HCCI_IT
Cisco 2811 config with Verizon Bonded T1 lines
I have 2 Verizon/MCI T1 internet lines that are bonded. I am currently using a preconfigured nortel router from Verizon, but I want to switch it over to my Cisco 2811. I have 2 WIC cards in the 2811.
Is anyone else running this same config, and can send me a copy?
I believe Verizon uses frame-relay encapsulation, but I am not sure. I have tried contacting Verizon about this but they are useless.
ASKER
What is the difference between bridging and bonding? I need this pipe to act as a 3Mb line.
I think what the preceding answer is referring to is that he has the FastEthernet and Serial ports bridged so there is just a Layer 2 connection between them and everything that appears on one appears on the other. This is a very common setup with wireless in Cisco products or in other scenarios where you want to push traffic across dissimilar interfaces (which is what is being done in the example above).
Channel bonding, on the other hand, is combining two similar interfaces into one larger pipe and it sounds like that is what you want to do. What you probably need is a configuration for PPP Multi-Link and that configuration would look something like this:
Serial0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
Serial0/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
interface Multilink1
ip address 192.168.254.1 255.255.255.252
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1
!
interface Serial0/1
no ip address
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1
!
Each additional interface can be added with another iteration of the "interface Serial0/x" code block and the "Serial0/x" block.
However, it is possible that your provider is using a multi-link ATM circuit or something else weird. But if the circuits support PPP MultiLink, this type of configuration may be close to what you need.
ASKER
I think they are using Frame Relay technology. This is the example Verizon sent me, but they could not send me one for bonding the circuits. Do you know what the config would be when bonding frame circuits?
!
version 12.1 ! IOS Version
service timestamps debug uptime ! Requests timestamp of logs
no service password-encryption ! No password encryption
! ! Off by default
hostname ROUTER
!
ip subnet-zero ! Allows the router to use the first subnet of a block
ip cef ! Enables Cisco express forwarding
no ip finger ! Disables finger on the router (UNIX Command)
!
interface FastEthernet0/0 ! Customer Interior Interface
ip address XX.XX.XX.XX 255.255.255.0 ! Interior IP Address
no ip mroute-cache ! Disables multicast fast switching
no keepalive ! Disables Ethernet keepalives
speed 100 ! Locks down port speed
full-duplex ! Locks down duplex mode
no cdp enable ! Disable Cisco Discovery Protocol
!
interface Serial0/0 ! Customer WAN interface
no ip address
encapsulation frame-relay IETF ! Sets interface encapsulation
service-module t1 timeslots 1-24 ! Sets timeslots (channels of T1)
service-module t1 framing esf ! Sets T1 Framing
service-module t1 linecode b8zs ! Sets T1 Linecode
service-module t1 clock source internal ! Sets clocking to Internal
frame-relay lmi-type ansi ! Set LMI type
load-interval 30 ! Sets length of time load calculations
no fair-queue ! Disables Fair Queuing on an Interface
bandwidth ! Bandwidth. Just a description
!
interface Serial0/0.1 point-to-point ! Enables sub-interface
ip address XX.XX.XX.XX 255.255.255.252 ! IP address of WAN interface
frame-relay interface-dlci 500 IETF ! Sets DLCI and Encapsulation
no ip redirects ! Disables redirect messages from WAN INT.
no ip proxy-arp ! Disables ARP per RFC1027
no arp frame-relay ! Disables ARP for the interface
no cdp enable ! Disable Cisco Discovery Protocol
bandwidth ! Bandwidth. Just a description
!
ip route 0.0.0.0 0.0.0.0 Serial0/0.1 ! Sets default gateway of last resort
ip classless ! Enable classless routing behavior
no cdp run ! Disable Cisco Discovery Protocol
no ip http server ! Disables HTTP server feature (for security)
!
ip domain-name ALTER.NET ! Sets domain-name
ip name-server 198.6.1.1 ! DNS server router uses
ip name-server 198.6.1.2 ! Secondary DNS server router uses
snmp-server community 6f270ca640 RO ! SNMP community string
snmp-server trap-authentication
!
I guess the question then becomes whether a Frame Relay sub-interface can participate in a multi-link group and I don't have an immediate answer to that. I will try to come up with an answer for you but if someone has a working configuration for that, I will gladly yield to them for the answer.
After surfing over to the Nortel site to see what they might be using in the existing solution, I started wondering if Verizon might be using Nortel's Split Multi-Link Trunking (or Multi-Link Split Trunking). If so, you might be looking at a proprietary solution that you will not be able to duplicate with your Cisco router. Any chance you could get the model number from your Nortel CPE and post it?
ASKER
I was able to get the config from my Nortel router that does work with this circuit. I am just unsure how to translate it to Cisco speak:
module t1 1
clock_source line
exit t1
module t1 2
clock_source line
exit t1
interface ethernet 0
ip address <LAN IP> 255.255.255.192
qos
exit qos
exit ethernet
interface bundle MFR1
link t1 1
link t1 2
encapsulation frelay
fr
intf_type dte
frame_size 4470
mfr fragment_size 4000
mfr seg_threshold 3999
lmi ansi
exit lmi
pvc 500
no frf12
shaping cir 3072000 bcmax 3072000 bcmin 65536
no policing
ip address <WAN IP> 255.255.255.252
map <WAN IP GATEWAY AT VERIZON>
red
exit red
qos
exit qos
exit pvc
interleave
hiprio 50 100
exit interleave
exit fr
qos
exit qos
exit bundle
hostname *******
log utc
telnet_server
system display-boot-config no
system hdlc_error 6000
ip
load_balance per_flow
route 0.0.0.0 0.0.0.0 <WAN IP GATEWAY AT VERIZON> 1
exit ip
I'm thinking that the implementation your router is showing is Nortel proprietary and depends on Nortel equipment on the other end, but I will confirm that after I get home and get some dinner.
ASKER
Thank you
Well, it appears I was wrong - what you need is "multi-link frame relay" and the config should look something like this (from Cisco's Web site):
interface MFR1
no ip address
mls qos trust dscp
frame-relay intf-type dce
frame-relay multilink bid router1
!
interface MFR1.1 point-to-point
ip address 10.0.1.1 255.255.255.0
ip pim sparse-mode
mls qos trust dscp
frame-relay interface-dlci 100
interface Serial5/0
encapsulation frame-relay MFR1
frame-relay multilink lid first-link
frame-relay multilink hello 9
frame-relay multilink retry 3
interface Serial6/0
encapsulation frame-relay MFR1
frame-relay multilink ack 4
The Cisco IOS Wide-Area Networking Configuration Guide Release 12.4T has all the details and now that you've got me interested, I'm going to take a look there and see if any caveats pop up. You can find it at:
http://www.cisco.com/en/US/products/ps6441/products_installation_and_configuration_guides_list.html
Beware, they have rearranged their Web site and are doing away with the old UniverCD and CCO Website in favor of a new and improved document library. But many of the references are now available in a book-length PDF file which is very handy for keeping on the laptop to take from site to site.
After reading through the WAN Command Reference, it looks as though the skeleton configuration above should be close to workable. Unfortunately, I don't have my lab set up to test frame-relay any more since my WAN is now all Ethernet-format microwave. But I hope this gives you a start towards the solution.
pmwrightjr,
good work! Welcome to EE. Hope to see you around in other threads. There's nothing like the "good answer" emails, is there?
pmwrightjr: Thanks so much for picking this up. I wasn't able to respond back due to work issues on my own network. :-( I'm glad you were able to take off on where I started and fill the author in on where I was going. :)
You're quite welcome but in reading back over my responses it was more like a stream-of-consciousness journey of discovery sort of thing rather than a coherent answer. But I eventually got there, I guess :-)
You know....that is what is great about collaboration. It allows discussion of thoughts which ultimately provides the solution. I'm curious if HCCI got this working.
ASKER
After reading this posting and finding another EE string that kind of helped:
https://www.experts-exchange.com/questions/22468805/cisco-2620-bundling-two-Verizon-frame-T1s.html
....I am going to deploy the below config tonight. If you happen to notice anything wrong with it, please let me know.
interface MFR1
description :MLFR:NxT1
mtu 4470
bandwidth 3072
no ip address
no ip redirects
no ip proxy-arp
no ip mroute-cache
load-interval 30
no arp frame-relay
frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
ip address <Public WAN IP> 255.255.255.252
ip access-group 100 in
no ip redirects
no ip proxy-arp
no arp frame-relay
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address <Public LAN IP> 255.255.255.192
duplex full
speed auto
!
interface Serial0/0/0
description :MLFR:NxT1
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR1
no arp frame-relay
!
interface Serial0/1/0
description :MLFR:NxT1
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR1
no arp frame-relay
!
no ip classless
ip route 0.0.0.0 0.0.0.0 <WAN GW>
Just remember that the gateway must be to the next physically connected hop. So if your <WAN GW> is directly connected to this 2811, you are set for the ip route 0.0.0.0 0.0.0.0 routing. The one thing I would change, and this is per the ICND class I took, is that you will want to set the speed on your FastEthernet0/0 to the supported top speed on both ends. Mine are connected to a 10/100 switch so I set mine to Full Duplex and 100 on both ends. While devices are supposed to auto negotiate, I would not trust that for switches and routers. For your desktops, go ahead and use auto negotiate, but since this is a router connecting (I presume) to a switch, I would set the port speed and duplex.
ASKER
OK, deployed the config and it seems we are half way there. Verizon can PING my WAN IP but not my LAN Public IP. I can PING 4.2.2.2 from the router, but not from the FW that is plugged into it.
It's like it is not able to route from the LAN interface to the WAN and vice versa.
What happens if you do an extended ping using the LAN address as the source IP and vice-versa? Can you ping the other interface within the router?
Can you ping a loopback interface?
Can you post a routing table from the router?
And although it might be too obvious, have you enabled IP routing with an 'ip routing' statement? (Don't laugh - I actually forgot that once on a border router and was baffled for the longest time)
What is 4.2.2.2?
Am I asking too many questions? :-)
HCCI, you are more than halfway. This part is actually a lot easier to get going as it is simply a routing issue on your router to inform traffic how to get to your LAN.
So to get this right. When you telnet into your 2811 router, you can ping a known pingable address such as yahoo.com (206.190.60.37)? When you try pinging that from within the LAN, you are not able to ping it? If you can ping by the address, then it is a DNS issue (but I doubt this is your issue). BTW, what is FW? Can you post your full config file? It would be helpful if you could post your non-routable IP addresses as well. If you do not feel comfortable with that, then use a similar model with different IPs. It makes it hard to figure out a routing issue if the IPs are not listed since you may not have your routing configured properly for your subnet. Such as using a default gateway that is 2 hops away. This will result in failed pings.
In reading through this whole thread, I did find one little clue that may or may not mean anything.
In the sample configuration that you got from Verizon, they enable classless routing with an 'ip classless' statement. In your configuration, you disable classless routing with the second-to-last statement.
In view of this, I think it would be particularly important to take a very close look at the routing table because you could have something like a 4.2.2.2/30 address being treated like a 4.2.2.2/8 classful address and that could definitely push your routing decisions over the edge.
I'm not sure, pmwrightjr. If that was the case, I would think the router wouldn't get to it as well. It seems to be an issue with the LAN hitting the router and then not knowing what to do with the traffic from the LAN. If you run a tracert from one of your workstations to yahoo.com, where does it hang?
You can try what pmwrightjr said and put it into ip classless and see if it works.
ASKER
Here is my entire config. I have removed password and encryption information and changed the IP, but the IP scheme represents one very similar to mine.
Current configuration : 3791 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HCC_ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name yourdomain.com
ip name-server 198.6.100.53
ip name-server 198.6.100.25
ip name-server 4.2.2.2
!
!
!
crypto pki trustpoint TP-self-signed-*******
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-*******
revocation-check none
rsakeypair TP-self-signed-*******
!
!
crypto pki certificate chain TP-self-signed-*******
certificate self-signed 01
<HEX CODES>
quit
username admin privilege 15 secret 5 <Password>
!
!
!
!
!
interface MFR1
description :MLFR:NxT1
mtu 4470
no ip address
no ip redirects
no ip proxy-arp
no ip route-cache cef
no ip mroute-cache
load-interval 30
frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
ip address 137.235.18.142 255.255.255.252
ip access-group 100 in
no ip redirects
no ip proxy-arp
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 69.21.189.129 255.255.255.192
duplex full
speed auto
!
interface FastEthernet0/1
ip address 192.168.21.1 255.255.255.0
shutdown
duplex auto
speed auto
no routing dynamic
!
interface Serial0/0/0
description :MLFR:NxT1
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR1
service-module t1 timeslots 1-24
no arp frame-relay
!
interface Serial0/1/0
description :MLFR:NxT1
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR1
service-module t1 timeslots 1-24
no arp frame-relay
!
ip classless
ip route 0.0.0.0 0.0.0.0 137.235.18.141
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password 7 <password>
login
transport input telnet ssh
line vty 5 14
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 15
access-class 23 in
privilege level 15
password 7 <password>
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
ASKER
Also, Verizon sent me this config last night, which I tried today but my router did not like the "controller T1 0/0/0" command.
Appendix A. CPE Configurations
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/0/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
interface MFR1
mtu 4470
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay IETF
no ip route-cache cef
no ip mroute-cache
load-interval 30
no arp frame-relay
frame-relay lmi-type ansi
frame-relay multilink bid to gw
!
interface MFR1.500 point-to-point
ip address x.x.x.2 255.255.255.252
no ip redirects
no ip proxy-arp
no arp frame-relay
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
ip address a.a.a.1 255.255.255.0
!
interface Serial0/0/0:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR1
no arp frame-relay
!
interface Serial0/0/1:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR1
no arp frame-relay
!
!
ip route 0.0.0.0 0.0.0.0 MFR1.500
I notice an ACL on the input (ip access-group 100 in) - is this access-list and the access-list for the TTY ports (access-list 23) defined in a part of the configuration you didn't send? It could be relevant if pings are being denied as is often the case.
The "controller" terminology is for a different type of interface hardware which is why your router didn't like it. My 2811 with a dual-port MFT controller (VWIC-2MFT-T1) uses the terminology that Verizon proposed in their latest note but my 2621XM routers with a WIC-1DSU-T1 use only the "serial" terminology. So you have that part right with the config from last night, you just have a routing issue and it's not likely that the interface configuration has anything to do with it.
I wish I had a brilliant flash of inspiration for you but looking at the ACLs is the only thing I can offer at this point. The output from "sh ip route" would be very helpful at this point, even if you wanted to redact all the routable (i.e. non-RFC1918) addresses.
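An added example, not written by any poster in this thread and not Cisco tooling: a small Python check for the point raised above, that the posted configuration applies `ip access-group 100` and `access-class 23` without defining either list. The sample text is a trimmed copy of the config posted in the thread; the function name `audit` and the finding labels are illustrative, and the check also reports the `ip http server` and telnet lines that the same config contains.

```python
import re

# Constructed sample: a trimmed copy of the 2811 configuration posted in this
# thread, flattened (no indentation) the same way the thread shows it.
SAMPLE_CONFIG = """\
interface MFR1.500 point-to-point
ip address 137.235.18.142 255.255.255.252
ip access-group 100 in
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
ip address 69.21.189.129 255.255.255.192
!
ip classless
ip route 0.0.0.0 0.0.0.0 137.235.18.141
!
ip http server
no ip http secure-server
!
line vty 0 4
access-class 23 in
privilege level 15
login
transport input telnet ssh
"""

ACL_DEF_NUMBERED = re.compile(r"^access-list\s+(\S+)\s")
ACL_DEF_NAMED = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
ACL_REF = re.compile(r"^(?:ip access-group|access-class)\s+(\S+)\s+(in|out)\b")
SECTION = re.compile(r"^(?:interface|line)\s+\S")


def audit(config_text):
    """Return a list of (finding, section, detail) tuples for an IOS config.

    Sections are tracked by header lines and "!" separators rather than by
    indentation, so configs pasted without leading spaces still parse.
    """
    defined, refs, findings = set(), [], []
    section = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            section = "global"          # "!" closes the current block
            continue
        if SECTION.match(line):
            section = line              # entering an interface or line block
            continue
        m = ACL_DEF_NUMBERED.match(line) or ACL_DEF_NAMED.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = ACL_REF.match(line)
        if m:
            refs.append((section, m.group(1), m.group(2)))
            continue
        if line == "ip http server":
            # Plaintext HTTP management; the Verizon sample disables it.
            findings.append(("http-server", section, line))
        elif line.startswith("transport input") and "telnet" in line.split():
            findings.append(("telnet", section, line))
    # Resolve references only after the whole file is read, because the
    # access-list definitions normally appear after the interfaces.
    # On IOS an interface access-group that names a list which does not
    # exist filters nothing, so the reference gives no protection until
    # the list is defined.
    for sec, acl, direction in refs:
        if acl not in defined:
            findings.append(("undefined-acl", sec, f"{acl} {direction}"))
    return findings


if __name__ == "__main__":
    for finding, sec, detail in audit(SAMPLE_CONFIG):
        print(f"{finding:14} {sec:36} {detail}")
```
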
ASKER
What I sent you above is my entire config. So should I remove the "ip access-group 100 in" command from the MFR interface?
Anything else that sticks out? The routing is not complicated (only one route) so I don't really understand how it can be a routing issue.
Hmm... I don't know what the effect of having an "access-group" statement without having the associated access-list, but yes, you might try removing it and see what happens. Eventually, you will probably want it as a security measure - typically an access list in that position is used to block any traffic except that which is headed for your LAN. When you get to that point, Cisco has an excellent document on constructing an ACL for Internet egress but for now, I think we need to eliminate that as a possibility.
Once you try that, if you could review again what you can ping and what you can't. At this point, Verizon can ping your WAN interface but not your LAN? From a workstation on the LAN, you can ping the LAN but not the WAN interface and not an address beyond the WAN? Is that where we are? If not, let me know!
It might not be a routing issue but a routing table can sometimes give valuable clues about where the packets might be going. Also, pings fail with different codes and those can be helpful (if it fails with a 'U', it means the host is not reachable by that route, if it fails with a period, it indicates that the network server timed out waiting for a reply).
I think the reason we are thinking about routing issues is the fact that Verizon can ping your WAN interface, so that indicates the circuit is up. But if you wanted to be sure of that, you can do a "show frame-relay multilink" and check the output.
The extended ping (type 'ping' and hit enter with no address to step through the choices one by one) can also be particularly valuable because you can determine the source of the packet.
If you want to see more detail, you can do a ping debug with 'debug ip icmp' to see the ping details as they are sent and received. If you do this through a telnet session, be sure to do a 'term mon' so you see the output and make sure you turn off all debugging when you are through with an 'undebug all'.
If you still have some thought that it might be a frame relay problem, you can try turning up a frame-relay debug and watching the LMI packets come and go or watch the circuit setup, etc. A good one to start would be 'debug frame-relay multilink control mfr1'.
I think you're close... very, very close but you need to somehow obtain some visibility into what the packets are actually doing as they enter and traverse the router. That's why I recommend the routing table, followed by various ping tests including extended pings from different sources and then finally some debug sessions.
For example, if you were doing a ping debug, you would most likely see exactly what is happening with the pings from your LAN (e.g. whether they are entering the router but don't have a route back or whether they are not entering at all).
The other suggestion I would make is to create a loopback interface with an address used nowhere else on your LAN or WAN - maybe something like this:
interface Loopback 0
ip address 172.16.254.254 255.255.255.255
no shutdown
That gives you an anchor point that you can use to test connectivity with one interface at a time, and a loopback interface is always up. There are other uses for loopback interfaces, but they are outside the scope of what we are doing here, and there is no harm in creating one.
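The "access-group without the associated access-list" situation raised above can be checked offline before a config goes on a router. Cisco documents that IOS treats an access-group pointing at an undefined list as if no list were applied, so all packets pass. This is an added example, not code from the thread: the sample config, its addresses and ACL names are constructed, and the parser accepts both indented and flattened pastes.

```python
import re

# Constructed sample config (not from the thread). MFR1 applies ACL 101,
# which is never defined; FastEthernet0/0 applies LAN-IN, which is.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group LAN-IN in
!
interface MFR1
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
!
ip access-list extended LAN-IN
 permit ip 192.0.2.0 0.0.0.255 any
!
access-list 10 permit 192.0.2.0 0.0.0.255
"""

IFACE = re.compile(r"^interface\s+(\S+)")
APPLY = re.compile(r"^\s*ip access-group\s+(\S+)\s+(in|out)\b")
NAMED = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
NUMBERED = re.compile(r"^access-list\s+(\d+)\s")


def find_dangling_acls(config_text):
    """Return (interface, acl, direction) for each access-group whose ACL
    is not defined anywhere in the same config text."""
    defined, applied, current = set(), [], None
    for line in config_text.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)          # entering an interface block
        elif line.strip() == "!":
            current = None                # "!" closes the block
        for rx in (NAMED, NUMBERED):
            d = rx.match(line)
            if d:
                defined.add(d.group(1))
        a = APPLY.match(line)
        if a and current:
            applied.append((current, a.group(1), a.group(2)))
    # Definitions may appear after the interface, so compare at the end.
    return [ref for ref in applied if ref[1] not in defined]


if __name__ == "__main__":
    for iface, acl, direction in find_dangling_acls(SAMPLE_CONFIG):
        print(f"{iface}: access-group {acl} {direction} -> no such access-list")
```

Run it against a saved copy of the running config; any line it reports is an interface that looks filtered in the config but is not.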
framing esf
clock source internal
! linecode b8zs is common, but you need to verify if Verizon is using that
linecode b8zs
! I think this will be more for you since you have bonded
channel-group 0 timeslots 1-24
bridge irb
!
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip route-cache flow
ip tcp adjust-mss 1412
duplex full
speed 100
no mop enabled
bridge-group 1
!
!
interface Serial0/0/0:0
no ip address
bridge-group 1
!
!
bridge 1 protocol ieee
bridge 1 route ip
That is basically what I have on my 2811 routers. I have them bridged, though, so the settings may differ for your need.