Routing – Adtran NetVanta router on MPLS network can only reach other MPLS sites if source address set


I have an MPLS network with 5 remote locations with 1544 routers, our central office, and our data center. All of the traffic from the remote locations routes out the central office unless it goes down, in which case everything routes out the data center connection.

If I want to ping anything on the public internet from the router CLI, I can. If I want to ping/traceroute anything on the MPLS network that is not local, I have to give the command with "source", i.e. ping 10.0.1.11 source 10.5.0.1, or I get nothing. NetFlow is working fine because I could define the source as being eth 0/1.

The default route is going out the ppp MPLS interface, and no one inside the 10.5.0.0/23 network has any issues getting everywhere they need to, including servers at the data center that I cannot reach from the router itself without the "source 10.5.0.1" being added.

And there doesn't appear to be any way to define "source" for the syslog stuff. So the Adtrans at the remote sites cannot get their syslog data to the syslog server.

These routers were primarily configured by the telco before we took ownership, so I don't know why they did certain things the way they did. E.g., should proxy-arp actually be enabled for this to work? Or could that break something else in this config? Do you see something else that would fix this problem?

Routing table:

#sh ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       E1 - OSPF external type 1, E2 - OSPF external type 2
       IA - OSPF inter area

Gateway of last resort is 208.46.133.129 ppp 1

S    0.0.0.0/0 [1/1/0] via 208.46.133.129, ppp 1
C    10.5.0.0/23 is directly connected, eth 0/1
S    67.14.0.0/17 [1/1/0] via 208.46.133.129, ppp 1
S    67.14.128.0/19 [1/1/0] via 208.46.133.129, ppp 1
C    208.46.133.128/30 is directly connected, ppp 1
C    208.46.133.129/32 is directly connected, ppp 1

Here is what should be the relevant parts of the config from one of the five remote routers (they are all functionally identical):

ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
ip flow export destination 10.0.1.11 7003 source eth 0/1
ip flow export destination 10.0.1.2 9996 source eth 0/1
ip flow cache timeout active 5
ip flow top-talkers
!
no ethernet cfm
!
interface eth 0/1
  description desc LAN Block 10.5.0.0/23
  ip address  10.5.0.1  255.255.254.0
  no ip proxy-arp
  ip access-policy LAN
  ip flow ingress
  ip flow egress
  no shutdown
  no lldp send-and-receive
!
interface ppp 1
  description DS1NT
  ip address  y.y.133.130  255.255.255.252
  no rtp quality-monitoring
  ppp multilink interleave
  ppp multilink fragmentation
  ppp multilink
  no shutdown
  cross-connect 1 t1 1/1 1 ppp 1
  cross-connect 2 t1 1/2 1 ppp 1
!
ip access-list extended DATA-ACL
  permit ip 10.5.0.0 0.0.1.255  10.0.0.0 0.0.1.255
  permit ip 10.5.0.0 0.0.1.255  10.1.0.0 0.0.0.255
  permit ip 10.5.0.0 0.0.1.255  5.5.0.0 0.0.255.255
  permit ip 10.5.0.0 0.0.1.255  5.6.0.0 0.0.255.255
  deny   ip 10.5.0.0 0.0.1.255  10.0.0.0 0.255.255.255
  deny   ip 10.5.0.0 0.0.1.255  172.16.0.0 0.15.255.255
  deny   ip 10.5.0.0 0.0.1.255  192.168.0.0 0.0.255.255
  permit ip 10.5.0.0 0.0.1.255  any
!
ip policy-class LAN
  allow list DATA-ACL
!
ip route 0.0.0.0 0.0.0.0 208.46.133.129
ip route 5.6.0.0 255.255.224.0 10.1.0.1
ip route x.x.0.0 255.255.128.0 y.y.133.129
ip route x.x.128.0 255.255.224.0 y.y.133.129

Best Answer

If you don't configure the source address and send the packet to 10.0.1.11, it is routed by the default route and will automatically get its source address from the interface attached to the default GW (I suspect 208.46.133.129), not 10.5.0.1. Something in the configuration of the network (routes, ACLs, IPSec policy, MPLS filters ...) prevents communication from this address.
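
The source selection this answer describes, as an added example that is not part of the original post: it runs a longest-prefix match over the routing table from the question and reports which interface's subnet a router-originated packet (ping, syslog) would be sourced from. It assumes the router uses the egress interface's address when no source is given, as the answer states; the function names are hypothetical.

```python
import ipaddress

# Routes copied from the "sh ip route" output in the question: (prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "ppp 1"),
    ("10.5.0.0/23", "eth 0/1"),
    ("67.14.0.0/17", "ppp 1"),
    ("67.14.128.0/19", "ppp 1"),
    ("208.46.133.128/30", "ppp 1"),
    ("208.46.133.129/32", "ppp 1"),
]

# Connected subnet per interface, from the "C" routes. The ppp 1 host address is
# masked in the posted config, so only its subnet is modelled here.
INTERFACE_SUBNET = {
    "eth 0/1": ipaddress.ip_network("10.5.0.0/23"),
    "ppp 1": ipaddress.ip_network("208.46.133.128/30"),
}
LAN_BLOCK = INTERFACE_SUBNET["eth 0/1"]


def egress_interface(dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]
    matches = [(n, ifc) for n, ifc in nets if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def source_subnet(dst, source=None):
    """Subnet the packet's source address belongs to.

    With an explicit source (ping ... source 10.5.0.1) it is the subnet that
    owns that address; otherwise it is the egress interface's subnet (assumption).
    """
    if source is not None:
        src = ipaddress.ip_address(source)
        return next(n for n in INTERFACE_SUBNET.values() if src in n)
    return INTERFACE_SUBNET[egress_interface(dst)]


def sourced_from_lan(dst, source=None):
    """True when the packet leaves with an address from the 10.5.0.0/23 LAN block."""
    return source_subnet(dst, source) == LAN_BLOCK


if __name__ == "__main__":
    for dst, src in [("10.0.1.11", None), ("10.0.1.11", "10.5.0.1")]:
        print(dst, "source:", src or "default", "->", source_subnet(dst, src))
```

Router-originated traffic to 10.0.1.11 without an explicit source comes from the ppp 1 WAN subnet rather than 10.5.0.0/23, which matches the symptom in the question for both ping and syslog.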
