
OSPF/EIGRP Redistribution Frustration

m.glosson
Level 1

I am having trouble with a secondary connection. Attached is the topology. Everything is reachable (no tunnel problems, etc). This post will focus on the SiteA-2911 router.

The problem is that the ClinicWAN router (as well as the internal L3-switches, etc) sees and favors the EIGRP routes through the backup DMVPN connection. I have taken steps to make this not be the case (even steps that I considered unnecessary) but still the EIGRP gets favored. I know that the administrative distance of OSPF is 110 and EIGRP's is 90 for internal routes and 170 for external routes. I had that in mind, so instead of simply advertising the routes from the SiteA router in the normal way (with "network" commands), I did a redistribute connected so they would get assigned an admin distance of 170 right away.

What I'm actually seeing from the SiteA router is that the MPLS/OSPF connection is being favored (e.g., 10.10.0.0/16). What I see from the VpnBackup and ClinicWAN routers is that routes to 10.50.0.0/16 are sent over the DMVPN. That means that it's doing asynchronous routing. If I purposely kill the MPLS connection (or do a "passive-interface ..." command on the SiteA router), everything goes over the DMVPN without issue. If I take down the EIGRP on the SiteA router ("passive-interface Tu0") everything routes fine over the MPLS/OSPF.

I have done this in the past multiple times, but it was always done with eBGP in the MPLS, which has an administrative distance of 20 and I haven't had to do any tricks, etc. Converting the sites to BGP is possible, I suppose, but would be a bit of a pain, plus where's the fun in that? The real fun is figuring out THIS problem.  :)

Here are some of the relevant configs:

VpnBackup2821

VpnBackup2821#sh run | s ^router
router eigrp 100
 passive-interface GigabitEthernet0/0
 network 10.0.0.0
 no auto-summary

VpnBackup2821#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1         10.10.10.252    YES NVRAM  up                    up
Loopback1                  69.xxx.yyy.zzz  YES NVRAM  up                    up
Tunnel0                    10.0.250.1      YES NVRAM  up                    up

ClinicWAN

ClinicWan#sh ip int br | e down
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.10.10.250    YES NVRAM  up                    up
GigabitEthernet0/1         192.168.0.2     YES NVRAM  up                    up
Loopback0                  10.1.254.254    YES NVRAM  up                    up

ClinicWan#sh run | s ^router
router eigrp 100
 redistribute ospf 100 metric 50000 50 255 1 1500
 passive-interface GigabitEthernet0/1
 network 10.1.254.254 0.0.0.0
 network 10.10.0.0 0.0.255.255
 no auto-summary
router ospf 100
 router-id 10.10.10.250
 domain-id 0.0.0.0
 log-adjacency-changes
 redistribute static subnets route-map REDISTATIC
 redistribute eigrp 100 subnets
 passive-interface GigabitEthernet0/0
 passive-interface Serial1/0
 network 10.1.254.254 0.0.0.0 area 0
 network 162.97.109.200 0.0.0.3 area 0
 network 192.168.0.0 0.0.0.3 area 0
 default-information originate

SiteA-2911

SiteA-2911#sh ip int br | e down
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0.50      10.50.1.250     YES NVRAM  up                    up
GigabitEthernet0/0.950     10.90.50.250    YES NVRAM  up                    up
GigabitEthernet0/2         69.xxx.yy.zzz   YES NVRAM  up                    up
Multilink1                 67.xx.yyy.zzz   YES NVRAM  up                    up
Tunnel0                    10.0.250.50     YES NVRAM  up                    up

SiteA-2911#sh run | s ^router
router eigrp 100
 network 10.0.250.0 0.0.0.255
 redistribute connected metric 3000 30000 255 1 1500 route-map EIGRP-DISTRIBUTE-RMAP
 distance eigrp 125 170
 passive-interface default
 no passive-interface Tunnel0
router ospf 100
 domain-id 0.0.0.0
 passive-interface default
 no passive-interface Multilink1
 network 10.50.0.0 0.0.255.255 area 50
 network 10.90.50.0 0.0.0.255 area 50
 network 67.xx.yyy.zzz 0.0.0.3 area 0

SiteA-2911#sh run | s ^(ip pref|route-map)
ip prefix-list EIGRP-DISTRIBUTE-PREFIX seq 5 permit 10.50.0.0/16
ip prefix-list EIGRP-DISTRIBUTE-PREFIX seq 10 permit 10.90.50.0/24
route-map EIGRP-DISTRIBUTE-RMAP permit 10
 match ip address prefix-list EIGRP-DISTRIBUTE-PREFIX

What happens is this: if the MPLS goes down, everything switches over to the DMVPN. When the MPLS comes back up, traffic from SiteA goes back to MPLS as desired, but return traffic never switches back to the MPLS until we intentionally kill the DMVPN connection.

Let me know what other output you might like to see (show commands, etc).

17 Replies 17

Matt

Yes, Peter as usual was being a bit modest :-).

I wasn't even considering the PE side of things until he mentioned that and then it kind of clicked because this is a common issue as he said.

The simple answer to your problem is yes you need to filter the branch routes from being advertised to the MPLS network otherwise your failover will never reliably work.

I would use a route map with the EIGRP to OSPF redistribution and just allow only the networks behind the Clinic router.

That should fix the issue.

In terms of redistributing the other way it's not creating a problem and it may be needed for the MPLS only sites at the moment.

It's difficult to say without knowing more about the branches and the DMVPN, i.e.

do they have local internet?

is this a hub and spoke only or is it a spoke to spoke as well?

But yes, the immediate issue is to stop the advertisement of branch networks back to the MPLS PE from the Clinic router.

Happy to discuss further if you want to.

Jon

That seems to have solved it. Instead of saying "only the things behind ClinicWan go through," I denied the dual-connected WAN subnets to similar effect. Here is the current relevant configuration on the ClinicWan router:

ip prefix-list DMVPN-SITES seq 5 permit 10.50.0.0/16
! (etc)
ip prefix-list DMVPN-SITES seq 50 permit 10.90.0.0/16 le 24

route-map EIGRP->OSPF deny 10
 match ip address prefix-list DMVPN-SITES
route-map EIGRP->OSPF permit 20

router ospf 100
 router-id 10.10.10.250
 redistribute eigrp 100 subnets route-map EIGRP->OSPF
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 192.168.0.0 0.0.0.3 area 0
 default-information originate

This was fun and I learned some good stuff. I feel like I'm living in the bible... Peter and John working together...  :)  Thanks a lot!
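
An added example, not part of the original thread and not either poster's code: a small Python model of how the DMVPN-SITES prefix-list and the EIGRP->OSPF route-map above decide which EIGRP routes reach OSPF. It uses only the two prefix-list entries visible in the post; the candidate routes are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import re

# Only the two entries visible in the post; the ones elided by "(etc)" are not guessed.
PREFIX_LIST = """\
ip prefix-list DMVPN-SITES seq 5 permit 10.50.0.0/16
ip prefix-list DMVPN-SITES seq 50 permit 10.90.0.0/16 le 24
"""

ENTRY_RE = re.compile(
    r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)

def parse_prefix_list(text):
    """Return (seq, action, network, min_len, max_len) tuples in sequence order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        seq, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = net.prefixlen          # no ge/le: the length must match exactly
        else:
            lo = int(ge) if ge else net.prefixlen
            hi = int(le) if le else 32
        entries.append((int(seq), action, net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def prefix_list_permits(entries, route):
    """First matching entry wins; no match falls through to the implicit deny."""
    r = ipaddress.ip_network(route)
    for _seq, action, net, lo, hi in entries:
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action == "permit"
    return False

def redistributed(entries, route):
    """route-map EIGRP->OSPF: 'deny 10' drops prefix-list matches, 'permit 20' passes the rest."""
    return not prefix_list_permits(entries, route)

# Constructed candidate EIGRP routes (illustrative, not taken from any router output).
SAMPLE_ROUTES = ["10.50.0.0/16", "10.50.1.0/24", "10.90.50.0/24", "10.90.50.0/25", "10.10.10.0/24"]

if __name__ == "__main__":
    entries = parse_prefix_list(PREFIX_LIST)
    for route in SAMPLE_ROUTES:
        print(f"{route:16} -> {'redistributed' if redistributed(entries, route) else 'filtered'}")
```

Comparing this output against `show ip route eigrp` on the redistributing router shows whether every dual-connected prefix is caught at the mask length it is actually advertised with.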

 

 

 

Edit - wrong post :-)

Jon