Symmetric and Asymmetric Routing — With Example
What is Asymmetric Routing?
In asymmetric routing, a packet travels from a source to a destination along one path, and the return traffic takes a different path back to the source. This is commonly seen in Layer 3 routed networks.
Issues to Consider with Asymmetric Routing
Asymmetric routing is not a problem by itself, but it causes problems when Network Address Translation (NAT) or firewalls are used in the routed path. For example, a firewall builds state information when packets flow from a higher security domain to a lower security domain, and it acts as the exit point from one security domain to the other. If the return path passes through a different firewall, that firewall has no state information for the flow, so it will not allow the packet to cross from the lower to the higher security domain. The state information exists only in the first firewall.
Design Options for Supporting Asymmetric Routing in Firewalls
- Symmetric routing flow through the firewall
Keep the traffic flow symmetric through the firewall infrastructure. Here, the packet flow from one security domain to another will be through a single firewall. Redundancy for the flow is achieved via firewall redundancy (failover configuration).
- Support of the asymmetric routing feature
TOPOLOGY:
In this topology, we configured HSRP on R1 and R2. R2 acts as the active router and R1 becomes the standby router. When VPC5 pings 2.2.2.2, the ICMP request goes from R2 to R3, but the ICMP reply comes back from R3 to R1; that is, the outgoing traffic and the incoming traffic take different paths to reach the same network.
Configurations:
R1:
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex half
 standby 1 ip 10.1.1.5
 standby 1 priority 200
 standby 1 preempt
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet2/0
 ip address 2.2.2.1 255.255.255.0
 duplex half
!
ip route 3.3.3.0 255.255.255.0 2.2.2.2
R2:
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex half
 standby 1 ip 10.1.1.5
 standby 1 priority 240
 standby 1 preempt
!
interface FastEthernet1/0
 ip address 3.3.3.1 255.255.255.0
!
ip route 2.2.2.0 255.255.255.0 3.3.3.2
R3:
interface FastEthernet1/0
 ip address 3.3.3.2 255.255.255.0
 duplex half
!
interface FastEthernet2/0
 ip address 2.2.2.2 255.255.255.0
!
ip route 10.1.1.0 255.255.255.0 2.2.2.1
ip route 10.1.1.0 255.255.255.0 3.3.3.1 20
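The following Python example is added here and is not part of the original article. It models the three configurations above (interface addresses, static routes with their administrative distance, HSRP priorities) and traces the request and reply paths for the ping to 2.2.2.2. VPC5's address 10.1.1.10 and all function names are assumptions, since the page does not give them.

```python
import ipaddress

# Transcribed from the configurations above: interface addresses, static routes
# as (prefix, next hop, administrative distance), and HSRP priority.
ROUTERS = {
    "R1": {"connected": ["10.1.1.1/24", "2.2.2.1/24"], "hsrp_priority": 200,
           "static": [("3.3.3.0/24", "2.2.2.2", 1)]},
    "R2": {"connected": ["10.1.1.2/24", "3.3.3.1/24"], "hsrp_priority": 240,
           "static": [("2.2.2.0/24", "3.3.3.2", 1)]},
    "R3": {"connected": ["3.3.3.2/24", "2.2.2.2/24"],
           "static": [("10.1.1.0/24", "2.2.2.1", 1), ("10.1.1.0/24", "3.3.3.1", 20)]},
}
HOST = ("VPC5", "10.1.1.10")  # assumed address; the page does not give VPC5's IP

def owner(ip):
    if ip == HOST[1]:  # the host itself
        return HOST[0]
    for name, r in ROUTERS.items():
        if any(ip == c.split("/")[0] for c in r["connected"]):
            return name
    raise ValueError(f"no node owns {ip}")

def next_hop(router, dst):
    """Longest-prefix match; equal prefixes are decided by lowest distance."""
    d, cands = ipaddress.ip_address(dst), []
    for c in ROUTERS[router]["connected"]:
        net = ipaddress.ip_interface(c).network
        if d in net:
            cands.append((-net.prefixlen, 0, dst))  # on-link: deliver directly
    cands += [(-ipaddress.ip_network(p).prefixlen, ad, nh)
              for p, nh, ad in ROUTERS[router]["static"] if d in ipaddress.ip_network(p)]
    if not cands:
        raise ValueError(f"{router} has no route to {dst}")
    return owner(min(cands)[2])

def trace(first, dst, max_hops=8):
    path = [first]
    while owner(dst) != path[-1] and len(path) <= max_hops:
        path.append(next_hop(path[-1], dst))
    return path

def paths(dst):
    """Forward path from VPC5 via the HSRP active router, and the reply path."""
    group = {n: r["hsrp_priority"] for n, r in ROUTERS.items() if "hsrp_priority" in r}
    forward = [HOST[0]] + trace(max(group, key=group.get), dst)
    return forward, trace(forward[-1], HOST[1])

if __name__ == "__main__":
    print(paths("2.2.2.2"))
```

The request leaves through R2 while the reply returns through R1, so if R1 and R2 were stateful firewalls the reply would reach a device holding no state for the flow.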
Verification:
VPC5(A):