[nsp] Routing Problem: I am not sure where to begin.

Danny McPherson danny at tcb.net
Tue Dec 16 11:54:12 EST 2003 

Jim,
What you're asking for is stateful TCP session mirroring
between the two 12012s, which isn't going to happen (only
a few existences of TCP state mirroring within a single
platform have occurred, much less inter-device).  The BGP
sessions are attached to the physical interfaces and
different devices/stacks, they're not going to fail over
between different Layer 3 elements.

An implementation could perhaps make this work IF both
working and protect circuits terminated on the same
Layer 3 element one both sides of the connection, but
this clearly scopes the redundancy that APS provides.

The common deployment scenario to accomplish what you're
looking to do requires two BGP sessions from the 7206, one
to each of the 12012s, all peering via loopback IPs that
are reachable via the OC3 and/or the inter-12012 paths
(depending on which APS tributary is active).

Because you've got an OC48 connection between the 12012s
the sessions SHOULD always remain active, regardless of
which router (working or protect) is the active tributary.
Any other configuration would trigger sessions resets
per either BGP or IGP adjacency resets/synchronization
times.

You should also be using bi-directional mode.

Another nifty thing I've done in the past was use a /29
with odd IPs for working, even for protect.  It avoids
hosing things with NMS systems and provides more intuitive
operational capabilities (e.g., DNS PTR records, traceroute
and the like clearly indicate which port/router you're
passing through).

Finally, if you're running an IGP such as OSPF or IS-IS
you may want to look at APS reflector mode, which basically
toggles some K bits in order to trigger IGP adjacency resets
to speed convergence (else you have to receive a hello from
a new/unknown neighbor on a point-to-point connection and
tear down the adjacency from there -- it used to be much
worse).

Else, at least increase the frequency of hellos so that a
new IGP neighbor is detected much more quickly.

HTH,

-danny



On Dec 15, 2003, at 1:20 PM, Jim Devane wrote:

> Jack,
>
> 1st and foremost, thank you very much for taking the time to reply.
> 2nd I will try your suggestion in a Thurs. night maintenance window.
>
> I was wondering if you would indulge me a few more minutes of your 
> time to
> look the scenario over as it is a little different from what you 
> outlined.
>
> Actually, I have a little bit different of a setup. It is as below....(
> stealing your ASCII diag)
>
> 12012 (1.1.1.1/30) --W---  	   | ---W---\ (1.1.1.2/30)
> 		             |  SONET    |         7206
> 12012 (1.1.1.1/30) --P--		 | ---P---/ (1.1.1.2/30)
>
> This is fine since the protect is "up/down" When the protect becomes 
> active
> it is using the same IP.
>
> CEF seems cool with it and the routing seems cool with it.
>
> WHY, oh why would I do this?
>
> I don't want to tie the BGP session to just one router and I don't 
> want more
> than 1 BGP session.
>
> Meaning, if I run BGP to the interface IP then BGP *should* never go 
> down
> when the interface changes. ( no BGP timer will go off and the new 
> router
> will send a open in time ) ((at least that is what I am hoping))
>
> Ultimately, I want to be able to swap the customer between the routers
> without taking a traffic hit ( upgrades or upstream trouble on one of 
> the
> GSR's I can switch over to other providers quickly )
>
> Thanks again,
>
> Jim
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Jack.W.Parks at alltel.com
> Sent: Monday, December 15, 2003 11:51 AM
> To: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] Routing Problem: I am not sure where to begin.
>
> If you are using /30 on the working and /30 on the protect then you 
> have
> two IP subnets that don't match when you have a fail over, because each
> side fails independently.  Trying using a /29
>
> For example:
>
> Properly functioning APS setup (W) working and (P) protect. The /30's
> match working-to-working (1.1.1.0/30) and one for protect-to-protect
> (2.2.2.0/30)
>
>            			 /-----------\
> 12012 (1.1.1.1/30) --W---  	       | ---W---\ (1.1.1.2/30)
> 		             |  SONET    |         7206
> 12012 (2.2.2.1/30) --P--		 | ---P---/ (2.2.2.2/30)
>           			 \-----------/
>
> In a failure, the scenario looks like:
>
>            			 /-----------\
> 12012 (1.1.1.1/30) --W---  	       | ---P---\ (1.1.1.2/30)
> 		             |  SONET    |         7206
> 12012 (2.2.2.1/30) --P--		 | ---W---/ (2.2.2.2/30)
>           			 \-----------/
>
> Now the 1.1.1.1/30 connects to 2.2.2.2/30.  Use a /29 and the 
> interfaces
> (both working and protect) will share the same subnet and your routing
> should work fine.
>
> I hope this helps...
>
> Jack
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jim Devane
> Sent: Monday, December 15, 2003 12:29 PM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Routing Problem: I am not sure where to begin.
>
>
> All,
>
>
>
> I am having a routing problem that I don't know how to attack.
>
>
>
> I have 2 12012's connect together by OC-48
>
> Each 12012 in turn in connected by OC-3 to a Lucent DMX ADM. One OC-3 
> is
> "working" and one is "protect"
>
> Each of the OC-3's is connected downstream (through a SONET cloud) to a
> customer and plugs into a 7206 VXR.
>
> APS is configured on all the routers.
>
>
>
> When I shut the "working" interface on one of the 12012's. The Protect
> interface does go "up/up"  and a "sh controllers" show the correct 
> SONET
> info for the 7206. The 7206 does not see it's interface change and a 
> "sh
> controller" shows the new 12012 as being the downstream.
>
>
>
> I believe that APS/SONET is working correctly.
>
>
>
> However, when this situation happens I am not able to pass L3 traffic.
> No pings, no BGP, NUTHIN'.
>
>
>
> I check the cef adjacency and the routes. The adj is correct and the
> routes are not learned since BGP goes down.
>
> Worse, I am not able to ping the directly connected far end interfaces.
> Meaning, I shut the working on GSR 02, APS switches over to GSR 01 and
> the protect becomes active.
>
>
>
> If I do a sh ip route for the 7206 ip ( a /30 on the GSR) it will say 
> it
> is directly connected out the correct interface.
>
> If I so a sh ip route for the 7206 on the former active GSR it says to
> go to GSR 01.
>
>
>
> Everything *looks* Ok, but traffic is not being passed.
>
>
>
> Any ideas at all? I am not sure where to start?
>
>
>
> TIA,
>
> Jim
>
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list