So, I'm trying to get a l2vpn working in my test setup, looks like this:
TP-Link Router (192.168.1.1)- (straight-cable)switchport hooked to cable modem (bpi enabled)
7225 cmts, with the following lines
cable l2-vpn-service xconnect nsi dot1q interface GigabitEthernet0/2
cable dot1q-vc-map 001d.d3f2.7b09 GigabitEthernet0/2 30
cable dot1q-vc-map 001d.d3f2.7aa5 GigabitEthernet0/2 31
(gig0/2 is configured with 10.1.1.2 ip address)
connected to gig0/2 is a cisco 2621, port fa0/0 (crossover cable)
following lines:
!
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no ip unreachables
 duplex auto
 speed auto
!
interface FastEthernet0/0.30
 description OfficeLan
 encapsulation dot1Q 30
 no snmp trap link-status
 bridge-group 200
!
interface FastEthernet0/0.31
 description OfficeLan2
 encapsulation dot1Q 31
 no snmp trap link-status
 bridge-group 200
!
interface FastEthernet0/1
 no ip address
 no ip unreachables
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
bridge 200 protocol ieee
!
!
On the other cable modem, I'm hooked in with my laptop.(straight-cable) (192.168.1.12)
I cannot ping the tp-link router.
on the cmts:
7225-2#show cable l2-vpn xconnect dot1q-vc-map
MAC Address    Ethernet Interface      VLAN ID   Cable Intf  SID  Customer Name/VPNID
001d.d3f2.7b09 GigabitEthernet0/2          30    Cable1/0    26
001d.d3f2.7aa5 GigabitEthernet0/2          31    Cable1/0    9
on the 2621:
2621XM#show bridge
Total of 300 station blocks, 299 free
Codes: P - permanent, S - self
Bridge Group 200:
    Address       Action   Interface       Age   RX count   TX count
0026.b9ea.5835   forward   Fa0/0.31          3         50          0
Can someone tell me where I've gone wrong.. ?  I've been reading this page:
http://www.cisco.com/en/US/docs/cable/cmts/feature/tls-cmts.html#wp1067845
Config looks about right to me
1. is the 001d.d3f2.7b09 CMAC correct?
2. Do both modems have same firmware? Note there were L2VPN problems with Arris D3 firmware prior to v7.5.32
3. Maybe crank up wireshark / tcpdump on the PC and see what traffic is passing. Then swap the router/pc between the two modems and run wireshark / tcpdump again to see if anything has changed.
4. You can turn on debugging on the cmts, from memory its something like debug cable mac-address xxxx.xxxx.xxxx (repeat for each cmac), then you can debug cable l2vpn ...., then term mon. And watch what traffic is coming in/out.
When I was testing this, I had a lot of trouble getting ARP broadcasts to be seen behind the remote modem(TP-Link router in your case). Try adding a static ARP entry of the TP-Link router on your PC and see what happens then.
My fix was to use the cfg file and as mbowe said, upgrading the Arris firmware to 7.5.93. But that was using the Arris 820.
When using debug, if you want to see all packets in the L2VPN you have to use the command mbowe had above but add "verbose" after the mac address. If you don't it will just show the modem coming online and the CMTS associating it to a L2VPN. This is how I discovered the ARP issue.
doublepost
apparently my reply got queued for approval... so... here it is with the debug in a separate file....
The mac is right, both modems came from the same crate, both modems are on 7.5.93. I fired up an xp machine and replaced the tp-link with it... but still no dice.
Okay, sooo.... I briefly had the xp machine show up in the bridge group when I added an ipx/spx protocol to its network adapter, but it dropped off wouldn't come back.... I added a 3rd modem to the bridge group, and I can move my laptop around to any of the modems and have it show up behind whichever modem it is plugged into when I do the show bridge command in the 2621. If I took the xp machine and moved it to the vlan 30 modem, it would pop back up in the 2621 under vlan32 still, but it still drops back off after it ages out.
Still can't ping between them no matter what.
This is what I get from the CMTS debug cable l2-vpn conditional, when I try to ping from each side to the other.
So, I changed the command in the 2621 from
bridge 200 protocol ieee
to
bridge 200 protocol vlan-bridge
now both machines show up in the bridging table.
I also added no ip unreachables to all the vlan sub-interfaces...
but I still can't ping either machine.
I think I got it!!
In the 2621, I then applied these commands:
bridge irb
bridge 200 bridge ip
and BAM! I can ping!!!
My next question is, can I set up the bridging inside the CMTS so that I don't need external aggregation? Or would that have a detrimental impact on the CMTS? Or would it depend on the load?
Nope, Cisco CMTS L2VPN/TLS implementations cant do it. Must use another router.
Although if the CMTS supports the bridge commands (I've never checked this), I guess you could try looping a cat5 from the L2VPN port back to another local port..... probably not advisable though. Better leaving the CMTS to do just the basics and offload other stuff eg bridge or NAT to other devices.
Aloso note with L2VPN you dont have to use Cisco bridge, you can feed it into other stuff like VPLS. We are doing this with our Juniper MX80s
I might try it on the other gig ports on my test cmts just to see if it would work like that, I'm just wanting to shoot some voice traffic through it, so there will be next to no load. This 2621 I'm using is ancient, doesn't even have gig ports. I think the firmware is from 2005. Wish I knew where to get cisco ios loads without having to have a live support contract on every piece of equipment, their website is a pain.
Hello, I just want to add another question to Capm's. Is there any security issue I should be concerned with when implementing BSoD L2VPN???
You should enable DUT filtering in your L2VPN cm config files so that other general broadcast traffic doesnt leak into the VPN
So... Going from one interface to another doesn't work, because they can't be in the same subnet, and I tried manually routing 2 subnets back to each other, it just didn't work, so, anyway...
What I was trying to accomplish here, was, we have an IP phone setup here, that is trunked through our network on a vlan back to the office network. So, if I plug that vlan port from our switch into one bridged modem directly, and the IP phone into the other bridged modem directly, it will work. However, I had to increase the number of mac's allowed on the office network side modem to 255 (max). Obviously, this creates a problem if the number of devices in the office network exceeds 255, because then if the IP phone server isn't one that comes through, the IP phone won't work on the other side.
Sooooo, on the office side bridge modem, I put the Office vlan port into the tp-link router wan port, and took a switch port out to the bridge modem (so only 1 mac needs to be allowed) Okay. So that worked. On my test setup.
Move over to my live system.
I used the test cmts as my aggregator, same setup as the 2621, but I'm having a hard time getting the thing to work. If I put a PC on the IP phone side of the bridge, it will pull an IP from the tp-link, and I can ping the tp-link... but if I put the IP phone on there, it won't work, even though it booted through the nat before on the test setup. And the office side of the bridge times out and won't come back, like the switch on the tp-link isn't letting the tp-link router see/talk to the bridge... or something.
???
Okay, so I've got the bridge working, the problem I'm having now is, if I hook one of the bridge modems into a managed switch, like a 2950, into a port that is set to a particular vlan, which is then trunked out on another port, the switch blocks the port.
--
interface FastEthernet0/19
switchport access vlan 30
switchport mode access
spanning-tree portfast
--
With the port in access mode, I get this:
_2950(config-if)#
000050: Feb 11 21:10:07: %LINK-5-CHANGED: Interface FastEthernet0/19, changed state to administratively down
000051: Feb 11 21:10:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/19, changed state to down
_2950(config-if)#
_2950(config-if)#no shut
_2950(config-if)#
000052: Feb 11 21:10:14: %LINK-3-UPDOWN: Interface FastEthernet0/19, changed state to down
000053: Feb 11 21:10:17: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/19 VLAN30.
000054: Feb 11 21:10:17: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/19 on VLAN0030. Inconsistent port type.
000055: Feb 11 21:10:17: %LINK-3-UPDOWN: Interface FastEthernet0/19, changed state to up
000056: Feb 11 21:10:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/19, changed state to up
_2950(config-if)#
_2950(config-if)#
If I switch it to a mode trunk, I get this:
_2950(config-if)#shut
_2950(config-if)#
000033: Feb 11 20:55:43: %LINK-5-CHANGED: Interface FastEthernet0/19, changed state to administratively down
000034: Feb 11 20:55:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/19, changed state to down
_2950(config-if)#no shut
000035: Feb 11 20:55:51: %LINK-3-UPDOWN: Interface FastEthernet0/19, changed state to up
000036: Feb 11 20:55:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/19, changed state to up
000037: Feb 11 20:55:55: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 31 on FastEthernet0/19 VLAN1.
000038: Feb 11 20:55:55: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/19 on VLAN0001. Inconsistent local vlan.
_2950(config-if)#
I can't seem to keep the switch from blocking the port....
I'm thinking this has to do with spanning-tree running on the switches. And, from what it looks like, the bpdu's will propagate until it hits a switch running spanning tree, which won't work cause it will shut down the port it hits first. Is there a way to block that?
Got it, issued
spanning-tree bpdufilter enable
and port consistency was restored (access mode)
the tunnel works.. its alive... its aliiivveee!! :)