08-11-2016 06:27 AM - edited 03-05-2019 04:29 AM
Hi all.
I have tried to do some bridging on an ASR1001-X with no luck so far.
I have done this many times before on ISR-G2 routers with great success, but now I have to do it on an ASR1001-X router.
The setup consists, in simple terms, of an ASR1001-X router with a WAN port (Gi0/0/2) toward the ISP backbone/MPLS and a LAN port (Gi0/0/1) toward an ASA5508X in untagged mode.
The router is already running several layer 3 circuits on the WAN port for several MPLS connections - and now I want to add one more VLAN on my WAN port for internet use - but I don't want my ASR1001-X to be exposed on the internet with a layer 3 IP address, so a layer 2 bridging seems to be the perfect solution for me.
So I now have one more VLAN on my WAN trunk port (Gi0/0/2) - and want to bridge all traffic from this WAN VLAN toward an untagged LAN port (Gi0/0/1) - and have the following config so far - but so far with no luck...
!
08-11-2016 07:50 AM
Hi,
I believe that the main reason why your configuration does not work is the lack of tag manipulation. You are receiving frames with VLAN50 on Gi0/0/2 but in order to forward them out Gi0/0/1, they need to be untagged - and vice versa.
Try this configuration instead - it uses a more recent configuration style which is going to be maintained in newer IOS-XE versions:
interface GigabitEthernet0/0/1
 service instance 50 ethernet
  encapsulation untagged
!
interface GigabitEthernet0/0/2
 service instance 50 ethernet
  encapsulation dot1q 50
  rewrite ingress tag pop 1 symmetric
!
bridge-domain 1
 member GigabitEthernet0/0/1 service-instance 50
 member GigabitEthernet0/0/2 service-instance 50
Best regards,
Peter
08-12-2016 12:05 AM
Hi Peter
Thanks a lot for the quick answer - I have now tested with your config - and bridging is now working - Perfect..!
Regards
Preben Knudsen
08-13-2016 12:50 AM
Hi Preben,
It has been a pleasure :)
Best regards,
Peter
02-27-2020 01:13 PM - edited 02-27-2020 01:14 PM
Hi Peter.. thanks for a great explanation...
I have a similar situation which is depicted below. We have a link that terminates WAN connection from our WAN provider from various offices and 3rd parties (using unique dot1q tags) on Gi0/0/0 (and Gi0/0/2 not shown here). I have created sub-interfaces for the office VLANs on the ASR Gi0/0/0 interface; however, for 3rd parties I would like Layer3 to terminate on the firewall and the ASR to serve as purely an L2 device.
For the purpose of understanding, let's assume the 3rd party VLAN in question is 1417
WAN -------(Gi0/0/0) ASR (Gi0/0/3)-------- (Access) SWITCH (802.1q Trunk)--------- Firewall
The switch access port will be in VLAN 1417 and the trunk b/w the switch and firewall will carry that VLAN too, with sub-interfaces created on the firewall as well
Can you please confirm if the above design is valid and if so also review the ASR configuration?
interface GigabitEthernet0/0/0
 service instance 1 ethernet
  encapsulation dot1q 1417
  rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/3
 service instance 1 ethernet
  encapsulation untagged
bridge-domain 1
 member GigabitEthernet0/0/0 service-instance 1
 member GigabitEthernet0/0/3 service-instance 1
06-13-2017 05:53 AM
Hello Peter
Do you have info on what versions of IOS-XE this applies to?
Is there a feature-set needed?
With an ASR1001-X, universal image 03.16.02.S.155-3.S2
there is no member command under the bridge-domain config section; the only avail options are :-
Bridge-domain mode commands:
  default   Set a command to its defaults
  exit      Leave the bridge-domain configuration submode
  ip        IP related commands
  mac       MAC Address related commands
  no        Negate a command or set its defaults
  shutdown  Take the bridge domain admin down
I am able to use the bridge-domain definition in the service-instance section, on each interface though.
My problem is a bit like the original poster, is that my 'outside' is a dot1q encap sub-interface from the carrier. (In the UK an Etherway bearer can carry multiple 'Etherflows', each one dot1q tagged from the carrier, and I need to bridge one).
Under the sub-interface you cannot select either the service-instance, or the bridge domain command itself;
ever-dcr-r01(config-subif)#bridge?
% Unrecognized command
ever-dcr-r01(config-subif)#
ever-dcr-r01(config-subif)#serv?
service-policy service-routing
ever-dcr-r01(config-subif)#serv
Ian
06-14-2017 01:39 AM
Hi Ian
You have to do all bridge commands under the main interface - NOT under subinterfaces, due to the fact that these are only for layer 3 functions. You could have many service instances under the main interface as well.
It might be something like:
!
bridge-domain 50
 member GigabitEthernet0/0/<xx> service-instance 50
 member GigabitEthernet0/0/2 service-instance 50
!
interface GigabitEthernet0/0/2
 description ** WAN interface **
 no ip address
 service instance 50 ethernet
  description ** bridged vlan **
  encapsulation dot1q 50
  rewrite ingress tag pop 1 symmetric
 !
!
interface GigabitEthernet0/0/2.101
 description ** WAN - Layer 3 interface **
 encapsulation dot1Q 101
 ip address 172.16.aa.aa 255.255.255.252
!
interface GigabitEthernet0/0/2.102
 description ** WAN - Layer 3 interface **
 encapsulation dot1Q 102
 ip address 172.16.bb.bb 255.255.255.252
!
And please remember the bridge-domain is in global config - please remember there are 2 bridge commands in global: use the "bridge-domain", and NOT the "bridge" command.
Regards
Preben Knudsen
06-14-2017 03:42 AM
Great reply, thanks v much.
I still have the problem that I have no 'member' command under the global bridge-domain command.
r01(config-bdomain)#?
Bridge-domain mode commands:
  default   Set a command to its defaults
  exit      Leave the bridge-domain configuration submode
  ip        IP related commands
  mac       MAC Address related commands
  no        Negate a command or set its defaults
  shutdown  Take the bridge domain admin down
So I have used the bridge-domain command under the service instance config on both interfaces.
This is what I look like now :-
bridge-domain 1
!
interface GigabitEthernet0/0/0
 description *** L2 Connection to ddd ***
 no ip address
 negotiation auto
 service-policy output VoIP
 service instance 10 ethernet
  description *Bridged SIP link *
  encapsulation dot1q 4093
  rewrite ingress tag pop 1 symmetric
  bridge-domain 1
 !
!
interface GigabitEthernet0/0/4
 description *** L2 Connection to Mitel SIP Gateway ***
 no ip address
 no logging event link-status
 load-interval 30
 shutdown
 negotiation auto
 no snmp trap link-status
 service instance 10 ethernet
  encapsulation untagged
  bridge-domain 1
 !
r01#sh bridge-dom 1
Bridge-domain 1 (2 ports in all)
State: UP Mac learning: Enabled
Aging-Timer: 300 second(s)
GigabitEthernet0/0/0 service instance 10
GigabitEthernet0/0/4 service instance 10
AED MAC address Policy Tag Age Pseudoport
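Added example, not part of any post in this thread and not Cisco code: a small Python check built on the point of the accepted answer, that every service instance in a bridge-domain has to leave frames with the same number of VLAN tags after its ingress rewrite. It reads both the `member` style and the per-instance `bridge-domain` style used in the thread; the function names and the tag-depth rule as a lint heuristic are assumptions of this example, and it expects running-config indentation.

```python
import re
from collections import defaultdict

# Config from the accepted answer (indentation as in a running-config).
FIXED = """\
interface GigabitEthernet0/0/1
 service instance 50 ethernet
  encapsulation untagged
!
interface GigabitEthernet0/0/2
 service instance 50 ethernet
  encapsulation dot1q 50
  rewrite ingress tag pop 1 symmetric
!
bridge-domain 1
 member GigabitEthernet0/0/1 service-instance 50
 member GigabitEthernet0/0/2 service-instance 50
"""
# Constructed "before" case: the same config with the rewrite line missing.
BROKEN = FIXED.replace("  rewrite ingress tag pop 1 symmetric\n", "")

def parse_efps(config):
    """Map (interface, instance id) -> tags matched, tags popped, bridge-domain."""
    efps, ctx, efp = defaultdict(lambda: dict(tags=0, pop=0, bd=None)), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():                # top-level line opens a new context
            m = re.match(r"(interface|bridge-domain) (\S+)", line)
            ctx, efp = (m.groups() if m else None), None
        elif ctx and ctx[0] == "bridge-domain":  # newer style: member under bridge-domain
            if m := re.match(r"member (\S+) service-instance (\d+)", line):
                efps[m.groups()]["bd"] = ctx[1]
        elif ctx and (m := re.match(r"service instance (\d+) ethernet", line)):
            efp = efps[(ctx[1], m.group(1))]
        elif efp is not None:
            if line.lower().startswith("encapsulation dot1q"):
                efp["tags"] = 2 if "second-dot1q" in line else 1
            elif m := re.match(r"rewrite ingress tag pop (\d)", line):
                efp["pop"] = int(m.group(1))
            elif m := re.match(r"bridge-domain (\d+)", line):
                efp["bd"] = m.group(1)           # older style: set under the instance
    return efps

def mismatched_domains(config):
    """Return {bridge-domain: {(intf, id): tag depth}} where members disagree."""
    domains = defaultdict(dict)
    for key, e in parse_efps(config).items():
        domains[e["bd"]][key] = e["tags"] - e["pop"]
    return {bd: m for bd, m in domains.items()
            if bd is not None and len(set(m.values())) > 1}
```

`mismatched_domains(BROKEN)` reports bridge-domain 1 with a tag depth of 0 on Gi0/0/1 and 1 on Gi0/0/2, while `FIXED` comes back empty.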