
VRRP and static routes




One question about VRRP. I will set up VRRP on two 5406. I need to add static routes to different networks (PIXs with VPN connections). Is it possible to add them on one of the 5406, and get them replicated to the other 5406? Or do I need to manually have them synchronized?

Best Regards, Magnus
Matt Hobbs
Honored Contributor

Re: VRRP and static routes

It's possible if you use a dynamic routing protocol like RIP or OSPF. If you configure your static routes on one 5400 and use the 'redistribute static' option, then enable RIP/OSPF on both routers, the second router will learn the static routes.

I'm not familiar with the PIXs but if you could enable RIP/OSPF on them that would be even better.
Mohieddin Kharnoub
Honored Contributor

Re: VRRP and static routes


Usually firewalls in general have dynamic routing like RIP and OSPF.

So, enabling RIP on both sides will do the job, as Matt suggested.

One more thing, why do you want to add it to one of the 5400? Since you have VRRP, you are looking for redundancy, so I assume you have a firewall (with multiple interfaces) connected to one of the 5400.

Adding another interface from the firewall to the second 5400 will give more redundancy, especially if you have dual firewalls.

Good Luck !!!
Science for Everyone
Ben Dehner
Trusted Contributor

Re: VRRP and static routes

You started with "a question about VRRP" but VRRP and route propagation are really completely separate. You can have one without the other. As others mentioned, if you want route redistribution, you need to run a routing protocol like RIP or OSPF.

If you do use a dynamic protocol, there are two basic ways, depending on the capabilities of the equipment. One is to add the static route into the 5406, and have that broadcast the route, or to have the PIX device also take part in the routing protocol. In the latter case, you don't have to configure any static routes, the underlying protocol is doing the job for you.
Trust me, I know what I'm doing
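
For the manual-synchronization option raised in the question, a drift check between the two routers' saved configurations can confirm that the VRRP backup carries the same static routes as the master. This is an added example, not part of any post in this thread; the `ip route` line formats, hostnames and addresses below are constructed assumptions.

```python
import ipaddress

# Constructed sample configs (not from the thread). Both "dest mask next-hop"
# and "dest/len next-hop" forms are assumed to appear in saved configs.
CORE_A = """\
hostname "core-a"
ip routing
ip route 10.20.0.0 255.255.0.0 192.168.1.254
ip route 10.30.0.0/16 192.168.1.254
ip route 10.40.0.0 255.255.0.0 192.168.1.253
"""
CORE_B = """\
hostname "core-b"
ip routing
ip route 10.20.0.0/16 192.168.1.254
ip route 10.30.0.0 255.255.0.0 192.168.1.254
ip route 10.40.0.0 255.255.0.0 192.168.1.254
"""

def static_routes(config_text):
    """Return the set of (normalized prefix, next hop) static routes."""
    routes = set()
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "route"] or len(tok) < 4:
            continue  # skips "ip routing" and unrelated lines
        if "/" in tok[2]:
            prefix, hop = tok[2], tok[3]
        elif len(tok) >= 5:
            prefix, hop = f"{tok[2]}/{tok[3]}", tok[4]
        else:
            continue
        # Normalize so 10.20.0.0 255.255.0.0 equals 10.20.0.0/16.
        net = ipaddress.ip_network(prefix, strict=False)
        routes.add((str(net), hop))
    return routes

def route_drift(cfg_a, cfg_b):
    """Routes present on only one router of the VRRP pair."""
    a, b = static_routes(cfg_a), static_routes(cfg_b)
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    only_a, only_b = route_drift(CORE_A, CORE_B)
    for net, hop in only_a:
        print(f"only on core-a: {net} via {hop}")
    for net, hop in only_b:
        print(f"only on core-b: {net} via {hop}")
```

A non-empty result means traffic for that prefix would be forwarded differently, or dropped, after a VRRP failover.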