ospf eigrp route distribution please help

netternewbie
Level 1

Hi folks,

New to networking and first time to post here. Would be grateful if anyone could help me on this problem. I have just started a new job in a relatively big campus environment with approx 20 3750 routers and 70 switches and maybe 50 APs.

The network runs both ospf and eigrp. It seems a relatively simple network setup where user traffic is routed through ospf and management traffic of network devices is routed using eigrp. So each router would be configured as follows:

router eigrp 1
 network 172.16.0.0 0.0.255.255
 passive-interface default
 no passive-interface GigabitEthernet1/0/12
!
router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/12
 network 10.0.0.0 0.0.0.255 area 1

So our desktop users would get an IP address of 10.0.0.50 etc., address ranges routed by OSPF. Our routers, switches and APs get an IP address in the range 172.16.0.0/23, which is routed by EIGRP. I think the idea of this is not to let normal users have telnet/ssh access to our network equipment. We have a server in the 172.16.0.0/23 network to allow the IT department to access the equipment.

To my surprise yesterday I was able to telnet from my desktop pc 10.0.0.100 to a network switch 172.16.0.50. I presume I shouldn't have been able to do this as there are two different routing protocols for these ranges? Could we have route distribution configured somewhere? Or am I totally on the wrong track here?

Any help at all would be greatly appreciated.

Thanks.

5 Replies

Giuseppe Larosa
Hall of Fame

Hello Netter,

The use of two different routing protocols doesn't provide a complete separation between the 10/8 and 172.16.0.0/23 IP networks. This would be provided by the use of VRFs, which are separate routing and forwarding tables.

When the packet is sent with source 10.0.0.100 and destination 172.16.0.50, it is routed via EIGRP (based on destination) on the management network. The return packet with source 172.16.0.50 and DA = 10.0.0.100 is routed by OSPF in the user data network, if the target switch runs both OSPF and EIGRP.

If it is an L2 switch, it can follow the path to the default route on the return path. The default route can be originated by an L3 device that runs both EIGRP and OSPF.

This is the reason why I have written that the use of two different routing protocols does not prevent communication between 10/8 and 172.16.0.0/23.

The communication can be achieved even without redistribution by following the default route, which for both routing domains may point to the same device or device pair speaking both EIGRP and OSPF.

You can check if redistribution has been performed using

show ip eigrp topology 10.0.0.0
show ip ospf database external

You can check the path to the default route using

show ip route 0.0.0.0

Hope to help

Giuseppe


Your answer makes sense. It seems the thinking here was wrong about having two separate routing protocols, as the router will still use the one routing table. Is this true? All our routers run both protocols.

When I do a show ip eigrp topology command I get:

Routing entry for 172.16.10.0/24
  Known via "eigrp 1", distance 90, metric 3072, type internal
  Redistributing via eigrp 1

Is there redistributing happening here? I have omitted some of the answer for security reasons.

I guess the best way for me to stop users telnetting to switches and APs is to put an ACL on the mgt VLAN on each router.

Thanks,

Netter

The router will only have one routing table. If the router is running 2 routing protocols, this does not mean you will have 2 separate routing tables. As Giuseppe said, you can use VRFs, which would mean 2 separate routing tables, or you could use ACLs on certain interfaces to stop users accessing management IP addresses.

But without vrfs a router will simply use one routing table and routes learnt by both EIGRP and OSPF can be used to populate it.

Jon
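The single-table behaviour described in the replies above, as an added example that is not part of the original thread: a one-router model in Python showing that a lookup is a longest-prefix match on destination regardless of which protocol installed the route, and that only a per-VRF table removes the path. The route list is constructed from the thread's addressing; the VRF names USERS and MGMT, the egress interfaces Vlan10 and Vlan99, and the helper names are assumptions.

```python
import ipaddress

# Constructed sample routes modelled on the thread's addressing.
# VRF names and the Vlan10/Vlan99 egress interfaces are hypothetical.
ROUTES = [
    # (prefix, protocol, administrative distance, egress, vrf)
    ("10.0.0.0/24", "ospf", 110, "Vlan10", "USERS"),
    ("172.16.0.0/23", "eigrp", 90, "Vlan99", "MGMT"),
    ("172.16.10.0/24", "eigrp", 90, "Gi1/0/12", "MGMT"),
]

def build_rib(routes, vrf=None):
    """Install routes into one table; vrf=None models the global table (no VRFs)."""
    rib = {}
    for prefix, proto, ad, egress, route_vrf in routes:
        if vrf is not None and route_vrf != vrf:
            continue  # a VRF table only holds routes learned inside that VRF
        net = ipaddress.ip_network(prefix)
        # Same prefix offered by two protocols: lowest administrative distance wins
        if net not in rib or ad < rib[net][1]:
            rib[net] = (proto, ad, egress)
    return rib

def lookup(rib, dst):
    """Longest-prefix match on destination only; the installing protocol is irrelevant."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return (str(best),) + rib[best]

def reachable(rib, src, dst):
    """A TCP session needs a forward route to dst and a return route to src."""
    return lookup(rib, dst) is not None and lookup(rib, src) is not None

if __name__ == "__main__":
    global_rib = build_rib(ROUTES)            # both protocols, one table
    users_rib = build_rib(ROUTES, "USERS")    # table used for user-facing interfaces
    print("no VRFs  :", lookup(global_rib, "172.16.0.50"),
          reachable(global_rib, "10.0.0.100", "172.16.0.50"))
    print("USERS VRF:", lookup(users_rib, "172.16.0.50"),
          reachable(users_rib, "10.0.0.100", "172.16.0.50"))
```

The model covers a single hop with no default route; a default route present in the table would match the management destination as well, which is the case Giuseppe describes for L2 switches.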

Hello Netter,

There is only one routing table, and each device speaking both EIGRP and OSPF can route between 10/8 and the management network.

>> I guess the best way for me to stop users telnetting to switches and APs is to put an ACL on the mgt VLAN on each router.

I do agree

Hope to help

Giuseppe

Thanks Jon and Giuseppe for helping me out on this one.
