Help with biasing traffic

AlexFer
Level 1

Hi Experts,

I need to direct bidirectional traffic in a preferred way. I've simplified the actual topology to clarify the requirement.

As per diagram, ASA is connected to L3 switch sw1 using "switchport mode access" port on vlan X and there are SVIs on this VLAN in both switches. ASA is using EIGRP to learn routes.

I need to prefer using sw2 for both ingress and egress to the ASA.

I've assigned a high EIGRP delay to svi in sw1 but that is only preferring Intranet-to-ASA traffic (via sw2) but not ASA-to-Intranet path. So, now I got asymmetric path.

What can I do to prefer also ASA-to-Intranet path via sw2?

R's, Alex

PS. There are other devices connected to sw1 and sw2 - their routing must be unaffected.

Drawing2.png

 


Giuseppe Larosa
Hall of Fame

Hello Alex,

I guess you have increased delay on SW1 SVI interface Vlan X.

Doing so makes the path via SW2 preferred in the direction Intranet to ASA, as the cumulative delay from Intranet to ASA via SW1 will be greater than the cumulative delay from Intranet to ASA via SW2.

 

For the opposite direction the possible options are :

a) increase delay on SW1 to R1 routed link. Warning: this can impact all possible traffic.

 

b) use an offset-list to make delay higher for ASA IP subnets only on SW1 to R1 routed link.

This allows you a more specific granular control on what routes are made less desirable via SW1 in the ASA to Intranet direction.

 

 I think option b) using offset-list should be able to satisfy your requirements.

For a configuration example see the following document:

https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/13673-14.pdf?dtid=osscdc000283

 

Final note : if SW2 is to be the preferred path it would be better to connect the ASA directly to a SW2 port. I can understand that the ASA might be located close to SW1 and this is why you have this setup.

 

Hope to help

Giuseppe

 

Hi Giuseppe,

> I guess you have increased delay on SW1 SVI interface Vlan X.

Is this correct?

SW1# access-list 99 permit 0.0.0.0 0.0.0.0
SW1# router eigrp 1
SW1# offset-list 99 out 20 vlan X
SW1# end

I'd still need to keep EIGRP delay to svi in sw1, for advertisements (received from ASA and) sent out of 10.1.1.2, correct?

R's, Alex

Hello Alex,

I have assumed that the interface delay is changed on SVI vlan X on switch SW1 and you keep it.

 

For the opposite direction of traffic you can use an offset-list out of the routed link between SW1 and R1 according to your network diagram.

So I don't think the following config example is good for you:

 

SW1# access-list 99 permit 0.0.0.0 0.0.0.0
SW1# router eigrp 1
SW1# offset-list 99 out 20 vlan X
SW1# end

 

First of all, the offset-list should be applied out of the routed link between SW1 and R1 and not out of Vlan X, which to my understanding connects to the ASA (this direction is tuned using the interface delay on Vlan X SVI on SW1).

 

Second, ACL 99 written in this way matches only network 0.0.0.0/0, that is, the default route.

 

See the following example from the document I have linked in my previous post:

 

Configure an offset-list on R4 that increases (by 20) the delay for any route starting with 10.1.3.x

R4# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)# access-list 99 permit 10.1.3.0 0.0.0.255
R4(config)# router eigrp 1
R4(config-router)# offset-list 99 out 20 e0/0
R4(config-router)# end

 

Hope to help

Giuseppe

 

Hi Giuseppe,

may I ask you to clarify - what kind of interface can I specify in "offset-list" command?

I assumed it must be a L3 type - one that can be a EIGRP neighbor - either routed or SVI (ie. VLAN interface). Or.. can it be a L2 interface (ie. switchport) on which EIGRP advertisements are sent/received (ie. the downstream one on sw1 connected to ASA)?

Note: my ASA currently sees both SVIs, 10.2.1.1 and 10.2.1.3 as its EIGRP neighbors.

R's, Alex

Hello Alex,

>> may I ask you to clarify - what kind of interface can I specify in "offset-list" command?

L3 interface only in the direction to the intranet if using the out direction.

 

>> Note: my ASA currently sees both SVIs, 10.2.1.1 and 10.2.1.3 as its EIGRP neighbors.

Yes this is correct.

 

>> I assumed it must be a L3 type - one that can be a EIGRP neighbor - either routed or SVI 

It has to be a L3 interface where there is at least one EIGRP neighbor up otherwise it is useless.

 

>> Or.. can it be a L2 interface (ie. switchport) on which EIGRP advertisements are sent/received (ie. the downstream one on sw1 connected to ASA)?

No, L3 only, as explained above.

 

By increasing the interface delay on SW1 SVI Vlan X you have achieved a preference for the path via SW2 in one direction, Intranet to ASA, I suppose.

Now, the offset-list has to be applied on the SW1 interface pointing in the opposite direction, towards the intranet, to achieve the effect also in the other direction.

Is it clearer now?

 

EIGRP sums the delays on the path; the EIGRP metric is cumulative in the delay, and this is the reason why we manipulate delay and not bandwidth.

The offset-list feature allows you to increase delay only for a subset of routes that matches the invoked IP ACL.

It provides granular control that changing interface delay does not provide (this increases delay for ALL routes).

 

Hope to help

Giuseppe

 

 

Hello,

 

On a side note, I guess you could also use PBR (policy based routing) on sw1, which would just redirect all traffic coming from the ASA towards R1.

Which switch model do you have?