Cisco 2612 Point to point-- can't get traffic/in out 4

[ITlackey]

With apologies for what is most likely a simple solution.

I have set up a t1 point to point connection to be used to link two plants together, bridging 2 subnets (192.168.0.0 & 192.168.1.0). I have configured the routes to run statically routed and filtered using a route map set up, and a access list configured. I can ping all four interfaces from either machine (both ethernet interfaces on either end and both serial interfaces), but cannot get traffic outside the router (e.g. 192.168.1.253 is unreachable). I am just not seeing what else needs to be done.

Any suggestions of how to fix this/do this better would be most helpful. See configuration below (less passwords):

Current configuration:
!
version 12.0
service config
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname plant2
!
!
!
!
!
!
ip subnet-zero
!
cns event-service server
!
!
--More--  !
process-max-time 200
!
interface Ethernet0/0
description ethernet interface plant 2
ip address 192.168.1.254 255.255.255.0
no ip directed-broadcast
ip route-cache policy
ip policy route-map toplant1
no cdp enable
no mop enabled
!
interface Serial0/0
description pt-pt t1
ip address 172.16.216.3 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
service-module t1 clock source internal
!
interface TokenRing0/0
no ip address
no ip directed-broadcast
shutdown
--More--   ring-speed 16
no cdp enable
!
router rip
redistribute connected
network 172.16.0.0
network 192.168.1.0
distribute-list 12 out Ethernet0/0
distribute-list 12 in Ethernet0/0
distribute-list 12 out Serial0/0
distribute-list 12 in Serial0/0
!
ip classless
ip route 172.16.216.0 255.255.255.0 Ethernet0/0
ip route 192.168.0.0 255.255.255.0 172.16.216.2
ip route 192.168.1.0 255.255.255.0 Ethernet0/0
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.1.0
access-list 10 permit any
access-list 11 permit 192.168.0.0
access-list 11 permit any
access-list 12 permit 172.16.216.0
access-list 12 permit any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map toplant1 permit 10
match ip address 1
set ip next-hop 172.16.216.2
!
route-map toplant1 permit 20
match ip address 2
set interface Ethernet0/0
!
!
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4

login
!
end

plant2#

 

[robertjo24]

As far as my limited understanding goes, I think this would be correct:
With a point to point linking two subnets with static routs, you don’t need RIP.

Your static route “ip route 172.16.216.0 255.255.255.0 Ethernet0/0” says to get to the 172.16.216.0 network to go through the E0/0 interface. Since the two routers are connected on the S0/0 interface at 172.16.216.2 & .3, the routers see this as a connected interface and therefore should not require a route statement. And even if it did, you are routing to the wrong interface E0/0.

This static route is required “ip route 192.168.0.0 255.255.255.0 172.16.216.2”.

This static route “ip route 192.168.1.0 255.255.255.0 Ethernet0/0”, is redundant as this is a connected interface on the router.

I don't think your ACL's are buying you anything either.

 

[ITlackey]

thanks robertjo. this reflects my understanding as well. I put in the extra static routes more or less out of desparation just to be sure that any traffic would have somewhere to go. Would any of these problems getting in my way (e.g. having two routing protocols) or can these co-exist?

 

[lambent]

distribute-list 12 out Ethernet0/0
distribute-list 12 in Ethernet0/0
distribute-list 12 out Serial0/0
distribute-list 12 in Serial0/0
!
access-list 12 permit 172.16.216.0
access-list 12 permit any
!

You can totally remove the above configurations as they do nothing but just advertise everything in and out to e0/0 and s0/0 as you got a "permit any" in access-list 12.

If you run RIP, you can remove all the static routes actually. Also you better add the following commands in the "router rip":

!
router rip
version 2
no auto-summary
neighbor 172.16.216.2
!

Use "neightbor" to force RIP to use unicase update as there's no point to use broadcast on a ptp link.

And at this point you don't really need "redistribute connected".

Also I can see you got a policy routing "ip policy route-map toplant1" in e0/0. Remove it...make the network and configuration as simple as possible.

Make sure the other router has similar RIP configuration. I assume you'll have the following minimum configuration in the other router:

interface Ethernet0/0
description ethernet interface plant 2
ip address 192.168.0.254 255.255.255.0
!
interface Serial0/0
description pt-pt t1
ip address 172.16.216.2 255.255.255.0
!
router rip
version 2
no auto-summary
network 172.16.0.0
network 192.168.0.0
neighbor 172.16.216.2
!

 

[JOAMON]

Ethernet 0/0
delete route-map
ip nat inside

serial 0/0
encapsulation ppp
ip nat inside


only router needed
ip route 192.168.0.0 255.255.255.0 172.16.216.2

router rip
version 2
no auto-summary
network 172.16.0.0
network 192.168.0.0

 

[lambent]

hmmmmm I don't understand why we need to use "ip nat inside" in both interfaces and the static route when RIP will advertise the networks.

 

[ITlackey]

OK thanks for all the tips. Unfortunately, so far no dice.

Lambent, I followed your advice, and it yielded the same results. just to be clear, I can ping on every router interface traffic in the chain, but I cannot pass traffic outside the router (e.g. to a computer connected to either router) yet, I can telnet into each router from either subnet (so no IP addressing problems so far as I can tell).

a couple questions:

1) I am using HLDC as a serial line protocol. Could this do it?
2) Is there a lockout that I am missing?
3) could there be a hardware issue? These are refurbished routers, and I have no reason to suspect this, yet it is a possibility, unlikely as it is.

What I ultimately want is to use the as a hub and spoke system where all outbound traffic from the far router gets transported to our main plant, passed to the appropriate desitination or out to the internet (you'll see a zero 0.0.0.0 route in the far router config attempting to account for this). I have also tried EIGRP with a stub configuration, but unfortunately IOS and budget does not allow that to work (stub is only support in 12.0 (22) or something like that. I am runnnig 12.0 on one router and 11.3 on the other). I also tried to use static routes only to do this. Again, nothing doing.

Further, I should say, the routing is working. When I trace a patch to an address on the opposite subnet, it immediately outputs the appropriate address of the serial interface (.2 going toward plant 1, .3 going toward plant 2). However, it does not cross into the opposite subnet; it just stops and times out eventually. this is my primary concern. It an almost but not quite. truely agrevating.

Your help is most graciously received in this case as I am at my wit's end with this lot. See configs below

thanks

itlackey

Plant 1 configuration

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname plant1
!
enable secret 5 *********************
enable password ********
!
!
!
!
!
ip subnet-zero
!
cns event-service server
!
!
!
process-max-time 200
!
interface Ethernet0/0
ip address 192.168.0.254 255.255.255.0
no ip directed-broadcast
!
interface Serial0/0
description t1 pt to pt plant 2
ip address 172.16.216.2 255.255.255.0
ip directed-broadcast
!
interface TokenRing0/0
no ip address
no ip directed-broadcast
shutdown
ring-speed 16
!
router rip
version 2
network 172.16.0.0
network 192.168.0.0
neighbor 172.16.216.3
no auto-summary
!
no ip classless
no ip http server
!
!
snmp-server engineID local 00000009020000B064B1BC20
snmp-server community public RO
!
line con 0
transport input none
line aux 0
line vty 0 4
password ************
login
!
!
end

Plant 2 configuration

version 12.0
service config
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname plant2
!
enable secret 5 **************************
enable password ************
!
!
!
!
!
no ip subnet-zero
!
cns event-service server
!
!
!
process-max-time 200
!
interface Ethernet0/0
description ethernet interface plant 2
ip address 192.168.1.254 255.255.255.0
ip directed-broadcast
!
interface Serial0/0
description pt-pt t1
ip address 172.16.216.3 255.255.255.0
ip directed-broadcast
service-module t1 clock source internal
!
interface TokenRing0/0
no ip address
no ip directed-broadcast
shutdown
ring-speed 16
no cdp enable
!
router rip
version 2
network 172.16.0.0
network 192.168.1.0
neighbor 172.16.216.2
no auto-summary
!
no ip classless
no ip http server
!
!
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password ****
login
!
!
end

 

[JOAMON]

Your right...no ip nat inside needed. I think you need to use PPP instead of HDLC though. Aslo.....did you do a show IP route to see if rip is advertising properly?

 

[ITlackey]

Yes and it is. WHich is why this is so infuriating.

 

[JOAMON]

Can you post output from "show ip route"

 

[ITlackey]

Sure. I tried PPP. No help there.

Here is Plant 2 ip route. I just noticed that this interface (somehow) has 2 subnets for serial 0/0-- /24 & /32. How do I get rid of this second subnet? Could that be the issue?

Here's plant 2 show ip route

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.216.0/24 is directly connected, Serial0/0
C 172.16.216.2/32 is directly connected, Serial0/0
R 192.168.0.0/24 [120/1] via 172.16.216.2, 00:00:14, Serial0/0
C 192.168.1.0/24 is directly connected, Ethernet0/0

Here's plant 1 show IP route

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.216.0/24 is directly connected, Serial0/0
C 172.16.216.3/32 is directly connected, Serial0/0
C 192.168.0.0/24 is directly connected, Ethernet0/0
R 192.168.1.0/24 [120/1] via 172.16.216.3, 00:00:07, Serial0/0

thanks for the help

 

[JOAMON]

OK...if you can ping the interface but nothing beyond then it would appear to be a problem in the network environment. Have you done any traceroutes from the PC's to see where it is dying? Also 2612 ethernet is old 10Baase-T half duplex ethernet port. If connecting to a Cisco switch then set switch port to 10 full and change interface to full as well. Post the output from "show interface" and see if there are any errors on the interfaces.

 

[lambent]

Say you ping from Plant 1 PC to Plant 2 PC and fail, but success for ping from Plant 1 PC to interfaces in Plant 1 router and Plant 2 router.

Did you try to ping from Plant 2 PC to interfaces in routers?

 

[ITlackey]

I actually have not tried that particularly, and have been primarily working on pings through the IOS interfaces. I did this because there is an existing link opperating here (and hence the PC would try that route) (a too slow too unstable VPN linkup that is simply not keeping up with demand, and unfortunately, we are rurual enough not to be able to get good bandwidth at our other plant) and not tell me anything about the link. I have tried, though, explicitly routing traffic trough the routers from the outside and that did not work either (I disabled the VPN and re-routed through our gateway firewall). Trying to set this up without disrupting the current set up is somewhat exasperating the situation. However, I can ping from the router to PC addresses on their respective subnets, but not across.

Unfortunately, all of this is on hold for the time being as I reset one of the routers lsat night and have been getting a flash error ever since-- will not even load IOS. I am working with a vendor on this. I will post again when things are running.

thanks as always for the help.

 

[ITlackey]

Here, by the way is the show interfaces of the operable router :

Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 00b0.64f3.5aa0 (bia 00b0.64f3.5aa0)
Description: ethernet interface plant 2
Internet address is 192.168.1.254/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 2/75, 0 drops
5 minute input rate 3000 bits/sec, 4 packets/sec
5 minute output rate 1000 bits/sec, 2 packets/sec
46984 packets input, 5021658 bytes, 0 no buffer
Received 46534 broadcasts, 0 runts, 0 giants, 0 throttles
2 input errors, 0 CRC, 0 frame, 0 overrun, 2 ignored
0 input packets with dribble condition detected
10121 packets output, 903155 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 1 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Serial0/0 is down, line protocol is down
Hardware is PQUICC with Fractional T1 CSU/DSU
Description: pt-pt t1
Internet address is 172.16.216.3/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 14 interface resets
0 output buffer failures, 0 output buffers swapped out

 

[lambent]

Serial0/0 is down, line protocol is down

-___-

 

[ITlackey]

I realize that. the last post capture was taken while one of the routers was off-line and hence, down. When I came in Friday morning, the plant 1 router was out of comission. It turned out that the IOS had disappeared entirely. I got it reloaded, and tried the most reccent suggestions, with the same results. I am starting to suspect a hardware issue-- especially since this makes so little sense. Any other suggestions of how to test this or other possible problems that could account for this.

By the way, I should mention that I can telnet through the t1 to the router on the far end and it goes right through. I will post again on Monday.

 

[plshlpme]

a caouple things i see....

i would change your point to point serial links subnetmask from 255.255.255.0 to 255.255.255.252 to make it a true point to point

and the big one

no ip classless but you are subnetting a class B address for your wan link.
i would add ip classless to your config there is no point in using a classless routing protocol when youve turned off classless routing in the router.

and after that can you post up your configs again..

the only other thing that i was wondering is if any of these sites are using the internet? and if so is the internet being provided at both sites or just at siteA ? because you will need a default route at the stub site if it requires internet through site A.

 

[ITlackey]

OK. I have things put back together and I am trying a 252 subnet and added a ip classless notation on either end. Still no dice. I can use a PC to successfully ping the far ethernet interface, but no further. I am royally stumped here. Oh yea, I also added a static default route on the far router.

here are the configs:

Plant 1-----------------------------------------------------

Building configuration...

Current configuration : 915 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname plant1
!
enable secret 5 *********************
enable password ***********
!
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.0.254 255.255.255.0
half-duplex
!
interface Serial0/0
description pt-pt t1
ip address 172.16.216.1 255.255.255.252
ip directed-broadcast
no ip mroute-cache
!
interface TokenRing0/0
no ip address
shutdown
ring-speed 16
!
router rip
version 2
network 172.16.0.0
network 192.168.0.0
neighbor 172.16.216.2
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.216.2
no ip http server
ip pim bidir-enable
!
!
snmp-server engineID local 00000009020000B064B1BC20
snmp-server community public RO
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
password ***********
login
!
no scheduler allocate
end

Plant 2----------------------------------------------------

show running-config
Building configuration...

Current configuration : 948 bytes
!
version 12.2
service config
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname plant2
!
enable secret 5 **************
enable password ************
!
no ip subnet-zero
!
!
!
call rsvp-sync
cns event-service server
!
!
!
!
!
!
!
!
interface Ethernet0/0
description ethernet interface plant 2
ip address 192.168.1.254 255.255.255.0
ip directed-broadcast
half-duplex
!
interface Serial0/0
description pt-pt t1
ip address 172.16.216.2 255.255.255.252
ip directed-broadcast
service-module t1 clock source internal
!
interface TokenRing0/0
no ip address
shutdown
ring-speed 16
no cdp enable
!
router rip
version 2
network 172.16.0.0
network 192.168.1.0
neighbor 172.16.216.1
no auto-summary
!
no ip classless
no ip http server
ip pim bidir-enable
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password ************
login
!
end

plant2#

Let any suggestions are more thank welcome.

 

[JOAMON]

Give this a shot...if no results then remove:
on each serial and ethernet lan interface add:
ip nat inside