08-17-2015 08:01 AM - edited 03-05-2019 02:04 AM
Good morning everyone,
I hope someone here can assist me with the situation I am facing. I am a network administrator who has been assigned the task of adding a secondary router to a redundant backup third-party-provided internet circuit. This router will serve two purposes: firstly, it will serve out DHCP addresses through a DHCP pool, and secondly, it will accommodate 2 Unifi AP access points. I'll show my config below, but the end result is that I cannot ping the outside router interface that the ISP has provided, which ultimately should allow me to get on the internet. My config is below:
CLTCHIEF2#show run
Building configuration...
Current configuration : 1934 bytes
!
! Last configuration change at 17:52:47 UTC Sun Mar 3 2002
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CLTCHIEF2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fMm.$fVzzs3q6pnSM6avr03Nho1
enable password 7 12211D0E081115
!
no aaa new-model
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 172.16.102.1 172.16.102.99
ip dhcp excluded-address 172.16.102.151 172.16.102.254
!
ip dhcp pool CLT2WIRELESS
network 172.16.102.0 255.255.255.0
default-router 172.16.102.1
domain-name INTERNAL.COM
lease 7
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
bridge irb
!
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN INTERFACE
ip address 50.58.80.82 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description VLAN WIRED AND WIRELESS
no ip address
no ip redirects
bridge-group 1
!
interface BVI1
description VIRTUAL BONDED INTERFACE
ip address 172.16.102.2 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly max-reassemblies 1024
ip tcp adjust-mss 1360
load-interval 30
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 150 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 172.16.102.1
ip route 0.0.0.0 0.0.0.0 50.58.80.81
!
access-list 150 remark NAT TRANSLATIONS
access-list 150 permit ip 172.16.102.0 0.0.0.255 any
!
!
!
snmp-server community public RO
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 07173955541300
login
transport input all
!
end
Does this config look right?
Thank-you.
08-17-2015 08:41 AM
I wonder why you have two default routes
ip route 0.0.0.0 0.0.0.0 172.16.102.1
ip route 0.0.0.0 0.0.0.0 50.58.80.81
I understand the second one which will direct traffic to the provider router connected to FastEther0 but am puzzled about the default route with 172.16.102.1 as the next hop. In this config the router will try to use both default routes. It seems to me that it would be better logic if one were primary and the other was a backup route.
But I do not think that this has anything to do with whether the router can ping the external router or not. Would you post the output of show ip interface brief from the router? Also please post the output of show arp (or maybe show ip arp) from the router.
HTH
Rick
08-17-2015 08:46 AM
Here is the ip int brief you wanted:
CLTCHIEF2#show ip int brief
Interface IP-Address OK? Method Status Protocol
BVI1 172.16.102.2 YES NVRAM up up
Dot11Radio0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset up down
FastEthernet4 unassigned YES NVRAM up up
NVI0 unassigned YES unset administratively down down
Vlan1 50.58.80.82 YES NVRAM up up
And here is the arp output.
CLTCHIEF2#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 50.58.80.82 - 001e.4ac3.7ccf ARPA Vlan1
Internet 172.16.102.2 - 001e.4ac3.7ccf ARPA BVI1
Another problem I have is that every time I introduce the BVI I lose my DHCP functionality; it comes up on my laptop with limited connectivity.
Thank-you.
08-17-2015 08:46 AM
Hi there,
Please remove this static route: "ip route 0.0.0.0 0.0.0.0 172.16.102.1"
You cannot have two default routes pointing to two different IP addresses, so remove the above and try it again.
thanks
08-17-2015 08:58 AM
OK, removed that line. I will report what the result is, but until I get my DHCP problem resolved I won't be able to use the ping command with any success.
08-17-2015 09:05 AM
I disagree with the statement that you "cannot" have two default routes to two different IP addresses. You absolutely can have this. The real question here is whether you "should" have this. Until we hear from the original poster explaining why it is configured this way we do not know whether it should or not be configured this way.
The output of show arp is informative. The router sees its own MAC address but does not see the MAC address of the provider router. This is why ping was not working. The fact that we are not learning the MAC of the provider router indicates that either there is some problem at layer 1 or 2 or there may be a misconfigured IP address. Since the interface shows as up/up it would seem that layer 1 and 2 are probably working.
HTH
Rick
08-17-2015 10:04 AM
So based on that, here is my question: when you plug a cable from FE4 (WAN) into the provider router interface, which in this case is G0/1, shouldn't the FE4 interface in the IOS have an IP assigned to it so that the internet can be reached?
08-17-2015 11:37 AM
The configuration you posted and the "sh ip int brief" don't match, i.e. the 50.x.x.82 IP is assigned to different interfaces.
So which is it meant to be?
Jon
08-17-2015 11:37 AM
Here is the reconfigured config. I have removed the bridging based on the fact that I don't intend on using the built-in wireless.
CLTCHIEF2#show run
Building configuration...
Current configuration : 1624 bytes
!
! Last configuration change at 00:26:34 UTC Fri Mar 1 2002
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CLTCHIEF2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fMm.$fVzzs3q6pnSM6avr03Nho1
enable password 7 12211D0E081115
!
no aaa new-model
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 172.16.102.1 172.16.102.99
ip dhcp excluded-address 172.16.102.151 172.16.102.254
!
ip dhcp pool CLT2WIRELESS
network 172.16.102.0 255.255.255.0
default-router 172.16.102.1
domain-name INTERNAL.COM
lease 7
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN INTERFACE
ip address 50.58.80.82 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed 100
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description VLAN WIRED
no ip address
no ip redirects
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 150 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.58.80.81
!
access-list 150 remark NAT TRANSLATIONS
access-list 150 permit ip 172.16.102.0 0.0.0.255 any
!
!
!
snmp-server community public RO
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 07173955541300
login
transport input all
!
end
08-17-2015 11:41 AM
Okay, couple of things -
1) you need to assign 172.16.102.1 to an interface otherwise your client access won't work.
2) can you try pinging the ISP address again and then repost -
"sh ip arp"
"sh ip int br"
Jon
08-18-2015 06:56 AM
Jon,
Can you give me an example of assigning 172.16.102.1, which I understand is the default gateway for my internal network, to an interface? Are you referring to a virtual interface such as a VLAN?
08-18-2015 07:03 AM
From config mode -
int vlan 1
ip address 172.16.102.1 255.255.255.0
then do a "sh ip int brief" to make sure it is up/up.
Jon
08-18-2015 07:05 AM
Yes, it would be on vlan 1. It would look something like
interface vlan 1
ip address 172.16.102.1 255.255.255.0
Have you tried to ping the external router from the 871?
HTH
Rick
08-18-2015 08:07 AM
OK, things are starting to look up now. I am now getting served an IP address through the DHCP service; now all I need to do is add the route to get out to the internet.
Now as far as fa4, my ISP gave me an IP address of 50.58.80.82 to use. Should I tie that to fa4 along with the DNS info?
Updated config
Current configuration : 1373 bytes
!
! Last configuration change at 00:33:40 UTC Fri Mar 1 2002
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CLTLVLTHREE
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$b126$CBurGrg/NkVtK63I7p4fg.
enable password 7 05331E163B5657
!
no aaa new-model
!
!
dot11 syslog
ip source-route
no ip routing
ip dhcp excluded-address 172.16.102.1 172.16.102.99
ip dhcp excluded-address 172.16.102.151 172.16.102.254
!
ip dhcp pool CLTLVL3
network 172.16.102.0 255.255.255.0
default-router 172.16.102.1
domain-name CLTINTERNAL.COM
lease 7
!
!
no ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 172.16.102.1 255.255.255.0
no ip route-cache
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 1111011C0D0812
login
transport input all
!
end
08-18-2015 08:30 AM
Did you just clear the whole configuration? Because you don't have an IP on fa4 and all your NAT configuration has gone.
So -
1) enable routing ie. "ip routing"
2) configure fa4 with 50.x.x.82 and add a default route to 50.x.x.81 assuming these are the actual IPs.
Note this is a public forum, so can you go through your posts in this thread and do as I have done with the public IPs.
3) add your NAT rules back in
Then from your router if you can ping the ISP address try connecting from a client.
Edit - DNS settings depend on whether you have any DNS servers internally. If not, your ISP should have given you some and you need to include these in your DHCP pool configuration so your clients get them with their IP address.
Jon
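The points raised in the replies above (routing enabled, the DHCP default-router address assigned to a live interface, a default route whose next hop sits on a connected subnet, and NAT rules with inside and outside interfaces marked) can be checked offline against a saved "show run". The following is an added example, not posted by anyone in the thread; the function name, finding labels and sample config are constructed for illustration.

```python
import ipaddress
import re

def audit(cfg):
    """Return findings for a saved IOS running-config (added example)."""
    ifaces, cur, out = {}, None, []
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"ip": None, "down": False, "nat": None})
        elif line == "!":
            cur = None                      # "!" closes the interface block
        elif cur is not None:
            m = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if m:
                cur["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif line == "shutdown":
                cur["down"] = True
            elif line in ("ip nat inside", "ip nat outside"):
                cur["nat"] = line.split()[-1]
    live = [i for i in ifaces.values() if i["ip"] is not None and not i["down"]]
    if re.search(r"^\s*no ip routing\s*$", cfg, re.M):
        out.append("routing-disabled")
    for gw in re.findall(r"^\s*default-router (\S+)", cfg, re.M):
        if not any(str(i["ip"].ip) == gw for i in live):
            out.append(f"dhcp-gateway-unassigned:{gw}")
    hops = re.findall(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    if not hops:
        out.append("no-default-route")
    for hop in hops:                        # only IP next hops are checked
        if re.fullmatch(r"[\d.]+", hop) and not any(
                ipaddress.ip_address(hop) in i["ip"].network for i in live):
            out.append(f"default-route-unreachable:{hop}")
    nat = re.search(r"^\s*ip nat inside source list (\d+) interface (\S+) overload", cfg, re.M)
    if not nat:
        out.append("no-nat-rule")
    else:
        if ifaces.get(nat[2], {}).get("nat") != "outside":
            out.append(f"nat-outside-missing:{nat[2]}")
        if not any(i["nat"] == "inside" for i in live):
            out.append("nat-inside-missing")
    return out

# Constructed sample, condensed from the state of the last config in the thread.
SAMPLE = ("no ip routing\nip dhcp pool CLTLVL3\n default-router 172.16.102.1\n!\n"
          "interface FastEthernet4\n no ip address\n shutdown\n!\n"
          "interface Vlan1\n ip address 172.16.102.1 255.255.255.0\n!\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty list means all of the checks pass; it does not prove the ISP side is reachable, which still needs the ping and "sh ip arp" test described above.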