Friday, August 27, 2021

Eigrp neighbor filtering help!

I'll try to keep this brief... explaining complicated, detailed network issues in words is difficult for me without a whiteboard/Visio drawing.

"""

TLDR: I want to configure a router to only form neighbor relationships to one specific address, and not 10 other routers on the same broadcast domain.

"""

I am configuring a stack of routers for a new dmvpn network (30 routers) in an enterprise environment. The NBMA addresses are on our default business network and the dmvpn is segregated on vrf X. Half of this network is layer 3 to the access layer, but the other half is a giant stretched layer 2 network (100 vlans). Let's not get distracted on why you shouldn't have a giant stretched layer 2 network!!!! It actually runs really well, is well documented, and is curated tightly to avoid exposure. Anyways, not my call. Brownfield deployment. Can you guess which side my problem lies on?

On the layer 2 side we created vlan 666, with an SVI on the core *10.0.0.1/24*, and each router has an address in this subnet so it can communicate with the rest of the underlay and conveniently a source interface for us to manage the device on the default business network. Also, each router has a loopback0 that resides in the default global routing table that is used as the NBMA address of the DMVPN tunnel.

For anyone to reach this loopback0, I first tried advertising it with our standard default business network eigrp AS which DID work. The problem with this solution was that each router was forming 10 eigrp neighbor relationships, which seemed like a lot of overhead and potential weirdness/asynchronous routing/dmvpn confusion.

This left me with 2 choices that I could think of. Remove eigrp completely and configure static routes on the core (of the layer 2 side) pointing to the loopback0 addresses of the spoke routers, and default routes on the spoke routers pointing to the svi (10.0.0.1) on the core. Or configure unicast eigrp neighbor relationships on both the core and the spokes. FUN FACT... the "eigrp neighbor 10.0.0.x g0/0/0" must be configured on BOTH sides of the link, not just the spoke side. The spoke sends unicast hellos to the core and stops listening for multicast 224.0.0.9, while the core is sending out hellos to multicast 224.0.0.9 and dropping unicast eigrp hellos. Sure would be cool if that worked differently.

Our team is not all routing wizards (hence the layer 2 design), myself included, and we opted for the static route method to make it more "readable". And it does work great! Deployed 95% of the routers; dmvpn tunnels are up strong, reliable and squeaky clean.

Now I am down to the two final routers to configure and of course they are the oddballs. These will be installed in a portable comm shelter which frequently roams around from one side of the network to the other, sometimes fed by microwave, sometimes with fiber/copper. I would sure like to use a dynamic routing protocol on these 2 spoke routers rather than adding and removing static routes all the time.

So, my question is, can you filter eigrp hello messages to specific neighbors? I thought I had it with the "distribute-list gateway <prefix-list name> in" under the eigrp configuration, but I still formed a relationship with the second spoke router on the same vlan.
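As an added example (not part of the original post), here is the unicast-neighbor setup the post describes, written out for the core SVI and one portable spoke in classic IOS EIGRP syntax. The AS number 100, the spoke addresses 10.0.0.11/.12 and the loopback address 192.0.2.11 are placeholders I assume; only the 10.0.0.1/24 SVI and vlan 666 come from the post.

```cisco
! ===== Core (layer 2 side): SVI for vlan 666 =====
interface Vlan666
 ip address 10.0.0.1 255.255.255.0
!
router eigrp 100
 ! Placeholder AS. Once any "neighbor" statement names Vlan666, IOS stops
 ! sending and accepting 224.0.0.9 hellos on that interface, so every
 ! router that should still peer on this VLAN must be listed explicitly.
 ! The remaining spokes use static routes and are not listed.
 neighbor 10.0.0.11 Vlan666
 neighbor 10.0.0.12 Vlan666
 network 10.0.0.0 0.0.0.255
!
! ===== Portable spoke 1: G0/0/0 = 10.0.0.11, Loopback0 = NBMA address =====
interface GigabitEthernet0/0/0
 ip address 10.0.0.11 255.255.255.0
!
interface Loopback0
 ip address 192.0.2.11 255.255.255.255
!
router eigrp 100
 ! Only the core is a static neighbor. Because this interface no longer
 ! listens to multicast hellos, the second shelter router (10.0.0.12) on
 ! the same VLAN will NOT form an adjacency unless it is also listed here
 ! and lists 10.0.0.11 on its own side.
 neighbor 10.0.0.1 GigabitEthernet0/0/0
 network 10.0.0.0 0.0.0.255
 network 192.0.2.11 0.0.0.0
!
! Note: "distribute-list gateway <prefix-list> in" only filters which
! learned prefixes are accepted based on their advertising router; it does
! not filter hellos, so it cannot stop an adjacency from forming.
!
! Verify on either side:
!   show ip eigrp neighbors
!   show ip eigrp interfaces   (Peers column should match the static list)
```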
