My WAN and I need help!


bubarooni (Technical User, US)
May 13, 2001
Hello To All,

I have never worked on a WAN before and have some questions that I simply can't come up with a solution for. The place I am working has three Cisco 1750 routers, one at each location in the company, and I will soon need to add a fourth for a new location. They were already configured when I arrived here two months ago. I am running frame relay. I am really unfamiliar with IOS, so I hope I've left nothing too important out. I am clueless, so bear with me.

Here is my setup:
Home Office is running NT Server 4.0 with DHCP and WINS.
Remote locations have no server.
I have a PIX firewall with NAT inside at Home Office.
Home office has a PVC to each remote location (2).
Remote offices have one PVC back to home office.
192.168.1.1 = Home Office router
192.168.2.1 = Office 2 router
192.168.3.1 = Office 3 router
192.168.1.7 = PDC at home office (DHCP, WINS and Mail)
192.168.1.4 = Citrix server
192.168.1.254 = PIX firewall


Here is what I would like:
1 To be able to browse the other locations. Ideally, I would be able to see each location in Network Neighborhood.
2 To be able to use the mail server in the home office in the remote locations. Currently users at remote locations can only access mail through a Citrix server located at the home office.

Here are some things that baffle me:
I can ping workstations in remote locations from workstations in the home office. I cannot ping anything, even the router, at a remote location from the PDC running DHCP and WINS at the Home Office.
I can ping workstations at the home office from remote locations but, once again, the PDC cannot be pinged. This, of course, is where my mail Post Office is located (MS Mail).
The PDC lists the PIX as its DNS server. Why would it be set up that way?
Why does Office2 configuration list Loopback0 as an interface? What does that do?

Here are the router configurations.

------Home Office------

!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname home_1750
!
boot system flash:1:aaa1397.bin
no logging console
enable secret ***************************
enable password ****************
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
interface Serial0
ip address 10.0.1.1 255.255.255.0
encapsulation frame-relay
no fair-queue
service-module t1 timeslots 1-2
frame-relay map ip 10.0.1.2 17
frame-relay map ip 10.0.1.3 18
frame-relay lmi-type cisco
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
speed auto
full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 192.168.1.4 255.255.255.255 FastEthernet0
ip route 192.168.2.0 255.255.255.0 10.0.1.2
ip route 192.168.3.0 255.255.255.0 10.0.1.3
no ip http server
!
!
line con 0
exec-timeout 300 0
transport input none
line aux 0
line vty 0 4
exec-timeout 300 0
password ********
login
!
no scheduler allocate
end

-------Office 2--------
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Office2_1750
!
no logging console
enable secret ***************************
enable password ****************
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool dhcpOffice2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Serial0
description connected to will
ip address 10.0.1.2 255.255.255.0
encapsulation frame-relay
no fair-queue
service-module t1 timeslots 1-2
frame-relay lmi-type cisco
!
interface FastEthernet0
ip address 192.168.2.1 255.255.255.0
speed auto
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 10.0.1.1
no ip http server
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password ********
login
!
no scheduler allocate
end


-------Office 3--------
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Office3_1750
!
no logging console
enable secret ***************************
enable password ****************
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
ip dhcp excluded-address 192.168.3.1 192.168.3.10
!
ip dhcp pool dhcpOffice3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
interface Serial0
ip address 10.0.1.3 255.255.255.0
encapsulation frame-relay
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-2
frame-relay map ip 10.0.1.1 16
frame-relay lmi-type cisco
!
interface FastEthernet0
ip address 192.168.3.1 255.255.255.0
no ip mroute-cache
speed auto
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 10.0.1.1
no ip http server
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password ********
login
!
no scheduler allocate
end


I really appreciate any pointers on these that anyone can give. I have to open a new branch in eight weeks. I would love to have a cookie cutter pattern for every new location we roll out.
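Added example, not part of the original post: before the configs above are cloned for the fourth site, it is worth cross-checking them mechanically. The script below parses the posted home-office config (trimmed to Serial0, FastEthernet0 and the static routes) and rebuilds Office 2 and Office 3 in the shape they were posted (Office 2 has no `frame-relay map` line, Office 3 maps the hub on DLCI 16), then adds a constructed candidate for the new branch. DLCI 19 for that site is an assumption, and its `default-router` carries a deliberate copy-paste slip so the DHCP check has something to catch. It reports three things: static next hops that IOS could not resolve (IOS resolves a next hop recursively, so a default route pointing at the far LAN is fine as long as a more specific route covers it), static frame-relay maps with no static map back on the peer (not necessarily broken, Inverse ARP can fill the gap, but an asymmetry to know about), and a DHCP default-router outside its own pool.

```python
"""Added example, not from the thread: cross-check the posted hub-and-spoke
frame-relay configs (plus a candidate for the new site) for inconsistencies.
HOME is trimmed from the posted config; spoke() rebuilds Office 2/3 as posted
(Office 2 has no frame-relay map line). OFFICE4 is constructed: DLCI 19 is an
assumption and its default-router carries a deliberate copy-paste slip."""
import ipaddress
import re

HOME = """\
interface Serial0
 ip address 10.0.1.1 255.255.255.0
 frame-relay map ip 10.0.1.2 17
 frame-relay map ip 10.0.1.3 18
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 192.168.1.4 255.255.255.255 FastEthernet0
ip route 192.168.2.0 255.255.255.0 10.0.1.2
ip route 192.168.3.0 255.255.255.0 10.0.1.3
"""

def spoke(n, hub_dlci=None, gateway=None):
    """Spoke config in the shape of the posted Office2/Office3 ones."""
    map_line = f" frame-relay map ip 10.0.1.1 {hub_dlci}\n" if hub_dlci else ""
    return (f"ip dhcp pool dhcpOffice{n}\n network 192.168.{n}.0 255.255.255.0\n"
            f" default-router {gateway or f'192.168.{n}.1'}\n!\n"
            f"interface Serial0\n ip address 10.0.1.{n} 255.255.255.0\n{map_line}!\n"
            f"interface FastEthernet0\n ip address 192.168.{n}.1 255.255.255.0\n!\n"
            "ip route 0.0.0.0 0.0.0.0 192.168.1.1\n"
            "ip route 192.168.1.0 255.255.255.0 10.0.1.1\n")

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
MAP_RE = re.compile(r"^\s*frame-relay map ip (\S+) (\d+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
NET_RE = re.compile(r"^\s*network (\S+) (\S+)")
GW_RE = re.compile(r"^\s*default-router (\S+)")

def parse(name, text):
    """Pull interfaces, static frame-relay maps, static routes and the DHCP pool."""
    site = {"name": name, "ifaces": [], "maps": {}, "routes": [], "pool": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("interface "):
            section = "iface"
        elif line.startswith("ip dhcp pool"):
            section = "pool"
        elif line.startswith("!"):
            section = None
        elif (m := ROUTE_RE.match(line)):
            site["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
        elif section == "iface" and (m := ADDR_RE.match(line)):
            site["ifaces"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}"))
        elif section == "iface" and (m := MAP_RE.match(line)):
            site["maps"][ipaddress.ip_address(m[1])] = int(m[2])
        elif section == "pool" and (m := NET_RE.match(line)):
            site["pool"]["network"] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif section == "pool" and (m := GW_RE.match(line)):
            site["pool"]["gateway"] = ipaddress.ip_address(m[1])
    return site

def next_hop_resolves(site, hop, depth=2):
    """IOS resolves a static next hop recursively: it must sit on a connected
    subnet, or be covered by another (non-default) static route whose hop is."""
    try:
        ip = ipaddress.ip_address(hop)
    except ValueError:
        return True                                    # hop given as an interface name
    if any(ip in i.network for i in site["ifaces"]):
        return True
    covering = [r for r in site["routes"] if r[0].prefixlen and ip in r[0]]
    if depth == 0 or not covering:
        return False
    return next_hop_resolves(site, max(covering, key=lambda r: r[0].prefixlen)[1], depth - 1)

def audit(sites):
    """Findings worth a look before a config is cloned to a new branch."""
    findings = []
    by_ip = {i.ip: s for s in sites for i in s["ifaces"]}
    for s in sites:
        for net, hop in s["routes"]:
            if not next_hop_resolves(s, hop):
                findings.append(f"{s['name']}: route {net} via {hop} does not resolve")
        mine = {i.ip for i in s["ifaces"]}
        for peer_ip, dlci in s["maps"].items():
            peer = by_ip.get(peer_ip)
            if peer is None:
                findings.append(f"{s['name']}: DLCI {dlci} maps {peer_ip}, unknown site")
            elif not mine & peer["maps"].keys():
                findings.append(f"{s['name']}: DLCI {dlci} maps {peer_ip}, but "
                                f"{peer['name']} has no static map back (needs Inverse ARP)")
        pool = s["pool"]
        if pool and pool["gateway"] not in pool["network"]:
            findings.append(f"{s['name']}: DHCP default-router {pool['gateway']} "
                            f"is outside pool {pool['network']}")
    return findings

SITES = [parse("home", HOME), parse("office2", spoke(2)),
         parse("office3", spoke(3, hub_dlci=16)),
         parse("office4", spoke(4, hub_dlci=19, gateway="192.168.3.1"))]

if __name__ == "__main__":
    print("\n".join(audit(SITES)) or "no findings")
```

Run against the three posted sites plus the constructed fourth, it reports the hub's DLCI 17 map with no static map back from Office 2, the new site's map with no DLCI for it yet on the hub, and the mistyped default-router; the spokes' default routes via 192.168.1.1 pass because the 192.168.1.0/24 static route resolves them over Serial0. The same script, fed a fresh spoke() output, is the "cookie cutter" check for each new location.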
 
Well.. right off the top of my tired head, you will need to either UDP forward or use IP Helper on the routers to get WINS, DHCP and Network Neighborhood to work. You need to be able to forward broadcast packets for these to work and that is what these two commands do. IP Helper would be preferred as it forwards a standard 10 types of broadcast packets where UDP forward requires you to name each type of packet. They both work but UDP forward is more work.

For example..

if you have this setup:

[router1]---------------------------[router2]
192.1.1.1 LAN                       10.10.10.1 LAN

say on the E0 interface:

router1:  ip helper-address 10.10.10.255
router2:  ip helper-address 192.1.1.255

This points each router to the other LAN for forwarding the broadcasts.

Here is a nice article from Cisco with details

I'll re-read the entire post later and see if there are any other comments I can make about :)

Mike S
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
Thanks for the input. I had printed out some of the Cisco documents: Configuring IP, Routing IP and Troubleshooting TCP/IP. I saw something there about IP Helper and thought that sounded promising but, it's a lot to go thru over a weekend.
When I run the Cisco ConfigMaker utility it inserts the following:
!
router rip
version 2
passive-interface FastEthernet 0
no auto-summary
!
Would this add the functionality I am seeking?

I know the original post has a lot in it. Thank you for taking the time to go thru it.
 
I would also advise getting more than a 128k connection at the host. IP helper probably is the route to take on the connection. If you're going to use a routing protocol use EIGRP, if not you can use STATIC ROUTES.
Jeter@LasVegas.com
J.Fisher CCNA
 
Seems more like an IP config problem on the PDC. I have several NT Domains that I can browse and I'm not using IP helper; in my opinion you would not want to propagate broadcast traffic. If you cannot ping clean from the PDC and your PIX is set up not to drop the ping packets, I would look at the default gateway on the PDC and make sure that it is correct. Is it using WINS from itself? Is it using DNS to resolve that is valid? You said it uses DNS from the PIX, why? Did you try a trace to and from the PDC? If so, where does it go or not? Hope this helps.
 
Some types of broadcast traffic you have very little choice in propagating.. DHCP, DNS, WINS, NB over IP for some types of services and the list goes on. There are many custom applications that use broadcast for all or part of their protocol. Healthcare is really bad for this, with completely vertical apps written in some guy's garage 10 years ago that have never been updated :-(

Windows domains are not the same as a broadcast domain. Don't confuse the two.. as long as everyone is on the same IP subnet, you don't need the IP Helper.. once you cross the IP subnet border, you need a bridge or a router to pass traffic from one subnet to another subnet.

"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
Wybnormal
If you have WINS working correctly you need not enable IP Helper. Getting from one IP subnet to another does not require you to enable IP helper. And I am not confused on domains, IP or NT. DHCP, WINS, and DNS do not need IP Helper. Raw NetBIOS is not routable. I agree that back in the days of old, like when people used Datatree Mumps to write Healthcare software, you needed to bridge your networks because these old apps were designed for LAN use. I am no expert on IP or IP Helper, but it is not needed to fix his problem.

In any case, if bubarooni sets up WINS correctly and his IP packets are getting from point A to point B, he should have no problems, and not need to use IP Helper to add traffic to his 128k circuit. This is an example of how you can also use LMHOSTS if you don't want to mess with WINS.

When you bring up a Windows NT Server as a "Server", the Windows NT Server communicates with the domain controller and checks for access permissions and so on. When the domain spans over a wide area network and the domain controller is located across a router that is routing IP only, you should perform the following procedure to bring up a server in the domain.

These steps will allow the Windows NT Server to resolve the name of the domain controller and communicate with it for authentication and participation in the domain:


1. Prepare an LMHOSTS file on another machine. The LMHOSTS file should contain the following information:

   IP Address of DC   NetBIOS name of DC   #PRE #DOM:Domain name

   For example:

   130.20.7.80 DOMCTRLR #PRE #DOM:MYDOMAIN

2. Copy the LMHOSTS file to a floppy disk so that it can later be imported by the domain controller.

3. When you are installing the Server, select the Custom Install option to install the Advanced Server.

4. During a network installation, make sure you select TCP/IP Protocol to be installed. This step is important; otherwise, only NetBEUI will be installed, and the Windows NT Server is not able to communicate with the domain controller.

5. After TCP/IP is installed, choose OK. The TCP/IP settings menu will be displayed. After entering the IP address and other TCP/IP-related information, choose the IMPORT LMHOSTS File button.

6. Place the floppy disk containing the new LMHOSTS file in the floppy disk drive and specify the path for the LMHOSTS file in the IMPORT LMHOSTS File dialog box. Note that you need only specify the path, not the name of the file. For example, if the LMHOSTS file is located in the root directory of the floppy disk and the disk is in drive A, you need only specify "A:\" in the dialog box. Also note that the file must be named "LMHOSTS".

7. Follow the instructions and answer the installation questions.

Good Luck.
 
FYI. This is what Microsoft had to say.

SYMPTOMS

The following error messages are added to your domain controller's system log (as seen with the Event Viewer) approximately every 12 minutes:

Event Log information:

Date:     6/14/95         Event ID: 8003
Time:     12:12:00 PM
Source:   Rdr
User:     N/A             Type:     Error
Computer: MyPDC           Category: None



Description:

The master browser has received a server announcement from the computer MyBDC that believes that it is the master browser for the domain on transport NetBT_NETFLX1. The master browser is stopping or an election is being forced.

Data: Words

0000: 00000000 004a0003 00000000 c0001f43
0010: 00000000 00000000 0000055a 00000000
0020: 00000000 00000000


CAUSE

Routers on your network are configured to forward UDP broadcasts (IP Helper is enabled).

If a Windows NT domain spans more than one subnet and the TCP/IP protocol (NetBT) is used, each subnet will have a Master Browser. If a Master Browser receives server announcements from another computer, claiming to be a Master Browser, an election is forced to ensure that there is only one Master Browser per subnet. These browser elections cause the 8003 message to be recorded.

If the routers on the network are configured to forward UDP broadcasts (IP Helper) to UDP ports 137 and 138, then the election broadcasts that are intended to remain in the subnet are forwarded to other subnets.

This has also been seen with bridges (IP Helper) or switches between two dissimilar network segments within the same subnet.


RESOLUTION

To stop the 8003 error messages, make sure the routers on the network are not forwarding UDP broadcasts (not using IP Helper), keeping browser elections on NetBT local to each subnet, and enable WINS or LMHOSTS on the network for NetBIOS name resolution.

NOTE: Switches configured for VLAN's (virtual segmentation) have to be configured on a per VLAN basis to prevent UDP broadcast propagation.
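Added example, not part of the thread, covering both the `ip helper-address` / UDP forwarding advice in the first reply and the Microsoft article just quoted. It models what an IOS helper address actually does with an inbound packet: only UDP, only broadcasts (limited or the interface's directed broadcast), only destination ports on the `ip forward-protocol udp` list, which defaults to Cisco's documented set (TFTP, DNS, Time, NetBIOS name and datagram, BOOTP client/server, TACACS, IEN-116), with the DHCP relay stamping the ingress address into giaddr. It then runs constructed Office 2 traffic through the default list and through a hardened router where `no ip forward-protocol udp 137` and `no ip forward-protocol udp 138` have been added, which is the IOS form of the KB's resolution. The interface, the helper target (the PDC 192.168.1.7 from the post) and the sample packets are constructed.

```python
"""Added example, not from the thread: which UDP broadcasts an
`ip helper-address` relays, with Cisco's default forward list beside a
hardened one that keeps NetBIOS (137/138) local. Interface, helper target
and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Ports IOS forwards by default once a helper address is configured.
DEFAULT_FORWARD_PORTS = {37: "time", 42: "nameserver", 49: "tacacs", 53: "domain",
                         67: "bootps", 68: "bootpc", 69: "tftp",
                         137: "netbios-ns", 138: "netbios-dgm"}

@dataclass
class Interface:
    address: ipaddress.IPv4Interface               # `ip address` on the LAN port
    helpers: list = field(default_factory=list)    # `ip helper-address` lines

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    giaddr: str = "0.0.0.0"                        # DHCP relay-agent field

class Router:
    def __init__(self):
        self.forward_ports = set(DEFAULT_FORWARD_PORTS)

    def no_forward_udp(self, port):
        """`no ip forward-protocol udp <port>`: stop relaying that port."""
        self.forward_ports.discard(port)

    def relay(self, iface, pkt):
        """Copies sent to the helpers for one inbound packet ([] if none)."""
        dst = ipaddress.ip_address(pkt.dst)
        broadcast = dst in (ipaddress.ip_address("255.255.255.255"),
                            iface.address.network.broadcast_address)
        if pkt.proto != "udp" or not broadcast or pkt.dport not in self.forward_ports:
            return []
        out = []
        for helper in iface.helpers:
            giaddr = pkt.giaddr
            if pkt.dport == 67 and giaddr == "0.0.0.0":
                giaddr = str(iface.address.ip)     # relay stamps the ingress address
            out.append(Packet(pkt.src, helper, "udp", pkt.dport, giaddr))
        return out

# Office 2 LAN port pointing at the PDC (DHCP/WINS) at the home office.
OFFICE2_FA0 = Interface(ipaddress.ip_interface("192.168.2.1/24"), ["192.168.1.7"])

# Constructed traffic seen on the Office 2 LAN.
SAMPLE = [
    Packet("0.0.0.0", "255.255.255.255", "udp", 67),       # DHCPDISCOVER
    Packet("192.168.2.20", "192.168.2.255", "udp", 137),   # NetBIOS name query
    Packet("192.168.2.20", "192.168.2.255", "udp", 138),   # browser election datagram
    Packet("192.168.2.20", "192.168.2.255", "udp", 3000),  # some app's own broadcast
    Packet("192.168.2.20", "192.168.1.7", "udp", 53),      # unicast DNS, never relayed
]

def relayed(router, iface, packets):
    """Service names of the packets that cross the router, in order seen."""
    return [DEFAULT_FORWARD_PORTS.get(p.dport, str(p.dport))
            for p in packets if router.relay(iface, p)]

def compare():
    default = Router()                     # `ip helper-address` alone
    hardened = Router()                    # plus two `no ip forward-protocol udp`
    hardened.no_forward_udp(137)
    hardened.no_forward_udp(138)
    return relayed(default, OFFICE2_FA0, SAMPLE), relayed(hardened, OFFICE2_FA0, SAMPLE)

if __name__ == "__main__":
    before, after = compare()
    print("default forward list relays:", before)
    print("with netbios-ns/dgm removed:", after)
```

With the default list the router relays the DHCP discover and both NetBIOS broadcasts (the election datagram the KB complains about); with 137 and 138 removed only DHCP crosses, and the unicast DNS query and the application's own port-3000 broadcast were never candidates. One caveat on the directed-broadcast helper target (10.10.10.255) shown in the earlier reply: for the far router to turn that into a LAN broadcast its Ethernet interface must have `ip directed-broadcast`, which IOS has left off by default since 12.0 because of smurf amplification; pointing the helper at the server's unicast address, as here, avoids turning it back on.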
 
John-
I respectfully disagree about WINS. It's true *IF* you have directed broadcasts.. ie.. pointed to a single IP address. But in most cases, WINS is configured to either get the WINS info from the local subnet by directed IP (H-mode) OR it will default to a broadcast to try and find ANY WINS box that can answer its query. WINS has a few different modes to operate, H mode, M mode, B mode and so on.

You want to make sure you are set to H node *IF* you want to avoid the broadcast issue. And even then, if the client cannot find the server, it will attempt to broadcast anyway. B mode is worse as it's only broadcast.. ugh!! bad idea but I have seen it.

LMHOSTS files would "fix" the problem but in a large enterprise (4,000 plus nodes here, 340 subnets) it's not very practical. Same thing applies to the #PRE and so on. I would expect a clever person could place it all in a profile or login script but that is more work on the admin side.

If you look at a sniff trace from the login and authentication from a client to a NT server PDC, you will find that the first packets from the client are based on UDP and UDP is a broadcast protocol and will be blocked by the router unless specifically allowed to be passed. The port is 138 and unless you pass this UDP mailslot, you don't get on the domain.

Again, to pass UDP port 138 between subnets via the router, you need either UDP forwarding enabled OR IP Helper which defaults to forwarding this port plus 9 others like TFTP, BOOTP( DHCP) and so on.

PDC-----subnet1----router1-----subnet2----client

I too have read the articles from MS about this and what it really says is that MS used a poor design for logging into the domain. In order to log in and get WINS working right across subnets, you end up with configuration on the router that passes UDP port 138 and blocks almost everything else. This also depends a lot on link speed and server response time.

This is very easy to test with a single router and two ethernet ports or just two routers back to back. Config one ethernet with a subnet and the second with a different subnet. Place a NT server on one side.. a client on the other. Try to browse the network.. try to log in to the domain. Neither will work. Enable IP helper on one ethernet port and you will find that you can browse one direction but not the other.

If you want some real fun, put together the NT server and client on a hub and sniff the login sequence. You will see the port 138 UDP packets which was something surprising to a few of us when we figured this out a while back.

For some very good details about this discussion, see:

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
You have every right to disagree and so do I. This is a statement from the Cisco link you posted and as you can see they also highly recommend using WINS, so I guess I'm not alone. As for not being able to get WINS from one subnet to the other without passing UDP packets, I don't get that. I have many subnets, none of which use IP Helper; all are using WINS, all log in to the domain and can browse. You can do what you want, this is only my opinion. I don't think we are helping the guy who started this posting at this point.

This is from the Cisco:

Windows Internet Name Service
WINS was created to allow clients on different IP subnets to dynamically resolve addresses, register themselves, and browse the network without sending broadcasts. Clients send unicast packets to the WINS server at a well-known address. For compatibility with older Microsoft Networking clients, however, broadcast name resolution is still turned on by default, even when WINS is also configured.

To repeat what was stated above, it is highly recommended for optimum network performance to use WINS. Again, there is a direct correlation between the number of broadcasts in a network and network performance; broadcasts are necessary for a network to function, but minimizing them can be critical.
 
Agreed.. the nice thing about networks is there is always more than *1* way to make it work... even a few ways that I have seen where I shake my head and just shrug and go on about my business ;-) The good news is that if you can dig deep enough, it almost always will make sense once you get all the pieces lined up right.

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
True, true. Now to get way off the original subject. Do you know anything about DLSw? I have a mainframe group that has one printer that they cannot convert to IP until the end of the year and I need to use DLSw to talk from the Ethernet segment to a token ring that has this SNA printer. I'm going to post this on the Nortel area but I thought I might ask. Oh yeah, it's Bay/Nortel routers on both ends.


 
I know Cisco's flavor of DLSw and have run it to NJ from Southern CA.. and locally to route some other odds and ends. I'm not sure how it will translate to Nortel.

MikeS "Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 