10-24-2012 01:12 PM - edited 03-07-2019 09:40 AM
Hi All. I recently set up a Cisco 881 to cover a small business network. The router is currently set up and working as expected. We recently decided to move to VoIP phones and here is where I'm running into some issues. Both the engineers from the phone company and myself are at a sort of loss as to how to solve this problem, and I figured I would see if the community had any ideas before pressing the issue further.
First an overview: We run a network with a cable internet WAN connection, this connection is DHCP, however we have a static IP through our ISP. We also have a block of 30 additional IP addresses for one to one mapping as we need them. The new VoIP system is being run over T1 lines throughout the township (we are a municipal organization) and the VoIP system is being run to about 5 buildings in the township.
This brings me to the topic of VLANs. As the phone engineer explained it to me, there is a network set up over the T1 that allows the VoIP equipment to talk to one another and operates all of the VoIP phones on one network. The equipment that is being installed at our building connects to the network over the T1 and "talks" to the other equipment on the network. The engineer wants to create a VLAN and run it on ports fa1 and fa2, with the fa2 port being connected to the actual "MPLS" (their term) that connects to the T1 and into the cloud, and the fa1 port connected to the internal phone switch.
TLDR; The problem is this: When we attempt to set up the VLAN on ports fa1 and fa2, we have no connectivity with the other units in the external VoIP cloud. Pinging while directly connected to the "MPLS" yields successful pings, while pinging from the router with the "MPLS" connected to fa2 yields failures. I'm at a loss for what to do next, short of having the phone company bring in someone else. I'm going to post the running config below, I feel like what we're doing should be working. I asked around about subinterfacing, but others seemed to think this was not necessary. Any ideas?
ROUTER CONFIG
Building configuration...
Current configuration : 4909 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.51.1 192.168.51.100
ip dhcp excluded-address 192.168.51.254
!
ip dhcp pool internal
import all
network 192.168.51.0 255.255.255.0
default-router 192.168.51.1
dns-server 192.168.51.5 8.8.8.8
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
username **********************************
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 200
no ip address
!
interface FastEthernet2
switchport access vlan 200
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.51.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan200
ip address 192.168.200.155 255.255.255.0
dot1x host-mode single-host
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 84600 requests 10000
!
ip nat pool webserver 24.229.79.161 24.229.79.161 prefix-length 27
ip nat inside source list 23 interface FastEthernet4 overload
ip nat inside source route-map mapWeb pool webserver overload
ip nat inside source static tcp 192.168.51.5 25 24.229.12.113 25 extendable
ip nat inside source static udp 192.168.51.5 47 24.229.12.113 47 extendable
ip nat inside source static tcp 192.168.51.5 80 24.229.12.113 80 extendable
ip nat inside source static tcp 192.168.51.5 110 24.229.12.113 110 extendable
ip nat inside source static tcp 192.168.51.5 443 24.229.12.113 443 extendable
ip nat inside source static udp 192.168.51.5 500 24.229.12.113 500 extendable
ip nat inside source static tcp 192.168.51.254 902 24.229.12.113 902 extendable
ip nat inside source static tcp 192.168.51.5 990 24.229.12.113 990 extendable
ip nat inside source static tcp 192.168.51.5 999 24.229.12.113 999 extendable
ip nat inside source static tcp 192.168.51.5 1723 24.229.12.113 1723 extendable
ip nat inside source static tcp 192.168.51.5 5678 24.229.12.113 5678 extendable
ip nat inside source static udp 192.168.51.5 5679 24.229.12.113 5679 extendable
ip nat inside source static tcp 192.168.51.5 5721 24.229.12.113 5721 extendable
ip nat inside source static tcp 192.168.51.5 26675 24.229.12.113 26675 extendable
ip nat inside source static tcp 192.168.51.25 21 24.229.79.161 21 extendable
ip nat inside source static tcp 192.168.51.25 80 24.229.79.161 80 extendable
ip nat inside source static tcp 192.168.51.25 3306 24.229.79.161 3306 extendable
!
ip access-list extended webserver
permit ip 0.0.0.25 255.255.255.0 any
!
access-list 23 permit 192.168.51.0 0.0.0.255
!
!
!
!
route-map mapWeb permit 10
match ip address webserver
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
end
10-24-2012 01:27 PM
Is this your issue, or have I missed completely?
PE3#ping 172.17.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.30.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PE3#ping vrf REG3 172.17.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
PE3#
10-24-2012 01:31 PM
Basically, yes. For example, connected directly to the VoIP box it is possible to ping other units in the VoIP cloud (192.168.200.2, 192.168.200.150, etc.); however, once connected to the fa2 port on the router it is no longer possible to ping or communicate with those units.
I'm actually not sure what the second command you typed was, however trying that did nothing on my end. It just tried to translate vrf as a domain name.
10-25-2012 06:25 AM
Michael,
If you are trying to ping a client from the PE router, you MUST specify the VRF keyword followed by the
In my case if I want to ping from the PE router to the CE router, I must use the VRF keyword followed by the VRF name, which is REG3; so ping vrf REG3
BTW, pinging from the CE to the PE does not require the VRF
HTH
Frank
10-25-2012 06:43 AM
I do remember that now, however I am definitely a "CE" router. I read this this morning:
MPLS VPN network services peer at Layer 3 with customer networks. The edge routers on either side of the Service Provider and Customer peering are respectively called Provider Edge (PE) and Customer Edge (CE) routers. The routing protocol most commonly deployed to establish the PE to CE peering is the Border Gateway Protocol (BGP). When BGP is utilized, each CE site functions as a separate BGP Autonomous System (AS). One of the challenges for organizations utilizing MPLS VPN services is the fact that they receive no routing visibility across the MPLS VPN service "cloud". BGP route analytics can help by providing multi-AS hop visibility and routing event analysis to understand how routing is working (or not!) across the MPLS VPN service.
This describes what the phone engineers had told me perfectly. The township building is the main hub, but should it go down our VoIP phones are "survivable" and can sustain themselves without the main hub.
With more specifics, even without travelling outside of the building, I am unable to ping the phone switch which has an IP of 192.168.200.7 and is a local connection we put on fa1. I feel like there's something obvious that I'm missing, perhaps an incorrectly set up vlan 200 or something else. The phone engineer was trying to set up a trunked interface with the MPLS, but we couldn't get dot1x to configure with trunking.
I'm going to do more research and try some different things to see what happens. I appreciate any responses.
10-25-2012 08:02 AM
Hi Michael,
Ok so we are not talking about PE to CE issues. We are now focusing on local VLAN issues.
It looks like your switch port needs to be set up with a Voice AND Data VLAN, i.e. a trunk.
The Cisco VoIP phone is really a 2-port switch.
:
EX:
ROUTER-------CLOSET_SWITCH------TRUNK--(VLANS 6 & 7)------VoIP_Phone-------Access_VLAN--(VLAN 7)------PC
:
Router must support both VLANS if your CLOSET_SWITCH is not a Layer-3 switch.
Voice VLAN6, IP address . . .
Data VLAN7, IP address . . .
Regards
Frank
10-25-2012 08:36 AM
Can you provide a diagram of this setup? Also elaborate on this statement a bit: "We run a network with a cable internet WAN connection, this connection is DHCP, however we have a static IP through our ISP. We also have a block of 30 additional IP addresses for one to one mapping as we need them"
Your FA4 is set up with DHCP, not static.
10-25-2012 08:42 AM
There are no phones on the network at this time. Only backbone equipment. I'm not at the building right now, but I will be in a few hours. Here's a rough layout:
The Mitel and Adtran equipment were configured by the phone company and their addressing information was provided to me. If I am plugged directly into the Adtran with a laptop I am able to ping the gateways at other buildings in the township, however once plugged into the 881, I am unable to ping those same gateways from the router. All traffic on the 200 network is to be going through the Adtran to reach the main hub at the township building, NOT the WAN port. All of the phones will be plugging into the Mitel Phone switch. The phones are Mitel brand as well.
10-25-2012 08:44 AM
To the previous poster, the ISP has me set the router to DHCP, however they have assigned us a static IP address. I believe they MAC lock the address to our router.
10-25-2012 01:01 PM
Thank you for the picture. It would be cool to have the IP addressing listed on the network equipment too, and the ports things are connected to. Where is the Mitel phone switch connected? Router or the DLink switch? If it is connected to the router's fa2 port and you plug your laptop into the Mitel phone switch and are able to ping other 192.168.200.x devices, we know that works.
Now if you plug your laptop to the DLINK switch and get on the 192.168.51.x network you are unable to ping the 192.168.200.x devices as well as other networks?
10-25-2012 06:22 PM
I've actually made some headway. Firstly, I've discovered that the phone company installed patch cables where I believe there should have been crossover cables. Secondly, I've discovered I was given the wrong VLAN to use; the proper VLAN is 141. sh span vlan 141 now shows:
VLAN141 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address fc99.470d.8834
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 2 last change occurred 01:27:58 ago
from FastEthernet1
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300
Port 3 (FastEthernet2) of VLAN141 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
Designated root has priority 32768, address fc99.470d.8834
Designated bridge has priority 32768, address fc99.470d.8834
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 5371, received 2687
I'm still unable to ping other units that are offsite while plugged into the Mitel switch, or the router. I am still able to ping while connected directly to the Adtran MPLS. The show arp command only yields the VLAN's ip address as the only assigned IP in the .200 network.
Progress, but things still aren't working. I'm going to try and see if the phone engineers have any ideas if they come in tomorrow.
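A consistency check for the VLAN change described in this thread, as an added example that is not part of any post: it parses IOS interface stanzas and reports access VLANs that have no matching SVI and SVIs that have no access port. The sample input is constructed from the posted config and assumes fa1/fa2 were moved to VLAN 141 while interface Vlan200 was left in place; the thread does not show the updated config, and trunk ports are not handled.

```python
# Constructed excerpt: interface stanzas from the posted config, but with
# fa1/fa2 moved to VLAN 141 (assumption; the updated config is never shown).
SAMPLE = """\
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 141
!
interface FastEthernet2
 switchport access vlan 141
!
interface FastEthernet4
 ip address dhcp
!
interface Vlan1
 ip address 192.168.51.1 255.255.255.0
!
interface Vlan200
 ip address 192.168.200.155 255.255.255.0
"""

def check(config):
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # also copes with configs pasted without indentation
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], {})
        elif line == "!":
            cur = None
        elif cur is not None and line.startswith("switchport access vlan "):
            cur["vlan"] = int(line.split()[-1])
        elif cur is not None and line.startswith("ip address "):
            cur["ip"] = line.split()[2]
    ports, svis = {}, {}
    for name, cfg in ifaces.items():
        if name.startswith("Vlan"):
            svis[int(name[4:])] = cfg.get("ip")
        elif "ip" not in cfg:  # switch port, default VLAN 1; routed ports carry an IP
            ports.setdefault(cfg.get("vlan", 1), []).append(name)
    out = [f"VLAN {v}: {', '.join(ports[v])} assigned, but no interface Vlan{v}"
           for v in sorted(set(ports) - set(svis))]
    out += [f"Vlan{v} ({svis[v]}): no access port assigned to VLAN {v}"
            for v in sorted(set(svis) - set(ports))]
    return out
```

Run against the stanzas exactly as first posted (both ports in VLAN 200), `check` returns an empty list.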