cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
521
Views
25
Helpful
18
Replies

NX-OS (n7k) EIGRP outbound distribute-list with route-map tag setting

hrtendrup
Beginner
Beginner

Hello,

I'm having a seemingly basic problem that is frustrating me. I'm certain this worked on classic IOS, but I'm missing whether this is just unsupported on NX-OS, or if this is a bug, or something else.

I want to use an outbound distribute-list with a

route map

to set a tag on selected routes before advertising to its peer.

hrtendrup_0-1661956945954.png

NX01 - 
kickstart: version 8.4(2)
system: version 8.4(2)

NX02-
kickstart: version 8.3(2)
system: version 8.3(2)

There is an Inbound distro-list on NX01:eth1/2 to tag routes learned from VPN endpoint. This seems to work:

 

interface Ethernet1/2

medium p2p
ip address 192.168.255.53/31
ip router eigrp PROC1
ip distribute-list eigrp PROC1 route-map TAG-VPN-ROUTES in
no ip passive-interface eigrp PROC1
no shutdown
!
route-map
TAG-VPN-ROUTES permit 10
set tag 350


!
NX01# show ip route 100.100.100.100

IP Route Table for VRF "default"

100.100.100.0/24, ubest/mbest: 1/0 time
*via 192.168.255.52, Eth1/2, [90/3072], 10:40:46, eigrp-PROC1, internal, tag 350

 

Then, I'm trying to deny routes with tag 350 and further tag anything else with 340 with a outbound

route-map

on NX01:eth1/3:


interface Ethernet1/3
mtu 9150
udld aggressive
ip address 192.168.255.57/31
ipv6 address use-link-local-only
ipv6 router eigrp PROC1
ip router eigrp PROC1
ip authentication mode eigrp PROC1 md5
ip authentication key-chain eigrp PROC1 KEY-EIGRP
ip distribute-list eigrp PROC1 route-map RMAP-DCI-DIST out
no ipv6 passive-interface eigrp PROC1
no ip passive-interface eigrp PROC1
ip pim sparse-mode
no shutdown
!

route-map RMAP-DCI-DIST deny 10
description deny routes from VPN endpoints
match tag 350
route-map RMAP-DCI-DIST permit 20
description permit and tag all other routes
set tag 340
!



When I check the routes on NX02, I do NOT see the routes tagged with 350, BUT the other routes are NOT tagged with 340 either:

 

NX02# show ip route 100.100.100.0
IP Route Table for VRF "default"

0.0.0.0/0, ubest/mbest: 1/0 time
*via 192.168.250.2, Eth5/1, [170/25920], 16w1d, eigrp-PROC1, external, tag 210
!
NX02# show ip route 10.0.10.0
IP Route Table for VRF "default"

10.0.10.0/24, ubest/mbest: 1/0 time
*via 192.168.255.57, Eth5/8, [90/3328], 10:50:53, eigrp-PROC1, internal
!
NX02# show ip eigrp topology 10.0.10.0/24

IP-EIGRP (AS 2020): Topology entry for 10.0.10.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 3328
Routing Descriptor Blocks:
192.168.255.57 (Ethernet1/3), from 192.168.255.57, Send flag is 0x0
Composite metric is (3328/3072), Route is Internal
Vector metric:
Minimum bandwidth is 1000000 Kbit
Total delay is 30 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 2
Internal tag is 0
!



The config, is pretty simple, right? This seems like something that should be just working...

 

Edit: I updated the masked route in the

show

outputs that I had forgotten about and probably caused confusion. I'm not sure why I masked an RFC1918 route to begin with, it's not particularly special. Furthermore, I chose not to mask/change the transit networks/IPs which would be arguably more important than the advertised route in question. ¯\_( ͡° ͜ʖ ͡°)_/¯ 

Edit: Updated with NX## running versions

1 Accepted Solution

Accepted Solutions

hrtendrup
Beginner
Beginner

So, this turns out to be a problem of my own making (as so many are).

I had forgotten about the fact that INTERNAL EIGRP routes can only carry a tag of up to 255 by default. The EIGRP RFC 7868 indicate that there is an extended metric that can carry larger administrator tags which would be valid for internal routes. You can also view the classic internal and external EIGRP packet formats and see that the Internal admin tag field is only 8bits long while the external is 32.

This doc Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide, Release 6.x - Configuring Route Policy Manager [Cisco Nexus 9000 Series Switches] - Cisco mentions this limitation, but I'm unclear how to specifically configure EIGRP to use the wide metric TLVs.

After reconfiguring the outbound

route-map

to set something less than 255, the tag is set and received by the peer EIGRP speaker.


Lastly, as a matter of curiosity, I set the tagging in my classic IOS lab, running 15.5, and the nodes also successfully set and transmitted the maximum tag of 4294967295. It seems that this version automatically uses the wide metric TLVs and can attach admin tags larger than 255. I believe this wasn't the case in earlier versions of IOS, but I would have to confirm.

View solution in original post

18 Replies 18

David Ruess
Rising star
Rising star

Hello,

 

Can you apply that

route-map

and distribute list (in) on NX02 to see if it will block and tag incoming routes since you say the ingress on NX01 works. Just for testing.

 

-David

Yes, i CAN apply the

 route-map

on ingress on NX02 and the 350 tagged routes are blocked while 340 tags are applied. This is, in fact, my plan B if i get too close to the project drop dead date. I am still wondering, however, why this doesn't seem to apply on egress. Maybe someone else has seen this too?

Good to know. Can you try one more thing for me? You are using EIGRP named mode but put the config on the interface.

Some interface EIGRP commands

may not work or function correctly this way. Can you go into the Named EIGRP mode on NX01 and make the distribute list there under the

topology base

command of the interface pointing to NX02 and let us know the results?

 

I did it on IOS router and used the command below:*

router eigrp PROC1

address-family ipv4 unicast autonomous-system ##

distribute-list route-map RMAP-DCI-DIST** out ethernet1/3

* you might have to get the correct syntax for the NX devices.

**with the route map like you configured

Thank you

 

-David

So in NXOS things like distribute lists, offset lists, passive interfaces, [probably more], are set at the interface level and not at the protocol level. There is no option to configure a distribute list under the router eigrp address-family, for example.

I thought that might be the case as I have not yet worked with those. Another thing I would try is take the policy (distribute list and route map on the ingress interface of NX01 from the VPN network and apply it outbound to NX02 and set it outbound. Check NX02 to see if that tagged the routes accordingly. If that doesn't work then I want to say there is an issue with the "outbound" part of the distribute list. 

see my comment below 

hrtendrup
Beginner
Beginner

I should probably also post this:



NX01 - 
kickstart: version 8.4(2)
system: version 8.4(2)

NX02-
kickstart: version 8.3(2)
system: version 8.3(2)

""You can only tag routes that EIGRP has learned from another routing protocol. As we saw when talking about route tags with RIP, EIGRP does not use these tags directly; it only distributes them. You would use these tags at network boundaries when redistributing routes into another routing process.""

I check and check, and do small lab, the EIGRP can not tag route learn from peer in same AS, so this is not NSK it EIGRP protocol issue. 
so for my lab 


R1-R2-R3
the R2 config EIGRP 100 with R1 
the R2 config EIGRP 200 with R3 
and I tag one loopback in R1 with distribute-list out with tag 1000
then I modify the tag in R2 and success 
R3 receive LO with modify tag not original one.

 

I finally had a chance to test this. I set up a similar lab (on classic IOS): R100-R200-R300
put all

interfaces in eigrp 100
set up Lo100 on R100 - 10.100.100.0/24
configured outbound distribute-list on R100 to set tag to 100
configured outbound distribute-list on R200 to set tag to 200

on R200, 10.100.100.0/24 has tag 100
on R300, 10.100.100.0/24 has tag 200

R200#show ip route 10.100.100.0
Routing entry for 10.100.100.0/24
Known via "eigrp 100", distance 90, metric 409600
Tag 100, type internal
Redistributing via eigrp 100
Last update from 10.0.12.1 on Ethernet0/0, 00:02:19 ago
Routing Descriptor Blocks:
* 10.0.12.1, from 10.0.12.1, 00:02:19 ago, via Ethernet0/0
Route metric is 409600, traffic share count is 1
Total delay is 6000 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
Route tag 100

R300#show ip route 10.100.100.0
Routing entry for 10.100.100.0/24
Known via "eigrp 100", distance 90, metric 435200
Tag 200, type internal
Redistributing via eigrp 100
Last update from 10.0.23.2 on Ethernet0/1, 00:00:15 ago
Routing Descriptor Blocks:
* 10.0.23.2, from 10.0.23.2, 00:00:15 ago, via Ethernet0/1
Route metric is 435200, traffic share count is 1
Total delay is 7000 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2
Route tag 200




This is what I expected and what I've been able to do on classic IOS for years (closer to decades)
I have not tested this on IOS-XE, so I'm not sure if this behavior carries over. But I have not been able to carry this behavior to NX-OS (on the version I have available to me)


You are right but we talk about IN not out, 
in your later example you use distribute-list OUT in each router 
in original you use distribute-list IN and that I mention you can not done between routers in same EIGRP. 
not to test tag you need redistribute between different EIGRP process. 

on NX-OS inbound works, outbound does not.
on classic IOS inbound and outbound both work

just make double check, 
same your lab R100-R200-R300
do distribute-list IN in R200 and set tag and see if it effect or not?
waiting you 

That is correct:


R100:
interface Ethernet0/0
ip address 10.0.12.1 255.255.255.0
!
interface Loopback100
ip address 10.100.100.1 255.255.255.0
!
route-map 100-200-out permit 10
set tag 100
!
router eigrp 100
distribute-list route-map 100-200-out out Ethernet0/0
network 0.0.0.0
!
!!!!!!!!!!!!!!!!!!!
R200:
interface Ethernet0/0
ip address 10.0.12.2 255.255.255.0
!
interface Ethernet0/1
ip address 10.0.23.2 255.255.255.0
!
route-map 100-200-in permit 10
set tag 200
route-map 200-300-out permit 10
set tag 201
!
router eigrp 100
distribute-list route-map 100-200-in in Ethernet0/0
distribute-list route-map 200-300-out out Ethernet0/1
network 0.0.0.0
!!!!!!!!!!!!!!!!!!!
R300:
interface Ethernet0/1
ip address 10.0.23.3 255.255.255.0
!
router eigrp 100
network 0.0.0.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

on R200, I can see 10.100.100.0/24 with a 200 tag, the inbound tag applied:
R200#show ip route 10.100.100.0
Routing entry for 10.100.100.0/24
Known via "eigrp 100", distance 90, metric 409600
Tag 200, type internal
Redistributing via eigrp 100
Last update from 10.0.12.1 on Ethernet0/0, 00:08:08 ago
Routing Descriptor Blocks:
* 10.0.12.1, from 10.0.12.1, 00:08:08 ago, via Ethernet0/0
Route metric is 409600, traffic share count is 1
Total delay is 6000 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
Route tag 200

on R300, I see tag 201, the outbound tag applied by R200:
R300#show ip route 10.100.100.0
Routing entry for 10.100.100.0/24
Known via "eigrp 100", distance 90, metric 435200
Tag 201, type internal
Redistributing via eigrp 100
Last update from 10.0.23.2 on Ethernet0/1, 00:09:17 ago
Routing Descriptor Blocks:
* 10.0.23.2, from 10.0.23.2, 00:09:17 ago, via Ethernet0/1
Route metric is 435200, traffic share count is 1
Total delay is 7000 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2
Route tag 201

If I remove the distribute list from eth0/0 on R200, I see the tag 100, applied by R100 in outbound direction:
Routing entry for 10.100.100.0/24
Known via "eigrp 100", distance 90, metric 409600
Tag 100, type internal
Redistributing via eigrp 100
Last update from 10.0.12.1 on Ethernet0/0, 00:00:01 ago
Routing Descriptor Blocks:
* 10.0.12.1, from 10.0.12.1, 00:00:01 ago, via Ethernet0/0
Route metric is 409600, traffic share count is 1
Total delay is 6000 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
Route tag 100

This shows that both inbound and outbound distribution-list with

 route-maps 

work on classic IOS within the same AS, which is largely a moot point because classic IOS is EoL. I'm just trying to point out that this DID work back when I started in networking. I've not had to build an EIGRP network from scratch on NX-OS , so I've not run into this problem before. IMO outbound distribute-lists with route-map tagging should work. This seems like a bug with NX-OS. I'm just wondering if it's version specific or some functionality difference of NX-OS, in which case, I would hope it's documented as such.

can you check 


show ip eigrp topology x.x.x.x mask 


check the internal tag 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers