BGP redist to EIGRP not working

Nathan Farrar
Level 1

Hoping I am missing something simple here. I need to have a backup VPN connection work, but routing isn't propagating. My topology:

 

I have three locations, A, B, and C.

 

Site A is the main location and has an ASA and a 2921 router

Site B also has an ASA and a 2921 router.

Site C has just a single 2921 router

 

Addressing:

Site A - 192.168.1.0/24

Site B - 192.168.80.0/24

Site C - 192.168.22.0/24

VPN - 172.31.0.0/30

Test loopback at site A - 172.16.0.0/24

 

Goal: To have Site C use Site B to get to Site A IF the Site A 2921 connection fails. The VPN will be used as a backup...

 

All sites are connected together via a metro-E like connection (single broadcast domain). This Metro-E is connected to each of the 2921 routers. 

 

Site A and B also have an Internet link connected to the ASAs. These ASAs have a VTI IPSec VPN connecting them.

 

Routing:

All sites are using EIGRP at the 2921s over the Metro-E connection, all in the same AS.

 

Site A and Site B ASAs are trading routes via BGP (EIGRP will not work over the VTI on an ASA). The ASAs are also participating in EIGRP.

 

At the ASAs, eBGP is being used between them (not sure if there is a benefit of iBGP here). EIGRP is being redistributed into BGP at both locations. BGP is also being redistributed into EIGRP.

 

What I am seeing:

At site B, I see the test 172.16.0.0/24 network in the BGP table. It is pointing to the tunnel IP on site A's ASA. 

 

On the Site B 2921, I am seeing that the same route is showing up in the EIGRP topology table. The successor is still the direct path, but at least I am seeing the router knowing about the redistributed route.

 

Issue: on Site C, the topology table does not contain the path for 172.16.0.0/24 via Site B. I only see the direct path that is not being redistributed.

 

Why is it that the router directly connected to the ASA sees a viable backup path, but a direct neighbor to that router does not?

 

Here is a quick drawing of the network

 

3 Replies

Giuseppe Larosa
Hall of Fame

Hello @Nathan Farrar ,

EIGRP internal routes are preferred over EIGRP external routes; this should explain what you see.

To see the backup EIGRP external route in action you should shut the router C2921 interface to metro Ethernet or you can make that interface passive in EIGRP.

At that point you should see a D EX route on site C router learned via site B router in EIGRP as the result of redistribution.

 

As an alternative way to run the test, you can:

Avoid advertising the test network 172.16.0.0/24 in EIGRP on the site A router.

Have the ASA on site A to advertise the test network using a network command in BGP.

On site B you still redistribute BGP into EIGRP.

With this setup you should directly see the EIGRP D EX route on the site C router pointing to Site B via the Metro Ethernet.

 

Hope to help

Giuseppe

 

Thanks for the input! I do understand what should be happening with AD (170 for external, 90 for internal). I'm just not seeing the redistributed routes go beyond site B 2921. Here's what I'm currently seeing:

 

At site A ASA, no redistribution. Static advertisement of 172.16.0.0/24. I can see this in the BGP and routing table of the ASA at site B. I can also see at site B on the 2921 this route via the ASA AND via the MetroE circuit. It shows on the topology table at site B 2921 as an external route learned from BGP. So all looks good there. But neighbors to Site B 2921 ONLY see the direct route, not the backup.

 

Also important to note, not a split-horizon issue (I don't believe). Both routes to 172.16.0.0/24 should be out the same interface but from different neighbors. I don't know if this would cause an issue. Site B isn't learning the route over the same interface it is advertising it.

 

Here are some configs for context, we're only looking to test with 172.16.0.0/24:

 

Site A ASA:

 

router eigrp 10
 distribute-list EIGRP_IN in
 eigrp router-id 192.168.1.8
 network 172.31.0.0 255.255.255.252 <-- this is the site to site VPN tunnel network
 network 192.168.1.0 255.255.255.0 <-- This goes to the local 2921
!
router bgp 65000
 bgp log-neighbor-changes
 timers bgp 10 30 0
 address-family ipv4 unicast
  neighbor 172.31.0.2 remote-as 65001
  neighbor 172.31.0.2 activate
  network 172.16.0.0 mask 255.255.255.0 <-- this is the test network
  no auto-summary
  no synchronization
 exit-address-family

 

 

Site B ASA:

 

router eigrp 10
 network 172.31.0.0 255.255.255.252 <--This is the site to site VPN tunnel network
 network 192.168.80.0 255.255.255.0 <-- This goes to the local 2921
 redistribute bgp 65001 metric 10000 10 255 1 1500 route-map test-rm 
!
router bgp 65001
 bgp log-neighbor-changes
 timers bgp 10 30 0
 address-family ipv4 unicast
  neighbor 172.31.0.1 remote-as 65000
  neighbor 172.31.0.1 activate
  no auto-summary
  no synchronization
 exit-address-family

 

 

Topology table on site B 2921:

Can see both routes, route via MetroE (1st), and route via the ASA (2nd)

 

EIGRP-IPv4 Topology Entry for AS(10)/ID(10.254.63.7) for 172.16.0.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 131072
  Descriptor Blocks:
  192.168.254.1 (GigabitEthernet0/0/0.998), from 192.168.254.1, Send flag is 0x0 <--Route over MetroE
      Composite metric is (131072/130816), route is Internal
      Vector metric:
        Minimum bandwidth is 1000000 Kbit
        Total delay is 5020 microseconds
        Reliability is 255/255
        Load is 11/255
        Minimum MTU is 1500
        Hop count is 2
        Originating router is 10.254.206.136
  192.168.80.8 (GigabitEthernet0/0/1.80), from 192.168.80.8, Send flag is 0x0 <-- Route via ASA
      Composite metric is (258816/258560), route is External
      Vector metric:
        Minimum bandwidth is 10000 Kbit
        Total delay is 110 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1
      External data:
        Originating router is 192.168.80.8
        AS number of route is 65001
        External protocol is BGP, external metric is 130816
        Administrator tag is 0 (0x00000000)

 

 

And lastly, here is site C:

It isn't showing the second route

 

IP-EIGRP (AS 10): Topology entry for 172.16.0.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 156416
  Routing Descriptor Blocks:
  192.168.254.1 (FastEthernet0/0.998), from 192.168.254.1, Send flag is 0x0 <-- Route over MetroE
      Composite metric is (156416/130816), Route is Internal
      Vector metric:
        Minimum bandwidth is 100000 Kbit
        Total delay is 5110 microseconds
        Reliability is 255/255
        Load is 189/255
        Minimum MTU is 1500
        Hop count is 2

This site SHOULD be seeing both routes, but it is not.

 

Hello @Nathan Farrar ,

The Site B router C2921 sees:

an internal EIGRP route

an external EIGRP route for prefix 172.16.0.0/24.

 

Because the internal EIGRP route is installed in the IP routing table and the external route isn't, only the internal route is propagated. A router cannot advertise a route that it is not using for its own routing (this is even true for BGP).

 

This is why on the Site C router you only see the internal route. However, if there is any change that would cause the EIGRP internal route to no longer be received on the site B router, the external route would be propagated.

 

You should be able to check this by using a per-interface (Metro Ethernet) distribute-list in that denies the test prefix.

 

Hope to help

Giuseppe
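
The behavior described in this reply can be reproduced with a small model. This is an added example, not part of the original thread and not Cisco code. It recomputes the composite metrics shown in the Site B topology output using the classic EIGRP formula with default K values, then applies the "advertise only the installed path" rule. The names `Path`, `installed`, `advertised` and `deny_in_on` are hypothetical, and the model ignores feasibility conditions and split horizon.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    interface: str
    next_hop: str
    min_bw_kbit: int
    delay_usec: int
    external: bool

    @property
    def metric(self) -> int:
        # Classic EIGRP composite metric with default K values (K1 = K3 = 1):
        # 256 * (10^7 / minimum bandwidth in Kbit + total delay in tens of usec)
        return 256 * (10**7 // self.min_bw_kbit + self.delay_usec // 10)

    @property
    def admin_distance(self) -> int:
        return 170 if self.external else 90

def installed(paths):
    """Path the router uses itself: internal (AD 90) beats external (AD 170),
    then lowest composite metric. Returns None if no path is left."""
    return min(paths, key=lambda p: (p.admin_distance, p.metric), default=None)

def advertised(paths, deny_in_on=()):
    """Route offered to neighbors: only the installed path. deny_in_on models an
    inbound distribute-list that drops the prefix on the named interfaces."""
    return installed([p for p in paths if p.interface not in deny_in_on])

# Vector metrics copied from the Site B 2921 topology entry in the thread.
METRO_E = "GigabitEthernet0/0/0.998"
SITE_B_PATHS = [
    Path(METRO_E, "192.168.254.1", 1_000_000, 5020, external=False),
    Path("GigabitEthernet0/0/1.80", "192.168.80.8", 10_000, 110, external=True),
]

if __name__ == "__main__":
    for p in SITE_B_PATHS:
        print(p.next_hop, p.metric, "external" if p.external else "internal")
    print("normal:  ", advertised(SITE_B_PATHS).next_hop)
    print("filtered:", advertised(SITE_B_PATHS, deny_in_on={METRO_E}).next_hop)
```

The external path has the lower delay but is never offered to Site C while the internal path is present; it is advertised only once the Metro-E copy of the prefix is filtered or lost.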

 
