Bridge Interfaces

Bridges connect multiple interfaces together bidirectionally, linking the networks on bridge members together into a single bridge domain. The net effect is similar to the members being connected to the same layer 2 network or switch.

This is commonly used to connect interfaces across different types of links, such as Ethernet to VXLAN. Another common use is to enable filtering between two segments of the same network. It could also be used to allow individual ports on TNSR to act in a manner similar to a switch, but unless filtering is required between the ports, this use case is not generally desirable.

Warning

Bridges connect multiple layer 2 networks together into a single larger network, so it is easy to unintentionally create a layer 2 loop if two bridge members are already connected to the same layer 2 network, for example the same switch and VLAN.

There are two components to a bridge: The bridge itself, and the interfaces which are members of the bridge.

Bridge Configuration

Creating a Bridge

A bridge is created by the interface bridge domain <bdi> command, available in config mode. This command enters config-bridge mode where the following options are available:

arp entry ip <ip-addr> mac <mac-addr>:

Configures a static ARP entry on the bridge. Entries present will be used directly, rather than having TNSR perform an ARP request flooded on all bridge ports to locate the target. Additionally, when a bridge is not set to learn MACs, these entries must be created manually to allow devices to communicate across the bridge.

arp term:

Boolean value that when present enables ARP termination on this bridge. When enabled, TNSR will terminate and respond to ARP requests on the bridge. Disabled by default.

description <text>:

A brief description of the bridge for reference purposes.

flood:

Boolean value that when present enables Layer 2 flooding. When TNSR cannot locate the interface where a request should be directed on the bridge, it is flooded to all ports.

forward:

Boolean value that when present enables Layer 2 unicast forwarding. Allows unicast traffic to be forwarded across the bridge.

learn:

When present, enables Layer 2 learning on the bridge.

mac-age <minutes>:

When set, enables MAC aging on the bridge using the specified aging time.

uu-flood:

When present, enables Layer 2 unknown unicast flooding.

Warning

At least one of flood, forward, learn, or uu-flood must be enabled when creating a bridge for it to be valid.

Bridge Interface Settings

To add an interface to a bridge as a member, the following settings are available from within config-interface mode:

bridge domain <domain-id> [bvi] [shg <n>]

domain-id:

Bridge Domain ID, corresponding to the ID given when creating the bridge interface previously.

bvi:

Boolean value that when present indicates that this is a Bridged Virtual Interface (BVI). A bridge connects multiple interfaces together but it does not connect them to TNSR. A BVI interface, typically a loopback, allows TNSR to participate in the bridge for routing and other purposes.

An L3 packet routed to the BVI will have L2 encapsulation added and then is handed off to the bridge domain. Once on the bridge domain, the packet may be flooded to all bridge member ports or sent directly if the destination is known or static. A packet arriving from the bridge domain to a BVI will be routed as usual.

Note

A bridge domain may only contain one BVI member.

shg <n>:

A Split Horizon Group (SHG) identifier. Can be used with any interface that carries Layer 2 data (e.g. Hardware interfaces, L2 GRE tunnels, etc.), but is primarily used with VXLAN interfaces.

When a non-zero SHG is configured on a member of a bridge domain, TNSR will not forward packets arriving on that interface to any other members of the bridge domain configured with the same SHG identifier. This can be useful to prevent packets from looping back across member interfaces which are meshed between peers.

A value of 0 disables the SHG check.
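
The split-horizon rule above, modeled in Python as an added example (not TNSR code): the function returns which members a frame flooded from a given ingress interface may be sent to. The VXLAN interface names and SHG values are constructed for illustration.

```python
"""Model of the split horizon group (SHG) check on flooded frames."""


def flood_targets(members, ingress):
    """Return the member interfaces a frame arriving on `ingress` may be sent to.

    `members` maps interface name -> SHG identifier (0 disables the check).
    """
    if ingress not in members:
        raise ValueError(f"{ingress} is not a member of this bridge domain")
    in_shg = members[ingress]
    targets = []
    for name, shg in members.items():
        if name == ingress:
            continue  # a bridge does not send a frame back out its ingress port
        if in_shg != 0 and shg == in_shg:
            continue  # same non-zero SHG: split horizon suppresses forwarding
        targets.append(name)
    return sorted(targets)


# Constructed topology: two VXLAN tunnels to meshed peers plus one local port.
MESHED = {"vxlan_tunnel0": 1, "vxlan_tunnel1": 1, "GigabitEthernet3/0/0": 0}
# Same members with the SHG check disabled (SHG 0) on every interface.
UNPROTECTED = {name: 0 for name in MESHED}

if __name__ == "__main__":
    for label, dom in (("shg 1 on tunnels", MESHED), ("shg 0 everywhere", UNPROTECTED)):
        for ingress in sorted(dom):
            print(f"{label:18} {ingress:22} -> {flood_targets(dom, ingress)}")
```

With SHG 1 on both tunnels, a frame arriving from one peer reaches only the local port; with SHG 0 everywhere it is also relayed to the other tunnel, which is the path that can loop in a meshed topology.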

Using ACLs with Bridges

There are two main scenarios to consider when crafting ACLs (Access Lists) for use with bridges and their member interfaces:

Packets forwarded within a bridge domain

The first scenario is filtering packets forwarded within a single bridge domain. For example, packets which arrive on one bridge domain member interface and are sent on another bridge domain member interface.

In this case, apply the access list to one or more individual member interfaces of the bridge domain. Applying an access list to the BVI loopback interface will not have any effect on these packets as the packet does not enter or exit the bridge or the BVI interface.

Packets routed between a bridge and an L3 hardware interface

The second scenario is filtering packets routed between a bridge domain and an L3 hardware interface which is not a member of the bridge.

In this case, packets are entering or exiting the bridge, thus access lists can be applied to the bridge domain BVI loopback interface and/or the L3 hardware interface.

Bridge Example

This example sets up a bridge between GigabitEthernet3/0/0 and GigabitEthernet0/14/1, joining them into one network. Further, a loopback interface is used to allow TNSR to act as a gateway for clients on these bridged interfaces.

First, create the bridge with the desired set of options:

tnsr(config)# interface bridge domain 10
tnsr(config-bridge)# flood
tnsr(config-bridge)# uu-flood
tnsr(config-bridge)# forward
tnsr(config-bridge)# learn
tnsr(config-bridge)# exit

Next, add both interfaces to the bridge, then create a loopback interface and add it to the bridge as the BVI:

tnsr(config)# int GigabitEthernet3/0/0
tnsr(config-interface)# bridge domain 10
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# int GigabitEthernet0/14/1
tnsr(config-interface)# bridge domain 10
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# interface loopback bridgeloop
tnsr(config-loopback)# instance 1
tnsr(config-loopback)# exit
tnsr(config)# interface loop1
tnsr(config-interface)# ip address 10.25.254.1/24
tnsr(config-interface)# bridge domain 10 bvi
tnsr(config-interface)# enable
tnsr(config-interface)# exit
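
An added example, not part of TNSR: a small Python check that reads a pasted configuration session and reports violations of the two rules stated earlier (at least one of flood, forward, learn, or uu-flood per bridge; at most one BVI per bridge domain). It assumes the prompt format shown above and only understands the commands on this page; the sample session is constructed.

```python
import re

FWD_FLAGS = {"flood", "forward", "learn", "uu-flood"}
PROMPT = re.compile(r"^tnsr\(config(?:-[a-z]+)?\)#\s*")  # prompt as shown on this page

def audit(session):
    """Return a list of problems found in a pasted TNSR config session."""
    bridges, bvis = {}, {}          # domain id -> enabled flags / BVI interfaces
    cur_bridge = cur_if = None      # which config mode the session is in
    for raw in session.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[:3] == ["interface", "bridge", "domain"] and len(words) == 4:
            cur_bridge, cur_if = words[3], None
            bridges.setdefault(cur_bridge, set())
        elif words[0] in ("int", "interface") and len(words) == 2:
            cur_if, cur_bridge = words[1], None
        elif words[0] == "exit":
            cur_bridge = cur_if = None
        elif cur_bridge and words[0] in FWD_FLAGS:
            bridges[cur_bridge].add(words[0])
        elif cur_if and words[:2] == ["bridge", "domain"] and "bvi" in words[3:]:
            bvis.setdefault(words[2], []).append(cur_if)
    problems = []
    for bdi, flags in bridges.items():
        if not flags:  # the bridge would not be valid
            problems.append(f"bridge {bdi}: none of flood/forward/learn/uu-flood enabled")
    for bdi, ifs in bvis.items():
        if len(ifs) > 1:  # a bridge domain may only contain one BVI member
            problems.append(f"bridge {bdi}: more than one BVI member: {', '.join(ifs)}")
    return problems

# Constructed session that breaks both rules (domain and interfaces are made up).
BAD = """\
tnsr(config)# interface bridge domain 20
tnsr(config-bridge)# description no forwarding flags set
tnsr(config-bridge)# exit
tnsr(config)# interface loop1
tnsr(config-interface)# bridge domain 20 bvi
tnsr(config-interface)# exit
tnsr(config)# interface loop2
tnsr(config-interface)# bridge domain 20 bvi
tnsr(config-interface)# exit
"""

if __name__ == "__main__":
    print("\n".join(audit(BAD)))
```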

Bridge Status

To view the status of bridges, use the show interface bridge domain [<id>] command:

tnsr(config)# show interface bridge domain 10
Bridge Domain Id: 10
    flood: true
    uu-flood: true
    forward: true
    learn: true
    arp-term: false
    mac-age: 0
    BVI IF: loop1
    Domain Interface Members
        IF: GigabitEthernet0/14/1    SHG: 0
        IF: GigabitEthernet3/0/0    SHG: 0
        IF: local0    SHG: 0
        IF: loop1    SHG: 0
    ARP Table Entries

If the id value is omitted, TNSR will print the status of all bridges.