Solved

Basic Cisco Routing Issue

Posted on 2011-03-22
Last Modified: 2012-05-11
Hello, I am new to Cisco routing and I have a very basic configuration set up. I cannot get traffic to pass between my FE0/0 and S0/0 interfaces. From the router itself I can ping across the internet to IP addresses, domains, etc. on the S0/0 interface and I can ping my directly connected host on the FE0/0 interface. But, from that directly connected host I cannot ping past the S0/0 interface, not even to the default g/w address.

My directly connected host is at 70.254.55.2/24

Here is the configuration, please help.

Building configuration...

Current configuration : 863 bytes
!
version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname Tyler_Backup
!
logging buffered 51200 warnings
!
username xxxxxxxx privilege 15 password xxxxxxxxxxxxxxxxxxx
no ip subnet-zero
!
!
ip name-server 151.164.1.8
!
!
!
!
interface FastEthernet0/0
 ip address 70.254.55.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 description Uplink to AT&T (SBC)
 no ip address
 encapsulation frame-relay IETF
 fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 ip address 70.246.168.138 255.255.255.252
 frame-relay interface-dlci 707
!
ip classless
ip route 0.0.0.0 0.0.0.0 70.246.168.137
no ip http server
!
!
line con 0
 login local
line aux 0
line vty 0 4
 login local
 transport input telnet
 transport output telnet
!
end
Question by:pcantrell76
8 Comments
 
LVL 1

Expert Comment

by:BigBlake
ID: 35194214
Why are you using an external IP address (70.254.55.2) on your local host? Is this device some sort of internet firewall?

Unless you have been assigned this IP address by your ISP they will be routing the return packets elsewhere to the customer they have assigned the address to.

0
 

Author Comment

by:pcantrell76
ID: 35194331
I was just using that address temporarily for testing with my laptop connected via a crossover cable.

We have the entire 70.254.55.0/24 range of addresses assigned to us. Also, we are using BGP and our primary router is routing all traffic for this network across the secondary link; i.e. the one that did not fail. As it turns out, our T1 card is bad, that's why the primary link went down.

I connected a backup router (with a T1 card in it) to the circuit that went down and gave it the same IP address (70.254.55.1) on the FE0/0 interface just for testing purposes.

Could it be that the ping requests were being routed back out of AT&T's network to our primary router through the secondary provider instead of coming back to me? If so, then how come I could ping (when consoled in) from the backup router itself to DNS addresses across the internet, just not from my laptop that was directly connected on ethernet to FE0/0?
0
 
LVL 1

Expert Comment

by:BigBlake
ID: 35194404
I think you are correct with your assumption - the return pings will be going back via the primary link.

From the router you are pinging from the serial interface - 70.246.168.138 / 30 which is directly connected to the isp's router on 70.246.168.137 so the return packets are coming back OK. If on the router you told it to ping via the fa interface (Ping X.X.X.X source fa 0/0) your ping should then fail.

To fix this the route for the 70.254.55.0 / 24 network will need to be changed with your isp to travel via 70.246.168.138.

If you are actively participating in routing with your ISP (rare but possible - we do) you will just need to set up routing on your backup internet router to talk with the ISP's router. However, if like most people the route to 70.254.55.0 / 24 is set statically within the ISP's network you will need to contact them to have the change made (and unmade once your primary link is fixed). Depending on your relationship with your ISP this could take an hour or a week. Good Luck!
0
 

Author Comment

by:pcantrell76
ID: 35194495
OK, I think I understand, can you confirm my thoughts...

If I ping directly from the router out the S0/0 interface then AT&T sees this as being sourced from 70.246.168.138 and it knows how to route those ping replies back to it.

But, if I try to ping 70.246.168.137 (or anything else) from my laptop (with IP 70.254.55.2) on a crossover cable connected to FE0/0 (which has 70.254.55.1) then AT&T sees this as being sourced from the 70.254.55.0/24 network and it takes a different route for the reply packets - back out through the secondary provider.

Whew... Is my thinking correct?
0
 
LVL 1

Expert Comment

by:BigBlake
ID: 35194549
Yep, that's basically right.

The outgoing ping from the laptop would follow your default route out to the ISP router at 70.246.168.137. But the ISP router currently doesn't know how to get back to the 70.254.55.0 network.

If you are plugged in exactly as the failed T1 router was then it is likely that you were actively participating in routing with the isp, so it should be a simple matter to set that up again.

What was the routing setup on the original router with the failed T1 card? Can you post that part of the config?

Cheers
0
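Added example (not part of the original thread): a minimal longest-prefix-match lookup showing why the echo reply comes back for a ping sourced from 70.246.168.138 but not for one sourced from 70.254.55.2. The prefixes are taken from the thread; the two route tables and the next-hop labels are constructed assumptions about the ISP side.

```python
import ipaddress

T1_LINK = "AT&T T1 link to 70.246.168.138"
SECONDARY = "secondary provider"

# Constructed view of the ISP-side routing while the T1 BGP session is down:
# only the /30 link network points at the T1; the /24 is heard via the
# other provider. Prefixes are from the thread, next-hop labels are assumed.
BGP_DOWN = [
    ("70.246.168.136/30", T1_LINK),
    ("70.254.55.0/24", SECONDARY),
]
# Same table once the backup router advertises 70.254.55.0/24 over the T1.
BGP_UP = [
    ("70.246.168.136/30", T1_LINK),
    ("70.254.55.0/24", T1_LINK),
]

def return_path(source_ip, routes):
    """Longest-prefix match on the reply's destination (the ping's source)."""
    addr = ipaddress.ip_address(source_ip)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def reply_reaches_backup_router(source_ip, routes):
    """The echo reply only arrives if it is sent back down the T1."""
    return return_path(source_ip, routes) == T1_LINK

if __name__ == "__main__":
    for label, table in (("BGP down", BGP_DOWN), ("BGP up", BGP_UP)):
        for src in ("70.246.168.138", "70.254.55.2"):
            print(label, src, "->", return_path(src, table))
```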
 

Author Comment

by:pcantrell76
ID: 35207877
BigBlake, I apologize it has taken me so long to respond. The primary router config is attached. After several tests with the isp, it appears our T1 WIC went bad.

Can you check my thinking on this thought also? I've been doing a lot of reading.

I think the isp (AT&T) DOES know how to route packets to the 70.254.55.0/24 network, but it is just not through them at the moment, it's through the 2nd isp. I say this b/c we have BGP routing the 70.254.55.0/24 range down both providers, but right now since the T1 link on the AT&T side is down, then BGP has updated all routes for the 70.254.55.0/24 range to the other isp. So, my ping replies *I think* were being routed back out across the internet to the 2nd isp and therefore never making it back to my laptop. Is that right?

Also, if you look at the BGP config, you will see the AS number for each provider. I have another question on the 'ip as-path access-list'  - What does the ^$ do? I see the other line which specifies a specific AS number, but this one does not. I don't understand what this means.

Thank you in advance.

config.txt
0
 
LVL 1

Accepted Solution

by:
BigBlake earned 125 total points
ID: 35211420
pcantrell76,

Thanks for the config from the main router, now I can visualise things properly :). Yes you were spot on, the return pings would definitely come back down the secondary internet connection because that was the only one actually hearing a route advertised to the 70.254.55.0 Network.

So it looks like we have two options to get things going through the primary link again.

Option 1 is to swap out the routers and not have the 'backup' link through Suddenlink. (Although the config has multiple interfaces, it looks like you are only using three: AT&T on S0/0/0, Suddenlink on FA0/0/0 / vlan 2 and the 70.254.55.0 network on FA 0/1.) If you are willing to sacrifice the 'backup' link via FA 0/0/0 then you have enough interfaces already on the backup router.

You would need to add the BGP and access-list part of the configuration to the backup router and physically swap it with the original router and it should start working again.  There would be no need to weight the outgoing routes.

access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 216.221.32.0 0.0.31.255 any
access-list 101 deny   ip host 210.73.76.6 any
access-list 101 deny   ip host 207.21.242.4 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 0.255.255.255 any
access-list 101 deny   ip 240.0.0.0 0.255.255.255 any
access-list 101 deny   ip 248.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 66.82.120.46 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   udp any any eq 135
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   udp any any eq netbios-dgm
access-list 101 deny   udp any any eq netbios-ss
access-list 101 deny   udp any any eq 9889
access-list 101 deny   udp any any eq 445
access-list 101 deny   udp any any eq 1434
access-list 101 deny   tcp any any eq 4444
access-list 101 deny   tcp any any eq 135
access-list 101 deny   tcp any any eq 137
access-list 101 deny   tcp any any eq 138
access-list 101 deny   tcp any any eq 139
access-list 101 deny   tcp any any eq 445
access-list 101 deny   tcp any any eq 5554
access-list 101 deny   tcp any any eq 9996
access-list 101 permit udp any any
access-list 101 permit tcp any any
access-list 101 permit icmp any any
access-list 101 permit ip any any

Int Serial 0/0.1
 ip access-group 101 in
 ip access-group 101 out

router bgp 36484
 no synchronization
 bgp router-id 70.254.55.1
 bgp log-neighbor-changes
 network 70.254.55.0 mask 255.255.255.0
 neighbor 70.246.168.137 remote-as 7132
 neighbor 70.246.168.137 description ASXXX - SBC T1
 neighbor 70.246.168.137 password xxxxxxxxxxxxxxxxx
 neighbor 70.246.168.137 version 4
  no auto-summary

Just make sure the router is disconnected from the T1 when you make the - As soon as the AT&T network hears the advertisements from your router it will start sending everything back down this link rather than the backup link, which could break things for customers on AT&T's network.

The advantage of doing things this way is that there would be a small outage as you swapped the two routers over, but then the core router is already offline ready to have the T1 card replaced.

Option 2 would be to set up both routers in tandem - one for each connection. This is a bit more complex and would require changes to the config on the primary router as well.

1. Change the IP address on the eth 0/0 interface for your backup router. Say we make it 70.245.55.254 as an example.

2. Plug it into your WAN network so it is on the same network as the main router's 0/1 interface.

3. Set up BGP routing on the backup router so the AT&T network learns where you are again.
router bgp 36484
 no synchronization
 bgp router-id 70.254.55.2
 bgp log-neighbor-changes
 network 70.254.55.0 mask 255.255.255.0
 neighbor 70.246.168.137 remote-as 7132
 neighbor 70.246.168.137 description ASXXX - SBC T1
 neighbor 70.246.168.137 password xxxxxxxxxxxxxxxxx
 neighbor 70.246.168.137 version 4
 neighbor 70.246.168.137 prefix-list tll-ebgp2 out
 neighbor 70.245.55.1 remote-as 36484
 no auto-summary

4. Remove PART of the BGP config from the main router
router bgp 36484
 no neighbor 70.246.168.137 remote-as 7132
 no neighbor 70.246.168.137 description ASXXX - SBC T1
 no neighbor 70.246.168.137 password xxxxxxxxxxxxxxxxx
 no neighbor 70.246.168.137 version 4
 no neighbor 70.246.168.137 prefix-list tll-ebgp2 out

5. Add a BGP statement for the backup router to the Primary router
router bgp 36484
 neighbor 70.245.55.254 remote-as 36484

There would then be more tweaking required for the route-maps and weights for the outgoing traffic as the primary link is no longer directly connected to the Primary router. I assume you would also still have an outage as you replaced the failed WIC because the primary router is holding the default gateway for the 70.245.55.0 network. In terms of a quick return to full bandwidth with minimal interruption to service I would definitely recommend option 1. It also means you can plug the old router back in if I have missed something because we have not changed its configuration!

As for the "ip as-path access-list 10 permit ^$" command, the ^$ part stops your router from advertising nonlocal routes (to other ISPs' networks) to the connected networks. Otherwise you might find you are suddenly carrying traffic from AT&T's customers to servers hosted on the Suddenlink network or vice versa.

Have a look at this website for a more detailed explanation.

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009456d.shtml
0
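Added example (not part of the original thread or the poster's config): a small evaluator for an AS-path access-list, showing that `^$` permits only routes with an empty AS path (locally originated) and that a permit-all list would re-advertise one provider's routes to the other. It goes slightly beyond `^$` by also translating the Cisco `_` delimiter token; the non-local prefixes, AS 64496 and AS 64500/64501 are constructed placeholders, and AS 7132 is the AT&T neighbor AS from the thread.

```python
import re

def cisco_to_python(pattern):
    """Translate the Cisco '_' token (a delimiter, or start/end) for re."""
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")

def as_path_permits(acl, as_path):
    """First matching entry wins; the list ends in an implicit deny."""
    text = " ".join(str(asn) for asn in as_path)
    for action, pattern in acl:
        if re.search(cisco_to_python(pattern), text):
            return action == "permit"
    return False

def advertised(acl, bgp_table):
    """Prefixes that survive the outbound AS-path filter."""
    return [prefix for prefix, path in bgp_table if as_path_permits(acl, path)]

# ip as-path access-list 10 permit ^$
ACL_10 = [("permit", "^$")]
# Hypothetical permit-everything list, for contrast only.
ACL_OPEN = [("permit", ".*")]

# Constructed BGP table as seen on the customer router (AS 36484).
BGP_TABLE = [
    ("70.254.55.0/24", []),               # locally originated: empty AS path
    ("198.51.100.0/24", [7132, 64496]),   # constructed: learned via AT&T
    ("203.0.113.0/24", [64500, 64501]),   # constructed: learned via 2nd ISP
]

if __name__ == "__main__":
    print("with ^$ :", advertised(ACL_10, BGP_TABLE))
    print("with .* :", advertised(ACL_OPEN, BGP_TABLE))
```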
 

Author Closing Comment

by:pcantrell76
ID: 35215161
Thanks BigBlake, I really appreciate the assistance (and the education). I'm not sure which way I will go yet but this gives me well defined options.

Thanks again!
0
