White space fix only. Translators can ignore.
Sponsored by: iXsystems
This commit is contained in:
parent
8776f26f4f
commit
b453ddaee6
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44163
1 changed file with 248 additions and 252 deletions
@ -2848,104 +2848,106 @@ rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
<primary>bridge</primary>
|
||||
</indexterm>
|
||||
|
||||
<para>It is sometimes useful to divide a network,
|
||||
such as an Ethernet segment, into network
|
||||
segments without having to create <acronym>IP</acronym>
|
||||
subnets and use a router to connect the segments together.
|
||||
A device that connects two networks together in this fashion
|
||||
is called a <quote>bridge</quote>.</para>
|
||||
<para>It is sometimes useful to divide a network, such as an
|
||||
Ethernet segment, into network segments without having to
|
||||
create <acronym>IP</acronym> subnets and use a router to connect
|
||||
the segments together. A device that connects two networks
|
||||
together in this fashion is called a
|
||||
<quote>bridge</quote>.</para>
|
||||
|
||||
<para>A bridge works by learning the <acronym>MAC</acronym>
|
||||
addresses of the devices on each of its
|
||||
network interfaces. It forwards traffic between networks
|
||||
only when the source and destination <acronym>MAC</acronym> addresses are on different
|
||||
networks. In many respects, a bridge is like an Ethernet switch with
|
||||
very few ports. A &os; system with multiple
|
||||
network interfaces can be configured to act as a bridge.</para>
|
||||
<para>A bridge works by learning the <acronym>MAC</acronym>
|
||||
addresses of the devices on each of its network interfaces. It
|
||||
forwards traffic between networks only when the source and
|
||||
destination <acronym>MAC</acronym> addresses are on different
|
||||
networks. In many respects, a bridge is like an Ethernet switch
|
||||
with very few ports. A &os; system with multiple network
|
||||
interfaces can be configured to act as a bridge.</para>
|
||||
|
||||
<para>Bridging can be useful in the following situations:</para>
|
||||
<para>Bridging can be useful in the following situations:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>Connecting Networks</term>
|
||||
<listitem>
|
||||
<para>The basic operation of a bridge is to join two or more
|
||||
network segments. There are many reasons to use a
|
||||
host-based bridge instead of networking equipment, such as
|
||||
cabling constraints or firewalling. A bridge can
|
||||
also connect a wireless interface running in hostap mode to
|
||||
a wired network and act as an access point.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<para>The basic operation of a bridge is to join two or more
|
||||
network segments. There are many reasons to use a
|
||||
host-based bridge instead of networking equipment, such as
|
||||
cabling constraints or firewalling. A bridge can also
|
||||
connect a wireless interface running in hostap mode to a
|
||||
wired network and act as an access point.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<varlistentry>
|
||||
<term>Filtering/Traffic Shaping Firewall</term>
|
||||
<listitem>
|
||||
<para>A bridge can be used when firewall functionality is
|
||||
needed without routing or Network Address Translation
|
||||
(<acronym>NAT</acronym>).</para>
|
||||
<para>A bridge can be used when firewall functionality is
|
||||
needed without routing or Network Address Translation
|
||||
(<acronym>NAT</acronym>).</para>
|
||||
|
||||
<para>An example is a small company that is connected via
|
||||
<acronym>DSL</acronym>
|
||||
or <acronym>ISDN</acronym> to an <acronym>ISP</acronym>.
|
||||
There are thirteen public <acronym>IP</acronym>
|
||||
addresses from the <acronym>ISP</acronym> and ten computers
|
||||
on the network. In this situation, using a router-based
|
||||
firewall is difficult because of subnetting issues. A bridge-based firewall can be configured without any
|
||||
<acronym>IP</acronym> addressing issues.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<para>An example is a small company that is connected via
|
||||
<acronym>DSL</acronym> or <acronym>ISDN</acronym> to an
|
||||
<acronym>ISP</acronym>. There are thirteen public
|
||||
<acronym>IP</acronym> addresses from the
|
||||
<acronym>ISP</acronym> and ten computers on the network.
|
||||
In this situation, using a router-based firewall is
|
||||
difficult because of subnetting issues. A bridge-based
|
||||
firewall can be configured without any
|
||||
<acronym>IP</acronym> addressing issues.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Network Tap</term>
|
||||
<listitem>
|
||||
<para>A bridge can join two network segments in order to
|
||||
inspect all Ethernet frames that pass between them using
|
||||
&man.bpf.4; and &man.tcpdump.1; on the bridge interface or
|
||||
by sending a copy of all frames out an additional interface
|
||||
known as a span port.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<para>A bridge can join two network segments in order to
|
||||
inspect all Ethernet frames that pass between them using
|
||||
&man.bpf.4; and &man.tcpdump.1; on the bridge interface or
|
||||
by sending a copy of all frames out an additional
|
||||
interface known as a span port.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Layer 2 <acronym>VPN</acronym></term>
|
||||
<listitem>
|
||||
<para>Two Ethernet networks can be joined across an
|
||||
<acronym>IP</acronym> link by bridging the networks to an
|
||||
EtherIP tunnel or a &man.tap.4; based solution such as
|
||||
<application>OpenVPN</application>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<para>Two Ethernet networks can be joined across an
|
||||
<acronym>IP</acronym> link by bridging the networks to an
|
||||
EtherIP tunnel or a &man.tap.4; based solution such as
|
||||
<application>OpenVPN</application>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Layer 2 Redundancy</term>
|
||||
<listitem>
|
||||
<para>A network can be connected together with multiple links
|
||||
and use the Spanning Tree Protocol (<acronym>STP</acronym>)
|
||||
to block redundant paths.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
<para>A network can be connected together with multiple
|
||||
links and use the Spanning Tree Protocol
|
||||
(<acronym>STP</acronym>) to block redundant paths.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>This section describes how to configure a &os; system as a
|
||||
bridge using &man.if.bridge.4;.
|
||||
A netgraph bridging driver is also available, and is described
|
||||
in &man.ng.bridge.4;.</para>
|
||||
<para>This section describes how to configure a &os; system as a
|
||||
bridge using &man.if.bridge.4;. A netgraph bridging driver is
|
||||
also available, and is described in &man.ng.bridge.4;.</para>
|
||||
|
||||
<note>
|
||||
<note>
|
||||
<para>Packet filtering can be used with any firewall package
|
||||
that hooks into the &man.pfil.9; framework. The bridge can be used as a traffic shaper with
|
||||
&man.altq.4; or &man.dummynet.4;.</para>
|
||||
</note>
|
||||
that hooks into the &man.pfil.9; framework. The bridge can be
|
||||
used as a traffic shaper with &man.altq.4; or
|
||||
&man.dummynet.4;.</para>
|
||||
</note>
|
||||
|
||||
<sect2>
|
||||
<title>Enabling the Bridge</title>
|
||||
|
||||
<para>In &os;, &man.if.bridge.4; is a kernel module which is
|
||||
automatically loaded by &man.ifconfig.8; when creating a
|
||||
bridge interface. It is also possible to compile bridge support
|
||||
into a custom kernel by adding <literal>device if_bridge</literal>
|
||||
to the custom kernel configuration file.</para>
|
||||
bridge interface. It is also possible to compile bridge
|
||||
support into a custom kernel by adding
|
||||
<literal>device if_bridge</literal> to the custom kernel
|
||||
configuration file.</para>
|
||||
|
||||
<para>The bridge is created using interface cloning. To create
|
||||
the bridge interface:</para>
|
||||
|
@ -2968,19 +2970,18 @@ bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
|
|||
The other parameters control how <acronym>STP</acronym>
|
||||
operates.</para>
|
||||
|
||||
<para>Next, specify which network interfaces to add as members of the bridge.
|
||||
For the bridge to forward packets, all member interfaces and
|
||||
the bridge need to be up:</para>
|
||||
<para>Next, specify which network interfaces to add as members
|
||||
of the bridge. For the bridge to forward packets, all member
|
||||
interfaces and the bridge need to be up:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 up</userinput>
|
||||
&prompt.root; <userinput>ifconfig fxp0 up</userinput>
|
||||
&prompt.root; <userinput>ifconfig fxp1 up</userinput></screen>
|
||||
|
||||
<para>The bridge can now forward Ethernet frames between
|
||||
<filename>fxp0</filename> and
|
||||
<filename>fxp1</filename>. Add the following lines to
|
||||
<filename>/etc/rc.conf</filename> so the bridge is created
|
||||
at startup:</para>
|
||||
<filename>fxp0</filename> and <filename>fxp1</filename>. Add
|
||||
the following lines to <filename>/etc/rc.conf</filename> so
|
||||
the bridge is created at startup:</para>
|
||||
|
||||
<programlisting>cloned_interfaces="bridge0"
|
||||
ifconfig_bridge0="addm fxp0 addm fxp1 up"
|
||||
|
@ -2988,9 +2989,8 @@ ifconfig_fxp0="up"
|
|||
ifconfig_fxp1="up"</programlisting>
|
||||
|
||||
<para>If the bridge host needs an <acronym>IP</acronym>
|
||||
address, set it on the bridge
|
||||
interface, not on the member interfaces.
|
||||
The address can be set statically or via
|
||||
address, set it on the bridge interface, not on the member
|
||||
interfaces. The address can be set statically or via
|
||||
<acronym>DHCP</acronym>. This example sets a static
|
||||
<acronym>IP</acronym> address:</para>
|
||||
|
||||
|
@ -3002,48 +3002,44 @@ ifconfig_fxp1="up"</programlisting>
|
|||
<filename>/etc/rc.conf</filename>.</para>
|
||||
|
||||
<note>
|
||||
<para>When packet filtering is enabled, bridged packets will
|
||||
pass through the filter inbound on the originating interface
|
||||
on the bridge interface, and outbound on the appropriate
|
||||
interfaces. Either stage can be disabled. When direction of
|
||||
the packet flow is important, it is best to firewall on the
|
||||
member interfaces rather than the bridge itself.</para>
|
||||
<para>When packet filtering is enabled, bridged packets will
|
||||
pass through the filter inbound on the originating interface
|
||||
on the bridge interface, and outbound on the appropriate
|
||||
interfaces. Either stage can be disabled. When direction
|
||||
of the packet flow is important, it is best to firewall on
|
||||
the member interfaces rather than the bridge itself.</para>
|
||||
|
||||
<para>The bridge has several configurable settings for passing
|
||||
non-<acronym>IP</acronym> and <acronym>IP</acronym> packets,
|
||||
and layer2 firewalling with &man.ipfw.8;. See
|
||||
&man.if.bridge.4; for more information.</para>
|
||||
<para>The bridge has several configurable settings for passing
|
||||
non-<acronym>IP</acronym> and <acronym>IP</acronym> packets,
|
||||
and layer2 firewalling with &man.ipfw.8;. See
|
||||
&man.if.bridge.4; for more information.</para>
|
||||
</note>
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Enabling Spanning Tree</title>
|
||||
|
||||
<para>For an Ethernet network to
|
||||
function properly, only one active path can exist between
|
||||
two devices. The <acronym>STP</acronym> protocol detects loops and
|
||||
puts redundant links into a blocked state. Should one
|
||||
of the active links fail, <acronym>STP</acronym>
|
||||
calculates a different tree and enables one of the blocked
|
||||
paths to restore connectivity to all points in the
|
||||
network.</para>
|
||||
<para>For an Ethernet network to function properly, only one
|
||||
active path can exist between two devices. The
|
||||
<acronym>STP</acronym> protocol detects loops and puts
|
||||
redundant links into a blocked state. Should one of the
|
||||
active links fail, <acronym>STP</acronym> calculates a
|
||||
different tree and enables one of the blocked paths to restore
|
||||
connectivity to all points in the network.</para>
|
||||
|
||||
<para>The Rapid Spanning Tree
|
||||
Protocol (<acronym>RSTP</acronym> or 802.1w) provides backwards
|
||||
compatibility with legacy <acronym>STP</acronym>.
|
||||
<acronym>RSTP</acronym> provides
|
||||
faster convergence and
|
||||
exchanges information with neighboring switches
|
||||
to quickly transition to forwarding mode without creating loops.
|
||||
&os; supports <acronym>RSTP</acronym> and
|
||||
<para>The Rapid Spanning Tree Protocol (<acronym>RSTP</acronym>
|
||||
or 802.1w) provides backwards compatibility with legacy
|
||||
<acronym>STP</acronym>. <acronym>RSTP</acronym> provides
|
||||
faster convergence and exchanges information with neighboring
|
||||
switches to quickly transition to forwarding mode without
|
||||
creating loops. &os; supports <acronym>RSTP</acronym> and
|
||||
<acronym>STP</acronym> as operating modes, with
|
||||
<acronym>RSTP</acronym> being the default mode.</para>
|
||||
|
||||
<para><acronym>STP</acronym> can be enabled on member interfaces
|
||||
using &man.ifconfig.8;. For a bridge with
|
||||
<filename>fxp0</filename> and
|
||||
<filename>fxp1</filename> as the current interfaces,
|
||||
enable <acronym>STP</acronym> with:</para>
|
||||
<filename>fxp0</filename> and <filename>fxp1</filename> as the
|
||||
current interfaces, enable <acronym>STP</acronym> with:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 stp fxp0 stp fxp1</userinput>
|
||||
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
|
||||
|
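Review bot: the reflowed `<note>` paragraph in this hunk keeps a confusing phrase: "bridged packets will pass through the filter inbound on the originating interface on the bridge interface, and outbound on the appropriate interfaces" reads as if one interface sat on another. If the intent is that a bridged frame is filtered at three points (inbound on the member interface it arrived on, then on the bridge interface, then outbound on the member interface it leaves by), a comma or "then on the bridge interface" would make that explicit, which matters because the next sentence tells readers to filter on member interfaces when direction is important. Same paragraph group, "layer2 firewalling" should read "layer 2 firewalling". Both are wording fixes, so they belong in a follow-up rather than in this whitespace-only commit; the rewrap itself matches the old text line for line apart from the breaks.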
@ -3088,163 +3084,163 @@ bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1
|
|||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Bridge Interface Parameters</title>
|
||||
<title>Bridge Interface Parameters</title>
|
||||
|
||||
<para>Several <command>ifconfig</command> parameters are unique
|
||||
to bridge interfaces. This section summarizes some common
|
||||
uses for these parameters. The complete list of available parameters is
|
||||
described in &man.ifconfig.8;.</para>
|
||||
<para>Several <command>ifconfig</command> parameters are unique
|
||||
to bridge interfaces. This section summarizes some common
|
||||
uses for these parameters. The complete list of available
|
||||
parameters is described in &man.ifconfig.8;.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>private</term>
|
||||
<listitem>
|
||||
<para>A private interface does not forward any traffic to any
|
||||
other port that is also designated as a private interface. The traffic is
|
||||
blocked unconditionally so no Ethernet frames will be
|
||||
forwarded, including <acronym>ARP</acronym> packets. If traffic
|
||||
needs to be selectively blocked, a firewall should be used
|
||||
instead.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>private</term>
|
||||
<listitem>
|
||||
<para>A private interface does not forward any traffic to
|
||||
any other port that is also designated as a private
|
||||
interface. The traffic is blocked unconditionally so no
|
||||
Ethernet frames will be forwarded, including
|
||||
<acronym>ARP</acronym> packets. If traffic needs to be
|
||||
selectively blocked, a firewall should be used
|
||||
instead.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>span</term>
|
||||
<listitem>
|
||||
<para>A span port transmits a copy of every Ethernet frame received by the bridge.
|
||||
The number
|
||||
of span ports configured on a bridge is unlimited, but if an
|
||||
interface is designated as a span port, it cannot also be
|
||||
used as a regular bridge port. This is most useful for
|
||||
snooping a bridged network passively on another host
|
||||
connected to one of the span ports of the bridge. For
|
||||
example, to send a copy of all frames out the interface named
|
||||
<filename>fxp4</filename>:</para>
|
||||
<varlistentry>
|
||||
<term>span</term>
|
||||
<listitem>
|
||||
<para>A span port transmits a copy of every Ethernet frame
|
||||
received by the bridge. The number of span ports
|
||||
configured on a bridge is unlimited, but if an
|
||||
interface is designated as a span port, it cannot also
|
||||
be used as a regular bridge port. This is most useful
|
||||
for snooping a bridged network passively on another host
|
||||
connected to one of the span ports of the bridge. For
|
||||
example, to send a copy of all frames out the interface
|
||||
named <filename>fxp4</filename>:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 span fxp4</userinput></screen>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 span fxp4</userinput></screen>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>sticky</term>
|
||||
<listitem>
|
||||
<para>If a bridge member interface is marked as sticky,
|
||||
dynamically learned address entries are treated at static
|
||||
entries in the forwarding cache. Sticky entries are
|
||||
never aged out of the cache or replaced, even if the address
|
||||
is seen on a different interface. This gives the benefit of
|
||||
static address entries without the need to pre-populate the
|
||||
forwarding table. Clients learned on a particular segment
|
||||
of the bridge can not roam to another segment.</para>
|
||||
<varlistentry>
|
||||
<term>sticky</term>
|
||||
<listitem>
|
||||
<para>If a bridge member interface is marked as sticky,
|
||||
dynamically learned address entries are treated at
|
||||
static entries in the forwarding cache. Sticky entries
|
||||
are never aged out of the cache or replaced, even if the
|
||||
address is seen on a different interface. This gives
|
||||
the benefit of static address entries without the need
|
||||
to pre-populate the forwarding table. Clients learned
|
||||
on a particular segment of the bridge can not roam to
|
||||
another segment.</para>
|
||||
|
||||
<para>An example of using sticky addresses is to combine
|
||||
the bridge with <acronym>VLAN</acronym>s in order to isolate
|
||||
customer networks without wasting
|
||||
<acronym>IP</acronym> address space. Consider that
|
||||
<systemitem class="fqdomainname">CustomerA</systemitem> is
|
||||
on <literal>vlan100</literal>, <systemitem
|
||||
class="fqdomainname">CustomerB</systemitem> is on
|
||||
<literal>vlan101</literal>, and the bridge has the address
|
||||
<systemitem class="ipaddress">192.168.0.1</systemitem>:</para>
|
||||
<para>An example of using sticky addresses is to combine
|
||||
the bridge with <acronym>VLAN</acronym>s in order to
|
||||
isolate customer networks without wasting
|
||||
<acronym>IP</acronym> address space. Consider that
|
||||
<systemitem class="fqdomainname">CustomerA</systemitem>
|
||||
is on <literal>vlan100</literal>, <systemitem
|
||||
class="fqdomainname">CustomerB</systemitem> is on
|
||||
<literal>vlan101</literal>, and the bridge has the
|
||||
address <systemitem
|
||||
class="ipaddress">192.168.0.1</systemitem>:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101</userinput>
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101</userinput>
|
||||
&prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen>
|
||||
|
||||
<para>In this example, both clients see <systemitem
|
||||
class="ipaddress">192.168.0.1</systemitem> as their
|
||||
default gateway. Since the bridge cache is sticky, one host
|
||||
can not spoof the <acronym>MAC</acronym> address of the
|
||||
other customer in order to intercept their traffic.</para>
|
||||
<para>In this example, both clients see <systemitem
|
||||
class="ipaddress">192.168.0.1</systemitem> as their
|
||||
default gateway. Since the bridge cache is sticky, one
|
||||
host can not spoof the <acronym>MAC</acronym> address of
|
||||
the other customer in order to intercept their
|
||||
traffic.</para>
|
||||
|
||||
<para>Any communication between the <acronym>VLAN</acronym>s
|
||||
can be blocked using a firewall or, as seen in this example,
|
||||
private interfaces:</para>
|
||||
<para>Any communication between the
|
||||
<acronym>VLAN</acronym>s can be blocked using a firewall
|
||||
or, as seen in this example, private interfaces:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 private vlan100 private vlan101</userinput></screen>
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 private vlan100 private vlan101</userinput></screen>
|
||||
|
||||
<para>The customers are completely isolated from each other
|
||||
and the full <systemitem class="netmask">/24</systemitem>
|
||||
address range can be allocated without subnetting.</para>
|
||||
<para>The customers are completely isolated from each
|
||||
other and the full <systemitem
|
||||
class="netmask">/24</systemitem> address range can be
|
||||
allocated without subnetting.</para>
|
||||
|
||||
<para>The number of unique source <acronym>MAC</acronym>
|
||||
addresses behind an interface can be limited. Once the
|
||||
limit is reached, packets with unknown source addresses
|
||||
are dropped until an existing host cache entry expires or
|
||||
is removed.</para>
|
||||
<para>The number of unique source <acronym>MAC</acronym>
|
||||
addresses behind an interface can be limited. Once the
|
||||
limit is reached, packets with unknown source addresses
|
||||
are dropped until an existing host cache entry expires
|
||||
or is removed.</para>
|
||||
|
||||
<para>The following example sets the maximum number of
|
||||
Ethernet devices for <systemitem
|
||||
class="fqdomainname">CustomerA</systemitem> on
|
||||
<literal>vlan100</literal> to 10:</para>
|
||||
<para>The following example sets the maximum number of
|
||||
Ethernet devices for <systemitem
|
||||
class="fqdomainname">CustomerA</systemitem> on
|
||||
<literal>vlan100</literal> to 10:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 ifmaxaddr vlan100 10</userinput></screen>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Bridge interfaces also support monitor mode, where the packets are
|
||||
discarded after &man.bpf.4; processing and are not
|
||||
processed or forwarded further. This can be used to
|
||||
multiplex the input of two or more interfaces into a single
|
||||
&man.bpf.4; stream. This is useful for reconstructing the
|
||||
traffic for network taps that transmit the RX/TX signals out
|
||||
through two separate interfaces. For example,
|
||||
to read the input from four network interfaces as one
|
||||
stream:</para>
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 ifmaxaddr vlan100 10</userinput></screen>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up</userinput>
|
||||
&prompt.root; <userinput>tcpdump -i bridge0</userinput></screen>
|
||||
</sect2>
|
||||
<para>Bridge interfaces also support monitor mode, where the
|
||||
packets are discarded after &man.bpf.4; processing and are not
|
||||
processed or forwarded further. This can be used to
|
||||
multiplex the input of two or more interfaces into a single
|
||||
&man.bpf.4; stream. This is useful for reconstructing the
|
||||
traffic for network taps that transmit the RX/TX signals out
|
||||
through two separate interfaces. For example, to read the
|
||||
input from four network interfaces as one stream:</para>
|
||||
|
||||
<sect2>
|
||||
<title><acronym>SNMP</acronym> Monitoring</title>
|
||||
<screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up</userinput>
|
||||
&prompt.root; <userinput>tcpdump -i bridge0</userinput></screen>
|
||||
</sect2>
|
||||
|
||||
<para>The bridge interface and <acronym>STP</acronym>
|
||||
parameters can be monitored via &man.bsnmpd.1; which is
|
||||
included in the &os; base system. The exported bridge
|
||||
<acronym>MIB</acronym>s conform to
|
||||
<acronym>IETF</acronym> standards so any
|
||||
<acronym>SNMP</acronym> client or monitoring package can be
|
||||
used to retrieve the data.</para>
|
||||
<sect2>
|
||||
<title><acronym>SNMP</acronym> Monitoring</title>
|
||||
|
||||
<para>To enable monitoring on the bridge, uncomment this
|
||||
line in
|
||||
<filename>/etc/snmp.config</filename> by removing the
|
||||
beginning <literal>#</literal> symbol:</para>
|
||||
<para>The bridge interface and <acronym>STP</acronym>
|
||||
parameters can be monitored via &man.bsnmpd.1; which is
|
||||
included in the &os; base system. The exported bridge
|
||||
<acronym>MIB</acronym>s conform to <acronym>IETF</acronym>
|
||||
standards so any <acronym>SNMP</acronym> client or monitoring
|
||||
package can be used to retrieve the data.</para>
|
||||
|
||||
<para>To enable monitoring on the bridge, uncomment this line in
|
||||
<filename>/etc/snmp.config</filename> by removing the
|
||||
beginning <literal>#</literal> symbol:</para>
|
||||
|
||||
<programlisting>begemotSnmpdModulePath."bridge" = "/usr/lib/snmp_bridge.so"</programlisting>
|
||||
|
||||
<programlisting>begemotSnmpdModulePath."bridge" = "/usr/lib/snmp_bridge.so"</programlisting>
|
||||
|
||||
<para>Other configuration settings, such as community
|
||||
names and access lists, may need to be modified in this file. See
|
||||
&man.bsnmpd.1; and &man.snmp.bridge.3; for more
|
||||
information. Once these edits are saved, add this line to
|
||||
<filename>/etc/rc.conf</filename>:</para>
|
||||
|
||||
<programlisting>bsnmpd_enable="YES"</programlisting>
|
||||
|
||||
<para>Then, start
|
||||
&man.bsnmpd.1;:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service bsnmpd start</userinput></screen>
|
||||
<para>Other configuration settings, such as community names and
|
||||
access lists, may need to be modified in this file. See
|
||||
&man.bsnmpd.1; and &man.snmp.bridge.3; for more information.
|
||||
Once these edits are saved, add this line to
|
||||
<filename>/etc/rc.conf</filename>:</para>
|
||||
|
||||
<para>The following examples use the
|
||||
<application>Net-SNMP</application> software
|
||||
(<package>net-mgmt/net-snmp</package>) to query a bridge
|
||||
from a client system. The
|
||||
<package>net-mgmt/bsnmptools</package> port can also be
|
||||
used. From the <acronym>SNMP</acronym> client which is
|
||||
running <application>Net-SNMP</application>, add the
|
||||
following lines to
|
||||
<filename>$HOME/.snmp/snmp.conf</filename> in order to
|
||||
import the bridge <acronym>MIB</acronym> definitions:</para>
|
||||
<programlisting>bsnmpd_enable="YES"</programlisting>
|
||||
|
||||
<programlisting>mibdirs +/usr/share/snmp/mibs
|
||||
<para>Then, start &man.bsnmpd.1;:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service bsnmpd start</userinput></screen>
|
||||
|
||||
<para>The following examples use the
|
||||
<application>Net-SNMP</application> software
|
||||
(<package>net-mgmt/net-snmp</package>) to query a bridge
|
||||
from a client system. The
|
||||
<package>net-mgmt/bsnmptools</package> port can also be used.
|
||||
From the <acronym>SNMP</acronym> client which is running
|
||||
<application>Net-SNMP</application>, add the following lines
|
||||
to <filename>$HOME/.snmp/snmp.conf</filename> in order to
|
||||
import the bridge <acronym>MIB</acronym> definitions:</para>
|
||||
|
||||
<programlisting>mibdirs +/usr/share/snmp/mibs
|
||||
mibs +BRIDGE-MIB:RSTP-MIB:BEGEMOT-MIB:BEGEMOT-BRIDGE-MIB</programlisting>
|
||||
|
||||
<para>To monitor a single bridge using the IETF BRIDGE-MIB
|
||||
(RFC4188):</para>
|
||||
<para>To monitor a single bridge using the IETF BRIDGE-MIB
|
||||
(RFC4188):</para>
|
||||
|
||||
<screen>&prompt.user; <userinput>snmpwalk -v 2c -c public bridge1.example.com mib-2.dot1dBridge</userinput>
|
||||
<screen>&prompt.user; <userinput>snmpwalk -v 2c -c public bridge1.example.com mib-2.dot1dBridge</userinput>
|
||||
BRIDGE-MIB::dot1dBaseBridgeAddress.0 = STRING: 66:fb:9b:6e:5c:44
|
||||
BRIDGE-MIB::dot1dBaseNumPorts.0 = INTEGER: 1 ports
|
||||
BRIDGE-MIB::dot1dStpTimeSinceTopologyChange.0 = Timeticks: (189959) 0:31:39.59 centi-seconds
|
||||
|
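Review bot: the rewrapped "sticky" entry carries over the typo "dynamically learned address entries are treated at static entries" (should be "treated as static entries"), and "can not roam" in the same paragraph would normally be "cannot roam". Since this commit is whitespace-only, please leave them for a follow-up commit rather than mixing content changes into this one; the reflowed `<varlistentry>` text and the `<screen>` examples (`ifconfig bridge0 addm vlan100 sticky vlan100 ...`, `ifconfig bridge0 private vlan100 private vlan101`, `ifconfig bridge0 ifmaxaddr vlan100 10`) are otherwise identical to the old side apart from line breaks.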
@ -3261,18 +3257,18 @@ BRIDGE-MIB::dot1dStpPortDesignatedPort.3 = Hex-STRING: 03 80
|
|||
BRIDGE-MIB::dot1dStpPortForwardTransitions.3 = Counter32: 1
|
||||
RSTP-MIB::dot1dStpVersion.0 = INTEGER: rstp(2)</screen>
|
||||
|
||||
<para>The <literal>dot1dStpTopChanges.0</literal> value is
|
||||
two, indicating that the <acronym>STP</acronym> bridge
|
||||
topology has changed twice. A topology change means that
|
||||
one or more links in the network have changed or failed
|
||||
and a new tree has been calculated. The
|
||||
<literal>dot1dStpTimeSinceTopologyChange.0</literal> value
|
||||
will show when this happened.</para>
|
||||
<para>The <literal>dot1dStpTopChanges.0</literal> value is two,
|
||||
indicating that the <acronym>STP</acronym> bridge topology has
|
||||
changed twice. A topology change means that one or more links
|
||||
in the network have changed or failed and a new tree has been
|
||||
calculated. The
|
||||
<literal>dot1dStpTimeSinceTopologyChange.0</literal> value
|
||||
will show when this happened.</para>
|
||||
|
||||
<para>To monitor multiple bridge interfaces, the private
|
||||
BEGEMOT-BRIDGE-MIB can be used:</para>
|
||||
<para>To monitor multiple bridge interfaces, the private
|
||||
BEGEMOT-BRIDGE-MIB can be used:</para>
|
||||
|
||||
<screen>&prompt.user; <userinput>snmpwalk -v 2c -c public bridge1.example.com</userinput>
|
||||
<screen>&prompt.user; <userinput>snmpwalk -v 2c -c public bridge1.example.com</userinput>
|
||||
enterprises.fokus.begemot.begemotBridge
|
||||
BEGEMOT-BRIDGE-MIB::begemotBridgeBaseName."bridge0" = STRING: bridge0
|
||||
BEGEMOT-BRIDGE-MIB::begemotBridgeBaseName."bridge2" = STRING: bridge2
|
||||
|
@ -3288,10 +3284,10 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeStpTopChanges."bridge2" = Counter32: 1
|
|||
BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesignatedRoot."bridge0" = Hex-STRING: 80 00 00 40 95 30 5E 31
|
||||
BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesignatedRoot."bridge2" = Hex-STRING: 80 00 00 50 8B B8 C6 A9</screen>
|
||||
|
||||
<para>To change the bridge interface being monitored via the
|
||||
<literal>mib-2.dot1dBridge</literal> subtree:</para>
|
||||
<para>To change the bridge interface being monitored via the
|
||||
<literal>mib-2.dot1dBridge</literal> subtree:</para>
|
||||
|
||||
<screen>&prompt.user; <userinput>snmpset -v 2c -c private bridge1.example.com</userinput>
|
||||
<screen>&prompt.user; <userinput>snmpset -v 2c -c private bridge1.example.com</userinput>
|
||||
BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
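Review bot: the `snmpset -v 2c -c private bridge1.example.com` example issues a write using the default write community over SNMPv2c, which is sent in cleartext. The paragraph earlier in this file already says community names and access lists "may need to be modified", so a one-line reminder next to this example that the write community should be changed from the default (and restricted by the access list) before bsnmpd is reachable from other hosts would help readers. Documentation follow-up only; nothing to change in this whitespace-only commit, whose two sides of the hunk match apart from line breaks.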