10 Replies Latest reply on May 16, 2012 12:53 PM by jokes54321

    Router on a stick?

    jokes54321 New Member

      I've acquired a network that is running Adtran 4305 routers. We are migrating to another MPLS provider and a new router and firewall are in place to support this connectivity going forward. Currently all the hosts (192.168.0.x/24) behind the Adtran 4305 (192.168.0.1) have the Adtran set as their default gateway, which makes sense, since the bulk of the remote subnets are still accessed via this Adtran. For the one new remote location, I added a route on the Adtran to forward the traffic to an ASA 5505 on the same subnet (192.168.0.2).

       

      I tried pinging a host on the remote subnet from a server on the 192.168.0.x subnet and all were lost. I added an entry to the server's routing table to route directly to the ASA for this remote subnet and I started receiving ping replies.

       

      It seems to indicate the 4305 isn't forwarding the traffic out the same interface it came in on. Does the Adtran 4305 not support router on a stick?

       

      Thanks,

       

      Denny

        • Re: Router on a stick?
          Employee

          Denny,

           

          The 4305 is able to support 'router on a stick'. Generally, this is done by setting up intervlan routing on the 4305. More information regarding how to do this can be found in the link below:

           

          https://supportforums.adtran.com/docs/DOC-2281

           

          I would be more than happy to review your configuration to attempt to determine why adding the route to the Adtran did not work for you. If you attach your configuration, please be sure to remove any sensitive information regarding your network from the file.

           

          Please do not hesitate to let us know if you have any questions.

           

          Thanks,

          Noor

            • Re: Router on a stick?
              jokes54321 New Member

              Hi Noor,

               

              Thank you for responding. I did read that article but was hoping I wouldn't have to set up VLANs to pull this off. Eventually the ASA will become the default gw for the clients once we finish migrating the remaining circuits to the new router.

               

              Is this the ONLY way to get the Adtran to perform 'router on a stick' routing?

               

              Denny

                • Re: Router on a stick?
                  Employee

                  Denny,

                   

                  Typically, the term 'router on a stick' refers to intervlan routing. However, in your case, it seems there was an issue with general routing. To troubleshoot further, it would be helpful to see the following:

                   

                  - Route table of the 4305 with the new route in place.

                  - Are you able to ping 192.168.0.2 from the 4305 (assuming the ASA allows pings)?

                  - Are there any other routes on the 4305 using 192.168.0.2 as the next hop that are functioning?

                  - The output of a traceroute from the server while it is using the 4305 as its default gateway. If this is not possible, then a traceroute from the CLI of the 4305 will work as well.

                   

                  Let us know if you have any questions.

                   

                  Thanks,

                  Noor

                    • Re: Router on a stick?
                      jokes54321 New Member

                      Hi Noor,

                       

                      I appreciate the offer to help troubleshoot my configs. All I'm really looking for is confirmation on whether or not the Adtran will route out the same interface the traffic came in on? I know the Cisco ASA won't unless you issue a command to tell it to allow this. I'm wondering if the Adtran is similar.

                       

                      I can ping the ASA from the Adtran

                      I can ping the remote from the Adtran

                       

                      Denny

                        • Re: Router on a stick?
                          levi Employee

                          jokes54321:

                           

                          Yes, the ADTRAN will route traffic out the same interface that traffic came in on, as long as there is a route to that destination out that interface.  A caveat to this is if the firewall is configured to discard or NAT, or policy-based routing is configured to manipulate the routing that arrives on the interface.  If you would like to attach a copy of the configuration, I will be happy to review it for you.

                           

                          Levi

                  • Re: Router on a stick?
                    bcrinehart Past_Featured_Member

                    By default, Adtran routers prevent "router on a stick" operation. You can enable it via the command line:

                     

                    RTR> enable

                    RTR# config t

                    RTR(config)# ip firewall check reflexive-traffic

                     

                    Be aware that this is turned off by default as a network security measure.

                    You can read more about this in the AOS V18 manual.

                     

                    Brad

                    • Re: Router on a stick?
                      bcrinehart Past_Featured_Member

                      Additional info from Brad...

                      This command allows the firewall to process traffic from one subnet to another on the same interface through the firewall. It uses the access policy on that interface to determine what actions to take. You may have to create and apply an access policy on that interface if you do not already have one.

                        • Re: Router on a stick?
                          levi Employee

                          bcrinehart:

                           

                          Thank you for participating in this post.  I would like to add clarification to the ip firewall check reflexive-traffic command. When the AOS firewall receives the first packet in a new flow, it performs a route lookup on the destination IP address.  If the destination interface for the packet is the same as the ingress interface, the unit will classify the traffic as reflexive traffic.  Such traffic only receives further firewall and access-policy processing if ip firewall check reflexive-traffic is enabled. If the check is disabled (which it is by default), such traffic is forwarded without further processing from the firewall. 

                           

                          The command is not needed to route traffic that arrives on an interface back out that interface to another subnet when firewall processing is not necessary.

                           

                          Note:  If the firewall is on, you will need to make the appropriate configurations to allow traffic that comes in one port and is routed back out the same port.

                           

                          Please, let me know if you have any questions about this command.  I will be happy to "branch" this to another discussion if necessary.

                           

                          Levi
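The first-packet decision Levi describes in the post above, as a simplified model. This is an added example, not ADTRAN code and not part of any post in this thread. The remote subnet 10.20.30.0/24, the WAN route, the interface names, the verdict strings and the "no matching policy entry means discard" rule are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: the thread gives only 192.168.0.0/24, .1 (4305) and .2 (ASA).
# The remote subnet, the default route and the interface names are assumptions.
ROUTES = [
    # (destination prefix, next hop or None if connected, egress interface)
    ("192.168.0.0/24", None, "eth 0/1"),
    ("10.20.30.0/24", "192.168.0.2", "eth 0/1"),  # new site, reached via the ASA
    ("0.0.0.0/0", "172.16.0.1", "ppp 1"),         # existing WAN path
]

def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns (next_hop, egress_interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])

def policy_permits(src, dst, policy):
    """First matching (src_net, dst_net, action) wins; no match means discard (assumed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in policy:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "allow"
    return False

def first_packet_verdict(src, dst, ingress, check_reflexive, policy):
    """Verdict for the first packet of a new flow, with the firewall assumed on."""
    hit = route_lookup(dst)
    if hit is None:
        return "no-route"
    _, egress = hit
    if egress == ingress and not check_reflexive:
        # Reflexive traffic with the check disabled (the default):
        # forwarded without any access-policy processing.
        return "forwarded-unfiltered"
    # Reflexive traffic with the check enabled, or traffic leaving another interface.
    return "forwarded" if policy_permits(src, dst, policy) else "discarded"

# Constructed policy that permits the LAN to reach the new site.
ALLOW_NEW_SITE = [("192.168.0.0/24", "10.20.30.0/24", "allow")]
```

With the check disabled, the LAN-to-ASA flow is never evaluated against the interface's access policy, which is the point to weigh before relying on that policy to restrict hosts sharing the subnet.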

                        • Re: Router on a stick?
                          levi Employee

                          jokes54321:


                          I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

                           

                          Levi