Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
750
Views
0
Helpful
7
Replies

Firewall Routing Question

NetworkGuy!
Level 1
Level 1

‎10-18-2018 08:37 AM

Hi

I have a question here

Imagine I have a firewall and a switch both running eigrp 1

 

firewall-----------EIGRP on 10.100.1.x subnet-------Switch--------------------Internal Link

10.1.x.x                                                            192.168.1.x

10.2.x.x                                                             192.168.2.x

10.3.x.x                                                              192.168.3.x 

10.100.1.1                                                         10.100.1.2                                                                          

 

Now the default route on firewall is 0.0.0.0 0.0.0.0 (outside interface)

on the switch its 0.0.0.0 0.0.0.0 10.100.1.1, the switch also has eigrp relationship on 10.100.1.x

 

Question?

I have a SLA on the firewall to track the outside and if the outside link fails, then to route it internally through the switch to "Internal Link" however I dont want all subnets to be routed that way - for example, If i didnt want only 10.1.x.x to be routed internally and want 10.2.x.x and 10.3.x.x to be routed internally when the outside link of the firewall fails, how do I do this?

 

 

Labels:
0 Helpful
7 Replies 7

lespejel
Level 3
Level 3

‎10-18-2018 01:31 PM

@NetworkGuy!

 

All routing decisions are local and affecting local traffic, meaning, you cannot set a default route for some subnets and a different for others; maybe a PBR could do the job, but EIGRP cannot do it as you imagine the solution.

CCIE 52804
0 Helpful

NetworkGuy!
Level 1
Level 1

‎10-18-2018 01:41 PM

thanks, if I set passive Interface for 10.1.x.x on the firewall, will that do the trick? So basically will it not send the traffic inward and other two subnets since they are not in passive mode, traffic sent to "Internal link" when IP SLA fails?

0 Helpful

lespejel
Level 3
Level 3
In response to NetworkGuy!

‎10-18-2018 01:47 PM

Passive means routers won't form adjacency, however, from routing perspective if a packet arrives to the device, then it should forward it using routing table, and in this case a default route will affect all traffic with a destination that is not matching any other route.

 

regards.

CCIE 52804
0 Helpful

NetworkGuy!
Level 1
Level 1
In response to NetworkGuy!

‎10-18-2018 01:59 PM

Ok thanks, I was thinking of the same relating to passive interface

 

Imagine a situation like this

 

Firewall1-----|

                      |----------Switch--------------Internal Link

Firewall 2----|

 

 

 

 

Firewall 1 has a default route using outside 0.0.0.0 0.0.0.0 ISP1 1 track 1

Firewall 2 has a default route using Outside 0.0.0.0 0.0.0.0 ISP2 1 track 1

 

Now Firewall1 and 2 has eigrp and Switch has eigrp as well. if track 1 fails it will send through internal network which is ok 

The issue is, So If i look on the switch it seems to load  balance between Firewall 1 and 2 since its equal metric. I want firewall 1 as default route but firewall 2 should be used only for subnets defined on firewall 2 (For example, I want all user vlans on switch to pass through firewall 1 and image firewall 2 is only used for LAB or any DMZ, then I want DMZ traffic only trough Firewall 2 (not user traffic from switch to firewall 2) - How can I acheive this - its happening because both of them are advertising equal metrics - I tried changing metric of firewall 2 to 100 instead of 1 but no joy!

0 Helpful

lespejel
Level 3
Level 3
In response to NetworkGuy!

‎10-18-2018 02:45 PM

when redistributing on firewalls I guess you use default metrics, you can change the metric with something like:

 

router eigrp 1

redistribute static route-map STATIC 

 

 

ip prefix-list DEFAULT permit 0.0.0.0/0

route-map STATIC

 match ip address prefix DEFAULT

 set metric 500000 

 

In this way you'll have a worse metric prefix, both are learned over EIGRP and once the track 1 removes Fw1's, then Fw2's will be installed at Sw.

 

you can check with show ip eigrp topology 0.0.0.0/0

and you will see both prefixes from firewalls, and then you'll know what is the metric to increase.

 

you said you changed metrics, how?

Another way is to set a filter per neighbor IP in the switch, this will reduce locally (only in the switch) the Administrative Distance for routes in the ACL.

 

ip access-list standard 15

permit 0.0.0.0

 

router eigrp 1

distance 80 10.x.x.x 0.0.0.0 15

CCIE 52804
0 Helpful

NetworkGuy!
Level 1
Level 1
In response to lespejel

‎10-20-2018 01:31 PM

HI

 

i tried changing the metric but didnt work and I dont want to complicate it too much changing eigrp distance value as there are already loads of route maps etc so want to keep it simple

 

Imagine I have two firewalls and a switch all running eigrp and have their own default route (the firewall) which injects to the switch. How do I control the Firewall1 default route is better than Firewall 2's? 

 

I tried using AD value but doesnt seem to work?

0 Helpful

lespejel
Level 3
Level 3
In response to NetworkGuy!

‎10-22-2018 07:47 AM

I'm guessing from your explanation, I need to see evidence.

You mentioned you have several route-maps, perhaps your prefixes are hitting one and then setting same metrics, invalidating your previous metrics.

you have to take a look into topology links at your switch to compare values.

CCIE 52804
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card