
New Member

configuring RIP between a Pix and a 4500 switch

I have a 4500 switch which is in the center of one of my customer's networks. The 4500 effectively routes between all the production VLANs for the customer.

I have a PIX connected to the switch in VLAN 1.  I have just configured RIP v1 as follows on the PIX:

rip outside passive version 1

rip inside passive version 1

rip inside default version 1

I used a sniffer and captured the RIP updates between the 4500 and the PIX. I see the PIX sending out a RIP update for the default route. However, I do not ever see the 4500 update its routing table to reflect it.

[attachment: routes on 4500.JPG]

It is unclear to me why the 4500 won't update its route table with the default route from the PIX. I want this to be a secondary default route in case the main static route goes down.

Thanks

Kevin

9 ACCEPTED SOLUTIONS

Re: configuring RIP between a Pix and a 4500 switch

It is such an interesting post, and I thought of barging in... I was reading the entire post for the past 20 mins and have a fair idea.. Sorry if I misunderstood something or am asking questions which have already been answered here..

Is the DMZ switch bhiedge layer 3? I saw in some posts before that it was layer 2? Is the L3 DMZ terminating on the bhiasaop firewall or the bhiedge switch (for the VLANs 172.16.1.x)? Can you please give "show ip eigrp neighbor" on the ASA bhiasaop firewall to check if it has a neighbor relation with the bhiedge switch? Why don't you have a direct EIGRP neighborship with bhiasaip instead of having the switch in between (on L3)? In case the DMZ switch has EIGRP configured, make sure you don't have passive interface configured for the layer 3 VLAN IP subnets..

Raj

Re: configuring RIP between a Pix and a 4500 switch

Hi kevin

I do see the routes for 206.248.224.0/24 on the dmz and bhiasaip firewall.... these are the routes which are propagated from the bhiasaop firewall right ? I see the following:

P 206.248.224.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (30720/28160), Ethernet0/0

can you give a show ip route on dmz and bhiasaip firewall and confirm if these routes are installed in the routing table ? are you having issues with reachability ?

Regards

Raj

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

Raj

I made sure that auto summary is turned off everywhere.  Here are the outputs from bhiedge switch in the DMZ and bhiasaip (inside Firewall)

bhiedge#sho ip eigrp top all
EIGRP-IPv4 Topology Table for AS(100)/ID(172.16.1.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 206.248.224.0/24, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (28416/28160), Vlan1
P 192.168.5.0/24, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.3 (28416/28160), Vlan1
P 172.16.1.0/24, 1 successors, FD is 2816, serno 1
        via Connected, Vlan1
bhiedge#

bhiasaip#   sho ei top all

EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.10.20)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 192.168.10.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.11.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.5.0 255.255.255.0, 1 successors, FD is 28160, serno 1
        via Connected, Ethernet0/1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 28160, serno 2
        via Connected, Ethernet0/0
P 198.100.100.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 206.248.224.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (30720/28160), Ethernet0/0
bhiasaip#

When i turn on debugging on the Edge switch, I do not see anything happening with respect to EIGRP.  No routes or anything else..

bhiedge#debug ip eigrp
IP-EIGRP Route Events debugging is on
bhiedge#debug ip eigrp top
% Incomplete command.

bhiedge#debug ip eigrp top ?
  WORD  Topology instance name

bhiedge#debug ip eigrp top 100
IP-EIGRP Route Events debugging is on
bhiedge#

Thanks Raj

Kevin

Kevin

I think we need to see all the routing tables from the relevant devices as Raj requested.

Can we have routing tables from border router/outside firewall (op), DMZ switch, inside firewall ip.

Also can you post relevant config from each of the above devices for any static routes that you have added.

Some routes are showing as FD inaccessible, which often means that there is a better route available such as a static. I think we need to see exactly what is configured on each device.

Jon

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

One more thing

In response to:

2) if ethernet then we could use IP SLA with object-tracking. If we have to insert another route when we remove the default route we can simply use a dummy route. An additional fail safe would be to use a route-map when we redistribute the statics into EIGRP on the border router. We only allow the default route to be redistributed so whatever dummy route we added would not be redistributed to your ASA.

I think I have object tracking configured,,, did you see this on a post from earlier this morning?  I am pinging the ISP GW from the Border router using IP SLA  (perhaps object tracking is different, I will research). 

Also I had created a route map on the Border router as you had recommended this earlier.  It is only allowing the default route and denying all others..

see below:

route-map static permit 10
match ip address 20


bhigw2#sho access-list 20
Standard IP access list 20
    10 permit 0.0.0.0 (3 matches)
    20 deny   any (42 matches)
bhigw2#

Hope this helps

Kevin

Kevin

You have configured the IP SLA but you need to tie that into the static route, and I'm not aware you have done that, although you may have. Have a look at this link which explains it all -

Object tracking

The route-map does help thanks. It means if we have to insert a dummy route there is no possibility of it getting past the border router.

Jon

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

Jon

I read the article entitled "Reliable Static Routing Backup Using Object Tracking" that you had sent the link for.  Here is the config I have so far based on what it said to do:

ip sla monitor 1

type echo protocol ipIcmpEcho 209.145.88.29

frequency 30

ip sla monitor schedule 1 life forever start-time now

track 123 rtr 1 reachability

ip local policy route-map ipsla

access-list 150 permit icmp host 209.145.88.30 host 209.145.88.29

access-list 150 deny   icmp any any

route-map ipsla permit 150

match ip address 150

set interface GigabitEthernet0/1

ip route 0.0.0.0 0.0.0.0 209.XXX.88.XX track 123

ip route 0.0.0.0 0.0.0.0  123.456.789.123 254

Here is the output from the sho ip route track table command:

bhigw2#sho ip route track-tab
ip route 0.0.0.0 0.0.0.0 209.xxx.88.xx track 123 state is [up]
bhigw2#

I am hoping this may be all we need.  If you can look this over and tell me what you think.

Have a splendid weekend!

Kevin

Kevin

Had a spare half hour Sunday evening so did a quick lab. Apologies for this but reliable static routing with object tracking is actually overkill for what we need. All you actually need to do is track the route so full config -

ip sla monitor 1

type echo protocol ipIcmpEcho 209.145.88.29

frequency 30

track 123 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 209.145.88.29 track 123

and that's all you need to add. I tested this by shutting down the ethernet interface on the upstream router, i.e. the 209.145.88.29 router, and once the IP SLA failed on bhigw2 the static route was removed. Once removed it was no longer being redistributed into EIGRP and so was not passed back down the line to the 4500. The 4500 then used its floating static route pointing to the other gateway. Note, I think I have already mentioned this but make your floating static AD 200 or above.

Once I brought the interface back up and the IP SLA succeeded the route was reinstalled on bhigw2 and then redistributed all the way back to the 4500.

So I think we are there. Let me know if you have any other queries.

Jon

50 REPLIES
Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

I have a 4500 switch which is in the center of one of my customer's networks. The 4500 effectively routes between all the production VLANs for the customer.

I have a PIX connected to the switch in VLAN 1.  I have just configured RIP v1 as follows on the PIX:

rip outside passive version 1

rip inside passive version 1

rip inside default version 1

I used a sniffer and captured the RIP updates between the 4500 and the PIX. I see the PIX sending out a RIP update for the default route. However, I do not ever see the 4500 update its routing table to reflect it.

It is unclear to me why the 4500 won't update its route table with the default route from the PIX. I want this to be a secondary default route in case the main static route goes down.

Thanks

Kevin

Kevin

Could you clarify something?

You have a static default-route configured on the 4500 and you have the PIX advertising a default-route to the 4500 with RIP, and you don't see the RIP route in the routing table on the 4500 - is that what you are saying?

If so, you won't see it until the static route that you have configured is removed, because the statically configured route will have a lower AD and so be the one entered into the routing table.

If I have misunderstood please let me know.

Jon

New Member

Re: configuring RIP between a Pix and a 4500 switch

Jon

You did not misunderstand. I have one static route configured for default and currently it provides the only path out to the Internet. Since we do have a 2nd DSL connection for the client, I wanted to have a backup default route so that if something happens to the main one, I won't lose connectivity to the Internet.

The static route configured on the 4500 for default points to an ASA.  I guess I need to turn on RIP on the ASA as well and then remove the static route from the 4500 altogether?  Will I see both default routes on the ASA then, Jon?

Thanks

Kevin

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

Jon

You did not misunderstand. I have one static route configured for default and currently it provides the only path out to the Internet. Since we do have a 2nd DSL connection for the client, I wanted to have a backup default route so that if something happens to the main one, I won't lose connectivity to the Internet.

The static route configured on the 4500 for default points to an ASA.  I guess I need to turn on RIP on the ASA as well and then remove the static route from the 4500 altogether?  Will I see both default routes on the ASA then, Jon?

Thanks

Kevin

Kevin

You don't necessarily need to run RIP on anything. You could actually have a floating static route on the 4500, i.e.

ip route 0.0.0.0 0.0.0.0  200

The 200 is important because that is the AD. So your existing default-route is still the ASA. If the ASA is lost then the static route will be removed and the floating static used. If the ASA comes back online then the original static route will be used again.

Sounds great, but because they are ethernet connections you would need to track the availability of the next-hop, i.e. the ASA internal interface. You do this with IP SLA, which your switch may or may not support - depends on IOS version.

Alternatively you could -

1) have a floating static default-route

ip route 0.0.0.0 0.0.0.0 200

2) remove the other default route that points to the ASA

3) turn on RIP on the ASA and advertise a default route to the 4500.

Because RIP has a lower AD than 200, which is the AD of your floating static, the RIP route would be used. If the ASA failed it would no longer advertise the route and then the floating static would be used.

This would be a simpler solution if you are happy to turn on RIP on your ASA.

Out of interest, any reason why RIP? Is this what you run internally? I ask because the ASA supports OSPF and, as of v8.x code, EIGRP.

Jon

New Member

Re: configuring RIP between a Pix and a 4500 switch

Jon

I did not realize until your reply that the ASA supports EIGRP. I am running 8.2.1 and checked it out and right you are.  I may try to configure that instead.

RIP was just a lowest common denominator that I was going to use.  I had forgotten about floating static routes.

Thanks for your help.  I will keep you posted.

New Member

Re: configuring RIP between a Pix and a 4500 switch

John

I am experimenting with using a floating static default route here at this client as one of the options which you had recommended.

Here is a snapshot of the ip routes as configured on the core switch:

bhicore#sho run | i ip route

ip route 0.0.0.0 0.0.0.0 192.168.5.8

ip route 0.0.0.0 0.0.0.0 198.100.100.81 200

The 192.168.5.8 address is the inside interface of the ASA and leads to our Primary Metro Ethernet connection.

The 198.100.100.81 address is the inside interface of the PIX and leads to our Secondary DSL connection.

For testing: If I unplug the inside interface of the ASA, will the router know it is not there? How will it know to roll over to the Secondary connection?

Thanks

Kevin

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

John

I am experimenting with using a floating static default route here at this client as one of the options which you had recommended.

Here is a snapshot of the ip routes as configured on the core switch:

bhicore#sho run | i ip route

ip route 0.0.0.0 0.0.0.0 192.168.5.8

ip route 0.0.0.0 0.0.0.0 198.100.100.81 200

The 192.168.5.8 address is the inside interface of the ASA and leads to our Primary Metro Ethernet connection.

The 198.100.100.81 address is the inside interface of the PIX and leads to our Secondary DSL connection.

For testing: If I unplug the inside interface of the ASA, will the router know it is not there? How will it know to roll over to the Secondary connection?

Thanks

Kevin

Kevin

That's one of the problems with ethernet, i.e. the router may not realise the ASA has gone. That is why I suggested using a floating static on the router/switch pointing to the PIX and then using the dynamic routing protocol for the ASA. EIGRP/RIP/OSPF will all have lower ADs than 200, so it should be used unless the ASA fails, and then the route will not be sent to the switch.

If you want to use 2 static routes you will need to track the state of the ASA interface using IP SLA which your switch may or may not support.

Jon

New Member

Re: configuring RIP between a Pix and a 4500 switch

Jon

I am including a network diagram with the addresses stricken for you to take a look at. I am not so much concerned that the ASA may fail, but rather that my Metro Ethernet connection will fail. I think I actually am going to have to set up a dynamic routing protocol between my Border router (bhigw2), my Outside PIX (bhiasaop) and my Inside ASA (bhiasaip). Otherwise I am not sure how the Inside ASA would ever know that the default route is missing off of the Border router.

If you could please confirm that in fact I will have to turn on dynamic routing updates on the mentioned devices I would appreciate it.

I think this will make sense to you once you look at the attached drawing.

Thanks Jon

Kevin

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

Kevin

Apologies but i can't read visios on my laptop. Can you post it as a .jpg/.png file instead ?

Jon

New Member

Re: configuring RIP between a Pix and a 4500 switch

You bet.  Attached as .jpg

Kevin

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

Jon

I am including a network diagram with the addresses stricken for you to take a look at. I am not so much concerned that the ASA may fail, but rather that my Metro Ethernet connection will fail. I think I actually am going to have to set up a dynamic routing protocol between my Border router (bhigw2), my Outside PIX (bhiasaop) and my Inside ASA (bhiasaip). Otherwise I am not sure how the Inside ASA would ever know that the default route is missing off of the Border router.

If you could please confirm that in fact I will have to turn on dynamic routing updates on the mentioned devices I would appreciate it.

I think this will make sense to you once you look at the attached drawing.

Thanks Jon

Kevin

Kevin

You are right, although it is a little more complicated than that. You could use IP SLA tracking on your 4500 and check the reachability of the next-hop from your border router, i.e. where your border router sends traffic to after it leaves your LAN.

Or, as you say, you can use a routing protocol, but note you still need to use IP SLA tracking, this time on the border router. Because it is ethernet you need to track the next-hop from the border router. If that is up then advertise the default-route into your routing protocol, which will then get propagated to your PIX and ASA. If it is not up then the border router should not advertise it to the pix -> asa -> 4500. Then the floating static on the 4500 will kick in and it should go via the other link.

Note if you are going to run dynamic routing between border router/pix/asa make sure you use authentication and that the border router is secure.

Either way involves a fair bit of extra config

1) IP SLA on 4500, if supported (need to know IOS and feature set). You would need to allow ICMP through both firewalls and the border router to get to the next-hop you are checking for reachability

2) IP SLA on border router (will be supported) - you need to enable routing protocol on all intermediate devices

Jon

New Member

Re: configuring RIP between a Pix and a 4500 switch

Jon

the current IOS running on my 4500 Sup II+ module is Version 12.2(46)SG, RELEASE SOFTWARE (fc1)

How can we tell if this will support IP SLA.

I have the following available in the IOS, which I know from using context sensitive help:

bhicore#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
bhicore(config)#ip sla ?
  key-chain  Use MD5 authentication for IP SLAs control message
  responder  Enable IP SLAs Responder

bhicore(config)#ip sla

thanks Jon

Kevin

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

Jon

the current IOS running on my 4500 Sup II+ module is Version 12.2(46)SG, RELEASE SOFTWARE (fc1)

How can we tell if this will support IP SLA.

I have the following available in the IOS, which I know from using context sensitive help:

bhicore#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
bhicore(config)#ip sla ?
  key-chain  Use MD5 authentication for IP SLAs control message
  responder  Enable IP SLAs Responder

bhicore(config)#ip sla

thanks Jon

Kevin

Kevin

What feature set are you running?

Jon

New Member

Re: configuring RIP between a Pix and a 4500 switch

IP Base?..  here is the sho ver output

bhicore#sho ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(46)SG, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 27-Jun-08 16:56 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x11ABEC24

ROM: 12.2(20r)EW1
Dagobah Revision 226, Swamp Revision 34

thx

Kevin

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

IP Base?..  here is the sho ver output

bhicore#sho ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(46)SG, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 27-Jun-08 16:56 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x11ABEC24

ROM: 12.2(20r)EW1
Dagobah Revision 226, Swamp Revision 34

thx

Kevin

Kevin

Bad news unfortunately. You need Enterprise Services to run PBR but there is no Enterprise Services for the SupII+. I think PBR is only supported on Supervisor IV upwards on the 4500 switches.

Jon

New Member

Re: configuring RIP between a Pix and a 4500 switch

This makes me want to ask then about EIGRP. I understand that it is a bit overkill for this little network; however, because it is link state would it not suffice? I think that all the devices will support it on the ASA side leading to the Internet (Border Router, ASA Outside, DMZ switch which is a 3550 model, and Inside ASA)?

If the Border router loses its Ethernet facing outside, then would EIGRP propagate the loss, since it is a topology change, down the line until it reached the Core Router?

Thanks Jon

Kevin

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

This makes me want to ask then about EIGRP. I understand that it is a bit overkill for this little network; however, because it is link state would it not suffice? I think that all the devices will support it on the ASA side leading to the Internet (Border Router, ASA Outside, DMZ switch which is a 3550 model, and Inside ASA)?

If the Border router loses its Ethernet facing outside, then would EIGRP propagate the loss, since it is a topology change, down the line until it reached the Core Router?

Thanks Jon

Kevin

Kevin

DMZ 3550 switch, if this is L2 then it doesn't need to support EIGRP. If L3 then you need EMI image on it.

You would have a default-route on the border router pointing to the next-hop ISP address and redistribute this into EIGRP. This will then be an EIGRP external route with an AD of 170, so make sure your floating static has a higher AD.

Once the route is removed from the border router then yes, it will propagate all the way back to your 4500 and it will be removed, and so the floating static you have configured on your 4500 to the other ASA will then be used. The only thing I'm not 100% sure about is whether the route will be removed if the interface goes down, and I'm not sure it will, because you are not receiving this route from your ISP, you are actually originating it on the border router.

So it will need testing. If I have time tomorrow I will lab it up for you.

Edit - actually if the interface goes down the route will be removed. It's more a question of what happens if the remote ISP router goes down that needs testing. What connectivity is there between your border router and the ISP router, i.e. is it ethernet or serial?

Jon

New Member

Re: configuring RIP between a Pix and a 4500 switch

Jon

Sorry for the delay in my response. 

We have a Metro Ethernet connection to the ISP...

Is the command that I use to redistribute the static

router eigrp 100

redistribute static ( i am not sure of the rest)  seems the options are route-map or metric

Thanks Jon

Kevin

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

Jon

Sorry for the delay in my response. 

We have a Metro Ethernet connection to the ISP...

Is the command that I use to redistribute the static

router eigrp 100

redistribute static ( i am not sure of the rest)  seems the options are route-map or metric

Thanks Jon

Kevin

Kevin

You don't need to specify a metric when you redistribute static routes into EIGRP (although you do need a metric for redistributing everything else into EIGRP!!).

The route-map would be used if you had a number of static routes on the device and you only wanted to redistribute some of them.

So "redistribute static" should do the trick for you.

Jon

New Member

Re: configuring RIP between a Pix and a 4500 switch

Because I have static routes on the Border router which point to the client inside network addresses, I had to write the following route-map and ACL

route-map static permit 10
match ip address 20

bhigw2#sho access-list 20
Standard IP access list 20
    10 permit 0.0.0.0 (2 matches)
    20 deny   any (28 matches)

Once I did this, I could see the 0 route advertised out.  What I am not seeing is the 0 route in the ASA (his EIGRP neighbor) route table. The only 0 route is the static configured on it... 

thx

Kevin

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

Because I have static routes on the Border router which point to the client inside network addresses, I had to write the following route-map and ACL

route-map static permit 10
match ip address 20

bhigw2#sho access-list 20
Standard IP access list 20
    10 permit 0.0.0.0 (2 matches)
    20 deny   any (28 matches)

Once I did this, I could see the 0 route advertised out.  What I am not seeing is the 0 route in the ASA (his EIGRP neighbor) route table. The only 0 route is the static configured on it... 

thx

Kevin

Kevin

If you have a statically configured default route on the ASA then a default route learnt from EIGRP will not replace it or be entered into the routing table. You would need to remove the statically configured route and then the EIGRP route would be used.

Presumably the default route from EIGRP is using the same next-hop as the statically configured default route on the ASA?

Before you do this run this command on the ASA "sh eigrp topology all-links". You should see the EIGRP routes learnt from your border router and hopefully the default route will be there.

Jon
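The route selection that the whole design in this thread leans on can be hard to follow across the posts: a static default (AD 1) on a device beats the EIGRP-learned default, so the EIGRP one is never installed and never passed on (Jon's reply just above); an EIGRP external route (AD 170) beats a floating static at 200 on the 4500 (Jon's earlier replies on floating statics); and a tracked static that is withdrawn on the border router stops being redistributed, so the 4500 falls back to the floating static (Jon's lab in the accepted solutions). The Python model below is an added example and is not code from the thread or from Cisco. It uses the device names and addresses Kevin posted; the 192.168.5.0/24 static on the border router is constructed so the route-map filter has something to deny; the neighbor chain is simplified to bhigw2 -> bhiasaop -> bhiasaip -> bhicore (bhiedge left out); and the one EIGRP behaviour it assumes is that a device only re-advertises a prefix whose installed route is its own EIGRP one, which is the behaviour behind Jon's reading of "0 successors, FD is Inaccessible" as a sign of a better route from another source.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances IOS/ASA use for these sources; floating statics get 200+
AD = {"connected": 0, "static": 1, "eigrp": 90, "rip": 120, "eigrp-external": 170}


@dataclass(frozen=True)
class Route:
    prefix: str        # "0.0.0.0/0" is the default route
    next_hop: str
    source: str        # key of AD
    distance: int


def route(prefix: str, next_hop: str, source: str, distance: Optional[int] = None) -> Route:
    return Route(prefix, next_hop, source, AD[source] if distance is None else distance)


class Rib:
    """One device's routing table: of all candidates for a prefix, the lowest AD is installed."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.candidates: Dict[str, List[Route]] = {}

    def add(self, r: Route) -> None:
        self.candidates.setdefault(r.prefix, []).append(r)

    def best(self, prefix: str) -> Optional[Route]:
        cands = self.candidates.get(prefix, [])
        return min(cands, key=lambda r: r.distance) if cands else None

    def installed(self) -> List[Route]:
        return [self.best(p) for p in self.candidates]


def acl_20_permits(prefix: str) -> bool:
    """Standard ACL 20 from the thread: 'permit 0.0.0.0' (implied wildcard 0.0.0.0, so it
    matches only a network address of exactly 0.0.0.0) followed by 'deny any'."""
    return prefix.split("/")[0] == "0.0.0.0"


def redistribute_static(rib: Rib) -> List[str]:
    """'redistribute static route-map static': installed statics the route-map permits."""
    return [r.prefix for r in rib.installed() if r.source == "static" and acl_20_permits(r.prefix)]


def eigrp_readvertises(rib: Rib) -> List[str]:
    """Assumed EIGRP behaviour: a device only passes on a prefix whose installed route is the
    EIGRP one. If a lower-AD route wins, the entry shows 0 successors and is not sent."""
    return [r.prefix for r in rib.installed() if r.source == "eigrp-external"]


def scenario(track_up: bool, asa_static_default: bool = False) -> Dict[str, Optional[Route]]:
    """Return each device's installed default route for one state of the design."""
    # bhigw2 (border router): the default is a tracked static, present only while track 123 is up
    bhigw2 = Rib("bhigw2")
    bhigw2.add(route("192.168.5.0/24", "206.248.224.2", "static"))   # constructed inside-network static
    if track_up:
        bhigw2.add(route("0.0.0.0/0", "209.145.88.29", "static"))
    prefixes = redistribute_static(bhigw2)

    # bhiasaop (outside firewall) learns them by EIGRP; optionally it also holds its own static default
    bhiasaop = Rib("bhiasaop")
    if asa_static_default:
        bhiasaop.add(route("0.0.0.0/0", "206.248.224.1", "static"))
    for p in prefixes:
        bhiasaop.add(route(p, "206.248.224.1", "eigrp-external"))

    # bhiasaip (inside firewall) only receives what bhiasaop actually installed from EIGRP
    bhiasaip = Rib("bhiasaip")
    for p in eigrp_readvertises(bhiasaop):
        bhiasaip.add(route(p, "172.16.1.2", "eigrp-external"))

    # bhicore (4500): the EIGRP default from the ASA if present, plus the floating static to the PIX
    bhicore = Rib("bhicore")
    for p in eigrp_readvertises(bhiasaip):
        bhicore.add(route(p, "192.168.5.8", "eigrp-external"))
    bhicore.add(route("0.0.0.0/0", "198.100.100.81", "static", distance=200))

    return {d.name: d.best("0.0.0.0/0") for d in (bhigw2, bhiasaop, bhiasaip, bhicore)}


if __name__ == "__main__":
    cases = (("track up", (True,)), ("track down", (False,)), ("ASA keeps a static default", (True, True)))
    for label, args in cases:
        core = scenario(*args)["bhicore"]
        print(f"{label}: 4500 default via {core.next_hop} ({core.source}, AD {core.distance})")
```

Running it prints the 4500's default for the three states: with the track up the EIGRP external default via the ASA wins at AD 170; with the track down only the floating static via the PIX remains; and with a static default left on the outside ASA the EIGRP default stops there and never reaches the 4500, which is the situation Kevin described two posts up.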

New Member

Re: configuring RIP between a Pix and a 4500 switch

I ran the command "sho eigrp top all-links" as you had indicated. This showed the learned routes just as you had indicated (way to go Jon!).

Here is a snapshot:

bhiasaop# sho eigrp top all

EIGRP-IPv4 Topology Table for AS(100)/ID(206.248.224.2)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 0.0.0.0 0.0.0.0, 0 successors, FD is Inaccessible, serno 0
        via 206.248.224.1 (33280/30720), Ethernet0/0
P 192.168.5.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.3 (30720/28160), Ethernet0/1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 28160, serno 2
        via Connected, Ethernet0/1
P 206.248.224.2 255.255.255.255, 0 successors, FD is Inaccessible, serno 0
        via 206.248.224.1 (30720/28160), Ethernet0/0
P 206.248.224.0 255.255.255.0, 1 successors, FD is 28160, serno 3
        via Connected, Ethernet0/0

For some reason, the ASA is not propagating these routes inward towards the DMZ switch.  I have tried toggling auto-summary on the ASA and receive these messages while running debug on the DMZ switch:

bhiedge#
Jan 26 16:18:59.672: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(100) 100: Neighbor 172.16.1.2 (Vlan1) is down: peer restarted
Jan 26 16:19:00.140: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(100) 100: Neighbor 172.16.1.2 (Vlan1) is up: new adjacency
Jan 26 16:19:01.680: EIGRP-IPv4(Default-IP-Routing-Table:100): 172.16.1.0/24 - do advertise out Vlan1
Jan 26 16:19:01.680: EIGRP-IPv4:(100): Int 206.248.224.0/24 M 28416 - 25600 2816 SM 28160 - 25600 2560
Jan 26 16:19:01.680: EIGRP-IPv4(Default-IP-Routing-Table:100): 206.248.224.0/24 routing table not updated thru 172.16.1.2
Jan 26 16:19:01.688: EIGRP-IPv4(Default-IP-Routing-Table:100): 172.16.1.0/24 - do advertise out Vlan1
Jan 26 16:19:01.688: EIGRP-IPv4:(100): Int 206.248.224.0/24 M 28416 - 25600 2816 SM 28160 - 25600 2560
Jan 26 16:19:01.700: EIGRP-IPv4:(100): Int 206.248.224.0/24 M 28416 - 25600 2816 SM 28160 - 25600 2560

What am I missing Jon?

Kevin

Re: configuring RIP between a Pix and a 4500 switch

It is such an interesting post, and I thought of barging in... I was reading the entire post for the past 20 mins and have a fair idea.. Sorry if I misunderstood something or am asking questions which have already been answered here..

Is the DMZ switch bhiedge layer 3? I saw in some posts before that it was layer 2? Are the L3 DMZ VLANs (172.16.1.x) terminating on the bhiasaop firewall or the bhiedge switch? Can you please give "show ip eigrp neighbor" on the ASA bhiasaop firewall to check if it has a neighbor relation with the bhiedge switch? Why don't you have a direct EIGRP neighborship with bhiasaip instead of having the switch in between (on L3)? In case the DMZ switch has EIGRP configured, make sure you don't have passive interface configured for the layer 3 VLAN IP subnets..

Raj

New Member

Re: configuring RIP between a Pix and a 4500 switch

Raj

Don't feel like you are barging in.  I welcome your help with this.  John has been very gracious with his expertise on this and other posts.

To answer your questions

Is the DMZ switch bhiedge layer 3?

  Yes it is L3.  I have the one VLAN configured on it and it has an ip address on it that functions as the default gateway for the 4 servers in our DMZ.

Can you please give "show ip eigrp neighbor" on the ASA bhiasaop firewall to check if it has a neighbor relation with the bhiedge switch?

bhiasaop# sho eigrp nei
EIGRP-IPv4 neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.1.7              Et0/1            13     1d02h 3    200   0   44
2   172.16.1.3              Et0/1            14     1d02h 1    200   0   72
0   206.248.224.1           Et0/0            12     1d02h 6    200   0   41
bhiasaop#

Why don't you have a direct EIGRP neighborship with bhiasaip instead of having the switch in between (on L3)?

I think they are neighbors too?..

In case the DMZ switch has EIGRP configured, make sure you don't have passive interface configured for the layer 3 VLAN IP subnets..

I don't have it configured as passive.  See below:

bhiedge#sho run | begin router
router eigrp 100
network 172.16.0.0

Thanks Raj.  Like I said, any input is welcome.

Kevin


Re: configuring RIP between a Pix and a 4500 switch

Hi Kevin

Even if the DMZ switch isn't L2, it should learn the routes propagated by bhiasaop.. as Jon said, give a "no auto-summary" on the EIGRP process to make sure it can support classless routing.. the outputs on ASA bhiasaop look good.. can you give us the output of the EIGRP topology database on the bhiedge switch and bhiasaip? show ip eigrp topology? Are these networks being advertised back from bhipix??

Can you make sure you have the internal network 172.16.1.0 on the switch and the bhiasaip PIX? Have no auto-summary on all switches and PIX running EIGRP...

Lastly - you can run debug eigrp neighbor to check if the routes are being received on the DMZ switch?

Note - if you want to make bhiedge a layer 3 switch, you should probably split up the broadcast domain between bhiasaop and bhiasaip... have separate /30 networks between the switch and the firewalls, so that there are prominent EIGRP neighbors defined...

Hope this helps.. all the best

Raj

New Member

Re: configuring RIP between a Pix and a 4500 switch

Raj

I made sure that auto summary is turned off everywhere.  Here are the outputs from bhiedge switch in the DMZ and bhiasaip (inside Firewall)

bhiedge#sho ip eigrp top all
EIGRP-IPv4 Topology Table for AS(100)/ID(172.16.1.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 206.248.224.0/24, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (28416/28160), Vlan1
P 192.168.5.0/24, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.3 (28416/28160), Vlan1
P 172.16.1.0/24, 1 successors, FD is 2816, serno 1
        via Connected, Vlan1
bhiedge#

bhiasaip#   sho ei top all

EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.10.20)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 192.168.10.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.11.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.5.0 255.255.255.0, 1 successors, FD is 28160, serno 1
        via Connected, Ethernet0/1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 28160, serno 2
        via Connected, Ethernet0/0
P 198.100.100.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 206.248.224.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (30720/28160), Ethernet0/0
bhiasaip#

When I turn on debugging on the Edge switch, I do not see anything happening with respect to EIGRP.  No routes or anything else..

bhiedge#debug ip eigrp
IP-EIGRP Route Events debugging is on
bhiedge#debug ip eigrp top
% Incomplete command.

bhiedge#debug ip eigrp top ?
  WORD  Topology instance name

bhiedge#debug ip eigrp top 100
IP-EIGRP Route Events debugging is on
bhiedge#

Thanks Raj

Kevin

Re: configuring RIP between a Pix and a 4500 switch

Hi kevin

I do see the routes for 206.248.224.0/24 on the DMZ and bhiasaip firewall.... these are the routes which are propagated from the bhiasaop firewall, right? I see the following:

P 206.248.224.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (30720/28160), Ethernet0/0

Can you give a show ip route on the DMZ and bhiasaip firewall and confirm if these routes are installed in the routing table? Are you having issues with reachability?

Regards

Raj

New Member

Re: configuring RIP between a Pix and a 4500 switch

No issues with reachability Raj.  I have static routes configured for all networks everywhere.  This is a milestone as I am attempting for the first time to implement some dynamic routing on the network in order to facilitate the ability to failover to a different route to 0.0.0.0 if the main Internet connection fails.  This is pretty well documented within the earlier parts of this chain between John and I.

I am simply trying to get the 0.0.0.0 route advertised by the Border Router to propagate down the line via EIGRP until it makes it into our Core Router.

I can post the route tables when I get onsite tomorrow if necessary.  But the main focus and next step should be why the 0 route is not making it from the bhiasaop device to the bhiedge switch, as EIGRP ought to be shipping it to the switch from the Firewall.  I am not sure why this is not happening.

Thanks

Kevin

Hall of Fame Super Blue

Re: configuring RIP between a Pix and a 4500 switch

k-melton wrote:

Raj

I made sure that auto summary is turned off everywhere.  Here are the outputs from bhiedge switch in the DMZ and bhiasaip (inside Firewall)

bhiedge#sho ip eigrp top all
EIGRP-IPv4 Topology Table for AS(100)/ID(172.16.1.7)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 206.248.224.0/24, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (28416/28160), Vlan1
P 192.168.5.0/24, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.3 (28416/28160), Vlan1
P 172.16.1.0/24, 1 successors, FD is 2816, serno 1
        via Connected, Vlan1
bhiedge#

bhiasaip#   sho ei top all

EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.10.20)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 192.168.10.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.11.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 192.168.5.0 255.255.255.0, 1 successors, FD is 28160, serno 1
        via Connected, Ethernet0/1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 28160, serno 2
        via Connected, Ethernet0/0
P 198.100.100.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 192.168.5.1 (28416/2816), Ethernet0/1
P 206.248.224.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.2 (30720/28160), Ethernet0/0
bhiasaip#

When I turn on debugging on the Edge switch, I do not see anything happening with respect to EIGRP.  No routes or anything else..

bhiedge#debug ip eigrp
IP-EIGRP Route Events debugging is on
bhiedge#debug ip eigrp top
% Incomplete command.

bhiedge#debug ip eigrp top ?
  WORD  Topology instance name

bhiedge#debug ip eigrp top 100
IP-EIGRP Route Events debugging is on
bhiedge#

Thanks Raj

Kevin

Kevin

I think we need to see all the routing tables from the relevant devices as Raj requested.

Can we have routing tables from border router/outside firewall (op), DMZ switch, inside firewall ip.

Also can you post relevant config from each of the above devices for any static routes that you have added.

Some routers are showing as FD inaccessible, which often means that there is a better route available such as a static. I think we need to see exactly what is configured on each device.

Jon

New Member

Re: configuring RIP between a Pix and a 4500 switch

Jon

I can put these routing tables in later if necessary, but I can definitely tell you that all routes are configured statically at this point.  This is how the network was first built.  It was simple and we did not see the need to run any dynamic protocol.  Now we are at a point where we can see how it would be beneficial to have the ability to fail over with respect to Internet access (we have many processes at this customer that depend on the Internet for transactions) to keep things up.

This was not really an option before as the alternate Internet connection was a DSL connection that was only at 1 mg or some small figure.  It has since been upgraded to a 10 mg pipe.

Thanks Jon

Kevin
