EIGRP not passing through trunk ports

lucas.shelton1
Level 1

We are setting up EIGRP for gateway failover to a redundant data center and I'm having issues getting EIGRP (or OSPF for that matter) to form an adjacency. I've attached a diagram of our setup but a brief description below:

Campus LAN eventually hits a Nexus 5596, trunked to a 3560 that serves as the default gateway. On the 3560 there's an Int VLAN 7 10.7.0.254. This 3560's DG is a Palo Alto, which eventually hits the internet. For redundancy we have a fiber link from the 3560 to an offsite DC that hits another 5596, then another 3560 with an Int VLAN 8 10.8.0.254. On both 5596s there is also an Int VLAN 999 with 192.168.1.1 & 192.168.1.2. I can PING the Int VLAN 999 of the other 3560 on each switch. However they are not forming an adjacency. Is something configured incorrectly with my trunks? The VLANs are present on each 5596 & 3560. See diagram to fully understand.

23 Replies

devils_advocate
Level 7

Hi

To clarify, which switches in the diagram are you trying to form neighbourships between?

You have also said in your description that the Nexus 5596 switches have Vlan 999 and use 192.168.1.1 and .2 but the diagram shows the 3560s as having those IP addresses on Vlan 999?

If you are using Vlan 999 as your transit Vlan for EIGRP, does it exist on all 4 switches in the diagram and is it allowed on the Trunk ports between them?

What IP addresses (for Vlan 999) do each of the switches have?

Thanks

I figured it out, stupid mistake on my behalf. I wasn't advertising the 192.168 network on the 3560s, which is the only common IP they have in common.

To answer your question, the 5596s in this application are just to pass the traffic for those VLANs, no IPs configured (for this application). The 3560s have the IPs configured as SVIs.

Here's another question though. The 3560s at each site have their DGs out to the internet with IPs of the Palo Altos that are connected (PA3050s in diagram). The primary link is on the left side of the diagram. Should the PA go down, we need an automated failover to inject a new default route into the 5596. That's the real end goal here. So if PA on left of drawing goes down, I need EIGRP to inject a DG with a next hop of the 3560 on the right side. Which in turn has its DG set as the IP of the Palo Alto connected to it.

Do the Palo Alto devices peer with the 3560s? i.e. are they sharing routes via EIGRP or does the PA simply have static routes pointing back for the LAN Subnets?

Static routes pointing to the LAN subnets. That won't change in this scenario.

How are you injecting the default route into EIGRP at the moment?

We aren't. On the 5596 there is a static route pointing to the Palo. We plan on creating a routed interface on the 3560s and re-IPing the Palo Altos. Creating a DG on the 3560s pointing to their respective Palo Altos. Creating SVIs on the 3560s. Primary DG for the 5596 is the left side, if the Palo goes down, inject new DG pointing to right side.

So are the links between the 3560s and the firewalls going to be P2P links, i.e. if the firewall fails then the 3560 knows about it?

If so then you should configure a static default route on both 3560s and redistribute them both into EIGRP and then influence which route is chosen if both firewalls are up.

You can do this with the metrics when you redistribute or you can adjust the delay on certain interfaces.

Basically you want both default routes to be available on the Nexus switch but with the preferred route in use unless the primary firewall fails and if possible you want the backup default route to be a feasible successor although to be honest with your topology it isn't going to make much difference.

The above should work as long as when the primary firewall fails the 3560 connected to it knows it has failed and so will remove the static route from its routing table which means it won't be redistributed into EIGRP.

Jon
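
Jon's suggestion above, written out as an IOS configuration sketch for the two 3560s. This is an added example, not configuration posted in the thread: the next-hop addresses 192.0.2.1 and 198.51.100.1, the prefix-list and route-map names, and the seed metric values are placeholders, while EIGRP AS 1 is taken from the thread. It assumes the firewall links are routed P2P interfaces, so the static route is withdrawn when the link goes down.

```ios
! ---- Primary-site 3560 (left side of the diagram) ----
! 192.0.2.1 is a placeholder for the local Palo Alto's address on the P2P link.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Only the default route may leak from static into EIGRP.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list DEFAULT-ONLY
!
! Seed metric order: bandwidth (kbit/s), delay (tens of usec), reliability, load, MTU.
! Low delay makes this the preferred default while the primary firewall link is up.
router eigrp 1
 redistribute static metric 100000 10 255 1 1500 route-map STATIC-TO-EIGRP
!
! ---- Backup-site 3560 (right side of the diagram) ----
! 198.51.100.1 is a placeholder for the backup Palo Alto's address on the P2P link.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list DEFAULT-ONLY
!
! Same bandwidth, much higher delay: a worse composite metric, so this default
! is only installed downstream when the primary one has been withdrawn.
router eigrp 1
 redistribute static metric 100000 1000 255 1 1500 route-map STATIC-TO-EIGRP
```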

Yes, P2P links between the Palo and 3560. I'll lab up your EIGRP recommendation this afternoon and post the results.

One last question, and maybe it's for a different thread. In Cisco's VIRL I'm having an issue with the two 3560s that are connected to the Nexus 5596s forming an EIGRP adjacency. In my application the ports connecting both 3560s to the 5596s are just trunk ports, they aren't configured on the Nexus as routed ports. On NX-OS can you do it this way, or do the ports need to be routed ports?

Haven't used Nexus but as far as I know you should be able to use an SVI for peering.

It is just a L3 interface after all.

Jon

There is no SVI on the Nexus. The SVIs are on the 3560s, trunked through the Nexus.

I don't follow.

I thought you wanted EIGRP routes passed from the 3560s to the Nexus switches?

If so then the Nexus switches need a L3 interface to peer with the corresponding 3560.

This can either be an SVI or a L3 port but you need something.

Have I misunderstood what you are trying to do?

Jon

Yep, that's what I'm trying to accomplish. Excuse my previous statement. So I've created an SVI on the Nexus 10.7.0.2/24, created SVI on 3560 10.7.0.254/24, there is a trunk link between the switches allowing all VLANs. I can PING between the two SVIs.

On 3560 I have:

router eigrp 1
 network 10.7.0.0 0.0.0.255
 eigrp router-id 10.7.0.254

On the Nexus the setup is a bit different, you don't specify a network under the eigrp command.  So I have:

router eigrp 1

Then I have:

interface Vlan7
 no shutdown
 ip address 10.7.0.2/24
 ip router eigrp 1

No adjacency forms.

The configuration looks fine.

Have you tried debugging on both the switches?

Jon
