4/23/2016 Ethernet Bridges under Linux - iomem

Ethernet Bridges under Linux
iomem

Saturday, May 13. 2006

Ten years ago, shortly after I started my first job as a network programmer at an Australian university, I received a call from a person working in one faculty who was having some network difficulties. All of their computers were connected together by 50 ohm coaxial cable ethernet, and two of the computers on this network sent a considerable amount of data to each other.

This data, naturally, was echoed along the entire network cable and was the primary cause of delays and packet loss to other users of the network. The caller wanted to know of a way to solve this problem. My manager suggested the use of a bridge: the two noisy computers could be placed behind this device and their traffic to each other would be confined to their segment. This solution was particularly attractive as it would not require any other changes to the network or the network numbering; it could be inserted and would work immediately.

For a number of years now, the Linux kernel has had the ability to turn any host with more than one network interface into a bridge. This article explains how it works.

What is bridging?

Bridging is the process of transparently connecting two network segments together, so that packets can pass between the two as if they were a single logical network. Bridging is performed on the data link layer, hence it is independent of the network protocol being used: it doesn't matter if you use IP, Appletalk, Netware or any other protocol, as the bridge operates upon the raw ethernet packets.

Typically, in a non-bridged situation, a computer with two network cards would be connected to a separate network on each. While the computer itself may or may not route packets between the two, in the IP realm each network interface would have a different address and different network number. When bridging is used, however, each network segment is effectively part of the same logical network, the two network cards are logically merged into a single bridge device, and devices connected to both network segments are assigned addresses from the same network address range.

Only those packets that need to cross from one segment of the network to another are passed from one physical interface to the other. A bridge will learn the MAC addresses of the equipment attached to each of its segments, so that it can determine which packets need to be retransmitted. This makes bridges ideal for reducing traffic on heavy networks, by segmenting off any devices that talk to each other frequently.

These days almost all newly deployed networks would use a dedicated bridging device called a switch. This device is effectively a network hub with a bridge segment on every port. All segments are considered to be on the same network, but traffic between two segments is not broadcast to every segment; rather, it is confined only to those two segments themselves.
Why use bridging?

There's probably not much point using a Linux box as a dedicated bridge or switch: switches are now available very cheaply and are much quieter and considerably more power efficient than your average PC.

Additionally, any interface that is part of a bridge must be in promiscuous mode so that it will receive packets that aren't specifically destined for it; this will increase the load on the machine. For this reason, it is better to use a dedicated machine for bridging rather than one that has other important functions.

That said, there are many things that the Linux bridging code can do which aren't possible with commodity switches: bridging one of your ethernet networks with a ppp interface, for example, or bridging together a number of virtual private networks.

Just recently, I had a need to be able to snoop the traffic between an ADSL router and a small embedded VOIP device. The router's functionality was quite limited, so it wasn't able to do this itself; instead, I grabbed a PC with Linux on it, put an extra ethernet card in it, and bridged the network between the router and the VOIP device. This let traffic flow unimpeded, and I was able to see what was passing by running tcpdump on the Linux box.

Linux Bridging Support

Support for bridging has been available in stable Linux kernels from version 2.4.0 onwards. Previously, patches were available for versions 2.2, however these are no longer maintained for newer 2.2.x releases.

Kernel configuration
If you're using a distribution-supplied kernel, chances are that you already have support for Ethernet bridges on your system. Most likely it will be compiled as a module, in which case you will need to load it before you can use it:

# modprobe bridge

If you need to recompile your kernel, you will need to set the 'CONFIG_BRIDGE' option to 'y' or 'm' during the configuration stage.

Userspace Tools

All the popular distributions have the bridging userspace tools already packaged for easy installation; under Debian, Ubuntu, Fedora, Redhat Enterprise and SuSE Linux, this package is called 'bridge-utils'. The package provides the 'brctl' command, which is used to control all of the Linux bridging capabilities discussed here.

If your system doesn't have a precompiled package available, you will need to download the source from the Linux ethernet bridging sourceforge page. At the time of writing, the latest stable version available of the bridge-utils package was 1.1.

Compilation and installation is quite straightforward:

# tar xzf bridge-utils-1.1.tar.gz
# cd bridge-utils-1.1
# ./configure --prefix=/usr/local
# make
# su
# make install

Other than the standard GNU autoconf options, there are no special compile-time directives to alter the behaviour of the bridge-utils package.

Creating and using bridges

For simplicity's sake, we will assume that we want to bridge together two ethernet networks, interfaces eth0 and eth1. Figure 1 shows a fairly basic network: our bridging linux box (bridge01) with two network segments, which have two Linux machines on each (linux01 and linux02 on the first, and linux03 and linux04 on the second).

Before we create the bridge, we should ensure that both interfaces are down, and have no IP address assigned to them:

# ifconfig eth0 0 down
# ifconfig eth1 0 down

Now, we can create the bridge interface. Here we see the use of the brctl 'addbr' command, which adds a bridge interface named 'br0'.

# brctl addbr br0

There are no restrictions on the interface name used for the bridge: any name can be used, as long as the system does not already have an interface with that name. The convention, however, is to name bridges br0, br1 and so forth.

Once the bridge interface has been created, we can add the real ethernet interfaces to it as ports:

# brctl addif br0 eth0
# brctl addif br0 eth1

That's all there is to it. At this point, we can now treat the bridge interface as we would any other network interface on a Linux box, so the first thing we can do is give it an address and bring it up on the network:

# ifconfig br0 10.1.9.1 netmask 255.255.255.0 broadcast 10.1.9.255 up

# ifconfig br0
br0       Link encap:Ethernet  HWaddr 10:00:01:04:71:06
          inet addr:10.1.9.1  Bcast:10.1.9.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:9442 (9.2 KiB)

The brctl command provides a 'show' function, so that it is possible to see the state of bridges on the machine:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.100001047106       yes             eth0
                                                        eth1

Of note is the "bridge id". This number is used with Spanning Tree Protocol, which will be discussed later on.

At this point, it should be possible to ping the client machines on each of the network segments, from the bridge:

bridge01:/# ping -c 1 -n 10.1.9.2
PING 10.1.9.2 (10.1.9.2) 56(84) bytes of data.
64 bytes from 10.1.9.2: icmp_seq=1 ttl=64 time=20.6 ms

bridge01:/# ping -c 1 -n 10.1.9.4
PING 10.1.9.4 (10.1.9.4) 56(84) bytes of data.
64 bytes from 10.1.9.4: icmp_seq=1 ttl=64 time=20.6 ms

It will also be possible to send traffic from one of the machines on one segment to a machine on the other segment:

linux01:/# ping -c 1 -n 10.1.9.5
PING 10.1.9.5 (10.1.9.5) 56(84) bytes of data.
64 bytes from 10.1.9.5: icmp_seq=1 ttl=64 time=20.6 ms

More importantly, it can be seen that for traffic between two devices on a single network segment, the bridge will confine the traffic to that segment. This can be seen by running tcpdump on, say, linux03, while sending ICMP packets from linux01 to linux02.

linux03:/# tcpdump -ni eth0 icmp

linux01:/# ping -n 10.1.9.3
PING 10.1.9.3 (10.1.9.3) 56(84) bytes of data.
64 bytes from 10.1.9.3: icmp_seq=1 ttl=64 time=20.6 ms

If the bridge is working correctly, linux03 should not see any of the traffic between linux01 and linux02, even though they are part of the same logical network.

On the other hand, if we were to send an ICMP packet to the broadcast address on the network, the bridge will pass this packet across to the second network segment:

linux01:/# ping -c 1 -b 10.1.9.255
WARNING: pinging broadcast address
PING 10.1.9.255 (10.1.9.255) 56(84) bytes of data.
64 bytes from 10.1.9.2: icmp_seq=1 ttl=64 time=0.251 ms

linux03:/# tcpdump -ni eth0 icmp
tcpdump: listening on eth0
19:39:48.273806 10.1.9.2 > 10.1.9.255: icmp: echo request (DF)
19:39:48.273965 10.1.9.4 > 10.1.9.2: icmp: echo reply
19:39:48.274582 10.1.9.5 > 10.1.9.2: icmp: echo reply

This tcpdump output shows the broadcast ICMP request from linux01, and two replies, one from linux03 and one from linux04. linux01 and linux02 would also have sent ICMP responses, as indeed would the bridge itself, since we configured it to have a broadcast address on this network.

It is worth mentioning at this point that it is perfectly possible for the bridge to be able to operate without having an IP address assigned to it. If this were the case, it would bridge packets between the two segments as shown above, but would not actually take part in any network exchanges on an IP level.

Using the 'showmacs' command, we can see a list of the devices on the network, along with the port to which they are connected:

bridge01:/# brctl showmacs br0
port no mac addr                is local?       ageing timer
  2     10:00:01:02:24:04       no                 0.49
  1     10:00:01:02:95:35       no                 0.98
  1     10:00:01:02:34:56       no                 3.84
  2     10:00:01:03:26:02       no                 9.19
  1     10:00:01:03:73:03       yes                0.00
  2     10:00:01:04:71:06       yes                0.00

This list displays the MAC addresses of the six ethernet cards connected to our bridged network: firstly the ethernet cards in each of our four client PCs (listed as not local) and then the two ethernet cards in our bridge itself (and hence, local).

The Ageing Time represents the period of time since the bridge last saw a packet from a device with a particular MAC address. After a certain amount of time has passed, the bridge will purge an address from its database. This is done to handle machines that might change ports over a period of time (for example, a laptop computer which is physically moved from one location to another).

The ageing timeout for a bridge can be changed with the 'setageingtime' command:

# brctl setageingtime br0 40

The above command would set a bridge to purge addresses after 40 seconds.
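
The learning, confining and ageing behaviour described above can be modelled in a few lines. This is an added example, not code from the article or from the Linux bridge implementation; the class name, the client MAC addresses and the frame timings are constructed for illustration, and the 40 second ageing time matches the command above.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningBridge:
    """Toy model of a bridge's forwarding database (not the kernel's code)."""

    def __init__(self, ports, ageing_time=300.0):
        self.ports = set(ports)
        self.ageing_time = ageing_time   # seconds, cf. 'brctl setageingtime'
        self.fdb = {}                    # MAC -> (port, time last seen)

    def expire(self, now):
        """Purge addresses not seen for longer than the ageing time."""
        stale = [mac for mac, (_, seen) in self.fdb.items()
                 if now - seen > self.ageing_time]
        for mac in stale:
            del self.fdb[mac]

    def receive(self, now, in_port, src, dst):
        """Learn the sender, then return the set of ports to transmit on."""
        self.expire(now)
        self.fdb[src] = (in_port, now)
        if dst != BROADCAST and dst in self.fdb:
            out_port = self.fdb[dst][0]
            # Same segment: keep the frame there. Other segment: one port only.
            return set() if out_port == in_port else {out_port}
        # Broadcast or unknown destination: flood to every other port.
        return self.ports - {in_port}

# Constructed MAC addresses for three of the clients in Figure 1.
LINUX01, LINUX02 = "10:00:01:00:00:01", "10:00:01:00:00:02"
LINUX04 = "10:00:01:00:00:04"

def demo():
    br = LearningBridge(ports={1, 2}, ageing_time=40.0)
    out = [
        br.receive(0.0, 1, LINUX01, BROADCAST),  # flooded to port 2
        br.receive(1.0, 1, LINUX02, LINUX01),    # both on port 1: confined
        br.receive(2.0, 2, LINUX04, LINUX01),    # crosses to port 1 only
        # linux02 is now moved to segment 2 and stays silent. Its stale
        # entry still points at port 1, so the bridge keeps the frame there:
        br.receive(10.0, 1, LINUX01, LINUX02),
        # After 40 s without traffic the entry is purged and the frame is
        # flooded, reaching linux02 at its new location:
        br.receive(45.0, 1, LINUX01, LINUX02),
    ]
    return out, sorted(br.fdb)

if __name__ == "__main__":
    frames, remaining = demo()
    for ports in frames:
        print(sorted(ports))
    print("still in database:", remaining)
```

In this model, as soon as the moved machine transmits a frame of its own, its entry is relearned on the new port without waiting for the timeout.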

Removing bridge ports and bridge interfaces.

If you need to remove a port from a bridge, brctl provides the 'delif' command:

# brctl delif br0 eth1

Should you want to delete a bridge completely, then use 'delbr'. You must shut the interface down before you can do this, however.

# ifconfig br0 down
# brctl delbr br0

Spanning Tree Protocol

Spanning Tree Protocol (STP) is used by switches to handle multiple bridge paths on a network. The ability to have multiple paths within a network handles, amongst other things, one serious flaw with our network as shown above: the bridge has become a single point of failure. Should it fail, the two sides of the network will be unable to talk to one another.

We can fix this easily by adding a second bridge, as shown in Figure 2. STP allows these two bridges to negotiate which will be active and which will be passive. The active bridge will take part in all packet transmission between the two segments, while the passive bridge will do nothing until its partner fails.

STP is considerably more complex than can be covered in an introductory article such as this, so we will cover only the basics.


As we saw earlier, every bridge has an id associated with it. This is an eight byte number, the first two bytes being the bridge priority, which we can set manually, and the next six bytes being the MAC address of the bridge. Under Linux, the default bridge priority is 32768. The bridge's MAC address is that of the lowest numbered MAC address of all the bridge's ports. We generally represent the bridge ID as a two part hexadecimal number, the bridge priority followed by the MAC address as the fractional part. For example, 8000.100001037303 is the ID of a bridge with a priority of 32768 (8000 hex) and a MAC address of 10:00:01:03:73:03.

In a network with multiple bridges, the bridge with the lowest bridge id will be "elected" to be the root bridge. The root bridge then determines a path cost for every redundant path in the network, and where path loops are discovered, certain bridge ports are placed in a "blocking" state, and these ports will no longer forward packets.

STP is off by default, under Linux. You can determine whether it has been turned on or off using "brctl show br0", as outlined above. The state can be changed using:

# brctl stp br0 on

or

# brctl stp br0 off

To see further information about STP settings on a bridge, use the "showstp" command:

bridge01# brctl showstp br0
br0
 bridge id              8000.100001037303
 designated root        8000.100001037303
 root port              0                       path cost               0
 max age                20.00                   bridge max age          20.00
 hello time             2.00                    bridge hello time       2.00
 forward delay          15.00                   bridge forward delay    15.00
 ageing time            300.00
 hello timer            0.17                    tcn timer               0.00
 topology change timer  0.00                    gc timer                0.00
 flags

eth0 (1)
 port id                8001                    state                   forwarding
 designated root        8000.100001037303       path cost               100
 designated bridge      8000.100001037303       message age timer       0.00
 designated port        8001                    forward delay timer     0.00
 designated cost        0                       hold timer              0.00
 flags

eth1 (2)
 port id                8002                    state                   forwarding
 designated root        8000.100001037303       path cost               100
 designated bridge      8000.100001037303       message age timer       0.00
 designated port        8002                    forward delay timer     0.00
 designated cost        0                       hold timer              0.00
 flags

We can see from the above that this bridge is the root bridge for its network (see "bridge id" and "designated root") and hence, both of its interfaces are in a forwarding state. If we run the same command on the second bridge, we will see a few differences:

bridge02# brctl showstp br0
br0
 bridge id              8000.100001087423
 designated root        8000.100001037303
 root port              1                       path cost               100
 max age                20.00                   bridge max age          20.00
 hello time             2.00                    bridge hello time       2.00
 forward delay          15.00                   bridge forward delay    15.00
 ageing time            300.00
 hello timer            0.00                    tcn timer               0.00
 topology change timer  0.00                    gc timer                238.59
 flags

eth1 (1)
 port id                8001                    state                   forwarding
 designated root        8000.100001037303       path cost               100
 designated bridge      8000.100001037303       message age timer       18.63
 designated port        8001                    forward delay timer     0.00
 designated cost        0                       hold timer              0.00
 flags

eth2 (2)
 port id                8002                    state                   blocking
 designated root        8000.100001037303       path cost               100
 designated bridge      8000.100001037303       message age timer       18.63
 designated port        8002                    forward delay timer     0.00
 designated cost        0                       hold timer              0.00
 flags

This bridge has an ID of 8000.100001087423, but its designated root value shows the id of the other bridge. This makes sense, since only one bridge can be the master on a network. We also see that one of its ports is listed as blocking. This is the whole point of STP: it removes loops on the network. If this bridge receives any packets that need to be sent across to a different network segment, it will ignore them, since the other bridge will handle them.

If, for some reason, you don't like the choice of a root master that your system has elected for itself, it is possible to alter the priority of one or more bridges using the 'setbridgeprio' command. Here, we set a bridge priority of 4096 (1000 hex).

# brctl setbridgeprio br0 4096

Looking at our bridges now, we will see that the bridge id has changed.

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             1000.100001047106       yes             eth0
                                                        eth1
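
The bridge ID layout and the root election described in this section, worked through with the article's own values. This is an added example, not code from the article or from bridge-utils; the function names are hypothetical, and applying the priority of 4096 to bridge02 is an assumption made for illustration.

```python
def mac_to_int(mac):
    """'10:00:01:03:73:03' -> integer value of the six bytes."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError("not a MAC address: %r" % mac)
    return int("".join(o.zfill(2) for o in octets), 16)

def bridge_id(priority, port_macs):
    """Eight-byte ID: two bytes of priority, then the lowest port MAC."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in two bytes")
    return (priority << 48) | min(mac_to_int(m) for m in port_macs)

def format_id(bid):
    """Render as brctl prints it, e.g. '8000.100001037303'."""
    return "%04x.%012x" % (bid >> 48, bid & 0xFFFFFFFFFFFF)

def parse_id(text):
    """Inverse of format_id: '8000.100001037303' -> (priority, mac_int)."""
    prio, mac = text.split(".")
    return int(prio, 16), int(mac, 16)

def elect_root(bridges):
    """bridges: name -> bridge ID integer. The lowest ID becomes root."""
    return min(bridges, key=bridges.get)

# bridge01's port MACs are the two 'local' entries of the showmacs listing.
# bridge02's port MACs are not given in the article, so the single MAC used
# here is the one embedded in its bridge id in the showstp output.
BRIDGE01_PORTS = ["10:00:01:04:71:06", "10:00:01:03:73:03"]
BRIDGE02_PORTS = ["10:00:01:08:74:23"]

def demo():
    ids = {"bridge01": bridge_id(32768, BRIDGE01_PORTS),
           "bridge02": bridge_id(32768, BRIDGE02_PORTS)}
    before = elect_root(ids)      # equal priority: the lower MAC wins
    # Assumed for illustration: 'brctl setbridgeprio br0 4096' run on bridge02.
    ids["bridge02"] = bridge_id(4096, BRIDGE02_PORTS)
    after = elect_root(ids)       # the priority bytes now decide the election
    return {name: format_id(b) for name, b in ids.items()}, before, after

if __name__ == "__main__":
    print(demo())
```

With equal priorities the MAC address decides the election, which is why bridge01 is the root in the showstp listings; lowering a bridge's priority overrides that regardless of its MAC.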

It's also possible to set a specific cost to a port. This may be required where, for example, a slower link has been automatically selected to be the designated port instead of a faster one and the operator wishes to override this. Links with lower costs will be selected for use, in preference to those with higher costs.

# brctl setpathcost br0 eth1 50

Depending on the topology of the bridge network, this may cause some of the bridge ports to change their status, from "forwarding" to "blocking". While this happens, part of the network may become unreachable for a short period of time, but it should stabilise and become available again within a minute.

For further information on Spanning Tree Protocol, please see the IEEE 802.1D specification.

Conclusion

Hopefully now you have a good grounding in the basics of Linux bridging and can now experiment with more complex arrangements on your own. You may find it handy to build a large number of virtual machines (eg, with User Mode Linux or QEMU), and bridge together their networks. This makes it very easy to create very involved topologies to investigate the concepts outlined above.

Posted by Paul in linux, network at 09:32