route problem?

suthomas1 (Level 6)

Hi,

I have attached a rough network diagram of our scenario.

Existing:-

A 3750 is connected to an unmanaged switch. To this unmanaged switch, a 3845 router and a Netscreen firewall are connected. The 3750 is doing EIGRP, as is the 3845.

The 3750 has servers connected to it (10.96.0.91 / 10.96.0.95).

There is a second unmanaged switch, to which the Netscreen firewall and the Internet modem are connected.

The Netscreen is connected to both unmanaged switches.

There is an ASA firewall, which connects to the second unmanaged switch so it links to the ISP modem.

Planned change (highlighted in red):-

The aim is to remove the Netscreen firewall and insert another Juniper firewall as a second firewall alongside the existing ASA.

The Juniper SRX LAN portion connects to the first unmanaged switch (shown with a red line), and the LAN port of the Juniper SRX will be assigned an IP in the same range, 10.96.0.50.

Routing:-

Servers connected to the 3750 need to go out to some Internet-located destinations, e.g. IP 200.200.1.1.

The 3750 routes all traffic destined for the above and a few other Internet IPs to the 3845 router.

From the 3845, these Internet destinations are routed towards the Netscreen firewall, which then goes out via the ISP modem.

Routing for change:-

Insert routes in the 3845 router for 200.200.1.1 pointing to next hop 10.96.0.50 (Juniper SRX firewall) and remove the old routes pointing towards the Netscreen firewall.

In the ASA, appropriate NAT rules are added for the sessions. Routes on the ASA and Juniper SRX are changed to reflect the new path accordingly.

Problem:-

Even after changing the route on the 3845, the server still goes out via the old path, i.e. the Netscreen firewall.

If the Netscreen is disconnected, the server doesn't communicate.

We've tested with a server connected directly behind the Juniper SRX firewall, and it successfully communicates with the Internet IP 200.200.1.1 when the SRX is connected to the ASA, hence proving there is no problem with that path.

Query:-

1. Do we need to clear any ARP on any devices, considering the interconnections are via unmanaged switches?

2. What could be wrong here, and how should it be made to work? Any other ideas?

Appreciate all inputs. Thanks in advance!

25 Replies

Thanks again. So, I should remove the redistribution and test?

No there is no need for it.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal

Ok. In that case, can I please take the liberty to ask once again: what exactly should be done to test this out so the traffic flows to the new firewall after changing the routes on the 3845?

First try to change the static IP routes on the 3845 to point toward the Juniper.

To verify routing table on 3845:

show ip route

Then try a traceroute from the 3845 to see if it goes through the Juniper. And ensure that there are no static routes on the servers by checking with this command (I suppose they're Windows machines):

route print

Then, if it is still not working, check the static routes on the Juniper.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal

Thanks.

I'll check this again when we run the tests. However, we have tested part of this.

After changing the static routes on the 3845 to point to the Juniper, a trace from the 3845 shows that the packet doesn't reach the Juniper; it still goes to the Netscreen. Upon disconnecting the Netscreen totally, the packets drop.

When the Juniper is connected to the network, I can ping it from the 3845 router and see the ARP entries forming on both devices.

Hi,

From what you are saying, on the 3845 there might possibly be a PBR that routes traffic to the Netscreen even with the route pointing to the Juniper.

Can you show the "show run" output of the interface that has IP 10.96.0.13 on the 3845:

sh run interface Gigabit X/Y

sh route-map

Hope it will help.

Best regards,
Abzal


Abzal,

sh run from 3845:-

interface Ethernet0
 ip address 10.96.0.13 255.255.255.0
 no keepalive
 bridge-group 1
!
interface Serial1
 ip unnumbered Ethernet0
 no ip mroute-cache
 bridge-group 1
!
interface Serial0
 no ip address
 shutdown
!
router eigrp 21
 redistribute static metric 10000 100 255 1 1500
 network 10.0.0.0
 no auto-summary
!
ip classless
ip route 75.66.51.21 255.255.255.255 10.96.0.50
ip route 177.148.25.41 255.255.255.255 10.96.0.50
ip route 200.200.1.1 255.255.255.255 10.96.0.50
dialer-list 1 protocol ip permit
snmp-server community s3inga RO
bridge 1 protocol dec
!

=======================

Below are the routes from the two servers 10.96.0.91 and 10.96.0.95.

1. For 10.96.0.91:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.96.0.13       10.96.0.91     10
      200.200.1.1  255.255.255.255       10.96.0.50       10.96.0.91      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     165.82.12.44  255.255.255.255       10.96.0.50       10.96.0.91      1
        224.0.0.0        240.0.0.0       10.96.0.91       10.96.0.91     10
  255.255.255.255  255.255.255.255       10.96.0.91       10.96.0.91      1
Default Gateway:        10.96.0.13
===========================================================================
Persistent Routes:
  None

2. For 10.96.0.95:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.96.0.13       10.96.0.95    266
        10.96.0.0    255.255.255.0         On-link        10.96.0.95    266
       10.96.0.95  255.255.255.255         On-link        10.96.0.95    266
      10.96.0.255  255.255.255.255         On-link        10.96.0.95    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.96.0.95    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.96.0.95    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.96.0.13  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Thanks again!

Hi,

By looking at your outputs on the 3845, it looks like PBR is not configured. But if the Netscreen's IP is 10.96.0.50, there is one issue.

On 10.96.0.91 server:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.96.0.13       10.96.0.91     10
      200.200.1.1  255.255.255.255       10.96.0.50       10.96.0.91      1

As you can see, a route to 200.200.1.1 is hardcoded on one of the servers.

And here you can run a simple test from the second server, 10.96.0.95, because it doesn't have this route:

ping 200.200.1.1

tracert 200.200.1.1

But the Juniper should be running, and the routes need to be pointed to it with the correct IP.

Hope it will help.

Best regards,
Abzal

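The two checks Abzal describes above (verifying that the servers carry no static routes after the 3845 change, and spotting the hardcoded 200.200.1.1 entry in the route print output) as an added Python example that is not code from this thread: it parses the Active Routes block, lists routes that bypass the default gateway, and shows which next hop the host itself would pick for a destination. The sample input is constructed from the 10.96.0.91 output quoted above.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed from the "route print" output the poster quoted for server
# 10.96.0.91 (whitespace simplified; the parser splits on whitespace).
ROUTE_PRINT_91 = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.96.0.13       10.96.0.91     10
      200.200.1.1  255.255.255.255       10.96.0.50       10.96.0.91      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     165.82.12.44  255.255.255.255       10.96.0.50       10.96.0.91      1
        224.0.0.0        240.0.0.0       10.96.0.91       10.96.0.91     10
Default Gateway:        10.96.0.13
"""

# One Active Routes row: destination, netmask, gateway, interface, metric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (default_gateway, [(network, gateway, interface, metric), ...])."""
    routes, default_gw = [], None
    for line in text.splitlines():
        if line.startswith("Default Gateway:"):
            default_gw = line.split(":", 1)[1].strip()
            continue
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, persistent-route rows
        dest, mask, gw, iface, metric = m.groups()
        net = IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return default_gw, routes

def bypassing_routes(text):
    """Routes whose next hop is neither the default gateway nor the host
    itself: these silently override the router's path for that prefix."""
    default_gw, routes = parse_routes(text)
    return [(str(net), gw) for net, gw, iface, _ in routes
            if net.prefixlen > 0 and gw not in ("On-link", iface, default_gw)]

def next_hop_for(text, dst):
    """Longest-prefix match (lowest metric on ties), as the host forwards."""
    _, routes = parse_routes(text)
    ip = IPv4Address(dst)
    best = max((r for r in routes if ip in r[0]),
               key=lambda r: (r[0].prefixlen, -r[3]), default=None)
    return best[1] if best else None
```

Run against the 10.96.0.91 table this reports both stale host routes via 10.96.0.50, which is why changing the 3845's routes alone cannot move that server's traffic.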

Ok, so it means the route needs to be changed on server.

If you're going to replace the Netscreen, it will be good to remove that route.

And to make sure, test with the second server, IP 10.96.0.95.

Hope it will help.

Best regards,
Abzal


EIGRP is Cisco only by the way.
