VLAN to external router.

 
 
Gary
Guest
Posts: n/a
 
      02-24-2005
An external supplier has a VLAN in place to one of our border routers on a
dedicated link but needs to be able to see an internal router via the border
router.

We have this on our border router side.

interface FastEthernet4/1.503
 desc Handoff to External Supplier
 encapsulation dot1Q 503
 ip address 10.12.16.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no cdp enable

ip route 212.15.68.2 255.255.255.255 10.12.16.2

They are 10.12.16.2 and we can see each other fine.

We have an internal router on 212.15.68.4/24 which they need to be able to
see.

Our border router config is below for the inside facing interface

interface FastEthernet0/0.504
 encapsulation dot1Q 504
 ip address 212.15.68.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no cdp enable

The internal router has

interface FastEthernet0/1.504
 encapsulation dot1Q 504
 ip address 212.15.68.4 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
ip route 212.15.68.2 255.255.255.255 FastEthernet0/1.504

Now. The external supplier needs to be able to see the internal router at
212.15.68.4, and if they ping it our internal router sees the pings, but
nothing arrives back at the supplier.


What can ping what?
10.12.16.1 can ping 10.12.16.2 both ways
212.15.68.4 can ping 212.15.68.1 both ways
212.15.68.2 can ping 212.15.68.1 both ways

PROBLEM:
212.15.68.2 CANNOT ping 212.15.68.4 even though 212.15.68.4 does see the
pings from 212.15.68.2 but for some reason the pings never get back?

Gary


 
Kevin Widner
Guest
Posts: n/a
 
      02-24-2005
Unless you are doing some sort of tunneling, this is really a poor
design. The customer should not use an IP address that is in the same
subnet as your internal network. This is a much higher level design
issue than what I will tackle here, but what the problem will boil down
to for you here is this. The reason it doesn't work is because your
border router has an interface on the 212.15.68/24 subnet, so a
"connect" route is populated in its routing table, you are trying to
put a static route in your border router telling it that one address
in that subnet should be routed out a different interface. That route
is being ignored. Why? Because a connected interface has an
administrative distance of 0 and a static route has an administrative
distance of 1. The "connect" wins.


 
Gary
Guest
Posts: n/a
 
      02-25-2005

Does not sound exactly true.

Our border router sees.
show ip route 212.15.68.2
Routing entry for 212.15.68.2/32
Known via "static", distance 1, metric 0
Redistributing via eigrp 1
Advertised by eigrp 1
Routing Descriptor Blocks:
* 10.12.16.2
Route metric is 0, traffic share count is 1

The link to the external supplier runs across 10.12.16.0/24
The link to our internal router runs across 212.15.68.0/24

The external supplier has 212.15.68.2 and 10.12.16.2 on their side and we
have 212.15.68.1 and 10.12.16.1 on our border router.

Does your explanation still apply?

Gary
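
Added example (not part of any post in the thread, and not Cisco code): a small Python model of the two routing tables quoted above. It applies longest-prefix match first and administrative distance only between routes to the same prefix, which is consistent with the show ip route output, then checks the return path from 212.15.68.4. The ARP responder set and the helper names are assumptions made for the illustration.

```python
import ipaddress

# Routes as quoted in the thread: (prefix, admin distance, source, next hop / egress)
BORDER = [
    ("10.12.16.0/24", 0, "connected", "Fa4/1.503"),
    ("212.15.68.0/24", 0, "connected", "Fa0/0.504"),
    ("212.15.68.2/32", 1, "static", "10.12.16.2"),
]
INTERNAL = [
    ("212.15.68.0/24", 0, "connected", "Fa0/1.504"),
    ("212.15.68.2/32", 1, "static", "Fa0/1.504"),
]

def lookup(table, dst):
    """Longest-prefix match; administrative distance only breaks ties
    between routes to the *same* prefix."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[1]))

def needs_arp_on_link(route):
    """A connected route, or a static route that names an Ethernet
    interface, makes the router ARP for the destination address itself."""
    return route[3].startswith("Fa")

def return_path(arp_responders):
    """Echo reply from 212.15.68.4 to 212.15.68.2, as the internal router sees it."""
    route = lookup(INTERNAL, "212.15.68.2")
    if needs_arp_on_link(route) and "212.15.68.2" not in arp_responders:
        return "dropped: no ARP reply for 212.15.68.2 on " + route[3]
    return "forwarded via " + route[3]

# Assumption: addresses that answer ARP on VLAN 504. The supplier's
# 212.15.68.2 is reached over VLAN 503, and the border router's inside
# interface is configured with "no ip proxy-arp".
VLAN504_ARP_RESPONDERS = {"212.15.68.1", "212.15.68.4"}

if __name__ == "__main__":
    print(lookup(BORDER, "212.15.68.2"))   # supplier-bound traffic on the border router
    print(lookup(BORDER, "212.15.68.4"))   # traffic toward the internal router
    print(return_path(VLAN504_ARP_RESPONDERS))
```

With the thread's values the border router selects the /32 static toward 10.12.16.2, while the internal router's reply stalls at ARP on VLAN 504.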



 
Gary
Guest
Posts: n/a
 
      02-25-2005
Are you suggesting we use a tunnel - Is that the *right* solution?


 
Kevin Widner
Guest
Posts: n/a
 
      02-28-2005
Maybe the better solution would be to just use a different IP address
on the router that is at your external supplier's site. Why do you want
that router on the same segment as your internal routers? Just set up an
IP address that isn't in that same subnet and let the router actually
do "routing". I'm just trying to determine the reason why you chose to
address an interface on a distant router not directly attached to your
internal segment with a local subnet address. Not attacking you, just
trying to understand your goal.


Gary
Guest
Posts: n/a
 
      03-01-2005

Actually that is where we are now.

The VLAN to the external supplier is 10.12.16.1 on our border router and
10.12.16.2 on their router.

The VLAN from our border router to our internal router is 212.15.68.1 on the
border router to 212.15.68.4 and 10.12.16.4 on internal router.

The odd thing now is that our internal router can ping 10.12.16.2 [the
external supplier] but they cannot ping 10.12.16.4 or 212.15.68.4?

Everything else pings fine.

Gary


 