Solved

T1 Point to Point Configuration Question

Posted on 2010-09-03
Last Modified: 2012-08-14
I have a Cisco 2800 Series router with 2 WIC cards in it at my main office.  At our 2 remote sites we have just finished having our ISP run point to point t1 circuits.

Both of those sites have Cisco 1800 series routers.

Tell me if the following config will be valid for all the connectivity to work; I just want to know before I actually try to put all this into production.

Information -

Main site subnet - 150.50.1.x 255.255.255.0
Remote Site 1 subnet - 150.50.11.x 255.255.255.0
Remote Site 2 Subnet - 150.50.12.x 255.255.255.0

Main Site Router Config

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MAIN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
no ip domain lookup
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface GigabitEthernet0/0
 description LAN BACKBONE SWITCH
 ip address 150.50.1.1 255.255.255.0
 duplex auto
 speed auto
 bridge-group 1
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description Remote Site 1
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 ip address 160.60.1.1 255.255.255.0
 encapsulation ppp
 service-module t1 remote-alarm-enable
!
interface Serial0/1/0
 description Remote Site 2
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 ip address 160.60.2.1 255.255.255.0
 encapsulation ppp
 service-module t1 remote-alarm-enable
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 150.50.1.29 <--- (Our Cisco ASA Firewall/Internet Gateway)
ip route 150.50.11.0 255.255.255.0 Serial0/0/0
ip route 150.50.12.0 255.255.255.0 Serial0/1/0
!
ip flow-cache timeout active 1
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
control-plane
!
bridge 1 protocol ieee
!
scheduler allocate 20000 1000
!
end

Remote Site 1 Router Configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Remote Site 1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
interface FastEthernet0/0
 ip address 150.50.11.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description TO MAIN
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 ip address 160.60.1.2 255.255.255.0
 encapsulation ppp
 service-module t1 remote-alarm-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
!
control-plane
!
end

Remote Site 2 Configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LakeBlalockWarden
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
interface FastEthernet0/0
 ip address 150.50.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description TO MAIN
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 ip address 160.60.2.2 255.255.255.0
 encapsulation ppp
 service-module t1 remote-alarm-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http timeout-policy idle 60 life 86400 requests 10000
!
control-plane
!
end

-------------------------------------------------------------------

So will this be good to get all the traffic back and forth from both sites properly?

The workstations at the remote sites need to be able to get back to the Main office network to access Exchange servers/SharePoint/SQL etc.

Thanks!


0
Comment
Question by:gedruspax
11 Comments
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 33600256
Well, first of all, you're using public IP space that is assigned to two different RIRs for your networks, which will potentially lead to trouble if you're trying to connect to any of the organisations that are legitimately using these addresses.  Beyond this it all looks good here, assuming that the framing and line coding are in-line with the parameters provided by your telco.  You don't *technically* need to assign IPs to the Serial0/0/0 interfaces but what you have will work fine.

As a test, you may want to change the clock source on the main office router to internal and connect the branch router to the head office router with a crossover T1 cable (pin 1 to pin 4, pin 2 to pin 5) before you take it on-site and deploy it.
0
 
LVL 2

Expert Comment

by:cmonteith
ID: 33600441
The T1 commands look fine from what I can see, assuming your provider has the T1 lines set for B8ZS/ESF (this tends to be the norm anymore).

The routing between your three routers should be fine.  Are you also planning on pulling internet access from the main site to each remote office?  If so, you will also need to add a routing statement in your ASA so that the ASA will know how to send traffic back to the two remote networks.  Assuming your inside network is named "inside" in the ASA, these commands would be required:

route inside 150.50.11.0 255.255.255.0 150.50.1.1
route inside 150.50.12.0 255.255.255.0 150.50.1.1

You may also need to adjust your NAT statement to allow those networks out.  If your ASA isn't set to:

nat (inside) 1 0.0.0.0 0.0.0.0

let us know...you'll either need to make it that, or create an ACL for your NAT traffic so that all three networks in question get translated.

One other consideration.  Are any hosts on your network using the 150.50.1.29 as their default gateway?  I would recommend to make certain all hosts are using 150.50.1.1 as the DG so you don't run into issues with same-interface traffic drops on your ASA.
0
 

Author Comment

by:gedruspax
ID: 33600628
We actually are already using 150.50.1.1 for the DG for everything at the main office so that's not a problem.  Nothing uses 150.50.1.29 for DG except the Main Office Router.

I am going to deploy this stuff next week, probably on Tuesday. I will update you and let you know how it goes. Thank you for your input.
0
 
LVL 6

Expert Comment

by:SkykingOH
ID: 33604268
You need to use private IPs on the T1 links.  You can't use public IP space.

You are also using /24 bit subnet masks on the WAN interfaces.  Best practices dictate running /30 so you only have the required two hosts.

Example:

Router pair 1, member 1:

ip address 10.100.100.2 255.255.255.252

Router pair 1, member 2

ip address 10.100.100.1 255.255.255.252

Router pair 2, member 1

ip address 10.100.100.6 255.255.255.252

Router pair 2, member 2

ip address 10.100.100.5 255.255.255.252

When using small address space you only take up four addresses in the address space per network:

IE:

Network 1:

10.100.100.0 - Network Address
10.100.100.1 - Host IP
10.100.100.2 - Host IP
10.100.100.3 - Broadcast IP

Network 2 -

10.100.100.4 - Network Address
10.100.100.5 - Host IP
10.100.100.6 - Host IP
10.100.100.7 - Broadcast Address

The free SolarWinds subnet calculator is a great tool for subnet visualization.


0
 

Author Comment

by:gedruspax
ID: 33619109
OK, so I'm out here at remote site number 1 trying to get things up and going.  Before I left the main office I configured the main office router with the following:

interface Serial0/0/0
 description Remote Site 1
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 ip address 10.100.100.1 255.255.255.252
 encapsulation ppp
 service-module t1 remote-alarm-enable
!
interface Serial0/1/0
 description Remote Site 2
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 ip address 10.100.100.5 255.255.255.252
 encapsulation ppp
 service-module t1 remote-alarm-enable
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 150.50.1.29 <--- (Our Cisco ASA Firewall/Internet Gateway)
ip route 150.50.11.0 255.255.255.0 Serial0/0/0
ip route 150.50.12.0 255.255.255.0 Serial0/1/0
!

Then I got out here to remote site number one and have that router configured with the following:

interface Serial0/0/0
 description TO MAIN
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 ip address 10.100.100.2 255.255.255.252
 encapsulation ppp
 service-module t1 remote-alarm-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!

So I plug the cable into the provider demarc box here on site and the link immediately comes up.

Something is limiting the connectivity though.  Here is what DOES work:

If I am inside the 150.50.11.1 router HERE I can PING the 150.50.1.1 router back at the MAIN OFFICE successfully; I can also telnet into the main office router as well.

When I am telnetted into the main office router I CANNOT ping the 150.50.11.1 router.

From the 150.50.11.1 router I CANNOT ping anything else PAST the router at our main office.  Not even the backbone switch that it is connected to, let alone any of the servers/internet.

These point-to-point T1s are replacing the very old (and slow) frame relay lines that the sites currently use.  Not sure whether that matters or not, just thought I would mention it.

So in a nutshell the situation is:

REMOTE SITE ROUTER ---> MAIN OFFICE ROUTER = OK
MAIN OFFICE ROUTER---> REMOTE SITE ROUTER = X
REMOTE SITE ROUTER ---> ANYTHING ELSE ON MAIN OFFICE NETWORK = X
REMOTE SITE ROUTER ---> INTERNET = X

Any Ideas?
0

 
LVL 2

Expert Comment

by:cmonteith
ID: 33619295
On your remote routers, did you have their Ethernet ports plugged into anything, or were they in a Down state?  If you were connected to your routers at the remote site but did not have your Ethernet plugged into anything, your router would not respond to a ping as its route to that connected interface would have been missing at that time.

When doing your ping testing, were you just verifying connectivity with the basic ping command ("ping 4.2.2.1") or were you doing an extended ping?  When in console with a Cisco router, your ping traffic will be sourced with the exiting interface.  So in this case if you were pinging 4.2.2.1 from remote A router, your traffic would come from 10.100.100.1.  If your firewall back at the main office does not also have a route for the 10.100.100.0/30 and 10.100.100.4/30 networks, pings sourced from your router within an extended ping will fail, as your firewall will not know to send the traffic back towards your T1 router.

You can verify connectivity for each LAN by using an extended ping as such: "ping ip 4.2.2.1 source 150.50.11.1"   This will force your remote router to use the specific interface (fa0/0 in this case) as the source address for your ping traffic.
0
 

Author Comment

by:gedruspax
ID: 33619361
Yes, I have the Ethernet port here at the remote site plugged into the switch they use to connect all the workstations, so it was up.

I am able to ping from the remote router to the main office router no problem, I'm just not able to ping from main office router to remote router.
0
 
LVL 2

Expert Comment

by:cmonteith
ID: 33619506
That is odd. Are you running any NAT on either router?  It doesn't look like it from the history of this case...but didn't know if anything else had changed....


On your main router, can you do a "show ip route" and post the results?  Also, if you did not try pinging via the extended ping command (my previous post), please try that as well and post the results.
0
 

Author Comment

by:gedruspax
ID: 33619526
No NAT is running on either router.

Here are ping test results

ping ip 150.50.1.1 source 150.50.11.1 - FAILS
ping ip 150.50.1.1 source 10.100.100.2 - SUCCESS

ping ip 150.50.11.1 source 150.50.1.1 - FAILS
ping ip 150.50.11.1 source 10.100.100.1 - FAILS
0
 
LVL 2

Expert Comment

by:cmonteith
ID: 33619580
OK, my guess is something is amiss in your routing statements on your main router.  From your remote 1 router you can ping the T1 interface on the main site, but if you source from the LAN the ping fails.  This would make me think your main office router is sending the reply destined for 150.50.11.1 to another location.  Posting a "show ip route 150.50.11.0" of your main office router should display if that is the case.

Since you can ping the serial interface IP that would lead me to believe your T1 line itself is up and passing data correctly...so it has got to be a simple routing issue somewhere.
0
 
LVL 2

Accepted Solution

by:
cmonteith earned 250 total points
ID: 33619599
BTW, I mainly bring this up based on your note that this is replacing an existing network connection.  If your main site router already has another route to your 150.50.11.0 network (pointing to your old frame connection) then I would expect pings from your new connection to fail until you remove any legacy routing statements sending that traffic elsewhere.
0
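
An added example, not code from any poster in this thread: a small Python audit of IOS config text for the three issues the answers raise, namely non-RFC 1918 addressing, point-to-point serial links wider than /30, and more than one static route for the same prefix. The sample config is constructed from the thread's addressing, and the legacy frame-relay subinterface name Serial0/2/0.11 is hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: main-site addressing from the thread plus a hypothetical
# leftover frame-relay route (Serial0/2/0.11) of the kind the accepted answer
# suspects. It is not taken from the poster's router.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 150.50.1.1 255.255.255.0
interface Serial0/0/0
 ip address 160.60.1.1 255.255.255.0
interface Serial0/1/0
 ip address 10.100.100.5 255.255.255.252
ip route 0.0.0.0 0.0.0.0 150.50.1.29
ip route 150.50.11.0 255.255.255.0 Serial0/2/0.11
ip route 150.50.11.0 255.255.255.0 Serial0/0/0
ip route 150.50.12.0 255.255.255.0 Serial0/1/0
"""

def audit(config: str) -> list[str]:
    """Return human-readable findings for an IOS running-config fragment."""
    findings = []
    routes = defaultdict(list)  # prefix -> next hops / exit interfaces
    iface = None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)$", line):
            ip = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            if not ip.ip.is_private:
                findings.append(f"{iface}: {ip} is not RFC 1918 space")
            if iface.startswith("Serial") and ip.network.prefixlen < 30:
                findings.append(f"{iface}: /{ip.network.prefixlen} on a point-to-point link")
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            prefix = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            routes[prefix].append(m.group(3))
    # Two static routes to one prefix with different exits: IOS can install
    # both, so some return traffic leaves via the old link.
    for prefix, hops in routes.items():
        if len(set(hops)) > 1:
            findings.append(f"{prefix}: competing static routes via {', '.join(hops)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the router itself, "show ip route 150.50.11.0" as suggested above remains the authoritative check, since the config alone does not show which routes are actually installed.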
