[cisco-nas] Routing mystery
Joe Mays
jfmays at launchpad.win.net
Fri Apr 1 05:27:16 EDT 2011
Okay, I've almost got this whole ppp multilink over pppoe thing worked out, but I'm dealing with one final mystery.
Without ppp multilink in the virtual template, the link comes up as a normal ppp connection, as would be expected.
interface Virtual-Template1
ip unnumbered FastEthernet1/0.2
ip tcp adjust-mss 1360
peer default ip address pool pppoepool
ppp authentication pap chap
Show users shows --
gw1.armplc#show users
Line User Host(s) Idle Location
* 2 vty 0 admin idle 00:00:00 admin1.win.net
3 vty 1 admin 216.24.35.11 00:04:09 admin1.win.net
Interface User Mode Idle Peer Address
Vi2.1 K1.LXFU.396865..SC PPPoE 00:01:09 216.24.35.68
Vi2.2 K1.LXFU.396853..SC PPPoE 00:01:07 216.24.35.57
Vi2.3 quickcash at win.net PPPoE 00:00:08 216.24.35.11
The route to the network on the other end of the connection (216.24.2.88/29) can be pinged fine from the 7206 through the static route that is entered ("ip route 216.24.2.88 255.255.255.248 216.24.35.11").
gw1.armplc#ping 216.24.2.89
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.24.2.89, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/48 ms
From another outside router we can see that this route is being broadcast fine via OSPF, and pinging works fine from this location, also...
core-gw1.noc#ping 216.24.2.89
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.24.2.89, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms
core-gw1.noc#show ip route 216.24.2.88
Routing entry for 216.24.2.88/29
Known via "ospf 5150", distance 110, metric 20, type extern 2, forward metric 2
Last update from 216.24.28.246 on Serial6/1, 00:01:49 ago
Routing Descriptor Blocks:
* 216.24.28.246, from 216.24.30.16, 00:01:49 ago, via Serial6/1
Route metric is 20, traffic share count is 1
Debug IP ICMP on 216.24.35.11 (which is the wan interface of the router the 216.24.2.89 interface is on) shows the incoming packets being received fine from the outside router....
*Mar 1 11:48:28.837: ICMP: echo reply sent, src 216.24.2.89, dst 216.24.28.245
*Mar 1 11:48:28.877: ICMP: echo reply sent, src 216.24.2.89, dst 216.24.28.245
*Mar 1 11:48:28.925: ICMP: echo reply sent, src 216.24.2.89, dst 216.24.28.245
*Mar 1 11:48:28.969: ICMP: echo reply sent, src 216.24.2.89, dst 216.24.28.245
*Mar 1 11:48:29.013: ICMP: echo reply sent, src 216.24.2.89, dst 216.24.28.245
So everything is great. Now when I add "ppp multilink" to the virtual template....
gw1.armplc#config t
Enter configuration commands, one per line. End with CNTL/Z.
gw1.armplc(config)#int virtual-template1
gw1.armplc(config-if)#ppp multilink
The link drops and comes back as part of a multilink bundle as it should...
gw1.armplc#show users
Line User Host(s) Idle Location
* 2 vty 0 admin idle 00:00:00 admin1.win.net
Interface User Mode Idle Peer Address
Vi2.1 K1.LXFU.396853..SC PPPoE 00:09:01 216.24.35.57
Vi2.2 K1.LXFU.396865..SC PPPoE 00:09:01 216.24.35.68
Vi4 quickcash at win.net PPPoE 00:02:10
Vi5 quickcash at win.net MLP Bundle 00:02:10 216.24.35.11
From the 7206 the link is terminated on, everything still works. 216.24.35.11 and 216.24.2.89 can still be pinged successfully. From the outside router, the route is still in OSPF, but pings to 216.24.35.11 and 216.24.2.89 now fail, and nothing appears in "debug ip icmp" on the 216.24.35.11 router, indicating the packets were never routed down the link at all. Traceroute from the outside router shows that the packets were sent to the 7206, but it then did not send the packets on to the 216.24.35.11 router.
core-gw1.noc#traceroute 216.24.2.89
Type escape sequence to abort.
Tracing the route to 216-24-2-89.ip.win.net (216.24.2.89)
1 s3-0.gw1.armplc.win.net (216.24.28.246) 0 msec 0 msec 4 msec
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
This behavior makes no sense to me. The sum seems to be that when the connection to 216.24.35.11 is not part of a multilink bundle, everything works. When it IS part of a multilink bundle, however, the 7206 terminating the multilink bundle can send traffic down the bundle fine, and knows to route traffic to 216.24.2.89 down the bundled link to 216.24.35.11, but refuses to route traffic from anywhere else down the link. The problem seems to be completely on the 7206. Perhaps I am hitting an access list or something, but I can see no access list that should know or care whether or not the link is in a multilink bundle, and anyway if there is an access list causing the problem, it's not keeping the 7206 itself from routing properly down the link, it's just not routing traffic from anywhere else down the link.
Here is the complete config on the 7206....
gw1.armplc#show run
Building configuration...
Current configuration : 11250 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gw1.armplc
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius WinAuthAcct
server 216.24.27.48 auth-port 1812 acct-port 1813
server 216.24.27.49 auth-port 1812 acct-port 1813
server 216.24.27.201 auth-port 1645 acct-port 1646
server 216.24.27.202 auth-port 1645 acct-port 1646
server 216.24.27.203 auth-port 1645 acct-port 1646
server 216.24.27.204 auth-port 1645 acct-port 1646
server 216.24.27.205 auth-port 1645 acct-port 1646
server 216.24.27.206 auth-port 1645 acct-port 1646
server 216.24.27.207 auth-port 1645 acct-port 1646
server 216.24.27.208 auth-port 1645 acct-port 1646
server 216.24.27.209 auth-port 1645 acct-port 1646
server 216.24.27.200 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication ppp default local group WinAuthAcct
aaa authorization exec default local none
aaa authorization network default local group WinAuthAcct if-authenticated
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting network default start-stop broadcast group WinAuthAcct
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip telnet source-interface Loopback100
ip tftp source-interface Loopback100
ip domain list win.net
ip domain name win.net
ip name-server 216.24.27.3
ip name-server 24.235.0.25
ip name-server 216.24.27.4
!
no ip bootp server
pppoe-forwarding
!
!
!
!
!
!
!
!
!
!
!
username admin secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
controller T3 6/0
!
!
bba-group pppoe global
virtual-template 1
!
interface Loopback100
description gw1.armplc.win.net loopback interface
ip address 216.24.30.16 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet1/0
ip address 216.24.8.1 255.255.255.0
duplex full
!
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip address 216.24.12.193 255.255.255.192
pppoe enable group global
no snmp trap link-status
!
interface FastEthernet1/0.3
encapsulation dot1Q 3
ip tcp adjust-mss 1360
pppoe enable group global1
no snmp trap link-status
!
interface FastEthernet1/0.16
encapsulation dot1Q 16
no snmp trap link-status
!
interface FastEthernet1/0.17
encapsulation dot1Q 17
no snmp trap link-status
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
interface Serial3/0
description Armory Place CO to Heyburn
bandwidth 44210
ip address 216.24.28.246 255.255.255.252
ip route-cache flow
dsu bandwidth 44210
framing c-bit
cablelength 50
serial restart-delay 0
no cdp enable
!
interface Serial3/1
no ip address
shutdown
dsu bandwidth 44210
framing c-bit
cablelength 10
serial restart-delay 0
!
interface Serial4/0
no ip address
shutdown
dsu bandwidth 44210
framing c-bit
cablelength 10
serial restart-delay 0
!
interface ATM5/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Virtual-Template1
ip unnumbered FastEthernet1/0.2
ip tcp adjust-mss 1360
peer default ip address pool pppoepool
ppp authentication pap chap
!
interface Virtual-TokenRing2
no ip address
ring-speed 16
!
router ospf 5150
log-adjacency-changes
area 0 authentication message-digest
summary-address 216.24.9.0 255.255.255.128
redistribute connected subnets route-map ospf-redistrib
redistribute static subnets route-map ospf-redistrib
passive-interface default
no passive-interface FastEthernet1/0
no passive-interface Serial3/0
no passive-interface Loopback100
network 24.235.0.0 0.0.31.255 area 0
network 216.24.0.0 0.0.63.255 area 0
!
ip local pool pppoepool 216.24.12.100 216.24.12.180
ip classless
ip route 0.0.0.0 0.0.0.0 Serial3/0
ip route 216.24.2.88 255.255.255.248 216.24.35.11
no ip http server
!
!
!
ip access-list standard allow-our-nets
permit 216.24.0.0 0.0.63.255
permit 24.235.0.0 0.0.31.255
!
ip access-list extended in-block-all-smtp-nb
deny tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-block-nb
remark -- Same as out-block-nb
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-block-smtp-nb
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
deny tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-dangerously-allow-all
permit ip any any
ip access-list extended in-permitlog-smtp
remark -- This one is used to see who we need to not apply blocksmtp to.
remark -- It is functionally identical to in-block-nb.
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
permit tcp any any eq smtp syn log-input
permit tcp any any eq smtp
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-all-smtp-nb
deny tcp any eq smtp any log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-nb
remark -- Same as in-block-nb
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-smtp-nb
permit tcp 216.24.27.0 0.0.0.255 eq smtp any
deny tcp any eq smtp any log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-dangerously-allow-all
permit ip any any
ip access-list extended out-permitlog-smtp
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
permit tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip radius source-interface Loopback100
logging source-interface Loopback100
!
route-map ospf-redistrib permit 10
match ip address allow-our-nets
!
snmp-server trap-source Loopback100
!
radius-server attribute nas-port format c
radius-server dead-criteria tries 2
radius-server host 216.24.27.201 auth-port 1645 acct-port 1646
radius-server host 216.24.27.202 auth-port 1645 acct-port 1646
radius-server host 216.24.27.203 auth-port 1645 acct-port 1646
radius-server host 216.24.27.204 auth-port 1645 acct-port 1646
radius-server host 216.24.27.205 auth-port 1645 acct-port 1646
radius-server host 216.24.27.206 auth-port 1645 acct-port 1646
radius-server host 216.24.27.207 auth-port 1645 acct-port 1646
radius-server host 216.24.27.208 auth-port 1645 acct-port 1646
radius-server host 216.24.27.209 auth-port 1645 acct-port 1646
radius-server host 216.24.27.200 auth-port 1645 acct-port 1646
radius-server retry method reorder
radius-server transaction max-tries 3
radius-server retransmit 0
radius-server timeout 3
radius-server deadtime 2
radius-server key xxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 60 0
logging synchronous
transport preferred none
transport input telnet
!
!
end
Seriously, it wouldn't surprise me at all if I'm just overlooking something simple and obvious here, but I'm stalled on what could be happening here. Any insights anyone can offer would be hugely appreciated.
--
"In Lancre we have what I suppose you'd call a constitutional monarchy if we had a constitution. What this means is this: there is only one king and more'n 500 subjects, and they all work every day at jobs which mostly involve sharp things. It's one of those lessons that are so obvious they don't have to be taught."
-- Terry Pratchett, "Nanny Ogg's Cookbook"
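Added example, not part of the original post and not code from the poster or the list: a small Python script that reads the kind of "show users" and running-config text pasted above and answers the questions a reader would check first when a static route stops forwarding transit traffic after a link joins an MLP bundle: which virtual-access interface the static route's next hop currently sits behind and in which mode, which member links show no peer address of their own, whether the peer address comes from the router's local pool or from elsewhere (RADIUS or the peer), and which named ACLs are defined but never applied anywhere. The sample inputs are constructed from the post (the username's "@" is restored from the mail-mangled form, and "ppp multilink" is added to the virtual template as the post describes); function names such as resolve_next_hop and unapplied_acls are my own.

```python
import re
import ipaddress

# Constructed sample: the post's second 'show users' output (after 'ppp multilink'),
# re-typed with the '@' restored in the mail-mangled username.
SHOW_USERS_MLP = """\
    Line       User       Host(s)              Idle       Location
*    2 vty 0     admin      idle                 00:00:00 admin1.win.net

  Interface    User               Mode         Idle     Peer Address
  Vi2.1        K1.LXFU.396853..SC PPPoE        00:09:01 216.24.35.57
  Vi2.2        K1.LXFU.396865..SC PPPoE        00:09:01 216.24.35.68
  Vi4          quickcash@win.net  PPPoE        00:02:10
  Vi5          quickcash@win.net  MLP Bundle   00:02:10 216.24.35.11
"""

# Constructed sample: an excerpt of the post's 7206 running-config, with
# 'ppp multilink' added to the virtual template as the post describes.
RUNNING_CONFIG = """\
interface Virtual-Template1
 ip unnumbered FastEthernet1/0.2
 peer default ip address pool pppoepool
 ppp authentication pap chap
 ppp multilink
!
ip local pool pppoepool 216.24.12.100 216.24.12.180
ip route 0.0.0.0 0.0.0.0 Serial3/0
ip route 216.24.2.88 255.255.255.248 216.24.35.11
!
ip access-list standard allow-our-nets
 permit 216.24.0.0 0.0.63.255
ip access-list extended in-block-nb
 deny tcp any any range 135 139 log-input
 permit ip any any
!
route-map ospf-redistrib permit 10
 match ip address allow-our-nets
"""

# One 'show users' session line: interface, user, mode, idle, optional peer address.
SESSION_RE = re.compile(
    r"^\s*(?P<intf>Vi\S+)\s+(?P<user>\S+)\s+(?P<mode>PPPoE|MLP Bundle)"
    r"\s+\S+(?:\s+(?P<peer>\d+\.\d+\.\d+\.\d+))?\s*$"
)


def parse_sessions(show_users):
    """Return one dict per PPP session line: intf, user, mode, peer (None if absent)."""
    return [m.groupdict() for m in map(SESSION_RE.match, show_users.splitlines()) if m]


def parse_static_routes(config):
    """Return (prefix, next_hop) pairs; next_hop is an IP string or an interface name."""
    routes = []
    for net, mask, nh in re.findall(r"^ip route (\S+) (\S+) (\S+)", config, re.M):
        routes.append((str(ipaddress.ip_network(f"{net}/{mask}")), nh))
    return routes


def resolve_next_hop(config, show_users):
    """Map each static route to the session interface (and mode) that owns its next hop."""
    by_peer = {s["peer"]: s for s in parse_sessions(show_users) if s["peer"]}
    result = {}
    for prefix, nh in parse_static_routes(config):
        sess = by_peer.get(nh)
        result[prefix] = (sess["intf"], sess["mode"]) if sess else (nh, "not a PPP peer")
    return result


def peer_in_local_pool(config, peer):
    """True if the peer address lies inside any 'ip local pool' range in the config."""
    ip = ipaddress.ip_address(peer)
    for lo, hi in re.findall(r"^ip local pool \S+ (\S+) (\S+)", config, re.M):
        if ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi):
            return True
    return False


def unapplied_acls(config):
    """Named ACLs that are defined but referenced by no access-group or route-map."""
    defined = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    used = set(re.findall(r"^\s*(?:ip access-group|match ip address) (\S+)", config, re.M))
    return defined - used


if __name__ == "__main__":
    for prefix, (where, mode) in resolve_next_hop(RUNNING_CONFIG, SHOW_USERS_MLP).items():
        print(f"{prefix:<18} -> {where} ({mode})")
    for s in parse_sessions(SHOW_USERS_MLP):
        if s["peer"] is None:
            print(f"{s['intf']}: session line shows no peer address")
    print("next hop from local pool:", peer_in_local_pool(RUNNING_CONFIG, "216.24.35.11"))
    print("ACLs defined but never applied:", sorted(unapplied_acls(RUNNING_CONFIG)))
```

Run against the constructed samples it reports that 216.24.2.88/29 now resolves to Vi5 in "MLP Bundle" mode while Vi4 is the member link with no peer address of its own, that 216.24.35.11 is outside the pppoepool range (so it was not handed out by the local pool), and that in-block-nb is defined but applied nowhere, which matches the poster's observation that no access list is in the path. The same functions work on a full "show run" and "show users" capture pasted in place of the samples.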