Re: Three bridges to one vlan in router

BRENDON-WALSH · ‎05-01-2025

I am trying to go from a layer 3 port and use three different bridges with vrf going to one vlan in a router going to another router with same configuration. I unsure of how to do this because all the documentation is for switches or is too old to be useful. Can someone explain how it can be done

Joseph W. Doherty · ‎05-01-2025

Not 100% certain I understand.

On the router believe you could use subinterfaces, each in a different VRF and using .1Q tagging. The switch would then use a trunk interface and its VLANs would keep the VRF traffic separated.

Joseph W. Doherty · ‎05-02-2025

@BRENDON-WALSH as the other posters' replies suppose, you desire to use a router, in lieu of a bridge, is what you want to do? Or, your intent is to somehow directly connect together, several routers (mesh?), yet they would share VRFs yet route between themselves (sort of like L3 switches)?

I'm still not certain what "I am trying to go from a layer 3 port and use three different bridges with vrf going to one vlan in a router going to another router with same configuration." means.

Possibly a simple diagram would be worth 1024 words.

Jens Albrecht · ‎05-01-2025

For the interface of the router that is facing the switches you can use the router-on-a-stick configuration with VRFs as @Joseph W. Doherty mentioned.

How do you plan to connect the 2 routers?
In order to preserve the separation of the VRFs you could either use sub-interfaces again or use a tool like GRE-tunnels.
If you plan to connect these VRFs to the internet, then even more questions arise...

Would be really helpful if you could post a network diagram to show us what you plan to set up.

paul driver · ‎05-01-2025

Hello
can you share a topology for this - so to clarify what you are want to do?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

rkthapa9 · ‎05-02-2025

Hi,

What you’re trying to do is a form of VRF-aware bridging (or Integrated Routing and Bridging with VRF), where traffic from different VRFs (Layer 3) needs to be bridged (Layer 2) to a common VLAN and sent across to a peer device with the same configuration. This is more common in modern routers and software-defined environments (like IOS-XE or IOS-XR), but it can still be done in traditional CLI-based configurations.

Let’s break it down step by step:

Your Goal (Simplified)

One Layer 3 routed port.
Three VRFs.
Each VRF has an interface (or subinterface).
You want to bridge all three VRFs to the same VLAN.
This VLAN is trunked (or routed) to another router with mirrored config.

Key Concepts

BVI (Bridge Virtual Interface) – This is your Layer 3 gateway in a bridge domain.
Bridge Domains / Bridge Groups – Used to group interfaces/subinterfaces under a common L2 domain.
IRB (Integrated Routing and Bridging) – Allows bridging and routing to coexist (used in older IOS setups).
VRF-aware bridging – Supported in newer Cisco platforms like IOS-XE, IOS-XR.

General Configuration Approach (IOS-XE Example)

Let’s assume:

VLAN 100 is the shared VLAN.
You have VRFs: VRF1, VRF2, VRF3.
You’re using subinterfaces or loopbacks as part of the bridge.

Step 1: Create VRFs
ip vrf VRF1
rd 1:1
!
ip vrf VRF2
rd 2:2
!
ip vrf VRF3
rd 3:3
Step 2: Define the Bridge Domain (L2 Bridging)
bridge 1 protocol ieee
bridge 1 route ip
Step 3: Create Interfaces in Each VRF to Bridge
interface GigabitEthernet0/0.10
encapsulation dot1Q 100
bridge-group 1
ip vrf forwarding VRF1
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 100
bridge-group 1
ip vrf forwarding VRF2
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 100
bridge-group 1
ip vrf forwarding VRF3
ip address 192.168.1.1 255.255.255.0
All VRFs share the same IP (as it's on the BVI interface from their perspective), but they're isolated logically.

Step 4: Define the BVI Interface (optional if routed only)
interface BVI1
ip address 192.168.1.1 255.255.255.0
bridge-group 1
On the Remote Router
You must mirror the exact same setup with matching bridge groups and VRFs. This way, each VRF-to-VRF traffic can pass across the trunk while remaining logically separated.

Things to Watch Out For
This type of config is rarely used and not always supported on all platforms.
Use bridge-domain and BVI on IOS-XE and IOS-XR, not classic bridge-group in newer setups.
BVI will be the L3 gateway for all interfaces in that bridge domain.
You cannot bridge directly between VRFs—this config only works because the L2 VLAN is shared between the VRFs.

Thank you!

MHM Cisco World · ‎05-02-2025

https://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/200650-Understanding-Bridge-Virtual-Interface.html <<- this for BDI for vlan

for BVI with vrf aware you need to route leak from one vrf to other

MHM

Stefan Mihajlov · ‎05-02-2025

Hey @BRENDON-WALSH

most docs either focus on traditional switching or assume you’re doing this on gear from 10 years ago. But what you're trying to do can be done with a bit of creativity, especially if you're working on a router that supports bridging and VRFs together (like an ASR or ISR with the right license)

here's the basic idea:

you want one Layer 3 interface (probably a routed port) that carries traffic from multiple VRFs.
these VRFs are connected via bridge domains (or bridge groups), each mapping to a VLAN.
then you want to hand it all off to another router doing the same thing.

u're essentially trying to simulate switch-like behavior (bridging) on a router, but with VRF isolation per bridge.