Help with new PVC configuration

mtbiker

MIS
Aug 23, 2001
US
I have a Bay Networks ARN Router and I really could use some help configuring for another PVC.

This router was set up in '98 with the rest of our WAN (Frame Relay) connection. We recently added a PVC connection to this location going to our ISP. The ISP has given us our 'public' IP addresses for our proxy server, GroupWise server, and the router. I have set up the PVC in the interface and it looks like it's set up correctly. Using Site Manager I am having difficulty getting this all to work.

My familiarity ends when we got the system configured and left it alone all this time.

Can you all help me out starting at step ONE: I think I have it basically configured correctly, except for the address translation and the routing. My ISP says they can telnet back from their end right into our router. So their end seems configured, but from my end, I can only ping from the router itself.

I'm hoping to set this connection up so that the internal network will only see this connection as an address and not a default route. I am going to set up a Proxy server to connect and provide users with Internet access. I have a separate public IP address that will be set up for our GroupWise E-Mail server specifically.

Thank You in advance.
 
Hai,

I believe if you have configured the PVC correctly you may, from telnet, do a show fr pvc ---> this will show if the PVC is active or not. From Site Manager, go to IP, select Frame Relay Services and check the PVC again; the status is invalid/inactive/active. If invalid, just activate it.

Another thing is to check the image, i.e. 11, 12, 13; sometimes the image does not support what you want to do.

 
A couple of things: if your ISP can telnet to the router & you can ping externally from the device, then near enough the PVC & WAN side is set up correctly. It sounds like you have an L3 routing issue. I am presuming that your publicly addressed devices can access the Internet via this ISP (if not, check IP config etc. & make sure the ISP has static routes/OSPF sorted out for your allocated range).

If you are having problems with NAT, below is a Baystack AN NAT config resolving the WAN address to private IP network 10.0.0.0/24. It also has a public IP interface for DMZ devices such as your mail server etc.
    ip
      all-subnets enabled
      classless enabled
      route-filters enabled
      directed-bcast disabled
      arp
      back
      static-route address 0.0.0.0 mask 0.0.0.0 next-hop-address 19x.11x.159.193
      back
      rip
      back
      tcp
      back
      nat
        local-range start-address 10.0.0.0 prefix-length 24
          n-to-1 19x.11x.159.203
          type n-to-1
        back
      back
    back
    ethernet slot 1 connector 1
      circuit-name E11
      ip address 10.0.0.14 mask 255.255.255.0
        arp
        back
        nat
        back
      back
      ip address 19x.18x.176.37 mask 255.255.255.248
        arp
        back
      back
    back
    serial slot 1 connector 1
      bofl disabled
      promiscuous enabled
      service transparent
      circuit-name S11_CI
      frame-relay
        dlcmi
        back
        default-service
          ip address 194.117.159.203 mask 255.255.255.224
            address-resolution arp-in-arp
            arp
            back
            nat
              type global
            back

Also, why don't you want to default route traffic out this link & what specific prefixes are you after if not a default? Your problem could be how your LAN is routing traffic to your various egress points.
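An address plan like the one in the config above can be checked offline before it goes on the router. The following is an added example, not part of the original post and not Nortel tooling: it models which source address the ISP would see for each inside host, assuming sources outside the NAT local range are forwarded untranslated. The public addresses are documentation ranges standing in for the redacted ones, and all function names are hypothetical.

```python
import ipaddress

# Constructed plan shaped like the posted config. 10.0.0.0/24 and the mask
# lengths come from the post; the public addresses are documentation ranges
# standing in for the redacted ISP-assigned values.
NAT_LOCAL_RANGE = ipaddress.ip_network("10.0.0.0/24")    # nat local-range
WAN_SUBNET = ipaddress.ip_network("203.0.113.0/27")      # serial interface, /27
NAT_GLOBAL = ipaddress.ip_address("203.0.113.11")        # n-to-1 address
DMZ_SUBNET = ipaddress.ip_network("198.51.100.32/29")    # second Ethernet address, /29

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_source(src):
    """Return (source address the ISP sees, verdict) for an outbound packet.

    Assumption: sources outside the NAT local range are forwarded untranslated.
    """
    addr = ipaddress.ip_address(src)
    if addr in NAT_LOCAL_RANGE:
        return str(NAT_GLOBAL), "translated"
    if addr in DMZ_SUBNET:
        return str(addr), "public"
    if any(addr in net for net in RFC1918):
        return str(addr), "private-leak"
    return str(addr), "unknown-source"


def audit_plan():
    """Check the plan itself for mistakes that break or bypass translation."""
    findings = []
    if NAT_GLOBAL not in WAN_SUBNET:
        findings.append("n-to-1 address is not in the WAN subnet")
    if NAT_LOCAL_RANGE.overlaps(DMZ_SUBNET):
        findings.append("NAT local range overlaps the DMZ subnet")
    if any(DMZ_SUBNET.overlaps(net) for net in RFC1918):
        findings.append("DMZ subnet uses private address space")
    return findings


def leaking_hosts(hosts):
    """List inside hosts whose private address would reach the ISP as-is."""
    return [h for h in hosts if egress_source(h)[1] == "private-leak"]


if __name__ == "__main__":
    for host in ("10.0.0.25", "198.51.100.34", "10.0.1.7"):
        print(host, "->", egress_source(host))
    print("plan findings:", audit_plan())
```

A host such as 10.0.1.7 sits in private space but outside the /24 local range, so under the stated assumption it would reach the ISP with its private source address; either widen the local range or filter such sources at the WAN interface.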
 
Thank You Vuti,
To answer your question about the default gateway, the Router itself is the default gateway as far as Internal IPs are concerned. The PVC that I am adding is only being given access by 2 devices: (1) our GroupWise 5.5.5 mail server and (2) our Proxy Server. This way I can control who gets access and monitor usage. This connection is a test trial. Eventually we will be installing a more permanent and separate connection for specific Internet use.
 
I am a bit confused over what exactly you are trying to achieve. Are you trying to route all your LAN Internet traffic through your proxy & then from there to the router & out? Or is your LAN still going to default to the router?

OR

Do you now want to maintain your LAN's routing via the router & `old` PVC, but route traffic originating from these two devices you mentioned over the new PVC & not the old one? In effect policy-based routing, which starts looking at source addresses to decide on destination.




 
I'm looking to maintain the current Private IP network intact. The Public IP is to remain separate and not to be used as a "direct" IP gateway.
I currently have a single server which has two NICs, one private, one public. I also have a Proxy server which also has two NICs, one public, one private. The PVC is simply input into the Router and identified as a separate public IP, which traffic from the two servers which have NICs on the same network default to the public IP. The Private network maintains its integrity.
I guess some of my concerns are possibly some of the "holes" I could have missed, or other angles which I may not have figured at all.

I appreciate your input. Thanks
 
MT, it sounds like what you've got are three and not one router to the internet. First of all, you should ideally have a firewall. The proxy should be on the inside with private addresses. The other server, should sit on a DMZ unless you're using it as a router also. Policies are fine, but they're a cheap way out of having to buy a firewall. A firewall would be more secure.

There are several questions that should be asked. First, are you using the embedded firewall on your router? Second, what model router are you using? Third, what version BayRS are you using? Fourth, what is your config (from BCC, type 'sho conf -all' and remove any SNMP stuff).
 
Have you added the Next Hop Address in Site Manager?
 
In your question you have made no mention of Group Mode and Direct Mode or placing the newly created PVC into its own Service record. Unless you have placed the new ISP PVC on a totally new frame relay circuit (separate serial interface and DSU/CSU) you have to look at using Direct Mode for your frame relay PVCs.

BayNetworks/Nortel can work with a frame relay interface in two modes - group mode and direct mode. (I believe this was introduced in ver 10 or 11 of the software.) When a frame relay interface is initially configured, a default service record is created. As PVCs / DLCIs are added they are all placed into the default service record and you would address all interfaces within the same IP subnet. This is group mode.

In Direct Mode, you create additional service records for each PVC or DLCI and the individual DLCIs are moved into each service record. Each Service Record is then treated as if it were a separate point to point connection. You can configure each with its own protocols and give each one a separate IP subnet, again just as though it was a point to point circuit.

This allows you to retain your original addresses for the internal network and put the ISP assigned address on your new ISP interface. You can then also put filters on the interface to help with security. But I would recommend use of a firewall and creation of a DMZ.

Note: you must also consider meshed and partially meshed frame relay networks.

These options are discussed on the BayRS/Nortel online library CDs that should have come with your routers.

Beware though - slow frame relay links (less than T1 speed and low committed information rates - CIR) can be troublesome, particularly on very congested networks where you are using OSPF or RIP for maintaining routing tables. Congestion can lead to incomplete routing tables.
 