Hi,
We currently have a miniature test network configured like so:
Interface | Config |
---|
Fast Ethernet 0 Fast Ethernet 1 switchport access vlan 2 Fast Ethernet 2 switchport access vlan 3 Fast Ethernet 3 switchport access vlan 4 | - ip address 10.0.0.52 255.255.0.0 - ip address 192.168.0.1 255.255.255.0 - no ip address - no ip address |
Machine A (10.0.6.9) -> Fast Ethernet 2
Fast Ethernet 3 -> Switch
Switch -> Fast Ethernet 0
Switch -> Machine B (10.0.6.10)
Vlan 3 & vlan 4 in bridge-group 1
with
bridge irb
and
bridge 1 protocol ieee
Using a Cisco 887M on "Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.0(1)M3, RELEASE SOFTWARE (fc2)"
We are attempting to use Fast Ethernet 2 & 3 to have a transparent firewall whilst also using the cisco as an EZVPN end-point with the implicit vlan 1 as outside and vlan 2 as inside.
We are experiencing 2 problems:
Number 1:
==========
When a network cable is unplugged from either of the FastEthernet ports in the bridge group and re-plugged, the vlan interface status ends up as:
VLan is up, Line Protocol is down
and does not re-enable until we do:
config term
interface vlan X
shutdown
no shutdown
Does anyone know if there is a way to automatically bring the VLAN and therefore the bridge group back to forwarding when the FastEthernet interface comes back up?
Number 2:
==========
Machine A is unable to communicate with the Cisco on IP address 10.0.0.52 through the bridge
(I am under the impression that the traffic should flow from machine A, through the bridge, to the switch and back to FastEthernet 1), whilst Machine B can ping and SSH to it with no difficulty.
Wireshark on Machine A shows that the machine receives no reply to an ARP "Who Has 10.0.0.52?" request.
Does anyone know why this is and if there is a way to correct this?
Thanks
-Rob
For our config see below:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CiscoVPN
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 0
!
!
!
ip source-route
!
!
!
!
ip cef
ip name-server ---.---.---.---
no ipv6 cef
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn voip
connect auto
group ----- key ------
mode client
peer ---.---.---.---
nat allow
username ---- password -----
xauth userid mode local
!
bridge irb
!
!
!
!
interface Loopback10
ip address 192.168.99.5 255.255.255.255
crypto ipsec client ezvpn voip inside
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 9
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 3
!
interface FastEthernet3
switchport access vlan 4
!
interface Vlan1
description VPN-Internet-Access
ip address 10.0.0.52 255.255.0.0
crypto ipsec client ezvpn voip
!
interface Vlan2
description VPN-Internal
ip address 192.168.0.1 255.255.255.0
crypto ipsec client ezvpn voip inside
!
interface Vlan3
description Bridged-Interface
no ip address
bridge-group 1
!
interface Vlan4
description Bridged-Interface
no ip address
bridge-group 1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
access-list 1 permit ---.---.---.---
access-list 1 permit ---.---.---.---
access-list 1 permit ---.---.---.---
access-list 101 permit ip ---.---.---.--- 0.0.1.255 any
access-list 101 permit ip ---.---.---.--- 0.0.0.255 any
access-list 101 permit ip ---.---.---.--- 0.0.0.7 any
access-list 101 permit ip ---.---.---.--- 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
line con 0
password 7 ---------
login local
no modem enable
line aux 0
line vty 0
exec-timeout 0 0
login local
transport input ssh
line vty 1 4
login local
transport input ssh
!
scheduler max-task-time 5000
ntp server ---.---.---.---
end