Configuring Transparent Bridging The Cisco IOS software bridging functionality combines the advantages of a spanning-tree bridge and a full multiprotocol router. This combination provides the speed and protocol transparency of an adaptive spanning-tree bridge, along with the functionality, reliability, and security of a router. This chapter describes how to configure transparent bridging and source-route transparent (SRT) bridging.
Configuring Transparent Bridging Technology Overview Transparent Bridging Features Cisco’s transparent bridging software implementation has the following features: • Complies with the IEEE 802.1D standard. • Provides the ability to logically segment a transparently bridged network into virtual LANs.
Configuring Transparent Bridging Technology Overview Integrated routing and bridging makes it possible to route a specific protocol between routed interfaces and bridge groups, or route a specific protocol between bridge groups. Local or unroutable traffic can be bridged among the bridged interfaces in the same bridge group, while routable traffic can be routed to other routed interfaces or bridge groups.
Configuring Transparent Bridging Technology Overview Figure 8 Bridge-Group Virtual Interface in the Router Routed interface Bridge group 1 E0 E1 E3 10.0.0.1 E2 Bridged interfaces S4757 BVI 1 10.0.0.2 The bridge-group virtual interface is a normal routed interface that does not support bridging, but does represent its corresponding bridge group to the routed interface. It has all the network layer attributes (such as a network layer address and filters) that apply to the corresponding bridge group.
Configuring Transparent Bridging Technology Overview FDDI-bridged interface. But for Internet Packet Exchange (IPX), Novell-ether encapsulation from the bridge-group virtual interface is translated to raw-token or raw-FDDI when bridging IPX to a Token Ring- or FDDI-bridged interface. Because this behavior is usually not what you want, you must configure IPX SNAP or Service Advertisement Protocol (SAP) encapsulation on the bridge-group virtual interface.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List bridged network. To tie in existing bridges, you must use source-route translational bridging (SR/TLB) instead. SR/TLB is described in the chapter “Configuring Source-Route Bridging.” Bridging between Token Ring and other media requires certain packet transformations. In all cases, the MAC addresses are bit-swapped because the bit ordering on Token Ring is different from that on other media.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Configuring Transparent Bridging and SRT Bridging To configure transparent and SRT bridging, you must perform the following tasks: • Assigning a Bridge Group Number and Defining the Spanning-Tree Protocol • Assigning Each Network Interface to a Bridge Group • Choosing the OUI for Ethernet Type II Frames Assigning a Bridge Group Number and Defining the Spanning-Tree Protocol The first step in setting up your transpar
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List The purpose of placing network interfaces into a bridge group is twofold: • To bridge all nonrouted traffic among the network interfaces making up the bridge group. If the packet’s destination address is known in the bridge table, it is forwarded on a single interface in the bridge group. If the packet’s destination is unknown in the bridge table, it is flooded on all forwarding interfaces in the bridge group.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List The primary application of transparently bridged VLANs constructed in this way is to separate traffic between bridge groups of local network interfaces, to multiplex bridged traffic from several bridge groups on a shared interface (LAN or HDLC serial), and to form VLANs composed of collections of bridge groups on several routers.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List To configure a VLAN on a transparently bridged network, use the following commands beginning in global configuration mode: Command Purpose Step 1 interface type slot/port.subinterface-number Specifies a subinterface. Step 2 encapsulation sde said Specifies the IEEE 802.10 Security data exchange security association identifier (in other words, specifies the “color”).
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List forwarding decision and only switch the traffic to local interfaces configured as belonging to the same VLAN broadcast domain. Router A provides an inter-VLAN mechanism that lets Router A function as a gateway for stations on a given LAN segment by transmitting VLAN encapsulated traffic to and from other switched VLAN domains or simply transmitting traffic in native (non-VLAN) format.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Configuring a Subscriber Bridge Group The Digital Subscriber Line (xDSL) bridge support feature enables you to configure a router for intelligent bridge flooding for xDSL and other bridge applications.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Support for RFC 1483 was added in Cisco IOS Release 12.0(3)T, enabling transparent bridging between Token Ring LANs (using AAL5-SNAP PVCs) and LANs, VLANs or ELANS (using bridged PDUs). RFC 1483 defines an encapsulation type for transferring LAN data via ATM networks. For more information on configuring ATM, refer to the “Configuring ATM” chapter in the Cisco IOS Wide-Area Networking Configuration Guide.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Determining Access for Bridging You can determine access by either permitting all bridge packets or by controlling access according to Ethernet type codes. To permit all transparent bridge packets, use the following command in global configuration mode: Command Purpose dialer-list dialer-group protocol bridge permit Defines a dialer list that permits all transparent bridge packets.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Bridging in a Frame Relay Network with No Multicasts The Frame Relay bridging software uses the same spanning-tree algorithm as the other bridging functions, but allows packets to be encapsulated for transmission across a Frame Relay network. You specify IP-to-data-link connection identifier (DLCI) address mapping and the system maintains a table of both the Ethernet address and the DLCIs.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Configuring Transparent Bridging over SMDS We support fast-switched transparent bridging for Switched Multimegabit Data Service (SMDS) encapsulated serial and HSSI networks. Standard bridging commands are used to enable bridging on an SMDS interface.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Configuring Concurrent Routing and Bridging You can configure the Cisco IOS software to route a given protocol among one group of interfaces and concurrently bridge that protocol among a separate group of interfaces, all within one router. The given protocol is not switched between the two groups. Rather, routed traffic is confined to the routed interfaces and bridged traffic is confined to the bridged interfaces.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Assigning a Bridge Group Number and Defining the Spanning-Tree Protocol Prior to configuring the router for integrated routing and bridging, you must enable bridging by setting up a bridge group number and specifying a Spanning-Tree Protocol. You can choose either the IEEE 802.1D Spanning-Tree Protocol or the earlier Digital protocol upon which this IEEE standard is based.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List When you enable routing for a given protocol on the bridge-group virtual interface, packets coming from a routed interface but destined for a host in a bridged domain are routed to the bridge-group virtual interface, and are forwarded to the corresponding bridged interface. All traffic routed to the bridge-group virtual interface is forwarded to the corresponding bridge group as bridged traffic.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Note When a bridge group contains Token Ring interfaces, the Token Ring packets must not include RIF. The IEEE 802.1d transparent bridge standard specifies that frames with source routing information are to be dropped by transparent bridges; therefore, if Token Ring traffic includes RIF, it will be dropped. RIF is designated by the RII, which is the first bit of the MAC address.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Command Purpose no ip routing Disables IP routing. ip routing Enables IP routing. All interfaces in the bridge group that are bridging IP should have the same IP address. However, if you have more than one bridge group, each bridge group should have its own IP address. Enabling Autonomous Bridging Normally, bridging takes place on the processor card at the interrupt level.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List To reduce the amount of bandwidth that LAT traffic consumes on serial interfaces, you can specify a LAT-specific form of compression. Doing so applies compression to LAT frames being sent out by the Cisco IOS software through the interface in question.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Preventing the Forwarding of Dynamically Determined Stations Normally, the system forwards any frames for stations that it has learned about dynamically. By disabling this activity, the bridge will only forward frames whose address have been statically configured into the forwarding cache.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Note • Setting Filters at the MAC Layer, page 46 • Filtering LAT Service Announcements, page 51 When setting up administrative filtering, remember that there is virtually no performance penalty in filtering by Media Access Control (MAC) address or vendor code, but there can be a significant performance penalty when filtering by protocol type.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Filtering by Specific MAC Address You can filter frames with a particular MAC-layer station source or destination address. Any number of addresses can be configured into the system without a performance penalty.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Command Purpose bridge-group bridge-group input-address-list access-list-number Assigns an access list to an interface for filtering by MAC source addresses. bridge-group bridge-group output-address-list access-list-number Assigns an access list to an interface for filtering by the MAC destination addresses.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List To filter these packets on input or output, use either or both of the following commands in interface configuration mode: Command Purpose bridge-group bridge-group input-type-list access-list-number Adds a filter for Ethernet- and SNAP-encapsulated packets on input. bridge-group bridge-group output-type-list access-list-number Adds a filter for Ethernet- and SNAP-encapsulated packets on output.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list. Caution Because of their complexity, only use extended access lists if you are very familiar with the Cisco IOS software.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Filtering LAT Service Announcements The bridging software allows you to filter LAT frames. LAT bridge filtering allows the selective inclusion or exclusion of LAT multicast service announcements on a per-interface basis. Note The LAT filtering commands are not implemented for Token Ring interfaces. In the LAT protocol, a group code is defined as a decimal number in the range 0 to 255.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List To specify deny or permit conditions for LAT groups on input, use one of the following commands in interface configuration mode: Command Purpose bridge-group bridge-group input-lat-service-deny group-list Specifies the group codes with which to deny access upon input. bridge-group bridge-group input-lat-service-permit group-list Specifies the group codes with which to permit access upon input.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Note Only network administrators with a good understanding of how bridges and the Spanning-Tree Protocol work should make adjustments to spanning-tree parameters. Poorly planned adjustments to these parameters can have a negative impact on performance. A good source on bridging is the IEEE 802.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Note Each bridge in a spanning tree adopts the interval between hello BPDUs, the forward delay interval, and the maximum idle interval parameters of the root bridge, regardless of what its individual configuration might be. Adjusting the Interval between Hello BPDUs You can specify the interval between hello BPDUs.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Configuring Transparent and IRB Bridging on a PA-12E/2FE Ethernet Switch The PA-12E/2FE Ethernet switch port adapter provides Cisco 7200 series routers with up to twelve 10-Mbps and two 10/100-Mbps switched Ethernet (10BASE-T) and Fast Ethernet (100BASE-TX) interfaces for an aggregate bandwidth of 435 Mbps, full-duplex. The PA-12E/2FE port adapter supports the Ethernet, IEEE 802.3, and IEEE 802.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Note If you plan to use a PA-12E/2FE interface to boot from a network (TFTP), ensure that the interface is configured for a loop-free environment, an IP address is configured for the interface’s bridge-group virtual interface, and system boot image 11.2(10)P is installed on your router (use the show version command to view your router’s system boot image).
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Command Purpose Step 8 Step 9 Repeat Step 1 through Step 7 for each interface. copy running-config startup-config Saves the new configuration to memory. To enable integrated routing and bridging on the bridge groups, perform the following tasks beginning in global configuration mode: Command Purpose Step 1 bridge irb Enables integrated routing and bridging.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Command Purpose show running-config Displays the running configuration file. show startup-config Displays the configuration stored in NVRAM. Configuring Bridge Groups Using the 12E/2FE VLAN Configuration WebTool The 12E/2FE VLAN Configuration WebTool, shown in Figure 11, is a Web browser-based Java applet that displays configured interfaces and bridge groups for PA-12E/2FE port adapters installed in Cisco routers.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Task List Figure 11 Note Example Home Page for a Cisco 7200 Series Router (Cisco 7206 Shown) You must use a Java enabled Web browser to access the 12E/2FE VLAN Configuration WebTool from your router’s home page. All Cisco routers running Cisco IOS Release 11.0 or later have a home page. If your router has an installed PA-12E/2FE port adapter, you can access the 12E/2FE VLAN Configuration WebTool from the router’s home page.
Configuring Transparent Bridging Tuning the Transparently Bridged Network Note The VLAN Configuration WebTool hypertext link is listed in the router’s home page only when a PA-12E/2FE port adapter is installed in the router.
Configuring Transparent Bridging Tuning the Transparently Bridged Network To define a circuit group, use the following command in interface configuration mode: Command Purpose bridge-group bridge-group circuit-group circuit-group Adds a serial interface to a circuit group. For circuit groups of mixed-bandwidth serial interfaces, it might be necessary to configure a pause interval during which transmission is suspended to avoid misordering packets following changes in the composition of a circuit group.
Configuring Transparent Bridging Monitoring and Maintaining the Transparent Bridge Network Monitoring and Maintaining the Transparent Bridge Network This section describes how to monitor and maintain activity on the bridged network. You can use one or more of the following commands in privileged EXEC mode: Command Purpose clear bridge bridge-group Removes any learned entries from the forwarding database and clears the transmit and receive counts for any statically configured forwarding entries.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples • Integrated Routing and Bridging with Multiple Bridge Groups Example, page 67 • Transparently Bridged VLANs Configuration Example, page 67 • Routing between VLANs Configuration Example, page 70 • Ethernet-to-FDDI Transparent Bridging Example, page 70 • Ethernet Bridging Example, page 71 • SRT Bridging Example, page 72 • Multicast or Broadcast Packets Bridging Example, page 73 • X.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples The configuration file for the router in Figure 12 is as follows: interface tokenring 0 ip address 131.108.1.1 bridge-group 1 ! interface fddi 0 ip address 131.108.2.1 bridge-group 1 ! interface ethernet 0 ip address 192.31.7.26 bridge-group 1 ! interface serial 0 ip address 192.31.7.34 bridge-group 1 ! interface ethernet 1 ip address 192.31.7.65 bridge-group 1 ! bridge 1 protocol dec 255.255.255.0 255.255.255.0 255.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples ! bridge bridge bridge bridge ! crb 1 protocol ieee 1 route appletalk 1 route ip Basic Integrated Routing and Bridging Example Figure 13 is an example of integrated routing and bridging that uses Bridge-Group 1 to bridge and route IP. The router has three bridged Ethernet interfaces and one routed Ethernet interface. Figure 13 Basic IP Routing using Integrated Routing and Bridging Bridged domain Routed domain 3.0.0.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Complex Integrated Routing and Bridging Example Figure 14 is a more complex example of integrated routing and bridging, where bridge group 1 is used to route IP traffic, bridge IPX traffic, and bridge and route AppleTalk traffic. Figure 14 Complex Integrated Routing and Bridging Example E2 3.0.0.1 E3 7.0.0.1 E1 5.0.0.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Integrated Routing and Bridging with Multiple Bridge Groups Example In the example illustrated in Figure 15, integrated routing and bridging is used to route and bridge IP between two bridge groups. Integrated Routing and Bridging with Multiple Bridge Groups Bridge group 1 Bridge group 2 E1 E2 E2 E3 BVI 1 3.0.0.1 BVI 2 5.0.0.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Router One bridge 18 protocol ieee interface ethernet 0/1 bridge-group 18 ! interface ethernet 0/2 bridge-group 18 ! interface ethernet 0/3 bridge-group 18 ! interface fddi 4/0.8 encapsulation sde 45 bridge-group 18 ! bridge 54 protocol ieee interface ethernet 1/1 bridge-group 54 ! interface ethernet 1/2 bridge-group 54 ! interface ethernet 1/3 bridge-group 54 ! interface fddi 4/0.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples ! bridge 8 protocol ieee interface ethernet 1/1 bridge-group 8 ! interface ethernet 1/2 bridge-group 8 ! interface ethernet 1/3 bridge-group 8 ! interface ethernet 1/4 bridge-group 8 ! interface fddi 2/0.14 encapsulation sde 1008 bridge-group 8 Router Three bridge 1 protocol ieee interface ethernet 0/1 bridge-group 1 ! interface ethernet 0/2 bridge-group 1 ! interface ethernet 0/3 bridge-group 1 ! interface fddi 2/0.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Routing between VLANs Configuration Example The following example shows the configuration for the topology shown in Figure 10. IP traffic is routed to and from switched VLAN domains 300, 400, and 600 to any other IP routing interface, as is IPX for VLANs 500 and 600. Because Fast Ethernet interfaces 2/1.20 and 3/1.40 are combined in bridge group 50, all other nonrouted traffic is bridged between these two subinterfaces.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples If the other side of the FDDI ring were an FDDI interface running in encapsulation mode rather than in transparent mode, the following additional configuration commands would be needed: interface fddi 0 fddi encapsulate Ethernet Bridging Example In the following example, two buildings have networks that must be connected via a T1 link.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Router/Bridge in Building 2 The configuration file for the router in Building 2 is similar to Building 1: decnet address 3.56 ! interface ethernet 0 ip address 128.88.11.9 255.255.255.0 decnet cost 10 ! interface serial 0 ip address 128.88.2.2 255.255.255.0 bridge-group 1 decnet cost 10 ! interface ethernet 1 ip address 128.88.16.8 255.255.255.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Configuration for the New York City Router interface tokenring 0 ip address 150.136.1.1 255.255.255.128 bridge-group 1 ! interface ethernet 0 ip address 150.136.2.1 255.255.255.128 bridge-group 1 ! interface serial 0 ip address 150.136.3.1 255.255.255.128 bridge-group 1 ! bridge 1 protocol ieee Configuration for the Thule, Greenland Router interface tokenring 0 ip address 150.136.10.1 255.255.255.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples However, the following configuration might work initially but will eventually fail. The failure occurs because the configuration does not allow for an ARP broadcast with a destination address of FFFF.FFFF.FFFF, even though the destination address on the output interface is correct: access-list 700 permit 0260.8c34.0864 0000.0000.0000 access-list 700 deny 0000.0000.0000 FFFF.FFFF.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Configuration for Bridge 3 interface serial 0 encapsulation x25 x25 address 31370019565 bridge-group 5 x25 map bridge 31370019027 broadcast x25 map bridge 31370019134 broadcast ! bridge 5 protocol ieee Frame Relay Transparent Bridging Examples Figure 20 illustrates three bridges connected to each other through a Frame Relay network.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Configuration for Bridge 3 interface serial 0 encapsulation frame-relay bridge-group 5 frame-relay map bridge 27 broadcast frame-relay map bridge 134 broadcast ! bridge 5 protocol ieee Bridging in a Frame Relay Network with Multicasts The multicast facility is used to learn about the other bridges on the network, eliminating the need for the frame-relay map commands.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples encapsulation lapb multi bridge-group 1 ! bridge 1 protocol ieee Fast-Switched Transparent Bridging over ATM Example (Cisco 7000) The following configuration example enables fast-switched transparent bridging over ATM: interface atm 4/0 ip address 1.1.1.1 255.0.0.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples bridge-group 1 pulse-time 1 ! access-list 200 permit 0x0800 0xFFF8 ! dialer-list 1 protocol bridge list 200 bridge 1 protocol ieee bridge 1 hello 10 Fast-Switched Transparent Bridging over SMDS Example The following configuration example enables fast-switched transparent bridging over SMDS: interface serial 0 encapsulation smds bridge-group 1 smds multicast bridge c141.5797.1313.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Figure 21 Bridged Subnetworks with Domains Domain 1 Bridged Subnetwork Domain 2 Bridged Subnetwork To other parts of BSN E0 E1 3 3 E2 E3 3 3 3 Router A 1 T1 F0 1 FDDI F0 Router B 1 1 1 T2 To other parts of BSN E1 E2 To other parts of BSN Domain 3 F0 2 Bridged Subnetwork Router C 2 2 2 S0 S1 S2 Circuit group 7 Bridged Subnetwork Circuit group 4 S2 S0 S1 5 5 5 5 E4 5 E5 S2322 Router D To other parts
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Note To get spanning-tree information by bridge group, use the show span command. Included in this information is the root bridge of the spanning tree. The root bridge for each spanning tree can be any router in the spanning tree. The routers in this network are configured for bridging and demonstrate some of the bridging features available.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples Configuration for Router B Router B demonstrates a simple bridge configuration. It is connected to the FDDI backbone and has domain 2 defined. As such it can bridge traffic with the other FDDI-connected BSNs. Note that bridge group 1 has no relationship to bridge group 1 in Router A; bridge groups are an organization internal to each router.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples interface serial 2 bridge-group 5 bridge-group 5 circuit-group 4 ! bridge 5 domain 3 bridge 5 protocol ieee Fast Ethernet Subscriber Port, Frame Relay Trunk Example The following example uses the Fast Ethernet subinterface as the subscriber port and Frame Relay as the trunk: bridge 1 protocol ieee # Form a subscriber bridge group using policy 1 # bridge 1 subscriber-policy 1 bridge 1 protocol ieee interface fast0.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples int atm0 int atm0.1 point-to-point # # Use AAL5 SNAP encapsulation # atm pvc 1 0 101 aal5snap bridge-group 1 int atm0.2 # # Use AAL5 SNAP encapsulation # atm pvc 2 0 102 aal5snap bridge-group 1 # # Configure ATM trunk port # int atm1.
Configuring Transparent Bridging Transparent and SRT Bridging Configuration Examples %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/1, changed state to up %LINK-3-UPDOWN: Interface FastEthernet3/1, changed state to up Router(config)# int ethernet 3/2 Router(config-if)# bridge-group 20 Router(config-if)# cut-through Router(config-if)# no shutdown Router(config-if)# exit Router(config)# %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet3/2, changed state to up %LINK-3-UPDOWN: Interface E
