05-11-2011 06:05 AM - edited 03-04-2019 12:21 PM
I am facing a problem with routing between the head office and the DR (disaster recovery) side.
I have two links to my DR side. I have a GRE tunnel with the Primary and Secondary Routers located in the head office.
I want DR to use the Primary Router (tunnel 550) as the primary link and the Secondary IPVPN Router (Tunnel 540) as backup.
But I am not able to achieve this. I have even shut down the GRE tunnel (540) on the Secondary IPVPN Router, but the traffic is still going through this link. I am not able to track which path the traffic is taking. My bandwidth graph is high on the Secondary IPVPN link, and hardly a few kbps are being used on the primary IPVPN link.
This means that something is wrong with the routing. Please go through the configuration and let me know what I am missing and which link cost I need to modify in order to use the exact required link.
05-13-2011 01:11 PM
Hi,
If Tunnel 540 is up with ip ospf cost 50 command, ENOCDC_R03 will go to 192.168.10.x(DR) via this link. Right? Please post "show ip route 192.168.10.0 255.255.255.0" while Tunnel 540 is up.
Toshi
05-13-2011 01:56 PM
Hi,
My objective is for traffic for subnet 192.168.200.0/24 to always use tunnel 550. But this is not happening even when tunnel 540 is shut down. My bandwidth graph etc. all show traffic going to the Secondary IPVPN link, as mentioned previously in the post with the attached bandwidth graph.
ENOCDC_R03#sh running-config interface tunnel 540
Building configuration...
Current configuration : 306 bytes
!
interface Tunnel540
description connected to the DR-Site
bandwidth 1024000
ip address 172.27.5.37 255.255.255.252
ip mtu 1476
ip policy route-map RE_ROUTE>RACK2
ip ospf network point-to-point
ip ospf cost 50
keepalive 5 3
tunnel source GigabitEthernet0/0
tunnel destination 192.168.253.25
end
ENOCDC_R03#show ip route 192.168.10.0
Routing entry for 192.168.10.0/24
Known via "ospf 1", distance 110, metric 41, type intra area
Last update from 192.168.0.40 on GigabitEthernet0/1, 1w2d ago
Routing Descriptor Blocks:
* 192.168.0.146, from 172.27.1.10, 1w2d ago, via FastEthernet0/0/0
Route metric is 41, traffic share count is 1
192.168.0.40, from 172.27.1.10, 1w2d ago, via GigabitEthernet0/1
Route metric is 41, traffic share count is 1
05-13-2011 02:09 PM
Hi,
Do you want DR-Router to always send 192.168.200.0/24 back via Tunnel550, right? Please post "show ip route 192.168.200.0 255.255.255.0" on DR-Router while Tunnel-540 is up.
Edit: Sorry guys, I know it's in production now, but we sometimes need to verify the problem like this. From the DR-Router's point of view, if it can learn 192.168.200.0/24 via ENOCDC_R04# and ENOCDC_R03#, we should not have a problem with modifying it to select a preferable path in this case.
Toshi
05-14-2011 10:32 PM
Hi,
Show ip route when tunnel 540 is down.
ENOC_DR_R01#show ip route 192.168.200.0
Routing entry for 192.168.200.0/24
Known via "ospf 1", distance 110, metric 60, type extern 1
Last update from 172.27.5.165 on Tunnel550, 00:01:23 ago
Routing Descriptor Blocks:
* 172.27.5.165, from 192.168.0.162, 00:01:23 ago, via Tunnel550
Route metric is 60, traffic share count is 1
ENOC_DR_R01#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Fa0/0 1 0 192.168.10.2/24 1 DR 0/0
Tu550 1 0 172.27.5.166/30 10 P2P 1/1
Tu540 1 0 172.27.5.38/30 20 DOWN 0/0
=============================================================
show ip route when tunnel 540 is up.
ENOC_DR_R01#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Fa0/0 1 0 192.168.10.2/24 1 DR 0/0
Tu550 1 0 172.27.5.166/30 10 P2P 1/1
Tu540 1 0 172.27.5.38/30 20 P2P 1/1
ENOC_DR_R01#show ip route 192.168.200.0
Routing entry for 192.168.200.0/24
Known via "ospf 1", distance 110, metric 60, type extern 1
Last update from 172.27.5.165 on Tunnel550, 00:00:11 ago
Routing Descriptor Blocks:
* 172.27.5.165, from 192.168.0.162, 00:00:11 ago, via Tunnel550
Route metric is 60, traffic share count is 1
I want the DR router to use tunnel 550 as long as it is up. Once tunnel 550 is down, DR should start sending traffic to Tunnel 540.
05-14-2011 10:57 PM
Hi,
As far as I can see, it worked as expected.
#####################################
Tunnel550 is up & Tunnel540 is up
ENOC_DR_R01#show ip route 192.168.200.0
Routing entry for 192.168.200.0/24
Known via "ospf 1", distance 110, metric 60, type extern 1
Last update from 172.27.5.165 on Tunnel550, 00:00:11 ago
Routing Descriptor Blocks:
* 172.27.5.165, from 192.168.0.162, 00:00:11 ago, via Tunnel550
Route metric is 60, traffic share count is 1
ENOC_DR_R01 is using Tunnel550 for 192.168.200.0/24 network.
#####################################
Tunnel550 is up & Tunnel540 is down
ENOC_DR_R01#show ip route 192.168.200.0
Routing entry for 192.168.200.0/24
Known via "ospf 1", distance 110, metric 60, type extern 1
Last update from 172.27.5.165 on Tunnel550, 00:01:23 ago
Routing Descriptor Blocks:
* 172.27.5.165, from 192.168.0.162, 00:01:23 ago, via Tunnel550
Route metric is 60, traffic share count is 1
ENOC_DR_R01 is using Tunnel550 for 192.168.200.0/24 network.
#####################################
HTH,
Toshi
05-15-2011 12:14 AM
Hi,
Unfortunately this is not happening. If you see the above attached bandwidth graph, it is clearly showing that the traffic is not going to the ENOCDCR04 link.
Whatever we want to send to DR from the head office side is utilizing the ENOCDCR03 link. I don't know what is happening. Apparently everything seems to be okay, but when actual traffic is going, it is not taking the right path.
See above graph.
05-15-2011 12:44 AM
What happens when you shut Tunnel 550 and then check the routing on the DR?
Regards,
Kishore
05-15-2011 02:01 AM
Hi,
Please post the output of ENOC_DR_R01#traceroute 192.168.253.1 and ENOC_DR_R01#traceroute 192.168.253.37.
To verify the traffic from DR to the Primary router, please add the following commands.
Conditions:
1. Tu550 and Tu540 are up
2. There are connections between 192.168.10.0/24 to 192.168.200.0/24.
#############ENOCDC_R04##############
!
ip access extend TEST-DR-192.168.10.0-IN-R04
permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip any any
!
!
ip access extend TEST-DR-192.168.10.0-OUT-R04
permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
!
ENOCDC_R04#conf t
ENOCDC_R04(conf-t)#interface g0/0
ENOCDC_R04(conf-if)#ip access-group TEST-DR-192.168.10.0-IN-R04 in
ENOCDC_R04(conf-if)#ip access-group TEST-DR-192.168.10.0-OUT-R04 out
Please post the output of show access-list TEST-DR-192.168.10.0-IN-R04 and show access-list TEST-DR-192.168.10.0-OUT-R04
#############ENOCDC_R03##############
!
ip access extend TEST-DR-192.168.10.0-IN-R03
permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip any any
!
!
ip access extend TEST-DR-192.168.10.0-OUT-R03
permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
!
ENOCDC_R03#conf t
ENOCDC_R03(conf-t)#interface g0/0
ENOCDC_R03(conf-if)#ip access-group TEST-DR-192.168.10.0-IN-R03 in
ENOCDC_R03(conf-if)#ip access-group TEST-DR-192.168.10.0-OUT-R03 out
Please post the output of show access-list TEST-DR-192.168.10.0-IN-R03 and show access-list TEST-DR-192.168.10.0-OUT-R03
Toshi
05-15-2011 04:27 AM
Hi,
I will apply the access-list at night because this is production and I need to go through the change management procedure. Below is the trace output.
ENOCDC_R04#traceroute 192.168.253.37
Type escape sequence to abort.
Tracing the route to 192.168.253.37
1 172.27.5.166 0 msec 4 msec 4 msec
2 * * *
3 * * *
4 192.168.253.37 0 msec * 0 msec
ENOCDC_R04#
===========================================================
ENOC_DR_R01#traceroute 192.168.253.1
Type escape sequence to abort.
Tracing the route to 192.168.253.1
1 192.168.253.26 4 msec 4 msec 0 msec
2 192.168.253.2 12 msec 0 msec 0 msec
3 192.168.253.1 0 msec 0 msec
=================================================================
ENOCDC_R03#traceroute 192.168.253.1
Type escape sequence to abort.
Tracing the route to 192.168.253.1
1 192.168.0.146 0 msec
192.168.0.40 0 msec *
ENOCDC_R03#traceroute 192.168.253.25
Type escape sequence to abort.
Tracing the route to 192.168.253.25
1 192.168.253.38 16 msec 8 msec 0 msec
2 192.168.253.26 4 msec 8 msec 4 msec
3 * *
===============================================================================
05-15-2011 01:18 PM
Hi,
I have brought both the tunnels up and applied the access-list, but nothing is matching in the access-list.
We are running GRE, so I think we need to apply the access-list on the Tunnel interfaces? Below are the results when both the tunnels are up and traffic is passing between Head office and DR.
==========================================================
ENOCDC_R03#show access-lists TEST-DR-192.168.10.0-IN-R03
Extended IP access list TEST-DR-192.168.10.0-IN-R03
10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
20 permit ip any any (447337 matches)
ENOCDC_R03#show access-lists TEST-DR-192.168.10.0-OUT-R03
Extended IP access list TEST-DR-192.168.10.0-OUT-R03
10 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip any any (418554 matches)
ENOCDC_R03#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Gi0/1 1 0 192.168.0.39/27 30 DR 1/1
Lo0 1 0 192.168.0.161/32 1 LOOP 0/0
Fa0/0/0 1 0 192.168.0.145/30 30 P2P 1/1
Tu540 1 0 172.27.5.37/30 50 P2P 1/1
ENOCDC_R03#show ip route 192.168.10.0
Routing entry for 192.168.10.0/24
Known via "ospf 1", distance 110, metric 41, type intra area
Last update from 192.168.0.40 on GigabitEthernet0/1, 14:36:28 ago
Routing Descriptor Blocks:
* 192.168.0.146, from 172.27.1.10, 14:36:28 ago, via FastEthernet0/0/0
Route metric is 41, traffic share count is 1
192.168.0.40, from 172.27.1.10, 14:36:28 ago, via GigabitEthernet0/1
Route metric is 41, traffic share count is 1
==================================================================================
ENOCDC_R04#show access-lists TEST-DR-192.168.10.0-IN-R04
Extended IP access list TEST-DR-192.168.10.0-IN-R04
10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
20 permit ip any any (103308 matches)
ENOCDC_R04#show access-lists TEST-DR-192.168.10.0-OUT-R04
Extended IP access list TEST-DR-192.168.10.0-OUT-R04
10 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip any any (135906 matches)
ENOCDC_R04#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Gi0/1 1 0 192.168.0.40/27 30 BDR 1/1
Lo0 1 0 192.168.0.162/32 1 LOOP 0/0
Fa0/0/0 1 0 192.168.0.146/30 30 P2P 1/1
Tu550 1 0 172.27.5.165/30 10 P2P 1/1
ENOCDC_R04#show ip route 192.168.10.0
Routing entry for 192.168.10.0/24
Known via "ospf 1", distance 110, metric 11, type intra area
Last update from 172.27.5.166 on Tunnel550, 1w4d ago
Routing Descriptor Blocks:
* 172.27.5.166, from 172.27.1.10, 1w4d ago, via Tunnel550
Route metric is 11, traffic share count is 1
================================================================
Both Tunnel 540 and 550 are up; show ip route on the DR router:
ENOC_DR_R01#show ip route 192.168.200.0
Routing entry for 192.168.200.0/24
Known via "ospf 1", distance 110, metric 60, type extern 1
Last update from 172.27.5.165 on Tunnel550, 00:01:32 ago
Routing Descriptor Blocks:
* 172.27.5.165, from 192.168.0.162, 00:01:32 ago, via Tunnel550
Route metric is 60, traffic share count is 1
05-15-2011 01:24 PM
Hi,
Ahhh, sorry guys, my fault. Packets are already encapsulated before hitting the ACL. Please put the ACLs on the tunnel interfaces.
Toshi
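Why the counters on g0/0 only incremented on "permit ip any any", as an added sketch that is not part of the thread: an ACL on the physical interface evaluates the outer GRE header, so the ACE for the inner subnets never matches. The inner host addresses and the head-office tunnel source address (TUNNEL_SRC_HO) are constructed; the ACL entries and 192.168.253.25 are from the posts above.

```python
import ipaddress
import struct

GRE_PROTO = 47
ANY = ("0.0.0.0", "255.255.255.255")
# TEST-DR-192.168.10.0-IN-R03/R04 as posted: (seq, src, src wildcard, dst, dst wildcard)
ACL_IN = [(10, "192.168.10.0", "0.0.0.255", "192.168.200.0", "0.0.0.255"),
          (20, *ANY, *ANY)]
TUNNEL_SRC_DR = "192.168.253.25"   # DR end of the tunnels (from the thread)
TUNNEL_SRC_HO = "192.0.2.1"        # constructed: head-office Gi0/0 address is not in the thread

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 because nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Wrap an IPv4 packet in a basic GRE header (no flags, protocol type 0x0800)."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def first_matching_ace(packet, acl):
    """Sequence number of the first ACE matching the packet's outermost IPv4 header."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    for seq, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return seq
    return None  # implicit deny

def compare_placements():
    """Return (ACE hit on physical g0/0, ACE hit on the tunnel interface)."""
    inner = ipv4_header("192.168.10.5", "192.168.200.7", 6, 0)  # constructed DR -> HO packet
    on_wire = gre_encapsulate(inner, TUNNEL_SRC_DR, TUNNEL_SRC_HO)
    return first_matching_ace(on_wire, ACL_IN), first_matching_ace(inner, ACL_IN)

if __name__ == "__main__":
    print(compare_placements())
```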
05-16-2011 12:38 PM
Hi,
I have applied the acl on tunnel interfaces.
================================================
When Tunnel 540 is active and Tunnel 550 is down, I can see the traffic on tunnel 540.
ENOCDC_R03#show access-lists TEST-DR-192.168.10.0-OUT-R03
Extended IP access list TEST-DR-192.168.10.0-OUT-R03
10 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255 (11277 matches)
20 permit ip any any (715 matches)
ENOCDC_R03#show access-lists TEST-DR-192.168.10.0-IN-R03
Extended IP access list TEST-DR-192.168.10.0-IN-R03
10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255 (507 matches)
20 permit ip any any (72 matches)
ENOCDC_R03#show access-lists TEST-DR-192.168.10.0-IN-R03
Extended IP access list TEST-DR-192.168.10.0-IN-R03
10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255 (514 matches)
20 permit ip any any (74 matches)
ENOCDC_R03#sh run interface tunnel 540
Building configuration...
Current configuration : 404 bytes
!
interface Tunnel540
description connected to the DR-Site
bandwidth 1024000
ip address 172.27.5.37 255.255.255.252
ip access-group TEST-DR-192.168.10.0-IN-R03 in
ip access-group TEST-DR-192.168.10.0-OUT-R03 out
ip mtu 1476
ip policy route-map RE_ROUTE>RACK2
ip ospf network point-to-point
ip ospf cost 50
keepalive 5 3
tunnel source GigabitEthernet0/0
tunnel destination 192.168.253.25
end
ENOCDC_R04#show access-lists TEST-DR-192.168.10.0-OUT-R04
Extended IP access list TEST-DR-192.168.10.0-OUT-R04
10 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip any any
ENOCDC_R04#show access-lists TEST-DR-192.168.10.0-IN-R04
Extended IP access list TEST-DR-192.168.10.0-IN-R04
10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
20 permit ip any any
=======================================================================================
When Tunnel 550 is active and Tunnel 540 is also active, I can see the traffic on tunnel 550.
interface Tunnel550
description connected to the DR-Site
ip address 172.27.5.165 255.255.255.252
ip access-group TEST-DR-192.168.10.0-IN-R04 in
ip access-group TEST-DR-192.168.10.0-OUT-R04 out
ip mtu 1476
ip policy route-map RE_ROUTE>RACK1
ip ospf network point-to-point
ip ospf cost 10
keepalive 5 3
tunnel source GigabitEthernet0/0
tunnel destination 192.168.253.25
end
ENOCDC_R04#show access-lists TEST-DR-192.168.10.0-IN-R04
Extended IP access list TEST-DR-192.168.10.0-IN-R04
10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255 (15589 matches)
20 permit ip any any (2405 matches)
ENOCDC_R04#show access-lists TEST-DR-192.168.10.0-OUT-R04
Extended IP access list TEST-DR-192.168.10.0-OUT-R04
10 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255 (21917 matches)
20 permit ip any any (2150 matches)
interface Tunnel540
description connected to the DR-Site
bandwidth 1024000
ip address 172.27.5.37 255.255.255.252
ip access-group TEST-DR-192.168.10.0-IN-R03 in
ip access-group TEST-DR-192.168.10.0-OUT-R03 out
ip mtu 1476
ip policy route-map RE_ROUTE>RACK2
ip ospf network point-to-point
ip ospf cost 50
keepalive 5 3
tunnel source GigabitEthernet0/0
tunnel destination 192.168.253.25
end
ENOCDC_R03#show access-lists TEST-DR-192.168.10.0-OUT-R03
Extended IP access list TEST-DR-192.168.10.0-OUT-R03
10 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip any any
ENOCDC_R03#show access-lists TEST-DR-192.168.10.0-IN-R03
Extended IP access list TEST-DR-192.168.10.0-IN-R03
10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
20 permit ip any any (264 matches)
=======================================================================================================
When Tunnel 550 is active and Tunnel 540 is down, I can see the traffic on tunnel 550 only.
ENOCDC_R04#show access-lists TEST-DR-192.168.10.0-OUT-R04
Extended IP access list TEST-DR-192.168.10.0-OUT-R04
10 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255 (23386 matches)
20 permit ip any any (2513 matches)
========================================================================================================
05-16-2011 01:35 PM
Hi,
The routing is working correctly. Do you still see wrong information in your network monitoring?
Toshi
05-17-2011 09:43 AM
Hi,
Thanks for the continuous help. Actually, I couldn't test it thoroughly. In fact, I have applied QoS through the Packet shaper for this link because of this routing problem. I will once again go through the change management process to disable the QoS, and then I will ask the other team to push the traffic to DR.
I want to clear up a few things regarding cost. Please correct me if I am not calculating the right cost. I have included the LAN cost of each router as well in this cost calculation.
OSPF cost from DR to R03 ---------------------------------------> (1+20+30)=51 cost of lan of DR is 1, DR tunnel cost is 20 and cost of R03 Lan is 30
OSPF cost from R03 to DR -----------------------------------------> (30+50+1)=81
OSPF cost from R03--->R04---->DR -------------------------> (30+30+10+1)=71
OSPF cost from DR to R04 ----------------------------------------> (30+10+1)=41
OSPF cost from R04 to DR -----------------------------------------> (30+10+1)=41
OSPF cost from R04--->R03---->DR -------------------------> (30+30+50+1)=111
05-17-2011 01:36 PM
Hi,
You need to specify the network to calculate the cost.
R04 point of view , Go to 192.168.10.0/24
Cost = 1+10 = 11 , (Cost of LAN on DR + Cost of Tunnel 550 on R04)
Primary IPVPN#show ip route 192.168.10.0
Routing entry for 192.168.10.0/24
Known via "ospf 1", distance 110, metric 11, type intra area
Last update from 172.27.5.166 on Tunnel550, 1w0d ago
##################
R03 point of view Go to 192.168.10.0/24
Cost = 1+10+30 = 41 , (Cost of LAN on DR + Cost of Tunnel 550 on R04 + Cost of GigabitEthernet0/1 on R03)
ENOCDC_R03#show ip route 192.168.10.0
Routing entry for 192.168.10.0/24
Known via "ospf 1", distance 110, metric 41, type intra area
Last update from 192.168.0.40 on GigabitEthernet0/1, 1w2d ago
################
DR point of view , Go to 192.168.200.0/24
Cost = 50+10 = 60 , ( O*E1 Cost from R04 + Cost of Tunnel550 on DR ) External Cost + Cost to ASBR
ENOC_DR_R01#show ip route 192.168.200.0
Routing entry for 192.168.200.0/24
Known via "ospf 1", distance 110, metric 60, type extern 1
Last update from 172.27.5.165 on Tunnel550, 00:01:23 ago
####Check the external cost for 192.168.200.0 on DR####
ENOC_DR_R01#sh ip ospf database external 192.168.200.0
<>
< 50="">> <----- You should see this line.
<>
################
HTH,
Toshi
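The per-destination cost calculation described in the reply above, as an added example that is not part of the thread: a small SPF run over the interface costs shown in the posted "show ip ospf interface brief" outputs, including the equal-cost paths R03 has toward R04. The router labels DR/R03/R04 and the function names are this example's own; the external metric 50 is the value given in the reply.

```python
import heapq

# (router, neighbor, outgoing interface, OSPF cost of that interface), taken from
# the "show ip ospf interface brief" outputs in the thread. The Gi0/1 broadcast
# segment is simplified to a direct link (its pseudonode adds no cost).
LINKS = [
    ("DR",  "R04", "Tu550",   10),
    ("DR",  "R03", "Tu540",   20),
    ("R04", "DR",  "Tu550",   10),
    ("R04", "R03", "Gi0/1",   30),
    ("R04", "R03", "Fa0/0/0", 30),
    ("R03", "R04", "Gi0/1",   30),
    ("R03", "R04", "Fa0/0/0", 30),
    ("R03", "DR",  "Tu540",   50),
]

def spf(src, down=()):
    """Dijkstra from src. Returns {router: (cost, first-hop interfaces)}; equal-cost
    paths are merged, and interfaces named in `down` are ignored on every router."""
    best = {src: (0, frozenset())}
    heap = [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for a, b, ifname, link_cost in LINKS:
            if a != node or ifname in down:
                continue
            new = cost + link_cost
            hops = frozenset([ifname]) if node == src else best[node][1]
            if b not in best or new < best[b][0]:
                best[b] = (new, hops)
                heapq.heappush(heap, (new, b))
            elif new == best[b][0]:
                best[b] = (new, best[b][1] | hops)
    return best

def route_metric(src, target, extra, down=()):
    """Metric src would install: SPF cost to `target` plus `extra`, where `extra` is
    the stub interface cost (intra-area) or the E1 external metric (target = ASBR)."""
    cost, hops = spf(src, down)[target]
    return cost + extra, sorted(hops)

if __name__ == "__main__":
    print("R04 -> 192.168.10.0/24    :", route_metric("R04", "DR", 1))
    print("R03 -> 192.168.10.0/24    :", route_metric("R03", "DR", 1))
    print("DR  -> 192.168.200.0/24 E1:", route_metric("DR", "R04", 50))
    print("R03, Tu550 down           :", route_metric("R03", "DR", 1, down={"Tu550"}))
    print("DR,  Tu550 down           :", route_metric("DR", "R04", 50, down={"Tu550"}))
```

With both tunnels up, R03's best path to 192.168.10.0/24 is through R04 and Tunnel 550 (metric 41, two equal-cost next hops), which matches the two routing descriptor blocks in R03's posted output; R03's own Tunnel 540 is only chosen when Tunnel 550 is down.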