12-04-2014 11:33 AM - edited 03-07-2019 09:47 PM
Hello
What kind of problems could arise by using the key chain EIGRP config?
How would this correctly be implemented?
I recently migrated to a new ASA and DMZ architecture.
The old architecture looked like:
Traffic coming into the network would hit the DMZ_1 switch, then go to the ASA, back to the DMZ switch and then across a TRUNK to the CORE.
- All the ASA interfaces connected to this one DMZ switch.
- The DMZ_1 switch has EIGRP and uses the "key chain EIGRP" commands.
The new architecture looks like:
Traffic coming into the network would hit the DMZ_1 switch, then go to the ASA. The Inside interface and DMZ interfaces now connect to a new switch, DMZ_2, which then has (2) Trunks to the Core. The DMZ_1 switch no longer has a Trunk to the Core.
1) for Inside traffic
2) for DMZ traffic
My ASA uses EIGRP and advertises the Inside interface ip address as the default gateway.
The ASA does not have the "key chain EIGRP" commands.
The DMZ_2 switch config was pretty much copied from DMZ_1, with changes based on the new Trunk links.
This switch does not appear to have received the default gateway from the ASA.
Both the ASA and DMZ_2 see each other in the EIGRP neighbor table.
12-04-2014 12:37 PM
Steve
The key chain commands in EIGRP are used for authentication.
The confusing part of your post is that you say the original switch, DMZ_1, has the key chain commands but the ASA doesn't, and yet it was working.
Does this mean you didn't need the default route from the ASA on the DMZ_1 switch before?
Jon
12-04-2014 01:38 PM
Jon
Thank you for the response.
From what little I have read and seen, I thought the key statement on only the DMZ switch was peculiar, especially since it is working.
No, the current DMZ_1 switch receives the default gateway via EIGRP from the current ASA.
In DMZ_2, I see the ASA Inside interface in the EIGRP neighbor table.
What would prevent the DMZ_2 switch from obtaining the default gateway dynamically from the ASA?
12-04-2014 01:44 PM
Steve
Have you looked at the full topology table on the new switch, i.e.
"sh ip eigrp topology all-links"?
Jon
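As an added example (not taken from any post in this thread, and not the poster's actual configuration): the EIGRP authentication that Jon's first reply refers to, shown on the IOS switch side and the ASA side so that the two match, followed by the show commands (including the "sh ip eigrp topology all-links" check from his last reply) used to verify the result. The AS number (100), the key chain name EIGRP, the key-id, the key string, the VLAN/interface names and the addresses are all assumed values for illustration. The point worth seeing in the switch half is that the global "key chain" block only defines keys; nothing is authenticated until the interface facing the ASA also carries the two "ip authentication" lines, which is how a switch can hold a "key chain EIGRP" block and still peer with an ASA that has no authentication configured at all.

```text
! ---- IOS switch (DMZ_1 / DMZ_2) ----
! Global key chain. Defining it does nothing by itself; it must be
! applied per interface below. Key string is an assumed value and
! must match the ASA exactly (key-id 1 on the ASA = "key 1" here).
key chain EIGRP
 key 1
  key-string s3cretEIGRPkey
!
! Interface that peers with the ASA inside interface (assumed VLAN 10).
! Only the two "ip authentication" lines turn authentication on.
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP
!
router eigrp 100
 network 10.0.10.0 0.0.0.255
 passive-interface default
 no passive-interface Vlan10
!
! ---- ASA, inside interface ----
! The ASA has no "key chain" command; the key and key-id are set
! directly on the interface and must match "key 1" / key-string above.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
 authentication mode eigrp 100 md5
 authentication key eigrp 100 s3cretEIGRPkey key-id 1
!
router eigrp 100
 network 10.0.10.0 255.255.255.0
 ! One common way for the ASA to originate the 0.0.0.0/0 route:
 ! redistribute its own static default route into EIGRP.
 redistribute static
!
! ---- Verification ----
! switch: show key chain
!         show ip eigrp neighbors
!         show ip eigrp topology all-links
!         show ip route eigrp
! ASA:    show eigrp neighbors
!         show eigrp topology
```

Two practical caveats follow from this. First, if authentication is applied on the switch interface but the ASA key or key-id does not match, EIGRP drops the hello packets and the adjacency never forms, so the ASA would not appear in the neighbor table at all; a neighbor that is up but a default route that is missing is therefore not an authentication mismatch and is better investigated with the topology and route commands above (and by confirming the ASA is actually originating 0.0.0.0/0 on that interface). Second, key strings in a "key chain" are stored in the running configuration, so the switch config should be treated as sensitive and the key rotated by adding a second "key" entry with accept/send lifetimes on both sides rather than by changing the single key in place.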