Cisco 2611 routing amongst Ethernet interfaces

pixboy

In our office, we have 2 different networks, connected to the Internet by 2 different T-1s. (The T-1s are from different providers, too.)

I've been tasked with developing a setup that will allow our Internet traffic (outgoing) to go out the other T-1 if the main one is down.

Our main router is a Cisco 2620 with 1 Ethernet and 1 CSU/DSU, connected to the MCI T-1.

The other network is connected with a Cisco 1720 with 1 Ethernet and 1 CSU/DSU, connected to the SBC T-1.

I have full access and control over the main router. I have no access nor any control over the other router.

I have a Cisco 2611 with 2 Ethernet interfaces and 1 CSU/DSU. I've been looking into using that as a bridge between the 2 networks. I've configured it to have 1 Ethernet on the main network, and 1 on the other network. However, I can't seem to get it to route any traffic between the 2 networks at all.

If I take a Windows machine and set it with a static route through the 2611 to get to a machine on the other network, it does not work at all. I'd expect to be able to ping the machine in the other network, but I can't. Doing a traceroute from one side to the other fails at the IP address of the 2611.

From the 2611 itself, I can ping things on either side with no trouble.

I've tried any number of different configurations, but to no avail. The 2611 is running IOS 12.1(7), as is the 2620 that's the main router.

I originally envisioned replacing the 2620 with the 2611 as the main router, but would like to avoid that if possible.

The overall structure of both networks looks like this:

T-1 === Router === PIX 501 firewall === hosts

(There currently is NO connection between the 2 networks. I'm only trying to take advantage of the other T-1 should the main one drop off.)

The 2611 router has inside-the-firewall addresses on both networks (10.1.10.1 in one network, and 10.10.10.1 in the other. Using 255.255.0.0 subnets on both sides.)

Any ideas? Suggestions welcome!

Thanks.

 
Pixboy,

...let me see if I have this straight..

..so you are trying to ping from your Windows box through the 2611 to the 1720 and get replies back to the Windows box and you are not..

..the 2611 can ping the 1720 and past with no problem..

..I think I understand the Windows box to be on the 10.x.x.x subnet.

..if above is all correct..

..do you have a static route in that 2611 pointing to that Windows box subnet (added by interface).....

...if you do...does the 1720 know to route back that particular subnet through its Ethernet interface that is connected to the 2611?

CCNP,CCSP,MCSE,Sec+,Net+,A+...
 
Just to clarify ... The 1720 is on the far end of the other network, but is not involved at this point.

The ping test I was trying to run would look somewhat like this:

Host (in main network) --> 2611 --> Host (in other network)

It looks like the traffic gets from the first host to the 2611, but dies there.

I've had various routing statements in the 2611 to route traffic from one network to the other, but maybe I've got those wrong.

Here's my current configuration:

version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ROUTER2
!
enable secret 5 $1$NKM8$jaTNNSyxPox5jw.MSwkEo/
!
!
!
!
!
ip subnet-zero
no ip finger
!
!
!
!
interface Ethernet0/0
 ip address 10.1.10.1 255.255.0.0
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 10.10.10.1 255.255.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip route 10.1.0.0 255.255.0.0 Ethernet0/0
ip route 10.10.0.0 255.255.0.0 Ethernet0/1
no ip http server
!
snmp-server community public RO
!
line con 0
 password 7 096E7C283D29322B
 transport input none
line aux 0
line vty 0 4
 password 7 106C3B38213B3732
 login
!
end

I've added a route statement to a Windows machine on the main network (IP address 10.1.1.168) to route 10.10.1.83 (in the other network) via 10.1.10.1, which is the 2611's Ethernet0/0 interface. The ping to 10.10.1.83 fails from the Windows machine.

Pinging 10.10.1.83 from the 2611 works fine, as does pinging 10.1.1.168 from the 2611. So the 2611 sees both hosts, but they don't see each other.
 
You don't need any routing statements whatsoever on the router in order to route between subnets that are connected to the router. It already knows how to get to those subnets because they're directly connected. It will just confuse matters if you add static routes for directly connected subnets.

It's also not necessary to add routing statements to your PCs or servers. Just make sure their subnet masks and default gateways are set correctly. The problem you're describing sounds like misconfigured subnet masks or default gateways.
 
The routing statement I added to 10.1.1.168 was to test the ability of the 2611 to actually route amongst the 2 networks. The default gateway of any host in the 10.1.x.x network is 10.1.1.1 (a Cisco PIX 501). Its default gateway is our Cisco 2620, which is connected to the MCI T-1.

Without that route statement, there'd be no way for the traffic to get from the 10.1.x.x network to the 10.10.x.x network.

All the machines and routers in this test have the proper subnet masks and default gateways. So why isn't the 2611 actually routing amongst the Ethernet interfaces? That's the ultimate question here. The routing statements in the above configuration _shouldn't_ have a negative impact, unless I'm thinking too logically :)
 
OK, so I sort of figured it out.

I was researching this further and saw a Cisco doc that happened to mention the path BACK from the other network. It occurred to me that if the host on the other network doesn't know how to route back to the host in the main network, then ... (duh)

At any rate, that seems to work now. Sort of.

I configured the PIX firewalls on either end to route traffic for the opposite network through the PIX firewall. (So one PIX had "route 10.10.0.0 255.255.0.0 10.1.10.1" and the other had "route 10.1.0.0 255.255.0.0 10.10.10.1".) Didn't seem to work at all, but that's probably more PIX related.

Now I'm trying to figure out how best to configure the "system" (as a whole) to fail over to the other network for its T-1 if the main T-1 fails. I realize that we could do that internally within the main network's 2620 router, but it'd have to be able to access the 2611 that's the bridge between them.
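
Added example, not part of the original thread: a small Python model of the addresses quoted above, showing why the ping fails until the far host has a route back through the 2611. The node names and host B's default gateway (10.10.1.1) are assumptions; the PIX units are modeled only as the point where inter-LAN traffic is lost.

```python
import ipaddress as ip

class Node:
    def __init__(self, name, addrs, routes=(), forwards=False):
        self.name, self.forwards = name, forwards
        self.ifaces = [ip.ip_interface(a) for a in addrs]
        self.routes = [(i.network, None) for i in self.ifaces]  # connected nets
        self.routes += [(ip.ip_network(p), ip.ip_address(g)) for p, g in routes]

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match: (network, gateway) or None if no route."""
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(nodes, src, dst):
    """Follow one packet hop by hop; return (delivered, names visited)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    find = lambda a: next((n for n in nodes if n.owns(a)), None)
    node, path = find(src), []
    while node is not None and node.name not in path:
        path.append(node.name)
        if node.owns(dst):
            return True, path
        hit = node.lookup(dst)
        if hit is None or (len(path) > 1 and not node.forwards):
            break          # no route, or node not modeled as joining the LANs
        node = find(hit[1] if hit[1] is not None else dst)  # None = on-link
    return False, path

def build(return_route=False):
    """Addresses from the thread; host B's default gateway is an assumption."""
    b = [("0.0.0.0/0", "10.10.1.1")]
    if return_route:
        b.append(("10.1.0.0/16", "10.10.10.1"))   # route back via the 2611
    return [
        Node("hostA", ["10.1.1.168/16"],
             [("0.0.0.0/0", "10.1.1.1"), ("10.10.1.83/32", "10.1.10.1")]),
        Node("2611", ["10.1.10.1/16", "10.10.10.1/16"],
             [("0.0.0.0/0", "10.10.1.1")], forwards=True),
        Node("hostB", ["10.10.1.83/16"], b),
        Node("pixMain", ["10.1.1.1/16"]), Node("pixOther", ["10.10.1.1/16"]),
    ]

def ping(nodes, a="10.1.1.168", b="10.10.1.83"):
    return trace(nodes, a, b)[0] and trace(nodes, b, a)[0]
```

In the model the echo request reaches host B through the 2611 either way; only the reply path changes when `build(return_route=True)` is used.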
 
...did I kinda give you a hint ...I run into these scenarios every time I configure a new lab... especially with a PIX or concentrator involved...!!

CCNP,CCSP,MCSE,Sec+,Net+,A+...
 
..just because something is "connected" don't assume that subnet will be propagated...if that was the case there wouldn't be a command >redistribute connected

CCNP,CCSP,MCSE,Sec+,Net+,A+...
 