configuring RIP between a Pix and a 4500 switch

Kevin Melton (Level 2)

I have a 4500 switch which is in the center of one of my customer's networks.  The 4500 effectively routes between all the production VLANs for the customer.

I have a PIX connected to the switch in VLAN 1.  I have just configured RIP v1 as follows on the PIX:

rip outside passive version 1

rip inside passive version 1

rip inside default version 1

I used a sniffer and captured the RIP updates between the 4500 and the PIX.  I see the pix sending out a RIP update for the default route.  However I do not ever see the 4500 update its routing table to reflect it.

(attachment: routes on 4500.JPG)

It is unclear to me why the 4500 won't update its route table with the default route from the PIX.  I want this to be a secondary default route in case the Main static route goes down.

Thanks

Kevin

9 Accepted Solutions

k-melton wrote:

Jon

You did not misunderstand.  I have one static route configured for default and currently it provides the only path out to the Internet.  Since we do have a 2nd DSL connection for the client, I wanted to have a backup default route so that if something happens to the main one, I won't lose connectivity to the Internet.

The static route configured on the 4500 for default points to an ASA.  I guess I need to turn on RIP on the ASA as well and then remove the static route from the 4500 altogether?  Will I see both default routes on the ASA then, Jon?

Thanks

Kevin

Kevin

You don't necessarily need to run RIP on anything. You could actually have a floating static route on the 4500 ie,

ip route 0.0.0.0 0.0.0.0  200

the 200 is important because that is the AD. So your existing default-route is still the ASA. If the ASA is lost then the static route will be removed and the floating static used. If the ASA comes back online then the original static route will be used again.

Sounds great but because they are ethernet connections you would need to track the availability of the next-hop ie. the ASA internal interface. You do this with IP SLA which your switch may or may not support - depends on IOS version.

Alternatively you could -

1) have a floating static default-route

ip route 0.0.0.0 0.0.0.0 200

2) remove the other default route that points to the ASA

3) turn on RIP on the ASA and advertise a default route to the 4500.

Because RIP has a lower AD than 200 which is the AD of your floating static the RIP route would be used. If the ASA failed it would no longer advertise the route and then the floating static would be used.

This would be a simpler solution if you are happy to turn on RIP on your ASA.

Out of interest any reason why RIP, is this what you run internally? I ask because the ASA supports OSPF and as of v8.x code EIGRP.

Jon


k-melton wrote:

John

I am experimenting with using a floating static default route here at this client as one of the options which you had recommended.

Here is a snapshot of the ip routes as configured on the core switch:

bhicore#sho run | i ip route

ip route 0.0.0.0 0.0.0.0 192.168.5.8

ip route 0.0.0.0 0.0.0.0 198.100.100.81 200

The 192.168.5.8 address is the inside interface of the ASA and leads to our Primary Metro Ethernet connection.

The 198.100.100.81 address is the inside interface of the PIX and leads to our Secondary DSL connection.

For testing:  If I unplug the inside interface of the ASA, will the router know it is not there?  How will it know to roll over to the Secondary connection.

Thanks

Kevin

Kevin

That's one of the problems with ethernet ie. the router may not realise the ASA has gone. That is why I suggested using a floating static on the router/switch pointing to the pix and then use the dynamic routing protocol for the ASA. EIGRP/RIP/OSPF will all have lower ADs than 200 so it should be used unless the ASA fails and then the route will not be sent to the switch.

If you want to use 2 static routes you will need to track the state of the ASA interface using IP SLA which your switch may or may not support.

Jon


k-melton wrote:

Jon

Sorry for the delay in my response. 

We have a Metro Ethernet connection to the ISP...

Is the command that I use to redistribute the static

router eigrp 100

redistribute static ( i am not sure of the rest)  seems the options are route-map or metric

Thanks Jon

Kevin

Kevin

You don't need to specify a metric when you redistribute static routes into EIGRP (although you do need a metric for redistributing everything else into EIGRP !!).

The route-map would be used if you had a number of static routes on the device and you only wanted to redistribute some of them.

So "redistribute static" should do the trick for you.

Jon


k-melton wrote:

Because I have static routes on the Border router which point to the client inside network addresses, I had to write the following route-map and ACL

route-map static permit 10
match ip address 20

bhigw2#sho access-list 20
Standard IP access list 20
    10 permit 0.0.0.0 (2 matches)
    20 deny   any (28 matches)

Once I did this, I could see the 0 route advertised out.  What I am not seeing is the 0 route in the ASA (his EIGRP neighbor) route table. The only 0 route is the static configured on it... 

thx

Kevin

Kevin

If you have a statically configured default route on the ASA then a default route learnt from EIGRP will not replace it or be entered into the routing table. You would need to remove the statically configured route and then the EIGRP route would be used.

Presumably the default route from EIGRP is using the same next-hop as the statically configured default route on the ASA ?

Before you do this run this command on the ASA "sh eigrp topology all-links". You should see the EIGRP routes learnt from your border router and hopefully the default route will be there.

Jon


It is such an interesting post, and I thought of barging in... I was reading the entire post for the past 20 mins and have a fair idea. Sorry if I misunderstood something or am asking questions which have already been answered here.

Is the dmz switch bhiedge layer 3? I saw in some posts before that it was layer 2. Are the L3 DMZ terminating on the bhiasaop firewall or the bhiedge switch (for the VLANs 172.16.1.x)? Can you please give "show ip eigrp neighbor" on the ASA bhiasaop firewall to check if it has a neighbor relation with the bhiedge switch? Why don't you have a direct eigrp neighborship with bhiasaip instead of having the switch in between (on L3)? In case the dmz switch has eigrp configured, make sure you don't have passive interface configured for the layer 3 vlan ip subnets.

Raj


Hi kevin

I do see the routes for 206.248.224.0/24 on the dmz and bhiasaip firewall.... these are the routes which are propagated from the bhiasaop firewall right ? I see the following:

P 206.248.224.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (30720/28160), Ethernet0/0

can you give a show ip route on dmz and bhiasaip firewall and confirm if these routes are installed in the routing table ? are you having issues with reachability ?

Regards

Raj


k-melton wrote:

Raj

I made sure that auto summary is turned off everywhere.  Here are the outputs from bhiedge switch in the DMZ and bhiasaip (inside Firewall)

bhiedge#sho ip eigrp top all
EIGRP-IPv4 Topology Table for AS(100)/ID(172.16.1.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 206.248.224.0/24, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (28416/28160), Vlan1
P 192.168.5.0/24, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.3 (28416/28160), Vlan1
P 172.16.1.0/24, 1 successors, FD is 2816, serno 1
        via Connected, Vlan1
bhiedge#

bhiasaip#   sho ei top all

EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.10.20)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 192.168.10.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.11.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.5.0 255.255.255.0, 1 successors, FD is 28160, serno 1
        via Connected, Ethernet0/1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 28160, serno 2
        via Connected, Ethernet0/0
P 198.100.100.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 206.248.224.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (30720/28160), Ethernet0/0
bhiasaip#

When I turn on debugging on the Edge switch, I do not see anything happening with respect to EIGRP.  No routes or anything else..

bhiedge#debug ip eigrp
IP-EIGRP Route Events debugging is on
bhiedge#debug ip eigrp top
% Incomplete command.

bhiedge#debug ip eigrp top ?
  WORD  Topology instance name

bhiedge#debug ip eigrp top 100
IP-EIGRP Route Events debugging is on
bhiedge#

Thanks Raj

Kevin

Kevin

I think we need to see all the routing tables from the relevant devices as Raj requested.

Can we have routing tables from border router/outside firewall (op), DMZ switch, inside firewall ip.

Also can you post relevant config from each of the above devices for any static routes that you have added.

Some routes are showing as FD inaccessible which often means that there is a better route available such as a static. I think we need to see exactly what is configured on each device.

Jon


k-melton wrote:

One more thing

In response to:

2) if ethernet then we could use IP SLA with object-tracking. If we have to insert another route when we remove the default route we can simply use a dummy route. An additional fail-safe would be to use a route-map when we redistribute the statics into EIGRP on the border router. We only allow the default route to be redistributed so whatever dummy route we added would not be redistributed to your ASA.

I think I have object tracking configured... did you see this on a post from earlier this morning?  I am pinging the ISP GW from the Border router using IP SLA (perhaps object tracking is different, I will research).

Also I had created a route map on the Border router as you had recommended this earlier.  It is only allowing the default route and denying all others..

see below:

route-map static permit 10
match ip address 20


bhigw2#sho access-list 20
Standard IP access list 20
    10 permit 0.0.0.0 (3 matches)
    20 deny   any (42 matches)
bhigw2#

Hope this helps

Kevin

Kevin

You have configured the IP SLA but you need to tie that into the static route and I'm not aware you have done that although you may have. Have a look at this link which explains it all -

Object tracking

The route-map does help thanks. It means if we have to insert a dummy route there is no possibility of it getting past the border router.

Jon


k-melton wrote:

Jon

I read the article entitled "Reliable Static Routing Backup Using Object Tracking" that you had sent the link for.  Here is the config I have so far based on what it said to do:

ip sla monitor 1

type echo protocol ipIcmpEcho 209.145.88.29

frequency 30

ip sla monitor schedule 1 life forever start-time now

track 123 rtr 1 reachability

ip local policy route-map ipsla

access-list 150 permit icmp host 209.145.88.30 host 209.145.88.29

access-list 150 deny   icmp any any

route-map ipsla permit 150

match ip address 150

set interface GigabitEthernet0/1

ip route 0.0.0.0 0.0.0.0 209.XXX.88.XX track 123

ip route 0.0.0.0 0.0.0.0  123.456.789.123 254

Here is the output from the sho ip route track table command:

bhigw2#sho ip route track-tab
ip route 0.0.0.0 0.0.0.0 209.xxx.88.xx track 123 state is [up]
bhigw2#

I am hoping this may be all we need.  If you can look this over and tell me what you think.

Have a splendid weekend!

Kevin

Kevin

Had a spare half hour Sunday evening so I did a quick lab. Apologies for this but reliable static routing with object tracking is actually overkill for what we need. All you actually need to do is track the route so full config -

ip sla monitor 1

type echo protocol ipIcmpEcho 209.145.88.29

frequency 30

track 123 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 209.145.88.29 track 123

and that's all you need to add. I tested this by shutting down the ethernet interface on the upstream router ie. the 209.145.88.29 router and once the IP SLA failed on bhigw2 the static route was removed. Once removed it was no longer being redistributed into EIGRP and so was not passed back down the line to the 4500. The 4500 then used its floating static route pointing to the other gateway. Note, I think I have already mentioned this but make your floating static AD 200 or above.

Once I brought the interface back up and the IP SLA succeeded the route was reinstalled on bhigw2 and then redistributed all the way back to the 4500.

So I think we are there. Let me know if you have any other queries.

Jon


50 Replies

Jon Marshall (Hall of Fame)

k-melton wrote:

I have a 4500 switch which is in the center of one of my customer's networks.  The 4500 effectively routes between all the production VLANs for the customer.

I have a PIX connected to the switch in VLAN 1.  I have just configured RIP v1 as follows on the PIX:

rip outside passive version 1

rip inside passive version 1

rip inside default version 1

I used a sniffer and captured the RIP updates between the 4500 and the PIX.  I see the pix sending out a RIP update for the default route.  However I do not ever see the 4500 update its routing table to reflect it.

It is unclear to me why the 4500 won't update its route table with the default route from the PIX.  I want this to be a secondary default route in case the Main static route goes down.

Thanks

Kevin

Kevin

Could you clarify something ?

You have a static default-route configured on the 4500 and you have the pix advertising a default-route to the 4500 with RIP and you don't see the RIP route in the routing table on the 4500 - is that what you are saying ?

If so, you won't see it until the static route that you have configured is removed because the static configured route will have a lower AD and so be the one entered into the routing table.

If I have misunderstood please let me know.

Jon

Jon

You did not misunderstand.  I have one static route configured for default and currently it provides the only path out to the Internet.  Since we do have a 2nd DSL connection for the client, I wanted to have a backup default route so that if something happens to the main one, I won't lose connectivity to the Internet.

The static route configured on the 4500 for default points to an ASA.  I guess I need to turn on RIP on the ASA as well and then remove the static route from the 4500 altogether?  Will I see both default routes on the ASA then, Jon?

Thanks

Kevin

k-melton wrote:

Jon

You did not misunderstand.  I have one static route configured for default and currently it provides the only path out to the Internet.  Since we do have a 2nd DSL connection for the client, I wanted to have a backup default route so that if something happens to the main one, I won't lose connectivity to the Internet.

The static route configured on the 4500 for default points to an ASA.  I guess I need to turn on RIP on the ASA as well and then remove the static route from the 4500 altogether?  Will I see both default routes on the ASA then, Jon?

Thanks

Kevin

Kevin

You don't necessarily need to run RIP on anything. You could actually have a floating static route on the 4500 ie,

ip route 0.0.0.0 0.0.0.0  200

the 200 is important because that is the AD. So your existing default-route is still the ASA. If the ASA is lost then the static route will be removed and the floating static used. If the ASA comes back online then the original static route will be used again.

Sounds great but because they are ethernet connections you would need to track the availability of the next-hop ie. the ASA internal interface. You do this with IP SLA which your switch may or may not support - depends on IOS version.

Alternatively you could -

1) have a floating static default-route

ip route 0.0.0.0 0.0.0.0 200

2) remove the other default route that points to the ASA

3) turn on RIP on the ASA and advertise a default route to the 4500.

Because RIP has a lower AD than 200 which is the AD of your floating static the RIP route would be used. If the ASA failed it would no longer advertise the route and then the floating static would be used.

This would be a simpler solution if you are happy to turn on RIP on your ASA.

Out of interest any reason why RIP, is this what you run internally? I ask because the ASA supports OSPF and as of v8.x code EIGRP.

Jon

Jon

I did not realize until your reply that the ASA supports EIGRP. I am running 8.2.1 and checked it out and right you are.  I may try to configure that instead.

RIP was just a lowest common denominator that I was going to use.  I had forgotten about floating static routes.

Thanks for your help.  I will keep you posted.

John

I am experimenting with using a floating static default route here at this client as one of the options which you had recommended.

Here is a snapshot of the ip routes as configured on the core switch:

bhicore#sho run | i ip route

ip route 0.0.0.0 0.0.0.0 192.168.5.8

ip route 0.0.0.0 0.0.0.0 198.100.100.81 200

The 192.168.5.8 address is the inside interface of the ASA and leads to our Primary Metro Ethernet connection.

The 198.100.100.81 address is the inside interface of the PIX and leads to our Secondary DSL connection.

For testing:  If I unplug the inside interface of the ASA, will the router know it is not there?  How will it know to roll over to the Secondary connection.

Thanks

Kevin

k-melton wrote:

John

I am experimenting with using a floating static default route here at this client as one of the options which you had recommended.

Here is a snapshot of the ip routes as configured on the core switch:

bhicore#sho run | i ip route

ip route 0.0.0.0 0.0.0.0 192.168.5.8

ip route 0.0.0.0 0.0.0.0 198.100.100.81 200

The 192.168.5.8 address is the inside interface of the ASA and leads to our Primary Metro Ethernet connection.

The 198.100.100.81 address is the inside interface of the PIX and leads to our Secondary DSL connection.

For testing:  If I unplug the inside interface of the ASA, will the router know it is not there?  How will it know to roll over to the Secondary connection.

Thanks

Kevin

Kevin

That's one of the problems with ethernet ie. the router may not realise the ASA has gone. That is why I suggested using a floating static on the router/switch pointing to the pix and then use the dynamic routing protocol for the ASA. EIGRP/RIP/OSPF will all have lower ADs than 200 so it should be used unless the ASA fails and then the route will not be sent to the switch.

If you want to use 2 static routes you will need to track the state of the ASA interface using IP SLA which your switch may or may not support.

Jon

Jon

I am including a network diagram with the addresses stricken for you to take a look at.  I am not so much concerned that the ASA may fail, but rather that my Metro Ethernet connection will fail.  I think I actually am going to have to set up a dynamic routing protocol between my Border router (bhigw2), my Outside PIX (bhiasaop) and my Inside ASA (bhiasaip).  Otherwise I am not sure how the Inside ASA would ever know that the default route is missing off of the Border router.

If you could please confirm that in fact I will have to turn on dynamic routing updates on the mentioned devices I would appreciate it.

I think this will make sense to you once you look at the attached drawing.

Thanks Jon

Kevin

Kevin

Apologies but I can't read Visios on my laptop. Can you post it as a .jpg/.png file instead?

Jon

You bet.  Attached as .jpg

Kevin

k-melton wrote:

Jon

I am including a network diagram with the addresses stricken for you to take a look at.  I am not so much concerned that the ASA may fail, but rather that my Metro Ethernet connection will fail.  I think I actually am going to have to set up a dynamic routing protocol between my Border router (bhigw2), my Outside PIX (bhiasaop) and my Inside ASA (bhiasaip).  Otherwise I am not sure how the Inside ASA would ever know that the default route is missing off of the Border router.

If you could please confirm that in fact I will have to turn on dynamic routing updates on the mentioned devices I would appreciate it.

I think this will make sense to you once you look at the attached drawing.

Thanks Jon

Kevin

Kevin

You are right although it is a little more complicated than that. You could use IP SLA  tracking on your 4500 and check the reachability of the next-hop from your border router ie. where you border sends traffic to after it leaves your LAN.

Or as you say you can use a routing protocol but note you still need to use IP SLA tracking but this time on the border router. Because it is ethernet you need to track the next-hop from the border router. If that is up then advertise the default-route into your routing protocol which will then get propagated to your pix and ASA. If it is not up then the border router should not advertise it to the pix -> asa -> 4500. Then the floating static on the 4500 will kick in and it should go via the other link.

Note if you are going to run dynamic routing between border router/pix/asa make sure you use authentication and that the border router is secure.

Either way involves a fair bit of extra config

1) IP SLA on 4500, if supported (need to know IOS and feature set). You would need to allow ICMP through both firewalls and the border router to get to the next-hop you are checking for reachability

2) IP SLA on border router (will be supported) - you need to enable routing protocol on all intermediate devices

Jon
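To make the AD arithmetic behind Jon's floating-static explanation and the tracked-static/redistribution design in his posts above concrete, here is an added Python simulation of IOS route selection (example code written for this page, not from the thread or from Cisco). It assumes the standard IOS default ADs, reuses the addresses from the thread, collapses the PIX/ASA hops into a single EIGRP-external route on the core switch, and uses a constructed 192.168.10.0/24 static as a stand-in for the border router's inside-network statics.

```python
from dataclasses import dataclass, field
from typing import Optional

# Cisco IOS default administrative distances (lower wins)
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "rip": 120, "eigrp-ext": 170}


@dataclass
class Route:
    prefix: str
    next_hop: str
    source: str
    ad: Optional[int] = None     # explicit AD, e.g. 200 for a floating static
    track: Optional[str] = None  # track object the static depends on, if any

    def distance(self) -> int:
        return self.ad if self.ad is not None else DEFAULT_AD[self.source]


@dataclass
class Router:
    name: str
    candidates: list = field(default_factory=list)
    tracks: dict = field(default_factory=dict)  # track id -> reachable?

    def add(self, route: Route) -> None:
        self.candidates.append(route)

    def rib(self) -> dict:
        """Per prefix, install the lowest-AD candidate whose track (if any) is up."""
        best: dict = {}
        for r in self.candidates:
            if r.track is not None and not self.tracks.get(r.track, False):
                continue  # tracked static is withdrawn while the SLA probe fails
            cur = best.get(r.prefix)
            if cur is None or r.distance() < cur.distance():
                best[r.prefix] = r
        return best

    def default_route(self) -> Optional[tuple]:
        r = self.rib().get("0.0.0.0/0")
        return (r.next_hop, r.source) if r else None


def rip_hidden_by_static() -> Optional[tuple]:
    """Kevin's original symptom: the static default (AD 1) on the 4500 always beats
    the RIP default (AD 120) learnt from the PIX, so the RIP route never shows."""
    core = Router("bhicore")
    core.add(Route("0.0.0.0/0", "192.168.5.8", "static"))   # existing static via the ASA
    core.add(Route("0.0.0.0/0", "198.100.100.81", "rip"))   # advertised by the PIX
    return core.default_route()


def failover_chain(isp_reachable: bool) -> Optional[tuple]:
    """Jon's design: tracked static on bhigw2, 'redistribute static' filtered to the
    default route only, floating static (AD 200) on the 4500 towards the PIX."""
    border = Router("bhigw2", tracks={"123": isp_reachable})
    border.add(Route("0.0.0.0/0", "209.145.88.29", "static", track="123"))
    # constructed example of another static on the border router that the
    # route-map/ACL 20 ('permit 0.0.0.0' then 'deny any') must keep out of EIGRP
    border.add(Route("192.168.10.0/24", "172.16.1.2", "static"))

    core = Router("bhicore")
    core.add(Route("0.0.0.0/0", "198.100.100.81", "static", ad=200))  # floating static to PIX
    # Redistribution only carries routes actually installed on bhigw2 and permitted
    # by the route-map; the PIX/ASA hops in between are collapsed into one
    # EIGRP-external (AD 170) route on the core switch.
    for prefix in border.rib():
        if prefix == "0.0.0.0/0":
            core.add(Route(prefix, "192.168.5.8", "eigrp-ext"))  # arrives via the inside ASA
    return core.default_route()
```

With the ISP next-hop reachable the core prefers the EIGRP-external default (AD 170) over the floating static (AD 200); once the track goes down the tracked static disappears from bhigw2, nothing is redistributed, and the floating static towards the PIX takes over.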

Jon

The current IOS running on my 4500 Sup II+ module is Version 12.2(46)SG, RELEASE SOFTWARE (fc1)

How can we tell if this will support IP SLA?

I have the following available in the IOS, I know from using context sensitive help:

bhicore#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
bhicore(config)#ip sla ?
  key-chain  Use MD5 authentication for IP SLAs control message
  responder  Enable IP SLAs Responder

bhicore(config)#ip sla

thanks Jon

Kevin

k-melton wrote:

Jon

The current IOS running on my 4500 Sup II+ module is Version 12.2(46)SG, RELEASE SOFTWARE (fc1)

How can we tell if this will support IP SLA?

I have the following available in the IOS, I know from using context sensitive help:

bhicore#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
bhicore(config)#ip sla ?
  key-chain  Use MD5 authentication for IP SLAs control message
  responder  Enable IP SLAs Responder

bhicore(config)#ip sla

thanks Jon

Kevin

Kevin

What feature set are you running ?

Jon

IP Base? Here is the sho ver output

bhicore#sho ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(46)SG, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 27-Jun-08 16:56 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x11ABEC24

ROM: 12.2(20r)EW1
Dagobah Revision 226, Swamp Revision 34

thx

Kevin

k-melton wrote:

IP Base? Here is the sho ver output

bhicore#sho ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(46)SG, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 27-Jun-08 16:56 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x11ABEC24

ROM: 12.2(20r)EW1
Dagobah Revision 226, Swamp Revision 34

thx

Kevin

Kevin

Bad news unfortunately. You need Enterprise Services to run PBR but there is no Enterprise Services for the SupII+. I think PBR is only supported on Supervisor IV upwards on the 4500 switches.

Jon
