EIGRP FMC Configuration
Cisco Secure Firewall EIGRP Configuration
Introduction
Release 7.2 adds native EIGRP configuration to the Firewall Management Center (FMC) UI.
Background
Enhanced Interior Gateway Routing Protocol (EIGRP) is a widely used distance vector routing protocol developed by Cisco Systems. It is Cisco proprietary but is an open standard.
Note
This document does not provide technical details about the EIGRP protocol. Instead, it provides a high-level description of how the FMC provides configuration of the protocol.
See the references for more information about EIGRP protocol and configuration details on the Cisco Secure Firewall.
Both the Cisco Secure Firewall ASA (ASA) and Cisco Secure Firewall Threat Defense (FTD) have long supported EIGRP.
Prior to Release 7.2, configuring EIGRP for FMC managed devices required FlexConfig, a feature that writes configuration commands directly to the data plane (ASA) configuration. As part of the continuing initiative to deprecate FlexConfig, the Release 7.2 provides EIGRP configuration natively in the FMC UI.
Supported Platforms and Licensing
- The FMC must be running 7.2 or higher, but the managed devices can be running any supported version. For example, if the FMC is running 7.2, the managed devices can be running 6.6, 6.7, 7.0, 7.1, or 7.2. The feature is only a UI enhancement. EIGRP configuration in the data plane remains the same.
- This feature does not require any feature licensing.
Limitations
- There can only be a single EIGRP instance (autonomous system) on each FTD.
- The Releases 7.2/9.18.1 do not support EIGRP for IPv6.
- Only the Global VRF supports EIGRP. EIGRP can receive routes from other protocols through redistribution, but only within the Global VRF.
Treatment of FlexConfig Objects Containing EIGRP Commands
If a user upgrades the FMC to 7.2, and there are FlexConfig objects containing EIGRP commands, the FMC behavior depends on the Deployment attribute of the FlexConfig object.
- If the Deployment attribute is set to Once, the FMC generates an error during deployment
Figure 1: Deployment attribute set to Once
- If the Deployment attribute is set to Everytime, the FMC generates a warning during deployment.
Figure 2: Deployment attribute set to Everytime
When running 7.2, if a user tries to save a FlexConfig object containing EIGRP commands, the FMC generates an error:
Figure 3: Error - FlexConfig object contains EIGRP commands
Configuration Overview
A detailed EIGRP configuration discussion is beyond the scope of this document. The companion YouTube video demonstrates a simple EIGRP configuration. References at the end of this document provide low level configuration details.
To configure EIGRP, navigate to Devices > Device Management and edit the appropriate device. Select the Routing tab and select EIGRP from the left navigation pane.
Figure 4: Enable EIGRP
You can create a minimal configuration using just the Setup tab. All you need to do is the following:
- Check Enable EIGRP.
- Enter the AS Number.
- Select at least one network object. Interfaces with IP addresses contained in these objects will actively participate in EIGRP, advertising and learning routes. For example, if you select any-ipv4, all interfaces with (static or DHCP provided) IPv4 addresses will participate. This includes VTI and VNI interfaces.
Also, you can use the Setup tab to configure auto-summary and passive interfaces.
Below is a brief description of the remaining tabs.
Neighbors
Configure static neighbors. Specify the interface used to reach the neighbor and an IPv4 host network object representing the IP address of the neighbor. This is particularly useful in networks that do not support multi-cast.
Filter Rules
Using Standard ACLs, create inbound and outbound filters.
- Create filters for specified interfaces.
- Create filters for route redistribution.
Redistribution
Enable route redistribution to into EIGRP: static, connected, BGP, OSPF, RIP.
- Optionally specify EIGRP metric for redistributed routes.
- Optionally specify route-map.
- For OSPF, select types of routes to learn: internal, external1, external2, NSSA-external1, NSSA-external2.
Summary Address
Configure summary addresses for route advertisements.
- Specify the interface and a network object for each summary address.
- Optionally specify administrative distance.
Interfaces
Customize interface.
- Modify timers: hello interface, hold time.
- Enable split horizon.
- Set static delay time.
- Enable and configure MD5 authentication.
Advanced
There are six sections.
- Default Route Information – set router ID, accept or advertise default routes.
- Stub – specify receive only, connected, redistributed, static, summary.
- Administrative Distance – specify internal and external distance.
- Default Metrics – specify default bandwidth, delay time, reliability, loading, MTU.
- Adjacency Change – log neighbor changes, log neighbor warnings.
REST API
The FMC provides a comprehensive set of EIGRP configuration API commands. There are two types of API URLs. The first type does not include a VRF UUID.
| Method | URL |
|---|---|
| GET | /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords /{containerUUID}/routing/eigrproutes |
| GET (by ID) | /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords /{containerUUID}/routing/eigrproutes/{objectId} |
| POST | /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords /{containerUUID}/routing/eigrproutes |
| PUT | /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords /{containerUUID}/routing/eigrproutes/{objectId} |
| DELETE | /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords /{containerUUID}/routing/eigrproutes/{objectId} |
The second type includes a VRF UUID to future proof the API. In Release 7.2, these API calls only work with the Global VRF UUID.
| Method | URL |
|---|---|
| GET | /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords /{containerUUID}/routing/virtualrouters/{virtualrouterUUID}/eigrproutes |
| GET (by ID) | /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords /{containerUUID}/routing/ virtualrouters/{virtualrouterUUID}/eigrproutes/{objectId} |
| POST | /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords /{containerUUID}/routing/virtualrouters/{virtualrouterUUID}/eigrproutes |
| PUT | /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords /{containerUUID}/routing/virtualrouters/{virtualrouterUUID}/eigrproutes/{objectId} |
| DELETE | /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords /{containerUUID}/routing/virtualrouters/{virtualrouterUUID}/eigrproutes/{objectId} |
See the API-Explorer for details on how to use these API calls.
Verification and Troubleshooting
Use the following FTD CLI commands to troubleshoot EIGRP.
- show running-config router eigrp – inspect EIGRP configuration.
- show eigrp {interfaces | neighbors | topology | traffic} – inspect EIGRP functionality.
- debug eigrp {fsm | neighbors | packets | transmit} – low level debug information.
- show route eigrp – confirm insertion of EIGRP routes into the device route table.
In the following example, we first inspect the EIGRP configuration. We then confirm that one interface is participating in EIGRP, but EIGRP did not discover any neighbors. Finally, we confirm redistribution of static routes.
> show running-config router eigrp
router eigrp 10
no default-information in
no default-information out
no eigrp log-neighbor-warnings
no eigrp log-neighbor-changes
network 10.100.100.0 255.255.255.0
redistribute static
!
> show eigrp interfaces
EIGRP-IPv4 Interfaces for AS(10)
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
inside 0 0 / 0 0 0 / 1 0 0
> show eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)
> show eigrp topology
EIGRP-IPv4 Topology Table for AS(10)/ID(172.16.1.84)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.100.100.0 255.255.255.0, 1 successors, FD is 512
via Connected, inside
P 0.0.0.0 0.0.0.0, 1 successors, FD is 512
via Rstatic (512/0)
P 11.0.0.0 255.0.0.0, 1 successors, FD is 512
via Rstatic (512/0)
>
📚Additional Resources
- This document provides a good introduction to EIGRP: Understand and Use the Enhanced Interior Gateway Routing Protocol
- RFC 7868 defines the EIGRP protocol: Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP)
- This section of the Cisco Secure Firewall Management Center Device Configuration Guide, 7.2 covers EIGRP configuration using the FMC: Chapter: EIGRP
- This section of CLI Book 1: Cisco Secure Firewall ASA Series General Operations CLI Configuration Guide, 9.18 covers EIGRP configuration for ASA: Chapter: EIGRP
- This YouTube video demonstrates EIGRP configuration using the FMC: EIGRP with Firewall Management Center (FMC)
Updated over 1 year ago