Documentation

July 4, 2025

Static Routing with Failover: Fortigate Primary, Cisco Backup

What is Static Routing?

Static routing is when you manually set up routes on a router. You tell the router where to send traffic for a specific network and which next-hop IP or interface to use.

1. Simple Static Routing (Directly Connected)

Simple static routing happens when the next-hop IP is directly connected to the router. The router can forward packets immediately without needing additional lookups. You must configure static routes on every router involved in the forwarding path, but routers not handling this traffic don't need the route.

Example:

ip route 192.168.20.0 255.255.255.0 10.10.10.1

Advantages:

  • Faster forwarding because no recursive lookup is needed.
  • More stable since it doesn’t depend on other routes.
  • Suitable for small networks or point-to-point connections.

Disadvantages:

  • Not flexible if the next-hop is not directly connected.
  • Less efficient in networks with many indirect routes.

2. Recursive Static Routing

Recursive routing happens when the next-hop IP is not directly connected. The router needs to check its routing table again to figure out how to reach that next hop.

Example:

ip route 192.168.20.0 255.255.255.0 172.168.10.2 
ip route 172.168.10.2 255.255.255.255 10.10.10.1

Advantages:

  • More flexible for complex networks with multiple hops.
  • Easier to configure when many routes share the same gateway.

Disadvantages:

  • Slower forwarding due to recursive lookup.
  • Risk of routing failure if the route to the next-hop disappears.
  • Not recommended for latency-sensitive applications like VoIP or real-time traffic.

3. Static Route Load Balancing (50:50 Traffic Sharing)

  • Equal-Cost Multi-Path (ECMP) routing: load balancing works only when multiple static routes to the same destination have the same metric and administrative distance (AD).
  • Supported on Cisco, Juniper, and most enterprise-grade routers.

Example:

ip route 192.168.20.0 255.255.255.0 10.10.10.1 
ip route 192.168.20.0 255.255.255.0 10.10.20.2

4. Floating Static Routes

A floating static route is a static route that is used only when the primary route fails.

You "float" a static route by assigning it a higher administrative distance (AD) than the primary route. This way, it enters the routing table only if the better route is unavailable.

Primary Route (Preferred Path)

This is the default route used by the router because it has the lowest Administrative Distance (AD).

Default AD values:

  • Directly connected interface – AD = 0
  • Static route with next-hop IP – AD = 1
  • Static route with outgoing interface – AD = 0

Floating Static Route (Backup Path)

A floating static route is a backup route with a higher AD. It only appears in the routing table if the primary route is no longer available.

Typical backup AD ranges:

  • 5–99: For local preference or secondary links
  • 100–200: For backup ISP or WAN links
  • 250: Cisco's recommended value for last-resort failover

Activation Mechanism

A floating static route becomes active only when no better route (lower AD) exists. This usually happens when:

  • The primary route’s interface goes down (physically or administratively)
  • A tracking object fails (e.g., using IP SLA)
  • The router no longer has a valid path to the next-hop IP (in recursive static)

Key Behavior Notes

  • Floating routes stay inactive as long as a lower-AD route exists
  • They do not revert automatically when the primary comes back — unless tracking is configured
  • Recursive static routes may fail if the next-hop route becomes unreachable

Example Configuration

ip route 192.168.20.0 255.255.255.0 10.10.10.1 
ip route 192.168.20.0 255.255.255.0 10.10.20.2 250

In this example:

  • The router will use 10.10.10.1 to reach 192.168.20.0/24 as long as it's available.
  • If the primary route is removed from the routing table, the router will switch to the backup via 10.10.20.2
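The selection rules from sections 1 to 4 can be modelled in a few lines. This is an added example, not code from the original page: `StaticRoute`, `resolves` and `installed` are hypothetical names, the /24 masks on the connected links are assumptions, and a link failure is modelled simply as its connected network disappearing.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:
    prefix: str      # destination network in CIDR form
    next_hop: str    # next-hop IP address
    ad: int = 1      # administrative distance; 1 is the default for a next-hop static

def resolves(next_hop, connected, statics, depth=0):
    """True if next_hop is on a connected network or reachable via another static."""
    ip = ipaddress.ip_address(next_hop)
    if any(ip in ipaddress.ip_network(net) for net in connected):
        return True
    if depth >= 4:   # assumed depth limit for this model; stops lookup loops
        return False
    return any(ip in ipaddress.ip_network(r.prefix)
               and resolves(r.next_hop, connected, statics, depth + 1)
               for r in statics)

def installed(prefix, statics, connected):
    """Next hops installed for prefix: the resolvable candidates with the lowest AD."""
    usable = [r for r in statics
              if r.prefix == prefix and resolves(r.next_hop, connected, statics)]
    best = min((r.ad for r in usable), default=None)
    return sorted(r.next_hop for r in usable if r.ad == best)

# Constructed scenarios built from the page's example routes; the connected
# networks below are assumptions, the page does not give interface masks.
FLOATING = [StaticRoute("192.168.20.0/24", "10.10.10.1"),
            StaticRoute("192.168.20.0/24", "10.10.20.2", ad=250)]
ECMP = [StaticRoute("192.168.20.0/24", "10.10.10.1"),
        StaticRoute("192.168.20.0/24", "10.10.20.2")]
RECURSIVE = [StaticRoute("192.168.20.0/24", "172.168.10.2"),
             StaticRoute("172.168.10.2/32", "10.10.10.1")]
BOTH_UP = ["10.10.10.0/24", "10.10.20.0/24"]
PRIMARY_DOWN = ["10.10.20.0/24"]

if __name__ == "__main__":
    dst = "192.168.20.0/24"
    print("floating, both links up: ", installed(dst, FLOATING, BOTH_UP))
    print("floating, primary down:  ", installed(dst, FLOATING, PRIMARY_DOWN))
    print("ecmp, both links up:     ", installed(dst, ECMP, BOTH_UP))
    print("recursive, primary down: ", installed(dst, RECURSIVE, PRIMARY_DOWN))
```

The model treats a next hop as usable whenever a route to it exists, which is why a cached ARP entry or a silent upstream failure is invisible to it.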

Note: If you shut down the next-hop interface but the ARP entry is still cached, the router may continue using the main route. It is better to shut down the main route’s interface to ensure proper failover. For the best configuration and more reliable failover, I recommend using IP SLA tracking.

5. IP SLA + Tracking: Smart Static Route Failover

Static routes are simple—but they don’t detect outages on their own. That’s where IP SLA and tracking come in.

IP SLA (Service Level Agreement)

A built-in tool that actively checks network reachability (via ping, HTTP, TCP, etc.).

  • Runs background tests continuously.
  • Can monitor critical destinations (e.g., an ISP gateway, DNS server, or cloud IP).

Tracking Object

Connects the result of an IP SLA test to routing decisions.

  • If the SLA test fails, the tracked route is automatically removed.
  • When the test succeeds again, the route is reinstalled.

What IP SLA + Tracking Is Used For

  • Monitors if a remote IP (like your ISP's gateway or 8.8.8.8) is reachable.
  • Automatically switches to a backup route if the primary path fails.
  • Automatically restores the primary when it becomes available again.

Create an IP SLA

This will send periodic pings to a monitored IP:

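ip sla 1
    ! Monitored destination and the interface the pings are sent from;
    ! in practice point this at a host address that answers ICMP
    icmp-echo 192.168.20.0 source-interface GigabitEthernet0/0
    ! Probe every 5 seconds and wait up to 5000 ms for a reply
    frequency 5
    timeout 5000
! "life forever" keeps the probe running past the default one-hour lifetime
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability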

Apply Tracking to a Static Route

ip route 192.168.20.0 255.255.255.0 10.10.10.1 track 1
ip route 192.168.20.0 255.255.255.0 10.10.20.2 250
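A floating route only fails over on an upstream outage if the whole chain of route, track object and scheduled IP SLA is present, so it is worth checking saved configs for gaps. The following is an added example, not part of the original page: `audit` is a hypothetical helper, the sample configs are constructed from the page's statements, and the parser covers only the `ip route` forms shown here.

```python
import re
from collections import defaultdict

ROUTE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?\s*$")
TRACK = re.compile(r"^track (\d+) ip sla (\d+) reachability\s*$")
SCHED = re.compile(r"^ip sla schedule (\d+) ")

def audit(config):
    """Return findings for static routes whose failover chain is incomplete."""
    routes = defaultdict(list)      # (network, mask) -> [(ad, next_hop, track_id)]
    tracks, scheduled = {}, set()   # track id -> ip sla id; scheduled ip sla ids
    for line in config.splitlines():
        if m := ROUTE.match(line):
            net, mask, nh, ad, trk = m.groups()
            routes[(net, mask)].append((int(ad or 1), nh, trk))
        elif m := TRACK.match(line):
            tracks[m.group(1)] = m.group(2)
        elif m := SCHED.match(line):
            scheduled.add(m.group(1))
    findings = []
    for (net, mask), entries in sorted(routes.items()):
        best = min(ad for ad, _, _ in entries)
        has_backup = any(ad > best for ad, _, _ in entries)
        for ad, nh, trk in entries:
            where = f"{net} {mask} via {nh}"
            if trk is None:
                if ad == best and has_backup:
                    findings.append(f"{where}: floating backup exists but primary is untracked")
            elif trk not in tracks:
                findings.append(f"{where}: track {trk} is not defined")
            elif tracks[trk] not in scheduled:
                findings.append(f"{where}: ip sla {tracks[trk]} is never scheduled")
    return findings

# Constructed inputs: the page's route statements, without and with tracking.
UNTRACKED = """\
ip route 192.168.20.0 255.255.255.0 10.10.10.1
ip route 192.168.20.0 255.255.255.0 10.10.20.2 250
"""
TRACKED = """\
ip sla 1
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 192.168.20.0 255.255.255.0 10.10.10.1 track 1
ip route 192.168.20.0 255.255.255.0 10.10.20.2 250
"""

if __name__ == "__main__":
    print(audit(UNTRACKED), audit(TRACKED))
```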

MikroTik has a similar feature called Netwatch, or Routing Rules with Check Gateway:

/tool netwatch add host=172.168.10.1 timeout=2s interval=5s \
  up-script="/ip route set [find dst-address=192.168.10.0/29 gateway=172.168.10.1] disabled=no" \
  down-script="/ip route set [find dst-address=192.168.10.0/29 gateway=172.168.10.1] disabled=yes"

When to Use Static Routing

Use static routing when:

  • The network is small or simple
  • You don’t need routes to change automatically
  • You want full control

Best Practices

  • Test routes with ping or traceroute
  • Use comments in your config
  • Set up floating routes for backups
  • Watch for recursive route issues
  • Check your routes regularly

Here's the video where I configured static routing with floating routes and failover | Cisco AD, IP SLA & MikroTik Script

Instead of using Netwatch, which only turns off the route, I use a script for failover that also turns off the interface:

/system script add name="auto-failover" source="\
    :local fortigateInterface \"ether1\"\n\
    :local primaryRoute [/ip route find dst-address=192.168.10.0/29 gateway=172.168.10.1]\n\
    :local backupRoute [/ip route find dst-address=192.168.10.0/29 gateway=172.168.20.2]\n\
    \n\
    # /ping returns the number of replies, so 0 means the primary gateway did not answer\n\
    # While ether1 is disabled, a gateway reachable only through ether1 cannot answer this ping\n\
    :if ([/ping 172.168.10.1 count=5 interval=100ms] = 0) do={\n\
        /interface ethernet set \$fortigateInterface disabled=yes\n\
        /ip route set \$primaryRoute disabled=yes\n\
        /ip route set \$backupRoute disabled=no\n\
        :log info \"FAILOVER: Disable ether1 dan enable backup route\"\n\
    } else={\n\
        /interface ethernet set \$fortigateInterface disabled=no\n\
        /ip route set \$primaryRoute disabled=no\n\
        /ip route set \$backupRoute disabled=yes\n\
        :log info \"Ping: Enable ether1 dan main route\"\n\
    }"