Cannot Reach Internal Subnet from Within Network

geauxvols1
Level 1

Good afternoon,

I'm having an issue that I hope the community can help me with.

We have a corporate LAN (192.168.0.0/24), and a secondary LAN (192.168.2.0/24) at a remote site. At the remote site, we also have an internal network of servo-controllers which operate on 10.10.0.0/16, where each zone has its own group of IP addresses (i.e., 10.10.0.0/24 for Zone 0, 10.10.1.0/24 for Zone 1, etc.)

What we need is the ability to access the 10.10.0.0/16 machines from the others. Eventually, we will need to create a site-to-site VPN tunnel to allow outside users to connect to them (for monitoring purposes), but right now, we cannot even ping them, even though they are on the network and up and running. What do I need to do to be able to see the 10.10.0.0/16 on the 192.168.2.0/24 and 0.0/24?

I will post running-configs from any relevant devices shortly.

Thanks.

11 Replies

Jon Marshall
Hall of Fame

We need to know what switches etc. all the devices are connected to?

What VLANs do you have set up, and how do they relate to the IP addressing you mention?

Where do you do the routing between VLANs?

Jon

The 10.10.0.0/16 subnet is managed by a third party so I'm not sure how their infrastructure is set up, but I know the equipment terminates into a fiber run that comes back to our server room, into a fiber mod, which goes into a Dell 2824 switch, which connects to a Cisco 1841. The inside interface (FE0/0) is configured for our LAN addresses 192.168.2.0/24 and the 10.10.0.0/16 as a secondary. FE0/1 is an outside interface to another location. From that other location, we have no issues seeing the 2.0/24 devices, but we cannot see the 10.10.0.0/16 devices. The running config is provided below:
 
Current configuration : 2860 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HOSTNAME
!
boot-start-marker
boot system flash c1841-ipbasek9-mz.124-15.T8.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 ***
!
no aaa new-model
clock timezone cst -6
clock summer-time cdt recurring
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.201 192.168.2.255
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool 192.168.2.0/24
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.254
   dns-server 192.168.0.2
!
!
class-map match-all VOICE
 match access-group 100
!
!
policy-map VOICE-POLICY
 class VOICE
  priority percent 20
 class class-default
  fair-queue
!
!
interface Multilink1
 description *** MLPPP Interface ***
 no ip address
 shutdown
 ppp multilink
 ppp multilink interleave
 ppp multilink group 1
 service-policy output VOICE-POLICY
!
interface MFR1
 no ip address
!
interface FastEthernet0/0
 description INSIDE
 ip address 10.10.0.254 255.255.0.0 secondary
 ip address 192.168.2.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description OUTSIDE_ASE1
 ip address 192.168.101.2 255.255.255.0
 duplex auto
 speed auto
 service-policy output VOICE-POLICY
!
interface Serial0/0/0
 description OUTSIDE_0
 no ip address
 encapsulation ppp
 shutdown
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 description OUTSIDE_1
 no ip address
 encapsulation ppp
 shutdown
 ppp multilink
 ppp multilink group 1
!
router eigrp 1
 network 192.168.2.0
 network 192.168.101.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.202 permanent
ip route 192.168.0.0 255.255.255.0 192.168.101.1
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 100 permit ip host 192.168.2.240 host 192.168.0.240
access-list 100 permit ip host 192.168.2.240 host 192.168.0.241
!
!
control-plane
!
!
line con 0
 password ***
 logging synchronous
 login
line aux 0
line vty 0 4
 privilege level 15
 password ***
 logging synchronous
 login
 transport input telnet
line vty 5 15
 privilege level 15
 password ***
 logging synchronous
 login
 transport input telnet
!
scheduler allocate 20000 1000
end

It looks like you are running EIGRP between this site and your other site, is that the case?

If so you need to add a "network 10.10.0.0 0.0.255.255" statement under your EIGRP configuration so it is also advertised.

Jon

I cannot confirm that the other site is using EIGRP, but the other sites (2.x, 101.x) do. Right now, the only address I can successfully ping from the 10.10.0.0/16 is 10.10.0.254.

EDIT: I can confirm after further investigation that the other site is not using EIGRP.

So are you saying any 10.10.x.x device cannot ping even the 192.168.2.254 IP on the router?

Do the 10.10.x.x devices have default gateways set to 10.10.0.254?

Jon

Allow me to clarify the topology now that I've had some time to dig into it. The 10.10.0.0/16 subnet faces our infrastructure without any sort of gateway. The devices come into our LAN via fiber, which goes into a Dell 2824, which then goes into a WIC on our Cisco 1841. The Dell is set up as a single VLAN, which I suspect is the problem. If we had an open port on the 1841, I would simply bring the 10.10.0.0/16 into its own interface there, but we don't. It has been suggested that we create a second VLAN on the 2824 for the 10.10.0.0/16. I'll likely go that route.

Had a quick look at the Dell 2824 and as far as I can tell it is L2 only, which means even if you create another VLAN it won't route between them.

Perhaps I have misunderstood what you meant?

Jon

We were planning to use a "router on a stick" configuration, something like...

interface FastEthernet0/0
 description PLANT_INSIDE
 ip address 192.168.2.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.0.254 255.255.0.0
!

And on the 2824:

!
interface FastEthernet0/1
 switchport mode trunk
!

Okay, that makes sense.

Your configuration may or may not work, i.e. I have seen it work with some IOS versions and not with others.

Firstly, for it to work either way, because fa0/0 is not a subinterface, you need to make sure the untagged VLAN (native VLAN in Cisco terminology) on the trunk link is the VLAN for the 192.168.2.0/24 subnet.

Otherwise fa0/0 will receive a tagged packet and won't know what to do with it.

Even if you do that, I have seen occasions where it doesn't work. So you would need to -

1) create a new subinterface for the existing VLAN and remove the IP address from the main interface.

2) allocate the IP to the new subinterface and then add the encapsulation command.

If the existing VLAN is untagged on the trunk link then it would be -

"encapsulation dot1q <vlan ID> native"

If both VLANs are tagged on the trunk link then -

"encapsulation dot1q <vlan ID>"

Like I say, it may work if you just ensure the existing VLAN, i.e. the one for 192.168.2.0/24, is untagged on the trunk link.

Apologies if I am telling you things you already know.

Jon
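The two pieces of advice in this thread (advertise 10.10.0.0/16 into EIGRP, and move both subnets onto 802.1Q subinterfaces with the 192.168.2.0/24 VLAN as native) combined into one 1841 configuration, as an added example that is not from the original thread or any of its posters. It assumes VLAN 1 carries 192.168.2.0/24 and VLAN 10 carries 10.10.0.0/16 (placeholder IDs), and that the controllers use 10.10.0.254 as their default gateway, which Jon asked about above.

```ios
! --- Before: as posted, both subnets on the physical interface ---
interface FastEthernet0/0
 description INSIDE
 ip address 10.10.0.254 255.255.0.0 secondary
 ip address 192.168.2.254 255.255.255.0
!
router eigrp 1
 network 192.168.2.0
 network 192.168.101.0
 no auto-summary
!
! --- After: one subinterface per VLAN, no IP on the physical interface ---
! Assumed VLAN IDs: 1 = 192.168.2.0/24 (native/untagged), 10 = 10.10.0.0/16
interface FastEthernet0/0
 description PLANT_INSIDE 802.1Q trunk to the Dell 2824
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 description LAN 192.168.2.0/24, untagged on the trunk
 encapsulation dot1Q 1 native
 ip address 192.168.2.254 255.255.255.0
!
interface FastEthernet0/0.10
 description Servo controllers 10.10.0.0/16, tagged as VLAN 10
 encapsulation dot1Q 10
 ip address 10.10.0.254 255.255.0.0
!
router eigrp 1
 network 192.168.2.0
 network 192.168.101.0
 network 10.10.0.0 0.0.255.255
 no auto-summary
!
! On the 2824, the port facing Fa0/0 must be a trunk that leaves VLAN 1
! untagged and carries VLAN 10 tagged; the controller ports are access
! ports in VLAN 10.
!
! Checks: "show interfaces fa0/0.10" should report 802.1Q encapsulation
! with line protocol up; "show ip route" should list both subnets as
! directly connected; on the other EIGRP site "show ip route eigrp"
! should now include 10.10.0.0/16.
!
! Note: once routed, the third-party controller subnet is reachable from
! the whole LAN; an inbound ACL applied to Fa0/0.10 is the place to limit
! which hosts may talk to it when the monitoring VPN is added later.
```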

Quite the contrary, all of this is new to me. I've worked with firewalling and VPN, but this is uncharted territory... call it on-the-job training, literally. Thanks for your input, and I will report back with my success, or lack thereof.

Andrew.C11
Level 1

Yeah, throw in some more details; you probably have a mismatch in your inter-VLAN routing or even your routing.

Maybe start at your layer 2 and check all the correct VLANs are correctly done.
