Routing Overview
The following topics describe how routing behaves within the FTD device. Routing is the act of moving information across a network from a source to a destination. Along the way, at least one intermediate node is typically encountered. Routing involves two basic activities: determining optimal routing paths and transporting packets through a network.
The Routing Table and Route Selection
When NAT translations (xlates) and rules do not determine the egress interface, the system uses the routing table to determine the path for a packet.
Routes in the routing table carry a value called “administrative distance” that gives each route a relative priority. If a packet matches more than one route entry with the same prefix length, the one with the lowest distance is used. Directly connected networks (those defined on an interface) have a distance of 0, so they are always preferred. Static routes have a default distance of 1, but you can create them with any distance between 1 and 254.
Routes that identify a specific destination take precedence over the default route (the route whose destination is 0.0.0.0/0 or ::/0).
How Forwarding Decisions Are Made
Forwarding decisions are made as follows:
- If the destination does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded.
- If the destination matches a single entry in the routing table, the packet is forwarded through the interface associated with that route.
- If the destination matches more than one entry in the routing table, then the packet is forwarded out of the interface associated with the route that has the longer network prefix length.
For example, a packet destined for 192.168.32.1 arrives on an interface with the following routes in the routing table:
- 192.168.32.0/24 gateway 10.1.1.2
- 192.168.32.0/19 gateway 10.1.1.3
In this case, a packet destined to 192.168.32.1 is directed toward 10.1.1.2, because 192.168.32.1 falls within the 192.168.32.0/24 network. It also falls within the other route in the routing table, but 192.168.32.0/24 has the longest prefix within the routing table (24 bits versus 19 bits). Longer prefixes are always preferred over shorter ones when forwarding a packet.
Note: Existing connections continue to use their established interfaces even if a new similar connection would result in different behavior due to a change in routes.
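The lookup order described above (longest prefix first, then lowest administrative distance, then the default route, otherwise discard) as an added worked example; this is illustrative code written for this page, not FTD code. The routing table is constructed around the page's two 192.168.32.0 routes; the connected 10.1.1.0/24 network, the 10.1.1.254 default gateway and the 172.16.0.0/16 primary/backup pair are assumptions added to exercise each rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str        # destination network, e.g. "192.168.32.0/24"
    gateway: str       # next hop ("connected" marks a directly connected network)
    interface: str     # egress interface
    distance: int = 1  # administrative distance: 0 = connected, static routes default to 1


def select_route(routing_table, destination):
    """Return the route the forwarding rules would pick for `destination`,
    or None when nothing matches and no default route exists (packet is discarded)."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for route in routing_table:
        net = ipaddress.ip_network(route.prefix, strict=False)
        if net.version == dst.version and dst in net:
            candidates.append((net.prefixlen, route))
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the lowest administrative distance wins.
    candidates.sort(key=lambda item: (-item[0], item[1].distance))
    return candidates[0][1]


# Constructed routing table (assumption: 10.1.1.0/24 is the connected network on "outside").
TABLE = [
    Route("10.1.1.0/24", "connected", "outside", distance=0),
    Route("0.0.0.0/0", "10.1.1.254", "outside"),
    Route("192.168.32.0/24", "10.1.1.2", "outside"),
    Route("192.168.32.0/19", "10.1.1.3", "outside"),
    Route("172.16.0.0/16", "10.1.1.2", "outside", distance=1),    # primary static route
    Route("172.16.0.0/16", "10.1.1.3", "outside", distance=200),  # floating backup, not used while primary exists
]

if __name__ == "__main__":
    for dst in ("192.168.32.1", "192.168.40.1", "172.16.5.5", "10.1.1.9", "8.8.8.8", "2001:db8::1"):
        r = select_route(TABLE, dst)
        print(dst, "->", f"{r.gateway} via {r.interface} ({r.prefix})" if r else "discarded (no route)")
```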
Routing Table for Management Traffic
As a standard security practice, it is often necessary to segregate and isolate Management traffic from data traffic. To achieve this isolation, the FTD uses a separate routing table for management-only traffic vs. data traffic. Separate routing tables mean that you can create separate default routes for data and management as well.
Through-the-device traffic always uses the data routing table.
From-the-device traffic uses either the management routing table or the data routing table by default, depending on the type of traffic. If a match is not found in the default routing table, the other routing table is checked.
Management table from-the-device traffic includes features that open a remote file using HTTP, SCP, TFTP, and so on.
Data table from-the-device traffic includes all other features like ping, DNS, DHCP, and so on.
If you need from-the-box traffic to go out an interface that isn't in its default routing table, then you might need to specify that interface when you configure it, rather than relying on the fall back to the other table. The FTD checks the correct routing table for routes for that interface. For example, if you need a ping to go out a management-only interface, then specify the interface in the ping function. Otherwise, if there is a default route in the data routing table, then it will match the default route and never fall back to the management routing table.
The management routing table supports dynamic routing separate from the data interface routing table. A given dynamic routing process must run on either the management-only interface or the data interface; you cannot mix both types.
Management-only interfaces include any Management x/x (named "diagnostic") interfaces as well as any interfaces that you have configured to be management-only.
Note: This routing table does not affect the special FTD Management logical interface that it uses to communicate with the FMC; that interface has its own routing table. The Diagnostic logical interface, on the other hand, uses the management-only routing table described in this section.
Note: This routing table does not affect the special FTD Management virtual interface that it uses to communicate with the licensing server or for database updates; that interface has its own routing table. The Diagnostic physical interface, on the other hand, uses the management-only routing table described in this section.
Equal-Cost Multi-Path (ECMP) Routing
The Firepower Threat Defense device supports Equal-Cost Multi-Path (ECMP) routing.
You can have up to 3 equal cost static or dynamic routes per interface. For example, you can configure multiple default routes on the outside interface that specify different gateways.
route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.2
route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.3
route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.4
In this case, traffic is load-balanced on the outside interface between 10.1.1.2, 10.1.1.3, and 10.1.1.4. Traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses, incoming interface, protocol, and source and destination ports.
ECMP is not supported across multiple interfaces, so you cannot define a route to the same destination on a different interface. The following route is disallowed when configured with any of the routes above:
route for 0.0.0.0 0.0.0.0 through outside2 to 10.2.1.1
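The two ECMP constraints above (at most 3 equal-cost routes per interface, none across interfaces) and the per-flow gateway choice, as an added worked example written for this page rather than taken from FTD. The hash inputs are the fields the page lists; SHA-256 is a stand-in chosen here, since the device's actual hash function is not given on the page, so the gateway a given flow lands on will differ from a real device.

```python
import hashlib
from collections import defaultdict

MAX_ECMP_PER_INTERFACE = 3  # limit stated on the page


class EcmpRoutingTable:
    """Static routes grouped by destination prefix, enforcing the page's ECMP rules."""

    def __init__(self):
        self.routes = defaultdict(list)  # prefix -> [(interface, gateway), ...]

    def add_route(self, prefix, interface, gateway):
        """Return True if the route is installed, False if the device would reject it."""
        existing = self.routes[prefix]
        if existing and existing[0][0] != interface:
            return False  # ECMP across interfaces is not supported
        if (interface, gateway) in existing:
            return True   # already present, nothing to do
        if len(existing) >= MAX_ECMP_PER_INTERFACE:
            return False  # a fourth equal-cost route on the interface is refused
        existing.append((interface, gateway))
        return True

    def pick_gateway(self, prefix, src_ip, dst_ip, in_iface, proto, sport, dport):
        """Choose one equal-cost gateway for a flow; the same flow always maps to the same gateway.
        SHA-256 over the listed fields is an assumption standing in for the device's hash."""
        candidates = self.routes[prefix]
        if not candidates:
            return None
        key = f"{src_ip}|{dst_ip}|{in_iface}|{proto}|{sport}|{dport}".encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(candidates)
        return candidates[idx][1]


def build_page_example():
    """Constructed table mirroring the page: three default routes through 'outside'."""
    table = EcmpRoutingTable()
    for gw in ("10.1.1.2", "10.1.1.3", "10.1.1.4"):
        table.add_route("0.0.0.0/0", "outside", gw)
    return table


if __name__ == "__main__":
    t = build_page_example()
    print("outside2 route accepted:", t.add_route("0.0.0.0/0", "outside2", "10.2.1.1"))  # False
    print("gateway for DNS flow:", t.pick_gateway("0.0.0.0/0", "192.168.1.10", "8.8.8.8", "inside", "udp", 40000, 53))
```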