Multiple VLANs on Cisco 881

mm3131398
Level 1

Hi All. I recently set up a Cisco 881 to cover a small business network. The router is currently set up and working as expected. We recently decided to move to VoIP phones and here is where I'm running into some issues. Both the engineers from the phone company and myself are at a sort of loss as to how to solve this problem, and I figured I would see if the community had any ideas before pressing the issue further.

First an overview: We run a network with a cable internet WAN connection, this connection is DHCP, however we have a static IP through our ISP. We also have a block of 30 additional IP addresses for one to one mapping as we need them. The new VoIP system is being run over T1 lines throughout the township (we are a municipal organization) and the VoIP system is being run to about 5 buildings in the township.

This brings me to the topic of VLANs. As the phone engineer explained it to me, there is a network set up over the T1 that allows the VoIP equipment to talk to one another and operates all of the VoIP phones on one network. The equipment that is being installed at our building connects to the network over the T1 and "talks" to the other equipment on the network. The engineer wants to create a VLAN and run it on ports fa1 and fa2, with the fa2 port being connected to the actual "MPLS" (their term) that connects to the T1 and into the cloud, and the fa1 port connected to the internal phone switch.

TLDR; The problem is this: When we attempt to set up the VLAN on ports fa1 and fa2, we have no connectivity with the other units in the external VoIP cloud. Pinging while directly connected to the "MPLS" yields successful pings, while pinging from the router with the "MPLS" connected to fa2 yields failures. I'm at a loss for what to do next, short of having the phone company bring in someone else. I'm going to post the running config below, I feel like what we're doing should be working. I asked around about subinterfacing, but others seemed to think this was not necessary. Any ideas?

ROUTER CONFIG

Building configuration...

Current configuration : 4909 bytes

!

! No configuration change since last restart

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

!

boot-start-marker

boot-end-marker

!

!

!

no aaa new-model

memory-size iomem 10

!

ip source-route

!

!

!

ip dhcp excluded-address 192.168.51.1 192.168.51.100

ip dhcp excluded-address 192.168.51.254

!

ip dhcp pool internal

import all

network 192.168.51.0 255.255.255.0

default-router 192.168.51.1

dns-server 192.168.51.5 8.8.8.8

!

ip cef

ip name-server 8.8.8.8

ip name-server 8.8.4.4

no ipv6 cef

!

username **********************************

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

switchport access vlan 200

no ip address

!

interface FastEthernet2

switchport access vlan 200

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

ip address dhcp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface Vlan1

ip address 192.168.51.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Vlan200

ip address 192.168.200.155 255.255.255.0

dot1x host-mode single-host

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 84600 requests 10000

!

ip nat pool webserver 24.229.79.161 24.229.79.161 prefix-length 27

ip nat inside source list 23 interface FastEthernet4 overload

ip nat inside source route-map mapWeb pool webserver overload

ip nat inside source static tcp 192.168.51.5 25 24.229.12.113 25 extendable

ip nat inside source static udp 192.168.51.5 47 24.229.12.113 47 extendable

ip nat inside source static tcp 192.168.51.5 80 24.229.12.113 80 extendable

ip nat inside source static tcp 192.168.51.5 110 24.229.12.113 110 extendable

ip nat inside source static tcp 192.168.51.5 443 24.229.12.113 443 extendable

ip nat inside source static udp 192.168.51.5 500 24.229.12.113 500 extendable

ip nat inside source static tcp 192.168.51.254 902 24.229.12.113 902 extendable

ip nat inside source static tcp 192.168.51.5 990 24.229.12.113 990 extendable

ip nat inside source static tcp 192.168.51.5 999 24.229.12.113 999 extendable

ip nat inside source static tcp 192.168.51.5 1723 24.229.12.113 1723 extendable

ip nat inside source static tcp 192.168.51.5 5678 24.229.12.113 5678 extendable

ip nat inside source static udp 192.168.51.5 5679 24.229.12.113 5679 extendable

ip nat inside source static tcp 192.168.51.5 5721 24.229.12.113 5721 extendable

ip nat inside source static tcp 192.168.51.5 26675 24.229.12.113 26675 extendable

ip nat inside source static tcp 192.168.51.25 21 24.229.79.161 21 extendable

ip nat inside source static tcp 192.168.51.25 80 24.229.79.161 80 extendable

ip nat inside source static tcp 192.168.51.25 3306 24.229.79.161 3306 extendable

!

ip access-list extended webserver

permit ip 0.0.0.25 255.255.255.0 any

!

access-list 23 permit 192.168.51.0 0.0.0.255

!

!

!

!

route-map mapWeb permit 10

match ip address webserver

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

transport output telnet ssh

!

end

10 Replies

fsebera
Level 4

Is this your issue, or have I missed it completely?

PE3#ping 172.17.30.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.17.30.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

PE3#ping vrf REG3 172.17.30.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.17.30.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

PE3#

Basically, yes. For example, connected directly to the VoIP box it is possible to ping other units in the VoIP cloud (192.168.200.2, 192.168.200.150, etc.) however once connected to the fa2 port on the router it is no longer possible to ping or communicate with those units.

I'm actually not sure what the second command you typed was, however trying that did nothing on my end. It just tried to translate vrf as a domain name.

Michael,

If you are trying to ping a client from the PE router, you MUST specify the VRF keyword followed by the of the client.

In my case if I want to ping from the PE router to the CE router, I must use the VRF keyword followed by the VRF name, which is REG3; so ping vrf REG3 .

BTW, pinging from the CE to the PE does not require the VRF , just use the ping and you're good.

HTH

Frank

I do remember that now, however I am definitely a "CE" router. I read this this morning:

MPLS VPN network services peer at Layer 3 with customer networks. The edge routers on either side of the Service Provider and Customer peering are respectively called Provider Edge (PE) and Customer Edge (CE) routers. The routing protocol most commonly deployed to establish the PE to CE peering is the Border Gateway Protocol (BGP). When BGP is utilized, each CE site functions as a separate BGP Autonomous System (AS). One of the challenges for organizations utilizing MPLS VPN services is the fact that they receive no routing visibility across the MPLS VPN service "cloud". BGP route analytics can help by providing multi-AS hop visibility and routing event analysis to understand how routing is working (or not!) across the MPLS VPN service.

This describes what the phone engineers had told me perfectly. The township building is the main hub, but should it go down our VoIP phones are "survivable" and can sustain themselves without the main hub.

With more specifics, even without travelling outside of the building, I am unable to ping the phone switch which has an IP of 192.168.200.7 and is a local connection we put on fa1. I feel like there's something obvious that I'm missing, perhaps an incorrectly set up vlan 200 or something else. The phone engineer was trying to set up a trunked interface with the MPLS, but we couldn't get dot1x to configure with trunking.

I'm going to do more research and try some different things to see what happens. I appreciate any responses.

Hi Michael,

Ok so we are not talking about PE to CE issues. We are now focusing on local VLAN issues.

It looks like your switch port needs to be set up with a Voice AND Data VLAN ---I.E. Trunk.

The Cisco VoIP phone is really a 2-port switch.

:

EX:

ROUTER-------CLOSET_SWITCH------TRUNK--(VLANS 6 & 7)------VoIP_Phone-------Access_VLAN--(VLAN 7)------PC

:

Router must support both VLANS if your CLOSET_SWITCH is not a Layer-3 switch.

Voice VLAN6, IP address . . .

Data VLAN7, IP address . . .

Regards

Frank
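
The layout in the reply above, written out as configuration. This is an added example, not part of the original thread and not posted by any participant; it assumes a Catalyst-style IOS closet switch, the port names shown, and documentation-range placeholder addresses, since the reply leaves the IP addresses unspecified.

```cisco
! ---- CLOSET_SWITCH (assumed Layer-2 Catalyst-style switch) ----
vlan 6
 name VOICE
vlan 7
 name DATA
!
! Port facing the phone: untagged data VLAN for the PC behind the phone,
! tagged voice VLAN for the phone itself
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 7
 switchport voice vlan 6
!
! Uplink to the router: carry only the two VLANs that are needed
! (on platforms that also support ISL, set
!  "switchport trunk encapsulation dot1q" first)
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 6,7
!
! ---- ROUTER (integrated switch ports, routing done on SVIs) ----
vlan 6
 name VOICE
vlan 7
 name DATA
!
interface FastEthernet0
 switchport mode trunk
!
! Placeholder gateway addresses (RFC 5737 documentation ranges)
interface Vlan6
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan7
 ip address 198.51.100.1 255.255.255.0
```

`show interfaces trunk` on the switch and `show vlan-switch` on the router confirm which VLANs are actually carried on the uplink.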

Can you provide a diagram of this setup? Also, elaborate on this statement a bit: "We run a network with a cable internet WAN connection, this connection is DHCP, however we have a static IP through our ISP. We also have a block of 30 additional IP addresses for one to one mapping as we need them"

Your FA4 is set up with DHCP, not Static.

There are no phones on the network at this time. Only backbone equipment. I'm not at the building right now, but I will be in a few hours. Here's a rough layout:

The Mitel and Adtran equipment were configured by the phone company and their addressing information was provided to me. If I am plugged directly into the Adtran with a laptop I am able to ping the gateways at other buildings in the township, however once plugged into the 881, I am unable to ping those same gateways from the router. All traffic on the 200 network is to be going through the Adtran to reach the main hub at the township building, NOT the WAN port. All of the phones will be plugging into the Mitel Phone switch. The phones are Mitel brand as well.

To the previous poster, the ISP has me set the router to DHCP, however they have assigned us a static IP address. I believe they MAC lock the address to our router.

Thank you for the picture. It would be cool to have the IP addressing listed on the network equipment too, and the ports things are connected to. Where is the Mitel Phone switch connected to? Router or the DLink switch? If it is connected to the Router's fa2 port and you plug your laptop into the Mitel Phone switch and are able to ping other 192.168.200.x devices, we know that works.

Now if you plug your laptop to the DLINK switch and get on the 192.168.51.x network you are unable to ping the 192.168.200.x devices as well as other networks?

I've actually made some headway. Firstly, I've discovered that the phone company installed patch cables where I believe there should have been crossover cables. Secondly, I've discovered I was given the wrong VLAN to use, and the proper VLAN is 141. sh span vlan 141 now shows:

VLAN141 is executing the ieee compatible Spanning Tree protocol

  Bridge Identifier has priority 32768, address fc99.470d.8834

  Configured hello time 2, max age 20, forward delay 15

  We are the root of the spanning tree

  Topology change flag not set, detected flag not set

  Number of topology changes 2 last change occurred 01:27:58 ago

          from FastEthernet1

  Times:  hold 1, topology change 35, notification 2

          hello 2, max age 20, forward delay 15

  Timers: hello 0, topology change 0, notification 0, aging 300

Port 3 (FastEthernet2) of VLAN141 is forwarding

   Port path cost 19, Port priority 128, Port Identifier 128.3.

   Designated root has priority 32768, address fc99.470d.8834

   Designated bridge has priority 32768, address fc99.470d.8834

   Designated port id is 128.3, designated path cost 0

   Timers: message age 0, forward delay 0, hold 0

   Number of transitions to forwarding state: 1

   BPDU: sent 5371, received 2687

I'm still unable to ping other units that are offsite while plugged into the Mitel switch, or the router. I am still able to ping while connected directly to the Adtran MPLS. The show arp command only yields the VLAN's ip address as the only assigned IP in the .200 network.

Progress, but things still aren't working. I'm going to try and see if the phone engineers have any ideas if they come in tomorrow.
