[nsp] Routing decisions on a PIX?

Voralt peder at voralt.net
Tue Jun 10 11:54:35 EDT 2003


> PIX will do most specific matching, but on equal matches, it will go by
> metric value to decide one interface over another.

That's not my experience.  I had:

route inside 172.16.0.0 255.255.0.0

and several LAN-to-LAN VPNs connecting with numbers like 172.16.1.0
255.255.255.0 and 172.16.2.0 255.255.255.0.  These did not work until I
removed the "route inside" and replaced it with specific routes to the
inside networks, like:

route inside 172.16.10.0 255.255.255.0
route inside 172.16.11.0 255.255.255.0
route inside 172.16.12.0 255.255.255.0


To me, that means that it does NOT do most specific matching.  Either it
goes by first match (like an access-list) or it gives VPN connections a
lower metric and metric has a higher precedence than match length.

This is not consistent with routers, which always give precedence to longest
match.  A static of 172.16.0.0 255.255.0.0 with a metric of 1 will never be
preferred over 172.16.1.0 255.255.255.0 with a metric of 250.
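The three selection rules the post weighs (longest match as on a router, first match as in an access-list, and metric taking precedence over match length), as an added example that is not part of the original message. The route table is constructed from the prefixes and metrics in the post; the interface names and gateway addresses are placeholders.

```python
import ipaddress

# Constructed route table using the prefixes from the post above.
# A PIX static is "route <if> <network> <mask> <gateway> [metric]";
# the gateway addresses here are placeholders, not from the post.
ROUTES = [
    # (interface, network, gateway, metric)
    ("inside",  "172.16.0.0/16", "10.0.0.1", 1),    # the broad "route inside"
    ("outside", "172.16.1.0/24", "10.0.0.2", 250),  # LAN-to-LAN VPN peer network
    ("outside", "172.16.2.0/24", "10.0.0.2", 250),
]


def _candidates(dst):
    """All table entries whose network contains dst, in table order."""
    ip = ipaddress.ip_address(dst)
    return [(i, ipaddress.ip_network(n), g, m) for i, n, g, m in ROUTES
            if ip in ipaddress.ip_network(n)]


def lookup_longest_match(dst):
    """Router behaviour: longest prefix wins; metric only breaks ties."""
    c = _candidates(dst)
    if not c:
        return None
    best = max(c, key=lambda r: (r[1].prefixlen, -r[3]))
    return best[0], str(best[1])


def lookup_first_match(dst):
    """Hypothesis 1 from the post: first matching entry wins, like an ACL."""
    c = _candidates(dst)
    return (c[0][0], str(c[0][1])) if c else None


def lookup_metric_first(dst):
    """Hypothesis 2: metric outranks match length; prefix length only breaks ties."""
    c = _candidates(dst)
    if not c:
        return None
    best = min(c, key=lambda r: (r[3], -r[1].prefixlen))
    return best[0], str(best[1])


if __name__ == "__main__":
    for dst in ("172.16.1.5", "172.16.10.7"):
        print(dst, lookup_longest_match(dst), lookup_first_match(dst),
              lookup_metric_first(dst))
```

With the /16 listed first at metric 1, only the longest-match rule sends 172.16.1.5 to the /24 entry; the other two rules both pick the broad inside route, which is the symptom the post describes.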


