Bridge-domain traffic paths

Similar Messages

• Bridge Domain and multicast traffic

  Hi All,
  i am planning to build a Point to multipoint network based on ME3600X switch at the HQ and ISR 2900 routers at the Branches. i need to simulate a lan service.
  i though of using EOMPLS at the ISR 2900 and closing them at the ME3600X. at the ME3600X i will use bridge domain to have this point to multipoint functionality.
  at the configuration guide i saw that when i am using bridge domain i need to disable IGMP snooping on every Vlan.
  my question is how the bridge domain treat Multicast traffic ?
  furthermore, can i mix EOMPLS and Bridge Domain ?
  Thanks,
  Avi.

  Hi Avi,
  ME3600X doesn't support VPLS yet (check with your account team for the roadmap) so I don't think your design will work here. What you can do is having a router behind the ME3600X which will have a dedicated VLAN with each remote site.
  HTH
  Laurent.

• How to make ASR9000 bridge domain forward traffic between sub interfaces of same physical interface?

  Hi,
  I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
  interface GigabitEthernet0/0/0/5.21 l2transport
  description CUSTOMER A WAN
  encapsulation dot1q 21
  rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet0/0/0/10.3122 l2transport
  description CUSTOMER A CORE
  encapsulation dot1q 3122
  rewrite ingress tag pop 1 symmetric
  l2vpn
  bridge group WANLINKS
    bridge-domain CUSTOMERA
     interface GigabitEthernet0/0/0/5.21
     interface GigabitEthernet0/0/0/10.3122
  When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
  interface GigabitEthernet0/0/0/5.21 l2transport
  description CUSTOMER A WAN
  encapsulation dot1q 21
  rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet0/0/0/5.22 l2transport
  description CUSTOMER A WAN2
  encapsulation dot1q 22
  rewrite ingress tag pop 1 symmetric
  l2vpn
  bridge group WANLINKS
    bridge-domain CUSTOMERA
     interface GigabitEthernet0/0/0/5.21
     interface GigabitEthernet0/0/0/5.22
  If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
  Is this because tag rewrites are not happening since packets don't leave the physical interface?
  How can I work around this and establish a L2 connection between the two subinterfaces?
  Thank you

  a vlan is usually the equivalent of an l3 subnet, so linking 2 vlans together in the same bridge domain, likely needs to come with some sort of routing (eg a BVI interface).
  If these 2 vlans are still in the same subnet, then there is still arp going on, from one host to the other that traverses the bD.
  you will need to verify the state of the AC, the forwarding in the BD and see if something gets dropped somewhere and follow the generic packet troubleshooting guides (see support forums for that also).
  that might give a hint to what the precise issue in your forwarding is.
  regards
  xander

• Bridge-domain vs xconnect

  Hi guys, I have been readying a few documents about VPLS/EoMPLS but still confuse about the bridge-domain and xconnect. Could you please provide any ideas which scenarios I should use bridge-domain and which should be for xconnect? What is the difference between them, any documens can explain this?
  Thanks, Leo

  The simple difference between the 2 is mac learning.
  An Xcon will just throw everything it received over to the other end.
  A bridge-domain will forward traffic based on the dmac knowing where it should go. If it doesnt know it goes flooding.
  So if you have 2 circuits to connect only, VPWS or XCON is the right choice as it is simple, light weight and fast.
  If you have more then 2 end points you will need a Bridge Domain which constitutes mac learning with the notion that flooding is intensive from a hw forwarding perspective and will consume more system resources in terms of mac tables.
  xander
  Xander Thuijs #6775
  Principal Engineer ASR9000

• High bridge domain (BD) utlization

  Hello,
  is there any way to know which brdige domain/P2P Xconnect is getting more utlizaiton or traffic.
  since many BD are sharing the same physical interface there is a need to know which BD is getting more of link bandwidh.
  Mohamed.

  Hi Mohammed,
  You can run mpls netflow on the core facing interface and based on the VC label you can figure out which pseudowire is getting lot of traffic.
  other way to check would be "sh l2vpn bridge-domain bd-name xxx detail" and look at the
  Statistics:
          packets: received 0, sent 0
          bytes: received 0, sent 0
  which will be cumbersome if you have lot of p2p in the network.
  HTH,
  Chander

• How to configure 8192 bridge domain default limit shows 2048

  Hello,
   How can i scale up bridge-domain from 2048 to 8192.
   As per the link (http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-1/lxvpn/configuration/guide/lesc41/lesc41p2mps.html) ASR9000 series routers can scale up to 8192 bridge-domains.
   However my ASR9k shows the l2vpn capability to be only around 2048. How can i configure 8192 bridge-domain
  RP/0/RSP0/CPU0:ci-asr9k#show l2vpn capability 
  Tue Feb 10 14:11:36.797 EST
  Capability mode: mixed-mode
  L2vpn all-capable: N
  System capability:
    VPLS Max MAC addresses: 32000 
    VPLS Max bridge-domains: 2048 
    VPLS Max attachment circuits: 32768 
    VPLS Max pseudowires: 32768 
    RSI bit size: 13 
    Per-AC drop counters supported: Y 
    VPLS Preferred path allowed: Y 
    VPLS Preferred path fallback enable allowed: Y 
    VPLS Preferred path fallback disable allowed: Y 
    MAC withdrawal allowed: Y 
    Max attachment circuits per bridge-domain: 16384 
    VPLS Max virtual forwarding interfaces: 2048 
    VPLS Max virtual forwarding interfaces per bridge-domain: 1 
    VPLS Max pseudowires per bridge-domain: 512 
    VPLS Max pseudowires per virtual forwarding interface: 512 
    VPWS PW redundancy supported: Y 
    VPLS Access PW supported: Y 
    Bundle AC supported: Y 
    Security config supported: Y 
    DHCP snooping supported: Y 
    VPLS Static MAC filter supported: Y 
    VPLS MAC configs on bridge port supported: Y 
    VPLS Flooding config on bridge port supported: Y 
    Flood unknown unicast disable supported: Y 
    IGMP snooping supported: Y 
    MMRP flood optimization supported: Y 
    MMRP flood optimization max multicast address entries: 8192 
    MMRP flood optimization max PW participants: 262144 
    VPLS MAC Aging Default Timer Value: 300 
    VPLS MAC Aging Min Timer Value: 300 
    VPLS MAC Aging Max Timer Value: 30000 
    VPWS Max attachment circuits: 32768 
    VPWS Max pseudowires: 32768 
    VPWS Preferred path fallback enable allowed: Y 
    VPWS Preferred path fallback disable allowed: Y 
  -Ramdas

  Are there any LC scale profiles configured in the admin mode? If so, that would reduce L2 resources. If you don't need the L3 profile, remove it and reboot the router to gain back 8k bridge domains.
  Regards, 
  /A

• I have this message error when i open bridge "Process:         Adobe Bridge CC [342] Path:            /Applications/Adobe Bridge CC/Adobe Bridge CC.app/Contents/MacOS/Adobe Bridge CC Identifier:      com.adobe.bridge6 Version:         ??? (???) Code Type:

  Something to this error "
  Process:    
  Adobe Bridge CC [342]
  Path:       
  /Applications/Adobe Bridge CC/Adobe Bridge CC.app/Contents/MacOS/Adobe Bridge CC
  Identifier: 
  com.adobe.bridge6
  Version:    
  Code Type:  
  X86-64 (Native)
  Parent Process:  launchd [99]
  Date/Time:  
  2015-03-14 12:33:37.617 +0100
  OS Version: 
  Mac OS X 10.6.8 (10K549)
  Report Version:  6
  Interval Since Last Report:     
  424686 sec
  Crashes Since Last Report:      
  7
  Per-App Crashes Since Last Report:   7
  Anonymous UUID:                 
  D26D2B7A-D5F9-4B8B-8FE3-0D77F6FDEF2A
  Exception Type:  EXC_BREAKPOINT (SIGTRAP)
  Exception Codes: 0x0000000000000002, 0x0000000000000000
  Crashed Thread:  0
  Dyld Error Message:
    Library not loaded: /usr/lib/libcurl.4.dylib
    Referenced from: /Applications/Adobe Bridge CC/Adobe Bridge CC.app/Contents/MacOS/../Frameworks/dvanet.framework/Versions/A/dvanet
    Reason: Incompatible library version: dvanet requires version 7.0.0 or later, but libcurl.4.dylib provides version 6.0.0
  Binary Images:
  0x7fff5fc00000 -
  0x7fff5fc3be0f  dyld 132.1 (???) <29DECB19-0193-2575-D838-CF743F0400B2> /usr/lib/dyld
  Model: iMac7,1, BootROM IM71.007A.B03, 2 processors, Intel Core 2 Duo, 2.4 GHz, 2 GB, SMC 1.21f4
  Graphics: ATI Radeon HD 2600 Pro, ATI,RadeonHD2600, PCIe, 256 MB
  Memory Module: global_name
  AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x88), Broadcom BCM43xx 1.0 (5.10.131.42.4)
  Bluetooth: Version 2.4.5f3, 2 service, 19 devices, 1 incoming serial ports
  Network Service: Ethernet, Ethernet, en0
  Serial ATA Device: ST31000528AS, 931,51 GB
  Parallel ATA Device: MATSHITADVD-R   UJ-85J
  USB Device: Mass Storage Device, 0x058f  (Alcor Micro, Corp.), 0x6362, 0xfa400000 / 3
  USB Device: Keyboard Hub, 0x05ac  (Apple Inc.), 0x1006, 0xfa200000 / 2
  USB Device: Apple Optical USB Mouse, 0x05ac  (Apple Inc.), 0x0304, 0xfa230000 / 5
  USB Device: Apple Keyboard, 0x05ac  (Apple Inc.), 0x0221, 0xfa220000 / 4
  USB Device: Built-in iSight, 0x05ac  (Apple Inc.), 0x8502, 0xfd400000 / 2
  USB Device: Bluetooth USB Host Controller, 0x05ac  (Apple Inc.), 0x8206, 0x1a100000 / 2
  USB Device: Generic USB Hub, 0x058f  (Alcor Micro, Corp.), 0x9254, 0x1d100000 / 2
  USB Device: PTZ-630, 0x056a  (WACOM Co., Ltd.), 0x00b1, 0x1d120000 / 4
  USB Device: Composite Device, 0x0971  (GretagMacbeth AG), 0x2005, 0x1d110000 / 3
  USB Device: IR Receiver, 0x05ac  (Apple Inc.), 0x8242, 0x5d100000 / 2"

  Acrobat Support

• ME3600-ME3800: service-instance & bridge-domain syntax

  Hello,
  what is the best practice for the configuration of L3VPN on Cisco ME3XXX ?
  Old Syntax:
  interface GigabitEthernet0/1
  switchport trunk allowed vlan none
  switchport mode trunk
  service instance 2 ethernet
    encapsulation dot1q 3
    rewrite ingress tag pop 1 symmetric
    bridge-domain 4
  interface vlan 4
  vrf forwarding L3VPN-1
  ip address 2.2.2.1 255.255.255.0
  New Syntax:
  interface GigabitEthernet0/1
  switchport trunk allowed vlan none
  switchport mode trunk
  service instance 2 ethernet
    encapsulation dot1q 3
    rewrite ingress tag pop 1 symmetric
  bridge-domain 4
  member GigabitEthernet0/1 service-instance 2
  interface vlan 4
  vrf forwarding L3VPN-1
  ip address 2.2.2.1 255.255.255.0
  The new syntax is very much similar to the new syntax for L2VPN, see:
  http://www.cisco.com/en/US/docs/switches/metro/me3600x_3800x/software/design/guide/ME3600x_Design_Guide.pdf
  I'm soon sending in the field some more ME3600, so I'd like to start right.
  Best Regards
  Andrea

  Hello.
  You might have confused service instance configuration and usual switchport mode trunk.
  Please refer figure 11-10 in the document http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/12-2_52_ey/configuration/guide/3800x3600xscg/swevc.html
  >But there is a typo - per description it should be "enc doat1q 20" under service instance 9on the picture).
  Also under Figure 11-2 we have following example:
   QinQ is also supported when sending packets between an EFP and a switchport trunk, because the switchport trunk is implicitly defined as rewrite ingress tag pop 1 symmetric. The same external behavior as Method 1 can be achieved with this configuration:
  Switch (config)# interface gigabitethernet0/1 
  Switch (config-if)# service instance 1 Ethernet 
  Switch (config-if-srv)# encapsulation dot1q 1-100 
  Switch (config-if-srv)# bridge-domain 30
  Switch (config)# interface gigabitethernet0/2 
  Switch (config-if)# switchport mode trunk
  Again, service instance 1 on Gigabit Ethernet port 0/1 is configured with the VLAN encapsulations used by the customer: C-VLANs 1-100. These are forwarded on bridge-domain 30. The service provider facing port is configured as a trunk port. The trunk port implicitly pushes a tag matching the bridge-domain that the packet is forwarded on (in this case S-VLAN 30). 

• Get Domain directory path in weblogic server 10gR3

  Hi all,
  Does anyone know how to get the directory path of to a domin in WLS 10gR3 using JMX?
  Basically, I am trying to create a timer in WLI manually using Java code but for that to work, I
  need to know the domain directory path as below.
  BTW, I know it can be created in WLST with ease... but I want to try using Java code
  import com.bea.wli.mbconnector.timer.TimerConnGenerator;
  public class WLITimerTest {
  public static void main(String args[]) {
  String domainDir = <path of domain>; // e.g. C:\bea103\user_projects\domains\mydomain
  String domainDir = "C:/bea103/user_projects/domains/esis_domain";
  try {
  TimerConnGenerator.main(new String[] {"-inName", "timerName", "-outfile",
  domainDir +"/WLITimerEG_" + "timerName" + ".jar"});
            } catch (Exception e) {
                 e.printStackTrace();
  Thanks
  Sam

  Just to answer my own question. It's System.getenv('DOMAIN_HOME') where DOMAIN_HOME is set in setDomainEnv.cmd of your domain.

• Bridge domain issue

  Hi,
  Im Currently using a 4431 router configuring it with a bridge domain. Im encountering problems with the bridge domain interface not able to ping my load balancer IP address.
  We have one 4431 router connected to 2 2960 switches with 2 F5 connected to both of the switches also.
  Below is my configuration for the bridge domain:
  interface BDI1
   ip address 192.168.1.219 255.255.255.224
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   no cdp enable
  interface GigabitEthernet0/0/1
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   negotiation auto
   service instance 1 ethernet
    encapsulation untagged
    bridge-domain 1
  interface GigabitEthernet0/0/2
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   negotiation auto
   service instance 1 ethernet
    encapsulation untagged
    bridge-domain 1
  Im not able to ping my load balancer IP address:
  sg-wr01#ping 192.168.1.220
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.220, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  sg-wr01#ping 192.168.1.221
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.221, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  sg-wr01#ping 192.168.1.222
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.222, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  But when I change the bridge domain interface to a layer 3 interface I can ping the load balancer IP address:
  interface GigabitEthernet0/0/1
   ip address 192.168.1.219 255.255.255.224
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   negotiation auto
  end
  sg-wr01#ping 192.168.1.220
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.220, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  sg-wr01#ping 192.168.1.221
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.221, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  sg-wr01#ping 192.168.1.222
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.222, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  Has anyone encountered this before?
  Below is the network diagram:
  Thanks,
  Marvin

  Did you do a no shut on the BDI?
  "The initial administrative state of a BDI depends on how the BDI is created. When a BDI is created at boot time in the startup configuration, the default administrative state for the BDI will be up, and will remain in this state unless the startup configuration includes the shutdown command. This behavior is consistent with all the other interfaces. When a BDI is created dynamically by a user at command prompt, the default administrative state is down."

• Bridge-domain and trunk configuration on ES20 card.

  Hello.
  I have two 7609-S boxes equipped with ESM20G cards and WS-X6748-GE-TX cards. A trunk is configured on ports of WS cards between these devices. A very important system is to be connected with two optical links to both devices via ES20 cards for redundancy. I consider configuring it using EVC framework in the following way:
  service instance -> bridge-domain XXX -> interface VLAN XXX and enable HSRP on my devices.
  I am not sure what is the structure of conecting system so I would like to have some kind of L2 connectivity between my devices for this connection. For other connections made using ports on WS card a dedicated VLAN is allocated for every one of them and then this VLAN is simply put in trunk between devices. Can I simply add vlan XXX to the list of VLANs allowed on the WS-card-based-trunk or do I have to utilize some completely different solution? Links to any related documentation are appreciated. Tomorrow I am going to test this configruation any way but I would like to have some backup solution in case this will not work.
  Thanks in advance,
  Andrew.

  Hi Andrei,
  Im having the same dilemna and im wondering if you were able to find a solution for this?
  I need to support HSRP on a vlan interface with bridging over port channel bundled interface between routers.
  im trying this but i cant seem to get this to work.
  ----R2----
  interface Vlan10
  ip vrf forwarding BOB
  ip address 10.1.1.2 255.255.255.248
  standby 1 ip 10.1.1.1
  standby 1 priority 110
  standby 1 preempt
  end
  interface Port-channel1
  no ip address
  service instance 10 ethernet
    encapsulation dot1q 10
    bridge-domain 10
  --- R2----
  interface Vlan10
  ip vrf forwarding BOB
  ip address 10.1.1.3 255.255.255.248
  standby 1 ip 10.1.1.1
  end
  interface Port-channel1
  no ip address
  service instance 10 ethernet
    encapsulation dot1q 10
    bridge-domain 10
  BR//
  Chanuka

• Domain directory path different than unc path??

  GroupWise 8 new secondary on Linux
  things "looked right, but couldn't connect
  Checked "Display Object" in C-1 on the domain object and I see that the Domain directory path is wrong - it is not what the UNC path is.
  Where do I change it?? or do I need to copy the files from the "real" domain directory to the wrong one and change the unc path?
  This is a new empty secondary domain.
  Also the "Display Object" listing shows Unsafe = 3
  anything I need to worry about there?

  Originally Posted by dzanre
  kjhurni wrote:
  > Only because if the GWIA is down, it'll alert nobody (haha) because well,
  > the GWIA is down.
  Oh - but you don't want to use your GWIA for alerts. Monitor has its own
  SMTP mailer, so unless you HAVE to go through a relay host, monitor can
  alert you regardless of whether the system is down. I send my alerts to the
  smtp address of my phone.
  Danita
  Novell Knowledge Partner
  Moving GroupWise to Linux?
  Moving GroupWise
  Even better! Yes, we can send to the relay host and let it go wherever.
  I was just thinking that let's say a regional POA/MTA is having problems, that the delivery address for the notification should be an " internal" GW account.
  Obviously though, if the GWIA is having an issue we'd not know about it because it would try to deliver to the internal GW address and that has to go through the GWIA.
  Although with diff. groups I will see if I can put the GWIA/MTA into a special group that gets notified to like the blackberry or something (like a text message).

• Bridge domain questions

  Hi everybody.
  At work , I have seen a lot of bridge domains configured on a single switch. My question is what is bridge domain and why we use them. An example with configurations will be great.
  Thanks and have a great day.

  Hi Marvin and Rick
  Please consider the following config and questions:
  R1#  show platform
  Interrupt Throttling:
    Throttle Count   = 00052552   Timer Count      = 00039372
    Netint usec      = 00000800   Netint Mask usec = 00000240
    Active           =        0   Configured       =        1
    Longest IRQ(usec)= 00003999
  MSFC CPU IDPROM:
  IDPROM image:
    (FRU is 'C7600 MSFC4 Daughterboard')
  +++++++++++++++++++++++++++++++++++++++++
  R1#show running-config interface gigabitEthernet 9/7
  service instance 1251 ethernet
    encapsulation dot1q 1251
    rewrite ingress tacg pop 1 symmetri
    bridge-domain 440
  service instance 2001 ethernet
    encapsulation dot1q 2001
    rewrite ingress tag pop 1 symmetric
    bridge-domain 440
  +++++++++++++++++++++++++++++++++++++++++
  Let say R1 receives a packet with vlan tag 1251 on g9/7. What will happen next? will R1 update its MAc table with source mac?
  1)Will there be a mac table for bridge -domain 440?  Do we have one-to one correspondence between the two i.e each  bridge-domain has its own mac table.?
  2)Let say R1 receives a packet with vlan tag 1251 on g9/7. What will happen next? will R1 update its MAc table with source mac?
  3) Let say R1 receives a frame with vlan tag 1251 with destination mac ff:ff:ff:ff
  What will R1 do next?
  4)Will R1 forward it to all service instance in bridge-domain 440 except the one R1 receives the broadcast frame? 
  ( in our case we have two service instances under  bridge -domain 440 i.e service instance 1251 ethernet,service instance  2001 ethernet)
  5) Will R1 change the vlan tag 1251 to 2001 when forwarding the broadcast frame out of instance 2001?
  Appreciate your help.
  Thanks

• VPLS: bridge-domain o xconnect?

  Hi all,
  to attach an interface to a vfi I have seen two kind of possible solution:
  L2 vfi <name> manual
  Vpn id <VPNid>
  bridge-domain <bridge-domain id>
  Neighbor <Remote-PE>
  interface fastethernetx/y
  bridge-domain < bridge-domain id>
  or
  interface fastethernetx/y
  xconnect vfi <name>
  What is the difference between the command bridge-domain o xconnect? When I must use one or the other?
  Thanks in advance
  Gianluca

  hi! I am not entirely sure about it but this is my best shot...
  X-connect would be used to establish a pseudo-wire (point-to-point) for an EPL service like EoMPLS. That will just connect the 2 UNI together to the VC created by the X-connect command. In this case ther would be no mac table maintained for the VSI in the router.
  Bridge domain can be used so that you create a seperate bridge domain ( like a virtual bridge) and add ports to that and connect it to remote PE so that you create a VPLS connection. The PE will maintain a seperate mac table for the VSI.
  So thats what I think - PWE3 v/s VPLS..
  Correct me if I am wrong.
  Thanks....

• SR520 Locks up with Domain traffic

  Hello everyone, we are having an issue with a SR520 that I though I'd run by everyone.
  We have a SR520 setup with a site to site VPN to an ASA5505. The SR520 has 10 computers behind it and the ASA has 15 computers behind it, including the domain controller. Everything has been running smooth without issue, traffic passing in both directions, etc. However, we recently installed a Windows Domain controller (SBS 2008) at the main (asa) site and would like to start joining computers at the remote (sr520) site to the domain. What we found out is that the domain traffic locks up the SR520. So, if none of the computers are joined to the domain, it runs fine, traffic can flow in both directions. We join a computer to the domain & after a couple hours we can't access the main site from the remote site. We can access the remote site from the main site. Also, the computers at the remote site can't access the internet, although we can ping the outside interface of the SR (from a remote host), and even ssh to the SR through the VPN which runs across the internet service. We reboot the SR520 and everything works fine, for a couple of hours.
  I reviewed the access-lists and the traffic seems to be qualifying for the correct lists. I even tried to clear the acl counters, but no luck.
  My best theory, at this point, is that the domain traffic exceeds some limit and the SR gets confused and can't route the traffic anymore.
  At any rate, I had a few questions in regards to this:
  1. Any ideas?
  2. Could this be a problem with the domain traffic exceeding some compacity on the SR520? If so, how would I measure that?
  3. Does anyone have any experience with a scenario like this? Specifically, with running a SR520 at a remote site with domain-joined computers?
  4. Are there any specific debug commands that we can use to troubleshoot this?
  I can upload the configs also, but I wanted to get the discussion going. We are trying to get the smartnet cleared up, so I can open a case with the TAC, but until then I just have to do my best.
  Thanks,
  Ben

  1) LAN port speed doesn't appear to have any effect
  2) Forcing a connection type doesn't seem to have any effect. This is also rather impractical.
  3) I don't have that option (though there is a TKIP/AES mixed option). Either way, I'd rather not have to resort to using a weaker encryption method.
  4) No effect.
  I did manage to find some information about the error message (older versions of firmware didn't even offer that clue).
  http://www.dd-wrt.com/wiki/index.php/Advanced_wireless_settings#Beacon_Interval
  I ended up increasing the beacon interval from 100ms to 500ms under Wireless > Advanced Settings.
  The wifi analyzer app on android seems to keep dropping the SSID when the beacon interval is set that high, so I might have to adjust it to find a good balance.
  However, while it was set to 500ms, none of the access points went down for two days.
  [edit]: I reduced the beacon interval incrementally down to 300ms. It started locking up at 250ms.