To Clear A Passive EIGRP Route

We have a Cisco router which has learned an incorrect passive eigrp route; we would like to clear this route from the router but don't know how.
We'd like to avoid rebooting the router if possible.
Any info on this is appreciated.

Hello,
Where was the route injected into EIGRP from? As long as the route is injected it will be announced to all EIGRP routers. "Passive" just means that the route is learned and no queries are unanswered. This is the normal state of any route in EIGRP.
So to get rid of the route you should have a look at the router injecting it and reconfigure it to not advertise it.
Hope this helps! Please rate all posts.
Regards, Martin

Similar Messages

  • Eigrp routes doesn't refresh when neighbor down

    Hi guys, need some tips for troubleshooting an ongoing issue, but can't do the changes anymore until next call and yes the issue is still ongoing.
                           WAN1 <--------------------------------------------------------------------------------------------> WAN2
                               |                                                                                                                                       |  
                       metro ethernet ME-3600X-A  <----> ME-3600X-B  <----->  ME-3600X-C<----> c3560v2
    I have 3 metro ethernet switches and a c3560v2 switch connected as above. The WAN1 redistributes all routes to ME-3600X-A's eigrp and WAN2 redistributes all routes to c3560v2's eigrp and these two propagate all their eigrp routes to ME-3600X-B and ME-3600X-C which are in the same eigrp AS. And all link/connections are point-to-point.
    Now, when the link between ME-3600X-B <----> ME-3600X-C is physically disconnected, the ME-3600X-C's eigrp still points the route(s) to the ME-3600X-B's p2p ip as its next-hop, which is down (neighborship between them goes down, but still the routes don't refresh/rebuild). However, switch c3560v2 has a route to the same network learnt from WAN2.
    Wonder why, need inputs please? Thanks.

    You shouldn't reference the CrystalReportViewer in the Page_Load handler, since there's issues with serialization of the report source:
    http://devlibrary.businessobjects.com/BusinessObjectsXIR2SP2/en/en/CrystalReports_dotNET_SDK/crsdk_net_doc/doc/crsdk_net_doc/html/crconsdkfundamentalspersistencepageloadeventhandler.htm
    In fact, you should save the report source in session, and bind it to the viewer on post-back. Sample code can be found here:
    http://resources.businessobjects.com/support/communitycs/FilesAndUpdates/sample_applications_for_.NET_developers.pdf
    Sincerely,
    Ted Ueda

  • EIGRP Routing across MPLS Cloud

    I apologize if this has been covered but I don't see any exact hits...
    We are working with our Service Provider to implement MPLS between our remote sites and main campus. We are currently using PtoP T1 in a hub and spoke model. We are running EIGRP in our entire environment.
    We would like to continue to run EIGRP in our environment but the SP does not support this protocol through the cloud. I would prefer not to introduce any new routing protocols into our environment such as BGP. (I believe SP is running BGP).
    I have read snippets that I can use a GRE tunnel between sites and send EIGRP routing updates via this tunnel.
    Can anyone support this method or are there better alternatives? If I implement GRE, I will still need to configure static routes so GRE knows how to reach the remote sites. I also cannot find any literature on how to configure GRE tunnels and use them ONLY for routing updates. I would think sending all traffic via GRE would cause additional overhead.
    I will also have a need to send Multicast traffic between sites. I have read that GRE is the way to do this. To me it seems GRE will serve dual purposes: first to allow Dynamic routing updates between sites and also to allow Multicast traffic.
    I appreciate any comments or suggestions!

    Hello Phil,
    Using GRE tunnels to build an overlay would deny one of the greatest benefits of MPLS L3 VPN: the peer model where each CE talks only with the local PE node.
    Unless you have a small number of sites this approach is not recommended.
    What if a new site is added in the future? You would need to configure a GRE tunnel to the new site in each of the existing sites.
    You could run a DMVPN (that is, use mGRE) to solve this but it has some complexity.
    You can run BGP without using mutual redistribution: BGP allows you to advertise internal networks using the network command even if they are not directly connected to the CE router but learned via EIGRP.
    So it is enough to redistribute only BGP into EIGRP by setting a default seed metric (it requires five values in EIGRP and it is necessary or redistribution will not occur)
    router bgp 65001
     neighbor PE-address remote-as SP-AS-number
     network 10.10.10.0 mask 255.255.255.0
     network 10.10.20.0 mask 255.255.254.0
     no auto-summary
    ! note: if auto-summary is disabled you need to provide the exact mask / prefix length
    router eigrp 100
     redistribute bgp 65001
     default-metric 10000 1000 255 1 1500
    ! BW delay reliability load MTU
    Hope to help
    Giuseppe

  • ISR router EIGRP Route Tag

    Hi,
    Wondering if anyone has successfully set a route tag for EIGRP routes?
    What I am trying to achieve here is to set route tag for the summary routes of the connected interfaces and subnets of some other connected interfaces.
    Let's say an ISR router R1 with IOS 15.1(4)M3 has three interfaces running with EIGRP.  
    Interface Gi0/0 
    ip add 172.16.0.1/24
    summary-add 172.16.0.0/16
    Interface Gi0/1 
    ip add 172.16.1.1/24
    summary-add 172.16.0.0/16
    Interface Gi0/2 
    ip add 192.168.2.1/24
    I am having difficulty setting a route tag for summary add 172.16.0.0/16 and 192.168.2.0/24 before they get advertised to another router.
    Any idea please?
    Thanks
    Cedar

    Duplicate posts.  
    Go here:  https://supportforums.cisco.com/discussion/12256521/isr-router-eigrp-route-tag

  • Overwrite dynamic (eigrp) route when external dials into router

    Hi
    I would like to find a way to overwrite a dynamic (eigrp) route with a routing entry pointing to a dialer interface, when someone has dialed into this dialer interface.
    Does any of you know a way this can be done?
    Thanks in advance and kind regards
    Mark

    Thanks for your reply.
    Until now I have heard of reverse route injection only in conjunction with setting up vpn connections. And a quick search doesn't show much. But I keep on searching.
    Maybe I should tell something more about my setup. There are 2 routers (both 2612). On the LAN side they do hsrp. And on the WAN side each of them has 2 BRI interfaces connected to a multi-line-hunting-group for dialin and dialout. On the LAN I do eigrp and so overwrite a static route pointing to the dialer on the second router because of an administrative distance of 200 at the static route.
    When dialing out everything works fine. But when someone dials in to the second router (which is the hsrp standby one) the routing table of this router isn't changed/updated. I had expected something like a "directly connected" event puts a new entry in the routing table pointing to the now connected dialer interface. But this does not happen.
    What I'm looking for is a way how this can be done, so that there is a backward pointing route on the hsrp standby router for the dialed in sides.
    Is there a way to do this?
    Regards
    Mark

  • Eigrp routes

    How would I stop eigrp routes being advertised so that it doesn't keep bringing up my isdn line? What do I put on the access list?

    access-list 100 deny eigrp any any
    access-list 100 permit ip any any
    !--- EIGRP routing packets are denied in the dialer-list.
    !--- This prevents eigrp packets from keeping the link up.
    !--- Adjust the interesting traffic depending on your traffic definitions.
    dialer-list 1 protocol ip list 100
    http://www.cisco.com/en/US/tech/tk713/tk237/technologies_configuration_example09186a00800a3b77.shtml

  • Setting advertisement / split horizon direction in EIGRP routing

    Hello all,
    I am trying to work out if I am being a bit rubbish or if split horizon is my new worst enemy.
    Below is a diagram of my (simplified) problem scenario using EIGRP.
    The solution I am looking for is that Router R3 learns of the 10.0.0.0/8 network from both R1 and R2, then does not advertise it to either. Simple with split horizon enabled.
    But when either R1 or R2 are rebooted, a decision somehow takes place, and may well determine that R3 should advertise 10/8 to the new (rebooted) neighbour, at which point split horizon prevents it from being advertised back again. This means the topology table on R3 doesn't contain this route for this neighbour and is slow to converge if the other neighbour is lost.
    Is there a way to control in which direction routes are advertised first on a neighbour link? and then I can let split horizon do its thing
    Or is there something I am not thinking of...
    many thanks,
    Paul

    This is what i think would work.
    Two assumptions I'm making -
    1)  R1 and R2 have full routes in terms of the remote branch subnets which from what we have talked about seems to be the case.
    2) R1 will advertise the specific subnets it is primary for (see below) to R3 which then advertises them to R2 and R2 will do the same for its primary subnets.
    R1 is primary for 32 - 63 summary address 192.168.32.0 255.255.224.0
    R2 is primary for 64 - 95 summary address 192.168.64.0 255.255.224.0
    Each router is secondary for the other router's primary subnets.
    on R1 configure a summary address for R2's subnets on the interface connecting to R3 -
    ip summary-address eigrp <AS no> 192.168.64.0 255.255.224.0
    on R2 do the same for R1's subnets -
    ip summary-address eigrp <AS no> 192.168.32.0 255.255.224.0
    So now -
    R1 points to R3 and R3 points to R2 for 192.168.32.0/19
    R2 points to R3 and R3 points to R1 for 192.168.64.0/19
    Because you have used a summary address this suppresses the advertisement of the more specific routes within that summary range.
    R1 will therefore advertise its specific subnets for which it is primary to R3 and a summary address only for R2's subnets.
    And R2 does the same, i.e. it advertises its specific subnets and a summary for R1's.
    R3 then obviously passes these summaries via EIGRP to R1 and R2.
    R3's routing table will have specific branch routes pointing to the respective primary router but only a summary route for the same subnets pointing to the secondary router.
    Because a router will always pick the longest match it will use the more specific subnets unless there isn't a matching route.
    Which means no need to use metrics to load balance traffic.
    In addition the summary route is already in the routing table so no need for either R1 or R2 to send a query to R3 if one of their branch links fail.
    I may well have overlooked something so let me know whether you think this will work for you or not.
    Jon

  • Nexus 5548p AND eigrp routing

    Hello all. Do I need a L3 expansion module to run eigrp on the Nexus 5548P? Thanks,

    Yes you do

  • How do you Redistribution EIGRP into OSPF and maintain a distance of 250 for a static route?

    Ok, I have scoured the forums long enough and have to post. The design is below. I moved a firewall to our new data center, which required adding some static routes for VPN connections and broadband backups. To minimize the amount of static routes I redistribute static into EIGRP with a route-map and prefix-list.
    My problem is the next part of my network. When the data leaves my 56128's it hits an edge device connecting to our dark fiber. On this edge device I am running OSPF onto the dark fiber, then redistribute some EIGRP subnets into OSPF and again all is well.
    Everything works up until the point the redistributed routes hit my RIB at my main data center where I am running IBGP. IBGP is run between our MPLS router and core for all our remote sites. When my backup route from the 56128's hits the cores, it supersedes the BGP route because the AD route O E2 [110/20] is lower than the BGP AD B [200/0]. Given the configuration below what can be done to remedy this? Oh, when I redistribute I can only change the AD for the backup routes; all other routes should stay the same.
    56128's where my static routes are:
    ip route 192.168.101.0/24 192.168.30.77 name firewall 250
    router eigrp 65100
       redistribute static route-map Static-To-Eigrp
    route-map Static-To-Eigrp permit 10
       match ip address prefix-list Static2Eigrp
    ip prefix-list Static2Eigrp seq 2 permit 192.168.101.0/24
    Edge device:
    router eigrp 65100
     network 172.18.0.5 0.0.0.0
     network 172.18.0.32 0.0.0.3
     network 172.18.0.36 0.0.0.3
     redistribute ospf 65100 metric 2000000 0 255 1 1500
     redistribute static metric 200000 0 255 1 1500 route-map STATICS_INTO_EIGRP
     passive-interface default
     no passive-interface Port-channel11
     no passive-interface Port-channel12
     eigrp router-id 172.18.0.5
    router ospf 65100
     router-id 172.18.0.5
     log-adjacency-changes
     redistribute eigrp 65100 subnets route-map EIGRP_INTO_OSPF
     passive-interface default
     no passive-interface GigabitEthernet1/0/1
     no passive-interface GigabitEthernet1/0/2
     no passive-interface GigabitEthernet2/0/1
     no passive-interface GigabitEthernet2/0/2
     network 172.18.0.0 0.0.255.255 area 0
    ip prefix-list EIGRP_INTO_OSPF seq 5 permit 172.18.0.0/16 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 10 permit 192.168.94.0/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 15 permit 192.168.26.32/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 20 permit 192.168.30.72/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 25 permit 192.168.20.128/25 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 26 permit 192.168.101.0/24 le 32 <- Backup Route for MPLS Remote Office
    route-map EIGRP_INTO_OSPF permit 10
     match ip address prefix-list EIGRP_INTO_OSPF

    So in the case of a /24. If it were say broken up into /25's? From our remote sites we are using aggregate-address summary-only. Not sure how I would advertise a more specific route via BGP, sorry.
    I didn't have this problem until I moved my firewalls. They plugged into the cores where IBGP was running and the static never kicked in unless the bgp route disappeared. I guess I could use my static redistribution for my VPN sites and use statics across the cores for the handful of backup links I have.
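
An added example, not part of the posts above and not the poster's configuration: a small Python model of route selection showing why the redistributed O E2 route beats the iBGP route for 192.168.101.0/24 at the core, and how more-specific /25s would change that. The same longest-match rule is what the summary-address design in the earlier split-horizon reply relies on. Next-hop labels and the branch /24s are constructed for illustration; the distances are the Cisco IOS defaults.

```python
import ipaddress
from dataclasses import dataclass

# Default Cisco IOS administrative distances for the route sources used here.
AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
      "ospf": 110, "eigrp-ext": 170, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str
    next_hop: str
    distance: int
    metric: int = 0


class Rib:
    """Toy routing table: AD decides between sources for the SAME prefix,
    longest prefix match decides between DIFFERENT prefixes."""

    def __init__(self):
        self._candidates = {}  # prefix -> list of candidate Route objects

    def add(self, prefix, source, next_hop, metric=0, distance=None):
        net = ipaddress.ip_network(prefix)
        ad = AD[source] if distance is None else distance
        self._candidates.setdefault(net, []).append(
            Route(net, source, next_hop, ad, metric))

    def withdraw(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        kept = [r for r in self._candidates.get(net, []) if r.next_hop != next_hop]
        if kept:
            self._candidates[net] = kept
        else:
            self._candidates.pop(net, None)

    def installed(self):
        # Per prefix, only the candidate with the lowest AD (then metric) is installed.
        return {net: min(rs, key=lambda r: (r.distance, r.metric))
                for net, rs in self._candidates.items()}

    def lookup(self, dest):
        # Forwarding uses the longest installed prefix that contains dest.
        addr = ipaddress.ip_address(dest)
        matches = [r for net, r in self.installed().items() if addr in net]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def core_rib(more_specific_bgp=False):
    """RIB at the core. The backup route was a static with AD 250 on the
    56128s, but AD is local to a router and is not carried through
    redistribution, so it arrives here as a plain OSPF E2 route (AD 110)."""
    rib = Rib()
    rib.add("192.168.101.0/24", "ospf", "dark-fiber-edge", metric=20)
    if more_specific_bgp:
        # Hypothetical: the remote site advertises two /25s instead of one /24.
        rib.add("192.168.101.0/25", "ibgp", "mpls-router")
        rib.add("192.168.101.128/25", "ibgp", "mpls-router")
    else:
        rib.add("192.168.101.0/24", "ibgp", "mpls-router")
    return rib


def r3_rib():
    """R3's table in the summary-address design: specifics point to the
    primary router, the /19 summary points to the secondary router."""
    rib = Rib()
    rib.add("192.168.33.0/24", "eigrp", "R1")   # constructed branch subnet, R1 primary
    rib.add("192.168.32.0/19", "eigrp", "R2")   # summary from the secondary
    rib.add("192.168.65.0/24", "eigrp", "R2")   # constructed branch subnet, R2 primary
    rib.add("192.168.64.0/19", "eigrp", "R1")   # summary from the secondary
    return rib


if __name__ == "__main__":
    print("same /24 :", core_rib().lookup("192.168.101.10"))
    print("BGP /25s :", core_rib(True).lookup("192.168.101.10"))
    r3 = r3_rib()
    print("primary  :", r3.lookup("192.168.65.7"))
    r3.withdraw("192.168.65.0/24", "R2")
    print("failover :", r3.lookup("192.168.65.7"))
```
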

  • HSRP EIGRP TWO DEFAULT ROUTES

    Hi,
    I have a question concerning EIGRP routing on a L3 switch behind a HSRP HA pair of routers which connect to a WAN.
    HSRP is operating as should be and when R1 fails, or an interface thereon, R2 becomes the active. All good.
    However there are now two default routes in the route table on the L3 switch. One is routing traffic to the R2 real IP which is expected but also there is the old default route to R1's real IP.
    Using EEM we can overcome this but is there another simpler method to prevent this occurring?
    Thanks
    F

    F
    If I understand correctly your LAN interfaces on the routers, i.e. the ones connecting to the L3 switch, are running HSRP and you are also running EIGRP between the L3 switch and the routers.
    If so you wouldn't usually have both solutions in use ie. you either -
    1) use HSRP and point the default route on the L3 switch to the HSRP VIP
    or
    2) use EIGRP between the routers and the L3 switch. If a router or interface fails it should stop advertising the default route to the L3 switch.
    However that sounds like it is not happening which suggests the default routes are not coming from the WAN.
    So where are the default routes in EIGRP on the L3 switch coming from ?
    Jon

  • Advertise route as OSPF, but I see it as "EIGRP" ?

    Sorry if this is a stupid question but I don't understand well why I am able to see route
    D 152.1.1.4/30 on RouterD.
    Basically the network 152.1.1.4/30 has been advertised via OSPF on RouterC interface. However, that was not advertised there as an EIGRP route...
    How come I am able to see it on RouterD as EIGRP ?
    Please find attached complete run config.
    Please note I am doing one-way redistribution EIGRP->OSPF. Therefore in my view that doesn't justify the EIGRP route for 152.1.1.4/30 on RouterD.
    RouterB so]===[s0 RouterC s01]===[s0 RouterD]
    RouterB s0=152.1.1.5/30
    RouterB S1=152.1.1.6/30
    RouterD S0=152.1.2.2/24
    From RouterD:
    Gateway of last resort is not set
    152.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
    C 152.1.3.0/24 is directly connected, Loopback0
    C 152.1.2.0/24 is directly connected, Serial0/0
    D 152.1.1.4/30 [90/2681856] via 152.1.2.1, 00:01:58, Serial0/0

    Just one correction here.
    network 152.1.1.5 0.0.0.0 area 0 is CORRECT, if the interface IP is 152.1.1.5.
    The main misunderstanding encountered is: the network statement and especially the wildcard mask determine the routing updates sent. Wrong.
    The only purpose the network statement serves in OSPF is to identify the IP interfaces where to send hellos and include the networks with configured mask into routing updates (LSAs).
    So f.e.
    router ospf 10
    network 0.0.0.0 0.0.0.0 area 0
    has nothing to do with a default route. It just means: "Include any active IP interface into OSPF and send hellos." Still configured network/mask would be announced correctly.
    Writing this I would even recommend instead of 0.0.0.0 0.0.0.0 to use
    network 152.1.1.1 0.0.0.0 area 0
    because you will not unintentionally enable OSPF on an interface, where it should not start (f.e. towards ISP).
    Hope this helps! Please rate all posts.
    Regards, Martin

  • BGP redistribution to EIGRP

    Hi all,
    I'm trying to redistribute BGP to EIGRP and vice versa. I am successfully redistributing EIGRP to BGP, but can't get EIGRP routes into BGP.
    Here's my config. Any guidance or assistance would be very much appreciated. 
    router eigrp 100
     network 10.18.72.0 0.0.0.255
     redistribute static route-map DEFAULT_ROUTE
     redistribute bgp 65535
     passive-interface default
     no passive-interface FastEthernet0/0
    !
    router bgp 65535
     bgp router-id 172.18.2.1
     bgp log-neighbor-changes
     redistribute eigrp 100 route-map EIGRP_REDISTRIBUTE
     neighbor 172.18.2.2 remote-as 65535
     neighbor 172.18.2.2 password ciscobgp
     no auto-summary
    ip access-list extended EIGRP_ROUTES_TO_BGP
     permit ip any any
    !
    !
    ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
    !
    route-map EIGRP_REDISTRIBUTE permit 20
     match ip address EIGRP_ROUTES_TO_BGP
    !
    route-map DEFAULT_ROUTE permit 10
     match ip address prefix-list DEFAULT
    Thanks in advance.
    Neil

    Add "bgp redistribute-internal" to your bgp process. By default, iBGP doesn't redistribute into an IGP. The reason for this is simply the amount of routes that a bgp router can receive could overload an igp very easily, so you would definitely want to filter routes out when doing this.
    After you add this, clear your bgp neighbors and you should start seeing routes.
    HTH,
    John
    *** Please rate all useful posts ***

  • (High Ip input) on My router , I need to troubleshoot why CPU is high !!!!

    =================
    I have a cisco router 7200 NPEG2 processor, working as LNS for PPPOVPDN circuits (Router for ADSL clients).
    I have "high ip input on my processor" and there is a lot of difference on my router between operations done by cef and operations done by router cpu.
    As an example, let's do show cpu process sorted:
    CPU utilization for five seconds: 67%/54%; one minute: 67%; five minutes: 68%
     PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process 
      87    10837056    46891299        231  6.31%  6.04%  6.32%   0 IP Input         
     122     4081972    38214106        106  2.47%  2.36%  2.46%   0 L2X Data Daemon  
     270      467844     2089101        223  0.79%  0.78%  0.79%   0 PPP Events       
     275     1862224     2102444        885  0.71%  0.73%  0.71%   0 SNMP ENGINE      
     112      627104       93588       6700  0.39%  0.36%  0.37%   0 CEF: IPv4 proces 
     273      854004     4207368        202  0.31%  0.26%  0.24%   0 IP SNMP          
      52      453256       12321      36787  0.31%  0.31%  0.31%   0 Compute load avg 
     258      295540      701580        421  0.23%  0.17%  0.15%   0 RADIUS           
     142       45792    14107303          3  0.23%  0.21%  0.21%   0 HQF Shaper Backg 
      78       86532      166975        518  0.23%  0.17%  0.13%   0 ACCT Periodic Pr 
     260      483164      248673       1942  0.23%  0.19%  0.24%   0 L2TP mgmt daemon 
     272       63980     1073491         59  0.15%  0.16%  0.15%   0 IPHC Admin       
      77      111560      184597        604  0.15%  0.08%  0.06%   0 AAA ACCT Proc    
     261      330572      217566       1519  0.15%  0.12%  0.15%   0 L2TUN Applicatio 
     274      450584     2102164        214  0.15%  0.15%  0.15%   0 PDU DISPATCHER   
      16      152352     1081873        140  0.07%  0.08%  0.19%   0 EnvMon           
     279      229040       27298       8390  0.07%  0.10%  0.11%   0 VTEMPLATE Backgr 
      40       23704       53593        442  0.07%  0.03%  0.02%   0 Net Background   
      95        4512       55604         81  0.07%  0.00%  0.00%   0 PPP Hooks        
     109        6844       62029        110  0.07%  0.00%  0.00%   0 IP Background    
     269       21384     1931910         11  0.07%  0.06%  0.07%   0 PPP manager      
     271         116       60672          1  0.07%  0.00%  0.00%   0 Multilink PPP    
      23       98400         321     306542  0.00%  0.07%  0.03%   0 AAA high-capacit 
    =====================
    As we see above, we have high "IP Input"; the difference in cpu = 67-54 = 13%, which is a high value for processing in software.
    I followed the article here:
    http://www.cisco.com/c/en/us/support/docs/routers/7500-series-routers/41160-highcpu-ip-input.html
    I checked and found that my router is fine,
    no arp calls.
    no routing loops.
    no flapping links.
    I checked that my router has cef enabled and no enormous routing protocol updates.
    I found that I have a big difference between hardware & software processing on the router, which is 13%,
    but when the traffic is more and more, the cpu reaches 93% and begins to have drops.
    I just want to ask, how can I debug the operations that are done on the cpu processor of the router?
    I mean that if I know that traffic, I can estimate and know the problem that is increasing my cpu!
    Another question:
    how to debug the packets that have a ttl exceeded 50 or ttl exceeded 100?
    I don't want to run debug ip packet, because I have huge traffic and it will make my router hang due to the large debug!
    ===============
    Right now I will post my router config and some verification:
    drvirus#sh running-config 
    Building configuration...
    Current configuration : 12291 bytes
    upgrade fpd auto
    version 12.4
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    no service dhcp
    hostname drvirus
    boot-start-marker
    boot system flash disk2:c7200p-adventerprisek9-mz.124-24.T7.bin
    boot system flash disk2:c7200p-adventerprisek9-mz.124-24.T8.bin
    boot-end-marker
    logging message-counter syslog
    aaa new-model
    aaa group server radius radiusservers
     server-private 10..f.f.f auth-port 1812 acct-port 1813 key 7 weifuhjkefkjdbhfjkasbfjka
    aaa authentication login adminstaff local
    aaa authentication login sdm_vpn_xauth_ml_1 group radius
    aaa authentication login ahmad local
    aaa authentication ppp vpdn group radiusservers local
    aaa authentication ppp drvirus local
    aaa authentication ppp vpdn1 local group radiusservers
    aaa authentication ppp ddd none
    aaa authentication ppp dddd none
    aaa authentication ppp anyok none
    aaa authorization network default group radius local 
    aaa authorization network vpdn group radiusservers local 
    aaa authorization network sdm_vpn_group_ml_1 local 
    aaa authorization network drvirus local 
    aaa authorization network vpdn1 local group radiusservers 
    aaa authorization network ddd none 
    aaa authorization network anyok none 
    aaa accounting delay-start 
    aaa accounting update newinfo periodic 10
    aaa accounting network vpdn
     action-type start-stop
     broadcast
     group radiusservers
    aaa server radius dynamic-author
     client xxxxxxxx
     client 10.xxxxxx
     client 10.xxxxxxxxx
     server-key 7 dihcbsdjkbvcsdhmbvhsdbvsdhmbvsd
     auth-type any
    aaa session-id common
    clock timezone GMT+3 3
    no ip subnet-zero
    no ip source-route
    no ip gratuitous-arps
    ip cef
    no ip bootp server
    ip domain name drvirus
    ip name-server x.x.x.x.x
    ip name-server 8.8.8.8
    login block-for 180 attempts 3 within 60
    login quiet-mode access-class telnet
    login on-failure log
    login on-success log
    no ipv6 cef
    ipv6 dhcp pool vvv
     prefix-delegation pool version6
     address prefix 3333::/64
     dns-server 4444::1
    multilink bundle-name authenticated
    vpdn enable
    vpdn logging
    vpdn logging local
    vpdn history failure table-size 50
    vpdn-group eeeeeeeeeeee
     accept-dialin
      protocol l2tp
      virtual-template 1
     terminate-from hostname qqqqqq
     local name rrrrrrr
     lcp renegotiation on-mismatch
     l2tp tunnel password 7ekfhjjeklfnlenfl
     l2tp tunnel timeout no-session 60
     ip mtu adjust
    username drvirus@!34`!512&$8#$232!^@^FGsdGD privilege 0 password 7 000sdkjhvsdkjvnah94313085g2355091407458E32425D
    interface Loopback1
     ip address ttttttt 255.255.255.255
    interface GigabitEthernet0/1
     description ttttttt
     ip address 10.60.60.2 255.255.255.0 secondary
     ip address 10.200.200.200 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     load-interval 30
     duplex auto
     speed auto
     media-type rj45
     negotiation auto
    interface GigabitEthernet0/1.4
     encapsulation dot1Q 4
     ip address ttttttttt 255.255.255.224
    interface GigabitEthernet0/1.14
     encapsulation dot1Q 14
     ip address 192.168.50.3 255.255.255.0
    interface FastEthernet0/2
     no ip address
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 10.160.150.2 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
     negotiation auto
    interface GigabitEthernet0/3
     description rrrrrrr
     ip address xxxxxxx 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     load-interval 30
     duplex full
     speed 1000
     media-type sfp
     negotiation auto
    interface Virtual-Template1
     ip unnumbered Loopback1
     ip tcp adjust-mss 1412
     no logging event link-status
     peer default ip address pool xxxxx xxxxxx
     ppp mtu adaptive
     ppp authentication pap vpdn1
     ppp authorization vpdn1
     ppp accounting vpdn
    router eigrp 2
     redistribute connected metric 1 2 1 2 1
     passive-interface default
     no passive-interface GigabitEthernet0/1
     network 10.200.200.200 0.0.0.0
     no auto-summary
     eigrp router-id 2.2.2.2
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.200.200.2
    ip route dddddddddd 255.255.255.0 fffffff
    ip route ddddddddd 255.255.255.0 ffffff
    no ip http server
    no ip http secure-server
    ip radius source-interface GigabitEthernet0/2 
    radius-server attribute nas-port format d
    radius-server configure-nas
    radius-server host ddddddddddd auth-port 1812 acct-port 1813 key 7 dddddddddd
    radius-server retransmit 0
    radius-server key 7 dddddddddddddddddd
    radius-server vsa send cisco-nas-port
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    drvirus#sh ip traffic
    IP statistics:
      Rcvd:  92454889 total, 5908020 local destination
             0 format errors, 94 checksum errors, 3789577 bad hop count
             0 unknown protocol, 23360 not a gateway
             0 security failures, 0 bad options, 3730347 with options
      Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
             0 timestamp, 0 extended security, 0 record route
             0 stream ID, 0 strict source route, 3730347 alert, 0 cipso, 0 ump
             0 other
      Frags: 1409002 reassembled, 485 timeouts, 0 couldn't reassemble
             4542214 fragmented, 9089659 fragments, 2659413 couldn't fragment
      Bcast: 6024 received, 0 sent
      Mcast: 56503 received, 31033 sent
      Sent:  15839581 generated, 2407203241 forwarded
      Drop:  23 encapsulation failed, 0 unresolved, 0 no adjacency
             0 no route, 0 unicast RPF, 0 forced drop
             0 options denied
      Drop:  0 packets with source IP address zero
      Drop:  0 packets with internal loop back IP address
             0 physical broadcast
    ICMP statistics:
      Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 4 unreachable
            140579 echo, 33742 echo reply, 0 mask requests, 0 mask replies, 0 quench
            0 parameter, 0 timestamp, 0 timestamp replies, 0 info request, 0 other
            0 irdp solicitations, 0 irdp advertisements
            0 time exceeded, 0 info replies
      Sent: 0 redirects, 3530 unreachable, 33744 echo, 140579 echo reply
            0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 0 timestamp replies
            0 info reply, 46795 time exceeded, 0 parameter problem
            0 irdp solicitations, 0 irdp advertisements
    TCP statistics:
      Rcvd: 19285 total, 0 checksum errors, 7 no port
      Sent: 39402 total
    BGP statistics:
      Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
            0 keepalives, 0 route-refresh, 0 unrecognized
      Sent: 0 total, 0 opens, 0 notifications, 0 updates
            0 keepalives, 0 route-refresh
    IP-EIGRP statistics:
      Rcvd: 39154 total
      Sent: 39275 total
    PIMv2 statistics: Sent/Received
      Total: 0/0, 0 checksum errors, 0 format errors
      Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0,  Hellos: 0/0
      Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
      Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
      Queue drops: 0
      State-Refresh: 0/0
    IGMP statistics: Sent/Received
      Total: 0/0, Format errors: 0/0, Checksum errors: 0/0
      Host Queries: 0/0, Host Reports: 0/0, Host Leaves: 0/0 
      DVMRP: 0/0, PIM: 0/0
      Queue drops: 0
    UDP statistics:
      Rcvd: 5632168 total, 0 checksum errors, 9605 no port
      Sent: 15536481 total, 0 forwarded broadcasts
    OSPF statistics:
      Rcvd: 0 total, 0 checksum errors
            0 hello, 0 database desc, 0 link state req
            0 link state updates, 0 link state acks
      Sent: 0 total
            0 hello, 0 database desc, 0 link state req
            0 link state updates, 0 link state acks
    ARP statistics:
      Rcvd: 36012 requests, 25 replies, 0 reverse, 0 other
      Sent: 3590 requests, 1883 replies (41 proxy), 0 reverse
      Drop due to input queue full: 0
    drvirus#sh interfaces switching 
    GigabitEthernet0/1 ffff
              Throttle count          0
                       Drops         RP      29334         SP          0
                 SPD Flushes       Fast     183378        SSE          0
                 SPD Aggress       Fast          0
                SPD Priority     Inputs     196591      Drops          0
        Protocol  IP                  
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process   50222652 1410586379   38933488 2377282438
                Cache misses          0          -          -          -
                        Fast 2501299905  502401799 1732463443 1178236678
                   Auton/SSE          0          0          0          0
        Protocol  DEC MOP             
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0        104       8008
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  ARP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process      36178    2170680       3643     233084
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  CDP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process       1039     385469       2067     772027
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  Other               
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process       2266     138297       6179     370740
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        NOTE: all counts are cumulative and reset only after a reload.
    Interface FastEthernet0/2 is disabled
    GigabitEthernet0/2 
              Throttle count          0
                       Drops         RP          0         SP          0
                 SPD Flushes       Fast        785        SSE          0
                 SPD Aggress       Fast          0
                SPD Priority     Inputs       1900      Drops          0
        Protocol  IP                  
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process     382927   34296776     382540  106683985
                Cache misses          0          -          -          -
                        Fast        198      31569          0          0
                   Auton/SSE          0          0          0          0
        Protocol  DEC MOP             
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0        104       8008
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  ARP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process       1900     114000       1813     108780
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  CDP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process       1030     378010       1031     378377
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  Other               
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0       6180     370800
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        NOTE: all counts are cumulative and reset only after a reload.
    GigabitEthernet0/3 drvirus
              Throttle count          0
                       Drops         RP         15         SP          0
                 SPD Flushes       Fast      22435        SSE          0
                 SPD Aggress       Fast          0
                SPD Priority     Inputs     194236      Drops          0
        Protocol  IP                  
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process   40507058 2970006619   56462488 1872816742
                Cache misses          0          -          -          -
                        Fast 1758170357  386468928 2449949282 3706868609
                   Auton/SSE          0          0          0          0
        Protocol  DEC MOP             
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0        105       8085
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  ARP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          5        300          7        420
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  CDP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0       1034     379478
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  Other               
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0       6180     370800
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        NOTE: all counts are cumulative and reset only after a reload.
    drvirus#sh ip route summary 
    IP routing table name is Default-IP-Routing-Table(0)
    IP routing table maximum-paths is 32
    Route Source    Networks    Subnets     Overhead    Memory (bytes)
    connected       1           1644        105280      250040
    static          3           0           192         456
    eigrp 2         0           0           0           0
    internal        5                                   5860
    Total           9           1644        105472      256356
    Removing Queue Size 0
    drvirus#sh ip route summary 
    IP routing table name is Default-IP-Routing-Table(0)
    IP routing table maximum-paths is 32
    Route Source    Networks    Subnets     Overhead    Memory (bytes)
    connected       1           1645        105344      250192
    static          3           0           192         456
    eigrp 2         0           0           0           0
    internal        5                                   5860
    Total           9           1645        105536      256508
    Removing Queue Size 0
    drvirus#sh ip route summary 
    IP routing table name is Default-IP-Routing-Table(0)
    IP routing table maximum-paths is 32
    Route Source    Networks    Subnets     Overhead    Memory (bytes)
    connected       1           1645        105344      250192
    static          3           0           192         456
    eigrp 2         0           0           0           0
    internal        5                                   5860
    Total           9           1645        105536      256508
    Removing Queue Size 0
    drvirus#sh ip route summary 
    IP routing table name is Default-IP-Routing-Table(0)
    IP routing table maximum-paths is 32
    Route Source    Networks    Subnets     Overhead    Memory (bytes)
    connected       1           1645        105344      250192
    static          3           0           192         456
    eigrp 2         0           0           0           0
    internal        5                                   5860
    Total           9           1645        105536      256508
    Removing Queue Size 0
    drvirus#
    Any help?

    Can someone determine if:
     122     9166144   120227216         76  3.30%  2.81%  2.42%   0 L2X Data Daemon
    has a relation to my high CPU?
    Here is my CPU process again:
    drvirus#sh processes cpu sorted 
    CPU utilization for five seconds: 69%/51%; one minute: 62%; five minutes: 59%
     PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process 
      87    22165548   147317354        150  7.60%  6.54%  5.74%   0 IP Input         
      16      682988     2637213        258  3.61%  0.70%  0.37%   0 EnvMon           
     122     9166144   120227216         76  3.30%  2.81%  2.42%   0 L2X Data Daemon  
     270      484700     4987094         97  0.76%  0.84%  0.86%   0 PPP Events       
     260      746640      483367       1544  0.30%  0.51%  0.51%   0 L2TP mgmt daemon 
     112     1082540      228491       4737  0.30%  0.31%  0.31%   0 CEF: IPv4 proces 
     190         596         755        789  0.30%  0.02%  0.00%   2 SSH Process      
     279      461184       78909       5844  0.30%  0.39%  0.45%   0 VTEMPLATE Backgr 
      52      954592       29823      32008  0.30%  0.31%  0.31%   0 Compute load avg 
     272       53744     2782461         19  0.23%  0.17%  0.16%   0 IPHC Admin       
     261      513524      428266       1199  0.23%  0.38%  0.37%   0 L2TUN Applicatio 
     142       31888    35627222          0  0.23%  0.19%  0.20%   0 HQF Shaper Backg 
     258      570384     1602872        355  0.15%  0.18%  0.17%   0 RADIUS           
      78       43280      392561        110  0.15%  0.10%  0.08%   0 ACCT Periodic Pr 
     281       52340      385568        135  0.07%  0.08%  0.09%   0 IP-EIGRP: PDM    
      40       37300      138153        269  0.07%  0.09%  0.10%   0 Net Background   
      77      145860      443602        328  0.07%  0.06%  0.07%   0 AAA ACCT Proc    
     110       31060       53876        576  0.07%  0.03%  0.02%   0 IP RIB Update    
      45       11868       52400        226  0.07%  0.01%  0.00%   0 IF-MGR control p 
     115       20164      103667        194  0.07%  0.02%  0.00%   0 PPP IPCP         
     102      181600      489310        371  0.07%  0.14%  0.15%   0 SSM connection m 
     143        3148     1461382          2  0.07%  0.01%  0.00%   0 RBSCP Background 
      80       19488       22128        880  0.07%  0.02%  0.00%   0 CDP Protocol     
      23      189412       10771      17585  0.00%  0.15%  0.04%   0 AAA high-capacit 
      22           0           1          0  0.00%  0.00%  0.00%   0 CEF MIB API      
      21           0           2          0  0.00%  0.00%  0.00%   0 ATM Idle Timer   
      20         376      153594          2  0.00%  0.00%  0.00%   0 ARP Background   
      24           0           2          0  0.00%  0.00%  0.00%   0 AAA_SERVER_DEADT 
      25           0           1          0  0.00%  0.00%  0.00%   0 Policy Manager   
      26        1376       26590         51  0.00%  0.00%  0.00%   0 DDR Timers       
      31           4          30        133  0.00%  0.00%  0.00%   0 EEM ED Syslog    
      27           0           5          0  0.00%  0.00%  0.00%   0 Entity MIB API   
      33         324      147392          2  0.00%  0.00%  0.00%   0 GraphIt          
      34           0           2          0  0.00%  0.00%  0.00%   0 Dialer event     
      28           0           2          0  0.00%  0.00%  0.00%   0 Serial Backgroun 
      36           0           2          0  0.00%  0.00%  0.00%   0 XML Proxy Client 

  • Good CCIE question: Can multiple site-2-site VPNs support dynamic routing protocols?

    Hi All,
    Was not sure if this should be posted in LAN routing, WAN routing or VPN forums: I have posted here as the VPN tunnels are the limiting factors...
    I am trying to understand if it is possible to have dynamic routing between LANs when using site to site VPNs on three or more ASA55x5-x (9.0).
    To best explain the question I have put together an example scenario:
    Let's say we have three sites, which are all connected via separate site-2-site IKEv2 VPNs, in a full mesh topology (6 x SAs).
    Across the whole system there would be a 192.168.0.0/16 subnet which is divided up by VLSM across all sites.
    The inside / outside interfaces of the ASA would be static IPs from a /30 subnet.
    Routing on the outside interface is not of concern in this scenario.
    The inside interface of the ASA connects directly to a router, which further uses VLSM to assign additional subnets.
    VLSM is not cleanly summarised per site. (I know this flies against VLSM best practice, but makes the scenario clearer...)
    New subnets are added and removed at each site on a frequent basis.
    EIGRP will be running on each core router, and any stub routers at each site.
    So this results in the following example topology, of which I have exaggerated the VLSM position:
    (http://www.diagram.ly/?share=#OtprIYuOeKRb3HBV6Qy8CL8ZUE6Bkc2FPg2gKHnzVliaJBhuIG)
    Now, using static route redistribution from the ASAs into EIGRP and making the ASAs to be an EIGRP neighbour, would be one way. This would mean an isolated EIGRP AS per site, but each site would only learn about a new remote subnet if the crypto map match ACL was altered. But the bit that I am confused over, is the potential to have new subnets added or removed which would require EIGRP routing processes on the relevant site X router to be altered as well as crypto map ACLs being altered at all sites. This doesn't seem a sensible approach...
    The second method could be to have the 192.168.0.0/16 network defined in the crypto map on all tunnels and allow the ASA's routing table to choose which tunnel to send the traffic over. This would require multiple neighbours for the ASA, but for example in OSPF, it can only support one neighbour over a S2S VPN when manually defined (point-to-point). The only way round this I can see is to share our internal routing tables with the IP cloud, but this then discloses information that would be otherwise protected by the IPSEC tunnel...
    Is there a better method to propagate the routing information dynamically around the example scenario above?
    Is there a way to have dynamic crypto maps based on router information?
    P.S. Diagram above produced via http://www.diagram.ly/

    Hi Guys,
    Thanks for your responses!  I am learning here, hence the post.
    David: I had looked into the potential for GRE tunnels, but the side-effects could outweigh the benefits.  The link provided shows how to pass IKEv1 and ISAKMP traffic through the ASA.  In my example (maybe not too clear?) the IPSEC traffic would be terminated on the ASA and not the core router behind.
    Marcin: Was looking at OSPF, but is that not limited to one neighbour, due to the "ospf network point-to-point non-broadcast" command in the example (needed to force the unicast over the IPSEC tunnel)? Have had a look in the ASA CLI 9.0 config guide and it is still limited to one neighbour per interface when in point-to-point:
    ospf network point-to-point non-broadcast: Specifies the interface as a point-to-point, non-broadcast network. When you designate an interface as point-to-point and non-broadcast, you must manually define the OSPF neighbor; dynamic neighbor discovery is not possible. See the "Defining Static OSPFv2 Neighbors" section for more information. Additionally, you can only define one OSPF neighbor on that interface.
    Otherwise I would agree it would be happy days...
    Any other ideas (maybe around iBGPs like OSPF) which do not involve GRE tunnels or terminating the IPSEC on the core router please?
    Kindest Regards,
    James.

  • Multiple Autonomous Systems using EIGRP Named Mode

    I have an EIGRP network that has multiple AS numbers. Let's say they are AS 200 and 201. AS 200 exists only in the default VRF and AS 201 exists in both the default VRF as well as a dedicated server VRF. I need to configure both AS numbers to run concurrently on our core 6500 switch.
    With the older way to configure EIGRP I would just create 2 EIGRP instances as follows:
    router eigrp 200
    router eigrp 201
    With named mode, would I create 1 or 2 named instances for EIGRP? And would every address family need a separate router-id or can both AS numbers in the default VRF share a router ID?
    Example 1: 1 named mode instance
    router eigrp named1
     address-family ipv4 unicast autonomous-system 200
      af-interface default
       passive-interface
      exit-af-interface
      network 10.10.0.0 0.0.255.255
      eigrp router-id 10.1.1.1
     address-family ipv4 unicast autonomous-system 201
      af-interface default
       passive-interface
      exit-af-interface
      network 10.20.0.0 0.0.255.255
      eigrp router-id 10.1.1.1
     address-family ipv4 unicast vrf server autonomous-system 201
      af-interface default
       passive-interface
      exit-af-interface
      network 10.30.0.0 0.0.255.255
      eigrp router-id 10.3.1.1
    Example 2: 2 named mode instances
    router eigrp named1
     address-family ipv4 unicast autonomous-system 200
      af-interface default
       passive-interface
      exit-af-interface
      network 10.10.0.0 0.0.255.255
      eigrp router-id 10.1.1.1
    router eigrp named2
     address-family ipv4 unicast autonomous-system 201
      af-interface default
       passive-interface
      exit-af-interface
      network 10.20.0.0 0.0.255.255
      eigrp router-id 10.1.1.1
     address-family ipv4 unicast vrf server autonomous-system 201
      af-interface default
       passive-interface
      exit-af-interface
      network 10.30.0.0 0.0.255.255
      eigrp router-id 10.3.1.1
    Any Thoughts? Any help would be appreciated.
    Ben

    Hi Ben,
    Personally, I do not see a significant difference between the two options you have, i.e. having multiple per-VRF EIGRP processes under a single router eigrp instance-name, as opposed to having a separate instance for each VRF. Recall that even in classic numbered configuration mode, you can have multiple per-VRF processes configured under a single numbered EIGRP instance so there is really no specific difference here.
    That being said, I think that you would like the second option better, that is, having a separate EIGRP named mode section for each VRF. In fact, I have found it confusing in the numbered mode to have several VRFs grouped under a single numbered instance whose autonomous system number did not even relate in any way to the autonomous system number in the per-VRF processes.
    Regarding the uniqueness of Router IDs - that's a good question. In EIGRP, the Router ID is used to prevent a router from processing information originated by itself, possibly causing a routing loop. I have always found this explanation somewhat strange, as EIGRP has different mechanisms for loop prevention, and I could never come up with an example where this mechanism would actually be useful. In any case, in newer EIGRP implementations, the RID is attached to each internal and external route as it is advertised throughout the EIGRP domain. This has two important consequences:
    - By looking at the show ip eigrp topology X.X.X.X/M.M.M.M output, you can always find out which router originates that particular network.
    - If a router receives an update about a network marked with its own RID, it will ignore the update.
    If your network and your VRFs are intended to remain perfectly isolated at all times, i.e. no routes from a VRF will ever be advertised across the network so that they leak from one VRF to another, or between a global routing table and a VRF, then a single router can use the same RID in all its EIGRP processes, both in the global table and in a VRF. However, if there is an intended possibility of a route existing in one VRF being advertised over a series of routers and being intentionally received by the same router in a different VRF, then using the same RID in multiple EIGRP processes on that router would prevent it from accepting the update. In such a case, you would need to use a unique RID for each VRF process.
    I hope this helps - please feel welcome to ask further!
    Best regards,
    Peter
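
The router-ID point in the answer above can be checked mechanically before a change is pushed. The following is an added example, not part of the thread and not Cisco code: it parses a named-mode configuration (a constructed copy of the single-instance layout from the question) and reports which EIGRP processes share a RID; `accepts_update` is a simplified model of the own-RID rule the answer describes, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the single-instance layout from the question above.
SAMPLE_CONFIG = """\
router eigrp named1
 address-family ipv4 unicast autonomous-system 200
  af-interface default
   passive-interface
  exit-af-interface
  network 10.10.0.0 0.0.255.255
  eigrp router-id 10.1.1.1
 address-family ipv4 unicast autonomous-system 201
  af-interface default
   passive-interface
  exit-af-interface
  network 10.20.0.0 0.0.255.255
  eigrp router-id 10.1.1.1
 address-family ipv4 unicast vrf server autonomous-system 201
  af-interface default
   passive-interface
  exit-af-interface
  network 10.30.0.0 0.0.255.255
  eigrp router-id 10.3.1.1
"""

AF_RE = re.compile(
    r"address-family\s+(ipv4|ipv6)\s+(?:unicast\s+|multicast\s+)?"
    r"(?:vrf\s+(\S+)\s+)?autonomous-system\s+(\d+)"
)

def parse_processes(config):
    """Return one dict per address-family: instance, vrf, asn, rid."""
    processes, instance, current = [], None, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate inconsistent indentation
        if line.startswith("router eigrp "):
            instance, current = line.split()[2], None
        elif (m := AF_RE.match(line)) and instance:
            current = {"instance": instance, "vrf": m.group(2) or "global",
                       "asn": int(m.group(3)), "rid": None}
            processes.append(current)
        elif line.startswith("eigrp router-id ") and current is not None:
            current["rid"] = line.split()[2]
    return processes

def accepts_update(process, originator_rid):
    """Simplified model of the rule in the answer: ignore updates carrying our own RID."""
    return process["rid"] != originator_rid

def shared_rid_report(processes):
    """Group processes by RID; keep only RIDs used by more than one process."""
    by_rid = defaultdict(list)
    for p in processes:
        if p["rid"]:
            by_rid[p["rid"]].append((p["vrf"], p["asn"]))
    return {rid: procs for rid, procs in by_rid.items() if len(procs) > 1}

if __name__ == "__main__":
    procs = parse_processes(SAMPLE_CONFIG)
    for rid, members in shared_rid_report(procs).items():
        print(f"RID {rid} shared by {members}: routes leaked between them are ignored")
```

A shared RID is only a finding when routes are expected to travel from one of the listed processes into another; for fully isolated VRFs the report is informational.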
