Solved

Cisco 1721 setup

Posted on 2007-04-03
Last Modified: 2007-12-19
I'm trying to set up a Cisco 1721 router for a customer that will be using it for video conferencing. They will have multiple sites with a full T1, which are all provided by Global Crossing on their private VPN network. Each location will have a 1721 with a WIC-1DSU-T1.

I have the T1 interface setup as follows...

Linecode - B8ZS
Framing - ESF
Timeslots - 24 speed 64
Clock source - Line
Encapsulation PPP
IP (one of the serial IPs given)

That's pretty basic to set up, but they have given me two serial IPs and one LAN IP. My assumption is that I set the WIC card to one of the two serial IPs and then the LAN IP will be given to the FastEth connection. Am I correct? Also, is there any routing that I will have to set up between the T1 interface and the FastEth? This is where I lack the understanding. I do not have the router in place yet, but tomorrow I will be installing it at the first location. Any help is appreciated.

Thanks!
Question by:Vardata

Expert Comment

by:AndrewCink
You will have two serial IP addresses from your provider. One will be your router's serial IP, and the other will be their router's IP. That IP address will have a /30 mask, notated 255.255.255.252. You will need to put whichever IP is yours on your serial interface. The other IP will go on your fastethernet interface. Your router will need a default route that points all traffic to your serial interface. You can do this by doing ip route 0.0.0.0 0.0.0.0 serial0 (assuming your serial is named serial 0). You could also do ip route 0.0.0.0 0.0.0.0 <ip address of the carrier router>, but it's preferable to just send it to the serial interface.

Devices on your LAN will need to be sent to the IP address of the fastethernet port on the cisco to get to whatever network you are getting to via global crossing. Assuming you send devices to your fastethernet on the cisco, and your router has a route pointing all traffic it gets to your serial interface, you should be in like flynn. Good luck.

Andy
The first thing to do is plug the circuit into the router's T-1 interface, and then do a show service-module and make sure the circuit is up. If the circuit/serial interface is up and you are addressed correctly, you should be able to ping the ip of the carrier router and get a response from it. If that doesn't work you'll need to work with the carrier before you go further.

Expert Comment

by:AndrewCink
Ahhh! Editing failure.. ;) The paragraph that got stuck at the bottom should have been the second paragraph :(

Just remember, on the serial IP you have two, yours and theirs. Make sure to put yours on your serial interface, and then try to ping the IP address of theirs as your first test of connectivity. You will probably need to contact the carrier to load your routes once the serial interface is connected so the LAN block will be active, but that depends on the carrier.

It's actually quite simple! Again good luck.. going to bed before I make any more editing errors...
Author Comment

by:Vardata

Unfortunately I will not have a live T1 to test this setup so I have to drop it off and pray that everything works. Does this look alright? Thanks for your help!   Here is a capture of my sh run...



sh run



Building configuration...

Current configuration : 788 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$zvs.$r8JQFSSfGTLjn8gijFPiM.
enable password xxxx
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip routing
no ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0
 ip address 64.xxx.xxx.xxx 255.0.0.0
 no ip route-cache
 speed auto
!
interface Serial0
 ip address 67.xxx.xxx.xxx 255.0.0.0
 encapsulation ppp
 no ip route-cache
 no fair-queue
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
line con 0
line aux 0
line vty 0 4
 password xxxx
 login
!
!
end

Expert Comment

by:AndrewCink
I am worried about the subnet masks. Your interface serial0 should be:

ip address 67.xxx.xxx.xxx 255.255.255.252

Almost every PPP serial interface will have a 255.255.255.252 (/30) mask.

Your fastethernet should have a different subnet mask as well, more than likely. I cannot say what it should be without more information from your carrier, but the odds of it being 255.0.0.0 are very low. Almost any subnet mask you would get would be 255.255.255.0 (/24) or "higher" (like 255.255.255.240 or higher).

To have any idea if it will work, you need to plug in the T-1 to the serial interface and do a show int and show service-module. On the show int you want to see "Interface Serial 0 is up, line protocol is up" if it is "down down" or "up down" that is bad. On the show service-module you want to see no alarms of any sort, no errors on the line, etc, etc. If you attach show int, show service-module I can help if it's not coming up.


Expert Comment

by:AndrewCink
Oh, another thing.. your router says "no ip routing", from config t I would type "ip routing" to make sure your router is routing!
Author Comment

by:Vardata
Thanks Andrew. I didn't know what the subnet should have been on the serial connection. I know you mentioned the .252, but I thought because it was a class A it was going to be 255.0.0.0. I'm trying to confirm what it should be with GC.

I really appreciate your help this far. It's been great!
Author Comment

by:Vardata
I just confirmed that the subnet mask was as you said, .252 for the T1 and .248 for the LAN. Thanks again for your help. One more question if you don't mind. Is there anything I need to do to be able to remotely administer these routers? Or should I be able to get into these without enabling any feature on the router?
Expert Comment

by:AndrewCink
You would be best off to enable SSH access to the router, as it will enable you to access it over an encrypted connection. The fallback option would be to use telnet to access it, which you can do from anywhere.

Anyway, here is what you need to do. Put an access list on the router to make sure only you can connect. (This does require that you are connecting from a static IP address or block. If you cannot be sure you will be coming from the same IP block every time, an access-list will only ensure you are locked out forever!)

Make a local username on the device such as:

username testuser password 0 test123

(encrypting the password is a good idea)

If your company connects from 123.111.222.0/24 and 123.111.223.0/24 this access list

access-list 1 permit 123.111.222.0 0.0.0.255
access-list 1 permit 123.111.223.0 0.0.0.255

The below commands tell the device for telnet access (line vty 0 4 means telnet access by default): access-class 1 in says only allow telnet from the IP ranges specified in access-list 1, and login local means to look for a username and password on the local device (the username and password we specified above).

line vty 0 4
access-class 1 in
login local

If you want to enable SSH access under line vty 0 4 also put in:

 transport preferred none
 transport input ssh

That will make it so you can only connect via SSH, and telnet will no longer work.

NOTE!!!!!

Make sure you are present to physically power cycle the router (or you have dial in access to the console port) when making these changes! It is VERY common for even experienced people to make a slight mistake in an access list and lock themselves out of the router. You can remedy this in two ways:

1) Leave a telnet/ssh session up to the router, and then try to launch another connection to log in, so if you make a mistake you can correct it using the open session
2) Do not do a write memory until you have verified everything works right, so you can restore access by simply having someone power cycle it.

Good luck,

Andy

Accepted Solution

by: AndrewCink
Haven't seen any activity for a few days here. For SSH by the way, there's a couple other steps. You also need to set the domain name by doing:

domain-name whatever.com
ca generate rsa key 1024

(You have to set a domain name before you can make an RSA key; the ca command tells the router to generate an RSA key which will be used for SSH to authenticate.)

Otherwise SSH will work fine. Or just use telnet. :)
0
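The remote-administration steps from the two answers above, consolidated for the IOS 12.3 router in the posted config. This is an added example, not part of the original posts. The username, domain name and password are placeholders and the source blocks are the sample ranges from the thread; on IOS the domain-name and key-generation steps are entered as `ip domain-name` and `crypto key generate rsa`, and the SSH server needs an IOS image with the crypto feature set.

```cisco
! Added example: SSH-only remote administration, IOS 12.3.
! Placeholders: user "admin", example.com, <strong-password>.
! Enter from global configuration mode (configure terminal).
!
! The posted config has "no service password-encryption" and an
! "enable password" next to the MD5 "enable secret". Obfuscate the
! remaining line passwords and drop the weaker duplicate.
service password-encryption
no enable password
!
! Local account for "login local"; "secret" stores an MD5 hash
! instead of the cleartext type-0 password.
username admin secret <strong-password>
!
! Hostname and domain name must both be set before the RSA key pair
! can be generated. IOS prompts for the modulus size.
ip domain-name example.com
crypto key generate rsa
!
! Only the management source blocks may open a vty session.
access-list 1 permit 123.111.222.0 0.0.0.255
access-list 1 permit 123.111.223.0 0.0.0.255
!
! Apply the ACL and local login, and accept SSH only. This comes last,
! after the key exists, so the vty lines never accept no protocol at all.
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verify from a second session before saving:
!   show ip ssh
!   show access-lists 1
! Save with "write memory" only after a new SSH login has succeeded.
```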
