08-14-2012 08:16 AM - edited 03-04-2019 05:16 PM
Hi,
We currently have two routing protocols that we use in our DCs. Internally we use EIGRP, and externally we use BGP. Each of DC's has an internet link and an MPLS link.
To redistribute between the EIGRP instance and the BGP instance in the DC, we use a route map that matches internal routes.
I have an ASA firewall that is connected to the core switch, this firewall is the Internet firewall, and is part of the EIGRP AS. There are site to site tunnels, the default route, and client vpn subnets that the firewall advertises to EIGRP.
Those routes are not getting redistributed into BGP, which is a huge issue. The routes coming from the firewall are all showing as external, so BGP is not advertising them.
Here's the configuration of the edge MPLS router (the one that needs to redistribute between the two):
router eigrp 50
 network x.x.x.x 0.0.63.255
 redistribute bgp 50 route-map BGP-TO-EIGRP
!
router bgp 50
 bgp log-neighbor-changes
 network y.y.y.y mask 255.255.255.255
 aggregate-address y.y.y.y 255.255.192.0 summary-only
 timers bgp 30 90 90
 redistribute eigrp 50 route-map EIGRP-TO-BGP
 neighbor z.z.z.z remote-as 50
 <output omitted>
!
route-map EIGRP-TO-BGP permit 10
 match route-type internal
!
route-map BGP-TO-EIGRP permit 10
 set metric 10000 100 255 1 1500
!
Here's a sample route from one of the networks that the firewall is advertising:
xxx-3925-01#sh ip route 150.175.49.3
Routing entry for 150.175.49.3/32
  Known via "eigrp 50", distance 170, metric 3328, type external
  Redistributing via eigrp 50, bgp 50
  Last update from 10.34.0.73 on GigabitEthernet0/0, 00:45:12 ago
  Routing Descriptor Blocks:
  * 10.34.0.73, from 10.34.0.73, 00:45:12 ago, via GigabitEthernet0/0
      Route metric is 3328, traffic share count is 1
      Total delay is 30 microseconds, minimum bandwidth is 1000000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2

xxx-3925-01#sh ip bgp neighbors x.x.x.x advertised-routes   <--- ISP MPLS peer
BGP table version is 121306, local router ID is x.x.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 *>  x.x.0.0/18       0.0.0.0                          32768 i

Total number of prefixes 1
Looking at that output from the show route it seems it's being redistributed, but I'm not seeing it anywhere else and it doesn't show as being advertised out.
Any ideas?
Thanks,
Sami
08-14-2012 12:16 PM
Yes, the redistribution causes the route to be external. Matching on internal routes won't work in this case and you'll either need to have them also match on external routes, or they should be able to tie it down to just that routing protocol (if you have more than bgp/eigrp on this router).
route-map EIGRP permit 10
 match route-type internal
route-map EIGRP permit 20
 match route-type external
 match source-protocol eigrp 50
! IOS requires the EIGRP process number after "eigrp" in match source-protocol
You can't do much with the ASA in regards to tagging routes (at least in the older versions). Otherwise, I would say tag your statics during redistribution and then match on the tag.
HTH,
John
08-14-2012 08:55 AM
Sami,
You should be able to do one of two things, but they both depend on your situation. Your route map is only matching internal routes, so you could add match external as well "match route-type internal external". I'm curious as to how the router is getting an external route from EIGRP though from the ASA. Are you running different process numbers between the 2 devices? There has to be a redistribution somewhere before (maybe static routes on the ASA being redistributed into the eigrp process?) it hits the bgp router for there to be an external route. Either way, you can change the "match route-type internal" to what I stated above or you can remove the internal from the route-map (depends on what you're wanting to do).
HTH,
John
** Please rate useful posts **
08-14-2012 10:04 AM
John,
I'm not sure what exactly the whole reasoning was behind the network team deciding to use the (match route-type internal), but the intention was to reduce the routes it accepts or something like that (change for the sake of change).
The ASA is on the same AS# as the core switch and router, but it does do the (redistribute static) and those routes are all static. Is the problem here due to the fact that when you do redistribute static it tags them as external? And if so, is there a way around that? I doubt the ASA can really manipulate routing that much as it just does basic stuff.
Thanks,
Sami
08-14-2012 12:52 PM
John,
I had set this up on our Hong Kong DC last year, and I added the permit 20 to match a prefix-list which contained all the routes from the firewall; I'll just do that.
Like I said, I'm not sure what the idea behind this (redistribute internal) was, as the LAN/WAN team decided to do that and I'm part of the security team.
Thank you for explaining why the routes were external (the redistribute static), that was really what I wanted.
Thanks,
Sami
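The behaviour John describes (redistributed statics arrive as EIGRP external routes, a single "match route-type internal" clause drops them through the implicit deny, and a second clause for external routes or a prefix-list of firewall routes lets them through) can be checked offline with a small model of IOS route-map semantics. The following is an added example written for this thread, not Cisco code and not anything posted by Sami or John: it parses route-map and prefix-list lines in IOS syntax and evaluates constructed sample routes against Sami's original route-map, John's two-clause fix, and Sami's prefix-list variant. The prefix 150.175.49.3/32 comes from the "sh ip route" output above; the other prefixes, the prefix-list name FW-ROUTES and the "ospf 1" route are made up for the example.

```python
"""Route-map evaluator (constructed example, not Cisco's implementation).

Models the IOS semantics the thread turns on: clauses are tried in sequence
order, all match statements inside one clause must be true (AND), the first
matching clause decides permit/deny, and a route that matches no clause is
denied (implicit deny), i.e. it is not redistributed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str        # "150.175.49.3/32"
    route_type: str    # "internal" (D) or "external" (D EX)
    source: str        # originating protocol instance, e.g. "eigrp 50"


@dataclass
class Clause:
    action: str        # "permit" or "deny"
    seq: int
    matches: list = field(default_factory=list)   # (kind, value) pairs


def parse_config(text, map_name):
    """Return (clauses of `map_name` in seq order, prefix-lists) from IOS-style text."""
    clauses, prefix_lists, current = [], {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["ip", "prefix-list"]:
            # ip prefix-list NAME seq N permit|deny A.B.C.D/len [le M]
            net = ipaddress.ip_network(parts[6], strict=False)
            le = int(parts[8]) if len(parts) > 8 and parts[7] == "le" else net.prefixlen
            prefix_lists.setdefault(parts[2], []).append((parts[5], net, le))
        elif parts[0] == "route-map":
            current = Clause(parts[2], int(parts[3])) if parts[1] == map_name else None
            if current:
                clauses.append(current)
        elif current and parts[0] == "match":
            if parts[1] == "route-type":
                current.matches.append(("route-type", set(parts[2:])))
            elif parts[1] == "source-protocol":
                current.matches.append(("source-protocol", " ".join(parts[2:])))
            elif parts[1:4] == ["ip", "address", "prefix-list"]:
                current.matches.append(("prefix-list", parts[4]))
    clauses.sort(key=lambda c: c.seq)
    return clauses, prefix_lists


def prefix_list_permits(entries, prefix):
    """First matching prefix-list entry wins; no match is an implicit deny."""
    net = ipaddress.ip_network(prefix, strict=False)
    for action, plnet, le in entries:
        if net.version == plnet.version and net.subnet_of(plnet) and net.prefixlen <= le:
            return action == "permit"
    return False


def clause_matches(clause, route, prefix_lists):
    """All match statements inside one clause are ANDed."""
    for kind, value in clause.matches:
        if kind == "route-type" and route.route_type not in value:
            return False
        if kind == "source-protocol" and route.source != value:
            return False
        if kind == "prefix-list" and not prefix_list_permits(
                prefix_lists.get(value, []), route.prefix):
            return False
    return True


def redistributed(config, map_name, route):
    """True if `route` passes the named route-map and would be redistributed."""
    clauses, prefix_lists = parse_config(config, map_name)
    for clause in clauses:
        if clause_matches(clause, route, prefix_lists):
            return clause.action == "permit"
    return False   # implicit deny at the end of every route-map


# Constructed sample routes; the /32 is the firewall route from the thread's
# "sh ip route" output (type external because the ASA redistributes statics).
ROUTES = [
    Route("10.34.0.0/24", "internal", "eigrp 50"),      # DC LAN route, D
    Route("150.175.49.3/32", "external", "eigrp 50"),   # ASA static, D EX
    Route("172.16.5.0/24", "external", "ospf 1"),       # constructed, not EIGRP-sourced
]

# Sami's original route-map: external routes match no clause and are dropped.
ORIGINAL = """
route-map EIGRP-TO-BGP permit 10
 match route-type internal
"""

# John's fix: a second clause for external routes tied to the EIGRP process.
FIXED = """
route-map EIGRP-TO-BGP permit 10
 match route-type internal
route-map EIGRP-TO-BGP permit 20
 match route-type external
 match source-protocol eigrp 50
"""

# Sami's alternative: permit 20 matches an explicit prefix-list of firewall routes.
PREFIX_LIST = """
ip prefix-list FW-ROUTES seq 5 permit 150.175.49.0/24 le 32
route-map EIGRP-TO-BGP permit 10
 match route-type internal
route-map EIGRP-TO-BGP permit 20
 match ip address prefix-list FW-ROUTES
"""


def evaluate(config):
    """Map each sample prefix to whether EIGRP-TO-BGP lets it through."""
    return {r.prefix: redistributed(config, "EIGRP-TO-BGP", r) for r in ROUTES}
```

Running evaluate() on the three configurations shows the /32 firewall route denied under ORIGINAL and permitted under FIXED and PREFIX_LIST, while the non-EIGRP external route stays denied in all three. The prefix-list variant is the tighter of the two fixes from a filtering standpoint, since it names exactly which externally originated prefixes are allowed into BGP rather than admitting every external route the EIGRP process carries; the model supports "le" but not "ge" prefix-list entries, which is enough for the thread's case.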
08-14-2012 12:53 PM
Thank you for the rating and good luck! We'd like to hear how it turns out.