INTRODUCTION
A bridge is a way to connect two Ethernet segments together in a protocol independent way. Packets are forwarded based on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.
The Linux bridge code implements a subset of the ANSI/IEEE 802.1d standard. The original Linux bridging was first done in Linux 2.2, then rewritten by Lennert Buytenhek. The code for bridging has been integrated into 2.4 and 2.6 kernel series.
A Linux bridge is more powerful than a pure hardware bridge because it can also filter and shape traffic.
Kernel Configuration
You need to enable bridging in the kernel. Set “Networking -> 802.1d Ethernet Bridging” to either yes or module.
Manual Configuration
Network cards
Before you start make sure both network cards are set up and working properly. Don’t set the IP address, and don’t let the startup scripts run DHCP on the ethernet interfaces either. The IP address needs to be set after the bridge has been configured.
The command ifconfig should show both network cards, and they should be DOWN.
Module loading
In most cases, the bridge code is built as a module. If the module is configured and installed correctly, it will get automatically loaded on the first brctl command.
If your bridge-utilities have been correctly built and your kernel and bridge-module are OK, then issuing a brctl should show a small command synopsis.
# brctl
Creating a bridge device
The command
# brctl addbr bridgename
creates a logical bridge instance with the name bridgename. You will need at least one logical instance to do any bridging at all. You can think of the logical bridge as a container for the interfaces taking part in the bridging. Each bridging instance is represented by a new network interface. The corresponding shutdown command is:
# brctl delbr bridgename
Adding devices to a bridge
The command
# brctl addif bridgename device
adds the network device device to the bridging of “bridgename”. All the devices contained in a bridge act as one big network. It is not possible to add a device to multiple bridges or to bridge a bridge device, because it just wouldn’t make any sense! When a device is added, the bridge takes a short time to learn the Ethernet addresses on the segment before it starts forwarding. The corresponding command to take an interface out of the bridge is:
# brctl delif bridgename device
Showing devices in a bridge
The brctl show command gives you a summary of the overall bridge status and the running instances:
# brctl show
Once a bridge is running, brctl showmacs shows the network addresses of the traffic being forwarded (and of the bridge itself):
# brctl showmacs bridgename
NOTE: The ageing time is the number of seconds a MAC address is kept in the forwarding database after a packet has been received from that MAC address. Entries in the forwarding database are periodically timed out so that they do not stay around forever. Normally there should be no need to modify this parameter, but it can be changed with (time is in seconds):
# brctl setageing bridgename time
Setting the ageing time to zero makes all entries permanent.
Spanning Tree Protocol
If you are running multiple or redundant bridges, then you need to enable the Spanning Tree Protocol (STP) to handle multiple hops and avoid cyclic routes.
# brctl stp br0 on
You can see the STP parameters with:
# brctl showstp br0
br0
bridge id 8000.00004c9f0bd2
designated root 0000.000480295a00
root port 1 path cost 104
max age 20.00 bridge max age 200.00
hello time 2.00 bridge hello time 20.00
forward delay 150.00 bridge forward delay 15.00
ageing time 300.00 gc interval 0.00
hello timer 0.00 tcn timer 0.00
topology change timer 0.00 gc timer 0.33
flags
eth0 (1)
port id 8001 state forwarding
designated root 0000.000480295a00 path cost 100
designated bridge 001e.00048026b901 message age timer 17.84
designated port 80c1 forward delay timer 0.00
designated cost 4 hold timer 0.00
flags
eth1 (2)
port id 8002 state disabled
designated root 8000.00004c9f0bd2 path cost 100
designated bridge 8000.00004c9f0bd2 message age timer 0.00
designated port 8002 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
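A defender who runs redundant bridges usually wants the showstp output above checked automatically rather than read by eye: a port that unexpectedly leaves the forwarding state, or a root bridge election that moves away from the bridge you expect, is worth an alert. The following is an added example, not code from the original page; the functions read brctl showstp text on stdin, and SAMPLE_SHOWSTP is the output quoted above, embedded as constructed input so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): parsers for "brctl showstp" output.
# SAMPLE_SHOWSTP is the page's quoted output, embedded here as constructed test input.
SAMPLE_SHOWSTP='br0
bridge id 8000.00004c9f0bd2
designated root 0000.000480295a00
root port 1 path cost 104
max age 20.00 bridge max age 200.00
hello time 2.00 bridge hello time 20.00
forward delay 150.00 bridge forward delay 15.00
ageing time 300.00 gc interval 0.00
hello timer 0.00 tcn timer 0.00
topology change timer 0.00 gc timer 0.33
flags
eth0 (1)
port id 8001 state forwarding
designated root 0000.000480295a00 path cost 100
designated bridge 001e.00048026b901 message age timer 17.84
designated port 80c1 forward delay timer 0.00
designated cost 4 hold timer 0.00
flags
eth1 (2)
port id 8002 state disabled
designated root 8000.00004c9f0bd2 path cost 100
designated bridge 8000.00004c9f0bd2 message age timer 0.00
designated port 8002 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags'

# Print "<port> <state>" for every port section; a header such as "eth0 (1)" starts a section.
stp_port_states() {
    awk '
        /^[^ \t][^ \t]* \([0-9]+\)/ { port = $1; next }
        port != "" { for (i = 1; i < NF; i++) if ($i == "state") print port, $(i + 1) }
    '
}

# Print "root" when the bridge id equals the designated root, else "nonroot <root id>".
# Only the bridge-level block (before the first port section) is consulted.
stp_root_status() {
    awk '
        /^[^ \t][^ \t]* \([0-9]+\)/ { inport = 1 }
        !inport && $1 == "bridge" && $2 == "id" { bid = $3 }
        !inport && $1 == "designated" && $2 == "root" { droot = $3 }
        END { if (bid != "" && bid == droot) print "root"; else print "nonroot " droot }
    '
}

# Return 1 and name every port that is not forwarding (disabled, blocking, or still
# listening/learning after a topology change); return 0 when all ports forward.
stp_check_forwarding() {
    bad=$(stp_port_states | awk '$2 != "forwarding" { printf "%s=%s ", $1, $2 }')
    if [ -n "$bad" ]; then
        echo "ports not forwarding: $bad" >&2
        return 1
    fi
    return 0
}

demo() {
    printf '%s\n' "$SAMPLE_SHOWSTP" | stp_root_status
    printf '%s\n' "$SAMPLE_SHOWSTP" | stp_port_states
    printf '%s\n' "$SAMPLE_SHOWSTP" | stp_check_forwarding || echo "(expected for the sample: eth1 is disabled)"
}

# Stand-alone: "sh stpcheck.sh demo" runs against the sample. On a real host, source
# this file and run: brctl showstp br0 | stp_check_forwarding
if [ "${1:-}" = "demo" ]; then demo; fi
```

On the page's sample the bridge is not the root (its bridge id 8000.00004c9f0bd2 differs from the designated root 0000.000480295a00) and eth1 is disabled, so stp_check_forwarding returns 1; a disabled port is normal when the link is down, so the check is a prompt to look, not proof of a fault.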
STP tuning
There are a number of parameters related to the Spanning Tree Protocol that can be configured. The code autodetects the speed of the link and other parameters, so these usually don’t need to be changed.
Bridge priority
Each bridge has a relative priority and cost. Each interface is associated with a port (number) in the STP code. Each has a priority and a cost that are used to decide which is the shortest path for forwarding a packet. The lowest-cost path is always used unless it is down. If you have multiple bridges and interfaces, you may need to adjust the priorities to achieve optimum performance.
# brctl setbridgeprio bridgename priority
The bridge with the lowest priority value is elected as the root bridge. The root bridge is the “central” bridge in the spanning tree.
Path priority and cost
Each interface in a bridge can have a different speed, and this value is used when deciding which link to use. Faster interfaces should have lower costs.
# brctl setpathcost bridge port cost
For multiple ports with the same cost there is also a port priority:
# brctl setportprio bridge port priority
Forwarding delay
The forwarding delay is the time spent in each of the Listening and Learning states before the Forwarding state is entered. The delay ensures that a bridge newly attached to a busy network observes some traffic before it starts participating.
# brctl setfd bridgename time
Hello time
Periodically, a hello packet is sent out by the Root Bridge and the Designated Bridges. Hello packets are used to communicate information about the topology throughout the entire Bridged Local Area Network.
# brctl sethello bridgename time
Max age
If another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead. This timeout is set with:
# brctl setmaxage bridgename time
Sample setup
The basic setup of a bridge is done like this:
# ifconfig eth0 0.0.0.0
# ifconfig eth1 0.0.0.0
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ifconfig br0 up
This sets the host up as a pure bridge: it has no IP address of its own, so it cannot be remotely accessed (or hacked) via TCP/IP.
Optionally you can configure the virtual interface br0 to take part in your network. It behaves like a single interface (like a normal network card) and is configured the same way, replacing the previous command with something like:
# ifconfig br0 192.168.31.1 netmask 255.255.255.0
If you want your bridge to automatically get its IP address from the ADSL modem via DHCP (or a similar configuration), do this:
# ifconfig eth0 0.0.0.0
# ifconfig eth1 0.0.0.0
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# dhclient br0
If you do this many times, you may end up with lots of dhclient processes.
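The sample setup is a sequence of commands that assumes the ports are already DOWN, have no address and are not enslaved elsewhere; if one of those assumptions fails, brctl addif typically fails half-way and leaves a partly built bridge. The script below is an added example, not code from the original page: it performs the same sequence after checking each port against the kernel's sysfs tree. The SYSFS override and the DRY_RUN switch are assumptions introduced here so the script can be tested offline; a real run needs root and the bridge-utils package.

```shell
#!/bin/sh
# Added example (not from the original page): the "Sample setup" sequence wrapped in
# preflight checks, so a port that is UP, missing or already enslaved aborts the setup.
# Assumptions: SYSFS can point at a constructed tree for offline testing, and
# DRY_RUN=1 prints each command instead of executing it.
SYSFS="${SYSFS:-/sys}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Return 0 when $1 exists, is administratively DOWN and is not yet a bridge member.
check_port() {
    dev="$1"
    base="$SYSFS/class/net/$dev"
    if [ ! -d "$base" ]; then
        echo "$dev: no such interface" >&2
        return 1
    fi
    # /sys/class/net/<dev>/flags is a hex bitmask; bit 0 is IFF_UP, so an odd last
    # hex digit means the interface is UP.
    flags=$(cat "$base/flags" 2>/dev/null || echo 0x0)
    case "$flags" in
        *[13579bdfBDF])
            echo "$dev: interface is UP; bring it DOWN without an address first" >&2
            return 1 ;;
    esac
    # The kernel creates <dev>/brport once the device has been added to a bridge.
    if [ -d "$base/brport" ]; then
        echo "$dev: already a member of a bridge" >&2
        return 1
    fi
    return 0
}

# bridge_up <bridge> <port>...: validate every port first, then build the bridge.
bridge_up() {
    br="$1"; shift
    for dev in "$@"; do
        check_port "$dev" || return 1
    done
    run brctl addbr "$br"
    for dev in "$@"; do
        run ifconfig "$dev" 0.0.0.0     # ports carry no IP address of their own
        run brctl addif "$br" "$dev"
    done
    run ifconfig "$br" up              # pure bridge: no address on br0 either
}

# bridge_down <bridge> <port>...: the reverse sequence.
bridge_down() {
    br="$1"; shift
    run ifconfig "$br" down
    for dev in "$@"; do
        run brctl delif "$br" "$dev"
    done
    run brctl delbr "$br"
}

# Stand-alone usage: DRY_RUN=1 sh bridge.sh up br0 eth0 eth1
case "${1:-}" in
    up)   shift; bridge_up "$@" ;;
    down) shift; bridge_down "$@" ;;
esac
```

Running it with DRY_RUN=1 first prints the exact commands that would be issued, which is the easiest way to review a bridge change on a remote host before the management interface is possibly swallowed by the new bridge.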
Configuration with /etc/net
In /etc/net we first configure two Ethernet devices port0 and port1:
# cat >> /etc/net/iftab
port0 mac 00:13:46:66:01:5e
port1 mac 00:13:46:66:01:5f
# mkdir /etc/net/ifaces/port0
# cat > /etc/net/ifaces/port0/options
TYPE=eth
MODULE=via-rhine
# mkdir /etc/net/ifaces/port1
# cat > /etc/net/ifaces/port1/options
TYPE=eth
MODULE=via-rhine
Then we describe the bridge:
# mkdir /etc/net/ifaces/br0
# cat > /etc/net/ifaces/br0/options
TYPE=bri
HOST='port0 port1'
# cat > /etc/net/ifaces/br0/brctl
stp AUTO on
Description: a network bridge is a forwarding technique very useful when you have to deal with virtualization and you want to give your virtual machines direct access to your real network, without using NAT.
In this example, I’m going to use a bridge (br0) to access a wired network interface (eth1). I use eth1 for the bridge instead of eth0 because I prefer to use the first network interface to access the machine using SSH and fix any problems that could appear while configuring the bridge.
INSTALLATION
# yum install bridge-utils
# vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
HWADDR=00:11:22:33:44:55
ONBOOT=yes
BRIDGE=br0
# vi /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
DELAY=0
BOOTPROTO=static
BROADCAST=192.168.31.255
IPADDR=192.168.31.1
NETMASK=255.255.255.0
NETWORK=192.168.31.0
GATEWAY=192.168.31.1
# vi /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
This improves the bridge’s performance. I recommend using packet filtering on the computers that connect through the bridge, but not on the bridge itself.
# sysctl -p /etc/sysctl.conf
# service network restart
# chkconfig NetworkManager off
# chkconfig network on
# service NetworkManager stop
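The three bridge-nf-call sysctls decide whether frames that merely cross the bridge are handed to the host's iptables, ip6tables and arptables rules; with the values above they are not, which is why the author moves filtering to the endpoints. Whichever policy you choose, it is worth verifying the effective state after boot rather than trusting the file. The script below is an added example, not code from the original page; the PROC override is an assumption introduced here so the check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original page): audit the bridge-netfilter sysctls.
# A hook at 0 means bridged traffic of that protocol bypasses this host's rules.
# Assumption: PROC may point at a constructed tree for offline testing.
PROC="${PROC:-/proc}"
HOOKS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables"

# One line per hook: "<key> <value>", value being 0, 1 or "absent".
# The keys are absent when the br_netfilter module is not loaded (on kernels that
# build bridge netfilter as a module); then no bridged traffic reaches netfilter.
bridge_nf_status() {
    for key in $HOOKS; do
        f="$PROC/sys/net/bridge/$key"
        if [ -r "$f" ]; then
            echo "$key $(cat "$f")"
        else
            echo "$key absent"
        fi
    done
}

# Return 0 when all three hooks are 1; otherwise explain each gap and return 1.
bridge_nf_check() {
    rc=0
    for entry in $(bridge_nf_status | tr ' ' '='); do
        key=${entry%%=*}
        val=${entry#*=}
        proto=${key#bridge-nf-call-}
        case "$val" in
            1) ;;
            0) echo "$key=0: bridged $proto traffic bypasses this host's rules"; rc=1 ;;
            *) echo "$key $val: br_netfilter not loaded, bridged traffic bypasses netfilter"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone: sh bridge-nf-audit.sh audit
case "${1:-}" in
    audit) bridge_nf_check ;;
esac
```

One caveat the page does not mention: on kernels where br_netfilter is a separate module, the keys only exist once that module is loaded, so sysctl -p fails for them until then and settings in /etc/sysctl.conf may not be applied at boot; running bridge_nf_check after boot shows the state that is actually in force.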
Hi,
I’m new to Linux and trying to configure a bridge. This tut seems simple but I have a question. When adding devices to the bridge do you also add the device that I’m trying to bridge it to? For instance wlan0 is the main connection, I add eth0 and eth1 to the bridge but also add wlan0.