Solved

CONTENT BASED ACCESS CONTROL - CBAC ON ROUTERS

Posted on 2009-05-11
Last Modified: 2013-12-07
I've configured the following, and according to my instructions I should be able, from the SANJOSE1 router, to ping both 172.16.1.2 & 172.17.1.2, but I CANNOT at this point, as I haven't added any CBAC yet. Why?

Building configuration...

Current configuration : 852 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
!
!
!
interface Serial0/0
 description "FIREWALL"
 ip unnumbered Ethernet1/1
 clockrate 56000
!
interface Serial0/1
 no ip address
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 description DMZ
 ip address 172.16.1.1 255.255.255.0
 half-duplex
!
interface Ethernet1/1
 description Internal Network
 ip address 172.17.1.1 255.255.255.0
 half-duplex
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
---------------------------------------------------------------------------------------

vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  172.17.1.1      YES TFTP       up                       up      
Serial0/1                  unassigned     YES TFTP     down                    down    
Serial0/2                  unassigned     YES unset   administratively down down    
Serial0/3                  unassigned     YES unset   administratively down down    
Ethernet1/0             172.16.1.1      YES manual    up                      up      
Ethernet1/1             172.17.1.1     YES manual    up                       up

---------------------------------------------------------------------------------------      
vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.1.0 is directly connected, Ethernet1/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet1/0
S*   0.0.0.0/0 is directly connected, Serial0/0
vista#
---------------------------------------------------------------------------------

Building configuration...

Current configuration : 611 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0
 ip unnumbered Ethernet0
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
ip http server
ip classless
ip route 172.16.1.0 255.255.255.0 Serial0
ip route 172.17.1.0 255.255.255.0 Serial0
!
!
line con 0
line aux 0
line vty 0 4
!
end
-----------------------------------------------------------------------------------------
sanjose1#sh ip route int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                    unassigned      YES unset  administratively down down    
BRI0:2                    unassigned      YES unset  administratively down down    
Ethernet0               192.168.1.1     YES manual up                    down    
Serial0                    192.168.1.1     YES TFTP     up                    up      
Serial1                    unassigned      YES unset  administratively down down
-----------------------------------------------------------------------------------------    
sanjose1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
S       172.17.1.0 is directly connected, Serial0
     172.16.0.0/24 is subnetted, 1 subnets
S       172.16.1.0 is directly connected, Serial0
sanjose1#
Question by:mikey250

Author Comment

by:mikey250
ID: 24355678
I'm assuming it's because I've added "IP Unnumbered", hence ping not working from Sanjose1 to HOSTB & HOSTC?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24355738
Yeah, are you supposed to be using "ip unnumbered"?  I would put 192.168.1.1 on serial0 on sanjose1 and put 192.168.1.2 on vista's serial interface.
0
 

Author Comment

by:mikey250
ID: 24355882
Yes, I am supposed to be using "IP Unnumbered".  OK, I will remove it and add relevant IP addresses to both routers to double check.

Thanks!
0
 

Author Comment

by:mikey250
ID: 24363045
I did add the above for both serial interface connections:  sanjose1 192.168.1.1 & vista 192.168.1.2 and was able to go through the rest of my scenario and everything works fine as below:

- Cannot ping from sanjose1 to HOSTC 172.17.1.2/24 - unsuccessful
- Can ping from HOSTC 172.17.1.2/24 to sanjose1 - successful

- Cannot ping from sanjose1 to HOSTB 172.16.1.2/24 - unsuccessful
- Cannot ping from HOSTB 172.16.1.2/24 to sanjose1 - successful
----------------------------------------------------------------------------------------------
BUT NOW

BEARING IN MIND NOW I'VE ADDED ALL OF THE EXPECTED CBAC access-lists etc, I've now removed serial interface "IP Addresses" at the end of my scenario and replaced as originally stated with "IP Unnumbered".

Building configuration...

Current configuration : 2865 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip inspect udp idle-time 1800
ip inspect dns-timeout 15
ip inspect name STANDARD ftp
ip inspect name STANDARD http
ip inspect name STANDARD smtp
ip inspect name STANDARD sqlnet
ip inspect name STANDARD tcp
ip inspect name STANDARD tftp
ip inspect name STANDARD udp
ip inspect name STANDARD realaudio
ip audit po max-events 100
!
interface Serial0/0
 description "FIREWALL"
 ip unnumbered Ethernet1/1
 ip access-group 121 in
 ip access-group 122 out
 ip inspect STANDARD in
 clockrate 56000
!
interface Serial0/1
 no ip address
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 description DMZ
 ip address 172.16.1.1 255.255.255.0
 ip access-group 111 in
 ip access-group 112 out
 half-duplex
!
interface Ethernet1/1
 description Internal Network
 ip address 172.17.1.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
 ip inspect STANDARD in
 half-duplex
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip any any
access-list 111 permit ip 172.16.1.0 0.0.0.255 any
access-list 111 deny   ip any any
access-list 112 permit udp any host 172.16.1.2 eq domain
access-list 112 permit tcp any host 172.16.1.2 eq domain
access-list 112 permit tcp any host 172.16.1.2 eq ftp
access-list 112 permit tcp any host 172.16.1.2 eq smtp
access-list 112 permit tcp any host 172.16.1.1 eq www
access-list 112 permit tcp 172.17.1.0 0.0.0.255 host 172.16.1.2 eq pop3
access-list 112 permit tcp 172.17.1.0 0.0.0.255 any eq telnet
access-list 112 permit icmp any any administratively-prohibited
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any unreachable
access-list 112 deny   ip any any
access-list 121 deny   ip 172.17.1.0 0.0.0.255 any
access-list 121 deny   ip 127.0.0.0 0.255.255.255 any
access-list 121 deny   ip 224.0.0.0 31.255.255.255 any
access-list 121 permit ip any any
access-list 122 permit icmp any any echo-reply
access-list 122 permit icmp any any time-exceeded
access-list 122 deny   ip 172.16.1.0 0.0.0.255 any
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.1.0 is directly connected, Ethernet1/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet1/0
S*   0.0.0.0/0 is directly connected, Serial0/0
vista#sh ip int breif    i rief
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  172.17.1.1      YES TFTP      up                        up      
Serial0/1                  unassigned      YES NVRAM  down                  down    
Serial0/2                  unassigned      YES NVRAM  administratively down down    
Serial0/3                  unassigned      YES NVRAM  administratively down down    
Ethernet1/0                172.16.1.1      YES NVRAM  up                    up      
Ethernet1/1                172.17.1.1      YES NVRAM  up                    up      
vista#
--------------------------------------------------------------------------------
Building configuration...

Current configuration : 618 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
!
interface Serial0
 ip unnumbered Ethernet0
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
ip http server
ip classless
ip route 172.16.1.0 255.255.255.0 Serial0
ip route 172.17.1.0 255.255.255.0 Serial0
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

sanjose1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
S       172.17.1.0 is directly connected, Serial0
     172.16.0.0/24 is subnetted, 1 subnets
S       172.16.1.0 is directly connected, Serial0
sanjose1#sh ip intb  briee f
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES NVRAM  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  192.168.2.1     YES NVRAM  up                    down    
Serial0                    192.168.2.1     YES TFTP       up                    up      
Serial1                    unassigned      YES NVRAM  administratively down down    
sanjose1#

----------------------------------------------------------------------------
But now I cannot specifically ping from those stated above:

- Cannot ping from sanjose1 to HOSTC 172.17.1.2/24 - unsuccessful - as expected
- Cannot ping from HOSTC 172.17.1.2/24 to sanjose1 - unsuccessful - should be successful

- Cannot ping from sanjose1 to HOSTB 172.16.1.2/24 - unsuccessful - as expected
- Cannot ping from HOSTB 172.16.1.2/24 to sanjose1 - unsuccessful - should be successful

I know my "sh ip route" doesn't show anything although my connections are showing as UP UP.
Why is this?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24363484
The problem is ethernet0 on sanjose1 is not up/up:

Ethernet0               192.168.1.1     YES manual up                    down    

Plug a PC or a switch into ethernet0 so that it is up/up and it should work.
0
 

Author Comment

by:mikey250
ID: 24364717
whoops!!

sanjose1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES NVRAM  administratively down down

BRI0:1                     unassigned      YES unset  administratively down down

BRI0:2                     unassigned      YES unset  administratively down down

Ethernet0                  192.168.2.1     YES NVRAM  up                    up

Serial0                    192.168.2.1     YES TFTP   up                    up

Serial1                    unassigned      YES NVRAM  administratively down down

sanjose1#

The scenario says:  now ping sanjose1 fastethernet0/0 from HostC.  These pings should be successful!

But when pinging from HOSTC it is still saying destination unreachable!! When it should be successful!
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24364915
Hmm, config looks okay.  This is why I am not a big fan of IP Unnumbered.  IP Unnumbered and CBAC have nothing to do with each other so you can mark this lab complete by using IPs on the serial interfaces and testing successfully.  This is an IP Unnumbered issue and not a CBAC issue.
0
 

Author Comment

by:mikey250
ID: 24365178
OK.  I agree.  Can you give me an instance for using "IP Unnumbered" other than hiding it in "sh ip route" & "sh ip int brief" for example although it still shows as up?

If they can work together I would like to resolve this issue.  I'm just going through a few checks so between now and tomorrow I will let you know and if you have any more ideas then let me know?

Unless both just can't work together?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24365302
It should work with IP unnumbered; it's just a subpar way of doing things.  Back in the day prior to VLSM and when everything was publicly addressed, IP Unnumbered was a way to conserve IP addresses.  It's really unnecessary nowadays.  Using IPs on each interface is the preferred method.
0
 

Author Comment

by:mikey250
ID: 24367000
OK, no probs. Let me look at it tomorrow, otherwise I will leave it anyway.
0
 

Author Comment

by:mikey250
ID: 24373781
1. Why does my vista router show the serial interface as below when it is set now as IP unnumbered?
2. What should the DG be of HostA - 192.168.2.2/24, HostB - 172.16.1.2/24 & HOSTC - 172.17.1.2/24?

vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  172.17.1.1      YES TFTP   up                          up

Serial0/1                  unassigned      YES NVRAM  down                 down

Serial0/2                  unassigned      YES NVRAM  administratively down down

Serial0/3                  unassigned      YES NVRAM  administratively down down

Ethernet1/0                172.16.1.1      YES NVRAM  up                    up

Ethernet1/1                172.17.1.1      YES NVRAM  up                    down

vista#
0
 

Author Comment

by:mikey250
ID: 24373909
1. On sanjose1 the serial interface as below shows the same IP address as ethernet0. Why is this?

2. I cannot ping from HOSTC - 172.17.1.2/24 - When I SHOULD be able to?

sanjose1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES NVRAM  administratively down down

BRI0:1                     unassigned      YES unset  administratively down down

BRI0:2                     unassigned      YES unset  administratively down down

Ethernet0                  192.168.2.1     YES NVRAM  up                    up

Serial0                    192.168.2.1     YES TFTP   up                    up

Serial1                    unassigned      YES NVRAM  administratively down down

sanjose1#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
sanjose1#
0
 

Author Comment

by:mikey250
ID: 24374001
1. HOSTB - 172.16.1.2/24 no DG set, but can ping 172.16.1.1 auto BUT CANNOT ping sanjose1 ETHERNET0 interface - 192.168.2.1/24.  Although HOSTB SHOULD be able to?

Note:  I have 2 pcs currently setup for HOSTC - 172.17.1.2/24 & HOSTA - 192.168.2.2/24.  

2. Although as I have 2 NICs on my MAIN PC I'm currently using the spare NIC to simulate HOSTA - 192.168.2.2/24.  I presume this is OK?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24374136
The serial interfaces have the same IP as the ethernet because you are using IP Unnumbered (this is how it works); it borrows the IP from the ethernet.  This is normal.

HOSTA should have a DG of 192.168.2.1
HOSTB should have a DG of 172.16.1.1
HOSTC should have a DG of 172.17.1.1

The default gateway is needed to reach the hosts outside its own subnet.
0
 

Author Comment

by:mikey250
ID: 24374173
Oh yes, I remember reading that.  Well that's OK, because I did have each HOST set with DG as you've stated and it still did not work.  I will set back and retry to double check I haven't muddled something up along the way, because it must be something simple.
0
 

Author Comment

by:mikey250
ID: 24374330
I've set them back!!

I still CANNOT ping from HOSTC - 172.17.1.2/24 DG 172.17.1.1 - I SHOULD be able to!!
I still CANNOT ping from HOSTB - 172.16.1.2/24 DG 172.16.1.1 - I SHOULD be able to!!

See configs below:

Building configuration...

Current configuration : 618 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
!
interface Serial0
 ip unnumbered Ethernet0
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
ip http server
ip classless
ip route 172.16.1.0 255.255.255.0 Serial0
ip route 172.17.1.0 255.255.255.0 Serial0
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

sanjose1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.17.0.0/24 is subnetted, 1 subnets
S       172.17.1.0 is directly connected, Serial0
     172.16.0.0/24 is subnetted, 1 subnets
S       172.16.1.0 is directly connected, Serial0
C    192.168.2.0/24 is directly connected, Ethernet0
sanjose1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES NVRAM  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  192.168.2.1     YES NVRAM  up                    up      
Serial0                    192.168.2.1     YES TFTP   up                    up      
Serial1                    unassigned      YES NVRAM  administratively down down    
sanjose1#
-----------------------------------------
Building configuration...

Current configuration : 2865 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip inspect udp idle-time 1800
ip inspect dns-timeout 15
ip inspect name STANDARD ftp
ip inspect name STANDARD http
ip inspect name STANDARD smtp
ip inspect name STANDARD sqlnet
ip inspect name STANDARD tcp
ip inspect name STANDARD tftp
ip inspect name STANDARD udp
ip inspect name STANDARD realaudio
ip audit po max-events 100
!
!
!
interface Serial0/0
 description "FIREWALL"
 ip unnumbered Ethernet1/1
 ip access-group 121 in
 ip access-group 122 out
 ip inspect STANDARD in
 clockrate 56000
!
interface Serial0/1
 no ip address
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 description DMZ
 ip address 172.16.1.1 255.255.255.0
 ip access-group 111 in
 ip access-group 112 out
 half-duplex
!
interface Ethernet1/1
 description Internal Network
 ip address 172.17.1.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
 ip inspect STANDARD in
 half-duplex
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip any any
access-list 111 permit ip 172.16.1.0 0.0.0.255 any
access-list 111 deny   ip any any
access-list 112 permit udp any host 172.16.1.2 eq domain
access-list 112 permit tcp any host 172.16.1.2 eq domain
access-list 112 permit tcp any host 172.16.1.2 eq ftp
access-list 112 permit tcp any host 172.16.1.2 eq smtp
access-list 112 permit tcp any host 172.16.1.1 eq www
access-list 112 permit tcp 172.17.1.0 0.0.0.255 host 172.16.1.2 eq pop3
access-list 112 permit tcp 172.17.1.0 0.0.0.255 any eq telnet
access-list 112 permit icmp any any administratively-prohibited
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any unreachable
access-list 112 deny   ip any any
access-list 121 deny   ip 172.17.1.0 0.0.0.255 any
access-list 121 deny   ip 127.0.0.0 0.255.255.255 any
access-list 121 deny   ip 224.0.0.0 31.255.255.255 any
access-list 121 permit ip any any
access-list 122 permit icmp any any echo-reply
access-list 122 permit icmp any any time-exceeded
access-list 122 deny   ip 172.16.1.0 0.0.0.255 any
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.1.0 is directly connected, Ethernet1/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet1/0
S*   0.0.0.0/0 is directly connected, Serial0/0
vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  172.17.1.1      YES TFTP   up                    up      
Serial0/1                  unassigned      YES NVRAM  down                  down    
Serial0/2                  unassigned      YES NVRAM  administratively down down    
Serial0/3                  unassigned      YES NVRAM  administratively down down    
Ethernet1/0                172.16.1.1      YES NVRAM  up                    up      
Ethernet1/1                172.17.1.1      YES NVRAM  up                    up      
vista#

0
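An added example, not part of the thread or any poster's code: a minimal first-match evaluator that traces the two echo requests (HOSTC and HOSTB to 192.168.2.1) through the ACLs copied from the vista configuration posted above. It models static ACL semantics only (first match, implicit deny); the hop lists are an assumption read from the interface stanzas and the default route, and CBAC's dynamic entries are not modelled (the posted `STANDARD` rule lists no ICMP inspection).

```python
import ipaddress
from collections import namedtuple

# Copied from the vista configuration posted in the thread: the inbound lists
# on the two Ethernet ports and the outbound list on Serial0/0.
VISTA_ACLS = """\
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 111 permit ip 172.16.1.0 0.0.0.255 any
access-list 111 deny   ip any any
access-list 122 permit icmp any any echo-reply
access-list 122 permit icmp any any time-exceeded
access-list 122 deny   ip 172.16.1.0 0.0.0.255 any
"""

# Assumed forward path of each ping through vista, read from the interface
# stanzas and the default route out Serial0/0: (interface, direction, ACL).
PINGS = {
    "HOSTC": ([("Ethernet1/1", "in", "101"), ("Serial0/0", "out", "122")],
              {"proto": "icmp", "src": "172.17.1.2", "dst": "192.168.2.1",
               "icmp_type": "echo"}),
    "HOSTB": ([("Ethernet1/0", "in", "111"), ("Serial0/0", "out", "122")],
              {"proto": "icmp", "src": "172.16.1.2", "dst": "192.168.2.1",
               "icmp_type": "echo"}),
}
IMPLICIT_DENY = "implicit deny (no entry matched)"

Entry = namedtuple("Entry", "action proto src dst icmp_type text")


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return (0, 0xFFFFFFFF)
    if head == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(head)),
            int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_acls(text):
    """Parse numbered extended ACL lines without port operators."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        rest = tokens[4:]
        src = _addr(rest)
        dst = _addr(rest)
        icmp_type = rest[0] if rest else None  # e.g. echo-reply
        acls.setdefault(tokens[1], []).append(
            Entry(tokens[2], tokens[3], src, dst, icmp_type, " ".join(tokens)))
    return acls


def _hit(spec, addr):
    """Wildcard match: bits set to 1 in the mask are ignored."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(acl, pkt):
    """First matching entry wins; no match means the implicit deny applies."""
    for e in acl:
        if e.proto not in ("ip", pkt["proto"]):
            continue
        if not (_hit(e.src, pkt["src"]) and _hit(e.dst, pkt["dst"])):
            continue
        if e.icmp_type and e.icmp_type != pkt.get("icmp_type"):
            continue
        return e.action, e.text
    return "deny", IMPLICIT_DENY


def trace(acls, path, pkt):
    """Evaluate pkt at each hop in order, stopping where it is dropped."""
    steps = []
    for iface, direction, number in path:
        action, why = evaluate(acls[number], pkt)
        steps.append((iface, direction, number, action, why))
        if action == "deny":
            break
    return steps


if __name__ == "__main__":
    acls = parse_acls(VISTA_ACLS)
    for host, (path, pkt) in PINGS.items():
        print("%s echo request to %s" % (host, pkt["dst"]))
        for step in trace(acls, path, pkt):
            print("  %-11s %-3s ACL %s: %-6s (%s)" % step)
```

With the posted lists, both echo requests pass their inbound ACL and stop at ACL 122 outbound on Serial0/0: HOSTB's on the explicit deny for 172.16.1.0/24, HOSTC's on the implicit deny.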
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24374461
Honestly, I really wouldn't drive yourself crazy with this.  IP Unnumbered is a legacy way of doing things and isn't worth the effort.  I would simply go with using real IPs on the serial interfaces and proceed that way.
0
 

Author Comment

by:mikey250
ID: 24374493
Fair enough. Win some, lose some!! Thanks for your help.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24374639
If you really want, I can try to gather some equipment and get this working using your configs.  It may take a while...let me know.  Otherwise, if you are all set with this question, please go ahead and finalize it.  Thanks.
0
 

Author Comment

by:mikey250
ID: 24374704
I've even removed the "IP Unnumbered" and although serial interfaces are showing as UP UP and I've double checked IP Addresses for both serial interfaces are correct, I've tried for the last time to ping from both HOSTB & HOSTC to sanjose1 router ethernet.

It's either something to do with maybe the IP Addresses I'm using for the serial interfaces, although there is no mismatch, or whether there is some rule I don't know! Maybe my IOS version, although it has taken the command.

Oh well, I will leave it and gonna remove this config now so I can carry on with something else.

Thanks!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24374721
You're welcome.  Glad to assist.
0
 

Author Comment

by:mikey250
ID: 24374743
The only thing is, as I've only had 2 crossover cables instead of 3 to play with, I've had to be aware to make sure for the 2 tests that should have pinged made sure was plugged into right positions.  I don't think this has any issue but thought I would mention.

ie cable for HOSTC & cable for HOSTA
then switched over
ie cable for HOSTB & cable for HOSTA
0
 

Author Comment

by:mikey250
ID: 24374774
OK, I will leave my routers as they are, and let me know. It would just be nice to complete it and know the reasoning behind it, although a LEGACY.  I have though in the UK seen in a couple of instances it being used but did not know at the time what it was except wondering why the serial interface was using the ethernet, but now I know why!

How long do you want?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24374775
The PCs need to use crossover cables to the ports but it looks like it was okay since your ethernet interfaces were up/up so that doesn't appear to be the issue.
0
 

Author Comment

by:mikey250
ID: 24374820
Yes, all cables are crossover and all show as up up with green lights, but for the purposes of my 2 tests to PING from both HOSTB & HOSTC TO HOSTA SHOULD be successful!

So if I pinged from HOSTB to HOSTA, I borrowed cable from HOSTC to plug into HOSTA & vice versa, but ensuring at all times UP UP SHOWED for serial interfaces and relevant ethernet port 0 or 1!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24374975
Okay, so it might take a while to find equipment so you may want to just move on.  The bottom line is that IP Unnumbered is the issue here, not CBAC or your configuration.  I would move...
0
 

Author Comment

by:mikey250
ID: 24375378
If you don't MIND then I don't mind; I would like to know the answer?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24375694
Okay, so I don't have the equipment it turns out.  I need a router with a serial interface for the IP Unnumbered which it turns out I don't have at the moment.
0
 

Author Comment

by:mikey250
ID: 24375735
OK.  Thanks for trying anyway!!  If you do in future for whatever reason then let me know because I've also saved the config and can try it at a later date.  But as you say it is LEGACY!!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24375783
Okay, will do.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24376012
Can you close out this question now?  I'll add to this thread once I can get some equipment.
0
 

Author Closing Comment

by:mikey250
ID: 31580192
Although it hasn't worked, my config appears correct, but as "IP Unnumbered" is LEGACY I will not worry about this, although I get the analogy behind it now with the advice also given.
0
