
How do I stop my 801 from dialing every two minutes?


merlincat

IS-IT--Management
Jul 17, 2002
2
GB
Hi I hope someone can help?

I have two 801 routers, configured for DDR. They work fine, except they like to dial each other for absolutely no reason. Unless network broadcasts are causing it. I think I have banned most of the bad network access protocols? Maybe I am wrong?

Here is one of the configurations:

Using 1715 out of 8077 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption

hostname ADVSWEST***

boot system flash c800-y6-mw.l21-9.bin bin
logging buffered 4096 notifications
no logging console
enable secret ************************************
username ADV***** ********************
ip subnet-zero

no ip domain-lookup
isdn switch-type basic-net3

interface Ethernet0
description ^SOUTHAMPTON LAN CONNECTION**
ip address 10.1.7.6 255.255.255.0
ip access-group 121 in
no ip proxy-arp
no keepalive
no cdp enable


interface BRI0
description * CONNECTED TO ADVWITNEY**
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
no cdp enable


interface Dialer0
no ip address
shutdown
no cdp enable


interface Dialer1
ip address 192.168.100.1 255.255.255.0
ip access-group 121 in
ip access-group 121 out
no ip proxy-arp
encapsulation ppp
dialer pool 1
dialer remote-name *****WITNEY***
dialer idle-timeout 10
dialer string 01+++++++++ class DialerClass
dialer-group 1
no cdp enable
ppp authentication chap

ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1

map-class dialer DialClass
access-list 121 permit ip any any time-range TIME
access-list 121 deny udp any eq netbios-dgm any
access-list 121 deny udp any eq netbios-ns any
access-list 121 deny udp any eq netbios-ss any
access-list 121 deny tcp any eq 137 any
access-list 121 deny tcp any eq 138 any
access-list 121 deny tcp any eq 139 any
dialer-list 1 protocol ip permit
no cdp run

line con 0

time-range TIME
periodic daily 0:00 to 23:59
end
command completed.

If anyone can help it would be much appreciated!

Cheers

Rob
 
You can attack this a couple of ways. Run a debug on the dialer and see what is triggering it, or configure the access list to block everything and log the results. You can cross off what would normally be denied and what remains will give clues to what is tripping the dialer.

800-isdn#debug dialer packets or 800-isdn#debug dialer ; this debugs the *interesting* packets

Possible problem children would be DHCP packets, routing protocol packets like RIP, bad apps that broadcast but never told you, and so on.

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Thanks guys I will try this.

One last question?

How would I stop every type of packet and then find out which ones I need?

Can you stop everything, then have exceptions?

Cheers

Rob
 
If you made a blank access list, there is an implied deny all at the end of every access list. So you specify all your exceptions first then deny everything else either by leaving the last line blank or just spelling out the deny all at the end.

In the list below, I spelled out certain web sites I wanted denied AND logged on an inbound link. Then I permitted a certain UDP protocol in. Then a certain TCP protocol is allowed to a certain IP address and that is logged. Everything else is permitted by the permit any at the end.

access-list 107 deny ip 211.0.0.0 0.255.255.255 any log
access-list 107 deny ip 210.0.0.0 0.255.255.255 any log
access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
access-list 107 deny ip 172.0.0.0 0.255.255.255 any log
access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
access-list 107 deny ip 255.0.0.0 0.255.255.255 any log
access-list 107 deny ip 224.0.0.0 0.255.255.255 any log
access-list 107 deny ip 192.168.50.0 0.0.0.255 any log
access-list 107 deny icmp any any echo log
access-list 107 deny tcp any any eq finger
access-list 107 permit udp any any eq syslog
access-list 107 permit tcp host 192.168.1.10 any log
access-list 107 permit ip any any


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
I have experienced the same problem on a 1700 series router which was configured for VPN. I also had a default route set, and debugging did not help too much, because I could not check on the router 50 times a day to see if the ISDN was established for unknown reasons. What I did was, I set an access list on the FastEthernet interface, logging all traffic. Like this I was able to see in the log which traffic initiated the ISDN. I also set up IP accounting. Anyway, it came down to a misconfigured print server. In another case where I had this happen it came down to MS Outlook and the MSN Messenger, which both actively kept the ISDN line up.
 
Thanks folks. I think I may have fixed it! Although, I keep saying this to my boss!

I have now changed the access list to:

map-class dialer DialClass
access-list 121 deny udp any any eq netbios-dgm
access-list 121 permit ip any any time-range TIME
access-list 121 deny udp any any eq netbios-ns
access-list 121 deny udp any any eq netbios-ss
access-list 121 deny tcp any any eq 137
access-list 121 deny tcp any any eq 138
access-list 121 deny tcp any any eq 139
access-list 121 deny tcp any any eq 135
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx deny
no cdp run

The router at the Head Office now closes the Dialer and does not activate. I think the original access list was configured wrong, command wise. Anyway I think I have cracked it, again!! (Probably haven't!)

Our other ISDN routers are 3COM and we have absolutely no trouble with them at all. It's a shame 3COM are not in the router market any more ;'-(

I am away now for the weekend. I will keep you all posted if it worked or not. As you know when the punters go home the network always behaves itself!!

Best Wishes

Rob
 
LynuxGurl

Can you explain the commands for setting up an access list for logging traffic on the ethernet interface? And IP accounting? I am not very good with Cisco stuff. I have just bought a book called "Cisco Admin in 24 hours". It's not very good!

Thanks for your help

Kind regards

Rob
 
See how wybenormal set up his access lists: he just added the word "log" after the access-list command. That will do it. When handling access lists (ACLs) you need to keep in mind that
1) they are processed in the order in which they are entered
2) there is an invisible "deny any any" at the end of each list.
You cannot take out a single line: as soon as you type "no access-list 121 ...", the entire access list is gone. Use an editor, and design your list the way you need it. In my case it was simple:

global config: access-list 120 permit ip any any log

(fast)ethernet config mode: access-group 121 in
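
An added example, not part of the thread or any poster's own code: a small Python first-match evaluator run over the two versions of access-list 121 posted above, showing which entries can never match because of where "permit ip any any" sits. It models only the any/eq entries used in this thread and assumes the TIME time-range is always active; the function names are illustrative.

```python
# Added example (not from the thread): first-match check of access-list 121.
# Models only "any ... any" entries; time-range TIME is assumed always active.
PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
ORIGINAL = """access-list 121 permit ip any any time-range TIME
access-list 121 deny udp any eq netbios-dgm any
access-list 121 deny udp any eq netbios-ns any
access-list 121 deny udp any eq netbios-ss any
access-list 121 deny tcp any eq 137 any
access-list 121 deny tcp any eq 138 any
access-list 121 deny tcp any eq 139 any"""
REVISED = """access-list 121 deny udp any any eq netbios-dgm
access-list 121 permit ip any any time-range TIME
access-list 121 deny udp any any eq netbios-ns
access-list 121 deny udp any any eq netbios-ss
access-list 121 deny tcp any any eq 137
access-list 121 deny tcp any any eq 138
access-list 121 deny tcp any any eq 139
access-list 121 deny tcp any any eq 135"""

def parse(text):
    """Return [(action, proto, src_port, dst_port)]; a port of None means any."""
    rules = []
    for line in text.splitlines():
        action, proto, *tok = line.split()[2:]   # drop "access-list 121"
        ports = []
        for _ in range(2):                       # source, then destination
            if tok.pop(0) != "any":
                raise ValueError("only 'any' addresses are modelled: " + line)
            eq = tok[:1] == ["eq"]
            ports.append((PORTS.get(tok[1]) or int(tok[1])) if eq else None)
            tok = tok[2:] if eq else tok
        rules.append((action, proto, ports[0], ports[1]))
    return rules

def covers(rule, proto, sport, dport):  # rule matches every such packet
    return (rule[1] in ("ip", proto) and rule[2] in (None, sport)
            and rule[3] in (None, dport))

def decide(rules, proto, sport, dport):
    """First match wins; entry 0 stands for the implicit deny at the end."""
    for n, rule in enumerate(rules, 1):
        if covers(rule, proto, sport, dport):
            return rule[0], n
    return "deny", 0

def shadowed(rules):
    """Entry numbers that can never match because an earlier entry covers them."""
    return [n for n, r in enumerate(rules, 1)
            if any(covers(e, r[1], r[2], r[3]) for e in rules[:n - 1])]
```

shadowed(parse(ORIGINAL)) reports entries 2 to 7 and shadowed(parse(REVISED)) reports entries 3 to 8, so in the revised list only the netbios-dgm deny is ever reached. Listing the deny entries first and the permit last leaves no shadowed entries.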
 