Secondary IP Address

[jkaftan]

I have assigned a secondary IP address on my edge router's inside interface. I have a VLAN with two networks on it and I want this interface to be able to talk to both networks.

When I try to ping my firwall on the network that is my secondary on the edge router the router is sending the traffic to its default gateway or to the ISP even though the router shows the network as being directly attached when I do a sh ip route.

Any idea why this router is not using the attached network over the default gateway?

 

[jneiberger]

Please post the output of "show ip route" on your router as well as the IP address you're trying to ping. It would also be helpful to see the config on that interface.

 

[jkaftan]

Here is the info including most of the config and the results of a "sh ip route" Thanks for taking a look

I am trying to ping 72.237.4.140. It works fine if I specify extended comands and specify the source as 72.237.4.135. If I do not do that it goes out the default-gateway with a source of 12.86.158.50.

SEC-RTR#sh run
Building configuration...

Current configuration : 1833 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SEC-RTR
!
boot-start-marker
boot-end-marker
!
card type t3 1

!
memory-size iomem 15
clock timezone eastern -5
clock summer-time eastern recurring
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T3 1/0
clock source line
!
!
!
!
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 72.237.4.135 255.255.255.224 secondary
ip address 12.185.48.17 255.255.255.240
speed 100
full-duplex
!
interface Serial1/0
bandwidth 30300
ip address 12.86.158.50 255.255.255.252
ip route-cache flow
dsu bandwidth 30300
scramble
!
interface FastEthernet2/0
no ip address
shutdown
half-duplex
!
interface FastEthernet3/0
no ip address
shutdown
duplex auto
speed auto
!
router bgp 26808
no synchronization
bgp log-neighbor-changes
network 12.185.48.16 mask 255.255.255.240
neighbor 12.86.158.49 remote-as 7018
neighbor 12.86.158.49 soft-reconfiguration inbound
neighbor 12.86.158.49 prefix-list Gateway in
neighbor 12.86.158.49 prefix-list Advertise out
no auto-summary
!
no ip http server
no ip http secure-server
ip flow-export source Serial1/0
ip flow-export version 5 peer-as
ip flow-export destination 72.237.4.140 2055
ip classless
!
!
!
ip prefix-list Advertise seq 6 permit 12.185.48.16/28
!
ip prefix-list Gateway seq 5 permit 0.0.0.0/0
!

!
!
!
control-plane
!
!
!
!
!
!


SEC-RTR#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 12.86.158.49 to network 0.0.0.0

72.0.0.0/27 is subnetted, 1 subnets
C 72.237.4.128 is directly connected, FastEthernet0/1
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 12.185.48.16/28 is directly connected, FastEthernet0/1
C 12.86.158.48/30 is directly connected, Serial1/0
B* 0.0.0.0/0 [20/0] via 12.86.158.49, 1d00h
SEC-RTR#

 

[jkaftan]

I have removed the secondary IP address from F0/1 and configured F0/0 with the same ip and it works fine. I could leave it this way but I am still wondering why the sec address did not work. It always has before.

 

[jneiberger]

The secondary address needs to be assigned to the interface attached to that network. It's no surprise that it didn't work if that network is actually attached to your F0/0 interface.

 

[jkaftan]

It was connected at the time. I pulled the 72.237.4.135 address from the F1/0 interface and plugged the F0/0 interface in with a seperate cable into the same VLAN. Then I assigned the 72.237.4.135 ip to the F0/0 interface and it worked as it should. However it still should have worked when I had one cable connect to F0/1 that had both IPs assigned.

 

[jneiberger]

Ah, I see what you're saying. I misunderstood.

Is this a really busy router? I'm trying to remember the right debugging command...I think "debug ip packet" will show you why certain paths were chosen, but that will bring your router to its knees if you're logging to the console. Turn off console logging and give it a shot if this router isn't too busy.

 

[burtsbees]

Have you thought about an OER config?

Burt

 

[jkaftan]

No I am stuck with BGP because am dual hommed and need to have my incoming traffic re-routed should my Primary go down.

My firewall devices are not Cisco so I could not use OER between my Firewalls and Edge Routers.

Am I missing something?