cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
447
Views
0
Helpful
6
Replies

Browsing Issue

tuhinbhowmick
Level 1
Level 1

Hi,

We are about to commission a new link for **** provided by ****  a 2 MB (180.*.*.*/30) link. We have configured the new link (180.*.*.22) on the G0/3 interface of our WAN Router 1 (164.*.*.2) and given the route accordingly. Please find below the router config for your reference and also the IP details provided by ISP.

RTR Config :
----------------------------------------------------------------------

Building configuration...

Current configuration : 4763 bytes
!
! Last configuration change at 10:50:34 IST Fri Nov 26 2010 by admin
!
upgrade fpd auto
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname ****-WAN-RTR-01
!
boot-start-marker
boot system flash disk2:c7200-advipservicesk9-mz.124-24.T4.bin
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$3/4X$R8oIFCjtSajJ2IGl1lkKR1
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone IST 5 30
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name ****.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
--More--
!
!
!
username admin
!
archive
log config
  hidekeys
!
!
!
!
!
ip ssh time-out 60

!
!
!
interface GigabitEthernet0/1
mtu 1998
ip address 164.*.*.2 255.255.255.0
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex full
speed auto
media-type rj45
no negotiation auto
standby 1 ip 164.*.*.1
standby 1 priority 110
standby 1 preempt
no mop enabled
!
interface GigabitEthernet0/2
  mtu 1998
ip address 10.*.*.239 255.255.255.128
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
media-type rj45
no negotiation auto
standby 4 ip 10.*.*.241
standby 4 priority 110
standby 4 preempt
no mop enabled
!
interface GigabitEthernet0/3
description ##  Test ###
ip address 180.*.*.22 255.255.255.252
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
media-type rj45
no negotiation auto
no mop enabled
!
interface Serial1/0
no ip address
shutdown
no fair-queue
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.*.*.254
ip route 0.0.0.0 0.0.0.0 180.*.*.21 10
ip route 10.36.0.0 255.255.0.0 10.*.*.254
ip route 10.36.23.0 255.255.255.0 164.*.*.6
ip route 10.36.47.0 255.255.255.128 10.*.*.254
ip route 10.36.47.128 255.255.255.128 10.*.*.254
ip route 10.36.60.0 255.255.255.128 164.*.*.6
ip route 10.36.61.8 255.255.255.248 10.36.61.1
ip route 10.36.61.8 255.255.255.248 164.*.*.6
ip route 10.36.61.16 255.255.255.248 10.36.61.1
ip route 10.36.61.16 255.255.255.248 164.*.*.6
ip route 10.36.62.0 255.255.255.224 10.36.61.1
ip route 10.36.62.0 255.255.255.224 164.*.*.6
ip route 10.36.63.0 255.255.255.192 10.36.61.1
ip route 10.36.63.0 255.255.255.192 164.*.*.6
ip route 10.36.63.64 255.255.255.224 10.36.61.1
ip route 10.36.63.128 255.255.255.240 10.36.61.1
ip route 10.36.63.128 255.255.255.240 164.*.*.6
ip route 10.183.0.0 255.255.0.0 10.*.*.254
no ip http server
no ip http secure-server
!
ip flow-cache timeout active 5
ip flow-export source GigabitEthernet0/1
--More--                           ip flow-export version 5
ip flow-export destination 10.36.60.8 2055
!
!
logging trap emergencies
logging source-interface GigabitEthernet0/1
logging 10.36.60.8
access-list 10 permit 164.*.*.0 0.0.0.255
access-list 10 permit any
no cdp run

!
!
!
!
!
snmp-server community **** RO
snmp-server enable traps cpu threshold
snmp-server host 10.36.63.6 ****
!
control-plane
!
!
--More--                           !
!
!
!
!
gatekeeper
shutdown
!
banner motd ^CC

!
line con 0
exec-timeout 5 0
password 7 094F0F1A1A4C3743595F
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 10 in
access-class 10 out
exec-timeout 5 0
password 7 111D5D0114
transport input ssh
line vty 5 15
password 7 15064F0807
transport input ssh
!
ntp server 164.*.*.1
end

------------------------------------------------------------------------------------------------


ISP IP Details for the new link:-

--------------------------------------------
WAN IP : 180.*.*.20/30 (ISP End: 180.*.*.21, OUR end :180.*.*.22)
LAN IP : 180.*.*.144/29
Primary DNS : 203.*.*154
Secondary DNS: 203.*.*.152

Also we are briefing what we have done so far to test from our side.

1>  We have connected the LAPTOP to the mux and we were able to reach ISP gateway IP (180.*.*.21) as well as able to browse internet site properly.

2>  But when tried the same thing from our NOC segment (10.*.*.0/24), we are not able to browse. Though we are able to ping the global DNS and also the ISP DNS.

3>  We have checked the traceroute from our NOC PC and we are able to reach our WAN router 1 where the new link has been configured and after that we got the "Request Timed Out".

4>  Similarly, our internal application is also not reachable from outside world, when we have disconnect our existing another ISP link.

NOTE : Our intention is to use this new ISP link for redundancy whenever our existing ISP link goes down.

So, could you anyone please suggest anything on this ?

Regards,

TB

6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

TB

2>  But when tried the same thing from our NOC segment (10.*.*.0/24), we are not able to browse. Though we are able to ping the global DNS and also the ISP DNS.

3>  We have checked the traceroute from our NOC PC and we are able to reach our WAN router 1 where the new link has been configured and after that we got the "Request Timed Out".

I'm confused as to how the above relate. 2 suggests you can get beyond the router, whereas 3 suggests you can't. Could you clarify ?

Regardless of the above, 10.x.x.x addressing is not routable on the internet so you need to setup NAT on your router eg.

int gi0/2

ip nat inside

int gi0/3

ip nat outside

access-list 101 permit ip 10.x.x.0 0.0.0.255 any

ip nat inside source list 101 interface gi0/3 overload

Jon

Jon

I was also puzzled about what is going on here and believe that the issue is about translating addresses. I believe that there is some clue about what is going on by looking at the configured static default routes.

ip route 0.0.0.0 0.0.0.0 10.*.*.254
ip route 0.0.0.0 0.0.0.0 180.*.*.21 10

So in normal circumstances the default route is to a next hop device in the 10.0.0.0 network. To me this implies that there is at least one more router and/or firewall before traffic gets to the Internet and that address translation may be taking place on that device.

But your point is well taken that if traffic is going to use this new connection to the Internet that there needs to be address translation on this router.

I also question how the second default route (the floating static default to the new interface) will work. As long as the primary static default route is in the table the floating static will not be used. And it is pretty common that a static route going through an Ethernet interface will not be withdrawn until the Ethernet interface goes line protocol down. You can frequently lose communication with the next hop router but the interface is still up. So it seems to me that there are 3 questions for the original poster to answer:

1) what are you doing in your test to get traffic to use the floating static route and not the normal static route?

2) what are you planning to do in the production environment to get the primary static default route withdrawn if the Ethernet interface does not go line protocol down?

3) Given the specification from the ISP

ISP IP Details for the new link:---------------------------------------------
LAN IP : 180.*.*.144/29

where are the 180.*.*.144 addresses?

HTH

Rick

HTH

Rick

Thanks for both of you to put your valuable comments.

Below are the changes we have done.....

1> Put the "ip nat inside" in G0/1

2> Put the "ip nat outside" in g0/3

3> Put "ip nat inside source list 101 interface GigabitEthernet0/3 overload"

4> Put "access-list 101 permit ip 164.*.*.0 0.0.0.255 any"

and the browse problem has been resolved from inside network 10.36.*.0/26 (which is located after FW) without giving the the DNS of new ISP from our system.

Also we haven't used this LAN SEGMENT : 180.*.*.144/29 still now.

As I have mentioned earlier that we r going to use this new link as a backup running simultaneously whenever our main ISP link goes down.

Now, one problem we are facing now, our application is not accessing form outside world, which is configured with our primary ISP public IPs (eg. 164.*.*.0/24).

Looking forward to you.

Regards,

TB

Also there is another problem.........as the links are confogured on GigabitEthernet, so when evr one link has been down the interface is still showing up and the 2nd link will not activated untill we put down the primary link manually.

So, could anyone help us to do the configuration such a way so that fallback happen as our primary link goes down ?

Regards,

TB

TB

Would I be correct in assuming that your new connection to the Internet is from a different ISP than your old primary connection? The basic problem is that your servers are using address space that belongs to your primary provider and so all Internet originated traffic is routed to your primary ISP. If Internet originated traffic (attempting to access your application from outside) is routed to your primary ISP and that link is down then there is no way to get through to you.There are a few alternatives that you might consider.

- set it up so that you make DNS changes when the primary connection is down use the new provider addressing. then restore the original DNS settings when the primary connection comes back up.

- ask both ISPs for permission to advertise your part of the address space of primary ISP through the backup ISP, to be used only when there is a problem with the primary ISP. Note that this implies that you would then be running BGP with both providers.

I had mentioned the problem of using static routes which go over Ethernet interfaces in my previous post. There are a couple of alternatives that you could consider:

- if you run BGP with both providers as suggested above this would solve the problem since you would not use static default routes but would learn the default routes dynamically. And BGP would know to switch over if it stopped receiving communication from the primary ISP.

- you could configure IP SLA (sometimes referred to as Object Tracking) to check reachability of the primary ISP and to withdraw the static default route is the primary ISP were no longer reachable.

HTH

Rick

HTH

Rick

Dear Rick,

Thanks for your assistance.

As per the suggestion we have configured the IP SLA and the auto fall back is happening from primary to secondary ISP link and we are able to do the browsing. But, now the problem is that, whwnever our primary link comes back then our outgoing traffic is not taking the route for primary ISP link. We are sending the config for your refernece and please check whether the configuration is ok or we have to do some addition config.

Building configuration...

Current configuration : 5106 bytes
!
!
upgrade fpd auto
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *********
!
boot-start-marker
boot system flash disk2:c7200-advipservicesk9-mz.124-24.T4.bin
boot-end-marker
!
logging message-counter syslog

aaa new-model
!
!
!
!
aaa session-id common
clock timezone IST 5 30
ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name *******.com
no ipv6 cef
!
multilink bundle-name authenticated
!

archive
log config
  hidekeys
!
ip ssh time-out 60
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/1
  mtu 1998
ip address 164.*.*.2 255.255.255.0
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex full
speed auto
media-type rj45
no negotiation auto
timeout absolute 200 0
standby 1 ip 164.*.*.1
standby 1 priority 110
standby 1 preempt
no mop enabled
!
interface GigabitEthernet0/2

mtu 1998
ip address 10.*.*.239 255.255.255.128
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
media-type rj45
no negotiation auto
standby 4 ip 10.*.*.241
standby 4 priority 110
standby 4 preempt
no mop enabled
!
interface GigabitEthernet0/3
description #### Link Newly Commissioned ####
ip address 180.*.*.22 255.255.255.252
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
no negotiation auto
no mop enabled
!
interface Serial1/0
no ip address
shutdown
no fair-queue
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.*.*.254 track 1
ip route 0.0.0.0 0.0.0.0 10.*.*.254 ---> Without this route the revert traffic from secondary (newly commissioned) to primary link is not happening when our Primary  Link  comes back
ip route 0.0.0.0 0.0.0.0 180.*.*.21 10

no ip http server
no ip http secure-server
!
ip flow-cache timeout active 5
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 10.*.*.8 2055
!
ip nat inside source list 101 interface GigabitEthernet0/3 overload
!
ip sla 1
icmp-echo 4.2.2.2 source-ip 164.*.*.1
ip sla enable reaction-alerts
logging trap emergencies
logging source-interface GigabitEthernet0/1
logging 10.*.*.8
access-list 101 permit ip 164.*.*.0 0.0.0.255 any
no cdp run


control-plane
!
!
gatekeeper
shutdown
line con 0
exec-timeout 5 0
password 7 094F0F1A1A4C3743595F
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 10 in
access-class 10 out
exec-timeout 5 0
password 7 111D5D0114
transport input ssh
line vty 5 15
password 7 15064F0807
transport input ssh
!
end

-------------------------------------------------------------------------------

Kindly review the same and suggest.

With Regards,

TB

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: