Re: Problem when bridging VLANs (flapping)

gblomqvist · ‎09-04-2013

Hi!

At a customers site we (I) setup a "WLAN-bridge"as a backup-link/redundancy för a fiber-connection between the main office and the wharehouse, a distance of approximately 500 meters.

The bridge consists of two AP1240BG and external panel antennas and the customer wants to bridge 16 VLANS across the air in case of a broken fiber.

When we had installed the link and tested it, by disconnecting the fiber (Gi0/1) and connecting the Bridge-AP (Fa0/14) to the switch in the wharehouse we got problems. The switch in the wharehouse reported host flappimg between ports in several VLANs. Also The clients on the APs in wharehouse and the wired clients started to lose connections to the services/applications in the main office.

The idea is that it works like this: ..... Under normal condistions the fiber is the primary "traffic-channel", in this case the two ports connecting the "Bridge-APs" at the two buidings are in "shutdown"! If the fiber breaks it will be disconnected at the core-switch and the two ports connecitn the "Bridge-APs" will manually be brought to "NO shutdown" to enable traffic to use the backup WLAN-link.

I attach a picture of the setup and the config of the two bridges and the config of the two ports connecting the bridge-APs and a snippet of the error log

QUESTION: What have I done wrong???.... I hope I have explained the problem and setup properly ....

Best Regards

Göran

Configuration of "Bridge-1":

===============

SE01NBR1#sh ru

Building configuration...

Current configuration : 5800 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname SE01NBR1

!

logging rate-limit console 9

enable secret ??????????????????????

!

no aaa new-model

clock timezone +0100 1

!

dot11 syslog

dot11 vlan-name Mgmnt vlan 100

dot11 vlan-name PSN vlan 200

!

dot11 ssid WLAN-BRIDGE

vlan 100

authentication open

authentication key-management wpa

infrastructure-ssid

wpa-psk ascii ???????????????????

!

power inline negotiation prestandard source

!

username Cisco password 7 01300F175804

username admin password 7 003033140F5E1F12

username tdc password 7 090F1F471A0A1A

!

bridge irb

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers tkip

!

encryption vlan 100 mode ciphers tkip

!

encryption vlan 200 mode ciphers tkip

!

encryption vlan 1 mode ciphers tkip

!

encryption vlan 6 mode ciphers tkip

!

encryption vlan 8 mode ciphers tkip

!

encryption vlan 10 mode ciphers tkip

!

encryption vlan 12 mode ciphers tkip

!

encryption vlan 20 mode ciphers tkip

!

encryption vlan 24 mode ciphers tkip

!

encryption vlan 101 mode ciphers tkip

!

encryption vlan 150 mode ciphers tkip

!

encryption vlan 204 mode ciphers tkip

!

encryption vlan 211 mode ciphers tkip

!

encryption vlan 216 mode ciphers tkip

!

encryption vlan 603 mode ciphers tkip

!

ssid WLAN-BRIDGE

!

antenna transmit right-a

antenna receive right-a

antenna gain 3

channel 2437

station-role root bridge

!

interface Dot11Radio0.1

encapsulation dot1Q 1

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.6

encapsulation dot1Q 6

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.8

encapsulation dot1Q 8

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.10

encapsulation dot1Q 10

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.12

encapsulation dot1Q 12

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.20

encapsulation dot1Q 20

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.24

encapsulation dot1Q 24

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.100

encapsulation dot1Q 100 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.101

encapsulation dot1Q 101

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.150

encapsulation dot1Q 150

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.200

encapsulation dot1Q 200

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.204

encapsulation dot1Q 204

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.211

encapsulation dot1Q 211

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.216

encapsulation dot1Q 216

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface Dot11Radio0.603

encapsulation dot1Q 603

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

!

interface FastEthernet0.1

encapsulation dot1Q 1

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.6

encapsulation dot1Q 6

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.8

encapsulation dot1Q 8

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.10

encapsulation dot1Q 10

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.12

encapsulation dot1Q 12

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.20

encapsulation dot1Q 20

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.24

encapsulation dot1Q 24

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.100

encapsulation dot1Q 100 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

!

interface FastEthernet0.101

encapsulation dot1Q 101

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.150

encapsulation dot1Q 150

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.200

encapsulation dot1Q 200

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.204

encapsulation dot1Q 204

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.211

encapsulation dot1Q 211

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.216

encapsulation dot1Q 216

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface FastEthernet0.603

encapsulation dot1Q 603

no ip route-cache

bridge-group 3

bridge-group 3 spanning-disabled

!

interface BVI1

ip address 10.32.16.23 255.255.255.0

no ip route-cache

!

ip default-gateway 10.32.16.1

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

snmp-server community hund RO

bridge 1 protocol ieee

bridge 1 route ip

bridge 3 protocol ieee

!

banner motd ^CCThis access point should receive vlan 100 untagged for management purposes^C

!

line con 0

logging synchronous

login local

line vty 0 4

login local

!

end

SE01NBR1#

Connecting port in "Switch-1:

=====================

interface FastEthernet0/15

description Wireless bridge to warehouse.

switchport trunk native vlan 100

switchport mode trunk

Configuration of "Bridge-2":

====================

SE01NBR2#sh ru

Building configuration...

Current configuration : 7557 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname SE01NBR2

!

logging rate-limit console 9

enable secret ???????????????????????

!

no aaa new-model

clock timezone +0100 1

!

dot11 syslog

dot11 vlan-name Mgmnt vlan 100

dot11 vlan-name PSN vlan 200

!

dot11 ssid WLAN-BRIDGE

vlan 100

authentication open

authentication key-management wpa

infrastructure-ssid

wpa-psk ascii ???????????????????????

!

power inline negotiation prestandard source

!

username Cisco password 7 096F471A1A0A

username admin password 7 09786E1B12000306

username tdc password 7 0150574A58040B

!

bridge irb

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers tkip

!

encryption vlan 100 mode ciphers tkip

!

encryption vlan 200 mode ciphers tkip

!

encryption vlan 1 mode ciphers tkip

!

encryption vlan 6 mode ciphers tkip

!

encryption vlan 8 mode ciphers tkip

!

encryption vlan 10 mode ciphers tkip

!

encryption vlan 12 mode ciphers tkip

!

encryption vlan 20 mode ciphers tkip

!

encryption vlan 24 mode ciphers tkip

!

encryption vlan 101 mode ciphers tkip

!

encryption vlan 150 mode ciphers tkip

!

encryption vlan 204 mode ciphers tkip

!

encryption vlan 211 mode ciphers tkip

!

encryption vlan 216 mode ciphers tkip

!

encryption vlan 603 mode ciphers tkip

!

ssid WLAN-BRIDGE

!

antenna transmit right-a

antenna receive right-a

antenna gain 3

station-role non-root bridge

!

interface Dot11Radio0.1

encapsulation dot1Q 1

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.6

encapsulation dot1Q 6

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.8

encapsulation dot1Q 8

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.10

encapsulation dot1Q 10

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.12

encapsulation dot1Q 12

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.20

encapsulation dot1Q 20

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.24

encapsulation dot1Q 24

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.100

encapsulation dot1Q 100 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.101

encapsulation dot1Q 101

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.150

encapsulation dot1Q 150

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.200

encapsulation dot1Q 200

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.204

encapsulation dot1Q 204

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.211

encapsulation dot1Q 211

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.216

encapsulation dot1Q 216

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface Dot11Radio0.603

encapsulation dot1Q 603

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

!

interface FastEthernet0.1

encapsulation dot1Q 1

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.6

encapsulation dot1Q 6

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.8

encapsulation dot1Q 8

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.10

encapsulation dot1Q 10

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.12

encapsulation dot1Q 12

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.20

encapsulation dot1Q 20

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.24

encapsulation dot1Q 24

no ip route-cache

bridge-group 3

!

interface FastEthernet0.100

encapsulation dot1Q 100 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface FastEthernet0.101

encapsulation dot1Q 101

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.150

encapsulation dot1Q 150

no ip route-cache

bridge-group 3

!

interface FastEthernet0.200

encapsulation dot1Q 200

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.204

encapsulation dot1Q 204

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.211

encapsulation dot1Q 211

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.216

encapsulation dot1Q 216

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface FastEthernet0.603

encapsulation dot1Q 603

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

!

interface BVI1

ip address 10.32.16.24 255.255.255.0

no ip route-cache

!

ip default-gateway 10.32.16.1

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

snmp-server community hund RO

bridge 1 protocol ieee

bridge 1 route ip

bridge 3 protocol ieee

!

banner motd ^CThis access point should receive vlan 100 untagged for management purposes^C

!

line con 0

logging synchronous

login local

line vty 0 4

logging synchronous

login local

transport input telnet

!

end

SE01NBR2#

Connecting port in "Switch-2:

=====================

interface FastEthernet0/14

description Wireless bridge to office building.

switchport trunk native vlan 100

switchport trunk allowed vlan 1,6,8,10,12,20,24,100,101,150,200,204,211,216

switchport trunk allowed vlan add 603

switchport mode trunk

Error messages in "Switch-2":

======================

se01nlg2#

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.267f in vlan 10 is flapping between port F a0/14 and port Gi0/1

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.267f in vlan 12 is flapping between port F a0/14 and port Gi0/1

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.267f in vlan 6 is flapping between port Gi 0/1 and port Fa0/14

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.267f in vlan 1 is flapping between port Gi 0/1 and port Fa0/14

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.709c.3b0d in vlan 8

se01nlg2#is flapping between port Gi0/1 and port Fa0/14

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.267f in vlan 8 is flapping between port Gi 0/1 and port Fa0/14

se01nlg2#

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.709c.3b0d in vlan 20 is flapping between port F a0/14 and port Gi0/1

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.2abf in vlan 211 is flapping between port Gi0/1 and port Fa0/14

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.2abf in vlan 603 is flapping between port Gi0/1 and port Fa0/14

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.2abf in vlan 8 is flapping between port Gi 0/1 and port Fa0/14

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.7080.6889 in vlan

se01nlg2# 20 is flapping between port Fa0/14 and port Gi0/1

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.7080.6889 in vlan 8 is flapping between port Gi 0/1 and port Fa0/14

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.2abf in vlan 10 is flapping between port G i0/1 and port Fa0/14

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.2abf in vlan 12 is flapping between port F a0/14 and port Gi0/1

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.2abf in vlan 1 is flapping between port Gi 0/1 and port Fa0/14

4d01h: %SW_MA

se01nlg2#TM-4-MACFLAP_NOTIF: Host 649e.f363.2abf in vlan 6 is flapping between port Gi0/1 and port Fa0/14

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.2abf in vlan 216 is flapping between port Gi0/1 and port Fa0/14

se01nlg2#

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.2abf in vlan 101 is flapping between port Gi0/1 and port Fa0/14

se01nlg2#

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 00a0.f865.b529 in vlan 20 is flapping between port F a0/14 and port Gi0/1

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 00a0.f865.b529 in vlan 8 is flapping between port Gi 0/1 and port Fa0/14

se01nlg2#

4d01h: %SW_MATM-4-MACFLAP_NOTIF: Host 649e.f363.267f in vlan 211 is flapping between port Gi0/1 and port Fa0/14

Stephen Rodriguez · ‎09-04-2013

You have all the vlan you are sending across the link dumped into one bridge-group.

Each radio sub interface needs to be linked to a unique wired interface.

Fixing that, it should work.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

gblomqvist · ‎09-04-2013

Hmm... that was one of my concerns but the doc's I found didn't convince me which way to go. So with a 50/50 chance.....

I will make the adjustments and try again...

Oh, by the way.... There are no limitations to the numbering of Bridge-groups?... I mean; Can I use the numbering scheme of radio0.123 -> eth 0.123 -> bridge-group 123??...

Best Regards

Göran

Edit. .....

Oh!!... As you see the VLAN/IP-adress of the BVI1-interface is VLAN 100... Will cause any troubles? With CDP, VTP or something else...?? Should I try to move this to VLAN 1??