12-29-2009 11:33 AM - edited 03-06-2019 09:06 AM
I have a 4500 switch which is in the center of one of my customers' networks. The 4500 effectively routes between all the production VLANs for the customer.
I have a PIX connected to the switch in VLAN 1. I have just configured RIP v1 as follows on the PIX:
rip outside passive version 1
rip inside passive version 1
rip inside default version 1
I used a sniffer and captured the RIP updates between the 4500 and the PIX. I see the PIX sending out a RIP update for the default route. However, I do not ever see the 4500 update its routing table to reflect it.
It is unclear to me why the 4500 won't update its route table with the default route from the PIX. I want this to be a secondary default route in case the main static route goes down.
Thanks
Kevin
12-29-2009 11:50 AM
k-melton wrote:
Jon
You did not misunderstand. I have one static route configured for default and currently it provides the only path out to the Internet. Since we do have a 2nd DSL connection for the client, I wanted to have a backup default route so that if something happens to the main one, I won't lose connectivity to the Internet.
The static route configured on the 4500 for default points to an ASA. I guess I need to turn on RIP on the ASA as well and then remove the static route from the 4500 altogether? Will I see both default routes on the ASA then, Jon?
Thanks
Kevin
Kevin
You don't necessarily need to run RIP on anything. You could actually have a floating static route on the 4500 ie,
ip route 0.0.0.0 0.0.0.0 <next-hop> 200
The 200 is important because that is the AD. So your existing default-route is still the ASA. If the ASA is lost then the static route will be removed and the floating static used. If the ASA comes back online then the original static route will be used again.
Sounds great but because they are ethernet connections you would need to track the availability of the next-hop ie. the ASA internal interface. You do this with IP SLA which your switch may or may not support - depends on IOS version.
Alternatively you could -
1) have a floating static default-route
ip route 0.0.0.0 0.0.0.0 <next-hop> 200
2) remove the other default route that points to the ASA
3) turn on RIP on the ASA and advertise a default route to the 4500.
Because RIP has a lower AD than 200 which is the AD of your floating static the RIP route would be used. If the ASA failed it would no longer advertise the route and then the floating static would be used.
This would be a simpler solution if you are happy to turn on RIP on your ASA.
Out of interest, any reason why RIP? Is this what you run internally? I ask because the ASA supports OSPF and, as of v8.x code, EIGRP.
Jon
01-05-2010 08:30 AM
k-melton wrote:
John
I am experimenting with using a floating static default route here at this client as one of the options which you had recommended.
Here is a snapshot of the ip routes as configured on the core switch:
bhicore#sho run | i ip route
ip route 0.0.0.0 0.0.0.0 192.168.5.8
ip route 0.0.0.0 0.0.0.0 198.100.100.81 200
The 192.168.5.8 address is the inside interface of the ASA and leads to our Primary Metro Ethernet connection.
The 198.100.100.81 address is the inside interface of the PIX and leads to our Secondary DSL connection.
For testing: If I unplug the inside interface of the ASA, will the router know it is not there? How will it know to roll over to the Secondary connection.
Thanks
Kevin
Kevin
That's one of the problems with ethernet ie. the router may not realise the ASA has gone. That is why I suggested using a floating static on the router/switch pointing to the pix and then use the dynamic routing protocol for the ASA. EIGRP/RIP/OSPF will all have lower ADs than 200 so it should be used unless the ASA fails and then the route will not be sent to the switch.
If you want to use 2 static routes you will need to track the state of the ASA interface using IP SLA which your switch may or may not support.
Jon
01-26-2010 11:47 AM
k-melton wrote:
Jon
Sorry for the delay in my response.
We have a Metro Ethernet connection to the ISP...
Is the command that I use to redistribute the static
router eigrp 100
redistribute static (I am not sure of the rest; it seems the options are route-map or metric)
Thanks Jon
Kevin
Kevin
You don't need to specify a metric when you redistribute static routes into EIGRP (although you do need a metric for redistributing everything else into EIGRP !!).
The route-map would be used if you had a number of static routes on the device and you only wanted to redistribute some of them.
So "redistribute static" should do the trick for you.
Jon
01-26-2010 12:38 PM
k-melton wrote:
Because I have static routes on the Border router which point to the client inside network addresses, I had to write the following route-map and ACL
route-map static permit 10
 match ip address 20
bhigw2#sho access-list 20
Standard IP access list 20
    10 permit 0.0.0.0 (2 matches)
    20 deny any (28 matches)
Once I did this, I could see the 0 route advertised out. What I am not seeing is the 0 route in the ASA (his EIGRP neighbor) route table. The only 0 route is the static configured on it...
thx
Kevin
Kevin
If you have a statically configured default route on the ASA then a default route learnt from EIGRP will not replace it or be entered into the routing table. You would need to remove the statically configured route and then the EIGRP route would be used.
Presumably the default route from EIGRP is using the same next-hop as the statically configured default route on the ASA ?
Before you do this run this command on the ASA "sh eigrp topology all-links". You should see the EIGRP routes learnt from your border router and hopefully the default route will be there.
Jon
01-26-2010 01:39 PM
It is such an interesting post, and I thought of barging in... I was reading the entire post for the past 20 mins and have a fair idea. Sorry if I misunderstood something or am asking questions which have already been answered here.
Is the DMZ switch bhiedge layer 3? I saw in some posts before that it was layer 2. Are the L3 DMZ VLANs (172.16.1.x) terminating on the bhiasaop firewall or the bhiedge switch? Can you please give "show ip eigrp neighbor" on the ASA bhiasaop firewall to check if it has a neighbor relation with the bhiedge switch? Why don't you have a direct EIGRP neighborship with bhiasaip instead of having the switch in between (on L3)? In case the DMZ switch has EIGRP configured, make sure you don't have passive-interface configured for the layer 3 VLAN IP subnets.
Raj
01-27-2010 05:49 PM
Hi kevin
I do see the routes for 206.248.224.0/24 on the dmz and bhiasaip firewall.... these are the routes which are propagated from the bhiasaop firewall right ? I see the following:
P 206.248.224.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
via 172.16.1.2 (30720/28160), Ethernet0/0
can you give a show ip route on dmz and bhiasaip firewall and confirm if these routes are installed in the routing table ? are you having issues with reachability ?
Regards
Raj
01-28-2010 04:22 AM
k-melton wrote:
Raj
I made sure that auto summary is turned off everywhere. Here are the outputs from bhiedge switch in the DMZ and bhiasaip (inside Firewall)
bhiedge#sho ip eigrp top all
EIGRP-IPv4 Topology Table for AS(100)/ID(172.16.1.7)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 206.248.224.0/24, 0 successors, FD is Inaccessible, serno 0
via 172.16.1.2 (28416/28160), Vlan1
P 192.168.5.0/24, 0 successors, FD is Inaccessible, serno 0
via 172.16.1.3 (28416/28160), Vlan1
P 172.16.1.0/24, 1 successors, FD is 2816, serno 1
via Connected, Vlan1
bhiedge#
bhiasaip# sho ei top all
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.10.20)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 192.168.10.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.11.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.5.0 255.255.255.0, 1 successors, FD is 28160, serno 1
via Connected, Ethernet0/1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 28160, serno 2
via Connected, Ethernet0/0
P 198.100.100.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
via 192.168.5.1 (28416/2816), Ethernet0/1
P 206.248.224.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
via 172.16.1.2 (30720/28160), Ethernet0/0
bhiasaip#
When I turn on debugging on the Edge switch, I do not see anything happening with respect to EIGRP. No routes or anything else.
bhiedge#debug ip eigrp
IP-EIGRP Route Events debugging is on
bhiedge#debug ip eigrp top
% Incomplete command.
bhiedge#debug ip eigrp top ?
  WORD  Topology instance name
bhiedge#debug ip eigrp top 100
IP-EIGRP Route Events debugging is on
bhiedge#
Thanks Raj
Kevin
Kevin
I think we need to see all the routing tables from the relevant devices as Raj requested.
Can we have routing tables from border router/outside firewall (op), DMZ switch, inside firewall ip.
Also can you post relevant config from each of the above devices for any static routes that you have added.
Some routes are showing as FD inaccessible, which often means that there is a better route available such as a static. I think we need to see exactly what is configured on each device.
Jon
01-29-2010 10:53 AM
k-melton wrote:
One more thing
In response to:
2) if ethernet then we could use IP SLA with object-tracking. If we have to insert another route when we remove the default route we can simply use a dummy route. An additional fail safe would be to use a route-map when we redistribute the statics into EIGRP on the border router. We only allow the default route to be redistributed so whatever dummy route we added would not be redistributed to your ASA.
I think I have object tracking configured... did you see this on a post from earlier this morning? I am pinging the ISP GW from the Border router using IP SLA (perhaps object tracking is different, I will research).
Also I had created a route map on the Border router as you had recommended this earlier. It is only allowing the default route and denying all others..
see below:
route-map static permit 10
match ip address 20
bhigw2#sho access-list 20
Standard IP access list 20
10 permit 0.0.0.0 (3 matches)
20 deny any (42 matches)
bhigw2#
Hope this helps
Kevin
Kevin
You have configured the IP SLA but you need to tie that into the static route and I'm not aware you have done that, although you may have. Have a look at this link which explains it all -
The route-map does help thanks. It means if we have to insert a dummy route there is no possibility of it getting past the border router.
Jon
01-31-2010 01:07 PM
k-melton wrote:
Jon
I read the article entitled "Reliable Static Routing Backup Using Object Tracking" that you had sent the link for. Here is the config I have so far based on what it said to do:
ip sla monitor 1
type echo protocol ipIcmpEcho 209.145.88.29
frequency 30
ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability
ip local policy route-map ipsla
access-list 150 permit icmp host 209.145.88.30 host 209.145.88.29
access-list 150 deny icmp any any
route-map ipsla permit 150
match ip address 150
set interface GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 209.XXX.88.XX track 123
ip route 0.0.0.0 0.0.0.0 123.456.789.123 254
Here is the output from the sho ip route track table command:
bhigw2#sho ip route track-tab
ip route 0.0.0.0 0.0.0.0 209.xxx.88.xx track 123 state is [up]
bhigw2#
I am hoping this may be all we need. If you can look this over and tell me what you think.
Have a splendid weekend!
Kevin
Kevin
Had a spare half hour Sunday evening so did a quick lab. Apologies for this but reliable static routing with object tracking is actually overkill for what we need. All you actually need to do is track the route so full config -
ip sla monitor 1
type echo protocol ipIcmpEcho 209.145.88.29
frequency 30
track 123 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 209.145.88.29 track 123
and that's all you need to add. I tested this by shutting down the ethernet interface on the upstream router ie. the 209.145.88.29 router and once the IP SLA failed on bhigw2 the static route was removed. Once removed it was no longer being redistributed into EIGRP and so was not passed back down the line to the 4500. The 4500 then used its floating static route pointing to the other gateway. Note, I think I have already mentioned this but make your floating static AD 200 or above.
Once I brought the interface back up and the IP SLA succeeded the route was reinstalled on bhigw2 and then redistributed all the way back to the 4500.
So I think we are there. Let me know if you have any other queries.
Jon
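Pulling Jon's lab result together with the floating-static, route-map and IP SLA pieces discussed earlier in the thread, here is the complete two-device configuration as an added example. It is not Kevin's running config and not Jon's lab output: the hostnames, AS 100, the 209.145.88.29 upstream next-hop, the 198.100.100.81 PIX address and the 192.168.5.0/24 core segment are taken from the thread; the route-map name STATIC-TO-EIGRP, the bhigw2 EIGRP network statement and the passive-interface lines are assumptions, marked as such in the comments.

```cisco
! ---- Border router (bhigw2) ----
! Probe the ISP next-hop every 30 s. 'ip sla monitor' is the older syntax
! Kevin's router accepts; newer IOS uses 'ip sla 1' with 'icmp-echo'.
ip sla monitor 1
 type echo protocol ipIcmpEcho 209.145.88.29
 frequency 30
ip sla monitor schedule 1 life forever start-time now
!
! Track object 123 follows the probe's reachability state.
track 123 rtr 1 reachability
!
! The primary default route stays in the routing table only while track 123 is up.
ip route 0.0.0.0 0.0.0.0 209.145.88.29 track 123
!
! Only the default route may be redistributed; any other static on this router
! (including a dummy route) is dropped by the route-map. 'permit 0.0.0.0' in a
! standard ACL matches the host 0.0.0.0, i.e. the default prefix only.
access-list 20 permit 0.0.0.0
access-list 20 deny any
route-map STATIC-TO-EIGRP permit 10
 match ip address 20
!
router eigrp 100
 no auto-summary
 ! placeholder: the subnet of the link facing bhiasaop (not given in the thread)
 network <link-to-bhiasaop-subnet> <wildcard>
 ! assumed hardening: send EIGRP hellos only on the link that should peer,
 ! never on the ISP-facing interface
 passive-interface default
 no passive-interface <interface-facing-bhiasaop>
 redistribute static route-map STATIC-TO-EIGRP
!
! ---- Core switch (bhicore, Catalyst 4500) ----
! No static default towards the ASA. The EIGRP-learned default (external AD 170)
! is installed while bhigw2 advertises it; when the probe fails the tracked
! static is withdrawn, the EIGRP route disappears end to end, and the floating
! static (AD 200) towards the PIX/DSL path takes over.
router eigrp 100
 no auto-summary
 network 192.168.5.0 0.0.0.255
 ! plus the user VLAN subnets that bhiasaip should learn
!
ip route 0.0.0.0 0.0.0.0 198.100.100.81 200
!
! Verification:
!   bhigw2#  show ip route track-table   -> static shows "state is [up]" while the probe passes
!   bhicore# show ip route 0.0.0.0       -> D*EX via 192.168.5.8 normally, S* via 198.100.100.81 on failure
```

The failover hinges on the tracked static being the only source of the default route in EIGRP: nothing on bhiasaop, bhiedge or bhiasaip may carry its own static default, otherwise that device keeps forwarding to a dead upstream while the 4500 never sees the route disappear.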
12-29-2009 11:43 AM
k-melton wrote:
I have a 4500 switch which is in the center of one of my customers' networks. The 4500 effectively routes between all the production VLANs for the customer.
I have a PIX connected to the switch in VLAN 1. I have just configured RIP v1 as follows on the PIX:
rip outside passive version 1
rip inside passive version 1
rip inside default version 1
I used a sniffer and captured the RIP updates between the 4500 and the PIX. I see the PIX sending out a RIP update for the default route. However, I do not ever see the 4500 update its routing table to reflect it.
It is unclear to me why the 4500 won't update its route table with the default route from the PIX. I want this to be a secondary default route in case the main static route goes down.
Thanks
Kevin
Kevin
Could you clarify something ?
You have a static default-route configured on the 4500 and you have the pix advertising a default-route to the 4500 with RIP and you don't see the RIP route in the routing table on the 4500 - is that what you are saying ?
If so, you won't see it until the static route that you have configured is removed because the static configured route will have a lower AD and so be the one entered into the routing table.
If I have misunderstood please let me know.
Jon
12-29-2009 11:47 AM
Jon
You did not misunderstand. I have one static route configured for default and currently it provides the only path out to the Internet. Since we do have a 2nd DSL connection for the client, I wanted to have a backup default route so that if something happens to the main one, I won't lose connectivity to the Internet.
The static route configured on the 4500 for default points to an ASA. I guess I need to turn on RIP on the ASA as well and then remove the static route from the 4500 altogether? Will I see both default routes on the ASA then, Jon?
Thanks
Kevin
12-29-2009 12:22 PM
Jon
I did not realize until your reply that the ASA supports EIGRP. I am running 8.2.1 and checked it out and right you are. I may try to configure that instead.
RIP was just a lowest common denominator that I was going to use. I had forgotten about floating static routes.
Thanks for your help. I will keep you posted.
01-05-2010 08:19 AM
John
I am experimenting with using a floating static default route here at this client as one of the options which you had recommended.
Here is a snapshot of the ip routes as configured on the core switch:
bhicore#sho run | i ip route
ip route 0.0.0.0 0.0.0.0 192.168.5.8
ip route 0.0.0.0 0.0.0.0 198.100.100.81 200
The 192.168.5.8 address is the inside interface of the ASA and leads to our Primary Metro Ethernet connection.
The 198.100.100.81 address is the inside interface of the PIX and leads to our Secondary DSL connection.
For testing: If I unplug the inside interface of the ASA, will the router know it is not there? How will it know to roll over to the Secondary connection.
Thanks
Kevin
01-05-2010 12:11 PM
Jon
I am including a network diagram with the addresses stricken for you to take a look at. I am not so much concerned that the ASA may fail, but rather that my Metro Ethernet connection will fail. I think I actually am going to have to set up a dynamic routing protocol between my Border router (bhigw2), my Outside PIX (bhiasaop) and my Inside ASA (bhiasaip). Otherwise I am not sure how the Inside ASA would ever know that the default route is missing off of the Border router.
If you could please confirm that in fact I will have to turn on dynamic routing updates on the mentioned devices I would appreciate it.
I think this will make sense to you once you look at the attached drawing.
Thanks Jon
Kevin
01-05-2010 02:38 PM
Kevin
Apologies but I can't read Visios on my laptop. Can you post it as a .jpg/.png file instead ?
Jon
01-05-2010 03:35 PM
01-05-2010 04:47 PM
k-melton wrote:
Jon
I am including a network diagram with the addresses stricken for you to take a look at. I am not so much concerned that the ASA may fail, but rather that my Metro Ethernet connection will fail. I think I actually am going to have to set up a dynamic routing protocol between my Border router (bhigw2), my Outside PIX (bhiasaop) and my Inside ASA (bhiasaip). Otherwise I am not sure how the Inside ASA would ever know that the default route is missing off of the Border router.
If you could please confirm that in fact I will have to turn on dynamic routing updates on the mentioned devices I would appreciate it.
I think this will make sense to you once you look at the attached drawing.
Thanks Jon
Kevin
Kevin
You are right although it is a little more complicated than that. You could use IP SLA tracking on your 4500 and check the reachability of the next-hop from your border router ie. where you border sends traffic to after it leaves your LAN.
Or as you say you can use a routing protocol but note you still need to use IP SLA tracking but this time on the border router. Because it is ethernet you need to track the next-hop from the border router. If that is up then advertise the default-route into your routing protocol which will then get propagated to your pix and ASA. If it is not up then the border router should not advertise it to the pix -> asa -> 4500. Then the floating static on the 4500 will kick in and it should go via the other link.
Note if you are going to run dynamic routing between border router/pix/asa make sure you use authentication and that the border router is secure.
Either way involves a fair bit of extra config
1) IP SLA on 4500, if supported (need to know IOS and feature set). You would need to allow ICMP through both firewalls and the border router to get to the next-hop you are checking for reachability
2) IP SLA on border router (will be supported) - you need to enable routing protocol on all intermediate devices
Jon
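Jon's note above about authenticating the routing protocol is the part of this design most worth getting right: an unauthenticated EIGRP adjacency on a firewall lets any host that can reach that segment inject or withdraw a default route. The following is an added example of MD5 authentication on both sides of the bhigw2 / ASA peering, not taken from Kevin's or Jon's configurations. It uses the thread's AS 100; the key chain name EIGRP-AUTH, the shared secret, the IOS interface name and the ASA interface names and nameif are assumptions, marked in the comments.

```cisco
! ---- IOS side (bhigw2; the same applies to bhiedge if it runs EIGRP) ----
key chain EIGRP-AUTH
 key 1
  ! placeholder: identical string on every neighbour; key number must match
  ! the ASA key-id below
  key-string <shared-secret>
!
! assumed: the interface facing bhiasaop
interface GigabitEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-AUTH
!
router eigrp 100
 ! no hellos on the ISP-facing or user-facing interfaces
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
! ---- ASA side (bhiasaop / bhiasaip, 8.2 syntax) ----
! assumed: Ethernet0/0 is the DMZ-facing interface (nameif "dmz")
interface Ethernet0/0
 authentication mode eigrp 100 md5
 authentication key eigrp 100 <shared-secret> key-id 1
!
router eigrp 100
 passive-interface default
 ! open only the interface that should actually peer
 no passive-interface dmz
!
! Check: a neighbour with a wrong or missing key never forms an adjacency.
!   bhigw2#   show ip eigrp neighbors
!   bhiasaop# show eigrp neighbors
```

With passive-interface default on every device, a missing adjacency after the change is almost always a mismatched key-id or key-string on one side, which shows up as the neighbour simply never appearing rather than as an error.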
01-12-2010 10:37 AM
Jon
The current IOS running on my 4500 Sup II+ module is Version 12.2(46)SG, RELEASE SOFTWARE (fc1)
How can we tell if this will support IP SLA.
I have the following available in the IOS I know from using context sensitive help:
bhicore#conf t
Enter configuration commands, one per line. End with CNTL/Z.
bhicore(config)#ip sla ?
key-chain Use MD5 authentication for IP SLAs control message
responder Enable IP SLAs Responder
bhicore(config)#ip sla
thanks Jon
Kevin
01-12-2010 12:17 PM
k-melton wrote:
Jon
The current IOS running on my 4500 Sup II+ module is Version 12.2(46)SG, RELEASE SOFTWARE (fc1)
How can we tell if this will support IP SLA.
I have the following available in the IOS I know from using context sensitive help:
bhicore#conf t
Enter configuration commands, one per line. End with CNTL/Z.
bhicore(config)#ip sla ?
key-chain Use MD5 authentication for IP SLAs control message
responder Enable IP SLAs Responder
bhicore(config)#ip sla
thanks Jon
Kevin
Kevin
What feature set are you running ?
Jon
01-12-2010 01:43 PM
IP Base? Here is the sho ver output
bhicore#sho ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(46)SG, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 27-Jun-08 16:56 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x11ABEC24
ROM: 12.2(20r)EW1
Dagobah Revision 226, Swamp Revision 34
thx
Kevin
01-12-2010 02:07 PM
k-melton wrote:
IP Base? Here is the sho ver output
bhicore#sho ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(46)SG, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 27-Jun-08 16:56 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x11ABEC24
ROM: 12.2(20r)EW1
Dagobah Revision 226, Swamp Revision 34
thx
Kevin
Kevin
Bad news unfortunately. You need Enterprise Services to run PBR but there is no Enterprise Services for the SupII+. I think PBR is only supported on Supervisor IV upwards on the 4500 switches.
Jon