Re: Fallback Bridging

From: mahmoud genidy (ccie.mahmoud@gmail.com)
Date: Fri Feb 27 2009 - 21:13:49 ARST


Thanks Narbik for this test scenario. I labbed it and I got partial success.
I have only 3560s. So I used the IPX addressing.

- I was able to ping the IPX addresses normally between the two VLANs

- I tried to disable the Auto learning of MAC addresses (no bridge 1
acquire) but again it is not working. I still can ping between IPX addresses
and I can see the Dynamic MAC addresses learned and in FORWARD state.

- Discarding a specific MAC as well didn't work. I tried to discard a specific MAC
(bridge 1 address 0000.1111.1111 discard) and of course I kept dynamic
learning enabled. I still can see the MAC address in FORWARD state in the
bridge table.

It may be a bug in my Catalyst IOS [Version 12.2(25)SEE4, RELEASE SOFTWARE
(fc1)], because the configuration and the concept are straightforward. :(

Thanks,
M Genidy

On Sat, Feb 28, 2009 at 2:54 AM, Narbik Kocharians <narbikk@gmail.com> wrote:

> *Try this lab and see if it helps.*
>
> *Use the following topology:*
>
>
>
> The F0/0 interface of BB2 is connected to SW1 which is a 3560 and F0/1
> interface of this switch is connected to SW3 which is a 3550. This port
> should be in VLAN 20.
>
>
>
> The F0/0 interface of BB3 is connected to SW1 which is a 3560 and F0/1
> interface of this switch is connected to SW3 which is a 3550. This port
> should be in VLAN 30.
>
>
>
> *Layer 3 addressing:*
>
> *BB2's FastEthernet (which one? To be determined by you, read on and you will
> see):*
>
> *IPX net address: ABCD, IPv6 address = 23::2 /64, Mac-address =
> 0000.2222.2222*
>
> *BB3's FastEthernet (which one? To be determined by you, read on and you will
> see):*
>
> *IPX net address: ABCD, IPv6 address = 23::3 /64, Mac-address =
> 0000.3333.3333*
>
> *You see, by assigning the addressing to F0/0, you will be dealing with the
> 3560 switch and by assigning the addressing to F0/1, you will be dealing
> with the 3550 switch, so you need to determine that based on the task.*
>
>
> *Task 1*
>
>
>
> Configure the appropriate switch such that routers BB2 and BB3 can forward
> NON-IP traffic between VLAN 20 and 30; Fallback Bridging should be
> configured to accomplish this task. If this task is configured properly, you
> should be able to use Ping to test this configuration using IPv6 or IPX
> addressing identified in the IP addressing chart.
>
> *Note since the task specifies that the test should be conducted using
> IPv6 and IPX, 3550 switches will be the only choice. Since these switches do
> NOT have inherent support for IPv6, these switches look at IPv6 traffic as
> NON-IP, just like IPX.*
>
> * *
>
> *To configure Fallback Bridging:*
>
> * *
>
> *On SW3*
>
> * *
>
> *The following command assigns a bridge group number (In this case number
> 1) and it also specifies the VLAN bridge spanning-tree protocol to run in
> this bridge group. *
>
>
>
> SW3(config)#*bridge 1 protocol vlan-bridge*
>
>
>
> *The following configuration assigns the bridge group that was created
> with the Bridge 1 protocol vlan-bridge global configuration command to
> interface VLAN 20 and 30.*
>
>
>
> SW3(config)#int vlan 20
>
> SW3(config-if)#*bridge-group 1*
>
>
>
> SW3(config-if)#int vlan 30
>
> SW3(config-if)#*bridge-group 1*
>
>
>
> *To verify the configuration*
>
> * *
>
> *On SW3*
>
> * *
>
> *If the output of your Show bridge command does NOT reveal the MAC
> address of BB2 and BB3, you should generate some traffic (For example:
> Pinging BB3 from BB2 using the IPv6 or IPX) so the bridge will see the MAC
> addresses.*
>
>
>
> *SW3#Show bridge*
>
>
>
> Br Group Mac Address State Type Ports
>
> -------- ----------------- ------- ------ ------
>
> 1 0000.2222.2222 *Forward DYNAMIC * Vl20 Fa0/12
>
> 1 0000.3333.3333 *Forward DYNAMIC* Vl30 Fa0/13
>
>
>
> *To test the configuration:*
>
> * *
>
> *On BB2*
>
>
>
> *BB2#Ping 23::3*
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 23::3, timeout is 2 seconds:
>
> *!!!!!*
>
> *Success rate is 100 percent (5/5),* round-trip min/avg/max = 0/0/4 ms
>
>
>
> *BB2#Ping IPX ABCD.0000.3333.3333*
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte IPX Novell Echoes to ABCD.0000.3333.3333, timeout is 2
> seconds:
>
> *!!!!!*
>
> *Success rate is 100 percent (5/5),* round-trip min/avg/max = 1/2/4 ms
>
>
>
> *Note IPv6 and IPX pings worked.*
>
> * *
>
> * *
>
> *Task 2*
>
> * *
>
> Configure the switch such that ONLY static entries are bridged, if this
> switch is configured properly, the switch should NOT bridge dynamically
> learnt Mac addresses.
>
>
>
>
>
> *On SW3*
>
>
>
> *In the previous task, the switch (SW3) learned the MAC addresses
> dynamically, and it bridged the traffic between the VLANs. The following
> command prevents the switch from forwarding frames to stations that it has
> learned dynamically.*
>
>
>
> SW3(config)#*no bridge 1 acquire*
>
>
>
> * *
>
> *To verify the configuration:*
>
> * *
>
> *Note the output of the following Show command reveals that the
> dynamically learned MAC addresses are discarded:*
>
> * *
>
> *On SW3*
>
>
>
> *SW3#Show bridge*
>
>
>
> Br Group Mac Address State Type Ports
>
> -------- ----------------- ------- ------ ------
>
> 1 0000.2222.2222 *discard DYNAMIC * Vl20 Fa0/12
>
> 1 0000.3333.3333 *discard DYNAMIC* Vl30 Fa0/13
>
>
>
> *To test the configuration:*
>
> * *
>
> *On BB2*
>
>
>
> *BB2#Ping IPX ABCD.0000.3333.3333*
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte IPX Novell Echoes to ABCD.0000.3333.3333, timeout is 2
> seconds:
>
> *.....*
>
> *Success rate is 0 percent (0/5)*
>
>
>
> *BB2#Ping 23::3 *
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 23::3, timeout is 2 seconds:
>
> *.....*
>
> *Success rate is 0 percent (0/5)*
>
>
>
> *To complete the configuration:*
>
> * *
>
> *The following two commands add the MAC addresses of BB2 and BB3
> statically; since the traffic from dynamically learned MAC
> addresses is discarded, the traffic with statically configured MAC
> addresses will be forwarded.*
>
> * *
>
> *On SW3*
>
>
>
> SW3(config)#*Bridge 1 address 0000.2222.2222 forward*
>
> SW3(config)#*Bridge 1 address 0000.3333.3333 forward*
>
>
>
> *To verify the configuration:*
>
> * *
>
> *On BB2*
>
>
>
> *SW3#Show bridge*
>
>
>
> Br Group Mac Address State Type Ports
>
> -------- ----------------- ------- ------ ------
>
> 1 0000.2222.2222 *Forward Static * -
>
> 1 0000.3333.3333 *Forward Static* -
>
> * *
>
> *To test the configuration:*
>
> * *
>
> *BB2#Ping 23::3*
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 23::3, timeout is 2 seconds:
>
> *!!!!!*
>
> *Success rate is 100 percent (5/5),* round-trip min/avg/max = 0/1/4 ms
>
>
>
> *BB2#Ping IPX ABCD.0000.3333.3333*
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte IPX Novell Echoes to ABCD.0000.3333.3333, timeout is 2
> seconds:
>
> *!!!!!*
>
> *Success rate is 100 percent (5/5),* round-trip min/avg/max = 1/2/4 ms
>
>
>
>
>
> *Task 3*
>
> * *
>
> Configure the appropriate switch such that routers BB2 and BB3 can forward
> NON-IP traffic between VLAN 20 and 30; you should configure Fallback
> Bridging to accomplish this task. If this task is configured properly, you
> should be able to use Ping to test this configuration using IPX addressing
> identified in the addressing chart. *IPv6 addressing should NOT work* when
> conducting tests using the Ping command.
>
>
>
>
>
> *Note because 3560 switches support IPv6, they do not consider IPv6 as
> NON-IP traffic; therefore, they do not bridge IPv6 traffic.*
>
>
>
> *On BB2*
>
>
>
> BB2(config)#default interface f0/1
>
>
>
> BB2(config)#int f0/0
>
> BB2(config-if)#mac-address 0000.2222.2222
>
>
>
> BB2(config-if)#ipx Network ABCD
>
> BB2(config-if)#ipv6 address 23::2/64
>
> BB2(config-if)#no shut
>
>
>
> *On BB3*
>
>
>
> BB3(config)#default interface f0/1
>
>
>
> BB3(config)#int f0/0
>
> BB3(config-if)#mac-address 0000.3333.3333
>
> BB3(config-if)#ipx Network ABCD
>
> BB3(config-if)#ipv6 address 23::3/64
>
> BB3(config-if)#no shut
>
>
>
> *On SW1*
>
>
>
> SW1(config)#int f0/10
>
> SW1(config-if)#swi mode acc
>
> SW1(config-if)#swi acc v 20
>
>
>
> SW1(config-if)#int f0/11
>
> SW1(config-if)#swi mode acc
>
> SW1(config-if)#swi acc v 30
>
>
>
> SW1(config)#int vlan 20
>
> SW1(config-if)#bridge-group 1
>
>
>
> SW1(config-if)#int vlan 30
>
> SW1(config-if)#bridge-group 1
>
>
>
> SW1(config)#Bridge 1 protocol vlan-bridge
>
>
>
> *To verify the configuration:*
>
> * *
>
> *On SW1*
>
>
>
> *SW3#Show bridge*
>
>
>
> Br Group Mac Address State Type Ports
>
> -------- ----------------- ------- ------ ------
>
> 1 0000.2222.2222 *Forward DYNAMIC * Vl20
>
> 1 0000.3333.3333 *Forward DYNAMIC* Vl30
>
>
>
> *To test the configuration:*
>
> * *
>
> *On SW1*
>
>
>
> *BB2#Ping 23::3*
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 23::3, timeout is 2 seconds:
>
> *.....*
>
> *Success rate is 0 percent (0/5)*
>
>
>
> *Note the above Ping failed but the following Ping worked.*
>
>
>
> *BB2#Ping ipx ABCD.0000.3333.3333*
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte IPX Novell Echoes to ABCD.0000.3333.3333, timeout is 2
> seconds:
>
> *!!!!!*
>
> *Success rate is 100 percent (5/5),* round-trip min/avg/max = 1/2/4 ms
>
> * *
>
> *Note IPX pings worked, whereas, IPv6 pings did not work.*
>
>
>
>
>
> *Task 5*
>
>
>
> Configure R1 based on the following; this router should have reachability
> to the other two routers
>
> R1, FastEthernet:
>
> IPX Net address = ABCD, IPv6 address = 23::1 /64, VLAN = Default,
> MAC-address = 0000.1111.1111
>
>
>
>
>
> *On R1*
>
>
>
> R1(config)#ipx routing
>
>
>
> R1(config)#int f0/0
>
> R1(config-if)#mac-address 0000.1111.1111
>
> R1(config-if)#ipx Network ABCD
>
> R1(config-if)#ipv6 address 23::1/64
>
> R1(config-if)#no shut
>
>
>
> *On SW1*
>
> * *
>
> SW1(config)#interface f0/0
>
> SW1(config-if)#no Shut
>
>
>
> SW1(config)#int vlan 1
>
> SW1(config-if)#bridge-group 1
>
> SW1(config-if)#no shut
>
> * *
>
> *To test the configuration:*
>
> * *
>
> *On R1*
>
>
>
> *R1#ping ipx abcd.0000.2222.2222*
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte IPX Novell Echoes to ABCD.0000.2222.2222, timeout is 2
> seconds:
>
> *!!!!!*
>
> *Success rate is 100 percent (5/5),* round-trip min/avg/max = 1/1/4 ms
>
> * *
>
> *To verify the configuration:*
>
> * *
>
> *On SW1*
>
>
>
> *SW1#Show bridge*
>
>
>
> Br Group Mac Address State Type Ports
>
> -------- ----------------- ------- ------ ------
>
> 1 0000.1111.1111 *Forward DYNAMIC* Vl1
>
> 1 0000.2222.2222 *Forward DYNAMIC * Vl20
>
> 1 0000.3333.3333 *Forward DYNAMIC* Vl30
>
> On Fri, Feb 27, 2009 at 3:37 AM, mahmoud genidy <ccie.mahmoud@gmail.com> wrote:
>
>> Hi GS,
>>
>> Anybody know how you can statically deny or forward specific MAC addresses
>> through a bridge? Also how to disable the dynamic learning of the MAC
>> addresses on the bridge?
>>
>> I used what the DOC CD says and it is not working with me. To disable
>> dynamic mac learning we have to use NO BRIDGE 1 ACQUIRE command. I used it
>> and I still can see the dynamic MAC on the bridge group I have configured.
>> Also I used Bridge forward and discard commands but also doesn't work. Here
>> is my config:
>>
>> {
>> bridge 1 protocol vlan-bridge
>> no bridge 1 acquire
>> bridge 1 address 1234.1234.1234 forward
>> bridge 1 address 9876.9876.9876 discard
>>
>> interface Vlan13
>> ip address 51.51.10.7 255.255.255.0
>> bridge-group 1
>> !
>> interface FastEthernet0/12
>> no switchport
>> no ip address
>> bridge-group 1
>> !
>> }
>>
>> Any hidden fact or concept here?
>>
>> Thanks
>> M Genidy
>>
>> On Fri, Feb 27, 2009 at 3:50 PM, Nitro Drops <nitrodrops@hotmail.com> wrote:
>>
>> > Hi All,
>> >
>> > Like to hijack this thread. Was practising Fallback Bridging yesterday,
>> > encountered this issue.
>> >
>> > IPv4 : R6 G0/1 (106.0.0.6) >> (106.0.0.10) F1/6 SW4 F1/4 (vlan104 104.0.0.10) >> (104.0.0.4)F0/1 R4
>> > IPv6 : R6 G0/1 (2001::6/64) >> F1/6 SW4 F1/4 >> (2001::4/64)F0/1 R4
>> >
>> > IPv6 is set up to test on the fallback bridging.
>> > After I enabled Fallback Bridging on the 'int vlan104' & 'f0/6' of SW4, my
>> > results are as follows
>> >
>> >
>> >
>> > 1.) R4 F0/1 (ipv6 - 2001::4/64) is able to ping/trace R6 F0/1 (ipv6 -
>> > 2001::6/64)
>> > 2.) R4 F0/1 (ipv4 - 106.0.0.6) is NOT able to ping/trace R6 F0/1 (ipv4 -
>> > 104.0.0.4). If I remove bridging on SW4, R4 F0/1 (ipv4) is ABLE to
>> > ping/trace R6 F0/1 (ipv4)
>> >
>> >
>> >
>> > I am using Dynamips running - (C3725-ADVENTERPRISEK9-M)
>> >
>> > For my troubleshooting, I did
>> >
>> > - sh ip routes on R4 and R6, I can see the RIP routes on both routers
>> >
>> > - did 'debug ip packet' & 'debug ip routing', when I tried to ping from R4
>> > to R6, I don't see any packets hitting SW4.
>> >
>> > My understanding of Fallback bridging, it bridges non-routed protocol
>> > between SVIs and L3 routed interfaces. So I assume routed protocol will
>> > remain as routable?
>> >
>> > Any kind advice?
>> >
>> >
>> >
>> > Cheers
>> >
>> > Nit
>> >
>> >
>> >
>> >
>> > > Date: Fri, 20 Feb 2009 05:03:01 +0000
>> > > From: joe_astorino@comcast.net
>> > > To: joe_astorino@comcast.net
>> > > CC: ccielab@groupstudy.com; raghavbhargava12@gmail.com
>> > > Subject: Re: Fallback Bridging
>> > >
>> > > Let me rephrase what I said in my most recent post. Suppose ports 1-5 AND
>> > > ports 6-10 are running the SAME non-IP protocol and they want to talk but are
>> > > in different VLANs. The switch can not route between the 2 VLANs if it is not
>> > > IP. Thus, you bridge them. What I said before about appletalk communicating
>> > > with DECNET I don't think made any sense :)
>> > >
>> > > - Joe
>> > > ----- Original Message -----
>> > > From: "joe astorino" <joe_astorino@comcast.net>
>> > > To: "Raghav Bhargava" <raghavbhargava12@gmail.com>
>> > > Cc: "Cisco certification" <ccielab@groupstudy.com>
>> > > Sent: Thursday, February 19, 2009 11:44:14 PM GMT -05:00 US/Canada Eastern
>> > > Subject: Re: Fallback Bridging
>> > >
>> > > Raghav,
>> > >
>> > > The way I understand it is this -- VLANs in general, and thus inter-vlan
>> > > routing on a switch were designed around the IP protocol. Fallback bridging
>> > > basically allows you to bridge non-ip protocols between VLANs. Since it is not
>> > > IP it cannot be routed normally like an IP packet between vlans, so it can be
>> > > bridged. I hope that helps
>> > >
>> > > - Joe
>> > > ----- Original Message -----
>> > > From: "Raghav Bhargava" <raghavbhargava12@gmail.com>
>> > > To: "Cisco certification" <ccielab@groupstudy.com>
>> > > Sent: Thursday, February 19, 2009 11:27:03 PM GMT -05:00 US/Canada Eastern
>> > > Subject: Fallback Bridging
>> > >
>> > > Hi Experts,
>> > >
>> > > I was reading Fallback Bridging but somehow could not understand it.
>> > > Can someone please explain in simple terms.
>> > >
>> > > Appreciate all the help..
>> > >
>> > > --
>> > > Warm Regards
>> > > Raghav
>> > >
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > >
>> > > _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Narbik Kocharians
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining.com
> www.Net-Workbooks.com
> Sr. Technical Instructor

Blogs and organic groups at http://www.ccie.net
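
A check for the symptom reported at the top of this thread (dynamic entries still in Forward state after `no bridge 1 acquire`, or a `discard` address shown as Forward), as an added example that is not part of the original thread: it compares the bridge commands in a configuration with `show bridge` output. The sample config and table are constructed in the format quoted in the thread, and `parse_policy` and `audit` are hypothetical helper names.

```python
import re
# Constructed sample (not from a real device), in the format quoted in the thread.
CONFIG = """\
bridge 1 protocol vlan-bridge
no bridge 1 acquire
bridge 1 address 0000.2222.2222 forward
bridge 1 address 0000.1111.1111 discard
"""
SHOW_BRIDGE = """\
Br Group Mac Address       State   Type    Ports
-------- ----------------- ------- ------- ------
1        0000.1111.1111    Forward DYNAMIC Vl1
1        0000.2222.2222    Forward Static  -
1        0000.3333.3333    Forward DYNAMIC Vl30
"""
ROW = re.compile(r"\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)\s+(\w+)", re.I)

def parse_policy(config):
    """Map bridge group -> {'acquire': bool, 'static': {mac: 'forward'|'discard'}}."""
    policy = {}
    for line in config.lower().splitlines():
        m = re.match(r"\s*(no )?bridge (\d+) acquire\s*$", line)
        if m:
            entry = policy.setdefault(m.group(2), {"acquire": True, "static": {}})
            entry["acquire"] = m.group(1) is None
        m = re.match(r"\s*bridge (\d+) address (\S+) (forward|discard)", line)
        if m:
            entry = policy.setdefault(m.group(1), {"acquire": True, "static": {}})
            entry["static"][m.group(2)] = m.group(3)
    return policy

def audit(config, show_bridge):
    """Return (mac, reason) for bridge-table rows that contradict the config."""
    policy, findings = parse_policy(config), []
    for line in show_bridge.lower().splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        group, mac, state, kind = m.groups()
        p = policy.get(group, {"acquire": True, "static": {}})
        want = p["static"].get(mac)
        if want and state != want:
            findings.append((mac, f"configured {want}, table shows {state}"))
        elif not want and kind == "dynamic" and not p["acquire"] and state == "forward":
            findings.append((mac, "dynamic entry forwarding with acquire disabled"))
    return findings

if __name__ == "__main__":
    print(audit(CONFIG, SHOW_BRIDGE))
```
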



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:13 ARST