Solved

Learning how to change routing traffic between offices through AT&T MPLS network instead of site to site VPN

Posted on 2013-05-28
Last Modified: 2013-06-14
Dear experts:

We have an AT&T MPLS network between our two offices. I see that from one office we are not getting to the other using the MPLS network; instead it is getting to us from another office that has a VPN tunnel.

A tracert display of what I am trying to communicate:

From my office here in OKC to Houston:

C:\Users\me>tracert 172.16.100.1 <-Houston HSRP router LAN Address
Tracing route to 172.16.100.1 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  172.16.8.3 <- My Voice gateway router
  2    <1 ms    <1 ms    <1 ms  10.255.254.6 <- AT&T router link
  3     1 ms     1 ms     1 ms  12.113.178.153
  4    16 ms    15 ms    14 ms  cr2.kc9mo.ip.att.net [12.123.130.234]
  5    19 ms    15 ms    15 ms  cr1.dlstx.ip.att.net [12.122.155.5]
  6    17 ms    14 ms    14 ms  cr2.hs1tx.ip.att.net [12.122.28.158]
  7    13 ms    13 ms    13 ms  12.113.178.145
  8    19 ms    13 ms    13 ms  12.113.178.146
  9    40 ms    39 ms    38 ms  10.255.254.1 <- Houston Voice gateway router link with AT&T
 10    39 ms    38 ms    45 ms  10.255.254.1 <- Houston Voice gateway router link with AT&T
 11    49 ms    45 ms    39 ms  172.16.100.1 <-Houston HSRP router address
Trace complete.

Tracert from Houston to OKC my office:

C:\Users\houston>tracert 172.16.8.1<- OKC HSRP router address

Tracing route to 172.16.8.1 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  172.16.100.2 <- Houston VPN router address
  2    39 ms    42 ms    41 ms  10.255.255.10 <- Tulsa VPN router office router link address
  3   410 ms   438 ms   416 ms  172.16.8.1 <-OKC HSRP router

Trace complete.

 hous-rtvpn-01#sh ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.102.5 to network 0.0.0.0

     98.0.0.0/32 is subnetted, 1 subnets
S       98.xx.xx.77 [1/0] via 173.xx.xx.22
C    192.168.10.0/24 is directly connected, FastEthernet1.700
     172.16.0.0/16 is variably subnetted, 13 subnets, 4 masks
D EX    172.16.253.0/24 [170/2059264] via 10.255.255.1, 2d07h, Tunnel10
D       172.16.16.0/23 [90/2036224] via 10.255.255.10, 2d07h, Tunnel50
D       172.16.19.0/24 [90/2036224] via 10.255.255.18, 2d07h, Tunnel60
D       172.16.12.0/24 [90/2292224] via 10.255.255.10, 2d07h, Tunnel50
D       172.16.8.0/22 [90/2292224] via 10.255.255.10, 2d07h, Tunnel50
D       172.16.8.0/21 [90/2036224] via 10.255.255.1, 3d07h, Tunnel10
D EX    172.16.0.0/24 [170/2059264] via 10.255.255.1, 2d07h, Tunnel10
C       172.16.104.0/24 is directly connected, FastEthernet1.900
D       172.16.104.0/22 is a summary, 2d07h, Null0
C       172.16.100.0/24 is directly connected, FastEthernet1.10
D       172.16.100.0/22 is a summary, 2d07h, Null0
C       172.16.102.0/24 is directly connected, FastEthernet1.222
S       172.16.103.0/24 [1/0] via 172.16.102.5
     172.31.0.0/24 is subnetted, 1 subnets
D EX    172.31.254.0 [170/2059264] via 10.255.255.1, 2d07h, Tunnel10
     173.11.0.0/29 is subnetted, 1 subnets
C       173.11.153.16 is directly connected, FastEthernet0
     216.xx.xx.0/32 is subnetted, 1 subnets
S       216.201.183.67 [1/0] via 173.11.153.22
     10.0.0.0/8 is variably subnetted, 14 subnets, 4 masks
C       10.255.255.8/30 is directly connected, Tunnel50
D       10.255.255.12/30 [90/2289664] via 10.255.255.10, 2d07h, Tunnel50
                         [90/2289664] via 10.255.255.1, 2d07h, Tunnel10
C       10.255.255.0/30 is directly connected, Tunnel10
D EX    10.10.10.0/24 [170/2059264] via 10.255.255.1, 2d07h, Tunnel10
S       10.0.0.0/8 is directly connected, Null0
D EX    10.255.254.0/30
           [170/1671680] via 172.16.102.3, 2d07h, FastEthernet1.222
D EX    10.255.254.4/30
           [170/1671680] via 172.16.102.3, 2d07h, FastEthernet1.222
C       10.255.255.16/30 is directly connected, Tunnel60
D       10.255.0.24/32 [90/2161664] via 10.255.255.10, 2d07h, Tunnel50
C       10.255.0.1/32 is directly connected, Loopback22
D       10.255.0.2/32 [90/156160] via 172.16.102.3, 2d07h, FastEthernet1.222
D       10.255.0.12/32 [90/2164224] via 10.255.255.1, 2d07h, Tunnel10
D       10.255.0.14/32 [90/2161664] via 10.255.255.18, 2d07h, Tunnel60
D       10.255.0.11/32 [90/2161664] via 10.255.255.1, 2d07h, Tunnel10
     74.0.0.0/32 is subnetted, 1 subnets
S       74.xx.xx.114 [1/0] via 173.xx.xx.22
S*   0.0.0.0/0 [1/0] via 172.16.102.5
S    172.16.0.0/12 is directly connected, Null0
S    192.168.0.0/16 is directly connected, Null0

As you can see, we have VPN tunnels to other smaller offices. The two main offices have an MPLS network in between. Houston is not taking the route of the AT&T MPLS network to OKC.

For your help and time on this I thank you! M
Question by:marceloNYC
11 Comments
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39202354
You've got two EIGRP routes to 172.16.8.0 - one using Internal EIGRP; the other using External EIGRP. I'm assuming the external link is your MPLS connection, because the VPN is going to be the internal one.

I think you're going to need to add an administrative weight to the internal EIGRP route, to make it overcome the natural tendency to prefer an internal route to an external. I haven't worked with Cisco routers in so long, I can't really remember exactly where it's done, but that's what you should do.
0
 

Author Comment

by:marceloNYC
ID: 39202495
I think you are right. This is an EIGRP configuration job; check this out:

show ip eigrp topology all-links
IP-EIGRP Topology Table for AS(42)/ID(10.255.0.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.255.255.8/30, 1 successors, FD is 2033664, serno 5190
        via Connected, Tunnel50
P 10.255.255.12/30, 2 successors, FD is 2289664, serno 5194
        via 10.255.255.1 (2289664/2033664), Tunnel10
        via 10.255.255.10 (2289664/2033664), Tunnel50
P 10.10.10.0/24, 1 successors, FD is 2059264, serno 5157
        via 10.255.255.1 (2059264/51200), Tunnel10
        via 10.255.255.10 (2315264/2059264), Tunnel50
P 10.255.255.0/30, 1 successors, FD is 2033664, serno 5123
        via Connected, Tunnel10
P 10.255.254.0/30, 1 successors, FD is 1671680, serno 5023
        via 172.16.102.3 (1671680/1669120), FastEthernet1.222
        via 10.255.255.1 (2038784/1671680), Tunnel10
P 10.255.254.4/30, 1 successors, FD is 1671680, tag is 65500, serno 5031
        via 172.16.102.3 (1671680/1669120), FastEthernet1.222
        via 10.255.255.1 (2038784/1671680), Tunnel10
P 10.255.255.16/30, 1 successors, FD is 2033664, serno 5057
        via Connected, Tunnel60

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 172.16.253.0/24, 1 successors, FD is 2059264, serno 5159
        via 10.255.255.1 (2059264/51200), Tunnel10
        via 10.255.255.10 (2315264/2059264), Tunnel50
P 172.31.254.0/24, 1 successors, FD is 2059264, serno 5160
        via 10.255.255.1 (2059264/51200), Tunnel10
        via 10.255.255.10 (2315264/2059264), Tunnel50
P 192.168.10.0/24, 1 successors, FD is 28160, serno 4
        via Connected, FastEthernet1.700
P 192.168.0.0/16, 1 successors, FD is 51200, serno 8
        via Rstatic (51200/0)
P 172.16.16.0/23, 1 successors, FD is 2036224, serno 5192
        via 10.255.255.10 (2036224/28160), Tunnel50
        via 10.255.255.1 (2292224/2036224), Tunnel10
P 172.16.19.0/24, 1 successors, FD is 2036224, serno 5081
        via 10.255.255.18 (2036224/28160), Tunnel60
P 172.16.12.0/24, 1 successors, FD is 2292224, serno 5195
        via 10.255.255.10 (2292224/2036224), Tunnel50
P 172.16.8.0/22, 1 successors, FD is 2292224, serno 5197
        via 10.255.255.10 (2292224/2036224), Tunnel50
P 172.16.8.0/21, 1 successors, FD is 1671680, serno 5161
        via 10.255.255.1 (2036224/28160), Tunnel10
        via 172.16.102.3 (1671680/1669120), FastEthernet1.222
P 172.16.0.0/24, 1 successors, FD is 2059264, serno 5158

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

        via 10.255.255.1 (2059264/51200), Tunnel10
        via 10.255.255.10 (2315264/2059264), Tunnel50
P 172.16.0.0/12, 0 successors, FD is Inaccessible, serno 0
        via 10.255.255.10 (2315264/2059264), Tunnel50
        via 10.255.255.1 (2059264/51200), Tunnel10
P 172.16.104.0/22, 1 successors, FD is 28160, serno 5124
        via Summary (28160/0), Null0
        via 10.255.255.10 (2548224/2292224), Tunnel50
P 172.16.104.0/24, 1 successors, FD is 28160, serno 5
        via Connected, FastEthernet1.900
        via 10.255.255.1 (2548224/2292224), Tunnel10
        via 172.16.102.3 (30720/28160), FastEthernet1.222
P 172.16.100.0/22, 1 successors, FD is 28160, serno 5055
        via Summary (28160/0), Null0
P 172.16.100.0/24, 1 successors, FD is 28160, serno 2
        via Connected, FastEthernet1.10
        via 10.255.255.10 (2294784/2038784), Tunnel50
        via 10.255.255.1 (2038784/1671680), Tunnel10
        via 172.16.102.3 (30720/28160), FastEthernet1.222
P 172.16.102.0/24, 1 successors, FD is 28160, serno 3
        via Connected, FastEthernet1.222
P 10.255.0.24/32, 1 successors, FD is 2161664, serno 5191
        via 10.255.255.10 (2161664/128256), Tunnel50

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

        via 10.255.255.1 (2417664/2161664), Tunnel10
P 10.255.0.1/32, 1 successors, FD is 128256, serno 1, anchored
        via Connected, Loopback22
P 10.255.0.2/32, 1 successors, FD is 156160, serno 10
        via 172.16.102.3 (156160/128256), FastEthernet1.222
P 10.255.0.12/32, 1 successors, FD is 2164224, serno 5163
        via 10.255.255.1 (2164224/156160), Tunnel10
        via 10.255.255.10 (2420224/2164224), Tunnel50
        via 172.16.102.3 (1671680/1669120), FastEthernet1.222
P 10.255.0.14/32, 1 successors, FD is 2161664, serno 5080
        via 10.255.255.18 (2161664/128256), Tunnel60
P 10.255.0.11/32, 1 successors, FD is 2161664, serno 5156
        via 10.255.255.1 (2161664/128256), Tunnel10
        via 10.255.255.10 (2417664/2161664), Tunnel50
 hous-rtvpn-01#

This might be the ticket to solve this issue:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c2d96.shtml
0
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39205169
Yes, that link would be the correct resource for this. But from what you're describing, it sounds like the best choice would be to use their first solution, of changing the interface delay, rather than changing the administrative distance (which was what I had in mind.) The way that we used to do it was to change the administrative distance on both sides, to avoid the problems they describe. But if you don't need to do that using the first solution, that would be better.
0
 

Author Comment

by:marceloNYC
ID: 39207615
Here is what I have for that interface tunnel from Houston to here:

interface Tunnel10
 description *** VPN to okc-vpn ***
 bandwidth 1440
 ip address 10.255.255.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip summary-address eigrp 42 xx.xx.104.0 255.255.252.0 5
 ip summary-address eigrp 42 xx.xx.100.0 255.255.252.0 5
 load-interval 30
 delay 1000
 qos pre-classify
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 98.xx.xx.77
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN shared

What should the Delay change be for this interface?
0
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39207642
That's a tougher question. It has to be long enough to give you a total of more than that of the MPLS connection. What's the delay on that one?
0

 

Author Comment

by:marceloNYC
ID: 39207708
I changed the delay in the tunnel to OKC interface to 120 as it said in the article just to test it out and didn't get the result I wanted.

The Delay in the MPLS connection I am not sure what it is. I don't have access to the AT&T router. Let me investigate a little more.
0
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39207735
Is the AT&T router participating in the EIGRP schema? I didn't know they do that.
0
 

Author Comment

by:marceloNYC
ID: 39207740
Nope! They are not in the EIGRP schema.
0
 
LVL 8

Accepted Solution

by:
d0ughb0y earned 500 total points
ID: 39207769
Then I'm not sure their delay settings make a difference here, or if those settings would even apply if they did. The delay settings that matter are what EIGRP thinks the delay is for that link. The number 120 may not be sufficient because EIGRP makes its own calculations for route preference.

The point here is to use some mechanism to make the VPN route less desirable than the MPLS route. The different mechanisms described all can do that, but they have caveats. I've never done it by increasing delay like they're suggesting, because you sort of have to figure out what that magic number needs to be to overcome the inherent desirability of the "direct" route (the VPN tunnel appears to be a direct-connection) over the more "arduous" path provided by MPLS. That's why we used to use administrative distances for it - they were easier to figure out. Yes, as the article says, they can lead to problems. We set them on both sides of the links, to make sure that things traveled appropriately. But the article makes a solid argument that the delay settings are the better way to go.

Be sure that you're adding delay to the VPN link. There may be a way to see exactly what the delay settings do to the relative desirability of a link, in which case, monitor those and then pop it up some, to see what happens. Experiment a bit. I wish I could give you a more definite answer, but it's been years since I've worked with Cisco routers. I still remember the concepts, but the actual commands... it's been a while. (And since EIGRP is Cisco-proprietary, I've had no opportunity to use it since.)
0
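An added example, not part of the thread and not code from either poster: it runs a longest-prefix lookup over route lines copied from the `sh ip rout` output in the question, and recomputes the classic EIGRP metric from the `bandwidth 1440` / `delay 1000` values posted for Tunnel10. The function names and the remote LAN delay of 10 (inferred from the reported distance 28160) are assumptions.

```python
import ipaddress
import re

# Route lines copied from the `sh ip rout` output posted in the question
# (hous-rtvpn-01); only the entries that can cover the OKC LAN are kept.
ROUTES = """\
D       172.16.12.0/24 [90/2292224] via 10.255.255.10, 2d07h, Tunnel50
D       172.16.8.0/22 [90/2292224] via 10.255.255.10, 2d07h, Tunnel50
D       172.16.8.0/21 [90/2036224] via 10.255.255.1, 3d07h, Tunnel10
S*   0.0.0.0/0 [1/0] via 172.16.102.5
"""

LINE = re.compile(
    r"^(?P<code>[A-Z*]+(?: EX)?)\s+(?P<net>[\d.]+/\d+) "
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>[\d.]+)"
    r"(?:, \S+, (?P<ifc>\S+))?"
)

def parse_routes(text):
    """Return a list of dicts for every 'via' line in IOS route output."""
    routes = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            routes.append({
                "net": ipaddress.ip_network(m["net"]),
                "next_hop": m["nh"],
                "ifc": m["ifc"],
                "metric": int(m["metric"]),
            })
    return routes

def lookup(routes, dst):
    """Longest-prefix match: prefix length wins before AD or metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None

def eigrp_metric(min_bw_kbps, delays):
    """Classic EIGRP metric, default K values; delays in tens of usec."""
    return 256 * (10**7 // min_bw_kbps + sum(delays))

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for dst in ("172.16.8.1", "172.16.14.1"):
        r = lookup(table, dst)
        print(dst, "->", r["net"], "via", r["next_hop"], r["ifc"])
    # Tunnel10 as posted: bandwidth 1440, delay 1000. The extra 10 is the
    # remote LAN delay, an assumption inferred from reported distance 28160.
    print(eigrp_metric(1440, [1000, 10]))  # tunnel delay 1000
    print(eigrp_metric(1440, [120, 10]))   # tunnel delay 120
```

For 172.16.8.1 the lookup returns the 172.16.8.0/22 entry on Tunnel50, the same next hop 10.255.255.10 that appears in the Houston tracert. Prefix length is compared before metric, so a delay change on Tunnel10 only influences the 172.16.8.0/21 entry.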
 

Author Comment

by:marceloNYC
ID: 39220132
So, I unplugged the data Cox modem we have for those tunnels, and the tracert here from Houston is the way I wanted it to be. Plus, the other offices here in Oklahoma are reached.

C:\Users\Houston>tracert 172.16.8.222 <-to us here OKC

Tracing route to server [172.16.8.222]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  172.16.100.2
  2     1 ms     1 ms     1 ms  172.16.102.3
  3    <1 ms    <1 ms    <1 ms  10.255.254.2
  4     1 ms    <1 ms    <1 ms  12.113.178.145
  5    13 ms    15 ms    15 ms  cr2.hs1tx.ip.att.net [12.122.103.234]
  6    15 ms    15 ms    15 ms  cr1.dlstx.ip.att.net [12.122.28.157]
  7    14 ms    15 ms    15 ms  cr81.ocyok.ip.att.net [12.122.155.6]
  8    12 ms    12 ms    12 ms  12.113.178.153
  9    13 ms    13 ms    13 ms  12.113.178.154
 10    13 ms    13 ms    13 ms  10.255.254.5
 11    13 ms    13 ms    13 ms  server here [172.16.8.222]

Trace complete.

C:\Users\Houston>tracert 172.16.17.1 <Tulsa Office router

Tracing route to 172.16.17.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.16.100.2
  2    34 ms    32 ms    33 ms  172.16.17.1<-- looks good!

Trace complete.
0
 

Author Closing Comment

by:marceloNYC
ID: 39247565
Thank you!
0
