paa
New Member

Bridging with two 871

Good day!

I have a problem. I have to connect remote office like on this plan:

[netw-1]---[871]---[ISP]---[871]---[netw-1]

871 must work like a bridge for [netw-1], between two 871 must be a IPSEC tunnel. Problem that I don't know how I can put all traffic from netw-1 to tunnel.

Please help!

Hall of Fame Super Silver

Re: Bridging with two 871

Alexander

You have a difficult situation for which there is not a good clean solution. The problem is that IPSec is for unicast IP and it would work well if you were routing over the ISP link but apparently you need to bridge over the ISP link.

One alternative that I would suggest is to route over the ISP link and configure an IPSec tunnel. Then configure Network Address Translation for overlapping addresses. This will work and will allow both networks to use the same address space, creating 2 broadcast domains. But if you really need both networks to be in the same broadcast domain then it will not work.

The other alternative is to encapsulate the bridged traffic over the ISP link. You could try configuring a GRE tunnel with the IPSec and bridging over the GRE tunnel. This might work. But be aware that bridging over GRE is not officially supported. If you configure it, you may get traffic to go across. But if you get something that does not work as you want Cisco may respond that it is not guaranteed to work and they are under no commitment to help make it work.

HTH

Rick

paa
New Member

Re: Bridging with two 871

Thanks for your fast answer, Rick!!! I'll try your solutions tomorrow and post the result of my work.

paa
New Member

Re: Bridging with two 871

Too long a vacation =)

I thought about my non-ordinary bridging, and I created a config like this:

_________________________________________

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key test12 address 192.168.0.1
!
!
crypto ipsec transform-set TRANS ah-md5-hmac esp-3des
!
crypto map GRE 10 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set TRANS
 match address GRE_TUN
!
bridge irb
!
interface Tunnel0
 no ip address
 tunnel source FastEthernet4
 tunnel destination 192.168.0.1
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet4
 ip address 10.10.10.1 255.255.255.0
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map GRE
 bridge-group 1
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 no ip address
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 192.168.0.1 255.255.255.255 10.10.10.10
!
ip access-list extended GRE_TUN
 permit gre host 10.10.10.1 host 192.168.0.1
!
bridge 1 protocol ieee

_________________________________________

...and asymmetric config on the other side. Would it work?

Hall of Fame Super Silver

Re: Bridging with two 871

Alexander

If you are going to attempt the solution with bridging over the GRE tunnel then I believe that there are a few changes you should make in the config that you have posted:

- if you are going to bridge over the GRE then the bridge-group command should be on the tunnel instead of the FastEthernet which is the physical outbound interface.

- your default route points to the tunnel but with no ip address configured the tunnel will not be processing IP traffic. Perhaps you want the default route to point at a next hop reachable through the BVI.

- the BVI in your configuration has no IP address. For bridging IP from VLAN to tunnel the BVI should have an IP address.

- for IRB to work correctly I believe that you also need the statement bridge 1 route ip

HTH

Rick
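The checklist in Rick's reply above, written as a small review script. This is an added example, not code from the thread or from Cisco: it parses a flattened IOS config (no indentation, blocks closed by "!") and reports the four issues he lists; the constructed sample, the function names and the message strings are all assumptions.

```python
import re

# Constructed excerpt of the first config posted in this thread, trimmed to the lines the checks read.
POSTED = """\
interface Tunnel0
no ip address
!
interface FastEthernet4
ip address 10.10.10.1 255.255.255.0
crypto map GRE
bridge-group 1
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
bridge 1 protocol ieee
"""

def parse_ios(text):
    """Split a flattened IOS config (no indentation) into global lines and per-interface lines."""
    glob, ifaces, cur = [], {}, None
    for line in (raw.strip().lower() for raw in text.splitlines()):
        if not line or line == "!":          # '!' closes the current block
            cur = None
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        else:
            (ifaces[cur] if cur is not None else glob).append(line)
    return glob, ifaces

def review_bridge_over_gre(text):
    """Return the problems Rick's reply lists, in fixed order (empty list = clean)."""
    glob, ifaces = parse_ios(text)
    has = lambda name, prefix: any(l.startswith(prefix) for l in ifaces.get(name, []))
    # 1. bridge-group belongs on the tunnel, not on the WAN interface that holds the crypto map
    found = [f"bridge-group on wan interface {n}" for n in ifaces
             if has(n, "bridge-group") and has(n, "crypto map")]
    # 2. a static route via a tunnel that has no IP address cannot forward IP
    for m in (re.match(r"ip route \S+ \S+ (tunnel\d+)$", g) for g in glob):
        if m and not has(m.group(1), "ip address "):
            found.append(f"route via {m.group(1)} which has no ip address")
    # 3. the BVI is the routed side of IRB and should carry an address
    found += [f"{n} has no ip address" for n in ifaces
              if n.startswith("bvi") and not has(n, "ip address ")]
    # 4. IRB needs 'bridge N route ip' for each bridge group
    for m in (re.match(r"bridge (\d+) protocol", g) for g in glob):
        if m and f"bridge {m.group(1)} route ip" not in glob:
            found.append(f"missing 'bridge {m.group(1)} route ip'")
    return found
```

Run against the working config posted later in the thread, the script still reports the BVI without an address, which matches the thread: Rick recommended one, and paa's final config works without it.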

paa
New Member

Re: Bridging with two 871

I tried to set bridge-group on tunnel0, but I don't have this command in my IOS (c870-advsecurityk9-mz.123-8.YI2). I don't understand how BVI works. Does it translate all packets from the vlan1 interface to the other side?

[vlan1]--{bvi(ip-address)}--{eth4(ip-address)}---[ISP]---... ?

And what about the tunnel? Tunnel destination - eth4 on the other side or BVI on the other side?

Sorry for the stupid questions, I never worked with a configuration like this =)

Hall of Fame Super Silver

Re: Bridging with two 871

Alexander

The last time that I tried to configure bridge-group under a tunnel interface it accepted the command. That was a long time ago and it was not an 870 router. So it is possible that since it is officially not supported that they have changed the IOS to not accept that command on tunnel interfaces. Or maybe it is something else.

Actually I just checked this on an 1841 router. The command does not show up in online help. If you enter the command in interface configuration mode it is accepted but generates a warning message that "This command is an unreleased and unsupported feature."

The BVI is the transition point between the bridged interfaces (which represent a single flat broadcast domain) and the routed domain.

HTH

Rick

paa
New Member

Re: Bridging with two 871

Great thanks for your help, Rick! I solved my problem with your help.

The command 'bridge-group' on a tunnel interface really does exist, but it is not listed in help. My working config is (only the main things):

!
bridge 1 protocol ieee
bridge 1 route ip
!
bridge irb
!
interface BVI1
 no ip address
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source FastEthernet4
 tunnel destination 70.70.70.2
 bridge-group 1
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface FastEthernet4
 ip address 192.168.0.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 70.70.70.2 255.255.255.255 192.168.0.2
!

Also I added IPSEC between the 871s, it was simple =)

And a last question. What is Cisco's official solution for a case like mine?

New Member

Re: Bridging with two 871

Can you please send me both sides' configuration. I need the exact solution but I did not make it work. My e-mail address is taylanesen@gmail.com. If you can send it I'll really appreciate it.

New Member

Re: Bridging with two 871

Hi Alexander,

I am trying to set up the same network configuration (bridging over GRE). Is it possible to send me your configuration for both routers?

Thanks

Ali

Hall of Fame Super Gold

Re: Bridging with two 871

The other router would be configured identically to the one with the configuration above, with the different IP address for tunnel source and destination.

As Rick pointed out already, bridging over GRE is not supported and you run it at your own risk.

The best choice is to fix your network to eliminate bridging like all the networks in the world do with total happiness.

The thing that I still see a lot is that customers that really do not understand much about networking are willing to dictate flawed designs. In my opinion, any consultant that accepts such constraints is not professionally rendering a service but just making things more unstable and non-supportable.

New Member

Re: Bridging with two 871

In my case, we are trying to save time by installing systems which will later be delivered and integrated in an existing customer environment. I want to install the systems and integrate them in the customer domain and finish all the configuration issues, then deliver them without any changes.

That is why I am trying to extend the customer network to me. If you have another suggestion I'll be thankful.

Thx

Hall of Fame Super Gold

Re: Bridging with two 871

Have the two sites use two separate IP subnets. Connect them via GRE tunnels, or if you need encryption, IPSec.

This standard configuration is so proven that even if you cannot test it in house before delivering, it will take a few minutes to install and troubleshoot on site.

The most important thing is that you set the router correctly to be accessed from the internet via telnet or ssh, so that in case of any problem you can remotely log in and check / fix things.

Hope this helps, please rate post if it does!
