
1941 router HSRP/WAN LAN Setup

"For HSRP circuits, it is a requirement that Datacenter use the first 3 available IPs in the routing network. Datacenter must assign 1.1.1.66 to one of our routers.

1.1.1.68-1.1.1.70 are the only IPs your company can use on the routing network.

The usable IP range for 2.2.2.128/28 is 2.2.2.129-2.2.2.142. You may configure this network however you want within your internal network, just be aware that we will be sending all traffic destined for that network to 1.1.1.68."

 

This is what I got from my Datacenter guys. I have a 1941 router with 2 gigabit ports. I am confused on how I should set this up. Please help.


You are receiving two ranges of IP:

1- 1.1.1.64/29. 

In this range 1.1.1.65 to 1.1.1.70 are usable, but your ISP is using the first three IPs, so you need to put 1.1.1.68 on your router interface and then configure a default route to the data center.

IP route 0.0.0.0 0.0.0.0 1.1.1.66

Data center will have a route toward 1.1.1.68 which will be placed on your router.
 

 

2-   2.2.2.128/28 

You can put 2.2.2.129 on your other router interface and assign 130 to 142 to your computers or other devices inside your network.

 

It was only a basic example. You might implement a different scenario based on the number of users inside your network, your network topology, the type of link you get from the data center, or ...

Masoud

That's what I thought too. So am I NAT'ing 2.2.2.128/28 to 1.1.1.68? 2.2.2.128/28 are public IPs.

With my scenario, you do not need NAT because 2.2.2.128/28 is public. You are receiving two ranges of public IPs. But you may use NAT if you have more devices in your network. You can NAT your local network (let's say 192.168.1.0/24) to 2.2.2.128 and also to 1.1.1.68-70.

 

Masoud

Thanks. That worked. Just one small issue now: clients behind the router with public IPs are unable to ping anything past the routers. I removed "no ip redirects" and "no ip unreachables" from the interface. Any ideas?

Can you share your router config? What is the IP of client and its gateway?

 

Try to use extended ping inside your router. Try to ping an external IP like 4.2.2.4 or 8.8.8.8

Router#Ping 4.2.2.4 source 1.1.1.68

router#Ping 4.2.2.4 source 2.2.2.129

If you receive replies from the first ping and do not receive them from the second, call your ISP.

If you receive replies from both, check your configuration.

Masoud


 

Below is the config. I tried pinging using both interfaces as source and both are successful. The clients use 2.2.2.129 as gateway. The client machines are Ubuntu. I try pinging the same from them and it doesn't work.

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!

!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$KodW$O6tniShaSK2i0eJIRrW1L1
enable password 7 06242B12081D1D0C1556534A2C
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
no ip bootp server
ip domain name bdsmsp.com
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FTX154201AW
!
!
username bdsadmin password 7 096E6A3A5D5603071B4D456B0B
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no mop enabled
!
interface GigabitEthernet0/0
 description connection to IO
 ip address 1.1.1.70 255.255.255.248
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description public IPs
 ip address 2.2.2.129 255.255.255.240
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 1.1.1.66
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
!
no cdp run
!
snmp-server community public RO
!
!
!
control-plane
!
!

!
line con 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line 2
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 0803687D4D4A1102024A4D450A
 login authentication local_auth
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Hello,

 

"just be aware that we will be sending all traffic destined for that network to 1.1.1.68."

Based on the line above, you need to change the IP of GigabitEthernet0/0 to 1.1.1.68. Also enter the command "ip proxy-arp" under the interfaces. It does not hurt.

Is the configuration of Ubuntu correct? Try using Windows if you are in doubt.

Masoud
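
The addressing check behind the reply above, as an added example that is not part of the original thread: it parses the interface and default-route lines of the posted config and compares them with the datacenter's allocation. The constant names, function names and the trimmed sample config are constructed for illustration.

```python
import ipaddress
import re

# Assumptions taken from the datacenter's message quoted in the thread.
PROVIDER_RESERVED = 3                              # "first 3 available IPs"
ROUTED_VIA = ipaddress.ip_address("1.1.1.68")      # where 2.2.2.128/28 is sent
ROUTED_NET = ipaddress.ip_network("2.2.2.128/28")

# Constructed sample: only the relevant lines of the posted config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 1.1.1.70 255.255.255.248
interface GigabitEthernet0/1
 ip address 2.2.2.129 255.255.255.240
ip route 0.0.0.0 0.0.0.0 1.1.1.66
"""

def parse(config):
    """Return ({interface name: IPv4Interface}, [default-route next hops])."""
    ifaces, hops, current = {}, [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            ifaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            hops.append(ipaddress.ip_address(m.group(1)))
    return ifaces, hops

def check(config):
    """List mismatches between the config and the datacenter's allocation."""
    ifaces, hops = parse(config)
    wan = next((i for i in ifaces.values() if ROUTED_VIA in i.network), None)
    if wan is None:
        return ["no interface on the routing network"]
    hosts = list(wan.network.hosts())
    reserved, customer = hosts[:PROVIDER_RESERVED], hosts[PROVIDER_RESERVED:]
    findings = []
    if wan.ip not in customer:
        findings.append(f"{wan.ip} is reserved for the datacenter")
    if wan.ip != ROUTED_VIA:
        findings.append(f"{ROUTED_NET} is routed to {ROUTED_VIA}, but the router is {wan.ip}")
    for hop in hops:
        if hop not in reserved:
            findings.append(f"default next hop {hop} is not a datacenter address")
    if not any(i.network == ROUTED_NET for i in ifaces.values()):
        findings.append(f"no interface serves {ROUTED_NET}")
    return findings
```

The check only confirms that the next hop is one of the three datacenter addresses; it cannot tell which of them is the working gateway, which in this thread turned out to be 1.1.1.65 rather than 1.1.1.66.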

 

Hi,

 

Apparently the Datacenter guys gave us the wrong Gateway. I changed the Gateway to 1.1.1.65 from 1.1.1.66 and everything started to work. Thanks for all your help!

 

-Pratik
