bslattery
asked on
Configure 1811 Router as other end of ISP /30 network
Hello,
Here's the situation:
I arrive in a foreign country to configure a new remote office. We ordered a /29 from the ISP. In all the other countries I have done this, I am handed an ethernet cable and I configure from the firewall -> in. In this situation, the ISP did not provide the border router (and didn't tell me). I was instructed to place the router at the other end of their /30 and on top of that, route my /29 network.
So I now have an 1811 and I am trying to configure it to their request given the following information from the ISP (and only this information):
IP ADDRESSES ARE NOT THE ACTUAL IP ADDRESSES
Begin ISP provided info via email *********************
"They simply have point-to-point connection from us, so on their WAN interface they should use following details:
IP: 82.148.148.22
Netmask: 255.255.255.252
Gateway: 82.148.148.21
Than on top of this they have their /29 range routed, so they can create DMZ behind their router, so it will act as a gateway for this range.
So /29 range is 78.127.187.248 - 78.127.187.255."
End ISP provided info **********************
I am comfortable inside the IOS and have attempted to configure the router as follows:
SNN-C1811#sh ru
Building configuration...
Current configuration : 4591 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SNN-C1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$73gK$h1Sc7vn8FLszD8.h9L0eb0
enable password 7 121A0C0411040F0D39282B
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name dts.local
ip ssh time-out 60
ip ssh authentication-retries 2
login block-for 5 attempts 5 within 5
!
!
crypto pki trustpoint TP-self-signed-1509561198
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1509561198
revocation-check none
rsakeypair TP-self-signed-1509561198
!
!
crypto pki certificate chain TP-self-signed-1509561198
certificate self-signed 01
quit
username admin privilege 15 secret 5 $1$hcpl$ufg9CqnFd6atw1B2dCjy20
!
!
!
!
!
!
interface FastEthernet0
ip address 82.148.148.22 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
speed 100
full-duplex
!
interface FastEthernet1
ip address 78.127.187.249 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface FastEthernet9
shutdown
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1452
shutdown
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 82.148.148.21
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^C
^C
banner motd ^C
Authorized users only.
^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line 1
exec-timeout 15 0
login authentication local_auth
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
privilege level 15
password 7 06040626424C081D
login authentication local_auth
transport input telnet ssh
line vty 5 15
privilege level 15
password 7 094E470E17071616
login authentication local_auth
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
**************************
From the router I am unable to ping the other side of the /30 or anything on the Internet.
I was hoping someone could review this config and let me know how bad I have this jacked up.
TIA,
Bob
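An added example, not part of the original post: a Python check of the addressing plan the ISP described (a /30 WAN link with the /29 routed behind it), run over the interface and static-route lines of the configuration above. The function names and the trimmed sample are constructed for illustration, and the check goes slightly beyond the post by also flagging a static-route next hop that is not on any connected, non-shutdown subnet.

```python
import ipaddress
import re

# Constructed sample: only the addressing lines of the posted configuration
# (the poster notes these are not the real addresses).
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 82.148.148.22 255.255.255.252
!
interface FastEthernet1
 ip address 78.127.187.249 255.255.255.248
!
interface Vlan1
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 82.148.148.21
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)")


def parse_config(text):
    """Return (interfaces, routes) from IOS-style text, indented or flattened."""
    interfaces, routes, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None          # "!" closes the current interface stanza
            continue
        m = IFACE_RE.match(line)
        if m:
            current = {"name": m.group(1), "addrs": [], "shutdown": False}
            interfaces.append(current)
            continue
        m = ROUTE_RE.match(line)
        if m:                       # global command, never part of a stanza
            dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((dest, ipaddress.ip_address(m.group(3))))
            current = None
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)     # "no ip address" does not match
        if m:
            current["addrs"].append(
                ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
        elif line == "shutdown":
            current["shutdown"] = True
    return interfaces, routes


def check_config(text):
    """Return a list of addressing problems; an empty list means none found."""
    interfaces, routes = parse_config(text)
    findings, connected = [], []
    for iface in interfaces:
        for addr in iface["addrs"]:
            net = addr.network
            if net.prefixlen < 31 and addr.ip in (net.network_address,
                                                  net.broadcast_address):
                findings.append(f"{iface['name']}: {addr.ip} is the network "
                                f"or broadcast address of {net}")
            if iface["shutdown"]:
                findings.append(f"{iface['name']}: holds {addr} but is shutdown")
            else:
                connected.append(addr)
    for dest, hop in routes:
        owners = [a for a in connected if hop in a.network]
        if not owners:
            findings.append(f"route {dest}: next hop {hop} is not on any "
                            f"connected subnet")
        elif any(hop == a.ip for a in owners):
            findings.append(f"route {dest}: next hop {hop} is this router's "
                            f"own address")
    return findings


def usable_range(cidr):
    """First and last assignable host address of a subnet."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    print("WAN /30 hosts:", usable_range("82.148.148.20/30"))
    print("Routed /29 hosts:", usable_range("78.127.187.248/29"))
    for finding in check_config(SAMPLE_CONFIG) or ["no addressing problems found"]:
        print(finding)
```

A clean result here only says the layer-3 plan is self-consistent; it says nothing about cabling, port type or the far end.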
I can't see anything wrong with the parameters you've been given, and the config you've done...
You can ping devices on the /28 side?
If there are no devices, got a laptop? Set its IP address to 78.127.187.250 255.255.255.248 and try ping .249
Then try ping your /30 side of your router.
Let me know how you go...
Is there a speed/duplex mismatch on the WAN FE?
Do a "show log"
ASKER
I am now checking all provided suggestions.
thank you for the quick responses.
sincerely,
bob
Well with a speed mismatch the interface wouldn't come up.
With a duplex mismatch you'll see CRC errors but you should be able to ping a couple of times.
I would suggest checking your interface status
sh ip int bri
Also, I personally don't feel that auto-negotiation of duplex ever really works well. I would hard set it if possible since on Fast Ethernet you are going to default to half duplex if negotiation is not successful.
ASKER
Robert,
Interface status shows ok for both interfaces
Kyle,
No errors in the log, I am configuring a spare laptop to connect to the /29 side of the router, FE1.
So just to understand, when you ping the ip address of the lan side of your isp from your router you are not getting a response? It could very well be that they are filtering ICMP. But if you are unable to reach the outside network it could be a multitude of issues.
Were you able to look at your arp tables when you issued the ping?
Can you verify that you are pinging from the router or where you are pinging from?
Were you able to verify with the isp that their side has the right IP addresses configured?
If they are filtering against ICMP you can use the get command to get http data and see if that works.
Sorry from reading your original post I would recommend you confirm with your ISP that their interface is configured correctly.
Also, if you need to provide proof to your isp you can set up a short acl to confirm your router is sending data out that port. Something like:
access-list 101 permit icmp any any
access-list 101 permit ip any any
interface f0
ip access-group 101 out
then do "sh access-list 101" and see if there are any hits after you try to ping. That would be proof that you are sending packets out that way since you will see the counters incrementing.
To elaborate on the get command you would do it this way.
telnet www.google.com:80 or port 80... the syntax escapes me at this moment.
get http
and you should see some recognizable text.
Note: google.com is an example not sure if they have port 80 open and allowed
ASKER
Kyle,
I configured a laptop with .250 (/29) and connected directly to FE1. I could not ping the router @ 78.127.187.249
Robert,
I have confirmed the information not only with the provider of the /29 (Digiweb/Ireland) but also with THEIR provider who they proxy the /30 (ENET/Ireland) for. ENET confirmed they can see their interface on the fibre box is up and linked to the router.
Also, sh arp has this:
SNN-C1811#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 82.148.148.22 - 0017.9523.df32 ARPA FastEthernet0
Internet 78.127.187.249 - 0017.9523.df33 ARPA FastEthernet1
This is a long shot, but worth a mention....
I see a "no ip gratuitous-arps" command in there, if in fact the ISP has got it wrong, and its router is .22, your logs wouldn't show up any errors.
Humor me and do a no shut on Vlan1 int?
ASKER
Question, on a router are the WAN ports (FE0/FE1) by default in vlan1? If so, is the shutdown command on vlan1 an issue?
I'm thinking it wouldn't be since int fe0 and 1 are routed interfaces. I believe you would have to do switchport to make it go into using vlans.
You can also check if the command is available by doing "sh int status" or "sh vlans"
I guess according to the cisco website these interfaces are switched.. but this is a bit odd, I didn't think you could assign ip addresses to switched interfaces unless you assigned it to the vlan or made it a routed port.
ASKER
I see we were thinking the same thing. I removed the shutdown and still have the same results:
Cannot ping from laptop connected directly to FE1 and config'd in the same /29.
Cannot ping from my 1811 to anywhere (Internet, /30 gateway, /29 laptop)
Man I suck at this!!
ASKER
You are correct, the sh int status does not include fe0/fe1 in the vlan list
I agree with rob.
On the laptop, if you ping the router then immediately do a "arp -a", does the router have a MAC address assigned to it?
Maybe try ping the Laptop from the router and then do a "sh arp" on the router...
Can you provide with a "sh int status" or "sh vlans" output.
I'm thinking if they are switched ports, that the ip on the interface isn't doing any good. But at the same time your arp output makes me believe otherwise.
I think you can get around this issue by possibly assigning the ip addresses to the vlan but then it still wouldn't work because of dot1q or ISL (tagging/framing). Your isp may need to work with you on this to tag the correct vlan on their interface which I'm not sure they would want or can even support. But still not being able to ping your interface. Can you try moving your fe1 ip address to the vlan and remove it from fe1. Also ensure that it is in no shutdown and ensure that the vlan is assigned to fe1.
ASKER
the arp -a returns "No ARP entries found"
ASKER
From the router:
SNN-C1811#sh vlans
No Virtual LANs configured.
SNN-C1811#sh nt status
SNN-C1811#sh int status
Port Name Status Vlan Duplex Speed Type
Fa2 disabled 1 auto auto 10/100BaseTX
Fa3 disabled 1 auto auto 10/100BaseTX
Fa4 disabled 1 auto auto 10/100BaseTX
Fa5 disabled 1 auto auto 10/100BaseTX
Fa6 disabled 1 auto auto 10/100BaseTX
Fa7 disabled 1 auto auto 10/100BaseTX
Fa8 disabled 1 auto auto 10/100BaseTX
Fa9 disabled 1 auto auto 10/100BaseTX
Ok I think I found your problem. According to Cisco you can not assign ip addresses and them routed ports so those ip addresses need to move to the vlan.
Can you add fe0 and fe1 to vlan 1 and then remove the ip addresses from fe0 and fe1. After that add the first ip address then add the second ip address to the vlan as a secondary and that should solve your issue. Let me know if you want exact commands.
I'm hoping that when you remove the ip addresses from fe0 and fe1 they will start being in vlan 1; if not, you would want to make this interface a trunk or access depending on your network layout.
From Cisco's website on the product.
Q. Can the individual ports be configured as routed ports?
A. No, the Cisco EtherSwitch HWICs do not support routed ports. This means you cannot assign an IP address directly to the interface and make it a Layer 3 interface.
http://www.cisco.com/en/US/prod/collateral/routers/ps5853/prod_qas0900aecd8016c026.html
I'm guessing this is the card you have installed.
Rob do you agree it would be better to create 2 Vlan interfaces, assign an ip to each Vlan int, and make Fa0 an access member of one, and Fa1-6 an access member of the other?
Then you would have your WAN uplink as Fa0, and 6 ports ready for each device in your /29?
ASKER
Kyle, sure as friggin s***, I had the cables switched. Now FE1 is up and I can ping it from the /29 laptop (with some seriously high times). So, color me stupid on that one. Monster kudos to you for working that out. I swear to god the jet lag is killing me!!!
However, fe0 will not come up now.
Robert, please allow me to digest your last 2 entries.
I honestly don't feel that would make a difference since Vlan 1 should be native if using dot1q which is what I'm hoping. I think that would create better separation but at the same time I don't know what his/her network design is ultimately that's why I was suggesting using Vlan1 for both to speed things along. But both will work.
bslattery,
I would be worried about high times depending on how high. Since that will only add on to your latency as you go through your carrier's network.
No worries b.
Credit where it's due, Rob did suggest this in a previous post, I just made the request a bit more official :P
ASKER
Here is my cookie cutter network layout overview used in 7 countries
Limerick-Internet-Connection-Ove.jpg
Ok that's what I was imagining it to look like.. so I'm going to assume you would want trunked ports between your switch and your 1811. Looking at that let's tackle one issue at a time. I believe first would be bringing up the WAN interface fe0 since that would be easiest and then you can hash out your design woes ;).
do this command on global config mode
default int f0
"this will cause your interface to go to default"
then do int vlan 1
ip address "address of wan"
no shut
then go to exec mode and do "sh int status"
make sure fe0 is in vlan 1
let me know if this fixes your wan issue first.
ASKER
Robert, roger that.
Also, 9 minutes (according to the logs) after switching the cables, fe0 came up, but still cannot ping anywhere from the router.
I will now perform your requested actions
if not you may have to do
switchport mode access
switchport access vlan 1
I can't remember switch syntaxes to save my life..
also after that check to make sure that the interface is behaving as configured
int f0 switchport
int f0 trunk
let me know what you get.
Yeah just I guess my assumption but I don't think assigning those ip addresses is doing anything for you. Honestly, I've never messed with 1811 so I don't even know where to begin assuming how that router is behaving.
ASKER
Robert,
All commands accepted however fe0 does/will not show up in vlan1. Only fa2-fa9 appear in the vlan.
can you give me output of
sh int f0 switchport
sh int f0 trunk
sh vlan
ASKER
Here are the outputs of the 3 commands:
SNN-C1811#sh int f0 switchport
% Fa0 is not a switchable port
SNN-C1811#sh int f0 trunk
SNN-C1811#sh vlan
% Ambiguous command: "sh vlan"
SNN-C1811#sh vlan1
^
% Invalid input detected at '^' marker.
SNN-C1811#sh vlan 1
% Ambiguous command: "sh vlan 1"
SNN-C1811#show vlan 1
% Ambiguous command: "show vlan 1"
SNN-C1811#
haha not fun.. it's stating that the interface is not a switchport. Just to get this thing up would you mind moving the cable f0 to f2 and provide an output for
sh int f2 switchport
sh int f2 trunk
sh int status
I think getting this thing up would be more paramount and then troubleshoot the f0 issue unless you would like to work f0 all the way through.
Sorry to add would you provide me with
sh run int f0
sh run int vlan1
I would like to see what's going on
ASKER
Robert, we can work it from the f2 perspective first if u think that's best. I have no probs with it. Here is the output from the commands plus a sh run int f2.
SNN-C1811#sh int f2 switchport
Name: Fa2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1
Protected: false
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
SNN-C1811#sh int f2 trunk
Port Mode Encapsulation Status Native vlan
Fa2 off 802.1q not-trunking 1
Port Vlans allowed on trunk
Fa2 1
Port Vlans allowed and active in management domain
Fa2 1
Port Vlans in spanning tree forwarding state and not pruned
Fa2 none
SNN-C1811#sh int status
Port Name Status Vlan Duplex Speed Type
Fa2 connected 1 a-half a-100 10/100BaseTX
Fa3 disabled 1 auto auto 10/100BaseTX
Fa4 disabled 1 auto auto 10/100BaseTX
Fa5 disabled 1 auto auto 10/100BaseTX
Fa6 disabled 1 auto auto 10/100BaseTX
Fa7 disabled 1 auto auto 10/100BaseTX
Fa8 disabled 1 auto auto 10/100BaseTX
Fa9 disabled 1 auto auto 10/100BaseTX
SNN-C1811#sh run int f0
Building configuration...
Current configuration : 71 bytes
!
interface FastEthernet0
no ip address
duplex auto
speed auto
end
SNN-C1811#sh run int vlan1
Building configuration...
Current configuration : 143 bytes
!
interface Vlan1
ip address 83.147.148.22 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1452
end
SNN-C1811#sh run int f2
Building configuration...
Current configuration : 31 bytes
!
interface FastEthernet2
end
SNN-C1811#
So are you able to ping out now to the internet and ISP?
Can you go to int f0 and issue command switchport.
then provide sh outputs
sh run int f0
sh int f0 switchport
ASKER
I cannot ping either one.
ASKER
It will not allow me issue that command:
SNN-C1811#config t
Enter configuration commands, one per line. End with CNTL/Z.
SNN-C1811(config)#int f0
SNN-C1811(config-if)#switchport
^
% Invalid input detected at '^' marker.
int Fa0
switchport access vlan 1
switchport mode access
int Vlan2
ip address 78.127.187.249 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
int Fa2
switchport access vlan 2
switchport mode access
Try that :)
go to interface f2 and lets force it to vlan 1
int f2
switchport mode access
switchport access vlan 1
then verify it with
sh int f2 switchport
sh run int f2
That F0 port is behaving very oddly. According to the docs it's a switched interface, but it doesn't want to be a switched interface. I'm wondering whether you may have to reload to clear that, sort of like when you reload a router when you want to change a serial interface from ptp to mtp or vice versa. But that's another matter. This is behaving weirdly, since the port comes up and it says that access vlan 1 is default on fa2, but it's not routing out that vlan. Hmm, when you do a ping, can you do an extended ping to specify the source interface?
so it'll be like
ping
then follow the prompts.
Good point,
He's got 10 ports 0 - 9 inclusive, one will be a routable FE, the other members of the switch module which are not routable.
I'd put my money on Fa0 being the routable one.
Sorry b, please try pasting this in:
int Fa0
ip address 83.147.148.22 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1452
!
int Vlan1
ip address 78.127.187.249 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
!
!
int FaX
switchport mode access
switchport access vlan 1
!
end
(Where FaX is the port where your laptop is plugged in to)
Kyle,
he had that before and I don't believe it was working, I was thinking the same thing that since the 1811 is classified as a router it should have a routed port.. but hopefully that works.. if not I guess back to VLANS :)
ASKER
Robert,
Commands issued, verified. Although the sh run int f2 will not show the default vlan 1.
SNN-C1811#sh int f2 switchport
Name: Fa2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1
Protected: false
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
SNN-C1811#sh ru int f2
Building configuration...
Current configuration : 31 bytes
!
interface FastEthernet2
end
ASKER
SNN-C1811#ping
Protocol [ip]:
Target IP address:
% Bad IP address
SNN-C1811#ping
Protocol [ip]:
Target IP address: 4.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SNN-C1811#
Are you able to ping?
can you do a sh ip route.
and try an extended ping originating the source address from your wan side.
ASKER
Kyle,
Working on it, give me a minute
Ah but it does, according to Cisco.com:
1811
- 2 WAN FE Interfaces
- 8 Switch Ports
The question is which FE's are the WAN ports?
The Cisco's 851 WAN port is the last one, Fa4...
Maybe it's Fa8 + Fa9 on the 1811?
Can I grace this thread with a quick test config?
default Fa0
default Fa1
default Fa2
default Fa3
!
int Vlan1
no ip address
!
int Fa9
ip address 83.147.148.22 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
no shut
!
ip address 78.127.187.249 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
no shut
!
I'm gonna put money on this one.
Sorry b,
Put you through all these re-configs lol!
As the saying goes, too many chefs ruin the broth.
Kyle,
All you. I need to get some sleep but hopefully that is the issue.. damn cisco and weird numbering if it is so :P
ASKER
Kyle,
no go on your suggestion, could ping fa2 from the laptop, couldn't ping ISP or Internet
ASKER
Fe0 and fe1 look to be the WAN ports. They are grouped together and separate from the switchports.
ASKER
Correction on earlier, could NOT ping from laptop to router
Looking at config guides on the net, Fa0+1 are the routable ones.
Don't waste your time with the Fa9+8 based config b.
ASKER
working on your test config now
ASKER
scratch that won't do the fa8 + fa9 as we agree it's fa0 and fa1
Looks like your original config was completely correct...
If you go back to that.
erase startup-config
(confirm)
reload
Was the issue all this time just that you had the cable the wrong way around?
Last idea before I'm off to bed.
bslattery,
can you configure your laptop with the wan ip address then connect it directly to your isp and ping. So take the router out of the picture completely. See if that works to ensure they are done correctly.
ASKER
I don't think so as I could never ping the ISP or the internet even after switching cables. I will reload that config and check again.
ASKER
I will do that Kyle. thanks for all your help! Robert too!!
Pray for me!
ASKER
did you want me to whack the startup config or the running config?
startup-config, then just paste your original in...
maybe try Rob's idea first, it'll save you some hassle if it doesn't work then....
Any success?
Let me know!
ASKER
Sorry, I thought you retired for the evening.
I connected a laptop directly to the fiber node and assigned the /30 ip and could not ping the other side of the ISP or the Internet.
I sent the ISP NOC an email and I am waiting for a response. I will most certainly update the thread as soon as I know anything. Based on everything we have tested, something certainly seems amiss with the ISP. Until they prove otherwise, I will blame them!!!
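When pings across the /30 fail from both the router and a directly attached laptop, the ARP entry for the ISP side shows whether anything answers at layer 2 at all. The following is an added example, not code from any poster in this thread: it derives the peer address of the /30 and classifies its state in `show ip arp` output. The sample table and its MAC addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed `show ip arp` output (not from the thread): the router's own
# entries are present, the ISP side of the /30 never answered.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  83.147.148.22           -   001b.d4aa.bb01  ARPA   FastEthernet0
Internet  83.147.148.21           0   Incomplete      ARPA
Internet  78.127.187.249          -   001b.d4aa.bb02  ARPA   Vlan1
"""

ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+(?P<mac>\S+)\s+ARPA")

def p2p_peer(local_ip, netmask):
    """Return the other usable host of a /30, i.e. the ISP gateway."""
    iface = ipaddress.ip_interface(f"{local_ip}/{netmask}")
    if iface.network.prefixlen != 30:
        raise ValueError("expected a /30 point-to-point subnet")
    hosts = list(iface.network.hosts())
    if iface.ip not in hosts:
        raise ValueError(f"{iface.ip} is the network or broadcast address")
    return next(h for h in hosts if h != iface.ip)

def parse_arp(text):
    """Map IP -> MAC string ('Incomplete' when no reply was received)."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            table[ipaddress.ip_address(m["ip"])] = m["mac"]
    return table

def diagnose(local_ip, netmask, arp_text):
    """Classify the gateway's ARP state after a failed ping."""
    gw = p2p_peer(local_ip, netmask)
    mac = parse_arp(arp_text).get(gw)
    if mac is None:
        return gw, "absent: no ARP attempted; check interface state and routing"
    if mac.lower() == "incomplete":
        return gw, ("incomplete: nothing answers at layer 2; "
                    "check cabling, port, VLAN, ISP provisioning")
    return gw, f"resolved to {mac}: layer 2 works; look at routing or filtering"

if __name__ == "__main__":
    gw, verdict = diagnose("83.147.148.22", "255.255.255.252", SAMPLE_ARP)
    print(gw, "->", verdict)
```
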
show port status -- this should give you an idea of what is plugged in, try with one cable plugged in at a time to make sure you get the port numbering straight, and links.
I also noticed that you have one port set to 100-full static - are you sure that this is correct? If it is a wan port I am wondering if it maybe should be 100 half or 10 half?
Also, after you issue a ping have you looked at your arp requests to see if they are coming up incomplete or are populating with a value?
Your interfaces and routing seem to be configured appropriately but I'm wondering where you are testing from?