Hi Tarik,
The route is not re-learned. When you create a summary in EIGRP you will have a route pointing to Null 0 installed in the routing table with an AD of 5. If you shut both the outside interfaces then you will have the below output. It's obvious that packets to the outside will be dropped anyhow when there are no connections to the outside. In this case the Null 0 route is dropping everything. Pretty much the same. The scenario is designed for when one of the two outside interfaces is shut down, not for both/all.

Samarth Chidanand
Sr Instructor / Developer – IPexpert
CCIE #18535 (R&S, Security)
CCSI #34585

From: Tarik Admani [mailto:[email protected]]
Sent: Thursday, May 23, 2013 9:02 AM
To: Samarth Chidanand; [email protected]
Subject: Re: [OSL | CCIE_Security] WorkBook 1 Task4 point 5

Samarth,

I went ahead and ran through this scenario and wanted to confirm my understanding. The summary address is configured on the inside interface which sends the summary address outbound but then specifies the AD to 250 if this route is relearned when both default routes become unreachable, hence loop prevention kicks in.

So in my scenario I shut both outside interfaces and when I issue a show route on the ASA here are the results I see for the null route:

ASA-003fw# sho rout
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

D    1.1.1.0 255.255.255.0 [90/130816] via 192.168.103.1, 0:02:34, INSIDE
C    10.1.1.0 255.255.255.0 is directly connected, Dmzserver
C    192.168.203.0 255.255.255.0 is directly connected, dmz1
D    11.11.11.11 255.255.255.255 [90/130816] via 192.168.103.1, 0:02:34, INSIDE
D    11.11.11.23 255.255.255.255 [90/130816] via 192.168.103.1, 0:02:34, INSIDE
C    192.168.103.0 255.255.255.0 is directly connected, INSIDE
D    192.168.100.0 255.255.255.0 [90/28416] via 192.168.103.1, 0:02:34, INSIDE
D*   0.0.0.0 0.0.0.0 is a summary, 0:00:12, Null0

ASA-003fw# show eigrp topology 0.0.0.0
EIGRP-IPv4 (AS 111): Topology Default-IP-Routing-Table(0) entry for 0.0.0.0 0.0.0.0
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2816
  Routing Descriptor Blocks:
  0.0.0.0 (Null0), from 0.0.0.0, Send flag is 0x0
      Composite metric is (2816/0), Route is Internal
      Vector metric:
        Minimum bandwidth is 1000000 Kbit
        Total delay is 10 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 0
        Exterior flag is set

I do not see the AD for this route.

Thanks,

_____

From: Samarth Chidanand <[email protected]>
To: 'Tarik Admani' <[email protected]>; [email protected]
Sent: Monday, May 20, 2013 10:58 PM
Subject: RE: [OSL | CCIE_Security] WorkBook 1 Task4 point 5

Hi Tarik,

When installed in the routing table you can see the admin distance.

Samarth Chidanand
Sr Instructor / Developer – IPexpert
CCIE #18535 (R&S, Security)
CCSI #34585

From: [email protected] [mailto:[email protected]] On Behalf Of Tarik Admani
Sent: Tuesday, May 21, 2013 7:21 AM
To: [email protected]
Subject: [OSL | CCIE_Security] WorkBook 1 Task4 point 5

Sam,

I also took a look at this section and wanted to make sure my understanding is correct. If I add the summary route to the interface then remove both floating static routes, then I am left with the null default route; however, I do not see the administrative distance on the ASA when I issue a show route. I wanted to know whether one could verify the AD of the summary route by looking in the routing table, or is the interface command for the summary address the only way to make sure?

Thanks,

You do not need prefix list.

interface GigabitEthernet0/1
 authentication key eigrp 111 CISC0I123 key-id 10
 authentication mode eigrp 111 md5
 summary-address eigrp 111 0.0.0.0 0.0.0.0 250

The NULL route is similar to a discard route and is locally significant on the router that advertises the EIGRP default route or uses a summary address in EIGRP. Here we are referring to the AD of the NULL route and not the AD of the advertised route which R1 receives. See below: R1 has the default route but the AD is the default of 90. Hence what we are talking about is the AD of the NULL route generated when the summary-address command is used on the ASA, which is locally significant.

R1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.103.10 to network 0.0.0.0

D*    0.0.0.0/0 [90/28416] via 192.168.103.10, 00:17:44, FastEthernet0/0

Samarth Chidanand
Sr Instructor / Developer - IPexpert
CCIE #18535 (R&S, Security)
CCSI #34585

From: ccie_security-bounces at onlinestudylist.com [mailto:ccie_security-bounces at onlinestudylist.com] On Behalf Of Mike Rojas
Sent: Saturday, April 13, 2013 4:29 AM
To: ccie_security at onlinestudylist.com
Subject: [OSL | CCIE_Security] WorkBook 1 Task4 point 5

Hi,

I do have some questions in regards to that specific point. It says that I need to send the default route to Router 1 (Which I already did to practice prefix lists :)) but it also says that change the distance of the null route to 250 and that is where I get confused. Is the null route the default route? Also, is that route the same one that it is being advertised? I saw that I can change the distance, but only for routes inserted on our routing table. Was looking also for the DSG of Workbook 1 but it seems like it is not finished already.

Thanks,

Mike.
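
The check discussed in this thread, as an added example that is not part of the original messages: the ASA route table prints the Null0 summary without an [AD/metric] pair, so the script pairs each such entry with the distance configured on the `summary-address` line (5 when none is given). The regular expressions assume the line layout shown in the quoted output; the function names are illustrative.

```python
import re

IP = r"\d+\.\d+\.\d+\.\d+"
# Learned route: carries an [AD/metric] pair.
LEARNED = re.compile(rf"^(\S+)\s+({IP}) ({IP}) \[(\d+)/(\d+)\] via ({IP}),")
# Locally generated summary: no [AD/metric] pair is printed.
SUMMARY = re.compile(rf"^(\S+)\s+({IP}) ({IP}) is a summary, \S+, Null0")
# summary-address eigrp <as> <network> <mask> [distance]
SUMMARY_CFG = re.compile(rf"^\s*summary-address eigrp \d+ ({IP}) ({IP})(?: (\d+))?\s*$", re.M)
DEFAULT_SUMMARY_AD = 5  # AD of the Null0 summary when no distance is configured

def parse_routes(show_route):
    """Return one dict per route line; 'ad' is None when the table omits it."""
    routes = []
    for line in show_route.splitlines():
        line = line.strip()
        if m := LEARNED.match(line):
            routes.append({"code": m[1], "net": m[2], "mask": m[3],
                           "ad": int(m[4]), "via": m[6]})
        elif m := SUMMARY.match(line):
            routes.append({"code": m[1], "net": m[2], "mask": m[3],
                           "ad": None, "via": "Null0"})
    return routes

def configured_summary_ads(config):
    """Map (network, mask) -> AD set by summary-address, defaulting to 5."""
    return {(net, mask): int(ad) if ad else DEFAULT_SUMMARY_AD
            for net, mask, ad in SUMMARY_CFG.findall(config)}

def null_route_report(show_route, config):
    """For each Null0 summary in the table, pair it with the AD from config."""
    cfg = configured_summary_ads(config)
    return [(r["net"], r["mask"], r["ad"], cfg.get((r["net"], r["mask"])))
            for r in parse_routes(show_route) if r["via"] == "Null0"]

# Sample input: lines taken from the ASA output and config quoted in the thread.
SHOW_ROUTE = """\
D 1.1.1.0 255.255.255.0 [90/130816] via 192.168.103.1, 0:02:34, INSIDE
C 192.168.103.0 255.255.255.0 is directly connected, INSIDE
D* 0.0.0.0 0.0.0.0 is a summary, 0:00:12, Null0
"""
CONFIG = """\
interface GigabitEthernet0/1
 summary-address eigrp 111 0.0.0.0 0.0.0.0 250
"""

if __name__ == "__main__":
    for net, mask, table_ad, cfg_ad in null_route_report(SHOW_ROUTE, CONFIG):
        print(f"{net} {mask} -> Null0: AD in table={table_ad}, AD in config={cfg_ad}")
```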
