Alcatel Unleashed

Hi,
Unfortunately, config didn't pass the test.
For this test I used topology just with two switches and two workstation. I attached my testing topology to this message.
I applied your ACL and OSPF config to the swithces.
So, when I pinged from workstation to workstation everything looked fine but when I did "traceroute" from workstation 10.10.100.201 I've got this:

C:\Documents and Settings\Field>tracert 10.30.112.201

Tracing route to 10.30.112.201 over a maximum of 30 hops

1 4 ms 2 ms 2 ms 10.10.100.1
2 2 ms 2 ms 2 ms 10.20.250.13
3 <1 ms <1 ms <1 ms 10.30.112.201

Trace complete.

As you see traffic jumped from network 10 to network 20.
So, I did "show ip route" and this I've got:

-> show ip route

+ = Equal cost multipath routes
* = BFD Enabled static route
Total 15 routes

Dest Address Subnet Mask Gateway Addr Age Protocol
------------------+-----------------+-----------------+---------+-----------
10.10.100.0 255.255.255.0 10.10.100.1 06:20:53 LOCAL
10.10.250.0 255.255.255.252 10.10.250.1 00:11:42 LOCAL
10.10.250.8 255.255.255.252 +10.20.250.13 00:09:43 OSPF
+10.10.250.13 00:09:43 OSPF
10.10.250.12 255.255.255.252 10.10.250.14 00:11:42 LOCAL
10.20.100.0 255.255.255.0 10.20.100.1 06:20:52 LOCAL
10.20.112.0 255.255.255.0 +10.20.250.13 00:09:43 OSPF
+10.10.250.13 00:09:43 OSPF
10.20.250.0 255.255.255.252 10.20.250.1 00:27:38 LOCAL
10.20.250.8 255.255.255.252 +10.20.250.13 00:09:43 OSPF
+10.10.250.13 00:09:43 OSPF
10.20.250.12 255.255.255.252 10.20.250.14 00:27:38 LOCAL
10.30.112.0 255.255.255.0 +10.20.250.13 00:09:43 OSPF
+10.10.250.13 00:09:43 OSPF
127.0.0.1 255.255.255.255 127.0.0.1 06:22:05 LOCAL

Then I physically pulled out network 20 fiber jumper and did "traceroute" and "show ip route" from workstation 10.10.100.201:

C:\Documents and Settings\Field>tracert 10.30.112.201

Tracing route to 10.30.112.201 over a maximum of 30 hops

1 4 ms 2 ms 2 ms 10.10.100.1
2 18 ms * 2 ms 10.10.250.13
3 2 ms <1 ms <1 ms 10.30.112.201

Trace complete.

-> show ip route

+ = Equal cost multipath routes
* = BFD Enabled static route
Total 8 routes

Dest Address Subnet Mask Gateway Addr Age Protocol
------------------+-----------------+-----------------+---------+-----------
10.10.100.0 255.255.255.0 10.10.100.1 06:25:15 LOCAL
10.10.250.0 255.255.255.252 10.10.250.1 00:16:04 LOCAL
10.10.250.8 255.255.255.252 10.10.250.13 00:14:05 OSPF
10.10.250.12 255.255.255.252 10.10.250.14 00:16:04 LOCAL
10.20.100.0 255.255.255.0 10.20.100.1 06:25:14 LOCAL
10.20.112.0 255.255.255.0 10.10.250.13 00:14:05 OSPF
10.30.112.0 255.255.255.0 10.10.250.13 00:14:05 OSPF
127.0.0.1 255.255.255.255 127.0.0.1 06:26:26 LOCAL

After that I tried to change ACL on both switches to:

! QOS :
policy network group vlan-10 10.10.0.0 mask 255.255.0.0 10.10.0.0 mask 255.255.0.0
policy network group vlan-20 10.20.0.0 mask 255.255.0.0 10.20.0.0 mask 255.255.0.0
policy condition vlan10_vlan20 source network group vlan-10 destination network group vlan-20
policy condition vlan20_vlan10 source network group vlan-20 destination network group vlan-10
policy action allow
policy action deny disposition deny
policy rule vlan10_vlan20 precedence 160 condition vlan10_vlan20 action deny
policy rule vlan20_vlan10 precedence 150 condition vlan20_vlan10 action deny
qos apply

So, when I did "traceroute" and "show ip route" from workstation 10.10.100.201 and local switch I've got this:

C:\Documents and Settings\Field>tracert 10.30.112.201

Tracing route to 10.30.112.201 over a maximum of 30 hops

1 174 ms 2 ms 2 ms 10.10.100.1
2 * * * Request timed out.
3 5 ms * 5 ms 10.30.112.201

Trace complete.


-> show ip route

+ = Equal cost multipath routes
* = BFD Enabled static route
Total 15 routes

Dest Address Subnet Mask Gateway Addr Age Protocol
------------------+-----------------+-----------------+---------+-----------
10.10.100.0 255.255.255.0 +10.10.250.14 00:34:00 OSPF
+10.20.250.14 00:05:07 OSPF
10.10.250.0 255.255.255.252 +10.10.250.14 00:34:00 OSPF
+10.20.250.14 00:05:07 OSPF
10.10.250.8 255.255.255.252 10.10.250.10 00:36:01 LOCAL
10.10.250.12 255.255.255.252 10.10.250.13 00:36:01 LOCAL
10.20.100.0 255.255.255.0 +10.10.250.14 00:34:00 OSPF
+10.20.250.14 00:05:07 OSPF
10.20.112.0 255.255.255.0 10.20.112.1 01:55:39 LOCAL
10.20.250.0 255.255.255.252 +10.10.250.14 00:05:47 OSPF
+10.20.250.14 00:05:07 OSPF
10.20.250.8 255.255.255.252 10.20.250.10 00:05:52 LOCAL
10.20.250.12 255.255.255.252 10.20.250.13 00:05:52 LOCAL
10.30.112.0 255.255.255.0 10.30.112.1 03:31:09 LOCAL
127.0.0.1 255.255.255.255 127.0.0.1 1d 6h LOCAL

As you see traffic goes through wrong gateway even with ACL applied. But when I physically pulled out network 20 fiber jumper and did "traceroute" and "show ip route" from workstation 10.10.100.201 I've got this:


C:\Documents and Settings\Field>tracert 10.30.112.201

Tracing route to 10.30.112.201 over a maximum of 30 hops

1 2 ms 2 ms 2 ms 10.10.100.1
2 2 ms 3 ms 2 ms 10.10.250.13
3 1 ms <1 ms <1 ms 10.30.112.201

Trace complete.

C:\Documents and Settings\Field>


-> show ip route

+ = Equal cost multipath routes
* = BFD Enabled static route
Total 8 routes

Dest Address Subnet Mask Gateway Addr Age Protocol
------------------+-----------------+-----------------+---------+-----------
10.10.100.0 255.255.255.0 10.10.250.14 00:07:17 OSPF
10.10.250.0 255.255.255.252 10.10.250.14 00:07:17 OSPF
10.10.250.8 255.255.255.252 10.10.250.10 00:08:07 LOCAL
10.10.250.12 255.255.255.252 10.10.250.13 00:08:07 LOCAL
10.20.100.0 255.255.255.0 10.10.250.14 00:07:17 OSPF
10.20.112.0 255.255.255.0 10.20.112.1 02:22:59 LOCAL
10.30.112.0 255.255.255.0 10.30.112.1 03:58:29 LOCAL
127.0.0.1 255.255.255.255 127.0.0.1 1d 7h LOCAL

So, how to make ospf pick the wright gateway(path)?
This is big question for me.

Hi Gucul,
please apply entire configuration, not only ospf and acl, remove aclman config (aclman.cfg)! Please be aware your cabling according attached picture and ip/gw on the client PCs!
In your routing tables I miss some routes, compare with attached.

Hi,
I did everything like you say.
1) During copy and paste process I ran into this issue on 10.10.100.1switch:

-> avlan 10 auth-ip 10.10.100.253
-> avlan 14 auth-ip 10.10.250.1
ERROR: Configured auth-ip conflict with the router's IP addr of this vlan

-> avlan 15 auth-ip 10.10.250.13
-> avlan 20 auth-ip 10.20.100.253
-> avlan 24 auth-ip 10.20.250.1
ERROR: Configured auth-ip conflict with the router's IP addr of this vlan

-> avlan 25 auth-ip 10.20.250.13
-> ! 802.1x :

and into this issue on 10.10.112.1 switch


-> ! AAA :
-> aaa authentication console "local"
-> ! PARTM :
-> ! AVLAN :
-> avlan 10 auth-ip 10.10.112.253
-> avlan 14 auth-ip 10.10.250.13
ERROR: Configured auth-ip conflict with the router's IP addr of this vlan

-> avlan 15 auth-ip 10.10.250.9
-> avlan 20 auth-ip 10.20.112.253
-> avlan 24 auth-ip 10.20.250.13
ERROR: Configured auth-ip conflict with the router's IP addr of this vlan

-> avlan 25 auth-ip 10.20.250.9
-> avlan 30 auth-ip 10.30.112.253
-> ! 802.1x :

But anyway, when I did "show ip route" I've got routing table very similar to yours(I attached the files) just with preferred gateways from network 20 .
So I did "traceroute" from pc 10.10.100.201:

C:\Documents and Settings\Field>tracert 10.30.112.201

Tracing route to 10.30.112.201 over a maximum of 30 hops

1 171 ms 2 ms 2 ms 10.10.100.1
2 2 ms 2 ms 2 ms 10.20.250.13
3 4 ms * <1 ms 10.30.112.201

Trace complete


I saw "show ip route" from yours config and in your case preferred gateways on the network 10, so can you please connect additional pc to the network 20 on 10.20.100.1switch, make this pc 10.20.100.201 and try to do "traceroute" to 10.30.112.201 pc. I'm pretty sure that all traffic gonna go through 10 network...

Hi,
you don't need avlan(only for tests, keep ip interfaces up).
Your routing entries are the same. '+' mean equal cost routes from OSPF, speak 'redundancy' and its gut;)

1 171 ms 2 ms 2 ms 10.10.100.1
2 2 ms 2 ms 2 ms 10.20.250.13
3 4 ms * <1 ms 10.30.112.201

I get this result if I detach 1/1 on cc (or 1/2 on omni10.10.100.1), is OK because on omni10.10.100.1:

I saw "show ip route" from yours config and in your case preferred gateways on the network 10, so can you please connect additional pc to the network 20 on 10.20.100.1switch, make this pc 10.20.100.201 and try to do "traceroute" to 10.30.112.201 pc. I'm pretty sure that all traffic gonna go through 10 network...

There are not the same networks 10 or 20(vlan-10,vlan-20), but transit networks vlan-14/vlan-15 and vlan-24/vlan-25, you yourself have configured. It is all Layer3! And these we don't blocked with ACLs.

Here is my test what you suggested from omni10.100.10.1 port 1/11 vlan-20: If 1/9 on cc (or 1/10 on omni10.10.100.1) is DOWN: If 1/9(1/10) is UP Ping to 10.10.100.0/24 is still blocked from 10.20.100.201.

Hi,
According to the requirements it shouldn't be any redundancy through OSPF equal cost routes. Network 10.10.x.x has to communicate through 10.10.250.x network and network 10.20.x.x has to communicate through 10.20.250.x network, that's it. Don't forget that this is RING topology.
Do you know how to meet requirements?
P.S. I wanna let you know I very appreciate your help.

Hi,

Network 10.10.x.x has to communicate through 10.10.250.x network and network 10.20.x.x has to communicate through 10.20.250.x network, that's it.

simply put corresponding transfer ip networks to appropriate network groups.

Don't forget that this is RING topology.

What exactly do you mean by RING. I just modified your configuration so that it works, no vlans added or removed. I see 2 cabling rings in your visio picture, but in your configs these all are separate transit networks (mask /30). The same is with vlan-10 and vlan-20, there are all have separate networks on each switch. Therefore I always thought that you mean Layer 3 configuration on all switches(OSPF). But if you are saying these RINGs are Layer 2, then your design is wrong and you need to define where is L3 and where is L2.

Hi,

Network 10.10.x.x has to communicate through 10.10.250.x network and network 10.20.x.x has to communicate through 10.20.250.x network, that's it.

"simply put corresponding transfer ip networks to appropriate network groups. "

Can you please explain what do you by this statement? Please give an example.


Don't forget that this is RING topology.

"What exactly do you mean by RING. I just modified your configuration so that it works, no vlans added or removed. I see 2 cabling rings in your visio picture, but in your configs these all are separate transit networks (mask /30). The same is with vlan-10 and vlan-20, there are all have separate networks on each switch. Therefore I always thought that you mean Layer 3 configuration on all switches(OSPF). But if you are saying these RINGs are Layer 2, then your design is wrong and you need to define where is L3 and where is L2."


Yes, I mean L3 config on all switches. All RINGs have to be L3. I'm not saying that your config doesn't work, it just doesn't go with requirements. You can modify my config as how as you want (add or remove vlans). What I need it just to meat requirements.

Hi,
simply add this on both switches: Then you can get this(from vlan10) : And this is again what you do not want, because traffic traverse vlan-20

Hi Gucul,
try these attached configs. Please take care of static routes on not cc switches.

Hi one6f,
Thanks for the config. I'll let you know the result.

Sincerely
Gucul