05-26-2003 03:12 AM - edited 03-02-2019 07:37 AM
We have two routers. The Ethernet interfaces are combined for LAN and WAN.
Both sides are connected via a wireless link.
For backup of the wireless link, ISDN is used.
The ISDN link comes up if the route to 172.16.0.0 or 172.17.0.0 goes down; this was tested and worked well.
Looking at the telco bill, over the last two months the ISDN link went up and down many times while the wireless link was okay.
Can someone help me and see if the configuration is okay?
Could it be a RIP problem?
Please help me further.
Thanks,
Michiel IJff
--------------------------------------
config router 1
hoofdlokatie#sh runn
Building configuration...
Current configuration : 1246 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname hoofdlokatie
!
enable secret 5xxxx
!
username xxxx password xxxxx
ip subnet-zero
!
isdn switch-type basic-net3
!
!
!
interface Ethernet0
ip address 172.18.1.89 255.255.0.0 secondary
ip address 172.16.1.89 255.255.0.0
no ip split-horizon
!
interface BRI0
description back up
ip address 172.19.1.89 255.255.0.0
encapsulation ppp
dialer idle-timeout 180
dialer string 00111122222
dialer load-threshold 125 either
dialer-group 1
isdn switch-type basic-net3
isdn send-alerting
ppp authentication chap
ppp multilink
!
router rip
timers basic 30 60 90 120
passive-interface BRI0
network 172.16.0.0
network 172.18.0.0
neighbor 172.18.1.90
!
ip classless
ip route 172.17.0.0 255.255.0.0 172.19.1.90 150
ip http server
!
!
dialer-list 1 protocol ip permit
banner login ^CC
Welcome on the Router of "Gemeente Bergen"
Router configured by M. IJff Volker Stevin Telecom phone number 030 6389800
Only authorized persons are allowed to login !!
^C
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 15 0
password xxxx
login
!
no rcapi server
!
!
end
--------------------------------------------------------
config router 2:
Bijlokatie#sh runn
Building configuration...
Current configuration : 1373 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxx
!
enable secret xxxx
!
username xxxx password xxxx
username xxxx password xxxx
ip subnet-zero
!
isdn switch-type basic-net3
!
!
!
interface Ethernet0
ip address 172.18.1.90 255.255.0.0 secondary
ip address 172.17.1.90 255.255.0.0
no ip split-horizon
!
interface BRI0
description back up
ip address 172.19.1.90 255.255.0.0
encapsulation ppp
dialer idle-timeout 360
dialer string 0485348497
dialer load-threshold 125 either
dialer-group 1
isdn switch-type basic-net3
isdn send-alerting
no cdp enable
ppp authentication chap
ppp multilink
!
router rip
timers basic 30 60 90 120
passive-interface BRI0
network 172.17.0.0
network 172.18.0.0
neighbor 172.18.1.89
!
ip classless
ip route 172.16.0.0 255.255.0.0 172.19.1.89 150
ip http server
!
!
dialer-list 1 protocol ip permit
banner login ^CC
Welcome on the Router of "Gemeente Bergen"
Router configured by M. IJff Volker Stevin Telecom phone number 030 6389800
Only authorized persons are allowed to login !!
^C
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 15 0
password xxxx
login
!
no rcapi server
!
!
end
Bijlokatie#
05-27-2003 12:27 AM
Hi Michiel,
First of all you have to change all your passwords, as you have now published them for the whole world, including the telephone number to dial in, and Volker Stevin would not appreciate this, I think.
Concerning the ISDN problem: you can set up a debug or take a look at the log to see what's going on.
Good luck!
05-27-2003 11:35 AM
Johan,
Thanks for your answer. I have changed the security issues.
Regards,
Michiel
05-27-2003 03:58 AM
Your problem is with the line 'dialer-list 1 protocol ip permit'. This allows any kind of traffic to initiate a call; you need to make an ACL that only allows certain traffic to initiate a call. See below:
! denies broadcasts
access-list 101 deny ip any host 255.255.255.255
! denies DNS queries
access-list 101 deny udp any any eq domain
! denies NetBIOS
access-list 101 deny udp any any eq 137
! denies NetBIOS
access-list 101 deny udp any any eq 139
! denies multicast
access-list 101 deny ip 224.0.0.0 0.0.0.255 any
! denies NTP
access-list 101 deny udp any any eq ntp
! permits all other traffic
access-list 101 permit ip any any log
The 'log' keyword will identify the SA and DA that bring up the line in the future, with port numbers. You can do additional filtering if you wish by adding to ACL 101.
You will also need to modify your dialer-list:
dialer-list 1 protocol ip list 101
Good luck
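To check which traffic ACL 101 from the reply above would still treat as interesting (able to bring up the ISDN line), this added example, which is not part of the original thread, evaluates the list first-match against a few constructed packets. The parser handles only the keywords used in this ACL, and the sample addresses and ports are assumptions.

```python
import ipaddress

# Constructed copy of ACL 101 from the reply, in valid IOS syntax.
ACL_101 = """\
access-list 101 deny ip any host 255.255.255.255
access-list 101 deny udp any any eq domain
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 139
access-list 101 deny ip 224.0.0.0 0.0.0.255 any
access-list 101 deny udp any any eq ntp
access-list 101 permit ip any any log
"""
PORTS = {"domain": 53, "ntp": 123}  # IOS port keywords used above

def ip(a):
    return int(ipaddress.IPv4Address(a))

def addr(tok):
    """Consume one address spec from tok; return (address, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (ip(tok.pop(0)), 0) if t == "host" else (ip(t), ip(tok.pop(0)))

def parse_acl(text):
    for line in text.splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = addr(rest), addr(rest)
        port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        yield action, proto, src, dst, port, line

def hit(a, spec):  # wildcard bits set to 1 are "don't care"
    return (ip(a) | spec[1]) == (spec[0] | spec[1])

def is_interesting(rules, proto, src, dst, dport=None):
    """First match wins: permit = may dial, deny = never dials on its own."""
    for action, rproto, rsrc, rdst, rport, line in rules:
        if rproto in ("ip", proto) and hit(src, rsrc) and hit(dst, rdst) and rport in (None, dport):
            return action == "permit", line
    return False, "implicit deny"

RULES = list(parse_acl(ACL_101))
# Constructed packets (proto, src, dst, dport) heading for the remote LAN.
SAMPLES = [("udp", "172.16.1.10", "255.255.255.255", 520),
           ("udp", "172.16.1.10", "172.17.1.20", 53),
           ("udp", "172.16.1.10", "172.17.255.255", 138),
           ("tcp", "172.16.1.10", "172.17.1.20", 139)]
for s in SAMPLES:
    print(s, "->", is_interesting(RULES, *s))
```

The last two samples (UDP 138 and TCP 139) fall through to the final permit, so NetBIOS datagram and session traffic would still dial under this list.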