Cisco BC-23 User Manual
Configuring Transparent Bridging
The Cisco IOS software bridging functionality combines the advantages of a spanning-tree bridge and a
full multiprotocol router. This combination provides the speed and protocol transparency of an adaptive
spanning-tree bridge, along with the functionality, reliability, and security of a router.
This chapter describes how to configure transparent bridging and source-route transparent (SRT)
bridging. This chapter also describes the concepts of virtual networking, transparent bridging of virtual
LANs (VLANs), and routing between VLANs. For a complete description of the transparent bridging
commands mentioned in this chapter, refer to the “Transparent Bridging Commands” chapter in the
Cisco IOS Bridging and IBM Networking Command Reference, Volume I. To locate documentation of
other commands that appear in this chapter, use the command reference master index or search online.
This chapter contains the following sections:
• Technology Overview, page 23
• Transparent and SRT Bridging Configuration Task List, page 28
• Tuning the Transparently Bridged Network, page 60
• Monitoring and Maintaining the Transparent Bridge Network, page 62
• Transparent and SRT Bridging Configuration Examples, page 62
Technology Overview
The following sections provide an overview of transparent bridging in the Cisco IOS software:
• Transparent and SRT Bridging, page 23
• Transparent Bridging Features, page 24
• Integrated Routing and Bridging, page 24
• SRT Bridging Features, page 27
Transparent and SRT Bridging
Cisco IOS software supports transparent bridging for Ethernet, Fiber Distributed Data Interface (FDDI),
and serial media, and supports source-route transparent (SRT) bridging for Token Ring media. In
addition, Cisco supports all the mandatory Management Information Base (MIB) variables specified for
transparent bridging in RFC 1286.
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-23
Technology Overview
Transparent Bridging Features
Cisco’s transparent bridging software implementation has the following features:
• Complies with the IEEE 802.1D standard.
• Provides the ability to logically segment a transparently bridged network into virtual LANs.
• Provides two Spanning-Tree Protocols—an older bridge protocol data unit (BPDU) format that is
compatible with Digital Equipment Corporation (DEC) and other LAN bridges for backward
compatibility and the IEEE standard BPDU format. In addition to features standard with these
spanning-tree protocols, Cisco’s proprietary software provides for multiple domains for spanning
trees. The spanning-tree parameters are configurable.
• Allows frame filtering based on Media Access Control (MAC) address, protocol type, or the vendor
code. Additionally, the bridging software can be configured to selectively filter local-area transport
(LAT) multicast service announcements.
• Provides deterministic load distribution while maintaining a loop-free spanning tree.
• Provides the ability to bridge over Asynchronous Transfer Mode (ATM), dial-on-demand routing
(DDR), FDDI, Frame Relay, multiprotocol Link Access Procedure, Balanced (LAPB), Switched
Multimegabit Data Service (SMDS), and X.25 networks.
Configuring Transparent Bridging
• Provides concurrent routing and bridging, which is the ability to bridge a given protocol on some
interfaces in a router and concurrently route that protocol on other interfaces in the same router.
• Provides integrated routing and bridging, which is the ability to route a given protocol between
routed interfaces and bridge groups, or to route a given protocol between bridge groups.
• Provides fast-switched transparent bridging for Frame Relay encapsulated serial and High-Speed
Serial Interface (HSSI) interfaces, according to the format specified in RFC 1490.
• Provides fast-switched transparent bridging for the ATM interface on the Cisco 7000, Cisco 4500,
and Cisco 4000 series routers, according to the format specified in RFC 1483.
• Provides for compression of LAT frames to reduce LAT traffic through the network.
• Provides both bridging and routing of VLANs.
Cisco access servers and routers can be configured to serve as both multiprotocol routers and MAC-level
bridges, bridging any traffic that cannot otherwise be routed. For example, a router routing the Internet
Protocol (IP) can also bridge DEC’s LAT protocol or NetBIOS traffic.
Cisco routers also support remote bridging over synchronous serial lines. As with frames received on all
other media types, dynamic learning and configurable filtering applies to frames received on serial lines.
Transit bridging of Ethernet frames across FDDI media is also supported. The term transit refers to the
fact that the source or destination of the frame cannot be on the FDDI media itself. This allows FDDI to
act as a highly efficient backbone for the interconnection of many bridged networks. The configuration
of FDDI transit bridging is identical to the configuration of transparent bridging on all other media types.
Integrated Routing and Bridging
While concurrent routing and bridging makes it possible to both route and bridge a specific protocol on
separate interfaces within a router, the protocol is not switched between bridged and routed interfaces.
Routed traffic is confined to the routed interfaces; bridged traffic is confined to bridged interfaces. A
specified protocol may be either routed or bridged on a given interface, but not both.
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-24
Configuring Transparent Bridging
Integrated routing and bridging makes it possible to route a specific protocol between routed interfaces
and bridge groups, or route a specific protocol between bridge groups. Local or unroutable traffic can be
bridged among the bridged interfaces in the same bridge group, while routable traffic can be routed to
other routed interfaces or bridge groups. Figure 7 illustrates how integrated routing and bridging in a
router interconnects a bridged network with a routed network.
Figure 7 Integrated Routing and Bridging Interconnecting a Bridged Network with a Routed
Technology Overview
Network
You can configure the Cisco IOS software to route a specific protocol between routed interfaces and
bridge groups or to route a specific protocol between bridge groups. Specifically, local or unroutable
traffic is bridged among the bridged interfaces in the same bridge group, while routable traffic is routed
to other routed interfaces or bridge groups. Using integrated routing and bridging, you can do the
following:
• Switch packets from a bridged interface to a routed interface
• Switch packets from a routed interface to a bridged interface
• Switch packets within the same bridge group
Bridge-Group Virtual Interface
Because bridging operates in the data link layer and routing operates in the network layer, they follow
different protocol configuration models. Taking the basic IP model as an example, all bridged interfaces
would belong to the same network, while each routed interface represents a distinct network.
In integrated routing and bridging, the bridge-group virtual interface is introduced to avoid confusing
the protocol configuration model when a specific protocol is both bridged and routed in a bridge group.
Figure 8 illustrates the bridge-group virtual interface as a user-configured virtual interface residing
within a router.
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-25
Technology Overview
Configuring Transparent Bridging
Figure 8 Bridge-Group Virtual Interface in the Router
Routed
interface
Bridge group 1
E0
E1
E2
Bridged
interfaces
BVI 1
10.0.0.2
E3
10.0.0.1
S4757
The bridge-group virtual interface is a normal routed interface that does not support bridging, but does
represent its corresponding bridge group to the routed interface. It has all the network layer attributes
(such as a network layer address and filters) that apply to the corresponding bridge group. The interface
number assigned to this virtual interface corresponds to the bridge group that this virtual interface
represents. This number is the link between the virtual interface and the bridge group.
When you enable routing for a given protocol on the bridge-group virtual interface, packets coming from
a routed interface, but destined for a host in a bridged domain, are routed to the bridge-group virtual
interface and are forwarded to the corresponding bridged interface. All traffic routed to the bridge-group
virtual interface is forwarded to the corresponding bridge group as bridged traffic. All routable traffic
received on a bridged interface is routed to other routed interfaces as if it is coming directly from the
bridge-group virtual interface.
To receive routable packets arriving on a bridged interface but destined for a routed interface or to
receive routed packets, the bridge-group virtual interface must also have the appropriate addresses. MAC
addresses and network addresses are assigned to the bridge-group virtual interface as follows:
• The bridge-group virtual interface “borrows” the MAC address of one of the bridged interfaces in
the bridge group associated with the bridge-group virtual interface.
• To route and bridge a given protocol in the same bridge group, you must configure the network layer
attributes of the protocol on the bridge-group virtual interface. No protocol attributes should be
configured on the bridged interfaces, and no bridging attributes can be configured on the
bridge-group virtual interface.
Note When a bridged domain contains learning devices (such as switches or bridges) that can learn the
MAC address of a bridge-group virtual interface, the virtual interface must be configured with its
own MAC address—separate from the MAC addresses of the bridged interfaces in the bridge group
that are associated with the virtual interface. The MAC address is configured by using the
mac-address virtual interface command.
Because there can be only one bridge-group virtual interface representing a bridge group, and the bridge
group can be made up of different media types configured for several different encapsulation methods,
you may need to configure the bridge-group virtual interface with the particular encapsulation methods
required to switch packets correctly.
For example, the bridge-group virtual interface has default data link and network layer encapsulations
that are the same as those available on Ethernet interfaces, but you can configure the bridge-group virtual
interface with encapsulations that are not supported on an Ethernet interface. In some cases, the default
encapsulations provide appropriate results; in other cases they do not. For example, with default
encapsulation, Advanced Research Projects Agency (ARPA) packets from the bridge-group virtual
interface are translated to Subnetwork Access Protocol (SNAP) when bridging IP to a Token Ring- or
BC-26
Cisco IOS Bridging and IBM Networking Configuration Guide
Configuring Transparent Bridging
FDDI-bridged interface. But for Internet Packet Exchange (IPX), Novell-ether encapsulation from the
bridge-group virtual interface is translated to raw-token or raw-FDDI when bridging IPX to a Token
Ring- or FDDI-bridged interface. Because this behavior is usually not what you want, you must
configure IPX SNAP or Service Advertisement Protocol (SAP) encapsulation on the bridge-group
virtual interface.
Other Considerations
The following are additional facts regarding the support of integrated routing and bridging:
• Integrated routing and bridging is not supported on cBus platforms (AGS+ and Cisco 7000 series).
• Integrated routing and bridging is supported for transparent bridging, but not for source-route
• Integrated routing and bridging is supported on all media interfaces except X.25 and Integrated
• Integrated routing and bridging supports three protocols: IP, IPX, and AppleTalk in both
• Integrated routing and bridging and concurrent routing and bridging cannot operate at the same time.
• With integrated routing and bridging configured, associate Layer-3 attributes only on the
Technology Overview
bridging (SRB).
Services Digital Network (ISDN) bridged interfaces.
fast-switching and process-switching modes.
bridge-group virtual interface and not on the bridging interfaces. Having IP addresses both on the
bridge-group virtual interface and on the bridging interfaces is known to produce inconsistent
behavior.
SRT Bridging Features
Cisco routers support transparent bridging on Token Ring interfaces that support SRT bridging. Both
transparent and SRT bridging are supported on all Token Ring interface cards that can be configured for
either 4- or 16-MB transmission speeds.
As with other media, all the features that use bridge-group commands can be used on Token Ring
interfaces. As with other interface types, the bridge group can be configured to run either the IEEE or
DEC Spanning-Tree Protocols. When configured for the IEEE Spanning-Tree Protocol, the bridge
cooperates with other SRT bridges and constructs a loop-free topology across the entire extended LAN.
You can also run the DEC Spanning-Tree Protocol over Token Ring. Use it when you have other
non-IEEE bridges on other media and you do not have any SRT bridges on Token Ring. In this
configuration, all the Token Ring transparent bridges must be Cisco routers. This is because the DEC
Spanning-Tree Protocol has not been standardized on Token Ring.
As specified by the SRT bridging specification, only packets without a routing information field (RIF)
(RII = 0 in the SA field) are transparently bridged. Packets with a RIF (RII = 1) are passed to the SRB
module for handling. An SRT-capable Token Ring interface can have both SRB and transparent bridging
enabled at the same time. However, with SRT bridging, frames that did not have a RIF when they were
produced by their generating host never gain a RIF, and frames that did have a RIF when they were
produced never lose that RIF.
Note Because bridges running only SRT bridging never add or remove RIFs from frames, they
do not integrate SRB with transparent bridging. A host connected to a source-route bridge
that expects RIFs can never communicate with a device across a bridge that does not
understand RIFs. SRT bridging cannot tie in existing source-route bridges to a transparent
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-27
Transparent and SRT Bridging Configuration Task List
bridged network. To tie in existing bridges, you must use source-route translational
bridging (SR/TLB) instead. SR/TLB is described in the chapter “Configuring
Source-Route Bridging.”
Bridging between Token Ring and other media requires certain packet transformations. In all cases, the
MAC addresses are bit-swapped because the bit ordering on Token Ring is different from that on other
media. In addition, Token Ring supports one packet format, logical link control (LLC), while Ethernet
supports two formats (LLC and Ethernet).
The transformation of LLC frames between media is simple. A length field is either created (when the
frame is transmitted to non-Token Ring) or removed (when the frame is transmitted to Token Ring).
When an Ethernet format frame is transmitted to Token Ring, the frame is translated into an LLC-1
SNAP packet. The destination service access point (DSAP) value is AA, the source service access point
(SSAP) value is AA, and the organizational unique identifier (OUI) value is 0000F8. Likewise, when a
packet in LLC-1 format is bridged onto Ethernet media, the packet is translated into Ethernet format.
Caution Bridging between dissimilar media presents several problems that can prevent
communication from occurring. These problems include bit order translation (or using
MAC addresses as data), maximum transmission unit (MTU) differences, frame status
differences, and multicast address usage. Some or all these problems might be present in a
multimedia bridged LAN. Because of differences in the way end nodes implement Token
Ring, these problems are most prevalent when bridging between Token Ring and Ethernet
or between Ethernet and FDDI LANs.
Configuring Transparent Bridging
Problems currently occur with the following protocols when bridged between Token Ring and other
media: Novell IPX, DECnet Phase IV, AppleTalk, Banyan VINES, Xerox Network Systems (XNS), and
IP. Further, problems can occur with the Novell IPX and XNS protocols when bridged between FDDI
and other media. We recommend that these protocols be routed whenever possible.
Transparent and SRT Bridging Configuration Task List
To configure transparent bridging or SRT bridging on your router, complete one or more of the tasks in
the following sections:
• Configuring Transparent Bridging and SRT Bridging, page 29
• Transparently Bridged VLANs for ISL, page 30
• Routing between ISL VLANs, page 32
• Configuring a Subscriber Bridge Group, page 34
• Configuring Transparent Bridging over WANs, page 34
• Configuring Concurrent Routing and Bridging, page 39
• Configuring Integrated Routing and Bridging, page 39
• Configuring Transparent Bridging Options, page 42
• Filtering Transparently Bridged Packets, page 45
• Adjusting Spanning-Tree Parameters, page 52
BC-28
• Configuring Transparent and IRB Bridging on a PA-12E/2FE Ethernet Switch, page 55
Cisco IOS Bridging and IBM Networking Configuration Guide
Configuring Transparent Bridging
Transparent and SRT Bridging Configuration Task List
Configuring Transparent Bridging and SRT Bridging
To configure transparent and SRT bridging, you must perform the following tasks:
• Assigning a Bridge Group Number and Defining the Spanning-Tree Protocol
• Assigning Each Network Interface to a Bridge Group
• Choosing the OUI for Ethernet Type II Frames
Assigning a Bridge Group Number and Defining the Spanning-Tree Protocol
The first step in setting up your transparent bridging network is to define a Spanning-Tree Protocol and
assign a bridge group number. You can choose either the IEEE 802.1D Spanning-Tree Protocol, the
earlier DEC protocol upon which this IEEE standard is based or VLAN bridge Spanning Tree Protocol.
Cisco expanded the original 802.1 D Spanning-Tree Protocol in Cisco IOS Release 12.1 by providing
VLAN bridge Spanning-Tree Protocol support and increased port identification capability. Furthermore,
the enhancement provides:
• More than one byte on a port number to distinguish interfaces
• An improved way to form the port ID
Port Number size of the Port ID support is applied only to IEEE and VLAN-bridge Spanning-Tree
Protocols. The DEC protocol only has 8 bits on the Port ID, so the extension of the Port ID cannot be
applied.
The expansion of the Port Number field into the port priority portion of the Port ID changes the useful
values the port priority can be assigned.
The way to calculate the Port Path Cost is only supported in IEEE and VLAN-bridge Spanning-Tree
Protocol environment.
To assign a bridge group number and define a Spanning-Tree Protocol, use the following command in
global configuration mode:
Command Purpose
bridge bridge-group protocol {ieee | dec |
vlan-bridge}
Assigns a bridge group number and defines a Spanning-Tree Protocol
as IEEE 802.1D standard, DEC or VLAN bridge.
The IEEE 802.1D Spanning-Tree Protocol is the preferred way of running the bridge. Use the DEC
Spanning-Tree Protocol only for backward compatibility. The VLAN-bridge Spanning-Tree Protocol,
introduced in Cisco IOS Release 12.1, supports the following media: Ethernet, fast Ethernet, FDDI,
ATM and serial (HDLC, PPP, Frame Relay IETF, SMDS, x25).
Assigning Each Network Interface to a Bridge Group
A bridge group is an internal organization of network interfaces on a router. Bridge groups cannot be
used outside the router on which it is defined to identify traffic switched within the bridge group. Bridge
groups within the same router function as distinct bridges; that is, bridged traffic and bridge protocol
data units (BPDUs cannot be exchanged between different bridge groups on a router. Furthermore,
bridge groups cannot be used to multiplex or de-multiplex different streams of bridged traffic on a LAN.
An interface can be a member of only one bridge group. Use a bridge group for each separately bridged
(topologically distinct) network connected to the router. Typically, only one such network exists in a
configuration.
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-29
Transparent and SRT Bridging Configuration Task List
The purpose of placing network interfaces into a bridge group is twofold:
• To bridge all nonrouted traffic among the network interfaces making up the bridge group. If the
packet’s destination address is known in the bridge table, it is forwarded on a single interface in the
bridge group. If the packet’s destination is unknown in the bridge table, it is flooded on all
forwarding interfaces in the bridge group. The bridge places source addresses in the bridge table as
it learns them during the process of bridging.
• To participate in the spanning-tree algorithm by receiving, and in some cases transmitting, BPDUs
on the LANs to which they are attached. A separate spanning process runs for each configured
bridge group. Each bridge group participates in a separate spanning tree. A bridge group establishes
a spanning tree based on the BPDUs it receives on only its member interfaces.
For SRT bridging, if the Token Ring and serial interfaces are in the same bridge group, changing the
serial encapsulation method causes the state of the corresponding Token Ring interface to be
reinitialized. Its state will change from “up” to “initializing” to “up” again within a few seconds.
After you assign a bridge group number and define a Spanning-Tree Protocol, assign each network
interface to a bridge group by using the following command in interface configuration mode:
Command Purpose
bridge-group bridge-group
Assigns a network interface to a bridge group.
Configuring Transparent Bridging
Choosing the OUI for Ethernet Type II Frames
For SRT bridging networks, you must choose the organizational unique identifier (OUI) code that will
be used in the encapsulation of Ethernet Type II frames across Token Ring backbone networks. To
choose the OUI, use the following command in interface configuration mode:
Command Purpose
ethernet-transit-oui [90-compatible |
standard | cisco]
Selects the Ethernet Type II OUI encapsulation code.
Transparently Bridged VLANs for ISL
Traditionally, a bridge group is an independently bridged subnetwork. In this definition, bridge groups
cannot exchange traffic with other bridge groups, nor can they multiplex or de-multiplex different
streams of bridged traffic. The transparently bridged VLAN feature in Cisco IOS software permits a
bridge group to extend outside the router to identify traffic switched within the bridge group.
While bridge groups remain internal organizations of network interfaces functioning as distinct bridges
within a router, transparent bridging on subinterfaces permits bridge groups to be used to multiplex
different streams of bridged traffic on a LAN or HDLC serial interface. In this way, bridged traffic may
be switched out of one bridge group on one router, multiplexed across a subinterface, and demultiplexed
into a second bridge group on a second router. Together, the first bridge group and the second bridge
group form a transparently bridged VLAN. This approach can be extended to impose logical topologies
upon transparently bridged networks.
BC-30
Cisco IOS Bridging and IBM Networking Configuration Guide
Configuring Transparent Bridging
The primary application of transparently bridged VLANs constructed in this way is to separate traffic
between bridge groups of local network interfaces, to multiplex bridged traffic from several bridge
groups on a shared interface (LAN or HDLC serial), and to form VLANs composed of collections of
bridge groups on several routers. These VLANs improve performance because they reduce the
propagation of locally bridged traffic, and they improve security benefits because they completely
separate traffic.
In Figure 9, different bridge groups on different routers are configured into three VLANs that span the
bridged network. Each bridge group consists of conventionally bridged local interfaces and a
subinterface on the backbone FDDI LAN. Bridged traffic on the subinterface is encapsulated and
“colored” with a VLAN identifier known as a security association identifier common to all bridge
groups participating in the VLAN. In addition, bridges only accept packets bearing security association
identifiers for which they have a configured subinterface. Thus, a bridge group is configured to
participate in a VLAN if it contains a subinterface configured with the VLAN’s characteristic security
association identifier. See the “Complex Integrated Routing and Bridging Example” section on page 66
for an example configuration of the topology shown in Figure 9.
Note The 802.10 encapsulation used to “color” transparently bridged packets on subinterfaces
might increase the size of a packet so that it exceeds the MTU size of the LAN from which
the packet originated. To avoid MTU violations on the shared network, the originating
LANs must either have a smaller native MTU than the shared network (as is the case from
Ethernet to FDDI), or the MTU on all packet sources on the originating LAN must be
configured to be at least 16 bytes less than the MTU of the shared network.
Transparent and SRT Bridging Configuration Task List
Figure 9 Transparently Bridged VLANs on an FDDI Backbone
Bridge
group 18
"Striped"
packets
Router 1 Router 2
Shared network
Bridge
group 54
"Dot"
packets
"Striped"
packets
Bridge
group 1
"Sliced"
packets
Bridge
group 3
"Sliced"
packets
"Dot"
packets
Bridge
group 7
"Sliced"
packets
"Sliced"
packets
Bridge
group 6
"Striped"
packets
Bridge
group 8
"Dot"
packets
Router 3
S3228
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-31
Transparent and SRT Bridging Configuration Task List
To configure a VLAN on a transparently bridged network, use the following commands beginning in
global configuration mode:
Command Purpose
Step 1
Step 2
Step 3
interface type
slot/port.subinterface-number
encapsulation sde said
bridge-group bridge-group
Transparently bridged VLANs are supported in conjunction with only the IEEE Spanning-Tree Protocol.
When you logically segment a transparently bridged network into VLANs, each VLAN computes its
own spanning-tree topology. Configuring each VLAN to compute its own spanning-tree topology
provides much greater stability than running a single spanning tree throughout. Traffic bridged within
one VLAN is unaffected by physical topology changes occurring within another VLAN.
Note The current implementation of SDE encapsulation is not recommended for serial or
Ethernet media.
Configuring Transparent Bridging
Specifies a subinterface.
Specifies the IEEE 802.10 Security data exchange security association
identifier (in other words, specifies the “color”).
Associates the subinterface with an existing bridge group.
Routing between ISL VLANs
Our VLAN Routing implementation is designed to operate across all router platforms. However, the
Inter-Switch Link (ISL) VLAN trunking protocol currently is defined on 100 BaseTX/FX Fast Ethernet
interfaces only and therefore is appropriate to the Cisco 7000 and higher-end platforms only. The IEEE
802.10 protocol can run over any LAN or HDLC serial interface. VLAN traffic is fast switched. The
actual format of these VLAN encapsulations are detailed in the IEEE Standard 802.10-1992 Secure Data
Exchange and in the Inter-Switch Link (ISL) Protocol Specification.
Our VLAN Routing implementation treats the ISL and 802.10 protocols as encapsulation types. On a
physical router interface that receives and transmits VLAN packets, you can select an arbitrary
subinterface and map it to the particular VLAN “color” embedded within the VLAN header. This
mapping allows you to selectively control how LAN traffic is routed or switched outside of its own
VLAN domain. In the VLAN routing paradigm, a switched VLAN corresponds to a single routed subnet,
and the network address is assigned to the subinterface.
To route a received VLAN packet the Cisco IOS software VLAN switching code first extracts the VLAN
ID from the packet header (this is a 10-bit field in the case of ISL and a 4-byte entity known as the
security association identifier in the case of IEEE 802.10), then demultiplexes the VLAN ID value into
a subinterface of the receiving port. If the VLAN color does not resolve to a subinterface, the Cisco IOS
software can transparently bridge the foreign packet natively (without modifying the VLAN header) on
the condition that the Cisco IOS software is configured to bridge on the subinterface itself. For VLAN
packets that bear an ID corresponding to a configured subinterface, received packets are then classified
by protocol type before running the appropriate protocol specific fast switching engine. If the
subinterface is assigned to a bridge group then non-routed packets are de-encapsulated before they are
bridged. This is termed “fall-back bridging” and is most appropriate for nonroutable traffic types.
BC-32
In Figure 10, Router A provides inter-VLAN connectivity between multiple Cisco switching platforms
where there are three distinct virtual topologies present. For example, for VLAN 300 across the two
Catalyst 1200A segments, traffic originating on LAN interface 1 is “tagged” with a VLAN ID of 300 as
it is switched onto the FDDI ring. This ID allows the remote Catalyst 1200A to make an intelligent
Cisco IOS Bridging and IBM Networking Configuration Guide
Configuring Transparent Bridging
forwarding decision and only switch the traffic to local interfaces configured as belonging to the same
VLAN broadcast domain. Router A provides an inter-VLAN mechanism that lets Router A function as
a gateway for stations on a given LAN segment by transmitting VLAN encapsulated traffic to and from
other switched VLAN domains or simply transmitting traffic in native (non-VLAN) format.
Figure 10 Inter-VLAN Connectivity between Multiple Switching Platforms
Transparent and SRT Bridging Configuration Task List
VLAN100
1
VLAN200
2
VLAN300
3
Catalyst 1200A Catalyst 1200B
100BT ISL
VLAN400 VLAN500 VLAN400 VLAN500
802.10 FDDI VLAN
Backbone
Router A
2/1
1/1
3/1
100BT ISL
VLAN400 VLAN600
Wide area link
ProStack
Mainframe
VLAN100
VLAN200
VLAN300
S3902
1
2
3
Figure 10 illustrates the following scenarios:
• Clients on VLAN 300 want to establish sessions with a server attached to a port in a different VLAN
(600). In this scenario, packets originating on LAN interface 3 of the Catalyst 1200B switch are
tagged with an 802.10 header with a security association identifier of 300 as they are forwarded onto
the FDDI ring. Router A can accept these packets because it is configured to route VLAN 300,
classify and make a layer 3 forwarding decision based on the destination network address and the
route out (in this case Fast Ethernet 3/1), and adding the ISL VLAN header (color 200) appropriate
to the destination subnet as the traffic is switched.
Step 1
Step 2
Step 3
• There is a network requirement to bridge two VLANs together through the system rather than
selectively route certain protocols. In this scenario the two VLAN IDs are placed in the same bridge
group. Note that they form a single broadcast domain and spanning tree, effectively forming a single
VLAN.
See the “Routing between VLANs Configuration Example” section on page 70 for an example
configuration of the topology shown in Figure 10.
To configure bridging between VLANs, enter the following commands, beginning in interface
configuration mode:
Command Purpose
interface type
slot/port.subinterface-number
encapsulation {sde | isl} domain
Specifies a subinterface.
Specifies the encapsulation type (either ISL or SDE) and associates the
subinterface with the VLAN.
bridge-group bridge-group
Enables bridged traffic between the subinterface and other interfaces in
the same bridge group.
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-33
Transparent and SRT Bridging Configuration Task List
Configuring a Subscriber Bridge Group
The Digital Subscriber Line (xDSL) bridge support feature enables you to configure a router for
intelligent bridge flooding for xDSL and other bridge applications. To configure a subscriber bridge
group, use the following commands, beginning in global configuration mode:
Command Purpose
Step 1
Step 2
Step 3
Step 4
Step 5
bridge bridge-group protocol {ieee |
dec | vlan-bridge}
bridge bridge-group subscriber-policy
policy
subscriber-policy policy [[no]
[default] packet [permit] [deny]]
interface type number
bridge-group bridge-group
[subscriber-trunk]
Defines the bridge Spanning-Tree Protocol.
Defines a subscriber bridge group and specifies the subscriber policy
for the group.
Defines or modifies the forward and filter decisions of the subscriber
policy.
Configures a subinterface.
Assigns a subscriber bridge group and indicates whether the
interface is upstream or downstream from the traffic flow.
Configuring Transparent Bridging
Note Standard access lists can coexist with the subscriber policy. However, subscriber policy
will take precedence over the access list by being checked first. A packet permitted by the
subscriber policy will be checked against the access list if it is specified. A packet denied
by subscriber policy will be dropped with no further access list checking.
Configuring Transparent Bridging over WANs
You can configure transparent bridging over a variety of networks, as described in the following sections:
• Configuring Fast-Switched Transparent Bridging over ATM, page 34
• Configuring Transparent Bridging over DDR, page 35
• Configuring Transparent Bridging over Frame Relay, page 36
• Configuring Transparent Bridging over Multiprotocol LAPB, page 37
• Configuring Transparent Bridging over SMDS, page 38
• Configuring Transparent Bridging over X.25, page 38
Configuring Fast-Switched Transparent Bridging over ATM
Our bridging implementation supports IEEE 802.3 frame formats and IEEE 802.10 frame formats. Our
implementation can transparently bridge ARPA style Ethernet packets (also known as Ethernet version
2).
Fast-switched transparent bridging over Asynchronous Transfer Mode (ATM) supports AAL5-SNAP
encapsulated packets only. All bridged AAL5-SNAP encapsulated packets are fast switched.
Fast-switched transparent bridging supports Ethernet, FDDI, and Token Ring packets sent in
AAL5-SNAP encapsulation over ATM. See the section “Fast-Switched Transparent Bridging over ATM
Example (Cisco 7000)” for an example configuration of fast-switched transparent bridging over ATM.
BC-34
Cisco IOS Bridging and IBM Networking Configuration Guide
Configuring Transparent Bridging
Support for RFC 1483 was added in Cisco IOS Release 12.0(3)T, enabling transparent bridging between
Token Ring LANs (using AAL5-SNAP PVCs) and LANs, VLANs or ELANS (using bridged PDUs).
RFC 1483 defines an encapsulation type for transferring LAN data via ATM networks.
For more information on configuring ATM, refer to the “Configuring ATM” chapter in the Cisco IOS
Wide-Area Networking Configuration Guide.
Configuring Transparent Bridging over DDR
The Cisco IOS software supports transparent bridging over dial-on-demand routing (DDR) and provides
you some flexibility in controlling access and configuring the interface.
To configure DDR for bridging, complete the tasks in the following sections:
• Defining the Protocols to Bridge
• Specifying the Bridging Protocol
• Determining Access for Bridging
• Configuring an Interface for Bridging
For an example of configuring transparent bridging over DDR, see the section “Transparent Bridging
over DDR Examples” section.
Transparent and SRT Bridging Configuration Task List
Defining the Protocols to Bridge
IP packets are routed by default unless they are explicitly bridged; all others are bridged by default unless
they are explicitly routed.
To bridge IP packets, use the following command in global configuration mode:
Command Purpose
no ip routing
Disables IP routing.
If you choose not to bridge another protocol, use the relevant command to enable routing of that protocol.
For more information about tasks and commands, refer to the relevant protocol chapters in the following
publications:
• Cisco IOS IP and IP Routing Configuration Guide
• Cisco IOS AppleTalk and Novell IPX Configuration Guide
• Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide
Specifying the Bridging Protocol
You must specify the type of spanning-tree bridging protocol to use and also identify a bridge group. To
specify the Spanning-Tree Protocol and a bridge group number, use the following command in global
configuration mode:
Command Purpose
bridge bridge-group protocol {ieee | dec |
vlan-bridge}
Defines the type of spanning tree protocol and identify a bridge group.
The bridge-group number is used when you configure the interface and assign it to a bridge group.
Packets are bridged only among members of the same bridge group.
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-35
Transparent and SRT Bridging Configuration Task List
Determining Access for Bridging
You can determine access by either permitting all bridge packets or by controlling access according to
Ethernet type codes.
To permit all transparent bridge packets, use the following command in global configuration mode:
Command Purpose
dialer-list dialer-group protocol bridge
permit
Defines a dialer list that permits all transparent bridge packets.
To control access by Ethernet type codes, use the following commands in global configuration mode:
Command Purpose
Step 1
Step 2
access-list access-list-number
{permit | deny} type-code [mask]
dialer-list dialer-group protocol
bridge list access-list-number
Permits packets according to Ethernet type codes (access list numbers
must be in the range 200 to 299).
Defines a dialer list for the specified access list.
Configuring Transparent Bridging
For a table of some common Ethernet types codes, see the “Ethernet Types Codes” appendix in the
Cisco IOS Bridging and IBM Networking Command Reference, Volume I.
Configuring an Interface for Bridging
You can configure serial interfaces or ISDN interfaces for DDR bridging. To configure an interface for
DDR bridging, use the following commands beginning in global configuration mode:
Command Purpose
Step 1
interface type number
Specifies the serial or ISDN interface and enter interface
configuration mode.
Step 2
Step 3
dialer string dial-string
dialer map bridge [name
[broadcast]dial-string[:isdn-subaddress]
bridge-group bridge-group
hostname]
Configures the dial string to call.
or
Configures a dialer bridge map.
Assigns the specified interface to a bridge group.
Configuring Transparent Bridging over Frame Relay
The transparent bridging software supports bridging of packets over Frame Relay networks. This ability
is useful for such tasks as transmitting packets from proprietary protocols across a Frame Relay network.
Bridging over a Frame Relay network is supported both on networks that support a multicast facility and
those that do not. Both cases are described in this section.
BC-36
Fast-Switched Transparent Bridging
The transparent bridging software provides fast-switched transparent bridging for Frame Relay
encapsulated serial and High-Speed Serial Interface (HSSI) networks.
Switched virtual circuits (SVCs) are not supported for transparent bridging in this release. All the
Permanent virtual circuits (PVCs) configured on a subinterface must belong to the same bridge group.
Cisco IOS Bridging and IBM Networking Configuration Guide
Configuring Transparent Bridging
Bridging in a Frame Relay Network with No Multicasts
The Frame Relay bridging software uses the same spanning-tree algorithm as the other bridging
functions, but allows packets to be encapsulated for transmission across a Frame Relay network. You
specify IP-to-data-link connection identifier (DLCI) address mapping and the system maintains a table
of both the Ethernet address and the DLCIs.
To configure bridging in a network that does not support a multicast facility, define the mapping between
an address and the DLCI used to connect to the address. To bridge with no multicasts, use the following
command in interface configuration mode:
Command Purpose
frame-relay map bridge dlci broadcast
Defines the mapping between an address and the DLCI used to
connect to the address.
An example configuration is provided in the section “Frame Relay Transparent Bridging Examples” at
the end of this chapter. Frame Relay is discussed in more detail in the “Configuring Frame Relay”
chapter in the Cisco IOS Wide-Area Networking Configuration Guide.
Bridging in a Frame Relay Network with Multicasts
The multicast facility is used to learn about the other bridges on the network, eliminating the need for
you to specify any mappings with the frame-relay map bridge broadcast command. An example
configuration is provided in the section “Frame Relay Transparent Bridging Examples” at the end of the
chapter for use as a configuration guide. Frame Relay is discussed in more detail in the “Configuring
Frame Relay” chapter in the Cisco IOS Wide-Area Networking Configuration Guide.
Transparent and SRT Bridging Configuration Task List
Configuring Transparent Bridging over Multiprotocol LAPB
Cisco IOS software implements transparent bridging over multiprotocol Link Access Protocol-Balanced
(LAPB) encapsulation on serial interfaces. To configure transparent bridging over multiprotocol LAPB,
use the following commands beginning in global configuration mode:
Command Purpose
Step 1
Step 2
Step 3
Step 4
Step 5
interface serial number
no ip address
encapsulation lapb multi
bridge-group bridge-group
bridge bridge-group protocol {ieee | dec | vlan-bridge}
Note Transparent bridging over multiprotocol LAPB requires use of the encapsulation lapb
multi command. You cannot use the encapsulation lapb
keyword to configure this feature.
For an example of configuring transparent bridging over multiprotocol LAPB, see the
“Transparent Bridging over Multiprotocol LAPB Example” section on page 76”.
Specifies the serial interface.
Specifies no IP address to the interface.
Configures multiprotocol LAPB encapsulation.
Assigns the interface to a bridge group.
Specifies the type of Spanning-Tree Protocol.
protocol command with a bridge
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-37
Transparent and SRT Bridging Configuration Task List
Configuring Transparent Bridging over SMDS
We support fast-switched transparent bridging for Switched Multimegabit Data Service (SMDS)
encapsulated serial and HSSI networks. Standard bridging commands are used to enable bridging on an
SMDS interface.
To enable transparent bridging over SMDS, use the following commands beginning in global
configuration mode:
Command Purpose
Step 1
Step 2
Step 3
Step 4
interface serial number
encapsulation smds
bridge-group bridge-group
smds multicast bridge smds-address
Broadcast Address Resolution Protocol (ARP) packets are treated differently in transparent bridging
over an SMDS network than in other encapsulation methods. For SMDS, two packets are sent to the
multicast address. One is sent using a standard (SMDS) ARP encapsulation; the other is sent with the
ARP packet encapsulated in an 802.3 MAC header. The native ARP is sent as a regular ARP broadcast.
Our implementation of IEEE 802.6i transparent bridging for SMDS supports 802.3, 802.5, and FDDI
frame formats. The router can accept frames with or without frame check sequence (FCS). Fast-switched
transparent bridging is the default and is not configurable. If a packet cannot be fast switched, it is
process switched.
An example configuration is provided in the section “Fast-Switched Transparent Bridging over SMDS
Example” later in this chapter. For more information on SMDS, refer to the “Configuring SMDS”
chapter in the Cisco IOS Wide-Area Networking Configuration Guide.
Specifies the serial interface.
Configures SMDS encapsulation on the serial interface.
Associates the interface with a bridge group.
Enables transparent bridging of packets across an SMDS network.
Configuring Transparent Bridging
Configuring Transparent Bridging over X.25
The transparent bridging software supports bridging of packets in X.25 frames. This ability is useful for
such tasks as transmitting packets from proprietary protocols across an X.25 network.
The X.25 bridging software uses the same spanning-tree algorithm as the other bridging functions, but
allows packets to be encapsulated in X.25 frames and transmitted across X.25 media. You specify the
IP-to-X.121 address mapping, and the system maintains a table of both the Ethernet and X.121
addresses. To configure X.25 transparent bridging, use the following command in interface
configuration mode:
Command Purpose
x25 map bridge x.121-address broadcast
[options-keywords]
For more information about configuring X.25, refer to the “Configuring X.25 and LAPB” chapter in the
Cisco IOS Wide-Area Networking Configuration Guide.
Specifies IP-to-X.121 mapping.
BC-38
Cisco IOS Bridging and IBM Networking Configuration Guide
Configuring Transparent Bridging
Configuring Concurrent Routing and Bridging
You can configure the Cisco IOS software to route a given protocol among one group of interfaces and
concurrently bridge that protocol among a separate group of interfaces, all within one router. The given
protocol is not switched between the two groups. Rather, routed traffic is confined to the routed
interfaces and bridged traffic is confined to the bridged interfaces. A protocol may be either routed or
bridged on a given interface, but not both.
The concurrent routing and bridging capability is, by default, disabled. While concurrent routing and
bridging is disabled, the Cisco IOS software absorbs and discards bridgeable packets in protocols that
are configured for routing on any interface in the router.
When concurrent routing and bridging is first enabled in the presence of existing bridge groups, it will
generate a bridge route configuration command for any protocol for which any interface in the bridge
group is configured for routing. This is a precaution that applies only when concurrent routing and
bridging is not already enabled, bridge groups exist, and the bridge crb command is encountered.
To enable concurrent routing and bridging in the Cisco IOS software, use the following command in
global configuration mode:
Command Purpose
bridge crb
Enables concurrent routing and bridging.
Transparent and SRT Bridging Configuration Task List
Information about which protocols are routed and which are bridged is stored in a table, which can be
displayed with the show interfaces crb privileged EXEC command.
When concurrent routing and bridging has been enabled, you must configure an explicit bridge route
command for any protocol that is to be routed on the interfaces in a bridge group in addition to any
required protocol-specific interface configuration.
To configure specific protocols to be routed in a bridge group, use the following command in interface
configuration mode:
Command Purpose
bridge bridge-group route protocol
Specifies a protocol to be routed on a bridge group.
Configuring Integrated Routing and Bridging
Perform one or more of the following tasks to configure integrated routing and bridging on your router:
• Assigning a Bridge Group Number and Defining the Spanning-Tree Protocol
• Configuring Interfaces
• Enabling Integrated Routing and Bridging
• Configuring the Bridge-Group Virtual Interface
• Configuring Protocols for Routing or Bridging
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-39
Transparent and SRT Bridging Configuration Task List
Assigning a Bridge Group Number and Defining the Spanning-Tree Protocol
Prior to configuring the router for integrated routing and bridging, you must enable bridging by setting
up a bridge group number and specifying a Spanning-Tree Protocol. You can choose either the IEEE
802.1D Spanning-Tree Protocol or the earlier Digital protocol upon which this IEEE standard is based.
To assign a bridge group number and define a spanning tree protocol, use the following command in
global configuration mode:
Command Purpose
bridge bridge-group protocol {ieee | dec |
vlan-bridge}
Assigns a bridge group number and defines a Spanning-Tree Protocol.
The IEEE 802.1D Spanning-Tree Protocol is the preferred way of running the bridge. Use the Digital
Spanning-Tree Protocol only for backward compatibility.
Configuring Interfaces
To configure a router interface in the Cisco IOS software, use the following commands beginning in
global configuration mode:
Configuring Transparent Bridging
Command Purpose
Step 1
Step 2
Step 3
interface type number
port
bridge-group bridge-group
Specifies the interface and enters interface configuration mode.
Specifies concentrator port operation.
Assigns bridge-groups to appropriate interfaces.
Enabling Integrated Routing and Bridging
After you have set up the interfaces in the router, you can enable integrated routing and bridging.
To enable integrated routing and bridging in the Cisco IOS software, use the following command in
global configuration mode:
Command Purpose
bridge irb
Enables integrated routing and bridging.
Use the show interfaces irb privileged EXEC command to display the protocols that a given bridged
interface can route to the other routed interface when the packet is routable, and to display the protocols
that a given bridged interface bridges.
Configuring the Bridge-Group Virtual Interface
The bridge-group virtual interface resides in the router. It acts like a normal routed interface that does
not support bridging, but represents the entire corresponding bridge group to routed interfaces within the
router. The bridge-group virtual interface is assigned the number of the bridge group that it represents.
The bridge-group virtual interface number is the link between the bridge-group virtual interface and its
bridge group. Because the bridge-group virtual interface is a virtual routed interface, it has all the
network layer attributes, such as a network address and the ability to perform filtering. Only one
bridge-group virtual interface is supported for each bridge group.
BC-40
Cisco IOS Bridging and IBM Networking Configuration Guide
Configuring Transparent Bridging
When you enable routing for a given protocol on the bridge-group virtual interface, packets coming from
a routed interface but destined for a host in a bridged domain are routed to the bridge-group virtual
interface, and are forwarded to the corresponding bridged interface. All traffic routed to the bridge-group
virtual interface is forwarded to the corresponding bridge group as bridged traffic. All routable traffic
received on a bridged interface is routed to other routed interfaces as if it is coming directly from the
bridge-group virtual interface.
To create a bridge-group virtual interface, use the following command in interface configuration mode:
Command Purpose
interface bvi bridge-group
Enables a bridge-group virtual interface.
When you intend to bridge and route a given protocol in the same bridge group, you must configure the
network-layer attributes of the protocol on the bridge-group virtual interface. Do not configure protocol
attributes on the bridged interfaces. No bridging attributes can be configured on the bridge-group virtual
interface.
Although it is generally the case that all bridged segments belonging to a bridge group are represented
as a single segment or network to the routing protocol, there are situations where several individual
networks coexist within the same bridged segment. To make it possible for the routed domain to learn
about the other networks behind the bridge-group virtual interface, configure a secondary address on the
bridge-group virtual interface to add the corresponding network to the routing process.
Transparent and SRT Bridging Configuration Task List
Configuring Protocols for Routing or Bridging
When integrated routing and bridging is enabled, the default route/bridge behavior in a bridge group is
to bridge all packets.
You could then explicitly configure the bridge group to route a particular protocol, so that routable
packets of this protocol are routed, while nonroutable packets of this protocol or packets for protocols
for which the bridge group is not explicitly configured to route will be bridged.
You could also explicitly configure the bridge group so that it does not bridge a particular protocol, so
that routable packets of this protocol are routed when the bridge is explicitly configured to route this
protocol, and nonroutable packets are dropped because bridging is disabled for this protocol.
Note Packets of nonroutable protocols such as LAT are only bridged. You cannot disable
bridging for the nonroutable traffic.
To configure specific protocols to be routed or bridged in a bridge group, use one or more of the
following commands in global configuration mode:
Command Purpose
bridge bridge-group route protocol
no bridge bridge-group route protocol
bridge bridge-group bridge protocol
no bridge bridge-group bridge protocol
Specifies a protocol to be routed in a bridge group.
Specifies that a protocol is not to be routed in a bridge group.
Specifies that a protocol is to be bridged in the bridge group.
Specifies that a protocol is not to be bridged in the bridge group.
Cisco IOS Bridging and IBM Networking Configuration Guide
BC-41
Loading...