I am about to do an EIGRP configuration but I would like to hear some feedback from the experts.
This is my layout:
Inet RT -- ASA -- 3550 core -- 2651XM (voice)
The 2651XM is connected to another office in Texas with the same layout using a point-to-point connection.
I am thinking to configure EIGRP as follows:
Option 1: Configure SLA tracking on the ASA so I can track when the outside interface of the Inet RT is down. The ASA will propagate the Inet RT path as default route to the 3550 L3 switch. On the 3550 (core), I will configure a static floating route with an AD higher than the path advertised by the ASA. This static floating route will point out to our office in Texas. When the Inet RT interface is down, the ASA will remove the route and the static floating route will be added as default route in the routing table of the 3550 sending all the traffic out the 2651XM.
Option 2: Configure Texas route in Miami's devices and do redistribution.
I would like to hear some feedback from you guys. Thanks for your time.
ASA does not support EIGRP, it supports only RIP and OSPF at this point of time. How would you propagate the default route to 3550? In order to pass EIGRP across the ASA, you might have to do GRE tunnel over IP, between Inet RT and 2651XM. That might work but it will bring in a lot of complexity.
Probably you can look for using the OSPF in your topology and running OSPF between all the devices and tracking the static default route.
I recommend configuring RIP or OSPF between these 3 devices with the ASA propagating a conditional default-information originate.
Both routing protocols support this option while EIGRP does not.
Configure the current default gateway for your network with a static route with a metric higher than your current routing protocol pointing to the Texas network, in case the ASA stops announcing the default route.
Not sure what your configuration for devices in Miami is, but I would recommend establishing a GRE Tunnel between the 2651 and another GRE-capable device.
GRE is frequently used for being able to perform dynamic routing across distances (e.g. GRE over IPSec tunnels).
Routing your internal networks through firewalls is a nasty thing, especially when you don't consider your fw as a core/internal device (since it truly bridges the outside/inside).
Simply enable EIGRP between 3550 and 2651, and then enable EIGRP on the GRE subnet between sites. This works like an absolute charm.
In conjunction with what was said above, you can simply configure floating-static routes on your core (AD set high enough) and then route-tracking (SLA tracking, whatever you call it) on the ASA for being able to route back to the inside through the tunnel -- have the tunnel IP address be the tracked object.
Long-winded answer, but your ideal situation (in my opinion) is SLA tracking on fw + GRE between sites.
Why should I use GRE when I have a dedicated point-to-point between sites?
Just to clarify, I am not using the ASA to route any internal network. I will just use the SLA tracking feature to determine whether the serial interface of the Internet router is up or down. When it is down, the ASA will remove that route; therefore, my core switch will remove it as well.
I have been discussing this with some local engineer and they believe that a simple EIGRP configuration will work just fine. They stated that Miami will have Texas route as the only alternate choice and vice versa; therefore, if the Internet router interface is down all the traffic will be routed out to Texas.
Ahh, I am sorry -- I didn't realize it was point-to-point (misread and assumed you have an MPLS connection or so). In that case, since your routers are already directly adjacent, you don't need GRE.
However, I think this is a poor design to have the firewall participating as a factor in the core switch's routing decision process.
All you have to do is have routes from Miami come in through the serial interface (thus, EIGRP's next hop for those routes will be the serial interface). If that interface goes down, the routes will be invalidated at the 2651 and then at the 3550. There is absolutely no need to involve the firewall here...
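Option 1 as discussed in the thread, written out as an added configuration sketch (not posted by anyone in the thread): the ASA tracks the Internet router's serial address and advertises a conditional OSPF default to the 3550, the 3550 runs EIGRP to the 2651XM and keeps a floating static default toward Texas. All addresses, process numbers and interface names are assumed placeholders.

```cisco
! ---- ASA: withdraw the default route when the Internet router's serial side stops answering ----
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside   ! placeholder: Inet RT serial address
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! Tracked static default: removed from the ASA routing table when track 1 goes down
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0          ! placeholder: ASA-to-3550 subnet
 ! Without "always", the default is advertised only while the ASA itself holds one,
 ! so the OSPF default disappears together with the tracked route above
 default-information originate
!
! ---- 3550 core: OSPF toward the ASA, EIGRP toward the 2651XM, floating static toward Texas ----
ip routing
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
!
router eigrp 100
 network 10.0.1.0 0.0.0.255                     ! placeholder: 3550-to-2651XM subnet
 no auto-summary
!
! AD 200 loses to the OSPF external default (AD 110) while the ASA advertises it;
! once the ASA withdraws, this route installs and Internet-bound traffic goes to the 2651XM
ip route 0.0.0.0 0.0.0.0 10.0.1.2 200          ! placeholder: 2651XM inside address
!
! ---- 2651XM: EIGRP on the LAN and the point-to-point serial, default toward Texas ----
router eigrp 100
 network 10.0.1.0 0.0.0.255
 network 192.168.255.0 0.0.0.3                  ! placeholder: serial /30 toward Texas
 no auto-summary
!
! Used only when the 3550 forwards Internet-bound traffic here
ip route 0.0.0.0 0.0.0.0 192.168.255.2 200      ! placeholder: Texas router serial address
```

Verify the failover with `show route` on the ASA and `show ip route 0.0.0.0` on the 3550 while the tracked target is reachable and again after it stops answering; the 3550 should swap from the OSPF-learned default to the static one.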