Imagine you're in a foreign city, trying to find a specific address. You know your immediate neighborhood well, but for destinations outside your familiar zone, you simply head toward the main road that leads to the city center—from there, you can figure out the rest.
Routers face the same challenge. A typical router might know hundreds or thousands of local routes explicitly, but the Internet contains millions of destinations. No router can (or should) maintain explicit routes to every possible destination. Instead, routers rely on a default route—a route of last resort that says, "If you don't know where to send this, send it here."
The default route is arguably the most important route in any routing table. It's the escape hatch, the universal fallback, the bridge from local networks to the global Internet. Understanding default routes is essential for every network professional.
By the end of this page, you will understand what default routes are, why they exist, how to configure them, how they integrate with routing protocols, and their role in hierarchical network design. You'll also learn common default route configurations and troubleshooting approaches.
What is a Default Route?
A default route is a routing table entry that matches any destination IP address not covered by a more specific route. It's expressed as:
A default route matches ALL destinations with the least specific prefix (length 0). Any packet without a more specific match will follow the default route.
Why 0.0.0.0/0?
The prefix 0.0.0.0/0 means:
But wait—doesn't this conflict with specific routes? No, because of longest prefix matching. A packet destined for 10.1.1.5 will prefer a route to 10.1.1.0/24 (24-bit match) over 0.0.0.0/0 (0-bit match). The default route only applies when no better match exists.
| Destination | Route 10.0.0.0/8 | Route 10.1.0.0/16 | Route 0.0.0.0/0 | Used Route |
|---|---|---|---|---|
| 10.1.2.3 | Match (8 bits) | Match (16 bits) | Match (0 bits) | 10.1.0.0/16 ✓ |
| 10.2.3.4 | Match (8 bits) | No match | Match (0 bits) | 10.0.0.0/8 ✓ |
| 192.168.1.1 | No match | No match | Match (0 bits) | 0.0.0.0/0 ✓ |
| 8.8.8.8 | No match | No match | Match (0 bits) | 0.0.0.0/0 ✓ |
Gateway of Last Resort
In Cisco IOS terminology, the default route's next hop is called the Gateway of Last Resort. This appears at the top of show ip route output:
Router# show ip route
Codes: C - connected, S - static, ...
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.0.1
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0
...
The asterisk (*) in the S* code marks this entry as the candidate default route.
No Default Route Scenario
Router# show ip route
Gateway of last resort is not set
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
What happens to traffic for 8.8.8.8?
→ No matching route
→ Router sends ICMP 'Destination Network Unreachable'
→ Packet is discarded
Every device with IP connectivity needs either explicit routes to all destinations OR a default gateway. Your laptop, phone, and smart thermostat all have a default gateway configured—the router they send all non-local traffic to. Without it, they couldn't reach the Internet.
Default routes can be configured several ways depending on the network design and requirements.
Method 1: Static Default Route
The most common method for small networks and edge devices:
! Cisco IOS - Static default route to specific next-hop
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! With outgoing interface (point-to-point links)
ip route 0.0.0.0 0.0.0.0 Serial0/0
! With both next-hop and interface (recommended for Ethernet)
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.1.1
# Linux - Static default route
ip route add default via 192.168.1.1
Method 2: Default Route via Routing Protocol
Routing protocols can advertise and propagate default routes:
! OSPF - Generate and advertise default route
router ospf 1
default-information originate
! OSPF - Always advertise default (even if no local default)
router ospf 1
default-information originate always
! BGP - Advertise 0.0.0.0/0 to neighbor
router bgp 65000
neighbor 10.1.1.2 default-originate
! EIGRP - Redistribute a static default
router eigrp 100
redistribute static
! (requires 'ip route 0.0.0.0 0.0.0.0 ...' to exist)
Floating Static Default Route
A floating static is a backup default route with higher administrative distance:
! Primary default via ISP1 (AD=1)
ip route 0.0.0.0 0.0.0.0 10.1.1.1
! Backup default via ISP2 (AD=200, only used if primary fails)
ip route 0.0.0.0 0.0.0.0 10.2.2.1 200
Behavior:
- Normal operation: Traffic flows via 10.1.1.1 (AD=1 wins)
- If the interface toward 10.1.1.1 goes down: the route via 10.1.1.1 is removed
- Backup route (AD=200) becomes active
- Traffic now flows via 10.2.2.1
- When primary recovers, it takes over again (AD=1 < AD=200)
Tracked Default Route
More reliable failover using IP SLA:
! Monitor primary ISP reachability
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
! Primary default tied to track object
ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 1
! Backup default (always present, lower priority)
ip route 0.0.0.0 0.0.0.0 10.2.2.1 10
Now failover occurs if:
- Interface to 10.1.1.1 goes down, OR
- IP SLA probe fails (ISP is up but Internet is unreachable)
The ISP router (10.1.1.1) might be reachable even when the ISP's upstream connection is broken. By probing an external destination (like 8.8.8.8), you verify true Internet reachability, not just next-hop availability.
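The selection logic behind longest-prefix matching, floating statics and tracked defaults, as an added Python model (not code from the original page or from any router OS). The names `Route`, `build_rib`, `lookup` and `track1` are illustrative, the 10.1.0.0/16 route is assumed, and metrics and ECMP are ignored.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str       # e.g. "0.0.0.0/0"
    next_hop: str
    ad: int = 1       # administrative distance (static routes default to 1)
    track: str = ""   # hypothetical track-object name; "" means untracked

def build_rib(candidates, down_hops=(), failed_tracks=()):
    """Per prefix, install the usable candidate with the lowest AD."""
    rib = {}
    for r in candidates:
        if r.next_hop in down_hops or r.track in failed_tracks:
            continue  # next hop unreachable, or its IP SLA track is down
        net = ipaddress.ip_network(r.prefix)
        if net not in rib or r.ad < rib[net].ad:
            rib[net] = r
    return rib

def lookup(rib, dst):
    """Longest-prefix match; None models 'Destination Network Unreachable'."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    return rib[max(matches, key=lambda n: n.prefixlen)] if matches else None

# Constructed candidates: the two defaults from the tracked configuration
# above, plus one assumed OSPF-learned specific route.
CANDIDATES = [
    Route("0.0.0.0/0", "10.1.1.1", ad=1, track="track1"),
    Route("0.0.0.0/0", "10.2.2.1", ad=10),
    Route("10.1.0.0/16", "10.0.0.2", ad=110),
]

def next_hop(dst, **state):
    route = lookup(build_rib(CANDIDATES, **state), dst)
    return route.next_hop if route else None

if __name__ == "__main__":
    print(next_hop("8.8.8.8"))                             # primary ISP
    print(next_hop("8.8.8.8", failed_tracks={"track1"}))   # backup ISP
    print(next_hop("10.1.2.3", failed_tracks={"track1"}))  # specific route wins
```

Administrative distance only decides between candidates for the same prefix; the 10.1.0.0/16 route with AD 110 still beats both defaults for 10.1.2.3 because prefix length is compared first.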
In enterprise and service provider networks, default routes must be propagated from Internet-connected routers to downstream routers. Each routing protocol handles this differently.
OSPF Default Route Propagation
Topology:
[Internet] ─── [Edge Router] ─── [Distribution] ─── [Access]
                     │
             Has default route
         Must propagate to others
Edge Router Configuration:
router ospf 1
default-information originate always metric 10 metric-type 1
Parameters:
- 'originate': Create and advertise a default route
- 'always': Advertise even if no default exists locally
- 'metric 10': Set the default route's metric
- 'metric-type 1': Use E1 (adds to internal cost) vs E2 (external cost only)
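Result in Distribution Router (metric-type 1, as configured above):
O*E1 0.0.0.0/0 [110/11] via 10.0.0.1, 00:02:15, GigabitEthernet0/0
│
└── E1 = External Type 1: metric = seed metric 10 + internal cost to the edge router (a link cost of 1 is assumed here)
With the default metric-type 2 the entry reads O*E2 and the metric stays at 10 on every router.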
OSPF Not-So-Stubby Areas (NSSA) and Default Routes
OSPF stub areas automatically receive a default route from the ABR:
Stub Area Behavior:
- Stub: ABR injects default route; no external routes allowed
- Totally Stubby: ABR injects default route; no external OR inter-area routes
- NSSA: ABR injects default route via Type-7 LSA
! ABR Configuration for stub area
router ospf 1
area 10 stub
! For totally stubby
area 10 stub no-summary
! All routers in area 10 see:
O*IA 0.0.0.0/0 [110/1] via [ABR IP], ...
| Protocol | Originate Command | Propagation Method | Notes |
|---|---|---|---|
| OSPF | default-information originate | Type-5 LSA (external) | Requires ASBR |
| EIGRP | redistribute static | Redistributed default | Or ip summary-address |
| BGP | neighbor X default-originate | Per-neighbor basis | Can be conditional |
| RIP | default-information originate | Regular RIP route | Simple but inefficient |
| IS-IS | default-information originate | IS-IS route | Similar to OSPF |
BGP Default Route Behavior
BGP has nuanced default route handling:
! Advertise default to specific neighbor
router bgp 65000
neighbor 10.1.1.2 default-originate
! Conditional default (only if specific prefix exists)
router bgp 65000
neighbor 10.1.1.2 default-originate route-map CHECK_UPSTREAM
route-map CHECK_UPSTREAM permit 10
match ip address prefix-list DEFAULT_EXISTS
ip prefix-list DEFAULT_EXISTS permit 8.8.8.0/24
Logic:
- If 8.8.8.0/24 exists in BGP table → Advertise default to neighbor
- If 8.8.8.0/24 disappears → Stop advertising default
- Use case: Don't advertise default if upstream connectivity is lost
Injecting default routes into routing protocols requires careful consideration. A router advertising a default becomes responsible for all unknown traffic. If that router can't actually reach the Internet, you've created a black hole. Always ensure the originating router has genuine Internet connectivity.
Default routes are fundamental to hierarchical network design, enabling scalability while simplifying edge router configurations.
The Hierarchy Principle
In a well-designed network:
As you move toward the network edge, knowledge decreases and reliance on defaults increases.
Hierarchical Network Design:
┌─────────────────────────────────────────────────────┐
│                      INTERNET                       │
│                   Full BGP Table                    │
│                 (~1 million routes)                 │
└─────────────────────┬───────────────────────────────┘
                      │
┌─────────────────────┴───────────────────────────────┐
│                   CORE / BACKBONE                   │
│             Full Internal + BGP Routes              │
│                  (~10,000+ routes)                  │
│                     ▼                               │
│          Advertises default route downward          │
└─────────────────────┬───────────────────────────────┘
                      │
┌─────────────────────┴───────────────────────────────┐
│                    DISTRIBUTION                     │
│         Regional Internal Routes + Default          │
│                   (~1,000 routes)                   │
│                     ▼                               │
│          Advertises default route downward          │
└─────────────────────┬───────────────────────────────┘
                      │
┌─────────────────────┴───────────────────────────────┐
│                       ACCESS                        │
│          Local Routes + Default Route Only          │
│                  (~10-100 routes)                   │
│                     ▼                               │
│          Provides default gateway to hosts          │
└─────────────────────┬───────────────────────────────┘
                      │
┌─────────────────────┴───────────────────────────────┐
│                      END HOSTS                      │
│                Default Gateway Only                 │
│                      (1 route)                      │
└─────────────────────────────────────────────────────┘
Stub Networks
A stub network is one with only a single exit point. Stub networks are ideal candidates for default-route-only configurations:
┌───────────────────┐
│     Stub Site     │
│                   │
│ [R1]──[R2]──[R3]  │
│        │          │
│        │          │
│       [R4]        │
└────────┬──────────┘
         │ Single exit
┌────────┴──────────┐
│   Distribution    │
│      Router       │
└───────────────────┘
Stub Site Configuration:
- R1, R2, R3, R4 run IGP (OSPF, EIGRP) for internal connectivity
- All have default route pointing toward the exit
- No knowledge of external network topology needed
- Any packet for non-local destination → sent to exit → forwarded by Distribution
Sites with multiple ISP connections (multi-homed) typically need more than a default route. They need to receive full or partial Internet routes to make intelligent path selection decisions. A default-only site can't optimize for specific destinations.
Default routes have significant security implications that network engineers must understand.
The Default Route Attack Vector
If an attacker can inject a false default route, they can:
Protection Mechanisms
BGP Default Route Filtering
! Only accept default from trusted peer
router bgp 65000
neighbor 10.1.1.1 prefix-list ACCEPT_DEFAULT in
neighbor 10.2.2.2 prefix-list DENY_DEFAULT in
ip prefix-list ACCEPT_DEFAULT permit 0.0.0.0/0
ip prefix-list DENY_DEFAULT deny 0.0.0.0/0
! All other routes OK
ip prefix-list DENY_DEFAULT permit 0.0.0.0/0 le 32
OSPF Default Information Protection
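! Control which routers can originate defaults
router ospf 1
! As written, this drops every OSPF-learned default from the local routing table
distribute-list prefix NO_EXTERNAL_DEFAULT in
! Note: an inbound distribute-list only filters what this router installs in
! its own routing table; the LSA stays in the LSDB and is still flooded on
ip prefix-list NO_EXTERNAL_DEFAULT deny 0.0.0.0/0
ip prefix-list NO_EXTERNAL_DEFAULT permit 0.0.0.0/0 le 32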
! Better: Use stub areas - cannot originate defaults from within
router ospf 1
area 10 stub
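How the prefix-list entries in the BGP and OSPF filters above are evaluated, as an added Python sketch (not code from the original page or from Cisco). It assumes entries are written without the `seq` keyword and that list order stands in for sequence order; `parse_entry`, `evaluate` and `report` are illustrative names.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list NAME permit|deny A.B.C.D/len [ge N] [le N]'."""
    tok = line.split()
    action, net = tok[3], ipaddress.ip_network(tok[4])
    opts = dict(zip(tok[5::2], map(int, tok[6::2])))
    if not opts:
        lo = hi = net.prefixlen              # no ge/le: exact length only
    else:
        lo = opts.get("ge", net.prefixlen)   # le alone: from the entry's length
        hi = opts.get("le", 32)              # ge alone: up to /32
    return action, net, lo, hi

def evaluate(config_lines, route):
    """First matching entry wins; falling off the end is the implicit deny."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in map(parse_entry, config_lines):
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"

# The two lists from the BGP filtering configuration above.
ACCEPT_DEFAULT = ["ip prefix-list ACCEPT_DEFAULT permit 0.0.0.0/0"]
DENY_DEFAULT = [
    "ip prefix-list DENY_DEFAULT deny 0.0.0.0/0",
    "ip prefix-list DENY_DEFAULT permit 0.0.0.0/0 le 32",
]

def report(routes=("0.0.0.0/0", "10.0.0.0/8", "203.0.113.0/24")):
    """Verdict of each list, and of DENY_DEFAULT in the wrong order."""
    lists = {"ACCEPT_DEFAULT": ACCEPT_DEFAULT, "DENY_DEFAULT": DENY_DEFAULT,
             "DENY_DEFAULT reversed": DENY_DEFAULT[::-1]}
    return {name: {r: evaluate(cfg, r) for r in routes}
            for name, cfg in lists.items()}

if __name__ == "__main__":
    for name, verdicts in report().items():
        print(name, verdicts)
```

Two things show up in the output: ACCEPT_DEFAULT admits the default and nothing else from that neighbor, and DENY_DEFAULT stops filtering the default if its catch-all `le 32` entry is evaluated before the deny.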
A rogue device on your network advertising a default route via DHCP or routing protocol can hijack all outbound traffic. This is why network segmentation, 802.1X, and routing protocol authentication are critical. Never trust default routes from untrusted sources.
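A detection-side check for the risk described above, as an added Python example (not from the original page): it parses `show ip route` text in the format shown on this page and reports any installed default whose protocol and next hop are not on an approved list. The captures, the 10.1.1.66 address and the `APPROVED` set are constructed for illustration.

```python
import re

# 'S* 0.0.0.0/0 [1/0] via 10.0.0.1' or 'O*E2 0.0.0.0/0 [110/10] via 10.0.0.1, ...'
ENTRY = re.compile(r"^(?P<code>[A-Z]\*[A-Z0-9]*)\s+0\.0\.0\.0/0\s+"
                   r"\[(?P<ad>\d+)/\d+\]\s+via\s+(?P<nh>[0-9.]+)")
# ECMP continuation line: '[1/0] via 192.168.2.1'
CONT = re.compile(r"^\[(?P<ad>\d+)/\d+\]\s+via\s+(?P<nh>[0-9.]+)")

def default_routes(show_ip_route):
    """Return (code, AD, next hop) for every installed 0.0.0.0/0 path."""
    found, code = [], None
    for raw in show_ip_route.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            code = m["code"]
        else:
            m = CONT.match(line) if code else None
            if not m:
                code = None
                continue
        found.append((code, int(m["ad"]), m["nh"]))
    return found

def audit(show_ip_route, approved):
    """approved: set of (protocol letter, next hop) allowed to be the default."""
    paths = default_routes(show_ip_route)
    if not paths:
        return ["no default route installed"]
    return [f"unexpected default: {code} via {nh} (AD {ad})"
            for code, ad, nh in paths if (code[0], nh) not in approved]

# Constructed captures from a distribution router; addresses are examples.
APPROVED = {("O", "10.0.0.1")}
BASELINE = """Gateway of last resort is 10.0.0.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/10] via 10.0.0.1, 00:02:15, GigabitEthernet0/0
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0"""
CHANGED = """Gateway of last resort is 10.1.1.66 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.1.1.66, 00:00:41, GigabitEthernet0/1
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0"""

if __name__ == "__main__":
    print(audit(BASELINE, APPROVED))
    print(audit(CHANGED, APPROVED))
```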
Default Route and Black Hole Mitigation
DDoS mitigation often involves injecting specific routes to black hole attack traffic:
Scenario: DDoS attack targeting 203.0.113.50
Black hole implementation:
! Create route to Null0
ip route 203.0.113.50 255.255.255.255 Null0
! Advertise to upstream via BGP community
router bgp 65000
network 203.0.113.50 mask 255.255.255.255 route-map BLACKHOLE
route-map BLACKHOLE permit 10
! Community recognized by ISP for black-holing
set community 65000:666
Result:
- ISP drops traffic to 203.0.113.50 at their edge
- Attack traffic never reaches your network
- Collateral damage: Legitimate traffic to 203.0.113.50 also dropped
Note: This is intentional—black hole is a last resort for severe attacks.
Default routes have subtle behaviors that can cause confusion. Understanding these edge cases prevents troubleshooting headaches.
Multiple Default Routes (ECMP)
What if you have two equal-cost defaults?
Configuration:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.2.1
Result:
- Both routes installed (same AD, same prefix)
- Traffic load-balanced across both
- Per-flow hashing determines which path
- Provides redundancy and bandwidth aggregation
show ip route 0.0.0.0:
S* 0.0.0.0/0 [1/0] via 192.168.1.1
[1/0] via 192.168.2.1
Recursive Default Route
A default route can have a recursive next-hop:
ip route 0.0.0.0 0.0.0.0 10.100.100.1
! Where 10.100.100.1 is learned via:
O 10.100.100.0/24 [110/20] via 192.168.1.2
Resolution:
1. Lookup 0.0.0.0/0 → next-hop 10.100.100.1
2. Lookup 10.100.100.1 → via 192.168.1.2 via Gi0/0
3. Final: Forward via 192.168.1.2 Gi0/0
Caveat: If OSPF route to 10.100.100.0/24 disappears,
the default route becomes invalid.
| Scenario | Behavior | Solution/Consideration |
|---|---|---|
| Two equal AD defaults | ECMP load balancing | Intentional for redundancy |
| Static and dynamic default | Lower AD wins (static usually) | May need floating static for backup |
| Recursive default next-hop | Works if IGP path exists | Ensure IGP stability |
| Default to disconnected interface | Route remains if interface exists | Use track objects |
| BGP default not in RIB | Not advertised downstream | Use 'always' keyword |
| OSPF stub with no ABR | No default generated | Need at least one ABR |
The "Gateway of Last Resort is not set" Condition
Several scenarios can cause this:
1. No default route configured
- Simply add: ip route 0.0.0.0 0.0.0.0 [next-hop]
2. Default route exists but next-hop unreachable
- Verify interface is up
- Verify next-hop is pingable
- Check: show ip route [next-hop-ip]
3. OSPF 'default-information originate' without 'always'
- Requires a local default to exist before advertising
- Add: ip route 0.0.0.0 0.0.0.0 Null0 (creates a local default)
- Or use: default-information originate always
4. BGP next-hop not reachable
- iBGP next-hop must be in IGP
- Use 'next-hop-self' or ensure IGP covers peering
Use 'debug ip routing' cautiously to see route installations and removals. 'show ip route 0.0.0.0' shows default route details. 'show ip cef 0.0.0.0/0' shows how the FIB handles the default. For BGP, 'show ip bgp 0.0.0.0/0' shows BGP-specific attributes.
Modern network architectures—cloud, SD-WAN, and Zero Trust—have changed how we think about default routes.
Cloud/Hybrid Default Routing
In cloud environments, default routes determine Internet breakout:
Scenario: Hybrid cloud with VPN to on-premises
Option 1: Hairpin through on-premises (Traditional)
┌────────────────┐              ┌────────────────┐
│   Cloud VPC    │              │  On-Premises   │
│                │              │                │
│  Default: ─────┼──── VPN ────▶│  Firewall/     │
│  On-prem GW    │              │  Internet      │
│                │              │                │
└────────────────┘              └────────────────┘
Pros: Central security policy, single Internet exit
Cons: Latency, bandwidth bottleneck
Option 2: Direct cloud Internet breakout (Modern)
┌────────────────┐              ┌────────────────┐
│   Cloud VPC    │              │  On-Premises   │
│                │              │                │
│  Default: ─────┼──▶ Cloud     │  VPN: Specific │
│  Cloud IGW     │    Internet  │  routes only   │
│                │              │                │
└────────────────┘              └────────────────┘
Pros: Lower latency, cloud-native security
Cons: Multiple security perimeters
SD-WAN Default Route Handling
SD-WAN changes default routing fundamentally:
Traditional:
- Default route = single Internet path
- Backup = floating static to second ISP
- Decision: routing protocol level
SD-WAN:
- Default route often = SD-WAN overlay
- Actual path selected per-application
- VoIP → Low-latency path (MPLS)
- Bulk transfer → High-bandwidth path (Internet)
- SaaS → Direct Internet (cloud breakout)
The 'default route' becomes:
ip route 0.0.0.0 0.0.0.0 [SD-WAN-VPN-Interface]
All traffic enters the SD-WAN fabric, which then
makes intelligent per-flow path decisions.
In modern architectures, the simple concept of 'one default route to the Internet' is giving way to more nuanced traffic steering. However, the underlying principle remains: traffic with no specific route must go somewhere, and that 'somewhere' is still determined by default routing—just with more intelligence above it.
The default route is simple in concept but profound in impact—it determines where unknown traffic goes. Let's consolidate what we've learned:
What's Next
We've discussed routing decisions and defaults, but how does a router choose between multiple paths to the same destination? The answer lies in routing metrics—the numerical measures that quantify path quality. The next page examines metrics in detail, understanding how different protocols measure and compare path quality.
You now understand default routes comprehensively—their purpose, configuration, propagation, security implications, and role in modern networks. This knowledge enables you to design and troubleshoot connectivity to external networks and the Internet.