12-19-2008 01:53 PM - edited 03-04-2019 12:46 AM
Hi,
I am running EIGRP and have the default route to the Internet properly sent to all devices. Currently our Internet goes out through the same location for all three sites.
I have a new hub location that will have its own Internet connection but will be connected to the hub via a point to point circuit.
I have a 3560 performing my routing and it is getting its routing updates from EIGRP. I added a static route on the 3560 to route Internet traffic to its local ASA device.
My problem is trying to route Internet traffic across the point to point if the ASA device is down.
Any help would be greatly appreciated.
12-19-2008 02:03 PM
James
Have you tried using floating statics, e.g. on the 3560:
ip route 0.0.0.0 0.0.0.0 <ASA next-hop IP>
ip route 0.0.0.0 0.0.0.0 <P2P next-hop IP> 250
Note the 250 at the end of the second ip route. This is the AD (Administrative Distance). If the ASA is up and reachable the ASA will be used. If the ASA goes down then it will route over the P2P because the route with the AD of 250 will be used.
If the ASA device comes back up the 3560 will then use the ASA again.
Jon
12-19-2008 02:30 PM
Hi Jon,
Thank you for the fast response.
I added the two static routes. I took the ASA down and the default route is still pointing to the ASA.
James
12-19-2008 02:34 PM
James
Is the ASA the next-hop to your 3560 switch?
Once the next-hop is unreachable the route should be removed from the 3560 routing table and replaced with the 250 static route.
Jon
12-19-2008 02:46 PM
Jon
Yes the ASA is the next hop from the 3560.
Below is my show ip route.
Gateway of last resort is 10.130.1.10 to network 0.0.0.0
100.0.0.0/24 is subnetted, 1 subnets
D EX 100.100.11.0 [170/30976] via 192.168.130.9, 03:00:31, Vlan11
D EX 192.168.15.0/24 [170/30976] via 192.168.130.9, 03:00:31, Vlan11
D EX 192.168.42.0/24 [170/30976] via 192.168.130.9, 03:00:31, Vlan11
D EX 192.168.128.0/24 [170/30976] via 192.168.130.9, 03:00:31, Vlan11
D EX 198.99.240.0/24 [170/30976] via 192.168.130.9, 03:00:31, Vlan11
D EX 192.168.9.0/24 [170/30976] via 192.168.130.9, 03:00:31, Vlan11
192.168.130.0/30 is subnetted, 1 subnets
C 192.168.130.8 is directly connected, Vlan11
D EX 172.16.0.0/16 [170/30976] via 192.168.130.9, 03:00:31, Vlan11
172.19.0.0/24 is subnetted, 1 subnets
D EX 172.19.2.0 [170/30976] via 192.168.130.9, 03:00:31, Vlan11
172.24.0.0/22 is subnetted, 1 subnets
D EX 172.24.0.0 [170/30976] via 192.168.130.9, 03:00:32, Vlan11
192.168.64.0/30 is subnetted, 2 subnets
D 192.168.64.8 [90/30976] via 192.168.130.9, 03:00:32, Vlan11
D 192.168.64.4 [90/286976] via 192.168.130.9, 03:00:32, Vlan11
D 192.168.65.0/24 [90/30976] via 192.168.130.9, 03:00:32, Vlan11
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
D 10.8.0.0/16 [90/28416] via 192.168.130.9, 03:00:32, Vlan11
D 10.18.0.0/16 [90/287232] via 192.168.130.9, 03:00:32, Vlan11
D 10.19.0.0/16 [90/287232] via 192.168.130.9, 03:00:32, Vlan11
D 10.16.0.0/16 [90/287232] via 192.168.130.9, 03:00:32, Vlan11
D 10.17.0.0/16 [90/287232] via 192.168.130.9, 03:00:32, Vlan11
D 10.32.0.0/16 [90/33536] via 192.168.130.9, 03:00:32, Vlan11
D EX 10.64.0.0/16 [170/30976] via 192.168.130.9, 03:00:32, Vlan11
D EX 10.130.0.0/16 [170/30976] via 192.168.130.9, 03:00:32, Vlan11
C 10.130.1.0/24 is directly connected, Vlan1
D EX 10.129.1.0/24 [170/30976] via 192.168.130.9, 03:00:32, Vlan11
D EX 10.128.1.0/24 [170/30976] via 192.168.130.9, 03:00:32, Vlan11
D EX 10.200.1.0/24 [170/30976] via 192.168.130.9, 03:00:32, Vlan11
165.72.0.0/24 is subnetted, 1 subnets
D EX 165.72.239.0 [170/30976] via 192.168.130.9, 03:00:32, Vlan11
S* 0.0.0.0/0 [1/0] via 10.130.1.10
12-19-2008 02:52 PM
Okay, just to clarify then
you have 2 static routes on the 3560, one with an AD of 250.
Both next-hops in the static routes are up and pingable.
So when you shut down the ASA and ping it times out but you still have the same static route in routing table?
Jon
12-19-2008 02:56 PM
Jon
Here are my static routes from the 3560. The IP of the 3560 is 10.130.1.1.
10.130.1.10 is the ASA
192.168.130.9 is the point to point router. The default route on the point to point router points to the hub.
ip route 0.0.0.0 0.0.0.0 10.130.1.10
ip route 0.0.0.0 0.0.0.0 192.168.130.9 250
If I take the ASA down, the default route still points to the ASA.
12-19-2008 03:07 PM
James
That's strange because it should remove the route if the next-hop is unreachable.
What version of ASA software are you using?
What version of IOS and feature set, i.e. IP Base or IP Services?
Jon
12-19-2008 03:17 PM
ASA is 8.04
3560 is IP Base version 12.2
12-19-2008 03:30 PM
James
I was going to suggest either
1) ip sla on the 3560 to monitor the availability of the next-hop and change if it goes down. But I believe you need the IP Services image
OR
2) EIGRP on the ASA for which you need version 8 - which you have.
So you could run an EIGRP process on your ASA, make all interfaces passive except for the inside interface and then either
1) use a "summary-address eigrp .." command to advertise default-route to 3560
OR
2) I assume you have a default-route already on the ASA. You could simply redistribute static into the EIGRP process.
For full details -
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1092871
Then if the ASA goes down the EIGRP process will go down and the static route with 250 will be installed into the routing table.
Note - you will need to remove the 0.0.0.0 route to 10.130.1.10 from your config for this to work.
Jon
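The route selection discussed in this reply, as an added example that is not part of the original posts: a small model of how the 3560 picks its default route by administrative distance. It assumes Vlan1 stays up when the ASA is powered off (other active ports in the VLAN), so the AD 1 static keeps resolving its next hop, and that a default redistributed from static on the ASA arrives as an EIGRP external route (AD 170); the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Candidate:
    source: str       # "static" or "eigrp"
    next_hop: str
    ad: int           # administrative distance, lower wins
    depends_on: str   # the state that keeps this candidate eligible

def best_default(candidates, state):
    """Installed default route: lowest AD among candidates still valid."""
    valid = [c for c in candidates if state[c.depends_on]]
    return min(valid, key=lambda c: c.ad) if valid else None

# The two statics from the thread. A static route stays eligible while its
# next hop resolves through an up connected interface (assumption modelled
# here as "vlan1_up" / "vlan11_up"), not while the next hop answers pings.
STATICS_ONLY = [
    Candidate("static", "10.130.1.10", 1, "vlan1_up"),
    Candidate("static", "192.168.130.9", 250, "vlan11_up"),
]

# Default learned from the ASA over EIGRP, AD 1 static removed as the reply
# says. The learned route lives only while the ASA neighbour is alive.
EIGRP_FROM_ASA = [
    Candidate("eigrp", "10.130.1.10", 170, "asa_neighbor_up"),
    Candidate("static", "192.168.130.9", 250, "vlan11_up"),
]

def next_hop_after_asa_failure(candidates):
    # Constructed failure state: ASA is off, both SVIs on the 3560 remain up.
    state = {"vlan1_up": True, "vlan11_up": True, "asa_neighbor_up": False}
    best = best_default(candidates, state)
    return best.next_hop if best else None

if __name__ == "__main__":
    print("statics only  :", next_hop_after_asa_failure(STATICS_ONLY))
    print("EIGRP from ASA:", next_hop_after_asa_failure(EIGRP_FROM_ASA))
```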
12-19-2008 04:17 PM
Jon,
I will give one of those a try on Monday.
Will the redistribution of static entries on the ASA into EIGRP affect my hub and other spokes?
Thank you for the help.
James
12-19-2008 11:06 PM
James
It could do, so the best thing to do would be to use a distribute-list on your 3560 to filter out that route and make sure it doesn't get sent to the main hub across the point-to-point.
Jon
12-22-2008 02:08 PM
Jon,
I tried adding a distribute-list on the 3560 to filter outbound updates. When I apply the acl I can't communicate to the hub. Below is the acl and the applying of the list on the 3560. I don't understand why all traffic is stopped when the acl is applied to the eigrp section. Your help is greatly appreciated.
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip any any
router eigrp 1
network 10.0.0.0
network 192.168.130.0
distribute-list 100 out
no auto-summary
12-22-2008 02:43 PM
James
You are just trying to stop the default-route from the ASA being sent to the P2P router so -
access-list 1 deny 0.0.0.0
router eigrp 1
distribute-list 1 out vlan 11
Jon
12-22-2008 03:46 PM
Jon,
I added the commands as you suggested.
I even updated to 122-46.SE from c3560-ipbase-mz.122-35.SE. The results were the same with both IOS. As soon as the distribute-list is applied I can't connect from the hub.
access-list 1 deny 0.0.0.0
router eigrp 1
distribute-list 1 out
no auto-summary
eigrp stub connected summary
network 10.0.0.0
network 192.168.130.0
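An added example, not part of the original thread: a model of how a standard access list used by "distribute-list 1 out" is evaluated against outgoing routes, including the implicit "deny any" that ends every IOS access list. The candidate routes are constructed from addresses in the thread, the function names are hypothetical, and the second list assumes one extra line, "access-list 1 permit any".

```python
import ipaddress

# Every IOS access list ends with an unwritten "deny any".
IMPLICIT_DENY = ("deny", "0.0.0.0", "255.255.255.255")

def acl_matches(address, base, wildcard):
    """Standard-ACL match: bits set in the wildcard mask are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

def advertised(acl, prefixes):
    """Prefixes that 'distribute-list <acl> out' would still send."""
    sent = []
    for prefix in prefixes:
        network = str(ipaddress.ip_network(prefix).network_address)
        for action, base, wildcard in acl + [IMPLICIT_DENY]:
            if acl_matches(network, base, wildcard):  # first match wins
                if action == "permit":
                    sent.append(prefix)
                break
    return sent

# Constructed sample: a default route plus the 3560's two connected
# networks as they appear in the routing table earlier in the thread.
CANDIDATE_ROUTES = ["0.0.0.0/0", "10.130.1.0/24", "192.168.130.8/30"]

# access-list 1 deny 0.0.0.0            (the list exactly as posted)
ACL_AS_POSTED = [("deny", "0.0.0.0", "0.0.0.0")]

# Same list followed by: access-list 1 permit any   (assumed extra line)
ACL_WITH_PERMIT = ACL_AS_POSTED + [("permit", "0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    print("as posted  :", advertised(ACL_AS_POSTED, CANDIDATE_ROUTES))
    print("with permit:", advertised(ACL_WITH_PERMIT, CANDIDATE_ROUTES))
```

With the list as posted, no route passes the filter, so the neighbor across the point-to-point stops learning the 3560's networks; with the trailing permit only the default route is withheld.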