Layer2 bridging on routed interface on ASR1001-X

pknudsen
Level 1

Hi all.

I have tried to do some bridging on an ASR1001-X with no luck so far.

I have done this many times before on ISR-G2 routers with great success, but now I have to do it on an ASR1001-X router.

The setup consists, in simple terms, of an ASR1001-X router with a WAN port (Gi0/0/2) toward the ISP backbone/MPLS and a LAN port (Gi0/0/1) toward an ASA5508X in untagged mode.

The router is already running several layer 3 circuits on the WAN port for several MPLS connections, and now I want to add one more VLAN on my WAN port for internet use. But I don't want my ASR1001-X to be exposed on the internet with a layer 3 IP address, so layer 2 bridging seems to be the perfect solution for me.

So I now have one more VLAN on my WAN trunk port (Gi0/0/2) and want to bridge all traffic from this WAN VLAN toward an untagged LAN port (Gi0/0/1). I have the following config so far, but so far with no luck...

!

bridge irb   <-- Not sure whether this is needed.
!
! LAN interface - Untagged toward outside interface on ASA5508X
interface GigabitEthernet0/0/1
 service instance 50 ethernet
  encapsulation untagged
  bridge-domain 50
!
! WAN interface
interface GigabitEthernet0/0/2
 service instance 50 ethernet
  encapsulation dot1q <Vlan-ID>
  bridge-domain 50
!
end
So the question is: what am I missing, or have I done some wrong config so far...?
Peter Paluch
Cisco Employee

Hi,

I believe that the main reason why your configuration does not work is the lack of tag manipulation. You are receiving frames with VLAN50 on Gi0/0/2, but in order to forward them out Gi0/0/1, they need to be untagged - and vice versa.

Try this configuration instead - it uses a more recent configuration style which is going to be maintained in newer IOS-XE versions:

interface GigabitEthernet0/0/1
 service instance 50 ethernet
  encapsulation untagged
!
interface GigabitEthernet0/0/2
 service instance 50 ethernet
  encapsulation dot1q 50
  rewrite ingress tag pop 1 symmetric
!
bridge-domain 1
 member GigabitEthernet0/0/1 service-instance 50
 member GigabitEthernet0/0/2 service-instance 50

Best regards,
Peter

Hi Peter

Thanks a lot for the quick answer. I have now tested with your config, and bridging is now working. Perfect!

Regards

Preben Knudsen

Hi Preben,

It has been a pleasure :)

Best regards,
Peter

Hi Peter.. thanks for a great explanation...

I have a similar situation, which is depicted below. We have a link that terminates WAN connections from our WAN provider from various offices and 3rd parties (using unique dot1q tags) on Gi0/0/0 (and Gi0/0/2, not shown here). I have created sub-interfaces for the office VLANs on the ASR Gi0/0/0 interface; however, for 3rd parties I would like Layer 3 to terminate on the firewall and the ASR to serve purely as an L2 device.

For the purpose of understanding, let's assume the 3rd party VLAN in question is 1417.

WAN -------(Gi0/0/0) ASR (Gi0/0/3)-------- (Access) SWITCH (802.1q Trunk)--------- Firewall

The switch access port will be in VLAN 1417, and the trunk between the switch and the firewall will carry that VLAN too, with sub-interfaces created on the firewall as well.

Can you please confirm if the above design is valid and, if so, also review the ASR configuration?

interface GigabitEthernet0/0/0
 service instance 1 ethernet
  encapsulation dot1q 1417
  rewrite ingress tag pop 1 symmetric
!
interface GigabitEthernet0/0/3
 service instance 1 ethernet
  encapsulation untagged
!
bridge-domain 1
 member GigabitEthernet0/0/0 service-instance 1
 member GigabitEthernet0/0/3 service-instance 1


iswift
Level 1

Hello Peter
Do you have info on what versions of IOS-XE this applies to?
Is there a feature set needed?
With an ASR1001-X, universal image 03.16.02.S.155-3.S2,

there is no member command under the bridge-domain config section; the only available options are:

Bridge-domain mode commands:
  default   Set a command to its defaults
  exit      Leave the bridge-domain configuration submode
  ip        IP related commands
  mac       MAC Address related commands
  no        Negate a command or set its defaults
  shutdown  Take the bridge domain admin down

I am able to use the bridge-domain definition in the service-instance section, on each interface though.

My problem is a bit like the original poster's: my 'outside' is a dot1q-encapsulated sub-interface from the carrier. (In the UK an Etherway bearer can carry multiple 'Etherflows', each one dot1q tagged from the carrier, and I need to bridge one.)

Under the sub-interface you cannot select either the service-instance or the bridge-domain command itself:

ever-dcr-r01(config-subif)#bridge?
% Unrecognized command
ever-dcr-r01(config-subif)#     
ever-dcr-r01(config-subif)#serv?
service-policy  service-routing 

ever-dcr-r01(config-subif)#serv

Ian

Hi Ian

You have to do all bridge commands under the main interface, NOT under sub-interfaces, since those are only for layer 3 functions. You could have many service instances under the main interface as well.

It might be something like:

!
bridge-domain 50
 member GigabitEthernet0/0/<xx> service-instance 50
 member GigabitEthernet0/0/2 service-instance 50
!
interface GigabitEthernet0/0/2
 description ** WAN interface **
 no ip address
 service instance 50 ethernet
  description ** bridged vlan **
  encapsulation dot1q 50
  rewrite ingress tag pop 1 symmetric
 !
!
interface GigabitEthernet0/0/2.101
 description ** WAN - Layer 3 interface **
 encapsulation dot1Q 101
 ip address 172.16.aa.aa 255.255.255.252
!
interface GigabitEthernet0/0/2.102
 description ** WAN - Layer 3 interface **
 encapsulation dot1Q 102
 ip address 172.16.bb.bb 255.255.255.252
!

And please remember the bridge-domain is in global config. There are 2 bridge commands in global config: use the "bridge-domain" command, and NOT the "bridge" command.

Regards

Preben Knudsen

Great reply, thanks v much.

I still have the problem that I have no 'member' command under the global bridge-domain command.

r01(config-bdomain)#?
Bridge-domain mode commands:
  default   Set a command to its defaults
  exit      Leave the bridge-domain configuration submode
  ip        IP related commands
  mac       MAC Address related commands
  no        Negate a command or set its defaults
  shutdown  Take the bridge domain admin down

So I have used the bridge-domain command under the service instance config on both interfaces.

This is what it looks like now:

bridge-domain 1
!
interface GigabitEthernet0/0/0
 description *** L2 Connection to ddd ***
 no ip address
 negotiation auto
 service-policy output VoIP
 service instance 10 ethernet
  description *Bridged SIP link *
  encapsulation dot1q 4093
  rewrite ingress tag pop 1 symmetric
  bridge-domain 1
 !
!
interface GigabitEthernet0/0/4
 description *** L2 Connection to Mitel SIP Gateway ***
 no ip address
 no logging event link-status
 load-interval 30
 shutdown
 negotiation auto
 no snmp trap link-status
 service instance 10 ethernet
  encapsulation untagged
  bridge-domain 1
 !

r01#sh bridge-dom 1
Bridge-domain 1 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
    GigabitEthernet0/0/0 service instance 10
    GigabitEthernet0/0/4 service instance 10
   AED MAC address    Policy  Tag       Age  Pseudoport