Differences of the Next-hop IP Address and Local Interface in the Static Route

Publication Date: 2012-07-25
Issue Description
The following figure shows the network topology:
PC(192.168.0.2)---(E1/0/1_192.168.0.1)|USG|(E0/0/0_200.1.1.1)---[Internet (200.1.1.2)|Router|---100.1.1.1]
Case 1: If you run the ip route-static 0.0.0.0 0.0.0.0 Ethernet0/0/0 command on the USG to specify the route, the PC can ping 200.1.1.2, but not 100.1.1.1 (that is, the PC can access 200.1.1.2, but not the public network).
Case 2: If you run the ip route-static 0.0.0.0 0.0.0.0 200.1.1.2 command on the USG to specify the route, the PC can ping both 200.1.1.2 and 100.1.1.1 (that is, the PC can access 200.1.1.2 and the public network).
Alarm Information
None.
Handling Process
Modify the next hop of the route: use the peer IP address (200.1.1.2) as the next hop instead of the local interface.
Root Cause
Case 1:
If the local interface of the router is specified when the static route is configured, the route is identified as a direct route.
The format of packets on the Ethernet is: Destination MAC address | Source MAC address | Destination IP address | Source IP address.
The format of the packet that is sent by the PC to the USG is as follows:
Destination MAC address: indicates the MAC address of the USG interface E1/0/1.
Source MAC address: indicates the MAC address of the PC.
Destination IP address: 100.1.1.1
Source IP address: 192.168.0.2.
When the packet arrives at the firewall, its route is identified as a direct route and the packet is forwarded through interface E0/0/0. The firewall sends an ARP broadcast from interface E0/0/0, requesting the MAC address that corresponds to the destination IP address 100.1.1.1. Because the ARP broadcast is a Layer 2 packet, it cannot reach 100.1.1.1. The firewall therefore receives no reply and cannot encapsulate data packets, because it has no destination MAC address.
However, if the peer interface IP address (200.1.1.2) is pinged, the firewall does receive an ARP reply to its ARP broadcast. In this case, the firewall can encapsulate the data packet with the destination MAC address and the packet reaches the peer.
Case 2:
The format of the packet that is sent by the PC to the USG is as follows:
Destination MAC address: indicates the MAC address of the USG interface E1/0/1.
Source MAC address: indicates the MAC address of the PC.
Destination IP address: 100.1.1.1
Source IP address: 192.168.0.2.
When the packet arrives at the firewall, the route lookup shows that this packet should be sent to 200.1.1.2. Interface E0/0/0 is on the same network segment as 200.1.1.2. The firewall sends an ARP broadcast from interface E0/0/0, requesting the MAC address that corresponds to IP address 200.1.1.2. This broadcast packet can reach 200.1.1.2, which sends an ARP reply in unicast mode, notifying the firewall of its MAC address. The firewall then encapsulates the data packet with that MAC address and sends the data packet to 200.1.1.2.
The format of the packet that is sent by the firewall to the router is as follows:
Destination MAC address: indicates the MAC address of the interface through which the router connects to the firewall.
Source MAC address: indicates the MAC address of the interface E0/0/0.
Destination IP address: 100.1.1.1
Source IP address: 192.168.0.2.
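The two cases above can be modelled in a few lines. This is an added example, not vendor code or output captured from a USG: the segment table, the MAC value and all function names are constructed for illustration, and the router is assumed not to answer ARP on behalf of other hosts (no proxy ARP).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the Ethernet segment attached to E0/0/0. Only hosts on
# this segment can answer an ARP broadcast; the MAC is a made-up placeholder.
SEGMENT_E0 = {ipaddress.ip_address("200.1.1.2"): "00:00:5e:00:53:02"}


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    out_interface: Optional[str] = None               # Case 1: interface only
    gateway: Optional[ipaddress.IPv4Address] = None   # Case 2: next-hop IP


def arp_target(dst, route):
    """Return the IP address the firewall must resolve to a MAC address."""
    # With a gateway, the next hop is resolved. With only an interface, the
    # route is treated as direct, so the final destination itself is resolved.
    return route.gateway if route.gateway is not None else dst


def forward(dst_text, route, segment=SEGMENT_E0):
    """Return (ARP target, destination MAC or None) for a packet to dst_text."""
    dst = ipaddress.ip_address(dst_text)
    if dst not in route.prefix:
        raise ValueError(f"{dst} does not match route {route.prefix}")
    target = arp_target(dst, route)
    # None means no ARP reply arrived, so the frame cannot be built.
    return str(target), segment.get(target)


DEFAULT = ipaddress.ip_network("0.0.0.0/0")
CASE1 = StaticRoute(DEFAULT, out_interface="Ethernet0/0/0")
CASE2 = StaticRoute(DEFAULT, gateway=ipaddress.ip_address("200.1.1.2"))

if __name__ == "__main__":
    for name, route in (("Case 1", CASE1), ("Case 2", CASE2)):
        for dst in ("200.1.1.2", "100.1.1.1"):
            target, mac = forward(dst, route)
            state = f"sent to {mac}" if mac else "dropped (no ARP reply)"
            print(f"{name}: dst={dst} ARP for {target}: {state}")
```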
Suggestions
1. The format of the static route is as follows:
ip route-static ip_address mask interface_name | gateway_address [ preference ]
Specify interface_name only when the interface where the next hop resides is a P2P interface (such as PPP or HDLC); otherwise, gateway_address must be specified.
2. Differences between PPP and HDLC links and the Ethernet link are as follows:
The format of the PPP protocol frame: (HDLC frame and PPP frame).

Address: indicates the address field. Its value, 11111111 in binary, indicates that the frame is accepted by all stations. It is the standard broadcast address (note: individual station addresses are not allocated for PPP communication).
When a route over a PPP or HDLC link directly specifies the local outgoing interface, the firewall looks up the route table for each matching data packet and then hands the IP packet to that interface.
The interface directly encapsulates the IP packet into the information field, forming a Layer 2 frame. The frame is then sent through the interface and is received and decapsulated by the peer end. Because a P2P link has only one peer, no ARP resolution of the destination is needed.
