Cisco 877W Switchport as WAN interface

Unanswered Question
Oct 10th, 2010

Hello

Can anyone help me figure this out? I have an 877W router and I need it to work with cable internet.

As the 877W has only one routable port, the DSL port, I'm trying to achieve this with VLAN and BVI interfaces. My configuration below works, but only for a short time. Then it hangs and I need to give the "shut" and "no shut" commands on the BVI interface to re-establish the internet connection.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname 877W
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret ....
!
no aaa new-model
!
dot11 ssid 877W
   vlan 3
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 ....
!
dot11 ssid 877WMobile
   vlan 4
   authentication open
   guest-mode
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.254
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.50 192.168.2.254
ip dhcp excluded-address 192.168.1.2
!
ip dhcp pool LAN
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 213.157.196.131 213.157.196.132
   default-router 192.168.2.1
!
ip dhcp pool SecuredRadio
   import all
   network 192.168.3.0 255.255.255.0
   dns-server 213.157.196.131 213.157.196.132
   default-router 192.168.3.1
   lease infinite
!
ip dhcp pool UnsecuredRadio
   import all
   network 192.168.4.0 255.255.255.0
   dns-server 213.157.196.131 213.157.196.132
   default-router 192.168.4.1
   lease 5
!
!
ip name-server 213.157.196.131
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-545744410
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-545744410
revocation-check none
rsakeypair TP-self-signed-545744410
!
!
crypto pki certificate chain TP-self-signed-545744410
certificate self-signed 01
....
  quit
!
!
username .... privilege 15 password 0 ....
!
!
class-map type inspect match-all WAN_IN
match access-group name WAN_IN
class-map type inspect match-any mail
match protocol pop3
match protocol smtp extended
class-map type inspect match-all MAIL
match access-group name VLANS_OUT
match class-map mail
class-map type inspect match-all ROUTER_IN
match access-group name ROUTER_IN
class-map type inspect match-all VLANS_OUT
match access-group name VLANS_OUT
!
!
policy-map type inspect Internet_Access
class type inspect MAIL
  inspect
class type inspect VLANS_OUT
  inspect
class class-default
  drop log
policy-map type inspect Inside_Access
class type inspect WAN_IN
  inspect
class class-default
  drop log
policy-map type inspect Router_Access
class type inspect ROUTER_IN
  pass
class class-default
  drop log
!
zone security OUTSIDE
zone security INSIDE
zone-pair security INSIDE_to_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect Internet_Access
zone-pair security OUTSIDE_to_INSIDE source OUTSIDE destination INSIDE
service-policy type inspect Inside_Access
zone-pair security OUTSIDE_to_SELF source OUTSIDE destination self
service-policy type inspect Router_Access
!
!
bridge irb
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Dot11Radio0
description Radio Interface
no ip address
no ip redirects
ip virtual-reassembly
ip route-cache flow
no dot11 extension aironet
!
encryption vlan 3 mode ciphers tkip
!
ssid 877W
!
ssid 877WMobile
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
description Secured Radio Access Point
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly
zone-member security INSIDE
no cdp enable
!
interface Dot11Radio0.2
description Unsecured Radio Access Point
encapsulation dot1Q 4 native
ip address 192.168.4.1 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly
zone-member security INSIDE
no cdp enable
!
interface Vlan1
no ip address
bridge-group 1
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly
zone-member security INSIDE
ip route-cache flow
!
interface Vlan3
no ip address
!
interface Vlan4
no ip address
!
interface BVI1
mac-address 0002.3f1f.ba65
ip address dhcp
no ip redirects
ip nat outside
ip virtual-reassembly
zone-member security OUTSIDE
ip route-cache flow
!
ip route 0.0.0.0 0.0.0.0 BVI1 95.104.105.1 permanent
!
!
ip http server
ip http port 8080
ip http authentication local
ip http secure-server
ip dns server
ip nat pool NX 192.168.3.2 192.168.3.2 netmask 255.255.255.0 type rotary
ip nat inside source list VLANS_OUT interface BVI1 overload
ip nat inside destination list RNAT-LAN pool NX
!
ip access-list extended NAT
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended RNAT-LAN
permit tcp any any eq 3389
permit tcp any any eq www
ip access-list extended ROUTER_IN
permit ip any any
ip access-list extended VLANS_OUT
permit ip any any
ip access-list extended WAN_IN
permit ip any any
!
logging trap critical
logging source-interface Vlan1
logging 192.168.2.1
no cdp run
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ....
login
!
no scheduler max-task-time
end

After the WAN interface hangs, I can still telnet to the router, but it can't ping anything except its own outside IP address.

Maybe something is wrong with the route?

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 95.104.105.1 to network 0.0.0.0

     213.157.196.0/32 is subnetted, 1 subnets
S       213.157.196.27 [254/0] via 95.104.105.1, BVI1
C    192.168.4.0/24 is directly connected, Dot11Radio0.2
     95.0.0.0/24 is subnetted, 1 subnets
C       95.104.105.0 is directly connected, BVI1
C    192.168.2.0/24 is directly connected, Vlan2
C    192.168.3.0/24 is directly connected, Dot11Radio0.1
S*   0.0.0.0/0 [1/0] via 95.104.105.1, BVI1


Please help

Paolo Bevilacqua Sun, 10/10/2010 - 14:26

I would eliminate the ZBFW, which is completely useless and only causes trouble.

Basically when troubleshooting, you start with the very minimal configuration.

tstewart Mon, 10/11/2010 - 04:07

Your configuration looks fine.  Traffic coming in F0/0 will be routable through the BVI.  You have NAT configured to translate all IP addresses from the inside to the BVI's IP address.  The firewall is configured to inspect all WAN traffic going to the LAN and pass all traffic going to the router itself.  It is also configured to inspect all traffic going from the LAN to the WAN, including SMTP/POP3.

You said that everything works but after a while you can no longer access the internet from the LAN, is that correct?  When it is in the broken state, what do a show interface bvi, show interface fast 0/0, and show interface vlan1 show?  Are you able to ping both the LAN and WAN IP addresses from the inside?  Are you able to ping the WAN gateway from the router itself?  I am suspecting there could be an issue with the BVI, vlan 1 or fast 0/0 which is causing your problem; the show interfaces will help us determine that.  BTW, fast 0/0 is currently configured for auto-duplex. Do you know if the remote side is also configured for auto or is it hard coded?  If the remote is hard coded, then you will also need to hard code fas0/0.

Tim

zxspectrum128kb Mon, 10/11/2010 - 12:48

Thanks for help

Yes, it's correct, and by the way, I've discovered that it hangs up much more often while the BVI1 interface is inactive (no internet use). I'm not saying it doesn't hang up if I use it intensively; the fact is that it hangs up anyway.

I will post the interface statuses when it freezes next.

I can ping all interfaces from the inside, including the IP address of the BVI1 interface, but it loses its connection with the gateway.

I used AUTO mode for testing, in hope that this will somehow help make it stable.

I have no idea what is happening. When I do a restart, it works perfectly. No errors, no warnings, debug shows nothing.

zxspectrum128kb Mon, 10/11/2010 - 23:33

Well, another freeze, here are results:

E0:

FastEthernet0 is up, line protocol is up
Hardware is Fast Ethernet, address is 001e.1366.9d10 (bia 001e.1366.9d10)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 11000 bits/sec, 20 packets/sec
5 minute output rate 2000 bits/sec, 4 packets/sec
9093120 packets input, 2923237890 bytes, 0 no buffer
Received 3386086 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
1376349 packets output, 155581095 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

Vlan1

Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 001e.1366.9d10 (bia 001e.1366.9d10)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 18000 bits/sec, 33 packets/sec
5 minute output rate 3000 bits/sec, 5 packets/sec
12031898 packets input, 3029553424 bytes, 26 no buffer
Received 3789484 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
1372059 packets output, 149778522 bytes, 0 underruns
0 output errors, 12 interface resets
0 output buffer failures, 0 output buffers swapped out

BVI1

BVI1 is up, line protocol is up
Hardware is BVI, address is 0002.3f1f.ba65 (bia 001e.1366.9d10)
Internet address is 95.104.105.95/24
MTU 1500 bytes, BW 100000 Kbit, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 05:51:55, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/3385/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 3 packets/sec
1761265 packets input, 2063277027 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1264009 packets output, 140223992 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

tstewart Tue, 10/12/2010 - 04:23

Well, this isn't as easy as I had hoped it would be.  The show interfaces indicate nothing is wrong with Fas0/0 or Vlan1.  The BVI shows a large number of input queue drops.  Did you by chance capture a couple of show interfaces when you were trying to ping out of the router (to see if any of the counters increased)?  Some possibilities are:  STP on bridge-group 1 is blocking, Vlan->transparent bridging is hanging (software issue), some routing issue. A simple test that would help isolate the problem would be to connect a PC to FE3, then place FE3 into vlan1.  When the problem happens, see if you can ping from the PC to the BVI. (You will need to statically assign an IP address to the PC that is within the subnet used by the BVI.)

I suspect you will need to open a case to have this issue looked at in depth.  It seems to be heading down a path where some in-depth troubleshooting is going to be needed.

Tim

zxspectrum128kb Tue, 10/12/2010 - 06:30

Tim, a little problem: I can't ping the BVI from the PC even when it works.

I need to put the PC into the BVI subnet, so it will have an external IP, right? If BVI1 has an IP like 95.104.105.95, it must have 95.104.105.96, for example, right?

tstewart Tue, 10/12/2010 - 06:53

Correct.  The BVI is using DHCP to get its address.  If its address is 95.104.105.95 then the PC's address would need to be 95.104.105.96.  The PC needs to be in vlan 1.  The PC should be able to ping the BVI under normal circumstances, but it will not likely be able to get out onto the internet unless you have multiple addresses given to you by the ISP.


Tim

zxspectrum128kb Tue, 10/12/2010 - 06:55

Tim, while I was waiting for your reply, I decided to troubleshoot those input drops and discovered this web page explaining the Input Hold Queue:

http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080094791.shtml

I then issued the command which I found there, show processes CPU | i ^PID|Input, and the results are as follows:

   3      248292   7317041         33  0.00%  0.09%  0.08%   0 HyBridge Input P
   8     1251088   3804793        328  0.73%  0.62%  0.58%   0 ARP Input
  42         260      3930         66  0.00%  0.00%  0.00%   0 Net Input
  56           0         2          0  0.00%  0.00%  0.00%   0 ATM OAM Input
  79      217612    184064       1182  0.49%  0.11%  0.08%   0 IP Input
108           0         2          0  0.00%  0.00%  0.00%   0 ILMI Input
122           0         1          0  0.00%  0.00%  0.00%   0 RARP Input
206           4         3       1333  0.00%  0.00%  0.00%   0 DNS Server Input

Seems like ARP input is higher than normal. I bet that there are unnecessary packets coming from the ISP and my router's Input Hold Queue fills up.

zxspectrum128kb Tue, 10/12/2010 - 07:06

Well,

PC: 95.104.105.96 / 255.255.255.0
 |
Fa3: switchport access vlan 1 (native)
 |
Vlan1: no ip address, bridge-group 1
 |
BVI1: 95.104.105.95
....

The PC can ping only its own IP address.

tstewart Tue, 10/12/2010 - 07:06

The ARP process utilization is actually fairly low.  Generally speaking, process switched packets are stored in the input queue until they can be dealt with.  The default size of the queue is 75, therefore any more than that will be dropped.  There are other reasons why the input queue dropped counter could be incremented, and it doesn't necessarily mean that the input queue was full.  If you look at multiple show int bvi and see the input queue dropped counter incrementing but the queue always stays at 0, then you are running into one of those situations which we would need to look into.  If the input queue counter is moving and once in a while a drop occurs, then it is a good bet that there is a lot of process switching happening (a show interface switching will also show this).  If there is a lot of process switching, then we will need to look at what those packets are (are they destined to the router, do they have an expiring TTL, etc.).

Tim

zxspectrum128kb Tue, 10/12/2010 - 07:24

BVI1
          Throttle count          0
                   Drops         RP       3385         SP          0
             SPD Flushes       Fast          0        SSE          0
             SPD Aggress       Fast          0
            SPD Priority     Inputs          0      Drops          0

    Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process     152169   16197863     100734    6551652
            Cache misses          0          -          -          -
                    Fast    1910507 2189026335          0          0
               Auton/SSE          0          0          0          0

    Protocol  Trans. Bridge
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        139      26754          0          0
            Cache misses          0          -          -          -
                    Fast          0          0    1298200  154198809
               Auton/SSE          0          0          0          0

    Protocol  ARP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process    3836991  230219460      18180    1090800
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

    NOTE: all counts are cumulative and reset only after a reload.

The Protocol ARP process count changes rapidly, incrementing.

Input queue: 0/75/3385/0 (size/max/drops/flushes); Total output drops: 0

I've been looking at that 3385 number; it hasn't changed in about 10 minutes already.

zxspectrum128kb Tue, 10/12/2010 - 07:47

Tim, do I need to set an IP address on the Vlan 1 interface to ping from the PC to BVI1? Not really, right?

tstewart Tue, 10/12/2010 - 09:52

The PC should be working to the BVI IP address.  Can you look at the router's ARP cache (show arp) and verify that the PC's address is listed with the correct MAC address?  Do it a few times to make sure the MAC isn't changing; also look to see if other MACs are changing and if the IP addresses listed are what you would expect.  You should also look at the PC's ARP cache to see what it has for the router (arp -a if it is Windows).  I am curious, why are you hardcoding a MAC address on the BVI?  You shouldn't need to do that since the remote gateway will pick up the bia of the BVI interface.

zxspectrum128kb Tue, 10/12/2010 - 10:30

Tim, that's because my ISP gives an IP address only after it recognizes my hardware; it's their registration rule and I registered my laptop during sign-up. That's my laptop's MAC address, which I can't put on the VLAN interface, so I decided to use the BVI.

sh arp doesn't show the PC...  I will check my config again...

zxspectrum128kb Tue, 10/12/2010 - 10:49

Tim, it's pinging! I forgot to remove the PC's (laptop's) MAC address; it was the same as BVI1's.

Now it's time to do our test.

sandervanloosbroek Wed, 10/13/2010 - 03:43

I had the same problem and made a simpler solution. I created a VLAN on one of the switchports:

interface FastEthernet0
 switchport access vlan 100
interface Vlan100
 description Cable internet
 ip address 188.xxx.xxx.xxx 255.255.255.xxx   //this is your client IP address
 ip nat outside
 ip virtual-reassembly

And then

ip route 0.0.0.0 0.0.0.0

You're using DHCP but I found this to be unreliable. I suggest you try your setup with static IPs first and then try to implement DHCP.

zxspectrum128kb Thu, 10/14/2010 - 03:18

Guys, I have a very strange situation here.

I set up BVI1 with a static IP as Sander said. When it froze, I tried to get the internet back as always (shut - no shut), but it wasn't able to reach the gateway until I moved back to DHCP mode. When I moved the BVI1 interface back to DHCP mode, it started to work again. Then I set up the BVI with the static IP.

I really don't know what to do ((

zxspectrum128kb Thu, 10/14/2010 - 04:30

I did a debug of the DHCP client:

000301: *Jun  3 07:24:28.875: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x845FD183
000302: *Jun  3 07:24:28.875: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x845FD183
000303: *Jun  3 07:24:43.839: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xF5C4559F
000304: *Jun  3 07:24:48.071: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x3C1A178E
000305: *Jun  3 07:25:18.703: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xA737498E
000306: *Jun  3 07:25:21.947: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xA737498E
000307: *Jun  3 07:25:22.667: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xD4331ACF
000308: *Jun  3 07:26:57.903: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x8F8F1662
000309: *Jun  3 07:27:27.643: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xCE26ADE8
000310: *Jun  3 07:28:17.575: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xE7CD0E99
000311: *Jun  3 07:28:57.079: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xC4E3E996
000312: *Jun  3 07:29:25.703: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xC58FD5FA
000313: *Jun  3 07:30:14.951: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x3FEEE202
000314: *Jun  3 07:31:46.911: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x3CB8F3DB
000315: *Jun  3 07:32:14.439: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x7BF5E518
000316: *Jun  3 07:32:36.819: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x56B54B45
000317: *Jun  3 07:32:37.319: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x4D29EAA6
000318: *Jun  3 07:33:33.175: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xDC822B10
000319: *Jun  3 07:33:38.783: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xB93FDEE3
000320: *Jun  3 07:33:45.267: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xE3E3A7CD
000321: *Jun  3 07:34:17.115: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xF823A7A0
000322: *Jun  3 07:34:21.139: DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x8E8BE736

Any ideas what these packets mean?

tstewart Thu, 10/14/2010 - 05:14

The messages from the debug mean that the router saw a DHCP reply, which is sent to the broadcast address, but the client ID / yiaddr field did not match the router.  This is perfectly normal since the router will see all of the DHCP replies sent through the cable network (depending on how the ISP has it set up).  The reason you can't hard code the IP address is again due to the cable modem you are connecting to.  The cable modem requires the use of DHCP to register your MAC address.  This is a DOCSIS security thing where it locks one MAC address to one IP address, which ensures you can't just add new devices on the cable network without paying for additional addresses.  Some ISPs implement this, some don't; your mileage will vary.

I believe we have gotten off track on the troubleshooting.  The original problem remains, everything is working for a period of time then it stops working until you reset the interface/bvi.  We need to fully understand the state of the interface, switching mechanisms, and routing mechanisms when it is in the broken state in order to understand why it happened and how to fix it.

Based on your configuration, here's the general packet flow through the router (I purposefully left some things out):

- Fe0/0 physical link is established.  Vlan1 moves to Up/Up state.  Spanning tree runs on Vlan1 and FE0/0 is moved to forwarding state.  Spanning tree also runs on Bridge-group 1 and vlan1 moves to forwarding state.

- BVI1 sends a DHCP request to the broadcast address.  The request is flooded out bridge-group1, then vlan1, then out fe0/0.

- The cable modem registers the DHCP request and notes the mac-address that it came from.  It looks to see if this mac had registered previously and if so what the offered IP address was.  It then sends a DHCP response with that offered address (technically it tries to ping that address first to ensure it is not already being used).

- The DHCP response comes into fe0/0, is flooded to vlan1, then flooded to bridge-group1, then is received and processed by BVI1.  BVI1 now has an IP address, gateway, and any other options sent by the DHCP server (I am skipping some steps here since they don't matter for this discussion).

- Packets coming from the lan are processed by the router and a route lookup is done.  If the destination ip is not known it will be sent out the default route which based on your config is 95.104.105.1 which is located off BVI1.  This may or may not be the real default gateway, since you have it configured I assume it is correct.  You can actually remove this statement and let DHCP configure the default router which is preferred.

- Packets coming from the cable modem will be sent to the BVI's MAC address.  They will enter FE0/0, and a MAC lookup will be done.  The MAC will be found off Vlan1, then bridge-group1.  The packet will then reach the BVI.  A route lookup will be done and the packet will either be processed for transmit out of another interface, dropped, or responded to by the router depending on what it is.  The processing includes the firewall, NAT, etc. that you have configured.

With that said, we know it works for a period of time but then stops working.  We also know if you plug a PC into vlan1 you are still able to ping the BVI when it is "broken".  This tells me that the FEx->vlan->BVI path is still working.  If you are able to ping from the PC to one of the lan devices then we would know if the entire forwarding process is working or not.  My guess is that the router is actually working fine forwarding packets between the lan / wan and the real problem is with the communication between the router and default gateway/route.  It seems obvious that something is changing in regards to the arp cache, offered ip address, or even the gateway's ip address which breaks the communications.  Restarting the BVI resolves it because the DHCP process is started over again which allows it to work for a period of time.

To move this issue forward, please do the following:

- remove the static route from the config (no ip route 0.0.0.0 0.0.0.0 BVI1 95.104.105.1 permanent)

- configure dhcp on the BVI1

- when the BVI comes up, get a show ip route, show arp, and show dhcp lease.  These commands will tell us what the IP address is on the BVI, what the default gateway address is, what the lease time is, and what the mac address is for the default gateway.

- When the problem happens, get the same commands and see if anything changed.  Also, if you still have the PC connected to vlan1, try to ping the BVI and some address on the LAN just to ensure the router is functioning as expected.

BTW, Sander had a good idea in that you can remove one level of complexity if you simply configure Vlan1 as your routed port instead of using a BVI.  But, it should work with or without the BVI. 

Tim
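Tim's two checks (above: watching whether the BVI's input-queue drop counter climbs while the queue depth stays at 0, and comparing show arp output taken before and after a drop) can be run over saved captures instead of by eye. The following Python helper is an added example, not part of this thread or of IOS; it assumes the show interface and show arp text formats pasted in this thread and works on constructed captures embedded below.

```python
import re
from dataclasses import dataclass

# "Input queue: 0/75/3385/0 (size/max/drops/flushes)" as printed by show interface.
INPUT_QUEUE_RE = re.compile(
    r"Input queue:\s*(?P<size>\d+)/(?P<max>\d+)/(?P<drops>\d+)/(?P<flushes>\d+)"
)
# One row of show arp: "Internet  95.104.105.1   0   000d.28f5.9280  ARPA   BVI1"
ARP_ROW_RE = re.compile(
    r"^\s*Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.MULTILINE,
)


@dataclass(frozen=True)
class InputQueue:
    size: int      # packets currently waiting in the hold queue
    max: int       # hold-queue limit (75 by default)
    drops: int     # cumulative input queue drops
    flushes: int   # SPD flushes


def parse_input_queue(show_interface: str) -> InputQueue:
    """Pull the input-queue counters out of one 'show interface' capture."""
    m = INPUT_QUEUE_RE.search(show_interface)
    if m is None:
        raise ValueError("no 'Input queue:' line found in capture")
    return InputQueue(*(int(m.group(k)) for k in ("size", "max", "drops", "flushes")))


def classify_input_queue(samples) -> str:
    """Apply the rule of thumb from the thread to captures taken in time order.

    - drops keep growing while the queue depth never leaves 0: the drops are not
      caused by a full hold queue, which is the case that needs deeper analysis
    - queue depth moves and drops grow now and then: lots of process switching
    - drops do not move: nothing is currently being dropped at the input queue
    """
    if len(samples) < 2:
        raise ValueError("need at least two captures to see movement")
    drops_grew = samples[-1].drops > samples[0].drops
    queue_moved = any(s.size > 0 for s in samples)
    if drops_grew and not queue_moved:
        return "drops-without-full-queue"
    if drops_grew:
        return "process-switching-load"
    return "stable"


def parse_arp(show_arp: str) -> dict:
    """Map IP address -> (MAC, interface) from a 'show arp' capture."""
    return {m.group("ip"): (m.group("mac"), m.group("intf"))
            for m in ARP_ROW_RE.finditer(show_arp)}


def diff_arp(before: str, after: str, gateway: str) -> dict:
    """Compare two 'show arp' captures, focusing on the default gateway entry."""
    b, a = parse_arp(before), parse_arp(after)
    return {
        "gateway_mac_changed": gateway in b and gateway in a and b[gateway][0] != a[gateway][0],
        "gateway_missing_after": gateway in b and gateway not in a,
        "new_entries": sorted(set(a) - set(b)),
        "removed_entries": sorted(set(b) - set(a)),
    }


# Constructed captures for the demo: three 'show interface bvi1' snippets in which the
# drop counter climbs from the 3385 seen in the thread while the queue depth stays 0.
CONSTRUCTED_SAMPLES = [
    "BVI1 is up, line protocol is up\n"
    "  Input queue: 0/75/3385/0 (size/max/drops/flushes); Total output drops: 0\n",
    "BVI1 is up, line protocol is up\n"
    "  Input queue: 0/75/3390/0 (size/max/drops/flushes); Total output drops: 0\n",
    "BVI1 is up, line protocol is up\n"
    "  Input queue: 0/75/3401/0 (size/max/drops/flushes); Total output drops: 0\n",
]

# Constructed 'show arp' captures modelled on the before/after pair posted in the thread.
ARP_BEFORE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  95.104.105.1            0   000d.28f5.9280  ARPA   BVI1
Internet  95.104.105.95           -   0002.3f1f.ba65  ARPA   BVI1
Internet  192.168.2.1             -   001e.1366.9d10  ARPA   Vlan2
"""
ARP_AFTER = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  95.104.105.1            0   000d.28f5.9280  ARPA   BVI1
Internet  95.104.105.95           -   0002.3f1f.ba65  ARPA   BVI1
Internet  95.104.105.97         158   0002.3f1f.ba55  ARPA   BVI1
Internet  192.168.2.1             -   001e.1366.9d10  ARPA   Vlan2
Internet  192.168.4.4           158   000c.f126.9dba  ARPA   Dot11Radio0.2
"""

if __name__ == "__main__":
    verdict = classify_input_queue([parse_input_queue(s) for s in CONSTRUCTED_SAMPLES])
    print("input queue verdict:", verdict)
    print("arp diff:", diff_arp(ARP_BEFORE, ARP_AFTER, "95.104.105.1"))
```

On the constructed captures the verdict is "drops-without-full-queue" and the ARP diff reports the gateway MAC unchanged with two new entries, which matches what the thread's before/after output shows.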

zxspectrum128kb Thu, 10/14/2010 - 05:57

Thanks a lot, Tim, for your detailed reply.

I have issued commands you suggested and now I'm waiting for the next drop.

I can't use a VLAN as a routable interface because it can't handle the MAC address which is required by the ISP. That's why I'm using the BVI. Another way is to call the ISP and ask them to change my MAC address to that of one of the Ethernet ports. But it doesn't matter; I had this kind of configuration a couple of months ago and it's the same.

BTW, my ISP's rule is that I can use only one computer; maybe there is something that recognizes it's a router, not a PC?

Almost forgot to say: the PC says "destination host unreachable" when pinging, in the working state.

zxspectrum128kb Thu, 10/14/2010 - 08:21

sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 95.104.105.1 to network 0.0.0.0

     213.157.196.0/32 is subnetted, 1 subnets
S       213.157.196.27 [254/0] via 95.104.105.1, BVI1
C    192.168.4.0/24 is directly connected, Dot11Radio0.2
     95.0.0.0/24 is subnetted, 1 subnets
C       95.104.105.0 is directly connected, BVI1
C    192.168.2.0/24 is directly connected, Vlan2
C    192.168.3.0/24 is directly connected, Dot11Radio0.1
S*   0.0.0.0/0 [1/0] via 95.104.105.1

After drop:

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 95.104.105.1 to network 0.0.0.0

     213.157.196.0/32 is subnetted, 1 subnets
S       213.157.196.27 [254/0] via 95.104.105.1, BVI1
C    192.168.4.0/24 is directly connected, Dot11Radio0.2
     95.0.0.0/24 is subnetted, 1 subnets
C       95.104.105.0 is directly connected, BVI1
C    192.168.2.0/24 is directly connected, Vlan2
C    192.168.3.0/24 is directly connected, Dot11Radio0.1
S*   0.0.0.0/0 [1/0] via 95.104.105.1


---------------------------

sh arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  95.104.105.1            0   000d.28f5.9280  ARPA   BVI1
Internet  95.104.105.95           -   0002.3f1f.ba65  ARPA   BVI1
Internet  192.168.2.1             -   001e.1366.9d10  ARPA   Vlan2
Internet  192.168.2.8             0   001d.6088.562c  ARPA   Vlan2
Internet  192.168.3.1             -   001e.1344.bd20  ARPA   Dot11Radio0.1
Internet  192.168.4.1             -   001e.1344.bd20  ARPA   Dot11Radio0.2


After drop:


Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  95.104.105.1            0   000d.28f5.9280  ARPA   BVI1
Internet  95.104.105.95           -   0002.3f1f.ba65  ARPA   BVI1
Internet  95.104.105.97         158   0002.3f1f.ba55  ARPA   BVI1
Internet  192.168.2.1             -   001e.1366.9d10  ARPA   Vlan2
Internet  192.168.2.8             0   001d.6088.562c  ARPA   Vlan2
Internet  192.168.3.1             -   001e.1344.bd20  ARPA   Dot11Radio0.1
Internet  192.168.4.1             -   001e.1344.bd20  ARPA   Dot11Radio0.2
Internet  192.168.4.4           158   000c.f126.9dba  ARPA   Dot11Radio0.2

----------------


sh dhcp lease

Temp IP addr: 95.104.105.95  for peer on Interface: BVI1
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 213.157.196.27, state: 5 Bound
   DHCP transaction id: 1782
   Lease: 0 secs,  Renewal: 0 secs,  Rebind: 0 secs
Temp default-gateway addr: 95.104.105.1
   No timer running
   Retry count: 0   Client-ID: 0002.3f1f.ba65
   Client-ID hex dump: 00023F1FBA65
   Hostname: 877W


After drop:


Temp IP addr: 95.104.105.95  for peer on Interface: BVI1
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 213.157.196.27, state: 5 Bound
   DHCP transaction id: 1782
   Lease: 0 secs,  Renewal: 0 secs,  Rebind: 0 secs
Temp default-gateway addr: 95.104.105.1
   No timer running
   Retry count: 0   Client-ID: 0002.3f1f.ba65
   Client-ID hex dump: 00023F1FBA65
   Hostname: 877W

tstewart Thu, 10/14/2010 - 09:25

If the PC is saying "destination host unreachable" then you do not have the correct default gateway configured on the PC.  It should be the router's BVI address (95.104.105.95).  The show commands all look good.  At this point I am not seeing anything on the router that can be attributed to the problem.  Let's get that PC up and running and verify it can ping the BVI and the LAN devices.  When the problem happens, ensure the PC can still ping the BVI and LAN devices.  If it can, then the issue is not with the router.

Posted October 10, 2010 at 7:57 AM