10-20-2015 06:34 PM - edited 03-05-2019 02:33 AM
"For HSRP circuits, it is a requirement that Datacenter use the first 3 available IPs in the routing network. Datacenter must assign 1.1.1.66 to one of our routers.
1.1.1.68-1.1.1.70 are the only IPs your company can use on the routing network.
The usable IP range for 2.2.2.128/28 is 2.2.2.129-2.2.2.142. You may configure this network however you want within your internal network, just be aware that we will be sending all traffic destined for that network to 1.1.1.68."
This is what I got from my Datacenter guys. I have a 1941 router with 2 gigabit ports. I am confused on how I should set this up. Please help.
10-20-2015 08:18 PM
You are receiving two ranges of IP:
1- 1.1.1.64/29.
In this range 1.1.1.65 to 1.1.1.70 are usable, but your ISP is using the first three IPs, so you need to put 1.1.1.68 on your router interface and then configure a default route to the data center.
IP route 0.0.0.0 0.0.0.0 1.1.1.66
Data center will have a route toward 1.1.1.68 which will be placed on your router.
2- 2.2.2.128/28
You can put 2.2.2.129 on your other router interface and assign 130 to 142 to your computers or other devices inside your network.
It was only a basic example. You might implement a different scenario based on the number of users inside your network, your network topology, the type of link you get from the data center, etc.
Masoud
10-21-2015 03:33 AM
That's what I thought too. So am I NAT'ing 2.2.2.128/28 to 1.1.1.68? 2.2.2.128/28 are public IPs.
10-21-2015 05:25 AM
With my scenario, you do not need NAT because 2.2.2.128/28 is public. You are receiving two ranges of public IPs. But you may use NAT if you have more devices in your network. You can NAT your local network (let's say 192.168.1.0/24) to 2.2.2.128 and also to 1.1.1.68-70.
Masoud
10-23-2015 11:01 AM
Thanks. That worked. Just one small issue now: clients behind the router with public IPs are unable to ping anything past the routers. I removed "no ip redirects" and "no ip unreachables" from the interface. Any ideas?
10-23-2015 11:28 AM
Can you share your router config? What is the IP of client and its gateway?
Try to use extended ping inside your router. Try to ping an external IP like 4.2.2.4 or 8.8.8.8:
Router#ping 4.2.2.4 source 1.1.1.68
Router#ping 4.2.2.4 source 2.2.2.129
If you receive replies from the first ping and do not receive any from the second, call your ISP.
If you receive replies from both, check your configuration.
Masoud
10-24-2015 10:21 AM
Below is the config. I tried pinging using both interfaces as source and both are successful. The clients use 2.2.2.129 as gateway. The client machines are Ubuntu. I try pinging the same from them and it doesn't work.
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$KodW$O6tniShaSK2i0eJIRrW1L1
enable password 7 06242B12081D1D0C1556534A2C
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
no ip bootp server
ip domain name bdsmsp.com
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FTX154201AW
!
!
username bdsadmin password 7 096E6A3A5D5603071B4D456B0B
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no mop enabled
!
interface GigabitEthernet0/0
 description connection to IO
 ip address 1.1.1.70 255.255.255.248
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description public IPs
 ip address 2.2.2.129 255.255.255.240
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 1.1.1.66
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
!
no cdp run
!
snmp-server community public RO
!
!
!
control-plane
!
!
!
line con 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line 2
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 0803687D4D4A1102024A4D450A
 login authentication local_auth
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
10-24-2015 07:05 PM
Hello,
"just be aware that we will be sending all traffic destined for that network to 1.1.1.68."
Based on the line above, you need to change the IP of GigabitEthernet0/0 to 1.1.1.68. And also enter the command of "ip proxy-arp" under the interfaces. It does not hurt.
Is the configuration of Ubuntu correct? Try using Windows if in doubt.
Masoud
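The comparison made in the reply above, the config's addresses checked against the datacenter's allocation, can be scripted. This is an added example, not part of the thread: the function names and the trimmed config excerpt are constructed for illustration, and the addresses are the ones quoted in the thread.

```python
import ipaddress
import re

# Allocation quoted from the datacenter's message in this thread.
TRANSIT = ipaddress.ip_network("1.1.1.64/29")
ROUTED = ipaddress.ip_network("2.2.2.128/28")
ROUTED_NEXT_HOP = ipaddress.ip_address("1.1.1.68")  # provider sends ROUTED here

# Constructed excerpt: only the addressing lines of the config posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 1.1.1.70 255.255.255.248
interface GigabitEthernet0/1
 ip address 2.2.2.129 255.255.255.240
ip route 0.0.0.0 0.0.0.0 1.1.1.66
"""

def address_plan(provider_count=3):
    """Split the transit subnet into (provider-reserved, customer) hosts."""
    hosts = list(TRANSIT.hosts())
    return hosts[:provider_count], hosts[provider_count:]

def parse_config(text):
    """Return ({interface name: ip_interface}, [default-route next hops])."""
    interfaces, next_hops, current = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            interfaces[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            next_hops.append(ipaddress.ip_address(m[1]))
    return interfaces, next_hops

def check(text):
    """List mismatches between a config and the provider's allocation."""
    provider, customer = address_plan()
    interfaces, next_hops = parse_config(text)
    findings = []
    if ROUTED_NEXT_HOP not in {i.ip for i in interfaces.values()}:
        findings.append(f"no interface owns {ROUTED_NEXT_HOP}, where {ROUTED} is routed")
    for name, iface in interfaces.items():
        if iface.network == TRANSIT and iface.ip not in customer:
            findings.append(f"{name} uses provider-reserved address {iface.ip}")
    for hop in next_hops:
        if hop not in provider:
            findings.append(f"default route next hop {hop} is not a provider address")
    return findings
```

Run against the posted addressing, `check(SAMPLE_CONFIG)` reports only that no interface holds 1.1.1.68. It cannot tell which of the three provider addresses is the working gateway, so a next hop of 1.1.1.66 passes this check.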
10-24-2015 11:35 PM
Hi,
Apparently the Datacenter guys gave us the wrong Gateway. I changed the Gateway to 1.1.1.65 from 1.1.1.66 and everything started to work. Thanks for all your help!
-Pratik