Configure bridge domain interfaces

The Cisco 8500 Series Catalyst Edge Platform supports the bridge domain interface (BDI) feature, which enables packaging Layer 2 Ethernet segments into Layer 3 IP.

Restrictions for bridge domain interfaces

General Restrictions

  • Only 4096 bridge domain interfaces are supported per system.

  • For a bridge domain interface, the maximum transmission unit (MTU) size can be configured between 1500 and 9216 bytes.

Supported Features

Bridge domain interfaces support these features:

  • IPv4 Multicast

  • QoS marking and policing. Shaping and queuing are not supported.

  • IPv4 VRF

  • IPv6 unicast forwarding

  • Dynamic routing such as BGP, OSPF, EIGRP, RIP, IS-IS, and STATIC

  • Hot Standby Router Protocol (HSRP)

  • Virtual Router Redundancy Protocol (VRRP) from IOS XE 3.8.0 onwards.

Unsupported Features

Bridge domain interfaces do not support these features:

  • PPP over Ethernet (PPPoE)

  • Bidirectional Forwarding Detection (BFD) protocol

  • QoS

  • Network-Based Application Recognition (NBAR) or Advanced Video Coding (AVC)

Information about bridge domain interface

A bridge domain interface is a logical interface that allows bidirectional flow of traffic between a Layer 2 bridged network and a Layer 3 routed network. Bridge domain interfaces are identified by the same index as the bridge domain. Each bridge domain represents a Layer 2 broadcast domain. Only one bridge domain interface can be associated with a bridge domain.

Bridge domain interface supports these features:

  • IP termination

  • Layer 3 VPN termination

  • Address Resolution Protocol (ARP), G-ARP, and P-ARP handling

  • MAC address assignment

Prior to configuring a bridge domain interface, you must understand these concepts:

  • Ethernet Virtual Circuit Overview
  • Bridge Domain Interface Encapsulation
  • Assigning a MAC Address
  • Support for IP Protocols
  • Support for IP Forwarding
  • Packet Forwarding
  • Bridge Domain Interface Statistics

Ethernet virtual circuit overview

An Ethernet Virtual Circuit (EVC) is an end-to-end representation of a single instance of a Layer 2 service that is offered by a provider. The EVC defines the service parameters.

In the Cisco EVC Framework, bridge domains consist of one or more Layer 2 interfaces called service instances. A service instance is the instantiation of an EVC on a specific port of a router and is associated with a bridge domain based on the configuration.

An incoming frame can be classified as a service instance based on these criteria:

  • Single 802.1Q VLAN tag, priority-tagged, or 802.1ad VLAN tag

  • Both QinQ (inner and outer) VLAN tags, or both 802.1ad S-VLAN and C-VLAN tags

  • Outer 802.1p CoS bits, inner 802.1p CoS bits, or both

  • Payload Ethernet type (IPv4, IPv6, PPPoE-all, PPPoE-discovery, and PPPoE-session)

Service instance also supports alternative mapping criteria:

  • Untagged—Maps to all frames lacking an 802.1Q or 802.1ad header

  • Default—Maps to all frames

Bridge domain interface encapsulation

Security Group classification includes both Source and Destination Group, which is specified by source SGT and DGT. SGT Based PBR feature provides the PBR route-map match clause for SGT/DGT based packet classification. SGT Based PBR feature supports configuration of an unlimited number of tags. Configure the tags according to the memory available on the platform.

An EVC provides the ability to employ different encapsulations on each Ethernet flow point (EFP) present in a bridge domain. A BDI egress point may not be aware of the encapsulation of an egress packet. The packet may have exited from one or more EFPs with different encapsulations.

Encapsulation in a bridge domain is a configuration method that dictates how traffic is tagged and untagged within the domain, depending on the encapsulation settings of its Ethernet Flow Points (EFPs).

  • If all EFPs have different encapsulations, the Bridge Domain Interface (BDI) must be untagged (using the no 802.1Q tag), and you must configure traffic encapsulation (popped or pushed) and rewriting at each EFP.

  • If all EFPs have the same encapsulation, configure the encapsulations directly on the BDI using the encapsulation command.

  • Enabling encapsulation at the BDI when EFPs have the same encapsulation ensures effective pushing or popping of tags. This eliminates the need to configure the rewrite command at the EFPs.

Assign a MAC address

Important information about assigning a MAC Address includes:

  • All bridge domain interfaces on Cisco Catalyst 8500 Series Edge Platforms share one MAC address. The first interface within a bridge domain receives a MAC address, and each additional bridge domain interface in the same domain uses that address.

  • You can configure a static MAC address on a bridge domain interface using the mac-address command.

Support for IP protocols

Bridge domain interfaces allow the Cisco 8500 Series Catalyst Edge Platform to function as a Layer 3 endpoint on a Layer 2 bridge domain for these IP-related protocols:

  • ARP

  • DHCP

  • HTTP

  • ICMP

  • NTP

  • RARP

  • SNMP

  • TCP

  • Telnet

  • TFTP

  • UDP

IP forward support

Bridge domain interface supports these IP forwarding features:

  • IPv4 input and output access control lists (ACL)

  • IPv4 input and output QoS policies. The operations supported for the input and output service policies on a bridge domain interface are:

    • Classification

    • Marking

    • Policing

  • IPv4 L3 VRFs

Packet forwarding

A bridge domain interface provides bridging and forwarding services between the Layer 2 and Layer 3 network infrastructure.

Layer 2 to Layer 3

During a packet flow from a Layer 2 network to a Layer 3 network, the packet or a copy of the packet is forwarded to the bridge domain interface in these cases:

  • If the destination MAC address matches the bridge domain interface MAC address, the packet is forwarded to the bridge domain interface.

  • If the destination MAC address is a multicast address, a copy of the packet is forwarded to the bridge domain interface.


Note


MAC address learning cannot be performed on the bridge domain interface.


Layer 3 to Layer 2

When a packet arrives at a Layer 3 physical interface of a router, a route lookup action is performed. If the route lookup points to a bridge domain interface, the bridge domain interface adds Layer 2 encapsulation and forwards the frame to the correct bridge domain.

During a Layer 2 lookup on a bridge domain to which the bridge domain interface belongs, the bridge domain forwards the packets to the correct service instance based on the destination MAC address.

Bridge domain interface statistics

For virtual interfaces, such as the bridge domain interface, protocol counters are periodically queried from the QFP.

When packets flow from a Layer 2 bridge domain network to a Layer 3 routing network through the bridge domain interface, the packets are treated as bridge domain interface input packets and bytes.

When packets arrive at a Layer 3 interface and are forwarded through the bridge domain interface to a Layer 2 bridge domain, the packets are treated as output packets and bytes, and the counters are updated accordingly.

A BDI maintains a standard set of Layer 3 packet counters, as is the case with all Cisco IOS interfaces.

The convention of the counters is relative to the Layer 3 cloud. For example, input refers to the traffic entry to the Layer 3 cloud from the Layer 2 BD, while output refers to the traffic exit from the Layer 3 cloud to the Layer 2 BD.

Use the show interfaces accounting command to display the statistics for the BDI status. Use the show interface <if-name> command to display the overall count of the packets and bytes that are transmitted and received.

Create or delete a bridge domain interface

When you define an interface or subinterface for a Cisco IOS router, you name it and specify how it is assigned an IP address. You can create a bridge domain interface before adding a bridge domain to the system. The new bridge domain interface is activated after the associated bridge domain is configured.

When you create the bridge domain interface and the bridge domain, the system maintains the required associations for mapping the bridge domain-bridge domain interface pair.

The system maintains the mapping between bridge domains and bridge domain interfaces. The bridge domain interface uses the index of the associated bridge domain to show the association.


Note


When a bridge domain interface is created, a bridge domain is automatically created.

Bridge domain virtual IP interface

The Virtual IP Interface (VIF) feature helps to associate multiple BDI interfaces with a BD instance. The BD-VIF interface inherits all the existing L3 features of IOS logical IP interface.

The Virtual IP Interface (VIF) feature has these limitations:

  • BD-VIF interface does not support IP multicast.

  • The number of BD-VIF interfaces with automatically generated MAC addresses varies depending on the platform.

  • BD-VIF Interface does not support MPLS.

  • The maximum number of BD-VIF interfaces per bridge domain and the total number of BD-VIF interfaces per system vary based on the platform type.


Note


You must configure every BD-VIF interface with a unique MAC address and it should belong to a different VRF.


The maximum numbers of BD-VIF interfaces supported on Cisco Catalyst 8500 Series Edge Platforms are:

  • C8500-12X4QC supports a maximum of 100 BD-VIF interfaces for a bridge domain.

  • C8500-12X supports a maximum of 16 BD-VIFs for a bridge domain.


Note


From Cisco IOS XE 17.7 release, BD-VIF supports Flexible Netflow (FNF).


How to configure a bridge domain interface

To configure a bridge domain interface, perform these steps:

Procedure


Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

interface BDI {interface-number}

Example:

Router(config)# interface BDI3

Specifies a bridge domain interface on a Cisco 8500 Series Catalyst Edge Platform.

Step 4

encapsulation dot1q <first-tag> [second-dot1q <second-tag>]

Example:

Router(config-if)# encapsulation dot1Q 1 second-dot1q 2

Defines the encapsulation type.

The example shows how to define dot1q as the encapsulation type.

Step 5

Do one of these steps:

  • ip address ip-address mask

  • ipv6 address {X:X:X:X::X link-local | X:X:X:X::X/prefix [anycast | eui-64] | autoconfig [default]}

Example:

Router(config-if)# ip address 2.2.2.1 255.255.255.0

Example:

Router(config-if)# ipv6 address AB01:CD1:123:C::/64 eui-64

Specifies either the IPv4 or IPv6 address for the bridge domain interface.

Step 6

match security-group destination tag sgt-number

Example:

Router(config-route-map)# match security-group destination tag 150

Configures the value for security-group destination security tag.

Step 7

mac-address {mac-address}

Example:

Router(config-if)# mac-address 1.1.3

Specifies the MAC address for the bridge domain interface.

Step 8

no shut

Example:

Router(config-if)# no shut

Enables the bridge domain interface on the Cisco 8500 Series Catalyst Edge Platform.

Step 9

shut

Example:

Router(config-if)# shut

Disables the bridge domain interface on the Cisco 8500 Series Catalyst Edge Platform.


Bridge domain interface is configured.

Display and verify bridge domain interface configuration

To display and verify bridge domain interface configuration, follow these steps.

Procedure


Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

show interfaces bdi

Example:

Router# show interfaces BDI3

Displays the configuration summary of the corresponding BDI.

Step 3

show platform software interface fp active name

Example:

Router# show platform software interface fp active name BDI4

Displays the bridge domain interface configuration in a Forwarding Processor.

Step 4

show platform hardware qfp active interface if-name

Example:

Router# show platform hardware qfp active interface if-name BDI4

Displays the bridge domain interface configuration in a data path.

Step 5

debug platform hardware qfp feature

Example:

Router# debug platform hardware qfp active feature l2bd client all

The selected CPP L2BD Client debugging is on.

Step 6

platform trace runtime process forwarding-manager module

Example:

Router(config)# platform trace runtime slot F0 bay 0 process forwarding-manager module interfaces level info

Enables the Forwarding Manager Route Processor and Embedded Service Processor trace messages for the Forwarding Manager process.

Step 7

platform trace boottime process forwarding-manager module interfaces

Example:

Router(config)# platform trace boottime slot R0 bay 1 process forwarding-manager forwarding-manager level max

Enables the Forwarding Manager Route Processor and Embedded Service Processor trace messages for the Route Processor Forwarding Manager process during bootup.


Bridge domain interface configuration is verified.

What to do next

For additional information on the commands and the options available with each command, see the Cisco IOS Configuration Fundamentals Command Reference Guide located at:

http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html

Configure bridge domain virtual IP interface

To configure a bridge domain virtual IP interface, use these commands:

enable
configure terminal
[no] interface BD-VIF interface-number
  [[no] vrf forwarding vrf-name]
  [[no] mac address mac-address]
  [[no] ip address ip-address mask]
  [[no] ipv6 address {X:X:X:X::X link-local| X:X:X:X::X/prefix [anycast | eui-64] | autoconfig [default]}]

exit

Note


To delete BD-VIF interface, use the 'no' form of the command.


Associate VIF interface with a bridge domain

To associate a VIF interface with a bridge domain, use these commands:

enable
configure terminal
bridge-domain bridge-domain number
[no] member BD-VIF interface-number
exit

Verify bridge domain virtual IP interface

To verify the bridge domain virtual IP interface configuration, use the show commands listed here.

All existing show commands for interface and IP interface can be used for the BD-VIF interface.

  • show interface bd-vif bd-vif-id

  • show ip interface bd-vif bd-vif-id

  • show bd-vif interfaces in fman-fp

  • show pla sof inter fp ac brief | i BD_VIF

Example configuration bridge domain virtual IP interface

Example configuration for a bridge domain virtual IP interface. Detailed sample:

interface Port-channel1
 mtu 9000
 no ip address
 !Ethernet service endpoint one per neutron network
 service instance 1756 ethernet
  description 4e8e5957-649f-477b-9e5b-f1f75b21c03c
  encapsulation dot1q 1756
  rewrite ingress tag pop 1 symmetric
  bridge-domain 1756
!
interface BD-VIF5001
 no shutdown
 vrf forwarding vrf5001
 ip address 10.0.0.1 255.255.255.0
interface BD-VIF5002
 no shutdown
 vrf forwarding vrf5002
 ip address 10.0.0.2 255.255.255.0
bridge-domain 1756
 member Port-channel1 service-instance 1756
 member bd-vif5001
 member bd-vif5002
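
A configuration check for the BD-VIF rules stated earlier on this page (a unique MAC address and a different VRF for every BD-VIF, and the per-platform maximum of BD-VIFs for a bridge domain), as an added example that is not Cisco's code. It assumes IOS-style indented configuration text, applies the uniqueness rule per bridge domain, and treats a BD-VIF with no vrf forwarding line as sharing the global table; the function names and the sample are constructed for illustration.

```python
import re
MAX_BDVIF_PER_BD = {"C8500-12X4QC": 100, "C8500-12X": 16}  # limits stated on this page

def norm_mac(mac):
    # IOS H.H.H notation drops leading zeros: 1.1.3 is the same MAC as 0001.0001.0003.
    return ".".join(part.lower().zfill(4) for part in mac.split("."))

def parse(config):
    """Return ({bd-vif: {'vrf', 'mac'}}, {bridge-domain id: [member bd-vifs]})."""
    vifs, domains = {}, {}
    # One top-level section = an unindented line plus the indented lines under it.
    for head, body in re.findall(r"^(\S[^\n]*)\n((?:[ \t]+[^\n]*\n?)*)", config, re.M):
        kind, _, name = " ".join(head.lower().split()).partition(" ")
        if kind == "interface" and name.startswith("bd-vif"):
            vrf = re.search(r"^[ \t]+vrf forwarding (\S+)", body, re.M | re.I)
            mac = re.search(r"^[ \t]+mac[- ]address (\S+)", body, re.M | re.I)
            vifs[name] = {"vrf": vrf.group(1) if vrf else "<global>",
                          "mac": norm_mac(mac.group(1)) if mac else None}  # None: auto-generated
        elif kind == "bridge-domain":
            domains[name] = re.findall(r"^[ \t]+member (bd-vif\d+)[ \t]*$", body.lower(), re.M)
    return vifs, domains

def audit(config, platform):
    """List violations of the page's BD-VIF rules, checked per bridge domain."""
    vifs, domains = parse(config)
    out = []
    for bd, members in sorted(domains.items()):
        if len(members) > MAX_BDVIF_PER_BD[platform]:
            out.append(f"bridge-domain {bd}: {len(members)} BD-VIFs exceed the {platform} limit")
        for key in ("vrf", "mac"):
            seen = {}
            for name in members:
                value = vifs.get(name, {}).get(key)
                first = seen.setdefault(value, name)
                if value is not None and first != name:
                    out.append(f"bridge-domain {bd}: {name} and {first} share {key} {value}")
    return out

# Constructed sample, not from the page: both BD-VIFs use one VRF and one MAC.
SAMPLE = """interface BD-VIF5001
 vrf forwarding vrf5001
 mac-address 1.1.3
interface BD-VIF5002
 vrf forwarding vrf5001
 mac-address 0001.0001.0003
bridge-domain 1756
 member bd-vif5001
 member bd-vif5002
"""
```

Calling audit(SAMPLE, "C8500-12X") reports the shared VRF and the shared MAC even though the two MAC addresses are written differently.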