Internet#show run int fa0/0 | inc interface|ip address|proxy
    interface FastEthernet0/0
     ip address 1.1.1.2 255.255.255.0
     no ip proxy-arp


    R1#ping 2.2.2.2 re 3

    Type escape sequence to abort.
    Sending 3, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
    ...
    Success rate is 0 percent (0/3)
    R1#
    R1#
    R1#ping 2.2.2.2 re 3

    Type escape sequence to abort.
    Sending 3, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
    ...
    Success rate is 0 percent (0/3)
    R1#ping 3.3.3.3 re 3

    Type escape sequence to abort.
    Sending 3, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    ...
    Success rate is 0 percent (0/3)
    R1#
    R1#
    R1#
    R1#show ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  1.1.1.1                 -   c001.1b8c.0000  ARPA   FastEthernet0/0
    R1#


[Image: No-proxy-ARP.png]

  • If you have two upstream devices connected on a LAN to R1, as shown below, which upstream device will R1 use if a static default route is configured using an outgoing interface?
[Image: Two-upstream-router.png]
Answer: Whichever one replies to the ARP queries first. Very undesirable.

Summary and conclusion.
  • A static route configured with an outgoing interface will generate an ARP request for every destination IP that packets are sent to through the interface. This can populate your ARP table unnecessarily. Depending on the load of the router, the router's capabilities, the number of users and the traffic passing through, a heavily populated ARP table can cause issues on the router. Consider an Internet router running a border gateway protocol, a virtual private network, and an interior gateway protocol. An over-populated ARP table can have a negative impact on the router's CPU and memory load that could have been avoided.
  • A static route configured with an outgoing interface relies heavily on proxy-ARP. If proxy-ARP is disabled, or the upstream device is not capable of proxy-ARP, static routes using an outgoing interface will not work. Lastly, if two upstream devices reply to ARP queries, the route that traffic takes becomes non-deterministic.
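
To find routes of the problematic form in an existing configuration, the conclusion can be turned into a small audit. This Python is an added example, not part of the original article: it classifies each `ip route` line and flags interface-only routes that point at a multi-access interface. The sample configuration is constructed, and the interface-name heuristic in `MULTI_ACCESS` is an assumption (point-to-point and Null0 targets do not use ARP, so they are not flagged).

```python
import re

# Constructed sample: only the "ip route" lines matter to the audit.
RUNNING_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 10.10.0.0 255.255.0.0 1.1.1.2
ip route 10.20.0.0 255.255.0.0 FastEthernet0/0 1.1.1.2
ip route 10.30.0.0 255.255.0.0 Serial0/0
ip route 192.0.2.0 255.255.255.0 Null0
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Assumption: these name prefixes identify ARP-using (multi-access) interfaces.
MULTI_ACCESS = re.compile(
    r"^(Ethernet|FastEthernet|GigabitEthernet|TenGigabitEthernet|Vlan|Port-channel)",
    re.IGNORECASE,
)

def audit_static_routes(config):
    """Return a list of (line, form, risky) for every 'ip route' statement."""
    results = []
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:2] != ["ip", "route"]:
            continue
        args = tok[2:]
        if args[:1] == ["vrf"]:
            args = args[2:]          # skip "vrf <name>"
        if len(args) < 3:
            continue                 # need prefix, mask and a target
        target = args[2:]
        if IPV4.match(target[0]):
            form, intf = "next-hop", None
        elif len(target) > 1 and IPV4.match(target[1]):
            form, intf = "interface+next-hop", target[0]
        else:
            form, intf = "interface-only", target[0]
        # Only interface-only routes on an ARP-using interface depend on proxy-ARP.
        risky = form == "interface-only" and bool(MULTI_ACCESS.match(intf))
        results.append((raw.strip(), form, risky))
    return results

if __name__ == "__main__":
    for line, form, risky in audit_static_routes(RUNNING_CONFIG):
        print(f"{'FLAG' if risky else 'ok  '}  {form:<19} {line}")
```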

Comments (1)

Jody Lemoine, Network Architect
Commented:
There is actually a third method that combines the two.

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 1.1.1.2

This has all of the same benefits as routing to the next-hop address, but ensures that the traffic doesn't use another interface regardless of the routing table's data for the next hop. It also has other applications, such as statically leaking routes between VRF instances.

Good write-up.
