Solved

Unable to access, via telnet, Serial IP on MPLS network

Posted on 2012-03-21
Last Modified: 2012-07-16
I have an MPLS network with 40 locations. I can telnet to any Cisco router at the sub locations via internal IP address. However, I'm unable to telnet to the public serial IP address of the routers (which as you know is extremely handy when making VLAN changes remotely).

Any ideas on how to correct this?
0
Question by:sstire
13 Comments
 

Author Comment

by:sstire
These are Cisco 2800 series routers.
0
 
LVL 2

Expert Comment

by:BDC-Net
Do you have routes to those subnets? Can you ping them? You might try telnetting from the host router (the one connected to the MPLS cloud).

There could also be an ACL limiting what IP addresses can be connected to via telnet on the routers.
0
 

Author Comment

by:sstire
I'm using VLANs and I can ping anything internally, such as connected VLANs on those routers. There are not any ACLs affecting this. I can't telnet to the serial address from the router that I'm trying to access though...
0
 

Author Comment

by:sstire
Anybody have any experience with MPLS that can help in this? It'd be nice to be able to telnet to the serial interface of the router and complete the configuration changes from there.

I used to be able to do this on a standard data T1, but since switching to MPLS circuits, I can only telnet to internal private IPs.

I know there must be a way to do this, because AT&T can telnet to the serial interface of our router from their demarc, and make changes in an emergency.
0
 
LVL 42

Expert Comment

by:kevinhsieh
Please post router configuration, especially the serial interfaces and the line vty sections. Also, can you actually ping the serial interface? I can imagine configurations where you wouldn't have any access to that interface.

If you add loopback interfaces to the routers, you should be able to ssh to the loopback interface and still maintain access even if you shut down or break the Ethernet interfaces, as long as you still have a route through the serial interface.

FWIW, you should not use telnet, nor allow AT&T to use telnet (get it in the contract). Use SSH, as telnet is insecure, can be sniffed for passwords, commands can be modified in transit, etc.
0
 

Author Comment

by:sstire
!
controller T1 0/2/0
 channel-group 0 timeslots 1-24
!

interface Serial0/2/0:0
 ! not actual IP address, obviously
 ip address 12.11.5.234 255.255.255.252
 encapsulation ppp
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 authorization exec local_authen
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 privilege level 15
 authorization exec local_authen
 login authentication local_authen
 transport input telnet ssh
0
 
LVL 42

Expert Comment

by:kevinhsieh
Okay, can you PING the serial IP? I agree that there appears to be no access-list on either the serial interface or the vty interface. That doesn't mean that you have a route to the serial interface, nor does it mean that AT&T isn't filtering the traffic anyway.
0
 

Author Comment

by:sstire
I can ping the serial IP and also telnet/ssh when I'm ON the local network. However, remotely or from any other location, I'm unable to. This is also an MPLS meshed network.
0
 
LVL 42

Expert Comment

by:kevinhsieh
I believe that you need to talk to your MPLS provider. They may (and probably should) be filtering the traffic.
0
 
LVL 17

Accepted Solution

by:
pergr earned 500 total points
The problem must be that the network (above 12.11.5.234/30) is not being advertised in the MPLS network.

To solve it we need to know what routing you have set up. Possibly, you just run static routing, with a default route on each Cisco towards the MPLS cloud, and your provider has a static route to each site with its local network.

If that is the case, then your provider needs to include the local/connected networks in your "vrf routing table".

If you have a protocol running (like OSPF or BGP) then you may be able to do that advertising yourself.
0
 

Author Closing Comment

by:sstire
I added the serial interface IP address in the advertised BGP networks on that router, and then added a static route on the core router to AT&T's router. When that was done, I could ping the serial interface and ssh into it. It works! No more burnt bridges!
0
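
An added example, not part of the original thread or any poster's code: a small Python audit of an IOS config for the two points raised above, whether each interface's connected network is advertised in BGP (the accepted solution) and whether the vty lines still accept telnet or lack an access-class (kevinhsieh's advice on SSH). Once the serial /30 is advertised, the vty lines are reachable from every site in the VRF, so both checks belong together. The BGP stanza, AS 65001 and the 10.20.30.0/24 LAN in the sample are constructed placeholders, and `network` statements without a mask are not handled.

```python
import ipaddress
import re

# Constructed sample: thread's serial/vty lines plus an assumed BGP stanza.
SAMPLE_CONFIG = """\
interface Serial0/2/0:0
 ip address 12.11.5.234 255.255.255.252
!
router bgp 65001
 network 10.20.30.0 mask 255.255.255.0
!
line vty 0 4
 privilege level 15
 transport input telnet ssh
"""

def sections(config):
    """Group an IOS config into {top-level command: [indented sub-commands]}."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # '!' or blank ends a section
        elif not line.startswith(" "):
            current = line.strip()
            out[current] = []
        elif current:
            out[current].append(line.strip())
    return out

def audit(config):
    """Return findings for unadvertised connected networks and weak vty lines."""
    secs, findings, advertised, redist = sections(config), [], set(), False
    for header, body in secs.items():
        if header.startswith("router bgp"):
            redist = redist or any(c.startswith("redistribute connected") for c in body)
            for m in filter(None, (re.match(r"network (\S+) mask (\S+)", c) for c in body)):
                advertised.add(ipaddress.ip_network("/".join(m.groups())))
    for header, body in secs.items():
        if header.startswith("interface") and not redist:
            for m in filter(None, (re.match(r"ip address ([\d.]+) ([\d.]+)", c) for c in body)):
                net = ipaddress.ip_interface("/".join(m.groups())).network
                if net not in advertised:
                    findings.append(f"{header}: {net} not advertised in BGP")
        if header.startswith("line vty"):
            if any(c.startswith("transport input") and "telnet" in c.split() for c in body):
                findings.append(f"{header}: telnet allowed, use 'transport input ssh'")
            if not any(c.startswith("access-class") for c in body):
                findings.append(f"{header}: no access-class limiting source addresses")
    return findings
```

Run `audit()` over each site's saved running-config; an empty list means the serial network is advertised and the vty lines are SSH-only with a source restriction.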
