Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide, Cisco IOS XE 17 - Configuring Bridge Domain Interfaces [Cisco IOS XE 17] (2024)

An Ethernet Virtual Circuit (EVC) is an end-to-end representation of a single instance of a Layer 2 service that is offered by a provider. It embodies the different parameters on which the service is being offered. In the Cisco EVC Framework, the bridge domains are made up of one or more Layer 2 interfaces known as service instances. A service instance is the instantiation of an EVC on a given port on a given router. Service instance is associated with a bridge domain based on the configuration.

An incoming frame can be classified as service instance based on the following criteria:

• Single 802.1Q VLAN tag, priority-tagged, or 802.1ad VLAN tag

• Both QinQ (inner and outer) VLAN tags, or both 802.1ad S-VLAN and C-VLAN tags

• Outer 802.1p CoS bits, inner 802.1p CoS bits, or both

• Payload Ethernet type (five choices are supported: IPv4, IPv6, PPPoE-all, PPoE-discovery, and PPPoE-session)

Service instance also supports alternative mapping criteria:

• Untagged—Mapping to all the frames lacking a 802.1Q or 802.1ad header

  See Also

  Bridging and VLANs | Junos OSCisco Learning NetworkLayer 2 InterfacesHow Do VLANs Work | Intelligent Technologies, Inc.

• Default—Mapping to all the frames

For more information on the EVC architecture, see the section Configuring Ethernet Virtual Connections on the Cisco ASR 1000 Router in the Carrier Ethernet Configuration Guide .

Security Group classification includes both Source and Destination Group, which is specified by source SGT and DGT. SGT Based PBR feature provides the PBR route-map match clause for SGT/DGT based packet classification. SGT Based PBR feature supports configuration of unlimited number of tags, but it is recommended to configure the tags based on memory available in the platform.

An EVC provides the ability to employ different encapsulations on each Ethernet flow point (EFP) present in a bridge domain. A BDI egress point may not be aware of the encapsulation of an egress packet because the packet may have egressed from one or more EFPs with different encapsulations.

In a bridge domain, if all the EFPs have different encapsulations, the BDI must be untagged (using the no 802.1Q tag). Encapsulate all the traffic in the bridge domain (popped or pushed) at the EFPs. Configure rewrite at each EFP to enable encapsulation of the traffic on the bridge domain.

In a bridge domain, if all the EFPs have the same encapsulation, configure the encapsulations on the BDI using the encapsulation command. Enabling encapsulation at the BDI ensures effective pushing or popping of tags, thereby eliminating the need for configuring the rewrite command at the EFPs. For more information on configuring the encapsulations on the BDI, see the How to Configure a Bridge Domain Interface.

All the bridge domain interfaces on the Cisco ASR 1000 chassis share a common MAC address. The first bridge domain interface on a bridge domain is allocated a MAC address. Thereafter, the same MAC address is assigned to all the bridge domain interfaces that are created in that bridge domain.

Note	You can configure a static MAC address on a bridge domain interface using the mac-address command.

Bridge domain interfaces enable the Cisco ASR 1000 Series Aggregation Services Routers to act as a Layer 3 endpoint on the Layer 2 bridge domain for the following IP-related protocols:

• ARP

• DHCP

• HTTP

• ICMP

• NTP

• RARP

• SNMP

• TCP

• Telnet

• TFTP

• UDP

Bridge domain interface supports the following IP forwarding features:

• IPv4 input and output access control lists (ACL)
• IPv4 input and output QoS policies. The operations supported for the input and output service policies on a bridge domain interface are:
  • Classification
  • Marking
  • Policing
• IPv4 L3 VRFs

A bridge domain interface provides bridging and forwarding services between the Layer 2 and Layer 3 network infrastructure.

Bridge domain interface acts as a routable IOS interface on Layer 3 and as a port on a bridge domain. Both bridge domain interfaces and bridge domains operate with individual administrative states.

Shutting down a bridge domain interface stops the Layer 3 data service, but does not override or impact the state of the associated bridge domain.

Shutting down a bridge domain stops Layer 2 forwarding across all the associated members including service instances and bridge domain interfaces. The associated service instances influence the operational state of a bridge domain. Bridge domain interface cannot be operational unless one of the associated service instances is up.

Note	Because a bridge domain interface is an internal interface, the operational state of bridge domain interface does not affect the bridge domain operational state.

For virtual interfaces, such as the bridge domain interface, protocol counters are periodically queried from the QFP.

When packets flow from a Layer 2 bridge domain network to a Layer 3 routing network through the bridge domain interface, the packets are treated as bridge domain interface input packets and bytes. When packets arrive at a Layer 3 interface and are forwarded through the bridge domain interface to a Layer 2 bridge domain, the packets are treated as output packets and bytes, and the counters are updated accordingly.

A BDI maintains a standard set of Layer 3 packet counters as the case with all Cisco IOS interfaces. Use the show interface command to view the Layer 3 packet counters.

The convention of the counters is relative to the Layer 3 cloud. For example, input refers to the traffic entry to the Layer 3 cloud from the Layer 2 BD, while output refers to the traffic exit from the Layer 3 cloud to the Layer 2 BD.

Use the show interfaces accounting command to display the statistics for the BDI status. Use the show interface <if-name> command to display the overall count of the packets and bytes that are transmitted and received.

When you define an interface or subinterface for a Cisco IOS router, you name it and specify how it is assigned an IP address. You can create a bridge domain interface before adding a bridge domain to the system. This new bridge domain interface will be activated after the associated bridge domain is configured.

Note	When a bridge domain interface is created, a bridge domain is automatically created.

When you create the bridge domain interface and the bridge domain, the system maintains the required associations for mapping the bridge domain-bridge domain interface pair.

The mapping of bridge domain and bridge domain interface is maintained in the system. The bridge domain interface uses the index of the associated bridge domain to show the association.

The following table lists the bridge domain interface scalability numbers, based on the type of Cisco ASR 1000 Series Aggregation Services Router’s Forwarding Processors.

The Virtual IP Interface (VIF) feature helps to associate multiple BDI interfaces with a BD instance. The BD-VIF interface inherits all the existing L3 features of IOS logical IP interface.

Note	You must configure every BD-VIF interface with a unique MAC address and it should belong to a different VRF.

The Virtual IP Interface (VIF) feature has the following limitations:

• BD-VIF interface does not support IP multicast.

• Number of BD-VIF interfaces with automatically generated MAC address varies on the basis of platforms.

• BD-VIF Interface does not support MPLS.

• The maximum number of BD-VIF interfaces per bridge-domain and the total number of BD-VIF interface for per system vary based on the type of platforms.

The maximum number of BD-VIF supported on different platforms varies:

• ASR 1000 supports maximum 100 BD-VIF for a Bridge Domain

• CSR 1000v supports maximum 16 BD-VIF for a Bridge Domain

• ISR 4000 support maximum 16 BD-VIF for a Bridge Domain

From Cisco IOS XE 17.7.1a release, BD-VIF supports Flexible Netflow (FNF).

SUMMARY STEPS

1. enable
2. configure terminal
3. interface BDI {interface number}
4. encapsulation encapsulation dot1q <first-tag> [second-dot1q <second-tag>]
5. Do one of the following:
6. match security-group destination tag sgt-number
7. mac address {mac-address}
8. no shut
9. shut

DETAILED STEPS

Router> enable

Router# configure terminal

Router(config-if)# interface BDI3

Router(config-if)# encapsulation dot1Q 1 second-dot1q 2

ip address ip-address mask 

ipv6 address {X:X:X:X::X link-local | X:X:X:X::X/prefix [ anycast |  eui-64 ] | autoconfig  [ default ]} 

Router(config-if)# ip address 10.2.2.1 255.255.255.0

Router(config-if)# ipv6 address AB01:CD1:123:C::/64 eui-64

Router(config-route-map)# match security-group destination tag 150

Router(config-if)# mac-address 1.1.3

Router(config-if)# no shut

Router(config-if)# shut

SUMMARY STEPS

1. enable
2. show interfaces bdi
3. show platform software interface fp active name
4. show platform hardware qfp active interface if-name
5. debug platform hardware qfp feature
6. platform trace runtime process forwarding-manager module
7. platform trace boottime process forwarding-manager module interfaces

DETAILED STEPS

Router> enable 

Router# show interfaces BDI3 

Router# show platform software interface fp active name BDI4 

Router# show platform hardware qfp active interface if-name BDI4 

Router# debug platform hardware qfp active feature l2bd client all 

Router(config)# platform trace runtime slot F0 bay 0 process forwarding-manager module interfaces level info 

Router(config)# platform trace boottime slot R0 bay 1 process forwarding-manager forwarding-manager level max 

enableconfigure terminalbridge-domain bridge-domain number[no] member BD-VIF interface-numberexit

To dissociate the VIF interface, use the 'no' form of the command.

All existing show commands for interface and IP interface can be used for the BD-VIF interface.

show interface bd-vif bd-vif-id

show ip interface bd-vif bd-vif-id

show bd-vif interfaces in fman-fp

show pla sof inter fp ac brief | i BD_VIF

SUMMARY STEPS

1. enable
2. configure terminal
3. interface type number
4. {ip | ipv6}flow monitor monitor-name [sampler sampler-name] {input | output}
5. exit

DETAILED STEPS

Device> enable

Device# configure terminal

Device (config)# interface BD-VIF 100

Device(config-if)# ip flow monitor FLOW-MONITOR-1 input

Device(config-if)# exit

The following is a sample output for the show platform hardware qfp active interface if-name command showing the QFP information and flow direction for flow monitors. The table below provides the key to the CLI output.

Device# show run interface bd-vif2Building configuration...Current configuration: 227 bytes!interface BD-VIF2vrf forwarding vrf1ip flow monitor test1 inputip flow monitor test1 outputip address 10.11.11.11 255.255.255.0ipv6 flow monitor test2 inputipv6 flow monitor test2 outputipv6 address 2001:DB8::1/32endDevice# show platform hardware qfp active interface if-name BD-VIF 2 General interface information Interface Name: BD-VIF2 Interface state: VALID Platform interface handle: 20 QFP interface handle: 17 Rx uidb: 262138 Tx uidb: 262127 Channel: 0Interface RelationshipsBGPPA/QPPB interface configuration information Ingress: BGPPA/QPPB not configured. flags: 0000 Egress: BGPPA not configured. flags: 0000ipv4_input enabled. ipv4_output enabled. ipv6_input enabled. ipv6_output enabled. layer2_input enabled. layer2_output enabled. ess_ac_input enabled. Features Bound to Interface:2 GIC FIA state66 PUNT INJECT DB70 cpp_l2bd_svr43 icmp_svr45 ipfrag_svr46 ipreass_svr47 ipv6reass_svr44 icmp6_svr58 stileProtocol 0 - ipv4_inputFIA handle - CP:0x55a7f59df038 DP:0x3fff1000 IPV4_INPUT_DST_LOOKUP_ISSUE (M) IPV4_INPUT_ARL_SANITY (M) IPV4_INPUT_SRC_LOOKUP_ISSUE IPV4_INPUT_DST_LOOKUP_CONSUME (M) IPV4_INPUT_SRC_LOOKUP_CONSUME IPV4_INPUT_FOR_US_MARTIAN (M) IPV4_INPUT_STILE_LEGACY IPV4_INPUT_FNF_FIRST IPV4_INPUT_LOOKUP_PROCESS (M) IPV4_INPUT_FNF_FINAL IPV4_INPUT_IPOPTIONS_PROCESS (M) IPV4_INPUT_GOTO_OUTPUT_FEATURE (M)Protocol 1 - ipv4_outputFIA handle - CP:0x55a7f59df0d8 DP:0x3ffeff00 IPV4_VFR_REFRAG (M) IPV4_OUTPUT_SRC_LOOKUP_ISSUE IPV4_OUTPUT_L2_REWRITE (M) IPV4_OUTPUT_SRC_LOOKUP_CONSUME IPV4_OUTPUT_STILE_LEGACY IPV4_OUTPUT_FRAG (M) IPV4_BDI_OUTPUT_FNF_FINAL. BDI_VLAN_TAG_ATTACH_AND_LAYER2_LOOKUP_GOTO LAYER2_BRIDGE BDI_OUTPUT_GOTO_OUTPUT_FEATURE IPV4_OUTPUT_DROP_POLICY (M) DEF_IF_DROP_FIA (M)Protocol 6 - ipv6_inputFIA handle - CP:0x55a7f59dee58 DP:0x3fff4300 IPV6_INPUT_SANITY_CHECK (M) IPV6_INPUT_DST_LOOKUP_ISSUE (M) IPV6_INPUT_SRC_LOOKUP_ISSUE IPV6_INPUT_ARL (M) IPV6_INPUT_DST_LOOKUP_CONT (M) IPV6_INPUT_SRC_LOOKUP_CONT IPV6_INPUT_DST_LOOKUP_CONSUME (M) IPV6_INPUT_SRC_LOOKUP_CONSUME IPV6_INPUT_STILE_LEGACY IPV6_INPUT_FNF_FIRST IPV6_INPUT_FOR_US (M) IPV6_INPUT_LOOKUP_PROCESS (M) IPV6_INPUT_FNF_FINAL IPV6_INPUT_LINK_LOCAL_CHECK (M) IPV6_INPUT_GOTO_OUTPUT_FEATURE (M)Protocol 7 - ipv6_outputFIA handle - CP:0x55a7f59dee08 DP:0x3fff4b80 IPV6_VFR_REFRAG (M) IPV6_OUTPUT_SRC_LOOKUP_ISSUE IPV6_OUTPUT_SRC_LOOKUP_CONT IPV6_OUTPUT_SRC_LOOKUP_CONSUME IPV6_OUTPUT_L2_REWRITE (M) IPV6_OUTPUT_STILE_LEGACY IPV6_OUTPUT_FRAG (M) IPV6_BDI_OUTPUT_FNF_FINAL BDI_VLAN_TAG_ATTACH_AND_LAYER2_LOOKUP_GOTO LAYER2_BRIDGE BDI_OUTPUT_GOTO_OUTPUT_FEATURE IPV6_OUTPUT_DROP_POLICY (M) DEF_IF_DROP_FIA (M)⋮

The following is a sample out of the show flow monitor [[name] [cache [format {csv | record | table}]] [statistics]] command showing the cache output in record format.

Device# show flow monitor name FLOW-MONITOR-1 cache format recordCache type:NormalCache size:1000Current entries:4High Watermark:4Flows added:101Flows aged:97- Active timeout(1800 secs)3- Inactive timeout (15 secs)94- Event aged0- Watermark aged0- Emergency agedIPV4 DESTINATION ADDRESS:198.51.100.10ipv4 source address:10.10.11.1trns source port:25trns destination port:25counter bytes:72840counter packets:1821IPV4 DESTINATION ADDRESS:198.51.100.2ipv4 source address:10.10.10.2trns source port:20trns destination port:20counter bytes:3913860counter packets:7326IPV4 DESTINATION ADDRESS:198.51.100.200ipv4 source address:192.168.67.6trns source port:0trns destination port:3073counter bytes:51072counter packets:1824Device# show flow monitor name FLOW-MONITOR-2 cache format recordCache type: NormalCache size:1000Current entries:2High Watermark:3Flows added:95Flows aged:93- Active timeout(1800 secs)0- Inactive timeout (15 secs)93- Event aged0- Watermark aged0- Emergency aged0IPV6 DESTINATION ADDRESS:2001:DB8:0:ABCD::1ipv6 source address:2001:DB8:0:ABCD::2trns source port:33572trns destination port:23counter bytes:19140counter packets:349IPV6 DESTINATION ADDRESS:FF02::9ipv6 source address:2001:DB8::A8AA:BBFF:FEBBtrns source port:521trns destination port:521counter bytes:92counter packets:1

The following is a sample out of the show flow interface command showing the flow status for an interface.

Device# show flow interface BD-VIF2001Interface GigabitEthernet0/0/0FNF: monitor:FLOW-MONITOR-1direction:Inputtraffic(ip):onFNF: monitor:FLOW-MONITOR-2direction: Input traffic(ipv6):onDevice# show flow interface BD-VIF2002Interface GigabitEthernet1/0/0FNF: monitor:FLOW-MONITOR-1direction:Outputtraffic(ip):onFNF: monitor:FLOW-MONITOR-2direction: Input traffic(ipv6):on

The following is a sample output of the show platform hardware qfp active interface if-name | in FNF command showing the QFP information and flow direction for flow monitors in Flexible NetFlow configuration. The table below provides the key to the CLI output.

Device# show run interface bd-vif2Building configuration... Current configuration : 227 bytes!interface BD-VIF2vrf forwarding vrf1ip flow monitor test1 inputip flow monitor test1 outputip address 10.11.11.11 255.255.255.0ipv6 flow monitor test2 inputipv6 flow monitor test2 outputipv6 address 2001::8/64end Device# show platform hardware qfp active interface if-name BD-VIF 2 | in FNF IPV4_INPUT_FNF_FIRST IPV4_INPUT_FNF_FINAL IPV4_BDI_OUTPUT_FNF_FINAL. IPV6_INPUT_FNF_FIRST IPV6_INPUT_FNF_FINAL IPV6_BDI_OUTPUT_FNF_FINAL 

The clear flow monitor name monitor-name [cache [force-export] | force-export | statistics] command clears a Flexible NetFlow flow monitor, flow monitor cache, or flow monitor statistics, and can be used to force the export of the data in the flow monitor cache.

For more details on configuring Flexible NetFlow, see the Flexible NetFlow Configuration Guide, Cisco IOS XE 17.