Improve company productivity with a Business Account.Sign Up

x
?
Solved

Unable to access, via telnet, Serial IP on MPLS network

Posted on 2012-03-21
13
Medium Priority
?
868 Views
Last Modified: 2012-07-16
I have an MPLS network with 40 locations.  I can telnet to any Cisco router at the sub locations via internal ip address.  However, I'm unable to telnet to the public serial IP address of the routers (which as you know is extremely handy when making vlan changes remotely).

Any ideas on how to correct this?
0
Comment
Question by:sstire
11 Comments
 

Author Comment

by:sstire
ID: 37748608
These are Cisco 2800 series routers.
0
 
LVL 2

Expert Comment

by:BDC-Net
ID: 37749196
Do you have routes to those subnets? Can you ping them? You might try telneting from the host router (the one connected to the MPLS cloud).

There could also me an ACL limiting what IP addresses can be connected to via telnet on the routers.
0
 

Author Comment

by:sstire
ID: 37765959
I'm using vlans and I can ping anything internally such as connected VLANS on those routers.  There are not any ACL's affecting this.  I cant telnet to the serial address from the router that I'm trying to access though...
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 

Author Comment

by:sstire
ID: 38175597
Anybody have any experience with MPLS that can help in this?  It'd be nice to be able to telnet to the serial interface of the router and complete the configuration changes from there.  

I used to be able to do this on a standard data t1, but since switching to MPLS circuits, I can only telnet to internal private IP's.  

I know there must be a way to do this, because AT&T can telnet to the serial interface of our router from their demarc, and make changes in an emergency.
0
 
LVL 43

Expert Comment

by:kevinhsieh
ID: 38180418
Please post router configuration, especially the serial interfaces and the line vty sections. Also, can you actually ping the serial interface? I can imagine configurations where you wouldn't have any access to that interface.

If you add loopback interfaces to the routers, you should be able to ssh to the loopback interface and still maintain access even if you shut down or break the Ethernet interfaces, as long as you still have a route through the serial interface.

FWIW, you should not use telnet, nor allow AT&T to use telnet (get it in the contract). Use SSH, as telnet in insecure, can be sniffed for passwords, commands can be modified in transit, etc.
0
 

Author Comment

by:sstire
ID: 38180615
!
controller T1 0/2/0
 channel-group 0 timeslots 1-24
!

interface Serial0/2/0:0
 ip address 12.11.5.234 255.255.255.252 (not actual IP address-obviously)
 encapsulation ppp
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 authorization exec local_authen
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 privilege level 15
 authorization exec local_authen
 login authentication local_authen
 transport input telnet ssh
0
 
LVL 43

Expert Comment

by:kevinhsieh
ID: 38180730
Okay, can you PING the serial IP? I agree that there appears to be no access-list on either the serial interface or the vty interface. That doesn't mean that you have a route to the serial interface, nor does it mean that AT&T isn't filtering the traffic anyway.
0
 

Author Comment

by:sstire
ID: 38180841
I can ping the serial ip and also telnet/ssh when I'm ON the local network.  However, remotely or from any other location-I'm unable to.  This is also an MPLS meshed network.
0
 
LVL 43

Expert Comment

by:kevinhsieh
ID: 38180913
I believe that you need to talk to your MPLS provider. They may (and probably should) be filtering the traffic.
0
 
LVL 17

Accepted Solution

by:
pergr earned 1500 total points
ID: 38182183
The problem must be that the network (above 12.11.5.234/30 ) is not being advertised in the MPLS network.

To solve it we need to know what routing you have set up. Possibly, you just run static routing, with a default route on each Cisco towards the MPLS cloud, and your provider has a static route to each site with its local network.

If that is the case, then your provider needs to include the local/connected networks in your "vrf routing table".

If you have a protocol running (like OSPF or BGP) then you may be able to do that advertising yourself.
0
 

Author Closing Comment

by:sstire
ID: 38191222
I added the serial interface IP address in the advertised bgp networks on that router, and then added a static route on the core router to AT&T's router.  When that was done, I could ping the serial interface and ssh into it.  It works! No more burnt bridges!
0

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question