I had something kind of ugly happen at work today and I thought I'd share the details.

I have two DS1s in our office that lead to our border 7206, which is in a colocated rack. One runs to a 2611, the other to a 2621. I have two Cat 3524s tied together with a copper gigabit link. They have two VLANs: #2 is 10.10.1.0/24 and #5 is xxx.xxx.21.32/27. The 2611 has one interface plugged into VLAN 2, the other into VLAN 5, while the 2621 uses an 802.1Q trunk to one switch that carries both VLANs. Both routers back each other up via HSRP (the 2611 is primary for 10.10.1.0/24, the 2621 is primary for xxx.xxx.21.32/27), thus load balancing the traffic across the two DS1s. Both routers run OSPF. Everything is in area 0 and there are three other sites that are fed from the core 7206 via DS1s. Nothing else was happening at the other sites when my trouble occurred.

I have a NAT pool on each router. The 2611 was there when I started and it originally had some numbers pulled out of the air with a static route from the 7206 to the particular serial interface so they were reachable. I got tired of wrestling with that config and stole .61 and .62 from xxx.xxx.21.32/27 to use instead. When I brought the 2621 in I created a Loopback1 interface and attached xxx.xxx.21.240/32 to it and used the middle two addresses for the NAT pool. I did this so I could *see* which subnets were used where. Loopback0 on each router is a /32 taken from the top of xxx.xxx.21.0/24 (the 2611 is xxx.xxx.21.252 and the 2621 is xxx.xxx.21.247); this is done so we have stable router IDs in OSPF, for those of you who haven't read that chapter yet.

The interface on the 2611 that carries the public numbers got plugged into a port that was in the wrong VLAN. The port was up/down and I didn't notice when I left on Sunday after having just converted from a 100 Mbit link to the gigabit connection. This led to a couple of interesting consequences.

Both of the routers' private addresses were reachable via telnet from the inside, and once there I could see everything else in the network, but stations on the inside could not reach anything. The DNS server for our network lies on the public segment that was not reachable via the 2611, and the addresses used for NAT came from the downed interface. With the 2611 being the active HSRP interface it couldn't see DNS, and it was using numbers from a network that our core router believed to be reachable only through the 2621 ... which was not where the NAT sessions were occurring. I spent two hours digging on VLANs and other stuff before I noticed the interface to the public LAN on the 2611 was up/down.

I knew I liked the Loopback interface on the 2621 holding the NAT pool a lot better than stealing from the public segment, and I am going to make that my policy now on any router that has to do NAT. I may find a good use for a /31 yet :-)

I also screwed up on interface tracking. I tracked the DS1s, which was a good thing, but in a setup like this I believe the public LAN interface needs to be tracked as well. I don't know if HSRP will let you track multiple interfaces, but I am going to find out as soon as I click send for this message.

Take heed, you CCIE wannabes, and demonstrate your problem solving skills to the lab examiner instead of while standing in front of twenty grumpy coworkers who want to know why they can't get their email :-(

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
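An added IOS configuration sketch for the 2611 side (not the poster's running config) showing the two lessons from the post in practice: the NAT pool on a loopback that OSPF advertises, and HSRP tracking both the DS1 and the public LAN port. Interface names, HSRP group numbers, priorities, decrements, the DS1 /30 and the 2621 being left at the default priority of 100 are assumptions; xxx.xxx keeps the post's own placeholder for the public prefix.

```cisco
! Added example (not the poster's configuration). Interface names, HSRP
! group numbers, priorities, decrements and the DS1 /30 are assumptions;
! xxx.xxx keeps the post's own placeholder for the public prefix.
!
! Loopback holds the NAT pool: it never goes up/down with a switch port,
! and OSPF keeps advertising it as long as the router itself is up.
interface Loopback1
 ip address xxx.xxx.21.241 255.255.255.252
 ! Without this, OSPF advertises a loopback as a /32 host route and
 ! the pool address .242 would be unreachable from the 7206.
 ip ospf network point-to-point
!
interface Ethernet0/0
 description Inside LAN, VLAN 2 (2611 is HSRP active here)
 ip address 10.10.1.2 255.255.255.0
 ip nat inside
 standby 2 ip 10.10.1.1
 standby 2 priority 110
 standby 2 preempt
 ! Multiple track statements are allowed; each decrements priority
 ! on its own. Losing either the DS1 or the public LAN port drops
 ! this router to 90, below the 2621's default 100, so it takes over.
 standby 2 track Serial0/0 20
 standby 2 track Ethernet0/1 20
!
interface Ethernet0/1
 description Public LAN, VLAN 5 (2611 is HSRP standby here)
 ip address xxx.xxx.21.34 255.255.255.224
 standby 5 ip xxx.xxx.21.33
 standby 5 priority 90
 standby 5 preempt
!
interface Serial0/0
 description DS1 to the border 7206 (assumed /30 addressing)
 ip address xxx.xxx.21.249 255.255.255.252
 ip nat outside
!
! Translate inside hosts to the loopback pool, not to addresses
! borrowed from the public VLAN.
ip nat pool OFFICE xxx.xxx.21.242 xxx.xxx.21.242 netmask 255.255.255.252
ip nat inside source list 1 pool OFFICE overload
access-list 1 permit 10.10.1.0 0.0.0.255
!
router ospf 1
 network 10.10.1.0 0.0.0.255 area 0
 network xxx.xxx.21.32 0.0.0.31 area 0
 network xxx.xxx.21.240 0.0.0.3 area 0
 network xxx.xxx.21.248 0.0.0.3 area 0
```

With this in place, `show standby` on the 2611 shows the tracked interfaces and the current priority, so an up/down public LAN port is visible at a glance rather than after two hours of VLAN digging.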