k-melton wrote:
This makes me want to ask then about EIGRP.  I understand that it is a bit overkill for this little network, however because it is link state would it not suffice?  I think that all the devices will support it on the ASA side leading to the Internet (Border Router, ASA Outside, DMZ switch which is a 3550 model, and Inside ASA?
If the Border router loses its Ethernet facing outside, then would EIGRP propogate the loss since it is a topology change down the line until it reached the Core Router?
Thanks Jon
Kevin

Kevin

DMZ 3550 switch, if this is L2 then it doesn't need to support EIGRP. If L3 then you need EMI image on it.

You would have a default-route on the border router pointing to the next-hop ISP address and redistribute this into EIGRP. This will then be an EIGRP external route with an AD of 170 so make sure your floating static has a higher AD.

Once the route is removed from the border router then yes it will propogate all the way back to your 4500 and it will be removed and so the floating static you have configured on your 4500 to the other ASA will then be used. The only thing i'm not 100% sure about is will the route be removed if the interface goes down and i'm not sure it will because you are not receiving this route from your ISP, you are actually originating it on the border router.

So it will need testing. If i have time tomorrow i will lab it up for you.

Edit - actually if the interface goes down the route will be removed. It's more a question of what happens if the remote ISP router goes down that needs testing. What connectivity is there between your border router and the ISP router ie. is it ethernet or serial ?

Jon

Jon

Sorry for the delay in my response. 

We have a Metro Ethernet connection to the ISP...

Is the command that I use to redistribute the static

router eigrp 100

redistribute static ( i am not sure of the rest)  seems the options are route-map or metric

Thanks Jon

Kevin

Because I have static routes on the Border router which point to the client inside network addresses, I had to write the following route-map and ACL

route-map static permit 10
match ip address 20

bhigw2#sho access-list 20
Standard IP access list 20
    10 permit 0.0.0.0 (2 matches)
    20 deny   any (28 matches)

Once I did this, I could see the 0 route advertised out.  What I am not seeing is the 0 route in the ASA (his EIGRP neighbor) route table. The only 0 route is the static configured on it... 

thx

Kevin

I ran the command "sho eigrp top all-links" as you had indicated.  This showed

the learned routes just as you had indicated (way to go Jon!).

Here is a snapshot:

bhiasaop# sho eigrp top all

EIGRP-IPv4 Topology Table for AS(100)/ID(206.248.224.2)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 0.0.0.0 0.0.0.0, 0 successors, FD is Inaccessible, serno 0
        via 206.248.224.1 (33280/30720), Ethernet0/0
P 192.168.5.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.3 (30720/28160), Ethernet0/1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 28160, serno 2
        via Connected, Ethernet0/1
P 206.248.224.2 255.255.255.255, 0 successors, FD is Inaccessible, serno 0
        via 206.248.224.1 (30720/28160), Ethernet0/0
P 206.248.224.0 255.255.255.0, 1 successors, FD is 28160, serno 3
        via Connected, Ethernet0/0

For some reason, the ASA is not propogating these routes inward towards the DMZ switch.  I have tried toggling auto-summary on the ASA and receive these messages while running debug on the DMZ switch:

bhiedge#
Jan 26 16:18:59.672: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(100) 100: Neighbor 172.16.1.2 (Vlan1) is down: peer restarted
Jan 26 16:19:00.140: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(100) 100: Neighbor 172.16.1.2 (Vlan1) is up: new adjacency
Jan 26 16:19:01.680: EIGRP-IPv4(Default-IP-Routing-Table:100): 172.16.1.0/24 - do advertise out Vlan1
Jan 26 16:19:01.680: EIGRP-IPv4:(100): Int 206.248.224.0/24 M 28416 - 25600 2816 SM 28160 - 25600 2560
Jan 26 16:19:01.680: EIGRP-IPv4(Default-IP-Routing-Table:100): 206.248.224.0/24 routing table not updated thru 172.16.1.2
Jan 26 16:19:01.688: EIGRP-IPv4(Default-IP-Routing-Table:100): 172.16.1.0/24 - do advertise out Vlan1
Jan 26 16:19:01.688: EIGRP-IPv4:(100): Int 206.248.224.0/24 M 28416 - 25600 2816 SM 28160 - 25600 2560
Jan 26 16:19:01.700: EIGRP-IPv4:(100): Int 206.248.224.0/24 M 28416 - 25600 2816 SM 28160 - 25600 2560

What am I missing Jon?

Kevin

Raj

Dont feel like you are barging in.  I welcome your help with this.  John has been very gracious with his expertise on this and other posts.

To answer your questions

the dmz switch bhiedge is layer 3 ?

  Yes it is L3.  I have the one VLAN configured on it and it has an ip address on it that functions as the default gateway for the 4 servers in our DMZ.

Can you please give "show ip eigrp neighbor" on the ASA bhiasaop firewall to check if it has a neighbor relation with bhiedge switch ?

bhiasaop# sho eigrp nei
EIGRP-IPv4 neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.1.7              Et0/1            13     1d02h 3    200   0   44
2   172.16.1.3              Et0/1            14     1d02h 1    200   0   72
0   206.248.224.1           Et0/0            12     1d02h 6    200   0   41
bhiasaop#

Why dont u have a direct eigrp neighborship with bhiasaip instead of having the switch in between (on L3) ?

I think they are neighbors too?..

incase the dmz switch has eigrp configured, make sure you dont have passive interface configured for the layer 3 vlan ip subnets..

I dont have it configured as passive.  See below:

bhiedge#sho run | begin router
router eigrp 100
network 172.16.0.0

Thanks Raj.  Like I said, any input is welcome.

Kevin

Hi Kevin

Even if the DMZ switch isnt L2, it should learn the routes propagated by bhiasaop.. as Jon said, give a "no auto-summary" on the eigrp process to make sure it can support classless routing.. the outputs on asa bhiasaop looks good.. can you give us the output on bhiedge switch and bhiasaip of the EIGRP topology database ? show ip eigrp topology ? are these networks being advertised back from bhipix ??

can you make sure you have the internal network 172.16.1.0 on the switch and bhiasaip pix ? have no auto-summary on all switches and PIX running EIGRP...

lastly - you can run debug eigrp neigbor to check if the routes are being received on the dmz switch ?

note - if you want to make bhiedge a layer 3 switch, you should probably split up the broadcast domain between bhiasaop and bhiasaip... have seperate /30 networks between the switch and the firewalls, so that there are prominant eigrp neighbors defined...

Hope this helps.. all the best

Raj

Raj

I made sure that auto summary is turned off everywhere.  Here are the outputs from bhiedge switch in the DMZ and bhiasaip (inside Firewall)

bhiedge#sho ip eigrp top all
EIGRP-IPv4 Topology Table for AS(100)/ID(172.16.1.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 206.248.224.0/24, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (28416/28160), Vlan1
P 192.168.5.0/24, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.3 (28416/28160), Vlan1
P 172.16.1.0/24, 1 successors, FD is 2816, serno 1
        via Connected, Vlan1
bhiedge#

bhiasaip#   sho ei top all

EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.10.20)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 192.168.10.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.11.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.5.0 255.255.255.0, 1 successors, FD is 28160, serno 1
        via Connected, Ethernet0/1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 28160, serno 2
        via Connected, Ethernet0/0
P 198.100.100.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 206.248.224.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (30720/28160), Ethernet0/0
bhiasaip#

When i turn on debugging on the Edge switch, I do not see anything happening with respect to EIGRP.  No routes or anything else..

bhiedge#debug ip eigrp
IP-EIGRP Route Events debugging is on
bhiedge#debug ip eigrp top
% Incomplete command.

bhiedge#debug ip eigrp top ?
  WORD  Topology instance name

bhiedge#debug ip eigrp top 100
IP-EIGRP Route Events debugging is on
bhiedge#

Thanks Raj

Kevin

No issues with reachability Raj.  I have static routes configured for all networks everywhere.  This is a milestone as I am

attempting for the first time to implement some dynamic routing on the network in order to facilitate the ability to failover to a different route to 0.0.0.0 if the main Internet connection fails.  This is pretty well documented within the earlier parts of this chain between John and I.

I am simply trying to get the 0.0.0.0 route advertised by the Border Router to propogate down the line via EIGRP until it makes it into our Core Router.

I can post the route tables when I get onsite tomorrow if necessary.  But the main focus and next step should be why the 0 route is not making it from the bhiasaop device to the bhiedge switch, as EIGRP ought to be shipping it to the switch from the Firewall.  I am not sure why this is not happening.

Thanks

Kevin

Jon

I can put these routing tables in later if necessary, but I can definitely tell you that all routes are configured statically at this point.  This is how the network was first built.  It was simple and we did not see the need to run any dynamic protocol.  Now we are at a point where we can see how it would be beneficial to have the ability to fail over with respect to Internet access (we have many processes at this customer that depend on the Internet fo transactions) to keep things up.

This was not really an option before as the alternate Internet connection was a DSL connection that was only at 1 mg or some small figure.  It has since been upgraded to a 10 mg pipe.

Thanks Jon

Kevin