[c-nsp] ASA / EIGRP / Redundant Interfaces

Jason Link Jason.Link at whgroup.com
Thu Apr 30 12:39:10 EDT 2009


Unfortunately, EIGRP on the ASA doesn't appear to support the max-paths
command.

Both physical interfaces are in the same VLAN, connected to different
switches that are trunked together...and I understand that only one
switchport "should" be active, and it is shown as such when doing a "sh
int redun1 detail", but it appears to be learning (and using) routes
from both routers that are on the VLAN.

Additionally, I'm not sure HSRP would help me in a situation like this,
since the way I understand it the ASA will still learn both routers'
"real" IP addresses and will form a neighbor relationship with each one.  I
would like to avoid calling out the neighbor specifically, if I can help it.

Maybe I could play around with the RSTP priority on the particular
switch uplink ports to make it so that one of the ports is blocking -
that way if a switch dies, that port will stop blocking and then
converge.  It may take a little longer, but I believe the end result
would be the same...but I'm not sure this is any better than calling out
the neighbor specifically (the HSRP address).

-----Original Message-----
From: Peter Rathlev [mailto:peter at rathlev.dk] 
Sent: Thursday, April 30, 2009 2:23 AM
To: Jason Link
Cc: Cisco-nsp
Subject: Re: [c-nsp] ASA / EIGRP / Redundant Interfaces

On Wed, 2009-04-29 at 14:57 -0500, Jason Link wrote:
> With an ASA running a redundant physical interface pair for the Inside
> interface, each link connected to a separate switch which is connected
> to a separate router, and everything running EIGRP, I get multiple
> routes (2) to the same destination subnet, one for each of the connected
> routers.  This is obviously causing problems, and I can't seem to find a
> way to resolve it.  Setting delay on the physical interfaces doesn't
> seem to take effect, and there is no variance sub-command so I can't
> just force one route.  This needs to function in a redundant situation,
> as in if I lose a router or switch everything will continue to function
> (hence the redundant interface).  I tried google and cisco and found
> nothing of any significance...anyone got any ideas?

AFAIK the "standard" way of doing this would be a shared VLAN on the
inside and then HSRP or similar on the routers. Any reason for not doing
that?

Regards,
Peter
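
Added example (not from either message in this thread): what the shared
inside VLAN design Peter describes looks like in configuration, with one
piece the thread does not mention, an EIGRP offset-list on the secondary
router so that the ASA receives that router's copy of every prefix with a
worse metric and installs only the primary's. All addresses, interface
names and the AS number are made up; the ASA syntax is the 8.x
"router eigrp" / "neighbor ... interface" form, and the behaviour of the
static neighbor statements (unicast hellos, no multicast peering on that
interface) is assumed to match IOS.

```cisco
! ---- R1 (primary): shared inside VLAN, HSRP VIP for statically routed hosts
interface GigabitEthernet0/1
 description Inside VLAN (shared with R2 and the ASA)
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track GigabitEthernet0/0 20
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.0.0.0 0.255.255.255

! ---- R2 (secondary): same VLAN, lower HSRP priority, plus an offset so the
! ASA prefers R1's copy of every prefix it hears on this VLAN
interface GigabitEthernet0/1
 description Inside VLAN (shared with R1 and the ASA)
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 100
 standby 1 preempt
!
ip access-list standard ALL-PREFIXES
 permit any
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.0.0.0 0.255.255.255
 ! Add 2560 to the metric of everything advertised out toward the ASA.
 ! The ASA then sees two copies of each prefix with unequal metrics and,
 ! with no variance, installs only the successor (R1).
 offset-list ALL-PREFIXES out 2560 GigabitEthernet0/1

! ---- ASA: redundant inside interface, one member to each switch
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shutdown
!
router eigrp 100
 network 10.1.1.0 255.255.255.0
 ! Optional (assumed to behave as on IOS): pin the adjacencies to the two
 ! routers' real addresses so a stray EIGRP speaker on the VLAN cannot peer.
 neighbor 10.1.1.2 interface inside
 neighbor 10.1.1.3 interface inside
```

Two things to check after applying this. First, "show eigrp topology" on
the ASA should list one successor per prefix via 10.1.1.2; whether R2 also
shows up as a feasible successor depends on how R2's offset metric compares
with the feasible distance through the ASA's own inside interface, and if
it does not qualify the ASA will still converge on R1's failure, just via a
query rather than an immediate switch. Second, the HSRP VIP (10.1.1.1) is
only useful to hosts and devices with a static default on that VLAN; as
noted above, the ASA's EIGRP adjacencies are still formed to the routers'
real addresses, so HSRP on its own does nothing about the two-route
problem.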