EIGRP Static Route Redistribution

robward
Level 1

Hi, I need some advice on the default behaviour of 'redistribute static'.

Background - we have a fully routed core network with Cat 6500's. Our Exchange network is behind an ISA firewall and is split across two 6500's for resilience. One of the 6500's routes traffic to exchange via ISA with a static route which is redistributed into EIGRP and propagated to the rest of the network i.e:

ip route x.x.252.0 255.255.255.0 x.x.42.10

x.x.42.10 is the IP address of the ISA Firewall.

I need to implement resilient routing for the Exchange network. I've tried adding the static route on the second 6500 and redistributing this, but this is causing a routing loop on our other routers that have connections to both of the Exchange routers:

    6500#sh ip route x.x.252.0
    Routing entry for x.x.252.0/24
      Known via "eigrp 138", distance 170, metric 3072, type external
      Redistributing via eigrp 138, bgp 64750
      Advertised by bgp 64750
      Last update from x.x.110.3 on Vlan3, 19:43:27 ago
      Routing Descriptor Blocks:
      * x.x.110.3, from x.x.110.3, 19:43:27 ago, via Vlan3
          Route metric is 3072, traffic share count is 1
          Total delay is 20 microseconds, minimum bandwidth is 1000000 Kbit
          Reliability 255/255, minimum MTU 1500 bytes
          Loading 1/255, Hops 1
        x.x.1.26, from x.x.1.26, 19:43:27 ago, via Vlan806
          Route metric is 3072, traffic share count is 1
          Total delay is 20 microseconds, minimum bandwidth is 1000000 Kbit
          Reliability 255/255, minimum MTU 1500 bytes
          Loading 1/255, Hops 1
        x.x.1.9, from x.x.1.9, 19:43:27 ago, via Vlan802
          Route metric is 3072, traffic share count is 1
          Total delay is 20 microseconds, minimum bandwidth is 1000000 Kbit
          Reliability 255/255, minimum MTU 1500 bytes
          Loading 1/255, Hops 1

The first route above via Vlan3 is from an old link that we'll be taking out of service shortly and originates from the same 6500 as the second route.

The third route is the one which I think is causing the loop and comes from the second 6500 that I tried to add the static route to.

I don't understand why the third route gives a hop count of 1 when the IP Address for ISA is not active on that router?

I hope this makes sense, if not please ask and I'll try to clarify!

Any tips would be appreciated?


Edison Ortiz
Hall of Fame

> I don't understand why the third route gives a hop count of 1 when the IP Address for ISA is not active on that router?

It's one hop away from the device performing the redistribution, not the destination IP.

OK, I'm lost as to why I'm getting a routing loop then. I'd have thought EIGRP would use the correct route?

Can you post a traceroute from the routers experiencing the loop?

If both 6500s are redistributing static, the leaf routers will see two routes and should load-balance between the two 6500s.

Something is missing from your post that is causing the loop. Posting the configs will help.

The affected Routers are connected to both of the 6500's on Ten Gigabit links.

The static route is:

ip route x.x.252.0 255.255.255.0 x.x.42.10

I have EIGRP configured with 'redistribute static'.

Traceroutes look like each 6500 is trying to send the packet back to the other but only one of them (the original 6500) is routing for the x.x.42.x network that the ISA Firewall is on:

    rb-cs1#traceroute x.x.252.74
    Type escape sequence to abort.
    Tracing the route to imap.x.x (x.x.252.74)
      1 ct-cs1-rb-cs1.x.x (x.x.1.9) 0 msec
        mr-cs3-rb-cs1.x.x (x.x.1.26) 0 msec
        mr-cs3.x.x (x.x.110.3) 0 msec
      2 mr-cs2-ct-cs1.x.x (x.x.1.6) 0 msec * *
      3 mr-cs3-mr-cs2.x.x (x.x.1.14) 0 msec * *
      4 * * *
      5 * * *
      6 * * *
      7 * * *
      8 * * *
      9

For info mr-cs3 is the original 6500 that's routing for the x.x.42.x network. Rb-cs1 is the router in 'the middle' and ct-cs1 is the other router that has the static route applied.

I can post configurations if necessary but they are quite big; these are heavily populated 6509s!

You can cut down the layer2 stuff.

Try this command

show run | be router

and post its output here. I suggest you sanitize it and just leave the last 2 octets on IP addresses.

Here's the mr-cs3 configuration:

    router eigrp 138
     redistribute static
     passive-interface Vlan7
     passive-interface Vlan254
     passive-interface Vlan442
     passive-interface Vlan520
     passive-interface Vlan521
     passive-interface Vlan522
     network x.x.0.0
     distribute-list 15 out Vlan3
     no auto-summary
     no eigrp log-neighbor-changes
    !
    ip classless
    ip route x.x.42.112 255.255.255.240 x.x.42.98
    ip route x.x.42.128 255.255.255.240 x.x.42.98
    ip route x.x.42.144 255.255.255.240 x.x.42.98
    ip route x.x.252.0 255.255.255.0 x.x.42.10
    ip route x.x.253.0 255.255.255.0 x.x.42.10
    ip route x.x.247.128 255.255.255.128 x.x.247.2
    ip flow-export destination x.x.119.223 9996
    no ip http server
    ip pim rp-address x.x.27.1 override
    !
    logging x.x.100.139
    logging x.x.110.210
    access-list 15 permit x.x.0.0 0.0.255.255
    access-list 15 permit x.x.247.0 0.0.0.255
    access-list 15 deny any
    access-list 30 permit x.x.99.186
    access-list 30 permit x.x.8.17
    access-list 30 permit x.x.5.210
    access-list 30 permit x.x.5.194
    access-list 30 permit x.x.5.178
    access-list 30 permit x.x.31.0 0.0.0.255
    access-list 30 permit x.x.100.0 0.0.0.255
    access-list 30 permit x.x.102.0 0.0.1.255
    access-list 30 permit x.x.110.0 0.0.0.255
    access-list 30 permit x.x.134.0 0.0.0.255
    access-list 30 permit x.x.241.0 0.0.0.255
    access-list 30 permit x.x.253.0 0.0.0.255
    access-list 30 deny any
    access-list 40 permit x.x.100.45
    access-list 40 permit x.x.102.151
    access-list 40 permit x.x.100.139
    access-list 40 permit x.x.5.210
    access-list 40 permit x.x.5.194
    access-list 40 permit x.x.5.178
    access-list 40 permit x.x.31.153
    access-list 40 permit x.x.31.154
    access-list 40 permit x.x.31.150
    access-list 40 permit x.x.31.151
    access-list 40 permit x.x.110.0 0.0.0.255
    access-list 40 deny any
    access-list 100 permit ip x.x.64.0 0.0.0.255 x.x.0.0 0.0.255.255
    access-list 100 permit icmp x.x.64.0 0.0.0.255 x.x.0.0 0.0.255.255
    access-list 102 permit ip x.x.138.0 0.0.0.255 host x.x.137.20
    access-list 102 permit ip x.x.213.0 0.0.0.255 host x.x.137.20
    access-list 102 permit ip x.x.137.0 0.0.0.255 host x.x.137.20
    access-list 102 permit tcp any host x.x.137.20 eq domain
    access-list 102 permit tcp any host x.x.137.20 eq www
    access-list 102 deny ip any host x.x.137.20
    access-list 102 permit ip x.x.138.0 0.0.0.255 host x.x.137.14
    access-list 102 permit ip x.x.213.0 0.0.0.255 host x.x.137.14
    access-list 102 permit ip x.x.137.0 0.0.0.255 host x.x.137.14
    access-list 102 permit tcp any host x.x.137.14 eq 443
    access-list 102 permit tcp any host x.x.137.14 eq www
    access-list 102 deny ip any host x.x.137.14
    access-list 102 permit ip any x.x.215.0 0.0.0.255
    access-list 102 permit ip any x.x.216.0 0.0.0.255
    access-list 102 permit ip any x.x.213.0 0.0.0.255
    access-list 102 permit ip any x.x.137.0 0.0.0.255
    access-list 130 deny tcp any any eq 135
    access-list 130 deny udp any any eq 135
    access-list 130 permit ip any any
    access-list 1020 deny FFFFFFFF 640
    access-list 1020 permit FFFFFFFF
    !
    snmp-server engineID local 000000090200000021000000
    snmp-server community snmaccess RO 40
    snmp-server ifindex persist
    snmp-server packetsize 8192
    snmp-server enable traps chassis
    snmp-server enable traps module
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server host x.x.31.150 swread chassis module envmon
    !
    radius-server source-ports 1645-1646
    control-plane
    !
    !
    !
    dial-peer cor custom
    !
    !
    !
    !
    line con 0
     exec-timeout 20 0
     password 7 1104181D1E
     login authentication CON
    line vty 0 4
     access-class 30 in
     exec-timeout 20 0
     password 7 082C4D5600
     login authentication VTY
    line vty 5 15
     access-class 30 in
     exec-timeout 20 0
     password 7 082C4D5600
     login authentication VTY
    !
    ntp clock-period 17179986
    ntp update-calendar
    ntp server x.x.31.3
    ntp server x.x.31.2
    no cns aaa enable
    end

Here's the ct-cs1 configuration - the static route has been removed for now:

    router eigrp 138
     redistribute static
     network x.x.0.0
     no auto-summary
    !
    ip classless
    !
    no ip http server
    !
    logging x.x.100.139
    logging x.x.110.210
    access-list 15 permit x.x.0.0 0.0.255.255
    access-list 15 permit x.x.93.0 0.0.0.255
    access-list 15 permit x.x.245.0 0.0.0.255
    access-list 15 permit x.x.246.0 0.0.0.255
    access-list 15 permit x.x.247.0 0.0.0.255
    access-list 15 permit x.x.0.0 0.0.63.255
    access-list 15 permit x.x.247.128 0.0.0.127
    access-list 15 deny any
    access-list 30 permit x.x.99.186
    access-list 30 permit x.x.8.17
    access-list 30 permit x.x.5.210
    access-list 30 permit x.x.5.194
    access-list 30 permit x.x.5.178
    access-list 30 permit x.x.31.0 0.0.0.255
    access-list 30 permit x.x.100.0 0.0.0.255
    access-list 30 permit x.x.102.0 0.0.1.255
    access-list 30 permit x.x.110.0 0.0.0.255
    access-list 30 permit x.x.134.0 0.0.0.255
    access-list 30 permit x.x.241.0 0.0.0.255
    access-list 30 permit x.x.253.0 0.0.0.255
    access-list 30 deny any
    access-list 40 permit x.x.100.45
    access-list 40 permit x.x.102.151
    access-list 40 permit x.x.100.139
    access-list 40 permit x.x.5.210
    access-list 40 permit x.x.5.194
    access-list 40 permit x.x.5.178
    access-list 40 permit x.x.31.153
    access-list 40 permit x.x.31.154
    access-list 40 permit x.x.31.150
    access-list 40 permit x.x.31.151
    access-list 40 permit x.x.110.0 0.0.0.255
    access-list 40 deny any
    access-list 100 permit ip x.x.64.0 0.0.0.255 x.x.0.0 0.0.255.255
    access-list 100 permit icmp x.x.64.0 0.0.0.255 x.x.0.0 0.0.255.255
    access-list 101 permit ip x.x.0.0 0.0.255.255 x.x.5.224 0.0.0.15
    access-list 101 permit icmp x.x.0.0 0.0.255.255 x.x.5.224 0.0.0.15
    access-list 130 deny tcp any any eq 135
    access-list 130 deny udp any any eq 135
    access-list 130 permit ip any any
    !
    snmp-server community snmaccess RO 40
    snmp-server ifindex persist
    snmp-server packetsize 8192
    snmp-server enable traps chassis
    snmp-server enable traps module
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server host x.x.31.150 swread
    !
    radius-server source-ports 1645-1646
    !
    control-plane
    !
    !
    !
    dial-peer cor custom
    !
    !
    !
    line con 0
     exec-timeout 20 0
     password 7 04560A1E06
     login authentication CON
    line vty 0 3
     access-class 30 in
     exec-timeout 20 0
     password 7 09414F1110
     login authentication VTY
     transport input telnet
    line vty 4
     access-class 30 in
     exec-timeout 20 0
     password 7 09414F1110
     login authentication VTY
    line vty 5 15
     access-class 30 in
     exec-timeout 20 0
     password 7 09414F1110
     login authentication VTY
    !
    ntp clock-period 17179879
    ntp update-calendar
    ntp server x.x.31.3
    ntp server x.x.31.2
    no cns aaa enable
    end

Kevin Dorrell
Level 10

What does your BGP 64750 do? Do you have any other BGP ASs in your topology, and do they have redistribution with EIGRP? Just a thought - the BGP might be part of the equation.

Kevin Dorrell

Luxembourg

WRT BGP - this advertises our address range to our ISP. We receive only a default route from them via BGP. There are no other BGP Peerings but this one.

Can you clarify a couple of things.

Does mr-cs3 have this static route 'ip route x.x.252.0 255.255.255.0 x.x.42.10' in its config?

If it does then can you get to the x.x.252.0 network from mr-cs3?

Thanks for this gents!

Yes mr-cs3 does have the static route in its configuration but I've currently removed it from ct-cs1. Things work at the moment, the problem is when I add the static route to ct-cs1 and it's redistributed via EIGRP.

Bump, still stuck on this guys, anyone got any ideas?

You are adding an ip route x.x.252.0 255.255.255.0 x.x.42.10 on ct-cs1. You say that "the IP address of the ISA is not active on that router". Are you sure of that? It may not have a complete path to the ISA, but does it think it has a route?

Go to ct-cs1 and do show ip route x.x.42.10. What do you have? If it thinks it has a route, then it will redistribute, regardless of real reachability.

Kevin Dorrell

Luxembourg
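The check described in the post above, as an added example that is not part of the thread: a simplified model of recursive next-hop resolution, showing that a static route is installed (and so eligible for 'redistribute static') whenever its next hop resolves through any route in the table, including one learned via EIGRP. The 10.0.* addresses stand in for the sanitised x.x.* ones, the /30 link masks are assumed, and the function names are hypothetical.

```python
import ipaddress

# Constructed RIB for a router in ct-cs1's position. The thread sanitises
# addresses as x.x.*, so 10.0.* stands in; the /30 link masks are assumed.
RIB = [
    {"prefix": "10.0.1.4/30", "source": "connected", "via": ["Vlan801"]},
    {"prefix": "10.0.1.8/30", "source": "connected", "via": ["Vlan802"]},
    {"prefix": "10.0.42.0/27", "source": "eigrp", "via": ["10.0.1.10", "10.0.1.6"]},
]
STATICS = [("10.0.252.0/24", "10.0.42.10")]  # ip route <prefix> <mask> <next hop>

def lookup(rib, addr):
    """Longest-prefix match for addr; None when no route covers it."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in rib if ip in ipaddress.ip_network(r["prefix"])]
    return max(hits, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen,
               default=None)

def resolve(rib, next_hop, depth=0):
    """Recursively resolve a next-hop IP to (exit interface, neighbour) pairs."""
    route = lookup(rib, next_hop)
    if route is None or depth > 8:  # unresolvable, or runaway recursion
        return []
    if route["source"] == "connected":
        return [(route["via"][0], next_hop)]
    return [p for hop in route["via"] for p in resolve(rib, hop, depth + 1)]

def audit_statics(rib, statics):
    """Per static: is it installed, and how was its next hop learned?"""
    report = {}
    for prefix, next_hop in statics:
        covering = lookup(rib, next_hop)
        paths = resolve(rib, next_hop)
        report[prefix] = {
            # An installed static is what 'redistribute static' advertises.
            "installed": bool(paths),
            "next_hop_learned_via": covering["source"] if covering else None,
            "exits": paths,
        }
    return report

if __name__ == "__main__":
    print(audit_statics(RIB, STATICS))
    # Same router once the EIGRP route to the firewall subnet is gone.
    print(audit_statics([r for r in RIB if r["source"] != "eigrp"], STATICS))
```

A static whose next hop is reported as learned via a routing protocol rather than a connected subnet is the case to look at first: the router will advertise the prefix even though it only reaches the next hop through its neighbours.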

    ct-cs1new#sh ip route x.x.42.10
    Routing entry for x.x.42.0/27
      Known via "eigrp 138", distance 90, metric 3328, type internal
      Redistributing via eigrp 138
      Last update from x.x.1.6 on Vlan801, 5d19h ago
      Routing Descriptor Blocks:
      * x.x.1.10, from x.x.1.10, 5d19h ago, via Vlan802
          Route metric is 3328, traffic share count is 1
          Total delay is 30 microseconds, minimum bandwidth is 1000000 Kbit
          Reliability 255/255, minimum MTU 1500 bytes
          Loading 1/255, Hops 2
        x.x.1.6, from x.x.1.6, 5d19h ago, via Vlan801
          Route metric is 3328, traffic share count is 1
          Total delay is 30 microseconds, minimum bandwidth is 1000000 Kbit
          Reliability 255/255, minimum MTU 1500 bytes
          Loading 1/255, Hops 2

mr-cs3 is currently routing for the x.x.42.0/27 subnet and ISA (x.x.42.10) is active on mr-cs3 at present so ct-cs1 can see two routes through the network to ISA which is what I'd expect to see.

However when I add the static route:

ip route x.x.252.0 255.255.255.0 x.x.42.10

to ct-cs1 this is when the problem occurs, even though mr-cs3 is routing for the x.x.42.0/27 subnet.
