Solved

Cisco 2800 routing on MPLS

Posted on 2008-06-20
Last Modified: 2010-04-17
Ok.. here's what's happening,
Installing a new VOIP phone system, so we set up an MPLS with the carrier. We have 2800 series routers with VWIC cards multilinked on each end. Using BGP via carrier recommendation. I can ping every interface on both sides when in the router. However I cannot ping to the LAN on either end, but I can ping the LAN interface on the Cisco. Oh, forgot to add.. on the MDC side, I have a Sonicwall firewall that handles internet and P2P VPN with a few other locations. So, I turned RIP on the Sonicwall for all the interfaces and turned RIP on both Ciscos. Wondering how to build these routes so that each side can see the opposite LAN... here's my config summarized


DIVISION OFFICE
Gateway of last resort is 192.168.10.1 to network 0.0.0.0

70.0.0.0/32 is subnetted, 1 subnets
R 70.61.233.240 [120/1] via 192.168.10.1, 00:00:25, FastEthernet0/0
R 192.168.30.0/24 [120/1] via 192.168.10.1, 00:00:25, FastEthernet0/0
R 192.168.8.0/24 [120/1] via 192.168.10.1, 00:00:25, FastEthernet0/0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
R 192.168.11.0/24 [120/1] via 192.168.10.1, 00:00:25, FastEthernet0/0
67.0.0.0/32 is subnetted, 2 subnets
B 67.17.15.144 [20/0] via 162.97.238.49, 1w3d
B 67.17.15.130 [20/0] via 162.97.238.49, 1w3d
162.97.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 162.97.238.49/32 is directly connected, Multilink1
C 162.97.238.48/30 is directly connected, Multilink1
B 162.97.125.78/32 [20/0] via 162.97.238.49, 1w3d

FastEthernet0/0 192.168.10.24 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/1/0:0 unassigned YES NVRAM up up
Serial0/1/1:0 unassigned YES NVRAM up down
Multilink1 162.97.238.50 YES NVRAM up up


Branch Office

Gateway of last resort is 146.82.57.1 to network 0.0.0.0

B 192.168.10.0/24 [20/0] via 146.82.57.1, 16:37:45
67.0.0.0/32 is subnetted, 2 subnets
B 67.17.15.144 [20/0] via 146.82.57.1, 16:35:40
B 67.17.15.130 [20/0] via 146.82.57.1, 16:35:40
162.97.0.0/16 is variably subnetted, 2 subnets, 2 masks
B 162.97.238.48/30 [20/0] via 146.82.57.1, 16:35:40
B 162.97.125.78/32 [20/0] via 146.82.57.1, 16:35:40
146.82.0.0/16 is variably subnetted, 3 subnets, 2 masks
B 146.82.72.190/32 [20/0] via 146.82.57.1, 16:35:41
C 146.82.57.1/32 is directly connected, Multilink1
C 146.82.57.0/30 is directly connected, Multilink1
C 192.168.3.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 146.82.57.1

FastEthernet0/0 192.168.3.20 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/1/0:0 unassigned YES NVRAM up up
Serial0/1/1:0 unassigned YES NVRAM up up
Serial0/2/0:0 unassigned YES NVRAM up up
Serial0/2/1:0 unassigned YES NVRAM down down
Multilink1 146.82.57.2 YES NVRAM up up

There is currently a Sonicwall at the branch location that is hooked into the old T1 there. We need to remove that and have them get all internet traffic through our division 192.168.10.1 gateway.

Thanks in advance.
Question by:jasonmichel

16 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 21837461
The PCs at the remote office have to use the 2800's LAN IP as their default gateway. I'll bet it is pointing to the old Sonicwall.
Same at the Main site. Everything has to point to the 2800 as the default gateway, NOT to the Sonicwall firewall.
The Sonicwall firewall will need route statements for all the remote offices pointing back to the 2800. I'm not sure you can redistribute BGP into RIP, but only the main site 2800 and the Sonicwall need it.
The Division office router does not seem to be learning a route to 192.168.3.0 branch through the MPLS. Check your BGP settings at the branch to make sure you are advertising that subnet.
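The point in the comment above (the division router has no route to 192.168.3.0/24, so traffic for the branch LAN follows the default toward the Sonicwall instead of the MPLS link) can be checked mechanically. What follows is an added example, not code from the thread or from either poster: a small Python parser for IOS `show ip route` output with a longest-prefix-match lookup, run over trimmed copies of the two routing tables in the question. The tables are embedded as constructed sample input; the first Division table in the question prints the gateway-of-last-resort header without its 0.0.0.0/0 line, so the parser synthesizes the default from that header when no explicit default is present.

```python
"""Parse Cisco IOS 'show ip route' output and answer 'which next hop does this
destination resolve to?'.  Added example; the two tables are trimmed copies of
the ones posted in the question (constructed sample input)."""
import ipaddress
import re
from dataclasses import dataclass

# Matches e.g.
#   "B    192.168.10.0/24 [20/0] via 146.82.57.1, 1d17h"
#   "C    192.168.3.0/24 is directly connected, FastEthernet0/0"
#   "B       67.17.15.144 [20/0] via 146.82.57.1, 1d17h"  (mask comes from the header above it)
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)|is directly connected,\s+(?P<iface>\S+))"
)
# "67.0.0.0/32 is subnetted, 2 subnets" or "162.97.0.0/16 is variably subnetted, 3 subnets, 2 masks"
SUBNETTED_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")
GATEWAY_RE = re.compile(r"^Gateway of last resort is (\d+\.\d+\.\d+\.\d+)")


@dataclass(frozen=True)
class Route:
    code: str                      # IOS source code (C, S, R, B, S*); "*" = synthesized from the gateway header
    prefix: ipaddress.IPv4Network
    next_hop: str                  # next-hop address, or the interface name for connected routes
    admin_distance: int


def parse_show_ip_route(text):
    """Return the Route entries in the table. Entries printed under an 'is subnetted'
    header carry no mask of their own and inherit the header's mask."""
    routes, header_len, gateway = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = GATEWAY_RE.match(line)
        if m:
            gateway = m.group(1)
            continue
        m = SUBNETTED_RE.match(line)
        if m:
            header_len = int(m.group(1))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        plen = int(m.group("len")) if m.group("len") else header_len
        if plen is None:
            continue  # mask-less entry with no header above it: cannot place it
        prefix = ipaddress.ip_network(f"{m.group('net')}/{plen}", strict=False)
        routes.append(Route(m.group("code"), prefix,
                            m.group("nh") or m.group("iface"), int(m.group("ad") or 0)))
    # If the table has a gateway-of-last-resort header but its 0.0.0.0/0 line was cut off,
    # synthesize the default from the header so lookups still resolve.
    if gateway and not any(r.prefix.prefixlen == 0 for r in routes):
        routes.append(Route("*", ipaddress.ip_network("0.0.0.0/0"), gateway, 1))
    return routes


def lookup(routes, address):
    """Longest-prefix match, as the forwarding lookup does; lower admin distance breaks ties."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


def missing_lan_routes(routes, lans):
    """LAN prefixes with no exact route in the table. A default route does not count:
    traffic for such a LAN follows the default (here, to the Sonicwall) instead of the MPLS."""
    known = {r.prefix for r in routes}
    return [lan for lan in lans if ipaddress.ip_network(lan) not in known]


# Constructed sample input: trimmed from the Division Office table in the question.
# Note that no route to 192.168.3.0/24 is present.
DIVISION_TABLE = """\
Gateway of last resort is 192.168.10.1 to network 0.0.0.0

     70.0.0.0/32 is subnetted, 1 subnets
R       70.61.233.240 [120/1] via 192.168.10.1, 00:00:25, FastEthernet0/0
R    192.168.30.0/24 [120/1] via 192.168.10.1, 00:00:25, FastEthernet0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
     67.0.0.0/32 is subnetted, 2 subnets
B       67.17.15.144 [20/0] via 162.97.238.49, 1w3d
B       67.17.15.130 [20/0] via 162.97.238.49, 1w3d
     162.97.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       162.97.238.49/32 is directly connected, Multilink1
C       162.97.238.48/30 is directly connected, Multilink1
B       162.97.125.78/32 [20/0] via 162.97.238.49, 1w3d
"""

# Constructed sample input: trimmed from the Branch Office table in the question.
BRANCH_TABLE = """\
Gateway of last resort is 146.82.57.1 to network 0.0.0.0

B    192.168.10.0/24 [20/0] via 146.82.57.1, 16:37:45
     146.82.0.0/16 is variably subnetted, 3 subnets, 2 masks
B       146.82.72.190/32 [20/0] via 146.82.57.1, 16:35:41
C       146.82.57.1/32 is directly connected, Multilink1
C       146.82.57.0/30 is directly connected, Multilink1
C    192.168.3.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 146.82.57.1
"""

if __name__ == "__main__":
    division = parse_show_ip_route(DIVISION_TABLE)
    print("Division is missing:", missing_lan_routes(division, ["192.168.3.0/24"]))
    hop = lookup(division, "192.168.3.5")
    print(f"Division sends 192.168.3.5 via {hop.next_hop} (route code {hop.code})")
```

Run against the first Division table, `missing_lan_routes` reports `192.168.3.0/24`, and `lookup` shows a branch-bound packet resolving to the 192.168.10.1 default, i.e. the Sonicwall, which is exactly the symptom in the thread; the Branch table resolves 192.168.10.x to the BGP next hop 146.82.57.1 as expected.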
LVL 1

Author Comment

by:jasonmichel
ID: 21837719
When you say advertise the subnet with BGP, is that a redistribute connected command? I know that I need to point the branch gateway to the 2800 LAN interface, but I didn't want to do that until I could ping LAN to LAN from the router. My other question is, the Sonicwall at the division office is the main firewall. If I change the gateway to the 2800, how do I guarantee internet service for the whole MPLS? If you look at the division route statements, it created an entry from RIP for all the P2P and VPN connections to the 192.168.10.1 gateway.. which is the Sonicwall. The only thing about Sonicwall is they aren't very robust when it comes to routing. If they supported EIGRP I could redistribute BGP into EIGRP, but I can't.. I am wondering, since it is an MPLS, whether the carrier has to add those subnets to their routing tables?

LVL 79

Expert Comment

by:lrmoore
ID: 21840492
Advertise the subnet in BGP at the remote site with a network statement...
Your remote site should look something like this:

router bgp 65007
 no synchronization
 bgp log-neighbor-changes
 network 192.168.3.0
 network 162.97.238.48 mask 255.255.255.252
 neighbor 162.97.238.49 remote-as 13979
 no auto-summary

Your main site should look something like this:

router bgp 65007
 no synchronization
 bgp log-neighbor-changes
 network 192.168.10.0
 network 0.0.0.0 mask 0.0.0.0    <== advertise a default to all remotes
 network 146.82.57.0 mask 255.255.255.252
 neighbor 146.82.57.1 remote-as 13979
 no auto-summary


ip route 0.0.0.0 0.0.0.0 192.168.10.1  <== default route for everything  not learned, including VPN tunnels

This router must eventually be the default gateway for the HQ LAN. It's the only "router" in the mix, and the only one that has routes to everything. The Sonicwall only needs static routes for each of the remote networks pointing to the router. How many total remote sites are we talking about?  
Personal opinion - ditch the Sonicwall and get a Cisco ASA and do EIGRP and just redistribute BGP into EIGRP and be done with it.
LVL 1

Author Comment

by:jasonmichel
ID: 21841321
Yeah.. lol, I am working on that.. I wanted a PIX or Netscreen. But yeah.. I think it's going to be a lot harder this way. Have a total of 4 VPNs: 2 P2P and 2 IPsec. So basically I just need to add the remote LANs as neighbors in BGP.. I'll add these configs and try it out.. thanks for pointing me in a direction.. lol

LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 21841417
>so basically i just neet to add the remote lans as neighbors in bgp
No. Your neighbor is always the MPLS Provider Edge IP address
Do you have same BGP AS numbers at each site, or unique AS numbers at each site?

With 2 MPLS remote sites and 2 IPSEC peers on the Sonicwall, all you should need are two static routes on the Sonicwall for the 2 MPLS remote sites pointing to the 2800. It learns the two remote networks through BGP and has a static default to the Sonicwall for everything it doesn't learn otherwise (like the 2 VPN sites and internet). Remote MPLS sites don't need anything other than a default pointing to the BGP neighbor, they just need to advertise their LAN subnets through BGP to the main site.

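The accepted answer and the earlier sample configs state three rules that can be checked before the config goes onto the box: the eBGP neighbor is the provider edge address on the connected link, never a remote LAN; every local LAN that other sites must reach needs a `network` statement; and a `network` statement (the default included) only injects a prefix into BGP when that exact prefix already exists in the routing table, which is why the static `ip route 0.0.0.0 0.0.0.0 192.168.10.1` sits beside `network 0.0.0.0 mask 0.0.0.0`. The following Python linter is an added example, not code from the thread or from either poster. The stanzas are constructed from the link addresses in the posted routing tables (branch PE 146.82.57.1, division PE 162.97.238.49, carrier AS 13979); the AS 65008 neighbor in the "draft" division config is an invented mistake for the example, and the routing-table contents are passed in as plain prefix lists rather than parsed.

```python
"""Lint an IOS 'router bgp' stanza against the router's routing table.
Added example; config strings are constructed from the link addresses in the
thread, and the 'draft' division stanza contains deliberate mistakes."""
import ipaddress
import re

ROUTER_RE = re.compile(r"^router bgp\s+(\d+)$")
NETWORK_RE = re.compile(r"^network\s+(\S+)(?:\s+mask\s+(\S+))?$")
NEIGHBOR_RE = re.compile(r"^neighbor\s+(\S+)\s+remote-as\s+(\d+)$")
MULTIHOP_RE = re.compile(r"^neighbor\s+(\S+)\s+ebgp-multihop")


def classful_mask(address):
    """Mask IOS assumes for a 'network' statement written without 'mask'."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_bgp_stanza(config):
    """Return (local AS, [network prefixes], [(neighbor ip, remote AS)], {multihop neighbors})."""
    local_as, networks, neighbors, multihop = None, [], [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ROUTER_RE.match(line):
            local_as = int(m.group(1))
        elif m := NETWORK_RE.match(line):
            mask = m.group(2) or classful_mask(m.group(1))
            networks.append(ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False))
        elif m := NEIGHBOR_RE.match(line):
            neighbors.append((m.group(1), int(m.group(2))))
        elif m := MULTIHOP_RE.match(line):
            multihop.add(m.group(1))
    return local_as, networks, neighbors, multihop


def check_bgp(config, rib_prefixes, connected_prefixes, local_lans):
    """Return a list of findings; an empty list means the stanza passes all three checks."""
    local_as, networks, neighbors, multihop = parse_bgp_stanza(config)
    rib = {ipaddress.ip_network(p) for p in rib_prefixes}
    connected = [ipaddress.ip_network(p) for p in connected_prefixes]
    findings = []
    # 1. IOS injects a 'network' prefix into BGP only if that exact prefix is in the RIB.
    #    A default advertised with 'network 0.0.0.0 mask 0.0.0.0' therefore needs a 0.0.0.0/0
    #    route (e.g. the static default) present first.
    for net in networks:
        if net not in rib:
            findings.append(f"network {net}: no exact route in the RIB, so BGP will not advertise it")
    # 2. Each local LAN the other sites must reach has to be advertised.
    for lan in local_lans:
        if ipaddress.ip_network(lan) not in networks:
            findings.append(f"LAN {lan} is not advertised (no matching 'network' statement)")
    # 3. An eBGP peer is the provider's PE address on the connected link, not a remote LAN,
    #    unless ebgp-multihop is configured for that neighbor.
    for ip, remote_as in neighbors:
        addr = ipaddress.ip_address(ip)
        if remote_as != local_as and ip not in multihop and not any(addr in c for c in connected):
            findings.append(f"neighbor {ip} (AS {remote_as}) is not on a connected subnet")
    return findings


# Constructed branch stanza: LAN 192.168.3.0/24, link 146.82.57.0/30, PE 146.82.57.1.
BRANCH_BGP = """\
router bgp 65007
 no synchronization
 bgp log-neighbor-changes
 network 192.168.3.0
 network 146.82.57.0 mask 255.255.255.252
 neighbor 146.82.57.1 remote-as 13979
 no auto-summary
"""
BRANCH_RIB = ["192.168.3.0/24", "146.82.57.0/30", "146.82.57.1/32", "192.168.10.0/24", "0.0.0.0/0"]
BRANCH_CONNECTED = ["192.168.3.0/24", "146.82.57.0/30"]

# Constructed division draft with two deliberate mistakes: it advertises a default it has no
# route for yet, and it lists a remote LAN host as a neighbor (AS 65008 is invented here).
DIVISION_BGP_DRAFT = """\
router bgp 65007
 network 192.168.10.0
 network 0.0.0.0 mask 0.0.0.0
 network 162.97.238.48 mask 255.255.255.252
 neighbor 162.97.238.49 remote-as 13979
 neighbor 192.168.3.20 remote-as 65008
"""
DIVISION_RIB_NO_DEFAULT = ["192.168.10.0/24", "162.97.238.48/30", "162.97.238.49/32", "192.168.3.0/24"]
DIVISION_CONNECTED = ["192.168.10.0/24", "162.97.238.48/30"]

if __name__ == "__main__":
    print("branch:", check_bgp(BRANCH_BGP, BRANCH_RIB, BRANCH_CONNECTED, ["192.168.3.0/24"]))
    print("division draft:", check_bgp(DIVISION_BGP_DRAFT, DIVISION_RIB_NO_DEFAULT,
                                       DIVISION_CONNECTED, ["192.168.10.0/24"]))
```

The branch stanza passes cleanly. The division draft produces two findings; adding `0.0.0.0/0` to its RIB (the effect of the static default route) clears the first, and only the bogus remote-LAN neighbor remains, which is the misunderstanding the accepted answer corrects.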
LVL 1

Author Comment

by:jasonmichel
ID: 21841445
Do you have a place I can send you the config output? Maybe you can get a better idea of where it's at.

LVL 79

Expert Comment

by:lrmoore
ID: 21849654
If you don't want to attach it here, you can post up on http://www.ee-stuff.com
And post a link back to the file back here.
LVL 1

Author Comment

by:jasonmichel
ID: 21850005
OK.. I can ping LAN to LAN now.. however.. taking away the remote site Sonicwall, I am not able to get internet... what am I missing.. I have a default-information originate statement in, and a default route of 0.0.0.0 0.0.0.0 192.168.10.1?

LVL 79

Expert Comment

by:lrmoore
ID: 21851360
From remote site show output of "show ip route"
Remote site PC points default gateway to local router interface and 'not' the local sonicwall?

HQ Sonicwall has a route back to 192.168.3.0 ?
Can you ping the remote router LAN IP from the HQ Sonicwall?
The Sonicwall has NAT statements that define the remote subnet to be natted to the public address space?
LVL 1

Author Comment

by:jasonmichel
ID: 21855819
OK... I've got everything except one thing up. I just used an access list for the remote LAN and had the Cisco handle NAT by adding another IP to the division interface. Only 1 issue. As you can see on the division side, all the private networks that are connected via VPN with the Sonicwall. The remote LAN can't see those.. how can I get them to be visible?

LVL 79

Expert Comment

by:lrmoore
ID: 21862085
OK, so you enabled NAT on the division local router so that the remote sites appear as a local division IP address? If yes, then they should be able to access the VPN remote sites with no problem.


LVL 1

Author Comment

by:jasonmichel
ID: 21862145
I enabled NAT on the MPLS router to NAT to the 192.168.10.13 address that I added on as a secondary address to the LAN interface. But I still can't get to the remote sites.

LVL 79

Expert Comment

by:lrmoore
ID: 21864767
That is an attempt at a workaround for broken routing issues?
Disable the NAT and Post result of show ip route from both routers as they are today.
Set your PC default gateway to the MPLS router and see if you can ping the LAN IP of the remote router and still have Internet access.
Be sure that the Sonicwall has a route for the 192.168.3.0 network pointing to the MPLS router
Make sure a PC at the remote end has its default gateway set to the local MPLS router and not the local Sonicwall and ping from your PC to that PC.

LVL 1

Author Comment

by:jasonmichel
ID: 21865999
Before I created the access list and NAT to the internet, I could see the division network from the remote side fine and vice versa; the issue was routing the internet out of the Sonicwall from the remote site. That is accomplished, but now I can't see the other VPNs on the Sonicwall from the remote site..

Remote site output

B    192.168.10.0/24 [20/0] via 146.82.57.1, 1d17h
     67.0.0.0/32 is subnetted, 2 subnets
B       67.17.15.144 [20/0] via 146.82.57.1, 1d17h
B       67.17.15.130 [20/0] via 146.82.57.1, 1d17h
     162.97.0.0/16 is variably subnetted, 2 subnets, 2 masks
B       162.97.238.48/30 [20/0] via 146.82.57.1, 1d17h
B       162.97.125.78/32 [20/0] via 146.82.57.1, 1d17h
     146.82.0.0/16 is variably subnetted, 4 subnets, 3 masks
B       146.82.72.190/32 [20/0] via 146.82.57.1, 1d17h
B       146.82.72.208/28 [20/0] via 146.82.57.1, 1d17h
C       146.82.57.1/32 is directly connected, Multilink1
C       146.82.57.0/30 is directly connected, Multilink1
C    192.168.3.0/24 is directly connected, FastEthernet0/0
B*   0.0.0.0/0 [20/0] via 146.82.57.1, 1d15h

Division side output


B    192.168.10.0/24 [20/0] via 146.82.57.1, 1d17h
     67.0.0.0/32 is subnetted, 2 subnets
B       67.17.15.144 [20/0] via 146.82.57.1, 1d17h
B       67.17.15.130 [20/0] via 146.82.57.1, 1d17h
     162.97.0.0/16 is variably subnetted, 2 subnets, 2 masks
B       162.97.238.48/30 [20/0] via 146.82.57.1, 1d17h
B       162.97.125.78/32 [20/0] via 146.82.57.1, 1d17h
     146.82.0.0/16 is variably subnetted, 4 subnets, 3 masks
B       146.82.72.190/32 [20/0] via 146.82.57.1, 1d17h
B       146.82.72.208/28 [20/0] via 146.82.57.1, 1d17h
C       146.82.57.1/32 is directly connected, Multilink1
C       146.82.57.0/30 is directly connected, Multilink1
C    192.168.3.0/24 is directly connected, FastEthernet0/0
B*   0.0.0.0/0 [20/0] via 146.82.57.1, 1d15h
LVL 1

Author Comment

by:jasonmichel
ID: 21866708
This is the division output

Gateway of last resort is 192.168.10.24 to network 0.0.0.0

     70.0.0.0/32 is subnetted, 1 subnets
R       70.61.233.240 [120/1] via 192.168.10.24, 00:00:11, FastEthernet0/0
R    192.168.30.0/24 [120/1] via 192.168.10.24, 00:00:11, FastEthernet0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
R    192.168.11.0/24 [120/1] via 192.168.10.24, 00:00:11, FastEthernet0/0
     67.0.0.0/32 is subnetted, 2 subnets
B       67.17.15.144 [20/0] via 162.97.238.49, 1d18h
B       67.17.15.130 [20/0] via 162.97.238.49, 1d18h
     162.97.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       162.97.238.49/32 is directly connected, Multilink1
C       162.97.238.48/30 is directly connected, Multilink1
B       162.97.125.78/32 [20/0] via 162.97.238.49, 1d18h
R    192.168.5.0/24 [120/1] via 192.168.10.24, 00:00:12, FastEthernet0/0
R    192.168.6.0/24 [120/1] via 192.168.10.24, 00:00:14, FastEthernet0/0
     146.82.0.0/16 is variably subnetted, 3 subnets, 3 masks
B       146.82.72.190/32 [20/0] via 162.97.238.49, 1d18h
B       146.82.72.208/28 [20/0] via 162.97.238.49, 1d18h
B       146.82.57.0/30 [20/0] via 162.97.238.49, 1d17h
R    192.168.7.0/24 [120/1] via 192.168.10.24, 00:00:14, FastEthernet0/0
R    192.168.1.0/24 [120/1] via 192.168.10.24, 00:00:14, FastEthernet0/0
R    192.168.2.0/24 [120/1] via 192.168.10.24, 00:00:14, FastEthernet0/0
B    192.168.3.0/24 [20/0] via 162.97.238.49, 1d17h
S*   0.0.0.0/0 [1/0] via 192.168.10.24
LVL 79

Expert Comment

by:lrmoore
ID: 21870615
Everything looks good on these two routers.
>issue was routing the internet out of the sonicwall from the remote site
Right, the issue is with the Sonicwall and trying to enable NAT on the router to a local address is only a partial fix and breaks everything else.