
Configuring static routes on the gateway

Static routing allows you to direct the flow of data traffic from the gateway to a specific interface or destination IP address. The gateway provides the ability to configure up to 64 static routes.

This section describes:

  • The gateway routing domains, and where to use static routes 
  • Types of static routes (network, host, and default)
  • The CLI commands for:
    • Configuring static routes
    • Displaying the current configuration of static routes
    • Removing a static route

About gateway routing domains

The Blue Cedar gateway has two routing domains, but you can only apply static routing to one of them:

  • Tunneled or secure client traffic.

    Refers to all external data that reaches the gateway through a secure tunnel. Static routes do not apply to this domain or its data traffic, and all decrypted tunnel traffic uses the physical interface configured with a security level of "private".

    To configure a physical interface with a security level of "private":

    BASH
    % set ports name_of_interface security private
  • Non-tunneled traffic (which includes the gateway-generated traffic).

    Refers to data that is generated from authentication requests, syslog data, or certificate enrollment from the gateway. 

    By default, gateway-generated traffic uses the physical interface configured with a security level of "private". A static route can send specific gateway-generated traffic to a particular network or physical interface. Depending on how you have configured a network's security zones, this network or physical interface may be a more secure (trusted) "management" network.

Types of static routes

The gateway supports three types of static routes:

  • network: A route where the number of bits in the netmask describes the network that should be routed to a specified next hop. In this example, dest-ip and netmask determine the network where traffic is routed using the outgoing-interface.

    BASH
    % set system routes inet route 2 dest-ip 10.10.0.0 netmask 255.255.0.0 outgoing-interface ethernet0
  • host: A route where a specific host address should be routed to a specified next hop or physical interface. In this example, the netmask is given as all bits set (255.255.255.255) and outgoing-interface=ethernet0 specifies that the host address should be routed to the physical interface ethernet0.

    BASH
    % set system routes inet route 2 dest-ip 10.10.0.50 netmask 255.255.255.255 outgoing-interface ethernet0
  • default: A route where data traffic should be sent when the traffic destination does not match any connected network or configured route. In this case, the netmask is given as no bits set (0.0.0.0), the destination IP address as 0.0.0.0 (unspecified), and next-hop and outgoing-interface as appropriate values.

    BASH
    % set system routes inet route 4 dest-ip 0.0.0.0 netmask 0.0.0.0 next-hop 192.168.31.2 outgoing-interface ethernet0

Configuring static routes

To set a static route on the gateway, use this template. To force routed traffic to use a specific interface, be sure to set the outgoing-interface here.

BASH
% set system routes inet route number dest-ip ip-address netmask netmask-address next-hop ip-address metric number enabled boolean outgoing-interface interface-name


| Element | Description |
| --- | --- |
| inet | Designates Internet Protocol version 4. |
| route number | The static route being configured. Valid values: 1–64. |
| dest-ip ip-address | The destination IP address where the packets are routed to. |
| netmask netmask-address | The 32-bit mask for dividing the IP address into subnets and specifying the available hosts on the network. |
| next-hop ip-address | The IP address of the next closest router that the data packet goes through. |
| metric number | A value associated with a route. A lower value means a higher probability that a route is chosen for data traffic to pass through. |
| enabled boolean | true: turn on static route. false: turn off static route. |
| outgoing-interface interface-name | Gateway interface where the data packet exits. If you omit this parameter, the gateway tries to pick a suitable outgoing interface. |

Example

BASH
% set system routes inet route 1 dest-ip 4.0.0.2 next-hop 5.0.0.1 netmask 255.0.0.0 enabled true
% commit
Commit succeeded.


If you add a static route to a network that is not reachable by the gateway, the commit command still succeeds and the route is still added to the gateway configuration. However, in the gateway logs, a message indicates that the addition of the route failed:

BASH
addRoute: route add returned code '1' for add route -net 4.0.0.2 netmask 255.0.0.0 gw 5.0.0.1 metric 0 
 (route: netmask and route address conflict)


If you see this message, delete the failed static route; it is not functional.
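
Because commit succeeds even when the route cannot be installed, it helps to lint the command before committing. The following is an added example, not Blue Cedar code: it parses the `set system routes inet route` commands shown on this page, classifies each as network, host, or default, and flags a route number outside 1–64, a missing outgoing-interface, a non-contiguous netmask, and a dest-ip with bits set outside the netmask (as in the 4.0.0.2 / 255.0.0.0 example above). The function names, and the assumption that dest-ip and netmask are always supplied, are the example's own.

```python
import ipaddress

# Elements of the page's `set system routes inet route` template (one value each).
ELEMENTS = {"dest-ip", "netmask", "next-hop", "metric", "enabled", "outgoing-interface"}

def parse_route(cmd):
    """Turn '% set system routes inet route N <element> <value> ...' into a dict."""
    tok = cmd.lstrip("% ").split()
    if tok[:5] != ["set", "system", "routes", "inet", "route"] or len(tok) < 6:
        raise ValueError("not a static-route set command")
    route, rest = {"number": int(tok[5])}, tok[6:]
    if len(rest) % 2:
        raise ValueError("element without a value")
    for key, value in zip(rest[::2], rest[1::2]):
        if key not in ELEMENTS:
            raise ValueError(f"unknown element {key!r}")
        route[key] = value
    if "dest-ip" not in route or "netmask" not in route:
        raise ValueError("dest-ip and netmask are required by this check")
    return route

def check_route(cmd):
    """Return (route_type, problems) for one set command; no gateway access needed."""
    r = parse_route(cmd)
    dest = int(ipaddress.IPv4Address(r["dest-ip"]))
    mask = int(ipaddress.IPv4Address(r["netmask"]))
    host_bits = ~mask & 0xFFFFFFFF          # bits the netmask leaves to hosts
    problems = []
    if not 1 <= r["number"] <= 64:
        problems.append("route number outside 1-64")
    if host_bits & (host_bits + 1):         # contiguous mask => host_bits is 2**k - 1
        problems.append("netmask bits are not contiguous")
    if dest & host_bits:
        problems.append("dest-ip has bits set outside the netmask")
    if "outgoing-interface" not in r:
        problems.append("no outgoing-interface: the gateway picks the interface")
    if mask == 0xFFFFFFFF:
        kind = "host"
    elif mask == 0 and dest == 0:
        kind = "default"
    else:
        kind = "network"
    return kind, problems

if __name__ == "__main__":
    # Commands copied from the page's own examples.
    for cmd in ("% set system routes inet route 2 dest-ip 10.10.0.50 netmask 255.255.255.255 outgoing-interface ethernet0",
                "% set system routes inet route 1 dest-ip 4.0.0.2 next-hop 5.0.0.1 netmask 255.0.0.0 enabled true"):
        print(check_route(cmd))
```

A route that passes these checks can still fail on the gateway, so the log review and the `show status operational context default routes` confirmation remain necessary.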

After you “commit” the changes for creating a static route, confirm that the routes are what you expect them to be:

BASH
> show status operational context default routes

Displaying current configuration settings for a static route

To display the current configuration settings for a route:

BASH
> show status operational context default routes
routes 1 {
  source 192.168.3.124;
  destination *;
  gateway 192.168.3.1;
  mask *;
  flags UG;
  interface ethernet0;
  metric 0; }


Deleting a static route

To remove all static routes:

BASH
% delete system routes inet

The inet element refers to IPv4-supported static routes.

To remove a single static route, specify the route number (1–64):

BASH
% delete system routes inet route number 