Running EIGRP in PIX: What’s the Workaround?

Q: We have a network which connects to the ISP with an E-1 for Internet and, at the same time, connects to a satellite link (different ISP) which we use as a backup to the Internet. I want to install a PIX firewall (535) for this network and we are running EIGRP. Almost all reference materials show how to configure PIX to work with a default route in the gateway router. Since PIX does not support multicast, is there any workaround method to run EIGRP in PIX? (My requirement is to switch to the satellite link when the E-1 is down.)

Answer: Plain and simple, the PIX does not support EIGRP. You can run RIP, OSPF or static routing.

You can specify static routes with different metrics so that if one is unavailable (ARP timeout) then it will switch over to the other one. You may have to play with some timers for really good convergence time, though.

I suppose the first question I would have for you is: If you are using these for Internet connections, you are really just concerned with the 0.0.0.0/0 route, correct?

If the answer is yes, then simply run EIGRP on the inside portion of your network, and get all of the benefits and simplicity that you have come to love.

On the outside of your PIX (so, PIX, E-1 router and satellite router) run RIP or OSPF. Because all you’re looking for is a simple preference for which way to go out in case of failure, the configuration can be very basic and very simple.

With OSPF, you have more controls and faster convergence time. Knowing a little bit (or assuming a little bit) about your network design here, what I would do is generate a default route from your satellite router first using OSPF. On the off chance that the satellite router is a proprietary box whose configuration is not easy to manipulate in detail, that is where I'd start.

Everyone on the outside of your PIX should learn the 0.0.0.0/0 route at this point. Look at the metric associated with it, whatever it may be by default. Then go to your Cisco router with the E-1 and create a default route, as well.

We can even go a step further here and generate a conditional default route. Let’s assume that the satellite router generated its default route with a metric of 20.

On the Cisco router, let’s assume that 10.4.4.4/30 is your E-1’s link address to the Internet. (Assumptions are good to get us started since I don’t know all the details of your configuration.)

Config (Cisco IOS, on the E-1 router):

    ! The E-1 link prefix; wildcard 0.0.0.3 covers the /30
    access-list 10 permit 10.4.4.4 0.0.0.3
    !
    ! The route-map is satisfied only while a route matching ACL 10 is in the table
    route-map ConditionE1 permit 10
     match ip address 10
    !
    router ospf 1
     default-information originate always metric 10 route-map ConditionE1

With this configuration, you will originate a default route into OSPF as long as the route in ACL 10 exists (the E-1 link). If the E-1 goes down, that route will disappear from your routing table and, thus, the 0.0.0.0/0 route will disappear from OSPF.

The fact that we set a metric of 10 here makes it better than the metric of 20 from your satellite router. But at the same time, if the metric 10 disappears, 20 will still exist. Your PIX is simply learning from OSPF, so it’s getting the best of all worlds at this point.
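The following is an added example, not part of the original post: a small Python simulation of the failover logic just described. It applies Cisco standard-ACL wildcard semantics to decide whether the E-1 router's conditional default route is originated, models the satellite router's unconditional default at metric 20, and shows which default the PIX installs as the E-1 link route comes and goes. The routing tables, hostnames and the satellite metric are constructed assumptions.

```python
"""Simulation of conditional default-route origination and OSPF E2 route
selection for the two-ISP PIX design (added example; routing tables,
hostnames and metrics are constructed, not taken from a real network)."""
import ipaddress

# access-list 10 permit 10.4.4.4 0.0.0.3  (the E-1 link /30)
E1_ACL = ("10.4.4.4", "0.0.0.3")
E1_DEFAULT_METRIC = 10


def acl_matches(acl_addr: str, wildcard: str, prefix: str) -> bool:
    """Cisco standard-ACL semantics: a wildcard bit of 1 means 'don't care'.

    The route's network address is compared with the ACL address on every
    bit where the wildcard bit is 0; the prefix length itself is not tested,
    which is how a standard ACL behaves inside a route-map."""
    a = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    net = int(ipaddress.IPv4Network(prefix, strict=False).network_address)
    care = ~w & 0xFFFFFFFF
    return (a & care) == (net & care)


def e1_originates_default(routing_table) -> bool:
    """'default-information originate always metric 10 route-map ConditionE1':
    the default is injected only while some route in the table matches ACL 10."""
    return any(acl_matches(*E1_ACL, prefix) for prefix in routing_table)


def ospf_defaults(e1_table, satellite_metric: int = 20) -> dict:
    """Type-5 LSAs for 0.0.0.0/0 visible on the outside segment, as
    {originator: metric}.  Both are E2 routes, so the PIX compares the
    advertised metric directly."""
    lsas = {"satellite-router": satellite_metric}  # plain 'always', no condition
    if e1_originates_default(e1_table):
        lsas["e1-router"] = E1_DEFAULT_METRIC
    return lsas


def pix_default_gateway(e1_table, satellite_metric: int = 20) -> str:
    """The default the PIX installs: the one with the lowest E2 metric."""
    lsas = ospf_defaults(e1_table, satellite_metric)
    return min(lsas, key=lsas.get)


# Constructed routing tables for the E-1 router.
E1_UP = ["10.4.4.4/30", "192.0.2.0/24"]   # E-1 connected route present
E1_DOWN = ["192.0.2.0/24"]                # E-1 interface down, /30 withdrawn

if __name__ == "__main__":
    for label, table in (("E-1 up", E1_UP), ("E-1 down", E1_DOWN), ("E-1 back", E1_UP)):
        print(f"{label:9s} defaults seen: {ospf_defaults(table)}"
              f"  -> PIX uses {pix_default_gateway(table)}")
```

Running the block walks through the up/down/up sequence and shows the PIX moving from the E-1 router to the satellite router and back purely on the presence or absence of the conditional default. Note that a standard ACL in a route-map matches on network address only, so any route inside 10.4.4.4/30 (a host route, for example) would also satisfy the condition; if you need the condition tied to that exact /30, use a prefix-list instead.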

Without getting into too many other details of your configuration, I’d say this would be a nice way to dynamically give yourself some failover within the confines of protocols that actually exist on the PIX.

Hope that helps :)
