Transparent bridging on router.

danielr82 (Level 1)

I have a switch stack (and devices attached to that stack) all using VLAN 12.
There is a device provided by an ISP that I cannot see or configure (the presentation is by Ethernet and the device is offsite). The instructions from the ISP (Verizon) are to configure your devices using any one of these 8 static IP addresses on a /24 network, with .1 as the gateway.


If I plug the ISP presentation directly into a laptop it works; I can get out to the internet.
If the internet line is plugged into an unmanaged switch, then multiple devices can be configured without any issues.

If the ISP device is attached to a managed switch with a VLAN configured (which I wanted to do to segregate the network), then it appears that all traffic is dropped (as in, the ISP equipment appears to just reject any tagged packets).

What I am trying to do is set up a router using transparent bridging such that the switch stack and its tagged packets are able to be taken by the router, have the tags removed, and be forwarded to the ISP, where the packets should then not be dropped.

Everything that's on VLAN 12 at the switch end is configured and contactable from everything else (there is a firewall with an address configured on this network that's able to contact the switch, the switch is able to contact workstations, etc.).

The router is connected to the ISP and the router is accessible externally, but it seems that the router is dropping traffic on VLAN 12 now.

The devices are connected and can "see" each other; it's just that layer 3 connectivity across the office side of the bridge on the router doesn't seem to be working.

My configurations are below. - Can anyone see what I have gotten wrong?

Switch configuration:

vlan 12
name VLAN12-ISP2

interface GigabitEthernet1/0/3
switchport access vlan 12
switchport mode access

interface Vlan12
ip address A.B.C.3 255.255.255.0


On the switch, "show ip route" gives:

S* 0.0.0.0/0 [1/0] via X.Y.Z.174 (ISP 1)
C X.Y.Z.168/29 is directly connected, Vlan11
L X.Y.Z.170/32 is directly connected, Vlan11
C A.B.C.0/24 is directly connected, Vlan12
L A.B.C.3/32 is directly connected, Vlan12

sh cdp neig:
Device ID Local Intrfce Holdtme Capability Platform Port ID
RTR-01 Gig 1/0/3 140 T B S I CISCO2901 Gig 0/1
...

on the router:
Configuration:

hostname RTR-01
no ip routing
bridge irb

interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
bridge-group 1

interface GigabitEthernet0/1
no ip address
no ip route-cache
duplex auto
speed auto

interface GigabitEthernet0/1.12
description office side of router
encapsulation dot1Q 12
bridge-group 1

interface BVI1
ip address A.B.C.2 255.255.255.0

control-plane
!
bridge 1 protocol ieee
bridge 1 route ip


sh ip route
Default gateway is not set

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty


RTR-01#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
STACK01 Gig 0/1 175 R S I WS-C2960X Gig 1/0/3

show bridge

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self

Bridge Group 1:

Address Action Interface Age RX count TX count
0090.1aa2.5ad6 forward Gi0/0 0 95628 25464
RTR-01#

From the router I can get a ping response from the ISP (A.B.C.1) and from the router itself (A.B.C.2), but not from the switch (A.B.C.3) or from another device (the ASA, A.B.C.4).

From the switch I can get a ping response from the ASA (A.B.C.4) and from the switch SVI (A.B.C.3), but the router (A.B.C.2) and the ISP gateway (A.B.C.1) are unresponsive.

17 Replies

I am still not sure that you need IRB. But adding bridge 1 bridge ip would add the element that would make IRB pass your vlan 12 traffic. In your original post the router had disabled ip routing (no ip routing) and I wonder if that is still the case - or have you now enabled ip routing?

In general I believe that simple solutions are better than complex solutions. And IRB is more complex than just simple bridging. This is the reason why I suggested removing IRB (and that would want to remove the interface BVI). If you disable ip routing and put bridge groups on both interfaces (or on the subinterface if you are connecting to a trunk port on the switch) then the router should simply bridge the frames between the switch port and the provider. But if you got IRB to work then perhaps you want to keep it in the config.

I am a little unclear about in what circumstances the router does access outside resources and what circumstances it can not access outside resources. I wonder if part of that may relate to when ip routing is enabled and when it is not enabled. (when ip routing is disabled on the router then you need to configure the default-gateway on the router to be able to access outside resources)

I have been thinking about this statement " (e.g. ICMP traffic generated from the switch gets replies from the firewalls, gets replies from my router, gets replies from the ISP router 67.67.1.1, but after that no replies.)" It makes sense that the switch should be able to access resources within that subnet because for those resources it considers them local and will arp for them, and if it receives an arp response (which it should) then it will communicate. But to access anything further then the ISP router would depend on how the switch default gateway (or default route) was set. I am wondering if the switch default gateway (or default route) is set to Comcast rather than Verizon.

From your description it does seem that things that "should" work do not work (like plug the ISP directly into the switch). We do not know enough about your environment to offer much advice about that.

HTH

Rick

I think that you've got me on the right track now.

Some things still aren't working 100% as I'd expect, but it's working more than it has been so far...

the BVI interface has been removed, and IRB removed as well.

According to this page on the Cisco site, you are correct that when using a BVI the VLAN tags remain intact: http://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/17054-741-10.html (see the notes accompanying picture 4).

An IP address has been given to one of the interfaces, and this is now "pingable" from the firewall and from the outside.

Additionally, the firewall can ping the ISP router on the other side of the bridge, and if I add a specific route for a host telling it to use that line, it can ping addresses outside of the network.

(Weirdly, the switch, with its SVI, is getting replies when pinging the firewall, but not getting replies from either my router or the ISP router. As I plan to remove the SVI from this device I'm not too worried about that.)

I need to test this "full scale" (like get everything using it!) but I think it's working now.

(if it works I'll post the whole configuration in case it helps anyone else.)
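The poster's final configuration never appears on this page, so the following is an added illustration of the plain transparent-bridging setup Rick describes above (no IRB, no BVI, ip routing disabled, bridge-group on both sides, management address on one bridged interface with a default gateway). It is not the thread's own configuration. The hostname, interface numbers and the A.B.C.x addressing are taken from the thread; the ISP-facing port being Gi0/0, the office-facing port being a dot1Q trunk, and the management ACL are assumptions for the example. Two caveats a practitioner should check: the switch port facing Gi0/1 must be a trunk that sends VLAN 12 tagged (the switch config earlier in the thread shows an access port, which sends frames untagged, and untagged frames never match a dot1Q 12 subinterface), and when the router bridges between the tagged subinterface and the untagged provider interface it re-encapsulates each frame for the egress interface, which is exactly the tag stripping the original post asks for.

```cisco
! Added example: plain transparent bridging on a 2901, not the original poster's config.
! ISP2 (Verizon) hands off untagged Ethernet on Gi0/0; the office VLAN 12 arrives
! tagged on Gi0/1 (assumed trunk from the switch stack).
hostname RTR-01
!
! Bridging only: the router makes no layer 3 forwarding decisions.
no ip routing
!
! Provider side. With ip routing disabled the router behaves as a host on the
! bridged segment, so a single address here is enough for management.
interface GigabitEthernet0/0
 description ISP2 presentation, untagged
 ip address A.B.C.2 255.255.255.0
 duplex auto
 speed auto
 bridge-group 1
!
! Office side. The switch port on the far end is assumed to be a trunk carrying
! VLAN 12 tagged (switchport mode trunk / switchport trunk allowed vlan 12).
! If the switch port stays an access port, frames arrive untagged: put
! bridge-group 1 on GigabitEthernet0/1 itself and remove the subinterface.
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.12
 description office side of router, VLAN 12 tagged
 encapsulation dot1Q 12
 bridge-group 1
!
! Spanning tree for the bridge group. No "bridge 1 route ip" and no interface BVI:
! that would be IRB, which the thread concluded was not needed.
bridge 1 protocol ieee
!
! Needed for the router's own traffic (ping, SSH) to reach beyond the local /24
! while ip routing is disabled.
ip default-gateway A.B.C.1
!
! The management address sits in the provider's /24 and is reachable from the
! Internet (the original post notes the router is accessible externally), so
! restrict who may open a management session. Assumed ACL for the example.
ip access-list standard MGMT
 permit A.B.C.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 transport input ssh
```

To verify, "show bridge" on the router should list MAC addresses learned on both Gi0/0 and Gi0/1.12 (the thread's earlier output showed only one station, on Gi0/0, which is what a one-sided bridge looks like), and a host on VLAN 12 with its default gateway set to A.B.C.1 should be able to ARP for the ISP router through the bridge.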

I am glad that you now seem to be on the right track. If the firewall can ping the ISP router and if a host with the specific route can ping addresses outside of the network then I believe that you have it pretty well working.

I am not sure why the switch would be able to ping the firewall but not ping your router and the ISP router. If you want to investigate this further I would suggest that the first steps would be to post the output of show arp from the switch as well as the output of show ip route on the switch.

Is there anything else not working as you expect that is of concern to you?

HTH

Rick
