Sorry for the lack of updates lately but I spent the whole last week skiing and recharging my
batteries and now I’m back fully motivated to continue my path to the lab.
This time we will be talking about Integrated Routing and Bridging (IRB). Before studying for
the lab I had never used this feature. I’m not sure why we would use this feature in a
production network, maybe because we need to bridge two networks instead of routing
them due to some badly written application. If you have used it in real networks please post
in the comments. It is fair game for the lab so we need to know about it.
IRB is a feature used on routers that lets us bridge between a bridged domain and a
routed domain. Remember that in order for a VLAN to span a router, the router must
be able to forward frames from one interface to another while maintaining the VLAN
header. If a network protocol (IP) is configured on a router interface, it will terminate
the VLAN. This means that the VLAN header will not be maintained. When configuring
IRB we will be using a Bridged Virtual Interface (BVI), which can be compared to an SVI
on a switch. A BVI gives the bridged interfaces a connection to the routed world.
When IRB is configured and traffic comes in on a routed interface (IP address configured)
that is destined for a host in the bridge group, the traffic will first be routed to the BVI.
The packet will then be forwarded to the bridging engine, which forwards it out a
bridged interface based on the destination MAC address. If a packet
comes in on a bridged interface destined for a host in a routed network, the traffic will
first go to the BVI and then be sent to the routing engine, which sends it out the
routed interface. When bridging between two interfaces with no routed protocols, the traffic
will not pass through the BVI. Think of the bridge-group as an external switch;
the BVI lets us connect this external switch to the router.
The image below describes the scenario. R1 and R3 are in different VLANs but in
the same subnet, and we need communication between the two routers. Between the
routers we have a couple of switches.
The configuration on R1 and R3 is straightforward. They have physical interfaces
with an IP address.
R1:
interface FastEthernet0/0
 ip address 136.1.136.1 255.255.255.0
R3:
interface FastEthernet0/1
 ip address 136.1.136.3 255.255.255.0
R1 is connected to SW1 and R3 to SW3. The switch configuration is just a basic access port.
SW1:
interface FastEthernet0/1
 switchport access vlan 16
SW3:
interface FastEthernet0/3
 switchport access vlan 36
Router R6 is connected to SW2 and it needs a trunk port.
SW2:
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,36
 switchport mode trunk
Now we need to configure R6 to bridge between the two different VLANs. We start by activating IRB.
bridge irb
Then we need to tie the interfaces to the bridge-group.
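! each subinterface needs the 802.1Q tag of the VLAN it carries on the SW2 trunk
interface FastEthernet0/0.16
 encapsulation dot1Q 16
 bridge-group 1
!
interface FastEthernet0/0.36
 encapsulation dot1Q 36
 bridge-group 1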
Now we create a BVI interface in the subnet.
interface BVI1
 ip address 136.1.136.6 255.255.255.0
Lastly we need to activate spanning-tree and activate routing for the bridged interfaces.
bridge 1 protocol ieee
bridge 1 route ip
So using IRB we can both bridge and route between interfaces on a
router, something that is not possible otherwise.
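The steps above can be checked offline against a saved configuration. The following is an added example, not part of the original post: it reports which IRB steps are missing and which VLANs each bridge-group joins into one broadcast domain, which is worth reviewing because bridging VLANs 16 and 36 removes the layer 2 separation between them. The function name audit_irb is hypothetical, and the sample config is constructed from R6's configuration with "bridge 1 route ip" left out on purpose.

```python
import re

# Constructed sample: R6's IRB config from the steps above, minus "bridge 1 route ip".
SAMPLE = """\
bridge irb
interface FastEthernet0/0.16
 encapsulation dot1Q 16
 bridge-group 1
interface FastEthernet0/0.36
 encapsulation dot1Q 36
 bridge-group 1
interface BVI1
 ip address 136.1.136.6 255.255.255.0
bridge 1 protocol ieee
"""

def audit_irb(config):
    """Return (merged, findings): VLANs joined per bridge-group, and missing IRB steps."""
    members, bvi_has_ip, routed, stp = {}, {}, set(), set()
    irb, vlan, bvi = False, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):        # an unindented line ends the interface block
            vlan, bvi = None, None
        if line == "bridge irb":
            irb = True
        elif m := re.fullmatch(r"interface BVI(\d+)", line):
            bvi = int(m.group(1))
            bvi_has_ip.setdefault(bvi, False)
        elif m := re.fullmatch(r"encapsulation dot1q (\d+)", line, re.I):
            vlan = int(m.group(1))
        elif m := re.fullmatch(r"bridge-group (\d+)", line):
            members.setdefault(int(m.group(1)), []).append(vlan)
        elif bvi is not None and line.startswith("ip address "):
            bvi_has_ip[bvi] = True
        elif m := re.fullmatch(r"bridge (\d+) (route ip|protocol \S+)", line):
            (routed if m.group(2) == "route ip" else stp).add(int(m.group(1)))
    findings = ["'bridge irb' is not enabled"] if (members or bvi_has_ip) and not irb else []
    for g in sorted(members):
        if g not in stp:
            findings.append(f"bridge {g}: no spanning-tree protocol configured")
        if g in bvi_has_ip and not bvi_has_ip[g]:
            findings.append(f"BVI{g}: no IP address configured")
        if g in bvi_has_ip and g not in routed:
            findings.append(f"bridge {g}: 'route ip' missing, IP is not routed through BVI{g}")
    merged = {g: sorted({v for v in vs if v is not None}) for g, vs in members.items()}
    return merged, findings
```

The parser relies on the indentation that show running-config produces, so feed it the saved output rather than hand-typed commands.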
Finally, these are some useful commands to show what is going on when using IRB.
show interfaces irb
show bridge
show spanning-tree
I’ve used bridging for 2 solutions in the last 6 months.
We had a customer that wanted a router on each site. Circuits were ordered. Most were ethernet circuits but due to cost issues they had 2 sites terminated via E1. At the last minute the customer wanted it changed to a layer2 solution so he could do the routing himself. It was easy to change the ethernet sites, but the E1 sites needed to have routers still. The solution was to bridge across the E1 and LAN interface and create a BVI for management.
The second usage was for a customer that had a spanned DMZ. They have multiple sites and 2 data-centres. They used us for shared site internet access through a hosted firewall, but also had another internet breakout at their primary datacentre. This was behind a firewall as well.
In the event that their internet breakout died, they wanted to be able to change their DNS records and then be able to get to their servers via our firewall.
The DMZ was bridged across the WAN. All servers were in the same subnet and had a default gateway pointing to the primary firewall in their hosting centre. If that dies, they quickly change their DNS to point to the public range given by my company. Traffic then flows from the internet to the hosted firewall where there are NAT rules and policies pre-arranged. They then change their servers’ default gateways to the hosted firewall and it all works.
It sounds a bit convoluted, but it takes about 5 minutes for failover and it works beautifully.
Thanks for some interesting examples Darren. How is your studying going?
I’ve taken a few weeks break after the lab. My wife wants some time 😛
Once I start my lab studies I won’t stop!
This doesn’t seem accurate… “A BVI ties the interfaces together that need to be bridged.”
As I understand it, the BVI isn’t required to make the bridged interfaces operable, but is required to give the bridged interfaces a way out of the bridge group via a layer 3 interface on the router’s forwarding plane.
My company recently bought (2) asr 9000’s…. They aren’t your typical layer 2/3 multilayer device like 3550,3560,4500,6500,7600…. No, the asr9k is a natural router…..like 2500,3600,4000,7500,7200…. So I had to create some bridge groups on the asr and use bvi’s to route between bridge groups. I had 12 video devices I wanted to attach to my asr and I wanted them all in the same subnet, so I need a bg w/bvi. My cisco account team and the tac assured me that this was a sufficient design for what I needed to do. There IS a second lookup that has to occur to forward pdu’s from one input asr interface to the output interface, but for the 2.5 gbps of video I would be doing, they weren’t concerned about additional lookup….. However at max’d out line rate to all interfaces, then there might be a concern.
Hi Aaron,
You are correct, I made a mistake while writing this up, thanks for noticing.
Great Post, Just started Lab 3 Wb2 and was looking for some info on IRB.
I will use it next month in an ISP environment on two Cisco ASR 9006!
Thanks for this post.
Jerome
I’m interested in this topic while I’m working on this with a Cisco 1841 router plus a HWIC card of AP. I don’t know how to configure it as the router tells me “Integrated Routing and Bridging is not configured”. It’s because I failed to set an IP address on the BVI.