Full bridge mode WAN with GigabitEthernet interface?

jbrown129
Level 1

Can the WAN interface be bridged with a LAN port? I've already got a router on my network and I want to use the C1117 just for its VDSL interface. With the old Cisco 877 I used a bridge group on the ATM0 interface and a BVI, but it seems that's not supported on IOS-XE.

I would like to be able to bridge my VDSL WAN with GigabitEthernet0/1/0, so that any device I plug in to GigabitEthernet0/1/0 gets the single global WAN IP from my ISP.

I thought maybe it was possible to do something with Ethernet0/2/0, which is created as some kind of virtual interface for ATM0/2/0 (apparently you can't bridge ATM interfaces). My config so far:

I'd appreciate a reply, I posted another thread but got nothing.

!
! Last configuration change at 18:18:54 UTC Tue Sep 13 2022 by admin
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname cisco.rt2
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.03a.SPA.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
!
aaa session-id common
ip options drop
!
!
!
!
!
!
!
ip name-server {{ censored }}
ip domain name home.arpa
ip dhcp excluded-address 192.168.1.0 192.168.1.4
!
ip dhcp pool dhcp-1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
ip dhcp pool opnsense
host 192.168.1.2 255.255.255.0
hardware-address {{ censored }}
dns-server {{ censored }}
default-router 192.168.1.1
!
!
!
login on-success log
ipv6 icmp error-interval 50 20
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
license udi pid C1117-4P sn {{ censored }}
memory free low-watermark processor 70173
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 9 {{ censored }}
!
redundancy
mode none
!
controller VDSL 0/2/0
operating mode vdsl2
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Management port
ip address 192.168.2.1 255.255.255.0
negotiation auto
no cdp enable
!
interface GigabitEthernet0/1/0
no cdp enable
!
interface GigabitEthernet0/1/1
no cdp enable
!
interface GigabitEthernet0/1/2
no cdp enable
!
interface GigabitEthernet0/1/3
no cdp enable
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
!
interface ATM0/2/0.1 point-to-point
!
interface Ethernet0/2/0
description Internet Interface
ip dhcp client request classless-static-route
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
ip access-group WAN4_IN in
no negotiation auto
ipv6 address dhcp
ipv6 address pd-ipv6 ::1/64
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd pd-ipv6
ipv6 traffic-filter WAN6_IN in
!
interface Vlan1
description Local Area Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ipv6 address pd-ipv6 ::1:0:0:0:1/64
ipv6 enable
ip virtual-reassembly
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip nat inside source list NATACL interface Ethernet0/2/0 overload
ip route 192.168.2.0 255.255.255.0 192.168.2.2
ip route 192.168.30.0 255.255.255.0 192.168.2.2 2
ip route 192.168.31.0 255.255.255.0 192.168.2.2 2
ip ssh version 2
ip scp server enable
!
!
ip access-list standard NATACL
10 permit 192.168.1.0 0.0.0.255
ip access-list standard SNMPACL
10 permit 192.168.50.253
20 permit 192.168.50.252
30 deny any
ip access-list standard WAN4_IN
!
ip access-list extended SSH_ACL
10 permit tcp 192.168.30.0 0.0.0.255 any eq 22
20 permit tcp 192.168.31.0 0.0.0.255 any eq 22
30 permit tcp 192.168.2.0 0.0.0.255 any eq 22
40 deny tcp any any eq 22
!
!
snmp-server community public RO SNMPACL
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
access-class SSH_ACL in
privilege level 15
transport input ssh
line vty 5 14
access-class SSH_ACL in
privilege level 15
transport input ssh
!
!
!
!
!
!
end 

Right, so I took another look at this. When I go into

conf t

I do see both

bridge and bridge-domain

commands.

Do I need to set these up before I go into the interface config for

Ethernet0/2/0 and GigabitEthernet0/1/0 ? 

These are the two ports ideally I'd like to bridge.

I set the C1117-4P up with NAT (edited above config with my current) to test that the VDSL works properly (and it does).

I noticed that when doing port scanning with nmap, ports come up as "filtered" or "closed" but not just ignored. Can I do this with ACLs, i.e. "DROP" as opposed to "REJECT" to use Netfilter language? I read on this page:

    You don't have to add the
    deny ip any any
    to an access-list, it's always there at the bottom but invisible. An advantage of adding it is that you will see the number of packets that are dropped this way.

I also saw on that page:
  • IPv4 access-lists can be standard or extended, numbered or named. IPv6 only has named extended access-lists.
  • IPv4 access-lists have an invisible implicit deny any at the bottom of every access-list. IPv6 access-lists have three invisible statements at the bottom:
    • permit icmp any any nd-na
    • permit icmp any any nd-ns
    • deny ipv6 any any

Didn't see anything on the Cisco pages about the "invisible statements" though.

This may be yet another reason why I'll need to use this in bridge mode...
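An added example, not part of the thread, showing the implicit entries discussed above written out explicitly so that "show ip access-lists" / "show ipv6 access-list" report hit counters, and the interface setting that makes a deny silent instead of answered with an ICMP unreachable. It assumes the interface and ACL names from the posted config (Ethernet0/2/0, WAN4_IN, WAN6_IN); the permit lines are illustrative only, since a NAT router that needs return UDP traffic (DNS, NTP) needs stateful inspection such as the zone-based firewall rather than a static inbound ACL.

```cisco
! The posted WAN4_IN is a standard ACL with no entries; an empty ACL applied
! with "ip access-group" permits everything. Remove it and recreate it as an
! extended ACL with an explicit final deny so the drops are counted.
no ip access-list standard WAN4_IN
ip access-list extended WAN4_IN
 10 permit udp any eq bootps any eq bootpc
 20 permit icmp any any echo-reply
 30 permit icmp any any unreachable
 40 permit icmp any any time-exceeded
 50 permit tcp any any established
 60 deny ip any any
!
! IPv6: the three invisible entries made explicit, plus what the
! "ipv6 address dhcp" / "ipv6 dhcp client pd" configuration needs to work.
ipv6 access-list WAN6_IN
 sequence 10 permit icmp any any nd-na
 sequence 20 permit icmp any any nd-ns
 sequence 30 permit icmp any any router-advertisement
 sequence 40 permit udp any eq 547 any eq 546
 sequence 50 permit icmp any any echo-reply
 sequence 60 permit icmp any any packet-too-big
 sequence 70 permit tcp any any established
 sequence 80 deny ipv6 any any
!
! A packet that hits a deny is dropped, but by default the router still
! sends back an ICMP "administratively prohibited" unreachable, which is
! what a scanner reports as "filtered". Suppress it on the WAN interface.
interface Ethernet0/2/0
 no ip unreachables
 no ipv6 unreachables
!
! Verify the counters on the explicit deny lines:
! show ip access-lists WAN4_IN
! show ipv6 access-list WAN6_IN
```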

jbrown129
Level 1

I've had a bit of difficulty setting this up (it could be my understanding).

Does anyone have an example of creating a BDI with two Ethernet interfaces added to it?

jbrown129
Level 1

Hmm, I still haven't managed to work this one out. I created a BDI interface:

cisco.bsmt-rt2#sh run int BDI1 
Building configuration...

Current configuration : 98 bytes
!
interface BDI1
ip address 192.168.3.1 255.255.255.0
encapsulation dot1Q 1 second-dot1q 2
end

 I want to bridge my switched ports

cisco.bsmt-rt2#sh running int GigabitEthernet0/1/0
Building configuration...

Current configuration : 53 bytes
!
interface GigabitEthernet0/1/0
no cdp enable
end

With my WAN interface:

cisco.bsmt-rt2#sh running int Ethernet0/2/0 
Building configuration...

Current configuration : 381 bytes
!
interface Ethernet0/2/0
description Internet Interface
ip dhcp client request classless-static-route
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
ip access-group WAN4_IN in
no negotiation auto
ipv6 address dhcp
ipv6 address pd-ipv6 ::1/64
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd pd-ipv6
ipv6 traffic-filter WAN6_IN in
end

But I haven't figured out how to add them to the BDI.

Ideally then I could get rid of most of the configuration for Ethernet0/2/0 and this could be done on the first router. The first router does a few things the Cisco router cannot do, for example OpenVPN. While I have a configuration at the moment that uses NAT, the issue is I want to use IPv6 prefix delegation with my ISP on my separate VLANs on the second router, ie for admin, server, guest VLANs.


jbrown129
Level 1

I found this other thread which indicates that it is possible to bridge Gi0/0/0 (the routed interface) with the Ethernet0/2/0 link. However, when attempting to get a DHCP lease on my OPNsense box I couldn't see any traffic returning with a packet sniffer. Config is as follows:

interface GigabitEthernet0/0/0
no ip address
negotiation auto
no cdp enable
service instance 100 ethernet
encapsulation dot1q 10
rewrite ingress tag pop 1 symmetric
bridge-domain 100
!
!
interface GigabitEthernet0/1/0
no cdp enable
!
interface GigabitEthernet0/1/1
no cdp enable
!
interface GigabitEthernet0/1/2
no cdp enable
!
interface GigabitEthernet0/1/3
no cdp enable
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
!
interface ATM0/2/0.1 point-to-point
!
interface Ethernet0/2/0
no ip address
no negotiation auto
no cdp enable
service instance 100 ethernet
encapsulation untagged
bridge-domain 100
!
!
interface Vlan1
description Local Area Network
ip address 192.168.1.1 255.255.255.0
ip virtual-reassembly
!
interface BDI100
no ip address
!
  • I'm trying to run DHCP on my OPNsense box to get a prefix and IP on my WAN, which is connected into GigabitEthernet0/0/0
  • GigabitEthernet0/1/0 I'm planning on using for management

I'm really lost here.
You use a service instance?? Are you the admin of an SP router?
Can you please elaborate more on what you want here??

Sure. I'm trying to bridge the VDSL WAN (Ethernet 0/2/0) port on the Cisco C1117-4P to one of the Ethernet interfaces (Gi0/0/0).

The plan is to then request a DHCP lease on the OPNsense router and get the global IP address, and do the NATing there. This would allow me to do my prefix delegation on the OPNsense box, which I can't if it's not directly connected to the ISP. It also means I don't need to have double NAT.

There are a few reasons for wanting to do this:

  1. DHCP on each VLAN is already configured on the OPNsense router.
  2. I can actually have a firewall which drops packets as opposed to rejecting them. For example, when doing a ShieldsUP test with OPNsense directly connected to the internet all ports are dropped, as opposed to "closed" with the ACL method, which is what I see when the Cisco connects directly to the internet.
  3. One of my VLANs currently routes into an OpenVPN tunnel, using match, something the Cisco ISR cannot do.

Someone mentioned, so why did I buy an expensive Cisco ISR if I was just going to bridge it, well there are a couple of reasons:

  1. It was cheap. Yes, new these devices are expensive, but I think in Australia there are a lot of businesses which have flogged them off on eBay because of FTTP/FTTC being in their area (those connections in Australia come with an NTD, Network Termination Device, provided by NBNCo, the national backhaul provider). It seems you can get a good deal from refurbished IT companies.
  2. The VDSL chipset uses a quality Broadcom controller which matches my Nokia DSLAM and produces a stable sync rate on my long line (700 meters).
  3. I can have a separate management port for SNMP, SSH etc. When I did bridging on my old TP-Link modem I was finding the MAC address of whatever was on the other end of the DSL link would periodically replace that of my modem, meaning that it was not accessible via LAN.
  4. The C1117-4P supports SNMP, which means I can easily get the sync rate and periodically graph it, as I did with my Cisco 877 with ADSL2+.

[Attached graphs: line_att.png, line_speed.png, snr.png]

Stats like this over a period of time are very helpful when raising issues with the retail service provider and getting them to escalate issues to the backhaul provider who manages the line.

I have looked at other modems such as AVM's FritzBox and TP-Link's other devices. The main issue with them is you cannot create a static route to a specific port or interface for management. The only one I have seen that you can is from Draytek in bridge mode, and it does support SNMP; however, they cheap out on the chipset, preferring MediaTek's EcoNet and Lantiq. Reports I've read about these are that they are less reliable.

bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface GigabitEthernet0/0/1
description WAN
bridge-group 1
!
interface GigabitEthernet0/0/2
description LAN
bridge-group 1
!
interface BVI 1
ip address x.x.x.x 255.255.255.0

That method works with the 8xx series, i.e. running Cisco IOS, but not with the 1111 series that runs IOS-XE, as there is no BVI for that; it must be done with a BDI, which is what I was attempting to do above.

You're totally correct, if you use XE you need a BDI.
But why this line:

rewrite ingress tag pop 1 symmetric


I think I copied that from the example in this thread, which appears to be what I am attempting to do.

I assumed that line removed the VLAN 100 tag before putting traffic into the WAN link; my understanding from this post is that it is a way to "strip the VLAN" off the link after the frame has gone across the bridge:

rewrite ingress tag pop 1 symmetric

    Since the incoming tag no longer has any inherent meaning beyond this specific interface we need a way to discard that tag before forwarding the frame on. The rewrite ingress command does just that. In this case we will remove exactly 1 tag. This command is optional and there are a number of options that can be done beyond simply removing the tag, including VLAN translation and imposing additional tags. We will discuss some of these options and the "symmetric" keyword a little later.

Maybe I don't actually need that.

Yes, it is needed when the SP receives one VLAN ID and uses a different VLAN ID; here in your case I don't think you need it.

Hmm, okay, well I removed it. Still can't seem to get a lease on igb3 (OPNsense) connected to Gi0/0/0. Not sure what else to try; it does seem @jellybeanshiba and @scidoner got it working in that other thread. I wonder what I missed.

Don't worry, I hope together we solve the issue.

First, the service instance is local per interface, not per device, i.e. you can use the service instance in any other interface.
encapsulation dot1q 10 is used to match inbound and tag outbound; here, are you receiving frames tagged with VLAN-ID = 10??
If not, then this is also not needed; we can change it to encapsulation untagged.

service instance 100 ethernet
encapsulation dot1q 10 <<- change this
rewrite ingress tag pop 1 symmetric <<- remove this

service instance 100 ethernet
encapsulation untagged
bridge-domain 100

That's it, now try again, hope this time it succeeds.
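An added example, not the thread's own final config: the two-port transparent bridge as the accepted solution describes it, assembled from the snippets posted above. It assumes the ISP delivers untagged frames on the VDSL link (Ethernet0/2/0) and that OPNsense's WAN port (igb3) is cabled to GigabitEthernet0/0/0; once bridged this way, the frames are switched at layer 2 and the WAN4_IN / WAN6_IN ACLs and NAT on Ethernet0/2/0 no longer see them, so all filtering has to happen on OPNsense.

```cisco
! Both physical ports get an untagged EFP in the same bridge domain. No
! "rewrite" is needed because no tag is matched or removed on either side.
interface Ethernet0/2/0
 no ip address
 no negotiation auto
 no cdp enable
 service instance 100 ethernet
  encapsulation untagged
  bridge-domain 100
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 no cdp enable
 service instance 100 ethernet
  encapsulation untagged
  bridge-domain 100
!
! No BDI is required for pure transparent bridging. A BDI100 with an
! address would give the C1117 itself an IP on the ISP segment, which is
! not wanted when OPNsense is to hold the public address.
no interface BDI100
!
! The NAT statement from the earlier config referenced Ethernet0/2/0 as the
! outside interface; it is stale once that interface has no IP address.
no ip nat inside source list NATACL interface Ethernet0/2/0 overload
!
! Management stays on the routed side, separate from the bridged segment.
interface Vlan1
 description Local Area Network
 ip address 192.168.1.1 255.255.255.0
!
! Verification:
! show ethernet service instance   -> both service instances should be Up
! show bridge-domain 100           -> both EFPs listed, with the ISP and
!                                     OPNsense MAC addresses learned
```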
