Cisco ISR Bridging LTE – Cisco C899G LTE ISR as Transparent IP Router/Bridge

bridgingcisco-isrlte

I have a Cisco ISR router C899G with LTE Cellular interface. I'd like to bridge the LTE into one of the eth ports in order to tap the wan link into my firewall device. When I try the BVI method as follows:

interface Cellular0
  bridge-group 1

The device complains that the interface does not support bridging. How can I achieve simple transparent LTE Layer3 to ethernet routing? Could this somehow be achieved through dialer interfaces? I'm quite lost with this.

EDIT: by "bridging" I mean that IP traffic should be "bridged" transparently such that the public ip address is assigned to the firewall sitting behind the ISR LTE router in a same manner that many consumer appliance support (transparent connection on L3). IP communication should be transparent between wan and the firewall.

I have tried the following but the device behind GigabitEthernet9 does not get an ip:

!
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface Cellular0
 no ip address
 ip virtual-reassembly in
 encapsulation slip
 ip tcp adjust-mss 1318
 dialer in-band
 dialer pool-member 1
 async mode interactive
 routing dynamic
!
interface GigabitEthernet9
 no ip address
 duplex auto
 speed auto
 bridge-group 1
!
interface Dialer1
 !ip address negotiated !With this we get  an ip for the dialer interface
 no ip address
 dialer pool 1
 dialer idle-timeout 0
 dialer string lte
 dialer persistent
 no cdp enable
 bridge-group 1
!

Best Answer

I think that's an X/Y-problem. What you need to do is route from LTE to IPoE (transparently or NATed) and then connect your firewall for analysis and filtering.

Bridging happens on the data link layer (L2) and that's impossible between LTE and IP due to framing differences. LTE encapsulates IP and IPoLTE to IPoE needs to be routed.

After all, there's little point in jumping through hoops trying to capture from the LTE interface (more or less directly) when you don't do any significant filtering before the firewall.

Edit: Here is a tested config for the isr router to achieve this passthrough routing with 1 to 1 nat:

!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 ip tcp adjust-mss 1318
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer-group 1
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
!
interface GigabitEthernet9
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source static 10.1.1.1 interface Cellular0
ip route 0.0.0.0 0.0.0.0 Cellular0
!

This works when the firewall/router wan interface is plugged into the isr routers ge9 port and the wan interface is configured with 10.1.1.1 ip address.

Related Solutions

Cisco ISR G2 encrypted bandwidth restriction

You are running into one of the fun, new, restrictions of the ISR Generation 2.

I assume you have the basic "security" licensing package installed as noted by this part of the message:

securityk9 technology package license

However the securityk9 package is Cisco's "unrestricted export" version of that license, and will artificially limit you. You need the hseck9 package. See this white paper for more information. It says in part:

The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E.

With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.

The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license requires the universalk9 image and the SEC license pre-installed.

A quick way to check which license you have, is to issue the following command on your router:

show license feature

This will show you which licenses you have purchased from Cisco and installed on this router. You need to make sure that the hseck9 license is enabled. Otherwise you will be limited to that 85Mbps limit for encrypted traffic. Which on circuits below 100Mbps, might not be an issue, and you could safely ignore this problem. Either way, see this page for more information on installing the new license once you purchase it.

Another handy command for troubleshooting this is:

show platform cerm-information

This will either spit out a list of information about the limits in place, including the failed encrypt/decrypt packet counts, or it will give you the following:

router-1#show platform cerm-information 
Crypto Export Restrictions Manager(CERM) Information:
 CERM functionality: DISABLED

More information on this command here.

Cisco C891F-K9 ISR – Latency Issues Explained

What is the multicast routing latency of Cisco C891F-K9 ISR? Please cite references for your answer. I think it's store-forward type and isn't one of the fastest models (given its price!).

... from the comments: we want to know the effective bandwidth of routing multicast packets w/o dropping any packets.

What you're looking for is the RFC 2544 No Drop Rate (NDR), which is shown in Table 1 of Cisco's Portable Product Sheet, I've included a copy of it inline below...

Portable Product Sheet

In short, the fastest a Cisco 891 can forward packets without dropping them is 100Kpps, which translates to 10 microseconds of latency; however, realize this is the fastest you can forward traffic. The performance will be lower if you turn on interface-level features, such as netflow, CBWFQ, or security access-lists. Unfortunately you can't know how much lower without testing the performance yourself; you can use tools such as iperf3 for this kind of testing.

Usually it's a safe assumption to take 60% of the maximum NDR and use that number as your forwarding rate (with a lot of features); 60% of 100Kpps is 60Kpps, or 17 microseconds of latency. There should not be a meaningful difference between unicast and multicast forwarding rates.

... from the comments: the Cisco 891 seems to be limited to 20 us => 50k packets/sec => 26 Mpbs for 64 byte packets. 4.5 us => 114 Mpbs

This is where your assumptions are leading you sideways. A router's NDR is measured with 64-byte frames, but you should not use that to build the maximum possible bandwidth of the device, because no sane person builds services that inefficiently; we all use much larger frames than 64-bytes. You're the only person who can tell us what your average server's packets will be, but let's assume they are 300 bytes:

Cisco 891 @ 60Kpps (many features) and 300 byte IP packets: 144Mbps
Cisco 891 @ 100Kpps and 300 byte IP packets: 240Mbps

Final notes:

Keep in mind that the PPS forwarding rate of the router is a unidirectional measurement. Bidirectional traffic will consume part of those numbers... so if we use 60Kpps / 300-byte packets, and you require 90Mbps downstream, you should plan on no more than 54 Mbps of upstream traffic.

Also account for the reality that network engineers do not want to operate routers at 100% CPU all the time. Usually we start looking for upgrades around 70 or 80% CPU.

So... all that said, your best approach to finding out whether a Cisco 891 is enough is to do some testing with the real services and features that you're going to pass in production. If your IT staff won't turn on many features, plan on 100Mbps bi-directionally. If your IT staff needs to turn on a lot of features, you really should test the router with the combination of features you think you'll need.

Best Answer

Related Solutions

Cisco ISR G2 encrypted bandwidth restriction

Cisco C891F-K9 ISR – Latency Issues Explained

Related Topic