12-19-2008 01:53 PM - edited 03-04-2019 12:46 AM
Hi,
I am running EIGRP and have the default route to the Internet properly sent to all devices. Currently our Internet goes out through the same location for all three sites.
I have a new hub location that will have its own Internet connection but will be connected to the hub via a point to point circuit.
I have a 3560 performing my routing and it is getting its routing updates from EIGRP. I added a static route on the 3560 to route Internet traffic to its local ASA device.
My problem is trying to route Internet traffic across the point to point if the ASA device is down.
Any help would be greatly appreciated.
12-23-2008 04:40 AM
James
Can you draw a quick diagram of what is connected to what? Also, you want to apply the distribute list to vlan 11 only because it is on the vlan 11 interface that the 3560 connects to the P2P router, i.e.
distribute-list 1 out vlan 11
When you apply the distribute-list what happens to the routing table at the hub?
Are you receiving the default-route on the 3560 from the ASA?
Something is missing here, a topology diagram would really help.
Jon
12-23-2008 08:50 AM
Jon,
The config I posted didn't include vlan 11 part but it is in my config. I missed that it was omitted when I posted.
I have distribute-list 1 out vlan 11 applied in the eigrp section. When I apply this the hub loses the routes advertised by the 3560. The 3560 is still getting the updates from the hub. The 3560 shows all the networks advertised by the hub.
I don't have the ASA advertising the default route static route yet. I want to make sure my filtering is working.
Attached is a snip of my network diagram. I have circled the devices we have been discussing.
Thank you for your help.
James
12-23-2008 09:04 AM
James
Can you post the full config for the 3560?
Jon
12-23-2008 09:15 AM
James
You have the following on your 3560:
router eigrp 1
 distribute-list 1 out
 no auto-summary
 eigrp stub connected summary
 network 10.0.0.0
 network 192.168.130.0
You will have to remove the eigrp stub connected summary bit as there are now 2 paths to get out of the network.
Jon
12-23-2008 09:43 AM
12-23-2008 09:49 AM
James
I went back to the lab to try out my original suggestion of using 2 static routes but have the one pointing to the hub with an AD of 250.
I got the same result as you, i.e. the route did not drop out of the routing table. And then I realised why. It's because that route is via a L3 vlan interface, i.e. to get to the ASA go via vlan 1 interface.
So I changed the connection on the 3560 to a routed port connection and it worked as expected. So to summarise:
On your 3560 at the moment you have the ASA connected into an interface on the switch. That interface is a switchport and is in vlan 1. You have a default-route on the 3560
0.0.0.0 0.0.0.0 10.130.1.10
The problem is when 10.130.1.10 goes down the route stays in the routing table because the port the ASA is connected to is a switchport, i.e. it is not a layer 3 port.
So one way to make this work is to make the port that the ASA connects into on the 3560 a routed port. But you can't do that with vlan 1 because I'm assuming there are other devices in your site that are on vlan 1.
So you would need to
1) use a new subnet for 3560 to ASA, e.g. 192.168.5.0/30
2) on the 3560 port that connects to the ASA
int fa0/10
 no switchport
 ip address 192.168.5.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.168.5.2
ip route 0.0.0.0 0.0.0.0
3) On the ASA - the inside address would need to be changed to 192.168.5.2 255.255.255.252
And the ASA would no longer know how to get to vlan 1 subnet so you would need a route on the ASA
route inside 10.130.1.0 255.255.255.0 192.168.5.1
Jon
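The behaviour described in the post above, as an added Python model that is not part of the original thread: a static route stays installed while its next hop resolves through an interface that is up, and a VLAN interface stays up as long as any port in the VLAN has link. The hub next hop `192.0.2.2`, the uplink port `fa0/24`, the second VLAN 1 port `fa0/1` and the 3560 address `10.130.1.1` are constructed values.

```python
import ipaddress

def interface_up(iface, links):
    # An SVI stays up while any port in its VLAN has link;
    # a routed port follows its own physical link.
    if iface["kind"] == "svi":
        return any(links[p] for p in iface["ports"])
    return links[iface["ports"][0]]

def installed_default(interfaces, statics, links):
    """Return (next_hop, AD) of the default route the RIB would install."""
    connected = [ipaddress.ip_interface(i["ip"]).network
                 for i in interfaces if interface_up(i, links)]
    usable = [(ad, nh) for nh, ad in statics
              if any(ipaddress.ip_address(nh) in net for net in connected)]
    if not usable:
        return None
    ad, nh = min(usable)          # lowest administrative distance wins
    return nh, ad

HUB = "192.0.2.2"                 # constructed hub next hop (not from the thread)
UPLINK = {"kind": "svi", "ip": "192.0.2.1/30", "ports": ["fa0/24"]}

# Before: ASA on a switchport in VLAN 1, shared with other hosts.
svi_design = [UPLINK, {"kind": "svi", "ip": "10.130.1.1/24",
                       "ports": ["fa0/10", "fa0/1"]}]   # 10.130.1.1 is assumed
svi_statics = [("10.130.1.10", 1), (HUB, 250)]

# After: ASA on a routed port in 192.168.5.0/30.
routed_design = [UPLINK, {"kind": "routed", "ip": "192.168.5.1/30",
                          "ports": ["fa0/10"]}]
routed_statics = [("192.168.5.2", 1), (HUB, 250)]

def asa_link_lost(design, statics):
    # The ASA-facing port fa0/10 loses link; everything else stays up.
    links = {"fa0/24": True, "fa0/1": True, "fa0/10": False}
    return installed_default(design, statics, links)

if __name__ == "__main__":
    print("SVI design:   ", asa_link_lost(svi_design, svi_statics))
    print("routed design:", asa_link_lost(routed_design, routed_statics))
```

The model reacts to link state only: an ASA that stops forwarding while its port stays up is not detected by either design.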
12-23-2008 12:08 PM
Jon,
I did as you suggested and everything works as designed. I took the ASA down and the default traffic routes to the hub.
Thank you for all your help. Have a good holiday.
James
12-23-2008 12:38 PM
James
Glad we finally got it working.
Have a good holiday as well :-)
Jon
12-23-2008 07:30 AM
James
I have just set up a quick lab - I don't have an ASA but I used 2 x 3550 switches and a 2600 router.
2600 (192.168.5.2/24) -> (vlan 11) -> (192.168.5.1/24) 3550_1 (192.168.1.120/24) -> vlan 2 -> (192.168.1.121/24) 3550_2
On the 3550_2 (which is emulating the ASA) I added a static default-route and redistributed into EIGRP, e.g.
3550_2
router eigrp 1
 redistribute static
 network 192.168.1.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Null0
The routing tables on the other 2 devices looked like
3550_1
C 192.168.5.0/24 is directly connected, Vlan11
C 192.168.1.0/24 is directly connected, Vlan2
D*EX 0.0.0.0/0 [170/2816] via 192.168.1.121, 00:07:57, Vlan2
2600
C 192.168.5.0/24 is directly connected, FastEthernet0/0
S 192.168.1.0/24 [1/0] via 192.168.5.1
D*EX 0.0.0.0/0 [170/28416] via 192.168.5.1, 00:00:01, FastEthernet0/0
I then added a distribute-list to 3550_1
3550_1
router eigrp 1
 network 192.168.1.0
 network 192.168.5.0
 distribute-list 1 out Vlan11
 no auto-summary
!
! a standard ACL ends with an implicit deny, so permit every other route
access-list 1 deny 0.0.0.0
access-list 1 permit any
The routing tables on the 2 devices
3550_1 (didn't change)
C 192.168.5.0/24 is directly connected, Vlan11
C 192.168.1.0/24 is directly connected, Vlan2
D*EX 0.0.0.0/0 [170/2816] via 192.168.1.121, 00:00:57, Vlan2
2600 (default-route has been removed)
C 192.168.5.0/24 is directly connected, FastEthernet0/0
S 192.168.1.0/24 [1/0] via 192.168.5.1
Jon
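A standard ACL ends with an implicit deny, so a distribute-list whose ACL holds only the deny entry for 0.0.0.0 filters every route rather than just the default; a neighbour that loses all routes once the distribute-list is applied is the symptom to check for. The sketch below is an added Python model, not part of the original thread, that evaluates a standard ACL against route prefixes the way an outbound distribute-list does; the route list is constructed from prefixes mentioned in the thread.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny {any | host A | A [wildcard]}' entries."""
    entries = []
    for line in lines:
        tok = line.split()
        action, rest = tok[2], tok[3:]
        if rest[0] == "any":
            base, wild = 0, MASK32
        else:
            if rest[0] == "host":
                rest = rest[1:]
            base = int(ipaddress.IPv4Address(rest[0]))
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, base, wild))
    return entries

def advertised(routes, acl_lines):
    """Prefixes a 'distribute-list <acl> out' would still advertise."""
    acl = parse_standard_acl(acl_lines)
    passed = []
    for prefix in routes:
        # A standard ACL compares only the route's network address.
        net = int(ipaddress.ip_network(prefix).network_address)
        for action, base, wild in acl:      # first match wins
            care = ~wild & MASK32
            if (net & care) == (base & care):
                if action == "permit":
                    passed.append(prefix)
                break
        # no match at all: implicit deny, the prefix is filtered
    return passed

# Constructed routing table for the example (prefixes taken from the thread).
ROUTES = ["0.0.0.0/0", "10.130.1.0/24", "192.168.130.0/24"]
DENY_ONLY = ["access-list 1 deny 0.0.0.0"]
DENY_THEN_PERMIT = DENY_ONLY + ["access-list 1 permit any"]

if __name__ == "__main__":
    print("deny only:        ", advertised(ROUTES, DENY_ONLY))
    print("deny + permit any:", advertised(ROUTES, DENY_THEN_PERMIT))
```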
12-19-2008 02:37 PM
James
Can you also post output of "sh ip route" from 3560.
Jon