Help with Cisco 871-K9

Answered Question
Sep 9th, 2009

Hi everyone! I'm having trouble with my 871 router.


My problem is the following.


It starts like this:

My ISP gives me an address by DHCP; it is connected to a 1841 (Fe 0/1). On Fe0/0 I assign 10.22.1.1, and by DHCP on my 871 I get the IP the router gives me.

Now, in the 871, as you can see in the attachment, everything's configured. I can ping everything except my computer, with the IP 10.22.2.3 and gateway 10.22.2.1 (Vlan1). Then, I ping from my computer to the Vlan1 (inside) and the Fe4 port (outside) and it works, but I don't have access to the web. Nor can I ping 10.22.1.2, which is the 1841 router.

Any ideas of what I'm doing wrong?


The 1841 is working perfectly and it's NATting the public IP into private.



Jerry Ye Wed, 09/09/2009 - 16:54
User Badges:
  • Cisco Employee,

Are you saying the 1841 assigns an IP address to the 871 via DHCP? And can you confirm your topology is the following:


Internet <->(F0/1) 1841 (F0/0)<->(F4) 871 (VL1)<-> PC


If this is what you have, the default route on the 871 is incorrect; it should look like the following:


ip route 0.0.0.0 0.0.0.0 10.22.1.1

or

ip route 0.0.0.0 0.0.0.0 f4


HTH,

jerry

martinsajon Wed, 09/09/2009 - 17:15

Jerry, The topology is correct, now I'm correcting the IP route, and I'll let you know.

martinsajon Wed, 09/09/2009 - 17:29

Jerry, I'm still having the same problem. I can't access the internet and, from the router (871), when I ping the computer 10.22.2.3 I get no answer, but the computer can ping F4 and Vl1, but can't ping 10.22.1.2, which is the 1841.

Jerry Ye Wed, 09/09/2009 - 18:01

Okay, does the 1841 have a return route back to the 871's network (10.22.2.0/29)? BTW, why are you doing DHCP on the 871's F4 interface? There might be a small issue with configuring a static route on the 1841.


If you configure static IP address on the 871, you can configure something like this in the 1841


ip route 10.22.2.0 255.255.255.248 10.22.1.x


where 10.22.1.x is the IP address of the 871's F4 interface.


HTH,

jerry

martinsajon Wed, 09/09/2009 - 18:32

I've changed the config to static. Every ping works except the one to the computer; I'm in the same situation. I can't ping the computer from the router and I can't access the internet.

Jerry Ye Wed, 09/09/2009 - 18:38

Okay, if the PC cannot ping the 871, can you post the output of ipconfig /all on CMD and the show run of the 871? If you don't mind, the show run of the 1841 will be great also.


I also want to know if you have the Windows FW turned on. Turning that off would help troubleshooting.


Regards,

jerry

martinsajon Wed, 09/09/2009 - 18:42

No, the 871 can't ping the PC. Now, with the ip route you gave me, the PC pings everything: the cable modem, the 1841, the 871.

The 871 is still not pinging the PC and I'm still without internet access.

I don't have the firewall on.

Thanks in advance for your patience.

Jerry Ye Wed, 09/09/2009 - 18:54

Okay, can you post the output of ping x.x.x.x source vlan 1, where x.x.x.x is the IP of the PC. And I would like to see the output of show ip arp also.


Regards,

jerry

Correct Answer
Jerry Ye Wed, 09/09/2009 - 19:05

I see the problem on your 1841: you need to add the following to your NAT ACL. The 10.22.2.0/29 network is not being caught by that ACL for NAT to the internet.


access-list 10 permit 10.22.2.0 0.0.0.7


So, the end result of access-list 10 should look like this on the 1841


access-list 10 permit 10.22.1.0 0.0.0.255

access-list 10 permit 10.22.2.0 0.0.0.7


HTH,

jerry
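
Added example (not part of the thread): a small Python model of how IOS matches a standard ACL's wildcard masks, showing why the PC at 10.22.2.3 was not selected for NAT until the second entry was added, and why a new 10.22.100.0/24 VLAN would need its own entry. It assumes ACL 10 originally held only the 10.22.1.0 entry, as the "end result" listing implies; the function and variable names are illustrative.

```python
import ipaddress

def parse_standard_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> <wildcard>' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        addr = int(ipaddress.IPv4Address(parts[3]))
        wildcard = int(ipaddress.IPv4Address(parts[4]))
        entries.append((action, addr, wildcard))
    return entries

def acl_permits(entries, source):
    """First matching entry wins; no match means the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action == "permit"
    return False

# Assumed state of ACL 10 on the 1841 before the fix (not shown in the thread).
BEFORE = parse_standard_acl(["access-list 10 permit 10.22.1.0 0.0.0.255"])
# End result quoted in the answer above.
AFTER = parse_standard_acl([
    "access-list 10 permit 10.22.1.0 0.0.0.255",
    "access-list 10 permit 10.22.2.0 0.0.0.7",
])

if __name__ == "__main__":
    # 10.22.2.3 is the PC, 10.22.1.25 the 871's F4 address (both from the thread);
    # 10.22.2.9 and 10.22.100.10 are constructed hosts outside the permitted ranges.
    for host in ("10.22.1.25", "10.22.2.3", "10.22.2.9", "10.22.100.10"):
        print(f"{host:14} NAT before fix: {acl_permits(BEFORE, host)!s:5} "
              f"after fix: {acl_permits(AFTER, host)}")
```
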

martinsajon Wed, 09/09/2009 - 19:14

Jerry !!! YES AWESOME it works, thank you very much for your help and patience, and I need to review my ccna books again! hehe

A final question, sorry to bother: I have a 2960 switch already configured, so I would connect it to the 871. How do I have to do it? Because I can't make subinterfaces on L2, would I need to do them on the 1841?

Correct Answer
Jerry Ye Wed, 09/09/2009 - 19:20

Glad that fixed the problem.


Do you want to connect the C2960 to the 871 or 1841? If you are connecting that to the 871's VLAN 1, you only have 5 addresses (- the default GW on the 871) for the C2960. You can try to put one of the ports on the 871 in VLAN X and put a different subnet on VLAN X, but remember to add a route on the 1841 to point back to the 871 and change ACL 10 to include that with NAT.


Here is an example


interface f3

switchport access vlan 2

interface vlan X

no shut

ip address 10.22.100.1 255.255.255.0


Regards,

jerry

martinsajon Wed, 09/09/2009 - 19:27

I want to connect it to the 871, as you said, I will put one port (F3) on a new vlan (vlan2) and I'll put a new subnet.

One more thing, do I need to put in port F3 Trunk mode?

Jerry Ye Wed, 09/09/2009 - 19:29

No, it can be an access port if you just want to support a single subnet. I don't think the 871 will support more than 2 VLANs.


Regards,

jerry

martinsajon Thu, 09/10/2009 - 04:40

Jerry, everything's working but I'm having a very slow connection with the 871. Am I missing any command?

I'm connected directly with another computer to the 1841, and it's working normally.

Jerry Ye Thu, 09/10/2009 - 05:00

Can you check on the 871 which process is using lots of CPU cycles?


show proc cpu


Also, how many PCs are behind the 871?


Also can you remove this command on interface F4


ip flow ingress


This is for netflow, and I don't see you have any netflow collector configured.


Please keep in mind that 871 is a low end router, and the performance is much lower than the 1800 series.


HTH,

jerry

martinsajon Thu, 09/10/2009 - 05:50

Jerry, I've attached the results. I've just removed the ip flow ingress command.

And I'm only using one computer at this time, I know 871 has a lower performance, but the web pages take too long to open, and I can't even open messenger.



martinsajon Thu, 09/10/2009 - 06:02

For your consideration, I'm now downloading an Excel file, and the transfer rate is about 1.2KB/sec; meanwhile, here on my laptop it is about 412KB/sec.

Jerry Ye Thu, 09/10/2009 - 06:20

Your CPU process looks fine. Could you please do the following commands


no service tcp-keepalives-in

no service tcp-keepalives-out

no ip reflexive-list timeout 120

no ip ssh source-interface FastEthernet0

no logging source-interface FastEthernet0


Troubleshooting latency is pretty complicated. There might be lots of TCP re-transmission happening in the network. You can check this with a sniffer to see what is happening on the network.


HTH,

jerry



martinsajon Thu, 09/10/2009 - 13:21

Jerry, those commands helped a bit. So if there's lots of TCP re-transmission, what would I have to do? I'm watching with Wireshark and it seems that there is a lot of re-transmission.

Would I have to use: ip tcp adjust-mss xxx?


Regards!

Jerry Ye Thu, 09/10/2009 - 15:20

I would find out what causes the re-transmission first. Adjusting TCP MTU will fix a fragmentation problem. I would like to see the interface status along the path first. I am trying to look for errors along the path to rule out any physical problems.


The output I am interested in is from the show interface fx/x command


R1#sh int f0/0

FastEthernet0/0 is up, line protocol is up

... SNIP ...

Full-duplex, 100Mb/s, 100BaseTX/FX

... SNIP ...

210469 packets input, 20392024 bytes

Received 210311 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

302463 packets output, 25408663 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

R1#


Regards,

jerry

martinsajon Thu, 09/10/2009 - 15:38

Jerry, the show int of the 871 is the following:


Kepler#sh int fast 4

FastEthernet4 is up, line protocol is up

Hardware is PQUICC_FEC, address is 001c.f68c.d6af (bia 001c.f68c.d6af)

Description: (outside) InterNet uplink

Internet address is 10.22.1.25/24

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:19, output 00:00:09, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

12780 packets input, 12752825 bytes

Received 768 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

7481 packets output, 1323110 bytes, 0 underruns

0 output errors, 0 collisions, 1 interface resets

0 unknown protocol drops

0 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

Kepler#sh int vlan1

Vlan1 is up, line protocol is up

Hardware is EtherSVI, address is 001c.f68c.d6a5 (bia 001c.f68c.d6a5)

Internet address is 10.22.2.1/29

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:04, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

9016 packets input, 1718675 bytes, 0 no buffer

Received 12 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

12164 packets output, 12687233 bytes, 0 underruns

0 output errors, 1 interface resets

0 unknown protocol drops

0 unknown protocol drops

Jerry Ye Thu, 09/10/2009 - 15:41

This one looks pretty clean. Can you do the show interface on the port your PC is connected to?


If you can do that on the 1841, that would be great.


Regards,

jerry

martinsajon Thu, 09/10/2009 - 15:48

Show int from the port my PC is connected to.


Kepler#sh int f1

FastEthernet1 is up, line protocol is up

Hardware is Fast Ethernet, address is 001c.f68c.d6a6 (bia 001c.f68c.d6a6)

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s

ARP type: ARPA, ARP Timeout 04:00:00

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

9250 packets input, 1794276 bytes, 0 no buffer

Received 39 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 input packets with dribble condition detected

17022 packets output, 13084979 bytes, 0 underruns

0 output errors, 0 collisions, 2 interface resets

0 unknown protocol drops

0 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

martinsajon Thu, 09/10/2009 - 15:43

The show int of the 1841 is the following:


FastEthernet0/0 is up, line protocol is up

Hardware is Gt96k FE, address is 001b.53f9.063e (bia 001b.53f9.063e)

Description: (outside) InterNet uplink

Internet address is 186.136.51.14/24

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 6/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:02, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 2383000 bits/sec, 216 packets/sec

5 minute output rate 75000 bits/sec, 131 packets/sec

2448100 packets input, 3040226785 bytes

Received 48030 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

1588140 packets output, 171645278 bytes, 0 underruns

0 output errors, 0 collisions, 2 interface resets

0 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

Jerry Ye Thu, 09/10/2009 - 15:50

Okay, all your interfaces are clean.


How does the network behave during non-peak hours?


Regards,

jerry

martinsajon Thu, 09/10/2009 - 16:12

Yep, I dunno what is happening. During peak hours it slows down, but on that PC I cannot get into messenger, and web pages load very slowly.

Now, on my laptop I'm downloading at 300KB/sec and on the computer connected to the 871 the speed is 3KB/sec. WEIRD


Regards!

Thank you very much for your help!

Jerry Ye Thu, 09/10/2009 - 17:01

It looks like your link is very congested during peak hours.


Regards,

jerry

Jerry Ye Thu, 09/10/2009 - 20:08

Sorry, misunderstood your previous email. I am curious, what IOS version are you running on the 871?


Regards,

jerry

martinsajon Fri, 09/11/2009 - 22:17

The IOS version I'm running is: c870-advipservicesk9-mz.124-24.T

Jerry Ye Mon, 09/14/2009 - 06:31

Just curious, have you switched the computer on the 1841 to the 871 and the computer on the 871 to the 1841 to see how they behave?


Also, have you tried another IOS software like 12.4(15)T9? This version is quite stable.


Regards,

jerry


