09-21-2019 08:10 AM
Hi Folks,
I have posted my config below for a little advice/suggestions.
This is 1 of 2 Cisco 887 routers which feed into a Cisco 2960 switch where I have mapped the access ports to VLANs as below. I have a few questions, as I had planned to use EtherChannel as a trunk but the Cisco 887 doesn't support EtherChannel:
1) The IPTV box works fine when connected to the Cisco 887 Fa3. When I run a cable from the Cisco 887 Fa3 to the Cisco 2960 Fa9 and then connect the IPTV box to Fa10, the IPTV box shows connected but doesn't stream picture. Should this not work, as all FastEthernet ports are in the same VLAN 90?
2) Would I be best setting these FastEthernet ports as trunks?
3) Would a single DHCP server work for all VLANs, 192.168.0.0/16? Then set an IP helper address?
Note: I will be adding HSRP so the server can use either internet connection and moving the ZBFW to an ASA 5510 because the Cisco 887 only provides 60 Mbps of the FTTC available 80 Mbps.
Any suggestions for a cost-effective Cisco 887 replacement to connect my 2 x FTTC circuits and provide Gig Ethernet/wireless?
Thanks in advance,
John
Cisco 2960 VLANs

VLAN  Name      Status  Ports
1     default   active  Fa0/1, Fa0/11, Fa0/12, Gi0/1, Gi0/2
10    LAN_MAIN  active  Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24
20    LAN_ALT   active  Fa0/2, Fa0/3, Fa0/4
50    LAN_IOT   active  Fa0/5, Fa0/6, Fa0/7, Fa0/8
90    IPTV      active  Fa0/9, Fa0/10
RouterRes#sh run
Building configuration...
Current configuration : 6104 bytes
!
! Last configuration change at 13:59:52 UTC Sat Sep 21 2019 by RouterResAdmin
! NVRAM config last updated at 12:39:11 UTC Sat Sep 21 2019 by RouterResAdmin
! NVRAM config last updated at 12:39:11 UTC Sat Sep 21 2019 by RouterResAdmin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterRes
!
boot-start-marker
boot-end-marker
!
!
enable password 7 13061E0108035C727C362D20
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.90.1 192.168.90.50
ip dhcp excluded-address 192.168.20.1 192.168.20.50
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.50.1 192.168.50.50
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 192.168.1.254
!
ip dhcp pool IPTV
network 192.168.90.0 255.255.255.0
default-router 192.168.90.254
dns-server 192.168.90.254
!
ip dhcp pool LAN_ALT
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
dns-server 192.168.20.254
!
ip dhcp pool LAN_MAIN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.254
!
ip dhcp pool LAN_IOT
network 192.168.50.0 255.255.255.0
default-router 192.168.50.254
dns-server 192.168.50.254
!
!
ip domain name cisco887res.local
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FGL17362220
!
!
username RouterResAdmin privilege 15 secret 5 $1$dXP7$8JplBb4SxDkUlgWBVEBb8.
!
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
description Allowed_Protocol_From_INSIDE_to_OUTSIDE
match protocol http
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol icmp
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
bridge irb
!
!
!
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip nat outside
ip virtual-reassembly in
no ip route-cache
pppoe enable group global
pppoe-client dial-pool-number 1
bridge-group 100
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
zone-member security INSIDE
!
interface FastEthernet1
switchport access vlan 10
no ip address
zone-member security INSIDE
!
interface FastEthernet2
switchport access vlan 20
no ip address
zone-member security INSIDE
!
interface FastEthernet3
switchport access vlan 90
no ip address
zone-member security INSIDE
!
interface Vlan1
description Default VLAN to be disabled
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Vlan10
description Main Network
no ip address
!
interface Vlan20
description Alternate VLAN to Main Network
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan50
description VLAN for IOT devices
no ip address
!
interface Vlan90
description VLAN for IP TV boxes
no ip address
bridge-group 100
!
interface Dialer0
no ip address
no cdp enable
!
interface Dialer1
description BT Res VDSL
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname bthomehub@btbroadband.com
ppp chap password 7 15020A1F173D24362C
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
interface BVI100
description L3 for fa0 and fa1 bridge group 100
ip address 192.168.90.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1350
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source static tcp 192.168.1.125 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.125 32400 interface Dialer1 32400
ip nat inside source static tcp 192.168.1.30 32401 interface Dialer1 32401
ip nat inside source static tcp 192.168.1.30 3389 interface Dialer1 33891
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 192.168.1.0 0.0.0.255
permit tcp any eq 3389 host 192.168.1.125 eq 3389
permit tcp any eq 33891 host 192.168.1.30 eq 3389
permit tcp any eq 32400 host 192.168.1.125 eq 32400
permit tcp any eq 32401 host 192.168.1.30 eq 32401
!
access-list 1 remark Networks allowed through Dialer interface
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 1 deny any
access-list 5 remark Remote Mgt Access
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 5 deny any
dialer-list 1 protocol ip permit
!
!
!
bridge 100 protocol ieee
bridge 100 route ip
!
line con 0
logging synchronous
line aux 0
line vty 0 4
access-class 5 in
exec-timeout 15 0
password 7 01100F1758045E57765E4B1A
logging synchronous
transport input all
!
!
end
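The config above has three things a practitioner would want to check before trusting the ZBFW: the zone-member statements sit on the FastEthernet switchports while the L3 interfaces (Vlan1, Vlan20, BVI100, Dialer1) are in no zone, so the two zone-pairs are not in the LAN-to-Internet path; INSIDE-TO-OUTSIDE-CLASS is match-all with several "match protocol" lines (one packet cannot be tcp and udp and dns at once, so the class never matches) and references an INSIDE-TO-OUTSIDE ACL that is not defined anywhere in the config; and the OUTSIDE-TO-INSIDE ACL matches the client's source port ("any eq 3389"), which Internet clients do not use. The fragments below are an added example, not from the original post, written as replacement stanzas for the posted ones, using the posted hostnames, addresses and ports.

```cisco
! Added example (not from the original post): corrected ZBFW/NAT stanzas
! for RouterRes. Apply after removing the posted versions of each stanza.
!
! 1) Zones go on the L3 interfaces packets are routed between, not on the
!    FastEthernet switchports. With this, IN-TO-OUT and OUT-TO-IN are
!    actually in the Vlan/BVI <-> Dialer1 path.
interface FastEthernet0
 no zone-member security INSIDE
interface FastEthernet1
 no zone-member security INSIDE
interface FastEthernet2
 no zone-member security INSIDE
interface FastEthernet3
 no zone-member security INSIDE
!
interface Vlan1
 zone-member security INSIDE
interface Vlan20
 zone-member security INSIDE
interface BVI100
 zone-member security INSIDE
interface Dialer1
 zone-member security OUTSIDE
!
! 2) match-any, so a packet matches if it is ANY of these protocols.
!    The undefined INSIDE-TO-OUTSIDE ACL reference is dropped.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 description Allowed_Protocol_From_INSIDE_to_OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! 3) ZBFW evaluates traffic arriving on Dialer1 after the static NAT has
!    translated it, so match the real inside host and real port and
!    leave the source port alone. The posted "permit icmp any
!    192.168.1.0 0.0.0.255" is dropped: replies to inside-originated
!    pings are already allowed by the inspect action on IN-TO-OUT.
ip access-list extended OUTSIDE-TO-INSIDE
 permit tcp any host 192.168.1.125 eq 3389
 permit tcp any host 192.168.1.30 eq 3389
 permit tcp any host 192.168.1.125 eq 32400
 permit tcp any host 192.168.1.30 eq 32401
!
! 4) "pass" is stateless and only lets the inbound direction through.
!    "inspect" creates a session entry, so the servers' replies are
!    allowed without needing a matching rule on the IN-TO-OUT pair.
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
```

Caveat: even with the ACL corrected, this publishes RDP (TCP 3389) on two LAN hosts to the whole Internet via the static NAT entries; restrict the source in the ACL to known addresses or reach those hosts over a VPN instead. Check the result with `show zone-pair security` and `show policy-map type inspect zone-pair sessions` while an RDP session is open.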
09-22-2019 03:31 AM - edited 09-22-2019 03:32 AM
Hello
so if I understand your topology, your 2 Cisco rtrs will have an internet feed each and these rtrs will be interconnected for resiliency incorporating HSRP.
Also you have a switch for end host connectivity that the two Cisco rtrs will be attached to via their lan facing interfaces
A possible solution can be that, as your rtrs will be providing the inter-vlan routing, their lan facing interfaces can be sub-interfaces specifying all the vlans with HSRP
On the switch ip routing will be disabled with just L2 vlans defined pertaining to the sub-interfaces of the rtrs
Only one SVI interface will be required for remote mgt with the Default Gateway pointing to the virtual ip (HSRP) address of its mgt vlan defined on the rtrs
Rapid spanning-tree will be enabled with access ports in PortFast mode
The ports attaching to your rtrs will be trunk interconnects
Access ports will be assigned their specific vlans
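The layout described in the reply above, written out as an added example for the posted hostnames and VLANs (this is not configuration from the thread). It also answers question 3 from the first post: a DHCP relay picks the scope from the relay address (giaddr), which is the SVI address of the VLAN the request came from, so the central server needs one scope per VLAN subnet; a single 192.168.0.0/16 scope would not do that. Assumptions not in the thread: the 887's Fa0 is the uplink to the 2960's Gi0/1, management lives in VLAN 10, and a DHCP server at 192.168.10.10 (hypothetical) serves the other VLANs. HSRP is left out because John reports the 887 does not support it. On the 887 the Fa ports are switchports of an embedded switch, so the VLANs arrive on a dot1q trunk and the L3 interfaces are the Vlan SVIs rather than sub-interfaces.

```cisco
! Added example, not from the original thread. Assumed: 887 Fa0 <-> 2960
! Gi0/1 trunk, management in VLAN 10, DHCP server 192.168.10.10.
!
! ---- Cisco 887 (RouterRes) ----
interface FastEthernet0
 description Trunk to 2960 Gi0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,50,90
!
! One SVI per VLAN carries the gateway, NAT and firewall zone.
interface Vlan10
 description Main Network (DHCP server lives here, no relay needed)
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Vlan20
 description Alternate VLAN to Main Network
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.10.10
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Vlan50
 description VLAN for IOT devices
 ip address 192.168.50.254 255.255.255.0
 ip helper-address 192.168.10.10
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
! Vlan90 stays in bridge-group 100 with its address on BVI100, exactly as
! in the posted config; the IPTV ports on the 2960 only need VLAN 90.
interface Vlan90
 description VLAN for IP TV boxes
 bridge-group 100
!
! Local pools for the relayed VLANs go away; the server holds one scope
! per subnet (192.168.20.0/24, 192.168.50.0/24, ...).
no ip dhcp pool LAN_ALT
no ip dhcp pool LAN_IOT
!
! ---- Cisco 2960 (layer 2 only) ----
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
vlan 10
 name LAN_MAIN
vlan 20
 name LAN_ALT
vlan 50
 name LAN_IOT
vlan 90
 name IPTV
!
interface GigabitEthernet0/1
 description Trunk to RouterRes Fa0
 switchport mode trunk
 switchport trunk allowed vlan 10,20,50,90
 switchport nonegotiate
!
interface range FastEthernet0/13 - 24
 description LAN_MAIN access
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface range FastEthernet0/9 - 10
 description IPTV access
 switchport mode access
 switchport access vlan 90
 spanning-tree portfast
!
! Single management SVI; default gateway is the router's VLAN 10 address
! (it would be the HSRP virtual address on a platform that supports it).
interface Vlan10
 description Switch management
 ip address 192.168.10.2 255.255.255.0
!
ip default-gateway 192.168.10.254
```

Verify with `show interfaces trunk` on both ends (VLANs 10, 20, 50 and 90 should be listed as allowed and active) and `show ip dhcp binding` on the server for a client in VLAN 20; if the relay is wrong, `debug ip dhcp server packet` on the 887 shows the giaddr the request was forwarded with.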
09-22-2019 05:16 AM
09-22-2019 06:46 AM
Hello
Regards the topology can you post a diagram so we can see the exact setup or how you wish it to be?
09-22-2019 12:15 PM
I think the suggestion from Paul about a diagram will be helpful. I am not sure what was in the link that you used that introduced you to IRB, so I cannot comment on how it relates to the current discussion. The main point of IRB is that it enables bridging on several interfaces and it uses a virtual interface (BVI) to do routing. IRB does bridging between the interfaces in the bridge group and does routing on the BVI. A key concept in IRB is that it establishes a bridged domain (all of the interfaces doing bridging) and a routed domain (the BVI) and it allows traffic to be forwarded between the domains.
In your config both interfaces Eth0.101 and vlan 90 are in bridge group 100. So both interfaces are using the same IP address. So why does it make sense to have the same IP on the outside interface and on the IPTV interface?
Perhaps another way to look into this issue starts with a statement from your post "Therefore everything should route out to the internet". I see the key element as being that they route to the Internet. To route it should start from one subnet and forward to a different subnet. When both interfaces are in the same bridge group and share the same IP address then you are really bridging to the Internet.
HTH
Rick
09-25-2019 10:04 AM
09-25-2019 09:52 AM
Hi Paul,
A crude drawing attached and apologies for the delay, it is one of those weeks!
The aim:
- Cisco 887 to provide internet to the Cisco 2960 switch.
- VLAN 1 will be disabled and
- There will be a VLAN for the Home network, Office Network, an alternate network for Testing/Guest and a separate network for the IPTV box. I may section off a network for IOT devices, as I see so many articles about security.
I am OK building my VLANs for different networks and controlling access. I had expected that the Cisco 887 Fa3 port and Cisco 2960 Fa9 and Fa10 would allow the IPTV box to run. They are all access ports in VLAN 90. However, it may be a problem with my Bridge (BVI100), which Richard has pointed out, as I believe my laptop worked OK in VLAN 20 and VLAN 1.
I may be best taking my plan back to the start as I kept hitting barriers with the Cisco 887 not running Ether Channel, HSRP, etc.
John
09-26-2019 06:49 AM
Rick,
I changed BVI100 to no ip address and applied 192.168.90.254 to the VLAN 90 interface. The IPTV box stopped working until I moved back to my config.
I believe I am doing the right thing here. The layer 3 VLAN IP address is assigned to the bridge. Here is my reference for the config.
https://www.cisco.com/c/en/us/td/docs/optical/15000r8_5/ethernet/454/guide/r85ether/r85irb.pdf
https://community.cisco.com/t5/networking-documents/how-to-configure-irb/ta-p/3131332
John
09-26-2019 01:13 PM
John
Thanks for the update. I looked at the diagram that you posted and see the fa switch port interfaces but do not see the Ether0/Ether0.101 interface. Can you clarify for me what that is and what it connects to?
I am still a bit puzzled about the use of IRB. When we talk about routing out to the Internet I expect to see one (or more) inside interface with an inside subnet communicating to an outside interface with an outside subnet. I am not seeing that here. But I have read and re-read this discussion and what becomes obvious is that IRB was suggested in the post from the BT site and that when configured with IRB using Fa3 that IPTV works. And when you moved the IP address from the BVI to the vlan interface that it did not work. So I just need to stop worrying about IRB and accept that it is part of the solution for this particular environment.
I am now thinking about why it does not work when you move the IPTV to the switch port. Can you set that up again and then post the output of show interface status from the switch?
HTH
Rick
09-27-2019 11:27 AM
Hi Rick,
The IRB config works now the IPTV box is connected via the switch.
Cabling: Cisco 887 Fa3 >> Cisco 2960 Fa9 and Cisco 2960 Fa10 to IPTV
The IPTV box initially could not connect to the router, or showed an internet connection but I got an error streaming. I thought I was going to have the same issue until I got internet channels streaming. Tentatively, the issue looks resolved and I will have to monitor, because the IPTV box was showing internet connection/streaming errors the next day.
The Ethernet 0 is not a physical interface, as the Cisco 887 has only FastEthernet 0-3 and a console port. The Ethernet0.101 is a sub-interface I created to tag traffic for the VDSL WAN connection configured with Dialer1. This is opposed to using the ATM interface for an ADSL WAN connection. From what I gather, the 887 is a Branch router and doesn't operate the same as the ISRs, with limited features, i.e. no HSRP, EtherChannel, and other functions I have not come across!
The IRB puzzle is one I will keep tinkering with as I am not 100% on why the IP is specified on the BVI and not the VLAN interface. I tried adding the IP to the interface and a different subnet to the BVI (like a GRE tunnel) but that didn't work. So next I will add another port to VLAN 90 and attach another device to see what happens.
Thanks for the interest/help mate, any suggestions welcome. I will post back in a few days with thumbs up or with bad news.
John
updated config:
Cisco 887
RouterRes#sh run
Building configuration...
Current configuration : 6099 bytes
!
! Last configuration change at 17:13:48 UTC Fri Sep 27 2019 by RouterResAdmin
! NVRAM config last updated at 17:13:53 UTC Fri Sep 27 2019 by RouterResAdmin
! NVRAM config last updated at 17:13:53 UTC Fri Sep 27 2019 by RouterResAdmin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterRes
!
boot-start-marker
boot-end-marker
!
!
enable password 7 13061E0108035C727C362D20
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.90.1 192.168.90.50
ip dhcp excluded-address 192.168.20.1 192.168.20.50
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.50.1 192.168.50.50
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 192.168.1.254
!
ip dhcp pool IPTV
network 192.168.90.0 255.255.255.0
default-router 192.168.90.254
dns-server 192.168.90.254
!
ip dhcp pool LAN_ALT
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
dns-server 192.168.20.254
!
ip dhcp pool LAN_MAIN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.254
!
ip dhcp pool LAN_IOT
network 192.168.50.0 255.255.255.0
default-router 192.168.50.254
dns-server 192.168.50.254
!
!
ip domain name cisco887res.local
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FGL17362220
!
!
username RouterResAdmin privilege 15 secret 5 $1$dXP7$8JplBb4SxDkUlgWBVEBb8.
!
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
description Allowed_Protocol_From_INSIDE_to_OUTSIDE
match protocol http
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol icmp
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
bridge irb
!
!
!
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip nat outside
ip virtual-reassembly in
no ip route-cache
pppoe enable group global
pppoe-client dial-pool-number 1
bridge-group 100
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
zone-member security INSIDE
!
interface FastEthernet1
switchport access vlan 10
no ip address
zone-member security INSIDE
!
interface FastEthernet2
switchport access vlan 20
no ip address
zone-member security INSIDE
!
interface FastEthernet3
switchport access vlan 90
no ip address
zone-member security INSIDE
!
interface Vlan1
description Default VLAN to be disabled
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Vlan10
description Main Network
no ip address
!
interface Vlan20
description Alternate VLAN to Main Network
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan50
description VLAN for IOT devices
no ip address
!
interface Vlan90
description VLAN for IP TV boxes
no ip address
bridge-group 100
!
interface Dialer0
no ip address
no cdp enable
!
interface Dialer1
description BT Res VDSL
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname bthomehub@btbroadband.com
ppp chap password 7 15020A1F173D24362C
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
interface BVI100
description Brdige VLAN90 to Ethernet0.101
ip address 192.168.90.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1350
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source static tcp 192.168.1.125 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.125 32400 interface Dialer1 32400
ip nat inside source static tcp 192.168.1.30 32401 interface Dialer1 32401
ip nat inside source static tcp 192.168.1.30 3389 interface Dialer1 33891
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 192.168.1.0 0.0.0.255
permit tcp any eq 3389 host 192.168.1.125 eq 3389
permit tcp any eq 33891 host 192.168.1.30 eq 3389
permit tcp any eq 32400 host 192.168.1.125 eq 32400
permit tcp any eq 32401 host 192.168.1.30 eq 32401
!
access-list 1 remark Networks allowed through Dialer interface
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 1 deny any
access-list 5 remark Remote Mgt Access
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 5 deny any
dialer-list 1 protocol ip permit
!
!
!
bridge 100 protocol ieee
bridge 100 route ip
!
line con 0
logging synchronous
line aux 0
line vty 0 4
access-class 5 in
exec-timeout 15 0
password 7 01100F1758045E57765E4B1A
logging synchronous
transport input all
!
!
end
09-28-2019 09:14 AM
John
Thanks for the update. Glad to know that IPTV now does work when connected via switch. Do let us know your results as you continue to work on this.
HTH
Rick
09-30-2019 02:08 AM
Hi Rick,
Unfortunately the wheels fell off the next morning!
The IPTV box was showing connected to the internet, resolved EPG channel/program information but no picture with an error appearing. Therefore the box has been reconnected to Cisco 887 Fa3 and all is working.
Work continues and I will post a solution ... when found
John
09-30-2019 08:20 AM
John
Thanks for the update. Sorry to hear that it has taken a step backwards. Interesting that it seems to work ok when connected to router fa3 but has problems when connected to the switch. Don't know if there are other things you need to do first or whether you would want to work on the switch issue now. But when you are ready to work on the switch please do these steps:
- connect router fa3 to switch. (can you confirm that this connection is using standard Ethernet cable?)
- connect IPTV to switch.
- post the output of show vlan from switch.
- post output of show interface status from switch.
- post output of show ip interface brief from the router.
- post the output of show arp from the router.
- post the current running config from the switch.
HTH
Rick
09-22-2019 04:27 AM - edited 09-22-2019 04:42 AM
There is something in your router config that I do not understand. Why are you running IRB? And why is your vlan90/fa3 (for IPTV) in the same bridge group as interface Ethernet0.101 (your outside interface)?
HTH
Rick
09-22-2019 05:30 AM