Table Of Contents
Bridging Traffic
Bridge Mode Configuration Quick Start
Configuring a Bridge Group VLAN
Configuring a Bridge Group to the VLAN
Assigning an ACL to the Bridge Group VLAN
Enabling the Interface
Configuring a Bridge-Group Virtual Interface
Creating a Virtual Routed Interface for a Bridge Group
Configuring a BVI IP Address
Configuring an Alias IP Address
Configuring a Peer IP Address
Providing a BVI Description
Enabling a BVI
Displaying Bridge Group or BVI Information
Bridging Traffic
Clients and servers communicate through the ACE using either Layer 2 (L2) or Layer 3 (L3) in a VLAN configuration. When the client-side and server-side VLANs are on the same subnet, you can configure the ACE to bridge traffic on that single subnet (bridge mode).
When the client-side and server-side VLANs are on different subnets, you can configure the ACE to route the traffic. For more information, see Chapter 2, "Configuring Routes on the ACE."
In bridge mode, the ACE acts as a "bump in the wire" and is not a routed hop. No dynamic routing protocols are required.
When you configure a bridge group on an interface VLAN, the ACE automatically makes it a bridged interface. The ACE supports a maximum of two Layer 2 interface VLANs per bridge group.
Note
The ACE does not allow shared VLAN configurations on Layer 2 interfaces.
Because L2 VLANs are not associated with an IP address, they require extended ACLs for controlling IP traffic. You can also optionally configure EtherType ACLs for the passing of non-IP traffic. For information on ACLs, see the Cisco Application Control Engine Module Security Configuration Guide.
To enable the bridge group VLANs, you must configure a bridge-group virtual interface (BVI) that is associated with a corresponding bridge group. You must configure an IP address on the BVI. This address is used as a source IP address for traffic from the ACE, for example, ARP requests, or management traffic. The ACE supports 4,094 BVIs per system.
Note
The ACE supports a maximum of 8,192 interfaces per system that include VLANs, shared VLANs, and BVI interfaces.
The ACE does not perform MAC address learning on a bridged interface. Instead, learning is performed by ARP. Bridge lookup is based on the bridge-group identifier and destination MAC address. A bridged interface automatically sends multicast and broadcast bridged traffic to the other interface of the bridge group.
ARP packets are always passed through an L2 interface after their verification and inspection. For information on configuring ARP on the ACE, see Chapter 4, "Configuring ARP." Multicast and broadcast packets from the incoming interface are flooded to the other L2 interface in the bridge group.
This chapter contains the following major sections:
• Bridge Mode Configuration Quick Start
• Configuring a Bridge Group VLAN
• Configuring a Bridge-Group Virtual Interface
• Displaying Bridge Group or BVI Information
Bridge Mode Configuration Quick Start
Table 3-1 provides a quick overview of the steps required to configure a bridge group on the ACE. Each step includes the CLI command required to complete the task.
Table 3-1 Bridge Mode Configuration Quick Start
Task and Command Example
1. If you are operating in multiple context mode, observe the CLI prompt to verify that you are operating in the desired context. Change to the correct context if necessary.
The rest of the examples in this table use the Admin context for illustration purposes, unless otherwise specified. For details about creating contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.
2. Access configuration mode by entering the config command. For example, enter:
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
3. Create a VLAN for the bridge group and access interface configuration mode by using the interface vlan command. For example, enter:
host1/Admin(config)# interface vlan 2
4. Assign the VLAN to the bridge group by using the bridge-group command. For example, enter:
host1/Admin(config-if)# bridge-group 15
5. Assign an ACL to the VLAN to permit traffic by using the access-group command. You must configure an ACL on an interface where you want to permit traffic. Otherwise, the ACE denies all traffic on the interface. For more information on extended ACLs for IP traffic or EtherType ACLs for non-IP traffic, see the Cisco Application Control Engine Module Security Configuration Guide.
The following example is an ACL that permits IP traffic:
access-list ACL1 line 5 extended permit ip any any
After you configure an ACL for the traffic, assign it to the VLAN. For example, to assign ACL1 for inbound traffic to the interface, enter:
host1/Admin(config-if)# access-group input ACL1
6. Enable the VLAN by using the no shutdown command. For example, enter:
host1/Admin(config-if)# no shutdown
host1/Admin(config-if)# exit
7. Configure a second VLAN for the bridge group. Repeat steps 3 through 6.
8. Create a BVI for the bridge group and access interface configuration mode for the BVI by using the interface bvi command in configuration mode. For example, to create a BVI for bridge group 15, enter:
host1/Admin(config)# interface bvi 15
9. Assign an IP address to the BVI by using the ip address command. For example, to configure an IP address and mask for the BVI, enter:
host1/Admin(config-if)# ip address 10.0.0.81 255.0.0.0
10. Enable the BVI by using the no shutdown command. For example, to enable the BVI, enter:
host1/Admin(config-if)# no shutdown
Configuring a Bridge Group VLAN
In bridge mode, you can configure two interface VLANs into a group and bridge packets between them. All interfaces are in one broadcast domain and packets from one VLAN are switched to the other VLAN. The ACE bridge mode only supports two L2 VLANs per bridge group. In this mode, L2 VLAN interfaces do not have configured IP addresses.
Before you create a bridge group, you must assign a VLAN to the context and access its mode to configure its attributes. Use the interface vlan command in configuration mode. The syntax for the command is:
interface vlan number
The number argument is the VLAN number you want to assign to the context. For example, enter:
host1/Admin(config)# interface vlan 2
To remove a VLAN, use the no interface vlan command. For example, enter:
host1/Admin(config)# no interface vlan 2
After you configure the VLAN, configure its attributes as described in the following sections:
• Configuring a Bridge Group to the VLAN
• Assigning an ACL to the Bridge Group VLAN
• Enabling the Interface
Configuring a Bridge Group to the VLAN
When you configure a bridge group on the VLAN, the ACE automatically makes it bridged. To assign the VLAN to the bridge group, use the bridge-group command in interface configuration mode. The syntax for the command is:
bridge-group number
The number argument is a number from 1 to 4094. For example, to assign bridge group 15 to the VLAN, enter:
host1/Admin(config-if)# bridge-group 15
To remove the bridge group from the VLAN, use the no bridge-group command. For example, enter:
host1/Admin(config-if)# no bridge-group
Assigning an ACL to the Bridge Group VLAN
A bridge group VLAN supports extended ACLs for IP traffic, and EtherType ACLs for non-IP traffic. The following is an example of an extended ACL that permits IP traffic:
host1/Admin(config)# access-list ACL1 line 5 extended permit ip any any
For non-IP traffic, configure an EtherType ACL. EtherType ACLs support Ethernet V2 frames. You can configure the ACE to pass one or any of the following non-IP EtherTypes: Multi-Protocol Label Switching (MPLS), Internet Protocol version 6 (IPv6), and bridge protocol data units (BPDUs).
Note
Before allowing BPDUs to pass through the ACE, you must disable the spanning-tree portfast bpduguard default IOS command (if configured) on the Catalyst 6500 supervisor. Otherwise, the ACE port enters the err-disable state, resulting in a complete outage. To recover, you must reboot the ACE.
Note
Before allowing or blocking BPDUs on the ACE, you must disable the spanning-tree loopguard default IOS command (if configured) on the Catalyst 6500 supervisor. Otherwise, if you allow and then block BPDUs on the ACE, the ACE port enters the blocking state, resulting in a complete outage. To recover, you must reboot the ACE.
For example, you can permit or deny BPDUs. By default, all BPDUs are denied. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you permit BPDUs.
Note
If you use failover, you must permit BPDUs on both interfaces with an EtherType ACL to avoid bridging loops.
The following is an example of an EtherType ACL that permits BPDUs:
host1/Admin(config)# access-list NONIP ethertype permit bpdu
For more detailed information on extended or EtherType ACLs, see the Cisco Application Control Engine Module Security Configuration Guide.
After you configure an ACL for permitting traffic, assign it to the bridge-group VLAN. To apply an ACL to the inbound or outbound direction of a VLAN, use the access-group command in interface configuration mode. The syntax of this command is:
access-group {input | output} acl_name
The options and arguments are:
• input—Specifies the inbound direction of the interface to apply the ACL.
• output—Specifies the outbound direction of the interface to apply the ACL. This option is not allowed for EtherType ACLs.
• acl_name—Identifier of an existing ACL to apply to the interface.
For example, to assign ACL1 for inbound traffic to the interface, enter:
host1/Admin(config-if)# access-group input ACL1
To assign ACL1 for outbound traffic to the interface, enter:
host1/Admin(config-if)# access-group output ACL1
To remove an ACL from an interface, use the no access-group command. For example, enter:
host1/Admin(config-if)# no access-group output ACL1
Enabling the Interface
When you create an interface, the interface is in the shutdown state until you enable it. To enable an interface for use, use the no shutdown command. For example, enter:
host1/Admin(config-if)# no shutdown
To disable the VLAN, use the shutdown command. For example, enter:
host1/Admin(config-if)# shutdown
After you enable the bridge-group VLAN, configure a BVI to bring it into operation.
Configuring a Bridge-Group Virtual Interface
To initiate traffic, such as ARP requests, from the ACE or for management traffic, a bridge group requires an interface with an IP address on the same subnet. This interface is the bridge-group virtual interface (BVI).
A BVI represents its bridge group to the routed interfaces within the ACE and behaves like a routed interface; the BVI itself does not support bridging. The BVI is assigned the number of the associated bridge group. Only one BVI is supported for each bridge group. The MAC address of the BVI is the same as the MAC addresses of the associated bridge-group interfaces. Both the BVI and the associated bridge-group interfaces must be enabled to forward traffic.
To use a BVI to terminate management traffic, apply a management policy to the Layer 2 interface from which the management traffic is expected. To apply this policy, configure the service policy on the bridge-group interface VLAN, and then configure the management IP address to the BVI.
This section provides the following topics:
• Creating a Virtual Routed Interface for a Bridge Group
• Configuring a BVI IP Address
• Configuring an Alias IP Address
• Configuring a Peer IP Address
• Providing a BVI Description
• Enabling a BVI
Creating a Virtual Routed Interface for a Bridge Group
To create a virtual routed interface for a bridge group, use the interface bvi command in configuration mode. The syntax for the command is:
interface bvi group_number
The group_number argument is the bridge-group number configured on the Layer 2 VLAN interfaces.
For example, to create a BVI for bridge group 15, enter:
host1/Admin(config)# interface bvi 15
To delete a BVI for bridge group 15, enter:
host1/Admin(config)# no interface bvi 15
Configuring a BVI IP Address
To assign an IP address to a BVI, use the ip address command in interface configuration mode for the BVI. The syntax for the command is:
ip address ip_address mask
The ip_address mask arguments are the address and subnet mask of the interface. Enter the IP address and subnet mask in dotted-decimal notation.
For example, to configure an IP address and mask for a BVI, enter:
host1/Admin(config-if)# ip address 10.0.0.10 255.255.255.0
To delete the IP address from a BVI, enter:
host1/Admin(config-if)# no ip address
Configuring an Alias IP Address
When configuring a redundant configuration with active and standby modules, you can configure a VLAN interface that has an IP address that floats between active and standby modules. To configure a floating address for the BVI, use the alias command in its interface configuration mode. The syntax for the command is:
alias ip_address mask
The ip_address mask arguments are the address and subnet mask of the interface. Enter the IP address and subnet mask in dotted-decimal notation.
For example, to configure an IP address and mask for a BVI, enter:
host1/Admin(config-if)# alias 10.0.0.15 255.255.255.0
To delete the alias IP address from a BVI, enter:
host1/Admin(config-if)# no alias 10.0.0.15 255.255.255.0
Configuring a Peer IP Address
When configuring redundancy, by default, configuration mode on the standby module is disabled and changes on an active module are automatically synchronized on the standby module. However, interface IP addresses on the active and standby modules must be unique. To ensure that the addresses on the interfaces are unique, the IP address of an interface on the active module is synchronized on the standby module as the peer IP address.
To configure an IP address for the interface on the standby module, use the peer ip address command in interface configuration mode. The peer IP address on the active module is synchronized on the standby module as the interface IP address. The syntax for the command is:
peer ip address ip_address mask
The ip_address mask arguments are the address and subnet mask for the peer module.
For example, to configure an IP address and mask of the peer module, enter:
host1/Admin(config-if)# peer ip address 10.0.0.18 255.255.255.0
To delete the IP address for the peer module, enter:
host1/Admin(config-if)# no peer ip address
Providing a BVI Description
To provide a description for the BVI, use the description command in interface configuration mode. The syntax for the command is:
description text
The text argument is a text string with a maximum of 240 characters including spaces.
For example, to provide a description for the BVI, enter:
host1/Admin(config-if)# description BVI for Bridge Group 15
To delete the description, enter:
host1/Admin(config-if)# no description
Enabling a BVI
To enable a BVI, use the no shutdown command in interface configuration mode. The syntax for the command is:
no shutdown
For example, to enable a BVI, enter:
host1/Admin(config-if)# no shutdown
To disable the BVI, enter:
host1/Admin(config-if)# shutdown
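The following Python script is an added example; it is not part of this chapter and not ACE software. It assembles the Table 3-1 quick start into one constructed ACE-style running configuration (VLANs 2 and 3 in bridge group 15, ACLs applied inbound, BVI 15) and then audits a configuration text against the bridge-mode rules this chapter states: at most two L2 VLANs per bridge group, no IP address on a bridged L2 VLAN, an access-group on each bridged VLAN (otherwise the ACE denies all traffic), no EtherType ACL in the output direction, a BVI numbered after its bridge group with an IP address, and every interface enabled with no shutdown. The config parsing is a simplified, assumed subset of the CLI syntax shown in this chapter, and the second, deliberately broken configuration is constructed to show what the checks report.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from a real module): the Table 3-1 quick start
# with VLANs 2 and 3 in bridge group 15, ACLs applied inbound, and BVI 15.
SAMPLE_CONFIG = """\
access-list ACL1 line 5 extended permit ip any any
access-list NONIP ethertype permit bpdu
interface vlan 2
  bridge-group 15
  access-group input ACL1
  access-group input NONIP
  no shutdown
interface vlan 3
  bridge-group 15
  access-group input ACL1
  no shutdown
interface bvi 15
  ip address 10.0.0.81 255.0.0.0
  no shutdown
"""

# Constructed mis-configuration: a third VLAN in the group, an IP address on an L2
# VLAN, an EtherType ACL applied outbound, and the interface left shut down.
BROKEN_CONFIG = SAMPLE_CONFIG + """\
interface vlan 4
  bridge-group 15
  access-group output NONIP
  ip address 10.0.0.4 255.0.0.0
"""


def parse_config(text):
    """Return (interfaces, acls). interfaces maps "vlan 2" / "bvi 15" to a dict of
    the attributes this chapter cares about; acls maps ACL name to its type."""
    interfaces, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) (?:line \d+ )?(extended|ethertype)\b", line)
        if m:
            acls[m.group(1)] = m.group(2)
            current = None
            continue
        m = re.match(r"interface (vlan|bvi) (\d+)$", line)
        if m:
            current = interfaces.setdefault(
                f"{m.group(1)} {m.group(2)}",
                {"kind": m.group(1), "number": int(m.group(2)), "bridge_group": None,
                 "ip": None, "acls": [], "enabled": False})
            continue
        if current is None:
            continue
        if line.startswith("bridge-group "):
            current["bridge_group"] = int(line.split()[1])
        elif line.startswith("ip address "):
            current["ip"] = tuple(line.split()[2:4])
        elif line.startswith("access-group "):
            _, direction, name = line.split()
            current["acls"].append((direction, name))
        elif line == "no shutdown":
            current["enabled"] = True
        elif line == "shutdown":
            current["enabled"] = False
    return interfaces, acls


def check_bridge_config(text):
    """Return a list of findings; an empty list means the configuration satisfies
    the bridge-mode rules described in this chapter."""
    interfaces, acls = parse_config(text)
    findings = []
    groups = defaultdict(list)
    for intf in interfaces.values():
        if intf["kind"] == "vlan" and intf["bridge_group"] is not None:
            groups[intf["bridge_group"]].append(intf)
    bvis = {i["number"]: i for i in interfaces.values() if i["kind"] == "bvi"}
    for group, members in sorted(groups.items()):
        if len(members) > 2:
            findings.append(f"bridge-group {group}: {len(members)} L2 VLANs (maximum is two)")
        for intf in members:
            name = f"vlan {intf['number']}"
            if intf["ip"] is not None:
                findings.append(f"{name}: a bridged L2 VLAN must not carry an IP address")
            if not intf["acls"]:
                findings.append(f"{name}: no access-group, so the ACE denies all traffic")
            for direction, acl in intf["acls"]:
                if acl not in acls:
                    findings.append(f"{name}: access-group references unknown ACL {acl}")
                elif acls[acl] == "ethertype" and direction == "output":
                    findings.append(f"{name}: EtherType ACL {acl} is not allowed in the output direction")
            if not intf["enabled"]:
                findings.append(f"{name}: interface is shut down")
        bvi = bvis.get(group)
        if bvi is None:
            findings.append(f"bridge-group {group}: no BVI {group} configured")
        else:
            if bvi["ip"] is None:
                findings.append(f"bvi {group}: no IP address (needed for ARP and management traffic)")
            if not bvi["enabled"]:
                findings.append(f"bvi {group}: interface is shut down")
    for number in bvis:
        if number not in groups:
            findings.append(f"bvi {number}: no VLANs are assigned to bridge-group {number}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"{label}: {check_bridge_config(cfg) or ['no findings']}")
```

Run the script as-is to see the clean configuration pass and the broken one produce four findings; to audit a real context, paste the output of show running-config into the text the checker receives. The missing-ACL rule is reported as a finding even though the ACE fails closed in that case, because an interface that silently drops everything is usually a configuration mistake rather than the intended state.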
Displaying Bridge Group or BVI Information
To display information about a bridge-group VLAN, use the show interface vlan command in Exec mode. For example, enter:
host1/Admin# show interface vlan 15
To display information about a BVI, use the show interface bvi command in Exec mode. For example, enter:
host1/Admin# show interface bvi 15
For information about the fields in the show interface command, see Table 1-1 in Chapter 1, Configuring VLAN Interfaces.