
BVI not reachable

greywolf
Level 1
Level 1

Hi,

I'm trying to set up an 897 router to share a single DSL connection (with cellular failover) among 3 apartments - each with its own access point and VLAN - along with a single guest wifi network. I can connect to the access point and ping the router and the internet, but I can't seem to reach the BVI on the access point. I can see the ARP request updating the MAC address table, but no pings succeed in either direction. Config for router and access point attached - any feedback would be appreciated.

The config below is a work in progress - the access points attached to gig2 and gig3 are not yet set up for mbssid (I'm trying to get the 1st access point to behave as expected first), and are reachable just fine from the BVI interface. The access-lists on vlan7 and vlan8 are there to prevent users from reaching outside of their own networks, and appear to work just fine.

AP3602i_unit_1#sh run
Building configuration...
! Global services, local AAA and VLAN naming for the autonomous access point.
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Stores plaintext passwords in the config as reversible type 7 strings;
! this hides them from casual viewing but is not strong encryption.
service password-encryption
!
hostname AP3602i_unit_1
!
!
logging rate-limit console 9
enable secret xxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
! Login, PPP, exec and network authentication/authorization all use the
! local user database only; no external AAA server is configured here.
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local 
aaa authorization network default local 
!         
!
!
!
aaa session-id common
! Drops packets that carry IP source-route options.
no ip source-route
no ip cef
ip domain name xxxxxxx
!
!
!
!
dot11 pause-time 100
dot11 syslog
dot11 vlan-name UNIT_1 vlan 6
! VLAN 106 is named here, but no SSID, radio subinterface or Ethernet
! subinterface in this config references it.
dot11 vlan-name UNIT_1_ITS vlan 106
!
! SSID definitions. Both SSIDs use WPA version 2 key management with a
! pre-shared key (values redacted in the post), so every client of an SSID
! shares the same credential. `mbssid guest-mode` advertises the SSID in
! beacons when multiple BSSIDs are enabled on the radio.
! Tenant SSID, mapped to VLAN 6.
dot11 ssid cisco_wifi_test
   vlan 6
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii xxxxxx
!
! Guest SSID, mapped to VLAN 200.
dot11 ssid guest_wifi
   vlan 200
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii xxxxxxx
!
!
!
no ipv6 cef
!
!
! Single local account with privilege level 15 (full access); `secret`
! stores the password as a hash rather than a reversible string.
username exec_login privilege 15 secret xxxxxxxxxxxx
!
!
! Integrated routing and bridging, which the BVI interfaces below rely on.
bridge irb
!
!
!
! First radio: administratively shut down, still a member of bridge-group 1.
interface Dot11Radio0
 no ip address
 shutdown
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! Second radio: carries both SSIDs with AES-CCM ciphers on the base
! interface and on VLANs 6 and 200; `mbssid` enables multiple BSSIDs.
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm 
 !
 encryption vlan 6 mode ciphers aes-ccm 
 !
 encryption vlan 200 mode ciphers aes-ccm 
 !
 ssid cisco_wifi_test
 !
 ssid guest_wifi
 !
 antenna gain 0
 peakdetect
 no dfs band block
 mbssid
 channel dfs
 station-role root
!
! Radio subinterfaces: each 802.1Q VLAN is tied to the bridge group with the
! same number (VLAN 1 native -> 1, VLAN 6 -> 6, VLAN 200 -> 200).
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.6
 encapsulation dot1Q 6
 bridge-group 6
 bridge-group 6 subscriber-loop-control
 bridge-group 6 spanning-disabled
 bridge-group 6 block-unknown-source
 no bridge-group 6 source-learning
 no bridge-group 6 unicast-flooding
!
interface Dot11Radio1.200
 encapsulation dot1Q 200
 bridge-group 200
 bridge-group 200 subscriber-loop-control
 bridge-group 200 spanning-disabled
 bridge-group 200 block-unknown-source
 no bridge-group 200 source-learning
 no bridge-group 200 unicast-flooding
!
! Wired uplink and its 802.1Q subinterfaces, bridged to the same groups as
! the radio subinterfaces (VLAN 1 native, VLAN 6, VLAN 200).
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!         
interface GigabitEthernet0.6
 encapsulation dot1Q 6
 bridge-group 6
 bridge-group 6 spanning-disabled
 no bridge-group 6 source-learning
!
interface GigabitEthernet0.200
 encapsulation dot1Q 200
 bridge-group 200
 bridge-group 200 spanning-disabled
 no bridge-group 200 source-learning
!
! BVI1 (the native-VLAN bridge group) carries no IP address; the AP's
! addresses are placed on BVI6 and BVI200 instead.
! NOTE(review): autonomous AP IOS is generally described as supporting the
! AP's own IP only on BVI1 (native VLAN / bridge-group 1) - a likely reason
! the BVI in the post is unreachable; confirm against the platform docs.
interface BVI1
 mac-address xxxx.xxxx.xxxx
 no ip address
!
interface BVI6
 mac-address xxxx.xxxx.xxxx
 ip address 10.1.6.20 255.255.255.0
!         
! NOTE(review): this gives the AP an address inside the guest subnet. If it
! becomes reachable, the AP's management services would be exposed to guest
! clients; a dedicated management VLAN avoids that.
interface BVI200
 mac-address xxxx.xxxx.xxxx
 ip address 172.16.16.20 255.255.255.0
!
! Management services, bridge routing and terminal lines.
ip forward-protocol nd
! The cleartext HTTP management server is enabled while HTTPS is disabled,
! so web logins would cross the network unencrypted. Prefer
! `no ip http server`, or enable `ip http secure-server` instead.
ip http server
no ip http secure-server
ip ssh version 2
!
!
!
! IP is routed for bridge groups 1 and 6 only; bridge group 200 has no
! matching `route ip` statement even though BVI200 has an address.
bridge 1 route ip
bridge 6 route ip
!
!
! `exec-timeout 0 0` disables the idle timeout, so a console session left
! logged in stays open indefinitely.
line con 0
 exec-timeout 0 0
! Remote access is SSH only. No `access-class` is visible on the vty lines,
! so any address that can reach the AP may attempt a login.
line vty 0 4
 transport input ssh
!
end

R897VAG-LTE Building configuration...
! Global services and local AAA for the 897 router.
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
! Password obfuscation is off: any plaintext passwords or keys in this
! config are stored and displayed as-is. This matters for the pre-shared
! keys and for the TFTP config archive configured later in this file.
! NOTE(review): consider `service password-encryption` at minimum, or
! `key config-key password-encrypt` with `password encryption aes` for keys.
no service password-encryption
!
hostname R897VAG-LTE_base
!
boot-start-marker
boot-end-marker
!
!
enable secret xxxxxxxx
!
aaa new-model
!
!
! Login, PPP, exec and network authentication/authorization all use the
! local user database only.
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local 
aaa authorization network default local 
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone AEST 10 0
!
!
!
! DHCP server. Addresses .1-.69 are held back in the three PC subnets; no
! exclusions are defined for the 10.1.106-108.0/24 or 172.16.16.0/24 pools.
ip dhcp excluded-address 10.1.6.1 10.1.6.69
ip dhcp excluded-address 10.1.7.1 10.1.7.69
ip dhcp excluded-address 10.1.8.1 10.1.8.69
!
! ITS_UNIT_n pools serve VLANs 106-108 (the voice VLANs on the switchports).
! Option 150 hands out a TFTP server address, here the router's own SVI.
ip dhcp pool ITS_UNIT_1
 network 10.1.106.0 255.255.255.0
 default-router 10.1.106.1 
 dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8 
 option 150 ip 10.1.106.1 
!
ip dhcp pool ITS_UNIT_2
 network 10.1.107.0 255.255.255.0
 default-router 10.1.107.1 
 dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8 
 option 150 ip 10.1.107.1 
!         
ip dhcp pool ITS_UNIT_3
 network 10.1.108.0 255.255.255.0
 default-router 10.1.108.1 
 dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8 
 option 150 ip 10.1.108.1 
!
! PC_UNIT_n pools serve the data VLANs 6-8.
ip dhcp pool PC_UNIT_1
 network 10.1.6.0 255.255.255.0
 default-router 10.1.6.1 
 dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8 
 option 150 ip 10.1.106.1 
!
! NOTE(review): option 150 for units 2 and 3 points at 10.1.107.1 and
! 10.1.108.1, destinations that ACLs 107/108 (inbound on Vlan7/Vlan8) deny
! under their 10.1.0.0/16 rule - verify this is intended.
ip dhcp pool PC_UNIT_2
 network 10.1.7.0 255.255.255.0
 default-router 10.1.7.1 
 dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8 
 option 150 ip 10.1.107.1 
!
ip dhcp pool PC_UNIT_3
 network 10.1.8.0 255.255.255.0
 default-router 10.1.8.1 
 dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8 
 option 150 ip 10.1.108.1 
!

! Guest pool for VLAN 200; no option 150 is offered to guests.
ip dhcp pool GUEST_WIFI
 network 172.16.16.0 255.255.255.0
 default-router 172.16.16.1 
 dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8 

!
! Fixed host bindings in the unit 1 subnet, keyed on client identifier.
ip dhcp pool tftp_server
 host 10.1.6.69 255.255.255.0
 client-identifier xxxxxx
 default-router 10.1.6.1 
 dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8 
!
ip dhcp pool raspberrypi
 host 10.1.6.50 255.255.255.0
 client-identifier xxxxxxx
 default-router 10.1.6.1 
 dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8 
!
!
!
!
! Login hardening, config archive and the local user account.
ip domain name xxxxxxxx
ip cef
! After 2 failed logins within 120 s, further logins are refused for 120 s.
! During that quiet period only sources matching ACL 10 (10.1.6.0/24 in
! this config) may still log in. Each attempt is delayed 10 s and both
! failures and successes are logged.
login block-for 120 attempts 2 within 120
login delay 10
login quiet-mode access-class 10
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid xxxxxxxx
!
!
! Config archives are written to 10.1.6.50 over TFTP, named by hostname
! ($h) and timestamp ($t). TFTP is unauthenticated and unencrypted, and the
! archived config contains password hashes and - with password encryption
! disabled on this router - any plaintext keys.
! NOTE(review): prefer an authenticated, encrypted transfer such as SCP.
archive
 path tftp://10.1.6.50/$h-$t
vtp mode transparent
username exec_login xxxxxxxxxx
!         
!
!
!
!
! WAN controllers: VDSL2 for the primary link, LTE for failover.
controller VDSL 0
 operating mode vdsl2
 firmware filename flash:VA_A_39t_B_35j_24m
!
! LTE modem: GPS is disabled and link-recovery thresholds are set.
controller Cellular 0
 lte sim data-profile 1 attach-profile 1 slot 0
 no lte gps enable
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
 description WWAN_failover
!
! VLAN database: 6-8 are the per-unit data VLANs, 106-108 the matching
! "ITS" VLANs (used as voice VLANs on the switchports), 200 the guest VLAN.
vlan 6
 name UNIT_1
!
vlan 7
 name UNIT_2
!         
vlan 8
 name UNIT_3
!
vlan 106
 name UNIT_1_ITS
!
vlan 107
 name UNIT_2_ITS
!
vlan 108
 name UNIT_3_ITS
!
vlan 200
 name GUEST
!
! Track object 1 follows the state of IP SLA probe 1.
track 1 ip sla 1
!

!
! Site-to-site IPsec (IKEv1) to two peers, authenticated with pre-shared keys.
! NOTE(review): `group 2` is the 1024-bit MODP Diffie-Hellman group, which
! is below current guidance; prefer group 14 or higher if the peers allow.
! `encr aes` without a key length selects 128-bit AES.
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 2
! With `no service password-encryption` on this router, these keys are
! held in the config in plaintext (redacted in the post).
crypto isakmp key xxxxxxx address xxxxxxxx
crypto isakmp key xxxxxxx address xxxxxxxx 
!
!
! ESP with AES encryption and SHA-256 HMAC integrity, in tunnel mode.
crypto ipsec transform-set transform-AES-SHA esp-aes esp-sha256-hmac 
 mode tunnel
!
!
!
! One crypto map entry per peer; traffic is selected by the VPN-1 and VPN-2
! ACLs. No `set pfs` line is present in either entry.
crypto map CMAP 10 ipsec-isakmp 
 description xxxxx
 set peer xxxxxxx
 set transform-set transform-AES-SHA 
 match address VPN-1
crypto map CMAP 20 ipsec-isakmp 
 description xxxxxx
 set peer xxxxxxxxx
 set transform-set transform-AES-SHA 
 match address VPN-2
!
!
!         
!
!
!
! Loopback and WAN-facing interfaces.
interface Loopback0
 ip address 10.10.10.6 255.255.255.255
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
! LTE failover uplink: NAT outside, inbound traffic filtered by ACL 199.
! NOTE(review): no `crypto map` is applied here, so on failover the
! VPN-matched traffic (which ACL 100 also exempts from NAT) would
! presumably leave this interface unencrypted - confirm intended behaviour.
interface Cellular0
 description xxxxxxx
 ip address negotiated
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer-group 2
!         
interface Cellular1
 no ip address
 encapsulation slip
!
! Primary uplink: address and default route come from DHCP, with the route
! tied to track object 1. NAT outside, ACL 199 inbound, crypto map CMAP.
interface Ethernet0
 description xxxxxxxx
 ip dhcp client route track 1
 ip address dhcp
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 crypto map CMAP
!
! Embedded switch ports. Access ports pair a data VLAN (6/7/8) with the
! matching voice VLAN (106/107/108).
interface GigabitEthernet0
 switchport access vlan 6
 switchport voice vlan 106
 no ip address
!
! Trunk to the unit 1 access point. No allowed-VLAN list is configured, so
! by default the trunk carries every VLAN, including those of units 2 and 3.
! NOTE(review): restrict it to the VLANs the AP needs with
! `switchport trunk allowed vlan`.
interface GigabitEthernet1
 description UNIT_1_AP3702i
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 description UNIT_2_AP3702i
 switchport access vlan 7
 switchport voice vlan 107
 no ip address
!
interface GigabitEthernet3
 description UNIT_3_AP3702i
 switchport access vlan 8
 switchport voice vlan 108
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 6
 switchport voice vlan 106
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 6
 switchport voice vlan 106
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 7
 switchport voice vlan 107
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 8
 switchport voice vlan 108
 no ip address
!
interface GigabitEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
! Routed VLAN interfaces (default gateways), all NAT inside.
! Only Vlan7 and Vlan8 carry an inbound ACL. Vlan6, Vlan106-108 and the
! guest Vlan200 have none, so the router will route from those subnets to
! every other internal subnet.
! Vlan1 (the trunk's default native VLAN) has no address.
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan6
 ip address 10.1.6.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!         
interface Vlan7
 ip address 10.1.7.1 255.255.255.0
 ip access-group 107 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan8
 ip address 10.1.8.1 255.255.255.0
 ip access-group 108 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan106
 ip address 10.1.106.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan107
 ip address 10.1.107.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan108
 ip address 10.1.108.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
! NOTE(review): guest VLAN with no inbound ACL. ACLs 107/108 deny only
! 10.1.0.0/16 destinations, so replies to 172.16.16.0/24 are permitted and
! guests can talk to the tenant subnets in both directions. An inbound ACL
! here denying the internal ranges would close that gap.
interface Vlan200
 ip address 172.16.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
!
! Router services, NAT, routing and the VPN traffic selectors.
ip forward-protocol nd
! Both the HTTP and HTTPS management servers are disabled on the router.
no ip http server
no ip http secure-server
!
!
! PAT (overload) out of whichever uplink the packet leaves by; each
! route-map matches ACL 100 together with the egress interface.
ip nat inside source route-map route1 interface Ethernet0 overload
ip nat inside source route-map route2 interface Cellular0 overload
! Floating default via Cellular0 (administrative distance 100) behind the
! DHCP-learned default. Host routes send 8.8.8.8 via the DHCP gateway and
! 8.8.4.4 via Cellular0, presumably so the SLA probe target always follows
! the primary link.
ip route 0.0.0.0 0.0.0.0 Cellular0 100
ip route 8.8.4.4 255.255.255.255 Cellular0
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 8.8.8.8 255.255.255.255 dhcp
ip ssh version 2
!
! Interesting traffic for the two tunnels: only the unit 1 subnets
! (10.1.6.0/24 and 10.1.106.0/24) are encrypted towards the remote sites.
ip access-list extended VPN-1
 permit ip 10.1.6.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.6.0 0.0.0.255 10.1.101.0 0.0.0.255
 permit ip 10.1.106.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.106.0 0.0.0.255 10.1.101.0 0.0.0.255
ip access-list extended VPN-2
 permit ip 10.1.6.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 10.1.6.0 0.0.0.255 10.1.102.0 0.0.0.255
 permit ip 10.1.106.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 10.1.106.0 0.0.0.255 10.1.102.0 0.0.0.255
!
! Reachability probe behind track 1: ICMP echo to 8.8.8.8 sourced from
! Ethernet0, running indefinitely.
ip sla 1
 icmp-echo 8.8.8.8 source-interface Ethernet0
ip sla schedule 1 life forever start-time now
!
dialer-list 2 protocol ip permit
!
route-map route1 permit 10
 match ip address 100
 match interface Ethernet0
!
route-map route2 permit 10
 match ip address 100
 match interface Cellular0
!
!
! ACL 10: sources still allowed to log in during a login quiet period
! (referenced by `login quiet-mode access-class 10`).
access-list 10 permit 10.1.6.0 0.0.0.255
! ACL 100: NAT selector. Traffic to the remote-site ranges is exempt from
! NAT; everything else from the internal and guest subnets is translated.
access-list 100 deny   ip any 10.1.5.0 0.0.0.255
access-list 100 deny   ip any 10.1.105.0 0.0.0.255
access-list 100 deny   ip any 10.1.4.0 0.0.0.255
access-list 100 deny   ip any 10.1.104.0 0.0.0.255
access-list 100 deny   ip any 10.1.3.0 0.0.0.255
access-list 100 deny   ip any 10.1.103.0 0.0.0.255
access-list 100 deny   ip any 10.1.2.0 0.0.0.255
access-list 100 deny   ip any 10.1.102.0 0.0.0.255
access-list 100 deny   ip any 10.1.1.0 0.0.0.255
access-list 100 deny   ip any 10.1.101.0 0.0.0.255
access-list 100 permit ip 10.1.6.0 0.0.0.255 any
access-list 100 permit ip 10.1.106.0 0.0.0.255 any
access-list 100 permit ip 10.1.7.0 0.0.0.255 any
access-list 100 permit ip 10.1.107.0 0.0.0.255 any
access-list 100 permit ip 10.1.8.0 0.0.0.255 any
access-list 100 permit ip 10.1.108.0 0.0.0.255 any
access-list 100 permit ip 172.16.16.0 0.0.0.255 any
! ACLs 107/108 (inbound on Vlan7/Vlan8): allow traffic within the unit's own
! /24, deny the rest of 10.1.0.0/16, permit everything else.
! NOTE(review): the deny covers only 10.1.0.0/16, so the guest subnet
! 172.16.16.0/24 and the loopback 10.10.10.6 remain reachable from these
! VLANs, and the matching voice subnets (10.1.107.0/24, 10.1.108.0/24) are
! blocked.
access-list 107 permit ip any 10.1.7.0 0.0.0.255
access-list 107 deny   ip any 10.1.0.0 0.0.255.255
access-list 107 permit ip any any
access-list 108 permit ip any 10.1.8.0 0.0.0.255
access-list 108 deny   ip any 10.1.0.0 0.0.255.255
access-list 108 permit ip any any
! ACL 199 (inbound on both WAN interfaces): blocklist that drops TCP 80,
! TCP 1720 and TCP/UDP 5060, then permits everything else.
! NOTE(review): SSH to the router's WAN address is therefore not filtered
! here, and the vty lines carry no `access-class`. A default-deny edge
! policy with explicit permits (VPN peers, return traffic) or a vty
! `access-class` would narrow the exposure.
access-list 199 deny   tcp any any eq www
access-list 199 deny   tcp any any eq 1720
access-list 199 deny   tcp any any eq 5060
access-list 199 deny   udp any any eq 5060
access-list 199 permit ip any any
!
!
!
! Control plane, MGCP defaults, terminal lines and NTP.
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!         
mgcp profile default
!
!
!
!
!
!
!
! `exec-timeout 0 0` disables the idle timeout on the console.
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
! Line 2 accepts every inbound transport but has `no exec`.
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
! Line 3 runs the LTE dialer chat-script.
line 3
 script dialer lte
 no exec
 speed 384000
line 8    
 no exec
 speed 384000
! Remote access is SSH only, but idle sessions never time out and no
! `access-class` restricts which sources may connect.
! NOTE(review): set a finite `exec-timeout` and add an `access-class`
! limiting SSH to the management subnet.
line vty 0 4
 exec-timeout 0 0
 transport input ssh
!
scheduler allocate 20000 1000
! NTP server with no NTP authentication lines visible in this config.
ntp server xxxxxxx
!
end
