3 January 2012, posted by Gom Jabbar
Cisco ASA – Administrative Distance and Metric

Family Christmas dinner at my oldest customer’s house. The experience is what you’d expect if George Carlin incorporated Gosford Park into one of his standup routines. Posh yet subversive. All the guests are aging counter-culture types. Hippies who run eco-friendly business empires. Artists who made it big with corporate patrons. Telling shaggy dog stories that get shaggier with every round of drinks.

As we stand around the kitchen, polishing off a particularly strong bottle of port, we participate in what appears to be the family tradition of Embarrass My Customer With Stories From His Misspent Youth. “Did you ever meet his fifth ex-wife? No? Well, let me tell you about how they met.” Everybody knows a slightly different version of the story. Everyone chimes in at different points in the story with contradictory details, embellished by alcohol, half-remembered rumors and just plain hyperbole.

The picture that emerges is not quite Dorian Gray. More like those grainy mugshots of celebrities on thesmokinggun.com. An alternate reality. An evil twin. A teenage Bill Gates grinning at the camera. My customer, assiduously bent over a tray of Oysters Rockefeller, is pink with suppressed laughter and embarrassment. In his novelty Christmas apron, he is the center of this warm little world. He’s lived a fascinating life, if you believe the stories.

The routing table on the Cisco ASA is a similar sort of information accretion. It builds a picture of the network, based on various different sources of information. Some vague, some specific. Some reliable, some more unreliable than Uncle Gerald who has been hitting the eggnog all afternoon.

Administrative Distance

Routing Protocol        Administrative Distance
Connected Interface     0
Static Route            1
EIGRP Summarized        5
Internal EIGRP          90
OSPF                    110
RIP                     120
External EIGRP          170
Unknown                 255

If the ASA is configured for one or more routing protocols, it can learn about different routes to the same destination. In that case the ASA prefers the route from the routing protocol with the lowest administrative distance. If a single routing protocol provides multiple routes to the same destination, the ASA then looks at the metric of each of those routes and selects the one with the lowest metric.

Lowest administrative distance first, then lowest metric.

So let’s say all the guests at the Christmas party are different routing protocols. Some are stone cold sober and utterly humorless. They talk the most sense and therefore have the lowest administrative distance. Some people are drunk off their ass and seeing pink elephants. They have the highest administrative distance.

But even the most sober of the guests might have heard various versions of the family legend of how my customer met ex-wife number five, and they may believe one version of the story more than the other versions. That’s like a routing protocol (the guest) knowing multiple routes to the same destination (multiple versions of the same story) and preferring the route with the shortest metric (believing the most likely story).

Static Routes

Let’s look at static routes and the metric parameter. Despite the name, the metric parameter in the route command actually refers to administrative distance.

For reference, the diagram below shows the high-level topology of the test lab I used in my last two posts; the interface names and addresses in the commands below refer to it:

[Diagram: SLA Monitoring test lab topology]

On my ASA, I have configured two static routes to the 6.6.6.0/24 network. I prefer to send the traffic via the outside interface, so I’ve configured a lower administrative distance (1) on the route that uses the outside interface, and a higher administrative distance (2) on the route that uses the redundantisp interface.

ciscoasa(config)# show running-config route
route outside 6.6.6.0 255.255.255.0 2.2.2.2 1
route redundantisp 6.6.6.0 255.255.255.0 5.5.5.2 2

For the 6.6.6.0 route, the ASA picks the route with the lower administrative distance and places it in the routing table.

ciscoasa(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

The numbers inside the square brackets refer to [administrative distance/metric]. The metric for static routes is 0, but you can set the administrative distance.

If the outside interface goes down, the route that uses the outside interface is no longer available. So the ASA removes it from the routing table, and the route that uses the redundantisp interface is put in the routing table instead.

ciscoasa(config)# int g 0/0
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.6.6.0 255.255.255.0 [2/0] via 5.5.5.2, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane

When the outside interface comes back up, the route that utilizes the outside interface is reinstated in the routing table because it uses a lower administrative distance than the route that utilizes the redundantisp interface.

ciscoasa(config-if)# int g 0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

If I add a route to the 6.0.0.0/8 network, the ASA considers that to be a different destination, and will place that in the routing table along with the 6.6.6.0/24 route.

ciscoasa(config-if)# route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2
ciscoasa(config)# show running-config route
route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 1
route outside 6.6.6.0 255.255.255.0 2.2.2.2 1
route redundantisp 6.6.6.0 255.255.255.0 5.5.5.2 2
ciscoasa(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.0.0.0 255.0.0.0 [1/0] via 5.5.5.2, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

The ASA only compares administrative distance between routes that specify the exact same destination with the same subnet mask. That is the only situation in which administrative distance and metric matter.

So, with two installed routes that both cover 6.6.6.2 (6.6.6.0/24 and 6.0.0.0/8), and both with the same administrative distance, the ASA forwards using the route with the longest subnet mask, i.e. the most specific match.

ciscoasa(config)# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa(config)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
ICMP echo request from 2.2.2.1 to 6.6.6.2 ID=4388 seq=24571 len=72
!ICMP echo reply from 6.6.6.2 to 2.2.2.1 ID=4388 seq=24571 len=72
ICMP echo request from 2.2.2.1 to 6.6.6.2 ID=4388 seq=24571 len=72
ICMP echo reply from 6.6.6.2 to 2.2.2.1 ID=4388 seq=24571 len=72
!ICMP echo request from 2.2.2.1 to 6.6.6.2 ID=4388 seq=24571 len=72
!ICMP echo reply from 6.6.6.2 to 2.2.2.1 ID=4388 seq=24571 len=72
ICMP echo request from 2.2.2.1 to 6.6.6.2 ID=4388 seq=24571 len=72
!ICMP echo reply from 6.6.6.2 to 2.2.2.1 ID=4388 seq=24571 len=72
ICMP echo request from 2.2.2.1 to 6.6.6.2 ID=4388 seq=24571 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

As you can see, the ASA sends the traffic via the outside interface (2.2.2.1). If I shut down the outside interface, this is what the routing table looks like:

ciscoasa(config)# int g 0/0
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.6.6.0 255.255.255.0 [2/0] via 5.5.5.2, redundantisp
S    6.0.0.0 255.0.0.0 [1/0] via 5.5.5.2, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane

And the ping is sent via the redundantisp interface (5.5.5.1).

ciscoasa(config)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
ICMP echo request from 5.5.5.1 to 6.6.6.2 ID=4388 seq=3061 len=72
ICMP echo reply from 6.6.6.2 to 5.5.5.1 ID=4388 seq=3061 len=72
!ICMP echo request from 5.5.5.1 to 6.6.6.2 ID=4388 seq=3061 len=72
ICMP echo reply from 6.6.6.2 to 5.5.5.1 ID=4388 seq=3061 len=72
!ICMP echo request from 5.5.5.1 to 6.6.6.2 ID=4388 seq=3061 len=72
!ICMP echo reply from 6.6.6.2 to 5.5.5.1 ID=4388 seq=3061 len=72
ICMP echo request from 5.5.5.1 to 6.6.6.2 ID=4388 seq=3061 len=72
!ICMP echo reply from 6.6.6.2 to 5.5.5.1 ID=4388 seq=3061 len=72
ICMP echo request from 5.5.5.1 to 6.6.6.2 ID=4388 seq=3061 len=72
ICMP echo reply from 6.6.6.2 to 5.5.5.1 ID=4388 seq=3061 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Remember, the metric parameter in the route command is really the administrative distance for that static route. So if the ASA is learning routes to that same destination from other routing protocols, you can tell the ASA to prefer the static route by giving it a lower administrative distance (via the metric parameter).

So, let’s say I enable RIP on my ASA. It starts picking up other advertised routes from its RIP neighbors. You can see the 7.0.0.0 network in its routing table below, marked with an “R” code. Note that RIP has an administrative distance of 120.

ciscoasa(config-router)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.0.0.0 255.0.0.0 [1/0] via 5.5.5.2, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:18, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:18, redundantisp

Note that the ASA still has that static route to the 6.0.0.0 network in the third line of its routing table:

S    6.0.0.0 255.0.0.0 [1/0] via 5.5.5.2, redundantisp

But if I remove that static route, the ASA replaces it with a route that it had learned via RIP. (That route is now marked with an “R” and has an administrative distance of 120.)

ciscoasa(config-router)# no route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 1
ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
R    6.0.0.0 255.0.0.0 [120/1] via 5.5.5.2, 0:00:16, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:16, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:16, redundantisp

If I add that route back with an administrative distance of 121, which is (duh) higher than 120, the ASA will still prefer the route learned via RIP because it prefers the route with a lower administrative distance.

ciscoasa(config)# route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 121
ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
R    6.0.0.0 255.0.0.0 [120/1] via 5.5.5.2, 0:00:03, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:03, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:03, redundantisp

However, if I give that static route an administrative distance of 119, the ASA places it in the routing table.

ciscoasa(config)# no route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 121
ciscoasa(config)# route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 119
ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.0.0.0 255.0.0.0 [119/0] via 5.5.5.2, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:08, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.10.10.0 255.255.255.0 is directly connected, inside
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:08, redundantisp

So what if I give that static route an administrative distance of 120? That’s the same administrative distance as RIP. Which route will the ASA use?

ciscoasa(config-router)# no route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 119
ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
R    6.0.0.0 255.0.0.0 [120/1] via 5.5.5.2, 0:00:01, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:01, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:01, redundantisp
ciscoasa(config)# route redundantisp 6.0.0.0 255.0.0.0 5.5.5.2 120
ciscoasa(config)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, redundantisp
S    6.0.0.0 255.0.0.0 [120/0] via 5.5.5.2, redundantisp
S    6.6.6.0 255.255.255.0 [1/0] via 2.2.2.2, outside
R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:21, redundantisp
C    127.0.0.0 255.255.0.0 is directly connected, cplane
R*   0.0.0.0 0.0.0.0 [120/1] via 5.5.5.2, 0:00:21, redundantisp

The static route is inserted in the routing table instead of the RIP route because it has a lower metric. Notice the second number in the square brackets. That is the metric. The static route to 6.0.0.0 is designated with [120/0] whereas the RIP route to 6.0.0.0 is designated with [120/1]. Both routes have an administrative distance of 120. The static route has a metric of 0, which is lower than the RIP route’s metric of 1.

Lowest administrative distance first, then lowest metric.
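The selection rule the post demonstrates (lowest administrative distance per exact destination, then lowest metric, then longest subnet mask at forwarding time) as a small Python model. This is an added example, not code from the post or from Cisco; the candidate route set is constructed from the routes shown above, and the regex assumes the show route line layout shown on this page.

```python
"""Model of the ASA route-selection rule this page walks through: for each
exact destination (network + mask) the candidate with the lowest administrative
distance is installed, ties go to the lowest metric, and forwarding then uses
the longest subnet mask among installed routes. Added example, not page code."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Route:
    code: str             # "S" static or "R" RIP, as in the show route codes
    network: IPv4Network
    next_hop: str
    interface: str
    ad: int               # administrative distance, first number in [ad/metric]
    metric: int           # metric, second number in [ad/metric]

# Matches the "[ad/metric] via" lines of show route, with or without the age field
# RIP adds, e.g. "R    7.0.0.0 255.0.0.0 [120/3] via 5.5.5.2, 0:00:18, redundantisp".
LINE = re.compile(r"^(\S+)\s+(\S+) (\S+) \[(\d+)/(\d+)\] via (\S+),(?: [\d:]+,)? (\S+)$")

def parse_route_line(line):
    """Parse one show route line; connected ('C') lines carry no [ad/metric]."""
    m = LINE.match(line.strip())
    if not m:
        return None
    code, net, mask, ad, metric, nh, intf = m.groups()
    return Route(code, IPv4Network(f"{net}/{mask}"), nh, intf, int(ad), int(metric))

def install(candidates, up_interfaces):
    """Build the routing table from every candidate (static config plus routing
    protocol advertisements). Routes on a shut-down interface are withdrawn; for
    each exact destination the lowest (ad, metric) wins. ECMP ties not modelled."""
    table = {}
    for r in sorted(candidates, key=lambda r: (r.ad, r.metric)):
        if r.interface in up_interfaces and r.network not in table:
            table[r.network] = r
    return table

def lookup(table, dest):
    """Forwarding decision: the installed route with the longest subnet mask."""
    addr = IPv4Address(dest)
    hits = [r for net, r in table.items() if addr in net]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)

# Constructed candidate set from the routes on this page: the two statics to
# 6.6.6.0/24 (AD 1 and 2), the 6.0.0.0/8 static given AD 120, and the RIP route.
CANDIDATES = [
    Route("S", IPv4Network("6.6.6.0/24"), "2.2.2.2", "outside", 1, 0),
    Route("S", IPv4Network("6.6.6.0/24"), "5.5.5.2", "redundantisp", 2, 0),
    Route("S", IPv4Network("6.0.0.0/8"), "5.5.5.2", "redundantisp", 120, 0),
    parse_route_line("R    6.0.0.0 255.0.0.0 [120/1] via 5.5.5.2, 0:00:16, redundantisp"),
]

def egress(dest, up_interfaces, candidates=CANDIDATES):
    """(code, interface, ad, metric) of the route that carries traffic to dest."""
    r = lookup(install(candidates, up_interfaces), dest)
    return None if r is None else (r.code, r.interface, r.ad, r.metric)
```

With both interfaces up, egress("6.6.6.2", {"outside", "redundantisp"}) returns ('S', 'outside', 1, 0); with only redundantisp up it returns ('S', 'redundantisp', 2, 0), matching the two show route outputs above.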

Additional Information:

show running-config route command in the Cisco ASA 8.4 and 8.5 Command Reference.

interface command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

ping command in the Cisco ASA 8.4 and 8.5 Command Reference.

show route command in the Cisco ASA 8.4 and 8.5 Command Reference.

route command in the Cisco ASA 8.4 and 8.5 Command Reference.

debug icmp command in the Cisco ASA 8.4 and 8.5 Command Reference.