Solved: Basic Routing. Trying to learn. Need help.

Chris Mickle · ‎07-12-2015

I just bought a Cisco study lab in order to try to further teach myself about routing and switching on Cisco devices. I have been doing some reading and decided that I would design and build my own topology using the equipment I purchased. I have (2) 1721 routers, (2) 2610XM routers, (1) 2811 router and (3) 2960 switches. I decided that for my first project, I would try to use the routers to simulate two different LANs connected to their ISPs which were connected to the real internet. My topology is as follows...

Please forgive the crudeness of the above diagram. Hopefully it is clear what I'm trying to do. The two 1721s that are acting as the "internet gateways" are running DHCP on their Ethernet interfaces and NAT. All routers are running RIP V1. Everything seems to work as it's supposed to except that the 2811 is supposed to provide access to the real internet via my LAN and it does not. I can ping each computer from the other and I can ping all the interface IPs on each router from both PCs and from all the other routers. I can ping all the way to IP address 192.168.0.200 which is the IP of F0/0 on the 2811 that is connected to my LAN. From the 2811, I can ping 192.168.0.1 which is my LAN firewall's inside interface. I worked on it for several hours yesterday and I have just run out of ideas. I know that I am missing something, I'm just not sure what it is.

Any help would be much appreciated.

Richard Burts · ‎07-15-2015

Chris

It is interesting that the firewall is a PIX that you configured. In that case it is possible to have the PIX do the address translation for all of the inside addresses and not need the 2811 to do it. And depending on how you configured the PIX it may be that it is already set up to translate all of the inside addresses, in which case all the PIX needs are routes to the subnets in your LAB environment.

It should be possible to set up a point to point serial, though it may not function with all the attributes of a carrier circuit. You are quite right that there are no serial cards for the PIX so the serial connection will need to be from the 2811.

I do not believe that it is possible to configure a HSRP virtual interface and have it learn its IP address using DHCP. So another interface on the 2811 will be needed.

Yes I believe that some NAT will be involved to map the address used through the serial connection to the address that is routable on the Internet.

The serial interfaces will need some clock source and it seems reasonable to have the 2811 do this. The clocking is usually supplied on the interface that is treated as DCE and the error message you are getting indicates that the 2811 does not think that its interface is DCE. And thinking of the interfaces brings up the question of how you are connecting them. I assume that these interfaces take RJ45 connectors? And probably you have used regular Ethernet cable to connect them? The pin outs for serial T1 are different from the pin outs for Ethernet and so you really should get a cable with the serial pin outs.

The clock rate and the bandwidth for the serial connection is kind of interesting and is a surprise to many people who are just getting acquainted with serial connections. The answer is actually pretty simple. The clock rate determines the speed of the connection (or how quickly a given amount of data can be transmitted). Many beginners intuitively believe that bandwidth controls the speed of the interface. But that is not the case. The Bandwidth configuration of the interface is descriptive of the operation of the interface but does not have any real effect on the speed of the interface. The bandwidth command is there mostly for any software running on the router that wants to know how fast the interface is running (for example for EIGRP which uses bandwidth as part of its metric calculation, or OSPF which also uses bandwidth in its calculation of cost.

I believe that what you describe can be done. Whether there is a better way depends in part on how you define your objectives, and depends in part on how you would evaluate the alternatives. If your objective is to gain experience with using serial point to point then I am not sure that there is any better. If your objective is to emulate a carrier environment then it comes up a bit short. You do not have external clocking which you would get with a true carrier, and you do not have a monitoring service checking on the performance of the serial link which you would with a true carrier, you do not have someone to call if there is a cable cut which you would with a true carrier, you will not receive periodic reports of the performance of the link which you might get from a true carrier.

As a project for a beginner in networking I believe that it has merit and I encourage you to undertake it.

HTH

Rick

HTH

Rick

View solution in original post

johnd2310 · ‎07-12-2015

Hi,

Is the NAT on your Internet firewall configured correctly for the 192.168.10.0/24 and 192.168.20.0/24 networks?

Does the Internet firewall know how to get back to the 192.168.10.0/24 and 192.168.20.0/24 networks?

Thanks

John

**Please rate posts you find helpful**

Chris Mickle · ‎07-13-2015

Why would my LAN firewall have to be aware of 192.168.10.0/24 and 192.168.20.0/24? Wouldn't the source address for internet traffic from PC1 and PC2 ultimately be 192.168.0.200 when it reached the firewall?

johnd2310 · ‎07-13-2015

Hi,

If the 2811 router (R5) is doing NAT.

Thanks

John

**Please rate posts you find helpful**

Chris Mickle · ‎07-14-2015

It is not doing NAT. I was trying to set static routes between R3,R4 and R5

Jon Marshall · ‎07-14-2015

Chris

All your addressing is 192.168.x.x which doesn't route on the internet.

The reason (I assume) John asked if your firewall knew how to get back to 192.168.10.x and 192.168.20.x was because you said your 1721s were doing NAT so the source IPs would not be 192.168.100.x or 192.168.200.x.

Basically none of your 192.168.x.x IPs route on the internet so whatever IPs they appear as to the firewall it needs to be setup to NAT those to a public IP and it also needs to know how to get back to those subnets.

Jon

Chris Mickle · ‎07-14-2015

Oh I see! Thanks for the help. Remember I'm still at the very beginning of trying to learn.

Let me see if I understand... so in this topology, R5 would also have to perform NAT translations to a 192.168.0.0/24 address on my LAN in order for the PCs to access the internet because the source address of those computers would be on the 192.168.10.0 and 192.168.20.0 networks hence unable to use 192.168.0.1 as a gateway to the internet. That explains why the PCs can ping and tracert all the way to F0/0 on R5, but not to the next hop.

Thanks again guys!

Richard Burts · ‎07-14-2015

Chris

It sounds like you got the right understanding. And have learned an important lesson about routing and about the need to translate addresses. It is likely that your firewall is configured to do address translation as your traffic goes out to the Internet. But this firewall knows only 192.168.0.0/24 on the inside. So your R5 needs to translate the addresses from your lab setup so that the firewall recognizes them and will translate them. Note that if you have access to make changes on the firewall you might be able to configure the firewall to translate for 192.168.100.0 and 192.168.200.0 and not need R5 to do address translation. (That is another important lesson that in networking there frequently is more than one way to achieve what you want if you carefully consider the possibilities)

Good luck as you continue to learn about networking.

HTH

Rick

HTH

Rick

Chris Mickle · ‎07-15-2015

Yes, I do have access to the firewall. It is a PIX 525 that I configured myself.

That brings up another question actually... I had a thought the other day of setting up a simulated T1 for my lab that would have access to the real internet. Let me give a brief description of my production LAN environment and then my idea and hopefully I can get some feedback.

I have AT&T U-verse service with a /29 pubic IP. The AT&T RG is connected via fastethernet to a 2811. Because of an ARP limitation on the RG that allows only one public IP to be assigned per MAC address, I am using HSRP on the WAN interface of the 2811 to provide 4 virtual and 1 physical interface to the RG each of which is statically configured with an IP address in the public block. The 2811 is then NATing the public IPs to addresses in a 10.0.0.0/29 network on the LAN interface. The LAN interface is connected via fastethernet to the outside interface of a PIX 525 which has 6 physical interfaces. The PIX is then NATing 10 10.0.0.0/29 addresses into a single IP address that is routed to each inside physical interface. The end result is that I have 5 physical inside LANs each of which uses one of my available Public IPs. The first three physical LANs are used to host services in my production environment with the last two being available for testing purposes. I hope that my description was good enough to provide a clear picture of my existing topology.

My idea is as follows... Since I want to have a simulated T1, I will need to use a serial interface to connect my LAB. To the best of my (limited) knowledge, there are no serial interface cards available that I can add to the PIX so the serial interface would have to be physically installed in the 2811. In addition to the /29 IP address, the AT&T RG also has a DHCP provided public IP available for use. In other words... if I plug a computer directly in to the RG, it's DHCP server will assign a NATed private IP with a route to the DHCP assigned public IP. What I am envisioning is using that DHCP provided public IP as a gateway to the internet for my LAB. The RG does have an IP passthrough mode, but it only works with the DHCP provided public IP. This, of corse, depends on several factors and brings up several questions...

1. Since the RG will only provide a route to the desired IP address via DHCP, can a virtual interface created via HSRP be configured to obtain an IP address via DHCP or will this require the installation of a third physical fastethernet interface in the 2811?

2. Once physical connectivity is established, I assume NAT would be required to translate the "public" IP configured on the serial interface of the 2811 to the real public IP that is routable on the internet.

3. Since the goal is to emulate as closely as possible a carrier provided T1 (which is a point to point link I think), the serial interface obtained for the 2811 should be the clock provider(?) for the circuit. I have a 2811 with two WIC 1 DSU-T1 V2 interfaces in my LAB. When those interfaces are connected to WIC 1 DSU-T1 interfaces in one of the 2610XM routers in my lab and I try to set the clock rate, the 2811 says "this command only applies to DCE interfaces." The link still works between the two, but without having to sat a clock rate. I guess the WIC 1 DSU-T1 V2 can automatically set the clock rate in a point to point serial link? Also, what would be the appropriate module to obtain for my production LAN 2811 to accomplish the goal?

4. Can someone pleased explain the clock rate and bandwidth settings for serial interfaces? I understand that a point to point serial link requires a clock that both interfaces can operate on in order to establish connectivity. I also understand what bandwidth is. My question is what is the significance of a particular clock rate setting and how does it relate to bandwidth if at all? For instance, what is the difference between or effect of setting the clock rate to 64000 and/or 128000? Does this setting have anything to do with the bandwidth setting? Is there an appropriate clock rate based on type of interface or a particular bandwidth setting? It seems to me that the bandwidth setting is optional. What happens if you don't set it?

5. Lastly, can what I have described even be done and is there a better way?

Sorry for the long post and thanks again for all the help!

Richard Burts · ‎07-15-2015