The following topics describe how routing behaves within the FTD device. Routing is the act of moving information across a network from a source to a destination. Along the way, at least one intermediate node is typically encountered. Routing involves two basic activities: determining optimal routing paths and transporting packets through a network.
The Routing Table and Route Selection
When NAT translations (xlates) and rules do not determine the egress interface, the system uses the routing table to determine the path for a packet.
Routes in the routing table include a metric called “administrative distance” that provides a relative priority to a given route. If a packet matches more than one route entry, the one with the lowest distance is used. Directly connected networks (those defined on an interface) have the distance 0, so they are always preferred. Static routes have a default distance of 1, but you can create them with any distance between 1-254.
Routes that identify a specific destination take precedence over the default route (the route whose destination is 0.0.0.0/0 or ::/0).
How Forwarding Decisions Are Made
Forwarding decisions are made as follows:
If the destination does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded.
If the destination matches a single entry in the routing table, the packet is forwarded through the interface associated with that route.
If the destination matches more than one entry in the routing table, then the packet is forwarded out of the interface associated with the route that has the longer network prefix length.
For example, a packet destined for 192.168.32.1 arrives on an interface with the following routes in the routing table:
192.168.32.0/24 gateway 10.1.1.2
192.168.32.0/19 gateway 10.1.1.3
In this case, a packet destined to 192.168.32.1 is directed toward 10.1.1.2, because 192.168.32.1 falls within the 192.168.32.0/24 network. It also falls within the other route in the routing table, but 192.168.32.0/24 has the longest prefix within the routing table (24 bits verses 19 bits). Longer prefixes are always preferred over shorter ones when forwarding a packet.
Existing connections continue to use their established interfaces even if a new similar connection would result in different behavior due to a change in routes.
Routing Table for Management Traffic
Equal-Cost Multi-Path (ECMP) Routing
The Firepower Threat Defense device supports Equal-Cost Multi-Path (ECMP) routing.
You can have up to 8 equal cost static or dynamic routes per interface. For example, you can configure multiple default routes on the outside interface that specify different gateways.
route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.2 route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.3 route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.4
In this case, traffic is load-balanced on the outside interface between 10.1.1.2, 10.1.1.3, and 10.1.1.4. Traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses, incoming interface, protocol, source and destination ports.