Exclude static routing from BGP and EIGRP

ukaszquz
Level 1

 

Hello, 

I have an ASA 5508X where I redistribute EIGRP (company network) into BGP (VPN s2s networks - branches). On the ASA I have tunnels between sites using VTI with BGP routing. In EIGRP I have default routing to the company network. EIGRP must redistribute the default gateway to BGP, and here is the problem. On the ASA I have static default routing to the ISP provider, and the default static routing from the ASA is replaced in EIGRP and next in BGP on the ASA. How can I exclude the ASA static default routing from EIGRP and BGP on the ASA? Route map? In BGP there should be only the default routing from EIGRP.

My configuration on ASA:

 

 

router eigrp 20
 eigrp router-id 17.17.17.17
 network 10.10.3.0 255.255.255.248
 passive-interface default
 no passive-interface MENet
 redistribute bgp 65510 metric 1000 10 255 1 1500
!
router bgp 65510
 bgp log-neighbor-changes
 bgp router-id 10.10.10.10
 address-family ipv4 unicast
  neighbor 10.10.17.6 remote-as 65510
  neighbor 10.10.17.6 timers 5 20 20
  neighbor 10.10.17.6 activate
  neighbor 10.10.17.70 remote-as 65510
  neighbor 10.10.17.70 timers 5 20 20
  neighbor 10.10.17.70 activate
  neighbor 10.10.17.70 default-originate
  network 10.10.3.0 mask 255.255.255.0
  network 10.10.17.0 mask 255.255.255.192
  network 10.10.17.64 mask 255.255.255.192
  bgp redistribute-internal
  redistribute eigrp 20
  no auto-summary
  no synchronization
 exit-address-family

route outside 0.0.0.0 0.0.0.0 213.216.110.XXX 1

Result of sh route on the ASA, where the static default route is to the ISP.

 

sh route eigrp 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 213.216.110.XXX to network 0.0.0.0

D        10.10.2.0 255.255.255.0 [90/28160256] via 10.10.3.1, 1d20h, MENet
D        10.10.4.0 255.255.255.0 [90/1405440] via 10.10.3.1, 1w1d, MENet
sh route bgp 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 213.216.110.XXX to network 0.0.0.0

B        10.10.21.0 255.255.255.192 [200/0] via 10.10.17.70, 19:46:26
B        10.10.21.64 255.255.255.192 [200/0] via 10.10.17.6, 1d12h

Please help me. 

6 Replies

Francesco Molino
VIP Alumni
Hi

To exclude the default route from being redistributed, you can use a prefix-list with a route-map:

prefix-list DEFAULT seq 5 permit 0.0.0.0/0
!
route-map DEFAULT deny 10
match ip address prefix-list DEFAULT
route-map DEFAULT permit 20

Then use it with the redistribute command:
redistribute eigrp 20 route-map DEFAULT

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello, 

 

Thanks. I tested it and it doesn't work.

I removed the static default routing from the ASA:

 

route outside 0.0.0.0 0.0.0.0 213.216.110.XXX 1

And I added on the ASA only routing directly to one site:

 

route outside 195.150.12.XX 255.255.255.248 213.216.110.XXX 1

And now I received the correct default routing (D.EX) from EIGRP. It is the correct default routing for my sites.

sh route eigrp                                    

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.10.3.1 to network 0.0.0.0

D*EX     0.0.0.0 0.0.0.0 [170/26880512] via 10.10.3.1, 00:00:03, MENet
D        10.10.2.0 255.255.255.0 [90/28160256] via 10.10.3.1, 3d00h, MENet

If I add default routing on the ASA to the ISP, my default routing D*EX is removed, and the static default routing to the ISP has higher priority. And the gateway is reported from static.

sh route eigrp 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 213.216.110.XXX to network 0.0.0.0

D        10.10.2.0 255.255.255.0 [90/28160256] via 10.10.3.1, 3d00h, MENet

I need to have two default routings. For the VLANs on the ASA, default static routing to the ISP is required. For my VPN tunnel sites, the EIGRP D*EX default routing is required.

Can I limit it with route-maps?

 

 

Sorry, I don't get you. Do you want to remove the default route or to advertise the default route? What I gave you was to not redistribute the default route, as you mentioned you wanted to exclude it.

Maybe you can be more specific and share the config to see where you are?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco, 

 

Thank you for your reply. I will describe my problem again.

I have a corporate network which has one default gateway. The default gateway is set in EIGRP. I want to connect two new branches to the corporate network through the ASA. I have an ASA 5508X with version 9.7. On the ASA I configured site-to-site VPN to the new branches with VTI interfaces. The VPN s2s is working.

The ASA is connected to the ISP provider with a static default route to the internet on the outside interface. On the ASA I have connected the guest network, DMZ, corporate, etc. The ASA must have access to the internet.

On the second interface on the ASA I configured access to the corporate network: MENet. Because ASA 9.7 supports only BGP with the IPsec tunnel, I configured BGP for the VPN sites.

On the ASA I redistributed networks from EIGRP to BGP. All networks are redistributed without the default network from EIGRP. Each site on a VPN tunnel has to use the default routing from the corporate network (redistributed from EIGRP).

On the ASA device, the static default routing to the ISP deletes the default routing from EIGRP. And here is the problem.

I tested: if I delete the default routing to the ISP from the ASA, the default routing from EIGRP is correctly redistributed to the VPN sites by EIGRP and next to BGP.

The problem is here: the ASA deletes the EIGRP default routing because static default routing to the ISP is set on the ASA. I don't know why.

 

My configuration on ASA:

 

interface GigabitEthernet1/1
 duplex full
 nameif outside
 security-level 0
 ip address 213.216.110.XXX 255.255.255.248 

interface GigabitEthernet1/8
 description Corporate network
 speed 1000
 duplex full  
 nameif MENet
 security-level 100
 ip address 10.10.3.2 255.255.255.248 
 authentication key eigrp 20 ***** key-id 1
 authentication mode eigrp 20 md5

interface Tunnel10
 description Branch2
 nameif BRN-VPN
 ip address 10.10.17.5 255.255.255.192 
 tunnel source interface outside
 tunnel destination 89.235.31.XX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BRN_OFFICE
!
interface Tunnel11
 description Branch1
 nameif LEG-VPN
 ip address 10.10.17.71 255.255.255.192 
 tunnel source interface outside
 tunnel destination 195.150.12.XX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BR_OFFICE

route outside 0.0.0.0 0.0.0.0 213.216.110.XXX 1


router bgp 65510
 bgp log-neighbor-changes
 bgp router-id 10.10.10.10
 address-family ipv4 unicast
  neighbor 10.10.17.6 remote-as 65510
  neighbor 10.10.17.6 description BRANCH2
  neighbor 10.10.17.6 timers 5 20 20
  neighbor 10.10.17.6 activate
  neighbor 10.10.17.70 remote-as 65510
  neighbor 10.10.17.70 description BRANCH1
  neighbor 10.10.17.70 timers 5 20 20
  neighbor 10.10.17.70 activate
  neighbor 10.10.17.70 default-originate
  network 10.10.3.0 mask 255.255.255.0
  network 10.10.17.0 mask 255.255.255.192
  network 10.10.17.64 mask 255.255.255.192
  bgp redistribute-internal
  redistribute eigrp 20
  no auto-summary
  no synchronization
 exit-address-family
!
router eigrp 20
 eigrp router-id 17.17.17.17
 network 10.10.3.0 255.255.255.248
 passive-interface default
 no passive-interface MENet
 redistribute bgp 65510 metric 1000 10 255 1 1500
!

sh route eigrp 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 213.216.110.XXX to network 0.0.0.0

D        10.10.2.0 255.255.255.0 [90/28160256] via 10.10.3.1, 3d03h, MENet
D        10.10.4.0 255.255.255.0 [90/1405440] via 10.10.3.1, 1w3d, MENet
D        10.10.6.0 255.255.255.128 [90/1405440] via 10.10.3.1, 5d06h, MENet
D        10.10.6.128 255.255.255.128 [90/1405440] via 10.10.3.1, 1w3d, MENet
D        10.10.18.0 255.255.255.192 [90/1405184] via 10.10.3.1, 3d03h, MENet

If the ASA has static default routing, in sh route eigrp I see: "Gateway of last resort is 213.216.110.XXX to network 0.0.0.0". For the test, if I delete the ISP static default route from the ASA, the default routing from EIGRP (D*EX) for VPN works properly.

Let's see:

 

sh route eigrp 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.10.3.1 to network 0.0.0.0

D*EX     0.0.0.0 0.0.0.0 [170/26880512] via 10.10.3.1, 00:00:06, MENet
D        10.10.2.0 255.255.255.0 [90/28160256] via 10.10.3.1, 3d03h, MENet
D        10.10.4.0 255.255.255.0 [90/1405440] via 10.10.3.1, 1w3d, MENet
D        10.10.6.0 255.255.255.128 [90/1405440] via 10.10.3.1, 5d06h, MENet
D        10.10.6.128 255.255.255.128 [90/1405440] via 10.10.3.1, 1w3d, MENet
D        10.10.18.0 255.255.255.192 [90/1405184] via 10.10.3.1, 3d03h, MENet 

Why does the static default routing on the ASA delete my EIGRP default routing? Can I set it with route maps?

Hello, 

I think the problem is with the metric between the static default routing on the ASA, which is 1, and the metric of the default routing from EIGRP, which is 70. The default static routing has value 1 and deletes the default routing with metric 70.

 

My question is: if I delete the static routing to the ISP from the ASA, can I set a special route-map with default routing with next-hop to the ISP gateway for the outside interface? The static default routing on the ASA to the ISP is used only by the outside interface.

 

OK, you want to redistribute your default static route into BGP?

If so, if you have only the default route as static route, just do a redistribute static.

If you have more than 1, use a route-map and redistribute static route-map.
The route-map will look like:

prefix-list DEFAULT seq 5 permit 0.0.0.0/0
!
route-map DEFAULT permit 10
match ip address prefix-list DEFAULT


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
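
The behaviour discussed in this thread, as an added example that is not part of any post and is not ASA code: a simplified Python model in which one route per prefix is installed by lowest administrative distance, and `redistribute eigrp 20` only sees installed routes owned by EIGRP. The prefixes, next hops, the distance 1 of the static route and the `[170/...]` of the D*EX route come from the outputs above; the `Route` type and the function names are hypothetical.

```python
from typing import NamedTuple

class Route(NamedTuple):
    prefix: str     # e.g. "0.0.0.0/0"
    proto: str      # "static" or "eigrp"
    distance: int   # administrative distance, first number in [170/26880512]
    next_hop: str

def install(candidates):
    """Build the routing table: per prefix, keep the lowest-distance candidate."""
    rib = {}
    for r in candidates:
        best = rib.get(r.prefix)
        if best is None or r.distance < best.distance:
            rib[r.prefix] = r
    return rib

def redistribute(rib, source_proto, deny_prefixes=()):
    """Prefixes handed to the target protocol: installed routes owned by
    source_proto, minus prefixes denied by a route-map style filter."""
    return sorted(p for p, r in rib.items()
                  if r.proto == source_proto and p not in deny_prefixes)

# Constructed from the values shown in the thread's 'sh route' output.
STATIC_DEFAULT = Route("0.0.0.0/0", "static", 1, "213.216.110.XXX")
EIGRP_ROUTES = [
    Route("0.0.0.0/0", "eigrp", 170, "10.10.3.1"),     # D*EX
    Route("10.10.2.0/24", "eigrp", 90, "10.10.3.1"),   # D
    Route("10.10.4.0/24", "eigrp", 90, "10.10.3.1"),   # D
]

def into_bgp(with_static, deny_default=False):
    """Prefixes that 'redistribute eigrp 20' would pass to BGP in this model."""
    candidates = EIGRP_ROUTES + ([STATIC_DEFAULT] if with_static else [])
    deny = ("0.0.0.0/0",) if deny_default else ()
    return redistribute(install(candidates), "eigrp", deny)

if __name__ == "__main__":
    print("static default present:", into_bgp(True))
    print("static default removed:", into_bgp(False))
    print("removed, route-map DEFAULT deny 10:", into_bgp(False, deny_default=True))
```

With the static default present, the EIGRP default never reaches the table, so no route-map on the redistribution can bring it back into BGP.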