02-03-2009 09:26 AM - edited 03-06-2019 03:50 AM
Hello,
I have a bit of a problem. Up until today, we had RIP running on our PTP and frame routers. I migrated to EIGRP and internally everything looks fine, and all devices can contact each other. The only issue I have is a few of our remote offices can not access the internet.
The office affected are the ones directly connected to our main router. The main site has no issues with internet either.
Packets just seem to get to the main router and get dropped.
Here is the main routers config. Some has been edited to fit the post.
interface FastEthernet0/0
description connected to EthernetLAN_1
ip address 192.168.0.254 255.255.255.0
ip policy route-map WWW_Traffic
speed auto
full-duplex
no cdp enable
!
interface Serial0/0
description connection to village
ip address 192.168.108.2 255.255.255.0
no ip mroute-cache
!
interface Serial0/1
description connection to east
ip address 192.168.102.2 255.255.255.0
no ip mroute-cache
fair-queue
!
interface Serial0/1.4
!
interface Serial1/0
description connection to warehouse
ip address 192.168.104.2 255.255.255.0
!
interface Serial1/1
no ip address
encapsulation frame-relay
no fair-queue
frame-relay lmi-type ansi
!
interface Serial1/1.1 point-to-point
ip address 192.168.205.2 255.255.255.0
!
interface Serial1/1.2 point-to-point
description connection to East Hampton
ip address 192.168.105.2 255.255.255.0
frame-relay interface-dlci 17
!
interface Serial1/1.3 point-to-point
description connetcion to watermill
ip address 192.168.103.2 255.255.255.0
frame-relay interface-dlci 18
!
interface Serial1/1.4 point-to-point
description connetcion to tutto
ip address 192.168.110.2 255.255.255.0
frame-relay interface-dlci 19
!
interface Serial1/1.5 point-to-point
description connetcion to tutto
ip address 192.168.110.4 255.255.255.0
shutdown
frame-relay interface-dlci 20
!
router eigrp 10
network 192.168.0.0
network 192.168.102.0
network 192.168.103.0
network 192.168.105.0
network 192.168.108.0
network 192.168.110.0
auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
no ip http server
!
!
access-list 199 permit tcp any any eq www
access-list 199 permit tcp any any eq 443
access-list 199 permit udp any any eq domain
dialer-list 1 protocol ip permit
!
route-map WWW_Traffic permit 10
match ip address 199
set ip next-hop 192.168.0.15
!
route-map WWW_Traffic permit 20
!
end
Headquarters#
02-03-2009 09:49 AM
Hi
I think u r facing the issue with eigrp split horizon,disable it under u r serial1/1 interface and check.
Thanks
Mahmood
02-03-2009 10:04 AM
Mahmoud:
Why would split horizon pose a problem on sub-interfaces that are configured as point-to-point?
Fret:
Perhaps giving us more topological information would help us.
Give a specific example of one remote site that does not have Internet access.
Can you post the config of that remote router that does not have Internet access?
What sits in front of the core router? A firewall?
Have you checked the routing tables HOP-BY-HOP to make sure that each device has a route to the destination network it is supposed to be forwarding traffic to?
HTH
Victor
02-03-2009 10:08 AM
I tried the no "ip split-horizon eigrp 10" command on each interface and still have the same issue.
02-03-2009 10:17 AM
Hi
Victor
Thanks for pointing my mistake as i didnt read the post carefully.
Thanks
Mahmood
02-03-2009 10:34 AM
Victor,
Here is the "show IP route" on the core router.
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
D 192.168.107.0/24
[90/2172416] via 192.168.0.251, 01:30:27, FastEthernet0/0
D 192.168.104.0/24
[90/2172416] via 192.168.0.249, 01:30:29, FastEthernet0/0
C 192.168.105.0/24 is directly connected, Serial1/1.2
D 192.168.8.0/24 [90/2172416] via 192.168.108.1, 00:20:21, Serial0/0
C 192.168.110.0/24 is directly connected, Serial1/1.4
D 192.168.9.0/24 [90/2174976] via 192.168.0.249, 01:30:29, FastEthernet0/0
D 192.168.10.0/24 [90/2172416] via 192.168.110.1, 01:29:13, Serial1/1.4
C 192.168.108.0/24 is directly connected, Serial0/0
D 192.168.109.0/24
[90/2172416] via 192.168.0.249, 01:30:29, FastEthernet0/0
D 192.168.4.0/24 [90/2174976] via 192.168.0.249, 01:30:29, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.1.1.0/24 [90/2174976] via 192.168.105.1, 01:29:38, Serial1/1.2
D 10.1.1.109/32 [90/2174976] via 192.168.105.1, 01:29:38, Serial1/1.2
D 192.168.6.0/24 [90/2172416] via 192.168.105.1, 01:29:38, Serial1/1.2
D 192.168.7.0/24 [90/2174976] via 192.168.0.251, 01:30:27, FastEthernet0/0
C 192.168.0.0/24 is directly connected, FastEthernet0/0
C 192.168.102.0/24 is directly connected, Serial0/1
C 192.168.205.0/24 is directly connected, Serial1/1.1
C 192.168.103.0/24 is directly connected, Serial1/1.3
D 192.168.2.0/24 [90/2172416] via 192.168.102.1, 01:30:21, Serial0/1
D 192.168.3.0/24 [90/2172416] via 192.168.103.1, 01:29:40, Serial1/1.3
S* 0.0.0.0/0 [1/0] via 192.168.0.1
Here is the config and routing table on the router attached to int S0/1
ip subnet-zero
ip dhcp excluded-address 192.168.2.1 192.168.2.60
ip dhcp excluded-address 192.168.2.200 192.168.2.230
!
ip dhcp pool Eastside
network 192.168.2.0 255.255.255.0
dns-server 192.168.0.2 192.168.0.3
netbios-name-server 192.168.0.2 192.168.0.3
default-router 192.168.2.1
!
!
interface FastEthernet0
ip address 192.168.2.1 255.255.255.0
speed auto
full-duplex
!
interface Serial0
ip address 192.168.102.1 255.255.255.0
!
router eigrp 10
network 192.168.2.0
network 192.168.102.0
auto-summary
no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.102.2
no ip http server
!
!
end
Gateway of last resort is 192.168.102.2 to network 0.0.0.0
D 192.168.107.0/24 [90/2684416] via 192.168.102.2, 01:33:32, Serial0
D 192.168.104.0/24 [90/2684416] via 192.168.102.2, 01:33:32, Serial0
D 192.168.105.0/24 [90/2681856] via 192.168.102.2, 01:33:32, Serial0
D 192.168.8.0/24 [90/2684416] via 192.168.102.2, 00:23:34, Serial0
D 192.168.110.0/24 [90/2681856] via 192.168.102.2, 01:33:32, Serial0
D 192.168.9.0/24 [90/2686976] via 192.168.102.2, 01:33:32, Serial0
D 192.168.10.0/24 [90/2684416] via 192.168.102.2, 01:32:25, Serial0
D 192.168.108.0/24 [90/2681856] via 192.168.102.2, 01:33:32, Serial0
D 192.168.109.0/24 [90/2684416] via 192.168.102.2, 01:33:32, Serial0
D 192.168.4.0/24 [90/2686976] via 192.168.102.2, 01:33:32, Serial0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.1.1.0/24 [90/2686976] via 192.168.102.2, 01:32:50, Serial0
D 10.1.1.109/32 [90/2686976] via 192.168.102.2, 01:32:50, Serial0
D 192.168.6.0/24 [90/2684416] via 192.168.102.2, 01:32:50, Serial0
D 192.168.7.0/24 [90/2686976] via 192.168.102.2, 01:33:33, Serial0
D 192.168.0.0/24 [90/2172416] via 192.168.102.2, 01:33:33, Serial0
C 192.168.102.0/24 is directly connected, Serial0
D 192.168.103.0/24 [90/2681856] via 192.168.102.2, 01:33:33, Serial0
C 192.168.2.0/24 is directly connected, FastEthernet0
D 192.168.3.0/24 [90/2684416] via 192.168.102.2, 01:32:52, Serial0
S* 0.0.0.0/0 [1/0] via 192.168.102.2
02-03-2009 10:36 AM
and victor, there are two firewall attached to the network. one is the 192.168.0.1 address and teh other is the 192.168.0.15 addressin the main config.
The topolgy of the network is mostly hub and spoke, at least for the serial connection on the main router.
02-03-2009 10:54 AM
Hello, you've mentioned the following:
The only issue I have is a few of our remote offices can not access the internet.
I assume that the the users are not able to browse to the web but have you check if you are able to ping or browse to web site using the ip address instead of the site name? Trying to suggest to see of the routing is really the issue. If you are able to ping to an internet ip address then the routing obviuosly is okay and the issue is somewhere else.
02-03-2009 11:59 AM
Add something besides Bob's suggestion.
1. All internet traffic coming from those serial links will go throuth the firewall 192.168.0.1. Does internet not work for all remote sites which are connected via those serial links on core router?
2. You have a PBR configured under LAN interface which will redirect all web traffic to firewall 192.168.0.15. Do you know if you web traffic in main site use a different firewall?
02-03-2009 12:30 PM
Sorry for any confusion.
Until I changed from RIP to EIGRP this morning, everything worked fine. All sites had internet, and could communicate with no issues. Once I implimented eigrp, and removed RIP from the routers, that is when the 4 remote offices lost internet. but they can communicate to our servers here at the main site.
I removed the ip olicy from fa0/0 on the main router, but that did not help.
I know I could alway impliment RIP again, but that is not the resolution to me. Apparently something is wrong with my config, and would rather fix this issue.
We have two connections to the internet. One connection, 192.168.0.15, is solely interent traffic, that is why the IP policy is applied to fa0/0. All other traffic goes out the other firewall at 192.168.0.1.
I did not configure this network. So i am slowly fixing things, or breaking as it seems today.
I have to assume it has to do with the main router and the serial interfaces connected to it, as none of the other sites have any issues connected to other routers
02-03-2009 12:34 PM
In that case, cau you try to apply that PBR under one of your serial interface to see if it helps?
02-03-2009 12:38 PM
Fret:
Assuming these remote sites have no Internet connectivity, whether IP or name addresses are used, you would have to finish verifying the routing.
The spoke defaults to the core, and the core has a policy (which I recommend you put back in place for now so as not to create any new issues) that forwards Internet traffic to the 0.15 FW.
Does that FW have a route back to the source network behind the spoke?
If you're routing has been verified in BOTH directions, hop-by-hop, check to see if there are any ACLs that are blocking traffic to the source subnet behind the spoke.
02-03-2009 12:13 PM
it there suppose the be a dlci on subint
=====
interface Serial1/1.1 point-to-point
ip address 192.168.205.2 255.255.255.0
02-03-2009 12:18 PM
it there suppose the be a dlci on subint
=====
interface Serial1/1.1 point-to-point
ip address 192.168.205.2 255.255.255.0
02-03-2009 12:36 PM
sorry for the confusion on this. That cicuit is not in service.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide