09-23-2010 02:05 PM - edited 03-04-2019 09:53 AM
Hi All,
I'm looking for some urgent help please.
I have a Cisco 1901 router with 2 onboard Gigabit Ethernet ports that are configured as a BVI due to an unusual config with the ISP (it works!).
I also need to route/NAT to/from 2 or 3 other subnets and requested my reseller to provide a 4-port HWIC, which they did.
I tried to apply ip addressing to the FastEthernet ports only to receive a message stating it wasn't possible on a Layer 2 port.
I therefore created a vlan and assigned it an ip address and subnet mask from a subnet I wished to route traffic through. I assigned the vlan to the Layer 2 FastEthernet port but cannot ping or route through it.
Is this even possible or am I banging my head against a very solid wall?
Regards
Simon...
09-23-2010 02:14 PM
Simon
They are L2 ports only but you should be able to do the vlan setup that you have tried. Might be an idea to post the config together with details of what test(s) you have run.
Jon
09-23-2010 02:47 PM
Configuration:
bridge irb
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0/0/0
 description SS7
 switchport access vlan 10
!
interface FastEthernet0/0/1
 switchport access vlan 20
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.150.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 ip address 10.30.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface BVI1
 description **** WAN Link to ISP IP Network ****
 ip address a.b.c.b 255.255.255.192
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool lan a.b.c.a a.b.c.a netmask 255.255.255.192
ip nat inside source list 5 pool lan overload
ip nat inside source static 10.30.1.32 a.b.c.d
ip nat inside source static 10.30.1.5 a.b.c.e
ip nat inside source static 10.30.1.42 a.b.c.f
ip route 0.0.0.0 0.0.0.0 87.198.157.1
ip route 87.198.157.4 255.255.255.255 a.b.c.g
ip route 87.198.157.6 255.255.255.255 a.b.c.g
ip route 87.198.157.8 255.255.255.255 a.b.c.g
ip route 87.198.157.9 255.255.255.255 a.b.c.g
ip route 87.198.157.10 255.255.255.255 a.b.c.g
ip route 87.198.157.11 255.255.255.255 a.b.c.g
ip route 87.198.157.20 255.255.255.255 a.b.c.g
ip route 87.198.157.22 255.255.255.255 a.b.c.g
ip route 87.198.157.45 255.255.255.255 a.b.c.g
!
access-list 5 permit 10.150.1.0 0.0.0.255
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
TESTS
Ping 10.30.1.253 from router itself.
Tried to ping 10.30.1.253 from 10.30.1.0 subnet.
Tried to route through 10.30.1.253 from 10.30.1.0 subnet.
All tests failed.
Regards
Simon...
09-23-2010 02:50 PM
Can you post output of "sh ip int brief".
I'm assuming you created the vlan at L2 ?
Jon
09-23-2010 02:56 PM
Thanks Jon.
interface FastEthernet0/0/0 & interface FastEthernet0/0/1 are the 2 in question.
As you've probably guessed I'm masking the Public IPs with a.b.c.x.
Output:
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES manual up                    up
GigabitEthernet0/1     unassigned      YES NVRAM  up                    up
FastEthernet0/0/0      unassigned      YES unset  down                  down
FastEthernet0/0/1      unassigned      YES unset  up                    up
FastEthernet0/0/2      unassigned      YES unset  administratively down down
FastEthernet0/0/3      unassigned      YES unset  administratively down down
Vlan1                  unassigned      YES manual up                    down
Vlan20                 10.30.1.253     YES manual up                    down
Vlan10                 10.150.1.1      YES manual up                    down
NVI0                   unassigned      NO  unset  up                    up
BVI1                   a.b.c.b         YES manual up                    up
09-23-2010 03:14 PM
Simon
The problem is your vlan interfaces are up/down, i.e. they are not up, so they won't respond to anything.
Did you create the vlan at L2 and not just the L3 vlan interface, i.e.
either -
router(config)# vlan
or
router# vlan database
router(...)# vlan
Sorry, I can never remember which one it is on these routers!
Jon
09-23-2010 03:16 PM
router(config)# vlan
09-23-2010 03:22 PM
Not sure if this helps:
Router#sh spanning-tree vlan 20
VLAN20 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 68ef.bd9a.af63
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 0 last change occurred 04:37:27 ago
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300
Port 2 (FastEthernet0/0/1) of VLAN20 is broken (Port Type Mismatch)
Port path cost 19, Port priority 128, Port Identifier 128.2.
Designated root has priority 32768, address 68ef.bd9a.af63
Designated bridge has priority 32768, address 68ef.bd9a.af63
Designated port id is 128.2, designated path cost 0
Timers: message age 1, forward delay 14, hold 0
Number of transitions to forwarding state: 0
BPDU: sent 8318, received 0
09-23-2010 03:32 PM
Simon
Can you post -
"sh vlan database" or "sh vlan brief"
Can you modify fa0/0/1 to be -
int fa0/0/1
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
then shutdown fa0/0/1 and vlan 20 and then do a "no shut" on each interface.
Jon
09-23-2010 03:58 PM
Jon,
Got this message and as this connects directly into a switch will it cause an issue?
Router(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host.
Connecting hubs, concentrators, switches, bridges, etc.to this interface
when portfast is enabled, can cause temporary spanning tree loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/0/1 but will only
have effect when the interface is in a non-trunking mode.
I can now ping 10.30.1.253 from the router but not from anywhere else or to anywhere else on the 10.30.1.0 subnet.
Router#sh int vlan 20
Vlan20 is up, line protocol is up
Hardware is EtherSVI, address is 68ef.bd9a.af63 (bia 68ef.bd9a.af63)
Internet address is 10.30.1.253/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 0/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:11:31, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 92 bytes, 0 no buffer
Received 1 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
70 packets output, 4744 bytes, 0 underruns
0 output errors, 2 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Simon
09-23-2010 04:20 PM
Simon
What is connected into fa0/0/1? Is it a switch or is it your laptop? If it is a switch then you should not have "spanning-tree portfast". I assumed it was the laptop.
Also, if it is a switch and your laptop is connected to that switch, how have you configured the switch? Can you post the config and indicate which port is the link to fa0/0/1 and which your laptop is connected to.
Where are the other clients in the same vlan connected to?
Jon
09-23-2010 04:33 PM
Jon,
What is connected into fa0/0/1? Is it a switch or is it your laptop? If it is a switch then you should not have "spanning-tree portfast". I assumed it was the laptop.
Connected to a switch.
Also, if it is a switch and your laptop is connected to that switch, how have you configured the switch?
I'm connected over Telnet via the BVI1.
Can you post the config and indicate which port is the link to fa0/0/1 and which your laptop is connected to.
Laptop remote.
Where are the other clients in the same vlan connected to?
Connected to the switch.
Thanks
Simon
09-23-2010 04:44 PM
Simon
Then need to see the switch config.
Have you set the default-gateway of all the other clients in that vlan to be the fa0/0/1 ip address?
Are all the ports for the clients configured to be in vlan 20?
Presumably you are trying to ping the other clients? Do you have personal firewalls on the PCs that could be blocking the pings?
Jon
09-24-2010 04:51 AM
This has now been resolved. Not sure if it's the textbook answer but it works.
********************************************
interface FastEthernet0/0/1
 switchport trunk native vlan 20
 switchport mode trunk
interface Vlan20
 ip address 10.30.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
09-24-2010 07:51 AM
Simon
So the port on the switch connecting to fa0/0/1 was configured as a trunk link. That would explain your STP output.
Thanks for letting me know you fixed it.
Jon
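An added example, not part of the original thread and not Cisco tooling: the diagnosis path followed above, as a short Python script that reads `show ip interface brief` and `show spanning-tree` text and reports each addressed SVI that is up/down together with any non-forwarding port in its VLAN. The sample text is constructed from the outputs quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed samples, trimmed from the outputs quoted in the thread.
SHOW_IP_INT_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0/0 unassigned YES unset down down
FastEthernet0/0/1 unassigned YES unset up up
FastEthernet0/0/2 unassigned YES unset administratively down down
Vlan1 unassigned YES manual up down
Vlan20 10.30.1.253 YES manual up down
Vlan10 10.150.1.1 YES manual up down
BVI1 a.b.c.b YES manual up up
"""
SHOW_SPANNING_TREE = """\
VLAN20 is executing the ieee compatible Spanning Tree protocol
 Port 2 (FastEthernet0/0/1) of VLAN20 is broken (Port Type Mismatch)
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(?:YES|NO)\s+\S+\s+"
                 r"(administratively down|up|down)\s+(up|down)\s*$", re.M)
STP_PORT = re.compile(
    r"Port \d+ \(([^)]+)\) of VLAN(\d+) is (\w+)(?: \(([^)]+)\))?")


def svis_down(brief):
    """Addressed SVIs that are admin-up but whose line protocol is down."""
    return [name for name, ip, status, proto in ROW.findall(brief)
            if name.startswith("Vlan") and ip != "unassigned"
            and status == "up" and proto == "down"]


def blocked_ports(stp):
    """Map VLAN id -> [(port, state, reason)] for ports not forwarding."""
    result = {}
    for port, vlan, state, reason in STP_PORT.findall(stp):
        if state != "forwarding":
            result.setdefault(vlan, []).append((port, state, reason or None))
    return result


def diagnose(brief, stp):
    """For each down SVI, list the non-forwarding ports in its VLAN.
    An empty list means the STP text shows no blocked port for that VLAN;
    check that the VLAN exists at L2 and that a member port has link."""
    blocked = blocked_ports(stp)
    return {svi: blocked.get(svi[len("Vlan"):], []) for svi in svis_down(brief)}


if __name__ == "__main__":
    for svi, ports in diagnose(SHOW_IP_INT_BRIEF, SHOW_SPANNING_TREE).items():
        print(svi, ports or "no blocked port listed; check VLAN and link")
```

A "Port Type Mismatch" entry against a down SVI points at an access/trunk disagreement between the two ends of the link, which is what the fix in this thread resolved.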