From owner-svn-doc-all@FreeBSD.ORG Thu Mar 6 19:40:14 2014 Message-Id: <201403061940.s26JeEqp065717@svn.freebsd.org>
From: Dru Lavigne Date: Thu, 6 Mar 2014 19:40:14 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44160 - head/en_US.ISO8859-1/books/handbook/advanced-networking X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Mar 2014 19:40:14 -0000 Author: dru Date: Thu Mar 6 19:40:14 2014 New Revision: 44160 URL: http://svnweb.freebsd.org/changeset/doc/44160 Log: Initial prep work for bridging chapter. More commits to come. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Thu Mar 6 19:25:41 2014 (r44159) +++ head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Thu Mar 6 19:40:14 2014 (r44160) @@ -2841,9 +2841,6 @@ rfcomm_sppd[94692]: Starting on /dev/tty - - Introduction - IP subnet @@ -2867,17 +2864,13 @@ rfcomm_sppd[94692]: Starting on /dev/tty In many respects, a bridge is like an Ethernet switch with very few ports. - - - Situations Where Bridging Is Appropriate - - There are many common situations in which a bridge is used - today. - - - Connecting Networks + Bridging may be appropriate in the following situaitons: + + + Connecting Networks + The basic operation of a bridge is to join two or more network segments together. There are many reasons to use a host based bridge over plain networking equipment such as 
@@ -2885,18 +2878,12 @@ rfcomm_sppd[94692]: Starting on /dev/tty networks such as a virtual machine interface. A bridge can also connect a wireless interface running in hostap mode to a wired network and act as an access point. - - - - Filtering/Traffic Shaping Firewall - - - firewall - - - NAT - + + + + Filtering/Traffic Shaping Firewall + A common situation is where firewall functionality is needed without routing or Network Address Translation (NAT). @@ -2923,30 +2910,33 @@ rfcomm_sppd[94692]: Starting on /dev/tty into the path just downstream of the DSL or ISDN router without any IP numbering issues. - - - - Network Tap + + + + Network Tap + A bridge can join two network segments and be used to inspect all Ethernet frames that pass between them using &man.bpf.4; and &man.tcpdump.1; on the bridge interface or by sending a copy of all frames out an additional interface known as a span port. - - - - Layer 2 <acronym>VPN</acronym> + + + + Layer 2 VPN + Two Ethernet networks can be joined across an IP link by bridging the networks to an EtherIP tunnel or a &man.tap.4; based solution such as OpenVPN. - - - - Layer 2 Redundancy + + + + Layer 2 Redundancy + A network can be connected together with multiple links and use the Spanning Tree Protocol STP to block redundant paths. For an Ethernet network to @@ -2957,11 +2947,9 @@ rfcomm_sppd[94692]: Starting on /dev/tty calculate a different tree and enable one of the blocked paths to restore connectivity to all points in the network. - - - - - Kernel Configuration + + + This section covers the &man.if.bridge.4; implementation. A netgraph bridging driver is also available, and is described @@ -2979,7 +2967,6 @@ rfcomm_sppd[94692]: Starting on /dev/tty The bridge can be used as a traffic shaper with &man.altq.4; or &man.dummynet.4;. - Enabling the Bridge 
@@ -3034,15 +3021,8 @@ ifconfig_fxp1="up" It is also possible to assign an IPv6 address to a bridge interface. - - - - Firewalling - - - firewall - + When packet filtering is enabled, bridged packets will pass through the filter inbound on the originating interface on the bridge interface, and outbound on the appropriate @@ -3054,6 +3034,7 @@ ifconfig_fxp1="up" non-IP and IP packets, and layer2 firewalling with &man.ipfw.8;. See &man.if.bridge.4; for more information. + @@ -3117,13 +3098,19 @@ bridge0: flags=8843<UP,BROADCAST,RUNN 400000 from this bridge. The path to the root bridge is via port 4 which is fxp0. + + + A private interface does not forward any traffic to any + other port that is also a private interface. The traffic is + blocked unconditionally so no Ethernet frames will be + forwarded, including ARP. If traffic + needs to be selectively blocked, a firewall should be used + instead. + - Advanced Bridging - - - Reconstruct Traffic Flows + Reconstructing Traffic Flows The bridge supports monitor mode, where the packets are discarded after &man.bpf.4; processing and are not @@ -3138,9 +3125,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN &prompt.root; ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up &prompt.root; tcpdump -i bridge0 - + - + Span Ports A copy of every Ethernet frame received by the bridge @@ -3155,20 +3142,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN fxp4: &prompt.root; ifconfig bridge0 span fxp4 - - - - Private Interfaces - - A private interface does not forward any traffic to any - other port that is also a private interface. The traffic is - blocked unconditionally so no Ethernet frames will be - forwarded, including ARP. If traffic - needs to be selectively blocked, a firewall should be used - instead. - + - + Sticky Interfaces If a bridge member interface is marked as sticky, 
@@ -3209,9 +3185,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN The customers are completely isolated from each other and the full /24 address range can be allocated without subnetting. - + - + Address Limits The number of unique source MAC @@ -3226,9 +3202,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN vlan100 to 10: &prompt.root; ifconfig bridge0 ifmaxaddr vlan100 10 - + - + <acronym>SNMP</acronym> Monitoring The bridge interface and STP @@ -3314,7 +3290,6 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesi &prompt.user; snmpset -v 2c -c private bridge1.example.com BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2 -
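Review bot: the added line `+ Bridging may be appropriate in the following situaitons:` in the hunk at -2867,17 +2864,13 misspells "situations"; fix the typo before committing, since this sentence replaces the "Situations Where Bridging Is Appropriate" title and is now the only introduction to the list that follows.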
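Review bot: in the hunk at -2923,30 +2910,33 the term `Layer 2 <acronym>VPN</acronym>` becomes plain `Layer 2 VPN`, dropping the `<acronym>` markup, while the hunk at -3226,9 +3202,9 keeps `<acronym>SNMP</acronym>` in the SNMP Monitoring title; keep `<acronym>VPN</acronym>` so acronym markup stays consistent within the chapter.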
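Review bot: removing the `Kernel Configuration` title in the hunk at -2957,11 +2947,9 leaves the sentence "This section covers the &man.if.bridge.4; implementation" at the top of a block that no longer has a title of its own, so "this section" no longer refers to anything the reader can see; either keep a title here or reword the sentence to name the enclosing bridging section.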
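Review bot: the hunk at -3034,15 +3021,8 removes the `Firewalling` title together with its `firewall` indexterm, so the paragraph beginning "When packet filtering is enabled" now follows the IPv6 address note with no heading, and the handbook index loses its entry for firewalling on a bridge (the hunk at -2885,18 +2878,12 likewise drops the `firewall` and `NAT` indexterms, and -2841,9 +2841,6 drops `IP subnet`); if the sub-titles are being flattened on purpose, keep the indexterm elements beside the surviving paragraphs so the index still points readers at this material.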
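Review bot: the private-interface paragraph inserted in the hunk at -3117,13 +3098,19 lands directly after "The path to the root bridge is via port 4 which is fxp0." inside the STP output discussion, with no title or lead-in, while the `Private Interfaces` title it came from is deleted in the hunk at -3155,20 +3142,9; a reader arriving from the STP text has no indication that a private interface is a separately configured bridge option rather than part of the spanning-tree output. Keep a title or add one introductory sentence before the paragraph. The same hunk also renames `Reconstruct Traffic Flows` to `Reconstructing Traffic Flows` and removes the `Advanced Bridging` title, moving that subsection up a level; since the extracted diff does not show the element tags, confirm that the remaining sect elements still nest correctly and that the book builds before the follow-up commits mentioned in the log.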