[nsp] Rules/restrictions regarding transparent bridging

Bob Tinkelman bob at tink.com
Thu Oct 2 17:17:45 EDT 2003


I'm interested in hearing from others who have done what I'm
trying to do (or from folk who have tried and failed, I guess).

Executive Summary
-----------------
I'm trying to bridge LANs that are at two separate locations,
using equipment in place that's also doing ip routing.


Grubby Details
--------------
I have a customer with an off-site backup location.

The main location has multiple LANs, only one of which is
exposed to the Internet.  The others are behind a firewall.

The off-site location has a parallel set of LANs, and we want
to bridge one of these to its counterpart at the main site.

This is the hardware config:

            ISP#1--------Internet-------ISP#2
              |                           |
              |T1                         |T1
              |             T1            |
          gw1.Site1-------------------gw1.Site2
          Fa0/0|                      Fa0/0|
               |dot1q                      |ISL
               |                           |
         switch1.Site1              switch1.Site2
           |        |                 |        |
    Red1-VLAN  Orange1-VLAN     Red2-VLAN  Orange2-VLAN


My first try was to update the gw1 routers so each had
   o  two sub-interfaces on Fa0/0 (Red subinterface
      with an ip address, Orange without)
   o  a Tunnel to the other router
   o  a bridge-group containing the tunnel and the
      Orange subinterface.

This didn't work, but the failure was strangely un-symmetric.
I didn't have remote access to the OrangeNet LANs and couldn't
really test satisfactorily but, just watching "show interface"
counters, I could see packets leaving Site2 over the tunnel
and arriving at Site1, but nothing in the other direction.

Cisco suggested that bridging over a tunnel isn't supported and
I should try something different.

So the second try was to configure the inter-site T1 as f/r with
a pair of PVCs (DLCIs 21 and 22).  I used 21 for routing and 22
for bridging OrangeNet.  That didn't work with similar symptoms.

Then Cisco suggested that I couldn't route on one subinterface of
Fa0/0 and bridge on another.  

The third try was to remove gw1 from the Orange1 VLAN and to use
a cable on nontrunked Ethernet ports between switch1.Site1 and
gw1.Site1.  [Fortunately, there was an available Fa1/0 on gw1.]

This let me see things a bit more clearly, as on gw1.Site1,
"show interface Fa1/0" showed packets arriving from switch1,
while "show frame-relay pvc 22" showed no packets going out
over the PVC towards gw1.Site1.

I figured that if Cisco had said that routing and bridging on
separate subinterfaces of Fa0/0 was bad, then they probably
thought the same about the T1 serial port, but had kept quiet
about it.

So, as a last test, hoping that they were wrong about tunnels,
I eliminated all subinterface use from gw1.Site1, bridging
Fa1/0 to Tunnel4.  The symptoms were the same.  Packets arrived
on Fa1/0 but were not passed onto Tunnel4 (both in the same
bridge-group 4).


Request for Help
----------------
While this is the first time I had the need for a configuration
like this, I can't believe the requirement is that unusual.

Am I just going about this the wrong way?

References to Cisco documents with the real restrictions would,
of course, be greatly appreciated.

The gw1 routers are 7206VXRs running 12.2(16) and 12.2(17a).
The switch1 routers are a 3548-XL-EN and a 3524-XL-EN, both
running 12.0(5).  [Old, but I don't think the switches are
involved in the problem.]
--
Bob Tinkelman <bob at tink.com>
ISPnet, Inc.  718.464.4747

