Re: Connectivity question/help

mo shea · ‎09-17-2005

Hi...

I need some help troubleshooting the following connectivity issue

Our setup consists of a core 6509 IOS with sup720 at our site. We have a

remote site that we need to connect temporarily via leased line. We have a 2821

router at the remote site and a 1721 at our site.

I connected the 1721 FE port to a gig ethernet port in the core which is assigned as a

switchport under vlan 10.30.11.0 255.255.255.0 (VLAN 11), 10.30.11.1 being the vlan ip address. The 1721 FE port is assigned 10.30.11.2/24

I can ping to the 1721 fe port from the core switch, but cannot ping or telnet

from a pc on a vlan on the same core. There is a default route on the core switch that points a firewall connecting the core to another wan site.

Since the 1721 router is directly connected to the core router, do i need to have a

static route to allow vlans on the core to connect to it? Or the Gig ethernet port on the

core should be a layer 3 port? I removed all access lists on interface vlan 11

Any help is appreciated

Richard Burts · ‎09-17-2005

I believe that the issue is not anything to do with how you configured the port on the 6509. I believe the issue is that the 1721 does not have a route for the subnets that exist on the 6509 (other than it knows vlan 11 as a connected subnet). You can ping to the 1721 from the 6509 because the ping packet has the VLAN address (10.30.11.1) as the source address and the 1721 knows how to send the response. When you attempt to ping or telnet from devices in other subnets the 1721 does not know how to get to them because they are not in its routing table.

It is easy to check whether my theory is correct. Do a standard ping to the 1721 from the 6509 to verify that it still does work. Then do an extended ping from the 6509 and in the extended ping specify (in extended commands) that the source address is some other interface. If my theory is correct the standard ping will work and the extended ping will fail.

Of course you can also check my theory by doing a show ip route on the 1721 and see if the 6509 other subnets are in the routing table.

If I am right you can fix the problem by configuring static routes on the 1721 or by running a dynamic routing protocol.

You will have a similar problem about how to access the remote 2821. Both the 6509 and the 1721 will need routes to the 2821 and the 2821 will need routes to the 1721 and the 6509.

HTH

Rick

HTH

Rick

mo shea · ‎09-17-2005

Thanks for your reply,

I have configured a static route from 2821 to 6509 network 10.30.11.0 and form the 1721 to the lan connected to the 2821, but missed out the route from the 1721 to the 6509 because I thought being directly connected to the core does the job.

I will try tomorrow (its 1 a.m. here) and let you know

Thanks

mo shea · ‎09-18-2005

Hi...

Thanks for the info Rick, I can now ping to any interface after configuring static routes.

I have one question remaining though. The 2821 router comes with advanced security ios and ssh is enabled by default on all vty lines. I try to telnet to the wan interface card on the 2821 as the lan port is not currently connected. Only the 1721 router was able to telnet, not the 6509 or any pc, although they all can ping to the wan interface.

Since i do not have an ssh client I changed the transport input ssh to 'transport input all' on all vty lines just to test the connectivity. But still I got the same result.

Any ideas?

Richard Burts · ‎09-19-2005

I have a couple of points about this:

- I have quite a number of routers running the advanced feature set and none of them have presented difficulty in telnetting to the router.

- if you can ping to the 2821 WAN address from the 6509 and from PCs connected to it, then the routing issue is resolved and your problem is not an IP connectivity problem.

- if you can telnet to the 2821 from the 1721 then it is really not a question of transport input all (though I agree it was a logical thing to do if you were having problems with telnet).

It would help if you could post the config of the 2821. I am guessing that there may be an access-class configured on the vty ports of the 2821 which is permitting the 1721 but not others. (Did you perhaps use SDM to help configure the 2821? It has surprised me with a few things that it has done)

HTH

Rick

HTH

Rick

mo shea · ‎09-19-2005

Thanks for your reply,

I found out that I missed a static route from the 6509 to the WAN network (between 2821 & 1721), and after adding it telnet was up from my PC, although I still find it strange why I was able to ping the serial interfaces but not telnet before.

One last question, once I telnet from my PC or previously from the 1721, I am promted for the password and then I am in the privilege mode directly, without typing Router>enable. I have enable secret and currently 1 vty password for all the lines, as well as a local username and password on the 2821 which I use to logon to SDM (never used it to config, only monitoring),

How is it possible to get the telnet prompt for a username/password ? I'll try to post the config once

I am in Office.

Thanks again

cro9uk · ‎09-19-2005

sounds like what i had. see my post from some time ago to solve.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Archive&topic=Network%20Infrastructure&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.eeac48d/2#selected_message

Richard Burts · ‎09-19-2005

I have seen something like the symptoms described on routers that came with SDM enabled. Look on the vty lines and see if there is a command privilege level 15.

I am guessing that it is there (it has been there in a bunch of routers I have worked with that came with SDM enabled). The result of this command is to put a telnet session directly into privilege mode. If you remove it I believe that the router will then put telnet into user mode and prompt for the enable password (or secret) to let you into enable mode.

HTH

Rick

HTH

Rick

mo shea · ‎09-19-2005

Thanks Rick & cro9uk, the privilege 15 was there and was the cause for this issue, the SDM surely comes up with surprises.

One last thought though, I kept vty line 7 at priv 15 and assigned it a different password, but it seems that telnet works with passwords and privileges for lines 0 to 4, below is part of the config

line vty 0 4

password 7 10431C0A11121F1B5D24

login

transport input all

line vty 5 6

password 7 10431C0A11121F1B5D24

login local

transport input all

line vty 7

privilege level 15

password 7 000D070700560208586714

login

transport input all

line vty 8 15

password 7 10431C0A11121F1B5D24

login local

transport input all

Any ideas? Thanks again

Richard Burts · ‎09-20-2005

I am not clear what you mean when you say: it seems that telnet works with passwords and privileges for lines 0 to 4. I have a couple of points that may address your question.

By default when the IOS receives a permitted telnet request it will use the next available vty port. So in general you would only get to vty 7 if vty 0 through 6 were busy. I have seen a suggestion that you can get to specific vty ports by specifying a port number in your telnet request, very much like reverse telnet for a terminal server. I have not used this and do not know for sure if it works.

IOS works with passwords and privilege on all the VTY ports. You can configure any privilege level and any password you want on any vty port that does exist on your router. That will be the password the user must enter and the privilege level they will get if they get assigned to that particular VTY port.

HTH

Rick

HTH

Rick