Network Design

Hello - I apologize for the length of this description.

Problem: When my AT&T Metro Optiman connection fails, I lose connectivity between sites and also Internet.

My question is: If my AT&T Metro Optiman goes down, how can I assure that my network
will still be able to get to the Primary AT&T Internet link?

Do I simply need to enable a secondary default with a higher admin distance than EIGRP
and specify my secondary AT&T MARO/MPLS links at sites 1 and 2?

    ip route 0.0.0.0 0.0.0.0 192.168.2.x 200

See attached diagram.
See attached configs.



I have a Corporate hub/spoke network with (3) sites in Corporate City location.

There are (9) Distribution centers (DC) across the country that use AT&T managed 3800's that
come into the Data Center 3800's and then access internal services OR are sent out to Internet.

Each (DC) has a 3750 stack as headend that connects to the AT&T MARO/MPLS 3800's.

The 3750's use c3750-ipbasek9-mz.122-55.SE.bin with ip routing enabled and a static default to MARO/MPLS HSRP.

Site 1: Data center. EVERYTHING from the spokes comes in thru this AT&T MARO/MPLS connection.  This connection has a primary that connects from the AT&T MARO/MPLS router to (2) Gig interfaces on 3750 stack. There is also a secondary connection from the AT&T MARO/MPLS router to a 2960 switch.

Site 2: Corporate Executive Office has an AT&T MARO/MPLS with the same type of secondary connections, BUT, this site also has "THE" Primary AT&T link to internet @ 10 Meg.
The AT&T Metro Optiman connections and the Primary AT&T link to internet both use the AT&T ME 3400 to connect to the AT&T outside fiber connections.

As we found out, there is NO backup generator at this site, so when a pwr outage occurred, we lost connectivity.
      
Site 3: IT and other departments that connect to Corporate and Data center across an Optiman AT&T Metro link.

The original design several years ago was a flat network and ALL servers are configured to use Data Center MARO/MPLS static as default gateway.


All data comes into Data Center.

The Data center default route is to an ASA5520 located @ the Corporate Executive building.
To reach the default route ASA5520_192.168.2.1, traffic must cross an AT&T Metro Optiman.
Traffic is routed from the ASA to either Inside, DMZ or Outside via a "2811 Corporate_Edge router".

If the traffic was destined for Outside and the Primary AT&T 10 meg link is down, then traffic is routed back to the Data center to the "2811 Data Center_Edge router".      

To reach our backup Internet link the "2811 Data Center_Edge router" uses a Vlan where the default gateway for the Vlan is located back at the "2811 Corporate_Edge router". So traffic has to cross back across the Optiman, to the ASA_5520 to "2811 Corporate_Edge router" and out to the ISP who provides backup Internet link.

This has been tested and does work, although I am somewhat perplexed by the process.

Now, IF the ISP secondary link is not available, then the "2811 Data Center_Edge router" has a dialer interface that should come up and reach the ISP who provides backup Internet link.

If the link to the Primary ASA is not available, then the secondary ASA 192.168.2.2, located @ the Data Center is supposed to take over.



EOS-Root-Cause-Analysis-Industri.txt
EOS-Root-cause-analysis-Fiat.txt
EExchange-diagram-Optiman.vsd
s_coad5Asked:

arnoldCommented:
I'll look at the visio diagram

To have dynamic routing, you have to use the Interface instead of the IP on the interface
ip route 0.0.0.0 0.0.0.0 FE1 weight1
ip route 0.0.0.0 0.0.0.0 S1 weight2

Let's say you want S1 to be the failover to FE1, so weight1 will be lower than weight2.
When FE1 is down and this is the important part, the router will take it out of the routing table.
The difficulty is if FE1 stays up, but there is no traffic that can pass through it.

I'm not sure whether MPLS link down is detected on the router.  You might be able to manage the auto-failover by using routing protocols i.e. ospf that will handle the network convergence.
0
pergrCommented:
It is definitely better to use a routing protocol here, and OSPF is a good choice.
0
s_coad5Author Commented:
On my way in this a.m., I was thinking that an interface would be better, however, the interface
that connects to the Optiman is on a 2960 switch connected to router. The commands above need to be on router, yes?

So to describe the topology:
     ALL traffic initially comes in through AT&T 3800's @ site 1: Data center
         Datacenter - 3750 stack - 4900 switches - 3750 used as router - 2960 switch - AT&T Metro      
         ME  3400 - across Metro Fiber (Optiman)

         Traffic comes into Corporate 2960 - 3750 used as router - to ASA (192.168.2.1)

Also, the notes docs show 192.168.2.13 (Data Center MARO/MPLS) link as Source of advertisement. So, it seems these secondary links are being used @ least by AT&T MARO, to route
some traffic.

It seems as though the Data Center and the Corporate office need to be self contained/individual routing domains with a preferred method for cross communication between them being the Optiman.

 If the Optiman is not working, then traffic destined for either side utilizes the MARO/MPLS connections to communicate.

Please advise.



0
pergrCommented:
Generally speaking, this set-up seems to be a complete mess.

Possibly designed by someone who wanted to be sure they would get an eternal support contract, since no one else ever would be able to make any sense of the set-up...

I doubt it will be a matter of adding a floating static route, or two, to get it organized.

To start with, half of the boxes can probably be removed...

If you want to start drafting a new design, start with drawing up the L3 topology, which possibly is not exactly the same as the box-topology.
0
s_coad5Author Commented:
Complete re-design is definitely what needs to be done. That is the long-term goal.

I need a short term fix in the event the Optiman tanks again.
0
arnoldCommented:
An interface-based route needs the line/feed connected/terminated on the router.

Although I am not sure that an MPLS link down will be seen as interface down.

Using routing protocols to advertise routes with weights (cost) such that the routing table will send traffic through the lowest cost path available.
But the difficulty you encounter is that some of the devices are managed by the ISP/someone else or is managed means something else in this context?
0
arnoldCommented:
Depending on your scripting skills, you could "check" whether access through MPLS is there, if not you adjust the routing table bypassing the link while continuing to test periodically.  Once the check detects that the MPLS link is back and active, you once again alter the routing configuration.
Routing based setup will detect that OSPF is not seen coming through the MPLS peer and that link will be seen as "dead" and other paths will take over.
Some reading info
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ospffa.html
0
pwindellCommented:
Complete re-design is definitely what needs to be done. That is the long-term goal.

I need a short term fix in the event the Optiman tanks again.



I'm going to agree with pergr.   That diagram just looks like a "big-pile-of-stuff" to me.  Probably your problem with the diagram is that you are mixing Logical and Physical Topology together in the same diagram.  The only thing important is the Logical Topology,...the Physical Topology is meaningless without an intimate understanding of the actual detailed configuration of each physical device.  You should have one diagram that is 100% Logical Topology and another that is 100% Physical that includes an explanation of the config of each device on a cut-sheet.  Most of the time in these forums the Physical Diagram is worthless.  You also don't want to mis-name things,...if something is doing Layer2 then it is a Switch,...if it is doing Layer3 then it is a Router,...if it is a Layer3 Switch doing both,...then show it as two separate Icons in the diagram because that is how the Logical Topology is (the fact that it is one physical device is irrelevant).  Brands and Model numbers are also irrelevant in a Logical Topology.

I think your short term solution is to just leave it alone.  The AT&T Metro Optiman simply is not supposed to go down,...if it is going down a lot then THAT is the problem you need to solve,...not worrying about how to have the Internet when it is down (it is a matter of priority and perspective).

Obviously your AT&T Metro Optiman is where the LAN's Routing Scheme resides,...you lose that you lose your Routing,..then you don't get to the Internet,..makes perfect sense.  So the bottom line here is that the AT&T Metro Optiman is the most important element of the system,..therefore it isn't supposed to go down,...if it goes down then THAT is your problem to be concerned with,...not whether or not you can get to the Internet.

Anyway,...the way this stuff is supposed to be designed would be to have LAN Routers between the LAN Segments at each facility.  The WAN Routers for the WAN links and the Firewalls to the Internet are just "appendages" and do not make any centralized "routing decisions".

Below is a logical topology of two multi-segment LANs joined by a WAN link that could be something to shoot for when you redesign.  Notice that the Switch Icons are used to symbolize a whole subnet (1 Switch Icon per 1 subnet) and even if it is a single Layer3 Switch being used with 2 subnets (VLANs),..it is still displayed as 1 Router Icon with 2 Switch icons.

 It is showing a VPN as the WAN,..but it could be ANY kind of WAN technology,...the Line Technology does not change the Logical Topology Design.  The Default Gateway of each Facility is the LAN Router. The LAN Router then has static routes on it for the WAN Link and uses the local Firewall as the Default Gateway.  This way the WAN Link could collapse yet the Internet will still function through the Firewall.

 Sample1
0
pwindellCommented:
Dude!!,...You're in or near Springfield, IL?  Using Hanson as the ISP?

I'm in Decatur,...also using Hanson.
0
s_coad5Author Commented:
This entire scenario has been about the Optiman going down so of course that is where the problem is!

The logical topology:

         AT&T - Datacenter - switch stack - Core switches - router -
         switch - Cisco ME 3400 - across Metro Fiber (Optiman)

         Traffic comes into Corporate switch - router - to ASA (192.168.2.1)

"Obviously your AT&T Metro Optiman is where the LAN's Routing Scheme resides".
                    The Optiman is strictly a L2 solution between the 3 sites mentioned, which also currently
                    has a 100 MAC address limit per site.

"leaving it alone" is not an option.

0
s_coad5Author Commented:

Currently the primary Internet connection, located in site 2, is accessed by crossing the Optiman.
If the Optiman connection @ site 2 fails, what is next best solution to reach Internet?
0
s_coad5Author Commented:
Please exclude Hanson from your consideration as they are not where the money has been or will be spent with any significance.

We were thinking of using Hanson to try and separate internet traffic by employees from internet traffic by clients, BUT, there does not seem to be an acceptable way to accomplish that.
0
pwindellCommented:
That isn't why I asked about Springfield and Hanson.

I asked because I live and work in what is possibly your physical location and might actually know who the guy was that set up your stuff.  Heck for that matter we could meet in person and talk about it.

My diagram lays out what I think you should do,...that is really all there is to say about that.

Currently the primary Internet connection, located in site 2, is accessed by crossing the Optiman.
If the Optiman connection @ site 2 fails, what is next best solution to reach Internet?


There is none,... if the Optiman is the "only way out",..then it is the "only way out",...plain and simple...unless they get their own independent Internet Connection and pattern it as I described in the diagram I gave.  This is the same thing people face when they join their multiple facilities with an MPLS Service and also use the MPLS for the Internet as well because the Internet and the WAN are the same path.

This entire scenario has been about the Optiman going down so of course that is where the problem is!
"leaving it alone" is not an option.
Please exclude Hanson from your consideration as they are not where the money has been or will be spent with any significance.


I'm trying to figure out if you are being "snotty" with me or not. If you are then I am done with you.  But if you want to have a discussion,..we can discuss.  "Leaving it alone" until it is redesigned is absolutely an option since when everything is working when the Optiman is up,....if you don't want to choose that option then that is an entirely different thing, and is your choice,...but it "IS" an option.  I'm a technical guy  just like you doing the same job as you at my own place I work at (I do not work for Experts-Exchange) and I am giving out whatever options I see,...I'm just giving the facts of the technology as I see them.
0
pergrCommented:
Looking at the pwindell diagram, and drafting a routing solution:

a) Each firewall should monitor its ISP connection, and as long as that is up it should signal this to your network. Effectively, the firewall should inject a default route into your network as long as its ISP connection is available.

b) Not sure if your firewall has some sort of monitoring feature it can use (like to ping the ISP). If not, you can always ask the ISP to send you a default route in a BGP session...

c) Next, the firewall should advertise that default route to the local VPN Device and/or LAN Router. If you use EIGRP, use that, or use another BGP session, and have that or those devices redistribute the default route to EIGRP. Or change it all to OSPF...

d) In order to get priority to your main ISP connection, that site needs to advertise a lower metric than the other site - a metric relevant to whatever protocol you are using.
0
pwindellCommented:
Hi pergr,

You just make the LAN Router the Default Gateway for all the Hosts on the LAN at the particular facility (instead of it being the Firewall like many try to do).
Then the LAN Router uses the Firewall as the Default Gateway.
The LAN Router then has simple static Routes that tell it to use the proper WAN Device to reach the WAN segments.  If the WAN link is Layer2 only,..then the targeted IP of the Route would be the first L3 routing device on the other end of the L2 WAN Link.

Lastly, the Firewall would have all relevant LAN segments added to its LAT (or LAT equivalent) and then give it Static Routes that tell it to use the LAN Router as the Gateway to all of the Company's Segments.

This puts the L3 LAN Routers in charge of all the routing decisions, which is what they were meant to do.  I've been doing it that way for years, it works great and there is no real maintenance involved and doesn't require any routing protocols.

However it does require that each facility have their own independent Internet connection and firewall.

Here's a diagram showing what I mean.  This is only showing the perspective from one facility and doesn't show the WAN link,..but the WAN Device would just branch off of one of the switches/subnets,...pretty straight forward.

 3 segment LAN
0
pwindellCommented:
Personally I would never want a WAN link that was only Layer2 because that puts both ends of the WAN link in the same Broadcast Domain causing the limited bandwidth of the link to carry the burden of the broadcast packet,...but that's just me  :-)
0
pwindellCommented:
@pergr:
a) Each firewall should monitor its ISP connection, and as long as that is up it should signal this to your network. Effectively, the firewall should inject a default route into your network as long as its ISP connection is available.

OK, I may be misunderstanding the original question.   So your theory there may be a correct theory, but I don't know of any firewall product that could do what you're saying.  A lot of them won't even use Routing Protocols at all.
0
pergrCommented:
My favorite firewall when it comes to routing, scripting, automation is the Juniper SRX. There is also Fortigate and a long time ago Watchguard. All can be found (new) for less than $1,000...

As even Gartner says: people buy ASA since they have a Catalyst...
0
pwindellCommented:
I'm an MS MVP for MS's Firewall "TMG" (or ISA).  I am one of the only two in the USA.  There are more but they are in other countries.  I can say that ISA/TMG would not be able to do what you were describing.
0
s_coad5Author Commented:
I appreciate everyone's input.

I understand making the LAN router the default gateway and then firewall etc..

I have some other things to ask/add, so I will check back tomorrow.
0
Steve JenningsSr Manager Cloud Networking OpsCommented:
Waiting .  .  .
0
s_coad5Author Commented:
I have been pulled away for "another fire". I will post something asap.

thanks
0
pwindellCommented:
Today is "Everyone wants to get infected with Malware" day.

So I'm tied up myself, with that.
0
s_coad5Author Commented:
Hello

Hope everyone had a fun new year weekend

One issue I have been dealing with is the lack of documentation. In an effort to get something on this post, my documentation was not the best. I will post more complete info by end of day.
0
s_coad5Author Commented:
Please diagram and read the following:

If the connection noted as "X"_1 fails, there is NO access to internet or Data Center.
      My thoughts are if traffic from Site_2 to Site_1 cannot reach across Optiman
      then it should go out AT&T MPLS (192.168.4.1) and come back in 192.168.7.91



If the connection noted as "X"_2 fails, failover occurs as follows:
      
      Traffic is routed back across Optiman to Site_1 rtr_2
      Site_1 rtr_2 routes traffic out Vlan 516.

      The gateway for Vlan 516 is Site_2 rtr_2.
      So traffic is routed back across Optiman to Site_2 rtr_2
      where it exits vlan 516 to SpringNet.


Current-Site-1-and-Site-2-Logica.vsd
0
arnoldCommented:
You can export data out of visio as a pdf or as an image which will simplify things. (ref http:#a37346752)
0
s_coad5Author Commented:
ok

Also, my background for anyone new to this blog.

I have several Distribution centers around the country.

ALL traffic for this network comes in through the 192.168.7.91 connection located in site 1
This is where the data center is.

Any traffic destined for internet is passed to Site_2 across the Optiman.

On the map, the dotted or dashed lines are Default gateways.
0
s_coad5Author Commented:
topology image
0
arnoldCommented:
How is your routing table configured?
ip route 0.0.0.0 0.0.0.0 <ip or Interface> weight (default route)
ip route 0.0.0.0 0.0.0.0 <MPLS_IP> weight (failover path)

There might be additional rules that you have to add for the traffic to pass through the MPLS link and the router on the other side to the outside.

a higher value weight means less preferred path.
This only will kick in if the default route uses an interface as a reference making the entry dynamic and dependent on the status of the interface i.e. when the interface is down loss of link, the entry will be removed from the routing table.

0
s_coad5Author Commented:
0
s_coad5Author Commented:
"How are you routing table configure ip route 0.0.0.0 0.0.0.0 <ip or Interface> weight (default route)
ip route 0.0.0.0 0.0.0.0 <MPLS_IP> weight (failover path)"

Which device are you wanting the static route from?
0
s_coad5Author Commented:
On the Left side of diagram, Site_1 (Data Center), the Headend LAN switch (in blue outline)
has a default gateway of 192.168.7.91.


On the Right side, Site_2 (Corporate), the Headend LAN switch (in brown outline)
has a default gateway of 192.168.2.1 (ASA5520 Primary)
      This default gateway is NOT statically defined but is received via EIGRP
0
s_coad5Author Commented:
"On the Right side, Site_2 (Corporate), the Headend LAN switch (in brown outline)
has a default gateway of 192.168.2.1 (ASA5520 Primary)
      This default gateway is NOT statically defined but is received via EIGRP "

Gateway of last resort is 192.168.2.1 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/3072] via 192.168.2.1, 2w2d, Vlan2

router eigrp 2
 network 10.0.0.0
 network 192.168.2.0
 network 192.168.4.0
 network 192.168.249.0
 eigrp stub connected
0
pergrCommented:
You need to figure out if all routers (and firewalls) are running EIGRP, and which ones of them are originating a default route (probably by redistributing a static default).

In general, it would probably be a good idea to run your routing protocol also to the spoke sites, so that they send DC traffic directly to site 1 and Internet traffic directly to site 2 - with automatic failover controlled by the routing protocol.

Perhaps you are already running a protocol (here EIGRP) in most part of the network, in which case you do not want to add more static routes - you may even want to remove some. It is essential to find out if EIGRP is coming all the way out to the firewalls. In such a case you just need to control when the firewalls should advertise a default into the network, and with what metric.
0
s_coad5Author Commented:
See diagram for EIGRP device statements
0
s_coad5Author Commented:
0
pwindellCommented:
I hate to be Mr Doom and Gloom,...but I just don't see how what you want is ever going to happen.  I'm looking back at your original question,...assuming it still represents what you want,...you asked:

My questions is: If my AT&T Metro Optiman goes down, how can I assure that my network
will still be able to get to Primary AT&T Internet link.


I just don't think it is possible.  I think the only real solution is to have each site have their own independent dependable internet connection and be able to use the internet independently on their own.  This is assuming their connection to the Data Center or other sites is independent of the internet connection.
0
arnoldCommented:
show ip route and see whether there are several paths to the outside or is it limited to one.

Site_1 seemingly has a single static default route via 192.168.7.91 while other locations have dialer1 based static routes and site2 has a dynamic one, and yet the ASA has other routes defined.

you have BGP from each location to the AT&T network
What is being advertised on the optiman connection.

http://bgplay.routeviews.org/bgplay/

Do you have a raw external view only?
i.e. routers/devices that are only interfacing with external connections?

0
pergrCommented:
Hi, first of all, the "track" command on your firewall indicates that you are already monitoring if the ISP is up or down - and "redistribute static" that includes the default route in EIGRP when the ISP is available.

That assumes you also have the 'sla monitor' and 'track' commands, as documented here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

If that does not work, then perhaps your link to the ISP was up, but the ISP's own uplinks did not work. In such a case you may want to monitor more IPs on the ISP side.


You also have a BGP session with the ISP, where you are advertising your 216.174.182.0/24 network. You can check what your ISP is advertising to you - if they are advertising a default gateway, then you can use that (redistribute that) to EIGRP instead of using the static.

You also have a routing protocol (BGP) running over the MPLS, with all the routes, including 0.0.0.0, which is good.
However, you also should have something (EIGRP or BGP) running across the Optiman link - that seems to be the main missing issue.
0
s_coad5Author Commented:
Good morning

Thanks again for all the posts. They have all been very helpful!

Please see diagram that has AT&T (BGP/EIGRP) routing statements as well as my company
EIGRP statements.

0
s_coad5Author Commented:
0
arnoldCommented:
Posting images that we then have to reevaluate/reinterpret is rather cumbersome.  If you made a change, let us know what it is rather than reposting the diagram with the changes.
Site 3 has a static default route 192.168.0.0/16 via 192.168.4.27 which I think is a problem.
0
s_coad5Author Commented:
Sorry for introducing a new diagram.

The latest diagram seems to reflect the most "raw" routing.
This new diagram shows the differences between the AT&T routers at site_1 and site_2.

One thing to point out on Site_2 is the switch directly connected to AT&T router does not have a default gateway pointing back to AT&T router, the way the same setup @ Site_1 does.

Site_1 and Site_2 have redundant AT&T routers (MR1 and MR2). On both AT&T routers, at each site, Int Gi0/1 has "description connection to Opt-E-MAN".

Site_2
                  ip address 192.168.2.8 255.255.255.0
                  ip address 192.168.2.12 255.255.255.0

Site_2
                  ip address 192.168.2.9 255.255.255.0
                  ip address 192.168.2.13 255.255.255.0

These Optiman links from AT&T connect directly to the switch that provides access to the Optiman for respective sides.

Is there a way to utilize these connections better?

0
arnoldCommented:
You seem to have BGP peering setup on both sites which is where the default routing should come in.
i.e. they advertise to you their and everything else and you only advertise your own.
The default route on site 1 is likely what prevents it from failing over when the connection it has dies since it always keeps trying to send data through the statically defined default route.

How are those connections currently utilized if at all?  show ip interface gi0/1
is there any traffic that is flowing through them?

Others have pointed out that there is no routing advertisement that is going between the two on the optiman connection.

Run show ip route on MR1 or MR2 what does the routing table show?
i.e. if a packet lands on MR1 or MR2 what is the path that it will take when the packet is addressed to www.experts-exchange.com?
0
pergrCommented:
You may want to go around the routers and look at 'show ip eigrp neighbor' output. In general, routers will not form neighbor relationships (and exchange routes) unless the AS number is the same. In EIGRP the AS is the number after the 'router eigrp' command (sort of like BGP). There are 3 different EIGRP AS in the network - and that is rather confusing..., to say the least.

Also, on some router there is the same 'network' statement under two AS - which is not recommended at all.

And, many routers have 'eigrp stub' command, which effectively is used to make sure traffic will not transit across those routers - but in the topology it appears that traffic should transit across those routers...

There is some HSRP, but it is not clear what the reason for it is.

Apart from the above, I am not sure if the topology is correctly represented in the diagram - because it does not make that much sense to me... If it worked, perhaps it would be a smart design... but if no one can operate/admin it, then...

Do all 4 VLANs run across the Optiman?
Why are both 'outside' and 'inside' connected on the edge routers?
In general (and apart from the issues raised above) the key is to pass routes across the Optiman, so you need to look at eigrp neighbor relationships across there, and what routes are exchanged.
0
s_coad5Author Commented:
0
s_coad5Author Commented:
0
s_coad5Author Commented:
0
s_coad5Author Commented:
0
s_coad5Author Commented:
"i.e. if a packet lands on MR1 or MR2 what is the path that it will take when the packet is addressed to www.experts-exchange.com? "
   
    The MR1/2 routers are AT&T managed, so I cannot access it or run any commands


"There are 3 different EIGRP AS in the network - and that is rather confusing..., to say the least."

     The routers with (3) EIGRP AS's are the Edge routers. There is an Edge router @ Site_1 and
     Site_2.

               EIGRP 2305 was described by the original designer as a "pseudo" EIGRP that corresponds
               to the EIGRP AS on the Tertiary network.

               EIGRP 2000 was described by the original designer as the EIGRP that corresponds
               to the EIGRP AS between the ASA5520 and the Edge routers.


"There is some HSRP, but it is not clear what the reason for it is."

      Each site has (2) AT&T routers and HSRP is used to assure connectivity.


"In general (and apart from the issues raised above) the key is to pass routes across the Optiman"

    How do the AT&T Gi0/1 interfaces factor in?
    Shouldn't these also have an HSRP config?
   

One thing that seems strange, to me anyway, is:
      Site_1 and Site_2 AT&T routers have a default gateway pointing to the ASA5520 (192.168.2.1)

      Site_1, Site_2 and Site_3 company routers also have a default gateway of the ASA5520
      (192.168.2.1)

      If that device is down or not available, then what??

0
arnoldCommented:
Check with AT&T on what the configuration on the MR1 and MR2 are for handling failover and then see what configuration adjustments you need to make on devices you manage to setup/configure a peering session with MR1/MR2 to get routing updates from them if you are not getting them already.

The use of the routing protocols BGP to the AT&T and EIGRP internally is to converge networks when a node/connection becomes unavailable.
0
s_coad5Author Commented:
The site_2 switch is being used as router and is now known as Site_2 rtr1.

The 3750's I am using for Site_1 rtr, Site_2 rtr and Site_3 rtr are using ipbasek9 IOS.

It was mentioned earlier that EIGRP  has the "Stub" command on these and maybe they shouldn't.
I received the following message when I tried to remove stub designation.

Site_1 rtr#          config t
Site_1 rtr(config)#router eigrp 2
Site_1 rtr(config-router)#no eigrp stub connected
EIGRP is restricted to stub configurations only on this platform.
Site_1 rtr(config-router)#^Z

I am guessing I need to put ipservicesk9 as the IOS to have more routing protocol options.

The following shows that there is peering with AT&T, but not sure peering is configured
how I need it to be.


Site_1 rtr#sh ip route | inc C
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
C    192.168.12.0/24 is directly connected, Vlan12
C    192.168.125.0/24 is directly connected, Vlan7
C       10.1.26.0/24 is directly connected, Vlan726
C       10.1.25.0/24 is directly connected, Vlan725
C       10.1.24.0/24 is directly connected, Vlan724
C       10.1.31.0/24 is directly connected, Vlan731
C       10.1.23.0/24 is directly connected, Vlan723
C       10.1.22.0/24 is directly connected, Vlan722
C       10.1.21.0/24 is directly connected, Vlan721
C       10.1.20.0/24 is directly connected, Vlan720
C    192.168.248.0/24 is directly connected, Vlan248
C    192.168.7.0/24 is directly connected, Vlan7
C       192.168.2.0/24 is directly connected, Vlan2
C    192.168.70.0/24 is directly connected, Vlan70
C       192.168.71.0 is directly connected, Vlan71


Site_1 rtr# sh ip route | exc EX|C
Gateway of last resort is 192.168.2.1 to network 0.0.0.0

D    192.168.4.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D    192.168.20.0/24 [90/3072] via 192.168.2.4, 2w5d, Vlan2
D    192.168.249.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
     10.0.0.0/8 is variably subnetted, 27 subnets, 4 masks
D       10.1.10.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D       10.1.9.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D       10.1.8.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D       10.1.15.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D       10.1.14.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D       10.1.7.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D       10.1.6.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D       10.1.5.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D       10.1.4.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D       10.1.32.0/20 [90/3072] via 192.168.2.4, 2w5d, Vlan2
D       10.1.120.0/24 [90/3072] via 192.168.2.4, 7w0d, Vlan2
     12.0.0.0/8 is variably subnetted, 25 subnets, 3 masks
                    [170/28416] via 192.168.2.9, 7w0d, Vlan2
     192.168.2.0/24 is variably subnetted, 16 subnets, 2 masks
     135.89.0.0/16 is variably subnetted, 4 subnets, 2 masks
     192.168.71.0/28 is subnetted, 1 subnets
S*   0.0.0.0/0 [1/0] via 192.168.2.1


Site_1 rtr# sh ip route | inc EX
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

D EX 192.168.13.0/24 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.14.0/24 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.15.0/24 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.8.0/24 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.9.0/24 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.251.0/24 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.200.0/24 [170/322816] via 192.168.2.12, 2w5d, Vlan2
D EX 192.168.201.0/24 [170/322816] via 192.168.2.12, 2w5d, Vlan2
D EX    10.8.0.0/21 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    10.9.0.0/21 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    10.14.0.0/21 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    10.13.0.0/21 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    10.3.0.0/19 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    10.18.0.0/21 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    10.19.0.0/21 [170/258816] via 192.168.2.13, 2w2d, Vlan2
D EX    10.16.0.0/21 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.17.0/24 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.115.59.84/30 [170/258816] via 192.168.2.13, 2w2d, Vlan2
D EX    12.85.56.124/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.126.20/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.99.4/30 [170/258816] via 192.168.2.13, 2w4d, Vlan2
D EX    12.85.153.128/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.115.52.44/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.162.140/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.157.184/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.38.168.0/24 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.223.12/30 [170/62208] via 192.168.2.12, 2w5d, Vlan2
D EX    12.85.208.4/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.223.8/30 [170/62208] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.223.9/32 [170/62208] via 192.168.2.13, 7w0d, Vlan2
D EX    12.85.205.36/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.168.68/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.168.72/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.205.40/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.202.44/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.85.146.116/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.84.244.108/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    12.84.149.41/32 [170/62208] via 192.168.2.8, 2w5d, Vlan2
D EX    12.84.149.40/30 [170/62208] via 192.168.2.8, 2w5d, Vlan2
D EX    12.84.149.37/32 [170/62208] via 192.168.2.9, 7w0d, Vlan2
D EX    12.84.149.36/30 [170/62208] via 192.168.2.9, 7w0d, Vlan2
D EX    12.85.204.96/30 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.16.0/24 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.1.0/24 [170/28416] via 192.168.2.13, 7w0d, Vlan2
D EX    192.168.2.107/32 [170/3072] via 192.168.2.1, 01:10:10, Vlan2
D EX    192.168.2.104/32 [170/3072] via 192.168.2.1, 03:20:16, Vlan2
D EX    192.168.2.105/32 [170/3072] via 192.168.2.1, 03:16:28, Vlan2
D EX    192.168.2.111/32 [170/3072] via 192.168.2.1, 02:05:03, Vlan2
D EX    192.168.2.108/32 [170/3072] via 192.168.2.1, 02:39:53, Vlan2
D EX    192.168.2.109/32 [170/3072] via 192.168.2.1, 02:18:59, Vlan2
D EX    192.168.2.103/32 [170/3072] via 192.168.2.1, 03:26:23, Vlan2
D EX    192.168.2.100/32 [170/3072] via 192.168.2.1, 03:30:46, Vlan2
D EX    192.168.2.101/32 [170/3072] via 192.168.2.1, 03:30:13, Vlan2
D EX    192.168.2.115/32 [170/3072] via 192.168.2.1, 00:40:55, Vlan2
D EX    192.168.2.113/32 [170/3072] via 192.168.2.1, 01:36:54, Vlan2
D EX    192.168.2.117/32 [170/3072] via 192.168.2.1, 00:47:25, Vlan2
D EX    192.168.2.250/32 [170/3072] via 192.168.2.1, 05:15:05, Vlan2
D EX    192.168.2.251/32 [170/3072] via 192.168.2.1, 04:55:08, Vlan2
D EX    192.168.2.252/32 [170/3072] via 192.168.2.1, 04:52:52, Vlan2
D EX 192.168.19.0/24 [170/258816] via 192.168.2.13, 2w2d, Vlan2
D EX    135.89.152.56/29 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    135.89.152.128/28 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    135.89.154.152/29 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX    135.89.157.160/28 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.18.0/24 [170/258816] via 192.168.2.13, 2w5d, Vlan2
Site_1 rtr#
0
arnoldCommented:
Filtering the routing table and posting each three different times gives me no insight.
I understand you want to avoid disclosing your IPs.
Get the entire list and replace your IP block with X's etc.

Private IP space is private IP space.
You have multiple places where, within EIGRP, you are advertising the same network:
192.168.2.0/24

You need to compare the show ip route output on each to see whether they match and whether they include all the paths to the outside.
0

pergrCommented:
"stub" is something you want on spoke sites, and not at a hub. The reason you configure stub on a spoke is to make sure that traffic from one hub to another hub does not run through a spoke.

Next you need to go over the network and make sure you have all the EIGRP neighbor relationships you expect, and obviously the routes you expect.

After that you need a maintenance window when you can shut down the main link, and check how failover works, what routes are there, and which are missing, etc.

Doing this means comparing the output from a lot of 'show' commands with the full documentation of the network.

I suggest you start working on that, and come back with more specific questions.
0
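The failover check pergr describes (capture the routing table with the main link up, shut the link in a maintenance window, capture again, and find what is missing or re-pathed) is tedious by hand across many 'show' outputs. Below is an added example, not from this thread or from Cisco, that parses the same `show ip route` line format the asker posted and diffs two snapshots; the two snapshots are constructed sample data, the failover default gateway 192.168.2.254 with admin distance 200 is an assumption modelled on the floating static in the question.

```python
import re

# Matches the route lines seen in the thread's "show ip route" output, e.g.
#   D EX    10.8.0.0/21 [170/258816] via 192.168.2.13, 2w5d, Vlan2
#   S*   0.0.0.0/0 [1/0] via 192.168.2.1
#   C    192.168.12.0/24 is directly connected, Vlan12
# Summary lines ("10.0.0.0/8 is variably subnetted ...") and headers do not match.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: EX)?)\s+(?P<prefix>\d+(?:\.\d+){3}(?:/\d+)?)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+(?:\.\d+){3})"
    r"|is directly connected)"
)

def parse_routes(text):
    """Return {prefix: (route code, next hop or None, admin distance or None)}."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            ad = int(m.group("ad")) if m.group("ad") else None
            routes[m.group("prefix")] = (m.group("code"), m.group("nh"), ad)
    return routes

def compare_snapshots(before, after):
    """Diff two parsed tables: prefixes lost, gained, or re-pathed after a link change."""
    common = set(before) & set(after)
    return {
        "lost": sorted(set(before) - set(after)),      # reachability gone on failover
        "gained": sorted(set(after) - set(before)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }

# Constructed snapshots: a few lines in the thread's format with the main link up,
# then the same router after the primary path is shut (hypothetical result).
NORMAL = """\
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
D    192.168.4.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D EX    10.8.0.0/21 [170/258816] via 192.168.2.13, 2w5d, Vlan2
D EX 192.168.200.0/24 [170/322816] via 192.168.2.12, 2w5d, Vlan2
C    192.168.12.0/24 is directly connected, Vlan12
S*   0.0.0.0/0 [1/0] via 192.168.2.1
"""
FAILOVER = """\
Gateway of last resort is 192.168.2.254 to network 0.0.0.0
D    192.168.4.0/24 [90/3072] via 192.168.2.254, 2w5d, Vlan2
D EX 192.168.200.0/24 [170/322816] via 192.168.2.12, 2w5d, Vlan2
C    192.168.12.0/24 is directly connected, Vlan12
S*   0.0.0.0/0 [200/0] via 192.168.2.254
"""

if __name__ == "__main__":
    print(compare_snapshots(parse_routes(NORMAL), parse_routes(FAILOVER)))
```

Any prefix in "lost" is a site that would be unreachable during the outage; "changed" entries such as the default route show the floating static taking over as intended.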
s_coad5Author Commented:
I have not completely resolved the issue, but based on what I have been advised to do, I feel it will be done soon. I don't/won't have anything to report for a while, so I am closing this discussion.

The (3) of you have been great and re-affirmed how glad I am I joined this site.

Take care
0