Friday, September 20, 2013

Cisco Integrated Routing and Bridging (IRB)

By default, a router is considered a broadcast terminator, meaning that it doesn't pass broadcasts from one segment to another like switches (bridges) do.

Integrated Routing and Bridging, or IRB, brings layer 2 switching capabilities to routers so that they can forward layer 2 broadcasts to other interfaces. Today there are newer, more cutting-edge technologies that can transfer layer 2 frames over WANs and even between whole data centers, like VPLS, OTV, L2TPv3, pseudowires, and the list goes on. Of course, each of them has its own application. After all that, I needed to run some redundancy tests in my lab and I found myself using the good old IRB, so I thought I might blog about it for the sake of good times.

Let’s look at this simple topology.

By default, if PC1 tried to send a broadcast, it would be terminated at R1's F0/0 interface and would never be forwarded to interface F0/1, because R1 knows that the broadcast domain for 192.168.1.0/24 is located at its F0/0 interface.

Now we want PC1 to be able to send an ARP request and have that request pass all the way to Broadcast Domain B so that PC2 can reply with its MAC address. Let’s see how we can do that.

This can be done by configuring bridge groups on Cisco routers and attaching the physical interfaces to those bridge groups as if they were ports on the same switch (bridge).

Let’s begin our configuration
R1
bridge 1 protocol ieee
bridge irb
interface FastEthernet0/0
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 bridge-group 1

R2
bridge 1 protocol ieee
bridge irb
interface FastEthernet0/0
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 bridge-group 1

As you can see, the configuration is very easy. First, I configured bridge group 1 to use the IEEE spanning tree protocol. Why? Because if you have redundant links between R1 and R2 without spanning tree, you are definitely getting a loop! The second command tells the router which type of bridging you’re using, which in our case is integrated routing and bridging. Finally, you assign the interfaces you want to participate in the bridge (broadcast domain) by using the command bridge-group 1 in interface configuration mode.

Let’s do some show commands to verify our configuration

R1#show bridge group
Bridge Group 1 is running the IEEE compatible Spanning Tree protocol
   Port 4 (FastEthernet0/0) of bridge group 1 is forwarding
   Port 5 (FastEthernet0/1) of bridge group 1 is forwarding

R1#show bridge verbose
Total of 300 station blocks, 300 free
Codes: P - permanent, S - self
Flood ports (BG 1)           RX count    TX count
FastEthernet0/0                     0           4
FastEthernet0/1                     4           0

R1#show spanning-tree  summary
Root bridge for: Bridge group 1.
PortFast BPDU Guard is disabled
UplinkFast is disabled
BackboneFast is disabled
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
Bridge group 1       0        0         0        2          2
-------------------- -------- --------- -------- ---------- ----------
      1 Bridge Group 0        0         0        2          2

R1#show spanning-tree root
Bridge group 1
  Root ID    Priority    32768
             Address     c200.0cd8.0000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward


Now let’s try to ping from PC1 to PC2

VPCS[1]> ping 192.168.1.2
192.168.1.2 icmp_seq=1 ttl=64 time=41.964 ms
192.168.1.2 icmp_seq=2 ttl=64 time=41.020 ms
192.168.1.2 icmp_seq=3 ttl=64 time=43.976 ms
192.168.1.2 icmp_seq=4 ttl=64 time=33.977 ms
192.168.1.2 icmp_seq=5 ttl=64 time=38.975 ms

Now let’s see the ARP table of PC1

VPCS[1]> show arp all
00:50:79:66:68:01  192.168.1.2 expires in 113 seconds

The interesting part here is that R1 acted as a transparent bridge: it transparently switched the frame to interface F0/1, and R2 did the same, until the frame reached PC2 and PC2 replied with its MAC address in the ARP reply packet. This is unlike the normal behavior of routers with proxy ARP.

Now we need to configure some sort of interface on the routers for management purposes, or even for routing that subnet. To do that, we will configure a logical interface called the BVI, which is very similar to the SVI or VLAN interface on switches.

R1(config)#interface BVI 1
R1(config-if)#ip add 192.168.1.10 255.255.255.0

R2(config)#interface BVI 1
R2(config-if)#ip add 192.168.1.20 255.255.255.0

Let’s try pinging from R1 to PC1

R1#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping failed. The reason is that you need to enable IP routing for that bridge on the router.

R1(config)#bridge 1  route ip

R1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/25/52 ms

That seems to be working fine. Finally, a typical use for this would be providing redundancy for a server with NIC teaming: in case a cable is cut or a router goes down, the operation should be seamless. This is an illustrated schematic:




Since all first hop redundancy protocols (HSRP, GLBP and VRRP) require all segments to be in the same broadcast domain, as shown in the figure above, R1 and R2 can easily use IRB to provide redundancy for the server with NIC teaming and use a virtual IP as the gateway for both NICs.
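
The two pitfalls met in this walkthrough (a bridge group without spanning tree, and a BVI that does not answer until "bridge 1 route ip" is entered) can be checked offline against a saved configuration. The script below is an added example, not part of the original post; the function name audit_irb and the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: R1 from the post with the BVI added but no "bridge 1 route ip".
SAMPLE_R1 = """\
bridge irb
bridge 1 protocol ieee
interface FastEthernet0/0
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 bridge-group 1
!
interface BVI 1
 ip address 192.168.1.10 255.255.255.0
"""

def audit_irb(config):
    """Return a list of findings for an IOS bridge-group / IRB configuration."""
    irb, iface, members = False, None, defaultdict(list)
    stp, routed, bvi_ip = set(), set(), set()
    for raw in config.splitlines():
        line = " ".join(raw.split())              # collapse repeated spaces
        if raw[:1] not in (" ", "\t"):            # a top-level line ends interface scope
            m = re.fullmatch(r"interface (.+)", line)
            iface = m.group(1).replace(" ", "") if m else None
        if line == "bridge irb":
            irb = True
        elif m := re.fullmatch(r"bridge (\d+) protocol \S+", line):
            stp.add(int(m.group(1)))
        elif m := re.fullmatch(r"bridge (\d+) route ip", line):
            routed.add(int(m.group(1)))
        elif iface and (m := re.fullmatch(r"bridge-group (\d+)", line)):
            members[int(m.group(1))].append(iface)
        elif iface and line.startswith("ip address ") and (m := re.fullmatch(r"BVI(\d+)", iface)):
            bvi_ip.add(int(m.group(1)))
    findings = []
    for group in sorted(set(members) | bvi_ip):
        if group in members and group not in stp:
            findings.append(f"bridge {group}: no spanning-tree protocol, redundant links can loop")
        if group in bvi_ip and not irb:
            findings.append(f"bridge {group}: BVI configured without 'bridge irb'")
        if group in bvi_ip and group not in routed:
            findings.append(f"bridge {group}: BVI has an IP but 'bridge {group} route ip' is missing")
    return findings

print(*audit_irb(SAMPLE_R1), sep="\n")
```

Run against the sample, it reports only the missing "bridge 1 route ip", which is the state in which the first ping from R1 failed.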