Bridging Layer 2 Across the Core

Welcome to netquirks

As this is my first blog I thought I should write a bit of an introduction. This site is dedicated to looking at interesting and, as the name suggests, quirky scenarios in the world of Network Engineering.

I’ve also added some of my study notes, GNS3 labs and other bits and pieces, so feel free to have a look around. Details of the site, including the layout and a bit about myself can be found on the About page.

Generally blogs will be divided up into three sections: the quirk, the search and the work. The quirk describes the scenario, the search describes how a solution was arrived at and the work shows the technical and command line details. I’ll try and add a new blog once a month.

I will add to this site as time goes by. Any feedback is more than welcome…

Bridging Layer 2 Across the Core

This first scenario looks at a case where two remote sites needed to be connected through layer 2 across a Service Provider Core and a single xconnect or changing of a BGP session type was not possible. We ended up having to combine bridging, pseudowires and trunking to provide access…

The quirk

The picture below shows the basic setup. We needed to combine two layer 2 domains across an MPLS core. A new connection was brought into a switch on VLAN 6 at Site A. It needed to connect over to Site B. Under normal circumstances we would build a layer 2 xconnect/pseudowire between the sites, however in this circumstance we were not able to…

For a layer 2 xconnect to be configured the terminating device must be able to determine the next-hop label to push on the top of the frame. However the gateway of the Site B Layer 2 domain was a Cisco 7200 router which ran an Option A eBGP session to our PE. This meant it wasn’t getting labels over BGP. In addition, there was no LDP between the 7200 and the PE.

We couldn’t simply configure an Option B session (and consequently move the xconnect onto the 7200) because this would involve potential downtime for the site which was unacceptable.

To make it worse, there were no cable runs between the two locations to bring up a simple layer 2 point-to-point.

It should also be noted that router-on-stick was used at Site B meaning there were other VLANs, all terminating on their own sub-interface, connected to the 7200.

In summary it looked as follows:


The search

Even though an xconnect could not go the full length, the decision was made to push one as far as was viable. So we began by creating an xconnect from PE1 to PE2. VLAN 6 was added to S1’s uplink trunk and the sub-interface that was created for it on PE1 was added to the xconnect (CLI to follow).

The problem we had to face was how to get the layer 2 connectivity around or through the 7200, with minimal disruption. A solution was found in bridging….

We configured a bridge domain on the 7200 and put two new sub-interfaces into the bridge-domain – one for the LAN interface and one for the WAN interface.

The gateway for this subnet was previously a layer 3 sub-interface on Gi0/0 (standard router-on-a-stick setup). This was changed to a BVI.

In a similar fashion a sub-interface was setup on the connecting interface on PE2. This was added to the other end of the xconnect.

What we ultimately ended up with was something that looked like this:


Once this was setup we could see MAC learning and L2 connectivity across the core.

The work

The below GNS3 topology was put together to test and demonstrate the solution before putting it into practice. This can be downloaded from the GNS3 page.


LDP is running between the service provider routers and loopbacks are distributed via IS-IS. IPv4 and VPNv4 relationships exist between the PEs. This config is not shown but is available on the lab download.

Host 4 represents the new incoming connection to VLAN 6. Host 2 represents a Site B device on VLAN 6. The other hosts are simply representative of other devices on other VLANs for the sake of variation.

If we look at the configuration of CE1 we can see the config behind a the basic bridging setup:

hostname CE1
!enable irb and bridging
bridge irb
bridge 1 protocol ieee
bridge 1 route ip

!Configure the WAN sub-interface beneath the main interface, 
!assign it to the bridge domain and set the encapsulation to 
!vlan 6
interface FastEthernet0/0
 description link to PE2
 ip address
 duplex full
interface FastEthernet0/0.6
 description Bridged link to PE2
 encapsulation dot1Q 6
 !Technically the WAN interface need not have the same 
 !encapsulation as the LAN interface. But the sub-interface on 
 ! the PE must have the same encapsulation as this WAN interface.
 bridge-group 1
!The key here is that VLAN 6's sub-interfaces is added to the 
! bridge group using the bridge-group command
interface FastEthernet1/0.5
 description VLAN 5 GATEWAY
 encapsulation dot1Q 5
 ip address
interface FastEthernet1/0.6
 description L2 INTERFACE FOR VLAN 6
 encapsulation dot1Q 6
 bridge-group 1
!Configure the bridged virtual interfaces that will act as the 
!gateway for VLAN 6.
interface BVI1
 ip address
!Very basic configuration of an IPv4 eBGP neighborship with the 
!PE for the purposes of making the LAB go.
router bgp 100
 bgp log-neighbor-changes
 neighbor remote-as 500
 address-family ipv4
  no synchronization
  redistribute connected
  neighbor activate
  no auto-summary

Then, turning to PE2, we can see that the sub-interface for vlan 6 is pushed into an xconnect.

hostname PE2
!Psueduowire class used to set the encapsulation for the xconnect
pseudowire-class CLASS_ONE
 encapsulation mpls
interface Loopback0
 ip address
!A standard /30 IP address is configured on the main interfaces. 
!The sub-interface, however, listens for a VLAN 6 tag and pushes 
!traffic into an xconnect.
interface FastEthernet1/0
 description link to Site B
 ip address
 duplex full
 speed 100
interface FastEthernet1/0.2
 description VLAN 6 link to CE1
 encapsulation dot1Q 6
 xconnect 100 pw-class CLASS_ONE

Likewise on the PE1 side the configuration of the xconnect is very similar:

hostname PE1
pseudowire-class CLASS_ONE
 encapsulation mpls
interface FastEthernet1/1.6
 description VLAN 6 link to S1
 encapsulation dot1Q 6
 xconnect 100 pw-class CLASS_ONE

We can verify the successful connection of the xconnect using the show xconnect peer <ip> vcid <id> command.

PE1#sh xconnect peer vcid 100
Legend:    XC ST=Xconnect State  S1=Segment1 State  
S2=Segment2 State  UP=Up DN=Down  AD=Admin Down      
IA=Inactive  SB=Standby  RV=Recovering  NH=No Hardware

XC ST  Segment 1                   S1 Segment 2          S2
UP     ac   Fa1/1.6:6(Eth VLAN)    UP mpls    UP

Additionally we can see MAC learning on the bridge group of router CE1 (c208.0d06.0000 is the MAC address for Host 4):

CE1#show bridge 1

Total of 300 station blocks, 298 free
Codes: P - permanent, S - self

Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
c206.0d04.0000   forward   Fa1/0.6           0          5          4
c208.0d06.0000   forward   Fa0/0.6           0          5          5

And finally we can see that we are able to run a ping from Host4 to Host2:


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), 
round-trip min/avg/max = 128/167/224 ms

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: