Date: Thu, 6 Mar 2014 19:40:14 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44160 - head/en_US.ISO8859-1/books/handbook/advanced-networking
Message-ID: <201403061940.s26JeEqp065717@svn.freebsd.org>
Author: dru Date: Thu Mar 6 19:40:14 2014 New Revision: 44160 URL: http://svnweb.freebsd.org/changeset/doc/44160 Log: Initial prep work for bridging chapter. More commits to come. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Thu Mar 6 19:25:41 2014 (r44159) +++ head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Thu Mar 6 19:40:14 2014 (r44160) @@ -2841,9 +2841,6 @@ rfcomm_sppd[94692]: Starting on /dev/tty </authorgroup> </info> - <sect2> - <title>Introduction</title> - <indexterm> <primary><acronym>IP</acronym> subnet</primary> </indexterm> @@ -2867,17 +2864,13 @@ rfcomm_sppd[94692]: Starting on /dev/tty <para>In many respects, a bridge is like an Ethernet switch with very few ports.</para> - </sect2> - <sect2> - <title>Situations Where Bridging Is Appropriate</title> - - <para>There are many common situations in which a bridge is used - today.</para> - - <sect3> - <title>Connecting Networks</title> + <para>Bridging may be appropriate in the following situaitons:</para> + <variablelist> + <varlistentry> + <term>Connecting Networks</term> + <listitem> <para>The basic operation of a bridge is to join two or more network segments together. There are many reasons to use a host based bridge over plain networking equipment such as 
@@ -2885,18 +2878,12 @@ rfcomm_sppd[94692]: Starting on /dev/tty networks such as a virtual machine interface. A bridge can also connect a wireless interface running in hostap mode to a wired network and act as an access point.</para> - </sect3> - - <sect3> - <title>Filtering/Traffic Shaping Firewall</title> - - <indexterm> - <primary>firewall</primary> - </indexterm> - <indexterm> - <primary>NAT</primary> - </indexterm> + </listitem> + </varlistentry> + <varlistentry> + <term>Filtering/Traffic Shaping Firewall</term> + <listitem> <para>A common situation is where firewall functionality is needed without routing or Network Address Translation (<acronym>NAT</acronym>).</para> 
@@ -2923,30 +2910,33 @@ rfcomm_sppd[94692]: Starting on /dev/tty into the path just downstream of the <acronym>DSL</acronym> or <acronym>ISDN</acronym> router without any <acronym>IP</acronym> numbering issues.</para> - </sect3> - - <sect3> - <title>Network Tap</title> + </listitem> + </varlistentry> + <varlistentry> + <term>Network Tap</term> + <listitem> <para>A bridge can join two network segments and be used to inspect all Ethernet frames that pass between them using &man.bpf.4; and &man.tcpdump.1; on the bridge interface or by sending a copy of all frames out an additional interface known as a span port.</para> - </sect3> - - <sect3> - <title>Layer 2 <acronym>VPN</acronym></title> + </listitem> + </varlistentry> + <varlistentry> + <term>Layer 2 <acronym>VPN</acronym></term> + <listitem> <para>Two Ethernet networks can be joined across an <acronym>IP</acronym> link by bridging the networks to an EtherIP tunnel or a &man.tap.4; based solution such as <application>OpenVPN</application>.</para> - </sect3> - - <sect3> - <title>Layer 2 Redundancy</title> + </listitem> + </varlistentry> + <varlistentry> + <term>Layer 2 Redundancy</term> + <listitem> <para>A network can be connected together with multiple links and use the Spanning Tree Protocol <acronym>STP</acronym> to block redundant paths. For an Ethernet network to @@ -2957,11 +2947,9 @@ rfcomm_sppd[94692]: Starting on /dev/tty calculate a different tree and enable one of the blocked paths to restore connectivity to all points in the network.</para> - </sect3> - </sect2> - - <sect2> - <title>Kernel Configuration</title> + </listitem> + </varlistentry> + </variablelist> <para>This section covers the &man.if.bridge.4; implementation. A netgraph bridging driver is also available, and is described @@ -2979,7 +2967,6 @@ rfcomm_sppd[94692]: Starting on /dev/tty <para>The bridge can be used as a traffic shaper with &man.altq.4; or &man.dummynet.4;.</para> - </sect2> <sect2> <title>Enabling the Bridge</title> 
@@ -3034,15 +3021,8 @@ ifconfig_fxp1="up"</programlisting> <para>It is also possible to assign an <acronym>IPv6</acronym> address to a bridge interface.</para> - </sect2> - - <sect2> - <title>Firewalling</title> - - <indexterm> - <primary>firewall</primary> - </indexterm> + <note> <para>When packet filtering is enabled, bridged packets will pass through the filter inbound on the originating interface on the bridge interface, and outbound on the appropriate @@ -3054,6 +3034,7 @@ ifconfig_fxp1="up"</programlisting> non-<acronym>IP</acronym> and <acronym>IP</acronym> packets, and layer2 firewalling with &man.ipfw.8;. See &man.if.bridge.4; for more information.</para> + </note> </sect2> <sect2> @@ -3117,13 +3098,19 @@ bridge0: flags=8843<UP,BROADCAST,RUNN <literal>400000</literal> from this bridge. The path to the root bridge is via <literal>port 4</literal> which is <filename>fxp0</filename>.</para> + + <note> + <para>A private interface does not forward any traffic to any + other port that is also a private interface. The traffic is + blocked unconditionally so no Ethernet frames will be + forwarded, including <acronym>ARP</acronym>. If traffic + needs to be selectively blocked, a firewall should be used + instead.</para> + </note> </sect2> <sect2> - <title>Advanced Bridging</title> - - <sect3> - <title>Reconstruct Traffic Flows</title> + <title>Reconstructing Traffic Flows</title> <para>The bridge supports monitor mode, where the packets are discarded after &man.bpf.4; processing and are not @@ -3138,9 +3125,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN <screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up</userinput> &prompt.root; <userinput>tcpdump -i bridge0</userinput></screen> - </sect3> + </sect2> - <sect3> + <sect2> <title>Span Ports</title> <para>A copy of every Ethernet frame received by the bridge 
@@ -3155,20 +3142,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN <filename>fxp4</filename>:</para> <screen>&prompt.root; <userinput>ifconfig bridge0 span fxp4</userinput></screen> - </sect3> - - <sect3> - <title>Private Interfaces</title> - - <para>A private interface does not forward any traffic to any - other port that is also a private interface. The traffic is - blocked unconditionally so no Ethernet frames will be - forwarded, including <acronym>ARP</acronym>. If traffic - needs to be selectively blocked, a firewall should be used - instead.</para> - </sect3> + </sect2> - <sect3> + <sect2> <title>Sticky Interfaces</title> <para>If a bridge member interface is marked as sticky, @@ -3209,9 +3185,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN <para>The customers are completely isolated from each other and the full <systemitem class="netmask">/24</systemitem> address range can be allocated without subnetting.</para> - </sect3> + </sect2> - <sect3> + <sect2> <title>Address Limits</title> <para>The number of unique source <acronym>MAC</acronym> @@ -3226,9 +3202,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN <literal>vlan100</literal> to 10:</para> <screen>&prompt.root; <userinput>ifconfig bridge0 ifmaxaddr vlan100 10</userinput></screen> - </sect3> + </sect2> - <sect3> + <sect2> <title><acronym>SNMP</acronym> Monitoring</title> <para>The bridge interface and <acronym>STP</acronym> @@ -3314,7 +3290,6 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesi <screen>&prompt.user; <userinput>snmpset -v 2c -c private bridge1.example.com</userinput> BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen> - </sect3> </sect2> </sect1>
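Review bot: the new lead-in sentence introduced in the @@ -2867 hunk carries a typo, `situaitons` for `situations`; since this line is added by this commit rather than carried over, fix it here as `<para>Bridging may be appropriate in the following situations:</para>` before the follow-up commits build on it.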
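Review bot: the @@ -2885 hunk drops the `<indexterm>` entries for `firewall` and `NAT` together with the `<sect3>` wrapper instead of carrying them into the new `<varlistentry>`; that silently removes two handbook index entries for the firewall use case. Keeping `<indexterm><primary>firewall</primary></indexterm>` and the `NAT` entry inside the first `<para>` of the new `<listitem>` preserves the index without changing the rendered text.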
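Review bot: the @@ -3034 hunk turns the Firewalling subsection into a `<note>` inside "Enabling the Bridge" and also discards its `firewall` `<indexterm>`, so the packet-filtering guidance is no longer reachable from the index and no longer has a heading naming it. Keep the index term inside the note's first `<para>`, and consider opening the note with a sentence that ties it to the "Filtering/Traffic Shaping Firewall" entry in the list above, since "When packet filtering is enabled" now appears with no lead-in.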
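Review bot: the private-interface `<note>` added in the @@ -3117 hunk is anchored at the end of the Spanning Tree output discussion, directly after the sentence about the path to the root bridge being via `port 4` (`fxp0`), where private interfaces have not been mentioned; combined with the removal of the "Private Interfaces" `<sect3>` in the @@ -3155 hunk, the reader is left with no context for what a private interface is or how one is configured. Either move the note next to the Span Ports and Sticky Interfaces material it relates to, or keep it as its own `<sect2>` with the `ifconfig bridge0 private <interface>` command form documented in ifconfig(8), as the neighbouring sections do for `span`, `sticky` and `ifmaxaddr`.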