12-05-2015 05:55 AM - edited 03-08-2019 02:58 AM
Hi guys! First post here...
I was wondering if any of you could help me out a little. I'm getting a fiber connection in about a month and I plan on using my own equipment instead of the ISP equipment. I have a 3845 router and a 4948 L3 switch.
My ISP will deliver internet through VLAN 102 with DHCP and IPTV (multicast) over VLAN 101. I need to transport VLAN 101 through the router to the switch. The switch is, btw, acting as the router in L3 mode. The router is basically there just to NAT, since the switch doesn't NAT.
I have googled a lot about bridging, but I'm not satisfied with what I have found. Could any of you help me with the config to make this happen?
Thank you very much!
12-05-2015 02:39 PM
Hi Christian and Welcome to the forum.
For Internet access some providers will have a router on your premises and some don't. It depends on their policy.
It is not very common for providers to give you Internet connection using a vlan. Most of them use layer-3 routed interface to connect to their customers. Layer-2 is usually provided for point-to-point WAN connectivity. Can you clarify if both Internet and IPTV are provided over a layer-2 connection? If they are using vlans (as you mentioned in your post) you would need to connect their fiber to your switch and tag both vlans. Then connect the switch to the router using a layer-3 link with public IPs and then use the router to do NAT.
HTH
12-05-2015 02:53 PM
My ISP (to be) delivers over tagged VLAN 101 & 102 as stated. And they also provide a router, but I don't want to use it. I want to connect my router directly to the fiber.
Internet connection is not layer-2, it's normal L3 with DHCP (to get an official IP). Only VLAN 101, the IPTV VLAN is L2. That's why I need to bridge the VLAN so I can transport the multicast traffic/VLAN to the switch and distribute it from there...
12-07-2015 10:23 AM
Hi Reza,
I've actually seen this quite a lot recently, especially from small-medium ISPs and consumer class business services providers like Comcast and Time Warner that provide voice, video, and internet. They are deploying a topology that resembles the LAN Core-Distribution-Access model with Ethernet at the edge. They use VLANs to distinguish traffic at the edge, and at the distribution level they put them in their own MPLS VPNs for traffic engineering.
However to answer Christian's question specifically, Peter is right. Though it is technically possible to set up bridging on a router, you are better off connecting it to the switch and letting the switch do what it's made to do and bridge the VLANs separately.
However I do have to ask why is it necessary that 101 pass-through to the switch? What's the technical requirement for that? The only situation I can think of is that they are expecting your IPTV system to be a flat layer-2 network. However you mention the switch is going to be a layer-3 device so that leads me to believe that's not the case. Is there a reason you can't terminate both networks at the router using sub-interfaces?
12-07-2015 10:57 AM
101 is a flat L2 network. So no IP's to configure on subinterface. The TV decoder box gets its IP (10.0.0.0/8 range) address directly from the ISP, as far as I know, not from DHCP in the CPE. Only 102 has a DHCP server running on the CPE.
So, what I'm thinking concerning the config to make this happen, is WAN sub-int 102 and 101 in a bridge-group and BVI interface with ip address dhcp and ip nat outside.
Is this the correct way of doing it? Or do I also need to put LAN sub-int of vlan 101 in the bridge-group as well??
12-07-2015 12:07 PM
So basically what you'd need to do is create subinterfaces on the WAN and LAN for each VLAN and put the IPTV sub-int for both WAN and LAN in a bridge group. You don't need to use the same VLAN numbers on the LAN side as this is obscured by the router. You may want to for ease of management, but it's not a requirement. You won't need a BVI (similar to an SVI or Vlan interface) as you won't need to route between Internet and IPTV networks. Set the protocol for the bridge group to be ieee. That should allow you to pass-thru the IPTV.
For example
bridge irb
!
! WAN side: tagged VLANs from the ISP
int gig0/1.1
 desc WAN internet
 encap dot1q 102
 ip address dhcp
 ip nat outside
!
int gig0/1.2
 desc IPTV
 encap dot1q 101
 bridge-group 1
!
! LAN side: towards the switch
int gig0/0.1
 desc inside
 encap dot1q 10
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
int gig0/0.2
 desc IPTV
 encap dot1q 20
 bridge-group 1
!
! Bridge group 1 joins the WAN and LAN IPTV sub-interfaces at layer 2
bridge 1 protocol ieee
You may also need to configure IGMP static groups for your multicast to work properly.
12-07-2015 12:07 PM
Thank you! That's what I thought as well. Unfortunately I won't be able to test for a while - need to get the fiber first... ;)
12-07-2015 12:23 PM
It could easily be mocked up in VIRL.
12-07-2015 12:28 PM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
From a performance standpoint, I believe Peter's approach is "better" as it avoids sending traffic to the 3845 it doesn't need to deal with.
It's unclear why you want to bridge through the 3845 unless you believe the 3845 hosting the actual WAN VLANs is more secure than the 4948 doing so.
12-07-2015 12:38 PM
I agree, but he stated he wanted to do it through the router anyway.
12-11-2015 08:30 AM
Mocked it up real quick in VIRL the other night and it worked without having to do static IGMP groups.
12-05-2015 02:44 PM
Hi Christian,
If I understand correctly, your ISP will essentially bring a trunk to your premises with VLANs 101 (IPTV) and 102 (internet). You want to connect your 3845 router to this trunk and have the VLAN 101 pass transparently through your router while having the VLAN102 routed and NATted. Is that right?
If that is so, wouldn't it be easier to connect your switch directly to the provider's trunk and have it sort out VLANs 101 and 102 to different access ports? The router would be connected to the access port with VLAN 102 while the access port(s) with VLAN 101 would be connected to whatever you intended to connect them originally.
Routers are not particularly good at bridging, and I am afraid that a more intense multicast flow could be quite a burden to your router.
Perhaps you could draw a topology of your network and the intended way you want to connect the devices so that we can better understand why you need to do things in a particular way.
Best regards,
Peter
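Added example, not part of Peter's post or any other reply in this thread: a sketch of the switch-first layout described above, written for the 4948 with VLANs 101 and 102 taken from the thread. The interface numbers and descriptions are assumptions, and the port-hardening lines (explicit allowed-VLAN list, no trunk negotiation, no CDP towards the provider, no SVI in the provider VLANs) are additions relevant to the question raised elsewhere in the thread about the switch hosting the WAN VLANs directly.

```cisco
! Added example: interface numbers are assumed, VLAN IDs are from the thread.
vlan 101
 name ISP-IPTV
vlan 102
 name ISP-INTERNET
!
! IGMP snooping (normally on by default) keeps IPTV multicast to ports with receivers.
ip igmp snooping
!
! Provider-facing port: carry only the two ISP VLANs and never negotiate trunking.
interface GigabitEthernet1/48
 description ISP fiber handoff (assumed port)
 ! omit the next line if the platform offers only 802.1Q
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101,102
 switchport nonegotiate
 no cdp enable
!
! Untagged VLAN 102 to the 3845 outside interface
! (the router side keeps "ip address dhcp" and "ip nat outside").
interface GigabitEthernet1/47
 description To 3845 WAN (assumed port)
 switchport mode access
 switchport access vlan 102
 switchport nonegotiate
 no cdp enable
!
! IPTV decoder ports stay in the flat L2 VLAN 101.
interface GigabitEthernet1/1
 description IPTV decoder (assumed port)
 switchport mode access
 switchport access vlan 101
 switchport nonegotiate
 spanning-tree portfast
!
! Do not create "interface Vlan101" or "interface Vlan102": with no L3
! interface in the provider VLANs the switch only forwards frames there
! and has no address of its own reachable from the ISP side.
```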
12-05-2015 02:59 PM
If I understand correctly, your ISP will essentially bring a trunk to your premises with VLANs 101 (IPTV) and 102 (internet). You want to connect your 3845 router to this trunk and have the VLAN 101 pass transparently through your router while having the VLAN102 routed and NATted. Is that right?
That is absolutely correct!
Yes, I suppose I could connect the fiber to the switch, but I was hoping to be able to bridge the VLANs instead.