How Do Switches And Bridges Learn Where Devices Are Located
bridge
A bridge is a way to connect two Ethernet segments together in a protocol independent fashion. Packets are forwarded based on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.
The Linux bridge code implements a subset of the ANSI/IEEE 802.1d standard [1]. The original Linux bridging was first done in Linux 2.2, then rewritten by Lennert Buytenhek. The code for bridging has been integrated into the 2.4 and 2.6 kernel series.
Bridging and Firewalling
A Linux bridge is more powerful than a pure hardware bridge because it can also filter and shape traffic. The combination of bridging and firewalling is done with the companion project ebtables.
Status
The code is updated as part of the 2.4 and 2.6 kernels available at kernel.org.
Possible future enhancements are:
- Document STP filtering
- Netlink interface to control bridges (prototype in 2.6.18)
- STP should be in user space
- Support RSTP and other 802.1d STP extensions
Downloading
Kernel Configuration
You need to enable bridging in the kernel. Set "networking → 802.1d Ethernet Bridging" to either yes or module
Manual Configuration
Network cards
Before you start, make sure both network cards are set up and working properly. Don't set the IP address, and don't let the startup scripts run DHCP on the Ethernet interfaces either. The IP address needs to be set after the bridge has been configured.
The command ifconfig should show both network cards, and they should be DOWN.
Module loading
In most cases, the bridge code is built as a module. If the module is configured and installed correctly, it will get automatically loaded on the first brctl command.
If your bridge-utilities have been correctly built and your kernel and bridge module are OK, then issuing a brctl should show a small command synopsis.
# brctl
# commands:
        addbr           <bridge>                add bridge
        delbr           <bridge>                delete bridge
        addif           <bridge> <device>       add interface to bridge
        delif           <bridge> <device>       delete interface from bridge
        setageing       <bridge> <time>         set ageing time
        setbridgeprio   <bridge> <prio>         set bridge priority
        setfd           <bridge> <time>         set bridge forward delay
        sethello        <bridge> <time>         set hello time
        setmaxage       <bridge> <time>         set max message age
        setpathcost     <bridge> <port> <cost>  set path cost
        setportprio     <bridge> <port> <prio>  set port priority
        show                                    show a list of bridges
        showmacs        <bridge>                show a list of mac addrs
        showstp         <bridge>                show bridge stp info
        stp             <bridge> <state>        turn stp on/off
Creating a bridge device
The command
brctl addbr "bridgename"
creates a logical bridge instance with the name bridgename. You will need at least one logical instance to do any bridging at all. You can interpret the logical bridge as a container for the interfaces taking part in the bridging. Each bridging instance is represented by a new network interface.
The corresponding shutdown command is:
brctl delbr bridgename
Adding devices to a bridge
The command
brctl addif bridgename device
adds the network device device to take part in the bridging of "bridgename". All the devices contained in a bridge act as one big network. It is not possible to add a device to multiple bridges or to bridge a bridge device, because it just wouldn't make any sense! When a device is added, the bridge takes a short amount of time to learn the Ethernet addresses on the segment before it starts forwarding.
The corresponding command to take an interface out of the bridge is:
brctl delif bridgename device
Showing devices in a bridge
The brctl show command gives you a summary of the overall bridge status and the instances running, as shown below:
# brctl addbr br549
# brctl addif br549 eth0
# brctl addif br549 eth1
# brctl show
bridge name     bridge id               STP enabled     interfaces
br549           8000.00004c9f0bd2       no              eth0
                                                        eth1
Once a bridge is running, brctl showmacs will show information about the network addresses of the traffic being forwarded (and of the bridge itself).
# brctl showmacs br549
port no mac addr                is local?       ageing timer
  1     00:00:4c:9f:0b:ae       no                17.84
  1     00:00:4c:9f:0b:d2       yes                0.00
  2     00:00:4c:9f:0b:d3       yes                0.00
  1     00:02:55:1a:35:09       no                53.84
  1     00:02:55:1a:82:87       no                11.53
...
The ageing time is the number of seconds a MAC address will be kept in the forwarding database after a packet has been received from that MAC address. The entries in the forwarding database are periodically timed out to ensure they won't stay around forever. Normally there should be no need to change this parameter, but it can be changed with the following command (time is in seconds):
# brctl setageing bridgename time
Setting ageing time to zero makes all entries permanent.
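The forwarding database above is what the bridge uses to decide where a frame goes, so it is worth auditing from time to time. The following shell functions, an added example that is not part of the wiki page, parse `brctl showmacs` output (a constructed sample in the same layout is embedded) to count learned addresses per port and to list entries that are close to ageing out:

```shell
# Added example (not from the wiki): audit a bridge's forwarding database from
# "brctl showmacs" output. Helps spot ports that have learned unusually many
# addresses and entries the bridge has not heard from recently.

# Constructed sample in the layout brctl prints (port, MAC, is-local, ageing
# timer in seconds). The values match the page's br549 listing.
SAMPLE_SHOWMACS='port no mac addr          is local?  ageing timer
  1     00:00:4c:9f:0b:ae no           17.84
  1     00:00:4c:9f:0b:d2 yes           0.00
  2     00:00:4c:9f:0b:d3 yes           0.00
  1     00:02:55:1a:35:09 no           53.84
  1     00:02:55:1a:82:87 no           11.53'

# Number of learned (non-local) addresses per port. Reads showmacs output on
# stdin and prints "<port> <count>", one line per port, sorted by port.
fdb_learned_per_port() {
    awk 'NR > 1 { if ($3 == "no") n[$1]++; else n[$1] += 0 }
         END { for (p in n) printf "%s %d\n", p, n[p] }' | sort -n
}

# Learned entries whose ageing timer is at or above $1 seconds, i.e. hosts
# that have been silent for that long. Prints "<mac> <port> <timer>".
fdb_expiring() {
    awk -v lim="$1" 'NR > 1 && $3 == "no" && $4 + 0 >= lim + 0 { print $2, $1, $4 }'
}

# Ports with more than $1 learned addresses. A port wired to another switch
# legitimately shows many; a port with a single end host normally shows one.
fdb_busy_ports() {
    fdb_learned_per_port | awk -v max="$1" '$2 > max { print $1 }'
}

# Live use on a running bridge (needs root and bridge-utils), for example
# to list entries within 50 seconds of the default 300 second ageing time:
#   brctl showmacs br549 | fdb_expiring 250
```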
Spanning Tree Protocol
If you are running multiple or redundant bridges, then you need to enable the Spanning Tree Protocol (STP) to handle multiple hops and avoid cyclic routes.
# brctl stp br549 on
You can see the STP parameters with:
# brctl showstp br549
br549
 bridge id              8000.00004c9f0bd2
 designated root        0000.000480295a00
 root port                 1                    path cost                104
 max age                  20.00                 bridge max age           200.00
 hello time                2.00                 bridge hello time         20.00
 forward delay           150.00                 bridge forward delay      15.00
 ageing time             300.00                 gc interval                0.00
 hello timer               0.00                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   0.33
 flags

eth0 (1)
 port id                8001                    state                forwarding
 designated root        0000.000480295a00       path cost                100
 designated bridge      001e.00048026b901       message age timer         17.84
 designated port        80c1                    forward delay timer        0.00
 designated cost           4                    hold timer                 0.00
 flags

eth1 (2)
 port id                8002                    state                  disabled
 designated root        8000.00004c9f0bd2       path cost                100
 designated bridge      8000.00004c9f0bd2       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags
STP tuning
There are a number of parameters related to the Spanning Tree Protocol that can be configured. The code autodetects the speed of the link and other parameters, so these usually don't need to be changed.
Bridge priority
Each bridge has a relative priority and cost. Each interface is associated with a port (number) in the STP code. Each has a priority and a cost, which are used to determine the shortest path over which to forward a packet. The lowest cost path is always used unless the other path is down. If you have multiple bridges and interfaces then you may need to adjust the priorities to achieve optimum performance.
# brctl setbridgeprio bridgename priority
The bridge with the lowest priority will be elected as the root bridge. The root bridge is the "central" bridge in the spanning tree.
Path priority and cost
Each interface in a bridge could have a different speed, and this value is used when deciding which link to use. Faster interfaces should have lower costs.
# brctl setpathcost bridge port cost
For multiple ports with the same cost there is also a port priority (setportprio in the synopsis above).
Forwarding delay
Forwarding delay time is the time spent in each of the Listening and Learning states before the Forwarding state is entered. This delay is there so that when a new bridge comes onto a busy network it looks at some traffic before participating.
# brctl setfd bridgename time
Hello time
Periodically, a hello packet is sent out by the Root Bridge and the Designated Bridges. Hello packets are used to communicate information about the topology throughout the entire Bridged Local Area Network.
# brctl sethello bridgename time
Max age
If another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead. This timeout is set with:
# brctl setmaxage bridgename time
Multicast (IGMP) snooping
IGMP snooping support is not yet included in bridge-utils or iproute2, but it can be easily controlled through the sysfs interface. For brN, the settings can be found under /sys/devices/virtual/net/brN/bridge.
multicast_snooping
This option allows the user to disable IGMP snooping completely. It also allows the user to re-enable snooping when it has been automatically disabled due to hash collisions. If the collisions have not been resolved, however, the system will refuse to re-enable snooping.
multicast_router
This allows the user to forcibly enable/disable ports as having multicast routers attached. A port with a multicast router will receive all multicast traffic.
The value 0 disables it completely. The default is 1, which lets the system automatically detect the presence of routers (currently this is limited to picking up queries), and 2 means that the ports will always receive all multicast traffic.
Note: this setting can be enabled/disabled on a per-port basis, also through the sysfs interface (e.g. if eth0 is some bridge's active port, then you can adjust /sys/…../eth0/brport/multicast_router).
hash_{max,elasticity}
These settings allow the user to control the hash elasticity/max parameters. The elasticity setting does not take effect until the next new multicast group is added, at which point it is checked; if after rehashing it still can't be satisfied, then snooping will be disabled.
The max setting, on the other hand, takes effect immediately. It must be a power of two and cannot be set to a value less than the current number of multicast group entries. This is the only way to shrink the multicast hash.
remaining multicast_* options
These allow the user to control various values related to IGMP snooping.
More details about the options, some discussions and rationale can be found in http://thread.gmane.org/gmane.linux.network/153338
Sample setup
The basic setup of a bridge is done like this:
# ifconfig eth0 0.0.0.0
# ifconfig eth1 0.0.0.0
# brctl addbr mybridge
# brctl addif mybridge eth0
# brctl addif mybridge eth1
# ifconfig mybridge up
This will set the host up as a pure bridge; it will not have an IP address of its own, so it cannot be remotely accessed (or hacked) via TCP/IP.
Optionally you can configure the virtual interface mybridge to take part in your network. It behaves like one interface (like a normal network card), and you configure it exactly that way, replacing the previous command with something like:
# ifconfig mybridge 192.168.100.5 netmask 255.255.255.0
If you want your bridge to automatically get its IP address from the ADSL modem via DHCP (or a similar configuration), do this:
# ifconfig eth0 0.0.0.0
# ifconfig eth1 0.0.0.0
# brctl addbr mybridge
# brctl addif mybridge eth0
# brctl addif mybridge eth1
# dhclient mybridge
If you do this many times, you may end up with lots of dhclient processes. Either kill them impolitely or learn about omshell(1).
Configuration with /etc/net
In /etc/net we first configure two Ethernet devices, port0 and port1:
# cat >> /etc/net/iftab
port0 mac 00:13:46:66:01:5e
port1 mac 00:13:46:66:01:5f
^D
# mkdir /etc/net/ifaces/port0
# cat > /etc/net/ifaces/port0/options
TYPE=eth
MODULE=via-rhine
^D
# mkdir /etc/net/ifaces/port1
# cat > /etc/net/ifaces/port1/options
TYPE=eth
MODULE=via-rhine
^D
Then we describe the bridge:
# mkdir /etc/net/ifaces/mybridge
# cat > /etc/net/ifaces/mybridge/options
TYPE=bri
HOST='port0 port1'
^D
# cat > /etc/net/ifaces/mybridge/brctl
stp AUTO on
^D
Now we can use "ifup mybridge" to bring it up. port0 and port1 will be brought up automatically.
FAQ
What does a bridge do?
A bridge transparently relays traffic between multiple network interfaces. In plain English this means that a bridge connects two or more physical Ethernets together to form one bigger (logical) Ethernet.
Is it protocol independent?
Yes. The bridge knows nothing about protocols; it only sees Ethernet frames. As such, the bridging functionality is protocol independent, and there should be no trouble relaying IPX, NetBEUI, IP, IPv6, etc.
Why is this code better than a switch?
Please note that this code wasn't written with the intent of having Linux boxes take over from dedicated networking hardware. Don't see the Linux bridging code as a replacement for switches, but rather as an extension of the Linux networking capabilities. Just as there are situations where a Linux router is better than a dedicated router (and vice versa), there are situations where a Linux bridge is better than a dedicated bridge (and vice versa).
Most of the power of the Linux bridging code lies in its flexibility. There is a whole lot of bizarre stuff you can do with Linux already (read the Linux Advanced Routing and Traffic Control document to see some of the possibilities), and the bridging code adds some more filters into the mix.
One of the most significant advantages of a Linux solution over a dedicated solution that comes to mind is Linux' extensive firewalling capabilities. It is possible to use the full functionality of netfilter (iptables) in combination with bridging, which provides way more functionality than most proprietary offerings do.
Why is this code worse than a switch?
In order to act as a bridge, the network device must be placed into promiscuous mode, which means it receives all traffic on a network. On a really busy network, this can eat significant processor bandwidth and memory, slowing the system down. The answer is to set up either a separate dedicated Linux box as the bridge, or to use a hardware switch.
What is the performance of the bridge?
The performance is limited by the network cards used and the processor. A research paper was done by James Yu at DePaul University comparing Linux bridging with a Catalyst switch: Yu-Linux-TSM2004.pdf
My bridge does not show up in traceroute!
It's not supposed to. The operation of a bridge is (supposed to be) fully transparent to the network; the networks that a bridge connects together are actually to be viewed as one large network. That's why the bridge does not show up in traceroute: the packets do not feel like they are crossing a subnet boundary.
For more information on this, read a book about TCP/IP networking.
It doesn't work!
It says: "br_add_bridge: bad address" when I try to add a bridge!
Either your kernel is old (2.2 or earlier), or you forgot to configure Ethernet bridging into your kernel.
No traffic gets through (except ARP and STP)
Your kernel might have Ethernet filtering (ebtables, bridge-nf, arptables) enabled, and traffic gets filtered. The easiest way to disable this is to go to /proc/sys/net/bridge. Check if the bridge-nf-* entries in there are set to 1; in that case, set them to zero and try again. Bear in mind that with these set to 0, iptables and arptables no longer see frames the bridge forwards, so any firewall rules you were relying on for bridged traffic stop applying.
# cd /proc/sys/net/bridge
# ls
bridge-nf-call-arptables  bridge-nf-call-iptables
bridge-nf-call-ip6tables  bridge-nf-filter-vlan-tagged
# for f in bridge-nf-*; do echo 0 > $f; done
Does bridging work on 2.2?
The base kernel for 2.2 did not support the current bridging code. The original development was on 2.2, and there used to be patches available for it. But these patches are no longer maintained.
Are there plans for RSTP (802.1w) support?
Yes, work is being done to integrate RSTP support in a future 2.6 release. The code was done for a version of 2.4 and needs to be cleaned up, tested and updated.
What can be bridged?
Linux bridging is very flexible; the LANs can be either traditional Ethernet devices, or pseudo-devices such as PPP, VPNs or VLANs. The only restrictions are that the devices:
- All devices share the same maximum packet size (MTU). The bridge doesn't fragment packets.
- Devices must look like Ethernet, i.e. have 6 byte source and destination addresses.
- Support promiscuous operation. The bridge needs to be able to receive all network traffic, not just traffic destined for its own address.
- Allow source address spoofing. The bridge must be able to send data over the network as if it came from another host.
Can I practice bridging in combination with netfilter/iptables?
Yes. The code for this is available in most kernels. See the ebtables project.
Does it work with Token Ring, FDDI, or Firewire?
No, the addressing and frame sizes are different.
I keep getting the message **retransmitting tcn bpdu**!
It means that your Linux bridge is retransmitting a Topology Change Notification Bridge Protocol Data Unit (so now you know what the letters are for). Seriously, there is probably another switch (or Linux bridge) nearby that isn't complying with the rules of the spanning tree protocol (which is what bridges speak).
In each bridged local area network, there is one 'main bridge', which is also called the root bridge. You can find out which bridge this is using brctl.
When the topology of a bridged local area network changes (e.g. somebody unplugs a cable between two bridges), the bridge which detects this sends a topology change notification to the root bridge. The root bridge will respond to this by setting a 'topology changed' bit in the hello packets it sends out for the next X seconds (X usually being 30). This way, all bridges will learn of the topology change, so that they can take measures like timing out learned MAC entries faster, for example.
After having sent out a topology change notification, if a bridge does not notice the 'topology changed' bit set in the hello packets received (which in essence serves as the 'acknowledgment' of the topology change notification), it concludes that the topology change notification was lost, so it will retransmit it. However, some bridges run lobotomized implementations of the Spanning Tree Protocol which cause them not to acknowledge topology change notifications. If you have one of those bridges as your root bridge, all of the other bridges will keep retransmitting their topology change notifications, which will lead to these kinds of syslog messages.
There are a number of things you can do:
- Find out which bridge is the root bridge, find out where it is located, and what internetworking software it runs. Please report this info to the mailing list (or to me directly), so that I can keep a blacklist.
- Force the Linux bridge to be the root bridge. See what the priority of the current root bridge is, and use the brctl 'setbridgeprio' command to set the priority of the Linux bridge to 1 lower. (The bridge with the lowest priority always becomes the root bridge.)
- Disable the spanning tree protocol on your Linux bridge altogether. In this case, watch out for bridging loops! If you have loops in your topology, and if no bridge in the loop is running the spanning tree protocol, chaos will come your way, as packets will be forwarded forever. Don't Do This(TM).
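The root election described in the "Bridge priority" section and in the second option above comes down to comparing bridge ids. The following shell functions, an added example that is not part of the wiki page, decide from a constructed inventory of bridge ids who wins, compute the setbridgeprio value that undercuts the current root, and check a `brctl showstp` dump to tell whether the local bridge is root (useful for noticing when an unexpected device has taken over the role):

```shell
# Added example (not from the wiki): who wins the STP root election, and what
# "brctl setbridgeprio" value lets the local Linux bridge win it.

# Constructed inventory, one "<name> <bridge id>" per line as read off each
# bridge's "brctl showstp". A bridge id is <priority, 4 hex digits>.<MAC, 12
# hex digits>; the lowest id is elected root.
SAMPLE_BRIDGES='br549 8000.00004c9f0bd2
core1 8000.00048026b901
upstream 0000.000480295a00'

# Constructed excerpt of "brctl showstp" for br549 (values from this page).
SAMPLE_SHOWSTP='br549
 bridge id              8000.00004c9f0bd2
 designated root        0000.000480295a00
 root port                 1                    path cost                104'

# Name of the root bridge: the lowest bridge id. The ids are fixed-width
# lowercase hex, so a byte-wise sort orders them numerically.
stp_root() {
    awk '{ print tolower($2), $1 }' | LC_ALL=C sort | head -n 1 | awk '{ print $2 }'
}

# Decimal priority encoded in a bridge id, in the form setbridgeprio takes.
stp_prio() {
    hex=${1%%.*}
    echo $((0x$hex))
}

# Priority one lower than the current root's, as the FAQ advises. Fails when
# the root already runs at priority 0, which cannot be undercut.
stp_prio_to_win() {
    p=$(stp_prio "$1") || return 1
    [ "$p" -gt 0 ] || return 1
    echo $((p - 1))
}

# Reads a "brctl showstp" dump on stdin; succeeds only when the bridge is
# itself the root, i.e. its bridge id equals the first "designated root"
# line (later per-port lines may differ, e.g. on a disabled port).
stp_is_root() {
    awk '/^ *bridge id /      { b = $3 }
         /^ *designated root/ { if (r == "") r = $3 }
         END { exit (b != "" && b == r) ? 0 : 1 }'
}

# Live use (needs root and bridge-utils):
#   brctl showstp br549 | stp_is_root && echo "br549 is the root bridge"
```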
It doesn't work with my regular Ethernet card!
Unfortunately, some network cards have buggy drivers that fail under load. The situation is improving, so having a current kernel and network driver can help. Also try swapping with another brand.
Please report all issues to the Bridge mailing list: bridge@osdl.org. If your network card doesn't work (even without bridging) then try the Linux networking mailing list linux-net@vger.kernel.org.
It doesn't work with my Wireless card!
This is a known problem, and it is not caused by the bridge code. Many wireless cards don't allow spoofing of the source address. It is a firmware restriction with some chipsets. You might find some information in the bridge mailing list archives to help.
Has anyone found a way to get around Wavelan not allowing anything but its own MAC address? (answer by Michael Renzmann (mrenzmann at compulan.de))
Well, for 99% of computer users there will never be a way to get rid of this. For this function a special firmware is needed. This firmware can be loaded into the RAM of any WaveLAN card, so it could do its job with bridging. But there is no documentation on the interface available to the public. The only way to reach this is to have a full version of the hcf library which controls every part of the card and also allows accessing the card's RAM. To get this full version Lucent wants to know that it will be a financial win for them, also you have to sign an NDA. So be sure that you most probably won't get access to this piece of software until Lucent changes its mind on this (which I doubt will ever happen).
I still don't understand!!
Doing full bridging of wireless (802.11) requires supporting WDS. The current implementation doesn't do it.
It is possible to do limited wireless to Ethernet functionality with some wireless drivers. This requires the device to be able to support a different sender address and source address. That is what WDS provides.
There are ways to make it work, but it is not always straightforward and you probably won't get it right without a pretty solid understanding of 802.11, its modes, and the frame header format.
I get the error 'too much work in interrupt'
This is because the network card is getting lots of packets. There are a few things you can try. First, build the driver with NAPI support (if it isn't on by default). NAPI means the driver will do the receive processing at soft IRQ, not at the low level interrupt.
If the driver doesn't support NAPI, you can try to increase the amount of work a driver will try to do in an interrupt. For 3c59x this is done with the option max_interrupt_work (so add something like 'options 3c59x max_interrupt_work=10000' to your /etc/modules.conf file); other cards might have similar options.
Does DHCP work over/through a bridge?
The bridge will forward DHCP traffic (broadcasts) and responses. You can also use DHCP to set the local IP address of the bridge pseudo-interface.
One common mistake is that the default bridge forwarding delay setting is 30 seconds. This means that for the first 30 seconds after an interface joins a bridge, it won't send anything. This is because if the bridge is being used in a complex topology, it needs to discover other bridges and not create loops. This problem was one of the reasons for the creation of the Rapid Spanning Tree Protocol (RSTP).
If the bridge is being used standalone (no other bridges nearby), then it is safe to turn the forwarding delay off (set it to zero) before adding an interface to the bridge. Then you can run the DHCP client right away.
# brctl setfd br0 0
# brctl addif br0 eth0
# dhclient eth0
External Links
Source: https://wiki.linuxfoundation.org/networking/bridge