Config: 2620 Routers (2) each with

[RoundAbout]

Config: 2620 Routers (2) each with a Frame Relay WIC and an additional ethernet port in the form of a Network Module (NM-1E). I have a 56k Frame Relay attached to the WIC and Cisco PIX 501 firewalls attached to the secondary ethernet port with an active VPN between them.

I want to use the highspeed VPN for the primary link but when that goes down I want it to automagically switch back to the Frame Relay link as a backup.

I'm having some limited success with OSPF and distance metrics. Still working out some buggyness.

The problem I'm seeing is that when I assign a metric of 200 to the VPN's route it shows up as [200/0] in the routing table, but when I assign a metric of 220 to the Serial link (Frame Relay backup) it shows up as [110/65] or [110/75]?!? Obviously the VPN is bypassed and the Serial line is used instead because of the lower calculated metric.

The VPN route is also showing up as an "S" (Static Route) rather than an "O" for an OSPF route while the Serial Line always seems to show up as an "O".

I'm confused.

I'm playing with adding cost and bandwidth values directly to the interfaces. THAT'LL TEACH 'EM! Bastards...

RoundAbout

 

[jimmyzz]

RoundAbout,
You may be getting confused with administrative distance and metrics. When you view your route table, the router will display [admin distance]/[metric]. In the case of OSPF [110/65] = admin distance of 110, metric (cost) of link is 65.

Your router uses the administrative distance to choose the most trusted route. If both have the same admin distance, it will then choose the path with lower metric, in the case of OSPF the metric is cost. In the case of OSPF, the cost is based on your link bandwidth. The default for Frame Relay is 1544k. To calculate the OSPF cost metric,
10^8/bandwidth. Hence 10^8/1544k = 65, which is what the router is showing you [110/65].

I a little unclear with what you want your situation is, but I'm assuming you want to modify the admin distance so that the router choose the lower admin distance route. To change the admin distance:

router ospf 1 (or other routing protocol)
distance <new distance value>

JimmyZ

 

[RoundAbout]

Thanks Jim! That definitely helps, I'll play around with it.

Basically, I have two connections between two sites, one high-bandwidth VPN (384 Kbps)and one low-bandwidth Frame Relay (56 Kbps). I want the VPN to be used all of the time but if it's unavailable for some reason, it should fall back to the lower-bandwidth Frame Relay.

Are you saying that if I want them both to be administratively equal I should remove their metric altogether? Below is what I currently have for routes.

ip route 192.168.3.0 255.255.255.0 192.168.102.2 200
ip route 192.168.3.0 255.255.255.0 Serial0/0.1 220

Should I change them both to 200 or remove the metric completely?

I have also assigned BANDWIDTH to the interfaces as below:

interface Ethernet1/0
bandwidth 384000

interface Serial0/0.1 point-to-point
bandwidth 56

Should I change these to cost instead of bandwidth and assign an appropriate value? Higher COST is LESS preferable, yes?

Thanks for your help!

RoundAbout

 

[jimmyzz]

RoundAbout,
The metrics would come into play if you are running a dynamic routing protocol, such as OSPF. If OSPF knows multiple paths to a destination, you would manipulate the cost metrics to prioritise your preferred paths.

In your case, you have 2 static routes to desired destination, so metrics are not the issue, rather admin distance. Static routes have default admin distance of 1. Hence if you have two static routes to the same destination, leave the preferred static route to its default admin distance (1) and change the admin distance of the secondary route to a higher value (220). Your config should be as follows (assuming 192.168.102.2 is your High-bandwidth link):

ip route 192.168.3.0 255.255.255.0 192.168.102.2
ip route 192.168.3.0 255.255.255.0 Serial0/0.1 220

The second route is called a floating static route. It comes into action when your first route statement is not available.

JimmyZ

 

[RoundAbout]

I have removed the admin distance as you described (I had tried this before but figured I'd try it again) and left the Floating Static Route as is.

ip route 192.168.3.0 255.255.255.0 192.168.102.2
ip route 192.168.3.0 255.255.255.0 Serial0/0.1 220

I have similar routes on the other end (but instead of .3.0 it's .2.0 and instead of .102.2 it's .103.2).

I have also removed the BANDWIDTH statements on the Serial and Ethernet interfaces.

If I unplug the PIX on this end the Serial link never kicks in. It only connects if I SHUTDOWN the ethernet port that the PIX is attached to. At that point, even though the Serial link is up, I have no communication back from the remote site (I think due to it's trying to send the reply through the downed VPN).

OSPF *IS* enabled, it detects the Serial link but I don't think it recognizes the VPN.

Any thoughts? Your help is greatly appreciated!

RoundAbout

 

[jimmyzz]

RoundAbout,
Can you clarify something about your setup. You have two connections, one high-speed and one low speed. Are both on the same router? Reading through your posts again, I get the impression that high speed link is on your PIX and the low speed link is on your cisco2600. On which device are you applying the floating static route?

JimmyZ

 

[RoundAbout]

Sorry, I guess I wasn't all that clear. I posted most of the details in another thread (thread557-631867 setup looks like this:

Hub<=>2620<=>PIX<==Internet==>PIX<=>2620<=>hub
Hub<=>2620<=======Frame Relay======>2620<=>hub

I'm using OSPF on the routers but I don't think the OSPF routing info is including the VPN link for some reason. I have all of the subnets included in the OSPF NETWORK commands but still it doesn't seem to help.

This is really beginning to annoy me, I've been working on this damn problem on-and-off for a week and a half now!

ALL of your help is TRULY appreciated!

RoundAbout

 

[jimmyzz]

RoundAbout,
From your diagram, your 2620's only knows the status of their directly connected interfaces (ie. Ethernet to PIX and Serial to F/R). If the PIX internet connection goes down, the 2620 does not recongise it. It still thinks the primary static route to 192.168.3.0 is okay because the ethernet link to the PIX is still up. Hence the secondary static route via serial inteface is not going to kick in unless the 2620 ethernet connection is not available. The solution would be to use a dynamic routing protocol such as OSPF. How exactly have you got OSPF configured?

JimmyZ

 

[RoundAbout]

I have OSPF setup on both 2620's and it covers all of the subnets associated with both routers and both PIX's.

OSPF detects the Frame well enough, but as you noticed, it is NOT passing info about the VPN's status. Since I have an access-list &quot;permit ip&quot; I figured it would pass the OSPF routing packets but I guess NOT. Is there an easy way to setup the PIX's to pass the OSPF packets to each other?

Do you need any other info regarding my setup?

Thanks for your help!

RoundAbout