I am about to do an EIGRP configuration but I would like to hear some feedback from the experts.
This is my layout:
Inet RT -- ASA -- 3550 core -- 2651XM (voice)
The 2651XM is connected to another office in Texas with the same layout using a point-to-point connection.
I am thinking of configuring EIGRP as follows:
Option 1: Configure SLA tracking on the ASA so I can track when the outside interface of the Inet RT is down. The ASA will propagate the Inet RT path as the default route to the 3550 L3 switch. On the 3550 (core), I will configure a floating static route with an AD higher than the path advertised by the ASA. This floating static route will point to our office in Texas. When the Inet RT interface is down, the ASA will remove the route and the floating static route will be added as the default route in the routing table of the 3550, sending all the traffic out the 2651XM.
Option 2: Configure the Texas route on Miami's devices and do redistribution.
I would like to hear some feedback from you guys. Thanks for your time.
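Option 1 written out as an added configuration example (it is not from the original post or from any of the replies). It assumes the ASA runs 8.0(2) or later so that EIGRP is available on it, EIGRP AS 100, ASA interfaces named `outside`/`inside`, and constructed addresses: the Inet RT's inside address 203.0.113.1, an upstream ISP address 198.51.100.1 that is reachable only across the Inet RT's serial interface, the ASA/3550 subnet 192.168.1.0/24, and the 3550/2651XM subnet 10.0.0.0/24 with the 2651XM at 10.0.0.2. Whether `redistribute static` under `router eigrp` carries the 0.0.0.0/0 route on your particular ASA release is something to verify on the box.

```cisco
! ---- ASA (8.0(2) or later) ----
! Probe an address that is only reachable across the Inet RT's serial link,
! so the probe fails when that interface (or the circuit behind it) is down.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Default route toward the Inet RT; it is withdrawn from the routing table
! while track 1 is down.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! EIGRP toward the 3550. The tracked static default is redistributed, so it
! disappears from EIGRP as soon as the track fails.
router eigrp 100
 network 192.168.1.0 255.255.255.0
 redistribute static
!
! ---- 3550 core (IOS) ----
ip routing
router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 10.0.0.0 0.0.0.255
 no auto-summary
!
! Floating static default toward Texas via the 2651XM. The default learned
! from the ASA is an EIGRP external route (D EX, AD 170), so the floating
! static needs an AD above 170, not merely above EIGRP's internal AD of 90.
ip route 0.0.0.0 0.0.0.0 10.0.0.2 200
```

Check it with `show track 1` and `show route` on the ASA and `show ip route 0.0.0.0` on the 3550: in normal operation the 3550 shows `D*EX 0.0.0.0/0 [170/...]` via the ASA, and once the track fails it shows `S* 0.0.0.0/0 [200/0] via 10.0.0.2`.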
What code are you running on the ASA?
The ASA does not support EIGRP; it supports only RIP and OSPF at this point in time. How would you propagate the default route to the 3550? In order to pass EIGRP across the ASA, you might have to do a GRE tunnel over IP between the Inet RT and the 2651XM. That might work, but it will bring in a lot of complexity.
Perhaps you could look at using OSPF in your topology, running OSPF between all the devices and tracking the static default route.
HTH, please rate if it does.
Your statement about the ASA not supporting EIGRP is no longer true (it used to be true until the introduction of 8.0 code). Here is a quote from the release notes for 8.0:
This section lists the new features for Version 8.0(2). All new features are supported in ASDM Version 6.0.
ASA Feature Type
The adaptive security appliance supports EIGRP or EIGRP stub routing.
Here is the link if you want more information:
Thanks guys... I didn't check the newly available version 8.0 for the ASA and its feature enhancements... My bad...
Thanks Rick, Rafael for updating...
I recommend configuring RIP or OSPF between these 3 devices with the ASA propagating a conditional default-information originate.
Both routing protocols support this option while EIGRP does not.
Configure the current default gateway for your network with a static route with a metric higher than your current routing protocol pointing to the Texas network, in case the ASA stops announcing the default route.
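The OSPF form of that recommendation, as an added example (not the poster's own configuration). It uses the same constructed addressing as the topology in the question: ASA inside 192.168.1.1/24 toward the 3550, the 2651XM at 10.0.0.2 off the 3550, the Inet RT's inside address 203.0.113.1, an upstream address 198.51.100.1 behind the Inet RT's serial link, and a tracked object `track 1` built from an ASA SLA probe.

```cisco
! ---- ASA ----
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 ! Conditional: the ASA originates a default LSA only while it has a default
 ! route in its own routing table, i.e. only while track 1 is up.
 default-information originate
 ! Not this: "default-information originate always" advertises the default
 ! unconditionally and defeats the tracking.
!
! ---- 3550 core (IOS) ----
ip routing
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0
!
! Floating static toward Texas. The ASA's default arrives as O*E2 (AD 110),
! so any AD above 110 keeps this route dormant until the LSA is withdrawn.
ip route 0.0.0.0 0.0.0.0 10.0.0.2 120
```

With the track up, `show ip route 0.0.0.0` on the 3550 shows `O*E2 0.0.0.0/0 [110/1]` via the ASA; with the track down, the ASA stops originating the LSA and the 3550 falls back to `S* 0.0.0.0/0 [120/0] via 10.0.0.2`.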
Not sure what your configuration for devices in Miami is, but I would recommend establishing a GRE Tunnel between the 2651 and another GRE-capable device.
GRE is frequently used for being able to perform dynamic routing across distances (e.g. GRE over IPSec tunnels).
Routing your internal networks through firewalls is a nasty thing, especially when you don't consider your fw as a core/internal device (since it truly bridges the outside/inside).
Simply enable EIGRP between 3550 and 2651, and then enable EIGRP on the GRE subnet between sites. This works like an absolute charm.
In conjunction with what was said above, you can simply configure floating-static routes on your core (AD set high enough) and then route-tracking (SLA tracking, whatever you call it) on the ASA for being able to route back to the inside through the tunnel -- have the tunnel IP address be the tracked object.
Long-winded answer, but your ideal situation (in my opinion) is SLA tracking on fw + GRE between sites.
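For the case this post has in mind, two sites that are not directly adjacent (reached over an MPLS or Internet path whose intermediate network will not carry EIGRP), an added GRE example; it is not mwasserman's configuration. Constructed values: each 2651XM's `Serial0/0` faces a provider, Miami's WAN address is 198.51.100.10/30 (provider next hop 198.51.100.9), Texas's is 198.51.100.22/30 (next hop 198.51.100.21), the tunnel subnet is 172.16.0.0/30, EIGRP AS 100, the Miami LAN is 10.0.0.0/24 and the Texas LAN 10.0.1.0/24.

```cisco
! ---- Miami 2651XM ----
interface Serial0/0
 description WAN to provider (no EIGRP here)
 ip address 198.51.100.10 255.255.255.252
!
interface Tunnel0
 description GRE to Texas 2651XM
 ip address 172.16.0.1 255.255.255.252
 ! GRE adds 24 bytes of overhead; clamp MTU/MSS so tunnelled TCP does not
 ! depend on path-MTU discovery working end to end.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 198.51.100.22
!
! The tunnel endpoint must be reached over the physical path. If the route to
! 198.51.100.22 were ever learned through Tunnel0 itself, IOS would detect
! "recursive routing", shut the tunnel, and flap it repeatedly.
ip route 198.51.100.22 255.255.255.255 198.51.100.9
!
! EIGRP on the LAN and on the tunnel subnet only; the WAN subnet is
! deliberately kept out of EIGRP.
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 no auto-summary
!
! ---- Texas 2651XM (mirror image) ----
interface Serial0/0
 ip address 198.51.100.22 255.255.255.252
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 198.51.100.10
!
ip route 198.51.100.10 255.255.255.255 198.51.100.21
!
router eigrp 100
 network 10.0.1.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 no auto-summary
```

`show ip eigrp neighbors` on either router should list the far end on Tunnel0, and `show ip route eigrp` the other site's LAN via 172.16.0.x. If the provider path drops, the EIGRP adjacency over the tunnel times out and the remote routes are flushed; the tunnel interface itself stays up/up, which is why the post suggests tracking the far tunnel address rather than relying on interface state.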
Thank you all for your reply.
mwasserman, I do have one question for you:
Why should I use GRE when I have a dedicated point-to-point between sites?
Just to clarify, I am not using the ASA to route any internal network. I will just use the SLA tracking feature to determine whether the serial int of the Internet router is up or down. When it is down, the ASA will remove that route; therefore, my core switch will remove it as well.
I have been discussing this with some local engineers and they believe that a simple EIGRP configuration will work just fine. They stated that Miami will have the Texas route as the only alternate choice and vice versa; therefore, if the Internet router interface is down, all the traffic will be routed out to Texas.
What do you think?
Ahh, I am sorry -- I didn't realize it was point-to-point (I misread and assumed you had an MPLS connection or so). In that case, since your routers are already directly adjacent, you don't need GRE.
However, I think it is a poor design to have the firewall participating as a factor in the core switch's routing decision process.
All you have to do is have routes from Miami come in through the serial interface (thus, EIGRP's next hop for those routes will be the serial interface). If that interface goes down, the routes will be invalidated at the 2651 and then at the 3550. There is absolutely no need to involve the firewall here...
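The design in this last reply, as an added example (not the poster's configuration): EIGRP between the 3550 and the 2651XM, and between the two 2651XMs across the point-to-point serial, with no routing role for the ASA. Constructed values: AS 100; Miami 3550/2651XM subnet 10.0.0.0/24 (2651XM at 10.0.0.2) and Miami user LAN 192.168.1.0/24; Texas 3550/2651XM subnet 10.0.1.0/24 (2651XM at 10.0.1.2) and Texas user LAN 192.168.2.0/24; serial link 10.255.255.0/30 on a T1.

```cisco
! ---- Miami 2651XM ----
interface FastEthernet0/0
 description to Miami 3550 core
 ip address 10.0.0.2 255.255.255.0
!
interface Serial0/0
 description point-to-point to Texas 2651XM
 ! Set bandwidth to the real circuit rate: EIGRP derives its metric from it,
 ! which is what makes a default learned across the T1 lose to a local one.
 bandwidth 1544
 ip address 10.255.255.1 255.255.255.252
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.255.255.0 0.0.0.3
 no auto-summary
!
! ---- Texas 2651XM ----
interface FastEthernet0/0
 description to Texas 3550 core
 ip address 10.0.1.2 255.255.255.0
!
interface Serial0/0
 description point-to-point to Miami 2651XM
 bandwidth 1544
 ip address 10.255.255.2 255.255.255.252
!
router eigrp 100
 network 10.0.1.0 0.0.0.255
 network 10.255.255.0 0.0.0.3
 no auto-summary
!
! ---- Miami 3550 core ----
ip routing
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 no auto-summary
! (Texas 3550: the same, with 10.0.1.0/24 and 192.168.2.0/24.)
```

On the Miami 3550, `show ip route eigrp` lists 192.168.2.0/24 and 10.0.1.0/24 as `D` routes via 10.0.0.2; on the Miami 2651XM their next hop is 10.255.255.2 out Serial0/0. When Serial0/0 goes down, the adjacency to Texas drops and those routes are flushed on the 2651XM and then on the 3550, exactly as the reply describes, with nothing tracked. Whichever way each site puts its own default route into EIGRP (the ASA's tracked default from the earlier posts, or a static on the 3550 that is redistributed), the other site's copy arrives across the T1 with a far worse metric and is installed only after the local default is withdrawn; `show ip eigrp topology all-links` shows both paths while the local one is active.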