Configuring Integrated Routing and Bridging

This module describes the configuration of Integrated Routing and Bridging (IRB). IRB provides the ability to exchange traffic between bridging services and a routed interface using a Bridge-Group Virtual Interface (BVI).

Feature History for IRB

Release

Modification

Release 6.1.1

This feature was introduced.

IRB Introduction

IRB provides the ability to route between a bridge group and a routed interface using a BVI. The BVI is a virtual interface within the router that acts like a normal routed interface. A BVI is associated with a single bridge domain and represents the link between the bridging and the routing domains on the router. To support receipt of packets from a bridged interface that are destined to a routed interface, the BVI must be configured with the appropriate IP addresses and relevant Layer 3 attributes.

Figure 1. IRB Functional View and Configuration Elements

Bridge-Group Virtual Interface

The BVI is a virtual interface within the router that acts like a normal routed interface. The BVI does not support bridging itself, but acts as a gateway for the corresponding bridge-domain to a routed interface within the router.

BVI supports only Layer 3 attributes, and has the following characteristics:

  • Uses a MAC address taken from the local chassis MAC address pool, unless overridden at the BVI interface.

  • Is configured as an interface type using the interface bvi command and uses an IPv4 address that is in the same subnet as the hosts on the segments of the bridged domain.

  • The BVI identifier is independent of the bridge-domain identifier. These identifiers do not need to correlate like they do in Cisco IOS software.

  • Is associated to a bridge group using the routed interface bvi command.

  • BVI interfaces support a number range of 1 to 4294967295.

Supported Features on a BVI

  • These interface commands are supported on a BVI:

    • bandwidth (The default is 10 Gbps and is used as the cost metric for routing protocols for the BVI)

    • ipv4

    • ipv6 (not supported in IRB environment with the Cisco ASR 9000 SIP-700)

    • mtu (The default is 1500 bytes)

    • shutdown

BVI Interface and Line Protocol States

Like typical interface states on the router, a BVI has both an Interface and Line Protocol state.

  • The BVI interface state is Up when the following occurs:

    • The BVI interface is created.

    • The bridge-domain that is configured with the routed interface bvi command has at least one available active bridge port (Attachment circuit [AC] or pseudowire [PW]).


      Note

      A BVI will be moved to the Down state if all of the bridge ports (Ethernet flow points [EFPs]) associated with the bridge domain for that BVI are down. However, the BVI will remain up if at least one pseudowire is up, even if all EFPs are down.


  • These characteristics determine when the the BVI line protocol state is up:

    • The bridge-domain is in Up state.

    • The BVI IP address is not in conflict with any other IP address on another active interface in the router.

Prerequisites for Configuring IRB

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Before configuring IRB, be sure that these tasks and conditions are met:

  • Know the IP addressing and other Layer 3 information to be configured on the bridge virtual interface (BVI).

  • Be sure that the BVI network address is being advertised by running static or dynamic routing on the BVI interface.

Restrictions for Configuring IRB

Before configuring IRB, consider these restrictions:

  • Only one BVI can be configured in any bridge domain.

  • The same BVI can not be configured in multiple bridge domains.

  • The following areas are not supported on the BVI:

    • Access Control Lists (ACLs). However, Layer 2 ACLs can be configured on each Layer 2 port of the bridge domain.

    • IP fast reroute (FRR)

    • TI-LFA

    • SR

    • LDP

    • NetFlow

    • MoFRR

    • Quality of Service (QoS)

    • Traffic mirroring

    • Unnumbered interface for BVI

    • Video monitoring (Vidmon)

    • IRB with 802.1ah (BVI and Provider Backbone Bridge (PBB) should not be configured in the same bridge domain).

    • PIM snooping. (Need to use selective flood.)

    • VRF-aware DHCP relay

  • BVIs are supported only on bridge domains with the following characteristics:

    • Untagged EFPs are supported.

  • Label allocation mode per-CE with BVI is not supported in an access network along with PE-CE protocols enabled.

How to Configure IRB

This section includes the following configuration tasks:

Configuring the Bridge Group Virtual Interface

To configure a BVI, complete the following steps.

Configuration Guidelines

Consider the following guidelines when configuring the BVI:

  • The BVI must be assigned an IPv4 or IPv6 address that is in the same subnet as the hosts in the bridged segments.

SUMMARY STEPS

  1. configure
  2. interface bvi identifier
  3. arp purge-delay seconds
  4. arp timeout seconds
  5. bandwidth rate
  6. mac-address value1 .value2 .value3
  7. mtu bytes
  8. end or commit

DETAILED STEPS


Step 1

configure

Example:

Router# configure

Enters the global configuration mode.

Step 2

interface bvi identifier

Example:

Router(config)# interface bvi 1

Specifies or creates a BVI, where identifier is a number from 1 to 65535.

Step 3

arp purge-delay seconds

Example:

Router(config-if)#arp purge-delay 120

(Optional) Specifies the amount of time (in seconds ) to delay purging of Address Resolution Protocol (ARP) table entries when the interface goes down.

The range is 1 to 65535. By default purge delay is not configured.

Step 4

arp timeout seconds

Example:

Router(config-if)# arp timeout 12200

(Optional) Specifies how long dynamic entries learned on the interface remain in the ARP cache.

The range is 30 to 2144448000 seconds. The default is 14,400 seconds (4 hours).

Step 5

bandwidth rate

Example:

Router(config-if)# bandwidth 1000000

(Optional) Specifies the amount of bandwidth (in kilobits per second) to be allocated on the interface. This number is used as the cost metric in routing protocols for the BVI.

The range is 0 to 4294967295. The default is 10000000 (10 Gbps).

Step 6

mac-address value1 .value2 .value3

Example:

Router(config-if)# mac-address 1111.2222.3333

(Optional) Specifies the 48-bit MAC address for the BVI as three dotted-hexadecimal values, and overrides use of the default MAC address. The range for each value is 0000 to ffff. A MAC address of all 0s is not supported.

Step 7

mtu bytes

Example:

Router(config-if)# mtu 2000

(Optional) Specifies the maximum transmission unit (MTU) size for packets on the interface. The range is 64 to 65535. The default is 1514.

Step 8

end or commit

Example:

Router(config-if)# end

or


Router(config-if)# commit

Saves configuration changes.

  • When you issue the end command, the system prompts you to commit changes:

    
    Uncommitted changes found, commit them before exiting(yes/no/cancel)?
    [cancel]:
    

    Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

    Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

    Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.


Configuring the Layer 2 AC Interfaces

To configure the Layer 2 AC interfaces for routing by a BVI, complete these steps.

SUMMARY STEPS

  1. configure
  2. interface [HundredGigE | TenGigE] interface-path-id[ .subinterface] l2transport
  3. ethernet-service access-group access-list-name {ingress}
  4. end or commit

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

interface [HundredGigE | TenGigE] interface-path-id[ .subinterface] l2transport

Example:


RP/0/RP0/CPU0:router(config)# interface TenGigE 0/1/0/0.1 l2transport

Enables Layer 2 transport mode on a Gigabit Ethernet or 10-Gigabit Ethernet interface or subinterface and enters interface or subinterface configuration mode, where interface-path-id is specified as the rack/slot/module/port location of the interface and .subinterface is the optional subinterface number.

Step 3

ethernet-service access-group access-list-name {ingress}

Example:


RP/0/RP0/CPU0:router(config-if)# ethernet-service access-group p-in-filter {ingress}
Controls access to an interface.
  • Use the access-list-name argument to specify a particular Ethernet services access list.

  • Use the ingress keyword to filter on inbound packets.

This example applies filters on packets inbound GigabitEthernet interface 0/2/0/2.
Step 4

end or commit

Example:


RP/0/RP0/CPU0:router(config-if)# end

or


RP/0/RP0/CPU0:router(config-if)# commit

Saves configuration changes.

  • When you issue the end command, the system prompts you to commit changes:

    
    Uncommitted changes found, commit them before exiting(yes/no/cancel)?
    [cancel]:
    
  • Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

  • Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

  • Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.


Configuring Ethernet Services Access Lists

This task configures an Ethernet services access list.

SUMMARY STEPS

  1. configure
  2. ethernet-service access-list name
  3. [sequence-number] {permit | deny } src-mac-address { src-mac-mask | any | host} dst-mac-address { dst-mac-mask | any | host}
  4. -Repeat Step 3 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. Allows you to revise an access list.
  5. end or commit
  6. show access-lists ethernet-services [access-list-name | summary

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

ethernet-service access-list name

Example:

RP/0/RP0/CPU0:router(config)# ethernet-service access-list L2ACL2

Enters Ethernet services access list configuration mode and configures access list L2ACL2.

Step 3

[sequence-number] {permit | deny } src-mac-address { src-mac-mask | any | host} dst-mac-address { dst-mac-mask | any | host}

Example:


RP/0/RP0/CPU0:router(config-es-acl)# 20 permit 1.2.3 3.2.1

(Or)

RP/0/RP0/CPU0:router(config-es-acl)# 30 deny any any

Specifies one or more conditions allowed or denied, which determines whether the packet is passed or dropped.

Step 4

-Repeat Step 3 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. Allows you to revise an access list.

-

Step 5

end or commit

Example:


RP/0/RP0/CPU0:router(config-es-acl)# end

or


RP/0/RP0/CPU0:router(config-es-acl)# commit

Saves configuration changes.

  • When you issue the end command, the system prompts you to commit changes:

    
    Uncommitted changes found, commit them before exiting(yes/no/cancel)?
    [cancel]:
    
  • Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

  • Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

  • Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 6

show access-lists ethernet-services [access-list-name | summary

Example:

RP/0/RP0/CPU0:router(config)# show access-lists ethernet-services L2ACL1

(Optional) Displays the contents of the named Ethernet services access list. As a default, contents of all Ethernet access lists are displayed.


Configuring a Bridge Group and Assigning Interfaces to a Bridge Domain

To configure a bridge group and assign interfaces to a bridge domain, complete these steps.

SUMMARY STEPS

  1. configure
  2. l2vpn
  3. bridge group bridge-group-name
  4. bridge-domain bridge-domain-name
  5. interface [HundredGigE | TenGigE] interface-path-id (or) interface [Bundle-Ether] bundle-id
  6. end or commit

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

l2vpn

Example:


RP/0/RP0/CPU0:router(config)# l2vpn

Enters L2VPN configuration mode.

Step 3

bridge group bridge-group-name

Example:


RP/0/RP0/CPU0:router(config-l2vpn)# bridge group 10

Creates a bridge group and enters L2VPN bridge group configuration mode.

Step 4

bridge-domain bridge-domain-name

Example:


RP/0/RP0/CPU0:router(config-l2vpn-bg)# bridge-domain BD_1

Creates a bridge domain and enters L2VPN bridge group bridge domain configuration mode.

Step 5

interface [HundredGigE | TenGigE] interface-path-id (or) interface [Bundle-Ether] bundle-id

Example:


RP/0/RP0/CPU0:router(config-l2vpn-bg-bd)# interface HundredGigE 0/1/0/0

Associates the 100-Gigabit Ethernet or 10-Gigabit Ethernet interface with the specified bridge domain and enters L2VPN bridge group bridge domain attachment circuit configuration mode, where interface-path-id is specified as the rack/slot/module/port location of the interface and bundle-id is the logical bundle ID configured locally on the router.

Repeat this step for as many interfaces as you want to associate with the bridge domain.

Step 6

end or commit

Example:


RP/0/RP0/CPU0:router(config-l2vpn-bg-bd-ac)# end

or


RP/0/RP0/CPU0:router(config-l2vpn-bg-bd-ac)# commit

Saves configuration changes.

  • When you issue the end command, the system prompts you to commit changes:

    
    Uncommitted changes found, commit them before exiting(yes/no/cancel)?
    [cancel]:
    
  • Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

  • Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

  • Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.


Associating the BVI as the Routed Interface on a Bridge Domain

To associate the BVI as the routed interface on a bridge domain, complete the following steps.

SUMMARY STEPS

  1. configure
  2. l2vpn
  3. bridge group bridge-group-name
  4. bridge-domain bridge-domain-name
  5. routed interface bvi identifier
  6. end or commit

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

l2vpn

Example:


RP/0/RP0/CPU0:router(config)# l2vpn

Enters L2VPN configuration mode.

Step 3

bridge group bridge-group-name

Example:


RP/0/RP0/CPU0:router(config-l2vpn)# bridge group BG_test

Creates a bridge group and enters L2VPN bridge group configuration mode.

Step 4

bridge-domain bridge-domain-name

Example:


RP/0/RP0/CPU0:router(config-l2vpn-bg)# bridge-domain 1

Creates a bridge domain and enters L2VPN bridge group bridge domain configuration mode.

Step 5

routed interface bvi identifier

Example:


RP/0/RP0/CPU0:router(config-l2vpn-bg-bd)# routed interface bvi 1

Associates the specified BVI as the routed interface for the interfaces assigned to the bridge domain.

Step 6

end or commit

Example:


RP/0/RP0/CPU0:router(config-l2vpn-bg-bd)# end

or


RP/0/RP0/CPU0:router(config-l2vpn-bg-bd)# commit

Saves configuration changes.

  • When you issue the end command, the system prompts you to commit changes:

    
    Uncommitted changes found, commit them before exiting(yes/no/cancel)?
    [cancel]:
    
  • Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

  • Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

  • Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.


Displaying Information About a BVI

To display information about BVI status and packet counters, use the following commands:

show interfaces bvi identifier [accounting ]

Displays interface status, line protocol state, and packet counters for the specified BVI.

show adjacency bvi identifier detail hardware location slot-id

Displays packet and byte transmit counters per adjacency to the specified BVI, where slot-id is specified as the rack/slot/module .

show l2vpn bridge-domain detail

Displays the reason that a BVI is down.

Additional Information on IRB

Packet Flows Using IRB

This figure shows a simplified functional diagram of an IRB implementation to describe different packet flows between Host A, B, and C. In this example, Host C is on a network with a connection to the same router. In reality, another router could be between Host C and the router shown.

Figure 2. IRB Packet Flows Between Hosts

When IRB is configured on a router, the following processing happens:

  • ARP requests are resolved between the hosts and BVI that are part of the bridge domain.

  • All packets from a host on a bridged interface go to the BVI if the destination MAC address matches the BVI MAC address. Otherwise, the packets are bridged.

  • For packets destined for a host on a routed network, the BVI forwards the packets to the routing engine before sending them out a routed interface.

  • All packets either from or destined to a host on a bridged interface go to the BVI first (unless the packet is destined for a host on the bridge domain).

  • For packets that are destined for a host on a segment in the bridge domain that come in to the router on a routed interface, the BVI forwards the packet to the bridging engine, which forwards it through the appropriate bridged interface.

Packet Flows When Host A Sends to Host B on the Bridge Domain

When Host A sends data to Host B in the bridge domain on the 10.10.0.0 network, no routing occurs. The hosts are on the same subnet and the packets are bridged between their segment interfaces on the router.

Packet Flows When Host A Sends to Host C From the Bridge Domain to a Routed Interface

Using host information from this figure, the following occurs when Host A sends data to Host C from the IRB bridging domain to the routing domain:

  • Host A sends the packet to the BVI (as long any ARP request the is resolved between the host and the BVI). The packet has the following information:

    • Source MAC address of host A.

    • Destination MAC address of the BVI.

  • Since Host C is on another network and needs to be routed, the BVI forwards the packet to the routed interface with the following information:

    • IP source MAC address of Host A (10.10.0.2) is changed to the MAC address of the BVI (10.10.0.4).

    • IP destination address is the IP address of Host C (10.20.0.3).

  • Interface 10.20.0.2 sees receipt of a packet from the routed BVI 10.10.0.4. The packet is then routed through interface 10.20.0.2 to Host C.

Packet Flows When Host C Sends to Host B From a Routed Interface to the Bridge Domain

Using host information from this figure, the following occurs when Host C sends data to Host B from the IRB routing domain to the bridging domain:

  • The packet comes into the routing domain with the following information:

    • MAC source address—MAC of Host C.

    • MAC destination address—MAC of the 10.20.0.2 ingress interface.

    • IP source address—IP address of Host C (10.20.0.3).

    • IP destination address—IP address of Host B (10.10.0.3).

  • When interface 10.20.0.2 receives the packet, it looks in the routing table and determines that the packet needs to be forwarded to the BVI at 10.10.0.4.

  • The routing engine captures the packet that is destined for the BVI and forwards it to the BVI’s corresponding bridge domain. The packet is then bridged through the appropriate interface if the destination MAC address for Host B appears in the bridging table, or is flooded on all interfaces in the bridge group if the address is not in the bridging table.

Configuration Examples for IRB

This section provides the following configuration examples:

Basic IRB Configuration: Example

The following example shows how to perform the most basic IRB configuration:


! Configure the BVI and its IPv4 address
!
RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router(config)#interface bvi 1
RP/0/RP0/CPU0:router(config-if)#ipv4 address 10.10.0.4 255.255.255.0
RP/0/RP0/CPU0:router(config-if))# exit
!
! Configure the Layer 2 AC interface
!
RP/0/RP0/CPU0:router(config)#interface HundredGigE 0/1/0/0 l2transport
RP/0/RP0/CPU0:router(config-if))# exit
!
! Configure the L2VPN bridge group and bridge domain and assign interfaces
!
RP/0/RP0/CPU0:router(config)#l2vpn
RP/0/RP0/CPU0:router(config-l2vpn)#bridge group 10
RP/0/RP0/CPU0:router(config-l2vpn-bg)#bridge-domain 1
RP/0/RP0/CPU0:router(config-l2vpn-bg-bd)#interface HundredGigE 0/1/0/0
RP/0/RP0/CPU0:router(config-l2vpn-bg-bd-if)# exit
!
! Associate a BVI to the bridge domain
!
RP/0/RP0/CPU0:router(config-l2vpn-bg-bd)# routed interface bvi 1
RP/0/RP0/CPU0:router(config-l2vpn-bg-bd)# commit

Comprehensive IRB Configuration with BVI Bundle Interfaces: Example

This example shows a more comprehensive router configuration with IRB and BVI support:



 interface Bundle-Ether100
 l2transport
 !

 interface Bundle-Ether100
 l2transport
 !

interface TenGigE0/2/0/20/2
 bundle id 100 mode active
!

  
interface TenGigE0/4/0/2/0
 bundle id 100 mode active
!

interface TenGigE0/2/0/28/0
 bundle id 101 mode active
!


interface TenGigE0/2/0/28/3
 bundle id 101 mode active
 !


interface BVI1
 ipv4 address 100.1.1.1 255.255.0.0
 ipv6 address 100:1:1::1/32
!


 interface BVI2
 ipv4 address 100.2.1.1 255.255.0.0
 ipv6 address 100:2:1::1/32
!


l2vpn
 bridge group bg1
  bridge-domain bd1
   interface Bundle-Ether100
   !
     routed interface BVI1
  !
 !
 bridge group bg2
  bridge-domain bd2
   interface Bundle-Ether101
  !
   routed interface BVI2
  !
 !
!

Adding Entries with Sequence Numbers: Example

In this example, a new entry is added to Ethernet services access list acl_5.



ethernet-service access-list acl_5
2 permit 1.2.3 5.4.3
5 permit 2.3.4. 6.5.4 
50 permit any any

configure
ethernet-service access-list acl_5
15 permit 1.5.7 7.5.1
end
ethernet-service access-list acl_5
2 permit 1.2.3 5.4.3
5 permit 2.3.4. 6.5.4 
15 permit 1.5.7 7.5.1
50 permit any any