Configuring static routes on the gateway
Static routing allows you to direct the flow of data traffic from the gateway to a specific interface or destination IP address. The gateway provides the ability to configure up to 64 static routes.
This section describes:
- The gateway routing domains, and where to use static routes
- Types of static routes (network, host, and default)
- The CLI commands for:
- Configuring static routes
- Displaying the current configuration of static routes
- Removing a static route
About gateway routing domains
The Blue Cedar gateway has two routing domains, but you can only apply static routing to one of them:
Tunneled or secure client traffic.
Refers to all external data that reaches the gateway through a secure tunnel. Static routes do not apply to this domain nor its data traffic, and all decrypted tunnel traffic uses the physical interface configured with a security level of "private".
To configure a physical interface with a security level of "private":
BASH% set ports name_of_interface security privateNon-tunneled traffic (which includes the gateway-generated traffic).
Refers to data that is generated from authentication requests, syslog data, or certificate enrollment from the gateway.
By default, gateway-generated traffic uses the physical interface configured with a security level of "private". A static route can send specific gateway-generated traffic to a particular network or physical interface. Depending on how you have configured a network's security zones, this network or physical interface may be a more secure (trusted) "management" network.
Types of static routes
The gateway supports three types of static routes:
network: A route where the number of bits in the netmask describes the network that should be routed to a specified next hop. In this example, dest-ip and netmask determine the network where traffic is routed using the outgoing-interface.
BASH% set system routes inet route 2 dest-ip 10.10.0.0 netmask 255.255.0.0 outgoing-interface ethernet0host: A route where a specific host address should be routed to a specified next hop or physical interface. In this example, the netmask is given as all bits set (255.255.255.255) and outgoing-interface=ethernet0 specifies that the host address should be routed to the physical interface ethernet0.
BASH% set system routes inet route 2 dest-ip 10.10.0.50 netmask 255.255.255.255 outgoing-interface ethernet0default: A route where data traffic should be sent when the traffic destination does not match any connected network or configured route. In this case, the netmask is given as no bits set (0.0.0.0), the destination IP address as 0.0.0.0 (unspecified), and next-hop and outgoing-interface as appropriate values.
BASH% set system routes inet route 4 dest-ip 0.0.0.0 netmask 0.0.0.0 next-hop 192.168.31.2 outgoing-interface ethernet0
Configuring static routes
To set a a static route on the gateway, use this template. To enforce routed traffic to use a specific interface, be sure to set the outgoing-interface here.
% set system routes inet route number dest-ip ip-address netmask netmask-address next-hop ip-address metric number enabled boolean outgoing-interface interface-name| Element | Description |
|---|---|
| inet | Designates Internet Protocol version 4 |
| route number | The static route being configured. Valid values: 1–64. |
| dest-ip ip-address | The destination IP address where the packets are routed to. |
| netmask netmask-address | The 32-bit mask for dividing the IP address into subnets and specifying the available hosts on the network. |
| next-hop ip-address | The IP address of the next closest router that the data packet goes through. |
| metric number | A value associated with a route. A lower value means a higher probability that a route is chosen for data traffic to pass through. |
| enabled boolean | true: turn on static route false: turn off static route |
| outgoing-interface interface-name | Gateway interface where the data packet exits. If you omit this parameter, the gateway tries to pick a suitable outgoing interface. |
Example
% set system routes inet route 1 dest-ip 4.0.0.2 next-hop 5.0.0.1 netmask 255.0.0.0 enabled true
% commit
Commit succeeded.If you add a static route to a network that is not reachable by the gateway, the commit command still succeeds and the route is still added to the gateway configuration. However, in the gateway logs, a message indicates that the addition of the route failed:
addRoute: route add returned code '1' for add route -net 4.0.0.2 netmask 255.0.0.0 gw 5.0.0.1 metric 0
(route: netmask and route address conflict)If you see this message, delete the failed static route; it is not functional.
After you “commit” the changes for creating a static route, confirm that the routes are what you expect them to be:
> show status operational context default routesDisplaying current configuration settings for a static route
To display the current configuration settings for a route:
> show status operational context default routes
routes 1 {
source 192.168.3.124;
destination *;
gateway 192.168.3.1;
mask *;
flags UG;
interface ethernet0;
metric 0; }
Deleting a static route
To remove all static routes:
% delete system routes inetThe inet element refers to IPv4-supported static routes.
To remove a single static route, specify the route number (1–64):
% delete system routes inet route number