Today we’re going to play with bridging!!! Why are we talking about bridging in 2016, you ask? Well, because I’m going to be making a few posts as I work my way through the CCNP Cloud certification, as well as catching myself up on the new CCIE DC blueprint, so I’ll be talking a lot about VXLANs for at least a couple of posts. Since bridging is making a comeback in L2VPNs and such, I figured why not start here? Also I just want to write about something that doesn’t need 50 screenshots 🙂
Topology
In order to play with bridging I made the following lab in VIRL:
2 x IOSv routers to play with legacy bridging
2 x CSR1000v routers to play with the fancy new way of doing bridging
4 x Arista vEOS switches, no real reason why I’m using Arista…just felt like it.
Legacy Bridging
So what’s bridging? Skipping over the history lesson, a bridge on a router is effectively a software switch. It can carry layer 2 traffic just like a switch and can even run STP, which can be handy for lab scenarios if you want to play with, say, BPDU Guard but don’t have a spare switch. You can also tunnel bridged traffic to extend the L2 domain across an L3 network without a fancy L2VPN.
The bridge 1 protocol ieee command creates the first bridge and the bridge irb command allows bridge virtual interfaces (SVIs basically) to be created. Lastly we use the bridge 1 route ip command to allow routing on the BVIs.
R01(config)#bridge 1 protocol ieee
R01(config)#bridge irb
R01(config)#bridge 1 route ip
When you create a BVI it isn’t tied to a vlan the way a Switched Virtual Interface is, so if we want to give R01 an IP address in vlans 100, 200 and 300 we need to create 3 bridges, one for each vlan.
Let’s create them.
R01(config)#bridge 2 protocol ieee
R01(config)#bridge 2 route ip
R01(config)#bridge 3 protocol ieee
R01(config)#bridge 3 route ip
At this point we have created 3 bridges but the bridges don’t have any interfaces assigned. We can either assign a physical interface on its own or we can assign a subinterface to get some vlan tagging into our bridge.
I’ll create a subinterface for each of vlans 100, 200 and 300 and then assign them to the bridges we created above with the bridge-group command.
R01(config)#interface GigabitEthernet0/1.100
R01(config-subif)# encapsulation dot1Q 100
R01(config-subif)# bridge-group 1
R01(config-subif)#interface GigabitEthernet0/1.200
R01(config-subif)# encapsulation dot1Q 200
R01(config-subif)# bridge-group 2
R01(config-subif)#interface GigabitEthernet0/1.300
R01(config-subif)# encapsulation dot1Q 300
R01(config-subif)# bridge-group 3
My R01 has 4 interfaces connected to the Arista switches so I’ll go ahead and configure the other interfaces as well. On the Arista side I have made all the interfaces trunks and created the 3 vlans.
R01(config-if)#interface GigabitEthernet0/2.100
R01(config-subif)# encapsulation dot1Q 100
R01(config-subif)# bridge-group 1
R01(config-subif)# bridge-group 1 path-cost 1
R01(config-subif)#interface GigabitEthernet0/2.200
R01(config-subif)# encapsulation dot1Q 200
R01(config-subif)# bridge-group 2
R01(config-subif)#interface GigabitEthernet0/2.300
R01(config-subif)# encapsulation dot1Q 300
R01(config-subif)# bridge-group 3
R01(config-if)#interface GigabitEthernet0/3.100
R01(config-subif)# encapsulation dot1Q 100
R01(config-subif)# bridge-group 1
R01(config-subif)#interface GigabitEthernet0/3.200
R01(config-subif)# encapsulation dot1Q 200
R01(config-subif)# bridge-group 2
R01(config-subif)#interface GigabitEthernet0/3.300
R01(config-subif)# encapsulation dot1Q 300
R01(config-subif)# bridge-group 3
R01(config-if)#interface GigabitEthernet0/4.100
R01(config-subif)# encapsulation dot1Q 100
R01(config-subif)# bridge-group 1
R01(config-subif)#interface GigabitEthernet0/4.200
R01(config-subif)# encapsulation dot1Q 200
R01(config-subif)# bridge-group 2
R01(config-subif)#interface GigabitEthernet0/4.300
R01(config-subif)# encapsulation dot1Q 300
R01(config-subif)# bridge-group 3
Once that is done we can see if any mac addresses are being learned across the bridge with the show bridge command. If you are following along you may or may not see traffic at this point.
R01#show bridge

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self

Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
fa16.3e8e.d1c4   forward   Gi0/2.100        0        464        462

Bridge Group 2:

Bridge Group 3:
Legacy bridging runs a single STP instance per bridge (a CST), and it can be viewed just like on a switch. By default the router shows the detailed view, so use the brief keyword to make the output look a bit more like a switch’s.
R01(config-subif)#do show spann 1 brief

Bridge group 1
  Spanning tree enabled protocol ieee
  Root ID    Priority    4196
             Address     fa16.3e8e.d1c4
             Cost        4
             Port        10 (GigabitEthernet0/1.100)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768
             Address     fa16.3eed.1e96
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface                                     Designated
Name                 Port ID Prio Cost Sts Cost  Bridge ID            Port ID
-------------------- ------- ---- ---- --- ----- -------------------- -------
GigabitEthernet0/1.1 128.10   128    4 LIS     0  4196 fa16.3e8e.d1c4  128.5
GigabitEthernet0/2.1 128.12   128    4 BLK     0  4196 fa16.3e8e.d1c4  128.6
GigabitEthernet0/3.1 128.13   128    4 FWD     4 32768 fa16.3eed.1e96  128.13
GigabitEthernet0/4.1 128.14   128    4 FWD     4 32768 fa16.3eed.1e96  128.14
We can also adjust the bridge and STP parameters under an interface by looking at the options of the same bridge-group command we used to put the interface into the bridge. Many of these options are not terribly useful anymore, but we can set the port cost and/or priority if needed.
R01(config)#int g0/2.100
R01(config-subif)#bridge-group 1 ?
  input-address-list         Filter packets by source address
  input-lat-service-deny     Deny input LAT service advertisements matching a group list
  input-lat-service-permit   Permit input LAT service advertisements matching a group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-pattern-list         Filter input with a pattern list
  input-type-list            Filter incoming Ethernet packets by type code
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a group list
  output-lat-service-permit  Permit output LAT service advertisements matching a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-pattern-list        Filter output with a pattern list
  output-type-list           Filter outgoing Ethernet packets by type code
  path-cost                  Set interface path cost
  priority                   Set interface priority
  spanning-disabled          Disable spanning tree on a bridge group
  subscriber-loop-control    Configure subscriber loop control
  <cr>
Let’s change the cost for the hell of it!!!!
R01(config-subif)#bridge-group 1 path-cost 1
Now we can see STP recalculating to make g0/2.100 the root port.
R01(config-subif)#do sh spann 1 brief

Bridge group 1
  Spanning tree enabled protocol ieee
  Root ID    Priority    4196
             Address     fa16.3e8e.d1c4
             Cost        1
             Port        12 (GigabitEthernet0/2.100)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768
             Address     fa16.3eed.1e96
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface                                     Designated
Name                 Port ID Prio Cost Sts Cost  Bridge ID            Port ID
-------------------- ------- ---- ---- --- ----- -------------------- -------
GigabitEthernet0/1.1 128.10   128    4 BLK     0  4196 fa16.3e8e.d1c4  128.5
GigabitEthernet0/2.1 128.12   128    1 LRN     0  4196 fa16.3e8e.d1c4  128.6
GigabitEthernet0/3.1 128.13   128    4 FWD     1 32768 fa16.3eed.1e96  128.13
GigabitEthernet0/4.1 128.14   128    4 FWD     1 32768 fa16.3eed.1e96  128.14
And now it is the root port!
R01(config-subif)#do sh spann 1 brief

Bridge group 1
  Spanning tree enabled protocol ieee
  Root ID    Priority    4196
             Address     fa16.3e8e.d1c4
             Cost        1
             Port        12 (GigabitEthernet0/2.100)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768
             Address     fa16.3eed.1e96
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface                                     Designated
Name                 Port ID Prio Cost Sts Cost  Bridge ID            Port ID
-------------------- ------- ---- ---- --- ----- -------------------- -------
GigabitEthernet0/1.1 128.10   128    4 BLK     0  4196 fa16.3e8e.d1c4  128.5
GigabitEthernet0/2.1 128.12   128    1 FWD     0  4196 fa16.3e8e.d1c4  128.6
GigabitEthernet0/3.1 128.13   128    4 FWD     1 32768 fa16.3eed.1e96  128.13
GigabitEthernet0/4.1 128.14   128    4 FWD     1 32768 fa16.3eed.1e96  128.14
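Eyeballing two of those outputs works in a lab, but on a production bridge you want a root-port move or a port flipping to BLK to show up without a human staring at the screen. As an added example (my own code, not from the post), here is a small Python parser for the port table of the legacy show spanning-tree brief output that reports what changed between two snapshots; the two inputs are trimmed copies of the before and after outputs above, and the field names are my own.

```python
import re

# Trimmed copies of the post's two "show spanning-tree 1 brief" outputs, before and
# after "bridge-group 1 path-cost 1" on g0/2.100: the root-port line plus the port table.
BEFORE = """\
             Port        10 (GigabitEthernet0/1.100)
Name                 Port ID Prio Cost Sts Cost  Bridge ID            Port ID
-------------------- ------- ---- ---- --- ----- -------------------- -------
GigabitEthernet0/1.1 128.10   128    4 LIS     0  4196 fa16.3e8e.d1c4  128.5
GigabitEthernet0/2.1 128.12   128    4 BLK     0  4196 fa16.3e8e.d1c4  128.6
GigabitEthernet0/3.1 128.13   128    4 FWD     4 32768 fa16.3eed.1e96  128.13
GigabitEthernet0/4.1 128.14   128    4 FWD     4 32768 fa16.3eed.1e96  128.14
"""
AFTER = """\
             Port        12 (GigabitEthernet0/2.100)
Name                 Port ID Prio Cost Sts Cost  Bridge ID            Port ID
-------------------- ------- ---- ---- --- ----- -------------------- -------
GigabitEthernet0/1.1 128.10   128    4 BLK     0  4196 fa16.3e8e.d1c4  128.5
GigabitEthernet0/2.1 128.12   128    1 FWD     0  4196 fa16.3e8e.d1c4  128.6
GigabitEthernet0/3.1 128.13   128    4 FWD     1 32768 fa16.3eed.1e96  128.13
GigabitEthernet0/4.1 128.14   128    4 FWD     1 32768 fa16.3eed.1e96  128.14
"""

ROOT_PORT = re.compile(r"^\s*Port\s+(\d+)\s+\((\S+)\)")
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<pid>\d+\.\d+)\s+(?P<prio>\d+)\s+(?P<cost>\d+)\s+"
    r"(?P<sts>[A-Z]{3})\s+(?P<root_cost>\d+)\s+(?P<dprio>\d+)\s+(?P<dmac>[0-9a-f.]+)")

def parse_brief(text):
    """Return (root port name, {port: {cost, sts, root_cost, designated bridge}})."""
    root, ports = None, {}
    for line in text.splitlines():
        if m := ROOT_PORT.match(line):
            root = m.group(2)
        elif m := ROW.match(line):
            ports[m["name"]] = {
                "cost": int(m["cost"]),            # this port's own path cost
                "sts": m["sts"],                   # LIS / LRN / FWD / BLK
                "root_cost": int(m["root_cost"]),  # designated cost toward the root
                "designated": f'{m["dprio"]} {m["dmac"]}',
            }
    return root, ports

def stp_changes(before, after):
    """List what moved between two snapshots: root port first, then per-port field diffs."""
    root_b, ports_b = parse_brief(before)
    root_a, ports_a = parse_brief(after)
    changes = []
    if root_b != root_a:
        changes.append(f"root port {root_b} -> {root_a}")
    for name in sorted(set(ports_b) | set(ports_a)):
        b, a = ports_b.get(name), ports_a.get(name)
        if b is None or a is None:
            changes.append(f"{name}: {'appeared' if b is None else 'vanished'}")
            continue
        diff = [f"{k} {b[k]}->{a[k]}" for k in b if b[k] != a[k]]
        if diff:
            changes.append(f"{name}: " + ", ".join(diff))
    return changes
```

Run against the two snapshots it reports the root port moving from g0/1.100 to g0/2.100, g0/1.1 going LIS to BLK, g0/2.1 dropping to cost 1 and forwarding, and the cost to root on g0/3.1 and g0/4.1 falling from 4 to 1.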
You can also enable some other STP features like portfast if you want to play around with them.
R01(config)#spanning-tree ?
  backbonefast  Enable BackboneFast Feature
  portfast      Spanning tree portfast options
  uplinkfast    Enable UplinkFast Feature
Now that our router is acting like a switch we can test out BPDU Guard on the Arista.
ASW1(config)#int e5-6
ASW1(config-if-Et5-6)#spanning bpduguard enable
ASW1(config-if-Et5-6)#
Nov 23 00:56:20 ASW1 StpTxRx: %SPANTREE-4-BLOCK_BPDUGUARD: Received BPDU packet on Ethernet5 with BPDU guard enabled. Disabling interface. (source mac fa:16:3e:ed:1e:96)
ASW1(config-if-Et5-6)#
Nov 23 00:56:20 ASW1 Ebra: %ETH-4-ERRDISABLE: bpduguard error detected on Ethernet5.
ASW1(config-if-Et5-6)#
Nov 23 00:56:20 ASW1 StpTxRx: %SPANTREE-4-BLOCK_BPDUGUARD: Received BPDU packet on Ethernet5 with BPDU guard enabled. Disabling interface. (source mac fa:16:3e:ed:1e:96)
ASW1(config-if-Et5-6)#
Nov 23 00:56:20 ASW1 StpTxRx: %SPANTREE-4-BLOCK_BPDUGUARD: Received BPDU packet on Ethernet6 with BPDU guard enabled. Disabling interface. (source mac fa:16:3e:95:01:22)
ASW1(config-if-Et5-6)#
Nov 23 00:56:20 ASW1 Ebra: %ETH-4-ERRDISABLE: bpduguard error detected on Ethernet6.
ASW1(config-if-Et5-6)#
Nov 23 00:56:20 ASW1 Stp: %SPANTREE-6-INTERFACE_DEL: Interface Ethernet5 has been removed from instance Vl1
Nov 23 00:56:20 ASW1 Stp: %SPANTREE-6-INTERFACE_DEL: Interface Ethernet6 has been removed from instance Vl1 (message repeated 3 times in 0.0080005 secs)
Nov 23 00:56:20 ASW1 Stp: %SPANTREE-6-INTERFACE_DEL: Interface Ethernet6 has been removed from instance Vl100
Nov 23 00:56:20 ASW1 Stp: %SPANTREE-6-INTERFACE_DEL: Interface Ethernet6 has been removed from instance Vl200
Nov 23 00:56:20 ASW1 Stp: %SPANTREE-6-INTERFACE_DEL: Interface Ethernet6 has been removed from instance Vl300
ASW1(config-if-Et5-6)#
Nov 23 00:56:20 ASW1 Ebra: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet5, changed state to down
ASW1(config-if-Et5-6)#
Nov 23 00:56:20 ASW1 Ebra: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet6, changed state to down
It works!!!
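Those log lines are exactly what a monitoring system should be watching for on access ports, because BPDU Guard is what stops an unexpected bridge (here, our router) from joining the spanning tree. As an added example that is not part of the post, this Python snippet parses the Arista messages, normalises the source MAC into Cisco’s dotted format and matches it against the bridge IDs we expect to see; the sample log is copied from the output above, and only R01’s bridge MAC (from its show spanning-tree output) is in the known list, so the Ethernet6 sender is reported as unknown.

```python
import re
from collections import defaultdict

# Sample input: Arista syslog lines copied from the post's BPDU Guard test above.
LOG = """\
Nov 23 00:56:20 ASW1 StpTxRx: %SPANTREE-4-BLOCK_BPDUGUARD: Received BPDU packet on Ethernet5 with BPDU guard enabled. Disabling interface. (source mac fa:16:3e:ed:1e:96)
Nov 23 00:56:20 ASW1 Ebra: %ETH-4-ERRDISABLE: bpduguard error detected on Ethernet5.
Nov 23 00:56:20 ASW1 StpTxRx: %SPANTREE-4-BLOCK_BPDUGUARD: Received BPDU packet on Ethernet6 with BPDU guard enabled. Disabling interface. (source mac fa:16:3e:95:01:22)
Nov 23 00:56:20 ASW1 Ebra: %ETH-4-ERRDISABLE: bpduguard error detected on Ethernet6.
Nov 23 00:56:20 ASW1 Ebra: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet5, changed state to down
"""

# Bridges we expect to hear BPDUs from: R01's bridge MAC as printed by its
# "show spanning-tree 1 brief" (Cisco dotted notation). Everything else is unknown.
KNOWN_BRIDGES = {"fa16.3eed.1e96": "R01"}

BPDU = re.compile(r"%SPANTREE-4-BLOCK_BPDUGUARD: Received BPDU packet on (?P<intf>\S+) with "
                  r".*\(source mac (?P<mac>[0-9a-fA-F:.-]+)\)")
ERRDIS = re.compile(r"%ETH-4-ERRDISABLE: bpduguard error detected on (?P<intf>\S+)\.")

def normalize_mac(mac):
    """Turn fa:16:3e:ed:1e:96, FA-16-3E-ED-1E-96 or fa16.3eed.1e96 into fa16.3eed.1e96."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))

def bpduguard_events(log):
    """Per interface: the set of BPDU source MACs seen and whether the port was errdisabled."""
    events = defaultdict(lambda: {"sources": set(), "errdisabled": False})
    for line in log.splitlines():
        if m := BPDU.search(line):
            events[m["intf"]]["sources"].add(normalize_mac(m["mac"]))
        elif m := ERRDIS.search(line):
            events[m["intf"]]["errdisabled"] = True
    return dict(events)

def attribute(events, known=KNOWN_BRIDGES):
    """Map each errdisabled port to who tripped it: a known lab bridge or an unknown sender."""
    report = {}
    for intf, ev in sorted(events.items()):
        if ev["errdisabled"]:
            report[intf] = [known.get(mac, f"UNKNOWN {mac}") for mac in sorted(ev["sources"])]
    return report
```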
Because we enabled IRB we can also create BVI interfaces and give them IP addresses.
R01(config-subif)#interface BVI1
R01(config-if)# ip address 100.0.0.1 255.255.255.0
R01(config-if)#interface BVI2
R01(config-if)# ip address 100.2.2.1 255.255.255.0
R01(config-if)#interface BVI3
R01(config-if)# ip address 100.3.3.1 255.255.255.0
On the Arista side I’ll create an SVI and give it an IP as well.
ASW1(config)#int vlan 100
ASW1(config-if-Vl100)#ip add 100.0.0.254/24
ASW1(config-if-Vl100)#no shut
And we can see it works fine.
ASW1(config)#ping 100.0.0.1
PING 100.0.0.1 (100.0.0.1) 72(100) bytes of data.
80 bytes from 100.0.0.1: icmp_req=1 ttl=255 time=184 ms
80 bytes from 100.0.0.1: icmp_req=2 ttl=255 time=68.0 ms
80 bytes from 100.0.0.1: icmp_req=3 ttl=255 time=56.0 ms
80 bytes from 100.0.0.1: icmp_req=4 ttl=255 time=60.0 ms
80 bytes from 100.0.0.1: icmp_req=5 ttl=255 time=48.0 ms

--- 100.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 656ms
rtt min/avg/max/mdev = 48.003/83.205/184.012/50.814 ms, ipg/ewma 164.010/131.482 ms
Bridge-Domain
IOS-XE doesn’t support legacy bridging, but it has a superior feature called Bridge Domains. It also supports more robust switching features like port-channels, and its command output is more up to date.
Port-Channels
Let’s take advantage of the port-channel feature on the CSRs.
But first I’ll set the Arista switches to use RSTP, and set up the port-channels on their side.
ASW3(config)#spanning-tree mode rapid-pvst
ASW4(config)#spanning-tree mode rapid-pvst
The Arista switches operate very similarly to Nexus switches, so it is best to configure the port-channel before assigning the interfaces to it. My CSR has 4 interfaces connected, two in ASW3 and two in ASW4.
ASW3(config)#interface Port-Channel1
ASW3(config-if-Po1)# switchport mode trunk
ASW3(config-if-Po1)#int e10-11
ASW3(config-if-Et10-11)#channel-group 1 mode active
ASW4(config)#spanning-tree mode rapid-pvst
ASW4(config)#
ASW4(config)#interface Port-Channel1
ASW4(config-if-Po1)# switchport mode trunk
ASW4(config-if-Po1)#int e10-11
ASW4(config-if-Et10-11)#channel-group 1 mode active
On the CSR we have to create port-channel interfaces before we can assign them so go ahead and do that now.
R04(config)#interface port-channel 1
*Nov 22 19:45:12.969: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
R04(config-if)#exit
R04(config)#interface range g4-5
R04(config-if-range)#channel-group 1 mode active
R04(config-if-range)#
*Nov 22 19:45:54.689: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4, changed state to down
*Nov 22 19:45:54.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5, changed state to down
R04(config-if-range)#exit
R04(config)#
*Nov 22 19:46:01.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4, changed state to up
R04(config)#
*Nov 22 19:46:02.677: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5, changed state to up
R04(config)#
*Nov 22 19:46:24.216: GigabitEthernet5 added as member-1 to port-channel1
*Nov 22 19:46:24.224: GigabitEthernet4 added as member-2 to port-channel1
R04(config)#
*Nov 22 19:46:26.218: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
R04(config)#
*Nov 22 19:46:27.218: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
R04(config)#interface port-channel 2
R04(config-if)#exit
R04(config)#interface range g2-3
R04(config-if-range)#channel-group 2 mode active
Once the port channels are up we can see the status just like on a switch with the show etherchannel summary command.
R04(config)#do sh etherchannel summary
Flags:  D - down        P/bndl - bundled in port-channel
        I - stand-alone s/susp - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(RU)         LACP      Gi4(bndl) Gi5(bndl)
2      Po2(RU)         LACP      Gi2(bndl) Gi3(bndl)

RU - L3 port-channel UP State
SU - L2 port-channel UP state
Super Bridging!
On IOS-XE bridging is done using service instances, a very flexible and powerful feature that we’ll be playing with a lot when we do VXLANs and such. The feature is part of the Ethernet Virtual Connection (EVC) framework. Each service instance matches an 802.1Q tag, or alternatively matches untagged traffic. An interface can hold 4094 service instances if you get a little carried away 🙂
Under the service instance, assign the vlan just like you normally would for a subinterface and then assign a bridge domain. Bridge-Domain Interfaces (BDIs) also use the encapsulation dot1q command to associate vlans, so you will need to create multiple bridge-domains if you want to give each of our vlans an IP interface.
R04(config)#interface port-channel 1
R04(config-if)# service instance 1 ethernet
R04(config-if-srv)# encapsulation dot1q 100
R04(config-if-srv)# bridge-domain 100
R04(config-if-srv)# service instance 2 ethernet
R04(config-if-srv)# encapsulation dot1q 200
R04(config-if-srv)# bridge-domain 200
R04(config-if-srv)# service instance 3 ethernet
R04(config-if-srv)# encapsulation dot1q 300
R04(config-if-srv)# bridge-domain 300
I’ll do the same for port-channel 2.
R04(config)#interface port-channel 2
R04(config-if)# service instance 1 ethernet
R04(config-if-srv)# encapsulation dot1q 100
R04(config-if-srv)# bridge-domain 100
R04(config-if-srv)# service instance 2 ethernet
R04(config-if-srv)# encapsulation dot1q 200
R04(config-if-srv)# bridge-domain 200
R04(config-if-srv)# service instance 3 ethernet
R04(config-if-srv)# encapsulation dot1q 300
R04(config-if-srv)# bridge-domain 300
STP is off by default on an IOS-XE router.
R04(config)#do sh spanning
No spanning tree instance exists.
The router supports all the STP choices that we know and love.
R04(config)#spanning-tree mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode
We’ll stick with RSTP to keep things somewhat simple.
R04(config)#spanning mode rapid-pvst
If we are quick with checking the spanning-tree status we can see our two port-channels going through the STP process.
R04(config)#do show spanning vlan 100

VLAN0100
  Spanning tree enabled protocol rstp
  Root ID    Priority    32868
             Address     001e.e6fd.aabb
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     001e.e6fd.aabb
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  0 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg LRN 3         128.13   P2p
Po2                 Desg LRN 3         128.17   P2p
As it happens the router has become root for vlan 100.
R04(config)#do show spanning vlan 100

VLAN0100
  Spanning tree enabled protocol rstp
  Root ID    Priority    32868
             Address     001e.e6fd.aabb
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     001e.e6fd.aabb
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  0 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg FWD 3         128.13   P2p
Po2                 Desg FWD 3         128.17   P2p
We can give vlan 100 an IP address by creating a BDI interface, assigning the vlan, and giving it an IP. The BDI # has to match the assigned bridge-domain under the interface.
R04(config)#interface bdi 100
R04(config-if)#encapsulation dot1q 100
R04(config-if)#ip add 100.0.0.4 255.255.255.0
R04(config-if)#no shut
R04(config-if)#
*Nov 23 01:57:15.436: %LINK-3-UPDOWN: Interface BDI100, changed state to up
R04(config-if)#
*Nov 23 01:57:16.436: %LINEPROTO-5-UPDOWN: Line protocol on Interface BDI100, changed state to up
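Because the tag-to-bridge-domain mapping is set per service instance, it is easy to point one VLAN at another VLAN’s bridge-domain on a second interface and quietly merge two L2 domains that were meant to be separate. As an added example (my own code, not from the post or from Cisco), this Python check parses a config in the shape of the one above and flags a dot1q tag that lands in more than one bridge-domain, plus a BDI whose number has no bridge-domain behind it; the config it reads is constructed with both mistakes on purpose.

```python
import re
from collections import defaultdict

# Constructed IOS-XE snippet shaped like the post's Port-channel/BDI config, with two
# deliberate mistakes: Po2 sends tag 200 into bridge-domain 100 (merging vlans 100 and
# 200 into one L2 domain) and BDI300 exists without any service instance in bridge-domain 300.
CONFIG = """\
interface Port-channel1
 service instance 1 ethernet
  encapsulation dot1q 100
  bridge-domain 100
 service instance 2 ethernet
  encapsulation dot1q 200
  bridge-domain 200
interface Port-channel2
 service instance 2 ethernet
  encapsulation dot1q 200
  bridge-domain 100
interface BDI100
 encapsulation dot1q 100
interface BDI300
 encapsulation dot1q 300
"""

def parse_efps(config):
    """Return (efps, bdis): one dict per service instance, and {BDI number: its dot1q tag}."""
    efps, bdis = [], {}
    intf = efp = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            intf, efp = m.group(1), None
            if intf.startswith("BDI"):
                bdis[int(intf[3:])] = None
        elif m := re.match(r"service instance (\d+) ethernet", line):
            efp = {"intf": intf, "id": int(m.group(1)), "dot1q": None, "bd": None}
            efps.append(efp)
        elif m := re.match(r"encapsulation dot1q (\d+)", line):
            if efp is not None:
                efp["dot1q"] = int(m.group(1))
            elif intf is not None and intf.startswith("BDI"):
                bdis[int(intf[3:])] = int(m.group(1))
        elif (m := re.match(r"bridge-domain (\d+)", line)) and efp is not None:
            efp["bd"] = int(m.group(1))
    return efps, bdis

def check(config):
    """Lab policy: each dot1q tag lands in exactly one bridge-domain, and every BDI is backed by one."""
    efps, bdis = parse_efps(config)
    findings, tag_to_bd = [], defaultdict(set)
    for e in efps:
        if e["dot1q"] is None or e["bd"] is None:
            findings.append(f"{e['intf']} service instance {e['id']}: missing encapsulation or bridge-domain")
        else:
            tag_to_bd[e["dot1q"]].add(e["bd"])
    for tag, bds in sorted(tag_to_bd.items()):
        if len(bds) > 1:
            findings.append(f"dot1q {tag} lands in bridge-domains {sorted(bds)}: VLANs merged")
    for bdi in sorted(bdis):
        if bdi not in {e["bd"] for e in efps}:
            findings.append(f"BDI{bdi} has no service instance in bridge-domain {bdi}")
    return findings
```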
On the Arista I’ll make an SVI and assign an IP.
ASW4(config)#int vlan 100
ASW4(config-if-Vl100)#ip add 100.0.0.253/24
ASW4(config-if-Vl100)#no shut
And we can ping across vlan 100!!!
ASW4(config-if-Vl100)#ping 100.0.0.4
PING 100.0.0.4 (100.0.0.4) 72(100) bytes of data.
80 bytes from 100.0.0.4: icmp_req=2 ttl=255 time=44.0 ms
80 bytes from 100.0.0.4: icmp_req=3 ttl=255 time=40.0 ms
80 bytes from 100.0.0.4: icmp_req=4 ttl=255 time=44.0 ms

--- 100.0.0.4 ping statistics ---
5 packets transmitted, 3 received, 40% packet loss, time 1140ms
rtt min/avg/max/mdev = 40.002/42.669/44.003/1.885 ms, ipg/ewma 285.017/43.565 ms
Hi, I am also studying for my CCIE Data Center and I would like to link up with you and exchange some ideas.