From owner-svn-doc-head@FreeBSD.ORG Thu Mar 6 23:00:14 2014 Return-Path: Delivered-To: svn-doc-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2FE87987; Thu, 6 Mar 2014 23:00:14 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 1BE62893; Thu, 6 Mar 2014 23:00:14 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s26N0E47048133; Thu, 6 Mar 2014 23:00:14 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s26N0E65048132; Thu, 6 Mar 2014 23:00:14 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201403062300.s26N0E65048132@svn.freebsd.org> 
From: Dru Lavigne Date: Thu, 6 Mar 2014 23:00:14 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44162 - head/en_US.ISO8859-1/books/handbook/advanced-networking X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Mar 2014 23:00:14 -0000 Author: dru Date: Thu Mar 6 23:00:13 2014 New Revision: 44162 URL: http://svnweb.freebsd.org/changeset/doc/44162 Log: Editorial pass through the bridging chapter. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Thu Mar 6 22:58:56 2014 (r44161) +++ head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Thu Mar 6 23:00:13 2014 (r44162) 
@@ -2848,34 +2848,31 @@ rfcomm_sppd[94692]: Starting on /dev/tty bridge - It is sometimes useful to divide one physical network, - such as an Ethernet segment, into two separate network + It is sometimes useful to divide a network, + such as an Ethernet segment, into network segments without having to create IP subnets and use a router to connect the segments together. A device that connects two networks together in this fashion - is called a bridge. A &os; system with two - network interface cards can act as a bridge. + is called a bridge. - The bridge works by learning the MAC - layer (Ethernet) addresses of the devices on each of its - network interfaces. It forwards traffic between two networks - only when the source and destination are on different - networks. + A bridge works by learning the MAC + addresses of the devices on each of its + network interfaces. It forwards traffic between networks + only when the source and destination MAC addresses are on different + networks. In many respects, a bridge is like an Ethernet switch with + very few ports. A &os; system with multiple + network interfaces can be configured to act as a bridge. - In many respects, a bridge is like an Ethernet switch with - very few ports. - - Bridging may be appropriate in the following situaitons: + Bridging can be useful in the following situations: Connecting Networks The basic operation of a bridge is to join two or more - network segments together. There are many reasons to use a - host based bridge over plain networking equipment such as - cabling constraints, firewalling, or connecting pseudo - networks such as a virtual machine interface. A bridge can + network segments. There are many reasons to use a + host-based bridge instead of networking equipment, such as + cabling constraints or firewalling. A bridge can also connect a wireless interface running in hostap mode to a wired network and act as an access point. 
@@ -2884,39 +2881,25 @@ rfcomm_sppd[94692]: Starting on /dev/tty Filtering/Traffic Shaping Firewall - A common situation is where firewall functionality is + A bridge can be used when firewall functionality is needed without routing or Network Address Translation (NAT). An example is a small company that is connected via DSL or ISDN to an ISP. - There are thirteen globally-accessible IP + There are thirteen public IP addresses from the ISP and ten computers on the network. In this situation, using a router-based - firewall is difficult because of subnetting issues. - - - router - - - DSL - - - ISDN - - - A bridge-based firewall can be configured and dropped - into the path just downstream of the DSL - or ISDN router without any - IP numbering issues. + firewall is difficult because of subnetting issues. A bridge-based firewall can be configured without any + IP addressing issues. Network Tap - A bridge can join two network segments and be used to + A bridge can join two network segments in order to inspect all Ethernet frames that pass between them using &man.bpf.4; and &man.tcpdump.1; on the bridge interface or by sending a copy of all frames out an additional interface 
@@ -2938,41 +2921,34 @@ rfcomm_sppd[94692]: Starting on /dev/tty Layer 2 Redundancy A network can be connected together with multiple links - and use the Spanning Tree Protocol STP - to block redundant paths. For an Ethernet network to - function properly, only one active path can exist between - two devices. STP will detect loops and - put the redundant links into a blocked state. Should one - of the active links fail, STP will - calculate a different tree and enable one of the blocked - paths to restore connectivity to all points in the - network. + and use the Spanning Tree Protocol (STP) + to block redundant paths. - This section covers the &man.if.bridge.4; implementation. + This section describes how to configure a &os; system as a + bridge using &man.if.bridge.4;. A netgraph bridging driver is also available, and is described in &man.ng.bridge.4;. - In &os;, &man.if.bridge.4; is a kernel module which is - automatically loaded by &man.ifconfig.8; when creating a - bridge interface. It is also possible to compile the bridge - in to the kernel by adding device if_bridge - to a custom kernel configuration file. - + Packet filtering can be used with any firewall package - that hooks in via the &man.pfil.9; framework. The firewall - can be loaded as a module or compiled into the kernel. - - The bridge can be used as a traffic shaper with + that hooks into the &man.pfil.9; framework. The bridge can be used as a traffic shaper with &man.altq.4; or &man.dummynet.4;. + Enabling the Bridge + In &os;, &man.if.bridge.4; is a kernel module which is + automatically loaded by &man.ifconfig.8; when creating a + bridge interface. It is also possible to compile bridge support + into a custom kernel by adding device if_bridge + to the custom kernel configuration file. + The bridge is created using interface cloning. To create - a bridge use &man.ifconfig.8;: + the bridge interface: &prompt.root; ifconfig bridge create bridge0 
@@ -2992,7 +2968,7 @@ bridge0: flags=8802<BROADCAST,SIMPLEX The other parameters control how STP operates. - Next, add the member network interfaces to the bridge. + Next, specify which network interfaces to add as members of the bridge. For the bridge to forward packets, all member interfaces and the bridge need to be up: @@ -3000,7 +2976,7 @@ bridge0: flags=8802<BROADCAST,SIMPLEX &prompt.root; ifconfig fxp0 up &prompt.root; ifconfig fxp1 up - The bridge is now forwarding Ethernet frames between + The bridge can now forward Ethernet frames between fxp0 and fxp1. Add the following lines to /etc/rc.conf so the bridge is created @@ -3012,17 +2988,20 @@ ifconfig_fxp0="up" ifconfig_fxp1="up" If the bridge host needs an IP - address, the correct place to set this is on the bridge - interface itself rather than one of the member interfaces. - This can be set statically or via - DHCP: + address, set it on the bridge + interface, not on the member interfaces. + The address can be set statically or via + DHCP. This example sets a static + IP address: &prompt.root; ifconfig bridge0 inet 192.168.0.1/24 It is also possible to assign an IPv6 - address to a bridge interface. + address to a bridge interface. To make the changes permanent, + add the addressing information to + /etc/rc.conf. - + When packet filtering is enabled, bridged packets will pass through the filter inbound on the originating interface on the bridge interface, and outbound on the appropriate 
@@ -3038,16 +3017,24 @@ ifconfig_fxp1="up" - Spanning Tree + Enabling Spanning Tree + + For an Ethernet network to + function properly, only one active path can exist between + two devices. The STP protocol detects loops and + puts redundant links into a blocked state. Should one + of the active links fail, STP + calculates a different tree and enables one of the blocked + paths to restore connectivity to all points in the + network. - The bridge driver implements the Rapid Spanning Tree - Protocol (RSTP or 802.1w) with backwards + The Rapid Spanning Tree + Protocol (RSTP or 802.1w) provides backwards compatibility with legacy STP. - STP is used to detect and remove loops - in a network topology. RSTP provides - faster convergence than legacy STP, the - protocol will exchange information with neighboring switches - to quickly transition to forwarding without creating loops. + RSTP provides + faster convergence and + exchanges information with neighboring switches + to quickly transition to forwarding mode without creating loops. &os; supports RSTP and STP as operating modes, with RSTP being the default mode. 
@@ -3098,74 +3085,67 @@ bridge0: flags=8843<UP,BROADCAST,RUNN 400000 from this bridge. The path to the root bridge is via port 4 which is fxp0. + - + + Bridge Interface Parameters + + Several ifconfig parameters are unique + to bridge interfaces. This section summarizes some common + uses for these parameters. The complete list of available parameters is + described in &man.ifconfig.8;. + + + + private + A private interface does not forward any traffic to any - other port that is also a private interface. The traffic is + other port that is also designated as a private interface. The traffic is blocked unconditionally so no Ethernet frames will be - forwarded, including ARP. If traffic + forwarded, including ARP packets. If traffic needs to be selectively blocked, a firewall should be used instead. - - - - - Reconstructing Traffic Flows - - The bridge supports monitor mode, where the packets are - discarded after &man.bpf.4; processing and are not - processed or forwarded further. This can be used to - multiplex the input of two or more interfaces into a single - &man.bpf.4; stream. This is useful for reconstructing the - traffic for network taps that transmit the RX/TX signals out - through two separate interfaces. - - To read the input from four network interfaces as one - stream: - - &prompt.root; ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up -&prompt.root; tcpdump -i bridge0 - - - - Span Ports + + - A copy of every Ethernet frame received by the bridge - will be transmitted out a designated span port. The number + + span + + A span port transmits a copy of every Ethernet frame received by the bridge. + The number of span ports configured on a bridge is unlimited, but if an interface is designated as a span port, it cannot also be used as a regular bridge port. This is most useful for snooping a bridged network passively on another host - connected to one of the span ports of the bridge. 
- - To send a copy of all frames out the interface named + connected to one of the span ports of the bridge. For + example, to send a copy of all frames out the interface named fxp4: &prompt.root; ifconfig bridge0 span fxp4 - - - - Sticky Interfaces + + + + sticky + If a bridge member interface is marked as sticky, dynamically learned address entries are treated at static - once entered into the forwarding cache. Sticky entries are + entries in the forwarding cache. Sticky entries are never aged out of the cache or replaced, even if the address is seen on a different interface. This gives the benefit of static address entries without the need to pre-populate the forwarding table. Clients learned on a particular segment of the bridge can not roam to another segment. - Another example of using sticky addresses is to combine - the bridge with VLANs to create a router - where customer networks are isolated without wasting + An example of using sticky addresses is to combine + the bridge with VLANs in order to isolate + customer networks without wasting IP address space. Consider that CustomerA is - on vlan100 and vlan100, CustomerB is on - vlan101. The bridge has the address - 192.168.0.1 and - is also an Internet router. + vlan101, and the bridge has the address + 192.168.0.1: &prompt.root; ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101 &prompt.root; ifconfig bridge0 inet 192.168.0.1/24 @@ -3185,10 +3165,6 @@ bridge0: flags=8843<UP,BROADCAST,RUNN The customers are completely isolated from each other and the full /24 address range can be allocated without subnetting. - - - - Address Limits The number of unique source MAC addresses behind an interface can be limited. Once the 
@@ -3202,7 +3178,23 @@ bridge0: flags=8843<UP,BROADCAST,RUNN vlan100 to 10: &prompt.root; ifconfig bridge0 ifmaxaddr vlan100 10 - + + + + + Bridge interfaces also support monitor mode, where the packets are + discarded after &man.bpf.4; processing and are not + processed or forwarded further. This can be used to + multiplex the input of two or more interfaces into a single + &man.bpf.4; stream. This is useful for reconstructing the + traffic for network taps that transmit the RX/TX signals out + through two separate interfaces. For example, + to read the input from four network interfaces as one + stream: + + &prompt.root; ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up +&prompt.root; tcpdump -i bridge0 + <acronym>SNMP</acronym> Monitoring @@ -3210,19 +3202,30 @@ bridge0: flags=8843<UP,BROADCAST,RUNN The bridge interface and STP parameters can be monitored via &man.bsnmpd.1; which is included in the &os; base system. The exported bridge - MIBs conform to the + MIBs conform to IETF standards so any SNMP client or monitoring package can be used to retrieve the data. - On the bridge, uncomment the - begemotSnmpdModulePath."bridge" = - "/usr/lib/snmp_bridge.so" line from - /etc/snmp.config and start - &man.bsnmpd.1;. Other configuration, such as community - names and access lists, may need to be modified. See + To enable monitoring on the bridge, uncomment this + line in + /etc/snmp.config by removing the + beginning # symbol: + + begemotSnmpdModulePath."bridge" = "/usr/lib/snmp_bridge.so" + + Other configuration settings, such as community + names and access lists, may need to be modified in this file. See &man.bsnmpd.1; and &man.snmp.bridge.3; for more - information. + information. Once these edits are saved, add this line to + /etc/rc.conf: + + bsnmpd_enable="YES" + + Then, start + &man.bsnmpd.1;: + + &prompt.root; service bsnmpd start The following examples use the Net-SNMP software
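Review bot: in hunk @@ -2848, the rewritten opening sentence now reads "divide a network, such as an Ethernet segment, into network segments", which loses the point that the resulting segments are separate; suggest "into separate network segments". The same hunk also drops "or connecting pseudo networks such as a virtual machine interface" from the reasons to use a host-based bridge, which removes the one use case many readers of this section will actually have; consider keeping it as a third item, e.g. "such as cabling constraints, firewalling, or bridging virtual machine interfaces".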
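Review bot: in hunk @@ -2884, deleting "dropped into the path just downstream of the DSL or ISDN router" removes the practical part of the firewall example, namely where the filtering bridge sits in the network; the new "A bridge-based firewall can be configured without any IP addressing issues" no longer tells the reader that. Suggest keeping a placement sentence, e.g. "A bridge-based firewall can be configured and placed between the DSL or ISDN router and the internal network without any IP addressing issues." The standalone router, DSL and ISDN entries removed in the same hunk look like index terms; if they go, check that the chapter still indexes this example under those terms.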
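Review bot: in hunk @@ -2938, the deletion of "The firewall can be loaded as a module or compiled into the kernel" from the &man.pfil.9; paragraph drops information that the new "Enabling the Bridge" section gives for if_bridge itself (module loaded by &man.ifconfig.8;, or device if_bridge in a custom kernel); the reader is now told how to get the bridge into the kernel but not that the pfil firewall has the same choice. Suggest keeping that sentence after "hooks into the &man.pfil.9; framework." The surviving paragraph then also joins the firewall statement and the &man.altq.4;/&man.dummynet.4; traffic-shaping statement into one paragraph; they read better as two.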
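Review bot: in hunk @@ -3012, "To make the changes permanent, add the addressing information to /etc/rc.conf" leaves the reader to guess the variable name; since the earlier rc.conf example already uses the ifconfig_fxp0="up" form, suggest showing the line, e.g. ifconfig_bridge0="inet 192.168.0.1/24". In the unchanged trailing context, "bridged packets will pass through the filter inbound on the originating interface on the bridge interface, and outbound on the appropriate" is missing the comma after "originating interface": the sentence lists three points where a frame meets the filter (inbound on the member, on the bridge interface, outbound on the member), and as written a reader can miss that rules are evaluated on the bridge interface as well; since this pass edits the surrounding paragraph, worth fixing here.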
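Review bot: in hunk @@ -3038, "The STP protocol detects loops" expands to "Spanning Tree Protocol protocol"; suggest "STP detects loops", as the term is already introduced in full in the Layer 2 Redundancy item. Rewriting "The bridge driver implements the Rapid Spanning Tree Protocol (RSTP or 802.1w) with backwards compatibility with legacy STP" as "The Rapid Spanning Tree Protocol (RSTP or 802.1w) provides backwards compatibility with legacy STP" turns a statement about what &man.if.bridge.4; implements into a general claim about the protocol, and the following "&os; supports RSTP and STP as operating modes" only partly restores it; suggest "The bridge driver implements RSTP (802.1w), which is backwards compatible with legacy STP."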
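Review bot: in hunk @@ -3098, the sticky entry's changed line "treated at static entries in the forwarding cache" should read "treated as static entries", and "can not roam" should be "cannot roam". In the VLAN example at the end of the same hunk, the visible replacement lines remove "on vlan100 and vlan100, CustomerB is on" without adding the corrected clause back, so the sentence now reads "Consider that CustomerA is vlan101, and the bridge has the address 192.168.0.1:"; check that the committed text reads "Consider that CustomerA is on vlan100, CustomerB is on vlan101, and the bridge has the address 192.168.0.1:".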
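Review bot: in hunk @@ -3202, the monitor mode paragraph is moved into the "Bridge Interface Parameters" list, but unlike the private, span and sticky entries it has no term naming the ifconfig keyword; the command in the paragraph uses monitor, so give the entry a monitor term so that a reader scanning the list of parameters finds it alongside the others.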
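Review bot: in hunk @@ -3210, the path /etc/snmp.config in the new "uncomment this line in /etc/snmp.config" sentence is carried over from the old text; the configuration file &man.bsnmpd.1; reads by default is /etc/snmpd.config, so confirm the name against the manual page before committing, otherwise the reader edits a file bsnmpd never loads and the bridge MIB is never exported. Also "by removing the beginning # symbol" reads better as "by removing the leading # character".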