09-18-2013 10:27 PM - edited 03-04-2019 09:05 PM
Hi support,
I'm facing a strange problem with a Cisco ADSL router 867VAE configured in IP Bridging (RFC1483) with IRB.
For the past two weeks, it has no longer been possible to access the internet and to establish the VPN with the central site at one of our remote sites.
The same configuration with the same operator is deployed at all of our remote sites without any trouble.
We changed the router to a new one with exactly the same configuration, but we still have the trouble.
Therefore, I performed some troubleshooting, but I really have no idea what is wrong.
The ATM0 interface and BVI1 are UP:
RTR_VLSK#show ip int brief
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM up up
BVI1 x.x.x.x YES NVRAM up up
No errors on ATM interface:
TR_VLSK#show int atm 0
ATM0 is up, line protocol is up
Hardware is BCM6300 ATMSAR, address is 2894.0f78.6997 (bia 2894.0f78.6997)
MTU 2038 bytes, sub MTU 2038, BW 126 Kbit/sec, DLY 2920 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Keepalive not supported
Encapsulation(s): AAL5
2 maximum active VCs, 1024 VCs per VP, 1 current VCCs
VC Auto Creation Disabled.
VC idle disconnect time: 300 seconds
Last input 00:00:05, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Per VC Queueing
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5 packets input, 328 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
25 packets output, 1664 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
I can ping the virtual circuit:
RTR_VLSK#ping atm int atm0 0 35 end 20
Type escape sequence to abort.
Sending 20, 53-byte end-to-end OAM echoes, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 80/88/92 ms
Spanning-tree state is forwarding
RTR_VLSK#show spanning-tree
Bridge group 1 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 0000.0c07.8d04
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 1 last change occurred 00:01:51 ago
from ATM0
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300
Port 3 (ATM0) of Bridge group 1 is forwarding
Port path cost 217, Port priority 128, Port Identifier 128.3.
Designated root has priority 32768, address 0000.0c07.8d04
Designated bridge has priority 32768, address 0000.0c07.8d04
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 61, received 0
There is one entry in the bridge table
RTR_VLSK#show bridge
Total of 300 station blocks, 299 free
Codes: P - permanent, S - self
Bridge Group 1:
Address Action Interface Age RX count TX count
0024.c431.abd5 forward ATM0 0 23 33
Debug atm errors and debug atm events display this log only:
*Sep 18 12:54:10: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0
*Sep 18 12:54:10: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0 p 0 len 46
*Sep 18 12:54:11: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0
*Sep 18 12:54:11: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0
*Sep 18 12:54:12: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0
*Sep 18 12:54:12: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0
*Sep 18 12:54:14: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0
*Sep 18 12:54:14: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0
*Sep 18 12:54:16: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0
*Sep 18 12:54:16: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0
*Sep 18 12:54:16: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0
*Sep 18 12:54:16: bcm6300_atmsar_dequeue_pak fail bcm6300_atmsar_safe_start 1373 pak 0 p 0 len 46
Other useful info:
1. RTR_VLSK#show atm interface atm 0
Interface ATM0:
AAL enabled: AAL5,, Maximum VCs: 2, Current VCCs: 1
VCIs per VPI: 1024,
Max. Datagram Size: 2096
PLIM Type: ADSL - 126Kbps Upstream, DMT, TX clocking: LINE
9 input, 45 output, 0 IN fast, 0 OUT fast
Avail bw = 126
Config. is ACTIVE
2. RTR_VLSK#show atm vc
Codes: DN - DOWN, IN - INACTIVE
VCD / Peak Av/Min Burst
Interface Name VPI VCI Type Encaps SC Kbps Kbps Cells St
0 1 0 35 PVC SNAP UBR 126 UP
3. ISP Gateway is reachable
4. Technicians from the ISP came with a TP-Link router to check the ADSL line and it is working
5. We checked the ADSL param and IP config with the ISP: it is correct, nothing changed
Find hereafter the router config
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname RTR5
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
wan mode dsl
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
!
!
controller VDSL 0
!
ip ssh version 2
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key <removed> address IP@central-site
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set myset ah-sha-hmac esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map VPNIPSEC 10 ipsec-isakmp
set peer IP@central-site
set transform-set myset
match address 103
!
bridge irb
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
bridge-group 1
pvc 0/35
encapsulation aal5snap
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 103
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 103
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 103
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 103
no ip address
spanning-tree portfast
!
interface GigabitEthernet0
no ip address
shutdown
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip tcp adjust-mss 1452
!
interface Vlan103
ip address 10.1.103.1 255.255.255.0
ip tcp adjust-mss 1452
!
interface BVI1
ip address IP@remote-siteA
ip access-group 101 in
crypto map VPNIPSEC
!
!
!
ip route 0.0.0.0 0.0.0.0 ISP-GW
!
!
no cdp run
!
access-list 101 permit icmp any host 101.78.10.99
access-list 101 permit tcp any host 101.78.10.99 eq 22
access-list 101 permit ip host 202.62.104.4 host 101.78.10.99
access-list 101 permit ip host 202.137.139.134 host 101.78.10.99
access-list 103 permit ip 10.1.103.0 0.0.0.255 10.1.100.0 0.0.0.255
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input ssh
transport output ssh
!
!
end
Any help would be great
Thanks in advance
09-19-2013 10:44 AM
There is no need for IRB. Configure the IP address directly under a subinterface with "atm route-bridged".
09-20-2013 12:59 AM
Dear Paolo,
Thanks for your quick reply.
It is not possible to set up an IP address over ATM via the command line you mentioned. This command line is not available on the Cisco 867VAE router under the ATM interface.
However, we have already solved the problem: our ISP was filtering 1 MAC address on the interface of their ATM switch, whereas we need 2 MAC addresses (one for the ATM interface and the other for the bridge interface). So they changed the MAC filtering to 2 MAC addresses for our interface and it is working now.
But I would really like to understand why you say that I don't need IRB for this configuration. Do you mean that IPoATM is the more suitable configuration?
Could you please clarify?
Thanks in advance
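The check below is an added example, not part of any post in this thread: it pulls the router's own MAC addresses out of the `show` output quoted in the first post and compares their count with an upstream per-port MAC filter limit, which is the mismatch the ISP corrected. The function names are hypothetical, and treating the bridge-group address as the BVI's source MAC is an assumption.

```python
import re

# Excerpts copied from the `show` output quoted in the first post.
SHOW_INT_ATM0 = """ATM0 is up, line protocol is up
Hardware is BCM6300 ATMSAR, address is 2894.0f78.6997 (bia 2894.0f78.6997)"""
SHOW_SPANNING_TREE = """Bridge group 1 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 0000.0c07.8d04"""
SHOW_BRIDGE = """Address Action Interface Age RX count TX count
0024.c431.abd5 forward ATM0 0 23 33"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"


def local_macs(show_int, show_stp):
    """Return the MAC addresses this router owns on the bridged PVC, by role."""
    macs = {}
    m = re.search(rf"^(\S+) is .*?address is ({MAC})", show_int, re.S | re.M)
    if m:
        macs[m.group(1)] = m.group(2).lower()
    m = re.search(rf"Bridge Identifier has priority \d+, address ({MAC})", show_stp)
    if m:
        # Assumption: the bridge-group address is the one the BVI sources from.
        macs["bridge-group/BVI"] = m.group(1).lower()
    return macs


def learned_macs(show_bridge):
    """Return remote stations learned in the bridge table as {mac: interface}."""
    rows = re.finditer(rf"^({MAC})\s+forward\s+(\S+)", show_bridge, re.M)
    return {r.group(1).lower(): r.group(2) for r in rows}


def check_filter(macs, allowed):
    """Compare distinct local source MACs with the upstream filter limit."""
    distinct = sorted(set(macs.values()))
    return {
        "distinct": distinct,
        "allowed": allowed,
        "exceeds_filter": len(distinct) > allowed,
    }


if __name__ == "__main__":
    ours = local_macs(SHOW_INT_ATM0, SHOW_SPANNING_TREE)
    print("local:", ours)
    print("learned from far end:", learned_macs(SHOW_BRIDGE))
    for limit in (1, 2):
        print(check_filter(ours, limit))
```

The address learned in the bridge table belongs to the far end of the PVC, so it is reported separately and not counted against the filter.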
09-20-2013 10:30 AM
I don't know what you were configuring, but there is no need to configure IRB/BVI, as mentioned above. In doing so, the router will use one single MAC address.