os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Update Bridging section for if_bridge(4), the deprecated bridge(4)

Browse source 
driver has been removed.  The two last advanced bridging features
documented at the end of the page will be available on 6.3-R (in fact
one will be MFC next week and the other one with 6.3-R), but I chose
to not add "this feature is avaiblable on 6.3 blah blah" since they
are advanced features for experts and since they will be available on
RELENG_6 soon.

Submitted by:	thompsa@
This commit is contained in:
Marc Fonvieille 2007-08-02 08:21:53 +00:00
parent 81ee6816ab
commit a8025867ba
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=30565
1 changed files with 298 additions and 119 deletions
Download patch file Download diff file Expand all files Collapse all files

417
en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
View file

@ -2392,8 +2392,8 @@ rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
<sect1info>
<authorgroup>
<author>
<firstname>Steve</firstname>
<surname>Peterson</surname>
<firstname>Andrew</firstname>
<surname>Thompson</surname>
<contrib>Written by </contrib>
</author>
</authorgroup>
@ -2424,30 +2424,19 @@ rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
<sect2>
<title>Situations Where Bridging Is Appropriate</title>
<para>There are two common situations in which a bridge is used
<para>There are many common situations in which a bridge is used
today.</para>
<sect3>
<title>High Traffic on a Segment</title>
<title>Connecting Networks</title>
<para>Situation one is where your physical network segment is
overloaded with traffic, but you do not want for whatever reason to
subnet the network and interconnect the subnets with a
router.</para>
<para>Let us consider an example of a newspaper where the Editorial and
Production departments are on the same subnetwork. The Editorial
users all use server <hostid>A</hostid> for file service, and the Production users
are on server <hostid>B</hostid>. An Ethernet network is used to connect all users together,
and high loads on the network are slowing things down.</para>
<para>If the Editorial users could be segregated on one
network segment and the Production users on another, the two
network segments could be connected with a bridge. Only the
network traffic destined for interfaces on the
<quote>other</quote> side of the bridge would be sent to the
other network, reducing congestion on each network
segment.</para>
<para>The basic operation of a bridge is to join two or more
network segments together. There are many reasons to use a
host based bridge over plain networking equipment such as
cabling constraints, firewalling or connecting pseudo
networks such as a Virtual Machine interface. A bridge can
also connect a wireless interface running in hostap mode to
a wired network and act as an access point.</para>
</sect3>
<sect3>
@ -2455,8 +2444,8 @@ rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
<indexterm><primary>firewall</primary></indexterm>
<indexterm><primary>NAT</primary></indexterm>
<para>The second common situation is where firewall functionality is
needed without network address translation (NAT).</para>
<para>A common situation is where firewall functionality is
needed without routing or network address translation (NAT).</para>
<para>An example is a small company that is connected via DSL
or ISDN to their ISP. They have a 13 globally-accessible IP
@ -2471,127 +2460,317 @@ rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
path just downstream of their DSL/ISDN router without any IP
numbering issues.</para>
</sect3>
<sect3>
<title>Network Tap</title>
<para>A bridge can join two network segments and be used to
inspect all Ethernet frames that pass between them. This can
either be from using &man.bpf.4;/&man.tcpdump.1; on the
bridge interface or by sending a copy of all frames out an
additional interface (span port).</para>
</sect3>
<sect3>
<title>Layer 2 VPN</title>
<para>Two Ethernet networks can be joined across an IP link by
bridging the networks to an EtherIP tunnel or a &man.tap.4;
based solution such as OpenVPN.</para>
</sect3>
<sect3>
<title>Layer 2 Redundancy</title>
<para>A network can be connected together with multiple links
and use the Spanning Tree Protocol to block redundant paths.
For an Ethernet network to function properly only one active
path can exist between two devices, Spanning Tree will
detect loops and put the redundant links into a blocked
state. Should one of the active links fail then the
protocol will calculate a different tree and reenable one of
the blocked paths to restore connectivity to all points in
the network.</para>
</sect3>
</sect2>
<sect2>
<title>Configuring a Bridge</title>
<title>Kernel Configuration</title>
<sect3>
<title>Network Interface Card Selection</title>
<para>This section covers &man.if.bridge.4; bridge
implementation, a netgraph bridging driver is also available,
for more information see &man.ng.bridge.4; manual page.</para>
<para>A bridge requires at least two network cards to function.
Unfortunately, not all network interface cards
support bridging. Read &man.bridge.4; for details on the cards that
are supported.</para>
<para>The bridge driver is a kernel module and will be
automatically loaded by &man.ifconfig.8; when creating a
bridge interface. It is possible to compile the bridge in to
the kernel by adding <literal>device if_bridge</literal> to
your kernel configuration file.</para>
<para>Install and test the two network cards before continuing.</para>
</sect3>
<para>Packet filtering can be used with any firewall package
that hooks in via the &man.pfil.9; framework. The firewall
can be loaded as a module or compiled into the kernel.</para>
<sect3>
<title>Kernel Configuration Changes</title>
<indexterm>
<primary>kernel options</primary>
<secondary>BRIDGE</secondary>
</indexterm>
<para>To enable kernel support for bridging, add the:</para>
<programlisting>options BRIDGE</programlisting>
<para>statement to your kernel configuration file, and rebuild your
kernel.</para>
</sect3>
<sect3>
<title>Firewall Support</title>
<indexterm><primary>firewall</primary></indexterm>
<para>If you are planning to use the bridge as a firewall, you
will need to add the <literal>IPFIREWALL</literal> option as
well. Read <xref linkend="firewalls"> for general
information on configuring the bridge as a firewall.</para>
<para>If you need to allow non-IP packets (such as ARP) to flow
through the bridge, there are three options available.
The first is to add the following option to the kernel and
rebuild:</para>
<programlisting>option IPFIREWALL_DEFAULT_TO_ACCEPT</programlisting>
<para>The second is to set the firewall type to <quote><literal>open</literal></quote> in the
<filename>rc.conf</filename> file:</para>
<programlisting>firewall_type="open"</programlisting>
<para>Note that these options will make the firewall seem completely
transparent; any packet or connection will be permitted by default.
This may require significant changes to the firewall ruleset.</para>
<para>The third option is to apply the following &man.ipfw.8;
rule:</para>
<screen>&prompt.root; <userinput>ipfw add allow mac-type arp layer2</userinput></screen>
<para>Or add it to the current firewall ruleset. This rule effectively
allows &man.arp.8; packets through, so it must be be applied near the
beginning of the ruleset for early evaluation.</para>
</sect3>
<sect3>
<title>Traffic Shaping Support</title>
<para>If you want to use the bridge as a traffic shaper, you will need
to add the <literal>DUMMYNET</literal> option to your kernel
configuration. Read &man.dummynet.4; for further
information.</para>
</sect3>
<para>The bridge can be used as a traffic shaper with
&man.altq.4; or &man.dummynet.4;.</para>
</sect2>
<sect2>
<title>Enabling the Bridge</title>
<para>Add the line:</para>
<para>The bridge is created using interface cloning. To create
a bridge use &man.ifconfig.8;, if the bridge driver is not
present in the kernel then it will be loaded
automatically.</para>
<programlisting>net.link.ether.bridge.enable=1</programlisting>
<screen>&prompt.root; <userinput>ifconfig bridge create</userinput>
bridge0
&prompt.root; <userinput>ifconfig bridge0</userinput>
bridge0: flags=8802&lt;BROADCAST,SIMPLEX,MULTICAST&gt; metric 0 mtu 1500
ether 96:3d:4b:f1:79:7a
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0</screen>
<para>to <filename>/etc/sysctl.conf</filename> to enable the bridge at
runtime, and the line:</para>
<para>A bridge interface is created and is automatically
assigned a randomly generated Ethernet address. The
<literal>maxaddr</literal> and <literal>timeout</literal>
parameters control how many MAC addresses the bridge will keep
in its forwarding table and how many seconds before each entry
is removed after it is last seen. The other parameters
control how Spanning Tree operates.</para>
<programlisting>net.link.ether.bridge.config=<replaceable>if1</replaceable>,<replaceable>if2</replaceable></programlisting>
<para>Add the member network interfaces to the bridge. For the
bridge to forward packets all member interfaces and the bridge
need to be up:</para>
<para>to enable bridging on the specified interfaces (replace
<replaceable>if1</replaceable> and
<replaceable>if2</replaceable> with the names of your two
network interfaces). If you want the bridged packets to be
filtered by &man.ipfw.8;, you should add:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 up</userinput>
&prompt.root; <userinput>ifconfig fxp0 up</userinput>
&prompt.root; <userinput>ifconfig fxp1 up</userinput></screen>
<programlisting>net.link.ether.bridge.ipfw=1</programlisting>
<para>The bridge is now forwarding Ethernet frames between
<devicename>fxp0</devicename> and
<devicename>fxp1</devicename>. The equivalent configuration
in <filename>/etc/rc.conf</filename> so the bridge is created
at startup is:</para>
<para>as well.</para>
<programlisting>cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"</programlisting>
<para>For versions prior to &os;&nbsp;5.2-RELEASE, use instead the following
lines:</para>
<para>If the bridge host needs an IP address then the correct
place to set this is on the bridge interface itself rather
than one of the member interfaces. This can be set statically
or via DHCP:</para>
<programlisting>net.link.ether.bridge=1
net.link.ether.bridge_cfg=<replaceable>if1</replaceable>,<replaceable>if2</replaceable>
net.link.ether.bridge_ipfw=1</programlisting>
<screen>&prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen>
<para>It is also possible to assign an IPv6 address to a bridge
interface.</para>
</sect2>
<sect2>
<title>Other Information</title>
<title>Firewalling</title>
<indexterm><primary>firewall</primary></indexterm>
<para>If you want to be able to &man.ssh.1; into the bridge from the network,
it is correct to assign one of the network cards an IP address. The
consensus is that assigning both cards an address is a bad
idea.</para>
<para>When packet filtering is enabled, bridged packets will
pass through the filter inbound on the originating interface,
on the bridge interface and outbound on the appropriate
interfaces. Either stage can be disabled. When direction of
the packet flow is important it is best to firewall on the
member interfaces rather than the bridge itself.</para>
<para>If you have multiple bridges on your network, there cannot be more
than one path between any two workstations. Technically, this means
that there is no support for spanning tree link management.</para>
<para>The bridge has several configurable settings for passing
non-IP and ARP packets, and layer2 firewalling with IPFW. See
&man.if.bridge.4; for more information.</para>
</sect2>
<para>A bridge can add latency to your &man.ping.8; times, especially for
traffic from one segment to another.</para>
<sect2>
<title>Spanning Tree</title>
<para>The bridge driver implements the Rapid Spanning Tree
Protocol (RSTP or 802.1w) with backwards compatibility with
the legacy Spanning Tree Protocol (STP). Spanning Tree is
used to detect and remove loops in a network topology. RSTP
provides faster Spanning Tree convergence than legacy STP, the
protocol will exchange information with neighbouring switches
to quickly transition to forwarding without creating
loops.</para>
<para>The following table shows the supported operating
modes:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="3">
<thead>
<row>
<entry>OS Version</entry>
<entry>STP Modes</entry>
<entry>Default Mode</entry>
</row>
</thead>
<tbody>
<row>
<entry>&os; 5.4&mdash;&os; 6.2</entry>
<entry>STP</entry>
<entry>STP</entry>
</row>
<row>
<entry>&os; 6.3+</entry>
<entry>RSTP or STP</entry>
<entry>STP</entry>
</row>
<row>
<entry>&os; 7.0+</entry>
<entry>RSTP or STP</entry>
<entry>RSTP</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>Spanning Tree can be enabled on member interfaces using
the <literal>stp</literal> command. For a bridge with
<devicename>fxp0</devicename> and
<devicename>fxp1</devicename> as the current interfaces,
enable STP with the following:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 stp fxp0 stp fxp1</userinput>
bridge0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; metric 0 mtu 1500
ether d6:cf:d5:a0:94:6d
id 00:01:02:4b:d4:50 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:01:02:4b:d4:50 priority 32768 ifcost 0 port 0
member: fxp0 flags=1c7&lt;LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP&gt;
port 3 priority 128 path cost 200000 proto rstp
role designated state forwarding
member: fxp1 flags=1c7&lt;LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP&gt;
port 4 priority 128 path cost 200000 proto rstp
role designated state forwarding</screen>
<para>This bridge has a spanning tree ID of
<literal>00:01:02:4b:d4:50</literal> and a priority of
<literal>32768</literal>. As the <literal>root id</literal>
is the same it indicates that this is the root bridge for the
tree.</para>
<para>Another bridge on the network also has spanning tree
enabled:</para>
<screen>bridge0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; metric 0 mtu 1500
ether 96:3d:4b:f1:79:7a
id 00:13:d4:9a:06:7a priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:01:02:4b:d4:50 priority 32768 ifcost 400000 port 4
member: fxp0 flags=1c7&lt;LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP&gt;
port 4 priority 128 path cost 200000 proto rstp
role root state forwarding
member: fxp1 flags=1c7&lt;LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP&gt;
port 5 priority 128 path cost 200000 proto rstp
role designated state forwarding</screen>
<para>The line <literal>root id 00:01:02:4b:d4:50 priority 32768
ifcost 400000 port 4</literal> shows that the root bridge is
<literal>00:01:02:4b:d4:50</literal> as above and has a path
cost of <literal>400000</literal> from this bridge, the path
to the root bridge is via <literal>port 4</literal> which is
<devicename>fxp0</devicename>.</para>
</sect2>
<sect2>
<title>Advanced Bridging</title>
<sect3>
<title>Reconstruct Traffic Flows</title>
<para>The bridge supports monitor mode, where the packets are
discarded after &man.bpf.4; processing, and are not
processed or forwarded further. This can be used to
multiplex the input of two or more interfaces into a single
&man.bpf.4; stream. This is useful for reconstructing the
traffic for network taps that transmit the RX/TX signals out
through two separate interfaces.</para>
<para>To read the input from four network interfaces as one
stream:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up</userinput>
&prompt.root; <userinput>tcpdump -i bridge0</userinput></screen>
</sect3>
<sect3>
<title>Span Ports</title>
<para>A copy of every Ethernet frame received by the bridge
will be transmitted out a designated span port. The number
of span ports configured on a bridge is unlimited, if an
interface is designated as a span port then it may not also
be used as a regular bridge port. This is most useful for
snooping a bridged network passively on another host
connected to one of the span ports of the bridge.</para>
<para>To send a copy of all frames out the interface named
<devicename>fxp4</devicename>:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 span fxp4</userinput></screen>
</sect3>
<sect3>
<title>Private Interfaces</title>
<para>A private interface does not forward any traffic to any
other port that is also a private interface. The traffic is
blocked unconditionally so no Ethernet frames will be
forwarded, including ARP. If traffic needs to be
selectively blocked then a firewall should be used
instead.</para>
</sect3>
<sect3>
<title>Sticky Interfaces</title>
<para>If a bridge member interface is marked as sticky then
dynamically learned address entries are treated at static once
entered into the forwarding cache. Sticky entries are never
aged out of the cache or replaced, even if the address is seen
on a different interface. This gives the benefit of static
address entries without the need to pre-populate the
forwarding table, clients learnt on a particular segment of
the bridge can not roam to another segment.</para>
<para>Another example of using sticky addresses would be to
combine the bridge with VLANs to create a router where
customer networks are isolated without wasting IP address
space. Consider that <hostid
role="Hostname">CustomerA</hostid> is on
<literal>vlan100</literal> and <hostid
role="hostname">CustomerB</hostid> is on
<literal>vlan101</literal>. The bridge has the address
<hostid role="ipaddr">192.168.0.1</hostid> and is also an
internet router.</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101</userinput>
&prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen>
<para>Both clients see <hostid
role="ipaddr">192.168.0.1</hostid> as their default gateway
and since the bridge cache is sticky they can not spoof the
MAC address of the other customer to intercept their
traffic.</para>
<para>Any communication between the VLANs can be blocked using
private interfaces (or a firewall):</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 private vlan100 private vlan101</userinput></screen>
<para>The customers are completely isolated from each other,
the full <hostid role="netmask">/24</hostid> address range
can be allocated without subnetting.</para>
</sect3>
</sect2>
</sect1>