I had something kind of ugly happen at work today and I
thought I'd share the details.


       I have two DS1s in our office that lead to our border 7206 which
is in a colocated rack. One runs to a 2611, the other to a 2621. I have
two Cat 3524s tied together with a copper gigabit link. They have two
VLANs - #2 is 10.10.1.0/24 and #5 is xxx.xxx.21.32/27

        The 2611 has one interface plugged into VLAN2, the other into
VLAN 5, while the 2621 uses an 802.1Q trunk to one switch that carries
both VLANs.

        Both routers back each other up via HSRP - the 2611 is primary
for 10.10.1.0/24, the 2621 is primary for xxx.xxx.21.32/27 - thus load
balancing the traffic across the two DS1s.

        Both routers run OSPF. Everything is in area 0 and there are
three other sites that are fed from the core 7206 via DS1s. Nothing else
was happening at the other sites when my trouble occurred.

        I have a NAT pool on each router. The 2611 was there when I
started and it originally had some numbers pulled out of the air with a
static route from the 7206 to the particular serial interface so they
were reachable. I got tired of wrestling with that config and stole .61
and .62 from xxx.xxx.21.32/27 to use instead. When I brought the 2621 in
I created a loopback 1 interface and attached xxx.xxx.21.240/32 to it
and used the middle two addresses for the NAT pool. I did this so I
could *see* which subnets were used where. Loopback0 on each router is a
/32 taken from the top of the xxx.xxx.21.0/24 - the 2611 is
xxx.xxx.21.252 and the 2621 is xxx.xxx.21.247 - this is done so we have
stable router IDs in OSPF for those of you who haven't read that chapter
yet.

    The interface on the 2611 that carries the public numbers got
plugged into a port that was in the wrong vlan. The port was up/down and
I didn't notice when I left on Sunday after having just converted from a
100 mbit link to the gigabit connection.

    This led to a couple of interesting consequences. Both of the
routers' private addresses were reachable via telnet from the inside and
once there I could see everything else in the network, but stations on
the inside could not reach anything.

    The DNS server for our network lies on the public segment that was
not reachable via the 2611 and the addresses used for NAT came from the
downed interface. With the 2611 being the active HSRP interface it
couldn't see DNS and it was using numbers from a network that our core
router believed to be reachable only through the 2621 ... which was not
where the NAT sessions were occurring.

    I spent two hours digging on VLANs and other stuff before I noticed
the interface to the public LAN on the 2611 was up/down.


   I knew I liked the Loopback interface on the 2621 holding the NAT
pool a lot better than stealing from the public segment and I am going
to make that my policy now on any router that has to do NAT. I may find
a good use for a /31 yet :-)

   I also screwed up on interface tracking - I tracked the DS1s which
was a good thing but in a setup like this I believe the public LAN
interface needs to be tracked as well. I don't know if HSRP will let you
track multiple interfaces but I am going to find out as soon as I click
send for this message.


     Take heed, you CCIE wannabes, and demonstrate your problem solving
skills to the lab examiner instead of while standing in front of twenty
grumpy coworkers who want to know why they can't get their email :-(



_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

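Added example, not the poster's own config: the two-router layout described above written out in IOS, with each router's NAT pool on its own Loopback1 (advertised into area 0 as a real prefix via `ip ospf network point-to-point`) and the private-side HSRP group on the 2611 tracking the public LAN port in addition to the DS1. Hostnames, interface names, HSRP group numbers, the decrement of 20, ACL 10 and all addresses are assumptions; 192.0.2.x stands in for the xxx.xxx.21.x the post redacts, and .64/29 and .72/29 are assumed free blocks out of that /24. IOS accepts several `standby track` lines in one group and the decrements add up, which is what makes the second track line work.

```cisco
! ===== r2611 : VLAN 2 and VLAN 5 on two separate Ethernet ports (assumed names) =====
hostname r2611
!
interface Loopback0
 description stable OSPF router-id
 ip address 192.0.2.252 255.255.255.255
!
interface Loopback1
 description NAT pool block; advertised as a /29 from this router only
 ip address 192.0.2.65 255.255.255.248
 ip ospf network point-to-point
!
interface Serial0/0
 description DS1 to the border 7206 (link addresses assumed)
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
interface Ethernet0/0
 description VLAN 2 private side, 10.10.1.0/24 - 2611 is primary here
 ip address 10.10.1.2 255.255.255.0
 ip nat inside
 standby 2 ip 10.10.1.1
 standby 2 priority 110
 standby 2 preempt
 standby 2 track Serial0/0 20
 standby 2 track Ethernet0/1 20
!
interface Ethernet0/1
 description VLAN 5 public /27, the segment that holds the DNS server
 ip address 192.0.2.34 255.255.255.224
 ip nat outside
 standby 5 ip 192.0.2.33
 standby 5 priority 90
 standby 5 preempt
 standby 5 track Serial0/0 20
 standby 5 track Ethernet0/0 20
!
router ospf 1
 network 10.10.1.0 0.0.0.255 area 0
 network 192.0.2.0 0.0.0.255 area 0
!
ip nat pool R2611-POOL 192.0.2.66 192.0.2.70 netmask 255.255.255.248
ip nat inside source list 10 pool R2611-POOL overload
access-list 10 permit 10.10.1.0 0.0.0.255
!
! ===== r2621 : both VLANs on one 802.1Q trunk =====
hostname r2621
!
interface Loopback0
 ip address 192.0.2.247 255.255.255.255
!
interface Loopback1
 description this router's own NAT pool block
 ip address 192.0.2.73 255.255.255.248
 ip ospf network point-to-point
!
interface Serial0/0
 ip address 192.0.2.6 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description dot1q trunk to the 3524
 no ip address
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.10.1.3 255.255.255.0
 ip nat inside
 standby 2 ip 10.10.1.1
 standby 2 priority 100
 standby 2 preempt
 standby 2 track Serial0/0 20
!
interface FastEthernet0/0.5
 description 2621 is primary for the public /27
 encapsulation dot1Q 5
 ip address 192.0.2.35 255.255.255.224
 ip nat outside
 standby 5 ip 192.0.2.33
 standby 5 priority 110
 standby 5 preempt
 standby 5 track Serial0/0 20
!
router ospf 1
 network 10.10.1.0 0.0.0.255 area 0
 network 192.0.2.0 0.0.0.255 area 0
!
ip nat pool R2621-POOL 192.0.2.74 192.0.2.78 netmask 255.255.255.248
ip nat inside source list 10 pool R2621-POOL overload
access-list 10 permit 10.10.1.0 0.0.0.255
```

With this in place the failure in the post plays out differently: when Ethernet0/1 on r2611 goes up/down, group 2 drops from 110 to 90, r2621 (100, preempt) takes over 10.10.1.1, and inside stations are NATed by a box that can actually reach the DNS server. Because each router originates only its own /29, the 7206 always routes return traffic for a pool to the router that built the translations, regardless of which one is HSRP active. `show standby brief` shows the current priority and which tracked interfaces are down, `show ip nat translations` confirms which pool is in use, and on the 7206 `show ip route 192.0.2.64` should point down the r2611 DS1. On the 2621 both VLANs ride the same trunk, so tracking the other subinterface buys nothing there; the DS1 is its only independently failing uplink.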