SM's won't route off Subnet ?

Canopy 900 System. Running 7.1.4

My Main AP is at 172.16.3.2 /24

Cisco 4500, which is the User subnet’s default gateway at 172.16.3.1 /24

SM’s are 172.16.3.11, 3.21, 3.31 etc (all are /24 too)

All SM’s have their default gateway pointing to the Cisco at 3.1 as does the AP.

The NOC is 172.16.2.0/24 and is on the Cisco on another interface - IP is 172.16.2.1 /24.

I can ping everything from the Cisco so long as I use the Interface IP that’s on the SM’s subnet (3.1).

If I try and ping the SM’s from anywhere but the 172.16.3.0/24 subnet I get no response. But I can ping the AP from any subnet.

It hasn’t been a problem, since I can manage all the SM’s via the AP LUID Select, but I’m now setting up MRTG and need to be able to get replies from the SM’s from my Management system which is in the NOC subnet

I know it’s not the routing on Cisco box… I ‘could’ NAT on the Cisco, but shouldn’t it work without NATting into the 3.0 subnet ?

Is it some setting on the SM’s ?

Any hints much appreciated :wink:

Thanks.

Did you set the SM IP address to public instead of local on the IP configuration page?

Device Information

900MHz - Multipoint - Subscriber Modem - 0a-00-3e-90-64-2b
Lan1 Network Interface Configuration
IP Address 172.16.3.11. Network Accessibility Local XPublic
Subnet Mask 255.255.255.0
Gateway IP Address 172.16.3.1

The Radio button Beside “Public” is selected (where I placed the X above). There’s a radio button before “Local” which is not selected.

Which from RTFM I thought was the correct setting ?

Thanks
B

What type of IP address are you giving your customer behind their SM? Is it an address on the 172.16.2.0/24 subnet?

Is there a switch somewhere in this topology? CMM? If you telnet to your Cisco you should be able to ping any device on both the 172.16.2.0/24 and 172.16.3.0/24 subnet without having to specify an interface to use. It should query the routing table and the routing information should be present dynamically just from knowing the IP addresses of the dot-one interfaces of those subnets.

Give me an example of where a ping is failing - from what subnet to what subnet.

I use the NLOS SM as a transport to a LOS MicroCell… So it goes like this :

NOC<>Cisco1900Switch<>Cisco4500<>Cisco1700Switch<>NLOSAP<>900SM<>Ethernet Switch<>2.4Ghz LOS APs

So my client’s IP’s are not on the ‘Backbone’ subnet (172.16.3.0/24) at all. The Ethernet Interface of the LOS AP’s is on the 3.0 Subnet. The routing on my Cisco sends the LOS AP Client Subnets directly to the LOS AP’s Ethernet IP (since the Canopy 900SM is running no NAT and functions like a bridge)

I have full connectivity everywhere. I can ping the NLOS AP from anywhere, Same for the LOS AP’s.

I can NOT ping the NLOS SM unless I have an IP on the 3.0 Subnet.

My Cisco ARP cache DOES show that the Canopy SM MAC is known. As you said the Cisco must know about the SM’s subnets since it has an interface in the 3.0 subnet… so I know it’s not the routing there.

Interface IP-Address OK? Method Status Protocol
Ethernet0 172.16.2.2 YES NVRAM up up
Ethernet1 172.16.3.1 YES NVRAM up up

The ping below works (because by default the Cisco uses the nearest interface IP which is 3.1)

ping 172.16.3.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.11, timeout is 2 seconds:
.!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/13/16 ms
gz-arn-01#

This does not

gz-arn-01#ping
Protocol [ip]:
Target IP address: 172.16.3.11
Extended commands [n]: y
Source address or interface: 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.11, timeout is 2 seconds:
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
Success rate is 0 percent (0)

Can anyone else ping their SM’s from another Subnet ??

Can you paste a “sh ip route” from your 4500?

I’m pretty sure it’s not the 4500 that is the problem. I have full connectivity to everything else. Including the AP which is on the 3.0 network as well.

Gateway of last resort is 172.16.2.1 to network 0.0.0.0

172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
S 172.16.32.0/23 [1/0] via 172.16.3.10
S 172.16.0.0/24 [1/0] via 172.16.2.1
S 172.16.1.0/24 [1/0] via 172.16.2.1
C 172.16.2.0/24 is directly connected, Ethernet0
C 172.16.3.0/24 is directly connected, Ethernet1
S* 0.0.0.0/0 [1/0] via 172.16.2.1

and the 3.11 MAC is in the Cisco’s ARP cache

gz-arn-01#sho ip arp 172.16.3.11
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.3.11 1 0a00.3e90.642b ARPA Ethernet1

thanks

Is the following reasonably accurate?

NOC-router - 172.16.2.1
Cisco1900Switch
Cisco4500-Eth0 - 172.16.2.2
Cisco4500 - default route 172.16.2.1
Cisco4500-Eth1 - 172.16.3.1
Cisco1700Switch
900-NLOS-AP - 172.16.3.2, gateway 172.16.3.1
900SM - 172.16.3.11, gateway 172.16.3.1
Ethernet Switch
2.4Ghz LOS AP - 172.16.3.12, gateway 172.16.3.1
2.4 SM - 172.16.3.13, gateway 172.16.3.1
Customer-PC - 172.16.3.14, gateway 172.16.3.1

A management PC connected to the Cisco1900Switch would have an address of 172.16.2.x. The PC’s gateway would be based on the PC’s purpose: 172.16.2.1 to get to the Internet, 172.16.2.2 to get to the Canopy network.

Your description implies there are other subnets on the Canopy or customer side, but you don’t mention any other routers. Please correct my list above if it’s not accurate. You don’t need to describe your entire network, just the path to a single customer PC, including any SMs with NAT enabled.

Your description also implies that pieces of your network closer to the customer may have their default gateway set to the address of the 900-NLOS-AP. This would never be a useful setting.

It gets more complicated behind the LOS AP’s (and there are more routers too), but yes you’re pretty close.
The Customers PC’s default Gateway is the “private” side of their LOS CPE. The LOS CPE NAT’s the Customer’s private side IP into the LOS Network. The LOS CPE’s IP is assigned to the CPE by the LOS AP based on the Radius Server in the NOC. The CPE’s default Gateway is the wireless IP of their Respective LOS AP.
Assuming that the LOS AP has an IP on the backbone (3.0 /24) then its Default Gateway is the Cisco at 3.1. I can’t NAT on the SM’s since I need to see the CPE’s IP to enforce QOS and rate limiting on the MT in the NOC.
All the LOS stuff is routed at Layer three.
Sorry - I may have been unclear : The NLOS SM is not the default gateway for anything.
So far as the customers are concerned, everything works. Everything can ping everything (that it’s allowed to) except for the Canopy SM’s - which are only reachable if SRC IP is part of that 172.16.3.0/24 network.

This is trying it from the Customer’s Side Tracing to the NLOS AP IP at the NOC

Tracing route to cpap1.gozoom.arn.ca [172.16.3.2]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.11.5 <customer’s CPE private side
2 <1 ms <1 ms <1 ms trap1.gozoom.gl.ca [172.16.33.1] <LOS AP
3 2 ms 2 ms 2 ms tr-ap-2.gozoom.us.ca [172.16.32.1] <This LOS AP is on the Backbone - its Ethernet interface is in 172.16.3.0 – which is traceable
4 25 ms 14 ms 14 ms cpap1.gozoom.arn.ca [172.16.3.2] <The NLOS AP at the NOC

Tracing to the NLOS SM IP
C:\>tracert 172.16.3.11

Tracing route to 172.16.3.11 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.11.5
2 1 ms <1 ms <1 ms trap1.gozoom.gl.ca [172.16.33.1]
3 2 ms 2 ms 3 ms tr-ap-2.gozoom.us.ca [172.16.32.1] <This LOS AP is on the Backbone - its Ethernet interface is in 172.16.3.0 – which is traceable
4 * * * Request timed out. < This is the SM directly adjacent to the LOS AP above.

C:\>tracert 172.16.3.10

Tracing route to 172.16.3.10 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.11.5
2 1 ms <1 ms <1 ms trap1.gozoom.gl.ca [172.16.33.1]
3 2 ms 2 ms 2 ms 172.16.3.10 < The LOS AP in hop 3 above on the Ethernet Side.

All of that doesn’t "really" concern me. I don’t need the customers being able to access the SMs anyway. But it’s the same symptom as from the NOC side. Since the SM would see this customer as an IP off of its subnet it should send that to the Cisco; which would then route the packet back to the LOS AP at 3.10 (via the SM at 3.11) and back to the customer… but the packet never shows up at the Cisco (I’ve run LOTS of ip packet debug and Sniffer port mirroring… the packet never gets there)

I had forgotten that when the AP’s power failed (AC died, UPS ran out after 3 hours) a month or so ago, I COULD ping the SM from the customer side… but only until it reestablished the link to the AP.

Is anyone else monitoring their SM’s from off subnet ?

Thanks

B.

To answer your question: Yes, I manage Canopy APs and SMs using one privately-addressed network, serve DHCP addresses to customers’ PCs in a different privately-addressed network, and statically assign addresses to customers’ routers in a publicly-addressed network. All three IP networks exist on the same physical Canopy network. I’m using the terms “private” and “public” in the RFC-1918 sense.

I’m having a difficult time getting a clear picture of your network. Is the following path from NOC to customer any closer to your setup? Please correct the list for me.

NOC-router - 172.16.2.1
DHCP-Server – passing out 172.16.33.x, gateway 172.16.33.1 for LOS SMs
Cisco1900Switch
Cisco4500-Eth0 - 172.16.2.2
Cisco4500 - default route 172.16.2.1
Cisco4500-Eth1 - 172.16.3.1
Cisco1700Switch
900-NLOS-AP - 172.16.3.2, gateway 172.16.3.1
900SM - 172.16.3.11, gateway 172.16.3.1
RouterX-Eth0 – 172.16.3.x, gateway 172.16.3.1
RouterX-Eth1 – 172.16.32.1
Ethernet Switch
RouterY-Eth0 – 172.16.32.x, gateway 172.16.32.1
RouterY-Eth1 – 172.16.33.1
2.4Ghz LOS AP – 172.16.3.12, gateway 172.16.3.1
2.4 SM – (NAT outside) DHCP-client, 172.16.33.x, gateway 172.16.33.1
2.4 SM – (NAT inside) 192.168.11.5
Customer-PC – 192.168.11.x, gateway 192.168.11.5

Pretty close, but this

900SM - 172.16.3.11, gateway 172.16.3.1
RouterX-Eth0 – 172.16.3.x, gateway 172.16.3.1
RouterX-Eth1 – 172.16.32.1
Ethernet Switch
RouterY-Eth0 – 172.16.32.x, gateway 172.16.32.1
RouterY-Eth1 – 172.16.33.1
2.4Ghz LOS AP – 172.16.3.12, gateway 172.16.3.1
2.4 SM – (NAT outside) DHCP-client, 172.16.33.x, gateway 172.16.33.1

2.4 SM – (NAT inside) 192.168.11.5
Customer-PC – 192.168.11.x, gateway 192.168.11.5

Is actually this
900SM - 172.16.3.11, gateway 172.16.3.1
Ethernet Switch
2.4Ghz LOS AP eth0– 172.16.3.10, gateway 172.16.3.1
2.4Ghz LOS AP Wifi – 172.16.32.1, gateway 172.16.3.1 via Eth0
2.4 SM – (NAT outside) DHCP-client, 172.16.32.x, gateway 172.16.32.1

2.4 SM – (NAT inside) 192.168.11.5
Customer-PC – 192.168.11.x, gateway 192.168.11.5


Thanks,
B

Your TRACEROUTE shows a 172.16.33.x hop, but your description does not. Please list the complete network path again, from a single customer to the NOC’s outbound router, with each component’s description (manufacturer/model), function (bridge/router/NAT), and IP (address/mask/gateway).

I was confused by your apparent ability to NAT on an AP, an ability Canopy does not have, until I noticed you describe your LOS equipment as “WiFi”. This may not seem to you to be an important detail, but it is when asking questions on the Canopy Community Forum. You say “AP” and “SM”; I think Canopy.

If all your wireless equipment is Canopy, and you use the term “WiFi” as a synonym for 2.4GHz, please clarify this. This would also mean you’re missing more than one router in your described path.