11-04-2014 07:11 AM - edited 03-05-2019 12:06 AM
Whoever is going to respond, please don't just put "duplicate post", and if you are going to put that, at least link it to the duplicate article. I'm obviously new to this forum and have not posted much on here, so some guidance or assistance will help.
Basically I have a Cisco 1921 which we are using for our ADSL connection. We are wanting to bridge the LAN interface on Gi0/1 and forward all traffic to the ATM0/0/0. I have provided the configuration below as this has been built out from knowledge from the articles.
If we add an IP address to the sub-interface of the ATM interface, ATM0/0/0.1, then we can ping this externally no problem. However, we can't ping this IP from the bridged interface.
What do I need to do with this configuration to get the LAN on the bridged interface to forward packets to the ATM interface?
RouterA#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer1
83.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 83.105.125.104/29 is directly connected, Dialer1
L 83.105.125.105/32 is directly connected, Dialer1
194.159.169.0/32 is subnetted, 1 subnets
C 194.159.169.241 is directly connected, Dialer1
RouterA#sh run
Building configuration...
Current configuration : 1732 bytes
!
! Last configuration change at 15:14:42 UTC Tue Nov 4 2014
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
no aaa new-model
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1833C2LC
!
!
username Admin secret 5
!
redundancy
!
!
controller VDSL 0/0/0
no cdp run
!
bridge irb
!
!
!
!
interface Loopback0
no ip address
shutdown
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
bridge-group 1
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
bridge-group 1
!
interface ATM0/0/0
no ip address
ip virtual-reassembly in
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
bridge-group 1
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
no ip address
!
interface Dialer1
ip address 83.x.x.x 255.255.255.248
encapsulation ppp
dialer pool 1
ppp chap hostname
ppp chap password 0
no cdp enable
!
interface BVI1
no ip address
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
11-04-2014 08:32 AM
It looks like none of your WAN interfaces are in the bridge group, which is going to be a problem. Also, you're bridging from Ethernet to PPP, which may create problems due to the different framing. You can try adding "bridge-group 1" to the Dialer1 interface and moving its IPv4 address to the BVI1 interface and try it, but I will be surprised if it works.
Based on your configuration, bridging may not be necessary here. If you've received a /29 from your ISP, it's not likely to be assigned directly to a PPPoE interface, which is point-to-point. It's more likely to be routed via the Dialer1's point-to-point link.
When you added the IPv4 address to the ATM0/0/0.1 interface and successfully pinged it from the outside, what address did you use for Dialer1? Was it "ip address negotiated" or "ip address dhcp" by chance?
11-05-2014 03:30 AM
Hi Jody
Thanks for responding to my post. Bridging is essential in our configuration as this is the main thing we are trying to achieve.
I have tried different ways of trying to get this to work.
We tried adding the Bridge group 1 to the Dialer 1 interface and moved the IP address to the BVI interface, but this seemed to break the connection. I was unable to ping any address. When I added the Bridge 1 route IP command, I was then able to ping the address.
We have a /29 Internet address range assigned by our ISP. What we need is to be able to attach a device to an Ethernet port which has one of those IP addresses and is reachable over the internet using that address.
If the Internet range was say 1.2.3.0 /29
I want the router to be accessed and managed using 1.2.3.1
and my device to be configured to have an address 1.2.3.2
We have configured a dialer to have the address 1.2.3.1
We have added this to Bridge group 1
We have added an Ethernet port to Bridge group 1 and plugged a PC into this Ethernet port and given it an address 1.2.3.2 /29
We are not sure whether to configure the PC to have 1.2.3.1 as its default gateway or to configure the ISP provided default gateway.
If we configure a default route 0.0.0.0 0.0.0.0 dialer 1 into the router this does not show up in the routing table.
With this configuration we can ping the router address from the Internet but we cannot ping the internet or the router address (on the same subnet) from the laptop.
If we move the IP address to the BVI1 interface then we can ping the local address from the laptop but then cannot ping the router from the Internet.
11-05-2014 05:05 AM
Let's get to the point where you can ping your router from the Internet and work from there. Can you post your router's configuration (editing out IP addresses, usernames and passwords, of course) when it is in this state?
11-05-2014 05:54 AM
Hi Jody
Thanks for getting back to me. I have been playing around with the configuration to try and get a better understanding of the problem. So the configuration has changed since the last post.
RouterA#sh run
Building configuration...
Current configuration : 1781 bytes
!
! Last configuration change at 13:29:28 UTC Wed Nov 5 2014 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
no aaa new-model
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1833C2LC
!
!
username Admin secret 5
!
redundancy
!
!
controller VDSL 0/0/0
no cdp run
!
bridge irb
!
!
!
!
interface Loopback0
no ip address
shutdown
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
bridge-group 1
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
bridge-group 1
!
interface ATM0/0/0
no ip address
ip virtual-reassembly in
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
no ip address
!
interface Dialer1
ip address 83.xx.x 255.255.255.248
encapsulation ppp
dialer pool 1
ppp chap hostname
ppp chap password 0
no cdp enable
bridge-group 1
!
interface BVI1
no ip address
ip mtu 1462
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 90 0
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
RouterA#
11-05-2014 06:10 AM
You mentioned that you had it reachable when the IPv4 address was assigned to the ATM0/0/0.1 interface. What did the configuration look like then?
11-05-2014 06:24 AM
Hi Jody
For trial and error purposes I have changed the configuration since that discussion. However, for investigation purposes I have added this back to the configuration for you to review.
RouterA#sh run
Building configuration...
Current configuration : 1807 bytes
!
! Last configuration change at 14:17:49 UTC Wed Nov 5 2014
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
no aaa new-model
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1833C2LC
!
!
username Admin secret
!
redundancy
!
!
controller VDSL 0/0/0
no cdp run
!
bridge irb
!
!
!
!
interface Loopback0
no ip address
shutdown
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
mtu 1462
no ip address
duplex auto
speed auto
bridge-group 1
!
interface GigabitEthernet0/1
mtu 1462
no ip address
duplex auto
speed auto
bridge-group 1
!
interface ATM0/0/0
no ip address
ip virtual-reassembly in
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
ip address 83.x.x.x 255.255.255.248
bridge-group 1
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
no ip address
!
interface Dialer1
no ip address
encapsulation ppp
dialer pool 1
ppp chap hostname
ppp chap password 0
no cdp enable
!
interface BVI1
no ip address
ip mtu 1462
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 90 0
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
RouterA#
11-05-2014 06:29 AM
There is no way I can think of that this configuration would be reachable from the Internet. Your default route is via a connection that doesn't even have an IP address. Can you move back to the configuration that was successfully tested from the Internet?
11-05-2014 07:54 AM
Hi Jody
After some painstaking investigations and research via the internet and some input from my CCIE colleagues I managed to get this working!
I can now browse to the internet and am able to ping out to google.com etc.
I can also remotely access this from another office which is a totally separate network.
Here is the current working configuration.
RouterA#sh run
Building configuration...
Current configuration : 1784 bytes
!
! Last configuration change at 15:33:34 UTC Wed Nov 5 2014
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
no aaa new-model
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1833C2LC
!
!
username Admin secret
!
redundancy
!
!
controller VDSL 0/0/0
no cdp run
!
bridge irb
!
!
!
!
interface Loopback0
no ip address
shutdown
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
mtu 1462
no ip address
duplex auto
speed auto
bridge-group 1
!
interface GigabitEthernet0/1
mtu 1462
no ip address
duplex auto
speed auto
bridge-group 1
!
interface ATM0/0/0
no ip address
ip virtual-reassembly in
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
no ip address
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
ppp chap hostname
ppp chap password 0
no cdp enable
!
interface BVI1
ip address x.x.x.107 255.255.255.248
ip mtu 1462
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 90 0
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
RouterA#
11-05-2014 08:01 AM
Good! That's why I was asking if you had the Dialer1 interface set to "ip address negotiated" in my initial comment. When an ISP hands out a /29 over a PPPoE connection, they route that network over a negotiated point-to-point network, so you didn't need bridging at all... at least not for the ISP connection. I see that you're using it to put G0/0 and G0/1 on the same network, but that's a different application.
Because you're running a smaller MTU on the link due to the use of PPPoE, you will want to add "ip tcp adjust-mss 1422" to your Dialer1 interface to avoid fragmentation problems.
I'm glad to hear you got it sorted.
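A small checker for the design this thread settles on (Dialer1 negotiated, the routed /29 on BVI1, TCP MSS 40 bytes below the BVI IP MTU), given as an added example that is not part of the original thread. The sample configurations are constructed with documentation addresses, and the function names are hypothetical.

```python
import re
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

# Constructed sample: key stanzas of the working design, placeholder addresses.
WORKING = """bridge irb
interface GigabitEthernet0/1
 mtu 1462
 bridge-group 1
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
!
interface BVI1
 ip address 192.0.2.3 255.255.255.248
 ip mtu 1462
!
bridge 1 route ip
"""
# Constructed sample: the earlier attempt (static address and bridge-group on Dialer1).
BROKEN = (WORKING
          .replace(" ip address negotiated", " ip address 192.0.2.1 255.255.255.248\n bridge-group 1")
          .replace(" ip address 192.0.2.3 255.255.255.248", " no ip address"))

def parse_interfaces(config):
    """Map interface name -> sub-commands; a stanza ends at a '!' line."""
    stanzas, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return stanzas

def check_design(config):
    """Return findings against the negotiated-Dialer / addressed-BVI design."""
    stanzas = parse_interfaces(config)
    lines = {l.strip() for l in config.splitlines()}
    findings = [] if "bridge irb" in lines else ["'bridge irb' missing"]
    mtus = [int(c.split()[-1]) for n, cmds in stanzas.items()
            if n.startswith("BVI") for c in cmds if c.startswith("ip mtu ")]
    for name, cmds in stanzas.items():
        if name.startswith("BVI"):
            if f"bridge {name[3:]} route ip" not in lines:
                findings.append(f"{name}: 'bridge {name[3:]} route ip' missing")
            if not any(re.match(r"ip address \S+ \S+$", c) for c in cmds):
                findings.append(f"{name}: no address from the routed block")
        if name.startswith("Dialer"):
            if any(c.startswith("bridge-group") for c in cmds):
                findings.append(f"{name}: PPP dialer placed in a bridge-group")
            if "ip address negotiated" not in cmds:
                findings.append(f"{name}: expected 'ip address negotiated'")
            mss = [int(c.split()[-1]) for c in cmds if c.startswith("ip tcp adjust-mss ")]
            want = min(mtus) - IP_TCP_HEADERS if mtus else None
            if want and (not mss or mss[0] > want):
                findings.append(f"{name}: add 'ip tcp adjust-mss {want}'")
    return findings
```

The parser ends a stanza at `!`, so it also works on configurations pasted without indentation, as the ones in this thread are.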
12-11-2014 11:12 AM
Hi All,
I'm trying to do this with VDSL using the VDSL HWIC but having no luck. Can anyone out there help?
router#show running
Building configuration...
Current configuration : 4452 bytes
!
! Last configuration change at 18:14:49 UTC Thu Dec 11 2014 by
! NVRAM config last updated at 17:51:13 UTC Thu Dec 11 2014 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 $1$x8zv$8L3F4KzWHvjgXVBnRd60e.
enable password EXSSPjuPFRklGRj6nV32
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip name-server 8.8.8.8
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1958678
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1958678
revocation-check none
rsakeypair TP-self-signed-1958678
!
!
crypto pki certificate chain TP-self-signed-1958678
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FCZ1601C34B
!
!
username ************* privilege 15 secret 5 $1$7N5w$hzhrD3WJO8dFowKaj3.440
!
!
controller VDSL 0/0/0
!
bridge irb
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.44.4.192 255.255.255.0
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
mtu 1492
no ip address
duplex auto
speed auto
bridge-group 1
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0/0/0
description Connection to BT Infinity (VDSL 0)
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no mop enabled
!
interface Ethernet0/0/0.1
shutdown
!
interface Ethernet0/0/0.101
description 802.1Q Tagging for PPPoE (VDSL 0)
encapsulation dot1Q 101
ip address x.x.x.222 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly in
pppoe enable group global
pppoe-client dial-pool-number 1
bridge-group 1
!
interface Virtual-Template2
no ip address
bridge-group 1
!
interface Dialer1
description Dialler for my FTTC
mtu 1492
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer-group 1
keepalive 30
ppp chap hostname username
ppp chap password 0 password
ppp pap sent-username username password 0 password
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
interface BVI1
no ip address
ip mtu 1492
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password FfRzZ5TFuBzIW1aWOLsk
login local
transport input all
!
scheduler allocate 20000 1000
end
Thanks
Jeff
12-16-2014 07:16 AM
Hi Jeff
I've been reviewing your configuration as this Bridging topic has become quite hot of late as we have been heavily deploying this method across our client sites. I think what you need to do is assign an IP address to the BVI interface from the /29 range which you have configured on your sub-interface. This is what I did to get the Bridging protocol to work. Give this a go and let me know if this helped you.
interface BVI1
ip address x.x.x.223 255.255.255.248
ip mtu 1492
12-18-2014 07:56 AM
Hi
Thanks for the suggestion but you cannot do that:-
I get " *.*.*.216 overlaps with Dialer1 " for any of the addresses in the /29 network.
Can't think why a bridge needs an IP address if it's transparent.
Still looking for an answer !
Jeff
10-24-2016 02:49 PM
Found the answer !
Make sure dialer1 is down before assigning IP address to BVI !!
That simple !
Jeff
11-15-2014 12:13 PM
Hi
All you are doing is bridging the two ports using a BVI. You are not bridging the ATM. It is undocumented and generates a warning message, but you can define a GRE tunnel and include it in the bridge, but MSS has to be adjusted. The other option is DLSW+.
Regards Conwyn