EIGRP Implementation guidelines/best practice

ALIAOF_
Level 6

I am in the process of configuring EIGRP on my 4948E switch. I am posting the config below and would like some feedback on best practice, guidelines, etc. Thank you in advance:

I have 6 VLAN interfaces configured

Then I have some VLANs that do not have interfaces here but have interfaces on another L3 switch:

Vlan1      192.168.0.49
Vlan5      10.1.5.2
Vlan9      172.16.1.249
Vlan48     10.1.48.249
Vlan200    10.1.200.249
Vlan250    10.1.250.249

- When I configure EIGRP on the other L3 switch, I can have the same AS number on that as well, right?

- For the EIGRP config am I missing anything below?

- We also have an ASA firewall for the VPNs, so on that firewall I will set up reverse route injection on all the crypto maps, but I am assuming I need to add all the networks to this access list as well?

key chain EIGRP_KEY
 key 10
  key-string 7 xxxxxxxxxxxxxxxxxxxx
!
interface Vlan1
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 EIGRP_KEY
!
(and so on for the rest of the VLANs)
!
router eigrp 10
 distribute-list 10 in
!
access-list 10 permit 10.1.200.0 0.0.0.255
access-list 10 permit 10.1.250.0 0.0.0.255
access-list 10 permit 10.1.160.0 0.0.0.255
access-list 10 permit 10.1.150.0 0.0.0.255
access-list 10 permit 10.1.136.0 0.0.3.255
access-list 10 permit 10.1.132.0 0.0.3.255
access-list 10 permit 10.1.128.0 0.0.3.255
access-list 10 permit 10.1.48.0 0.0.0.255
access-list 10 permit 10.1.14.0 0.0.0.255
access-list 10 permit 10.1.13.0 0.0.0.255
access-list 10 permit 10.1.8.0 0.0.0.255
access-list 10 permit 10.1.7.0 0.0.0.255
access-list 10 permit 10.1.5.0 0.0.0.255
access-list 10 permit 10.1.4.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255

6 Replies

Richard Burts
Hall of Fame

If you want the two switches to exchange EIGRP routing updates then they must both use the same AS number. If they use different AS numbers then they will not form an EIGRP neighbor relationship and will not advertise to each other.

Your access list 10 includes entries for the local subnets. This is not necessary. The access list used in the distribute list is to permit advertisement of subnets to this switch/router. The local subnets are known as local and will not be advertised (and if they were advertised, the advertisement would not be used, because a locally connected subnet is always preferred over an EIGRP-learned subnet).

One thing that you might consider is whether to make some of the interfaces passive in EIGRP. You want a network statement for each interface/subnet that you want to advertise. And this will result in EIGRP sending hello messages and possibly routing updates out each of those interfaces. But if there is no EIGRP neighbor connected on that interface then there is no need to send EIGRP packets out that interface. When you make an interface passive then EIGRP will still advertise the subnet but will not send EIGRP packets out that interface.

HTH

Rick


Thank you for the reply, I understand the same AS number part.

So I can remove the local subnets from access-list 10 and add the networks that are on the second L3 switch, for instance, and vice versa. For instance, on the second L3 switch there is a VLAN 10.1.128.0 255.255.252.0, so on this switch I will add that in ACL # 10 (in).

Now to advertise the networks I can create another ACL # 20 for instance and do "distribute-list 20 out"?

About making interfaces passive: there will be another switch connected to this 4948E switch in a GLBP configuration, so I believe that because of that I should not make the interfaces passive. Am I on the right track with that?

This is what I did:

router eigrp 10
 distribute-list 10 in
 distribute-list 20 out
!
! all these interfaces are on the 3750x L3 switch
access-list 10 permit 10.1.160.0 0.0.0.255
access-list 10 permit 10.1.150.0 0.0.0.255
access-list 10 permit 10.1.136.0 0.0.3.255
access-list 10 permit 10.1.132.0 0.0.3.255
access-list 10 permit 10.1.128.0 0.0.3.255
access-list 10 permit 10.1.14.0 0.0.0.255
access-list 10 permit 10.1.13.0 0.0.0.255
access-list 10 permit 10.1.8.0 0.0.0.255
access-list 10 permit 10.1.7.0 0.0.0.255
access-list 10 permit 10.1.4.0 0.0.0.255
!
! all these are on the 4948E L3 switch
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 20 permit 10.1.5.0 0.0.0.255
access-list 20 permit 172.16.1.0 0.0.0.255
access-list 20 permit 10.1.48.0 0.0.0.255
access-list 20 permit 10.1.200.0 0.0.0.255
access-list 20 permit 10.1.250.0 0.0.0.255

If you want to use a distribute list in and a distribute list out, you certainly can do this.

If there is an EIGRP router connected on an interface then it makes sense to have that interface not passive. I made the suggestion because it seemed to me possible that some switch interfaces might have users or servers connected but not an EIGRP neighbor.

HTH

Rick


Thank you for the reply. I am getting a bit confused about the passive interface.

I have VLANs 1, 5, 200 and 250. No physical interfaces are configured with an IP address. Basically, all the other switches and other network devices have their management IPs in VLAN 200. So the second 4948E will be connected to this switch via a port channel and will have an IP on VLAN 200, but I will also have other VLAN IPs configured on it for the GLBP.

3750x L3 switch has VLAN 4,7,8,9,128,132,136 interfaces configured.

So I am confused about which VLAN interfaces I need to go into and set up as passive interfaces. I am assuming that since VLANs 128, 132 and 136 on the 3750x have users and servers, I should make them passive. Also, on the 4948s VLAN 1 has servers, so make that passive? Thank you in advance.

I am a bit confused about your explanation of the network. I think that I understand that you have two 4948E switches. And I think that I understand that these switches use VLAN 200 as the management VLAN. So I definitely would make this one not passive. I think that they also have VLANs 1, 5, and 250. But I am not sure what is happening with these VLANs, so it is hard to give advice about whether to make them passive.

In general I would advocate that if you have two switches connected on multiple interfaces, they should be active on one or two VLANs/subnets but should not be active on all VLANs/subnets.

Then you mention a 3750 that has 7 VLANs. But none of these VLANs match up with VLANs on the 4948E switches. So I do not know what to advise about these VLANs.

But I do agree with your final statement that VLANs that have only servers and users (and no other routers or layer 3 switches) should be passive.

HTH

Rick


Sorry Richard let me elaborate a bit more:

SWITCH1 4948

SWITCH2 4948

Both of these are going to be configured with GLBP. They have VLANs 1, 5, 48, 9, 200 and 250 as interfaces (an IP on all of those VLANs); VLANs 4, 7, 8, 128, 132 and 136 are just in the VLAN database.

Switch 3750x (Stacked)

This has VLANs 4, 7, 8, 128, 132 and 136 as interfaces (an IP on all of those VLANs). VLANs 1, 5, 48, 9 and 250 are just in the VLAN database. *** Now, since this switch also has VLAN 200 configured with an IP address, I will leave that one as an active interface and the rest of them will be passive. And I will do the same for the 4948s above: make VLAN 200 active, and VLANs 1, 5, 48, 9 and 250 will be passive because those are only used for workstation and server connectivity, DMZ, etc. ***
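The design settled on in this thread (VLAN 200 active toward the other 4948E and the 3750x stack, every other SVI passive, MD5 authentication only where hellos are actually sent, inbound filter limited to the remote subnets, outbound filter limited to the local ones) written out as one IOS configuration for a 4948E. This is an added example, not the poster's or Cisco's own config: the /24 masks on the SVIs, the key string placeholder, and the assumption that the only EIGRP neighbors sit on VLAN 200 are mine.

```cisco
! Added example for one 4948E (not from the thread). Assumptions: /24 masks on
! every SVI, a placeholder key string, and EIGRP neighbors reachable only via
! VLAN 200 (the second 4948E and the 3750x stack).
key chain EIGRP_KEY
 key 10
  key-string REPLACE_WITH_SHARED_SECRET
!
! Authentication is only needed where EIGRP packets are actually sent: VLAN 200.
interface Vlan200
 ip address 10.1.200.249 255.255.255.0
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 EIGRP_KEY
!
! Workstation, server and DMZ SVIs: advertised by EIGRP, but kept passive below.
interface Vlan1
 ip address 192.168.0.49 255.255.255.0
!
interface Vlan5
 ip address 10.1.5.2 255.255.255.0
!
interface Vlan9
 ip address 172.16.1.249 255.255.255.0
!
interface Vlan48
 ip address 10.1.48.249 255.255.255.0
!
interface Vlan250
 ip address 10.1.250.249 255.255.255.0
!
router eigrp 10
 ! One network statement per subnet to advertise (wildcard form, so the
 ! classful 10.0.0.0 statement does not silently enable every 10.x SVI).
 network 192.168.0.0 0.0.0.255
 network 10.1.5.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 network 10.1.48.0 0.0.0.255
 network 10.1.200.0 0.0.0.255
 network 10.1.250.0 0.0.0.255
 ! Passive by default, then un-passive only the VLAN that carries neighbors.
 ! No hellos reach user/server/DMZ VLANs, so nothing there can try to peer
 ! with the switch, while the subnets are still advertised.
 passive-interface default
 no passive-interface Vlan200
 ! Inbound: accept only the 3750x subnets. Local subnets are connected routes
 ! and never need to be permitted here.
 distribute-list 10 in
 ! Outbound: advertise only this switch's own subnets.
 distribute-list 20 out
 no auto-summary
!
! Subnets learned from the 3750x stack (list taken from the thread).
access-list 10 permit 10.1.160.0 0.0.0.255
access-list 10 permit 10.1.150.0 0.0.0.255
access-list 10 permit 10.1.136.0 0.0.3.255
access-list 10 permit 10.1.132.0 0.0.3.255
access-list 10 permit 10.1.128.0 0.0.3.255
access-list 10 permit 10.1.14.0 0.0.0.255
access-list 10 permit 10.1.13.0 0.0.0.255
access-list 10 permit 10.1.8.0 0.0.0.255
access-list 10 permit 10.1.7.0 0.0.0.255
access-list 10 permit 10.1.4.0 0.0.0.255
!
! Subnets owned by the 4948E pair.
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 20 permit 10.1.5.0 0.0.0.255
access-list 20 permit 172.16.1.0 0.0.0.255
access-list 20 permit 10.1.48.0 0.0.0.255
access-list 20 permit 10.1.200.0 0.0.0.255
access-list 20 permit 10.1.250.0 0.0.0.255
```

After applying it, `show ip eigrp neighbors` should list only peers on Vlan200, `show ip eigrp interfaces` should show Vlan200 as the only interface with peers, and `show ip protocols` lists the passive interfaces and the distribute lists in effect. The same pattern applies to the 3750x stack with the VLAN and access-list roles swapped, and on both the 4948Es the GLBP gateway VLANs stay passive because GLBP does not depend on EIGRP hellos crossing those VLANs.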