Test lab setup - need access to production network

Nov 16th, 2007

Hello there,


I am currently trying to set up a small test lab with which to test certain networking features and whatever else I need to test. I'd like to keep the test lab on a separate network, plus I need to be able to access the production network from the test lab -- with the goal being to analyze traffic coming from my machine while performing day-to-day tasks and manipulating the traffic without affecting the rest of the network.


Right now I have my laptop connected to a Cisco 1711 router. The router has a built-in switch. Here is the physical topology:


<laptop>--<1711 test router>--<2960xl production switch>--<3560G core switch>--<core router>--<ATM / MPLS WAN>


The ethernet interface of the 1711 is connected to the production switch. My laptop is connected to the built-in switch. My laptop is on a 192.168.1.0/24 network, the ethernet interface has an IP on the production network.


So far I'm able to access my local network. At first I was only able to access the local network if an entry in the test router's ARP table existed for that host. That problem disappeared after changing some settings. I wasn't able to completely solve the problem, but this morning the problem appeared to go away on its own.


The problem I have now is I'm unable to contact any remote networks on our WAN. Using static routes, I'm pretty sure both networks have routes going to each other (the test 1711 router can ping remote networks but the connected laptop can't).


Here is the config for the 1711.


!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ldntst1711
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 critical
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
no crypto isakmp enable
!
!
!
interface FastEthernet0
 ip address <IP of production network> <subnet mask>
 no ip proxy-arp
 speed auto
 full-duplex
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip broadcast-address 192.168.1.255
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 <core router IP>
ip route <production network address> <subnet mask> <core router IP>
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
 password xxx
 login
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
!
end


The routing table for my core router contains:


S 192.168.1.0/24 [1/0] via <test 1711 production IP>


The routing table for the remote network router contains:


S 192.168.1.0/24 [1/0] via <next hop for remote networks> (basically configured the same as our production subnets are in the routing table)


Any ideas or troubleshooting steps I can perform (debug commands, etc) would be greatly appreciated.


Thanks

Nicholas Poole Fri, 11/16/2007 - 11:01

...S 192.168.1.0/24 [1/0] via


Is this the core, or another router which might need static routes adding?


Also, why have you got the broadcast address set? It really shouldn't need it.

bishop777 Fri, 11/16/2007 - 11:17

I'm not entirely sure, I think it may be the next hop on the MPLS network?


The WAN interface for the remote router with that route is x.x.1.1 and the next hop is x.x.1.2 ... all of the routes to the remote locations on that router use that as the next hop, though (it's on a different network than our production network is). The remote router has a static route going to that network, using that address as the next hop. The core router has a route to 192.168.1.0.


I've tried using the IP of the core router at my location, with the same result.


I can remove the broadcast address, I didn't think it was needed either, just added it as a troubleshooting step.

bishop777 Tue, 11/20/2007 - 10:51

Just an update on this - apparently the ISP won't allow all traffic across their WAN, we need to let them know in advance to allow certain networks to be allowed through. That's why this isn't working -- it's apparently blocked from their ATM switch or whatever the next hop is.
