Bridged 887va VDSL VLAN 10 dot1Q commands help

LavaBlade
Level 1

So here is my problem.

 

The firewall does not have a VDSL modem. So my solution is to use a 887VA-K9 in bridged mode on port Fa0 to pass the ISP VLAN onto the WAN interface of the firewall so the firewall gets the public IP via DHCP and handles NAT.

The ISP does not use authentication, it's just tagged VLAN 10 with the following details. MTU 1500, MSS 0, VLAN ID 10.

 

I found this thread https://community.cisco.com/t5/switching/vdsl2-bridge-config/td-p/2252527 and it sounds exactly like what I need. However, I am having a little trouble finding the correct console commands to get the configuration set this way.

 

I have not found a helpful resource showing how to create the bridge group and set the dot1Q tagging. (So far, I am an IOS novice.)

Once the bridge is set up I should never need to go back into the config. The firewall will do everything else.

 

Here is my configuration so far:

I probably need to remove the "switchport trunk allowed vlan", but unsure how to.

 

RO01#show running-config
Building configuration...

Current configuration : 1379 bytes
!
!
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RO01
!
boot-start-marker
boot-end-marker
!
!
enable secret
enable password
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
no ip routing
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
CISCO887VA-K9
!
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
no ip route-cache
shutdown
!
interface ATM0
no ip address
no ip route-cache
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 10
switchport trunk allowed vlan 1,2,10,1002-1005
switchport mode trunk
no cdp enable
!
interface FastEthernet1
shutdown
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
shutdown
no cdp enable
!
interface Vlan1
no ip address
no ip route-cache
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
logging esm config
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
password ####
login
transport input all
!
end

RO01#


RO01#show controller vdsl 0
Controller VDSL 0 is UP

Daemon Status: Up

XTU-R (DS) XTU-C (US)
Chip Vendor ID: 'BDCM' 'BDCM'
Chip Vendor Specific: 0x0000 0xB1AD
Chip Vendor Country: 0xB500 0xB500
Modem Vendor ID: 'CSCO' 'BDCM'
Modem Vendor Specific: 0x4602 0xB1AD
Modem Vendor Country: 0xB500 0xB500
Serial Number Near: Serial 887VA-K9 15.1(2)T
Serial Number Far: eq_nr multiline_cpe software_rev
Modem Version Near: 15.1(2)T
Modem Version Far: 0xb1ad

Modem Status: TC Sync (Showtime!)
DSL Config Mode: AUTO
Trained Mode: G.993.2 (VDSL2) Profile 17a
TC Mode: PTM
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running
Trellis: ON ON
Line Attenuation: 0.0 dB 0.0 dB
Signal Attenuation: 0.0 dB 0.0 dB
Noise Margin: 6.2 dB 6.1 dB
Attainable Rate: 46236 kbits/s 14238 kbits/s
Actual Power: 14.5 dBm 8.3 dBm
Per Band Status: D1 D2 D3 U0 U1 U2 U3
Line Attenuation(dB): 19.1 51.7 0.1 6.9 41.9 63.1 N/A
Signal Attenuation(dB): 19.1 51.7 N/A 6.9 41.5 61.3 N/A
Noise Margin(dB): 6.1 6.3 N/A 6.1 6.1 6.1 N/A
Total FECS: 31747 0
Total ES: 0 0
Total SES: 0 0
Total LOSS: 0 0
Total UAS: 0 0
Total LPRS: 0 0
Total LOFS: 0 0
Total LOLS: 0 0
Bit swap: 1 0

Full inits: 2
Failed full inits: 0
Short inits: 0
Failed short inits: 0

Firmware Source File Name (version)
-------- ------ -------------------
VDSL embedded VDSL_LINUX_DEV_01212008 (1)

Modem FW Version: 100608_1515-4.02L.03.A2pv6C030h.d22k
Modem PHY Version: A2pv6C030h.d22k


DS Channel1 DS Channel0 US Channel1 US Channel0
Speed (kbps): 0 42600 0 13446
Previous Speed: 0 42604 0 13363
Reed-Solomon EC: 0 31747 0 0
CRC Errors: 0 0 0 0
Header Errors: 0 157 0 0
Interleave (ms): 0.00 8.00 0.00 8.00
Actual INP: 0.00 2.00 0.00 2.00

Training Log : Stopped
Training Log Filename : flash:vdsllog.bin

RO01#


Any help in being pointed in the right direction would be very much appreciated.



Giuseppe Larosa
Hall of Fame

Hello LavaBlade,

first of all, you need to be sure that the outside interface of the firewall can send and receive frames with 802.1Q header and Vlan-id=10.

This is a requirement for the following configuration.

To make a router work like a bridge for IPv4 traffic, you need to perform the following:

 

a) in global config disable IP routing

no ip routing

b) configure bridge group 1 and specify that it will use the IEEE STP protocol, in global config

bridge 1 protocol ieee

 

c) Associate two interfaces to the bridge-group. The bridging action will be performed between them.

 

The internal interface Fas0 should have the following configuration.

To clean the Fas0 config, use the following in global config mode:

default interface Fas0

interface Fas0
description Interface to Firewall
no switchport
no ip address
no ip route-cache
interface fas0/0.10
encapsulation dot1q 10
no ip address
no ip route-cache
>>bridge-group 1

 

As noted above this configuration requires that the firewall sends and receives frames with vlan-id 10.

 

What is the second member interface of the bridge-group 1?

In all the proposed configurations the interface used is the SVI interface Vlan1, probably because by default frames in this VLAN are carried over the VDSL2 link.

 

interface Vlan1
no ip address
ip virtual-reassembly in
no ip route-cache
bridge-group 1<<<<<<<
!

Try this configuration; it should work. But you have to be sure that your firewall is using a subinterface with Vlan-id 10.

 

Hope to help

Giuseppe

 

 

 

Hello Giuseppe,

 

Thanks for the quick reply. I have a follow up question.

 

I ran through your instructions and it looks like the interface fas0/0.10 command did not quite work.

I have not yet tested the config so please let me know if the fas0/0.10 command did what it was supposed to do.

The firewall has an Intel Pro NIC so it should handle the VLANs fine.

 

Here is my current running config copied to startup config. Then below it will be the console log.

 

RO01#show running-config
Building configuration...

Current configuration : 1450 bytes
!
!
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RO01
!
boot-start-marker
boot-end-marker
!
!
enable secret
enable password
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
no ip routing
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
no ip route-cache
shutdown
!
interface Ethernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 1
!
interface ATM0
no ip address
no ip route-cache
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
description Interface to Firewall
!
interface FastEthernet1
shutdown
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
shutdown
no cdp enable
!
interface Vlan1
no ip address
ip virtual-reassembly in
no ip route-cache
bridge-group 1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
logging esm config
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
password
login
transport input all
!
end

 

Console commands are below or in the attached file.

 

https://pastebin.com/TSePwUyF

 

Thanks for your help so far.

Hello LavaBlade,

from the configuration that you have provided you just need to connect the firewall port to interface Eth0 instead of Fas0.

To be noted: eth0 can give a maximum of 10 Mbps full duplex, or only 3 Mbps in half duplex. This might be a bottleneck.

However, Fas0 cannot be configured with the no switchport command, so it is not possible to create the subinterface fas0/0.10: the command is rejected because the interface is acting as an L2 switch port, and in this mode it does not support subinterfaces.

The no switchport command, when supported, allows making a port a routed port and would allow configuring a subinterface.

Make sure your FW to Eth0 link is working in full duplex to avoid performance issues caused by half duplex (the max performance in half duplex is 33% of link speed because of the need to wait for the wire to be silent before sending a frame).

 

Notice that I use the >>> string as a way to highlight a command, but this does not work on the device. This is expected.

 

Edit:

Interface eth0 must be enabled; please use:

config t
interface eth0
no shut

 

Your internal link is eth0.10, but if you shut down the main interface, eth0.10 will also be shut down.

Fas0 is not usable in your platform for this purpose as explained above.

 

Hope to help

Giuseppe
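To check a pasted running-config against the recipe in Giuseppe's two replies above (no ip routing, bridge 1 protocol ieee, two members in bridge-group 1, the subinterface tagged with the ISP VLAN, and the Ethernet0 parent not left in shutdown, which is exactly what the Edit above fixes), here is an added Python example. It is not from the thread and not a Cisco tool; the line-based parser, the function names and the sample config are constructed for this example, and the sample deliberately reproduces the state LavaBlade posted, with Ethernet0 still shut down.

```python
"""Check a Cisco IOS running-config for the 'router as a bridge' shape:
'no ip routing', 'bridge 1 protocol ieee', two members in bridge-group 1,
the right dot1Q VLAN on the subinterface, and no member (or parent of a
member) left in 'shutdown'. Added example, not from the thread and not a
Cisco tool; the parser is a minimal line-based one written for this check
and the sample config below is constructed."""

import re

# Constructed sample modelled on the config posted in the thread: Ethernet0 is
# still 'shutdown', which also takes its subinterface Ethernet0.10 down.
SAMPLE_CONFIG = """\
version 15.1
hostname RO01
!
ip source-route
no ip routing
!
no ip cef
!
interface Ethernet0
 no ip address
 no ip route-cache
 shutdown
!
interface Ethernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0
 description Interface to Firewall
!
interface Vlan1
 no ip address
 ip virtual-reassembly in
 no ip route-cache
 bridge-group 1
!
bridge 1 protocol ieee
!
end
"""


def parse_config(text):
    """Split an IOS config into global lines and per-interface line lists.

    An 'interface X' line opens a block that runs until the next '!' line or
    the next 'interface' line; indentation is ignored because forum pastes
    usually lose it.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        m = re.match(r"interface\s+(\S+)$", line, re.IGNORECASE)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def check_bridge_mode(text, group="1", vlan="10"):
    """Return a list of findings; an empty list means the config matches the recipe."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "no ip routing" not in global_lines:
        findings.append("global: 'no ip routing' missing, the box will still route")
    if f"bridge {group} protocol ieee" not in global_lines:
        findings.append(f"global: 'bridge {group} protocol ieee' missing")
    members = [n for n, lines in interfaces.items() if f"bridge-group {group}" in lines]
    if len(members) != 2:
        findings.append(f"bridge-group {group} has {len(members)} member(s), expected 2: {members}")
    for name in members:
        # A subinterface (Ethernet0.10) follows the admin state of its parent (Ethernet0).
        parent = name.split(".")[0]
        for iface in ([name] if parent == name else [parent, name]):
            if "shutdown" in interfaces.get(iface, []):
                findings.append(f"{iface} is shut down, so bridge member {name} carries no traffic")
        if "." in name:
            encap = [l for l in interfaces[name] if l.lower().startswith("encapsulation dot1q")]
            if not encap:
                findings.append(f"{name}: subinterface has no 'encapsulation dot1Q'")
            elif encap[0].split()[-1] != vlan:
                findings.append(f"{name}: tagged with VLAN {encap[0].split()[-1]}, expected {vlan}")
    return findings


def without_shutdown(text, iface):
    """Return the config with 'shutdown' removed from one interface block (the effect of 'no shut')."""
    out, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line, re.IGNORECASE)
        if m:
            current = m.group(1)
        elif line == "!":
            current = None
        if current == iface and line == "shutdown":
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in check_bridge_mode(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
    print(check_bridge_mode(without_shutdown(SAMPLE_CONFIG, "Ethernet0")) or ["no findings"])
```

Run against the constructed sample it reports only that Ethernet0 is shut down and therefore Ethernet0.10 carries nothing; after the equivalent of the "interface eth0 / no shut" fix it reports nothing. Paste the output of show running-config into SAMPLE_CONFIG (or read it from a file) to check a real box.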

 

Hello Giuseppe,

 

Thank you very much. I finally got it working after working on it all weekend.

I will write up a guide on how I got it running from start to finish and give you your due credit.

 

After running the following commands my problem was resolved.
config t
interface eth0
no shut
ctrl+z
copy running-config startup-config

 

The firewall WAN port is untagged (non-802.1Q, HP terminology)

 

It did not work straight away, I could get a DHCP lease from the ISP on the WAN interface of the firewall but I could not access any internet services.

I checked the ARP table on the firewall and found a public IP that was within the same subnet of the DHCP assigned public IP.

So it seems obvious that the ISP is blocking the traffic.

Next, I set the firewall WAN interface to spoof the MAC printed on the back of the ISP supplied router and sure enough I have access to all internet services.

 

After running a speed test I noticed that the ICMP ping response time was 24ms (4x slower) to the upstream gateway and every router after that.

I unplugged the 887VA and plugged the ISP router back in several times, back and forth, and confirmed that the ISP router had an ICMP ping response time of 7ms to the upstream gateway; speed tests were 27% faster on the ISP router as well (38/12 vs 47/15).

 

The firewall WAN interface is connected to the 887VA at 100BASE-TX full duplex over Cat5e 8P8C.
Looking at your response, this is the best case scenario for this router, correct?

 

I can easily enough acquire an 867VAE-K9, which has two Gigabit interfaces. Will this be faster, or will I need to go with a 1900 ISR and a HWIC-1VDSL to get improvements?

 

Or am I barking up the wrong tree and the problem is with the routing protocols on the firewall. I don't get that high a ping when using the firewall in double NAT with the ISP router in front.

 

It's brilliant that we got it going this far, thanks for the help.


Now I just need to deal with the fundamental problem that the ISP router is used as a VOIP ATA RGW for a SIP to analog phone line. I have to clone that same router's MAC on the firewall WAN port to get WAN traffic flowing. This does not look good.

Hello LavaBlade,

I am happy you have been able to make it working.

And you did something brilliant too:

>> Next, I set the firewall WAN interface to spoof the MAC printed on the back of the ISP supplied router and sure enough I have access to all internet services.

 

This is a great trick, the ISP has probably configured or learned the MAC address of the ISP supplied router.

 

About your other questions:

if using eth0 you get 100 Mbps full duplex, I would say you are lucky, as this interface should only go at 10 Mbps.

 

About the speed performance you need to understand that a Cisco router works well when used as a router.

In your case if you look at the configuration you will find that

a) cef is disabled globally

no ip cef

b) cef is disabled on interfaces members of the bridge group 1

no ip route-cache

 

In other words, bridging is performed in software using the slowest, least efficient method to move packets/frames, which is called process switching.

 

I don't think that you can get much more with a device like the 867; the risk that the GE ports cannot be configured with a subinterface is high. In one of the threads I looked at yesterday they were using eth0 for bridging.

 

There is one point that is not clear to me: you say that the firewall is sending untagged frames but at the beginning of the thread you said the ISP is expecting frames with 802.1Q tag and vlan-id = 10.

 

>> Now I just need to deal with the fundamental problem that the ISP router is used as a VOIP ATA RGW for a SIP to analog phone line. I have to clone that same router's MAC on the firewall WAN port to get WAN traffic flowing. This does not look good.

 

I am afraid this is a blocking problem unless you are able to connect the firewall downstream of the ISP-supplied router. But in this case you probably don't need the 887VA.

 

Hope to help

Giuseppe
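Giuseppe's open question (is the firewall sending untagged frames, or tagged ones with VLAN ID 10?) is settled by looking at the bytes on the link rather than at vendor terminology. The following is an added Python example, not from the thread: it builds constructed frames with and without an 802.1Q tag and decodes the tag, which sits after the two MAC addresses as the EtherType value 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID. The MAC addresses, payloads and helper names are assumptions for the example; a capture taken on either side of the bridge would be fed to parse_frame in the same way.

```python
"""Decode the 802.1Q tag on Ethernet frames, to tell on the wire whether a
port is sending tagged VLAN 10 frames or untagged ones. Added example, not
from the thread; the frames are constructed here, not captured."""

import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed (locally administered) MAC addresses for the two ends of the link.
FW_WAN_MAC = bytes.fromhex("020000000001")
ISP_GW_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet II frame; when vlan is given, insert a single 802.1Q tag."""
    frame = dst + src
    if vlan is not None:
        if not 0 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 0..4094")
        # TCI layout: PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None when untagged), ethertype and payload of a frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, vlan = 12, None
    (tag_or_type,) = struct.unpack_from("!H", frame, offset)
    if tag_or_type == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan = tci & 0x0FFF
        offset += 4
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def check_vlan(frame, expected_vlan=10):
    """Classify a frame against the ISP requirement 'tagged, VLAN ID 10'."""
    vlan = parse_frame(frame)["vlan"]
    if vlan is None:
        return "untagged"
    if vlan != expected_vlan:
        return f"tagged vlan {vlan}"
    return "ok"


if __name__ == "__main__":
    # Minimal constructed payload: an IPv4 version/IHL byte padded with zeros.
    payload = b"\x45" + b"\x00" * 19
    for label, frame in (("tagged  ", build_frame(ISP_GW_MAC, FW_WAN_MAC, payload, vlan=10)),
                         ("untagged", build_frame(ISP_GW_MAC, FW_WAN_MAC, payload))):
        print(label, frame[:18].hex(), "->", check_vlan(frame))
```

The tagged frame shows the four extra bytes 81 00 00 0a right after the source MAC; the untagged one goes straight from the source MAC to 08 00. Whichever side of the bridge the capture comes from, a frame with no 0x8100 at offset 12 is untagged, regardless of what the switch or firewall GUI calls the port.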

 

Hello,

 

for what it is worth, I found a sample config which puts the router in bridge mode:

 

Current configuration : 1379 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RO01
!
boot-start-marker
boot-end-marker
!
enable secret
enable password
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
no ip routing
!
no ip cef
no ipv6 cef
!
CISCO887VA-K9
!
controller VDSL 0
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 1
!
interface ATM0
no ip address
no ip route-cache
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
no ip route-cache
bridge-group 1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
logging esm config
!
control-plane
!
bridge 1 protocol ieee
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
password ####
login
transport input all
!
end
