
Redistribution ebgp to eigrp

Steve Coady
Level 1

Hello

I have an AVPN network of 20 sites. 5 of the sites are a recent acquisition.

These 5 sites required a different default link to the internet and so a GRE tunnel was implemented between these 5 sites where the 0.0.0.0 is advertised across the GRE tunnel. BGP is used to advertise out to the AVPN cloud.

Sites_1-4 use site_5 as the internet link

These (5) sites currently use static routes but want to implement EIGRP on their L3 HE switch & route amongst themselves

I need to redistribute EIGRP into BGP and possibly vice-versa.

Here is their proposed config:

Site_1 - 4 L3 switch EIGRP config

conf t
key chain KEY
key 1
key-string (string)
exit

conf t
int fa0/24
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
exit

router eigrp 10
no auto-summary
eigrp stub connected static
network 10.0.0.0 0.255.255.255
network 172.16.0.0 0.0.240.255
network 192.168.0.0 0.0.255.255

Site_5 (Internet link) L3 switch EIGRP config

conf t
key chain KEY
key 1
key-string (string)
exit

conf t
int fa0/24
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
exit

router eigrp 10
no auto-summary
network 10.0.0.0 0.255.255.255
network 172.16.0.0 0.0.240.255
network 192.168.0.0 0.0.255.255

Currently I have the WAN BGP configured specifying networks to be advertised

router bgp 6xxxx
no bgp log-neighbor-changes
network 10.40.a.0 mask 255.255.255.0
network 10.40.b.0 mask 255.255.255.0
network 10.40.c.0 mask 255.255.255.0
network 10.40.d.0 mask 255.255.255.0
.
.
network 10.40.i.0 mask 255.255.255.0
redistribute static
neighbor 172.16.x.2 remote-as 11111
neighbor 172.16.x.2 distribute-list 10 in

Requirement:

I need specific statements to complete this redistribution

sMc
13 Accepted Solutions

Jon Marshall
Hall of Fame

Steve

Sorry to overload you but another important thing to understand when you redistribute EIGRP into BGP. If site 1 receives all the AVPN routes via BGP, redistributes into EIGRP and then sends them to site 5, site 5 will then redistribute those back into BGP. Site 5 is now advertising all the AVPN destinations. So traffic for existing sites could end up going to site 5.

So route filtering + tags is critical if you want to redistribute EIGRP into BGP.

Jon

Right then i can only think that the return traffic is going via the AVPN cloud. Which it is because i have just seen your last post.

One thing i forgot to ask.

You can if you want have sites 1 - 4 communicate with each other via the AVPN cloud. It is only site 5 that is the problem because site 5 has to know all subnets for the other new sites via the GRE tunnel.

Would you want this rather than all inter site traffic for the new sites going via GRE tunnels. ?

Jon


Steve

Apologies but i have just seen another issue. The GRE tunnel is on the same router as the BGP connection. Site 5 receives sites 1 - 4 routes via EIGRP which are AD 90 but it also sees sites 1 - 4 routes via BGP and because it's the same router it will always choose the AVPN cloud. So all return internet traffic will go via the AVPN cloud.

If this needs to be done tonight then it depends how quick and dirty you want it.  For example sites 1 - 4 already have a static route for internet.

At site 5 on the WAN router we could simply use static routes for all site 1 - 4's subnets pointing to the relevant GRE tunnel. Static routes are preferred over EBGP routes so that would work.  Statics are not the best because there is no failover ie. if site 1 tunnel went down it couldn't then use the AVPN cloud to get to sites 2 - 4. But how much traffic is there between the new sites if you take out internet connectivity ?

Note also that even if you used EIGRP and the tunnel went down you would still have sites 1 - 5 connectivity but no internet because we are not allowing the BGP default route in. So it all comes down to how much redundancy you want/need for sites 1 - 5 non internet connectivity ? 

Can you also confirm and this is important that each new site only has the one WAN router and that is the only entry/exit point into each site ?

Jon


Steve

My sincere apologies. Even though you told me it was one router i have stupidly been working under the assumption it was 2 routers connecting to a L3 switch. So i was concerned about EIGRP internal being preferred over EBGP but the actual issue is the other way round because it's all on the same router ie. the AVPN cloud will always be the preferred route.

And this happens at all new sites ie. BGP routes to new sites take preference over EIGRP learned routes. So here is what i propose -

1) let sites 1 - 4 use the AVPN cloud for inter site connectivity but not internet connectivity. This will happen without any extra config.

2) filter out the default route via BGP so sites 1 - 4 use the default route via the GRE tunnel.

3) site 5 is the issue. If we use EIGRP to advertise sites 1 - 4 subnets to site 5 down the GRE tunnel site 5 will ignore them and use the AVPN cloud. So we either -

i) change the admin distance of EIGRP at site 5 which is very messy but would mean that if the GRE tunnel went down for site 1 for example, site 5 could use the AVPN cloud for connectivity to site1 for non internet traffic. Site 1 has obviously lost connectivity to the internet.

or

ii) use statics on site 5 WAN router for all sites 1 - 4 subnets pointing to the relevant tunnel. Drawback here is that if tunnel to site 1 goes down the AVPN cloud cannot be used as backup.

That said apart from internet just how much connectivity is there between the sites.

Once again i apologise for my really stupid mistake. 

If you want to carry on this (and i wouldn't blame you if you didn't) can you open a new thread where we can pick up as this thread is getting a bit long and taking a long time to load for me.

Let me know what you think.

Jon


Yes it does but not if we change to EIGRP.

Jon


Steve

Are you the one implementing this. Can we do it one step at a time. The first thing to do is get EIGRP up and running between the new sites. Don't do anything with BGP yet and certainly don't do any redistribution anywhere.

So if you can do this step by step, simply get EIGRP running between all new sites. Leave the statics in at the moment.

I'm making the assumption that you do not want return traffic from the internet for the new sites going via the AVPN cloud ie.

site1 -> GRE tunnel -> site5 -> internet

internet -> site 5 -> AVPN cloud -> site 1

if that is acceptable then the config becomes a lot easier.

Oh and can you open new thread as this is getting difficult to follow.

Jon


34 Replies

Jon Marshall
Hall of Fame

Steve

I had a quick read of your other thread with Milan. Can i summarise it like this  -

site 5 has an internet connection used by that site and sites 1 - 4. You have GRE tunnels between site 5 and the other sites (hub and spoke) and you advertise a default route down this tunnel for internet.  You require connectivity between these new sites and the existing sites via the AVPN cloud.

If so a couple of questions -

1) the new sites use the GRE tunnels for internet. Do you want the new sites to use the GRE tunnels for routing between each new site's subnets as well. So the only time they use the AVPN cloud is to get to existing sites. Or do you want all non internet traffic for the new sites to use the AVPN cloud.

2) Each new site is also peering using EBGP with the AVPN cloud.

3) If so is the WAN router running BGP also the one with the GRE tunnel

4) Does BGP advertise a default route to your existing sites for their own internet connection.

If i have misunderstood then please clarify.

Jon

Jon

Thank you for the reply

I would think ALL non internet traffic should use the AVPN cloud. What would be the pros and cons of each?

The WAN router runs bgp and the GRE tunnel

BGP does advertise a default route for my existing sites

sMc

There aren't really any pros and cons as such, it is more to do with your policy in terms of how you want to route traffic. If you wanted to use the AVPN cloud then you must make sure you do not advertise EIGRP routes down the tunnel. I asked because you said you wanted to run EIGRP between the new sites but if it is only a default route then i can't see the advantage.  And your config suggests you are using EIGRP to advertise each new sites subnets.  ?

Using mutual redistribution also needs careful planning. So a couple of further questions -

1) how many routes are there in terms of routes received via EBGP. Hopefully not too many so you can redistribute into EIGRP.

2) How many subnets are in each new site. To avoid mutual redistribution you can use network statements under the BGP config and if there are not that many subnets or you can summarise then i think that would be the way to go.

3)  The default route from BGP should be filtered. If you use statics for the GRE tunnel default the BGP route would not be used but it's still better to filter it if you do not want the new sites to ever use the AVPN internet connection. if you used EIGRP to redistribute default route from site 5 then the BGP default route definitely needs filtering as it would be the preferred route.

Have i understood your setup correctly because i need to understand it before suggesting how to do it.

Jon

Steve Coady
Level 1

Jon

Site_1 - 4 are only using GRE for a default route to Internet thru Site_5.

Routes received via EBGP = approx 50

Each new site has approx 15 subnets.

Prior to this bgp/eigrp design, there was no eigrp at all. BGP had each subnet defined with network commands. Those network commands would have to be removed.

Here is the config i have developed so far.

L3 HE LAN Switches


L3 LAN switches at Sites_1 - 4

conf t
router eigrp 10
no auto-summary
eigrp stub connected static
network 10.0.0.0 0.255.255.255
network 172.16.0.0 0.0.240.255
network 192.168.0.0 0.0.255.255
exit

key chain KEY
key 1
key-string (string)
end

conf t
int fa0/24
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
ip hello-interval eigrp 10 5
ip hold-time eigrp 10 15
end


L3 LAN switch at Site_5


conf t
router eigrp 10
no auto-summary
network 10.0.0.0 0.255.255.255
network 172.16.0.0 0.0.240.255
network 192.168.0.0 0.0.255.255
exit

key chain KEY
key 1
key-string (String)
exit

conf t
int fa0/24
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
ip hello-interval eigrp 10 5
ip hold-time eigrp 10 15
exit


AVPN Router EIGRP config

Example Site_5


conf t
route-map BGP-to-EIGRP permit 10
set tag 6xxxx
!
route-map EIGRP-to-BGP deny 10
match tag 6xxxx
!
route-map EIGRP-to-BGP permit 20
match ip address any
!
router eigrp 10
no auto-summary
redistribute static
Redistribute BGP 6xxxx
redistribute bgp 6xxxx metric 10000 10 255 1 1500 route-map BGP-to-EIGRP
!
key chain KEY
key 1
key-string (string)
!
router bgp 6xxxx
redistribute eigrp 10 route-map EIGRP-to-BGP
bgp redistribute-internal
!
int Gi0/0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
ip hello-interval eigrp 10 5
ip hold-time eigrp 10 15
end

Please review and advise.

sMc

Steve

We need to agree on a few things before we proceed with configs -

1) non internet traffic between the new sites - which way do you want them to go. The easier solution is via the GRE tunnels but if you need it to go via the AVPN then so be it.

2) Do you need mutual redistribution in each new site. BGP to EIGRP yes. But EIGRP to BGP. You only have 15 subnets, is there a reason you don't want to use network statements under BGP.

For example if you do mutual redistribution then you are going to have to filter out the default route that is learnt via the GRE tunnel so it is not advertised back to the AVPN cloud.

Jon

Steve

Actually when i said it would get messy i'm not sure it's even possible. How do you tell site 5 to use the GRE routes for internet traffic and the AVPN cloud for non internet traffic to the same subnet. You could use PBR maybe but it is going to get very tricky.

Jon

Jon

PBR would involve a MACD with AT&T, not enough time

So you are saying what exactly? that we have to use the GRE tunnels? If so, what will that look like?

sMc

Steve Coady
Level 1

Jon

Glad I reached out to you. Thanks for the guidance!

Easier is better for me, so via the GRE tunnels is cool.

The reason for not using network statements under BGP came from partners at these sites who don't want to have to worry about making any manual changes to BGP if all routing can be advertised via dynamic routing. They simply add/delete subnets on their L3 switch and done!

Here is an alternate config we were working on that used the GRE tunnels. What do you think?

Sites_1 – 4 Router EIGRP script

conf t
router eigrp 10
no auto-summary
network 10.0.0.0 0.255.255.255
network 172.16.0.0 0.0.240.255
network 192.168.0.0 0.0.255.255
exit

key chain KEY
key 1
key-string (string)
exit

conf t
int Tu0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
ip hello-interval eigrp 10 5
ip hold-time eigrp 10 15
exit

int Gi0/0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
ip hello-interval eigrp 10 5
ip hold-time eigrp 10 15
exit

Site_5 Router EIGRP script

conf t
router eigrp 10
no auto-summary
network 10.0.0.0 0.255.255.255
network 172.16.0.0 0.0.240.255
network 192.168.0.0 0.0.255.255
exit

key chain KEY
key 1
key-string (string)
exit

conf t
int Tu0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
ip hello-interval eigrp 10 5
ip hold-time eigrp 10 15
exit

int Tu1
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
ip hello-interval eigrp 10 5
ip hold-time eigrp 10 15
exit

int Tu2
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
ip hello-interval eigrp 10 5
ip hold-time eigrp 10 15
exit

int Tu3
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
ip hello-interval eigrp 10 5
ip hold-time eigrp 10 15
exit

int Gi0/0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 KEY
ip hello-interval eigrp 10 5
ip hold-time eigrp 10 15
exit

Would it be a combination of this GRE example combined with the example we have been discussing?

sMc

Steve

Okay here is what i would do if you want mutual redistribution. Use tags as you have done to control what gets redistributed into what. I understand the argument about not having to do manual addition. The way i used to do it was to have a summarised address range used under a network statement for BGP. The summarised range had extra subnets not used so when a subnet was added no extra config was required for BGP. I preferred this because with mutual redistribution there can be unexpected consequences.

But lets go with mutual redistribution.  You need to -

1) make sure first of all that when you redistribute EIGRP into BGP you make sure you do not redistribute the default route from site 5 into BGP at any of the new sites.

2) You should also only advertise each site's subnets into BGP ie. you will need to have a filter so site 1's subnets, for example, are redistributed in BGP at site 1 but not sites 2 - 5 subnets. Otherwise traffic could come in via site 1 for any of the other new sites and then have to go via the GRE tunnel.

I am absolutely not trying to convince you into using network statements under BGP but both the above are non issues if you do use network statements.

3) you need to make sure the default route from BGP is filtered out at each new site. If you don't BGP route is AD 20, default route from site 5 is either AD 90 OR 170 so the new sites would use the AVPN cloud for internet traffic.

4) You need  to understand that when you redistribute into EIGRP from BGP those routes learnt at site 1 for example will now be advertised down the GRE tunnel to site 5. So -

site 1 WAN router receives BGP routes and redistributes into EIGRP. Site 1 passes these EIGRP routes to site 1 switch. But because you have an EIGRP peering with site 5 on the same router site 1 also advertises those routes to site 5.  Site 5 now sees 2 paths to the same destination network. Actually site 5 will see 5 routes in total, the one it receives from BGP and the ones it receives from sites 1 - 4. It should use the BGP route but you may want to filter the routes advertised down the GRE tunnels between the new sites ie.

each site only advertises its own routes down the GRE tunnel and you filter out the other sites' routes (the new sites and the existing sites) learnt from the BGP to EIGRP redistribution.

And at site 5 you need to do the same + the default route needed for internet connectivity.

So there is a lot of route filtering you need to do.

Does everything i have said make sense ? If not please ask for clarification because you need to understand all the issues before trying to configure/implement anything.

Jon
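
The four filters listed in the post above, sketched for the Site_1 WAN router as an added example; it is not part of the original thread and not a config anyone in it posted. The prefix 10.40.16.0/20 and the names AVPN-IN, DEFAULT-ONLY and SITE1-LOCAL are assumptions, while 6xxxx, 172.16.x.2, EIGRP AS 10 and Tunnel0 are taken from the configs posted in the thread.

```cisco
! Added example for the Site_1 WAN router; not a config from the thread.
! Constructed: prefix 10.40.16.0/20 and the names AVPN-IN, DEFAULT-ONLY,
! SITE1-LOCAL. 6xxxx and 172.16.x.2 are masked values as posted in the thread.
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
! Site_1's own subnets: any prefix of length /20 to /24 inside the range
ip prefix-list SITE1-LOCAL seq 5 permit 10.40.16.0/20 le 24
!
! Point 3: drop the AVPN default so the BGP default (AD 20) is never installed.
! A route-map is used because the neighbor already has "distribute-list 10 in"
! and IOS does not accept a prefix-list in the same direction alongside it.
route-map AVPN-IN deny 10
 match ip address prefix-list DEFAULT-ONLY
route-map AVPN-IN permit 20
!
! BGP -> EIGRP: tag everything that came from the AVPN cloud.
route-map BGP-to-EIGRP permit 10
 set tag 6xxxx
!
! Points 1 and 2: EIGRP -> BGP. Tagged routes never go back into BGP, and only
! this site's own subnets are permitted. The implicit deny at the end drops
! the default learned over the tunnel and the other new sites' subnets.
route-map EIGRP-to-BGP deny 10
 match tag 6xxxx
route-map EIGRP-to-BGP permit 20
 match ip address prefix-list SITE1-LOCAL
!
router bgp 6xxxx
 neighbor 172.16.x.2 route-map AVPN-IN in
 redistribute eigrp 10 route-map EIGRP-to-BGP
!
router eigrp 10
 redistribute bgp 6xxxx metric 10000 10 255 1 1500 route-map BGP-to-EIGRP
 ! Point 4: only Site_1's own subnets are advertised down the GRE tunnel.
 distribute-list prefix SITE1-LOCAL out Tunnel0
!
! Checks after applying:
!  show ip route 0.0.0.0
!    (the default must not be a BGP route via 172.16.x.2)
!  show ip bgp neighbors 172.16.x.2 advertised-routes
!    (only prefixes matching SITE1-LOCAL should be listed)
!  show ip eigrp topology <prefix>/<len>
!    (routes redistributed from BGP should carry the administrator tag)
```

Each of sites 2 - 5 would need its own local prefix-list in place of SITE1-LOCAL.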

Jon

That's a lot to take in!!

If I keep the network statements under BGP, then issues 1 & 2 are nil, yes?

I understand that Routes learnt from BGP will be re-advertised down the tunnel due to peering and that I do not want this to happen.

So I want to use this latest config with the tunnels but add route filtering like in the first config?

Could you please provide some examples of the filtering statements?

sMc

Steve

I've just posted a bit of further info of a worst case scenario. Using network statements under BGP would also remove that issue as well.

1 & 2 would not be an issue with network statements either. Basically most of your problems arise from the fact you have BGP peering in these new sites for the existing AVPN sites but also GRE for new sites.

I promise we will get to the config but how are these sites at the moment ? Are they connected at all or not. I ask because a phased approach might be sensible rather than trying to do it all at once.

I would look to get the GRE tunnels up, internet connectivity working between the new sites and making sure only site 5 has the routes for all new sites.

How are you proposing to send a default route from site 5 to the other new sites ?

Jon

Jon

The Tunnels are up and I can traceroute to Google dns from each site across the tunnel.

Each site has the other sites routes in their route table via BGP

sMc

But at the moment are you using EIGRP down the GRE tunnels or are you still using statics ?

If you are using statics then how does the traceroute work ie.

site 1 traceroutes to 8.8.8.8. It uses the static to get to site 5 and off to the internet. But unless site 5 is aware of site 1s subnets it will send the return traffic via the AVPN cloud. So when you do a "sh ip route" on site 5 WAN router what is the next hop ?

Jon

We do not have EIGRP configured at all at this time

sMc