Making ACI Configurations Consistent
One of my customers needed to quickly convert his core 6500 switches over to Nexus 7700 switches at two main sites connected by a Comcast ENS service as the primary link. The sites are also connected with an MPLS service as a backup path.
In the first project phase, the plan was to try to just move what was currently configured on the old cores over to the new core devices. Since this was mainly a switched environment, this seemed like a reasonable plan. He was planning to move one site at a time.
The old core routing configuration had grown organically over several years. There was definitely some outdated configuration that could be cleaned up, but optimizing the routing was deferred to Phase 2. I did discuss with the customer that they appeared to have too many static routes, and were redistributing them on all four cores without any route-maps or distribute-lists to control them — not a recommended practice.
One function the customer wanted to migrate was supporting the voice gateway loopbacks. At each location, the customer had loopbacks on two voice gateway routers that he wanted to use to establish tie-lines with the other location. He wanted the traffic to the voice gateway (VG) loopbacks to go across the MPLS ‘backup’ path. On the old 6500s, he had been using static routes at each site to point to the remote voice gateway loopbacks via the local managed MPLS customer edge (CE) router. These routes were redistributed into the EIGRP routing process.
The old running configuration at each site included the following key elements:
After the migration of one side, the MPLS backup path was just performing as a backup path. The SP managed CE router was running EIGRP with his Core2 routers, and BGP across the MPLS. The appropriate tagging and route-maps appeared to be in place on the CE for the redistribution of the EIGRP routes into BGP at one site, and then back into EIGRP at the other site. The MPLS routers were announcing the remote voice gateway loopbacks as routes with an administrative distance of 170.
We discussed what his VG goal was — he wanted to use his MPLS links for the traffic to the VG loopbacks most of the time, and as a backup link when needed.
The customer had been using the distance command in the EIGRP routing process to increase the administrative distance of the remote loopbacks to 171. This technique was successful in allowing him to send just the voice gateway traffic across the backup MPLS links.
We talked about the differences between EIGRP on NX-OS and on IOS: NX-OS does not support redistribution of static routes without a route map, and it does not support the distance command in the EIGRP routing process. On NX-OS the routing process is typically enabled on each interface, not with a network statement.
Initial Table-Map Solution
I initially thought we could replace/recreate the 6500’s EIGRP distance command using prefix-lists, route-maps, and table-maps. We decided that he did not need static routes on all his core routers pointing to the remote gateways.
To follow his previous EIGRP distance configuration, I came up with the following configuration using NX-OS table-maps:
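The table-map mechanics described above, as an added example that is not the customer's configuration and was not written by the author of this post. The EIGRP instance tag CORE, the interface, the prefix-list and route-map names, and all addresses are assumed placeholders; the remote voice gateway loopbacks are constructed /32s. The same block also shows the two NX-OS differences mentioned earlier: static routes are redistributed only through a route-map, and EIGRP is enabled per interface.

```text
! Added example, not the customer's configuration. Names, addresses and the
! EIGRP instance tag "CORE" are assumed placeholders.
!
! 1. Remote voice gateway (VG) loopbacks at the other site (constructed /32s).
ip prefix-list REMOTE-VG-LOOPBACKS seq 10 permit 10.2.255.1/32
ip prefix-list REMOTE-VG-LOOPBACKS seq 20 permit 10.2.255.2/32
!
! 2. Route-map used as a table-map: when EIGRP installs these prefixes into
!    the RIB, raise their administrative distance to 171, one above the
!    external (AD 170) routes the managed MPLS CE announces. Everything
!    else is installed unchanged (sequence 20 matches nothing, permits all).
route-map VG-DISTANCE permit 10
  match ip address prefix-list REMOTE-VG-LOOPBACKS
  set distance 171
route-map VG-DISTANCE permit 20
!
! 3. NX-OS will not redistribute statics without a route-map; this one
!    permits only an explicitly listed static (constructed prefix) instead
!    of the uncontrolled "redistribute everything" the old cores did.
ip prefix-list STATIC-TO-EIGRP seq 10 permit 10.9.0.0/24
route-map STATIC-TO-EIGRP permit 10
  match ip address prefix-list STATIC-TO-EIGRP
!
router eigrp CORE
  router-id 10.0.0.1
  table-map VG-DISTANCE
  redistribute static route-map STATIC-TO-EIGRP
!
! 4. EIGRP is enabled on the interface, not with a network statement.
interface Ethernet1/1
  description Comcast ENS to remote site
  ip address 10.255.0.1/30
  ip router eigrp CORE
```

Note that a table-map changes only the distance at which this switch installs the route into its own RIB; it does not alter what is advertised to peers, so every core that should prefer the MPLS-learned path needs the same table-map. `show ip route 10.2.255.1/32` on the switch shows the resulting distance.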
A Simpler Solution
After writing up the table-map solution, I realized that a much simpler solution could be implemented. Instead of trying to do the ‘NX-OS’ way of implementing distances in the EIGRP routing process, we could instead recreate the intent.
We could use an EIGRP summary address with a higher distance for the two voice gateway IPs on the ENS interface of the Core1-7Ks. The command will announce a summary route for the two local VG loopbacks to each Core1-7K’s peers. We could then accomplish the customer’s intent with a simplified configuration.
The remote EIGRP peer will learn a higher distance, less specific route, and so it will prefer the MPLS path for traffic.
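The summary-address approach described above, as an added example that is not the customer's configuration and was not written by the author of this post. The EIGRP instance tag CORE, the interfaces, and all addresses are assumed placeholders; the two local VG loopbacks are constructed /32s chosen so that a single /30 covers them.

```text
! Added example, not the customer's configuration. Names, addresses and the
! EIGRP instance tag "CORE" are assumed placeholders.
!
! Local voice gateway loopbacks at this site (constructed): 10.1.255.1/32
! and 10.1.255.2/32. The summary 10.1.255.0/30 covers both.
!
! On each Core1-7K, only on the ENS-facing interface: advertise one summary
! covering the two local VG loopbacks, with administrative distance 171.
! The component /32s are suppressed on this interface, so the remote peer
! learns just the /30 over ENS, while the exact /32s still arrive there as
! EIGRP external routes (AD 170) redistributed by the managed MPLS CE.
! Longest match, and then distance, send VG traffic over MPLS; the summary
! carries it only when the MPLS-learned /32s disappear.
interface Ethernet1/1
  description Comcast ENS to remote site
  ip address 10.255.0.1/30
  ip router eigrp CORE
  ip summary-address eigrp CORE 10.1.255.0/30 171
!
! The link to the local Core2 (which peers with the managed MPLS CE) is left
! unsummarized, so the /32s flow normally toward the CE.
interface Ethernet1/2
  description To local Core2
  ip address 10.255.1.1/30
  ip router eigrp CORE
```

To confirm the intent on the remote Core1-7K, `show ip eigrp topology` should list the /32s via the CE-facing path and the /30 via the ENS peer, and `show ip route` should show the /32s installed with distance 170.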
In the end, we did not use table-maps on the Cisco Nexus. We agreed that the simple solution is best in this scenario.
I felt it was an interesting exercise looking at EIGRP distance manipulation in NX-OS vs. IOS routing processes.
Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.
Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.
John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services. Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.
He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.