
Bug L2 VPN protocol L2TPv3, MPLS, VXLAN, on IR1101

guillaume-g
Level 1

I am trying to carry a link running RSTP spanning tree between 2 Cisco switches through an L2VPN and a GRE tunnel. Ping between the switches works fine, but spanning tree does not.

The same test on Cisco Catalyst 8200s works: one switch is root and the other correctly puts its port on the L2 VPN link in Root state. On the IR1101s, we see that the port does not receive the BPDUs. Same on the other side of the link. The only spanning tree protocol that works is MSTP on instance 0. The IR1101 behaves as if it removed the encapsulation of the frame on ingress (port G0/0/0) at the xconnect and does not push it into the virtual circuit, whether L2TPv3, MPLS or NVE. The IR is running IOS 17.16.1a. The problem does not occur with an 8200 running IOS XE 17.9.5e.

Bug to be fixed, or a technical limitation of port G0/0/0?

Guillaume


Giuseppe Larosa
Hall of Fame

Hello @guillaume-g ,

Post the configuration of the IR1100 and that of the Cisco 8200.

>> The only spanning tree protocol that works is MSTP on instance 0

OK, it may be stripping the 802.1Q header when sending the STP frames over the tunnel. If this happens, the Cisco Catalyst will declare all Rapid PVST STP BPDUs invalid for consistency check.

Try to make a packet capture of the packets sent over the tunnel on the backbone-facing IP interface.

I remember a thread in Service Providers; in that case there was an interoperability issue between an IR1100 and a Juniper SRX device when using L2VPN services over MPLS.

Hope to help

Giuseppe
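
Added example, not part of the original reply or of any Cisco tooling: to act on the packet-capture suggestion above, this Python code classifies Ethernet frames as IEEE BPDUs (untagged, as MSTP sends them) or Rapid PVST+ BPDUs (802.1Q-tagged per VLAN on a trunk) and lists which BPDU/VLAN combinations seen on the attachment port never show up inside the tunnel. The function names and sample frames are constructed for illustration, and the inner frames are assumed to have been extracted from the L2TPv3/MPLS payload by the capture tool.

```python
import struct

IEEE_STP_MAC = bytes.fromhex("0180c2000000")   # IEEE BPDUs (STP/RSTP/MSTP), untagged
PVST_MAC = bytes.fromhex("01000ccccccd")       # Cisco (Rapid) PVST+ per-VLAN BPDUs
LLC_STP = bytes.fromhex("424203")              # DSAP 0x42, SSAP 0x42, UI control
SNAP_PVST = bytes.fromhex("aaaa0300000c010b")  # SNAP, OUI 00:00:0c, PID 0x010b

def classify(frame: bytes):
    """Return (kind, vlan) for one Ethernet frame; vlan is None when untagged."""
    if len(frame) < 18:
        return ("other", None)
    dst, off, vlan = frame[:6], 12, None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == 0x8100:                        # 802.1Q tag: TPID then TCI
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
    off += 2                                   # skip the 802.3 length field
    if dst == IEEE_STP_MAC and frame[off:off + 3] == LLC_STP:
        return ("ieee-bpdu", vlan)
    if dst == PVST_MAC and frame[off:off + 8] == SNAP_PVST:
        return ("pvst-bpdu", vlan)
    return ("other", vlan)

def bpdus(frames):
    """Set of distinct (kind, vlan) BPDU classes present in a capture."""
    return {c for c in map(classify, frames) if c[0] != "other"}

def missing_in_tunnel(ingress, tunnel):
    """BPDU classes seen on the attachment port but absent inside the tunnel."""
    return sorted(bpdus(ingress) - bpdus(tunnel), key=str)

def _frame(dst, payload, vlan=None):
    # Helper that builds constructed sample frames (not real captures).
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    src = bytes.fromhex("020000000001")        # constructed source MAC
    return dst + src + tag + struct.pack("!H", len(payload)) + payload

RSTP = bytes.fromhex("00000202") + bytes(32)   # constructed 36-byte RSTP BPDU body
INGRESS = [_frame(IEEE_STP_MAC, LLC_STP + RSTP),
           _frame(PVST_MAC, SNAP_PVST + RSTP, vlan=100),
           _frame(PVST_MAC, SNAP_PVST + RSTP, vlan=200)]
# Constructed "bad" tunnel capture: VLAN 100 lost its tag, VLAN 200 never arrived.
TUNNEL = [INGRESS[0], _frame(PVST_MAC, SNAP_PVST + RSTP)]

if __name__ == "__main__":
    print("missing in tunnel:", missing_in_tunnel(INGRESS, TUNNEL))
```

An empty result means every BPDU class that entered the attachment port also appears, with the same tag, in the tunnel payload.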

 

guillaume-g
Level 1

Hi Giuseppe Larosa,

Here is the configuration. Very simple.

! Spanning tree disabled on the router itself
no spanning-tree vlan 1-1014
!
pseudowire-class L2TP
 encapsulation l2tpv3
 status control-plane route-watch
 ip local interface Loopback0
!
! Tunnel source
interface Loopback0
 ip address 20.20.20.20 255.255.255.255
!
! Attachment circuit toward the switch trunk, VC ID 501
interface GigabitEthernet0/0/0
 no ip address
 load-interval 30
 xconnect 10.10.10.10 501 encapsulation l2tpv3 pw-class L2TP
!
! IP link toward the peer router
interface Vlan100
 ip address 192.168.0.1 255.255.255.0
!
interface f0/0/1
 switchport mode access
 switchport access vlan 100
!
ip route 10.10.10.10 255.255.255.255 192.168.0.2

The 2 routers are in mirror configuration (10.10.10.10 for the first and 20.20.20.20 for the second). On each port G0/0/0 (IR1101 or 8200) there is a cable to a trunk port on the IE3000 switch. The 2 IR1101s are connected to each other by a simple cable on interface F0/0/1, but I tried with an SPMI card and port G0/0/5 in no switchport mode and it made no difference.

On the 8200, the 2 routers are connected by port G0/0/1.

It works very well on the 8200 with RSTP spanning tree activated on both IE3000s. One switch is root and the port of the other switch at the other side of the 802.1Q is in root state. With the IR1101 they both stay in forwarding mode, as if they don't see each other by spanning tree. But if I put 2 computers on 2 ports on each switch in a VLAN that is allowed on the trunk, they ping each other very well. Only the BPDU frames are dropped, or the 802.1Q is dropped on entering G0/0/0 on the IR1101.

Is there a missing command on G0/0/0 or the pseudowire to tell it to keep the BPDU encapsulation?

Hello @guillaume-g ,

You have:

>> no spanning-tree vlan 1-1014

What is the range of VLANs you would like to carry, and why do you have this command?

The device you would like to use is designed to be used for IoT applications; see the datasheet here:

https://www.cisco.com/c/en/us/products/collateral/routers/1101-industrial-integrated-services-router/datasheet-c78-741709.html

Now, these kinds of routers, like entry-level routers for branch offices, have WAN Ethernet ports and FE ports. You should see your FE ports as downstream, and the WAN Ethernet ports are the uplinks toward the public IP internet or private IP network.

You are attempting to configure L2TPv3 under one WAN interface and you would like to use SVI VLAN 100 with one physical FE in L2 VLAN 100 as your "uplink".

I would suggest you try to do the opposite: try to see if you can put an xconnect command under an FE interface and use the gi0/0/0 as the IP uplink.

You may need to use BDI and an Ethernet service instance instead of an SVI.

First of all the release notes are here:

https://www.cisco.com/c/en/us/td/docs/routers/access/1100/release/17-16/isr1k-rel-notes-xe-17-16-x.html#Cisco_Concept.dita_8d06af92-fa79-49b0-88e3-c3b8980fd38b

Try to use EoMPLS in port mode, but I am not sure it can be supported on the FE ports of your device.

See

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-13/configuration_guide/mpls/b_1713_mpls_9300_cg/configuring___ethernet_over_mpls__eompls__and_pseudowire_redundancy__pwr_.html

In the past, with EoMPLS in port mode, I was able to carry almost everything, including MACsec frames that are blocked by other types of MPLS L2 VPN services.

Hope to help

Giuseppe

 

 

guillaume-g
Level 1

Hi Giuseppe.

I want the IR1101 to be "transparent", so I use a no vlan spanning tree just to be sure it will not participate in the spanning tree.

I tried many, many, many configurations. I entered on the FE port and used the WAN port for internet access, but the FE port supports only VLAN mode with a VLAN interface or even instance VLAN. In VLAN mode ping also works, but not the spanning tree. I tried EoMPLS, I tried VXLAN, I tried EVPN/VXLAN over BGP. Every one permits ping and communication but does not transport the spanning tree encapsulation.

I really think that the IR1101 is restricted. I tried between 2 routers with MACsec and L2TPv3 or MPLS and it works. No need of BPDU.

For my project, our provider is stopping the copper. Fiber is too expensive to install, so I want to use 4G on a private APN between 2 switches.

I will tell the project chief that we need to use a Catalyst 8200 with a 4G module in the PIM port instead of the IR1101 for that configuration.

Or if you have another idea, I am listening with great attention!

Sincerely, thanks for your help.