Multiple Default Routes to Internet

Unanswered Question
Dec 19th, 2008

Hi,

I am running EIGRP and have the default route to the Internet properly sent to all devices. Currently our Internet goes out through the same location for all three sites.

I have a new hub location that will have its own Internet connection but will be connected to the hub via a point to point circuit.

I have a 3560 performing my routing and it is getting its routing updates from EIGRP. I added a static route on the 3560 to route Internet traffic to its local ASA device.

My problem is trying to route Internet traffic across the point to point if the ASA device is down.

Any help would be greatly appreciated.

Jon Marshall Fri, 12/19/2008 - 14:03

James


Have you tried using floating statics eg. on the 3560


ip route 0.0.0.0 0.0.0.0 <next-hop: ASA inside address>

ip route 0.0.0.0 0.0.0.0 <next-hop: P2P router address> 250


Note the 250 at the end of the second ip route. This is the AD (Administrative Distance). If the ASA is up and reachable the ASA will be used. If the ASA goes down then it will route over the P2P because the route with the AD of 250 will be used.


If the ASA device comes back up the 3560 will then use the ASA again.


Jon

jkrysinski Fri, 12/19/2008 - 14:30

Hi Jon,


Thank you for the fast response.


I added the two static routes. I took the ASA down and the default route is still pointing to the ASA.


James

Jon Marshall Fri, 12/19/2008 - 14:34

James


Is the ASA the next-hop to your 3560 switch ?

Once the next-hop is unreachable the route should be removed from the 3560 routing table and replaced with the 250 static route.


Jon

jkrysinski Fri, 12/19/2008 - 14:46

Jon


Yes the ASA is the next hop from the 3560.


Below is my show ip route.


Gateway of last resort is 10.130.1.10 to network 0.0.0.0


100.0.0.0/24 is subnetted, 1 subnets

D EX 100.100.11.0 [170/30976] via 192.168.130.9, 03:00:31, Vlan11

D EX 192.168.15.0/24 [170/30976] via 192.168.130.9, 03:00:31, Vlan11

D EX 192.168.42.0/24 [170/30976] via 192.168.130.9, 03:00:31, Vlan11

D EX 192.168.128.0/24 [170/30976] via 192.168.130.9, 03:00:31, Vlan11

D EX 198.99.240.0/24 [170/30976] via 192.168.130.9, 03:00:31, Vlan11

D EX 192.168.9.0/24 [170/30976] via 192.168.130.9, 03:00:31, Vlan11

192.168.130.0/30 is subnetted, 1 subnets

C 192.168.130.8 is directly connected, Vlan11

D EX 172.16.0.0/16 [170/30976] via 192.168.130.9, 03:00:31, Vlan11

172.19.0.0/24 is subnetted, 1 subnets

D EX 172.19.2.0 [170/30976] via 192.168.130.9, 03:00:31, Vlan11

172.24.0.0/22 is subnetted, 1 subnets

D EX 172.24.0.0 [170/30976] via 192.168.130.9, 03:00:32, Vlan11

192.168.64.0/30 is subnetted, 2 subnets

D 192.168.64.8 [90/30976] via 192.168.130.9, 03:00:32, Vlan11

D 192.168.64.4 [90/286976] via 192.168.130.9, 03:00:32, Vlan11

D 192.168.65.0/24 [90/30976] via 192.168.130.9, 03:00:32, Vlan11

10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks

D 10.8.0.0/16 [90/28416] via 192.168.130.9, 03:00:32, Vlan11

D 10.18.0.0/16 [90/287232] via 192.168.130.9, 03:00:32, Vlan11

D 10.19.0.0/16 [90/287232] via 192.168.130.9, 03:00:32, Vlan11

D 10.16.0.0/16 [90/287232] via 192.168.130.9, 03:00:32, Vlan11

D 10.17.0.0/16 [90/287232] via 192.168.130.9, 03:00:32, Vlan11

D 10.32.0.0/16 [90/33536] via 192.168.130.9, 03:00:32, Vlan11

D EX 10.64.0.0/16 [170/30976] via 192.168.130.9, 03:00:32, Vlan11

D EX 10.130.0.0/16 [170/30976] via 192.168.130.9, 03:00:32, Vlan11

C 10.130.1.0/24 is directly connected, Vlan1

D EX 10.129.1.0/24 [170/30976] via 192.168.130.9, 03:00:32, Vlan11

D EX 10.128.1.0/24 [170/30976] via 192.168.130.9, 03:00:32, Vlan11

D EX 10.200.1.0/24 [170/30976] via 192.168.130.9, 03:00:32, Vlan11

165.72.0.0/24 is subnetted, 1 subnets

D EX 165.72.239.0 [170/30976] via 192.168.130.9, 03:00:32, Vlan11

S* 0.0.0.0/0 [1/0] via 10.130.1.10

Jon Marshall Fri, 12/19/2008 - 14:52

Okay, just to clarify then


you have 2 static routes on the 3560, one with an AD of 250.


Both next-hops in the static routes are up and pingable.


So when you shut down the ASA and ping it, the ping times out but you still have the same static route in the routing table?


Jon

jkrysinski Fri, 12/19/2008 - 14:56

Jon


Here are my static routes from the 3560. The IP of the 3560 is 10.130.1.1.


10.130.1.10 is the ASA

192.168.130.9 is the point to point router. The default route on the point to point router points to the hub.


ip route 0.0.0.0 0.0.0.0 10.130.1.10

ip route 0.0.0.0 0.0.0.0 192.168.130.9 250


If I take the ASA down, the default route still points to the ASA.

Jon Marshall Fri, 12/19/2008 - 15:07

James


That's strange because it should remove the route if the next-hop is unreachable.


What version of ASA software are you using?


What version of IOS and feature set, ie. IP Base or IP Services?


Jon

Jon Marshall Fri, 12/19/2008 - 15:30

James


I was going to suggest either


1) ip sla on the 3560 to monitor the availability of the next-hop and change if it goes down. But I believe you need the IP Services image


OR


2) Eigrp on the ASA for which you need version 8 - which you have.


So you could run an EIGRP process on your ASA, make all interfaces passive except for the inside interface and then either


1) use a "summary-address eigrp .." command to advertise a default-route to the 3560


OR


2) I assume you have a default-route already on the ASA. You could simply redistribute static into the EIGRP process.


For full details -


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1092871


Then if the ASA goes down the EIGRP process will go down and the static route with 250 will be installed into the routing table.


Note - you will need to remove the 0.0.0.0 route to 10.130.1.10 from your config for this to work.


Jon
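
An added worked example (not from the thread, and not Jon's or James's config) of the IP SLA option Jon mentions above: the 3560 probes the ASA with ICMP and withdraws the primary default route when the probe fails, so the AD-250 floating static takes over without any EIGRP on the firewall. It assumes the addresses given later in the thread (10.130.1.10 for the ASA inside interface, 192.168.130.9 for the point-to-point router, Vlan1 as the SVI facing the ASA) and an IP Services image on the 3560; the probe interval, timeout and track delay values are arbitrary choices.

```cisco
! Added example, not config from the thread.
! Assumed addresses: 10.130.1.10 = ASA inside, 192.168.130.9 = P2P router, Vlan1 = SVI facing the ASA.
! Requires the IP Services image on the 3560 (IP Base lacks "ip sla" and "track").
!
! Probe the ASA inside address every 5 s, sourced from the Vlan1 SVI so the reply
! comes back to the address the ASA already knows.
ip sla 1
 icmp-echo 10.130.1.10 source-interface Vlan1
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe. "delay" dampens flapping: the object goes down
! only after 10 s of failures and comes back up only after 30 s of success, so one
! lost echo does not bounce the default route between the ASA and the P2P link.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary default route is installed only while track 1 is up; the floating static
! with AD 250 toward the P2P router is used whenever the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 10.130.1.10 track 1
ip route 0.0.0.0 0.0.0.0 192.168.130.9 250
```

Check it with show track 1, show ip sla statistics 1 and show ip route 0.0.0.0 while the ASA is up and again after it is unplugged. Unlike link-state detection on a routed port, the probe also catches an ASA that is powered on but not forwarding; probing an address beyond the ASA (the ISP gateway, say) would additionally catch a dead upstream link, but then your failover depends on a host you do not control answering pings, so keep the probe target to something you own. If the ASA has icmp interface rules on inside, they must allow echo from the 3560's source address. On older 12.2 trains the track line is spelled track 1 rtr 1 reachability.
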


jkrysinski Fri, 12/19/2008 - 16:17

Jon,


I will give one of those a try on Monday.


Will the redistribution of static entries on the ASA into EIGRP affect my hub and other spokes?


Thank you for the help.


James

Jon Marshall Fri, 12/19/2008 - 23:06

James


It could do so the best thing to do would be to use a distribute-list on your 3560 to filter out that route and make sure it doesn't get sent to the main hub across the point-to-point.


Jon

jkrysinski Mon, 12/22/2008 - 14:08

Jon,


I tried adding a distribute-list on the 3560 to filter outbound updates. When I apply the acl I can't communicate to the hub. Below is the acl and the applying of the list on the 3560. I don't understand why all traffic is stopped when the acl is applied to the eigrp section. Your help is greatly appreciated.


access-list 100 permit ip 10.0.0.0 0.255.255.255 any

access-list 100 permit ip 192.168.0.0 0.0.255.255 any

access-list 100 deny ip any any




router eigrp 1

network 10.0.0.0

network 192.168.130.0

distribute-list 100 out

no auto-summary

Jon Marshall Mon, 12/22/2008 - 14:43

James


You are just trying to stop the default-route from the ASA being sent to the P2P router so -


access-list 1 deny 0.0.0.0

access-list 1 permit any

! the permit is required: a standard ACL ends in an implicit deny any, which would filter every route sent out Vlan11


router eigrp 1

distribute-list 1 out vlan 11


Jon
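
An added example (not config from the thread) putting together the ASA-originated default route from Jon's earlier post and the outbound filter he describes here, so the default from the spoke's own firewall reaches the 3560 but never crosses the point-to-point to the hub, where it would pull the hub's and the other spokes' Internet traffic through this site's ASA and around the central egress. It assumes ASA 8.0 syntax, EIGRP AS 1 on both boxes, the ASA inside interface named inside on GigabitEthernet0/1 at 10.130.1.10 with a static default route already configured, and the 3560 addresses from earlier in the thread (10.130.1.1 on Vlan1, 192.168.130.9 as the point-to-point router reached via Vlan11); the ASA interface name and the remark text are assumptions.

```cisco
! Added example, not config from the thread. ASA 8.0 syntax assumed.
!
! ---------------- ASA (inside = GigabitEthernet0/1, 10.130.1.10) ----------------
! Run EIGRP only toward the 3560; every other interface stays passive so the
! firewall never peers with anything on the outside or DMZ.
router eigrp 1
 network 10.130.1.0 255.255.255.0
 passive-interface default
 no passive-interface inside
!
! Originate 0.0.0.0/0 as a summary on the inside interface. This advertises only the
! default (backed by the ASA's own static default route) instead of redistributing
! every static on the firewall into the spoke's IGP.
interface GigabitEthernet0/1
 nameif inside
 summary-address eigrp 1 0.0.0.0 0.0.0.0
!
! ---------------- 3560 (10.130.1.1 on Vlan1, P2P router 192.168.130.9 via Vlan11) ----------------
! No static 0.0.0.0/0 toward 10.130.1.10 here: its AD of 1 would always beat the
! EIGRP-learned default and the ASA's advertisement would never be used.
! Keep only the floating static toward the P2P router.
ip route 0.0.0.0 0.0.0.0 192.168.130.9 250
!
! Filter applied to updates sent out Vlan11 only (the interface toward the hub).
! A standard ACL ends in an implicit "deny any": without the explicit permit the
! list suppresses every prefix the 3560 sends to the hub, which is the symptom
! of losing all of the spoke's routes at the hub.
access-list 1 remark block only the ASA default route toward the hub
access-list 1 deny   0.0.0.0
access-list 1 permit any
!
router eigrp 1
 network 10.0.0.0
 network 192.168.130.0
 distribute-list 1 out Vlan11
 no auto-summary
```

Verify on the 3560 with show ip route 0.0.0.0 (expect an EIGRP-learned default via 10.130.1.10 while the ASA is up, shown as D* for the summary or D*EX if you redistribute instead, and S* via 192.168.130.9 after the neighbour times out) and with show ip protocols, which lists the outbound filter per interface; on the hub, show ip route should still carry the spoke's prefixes but no 0.0.0.0/0 from this site. Because the default is learned dynamically, loss of the ASA is detected by the EIGRP hold timer rather than by the Vlan1 link state, which sidesteps the problem of a static route via an SVI never being withdrawn.
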

jkrysinski Mon, 12/22/2008 - 15:46

Jon,


I added the commands as you suggested.

I even updated to 122-46.SE from c3560-ipbase-mz.122-35.SE. The results were the same with both IOS. As soon as the distribute-list is applied I can't connect from the hub.



access-list 1 deny 0.0.0.0


router eigrp 1

distribute-list 1 out

no auto-summary

eigrp stub connected summary

network 10.0.0.0

network 192.168.130.0

Jon Marshall Tue, 12/23/2008 - 04:40

James


Can you draw a quick diagram of what is connected to what. Also you want to apply the distribute list to vlan 11 only because it is on the vlan 11 interface that the 3560 connects to the P2P router ie.


distribute-list 1 out vlan 11


When you apply the distribute-list what happens to the routing table at the hub ?


Are you receiving the default-route on the 3560 from the ASA?


Something is missing here, a topology diagram would really help.


Jon

jkrysinski Tue, 12/23/2008 - 08:50

Jon,


The config I posted didn't include vlan 11 part but it is in my config. I missed that it was omitted when I posted.


I have distribute-list 1 out vlan 11 applied in the eigrp section. When I apply this the hub loses the routes advertised by the 3560. The 3560 is still getting the updates from the hub. The 3560 shows all the networks advertised by the hub.

I don't have the ASA advertising the default route static route yet. I want to make sure my filtering is working.


Attached is a snip of my network diagram. I have circled the devices we have been discussing.


Thank you for your help.


James



Jon Marshall Tue, 12/23/2008 - 09:15

James


You have the following on your 3560


router eigrp 1

distribute-list 1 out

no auto-summary

eigrp stub connected summary

network 10.0.0.0

network 192.168.130.0



you will have to remove the eigrp stub connected summary bit as there are now 2 paths to get out of the network.


Jon

jkrysinski Tue, 12/23/2008 - 09:43

Jon,


Here is the config of the 3560. I have reverted back to the original IOS. After adding the latest IOS it modified my eigrp config to make it a stub.


Thanks,

James



Jon Marshall Tue, 12/23/2008 - 09:49

James


I went back to the lab to try out my original suggestion of using 2 static routes but have the one pointing to the hub with an AD of 250.


I got the same result as you ie. the route did not drop out of the routing table. And then I realised why. It's because that route is via a L3 vlan interface ie. to get to the ASA go via the vlan 1 interface.


So I changed the connection on the 3560 to a routed port connection and it worked as expected. So to summarise


on your 3560 at the moment you have the ASA connected into an interface on the switch. That interface is a switchport and is in vlan 1. You have a default-route on the 3560


0.0.0.0 0.0.0.0 10.130.1.10


problem is when 10.130.1.10 goes down the route stays in the routing table because the port the ASA is connected to is a switchport ie. it is not a layer 3 port.


So one way to make this work is to make the port that the ASA connects into on the 3560 a routed port. But you can't do that with vlan 1 because I'm assuming there are other devices in your site that are on vlan 1.


So you would need to


1) use a new subnet for 3560 to ASA eg. 192.168.5.0/30


2) on the 3560 port that connects to the ASA


int fa0/10

no switchport

ip address 192.168.5.1 255.255.255.252


ip route 0.0.0.0 0.0.0.0 192.168.5.2

ip route 0.0.0.0 0.0.0.0 192.168.130.9 250


3) On the ASA - the inside address would need to be changed to 192.168.5.2 255.255.255.252


And the ASA would no longer know how to get to vlan 1 subnet so you would need a route on the ASA


route (inside) 10.130.1.0 255.255.255.0 192.168.5.1


Jon

jkrysinski Tue, 12/23/2008 - 12:08

Jon,


I did as you suggested and everything works as designed. I took the ASA down and the default traffic routes to the hub.


Thank you for all your help. Have a good holiday.


James

Jon Marshall Tue, 12/23/2008 - 12:38

James


Glad we finally got it working.


Have a good holiday as well :-)


Jon

Jon Marshall Tue, 12/23/2008 - 07:30

James


I have just setup a quick lab - I don't have an ASA but I used 2 x 3550 switches and a 2600 router.


2600 (192.168.5.2/24) -> (vlan 11) -> (192.168.5.1/24) 3550_1 (192.168.1.120/24) -> vlan 2 -> (192.168.1.121/24) 3550_2


on the 3550_2 (which is emulating the ASA) I added a static default-route and redistributed it into EIGRP eg.


3550_2


router eigrp 1

redistribute static

network 192.168.1.0

no auto-summary

!


ip route 0.0.0.0 0.0.0.0 Null0


The routing tables on the other 2 devices looked like


3550_1


C 192.168.5.0/24 is directly connected, Vlan11

C 192.168.1.0/24 is directly connected, Vlan2

D*EX 0.0.0.0/0 [170/2816] via 192.168.1.121, 00:07:57, Vlan2


2600


C 192.168.5.0/24 is directly connected, FastEthernet0/0

S 192.168.1.0/24 [1/0] via 192.168.5.1

D*EX 0.0.0.0/0 [170/28416] via 192.168.5.1, 00:00:01, FastEthernet0/0


I then added a distribute-list to 3550_1


3550_1


router eigrp 1

network 192.168.1.0

network 192.168.5.0

distribute-list 1 out Vlan11

no auto-summary

!


!

access-list 1 deny 0.0.0.0


the routing tables on the 2 devices


3550_1 (didn't change)


C 192.168.5.0/24 is directly connected, Vlan11

C 192.168.1.0/24 is directly connected, Vlan2

D*EX 0.0.0.0/0 [170/2816] via 192.168.1.121, 00:00:57, Vlan2


2600 (default-route has been removed)


C 192.168.5.0/24 is directly connected, FastEthernet0/0

S 192.168.1.0/24 [1/0] via 192.168.5.1


Jon
