Get creative: Is anyone using a default route?

I've got a great question from one of my readers: I have two central sites (primary data center and a disaster recovery data center) and I've inherited a situation where there was a lot of static routing and a default route pointing from the primary campus to the DRC. I've replaced most of the static routing with dynamic routing protocol, but as the documentation is scarce, I am afraid to remove the default static route (which I would need for proper Internet access). Is there a way to figure out whether the default route is still used?

Obviously, there are two types of solutions:

  • The deterministic one: inspect the IP routing tables on primary router and DRC router and identify any IP prefix on the DRC router that has no matching or less specific prefix on the primary router.
  • The non-deterministic ones: try to figure out whether any packet is actually using the default route.
    • This is where you can get really creative: how would you figure out if a packet going from the primary data center to the DRC site is using the default route?
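The deterministic approach can be carried out offline on saved routing tables. The script below is an added example (not from the original post); it works on constructed `show ip route`-style text for both routers, skips the classful "is variably subnetted" summary lines (their parent prefix is not a route and would make everything look covered), and lists every DRC prefix that the primary router can reach only through its default route:

```python
"""Deterministic check for whether the primary site still depends on its default
route toward the DRC. Added example; the routing tables below are constructed
'show ip route'-style text, not output from a real router.
"""
import ipaddress
import re

# Constructed sample: routing table of the primary data-center router.
PRIMARY_ROUTES = """\
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.1.0.0/24 is directly connected, Vlan10
O       10.2.0.0/24 [110/20] via 10.1.0.2, 00:10:11, Serial0/0
O       10.2.1.0/24 [110/20] via 10.1.0.2, 00:10:11, Serial0/0
O       10.3.0.0/16 [110/30] via 10.1.0.2, 00:10:11, Serial0/0
S*   0.0.0.0/0 [1/0] via 10.1.0.2
"""

# Constructed sample: routing table of the DRC router.
DRC_ROUTES = """\
     10.0.0.0/8 is variably subnetted, 4 subnets, 1 masks
C       10.2.0.0/24 is directly connected, Vlan20
C       10.2.1.0/24 is directly connected, Vlan21
C       10.2.2.0/24 is directly connected, Vlan22
O       10.3.5.0/24 [110/20] via 10.2.0.9, 00:05:00, Vlan20
S    172.16.0.0/12 [1/0] via 10.2.0.254
S*   0.0.0.0/0 [1/0] via 10.2.0.254
"""

# Dotted quad followed by a prefix length; "[110/20]" and timestamps do not match.
PREFIX_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def parse_prefixes(show_ip_route: str) -> set:
    """Extract IPv4 prefixes from 'show ip route'-style text.

    The 'is variably subnetted' summary lines carry the classful parent
    (e.g. 10.0.0.0/8), which is not a route; taking it as one would make
    every DRC prefix look covered, so those lines are skipped.
    """
    prefixes = set()
    for line in show_ip_route.splitlines():
        if "subnetted" in line:
            continue
        m = PREFIX_RE.search(line)
        if m:
            prefixes.add(ipaddress.ip_network(m.group(1), strict=False))
    return prefixes


def uncovered_prefixes(primary: str, drc: str) -> list:
    """DRC prefixes that the primary router can reach only through its default route.

    A DRC prefix is covered when the primary table holds an equal or less
    specific (shorter mask) route containing it. The default route itself does
    not count as coverage, since that dependence is exactly what is being tested.
    """
    primary_specific = {p for p in parse_prefixes(primary) if p.prefixlen > 0}
    uncovered = []
    for net in sorted(parse_prefixes(drc)):
        if net.prefixlen == 0:
            continue  # the DRC's own default route is not a destination prefix
        if not any(net.subnet_of(p) for p in primary_specific):
            uncovered.append(str(net))
    return uncovered


if __name__ == "__main__":
    for prefix in uncovered_prefixes(PRIMARY_ROUTES, DRC_ROUTES):
        print(f"{prefix} is reached from the primary site only via the default route")
```

On the constructed tables this reports 10.2.2.0/24 and 172.16.0.0/12: the primary router has no specific route for either, so removing its default route would cut them off. An empty result means the default route carries no DRC traffic, as far as the routing tables can tell.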

8 comments:

  1. Router#sh ip cef detail
    [...]
    Adjacency Table has 12 adjacencies
    0.0.0.0/0, version 248, epoch 0, per-destination sharing
    160777106 packets, 56855775898 bytes
    via ...

  2. The same as above but less noise:

    Router#sh ip cef 0.0.0.0 0.0.0.0 detail

  3. Don't forget to actually enable CEF accounting! ;o)

    ip cef accounting per-prefix

  4. I enable it on every router as part of the standard configuration procedure. Exactly, it is

    ip cef accounting per-prefix non-recursive prefix-length

  5. But another entry impressed me much more:

    Router>sh ip cef 127.0.0.0 det
    127.0.0.0/8, version 18, epoch 0, attached, per-destination sharing
    5 packets, 500 bytes
    via Null0, 0 dependencies
    valid null adjacency
    0 packets, 0 bytes switched through the prefix
    tmstats: external 0 packets, 0 bytes
    internal 0 packets, 0 bytes
    30 second output rate 0 Kbits/sec

  6. That's cool - but it doesn't work very well if you have *multiple* default routes in the CEF table:

    router#sh ip cef 0.0.0.0 0.0.0.0 detail
    0.0.0.0/0, version 232, epoch 0, per-destination sharing
    366708 packets, 46049248 bytes
    via 192.168.2.4, Ethernet0, 0 dependencies
    traffic share 1
    next hop 192.168.2.4, Ethernet0
    valid adjacency
    via 192.168.2.5, Ethernet0, 0 dependencies
    traffic share 1
    next hop 192.168.2.5, Ethernet0
    valid adjacency
    via 192.168.2.1, Ethernet0, 0 dependencies
    traffic share 1
    next hop 192.168.2.1, Ethernet0
    valid adjacency
    217765 packets, 33377773 bytes switched through the prefix
    tmstats: external 0 packets, 0 bytes
    internal 217765 packets, 33377773 bytes
    30 second output rate 0 Kbits/sec
    router#

    so, all three are installed on the CEF table, and a sh ip route:

    O*E2 0.0.0.0/0 [110/1] via 192.168.2.4, 00:00:09, Ethernet0
    [110/1] via 192.168.2.5, 00:00:09, Ethernet0
    [110/1] via 192.168.2.1, 00:00:09, Ethernet0

    so, how many packets are going thru each one? Anybody's guess . . . .

  7. It's a bit of a kludge, but if your route table isn't very big or dynamic you could create an access-list with permit statements matching your route table and a permit ip any any at the end, and check the number of matches. It would also allow you to log those packets to know where they're coming from or going.

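The access-list approach from the comment above, worked through as an added example (not the commenter's code): the ACL is generated from the list of prefixes the primary router knows explicitly, with `permit ip any any log` as the final catch-all, and the `show access-lists` match counters are parsed to see whether anything fell through to that last entry. The ACL name, the prefix list and the counter output are constructed for the example.

```python
"""ACL-based check for traffic that would fall through to the default route.
Added example illustrating the comment above; the ACL name, prefixes and the
'show access-lists' output are constructed, not taken from a real device.
"""
import ipaddress
import re

# Constructed: prefixes the primary router knows explicitly (default route excluded).
KNOWN_PREFIXES = ["10.2.0.0/24", "10.2.1.0/24", "10.3.0.0/16"]

# Constructed 'show access-lists' output in the form IOS prints after some traffic.
SHOW_ACCESS_LISTS = """\
Extended IP access list DRC-CHECK
    10 permit ip any 10.2.0.0 0.0.0.255 (15234 matches)
    20 permit ip any 10.2.1.0 0.0.0.255 (8821 matches)
    30 permit ip any 10.3.0.0 0.0.255.255
    40 permit ip any any log (42 matches)
"""

# Sequence number, 'permit', the ACE body, and an optional '(N matches)' suffix.
ACE_RE = re.compile(r"^\s*\d+\s+permit\s+(.+?)\s*(?:\((\d+) match(?:es)?\))?\s*$")


def build_acl(name: str, prefixes) -> list:
    """IOS extended ACL: one permit per known destination prefix, catch-all last.

    IOS expresses the destination with a wildcard mask (inverted netmask), so a
    /24 becomes 0.0.0.255. Traffic matching only the final entry has a
    destination outside every known prefix, i.e. it would ride the default route.
    """
    lines = [f"ip access-list extended {name}"]
    for net in sorted(ipaddress.ip_network(p, strict=False) for p in prefixes):
        lines.append(f" permit ip any {net.network_address} {net.hostmask}")
    lines.append(" permit ip any any log")
    return lines


def parse_matches(show_access_lists: str) -> dict:
    """Map each ACE body to its match counter; IOS omits '(N matches)' when zero."""
    counters = {}
    for line in show_access_lists.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2) or 0)
    return counters


def default_route_hits(show_access_lists: str) -> int:
    """Matches on the catch-all entry: packets not destined to any known prefix."""
    return parse_matches(show_access_lists).get("ip any any log", 0)


if __name__ == "__main__":
    print("\n".join(build_acl("DRC-CHECK", KNOWN_PREFIXES)))
    print(f"packets that would use the default route: {default_route_hits(SHOW_ACCESS_LISTS)}")
```

The generated list is applied outbound on the interface toward the DRC with `ip access-group DRC-CHECK out` (interface name is an assumption). Since every entry is a permit, the ACL does not change forwarding; it only counts. The `log` keyword on the catch-all produces the per-packet source/destination log entries the comment mentions, which is what identifies the hosts still depending on the default route; on many platforms logged packets are handled in software, so it is worth removing `log` once the answer is known.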
  8. I realize I'm late to the game here being that it's almost November. And this is certainly not the quickest/easiest, but it may be the dirtiest with the most overkill with potential to offer a lot more insight into the network.

    How about slapping ntop on a linux box and enabling netflow on the interface? A quick glance at the source/destination pairs would show you if it's going to one of the DR subnets or elsewhere (assuming you don't have more than a dozen or so DR subnets). And once you've answered that question, enable netflow around the rest of the network and you've got yourself quite a resource for troubleshooting/forensics/etc.

    Of course if you don't have a spare linux box and/or aren't familiar with ntop, well, cef or the access-list thing sound good too.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.