ISR4431 BDI not Forwarding L2 Traffic?

joshvogel0 (Level 1)

I'm new to interface bridging, and I have an ISR4431 running 03.16.04b.S on which I need to bridge between two interfaces for two hosts: One interface is connecting directly to a host, the other to a switch (diagram below). I initially configured it as documented here, but this setup wasn't working in my environment, so I've read everything I can find on BDIs and played with all the related commands for a few days... I could use some input, nothing is working.


I currently have it working so L3 traffic is handled properly (both hosts can reach the BDI IP and can reach/be reached from other subnets), but L2 traffic doesn't seem to work-- the hosts can't reach each other (there was a brief blip twice where ARP resolved on one host for the other, but it went back to "incomplete" when I tried to SSH between them).


If I do a sh mac add add [host1/host2 MAC] on either of the switches, it will show the host's MAC, VLAN111, and interface correctly. I'm guessing something is wrong on the router that's stopping it from forwarding L2 traffic.

[diagram: image.png]

Here are the current configs:

Router:

interface GigabitEthernet0/0/2
description DLink Host .2
no ip address
negotiation auto
service instance 111 ethernet
encapsulation untagged
bridge-domain 111
!
interface GigabitEthernet0/0/3
description DLink Host .3 via Switch
no ip address
negotiation auto
service instance 111 ethernet
encapsulation untagged
l2protocol peer stp
bridge-domain 111
!
interface BDI111
mac-address 0000.1221.3443
ip address 1.1.1.1 255.255.255.248
no cdp enable

Top Switch:

interface GigabitEthernet1/1 
description DLink Router G0/0/3
switchport mode access
switchport access vlan 111
no cdp enable
spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
description DLink Switch2 G1/1
switchport trunk native vlan 200
switchport mode trunk
switchport nonegotiate


Bottom Switch:

interface GigabitEthernet1/1
description ULink Switch 1 G1/2
switchport trunk native vlan 200
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/2
description DLink Host .3
switchport mode access
switchport access vlan 111
no cdp enable

Any help is greatly appreciated, I've been stuck on this for a while and am completely out of ideas.


Edit: Changed both G0/0/2 and G0/0/3 to encapsulation untagged, removed the rewrite commands from them. No change in behavior.


12 Replies

marce1000 (VIP)


 - Check if the solving-reply from this thread can be helpful :

              https://community.cisco.com/t5/routing/bdi-not-passing-traffic-to-directly-connected-interfaces/td-p/3737083

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thank you, but I've been over that thread, and it doesn't resolve the issue in my instance.

Hello,


use the configuration below:


interface GigabitEthernet0/0/2
description DLink Host .2
no ip address
negotiation auto
service instance 111 ethernet
encapsulation dot1q 111
rewrite ingress tag pop 1 symmetric
bridge-domain 111
!
interface GigabitEthernet0/0/3
description DLink Host .3 via Switch
no ip address
negotiation auto
service instance 111 ethernet
encapsulation dot1q 111
rewrite ingress tag pop 1 symmetric
bridge-domain 111
!
interface BDI111
mac-address 0000.1221.3443
ip address 1.1.1.1 255.255.255.248

Thanks for the suggestion, but "encapsulation dot1q 111" on int g0/0/2 effectively breaks that interface-- the host only works if it's set to encapsulation untagged.

Both g0/0/2 and g0/0/3 are set to untagged now, and I've removed the rewrite commands from both. Everything is functioning the same as it was (L3 traffic passes, L2 doesn't).

Hello
Encapsulation untagged would be applicable here. The rtr interfaces are directly connecting an untagged host and a tagged access port.
So you wouldn't want any rewrite to occur; also you shouldn't require the BDI interface either, it should work all at L2.
All you should require in the rtr is the following:

rtr
int x/x
service instance 1 ethernet
encapsulation untagged
bridge-domain 111

no int BDI 111


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
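The tag-handling point made in the replies above (an untagged EFP has nothing for a rewrite to pop, and every member of a bridge domain should hand frames to it in the same tag state) can be checked mechanically before pasting a config into the router. The following is an added example and not code from the thread or from Cisco: it parses the EFP stanzas out of a pasted configuration, flags `rewrite ingress tag pop` on an `encapsulation untagged` EFP, and reports bridge domains whose members would deliver frames with different tag counts. The sample configuration reuses the poster's Gi0/0/2 and Gi0/0/3 stanzas (with the rewrite line the edit says was later removed left on Gi0/0/2) plus a hypothetical GigabitEthernet0/0/4 member, added here only to show the mismatch case; only single-tagged and untagged encapsulations are modelled.

```python
import re

# Constructed sample configuration. The Gi0/0/2 and Gi0/0/3 stanzas follow the
# original post (with a "rewrite" line left on Gi0/0/2, as the poster's first
# attempt had); GigabitEthernet0/0/4 is a hypothetical extra member added here
# to show a tagged EFP joining an otherwise untagged bridge domain.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/2
 description DLink Host .2
 no ip address
 negotiation auto
 service instance 111 ethernet
  encapsulation untagged
  rewrite ingress tag pop 1 symmetric
  bridge-domain 111
!
interface GigabitEthernet0/0/3
 description DLink Host .3 via Switch
 no ip address
 negotiation auto
 service instance 111 ethernet
  encapsulation untagged
  l2protocol peer stp
  bridge-domain 111
!
interface GigabitEthernet0/0/4
 description hypothetical tagged member (not in the original post)
 no ip address
 service instance 111 ethernet
  encapsulation dot1q 111
  bridge-domain 111
!
interface BDI111
 mac-address 0000.1221.3443
 ip address 1.1.1.1 255.255.255.248
!
"""

def parse_efps(config):
    """Collect every 'service instance ... ethernet' (EFP) with its encapsulation,
    ingress pop count and bridge-domain. Indentation is ignored, so the flat
    pastes seen in forum posts parse the same as 'show running-config' output."""
    efps, iface, efp = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            efp = None          # end of the current EFP or interface stanza
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            iface, efp = m.group(1), None
            continue
        m = re.match(r"service instance (\d+) ethernet", line)
        if m and iface is not None:
            efp = {"interface": iface, "id": int(m.group(1)),
                   "encapsulation": None, "pop": 0, "bridge_domain": None}
            efps.append(efp)
            continue
        if efp is None:
            continue            # interface-level lines (description, ip address, ...)
        m = re.match(r"encapsulation (.+)$", line)
        if m:
            efp["encapsulation"] = m.group(1)
            continue
        m = re.match(r"rewrite ingress tag pop (\d+)", line)
        if m:
            efp["pop"] = int(m.group(1))
            continue
        m = re.match(r"bridge-domain (\d+)", line)
        if m:
            efp["bridge_domain"] = int(m.group(1))
    return efps

def tags_after_ingress(efp):
    """Number of 802.1Q tags a frame still carries once it enters the bridge
    domain: untagged frames carry none; single-tagged ones carry one minus
    whatever 'rewrite ingress tag pop' removed. Returns None for encapsulations
    this checker does not model (default, QinQ, priority-tagged)."""
    enc = efp["encapsulation"] or ""
    if enc == "untagged":
        return 0
    if enc.startswith("dot1q") and "second-dot1q" not in enc:
        return max(0, 1 - efp["pop"])
    return None

def lint(config):
    """Return human-readable findings; an empty list means the EFPs are consistent."""
    findings, members = [], {}
    for e in parse_efps(config):
        where = f"{e['interface']} service instance {e['id']}"
        if e["bridge_domain"] is None:
            findings.append(f"{where}: no bridge-domain, frames matched here go nowhere")
            continue
        if e["encapsulation"] == "untagged" and e["pop"]:
            findings.append(f"{where}: rewrite ingress tag pop {e['pop']} on an untagged EFP, "
                            "there is no tag to pop")
        members.setdefault(e["bridge_domain"], []).append(e)
    for bd, efps in sorted(members.items()):
        by_tags = {}
        for e in efps:
            n = tags_after_ingress(e)
            if n is not None:
                by_tags.setdefault(n, []).append(f"{e['interface']}/{e['id']}")
        if len(by_tags) > 1:
            detail = "; ".join(f"{n} tag(s): {', '.join(v)}" for n, v in sorted(by_tags.items()))
            findings.append(f"bridge-domain {bd}: members hand frames to the bridge with "
                            f"different tag counts, so frames from one side reach the "
                            f"other still carrying a tag ({detail})")
    return findings

if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Run against the sample it reports the pointless pop on Gi0/0/2 and the tag-count mismatch in bridge-domain 111; adding `rewrite ingress tag pop 1 symmetric` to the hypothetical dot1q member (or making it untagged) brings the domain back to a single tag state and the second finding disappears.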

Thank you, that is how it's currently configured, but good to have confirmation that it's correct now.

Both hosts still need L3 access to other subnets/the internet, so the BDI is needed for that. However, for troubleshooting, I removed the BDI and the hosts still weren't able to communicate with each other.

Hello

As your topology stands you won't require a BDI for L3 on the rtr unless you want it to run your inter-vlan routing; otherwise one or both of those switches could perform that function.



Kind Regards
Paul

That is true, the hosts were using the router for their default gateway because it made the most sense logically with everything else that's going on with that router and the networks it's a part of. However, I can try moving the gateway to the top switch as a test to see if that changes the behavior at all.

After moving the default gateway to the top switch, the "new host" acted the same, while the "old host" lost all connectivity. I'll keep fiddling with it a bit.

Router:

no interface bdi111

Top switch: 

interface vlan111
ip address 1.1.1.1 255.255.255.248
no shutdown


Hello

You need to enable ip routing on the switch!



Kind Regards
Paul

Thanks for looking out! The top switch already handles the inter-vlan routing in my organization, so it's set up. 

I think we've found the problem.
These hosts are a vendor's special proprietary blend, which I have next to no control over. With their blessing, I increased the subnet mask on the old host to /29 from /30 so we could add the new host. I reached out to the vendor asking they check if maybe the subnet mask didn't update on the host since there really doesn't seem to be a misconfiguration on my end, and he found that the old host has the wrong broadcast address-- it retained the broadcast for the /30. All these days troubleshooting, and of course it's not a network problem, it's a server issue.

Waiting to confirm getting the broadcast address fixed resolves this issue, if it does I'll mark this topic resolved. Thanks all for the input to this point.
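A host that kept its /30 broadcast address after being moved to a /29, as described in the post above, is the kind of mismatch that is easy to check from a host inventory before days are spent on the network side. The following is an added example, not part of the original thread: it derives the broadcast address each host should have from its address and mask, flags a configured broadcast that belongs to a longer prefix (and names that prefix), checks that every host lands in the same subnet, and reports a broadcast address that is actually another host's unicast address. The host table is constructed from the addresses in the thread (gateway .1 on BDI111, old host .2, new host .3, all in 1.1.1.0/29); the old host's stale broadcast is assumed to be 1.1.1.3, the broadcast of 1.1.1.0/30, which with these addresses is also the new host's own address.

```python
import ipaddress

# Constructed host table using the addresses from the thread: gateway .1 on
# BDI111, the old host .2 and the new host .3, all meant to be in 1.1.1.0/29.
# The old host's broadcast is assumed to be the one it had as a /30 member.
HOSTS = {
    "gateway (BDI111)": {"address": "1.1.1.1", "netmask": "255.255.255.248", "broadcast": "1.1.1.7"},
    "old host (.2)":    {"address": "1.1.1.2", "netmask": "255.255.255.248", "broadcast": "1.1.1.3"},
    "new host (.3)":    {"address": "1.1.1.3", "netmask": "255.255.255.248", "broadcast": "1.1.1.7"},
}

def subnet_of(cfg):
    """The subnet implied by a host's address and mask (host bits are ignored)."""
    return ipaddress.IPv4Network(f"{cfg['address']}/{cfg['netmask']}", strict=False)

def stale_prefix_for(address, broadcast, longer_than):
    """If 'broadcast' is the broadcast of some longer prefix containing 'address',
    return that prefix length; used to explain where a wrong value came from."""
    for plen in range(longer_than + 1, 33):
        net = ipaddress.IPv4Network(f"{address}/{plen}", strict=False)
        if str(net.broadcast_address) == broadcast:
            return plen
    return None

def audit_host(name, cfg):
    """Findings for one host's own address/mask/broadcast triple."""
    findings = []
    net = subnet_of(cfg)
    addr = ipaddress.IPv4Address(cfg["address"])
    want = str(net.broadcast_address)
    if cfg["broadcast"] != want:
        plen = stale_prefix_for(cfg["address"], cfg["broadcast"], net.prefixlen)
        why = f", which is the broadcast of a /{plen}" if plen else ""
        findings.append(f"{name}: broadcast {cfg['broadcast']} should be {want} for {net}{why}")
    if addr in (net.network_address, net.broadcast_address):
        findings.append(f"{name}: {addr} is the network or broadcast address of {net}")
    return findings

def audit_all(hosts):
    """Per-host findings plus cross-host ones: subnet disagreement and a
    broadcast address that is actually another host's unicast address."""
    findings = []
    for name, cfg in hosts.items():
        findings.extend(audit_host(name, cfg))
    nets = {subnet_of(cfg) for cfg in hosts.values()}
    if len(nets) > 1:
        findings.append("hosts disagree on the subnet: " + ", ".join(sorted(map(str, nets))))
    by_addr = {cfg["address"]: name for name, cfg in hosts.items()}
    for name, cfg in hosts.items():
        other = by_addr.get(cfg["broadcast"])
        if other and other != name:
            findings.append(f"{name}: its broadcast {cfg['broadcast']} is the unicast address of {other}")
    return findings

if __name__ == "__main__":
    for line in audit_all(HOSTS) or ["no findings"]:
        print(line)
```

The values come from whatever the host actually reports (`ip addr` on Linux shows the `brd` field, `ipconfig` on Windows shows only the mask), so the check is only as good as the inventory fed to it; the point is that a mask change that did not also update the broadcast shows up as a /30 artefact in a /29 table, exactly the case the vendor found here.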
