Configures VLAN Ethernet bridging parameters. Use this command to configure Bridge NAT or Bridge VLAN settings.

Configuring bridge NAT (Network Address Translation) parameters allows management of Internet traffic originating at a remote site. In addition to traditional NAT functionality, bridge NAT provides a means of configuring NAT for bridged traffic through an access point. NAT rules are applied to bridged traffic through the access point, and matching packets are NATed to the WAN link instead of being bridged on their way to the router. Using bridge NAT, a tunneled VLAN (extended VLAN) is created between the NOC and a remote location. When a remote client needs to access the Internet, Internet traffic is routed to the NOC, and from there routed to the Internet. This increases the access time for the end user on the client. To resolve latency issues, bridge NAT identifies and segregates traffic heading towards the NOC and outwards towards the Internet. Traffic towards the NOC is allowed over the secure tunnel. Traffic towards the Internet is switched to a local WLAN link with access to the Internet.

A VLAN (Virtual LAN) is a separately administered virtual network within the same physical managed network. VLANs are broadcast domains defined within wireless controllers or service platforms to allow control of broadcast, multicast, unicast, and unknown unicast within a layer 2 device. Administrators often need to route traffic between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device, which will untag it. When a data frame is received on a port, the VLAN bridge determines the associated VLAN based on the port of reception. Using forwarding database information, the bridge VLAN forwards the data frame on the appropriate port(s). VLANs are useful for setting up separate networks that isolate some computers from others, without requiring separate cabling and Ethernet switches. Controllers can do this on their own, without the computer or other gear needing to know which VLAN it is on (this is called port-based VLAN, since the VLAN is assigned by the port of the switch). Another common use is to put specialized devices like VoIP phones on a separate network for easier configuration, administration, security, or service quality.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000


bridge [nat|vlan]
bridge nat source list <IP-ACCESS-LIST-NAME> precedence <1-500>
    interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1]
    [(address|interface|overload|pool <NAT-POOL-NAME>)]
bridge vlan [<1-4094>|<VLAN-ALIAS-NAME>]


bridge nat source list <IP-ACCESS-LIST-NAME> precedence <1-500> interface 
[<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address|interface|overload|
pool <NAT-POOL-NAME>)]
nat – Configures bridge NAT parameters
source – Configures NAT source addresses
list <IP-ACCESS-LIST-NAME> precedence <1-500> – Associates an access control list (ACL) with this bridge NAT policy. The ACL specifies the IP address permit/deny rules applicable to this bridge NAT policy.
  • <IP-ACCESS-LIST-NAME> – Specify access list name.
  • precedence <1-500> – Specifies a precedence value for this bridge NAT policy.
interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] – Selects one of the following as the primary interface (between the source and destination points):
  • <LAYER3-INTERFACE-NAME> – A router interface. Specify interface name.
  • pppoe1 – A PPP over Ethernet interface.
  • vlan <1-4094> – A VLAN interface. Specify the VLAN interface index from 1 - 4094.
  • wwan1 – A Wireless WAN interface.
[(address|interface|overload|pool <NAT-POOL-NAME>)] – The following keywords are recursive and common to all interface types:
  • address – Configures the interface IP address used for NAT
  • interface – Configures the failover interface (default setting)
  • overload – Enables use of one global address for multiple local addresses (terminates command)
  • pool <NAT-POOL-NAME> – Configures the NAT pool used with this bridge NAT policy. Specify the NAT pool name. For more information on configuring a NAT pool, see nat-pool-config-instance.
bridge vlan [<1-4094>|<VLAN-ALIAS-NAME>]
vlan <1-4094> – Specifies the numerical identifier assigned to the bridge VLAN when it was initially created.
  • <1-4094> – Specify a VLAN index from 1 - 4094.
vlan <VLAN-ALIAS-NAME> – Specifies the VLAN alias identifying the bridge VLAN. The alias should already exist and be configured.
  • <VLAN-ALIAS-NAME> – Specify a VLAN alias name.
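
An added example, not part of the original reference or any vendor code: a small Python linter that checks `bridge nat` lines in an exported configuration against the syntax and value ranges listed above. The sample lines, ACL names and pool name are constructed, and the option handling assumes the keyword rules exactly as this page states them.

```python
import re

# Grammar follows the syntax shown on this page; SAMPLE below is constructed.
NAT_RE = re.compile(r"^bridge nat source list (?P<acl>\S+) "
                    r"precedence (?P<prec>\d+) interface (?P<rest>.+)$")

def parse_bridge_nat(line):
    """Return (rule, errors); rule is None when the line does not match the syntax."""
    m = NAT_RE.match(line.strip())
    if not m:
        return None, ["does not match the bridge nat syntax"]
    errors, options = [], []
    prec = int(m["prec"])
    if not 1 <= prec <= 500:
        errors.append(f"precedence {prec} outside 1-500")
    iface, *tokens = m["rest"].split()
    if iface == "vlan":  # 'vlan' takes an index argument
        vid = tokens.pop(0) if tokens else ""
        if not (vid.isdigit() and 1 <= int(vid) <= 4094):
            errors.append(f"vlan index '{vid}' outside 1-4094")
        iface = f"vlan {vid}"
    while tokens:
        tok = tokens.pop(0)
        if tok == "pool" and tokens:
            options.append(("pool", tokens.pop(0)))
        elif tok in ("address", "interface", "overload"):
            options.append((tok, None))
            if tok == "overload" and tokens:  # 'overload' terminates the command
                errors.append("keywords after 'overload'")
                break
        else:
            errors.append(f"unexpected or incomplete keyword '{tok}'")
    rule = {"acl": m["acl"], "precedence": prec, "interface": iface, "options": options}
    return rule, errors

def audit(config_text):
    """Return [(line_number, error)] for each 'bridge nat' line in a config export."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.strip().startswith("bridge nat "):
            findings += [(n, e) for e in parse_bridge_nat(line)[1]]
    return findings

# Constructed sample lines; ACL and pool names are hypothetical.
SAMPLE = """bridge nat source list GUEST-INTERNET precedence 10 interface vlan 20 overload
bridge nat source list GUEST-INTERNET precedence 900 interface pppoe1 pool POOL-A
bridge nat source list LAB precedence 5 interface vlan 5000 overload address
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run over a saved configuration, `audit()` reports the line number of every bridge NAT rule whose precedence, VLAN index or keyword sequence falls outside what this page documents.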

Usage Guidelines

Creating customized filter schemes for bridged networks limits the amount of unnecessary traffic processed and distributed by the bridging equipment.

If a bridge does not hear Bridge Protocol Data Units (BPDUs) from the root bridge within the specified interval, defined in the max-age (seconds) parameter, it assumes the network has changed and recomputes the spanning-tree topology.


nx9500-6C8809(config-profile-default-rfs4000)#bridge vlan 1
Bridge VLAN Mode commands:
  bridging-mode                              Configure how packets on this
                                             VLAN are bridged
  captive-portal                             Captive Portal
  captive-portal-enforcement                 Enable captive-portal enforcement
                                             on this extended VLAN
  description                                Vlan description
  edge-vlan                                  Enable edge-VLAN mode
  firewall                                   Enable vlan firewall(IPv4)
  http-analyze                               Forward URL and Data to
  ip                                         Internet Protocol (IP)
  ipv6                                       Internet Protocol version 6
  l2-tunnel-broadcast-optimization           Enable broadcast optimization
  l2-tunnel-forward-additional-packet-types  Forward additional packet types
                                             not normally forwarded by l2
                                             broadcast optimization
  mac-auth                                   Enable mac-auth for this bridge
  name                                       Vlan name

  no                                         Negate a command or set its
  stateful-packet-inspection-l2              Enable stateful packet inspection
                                             in layer2 firewall
  registration                               Enable dynamic registration of
                                             device (or) user
  tunnel                                     Vlan tunneling settings
  tunnel-over-level2                         Tunnel extended VLAN traffic over
                                             level 2 MiNT links
  use                                        Set setting to use

  clrscr                                     Clears the display screen
  commit                                     Commit all changes made in this
  do                                         Run commands from Exec mode
  end                                        End current mode and change to
                                             EXEC mode
  exit                                       End current mode and down to
                                             previous mode
  help                                       Description of the interactive
                                             help system
  revert                                     Revert changes
  service                                    Service Commands
  show                                       Show running system information
  write                                      Write running configuration to
                                             memory or terminal