Date: Thu, 6 Mar 2014 23:00:14 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44162 - head/en_US.ISO8859-1/books/handbook/advanced-networking
Message-ID: <201403062300.s26N0E65048132@svn.freebsd.org>
Author: dru
Date: Thu Mar 6 23:00:13 2014
New Revision: 44162

URL: http://svnweb.freebsd.org/changeset/doc/44162

Log:
  Editorial pass through the bridging chapter.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml	Thu Mar 6 22:58:56 2014	(r44161)
+++ head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml	Thu Mar 6 23:00:13 2014	(r44162)
@@ -2848,34 +2848,31 @@ rfcomm_sppd[94692]: Starting on /dev/tty <primary>bridge</primary> </indexterm> - <para>It is sometimes useful to divide one physical network, - such as an Ethernet segment, into two separate network + <para>It is sometimes useful to divide a network, + such as an Ethernet segment, into network segments without having to create <acronym>IP</acronym> subnets and use a router to connect the segments together. A device that connects two networks together in this fashion - is called a <quote>bridge</quote>. A &os; system with two - network interface cards can act as a bridge.</para> + is called a <quote>bridge</quote>.</para> - <para>The bridge works by learning the <acronym>MAC</acronym> - layer (Ethernet) addresses of the devices on each of its - network interfaces. It forwards traffic between two networks - only when the source and destination are on different - networks.</para> + <para>A bridge works by learning the <acronym>MAC</acronym> + addresses of the devices on each of its + network interfaces. It forwards traffic between networks + only when the source and destination <acronym>MAC</acronym> addresses are on different + networks. In many respects, a bridge is like an Ethernet switch with + very few ports. A &os; system with multiple + network interfaces can be configured to act as a bridge.</para> - <para>In many respects, a bridge is like an Ethernet switch with - very few ports.</para> - - <para>Bridging may be appropriate in the following situaitons:</para> + <para>Bridging can be useful in the following situations:</para> <variablelist> <varlistentry> <term>Connecting Networks</term> <listitem> <para>The basic operation of a bridge is to join two or more - network segments together. There are many reasons to use a - host based bridge over plain networking equipment such as - cabling constraints, firewalling, or connecting pseudo - networks such as a virtual machine interface. A bridge can + network segments. 
There are many reasons to use a + host-based bridge instead of networking equipment, such as + cabling constraints or firewalling. A bridge can also connect a wireless interface running in hostap mode to a wired network and act as an access point.</para> </listitem> 
@@ -2884,39 +2881,25 @@ rfcomm_sppd[94692]: Starting on /dev/tty <varlistentry> <term>Filtering/Traffic Shaping Firewall</term> <listitem> - <para>A common situation is where firewall functionality is + <para>A bridge can be used when firewall functionality is needed without routing or Network Address Translation (<acronym>NAT</acronym>).</para> <para>An example is a small company that is connected via <acronym>DSL</acronym> or <acronym>ISDN</acronym> to an <acronym>ISP</acronym>. - There are thirteen globally-accessible <acronym>IP</acronym> + There are thirteen public <acronym>IP</acronym> addresses from the <acronym>ISP</acronym> and ten computers on the network. In this situation, using a router-based - firewall is difficult because of subnetting issues.</para> - - <indexterm> - <primary>router</primary> - </indexterm> - <indexterm> - <primary><acronym>DSL</acronym></primary> - </indexterm> - <indexterm> - <primary><acronym>ISDN</acronym></primary> - </indexterm> - - <para>A bridge-based firewall can be configured and dropped - into the path just downstream of the <acronym>DSL</acronym> - or <acronym>ISDN</acronym> router without any - <acronym>IP</acronym> numbering issues.</para> + firewall is difficult because of subnetting issues. A bridge-based firewall can be configured without any + <acronym>IP</acronym> addressing issues.</para> </listitem> </varlistentry> <varlistentry> <term>Network Tap</term> <listitem> - <para>A bridge can join two network segments and be used to + <para>A bridge can join two network segments in order to inspect all Ethernet frames that pass between them using &man.bpf.4; and &man.tcpdump.1; on the bridge interface or by sending a copy of all frames out an additional interface 
@@ -2938,41 +2921,34 @@ rfcomm_sppd[94692]: Starting on /dev/tty <term>Layer 2 Redundancy</term> <listitem> <para>A network can be connected together with multiple links - and use the Spanning Tree Protocol <acronym>STP</acronym> - to block redundant paths. For an Ethernet network to - function properly, only one active path can exist between - two devices. <acronym>STP</acronym> will detect loops and - put the redundant links into a blocked state. Should one - of the active links fail, <acronym>STP</acronym> will - calculate a different tree and enable one of the blocked - paths to restore connectivity to all points in the - network.</para> + and use the Spanning Tree Protocol (<acronym>STP</acronym>) + to block redundant paths.</para> </listitem> </varlistentry> </variablelist> - <para>This section covers the &man.if.bridge.4; implementation. + <para>This section describes how to configure a &os; system as a + bridge using &man.if.bridge.4;. A netgraph bridging driver is also available, and is described in &man.ng.bridge.4;.</para> - <para>In &os;, &man.if.bridge.4; is a kernel module which is - automatically loaded by &man.ifconfig.8; when creating a - bridge interface. It is also possible to compile the bridge - in to the kernel by adding <literal>device if_bridge</literal> - to a custom kernel configuration file.</para> - + <note> <para>Packet filtering can be used with any firewall package - that hooks in via the &man.pfil.9; framework. The firewall - can be loaded as a module or compiled into the kernel.</para> - - <para>The bridge can be used as a traffic shaper with + that hooks into the &man.pfil.9; framework. The bridge can be used as a traffic shaper with &man.altq.4; or &man.dummynet.4;.</para> + </note> <sect2> <title>Enabling the Bridge</title> + <para>In &os;, &man.if.bridge.4; is a kernel module which is + automatically loaded by &man.ifconfig.8; when creating a + bridge interface. 
It is also possible to compile bridge support + into a custom kernel by adding <literal>device if_bridge</literal> + to the custom kernel configuration file.</para> + <para>The bridge is created using interface cloning. To create - a bridge use &man.ifconfig.8;:</para> + the bridge interface:</para> <screen>&prompt.root; <userinput>ifconfig bridge create</userinput> bridge0 @@ -2992,7 +2968,7 @@ bridge0: flags=8802<BROADCAST,SIMPLEX The other parameters control how <acronym>STP</acronym> operates.</para> - <para>Next, add the member network interfaces to the bridge. + <para>Next, specify which network interfaces to add as members of the bridge. For the bridge to forward packets, all member interfaces and the bridge need to be up:</para> @@ -3000,7 +2976,7 @@ bridge0: flags=8802<BROADCAST,SIMPLEX &prompt.root; <userinput>ifconfig fxp0 up</userinput> &prompt.root; <userinput>ifconfig fxp1 up</userinput></screen> - <para>The bridge is now forwarding Ethernet frames between + <para>The bridge can now forward Ethernet frames between <filename>fxp0</filename> and <filename>fxp1</filename>. Add the following lines to <filename>/etc/rc.conf</filename> so the bridge is created 
@@ -3012,17 +2988,20 @@ ifconfig_fxp0="up" ifconfig_fxp1="up"</programlisting> <para>If the bridge host needs an <acronym>IP</acronym> - address, the correct place to set this is on the bridge - interface itself rather than one of the member interfaces. - This can be set statically or via - <acronym>DHCP</acronym>:</para> + address, set it on the bridge + interface, not on the member interfaces. + The address can be set statically or via + <acronym>DHCP</acronym>. This example sets a static + <acronym>IP</acronym> address:</para> <screen>&prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen> <para>It is also possible to assign an <acronym>IPv6</acronym> - address to a bridge interface.</para> + address to a bridge interface. To make the changes permanent, + add the addressing information to + <filename>/etc/rc.conf</filename>.</para> - <note> + <note> <para>When packet filtering is enabled, bridged packets will pass through the filter inbound on the originating interface on the bridge interface, and outbound on the appropriate 
@@ -3038,16 +3017,24 @@ ifconfig_fxp1="up"</programlisting> </sect2> <sect2> - <title>Spanning Tree</title> + <title>Enabling Spanning Tree</title> + + <para>For an Ethernet network to + function properly, only one active path can exist between + two devices. The <acronym>STP</acronym> protocol detects loops and + puts redundant links into a blocked state. Should one + of the active links fail, <acronym>STP</acronym> + calculates a different tree and enables one of the blocked + paths to restore connectivity to all points in the + network.</para> - <para>The bridge driver implements the Rapid Spanning Tree - Protocol (<acronym>RSTP</acronym> or 802.1w) with backwards + <para>The Rapid Spanning Tree + Protocol (<acronym>RSTP</acronym> or 802.1w) provides backwards compatibility with legacy <acronym>STP</acronym>. - <acronym>STP</acronym> is used to detect and remove loops - in a network topology. <acronym>RSTP</acronym> provides - faster convergence than legacy <acronym>STP</acronym>, the - protocol will exchange information with neighboring switches - to quickly transition to forwarding without creating loops. + <acronym>RSTP</acronym> provides + faster convergence and + exchanges information with neighboring switches + to quickly transition to forwarding mode without creating loops. &os; supports <acronym>RSTP</acronym> and <acronym>STP</acronym> as operating modes, with <acronym>RSTP</acronym> being the default mode.</para> 
@@ -3098,74 +3085,67 @@ bridge0: flags=8843<UP,BROADCAST,RUNN <literal>400000</literal> from this bridge. The path to the root bridge is via <literal>port 4</literal> which is <filename>fxp0</filename>.</para> + </sect2> - <note> + <sect2> + <title>Bridge Interface Parameters</title> + + <para>Several <command>ifconfig</command> parameters are unique + to bridge interfaces. This section summarizes some common + uses for these parameters. The complete list of available parameters is + described in &man.ifconfig.8;.</para> + + <variablelist> + <varlistentry> + <term>private</term> + <listitem> <para>A private interface does not forward any traffic to any - other port that is also a private interface. The traffic is + other port that is also designated as a private interface. The traffic is blocked unconditionally so no Ethernet frames will be - forwarded, including <acronym>ARP</acronym>. If traffic + forwarded, including <acronym>ARP</acronym> packets. If traffic needs to be selectively blocked, a firewall should be used instead.</para> - </note> - </sect2> - - <sect2> - <title>Reconstructing Traffic Flows</title> - - <para>The bridge supports monitor mode, where the packets are - discarded after &man.bpf.4; processing and are not - processed or forwarded further. This can be used to - multiplex the input of two or more interfaces into a single - &man.bpf.4; stream. This is useful for reconstructing the - traffic for network taps that transmit the RX/TX signals out - through two separate interfaces.</para> - - <para>To read the input from four network interfaces as one - stream:</para> - - <screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up</userinput> -&prompt.root; <userinput>tcpdump -i bridge0</userinput></screen> - </sect2> - - <sect2> - <title>Span Ports</title> + </listitem> + </varlistentry> - <para>A copy of every Ethernet frame received by the bridge - will be transmitted out a designated span port. 
The number + <varlistentry> + <term>span</term> + <listitem> + <para>A span port transmits a copy of every Ethernet frame received by the bridge. + The number of span ports configured on a bridge is unlimited, but if an interface is designated as a span port, it cannot also be used as a regular bridge port. This is most useful for snooping a bridged network passively on another host - connected to one of the span ports of the bridge.</para> - - <para>To send a copy of all frames out the interface named + connected to one of the span ports of the bridge. For + example, to send a copy of all frames out the interface named <filename>fxp4</filename>:</para> <screen>&prompt.root; <userinput>ifconfig bridge0 span fxp4</userinput></screen> - </sect2> - - <sect2> - <title>Sticky Interfaces</title> + </listitem> + </varlistentry> + <varlistentry> + <term>sticky</term> + <listitem> <para>If a bridge member interface is marked as sticky, dynamically learned address entries are treated at static - once entered into the forwarding cache. Sticky entries are + entries in the forwarding cache. Sticky entries are never aged out of the cache or replaced, even if the address is seen on a different interface. This gives the benefit of static address entries without the need to pre-populate the forwarding table. Clients learned on a particular segment of the bridge can not roam to another segment.</para> - <para>Another example of using sticky addresses is to combine - the bridge with <acronym>VLAN</acronym>s to create a router - where customer networks are isolated without wasting + <para>An example of using sticky addresses is to combine + the bridge with <acronym>VLAN</acronym>s in order to isolate + customer networks without wasting <acronym>IP</acronym> address space. 
Consider that <systemitem class="fqdomainname">CustomerA</systemitem> is - on <literal>vlan100</literal> and <systemitem + on <literal>vlan100</literal>, <systemitem class="fqdomainname">CustomerB</systemitem> is on - <literal>vlan101</literal>. The bridge has the address - <systemitem class="ipaddress">192.168.0.1</systemitem> and - is also an Internet router.</para> + <literal>vlan101</literal>, and the bridge has the address + <systemitem class="ipaddress">192.168.0.1</systemitem>:</para> <screen>&prompt.root; <userinput>ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101</userinput> &prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen> @@ -3185,10 +3165,6 @@ bridge0: flags=8843<UP,BROADCAST,RUNN <para>The customers are completely isolated from each other and the full <systemitem class="netmask">/24</systemitem> address range can be allocated without subnetting.</para> - </sect2> - - <sect2> - <title>Address Limits</title> <para>The number of unique source <acronym>MAC</acronym> addresses behind an interface can be limited. Once the 
@@ -3202,7 +3178,23 @@ bridge0: flags=8843<UP,BROADCAST,RUNN <literal>vlan100</literal> to 10:</para> <screen>&prompt.root; <userinput>ifconfig bridge0 ifmaxaddr vlan100 10</userinput></screen> - </sect2> + </listitem> + </varlistentry> + </variablelist> + + <para>Bridge interfaces also support monitor mode, where the packets are + discarded after &man.bpf.4; processing and are not + processed or forwarded further. This can be used to + multiplex the input of two or more interfaces into a single + &man.bpf.4; stream. This is useful for reconstructing the + traffic for network taps that transmit the RX/TX signals out + through two separate interfaces. For example, + to read the input from four network interfaces as one + stream:</para> + + <screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up</userinput> +&prompt.root; <userinput>tcpdump -i bridge0</userinput></screen> +</sect2> <sect2> <title><acronym>SNMP</acronym> Monitoring</title> 
@@ -3210,19 +3202,30 @@ bridge0: flags=8843<UP,BROADCAST,RUNN <para>The bridge interface and <acronym>STP</acronym> parameters can be monitored via &man.bsnmpd.1; which is included in the &os; base system. The exported bridge - <acronym>MIB</acronym>s conform to the + <acronym>MIB</acronym>s conform to <acronym>IETF</acronym> standards so any <acronym>SNMP</acronym> client or monitoring package can be used to retrieve the data.</para> - <para>On the bridge, uncomment the - <literal>begemotSnmpdModulePath."bridge" = - "/usr/lib/snmp_bridge.so"</literal> line from - <filename>/etc/snmp.config</filename> and start - &man.bsnmpd.1;. Other configuration, such as community - names and access lists, may need to be modified. See + <para>To enable monitoring on the bridge, uncomment this + line in + <filename>/etc/snmp.config</filename> by removing the + beginning <literal>#</literal> symbol:</para> + + <programlisting>begemotSnmpdModulePath."bridge" = "/usr/lib/snmp_bridge.so"</programlisting> + + <para>Other configuration settings, such as community + names and access lists, may need to be modified in this file. See &man.bsnmpd.1; and &man.snmp.bridge.3; for more - information.</para> + information. Once these edits are saved, add this line to + <filename>/etc/rc.conf</filename>:</para> + + <programlisting>bsnmpd_enable="YES"</programlisting> + + <para>Then, start + &man.bsnmpd.1;:</para> + + <screen>&prompt.root; <userinput>service bsnmpd start</userinput></screen> <para>The following examples use the <application>Net-SNMP</application> software
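Review bot: in the first hunk (@@ -2848), the rewritten list of reasons for a host-based bridge drops "connecting pseudo networks such as a virtual machine interface", which is one of the most common reasons to bridge on a FreeBSD host; suggest keeping it, e.g. "such as cabling constraints, firewalling, or connecting virtual machine interfaces." The opening sentence also lost the words "two separate", so "divide a network, such as an Ethernet segment, into network segments" now reads as if nothing is being divided.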
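Review bot: in the firewall hunk (@@ -2884), the collapsed paragraph no longer says where the bridge firewall sits ("just downstream of the DSL or ISDN router"), which is the point of the example: the filter is inserted transparently between the router and the ten hosts without renumbering. Suggest keeping the placement, e.g. "A bridge-based firewall can be dropped into the path just downstream of the router without any IP addressing issues." The three <indexterm> entries (router, DSL, ISDN) are removed without replacement; if that was not intentional, re-add them next to the retained paragraph.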
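Review bot: in the hunk that introduces the <note> (@@ -2938), the sentence "The firewall can be loaded as a module or compiled into the kernel." is dropped, while the parallel statement about if_bridge (kernel module versus "device if_bridge") is kept and moved into "Enabling the Bridge". Consider keeping the firewall sentence beside the pfil(9) sentence so readers know a module-loaded firewall still hooks bridged traffic; a reader who assumes filtering only works with a kernel-compiled firewall may otherwise run the bridge unfiltered.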
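Review bot: in the addressing hunk (@@ -3012), "To make the changes permanent, add the addressing information to /etc/rc.conf" says what to do but not how. The rc.conf listing shown in the hunk context (ifconfig_fxp0="up", ifconfig_fxp1="up") is the natural place to show a matching ifconfig_bridge0="inet 192.168.0.1/24" line so the static example and the rc.conf instruction agree. The "- <note>" / "+ <note>" pair is a whitespace-only change and could be left out of the diff.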
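Review bot: in the Spanning Tree hunk (@@ -3038), "The <acronym>STP</acronym> protocol detects loops" expands to "Spanning Tree Protocol protocol"; write "<acronym>STP</acronym> detects loops". The rewritten RSTP sentence also no longer says that it is the bridge driver that implements RSTP; the removed opening "The bridge driver implements the Rapid Spanning Tree Protocol" carried that fact and could be kept in the new wording.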
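Review bot: in the Bridge Interface Parameters hunk (@@ -3098), the unchanged context line "dynamically learned address entries are treated at static" still has the "at"/"as" typo and the changed continuation "entries in the forwarding cache" now follows it directly; fix it to "treated as static entries in the forwarding cache" while this paragraph is being rewritten, and change "can not roam" to "cannot roam". In the VLAN example, dropping "and is also an Internet router" removes the reason the bridge carries 192.168.0.1 at all; without it the reader may wonder why an isolation-only bridge has an address. The hunk at @@ -3185 then closes the old Address Limits sect2 as part of the same restructuring, so these two hunks should be reviewed together for tag balance.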
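Review bot: in the monitor-mode hunk (@@ -3202), the closing "+</sect2>" is at column 0 while every other tag in this file is indented four spaces; indent it to match. The relocated monitor-mode paragraph now sits after the variablelist as loose prose rather than as an entry; since private, span and sticky each got a <varlistentry>, consider giving monitor the same treatment so all the bridge-specific ifconfig parameters are findable in one list.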
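Review bot: in the SNMP hunk (@@ -3210), bsnmpd(1) reads /etc/snmpd.config, not /etc/snmp.config; the old text had the same typo and this hunk rewrites the line, so fix the path here. Also, now that the section gives the full enable-and-start procedure, the sentence "Other configuration settings, such as community names and access lists, may need to be modified" is too soft: the hunk's own first paragraph says any SNMP client can retrieve the bridge and STP data, so state plainly that the community name should be changed and access restricted in this file before bsnmpd_enable="YES" is set and the service is started.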