Newbie routing problem.

Discussion in 'Cisco' started by jwinters, Jan 12, 2005.

  1. jwinters

    jwinters Guest

    I am helping with a Cisco 7206 and I am running into a problem with routing.

    The Setup:

    The Cisco 7206 has a connection to the internet and also brings in DSL
    traffic (ATM DS3).

    The fastethernet connects to a hub which goes to modem banks and web
    servers, etc.

    The Problem:

    Anyone who gets connected via the modem banks can go anywhere out through
    the router to the Internet.

    DSL Users can go anywhere (for the most part) except for computers or servers
    within the class c(s) that belong to us (these are the same IP ranges that
    the dial up users can use successfully to make it through the router to the
    net.)

    For example a DSL user can get anywhere on the net, but can't reach a web
    server, mail server, etc. that has an IP address in one of the 2 class c's
    served by the router.

    I initially tried to assign non-routable IPs in the dns users pool but then
    they could only get to local servers and not the net. The exact opposite
    problem.

    I'm sure it is simple, but don't know where to start looking.

    I do have a few observations/questions.
    1. I see the syscon listed, is this something I need? This is the only
    router we are using. I'm sure that it has nothing to do with the problem
    but I am wondering if it can be a security problem if not needed.
    2. While typing this I noticed that toward the bottom under the IP pool
    this is listed.
    ip route 0.0.0.0 0.0.0.0 209.176.17.65
    The *.65 is not anywhere else and was added by the upstream ISP. I assume
    that this should have been either *.66 or *.67. Is this the problem?
    3. When we first started it took one password to get into the router. When
    we changed things so we could add more user names and passwords for the DSL
    users it changed so that anyone (dsl user) in the list could telnet into the
    router. I do want to authenticate for the dsl users but don't want them to
    be able to telnet into the router. What can I do about this?

    Here is the config:

    ROUTER1#show run

    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname ROUTER1
    !
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp default local
    !
    username something password 0 somethingelse
    syscon address 207.178.2.4 1
    syscon shelf-id 0
    ip subnet-zero
    !
    ip name-server 207.178.2.2
    ip name-server 207.178.2.3
    !
    ip cef
    ip audit notify log
    ip audit po max-events 100
    !
    call rsvp-sync
    !
    vc-class atm dslusers
    encapsulation aal5mux ip
    !
    interface FastEthernet0/0
    ip address 207.178.2.1 255.255.255.0 secondary
    ip address 209.159.13.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip mroute-cache
    duplex half
    no cdp enable
    !
    interface Serial1/0
    no ip address
    no ip mroute-cache
    shutdown
    fair-queue
    framing c-bit
    cablelength 10
    dsu bandwidth 44210
    serial restart-delay 0
    !
    interface ATM2/0
    no ip address
    no ip unreachables
    no ip proxy-arp
    no ip mroute-cache
    atm scrambling cell-payload
    atm framing cbitplcp
    atm idle-timeout 0
    no atm ilmi-keepalive
    !
    interface ATM2/0.10 point-to-point
    description Upstream ATM bandwidth
    ip address 209.176.17.66 255.255.255.252
    pvc upstream 1/32
    protocol ip 209.176.17.67 broadcast
    ubr 942
    encapsulation aal5snap
    !
    !
    interface ATM2/0.20 multipoint
    description DSL Customers
    no ip unreachables
    no ip proxy-arp
    no ip mroute-cache
    pvc 1/33
    encapsulation aal5mux ppp Virtual-Template2
    !
    pvc 1/34
    encapsulation aal5mux ppp Virtual-Template2
    !
    pvc 1/35
    encapsulation aal5mux ppp Virtual-Template2
    !
    interface Virtual-Template2
    ip unnumbered FastEthernet0/0
    peer default ip address pool DSL_IPADDRESS
    ppp authentication pap
    !
    ip local pool DSL_IPADDRESS 209.159.13.200 209.159.13.250
    ip classless
    ip route 0.0.0.0 0.0.0.0 209.176.17.65
    ip route 207.178.2.0 255.255.255.0 FastEthernet0/0
    ip route 209.159.13.0 255.255.255.0 FastEthernet0/0
    no ip http server
    !
    dial-peer cor custom
    !
    gatekeeper
    shutdown
    !
    line con 0
    exec-timeout 0 0
    line aux 0
    line vty 0 4
    !
    end

    Thank you in advance for anyone who can help with this.

    John Winters
     
    jwinters, Jan 12, 2005
    #1
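
The observation in question 3 follows from the posted config: with `aaa new-model`, both `login` and `ppp` use a `default` list backed by the same local `username` database, and `line vty 0 4` carries no method list or `access-class` of its own. The check below is an added example, not part of the original post; the finding names and the `audit` function are made up for illustration, and the stanza parsing assumes the flattened (unindented) layout of the posted `show run`.

```python
import re

# Excerpt of the 'show run' posted above: only the lines this check reads.
POSTED_CONFIG = """\
no service password-encryption
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
username something password 0 somethingelse
interface Virtual-Template2
ppp authentication pap
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end
"""


def parse(text):
    """Return (global commands, {line header: sub-commands}).

    The posted config lost its indentation, so a line stanza is taken to run
    from its 'line ...' header to the next header, '!' or 'end'.
    """
    globals_, stanzas, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd in ("!", "end"):
            current = None
        elif cmd.startswith("line "):
            current = cmd[len("line "):]
            stanzas[current] = []
        elif cmd.startswith("interface "):
            current = None
            globals_.append(cmd)
        elif current is not None:
            stanzas[current].append(cmd)
        else:
            globals_.append(cmd)
    return globals_, stanzas


def method_lists(globals_, service):
    """Map list name -> methods for 'aaa authentication <service> <name> ...'."""
    lists = {}
    for cmd in globals_:
        m = re.match(rf"aaa authentication {service} (\S+) (.+)", cmd)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def audit(text):
    """Return findings as (code, subject, detail) tuples (hypothetical codes)."""
    globals_, stanzas = parse(text)
    findings = []
    for cmd in globals_:
        m = re.match(r"username (\S+) password 0 ", cmd)
        if m:  # 'password 0' stores the secret unencrypted in the config
            findings.append(("CLEARTEXT_PASSWORD", m.group(1), ""))
    # AAA method lists only apply once 'aaa new-model' is enabled.
    aaa_on = "aaa new-model" in globals_
    login = method_lists(globals_, "login") if aaa_on else {}
    ppp = method_lists(globals_, "ppp") if aaa_on else {}
    ppp_uses_local = any("local" in methods for methods in ppp.values())
    for header, subs in stanzas.items():
        list_name = "default"  # used when the line names no list of its own
        for sub in subs:
            m = re.match(r"login authentication (\S+)", sub)
            if m:
                list_name = m.group(1)
        if ppp_uses_local and "local" in login.get(list_name, []):
            # PPP subscribers and router logins share one username database.
            if header.startswith("vty"):
                has_acl = any(s.startswith("access-class ") for s in subs)
                detail = "access-class" if has_acl else "no access-class"
            else:
                detail = "local port"
            findings.append(("SHARED_LOGIN_DB", header, detail))
        if "exec-timeout 0 0" in subs:  # idle sessions never time out
            findings.append(("NO_IDLE_TIMEOUT", header, ""))
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED_CONFIG):
        print(finding)
```

Pointing the PPP list at an external method such as `aaa authentication ppp default group radius`, and removing the subscriber entries from the local database, clears the `SHARED_LOGIN_DB` findings; an `access-class` on the vty lines limits which source addresses can reach the login prompt at all.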

  2. jwinters

    jwinters Guest

    I know no one has a "right" to responses, but I have only ever posted with
    questions three times and never had a response. Am I doing something wrong?
    I see most other posts responded to so I wanted to make sure I was not
    causing problems with my post before giving up altogether.
     
    jwinters, Jan 13, 2005
    #2

  3. :I know no one has a "right" to responses, but I have only ever posted with
    :questions three times and never had a response. Am I doing something wrong?
    :I see most other posts responded to so I wanted to make sure I was not
    :causing problems with my post before giving up altogether.

    Sometimes people just don't have a quick answer (it's only been 24
    hours since you first posted.) People tend not to reply if the question
    is complex and outside of their experience. Personally, I don't
    have any experience in that topic, and I've been working on other things
    for 17 of the last 24 hours.

    A bit of a network diagram would help me to understand your setup.

    :> The fastethernet connects to a hub which goes to modem banks and web
    :> servers, etc.

    For example, I can't think of any good reason to have used a hub
    there instead of a switch. A hub is going to be half duplex and
    is only going to support one rate, either 10 or 100 [1000 hubs
    exist but are pretty rare!]
     
    Walter Roberson, Jan 13, 2005
    #3
  4. jwinters

    jwinters Guest

    Hello Walter,

    Thank you for the response. I was mostly wanting to make sure it really did
    go out. As you said I sent this message yesterday. I have sent two others
    over the past couple months without responses so I wanted to make sure it was
    really going out.

    I also know how easy it is to spend hours answering questions, often on
    something as obvious as this will likely be to someone who is not as new to
    this as I am. I know I have had to pass some (obviously not cisco related)
    simply due to not having the time and so I do appreciate your response.

    You are right about the switch, and it is a switch. Just in the habit of
    calling them hubs.

    I have my pathetic attempt of a diagram here:

    http://www.onlinecol.com/cisco.htm

    As I noted in the first post I was wondering about the ip route with the
    0.0.0.0 0.0.0.0 *.65

    Because the *.65 was not either end of the gateway I thought I would try it
    with one of the two actual ips for each end of the bandwidth connection pvc.
    After changing it, and then driving down to where the router is actually
    located to change it back I learned that I kind of liked it in there
    after all. ;)

    If anyone has any ideas or something I should look into I would appreciate
    it. Thank you in advance. - JW
     
    jwinters, Jan 14, 2005
    #4
  5. jwinters

    jwinters Guest

    I have also noted in an example for atm dsl the following which I do not
    have.

    Router EIGRP 1
    Network 170.159.68.0

    Everything else seems to work so I am not sure if I need the (extra?)
    routing protocol, and I am just now looking into what exactly the "Network"
    command does. - JW
     
    jwinters, Jan 14, 2005
    #5
  6. :http://www.onlinecol.com/cisco.htm

    When I read your description and look at the diagram and
    your notes that are there, either you have omitted an important fact
    or else the answer is simple.

    You show the 7206 and you show two interfaces on it, and you have
    IP addresses in the same subnet (dialup users and the non-functional
    DSL users) on both interfaces. How is the 7206 to know which of the
    two interfaces to send the packets to? You can't expect the setup
    to work -- not unless you have omitted an important fact such
    as that the 7206 interfaces are bridged together.

    The behaviour you see when you assign an RFC1918 IP to the DSL
    users is also seemingly understandable: the packets destined for outside
    are going to head directly over to the internet connection, trying
    to go out with reserved source IPs. Unless, that is, you have given
    the 7206 a secondary IP address on that interface that is in that range,
    and you have set up the 7206 to do "NAT on a stick" to map the IPs
    into public IP space before sending them back out the same interface.
    [This often involves installing a loopback interface.]

    I haven't read your configuration or looked at the 65 question or
    the question about why you can reach one server but not the other.
    I would point out, though, that the one you can reach, the dns server,
    would likely already be in the 7206's ARP table, whereas the other
    one might not be. What happens if you ping the other device from
    the 7206 before making the attempt from the DSL users?


    Anyhow, without having read the configuration line by line, it
    sounds to me like regular routing issues combined with lack-of-NAT
    issues.
     
    Walter Roberson, Jan 14, 2005
    #6
  7. jwinters

    PES Guest

     
    PES, Jan 14, 2005
    #7
  8. jwinters

    jwinters Guest

    Hello Walter,

    Thank you for the response.

    I'm new to both ATM and routers so anything is possible. ;)
    I am using an ATM card and the FastEthernet port.

    I am even starting to confuse myself thinking about this to respond back.

    When I am talking about 2 class c's I am basically just wanting them to be
    usable on my side of the router. In the past I had a 2501 and I used one IP
    for the router and then everything else passed through and I could use them
    for anything I wanted.

    I was assuming that it would be the same here. Now the two class c's use
    one Ip for the router interface but the bandwidth connection has two other
    ip's (not from mine) for the local and remote ends of that connection.

    I was assuming that the router would know that anything this side of the
    bandwidth port would be sent out through the fastethernet port and
    everything else would go out the bandwidth connection port.

    I was thinking of everything as either this side of the switch or the
    other. I was also following a qwest example that seemed somewhat the same
    as what I tried.

    Relating to the interfaces being bridged together I don't have a clue and
    am starting to suspect you may be talking in a foreign language. ;) Is this
    something that should be done or should not be done and I will try to find
    the answer.
    I have not configured a loopback interface and if nat is set up it was by
    accident!
    I killed the router trying to "fix" the *.65 question by changing it to the
    other two "gateway" ips so I don't think it was the problem I thought it was.
    I will try that tonight and see what happens.
    Wow, you caught exactly how I feel right now!

    Again, thank you for the help. - JW
     
    jwinters, Jan 14, 2005
    #8
  9. jwinters

    jwinters Guest

    Hi Paul,

    Thank you for responding.
    I am not sure if this is the case.

    The RAS has a certain number of IPs assigned to it and I would assume that
    it would only answer for those.

    The DSL users also have a set number of IPs assigned out of a pool. So I
    would assume that one would not answer for the other right?
    Would this still apply if the above part about the RAS server is right?

    Again, thank you for your response. They at least give me somewhere to look
    to find out more about it.
     
    jwinters, Jan 14, 2005
    #9
  10. :I am using an ATM card and the FastEthernet port.

    :When I am talking about 2 class c's I am basically just wanting them to be
    :usable on my side of the router.

    The router doesn't know which is "your" side and which isn't.

    :In the past I had a 2501 and I used one IP
    :for the router and then everything else passed through and I could use them
    :for anything I wanted.

    :I was assuming that it would be the same here. Now the two class c's use
    :one Ip for the router interface but the bandwidth connection has two other
    :ip's (not from mine) for the local and remote ends of that connection.

    :I was assuming that the router would know that anything this side of the
    :bandwidth port would be sent out through the fastethernet port and
    :everything else would go out the bandwidth connection port.

    The 'bandwidth' statement in the configuration is basically just a comment.
    There is very little that it affects -- it affects rate shaping
    specified as percentages of bandwidth, and it affects how programs
    such as 'mrtg' that monitor your system figure out whether you are
    using a lot or a little bandwidth... but other than that, it's just
    a comment. It has no effect on restricting bandwidth, it is not
    automatically set according to how the circuit is provisioned, and
    it has no effect on whether the router thinks of the interface as being
    inside or outside.

    The way the router knows which interface to send traffic out of is by
    examining the "routing table". Until you get fancy into conditional
    routing ('policy based routing'), all it looks at is the destination
    IP address, and it looks in its tables to find the most specific subnet
    that the destination IP fits into, and it uses the interface appropriate
    to the 'next hop' IP address stored with that entry. The reason
    that traffic would usually head to the Internet is that there will be
    an entry for the most general possible subnet that indicates to send
    to there. The most general possible subnet is known as the
    "default route", and is usually represented as 0.0.0.0 0.0.0.0.

    The router will automatically add routing entries for each IP subnet
    that is associated with an interface through the 'ip address' command.
    When you put an IP address onto an interface, the router assumes that
    anything that is in the same subnet can be reached by sending out
    that interface.

    You can look at the routing table by commanding "show route".

    Now, these rules about how to distribute traffic are the same rules
    used for -all- of the interfaces. If you have two different
    ethernet interfaces as well as an ATM interface, the router doesn't
    normally just treat all the ethernet interfaces as being the same
    as each other and treat the ATM interface as being "outside". The
    ATM interface is only used for outside traffic if you told the router
    to send traffic to that interface by default. And when a packet
    arrives on one of the ethernet interfaces, the router will only send
    it on to the other ethernet interface if there is a routing table
    entry that indicates that the destination can be found on the other
    interface.

    Example:

    interface       IP           mask
    --------------  -----------  ---------------
    fastethernet#1  24.25.18.22  255.255.0.0
    fastethernet#2  192.168.1.1  255.255.255.0
    ATM#1           211.212.1.6  255.255.255.252

    ip route 0.0.0.0 0.0.0.0 211.212.1.5

    With this setup, if a host 24.25.53.92 attached to fastethernet#1 sends
    a packet addressed to 192.168.1.9, then the router will look and see
    that 192.168.1.9 falls within 192.168.1.* and so the router will
    pass the packet on to interface fastethernet#2. When the destination
    host gets the packet and replies, it will be sending out
    a packet addressed to 24.25.53.92 towards the router. The router will
    see that 24.25.53.92 falls within 24.25.*.* and will send the packet
    on to interface fastethernet#1 where it will be received by the
    original host and all will be well.


    Similarly, if the host 24.25.53.92 on fastethernet#1 sends to somewhere
    offsite, say 17.112.152.32 (www.apple.com), then the router will
    receive the packet and will look through its routing tables.
    17.112.152.32 does NOT fall within 24.25.*.* or 192.168.1.* or
    211.212.1.4 thru 211.212.1.7, the IP ranges associated with the
    directly attached interfaces. The router will, though, not send the
    packet via the ATM interface just because it is an ATM interface: the
    router will send the packet there because it will see that the manually
    added entry for IP 0.0.0.0 mask 0.0.0.0 "encloses" the destination IP
    17.112.152.32, so the router will deliver by way of the IP address
    associated with that routing entry, namely by way of 211.212.1.5 in
    this example. The router will look at 211.212.1.5 and see that it
    is enclosed within 211.212.1.4 thru 211.212.1.7 which is the range
    associated with the ATM interface, and that's why it will send the
    packet to the ATM interface.

    When a packet returns via the ATM interface from apple, source 17.112.152.32,
    the destination IP will be that of the original outgoing packet,
    24.25.53.92, and the router will look in its tables, see that
    24.25.*.* encloses that destination IP, and so will know to send
    the packet on to fastethernet#1 where it will be received by the
    original host, and everything is fine again.


    Now suppose that you put a host 24.25.197.38 attached through interface
    fastethernet#2, and suppose that that host tried to send to the
    same destination, 17.112.152.32 (www.apple.com.) The outgoing packet would
    be received by the router, which would follow the same logic and know
    to send the packet on to the ATM because the destination IP matches
    the manually added route 0.0.0.0/0.0.0.0 that points to the ATM.

    When the packet comes back from apple marked as being for that source,
    24.25.197.38, the router does NOT magically know that the host
    24.25.197.38 is on fastethernet#2. Instead, it will follow exactly
    the same routing logic as the above case, will see that 24.25.197.38
    is enclosed within the route for 24.25.*.*, and so it will send the
    packet on to fastethernet#1 *NOT* fastethernet#2. But of course the
    host isn't attached to fastethernet#1 so the packet will not arrive
    at its destination. It wasn't that the packet didn't get out: it's
    that the router could not figure out how to get the packet -back-.


    Unless you do special setup, routers always need the ethernet
    interfaces to be in different subnets -- and that means that you
    can't put hosts drawn from one of the subnets attached to the
    interface numbered in the other subnet: the router won't be able to
    find the way to send the packets back.

    The special setup you can do includes adding in very specific route
    statements to override the general rule created by putting an IP address
    on the interface. In the above example, you could add

    ip route 24.25.197.38 255.255.255.255 192.168.1.1

    and then when the router went to examine its routing tables when the
    packet returned, it would see the specific entry and would see that
    the associated hop was on fastethernet#2 and would send the packet
    out that way, where it -would- reach the destination. However, there
    would still be reasons why something on fastethernet#1 that was
    in 24.25.*.* would not know to send the packet on to the router to
    send onwards to 24.25.197.38 on fastethernet#2.

    The other kind of special setup you can do is to tell the router that
    the two ethernet interfaces are to be "bridged" together -- that the
    router is to act like a switch with respect to those two interfaces
    sending to each other. If you were to do that, then you would not
    attach IP addresses to the different fastethernet interfaces: you
    would instead attach the IP address to the virtual switch so created.


    In your situation, I would not go with bridging: I would instead just
    arrange things so that you never had hosts in any IP address
    range behind the "wrong" interface. That would imply giving the
    DSL users a different IP subnet than the modem users. There are
    various ways to arrange that... and it's time for me to pack up to leave.
     
    Walter Roberson, Jan 14, 2005
    #10
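
The lookup rule described in the post above, run against its own example addresses. This is an added example, not part of the original thread: the `RoutingTable` class, the `misrouted_hosts` helper and the host inventory are constructed for illustration, and the host route is entered exactly as written in the post.

```python
import ipaddress


class RoutingTable:
    """Destination-only forwarding: the most specific matching prefix wins."""

    def __init__(self):
        # Each entry: (network, egress interface or None, next hop or None)
        self.routes = []

    def connected(self, address, mask, interface):
        # 'ip address' on an interface installs a route for the whole subnet.
        net = ipaddress.ip_interface(f"{address}/{mask}").network
        self.routes.append((net, interface, None))

    def static(self, prefix, mask, next_hop):
        # 'ip route <prefix> <mask> <next hop>'
        net = ipaddress.ip_network(f"{prefix}/{mask}")
        self.routes.append((net, None, ipaddress.ip_address(next_hop)))

    def lookup(self, dest, depth=0):
        """Return the egress interface for dest, or None if nothing matches."""
        dest = ipaddress.ip_address(dest)
        matches = [r for r in self.routes if dest in r[0]]
        if not matches or depth > 4:  # depth guard against next-hop loops
            return None
        _, interface, next_hop = max(matches, key=lambda r: r[0].prefixlen)
        if interface is not None:
            return interface
        # Static route: resolve the next hop to find the egress interface.
        return self.lookup(next_hop, depth + 1)


def build_example_table():
    """The three interfaces and the default route from the post."""
    table = RoutingTable()
    table.connected("24.25.18.22", "255.255.0.0", "fastethernet#1")
    table.connected("192.168.1.1", "255.255.255.0", "fastethernet#2")
    table.connected("211.212.1.6", "255.255.255.252", "ATM#1")
    table.static("0.0.0.0", "0.0.0.0", "211.212.1.5")
    return table


# Constructed inventory: where each host is physically attached.
INVENTORY = {
    "24.25.53.92": "fastethernet#1",
    "192.168.1.9": "fastethernet#2",
    "24.25.197.38": "fastethernet#2",  # address from the "wrong" subnet
}


def misrouted_hosts(table, inventory):
    """Hosts whose return traffic would leave by a different interface."""
    problems = []
    for host, attached in inventory.items():
        routed = table.lookup(host)
        if routed != attached:
            problems.append((host, attached, routed))
    return problems


if __name__ == "__main__":
    table = build_example_table()
    print("to 17.112.152.32 ->", table.lookup("17.112.152.32"))
    print("misrouted before host route:", misrouted_hosts(table, INVENTORY))
    # The /32 override from the post: more specific than 24.25.0.0/16.
    table.static("24.25.197.38", "255.255.255.255", "192.168.1.1")
    print("misrouted after host route:", misrouted_hosts(table, INVENTORY))
```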
  11. jwinters

    jwinters Guest

    Hi Walter,

    Thank you for the detailed response. I am starting to understand more.
    At the bottom of the config it did have the following.

    ip route 0.0.0.0 0.0.0.0 209.176.17.65
    ip route 207.178.2.0 255.255.255.0 FastEthernet0/0
    ip route 209.159.13.0 255.255.255.0 FastEthernet0/0

    I was confused because the first one did not indicate an interface.
    Additionally I did not know where the .65 came from and was expecting it to
    be either *.66 or *.67 which were the two assigned for the ATM connection
    connected to the upstream provider.
    The FastEthernet has the following entry:
    interface FastEthernet0/0
    ip address 207.178.2.1 255.255.255.0 secondary
    ip address 209.159.13.1 255.255.255.0

    I assumed that this would tell it to send everything in either of those
    ranges through the RJ45 into the switch. So I assumed that when a DSL user
    attempted to access it they would go out the RJ45 port and end up in the
    right place.

    There is nothing there! It is blank.
    There is only one single ethernet interface in this case.
    Again, there is only one fastethernet interface so it is using the secondary
    command:

    ip address 207.178.2.1 255.255.255.0 secondary
    ip address 209.159.13.1 255.255.255.0

    Now in your example above you have the atm interface as *.6 and your ip route
    is *.5. Is this because the remote IP address for the interface that the
    ATM circuit is connected to is *.6?

    This is what I was expecting but this is what I saw.

    ip route 0.0.0.0 0.0.0.0 209.176.17.65

    and then...

    interface ATM2/0.10 point-to-point
    description Upstream ATM bandwidth
    ip address 209.176.17.66 255.255.255.252
    pvc upstream 1/32
    protocol ip 209.176.17.67 broadcast

    So I was surprised that it was not a *.66 or *.67 instead of *.65.
    OK, I understand that.
    So, does it matter where in the config the 0.0.0.0 is located? In my case
    it is above the others.

    ip route 0.0.0.0 0.0.0.0 209.176.17.65
    ip route 207.178.2.0 255.255.255.0 FastEthernet0/0
    ip route 209.159.13.0 255.255.255.0 FastEthernet0/0

    So, if I have the DSL user pool 209.159.13.200 209.159.13.250

    and they are online and want to go to google it should pass them through the
    ATM because its IP resolved to something other than the two ranges assigned
    to the FastEthernet, right? And this appears to be what is happening.

    But, then if they type to get email at 209.159.13.100 I was expecting it to
    pass the request through the FastEthernet port, through the switch and to
    the mail server. This does not happen. They can not even ping the mail
    server.

    However when the Dialup users try to check mail they do get routed there.

    Interestingly I originally was not going to use routable IP's for the DSL
    users and had assigned something like:
    ip local pool IP_ADDRESS 172.16.24.0 172.16.24.254

    And in this case they could access the local servers (in the two ranges
    assigned to the fastethernet interface) but could not get out anywhere on
    the internet through the atm interface.
    Although I did not understand it before I can understand what you are
    saying. But, in this case I do not have more than one ethernet interface so
    if I understand what you are saying above it looks like it should all be
    working now.

    It does bother me that the show route you told me about does not display any
    information.

    It sounds like this would only be for two ethernet interfaces, right?


    Again, I thank you for taking the time to respond. I also understand if you
    need to get on to other things and don't have time to follow up. I really
    do understand how much time can be spent helping people in groups while
    putting off the things that you are really supposed to be doing. - JW
     
    jwinters, Jan 14, 2005
    #11
  12. jwinters

    jwinters Guest

    Hi Walter,

    OK. You made me think... enough already!

    I did read and understand what you were talking about but didn't try to
    apply much of it to this situation because it was talking about two ethernet
    interfaces and would not apply to this situation.

    However I kept thinking about what you were saying and went through to apply
    it to this situation and I think that you were right, just slightly
    different from your example.

    Let's see if I get this right.

    First here is the ethernet interface:
    And the routing as listed below in the config:
    So following your example if I have a DSL user with the IP of 209.159.13.200
    who tried to go out to an external IP the router sees that it is not in one
    of the two ranges and sends it to the "upstream" pvc due to the
    209.169.176.65 and the interface knows that is on the remote side of the
    pvc. I am not sure how the traffic coming back to this user gets to him
    since according to the ip route above it should go to the ethernet port
    instead of to the DSL user who happens to be on another PVC on the ATM
    Interface. But it works, so I guess that it somehow makes it there before
    it gets to the ethernet port?

    In the case above, all the traffic actually occurs on the ATM circuit and
    never goes out the ethernet (except DNS perhaps) port.

    Using the same reasoning if the DSL user above goes to the web server at
    209.159.13.100 I assume that the router will be able to find that server.
    But then, I take it that the problem is that when it responds back to the DSL
    user it believes he is located somewhere on the ethernet interface and never
    returns it to the ATM interface.

    After what you said that makes sense. That would be why the non-routable IP
    did work locally but not on the net. (I had wondered why the examples had
    non-routable IP's and just assumed the Cisco acted like a proxy. Apparently
    this is not correct and the non-routable IPs were just examples and should
    have been routable.)

    So, if I am learning and understand it correctly I think I should divide one
    group of IP's in half (or whatever) and assign those IP's to the DSL user
    pool for their connection. This part would not be included in the ip route
    for the fastethernet interface, right?

    But, if I am on the right track here is where I am confused. I would think
    I would also the other IP assigned to the DSL users to the ATM interface but
    I am not sure how I would do it.

    In the example above "ip route 0.0.0.0 0.0.0.0 209.176.17.65" uses an IP
    that is on the other side of the upstream provider through the ATM
    interface. But, while the DSL users are on the ATM interface they are not
    on the PVC that uses that IP. The non-routable IP's seemed to get traffic
    back so perhaps ATM is ATM to the router and it does not care about the
    pvc's?

    I think I am headed in the right direction thanks to the suggestions I got
    but I have been up most of the last few nights trying this so I will wait
    until morning when I am a bit more awake and can get a dsl user to help
    test.

    If anyone has any input or perhaps a "hey stupid don't do that!" that I need
    to know or that would help I would appreciate it.

    Again, thank you to both Walter and Paul for the input, time and suggestions
    you spent to help with this.

    John Winters
     
    jwinters, Jan 14, 2005
    #12
  13. jwinters

    PES Guest

    Yes, even though there is a certain group of addresses assigned to dsl
    and a certain group assigned to ras, and they are sharing the same
    subnet you have a problem.

    Let me give you an example with rfc1918 addresses. Assume you had been
    assigned 192.168.1.x by your isp (this is completely fictitious). You
    are guessing that you may have half dial up and half dsl. You create a
    pool of 1-126 on the ras side and a pool of 129-254 on the dsl side.
    This is actually a clean place to break, your pools may not have this
    luxury. In this case, the netmask assigned to the dial users should be
    255.255.255.255 or 255.255.255.128. The dsl users should be
    255.255.255.128. The 7206 should have the following entries

    int atm bla
    ip address 192.168.1.128 255.255.255.128

    ip classless
    ip route 192.168.1.1 255.255.255.128 <ip of ras server>
     
    PES, Jan 14, 2005
    #13
  14. jwinters

    PES Guest

    I don't recommend routing the way the two routes are going out the
    ethernet. Basically you are dependent on something called proxy arp
    which should be avoided. In the above example I would do the following

    ip route 0.0.0.0 0.0.0.0 209.176.17.65
    ip route 207.178.2.0 255.255.255.0 <next hop IP>
    ip route 209.159.13.0 255.255.255.0 <next hop IP>

    The router knows what is directly connected so it will arp directly for
    the mac of the next hop. Additionally, if the above nets are directly
    on an interface, you do not need them.
     
    PES, Jan 14, 2005
    #14
  15. :At the bottom of the config it did have the following.

    :ip route 0.0.0.0 0.0.0.0 209.176.17.65
    :ip route 207.178.2.0 255.255.255.0 FastEthernet0/0
    :ip route 209.159.13.0 255.255.255.0 FastEthernet0/0

    To answer a question you had: order does not matter, as it
    always takes the most specific subnet when it is doing routing.

    :I was confused because the first one did not indicate an interface.
    :Additionally I did not know where the .65 came from and was expecting it to
    :be either *.66 or *.67 which were the two assigned for the ATM connection
    :connected to the upstream provider.

    .65 is the IP on the other end. .66 is the IP on your end.
    .67 is the broadcast address for the subnetwork. .64 (not mentioned)
    is the start of the subnetwork and is reserved.

    :> You can look at the routing table by commanding "show route".

    :There is nothing there! It is blank.

    Sorry, my mistake, should be "show ip route". I'm too accustomed
    to the PIX these days...
     
    Walter Roberson, Jan 14, 2005
    #15
  16. jwinters

    jwinters Guest

    Hi Paul,

    I was going to change this as the example above but am not sure if I can.

    Both of these leave the router to a switch (which does not have its own IP)
    and then off to the servers/equipment. So, I don't think I can enter a
    gateway IP of anything after the router because there is not any one IP.

    In the second part you indicate that if the nets are directly on an
    interface I don't need this. Am I right to assume that you mean it has the
    ip address listed under the interface then it does not need to be listed
    again below in the config? It is listed as shown below but it also has the
    "secondary" used there too.

    interface FastEthernet0/0
    ip address 207.178.2.1 255.255.255.0 secondary
    ip address 209.159.13.1 255.255.255.0

    As a bit of history. The upstream ISP spent weeks trying to get his
    connection to work. It turned out to be faulty IOS but in the mean time I
    suspect many things were tried and just left in the config after everything
    started to work.

    Thank you for the response and I am still trying to figure out how to make
    the change you suggest. - JW
     
    jwinters, Jan 15, 2005
    #16
  17. jwinters

    jwinters Guest

    Hi Walter and Phil,


    After reading what the two of you contributed I thought I had it.

    It did make sense that it would need the subnet, especially after using the
    show ip route command as directed by Walter.

    I *think* I followed everything presented (except the "secondary" issue I
    just responded to) and I still have the same problem.

    Basically I split a class C into half and assigned one half to the ethernet
    (ras) and the other to the ATM (DSL).

    For example: (I know these are non-routable IP and I'm just making it simple
    to follow.)

    I took one Class C (100.100.1.1) and divided it in two.
    The first half I assigned to the ethernet port for the RAS

    interface FastEthernet0/0
    ip address 100.100.1.1 255.255.255.128
    ip address 200.200.1.1 2555.255.255.0 secondary

    The second half I added to the ATM port associated with the DSL users.

    interface ATM2/0.20 multipoint
    ip address 100.100.100.129 255.255.255.128

    and below it says:

    ip classless
    ip route 0.0.0.0 0.0.0.0 300.300.1.65 (assigned to ATM 2/0.10)
    ip address 100.100.1.1 255.255.255.128 FastEthernet0/0
    ip address 200.200.1.1 2555.255.255.0 FastEthernet0/0
    interface FastEthernet0/0

    show ip route:

    Gateway of last resort is 300.300.1.65 to network 0.0.0.0

    300.300.1.0/30 is subneted, 1 subnets
    C 300.300.1.64 is directly connected, ATM2/0.10
    C 200.200.1.0/24 is directly connected, FastEthernet0/0
    100.100.1.0/24 is variably subnetted, 9 subnets, 2 masks
    C 100.100.1.0/25 is directly connected, FastEthernet0/0
    C 100.100.1.203/32 is directly connected, Virtual-Access4
    C 100.100.1.202/32 is directly connected, Virtual-Access6
    C 100.100.1.201/32 is directly connected, Virtual-Access3
    C 100.100.1.200/32 is directly connected, Virtual-Access5
    C 100.100.1.206/32 is directly connected, Virtual-Access2
    C 100.100.1.205/32 is directly connected, Virtual-Access7
    C 100.100.1.204/32 is directly connected, Virtual-Access8
    C 100.100.1.128/25 is directly connected, ATM2/0.20
    S* 0.0.0.0/0 [1/0] via 300.300.1.65

    So, here are numbers for my example.

    DSL user is at 100.100.1.200
    Dialup user is 100.100.1.100

    DSL user can go out anywhere on the net. DSL user can not go to
    200.200.1.14 via web or ping. Also have problems with the lower range of
    the subnet, ie, 100.100.1.25

    The DNS @ 200.200.1.2 can be pinged and they can get a web page located at
    200.200.1.105 which is on the same server as the DNS 200.200.1.2

    From my understanding of the examples it all looks right to forward traffic
    to the right place.

    When the dsl user on 100.100.1.200 tried to trace route to 200.200.1.14 it
    does show the 100.100.1.1 of the fastethernet port but then times out before
    ever going anywhere else.

    Anything obvious or any ideas? - JW
     
    jwinters, Jan 15, 2005
    #17
  18. jwinters

    PES Guest

     
    PES, Jan 17, 2005
    #18