Need help configuring router! HELP!!!

Status
Not open for further replies.

paradoxwd (Programmer; joined May 25, 2002; 24 messages; US)

Hey,

Where I work we recently got two t1 lines and had someone, who really didn't know how, configure our Cisco 3640 router. No one in our office really knows how to configure routers either, so during attempts to improve the performance of the configuration, we probably screwed it up a bit more.

BGP is working fine, but only 1 of our t1 lines seems to be doing all the work. The other line is barely doing anything at all. Download speeds are much lower than they should be and pings are all over the place. Not only are we running web servers and file servers, but we are also attempting to run a game server. Clients who connect to the game server have a good ping most of the time, but it continually spikes from 30 to 200 almost every second, making playing impossible.

One of the lines was originally frame-relay, and was configured that way in the router. However, we had it switched to point-to-point, but every time I try to set encapsulation to ppp on that interface, the line protocol goes down and does not come back up. If anyone can help me at all, it would be truly appreciated.

Our running config is as follows:

version 12.2
service timestamps debug uptime
service timestamps log uptime
!
hostname Router
!
enable secret 5
!
ip subnet-zero
ip cef
!
!
ip domain-name alter.net
ip name-server 198.6.1.122
ip name-server 198.6.1.142
ip name-server 66.115.51.2
ip name-server 65.212.126.2
!
ip audit notify log
ip audit po max-events 100
!
!
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Serial0/0
 description to UUNet u88932
 bandwidth 1536
 ip address 63.122.229.10 255.255.255.252
 encapsulation frame-relay IETF
 no ip mroute-cache
!
interface Ethernet0/1
 no ip address
 ip load-sharing per-packet
 shutdown
 half-duplex
!
interface Serial0/1
 description ciberlynx line
 bandwidth 1536
 ip address 216.242.227.198 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 no fair-queue
!
interface FastEthernet1/0
 ip address 65.212.126.1 255.255.255.0 secondary
 ip address 66.115.51.1 255.255.255.0 secondary
 ip address 216.242.60.161 255.255.255.224
 speed auto
 full-duplex
!
router bgp 23325
 no synchronization
 bgp log-neighbor-changes
 network 65.212.126.0 mask 255.255.255.0
 network 66.115.51.0 mask 255.255.255.0
 neighbor 63.122.229.9 remote-as 701
 neighbor 63.122.229.9 version 4
 neighbor 63.122.229.9 soft-reconfiguration inbound
 neighbor 63.122.229.9 distribute-list 1 out
 neighbor 216.242.227.197 remote-as 13488
 neighbor 216.242.227.197 version 4
 neighbor 216.242.227.197 soft-reconfiguration inbound
 neighbor 216.242.227.197 distribute-list 1 out
 maximum-paths 2
!
ip classless
ip route 0.0.0.0 0.0.0.0 216.242.227.197
ip route 65.212.126.0 255.255.255.0 Null0
ip route 66.115.51.0 255.255.255.0 Null0
ip route 216.242.60.160 255.255.255.224 Null0
ip http server
ip pim bidir-enable
!
access-list 1 permit 66.115.51.0 0.0.0.255
access-list 1 permit 65.212.126.0 0.0.0.255
access-list 1 deny any
!
line con 0
 password
 login
line aux 0
line vty 0 4
 password
 login
!
end

Again, any assistance at all will be truly appreciated. Thank you for your time and patience.
 
A few things jump out..

You said first you had frame then went to point to point? What I suspect you really did is went to a point to point frame link.. not PPP protocol. So you would have a DLCI mapped to the interface and the type of interface would be point to point. Encapsulation would still be frame-relay, not PPP. If you want to *support* PPP over frame relay, that is doable. You still config the FR like any other time but you add a few lines like below:
!
interface serial 2
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface serial 2.1 point-to-point
 frame-relay interface-dlci 32 ppp virtual-template1
!
interface Virtual-Template1
 ip unnumbered ethernet 0
 ppp authentication chap pap

See this link from Cisco for more info:


Possible problem two is the default gateway of 0.0.0.0 pointing to the 216.242.227.197 address. That hardwires the output to that interface unless it has a known route in the route tables. Unless you tell the router there are TWO default routes, it has no idea about the 2nd port that can be used as a default route. But, then you need to set the preference of BGP to one or the other. Have you looked at the BGP route tables yet?

When you say the pings go all over the place, what exactly happens? Also, have you run a traceroute? This will provide better information on what is actually happening on the routes.. like if you see the traceroute hitting BOTH serial interfaces on the way out, you might want to take a look at why. Sometimes it's a good thing to have round robin packets but other times it can cause havoc.

How is the router getting local route information? This is not the default gateway for local machines is it? BGP won't pick up routes locally until they are redistributed from an IGP like OSPF or EIGRP.

You might want to consider policy routing to spread the love across the two interfaces. Or even static routes where certain ranges go to one interface and others go out the 2nd. Then have floating statics reversing it so if one serial drops offline, the packets will still make it out.

I'm sure others here will add to the list of possibilities and things to check.

BTW- having HTTP enabled on this router is a rather large security risk. You might want to consider disabling it.

MikeS
Find me at
"The trouble with giving up civil rights is that you never get them back"
 
Post your results from the following commands:
show frame-relay pvc
show frame-relay map
debug frame-relay lmi
This will tell me if the DLCIs are correct.

Route once; switch many
 
Hey,

First of all I'd just like to say thanks for replying. When I tried to setup the ppp over Frame-relay it was accepted and the line was up, however, it was not getting any traffic. I think it was because I didn't know how to setup the virtual template. I was supposed to add the:
ip address 63.122.229.10 255.255.255.252
line to the sub-interface of serial 0/0 right? I temporarily set the sub-interface to use IETF instead of ppp, just so that it works.

So how do I go about telling the router there are two default routes and that it should prefer one or the other in bgp? Something I noticed, in both the BGP neighbor settings and the default route, it specifies 216.242.227.197, when the serial 1/0 interface uses ip 216.242.227.198, is this right?

Pings don't stay steady, they jump and spike like crazy. Most of the time, from home, when I connect to the game server my ping is around 30. However, it's constantly spiking to 200 and randomly hitting all values in between (40, 70, 90, 150, etc).

Traceroute to yahoo.com from router:
Tracing the route to yahoo.com (66.218.71.113)

1 72.ATM1-0.GW1.MIA4.ALTER.NET (63.122.229.9) [AS 701] 220 msec 220 msec 212 msec
2 154.at-5-0-0.XR2.MIA4.ALTER.NET (146.188.233.166) [AS 701] 212 msec 236 msec 236 msec
3 0.so-4-2-0.XL2.MIA4.ALTER.NET (152.63.101.46) [AS 701] 232 msec 204 msec 212 msec
4 0.so-7-0-0.XL4.ATL5.ALTER.NET (152.63.85.194) [AS 701] 220 msec 220 msec 228 msec
5 192.ATM4-0.BR3.ATL5.ALTER.NET (152.63.82.217) [AS 701] 224 msec 212 msec 220 msec
6 atm2-0-1.core1.Atlanta1.Level3.net (209.0.227.161) [AS 3356] 228 msec 216 msec 200 msec
7 so-4-0-0.mp1.Atlanta1.Level3.net (64.159.3.62) [AS 3356] 220 msec 40 msec 40 msec
8 so-2-0-0.mp1.SanJose1.Level3.net (209.247.9.114) [AS 3356] 80 msec 76 msec 80 msec
9 gige9-0.ipcolo4.SanJose1.Level3.net (64.159.2.10) [AS 3356] 92 msec 84 msec 84 msec
10 cust-int.level3.net (64.152.81.62) [AS 3356] 88 msec * 84 msec
11 ge-1-2-0.msr2.pao.yahoo.com (216.115.100.154) [AS 10310] 80 msec
ge-1-3-0.msr1.pao.yahoo.com (216.115.100.150) [AS 10310] 80 msec *
12 vl11.bas2.scd.yahoo.com (66.218.64.138) [AS 10310] 80 msec 80 msec
vl10.bas1.scd.yahoo.com (66.218.64.134) [AS 10310] 88 msec
13 yahoo.com (66.218.71.113) [AS 10310] 100 msec 120 msec 84 msec

From one of the servers behind the router:
Tracing route to 66.218.71.113 over a maximum of 30 hops

1 60 ms 200 ms <10 ms 216.242.60.161
2 20 ms 10 ms 20 ms 63.122.229.9
3 10 ms 10 ms 10 ms 146.188.233.162
4 <10 ms <10 ms 10 ms 152.63.101.42
5 20 ms 30 ms 40 ms 152.63.85.190
6 20 ms 40 ms 30 ms 152.63.82.213
7 60 ms 50 ms 60 ms 209.0.227.161
8 40 ms 40 ms 40 ms 64.159.3.62
9 90 ms 90 ms 91 ms 209.247.9.114
10 81 ms 80 ms 80 ms 64.159.2.10
11 80 ms 80 ms 70 ms 64.152.69.18
12 81 ms 80 ms 80 ms 216.115.100.150
13 70 ms 80 ms 80 ms 66.218.64.146
14 91 ms 90 ms 90 ms 66.218.71.113

If I understand you correctly, then yes, the router is the default gateway for I/O in our local network. In case I didn't understand correctly, maybe an ip config from one of our servers will help:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : paradox
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter (PILA8470B) #2
Physical Address. . . . . . . . . : 00-30-48-51-12-6D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 65.212.126.253
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 66.212.126.1
DNS Servers . . . . . . . . . . . : 65.212.126.2
66.115.51.2

and here are the results from the requested commands:

show frame-relay pvc
PVC Statistics for interface Serial0/0 (Frame Relay DTE)

Active Inactive Deleted Static
Local 1 0 0 0
Switched 0 0 0 0
Unused 0 0 0 0

DLCI = 500, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0.1

input pkts 272314 output pkts 455947 in bytes 32624565
out bytes 319652550 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 40 out bcast bytes 11760
pvc create time 00:37:28, last time pvc status changed 00:37:28

show frame-relay map
Serial0/0.1 (up): point-to-point dlci, dlci 500(0x1F4,0x7C40), broadcast, IETF
status defined, active

show frame-relay lmi
LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = ANSI
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 2352 Num Status msgs Rcvd 2361
Num Update Status Rcvd 0 Num Status Timeouts 1

Thank you again for all your time and patience.
 
Why try to reverse-engineer this? You need to call both isp's and confirm how they're configured on their end to be sure your setup complies. Have them email you a copy of how their interfaces are configured...<they shouldn't have a problem doing this>. The "maximum-paths" <load balancing> statement in your config may also affect performance since this was not meant to be used when running bgp w/ 2 isp's <multihomed>. With your setup, you'll need to go w/ load sharing instead. Getting your interfaces properly configured then tweaking your bgp statements will make troubleshooting easier.
 
Another question, why are you running BGP on a 3640? Having routes for the entire internet on a box like that is kinda overdoing it. You need more power.. Have you checked processor utilization?

BuckWeet
 
I agree, is there some reason you are running bgp? You really should not be using it. Also, your access lists are not applied to any interface.
 
The ACL is applied.. it's an outbound distribution list.. better known as route filtering.
::snip::
neighbor 216.242.227.197 distribute-list 1 out
::snip::

The neighbor gets the two specified networks and the rest are denied.

BGP is run on 3600s often. It's not recommended though to run BGP AND use the router as your default gateway as such is the case here. What is worse is that if this router is the default gateway, where is the firewall? Also, many ISPs will not connect a site via BGP since a broken BGP configuration can cause havoc across the network. Most times the ISP will connect to your network via OSPF or some other routing protocol.

I'm not saying any of this is absolute but it is common and there are exceptions to virtually everything. I agree with getting in contact with the ISP and let them hash through the config. If they can't or won't, I would seriously consider finding another ISP that understands what the concept of *support* is. Personally I would be surprised if the ISP doesn't help.. it's in their best interest to make the BGP work properly.

MikeS

Find me at
"The trouble with giving up civil rights is that you never get them back"
 
moetech,
The access-list is a bgp filter as far as I can make out.
It's really not interface specific.
 
My mistake, I missed that on your config.
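
The outbound route filter discussed in the last few posts, worked through as an added example (not code from any poster): it evaluates the thread's access-list 1 the way a standard ACL in a BGP distribute-list is matched, on the network address only. The candidate list mixes the three LAN blocks from the posted config with constructed routes; the function names are this example's own.

```python
import ipaddress

# access-list 1 as posted in the thread: (action, address, wildcard mask).
ACL_1 = [
    ("permit", "66.115.51.0", "0.0.0.255"),
    ("permit", "65.212.126.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),  # "deny any"
]

def acl_action(acl, address):
    """First-match evaluation of a standard ACL against one address.

    A wildcard bit of 1 means "don't care". When no entry matches, the
    implicit deny at the end of every ACL applies.
    """
    addr = int(ipaddress.IPv4Address(address))
    for action, base, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(base)) & care:
            return action
    return "deny"

def advertised(acl, prefixes):
    """Prefixes that pass 'neighbor ... distribute-list <acl> out'.

    Only the network address is compared with the ACL, so the prefix
    length of the route is never checked.
    """
    passed = []
    for prefix in prefixes:
        network = ipaddress.ip_network(prefix).network_address
        if acl_action(acl, str(network)) == "permit":
            passed.append(prefix)
    return passed

# First three: the LAN blocks on FastEthernet1/0 in the posted config.
# Last three are constructed: a default route, a stand-in for a route
# learned from the other ISP, and a more-specific of one LAN block.
CANDIDATES = [
    "65.212.126.0/24", "66.115.51.0/24", "216.242.60.160/27",
    "0.0.0.0/0", "198.51.100.0/24", "65.212.126.128/25",
]

if __name__ == "__main__":
    print(advertised(ACL_1, CANDIDATES))
```

The two /24s pass and everything else, including the /27 and anything learned from the other ISP, is filtered, so the router does not offer itself as transit between the two providers. The constructed /25 also passes because a standard ACL never checks prefix length, which an `ip prefix-list` with exact lengths would.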
 
We have a watchdog.. but lol, it's not configured properly, so it's not currently activated. We have someone coming down to configure it for us.
 
Jeez.
You guys need to hire someone to get in there at least PT and make sure that things run smoothly and that your security is a little tighter than what you are talking about.

Synopsis:
You have given a lot of unknown people a lot of information including an internal server address, dhcp, dns server addresses, router addresses, AND the fact that you have no firewall..this is frightening to me.
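
A small check for the management-plane settings behind MikeS's remark about `ip http server` and the concern in the post above, added here as an example and not part of the thread. It runs over the relevant lines of the posted config; the finding names and the three checks beyond the HTTP server (cleartext line passwords, vty source restriction, Telnet on the vty lines) are this example's assumptions about what to look for.

```python
import re

# Management-plane lines from the running config posted in this thread,
# flattened as on the page (the poster had already blanked the secrets).
POSTED = """\
enable secret 5
ip http server
line con 0
password
login
line aux 0
line vty 0 4
password
login
!
end
"""

def line_blocks(text):
    """Return (header, sub-commands) for each 'line ...' block, indented or flat."""
    blocks, current = [], None
    for cmd in (raw.strip() for raw in text.splitlines()):
        if cmd.startswith("line "):
            current = (cmd, [])
            blocks.append(current)
        elif cmd in ("!", "end", ""):
            current = None          # separator closes the block
        elif current is not None:
            current[1].append(cmd)
    return blocks

def audit(text):
    """Return sorted finding names for management-plane exposure."""
    cmds = {raw.strip() for raw in text.splitlines()}
    found = set()
    # The point raised in the thread: the built-in web server is on.
    if "ip http server" in cmds:
        found.add("http-server-enabled")
    # Without this, line passwords sit in the config as plain text
    # (with it they are only obfuscated, which still beats cleartext).
    if "service password-encryption" not in cmds:
        found.add("line-passwords-cleartext")
    for head, body in line_blocks(text):
        if not head.startswith("line vty"):
            continue
        if not any(re.fullmatch(r"access-class \S+ in", c) for c in body):
            found.add("vty-open-to-any-source")
        if "transport input ssh" not in body:
            found.add("vty-allows-telnet")
    return sorted(found)

if __name__ == "__main__":
    print(audit(POSTED))
```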
 
Well like I said, someone is coming down to configure the watchdog... which is why I don't mind too much about revealing ip addresses.
 
I've been told that the only real way to balance two lines from separate providers is to use access lists to specify that certain ips use certain interfaces. In order to do this don't I have to deny ips of one line access on the other interface? If so, doesn't that defeat the purpose of BGP? If one line goes down, the other line is supposed to pick up the ip address so that important websites and servers don't lose their connection to the net. However, if an ip address of the line that is down comes across the other line it would be denied access, and therefore the website/server would be down. Correct? Or is there some other way to configure this so that it will work correctly?
 
You use metrics so that one interface becomes preferred over the other, then if the preferred interface goes down, your weighted interface would route the downed interface's traffic. Wybnormal stated this previously...."Or even static routes where certain ranges go to one interface and other go out the 2nd. Then have floating statics reversing it so if one serial drops offline, the packets will still make it out."

For this to achieve a load balancing effect you may need to re-allocate IPs across your LAN so that all the "heavy traffic generators" aren't bunched up in the same block. Say if you have a /24...split it into two /25's and spread your servers evenly across both netblocks. Then assign one netblock to each interface. This way both interfaces should see similar usage.
 
Great great... so how do I do it? ;)
 
DLCI = 500

pvc create time 00:37:28, last time pvc status changed 00:37:28

Here is at least one problem from your posting: you are not creating a PVC. Verify your DLCI values with your ISP. Also post a debug frame-relay lmi. I can verify an exact problem.

Route once; switch many
 
Also post the output of
show interface Serial0/0
Verify all the control signals, for example:

dcd=up dsr=up DTR=up RTS=up CTS=up
This will verify a good physical connection.
Then we proceed to step two.

Route once; switch many
 
What I'm suggesting would require LAN analysis. You'd have to look @ your network's topology and come up w/ a scheme to distribute traffic from your LAN as evenly as possible over the two WAN interfaces. This could get very involved and may require the reallocation of ip addresses across the network. You state that you have multiple web / file servers...you don't want all of your servers on one interface and your workstations on the other. I don't know how your LAN is configured...this would have to be taken into consideration. Now that's just my opinion, I don't think you should really be running bgp either but if you continue to, @ least make sure you have >=128Megs of mem on board. A 3640 should be able to handle full routes w/ that much memory (you'd probably want to drop CEF though). The optimum setup would be to buy another 3640 (yeah, yeah I know...$$$$) and run bgp / hsrp b/t the two. This would give you a fully redundant setup. Right now if you were to lose the router you also lose both circuits and that somewhat defeats the purpose of being multihomed (to a certain extent). Start w/ independently certifying your configs w/ your isp's and go from there. I agree w/ marsd...it sounds like you guys have a pretty complex shop and w/ a network consisting of two /24's and a /27, you should have a network administrator on hand @ least pt to help out w/ situations like this.
 