
Question regarding BVI

aquilla Member Posts: 148
Hi Guys,

I have an 877w which is set up with a BVI to bridge the wired and wireless sections together on the same network. One thing I've noticed is a problem with pinging wireless devices from the wired segment and pinging wireless devices from other wireless devices. The router can ping all devices regardless of where they sit.

From my desktop (wired) trying to ping my wireless laptop (192.168.1.100) and the wireless printer (192.168.1.192). Both of which are currently on:

C:\Users\Stuart>ping 192.168.1.192

Pinging 192.168.1.192 with 32 bytes of data:
Reply from 192.168.1.96: Destination host unreachable.
Reply from 192.168.1.96: Destination host unreachable.
Reply from 192.168.1.96: Destination host unreachable.
Reply from 192.168.1.96: Destination host unreachable.

Ping statistics for 192.168.1.192:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\Users\Stuart>ping 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.96: Destination host unreachable.
Reply from 192.168.1.96: Destination host unreachable.
Reply from 192.168.1.96: Destination host unreachable.
Reply from 192.168.1.96: Destination host unreachable.

Ping statistics for 192.168.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


From the router:

Router#ping 192.168.1.100 repeat 50

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 1/2/4 ms
Router#ping 192.168.1.192 repeat 50

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 192.168.1.192, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 1/8/36 ms

I also can't browse to the printer's HTTP page for management. The laptop is also unable to ping the printer (as such we have no printing at the moment unless I hook up a cable); however, the laptop can ping my wired desktop!

The laptop is currently surfing the internet via the wireless so connectivity is good.

Here are the relevant parts of my config:
interface Vlan1
 no ip address
 bridge-group 1
end

Router#show run int Dot110
Building configuration...

Current configuration : 280 bytes
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 broadcast-key vlan 1 change 1800
 !
 !
 ssid HIDDEN
 !
 speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 channel 2412
 station-role root
end

Router#show run int Dot110.1
Building configuration...

Current configuration : 259 bytes
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
end

Router#show run int bvi 1
Building configuration...

Current configuration : 161 bytes
!
interface BVI1
 description *** Internal Network ***
 ip address 192.168.1.254 255.255.255.0
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
end

bridge irb
bridge 1 protocol ieee
bridge 1 route ip

Regards,

CCNA R&S; CCNP R&S

Comments

  • Poison_Dwarf Registered Users Posts: 2
    Did you ever resolve this... I am facing the same problem. It's driving me mad!
  • jibbajabba Member Posts: 4,317
    Just got myself an 877W which is the first time I actually worked with any Cisco device. Took me a while to get it working myself ..

    Here's my config:
    Cisco#sh run
    Building configuration...
    
    Current configuration : 6973 bytes
    !
    ! Last configuration change at 15:20:46 GMT Mon Jun 20 2011 by router
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime localtime
    service password-encryption
    service internal
    !
    hostname Cisco
    !
    boot-start-marker
    boot system flash c870-advipservicesk9-mz.124-24.T5.bin
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 4096000
    enable secret 5 xxx
    !
    aaa new-model
    !
    !         
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
    !
    crypto pki trustpoint TP-self-signed-399913742
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-399913742
     revocation-check none
     rsakeypair TP-self-signed-399913742
    !
    !
    crypto pki certificate chain TP-self-signed-399913742
     certificate self-signed 01
    xxx
      	quit
    dot11 syslog
    !
    dot11 ssid cheesecake
     authentication open 
     authentication key-management wpa
     guest-mode
     wpa-psk ascii 7 xxx
    !
    no ip source-route
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.13.240
    ip dhcp excluded-address 192.168.13.254
    ip dhcp excluded-address 192.168.13.200 192.168.13.210
    !
    ip dhcp pool MikeHome
       import all
       network 192.168.13.0 255.255.255.0
       domain-name xxx.co.uk
       default-router 192.168.13.254 
       dns-server xxx xxx
       update arp
    !
    !
    ip cef
    ip name-server xxx
    ip name-server xxx
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    password encryption aes
    !
    !
    username mike password 7 xxx
    username router privilege 15 secret 5 xxx
    ! 
    !
    crypto isakmp policy 5
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key 6 xxx address xx.xx.xx.xx
    crypto isakmp keepalive 15
    !
    !
    crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac 
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Tunnel to DC
     set peer xx.xx.xx.xx
     set transform-set ESP-AES128-SHA 
     match address 100
    !
    archive
     log config
      hidekeys
    !
    !
    !         
    bridge irb
    !
    !
    interface ATM0
     description ADSL Connection
     no ip address
     no atm ilmi-keepalive
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl operating-mode adsl2+ 
     dsl enable-training-log 
     dsl bitswap both
     hold-queue 200 in
    !
    interface FastEthernet0
     description Aspire-Revo
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Virtual-Template1
     ip unnumbered Dialer0
     peer default ip address pool vpdn_pool
     no keepalive
     ppp encrypt mppe auto
     ppp authentication ms-chap ms-chap-v2
    !
    interface Dot11Radio0
     no ip address
     !
     encryption mode ciphers tkip 
     !
     ssid cheesecake
     !
     speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
     station-role root
     no cdp enable
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    !
    interface Vlan1
     no ip address
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    interface Dialer0
     bandwidth inherit
     ip address negotiated
     no ip redirects
     no ip unreachables
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression iphc-format
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap pap callin
     ppp chap hostname xxxx
     ppp chap password 7 xxxx
     ppp pap sent-username xxxx password 7 xxx
     ppp ipcp dns request
     ppp ipcp wins request
     crypto map SDM_CMAP_1
     ip rtp header-compression iphc-format
    !
    interface BVI1
     ip address 192.168.13.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    !
    ip local pool vpdn_pool 192.168.13.200 192.168.13.210
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    ip http secure-server
    !
    !
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    !
    access-list 1 permit 192.168.13.0 0.0.0.255
    access-list 100 remark Traffic via DC
    access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
    access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
    access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.16.0 0.0.15.255
    access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.32.0 0.0.15.255
    access-list 102 remark Traffic via ADSL
    access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
    access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
    access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.16.0 0.0.15.255
    access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.32.0 0.0.15.255
    access-list 102 permit ip 192.168.13.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 102
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
     password 7 xxx
     no modem enable
    line aux 0
     password 7 xxx
    line vty 0 4
     password 7 xxx
     transport input ssh
     transport output telnet ssh
    !         
    scheduler max-task-time 5000
    ntp server xxx prefer
    ntp server xxx prefer
    end
    

    The magic line was the overload line
    ip nat inside source list access-list number interface overload
    

    So my default without any IPSec Tunnels etc. was
    ip nat inside source list 1 interface Dialer0 overload
    !
    access-list 1 permit 192.168.13.0 0.0.0.255
    dialer-list 1 protocol ip permit
    
    My own knowledge base made public: http://open902.com :p
  • aquilla Member Posts: 148
    Poison_Dwarf wrote: "Did you ever resolve this... I am facing the same problem. It's driving me mad!"

    Hi,

    Blimey, I'd forgotten about this post. Yes, I did solve it. It was to do with the encapsulation dot1Q on the wireless subinterface. I believe some devices (e.g. my wireless printer) didn't like it and so wouldn't play fair.

    I removed the wireless subinterface and configured the bridge-group under the proper interface. Since doing that everything is a peach.

    Here's the new config:

    rtr-crwy-01#show run int dot110
    Building configuration...

    Current configuration : 490 bytes
    !
    interface Dot11Radio0
     description *** Wireless Network ***
     no ip address
     !
     encryption mode ciphers aes-ccm
     !
     broadcast-key change 3600
     !
     !
     ssid HIDDEN
     !
     speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
     channel 2412
     station-role root access-point
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    end

    rtr-crwy-01#show run int vlan 1
    Building configuration...

    Current configuration : 159 bytes
    !
    interface Vlan1
     description *** Ethernet Network ***
     no ip address
     pppoe-client dial-pool-number 1
     bridge-group 1
     bridge-group 1 spanning-disabled
    end

    rtr-crwy-01#show run int bvi 1
    Building configuration...

    Current configuration : 366 bytes
    !
    interface BVI1
     description *** Internal Network ***
     mac-address 001c.xxxx.xxxx
     ip address 192.168.1.254 255.255.255.0
     ip directed-broadcast
     ip nat inside
     ip virtual-reassembly in
     ipv6 address 2001:470:::1/64
     ipv6 enable
     ipv6 mtu 1280
     ipv6 nd prefix 2001:470:::/64 no-advertise
     ipv6 nd advertisement-interval
     ipv6 nd ra interval 30
    end


    The MAC address statement under the BVI interface is required to get PPPoE working with my ISP (don't ask - it's a long story).

    The above setup works for me just using 1 VLAN.
    Regards,

    CCNA R&S; CCNP R&S
  • Poison_Dwarf Registered Users Posts: 2
    Thanks aquilla... It turns out my issue was exactly that. I removed the dot1q config and it's now working!

    I spent hours looking and still didn't spot it.

    Great website... going to stick around I think as I'm about to sit my CCNA, you guys seem like a good bunch.
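
A check for the condition this thread resolved, as an added example that is not part of any poster's message: it reads a saved `show run` and flags a radio subinterface that joins a bridge group while carrying `encapsulation dot1Q`. It goes slightly beyond the thread by also confirming that each bridge group has `bridge irb`, `bridge N route ip` and a matching BVI. The function names and the condensed sample configs are constructed here, and the parser assumes the one-space indentation that `show run` produces.

```python
import re

# Constructed samples, condensed from the radio layouts posted in the thread.
COMMON = """interface Vlan1
 bridge-group 1
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
!
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
"""
BEFORE = """interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
""" + COMMON
AFTER = """interface Dot11Radio0
 bridge-group 1
!
""" + COMMON

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def audit_bridge_groups(config):
    """Return findings about bridge-group membership and IRB settings."""
    ifaces, findings, groups = parse_interfaces(config), [], set()
    for name, cmds in ifaces.items():
        for group in re.findall(r"^bridge-group (\d+)$", "\n".join(cmds), re.M):
            groups.add(group)
            tagged = any(c.startswith("encapsulation dot1Q") for c in cmds)
            if re.match(r"(?i)dot11radio\d+\.\d+$", name) and tagged:
                findings.append(f"group {group}: {name} is a dot1Q-tagged radio subinterface")
    for group in sorted(groups):
        for needed in ("bridge irb", f"bridge {group} route ip", f"interface BVI{group}"):
            if not re.search(rf"^{needed}\s*$", config, re.M):
                findings.append(f"group {group}: missing '{needed}'")
    return findings
```

Run `audit_bridge_groups()` on the text of a saved configuration; an empty list means none of these conditions were found.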