Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1077
Views
1
Helpful
5
Replies

Bridging interfaces on ISR4331

cadamwil
Level 1
Level 1

‎04-10-2023 09:50 AM - edited ‎04-10-2023 09:59 AM

Hello, I have a Cisco ISR4331 that is being used to route traffic from my ISP to my firewalls.  I am looking to use Gig0/0/1 and Gig0/0/2 for my firewall's WAN connections, and they are redundant firewalls.  Would the best configuration for this be something like

 

interface Gig0/0/1
service instance 399 ethernet
encapsulation dot1q 399
rewrite ingress tag pop 1 symmetric
bridge-domain 399


interface Gig0/0/2
service instance 399 ethernet
encapsulation dot1q 399
rewrite ingress tag pop 1 symmetric
bridge-domain 399


interface BDI399
ip address X.X.X.X 255.255.255.248
no shut

Am I leaving anything out that should be tweaked or is there a better way of doing this, aside from buying a switch module?

Labels:
5 Replies 5

MHM Cisco World
VIP
VIP

‎04-10-2023 10:20 AM - edited ‎04-11-2023 07:54 AM

you run ISR4331 with IOS-XE not IOS
so no need any ieee protocol 
but the interface connect to router effect the solution 
SW or FW it same
Case1 
SW1-ISR4k-SW2
if both SW1/2 use router ports as show below 

interface FastEthernet0/1

no switchport

ip address x.x.x.0

then the ISR config will be 

interface GigabitEthernet1/2/3

no ip address

negotiation auto

cdp enable

service instance 100 ethernet

encapsulation untagged

bridge-domain 100

!

interface to SW1 and to SW2

no ip address

negotiation auto

cdp enable

service instance 100 ethernet

encapsulation untagged

bridge-domain 100    
!

interface BDI100

ip address x.x.x.1 255.255.255.0

 

 

case2 
SW1-ISR4k-SW2
if both SW use VLAN to connect to ISR as show below 

interface FastEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk
!

interface Vlan100

ip address 10.1.1.1 255.255.255.0


then the ISR config will be 

interface to SW1 and to SW2

no ip address

negotiation auto

cdp enable

service instance 100 ethernet

encapsulation dot1q 100

rewrite ingress tag pop 1 symmetric

bridge-domain 100 


that it. Freind check and update me 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎04-10-2023 11:19 AM

rewrite ingress tag pop 1 symmetric  <<- do you have more VLAN to pass ? if not i would suggest to use simple config with below mentioned cisco example guide: 

Sure that should work as expected, make sure you have the latest stable code upgrade in case of any issues:

below document explains you :

https://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/200650-Understanding-Bridge-Virtual-Interface.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

cadamwil
Level 1
Level 1
In response to balaji.bandi

‎04-10-2023 12:24 PM

is ast equivalent to ieee spanning-tree protocol?  It seems IEEE is not supported on my version of IOS or I am missing something.

(config)#bridge 1 protocol ?
ast IBM protocol
dec DEC protocol
ibm IBM protocol
vlan-bridge vlan-bridge protocol

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to cadamwil

‎04-10-2023 02:21 PM

can you post show version from -ISR4331

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Georg Pauwen
VIP
VIP

‎04-10-2023 12:54 PM

Hello,

which firewalls (brand/type/model) do you have ? Can you post a schematic drawing of your (desired) topology ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card