svn commit: r44162 - head/en_US.ISO8859-1/books/handbook/advanced-networking
Dru Lavigne
dru at FreeBSD.org
Thu Mar 6 23:00:14 UTC 2014
Author: dru
Date: Thu Mar 6 23:00:13 2014
New Revision: 44162
URL: http://svnweb.freebsd.org/changeset/doc/44162
Log:
Editorial pass through the bridging chapter.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Thu Mar 6 22:58:56 2014 (r44161)
+++ head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Thu Mar 6 23:00:13 2014 (r44162)
@@ -2848,34 +2848,31 @@ rfcomm_sppd[94692]: Starting on /dev/tty
<primary>bridge</primary>
</indexterm>
- <para>It is sometimes useful to divide one physical network,
- such as an Ethernet segment, into two separate network
+ <para>It is sometimes useful to divide a network,
+ such as an Ethernet segment, into network
segments without having to create <acronym>IP</acronym>
subnets and use a router to connect the segments together.
A device that connects two networks together in this fashion
- is called a <quote>bridge</quote>. A &os; system with two
- network interface cards can act as a bridge.</para>
+ is called a <quote>bridge</quote>.</para>
- <para>The bridge works by learning the <acronym>MAC</acronym>
- layer (Ethernet) addresses of the devices on each of its
- network interfaces. It forwards traffic between two networks
- only when the source and destination are on different
- networks.</para>
+ <para>A bridge works by learning the <acronym>MAC</acronym>
+ addresses of the devices on each of its
+ network interfaces. It forwards traffic between networks
+ only when the source and destination <acronym>MAC</acronym> addresses are on different
+ networks. In many respects, a bridge is like an Ethernet switch with
+ very few ports. A &os; system with multiple
+ network interfaces can be configured to act as a bridge.</para>
- <para>In many respects, a bridge is like an Ethernet switch with
- very few ports.</para>
-
- <para>Bridging may be appropriate in the following situaitons:</para>
+ <para>Bridging can be useful in the following situations:</para>
<variablelist>
<varlistentry>
<term>Connecting Networks</term>
<listitem>
<para>The basic operation of a bridge is to join two or more
- network segments together. There are many reasons to use a
- host based bridge over plain networking equipment such as
- cabling constraints, firewalling, or connecting pseudo
- networks such as a virtual machine interface. A bridge can
+ network segments. There are many reasons to use a
+ host-based bridge instead of networking equipment, such as
+ cabling constraints or firewalling. A bridge can
also connect a wireless interface running in hostap mode to
a wired network and act as an access point.</para>
</listitem>
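Review bot: the rewritten opening sentence in this hunk loses its count and now reads "divide a network, such as an Ethernet segment, into network segments", which is circular; suggest "divide a network, such as an Ethernet segment, into multiple network segments". Further down, dropping "connecting pseudo networks such as a virtual machine interface" from the Connecting Networks entry removes the use case most readers of this section are likely to have (bridging a virtual machine interface onto a physical segment); consider keeping it after "cabling constraints or firewalling".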
@@ -2884,39 +2881,25 @@ rfcomm_sppd[94692]: Starting on /dev/tty
<varlistentry>
<term>Filtering/Traffic Shaping Firewall</term>
<listitem>
- <para>A common situation is where firewall functionality is
+ <para>A bridge can be used when firewall functionality is
needed without routing or Network Address Translation
(<acronym>NAT</acronym>).</para>
<para>An example is a small company that is connected via
<acronym>DSL</acronym>
or <acronym>ISDN</acronym> to an <acronym>ISP</acronym>.
- There are thirteen globally-accessible <acronym>IP</acronym>
+ There are thirteen public <acronym>IP</acronym>
addresses from the <acronym>ISP</acronym> and ten computers
on the network. In this situation, using a router-based
- firewall is difficult because of subnetting issues.</para>
-
- <indexterm>
- <primary>router</primary>
- </indexterm>
- <indexterm>
- <primary><acronym>DSL</acronym></primary>
- </indexterm>
- <indexterm>
- <primary><acronym>ISDN</acronym></primary>
- </indexterm>
-
- <para>A bridge-based firewall can be configured and dropped
- into the path just downstream of the <acronym>DSL</acronym>
- or <acronym>ISDN</acronym> router without any
- <acronym>IP</acronym> numbering issues.</para>
+ firewall is difficult because of subnetting issues. A bridge-based firewall can be configured without any
+ <acronym>IP</acronym> addressing issues.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Network Tap</term>
<listitem>
- <para>A bridge can join two network segments and be used to
+ <para>A bridge can join two network segments in order to
inspect all Ethernet frames that pass between them using
&man.bpf.4; and &man.tcpdump.1; on the bridge interface or
by sending a copy of all frames out an additional interface
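Review bot: the merged sentence at the end of the Filtering/Traffic Shaping entry now says a bridge-based firewall "can be configured without any IP addressing issues" but no longer says why: the deleted text explained that it is dropped into the path just downstream of the DSL or ISDN router, i.e. it filters transparently at layer 2 and needs no address of its own from the public range. Keep that placement detail, since it is the property that makes the example (thirteen public addresses, ten computers) work without subnetting. The three removed <indexterm> entries (router, DSL, ISDN) were the only index pointers into this example; if trimming them is intentional, fine, but it is a loss of index coverage rather than an editorial change.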
@@ -2938,41 +2921,34 @@ rfcomm_sppd[94692]: Starting on /dev/tty
<term>Layer 2 Redundancy</term>
<listitem>
<para>A network can be connected together with multiple links
- and use the Spanning Tree Protocol <acronym>STP</acronym>
- to block redundant paths. For an Ethernet network to
- function properly, only one active path can exist between
- two devices. <acronym>STP</acronym> will detect loops and
- put the redundant links into a blocked state. Should one
- of the active links fail, <acronym>STP</acronym> will
- calculate a different tree and enable one of the blocked
- paths to restore connectivity to all points in the
- network.</para>
+ and use the Spanning Tree Protocol (<acronym>STP</acronym>)
+ to block redundant paths.</para>
</listitem>
</varlistentry>
</variablelist>
- <para>This section covers the &man.if.bridge.4; implementation.
+ <para>This section describes how to configure a &os; system as a
+ bridge using &man.if.bridge.4;.
A netgraph bridging driver is also available, and is described
in &man.ng.bridge.4;.</para>
- <para>In &os;, &man.if.bridge.4; is a kernel module which is
- automatically loaded by &man.ifconfig.8; when creating a
- bridge interface. It is also possible to compile the bridge
- in to the kernel by adding <literal>device if_bridge</literal>
- to a custom kernel configuration file.</para>
-
+ <note>
<para>Packet filtering can be used with any firewall package
- that hooks in via the &man.pfil.9; framework. The firewall
- can be loaded as a module or compiled into the kernel.</para>
-
- <para>The bridge can be used as a traffic shaper with
+ that hooks into the &man.pfil.9; framework. The bridge can be used as a traffic shaper with
&man.altq.4; or &man.dummynet.4;.</para>
+ </note>
<sect2>
<title>Enabling the Bridge</title>
+ <para>In &os;, &man.if.bridge.4; is a kernel module which is
+ automatically loaded by &man.ifconfig.8; when creating a
+ bridge interface. It is also possible to compile bridge support
+ into a custom kernel by adding <literal>device if_bridge</literal>
+ to the custom kernel configuration file.</para>
+
<para>The bridge is created using interface cloning. To create
- a bridge use &man.ifconfig.8;:</para>
+ the bridge interface:</para>
<screen>&prompt.root; <userinput>ifconfig bridge create</userinput>
bridge0
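Review bot: the Layer 2 Redundancy entry is reduced to one sentence and the explanation of how STP blocks and re-enables links moves to the Enabling Spanning Tree subsection, but nothing in the entry points the reader there; add an <xref> to that subsection (it will need an id attribute if it has none). In the new <note>, "any firewall package that hooks into the pfil(9) framework" is now the only statement of which firewalls can filter on a bridge; the deleted sentence that the firewall can be loaded as a module or compiled into the kernel could stay, since readers arriving from the firewall chapter will look for it here.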
@@ -2992,7 +2968,7 @@ bridge0: flags=8802<BROADCAST,SIMPLEX
The other parameters control how <acronym>STP</acronym>
operates.</para>
- <para>Next, add the member network interfaces to the bridge.
+ <para>Next, specify which network interfaces to add as members of the bridge.
For the bridge to forward packets, all member interfaces and
the bridge need to be up:</para>
@@ -3000,7 +2976,7 @@ bridge0: flags=8802<BROADCAST,SIMPLEX
&prompt.root; <userinput>ifconfig fxp0 up</userinput>
&prompt.root; <userinput>ifconfig fxp1 up</userinput></screen>
- <para>The bridge is now forwarding Ethernet frames between
+ <para>The bridge can now forward Ethernet frames between
<filename>fxp0</filename> and
<filename>fxp1</filename>. Add the following lines to
<filename>/etc/rc.conf</filename> so the bridge is created
@@ -3012,17 +2988,20 @@ ifconfig_fxp0="up"
ifconfig_fxp1="up"</programlisting>
<para>If the bridge host needs an <acronym>IP</acronym>
- address, the correct place to set this is on the bridge
- interface itself rather than one of the member interfaces.
- This can be set statically or via
- <acronym>DHCP</acronym>:</para>
+ address, set it on the bridge
+ interface, not on the member interfaces.
+ The address can be set statically or via
+ <acronym>DHCP</acronym>. This example sets a static
+ <acronym>IP</acronym> address:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen>
<para>It is also possible to assign an <acronym>IPv6</acronym>
- address to a bridge interface.</para>
+ address to a bridge interface. To make the changes permanent,
+ add the addressing information to
+ <filename>/etc/rc.conf</filename>.</para>
- <note>
+ <note>
<para>When packet filtering is enabled, bridged packets will
pass through the filter inbound on the originating interface
on the bridge interface, and outbound on the appropriate
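Review bot: the new sentence "To make the changes permanent, add the addressing information to /etc/rc.conf" leaves the reader to guess the variable name, whereas the listing just above already shows ifconfig_fxp0="up" and ifconfig_fxp1="up"; show the matching line for the bridge, e.g. ifconfig_bridge0="inet 192.168.0.1/24", so the static example and the persistent configuration agree. The <note> line at the end of this hunk changes only in whitespace; keeping such lines out of editorial commits keeps the diff easier to review.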
@@ -3038,16 +3017,24 @@ ifconfig_fxp1="up"</programlisting>
</sect2>
<sect2>
- <title>Spanning Tree</title>
+ <title>Enabling Spanning Tree</title>
+
+ <para>For an Ethernet network to
+ function properly, only one active path can exist between
+ two devices. The <acronym>STP</acronym> protocol detects loops and
+ puts redundant links into a blocked state. Should one
+ of the active links fail, <acronym>STP</acronym>
+ calculates a different tree and enables one of the blocked
+ paths to restore connectivity to all points in the
+ network.</para>
- <para>The bridge driver implements the Rapid Spanning Tree
- Protocol (<acronym>RSTP</acronym> or 802.1w) with backwards
+ <para>The Rapid Spanning Tree
+ Protocol (<acronym>RSTP</acronym> or 802.1w) provides backwards
compatibility with legacy <acronym>STP</acronym>.
- <acronym>STP</acronym> is used to detect and remove loops
- in a network topology. <acronym>RSTP</acronym> provides
- faster convergence than legacy <acronym>STP</acronym>, the
- protocol will exchange information with neighboring switches
- to quickly transition to forwarding without creating loops.
+ <acronym>RSTP</acronym> provides
+ faster convergence and
+ exchanges information with neighboring switches
+ to quickly transition to forwarding mode without creating loops.
&os; supports <acronym>RSTP</acronym> and
<acronym>STP</acronym> as operating modes, with
<acronym>RSTP</acronym> being the default mode.</para>
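Review bot: "The STP protocol detects loops" expands to "the Spanning Tree Protocol protocol"; write "STP detects loops". The following paragraph repeats "provides" in consecutive sentences ("RSTP ... provides backwards compatibility ... RSTP provides faster convergence"); merge them, e.g. "RSTP (802.1w) is backwards compatible with legacy STP, converges faster, and exchanges information with neighboring switches to quickly transition to forwarding mode without creating loops." Dropping "The bridge driver implements" from the first sentence also removes the statement that if_bridge(4) itself implements RSTP, which the closing sentence ("FreeBSD supports RSTP and STP as operating modes") only partly restores.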
@@ -3098,74 +3085,67 @@ bridge0: flags=8843<UP,BROADCAST,RUNN
<literal>400000</literal> from this bridge. The path to the
root bridge is via <literal>port 4</literal> which is
<filename>fxp0</filename>.</para>
+ </sect2>
- <note>
+ <sect2>
+ <title>Bridge Interface Parameters</title>
+
+ <para>Several <command>ifconfig</command> parameters are unique
+ to bridge interfaces. This section summarizes some common
+ uses for these parameters. The complete list of available parameters is
+ described in &man.ifconfig.8;.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>private</term>
+ <listitem>
<para>A private interface does not forward any traffic to any
- other port that is also a private interface. The traffic is
+ other port that is also designated as a private interface. The traffic is
blocked unconditionally so no Ethernet frames will be
- forwarded, including <acronym>ARP</acronym>. If traffic
+ forwarded, including <acronym>ARP</acronym> packets. If traffic
needs to be selectively blocked, a firewall should be used
instead.</para>
- </note>
- </sect2>
-
- <sect2>
- <title>Reconstructing Traffic Flows</title>
-
- <para>The bridge supports monitor mode, where the packets are
- discarded after &man.bpf.4; processing and are not
- processed or forwarded further. This can be used to
- multiplex the input of two or more interfaces into a single
- &man.bpf.4; stream. This is useful for reconstructing the
- traffic for network taps that transmit the RX/TX signals out
- through two separate interfaces.</para>
-
- <para>To read the input from four network interfaces as one
- stream:</para>
-
- <screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up</userinput>
-&prompt.root; <userinput>tcpdump -i bridge0</userinput></screen>
- </sect2>
-
- <sect2>
- <title>Span Ports</title>
+ </listitem>
+ </varlistentry>
- <para>A copy of every Ethernet frame received by the bridge
- will be transmitted out a designated span port. The number
+ <varlistentry>
+ <term>span</term>
+ <listitem>
+ <para>A span port transmits a copy of every Ethernet frame received by the bridge.
+ The number
of span ports configured on a bridge is unlimited, but if an
interface is designated as a span port, it cannot also be
used as a regular bridge port. This is most useful for
snooping a bridged network passively on another host
- connected to one of the span ports of the bridge.</para>
-
- <para>To send a copy of all frames out the interface named
+ connected to one of the span ports of the bridge. For
+ example, to send a copy of all frames out the interface named
<filename>fxp4</filename>:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 span fxp4</userinput></screen>
- </sect2>
-
- <sect2>
- <title>Sticky Interfaces</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>sticky</term>
+ <listitem>
<para>If a bridge member interface is marked as sticky,
dynamically learned address entries are treated at static
- once entered into the forwarding cache. Sticky entries are
+ entries in the forwarding cache. Sticky entries are
never aged out of the cache or replaced, even if the address
is seen on a different interface. This gives the benefit of
static address entries without the need to pre-populate the
forwarding table. Clients learned on a particular segment
of the bridge can not roam to another segment.</para>
- <para>Another example of using sticky addresses is to combine
- the bridge with <acronym>VLAN</acronym>s to create a router
- where customer networks are isolated without wasting
+ <para>An example of using sticky addresses is to combine
+ the bridge with <acronym>VLAN</acronym>s in order to isolate
+ customer networks without wasting
<acronym>IP</acronym> address space. Consider that
<systemitem class="fqdomainname">CustomerA</systemitem> is
- on <literal>vlan100</literal> and <systemitem
+ on <literal>vlan100</literal>, <systemitem
class="fqdomainname">CustomerB</systemitem> is on
- <literal>vlan101</literal>. The bridge has the address
- <systemitem class="ipaddress">192.168.0.1</systemitem> and
- is also an Internet router.</para>
+ <literal>vlan101</literal>, and the bridge has the address
+ <systemitem class="ipaddress">192.168.0.1</systemitem>:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101</userinput>
&prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen>
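Review bot: the sticky entry carries a pre-existing typo that this hunk touches but does not fix: "dynamically learned address entries are treated at static entries" should read "treated as static entries", and "can not roam" should be "cannot roam". In the private entry, "other port that is also designated as a private interface" mixes port and interface; use one term throughout, e.g. "does not forward any traffic to any other interface that is also designated as private". The three new <term> elements name ifconfig(8) parameters, so consider wrapping them in <literal> as the chapter already does for port 4 and vlan100.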
@@ -3185,10 +3165,6 @@ bridge0: flags=8843<UP,BROADCAST,RUNN
<para>The customers are completely isolated from each other
and the full <systemitem class="netmask">/24</systemitem>
address range can be allocated without subnetting.</para>
- </sect2>
-
- <sect2>
- <title>Address Limits</title>
<para>The number of unique source <acronym>MAC</acronym>
addresses behind an interface can be limited. Once the
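Review bot: removing the Address Limits <sect2> without adding a corresponding <varlistentry> leaves the ifmaxaddr paragraph inside the sticky entry's <listitem>, which the closing tags in the next hunk confirm. ifmaxaddr is a separate parameter and limits the number of learned source MAC addresses whether or not the interface is sticky, so give it its own <term>ifmaxaddr</term> entry in the variablelist.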
@@ -3202,7 +3178,23 @@ bridge0: flags=8843<UP,BROADCAST,RUNN
<literal>vlan100</literal> to 10:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 ifmaxaddr vlan100 10</userinput></screen>
- </sect2>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>Bridge interfaces also support monitor mode, where the packets are
+ discarded after &man.bpf.4; processing and are not
+ processed or forwarded further. This can be used to
+ multiplex the input of two or more interfaces into a single
+ &man.bpf.4; stream. This is useful for reconstructing the
+ traffic for network taps that transmit the RX/TX signals out
+ through two separate interfaces. For example,
+ to read the input from four network interfaces as one
+ stream:</para>
+
+ <screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up</userinput>
+&prompt.root; <userinput>tcpdump -i bridge0</userinput></screen>
+</sect2>
<sect2>
<title><acronym>SNMP</acronym> Monitoring</title>
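Review bot: the monitor mode paragraph is moved to a loose paragraph after </variablelist>, but monitor is an ifconfig(8) bridge parameter just like private, span and sticky; a <term>monitor</term> entry in the same variablelist would make the section consistent and keep the four-interface example next to the parameter it demonstrates. The closing </sect2> on the last added line has no indentation while the matching <sect2> is indented; re-indent it to match.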
@@ -3210,19 +3202,30 @@ bridge0: flags=8843<UP,BROADCAST,RUNN
<para>The bridge interface and <acronym>STP</acronym>
parameters can be monitored via &man.bsnmpd.1; which is
included in the &os; base system. The exported bridge
- <acronym>MIB</acronym>s conform to the
+ <acronym>MIB</acronym>s conform to
<acronym>IETF</acronym> standards so any
<acronym>SNMP</acronym> client or monitoring package can be
used to retrieve the data.</para>
- <para>On the bridge, uncomment the
- <literal>begemotSnmpdModulePath."bridge" =
- "/usr/lib/snmp_bridge.so"</literal> line from
- <filename>/etc/snmp.config</filename> and start
- &man.bsnmpd.1;. Other configuration, such as community
- names and access lists, may need to be modified. See
+ <para>To enable monitoring on the bridge, uncomment this
+ line in
+ <filename>/etc/snmp.config</filename> by removing the
+ beginning <literal>#</literal> symbol:</para>
+
+ <programlisting>begemotSnmpdModulePath."bridge" = "/usr/lib/snmp_bridge.so"</programlisting>
+
+ <para>Other configuration settings, such as community
+ names and access lists, may need to be modified in this file. See
&man.bsnmpd.1; and &man.snmp.bridge.3; for more
- information.</para>
+ information. Once these edits are saved, add this line to
+ <filename>/etc/rc.conf</filename>:</para>
+
+ <programlisting>bsnmpd_enable="YES"</programlisting>
+
+ <para>Then, start
+ &man.bsnmpd.1;:</para>
+
+ <screen>&prompt.root; <userinput>service bsnmpd start</userinput></screen>
<para>The following examples use the
<application>Net-SNMP</application> software
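Review bot: now that this hunk turns the SNMP paragraph into a start-up procedure (enable in rc.conf, then service bsnmpd start), the sentence "Other configuration settings, such as community names and access lists, may need to be modified" is too soft: bsnmpd(1) ships with default community strings, and the bridge module exposes the forwarding table and STP state to any client that can reach the daemon, so the text should tell the reader to change the community strings and restrict the access lists before adding bsnmpd_enable="YES". Please also double-check the filename carried over from the old text: bsnmpd(1) reads /etc/snmpd.config, not /etc/snmp.config.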