
EIGRP/RIP/Windows 2003-2008 dynamic routing

Sam Oesterling
Level 1

I have been playing around with this for about a day now, and I needed to break down and ask you all this, as I am getting into a routing situation that I do not have a lot of experience with.

Goal:  My goal is to get my DMZ Windows hosts to receive routing updates from my Cisco network using RIP, so I do not have to maintain static routes on the hosts themselves.  We have an inline DMZ that is made up of two separate subnets (i.e. 192.168.100.0/24 & 192.168.200.0/24).  The edge ASA is out in a collocation network, and two 3845 ISR routers connected via two bonded T1 links connect the two DMZ subnets together with another ASA in the back of the corporate DMZ.  My issue is that I am trying to configure a little router redundancy between my corporate DMZ subnet 192.168.200.0/24 and my collocation DMZ subnet (192.168.100.0/24).  I have two 1800 routers in each subnet, and the ones in the corporate DMZ of 192.168.200.0/24 are also connected to the Internet via a cable Internet connection.  I have a GRE tunnel configured between the 1800 series routers to provide an alternative path between the DMZ subnets in case of a 3845 router failure.  My entire network is running EIGRP for the network devices (layer 3 switches, routers, and ASAs) to exchange routing information automatically.

Tried so far:  I know that Windows servers support RIPv2.  In my collocation DMZ (192.168.100.0/24), I tried a test VM and configured RRAS and enabled RIPv2.  Since I use EIGRP, and I don't really want to run both protocols on all network devices, I decided to redistribute EIGRP information into RIP from my 1800 router, which populated the Windows routing table once I disabled split horizon on the router's collocation DMZ interface (192.168.100.5).

Problem:  The problem I ran into was when I enabled RIPv2 on the main 3845 collocation DMZ router.  That broke my network for a few seconds, so I in turn disabled RIP and the network was back to normal again.  I have been reading my CCNP BSCI book and read that redistribution can cause routing loops.  I thought that EIGRP's AD would maintain the routing conditions between the Cisco network, and the RIP information would be purely for the Windows hosts to get routing information from the network.  I don't have a test environment, so I'm trying to be very careful when making changes to my production network during normal business hours.

Theory:  Since I do not care for the routers to exchange information via RIP with each other (that is what I have EIGRP for), I thought that by filtering incoming RIP routing updates on both the 3845 router and the 1800 router, it would prevent a loop.  I would also redistribute EIGRP on both systems, with the metric being lower on the 3845 than on the 1800 so that the preferred path is the 3845.  That way, in the event of a failure, the backup 1800 with the GRE tunnel over the Internet would allow traffic (VoIP, HTTP application traffic, etc.) to pass back and forth.

I know this design may not make a lot of sense to a large enterprise, but we have just over 100 employees in our company, so our network budget does not allow for 2:1 devices.  Our routers' roles are not as separated or redundant as they would be at an organization with 10,000 people.  For example, the collocation 3845 router provides WAN access to corporate, QoS for VoIP, and DMVPN access for our teleworkers.  Our corporate 3845 is our WAN router, QoS system, and CME PBX.  The idea behind my design is to eliminate a single point of failure for all network services.  Sure some services will be lost if a router is out, but at least the entire network does not come to a stand still (VPN, VoIP, HTTP Apps, etc).

Question: If I configured an inbound filter on each router's RIP process to "deny ip any any", would that make sure each Cisco router did not learn anything from RIP, but they would still share the redistributed information from EIGRP with the DMZ hosts?  OR am I over-engineering this, and should I just bounce all traffic off of the redundant ASA firewalls and route with the ASA?  I thought that seemed a little redundant to route in one direction and turn around and send it back out the opposite direction.  I have attached a picture of the network design that I am trying to configure.

Any thoughts or suggestions would be appreciated!!!



Jon Marshall
Hall of Fame

Just to clarify a few points -

1) what is the default-gateway on your server(s) in both locations

2) are the 1800 routers also running as firewalls, as they are both connected to the internet as far as I can see?

3) The main point you are trying to get around is inter-DMZ communication, yes? i.e. if the 3845 link goes down you want to route the traffic via the internet?

It's a little unusual to say the least to have routers in your DMZs, but let's not get too tied down with details at the moment.

Jon

Jon,

Thanks for the response!  I have routers in my DMZ b/c I have T1 serial connections connecting them together via a PPP link.  Last time I checked Cisco did not have T1 WICS for switches.  Fiber is not available in our building at the moment, so we can't get metro E.

#1 - The default gateway is 192.168.100.1, which is the collocation ASA cluster that is connected to our collocation provider's network via HSRP.  That route is distributed via EIGRP from the ASA (redistributing static).

#2 - The 1800 in our corporate network connected to cable Internet is running ZBFW; the collocation router is behind the redundant ASAs.

#3 - Yes, the T1 links are bonded, but if something happened to one of the routers, let's just say worst case the supervisor dies, then I want traffic to route via the Internet over my IPSec-secured GRE tunnel.  Our main concern is that if that bonded PPP link goes down, everything comes to a halt.

Does that help?


A bit. It's quite a complex setup, so you'll have to bear with me with some more questions.

1) your 1800 in the colo shows a direct connection via VPN to the internet - is that actually going via the colo ASA?

2) Are you saying the default-gateway for all servers, both colo and your corporate network, is the colo ASA? I'm not sure how this works, as you said your corporate DMZ was 192.168.200.x, so how are they using a default-gateway in a different subnet, or have I misunderstood? Can you clarify?

Jon

Yes this is complex, thanks for bearing with me. 

The 1800 does have limited access to the Internet.  Only IPSec related traffic from the corporate 1800 router's public IP address is allowed over the ASA.

The SLA for the T1 lines is much better than our cable Internet, so we implemented the cable Internet connection to improve the web browsing performance at our corporate office, but traffic that needs QoS or a more reliable connection routes via the T1s.

Here is how it works.  Under our Microsoft Active Directory group policies, all web browser traffic is sent to a Microsoft ISA server, which has a static default route of the 1800 router in the corporate DMZ.  This router connects to the cable modem for access to the Internet directly.  It will in turn route all "web" traffic out the cable Internet connection to take some of the junk traffic (Gmail, Yahoo, Facebook, whatever) off of the tier 1 connections where VoIP, VPN, etc. run.  The cost of the cable Internet is less than the T1 traffic, so we route "less important" traffic over it.  We do, however, want to use it in case of main network failure, hence where this question comes into play.

So, all of the Cisco network devices have a default route that will route traffic from the corporate LANs to the edge ASA in the colo, and they learn it from EIGRP.

corporate LAN ---> *back end ASA *---> corporate DMZ ---> *3845 router* --->T1 WAN --->*3845 router* -->collocation DMZ ---> *edge ASA* --> Internet

The 1800 in the colo is configured physically as such:   1800 ---->colo DMZ ----> edge ASA ---> Internet.

The 1800 in the colo is configured logically as such:      corporate DMZ ---> 1800 colo -->GRE tunnel ---> 1800 corporate --> corporate DMZ

We did this because our colo network houses our DR equipment, and we replicate data from our corporate network to the DR equipment.  Our collocation provider charges us based on 95th percentile bandwidth usage.  If we were replicating from our corporate site to our DR site via the Internet, then it would cost more.  Instead the design was made (before we installed the cable Internet) so that we would point our T1 to our colo/DR site and use that to route traffic to and from the Internet.  It was a cost saving at the time.  Now that we moved our phone equipment over to VoIP last year, the need to make the connection between the corporate office (where most of our servers are located) and the colo network (where we access the Internet) more redundant grew.  We have built this out over time to spread the capital investment over a couple of years.  So we have a mix of network design and business politics here.  I'm trying to set up the GRE tunnel that will run EIGRP a week from Saturday, and yesterday I had an epiphany about the DMZ hosts.  I have those configured with static routes to send traffic to the 3845 routers.  I realized that the hosts would not be able to take advantage of the GRE tunnel and routing convergence unless they either 1.) learned internal routes from an internal routing protocol (Windows 2003 supports OSPF and RIPv2; Windows 2008 only supports RIPv2), or 2.) bounced all traffic off a redundant ASA.  I thought the most efficient way to switch and route traffic is directly to the device, so I have been leaning towards the RIP idea and playing around with it.

Does that help any?

What I need to know is the default-gateway of the servers in both DMZs. If you have static routes on servers, then yes, if the link fails they won't reroute. But if you can somehow update the default-gateway to point somewhere else, you remove the need for static routes on servers.

You said before all servers had a default-gateway of the colo ASA, i.e. 192.168.1.x, but the servers in your corporate DMZ are using the 192.168.200.x address space, so they can't be using 192.168.1.x as a default-gateway.

So can you just specify -

1) What static routes you have on hosts

2) why you have them

3) what is the hosts default-gateway ie. on both DMZs

Jon

Ah, sorry, I was thinking on the network device's default route, not the host.

In the corporate DMZ the default route would be 192.168.200.1 (3845) and in the collocation DMZ it would be 192.168.100.1 (ASA).  It basically defaults out, and the static routes are for the networks that are internal.  For example, a corporate web application server needs to access an Oracle database in 192.168.300.0/24 that is behind our back end ASA.  Instead of "bouncing" that traffic off of the default gateway (in this case the corporate 3845), I route it directly to the corporate back end ASA (192.168.200.254 on the DMZ interface / 192.168.300.1 on the inside interface).  Technically that is the shortest switched path available.

I guess another idea would be to run HSRP between the 1800 routers and the 3845 routers, but they are not the same hardware, nor are they configured alike, so I have not really considered that idea.  I guess in a really large network I would do that.

Actually I was just thinking that myself, i.e. the HSRP thing, but you would need to change the default-gateway on the colo DMZ servers as well to point to the HSRP address. Would this be a problem?

Basically firewalls are not really routers. Setting up HSRP between the 1800 and 3845 in each site and then pointing the servers to that HSRP address would work quite nicely. There will be some bounce back traffic, i.e. traffic from corporate DMZ to corporate internal has to go via the 3845, but that is minimal trouble compared to having to have static routes on your servers.

There would be no problem configuring HSRP between the 1800 and 3845; as long as there is L2 adjacency, which it looks like there is via your DMZ switches, it will work fine. You are going to have to use HSRP track on your 3845 routers so that if the serial interface fails (I'm assuming it's serial, let me know if it's not), then the HSRP active gateway switches across to the 1800 routers at both sites. If it's serial, a loss of one end should bring down the serial interface on the other end.

If you made the HSRP virtual IP the default-gateway in the colo site, which you would have to do, then you would need a default-route pointing to the colo ASA. - *** edit actually you wouldn't need to add one as the colo ASA is redistributing this into EIGRP already

It's not a particularly clean solution, i.e. bouncing traffic around in the DMZ, but it fits your topology and is much easier than either -

1) having static routes on the servers

2) running RIP purely for the servers and having to redistribute EIGRP into RIP

Like I say, the main stumbling block I could see would be changing the default-gateway on the colo DMZ servers; is this doable?

Edit - just to clarify the routing you would need to do -

On the 3845 and 1800 on the corporate site you would either need to -

1) add routes to your internal corporate network


2) advertise them from your corporate ASA which you may or may not be doing already

Jon
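The HSRP-with-tracking design Jon describes, written out as an added IOS configuration for the corporate DMZ pair (example added here, not configuration from the thread or from either poster). Addresses that the thread states are the 3845's 192.168.200.1 and the back end ASA's 192.168.200.254; the virtual IP 192.168.200.250, the 1800's address 192.168.200.2, the interface names, the group number and the key string are assumptions. The colo pair would mirror this in 192.168.100.0/24, with the colo 1800 keeping its 192.168.100.5 address and the default route still coming from the ASA via EIGRP, as Jon notes.

```cisco
! ---- Corporate 3845 (preferred gateway while the bonded T1s are up) ----
! Assumed: Multilink1 is the PPP multilink over the two T1 serials,
! GigabitEthernet0/0 faces the corporate DMZ switch.
track 10 interface Multilink1 line-protocol
!
interface GigabitEthernet0/0
 description corporate DMZ
 ip address 192.168.200.1 255.255.255.0
 standby version 2
 standby 200 ip 192.168.200.250
 ! 110 beats the 1800's 100; when track 10 fails it drops to 90 and the
 ! 1800 takes over (its priority stays 100 while its tunnel is up).
 standby 200 priority 110
 ! Wait 30 s after the multilink comes back before reclaiming the VIP,
 ! so EIGRP over the T1s has converged before hosts flip back.
 standby 200 preempt delay minimum 30
 standby 200 track 10 decrement 20
 standby 200 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
! ---- Corporate 1800 (backup gateway, GRE/IPsec tunnel to the colo 1800) ----
! Assumed: Tunnel0 is the existing GRE tunnel, FastEthernet0/0 faces the DMZ.
track 20 interface Tunnel0 line-protocol
!
interface FastEthernet0/0
 description corporate DMZ
 ip address 192.168.200.2 255.255.255.0
 standby version 2
 standby 200 ip 192.168.200.250
 standby 200 priority 100
 standby 200 preempt
 ! If the tunnel is also down, 100-20 = 80 < 90, so the VIP stays on the
 ! 3845 even with its multilink failed: a dead T1 is no worse than a dead
 ! tunnel, and hosts are not flapped for nothing.
 standby 200 track 20 decrement 20
 standby 200 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
! Both corporate routers must know the internal corporate networks behind
! the back end ASA (Jon's point 1/2): either the ASA advertises them into
! EIGRP, or add a static on each router, e.g. (placeholder prefix):
! ip route 192.168.300.0 255.255.255.0 192.168.200.254
```

Verify with `show standby brief` on both routers, then `shutdown` the multilink on the 3845 in a maintenance window and confirm the 1800 shows Active and a DMZ host's traceroute to the colo now crosses Tunnel0.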

Actually I was just thinking that myself, i.e. the HSRP thing, but you would need to change the default-gateway on the colo DMZ servers as well to point to the HSRP address. Would this be a problem?

No, it would be fine.  There are only a handful of DMZ hosts, so switching these and cleaning up the static routes wouldn't be too bad.

There would be no problem configuring HSRP between the 1800 and 3845; as long as there is L2 adjacency, which it looks like there is via your DMZ switches, it will work fine. You are going to have to use HSRP track on your 3845 routers so that if the serial interface fails (I'm assuming it's serial, let me know if it's not), then the HSRP active gateway switches across to the 1800 routers at both sites. If it's serial, a loss of one end should bring down the serial interface on the other end.

OK, I wasn't sure if the routers need to be similar or not.  Good to know.  Yes, the interface is actually a multilink interface made up of two serial interfaces.

If you made the HSRP virtual IP the default-gateway in the colo site, which you would have to do, then you would need a default-route pointing to the colo ASA. - *** edit actually you wouldn't need to add one as the colo ASA is redistributing this into EIGRP already

Yes, 0.0.0.0 is redistributed by the colo ASA into EIGRP.

It's not a particularly clean solution, i.e. bouncing traffic around in the DMZ, but it fits your topology and is much easier than either -

1) having static routes on the servers

2) running RIP purely for the servers and having to redistribute EIGRP into RIP

Like I say, the main stumbling block I could see would be changing the default-gateway on the colo DMZ servers; is this doable?

Edit - just to clarify the routing you would need to do -

On the 3845 and 1800 on the corporate site you would either need to -

1) add routes to your internal corporate network

2) advertise them from your corporate ASA which you may or may not be doing already

I agree with you.  The more I think about this, I think that I can live with the not-so-clean solution rather than having something that would require advanced routing skills to configure a new DMZ host (i.e. installing and configuring Windows RRAS to run RIP).

Time to read up on HSRP!

Jon, thanks again for your time and effort!  I was betting my question was too complex for most people to even bother responding to!

No problem, glad to have helped.

Hope the changes go okay and if you need any help with HSRP setup just shout.

Jon
