03-30-2015 10:44 AM - edited 03-05-2019 01:07 AM
We are currently trying to switch from a 3MB MPLS circuit to a 100MB layer 2 connection over sonet. When I bring up the new circuit users are able to get to internet sites such as yahoo but are not able to access mail from these sites. Any other site that requires authentication doesn't seem to pass the traffic back through our network as well.
I did notice afterward that there are 2 default routes 0.0.0.0 0.0.0.0 one that goes to the old MPLS circuit and one that goes over the new Gig0/1 interface for the 100MB circuit. The ospf database is also still showing our old MPLS circuit IP address as one of the GW's instead of the ip to our new 100MB circuit. Would having 2 default routes pointing to different circuits be causing internet traffic not to flow back properly through our network?
NOTE: Also, I lose the ability to log back in through our management vlan but still can get to the login prompt of our 3845 router. The user traffic connected to GIG0/0 has subinterfaces for the mgmt, data and voice vlans but they are not configured on the GIG0/1 to our new 100MB circuit. We are using OSPF as the routing protocol over the GIG0/1 to GIG0/1 between our (2) 3845 routers.
03-30-2015 11:23 AM
Douglas
It's difficult to tell if you have two routers with different connections because at the end of your post you mention two routers.
It's also not clear what is happening in terms of public IP addressing ie. do you have separate addressing for each circuit or one set for both circuits ?
As a general answer if there are two default routes in the IP routing table the router will alternate between them on a per destination flow unless you have enabled per packet load sharing which shouldn't be the default.
Difficult to say if this is causing the issues without more details.
Jon
03-30-2015 11:58 AM
Jon,
Correct. We have 2 different IP addressing schemes. Our MPLS (Multilink) currently on our 3845 remote router is using an IP scheme from our ISP. The new 100MB circuit I've configured a new subnet locally Gig0/1 ##.#.xyz.1 to Gig0/1 ##.#.xyz.2 and using OSPF to route traffic between our (2) 3845 routers.
Below is the configuration for our 3MB MPLS multilink that is currently working. The main 3845 at my location supports all MPLS circuits for outlying areas including the other 3845 we're trying to bring up on the new 100MB circuit.
interface Serial0/1/0:1
description ***> XYZ
bandwidth 1544
no ip address
ip flow ingress
ip flow egress
encapsulation ppp
ppp multilink
ppp multilink group 2
!
interface Serial0/1/1:2
description ***> XYZ2
bandwidth 1544
no ip address
ip flow ingress
ip flow egress
encapsulation ppp
ppp multilink
ppp multilink group 2
---------------------------------------------------------------------------
User traffic being sent through MPLS cloud
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type sfp
negotiation auto
!
interface GigabitEthernet0/0.###
description ***> Management-Vlan
encapsulation dot1Q ###
ip address ##.#.###.17 255.255.255.240 secondary
ip address ##.#.###.1 255.255.255.240
ip flow ingress
ip flow egress
service-policy output Local-Interface-QoS
!
interface GigabitEthernet0/0.###
description ***> Data-Vlan
encapsulation dot1Q ###
ip address ##.#.###.1 255.255.255.0
ip helper-address ##.#.#.12
ip flow ingress
ip flow egress
ip pim sparse-mode
service-policy output Local-Interface-QoS
!
interface GigabitEthernet0/0.###
description ***> Voice-Vlan
encapsulation dot1Q ###
ip address ##.#.###.1 255.255.255.0
ip flow ingress
ip flow egress
service-policy output Local-Interface-QoS
03-30-2015 12:11 PM
Douglas
Sorry I'm not getting it :-)
Can you do a quick diagram by hand showing all routers and how they relate to each other together with IP addressing ?
For internet access ie. not MPLS should all remote sites come to the central site ?
Jon
03-30-2015 01:11 PM
Jon,
Attached is a quick network diagram. All remote sites do come into our central site for internet access after they pass through our 3845 and through our core devices. I can't give you our exact ip addressing scheme but plug in generic IP's and you probably can tell where we're coming from. We're using a /30 between our two 3845 routers with the network statement adding this network into the OSPF process.
Thank You,
Doug
03-30-2015 01:23 PM
Doug
Thanks for the diagram
I am really sorry, I usually get these things a lot quicker but I still can't understand how everything relates to each other. Perhaps because I have limited experience with SONET.
I was hoping for a big picture drawing of how everything fits together ie. where is the MPLS network, where is the router with the 3Mbps circuit, is it one of them shown in your diagram.
Where are the actual internet connections etc.
Perhaps someone else will see what you are asking.
Happy to try and work it through with you but you may get frustrated trying to explain it to an obviously stupid person like me :-)
Jon
03-30-2015 01:32 PM
Jon,
The 3MB circuit goes into the Delta connection via 2 serial links which combine to form the multilink. Basically I was told to forget it's a sonet connection and configure layer 2 between the two 3845 routers. There's nothing to configure sonet wise since they are strictly providing layer 2 connectivity. The whole MPLS network goes through our main 3845 on the diagram which goes out our dmarc point over a fiber connection.
Thank You,
Doug
03-30-2015 01:55 PM
Doug
I think it may be starting to make sense.
So the bottom router in your diagram is the remote router and it has a 3Mbps connection to MPLS.
It also has a 100Mbps connection via SONET to your main site ie. not MPLS.
And the bottom router is showing two default routes one via MPLS and one via the SONET link ?
Is that correct?
If so are the defaults both OSPF routes ie. do you pass OSPF across MPLS as well as over the SONET link ?
Jon
03-30-2015 02:01 PM
Jon,
Correct. All MPLS circuits are configured for OSPF. The bottom router is the 3MB sonet circuit and the top is the MPLS/OSPF that all the remote sites feed into.
The layer 2 sonet network is running over OSPF as well.
Doug
03-30-2015 02:06 PM
Doug
So why can you not just shut down the 3Mbps connection to the MPLS and let everything route over the SONET connection?
As long as you advertise the subinterface user subnets into OSPF over SONET I would have thought it should all work.
Is it because you need them both up for testing or have you tried it and it just doesn't work ?
Jon
03-30-2015 02:19 PM
Jon,
We are leaving the MPLS 3MB up while we're testing. All 3 subnets are currently in the router ospf 10 and I have the default route going out GIG0/1. When I look at the OSPF from the last time we were testing it's showing the 3MB MPLS as the gateway of last resort.
Also, the 3 subnets show up in the OSPF process statically assigned to GIG0/0 which is the 3MB MPLS circuit. It doesn't appear that any of those 3 subnets are going across our layer 2 sonet, which may be due to the static assignment overriding the OSPF network statement? If so, do you think turning off or unplugging the 3MB circuit would fix this issue?
This may explain why I get a log in prompt for my router but am unable to authenticate back to tacacs. It may also explain why secure internet sites are failing to authenticate back to our hosts?
Doug
03-30-2015 02:26 PM
Doug
"the 3 subnets show up in the OSPF process statically assigned to GIG0/0 which is the 3MB MPLS circuit."
What do you mean by "statically assigned"?
If you are passing OSPF across MPLS then you must have network statements under the OSPF configuration or a redistribute connected for the subinterfaces otherwise they wouldn't be advertised in which case they should be advertised over the SONET link as well.
Are you running just one OSPF process on the remote router ?
And are you running just one OSPF process on the main site router ?
Jon
03-30-2015 02:36 PM
Jon,
The 3 subnets are shown as being "directly connected" via GIG0/0 when looking at the show ip ospf database. We have a redistribute connected for the 3 subinterfaces.
We are running only 1 OSPF process on the remote router with the exception of our distance learning traffic being routed over a tunnel which uses a different OSPF process.
The main router has the 1 main router ospf 10 process and tunnels to the outlying areas for distance learning.
Doug
03-30-2015 02:42 PM
Doug
Okay on the remote router they will show as directly connected and that's as you would expect so it's fine.
If you have one OSPF process and are redistributing connected they should then be redistributed into OSPF and advertised via both links ie. MPLS and SONET so your main site router should be getting them via both links.
Your main site router is also receiving all the other sites OSPF advertisements via MPLS and so should be advertising those via the SONET link as well to the remote router as it too is only running one OSPF process.
So the TACACS server, what IP subnet is that on and what does the remote router show for that subnet ie.
both in the IP routing table and the OSPF database ?
Jon
03-30-2015 03:06 PM
Jon,
The show ip ospf database log is showing the subnets being advertised over the 3MB MPLS and the Sonet. The tacacs is in a different subnet than the redistributed static routes and is not showing in the OSPF database.
The show ip route is showing the tacacs subnet being advertised over the sonet connection, though. At the top of the "show ip route" it has the 3MB MPLS as the first Gateway with a S* next to the 3MB MPLS ip address.
Doug
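As an added illustration of Jon's point about two default routes sharing flows per destination, and of the S* static default Doug sees pointing at the MPLS side, the following is example IOS configuration written for this thread, not configuration from either router. It assumes both defaults are static; the next hops (192.0.2.2 on the SONET-facing /30, 198.51.100.1 on the MPLS side) and the hosts in the verification commands are constructed placeholders from documentation ranges.

```cisco
! Added example, not the thread's configuration. Placeholder addresses:
!   192.0.2.2    = far end of the /30 on the SONET-facing Gig0/1
!   198.51.100.1 = ISP next hop reachable over the MPLS multilink
!
! --- Before: two equal default routes (both administrative distance 1).
! CEF load-shares per destination, so a host's session to one site can go
! out over SONET while traffic toward another site, or the TACACS+ reply
! path on the far side, uses MPLS. Stateful things (HTTPS logins, TACACS+,
! any firewall that must see both directions) break on the split path.
ip route 0.0.0.0 0.0.0.0 192.0.2.2
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! --- After: keep SONET as the only active default while the MPLS link
! stays up for testing. The MPLS default becomes a floating static
! (distance 250) that is installed only if the SONET default is withdrawn.
! (If the SONET default is instead learned via OSPF, distance 110, the
! floating static at 250 still stays out of the table until OSPF loses it.)
no ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! --- Verification from exec mode (placeholder hosts):
! show ip route 0.0.0.0 0.0.0.0            -> one next hop, 192.0.2.2
! show ip cef 0.0.0.0/0                    -> one adjacency, not two
! show ip cef exact-route 10.0.1.25 203.0.113.10
!                                          -> outgoing interface a given
!                                             src/dst flow really takes
```

The same check on the main-site router, against the remote user subnets, confirms the return path also uses SONET; an outbound-only fix leaves the session asymmetric.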