INTRODUCTION

 

niccard

A bridge is a way to connect two Ethernet  segments together in a protocol independent way. Packets are forwarded based on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.

The Linux bridge code implements a subset of the ANSI/IEEE 802.1d standard. The original Linux bridging was first done in Linux 2.2, then rewritten by Lennert Buytenhek. The code for bridging has been integrated into 2.4 and 2.6 kernel series.

A Linux bridge is more powerful than a pure hardware bridge because it can also filter and shape traffic.

Kernel Configuration

You need to enable bridging in the kernel. Set “networking -> 802.1d Ethernet Bridging” to either yes or module

Manual Configuration

Network cards

Before you start make sure both network cards are set up and working properly. Don’t set the IP address, and don’t let the startup scripts run DHCP on the ethernet interfaces either. The IP address needs to be set after the bridge has been configured.

The command ifconfig should show both network cards, and they should be DOWN.

Module loading

In most cases, the bridge code is built as a module. If the module is configured and installed correctly, it will get automatically loaded on the first brctl command.

If your bridge-utilities have been correctly built and your kernel and bridge-module are OK, then issuing a brctl should show a small command synopsis.

#brctl


 

Creating a bridge device

The command

  #brctl addbr “bridgename”

creates a logical bridge instance with the name bridgename. You will need at least one logical instance to do any bridging at all. You can interpret the logical bridge as a container for the interfaces taking part in the bridging. Each bridging instance is represented by a new network interface. The corresponding shutdown command is:

  #brctl delbr bridgename

 

 

Adding devices to a bridge

The command

  #brctl addif bridgename device

adds the network device device to take part in the bridging of “bridgename.” All the devices contained in a bridge act as one big network. It is not possible to add a device to multiple bridges or bridge a bridge device, because it just wouldn’t make any sense! The bridge will take a short amount of time when a device is added to learn the Ethernet addresses on the segment before starting to forward. The corresponding command to take an interface out of the bridge is:

  #brctl delif  bridgename device

 

 

Showing devices in a bridge

The brctl show command gives you a summary about the overall bridge status, and the instances running as shown below:

    #brctl addbr br0
    #brctl addif br0 eth0
    #brctl addif br0 eth1
    #brctl show bridge name
     bridge id               STP                               enabled     interfaces
     br0           8000.00004c9f0bd2             no                 eth0
                                                                                                        eth1

Once a bridge is running the brctl showmacs will show information about network addresses of traffic being forwarded (and the bridge itself).

    #brctl showmacs br0
       port no                            mac addr                is local                ageing timer
        1                                00:00:4c:9f:0b:ae       no                        17.84 1
                                          00:00:4c:9f:0b:d2       yes                      0.00 2
                                          00:00:4c:9f:0b:d3       yes                      0.00 1
                                          00:02:55:1a:35:09       no                        53.84 1
                                           00:02:55:1a:82:87       no                       11.53
 NOTE:The aging time is the number of seconds a MAC address will be kept in the forwarding database after having received a packet from this MAC address. The entries in the forwarding database are periodically timed out to ensure they won't stay around forever. Normally there should be no need to modify this parameter, but it can be changed with (time is in seconds).

#brctl setageing bridgename time

Setting ageing time to zero makes all entries permanent.

Spanning Tree Protocol

If you are running multiple or redundant bridges, then you need to enable the Spanning Tree Protocol (STP) to handle multiple hops and avoid cyclic routes.

#brctl stp br0 on

You can see the STP parameters with:

 #brctl showstp br0

Br0

bridge id              8000.00004c9f0bd2

designated root        0000.000480295a00

root port                        1                          path cost                     104

max age                        20.00              bridge max age            200.00

hello time                      2.00               bridge hello time          20.00

forward delay                 150.00       bridge forward delay     15.00

ageing time                    300.00         gc interval                   0.00

hello timer                      0.00              tcn timer                      0.00

topology change timer     0.00           gc timer                      0.33

flags

eth0 (1)

port id                                        8001                            state                                        forwarding

designated root        0000.000480295a00       path cost                              100

designated bridge    001e.00048026b901   message age timer                 17.84

designated port        80c1                                      forward delay timer                0.00

designated cost        4                                                      hold timer                         0.00

flags

eth1 (2)

port id                     8002                                                 state                   disabled

designated root        8000.00004c9f0bd2       path cost                 100

designated bridge     8000.00004c9f0bd2    message age timer   0.00

designated port        8002                                    forward delay timer  0.00

designated cost           0                                             hold timer                0.00

flags

STP tuning

There are a number of parameters related to the Spanning Tree Protocol that can be configured. The code autodetects the speed of the link and other parameters, so these usually don’t need to be changed.

Bridge priority

Each bridge has a relative priority and cost. Each interface is associated with a port (number) in the STP code. Each has a priority and a cost, that is used to decide which is the shortest path to forward a packet. The lowest cost path is always used unless the other path is down. If you have multiple bridges and interfaces then you may need to adjust the priorities to achieve optimium performance.

#brctl setbridgeprio bridgename priority

The bridge with the lowest priority will be elected as the root bridge. The root bridge is the “central” bridge in the spanning tree.

Path priority and cost

Each interface in a bridge could have a different speed and this value is used when deciding which link to use. Faster interfaces should have lower costs.

#brctl setpathcost bridge port cost

For multiple ports with the same cost there is also a priority

Forwarding delay
Forwarding delay time is the time spent in each of the Listening and Learning states before the Forwarding state is entered. This delay is so that when a new bridge comes onto a busy network it looks at some traffic before participating.

#brctl setfd bridgename time

Hello time

Periodically, a hello packet is sent out by the Root Bridge and the Designated Bridges. Hello packets are used to communicate information about the topology throughout the entire Bridged Local Area Network.

#brctl sethello bridgename time

Max age

If a another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead. This timeout is set with:

#brctl maxage  bridgename time

Sample setup

The basic setup of a bridge is done like:

#ifconfig eth0 0.0.0.0

#ifconfig eth1 0.0.0.0

#brctl addbr br0

#brctl addif br0 eth0

#brctl addif br0 eth1

#ifconfig br0 up

This will set the host up as a pure bridge, it will not have an IP address for itself, so it can not be remotely accessed (or hacked) via TCP/IP.

Optionally you can configure the virtual interface mybridge to take part in your network. It behaves like one interface (like a normal network card). Exactly that way you configure it, replacing the previous command with something like:

#ifconfig br0 192.168.31.1 netmask 255.255.255.0

If you want your bridge to automatically get its IP address from the ADSL modem via DHCP (or a similar configuration), do this:

#ifconfig eth0 0.0.0.0

#ifconfig eth1 0.0.0.0

#brctl addbr br0

#brctl addif br0 eth0

#brctl addif br0 eth1

# dhclient br0

If you do this many times, you may end up with lots of dhclient processes.

Configuration with /etc/net

In    /etc/net    we  first configure two Ethernet  devices port0 and port1:

#cat  >> /etc/net/iftab
Port0   mac   00:13:46:66:01:5e
Port1  mac    00:13:46:66:01:5f

#mkdir  /etc/net/ifaces/port0

#cat  >  /etc/net/ifaces/port1/options
TYPE=eth
MODULE=via-rhine

#mkdir  /etc/net/ifaces/port1

#cat  >  /etc/net/ifaces/port1/options
TYPE=eth
MODULE=via-rhine

Then we describe the bridge:

#mkdir  /etc/net/ifaces/br0

#cat   >  /etc/net/ifaces/br0/options
TYPE=bri
HOST=’port0 port1’

#cat  >  /etc/net/ifaces/br0/brctl
Stp AUTO  on

Description: a network bridge is a forwarding technique very useful when you have to deal with virtualization and you want to give your virtual machines direct access to your real network, without using NAT.

In this example, I’m going to use a bridge (br0) to access a wired network interface (eth1). I use eth1 for the bridge instead of eth0 because I prefer to use the first network interface to access the machine using SSH and fix any problems that could appear while configuring the bridge.

INSTALLATION

# yum install bridge-utils

#vi /etc/sysconfig/network-script/ifcfg-eth1

DEVICE=eth1
HWADDR=00:11:22:33:44:55
ONBOOT=yes
BRIDGE=br0

#vi /etc/sysconfig/network-scripts/ifcfg-br0

DEVICE=br0
TYPE=Bridge
ONBOOT=yes
DELAY=0
BOOTPROTO=static
BROADCAST=192.168.31.255
IPADDR=192.168.31.1
NETMASK=255.255.255.0
NETWORK=192.168.31.0
GATEWAY=192.168.31.1

#vi /etc/sysctl.conf

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

This improves the bridge’s performance. I recommend to use packet filtering in the computers which connect through the bridge, but not in the bridge itself

 #sysctl -p /etc/sysctl.conf

#service network restart

#chkconfig NetworkManager off

#chkconfig network on

#service NetworkManager stop