IP routing Problems over Frame-relay Wan

lepinojs · ‎12-30-2002

I have to networks connected via Frame-Relay.

Network A is our main site which has a full T1 Internet. Site B has a 384k PVC to Internet via FRame.

I am trying to setup up a backup route that allows Site A to access the internet via Site B. I am Able to reverse the situation where site B can access Internet throught Site A but not the other way. Here are the Config files for both routers:

Router A

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname RouterA

!

boot system flash aaa1336.bin

boot system flash

logging buffered 10000 debugging

!

clock timezone est -5

clock summer-time EDT recurring

ip subnet-zero

no ip finger

!

ipx routing 0009.e833.3909

!

interface FastEthernet0/0

description NetworkA

ip address 192.168.20.1 255.255.255.0

ip directed-broadcast

duplex auto

speed auto

ipx encapsulation SAP

ipx network BABE1

no mop enabled

!

interface Serial0/0

description Connection to NetworkB

bandwidth 1152

ip address 192.168.25.1 255.255.255.0

no ip directed-broadcast

encapsulation frame-relay

no ip mroute-cache

ipx network FAChyh

ipx type-20-propagation

no fair-queue

service-module t1 timeslots 1-24

service-module t1 fdl ansi

frame-relay interface-dlci 16

frame-relay lmi-type ansi

frame-relay local-dlci 16

!

router eigrp 100

network 192.168.20.0

network 192.168.25.0

default-metric 50 50 255 50 1500

!

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 192.168.20.5

ip route 0.0.0.0 0.0.0.0 192.168.30.1 2 (I have also tried 192.168.25.2)

no ip http server

!

no scheduler allocate

end

Router B

Current configuration : 3016 bytes

!

version 12.1

service timestamps debug datetime

service timestamps log datetime

service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname routerB

!

boot system flash c2600-do3s-mz.121-6.bin

boot system flash

logging buffered 10000 debugging

!

clock timezone eastern 23 59

clock summer-time EDT recurring

ip subnet-zero

no ip source-route

no ip finger

ip name-server xxx.xxx.xxx.xxx.

ip name-server xxx.xxx.xxx.xxx

!

ip inspect name inspect1 udp timeout 300

ip inspect name inspect1 tcp timeout 300

ip inspect name inspect1 cuseeme

ip inspect name inspect1 ftp

ip inspect name inspect1 h323

ip inspect name inspect1 http

ip inspect name inspect1 rcmd

ip inspect name inspect1 realaudio

ip inspect name inspect1 sqlnet

ip inspect name inspect1 streamworks

ip inspect name inspect1 tftp

ip inspect name inspect1 vdolive

ip audit notify log

ip audit po max-events 100

ipx routing 0004.c05e.0323

!

controller T1 1/0

framing esf

linecode b8zs

channel-group 1 timeslots 1-24 speed 64

fdl ansi

description Conncetion to Site A

!

interface Tunnel1

no ip address

!

interface Ethernet0/0

description Ethernet Connection to SiteB

ip address 192.168.30.1 255.255.255.0

ip nat inside

ip inspect inspect1 in

ipx network fgfafa

no cdp enable

!

interface Serial1/0:1

description Connection to Network A

bandwidth 1536

ip address 192.168.25.2 255.255.255.0

encapsulation frame-relay

keepalive 8

ipx network hjsdhsd

ipx type-20-propagation

no fair-queue

frame-relay interface-dlci 17

frame-relay lmi-type ansi

!

interface Serial1/0:1.1 point-to-point

description ISP Conncetion

bandwidth 384

ip address xxx.xxx.xxx.54 255.255.255.252

ip access-group 150 in

no ip proxy-arp

ip nat outside

frame-relay interface-dlci 18

!

router eigrp 100

network 192.168.25.0

network 192.168.30.0

default-metric 50 50 255 50 1500

no auto-summary

no eigrp log-neighbor-changes

!

ip nat pool isp xxx.xxx.xxx.26 xxx.xxx.xxx.26 netmask 255.255.255.248

ip nat inside source list 1 pool isp overload

ip nat inside source static tcp 192.168.30.17 25 xxx.xxx.xxx.27 25 extendable

ip classless

ip forward-protocol spanning-tree

ip route 0.0.0.0 0.0.0.0 Serial1/0:1.1 xxx.xxx.xxx.53

ip route 0.0.0.0 0.0.0.0 Serial1/0:1 192.168.25.1 2

no ip http server

!

access-list 1 permit 192.168.30.0 0.0.0.255

access-list 1 permit 192.168.20.0 0.0.0.255

access-list 12 permit 192.168.20.0 0.0.0.255

access-list 12 permit 192.168.30.0 0.0.0.255

access-list 150 deny ip 192.168.20.0 0.0.0.255 any

access-list 150 deny ip 192.168.30.0 0.0.0.255 any

access-list 150 deny ip 127.0.0.0 0.255.255.255 any

access-list 150 permit ip any any

no cdp run

!

line con 0

exec-timeout 0 0

transport input none

line aux 0

line vty 0 4

!

no scheduler allocate

end

Thanks in Advance

John

michael-faust · ‎12-30-2002

On router 'A' remove "ip route 0.0.0.0 0.0.0.0 192.168.30.1 2"

On router 'A' add "ip route 0.0.0.0 0.0.0.0 192.168.25.2 2"

On router 'A' add "no auto-summary" to the eigrp config

lepinojs · ‎12-30-2002

Any other suggestions. That did not work. Thanks

thisisshanky · ‎12-30-2002

This is what I infer frm your configs.

At site A, router A is only used to link to site B. There is another router, in the lan at site A, which is the internet gateway. ( This is because, u havent indicated any configs for the full internet T1 link at site A on router A).

At site B, router B is both the internet router, as well as the router which connects to site A ( you have listed both configs)

Now, on site A, PC (workstations) would have been configured with Internet gateway (you havent mentioned this) as default gateway. If that router, already has a default route (say "ip route 0.0.0.0 0.0.0.0 serial 0 ) to the ISP, then add another default route as follows,

ip route 0.0.0.0 0.0.0.0 192.168.20.1 2 ( where 192.168.20.1 is the fast ethernet ip address of router A at site A). The last digit 2 is the administrative distance of the route, allowing this default route to kick in, only when the primary ISP link (Full T1) at site A fails.

Hope that helps.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

lepinojs · ‎12-31-2002

Its seems to be failing after 192.168.25.2. When I do a tracert it hits the serial interface of Router B (192.168.25.2) then it times out. Anyone have any Ideas.

Thanks in Advance

michael-faust · ‎12-31-2002

Is your physical topology: internet -> serial line -> router "?" -> fastethernet -> router "A" -> serial line -> router "B" -> serial line -> internet ?

The routing that I gave you will allow router "A" to route properly, but there is a problem. The floating static route will only be used if the when the primary static route fails. The primary route will be lost if fastethernet 0/0 goes down. If fastethernet 0/0 goes down, there won't be any traffic to route.

I think I know what you are trying to do, but I need a better description of your network. Also, you will have some issues with the default gateway setting on the end devices. You may need to think about a topological change to do this.

lepinojs · ‎12-31-2002

what I have done is taken the primary route out totally and substituted the secondary route as follows

0.0.0.0 0.0.0.0 192.168.20.5(remove)

Relace with 0.0.0.0 0.0.0.0 192.168.25.2

I figured I'd start here and get it working before changing the administrative distance to create floating routes. Stilll no go. Thanks for the replies

John

lepinojs · ‎12-31-2002

My topology is as follows:

Internet router(not mentioned in previous posts)>>>Firewall(192.168.20.5)>>>>Router A Ethernet(192.168.20.1)>>>>>Router A Serial(192.168.25.1)>>>>Router B Serial1/0:1(192.168.25.2)>>>>>>Router B Ethernet0/0(192.168.30.1)>>>>>>Router B Sub Serial1/0:1.1(Internet Assigned IP)

I din not mention the Internet Router on Site A Side or the FW because they have nothing to do with changing the default route to 192.168.25.2. Even If I have to manually change the route when needed that would be fine. I can't even get that to work.

Thanks

John

michael-faust · ‎12-31-2002

Are your users at site "A" connected to the 192.168.20.0 network?

lepinojs · ‎12-31-2002

Yes they are.

michael-faust · ‎12-31-2002

Here is the problem: For the users at site "A" to reach the internet the default gateway should be set to the firewall. For them to reach site "B" the default gateway should be the router. You can probably make it work to set the default gateway to the router. When a packet comes in that needs to go to the internat, I think what will happen is the router will send it to the firewall and send an ICMP redirect back to the workstation. Not the best way to do it but it should work. When a packet comes in that needs to go to site "B", router "A" will forward it to router "B". So far so good.

But, if the internet link at site "A" goes down, the router will not know about it. The serial link is connected to the firewall, and therefore its status is insulated from the router. The fastEthernat interface at router "A" will not go down. Router "A" still thinks that the route is good (the interface is up) so it keeps the route in its forwarding table and doesn't use the floating static route.

The reason it works at site "B" is that the router will know if one link goes down and can then switch to the other.

mark_cairns · ‎12-31-2002

Agreed, the firewall isolates router A from knowing the status of the Internet connection and upon failure, router A will need manual intervention to correct routing. I still don't think router B knows how to get to the user's subnet on router A without redistributing the directly connected IP range into EIGRP. If router B does not have a route, it will send it to the valid static back to the Internet.

mark_cairns · ‎12-31-2002

Have you tried adding the redistribute connected command to your eigrp config? It looks like your traffic may be failing at router B because it gets to router B and follows the static default route to the internet but upon return can not find a route to the .20 addresses. You have the .20 network defined on router A but I believe you need to redistribute connected for the .20 network to show up as a route on router B so your return traffic will not follow the valid 0.0.0.0 static. Check both router A and B for eigrp topology.

michael-faust · ‎12-31-2002

If eigrp is working properly, the 192.168.20.0 network should be learned from router "A" at router "B". 'show ip route 192.168.20.0' should verify this. I don't think that 'redistribute connected' is necessary.

lepinojs · ‎12-31-2002

Eigrp is working correctly. Is it possible that the Nat pool is not functioning correctly and disallowing 20.0 clients to pull from the pool? I have only one address in the pool that 30.0 and 20.0 networks share. Is this a problem?

At tis poinbt I dont even care about makeing a backup route. If I have to take out the default Route and replace I am ewilling to do that. It doesn;t have to be seemless. If I do it that way the Firewall should have anyting to do with the setup. Thanks for taking the time to analyze this. I guess I'll keep searching for the answer.

John