LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/BRIDGE-STP-HOWTO/advanced-bridge.html

724 lines
13 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>Advanced Bridge Features</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.63
"><LINK
REL="HOME"
TITLE="Linux BRIDGE-STP-HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Set Up The Bridge"
HREF="set-up-the-bridge.html"><LINK
REL="NEXT"
TITLE="A Practical Setup Example"
HREF="practical-example.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux BRIDGE-STP-HOWTO: About The Linux Modular Bridge And STP</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="set-up-the-bridge.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="practical-example.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="ADVANCED-BRIDGE"
>7. Advanced Bridge Features</A
></H1
><P
>Here we will cover some advanced features of the new bridge code.
</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="STP"
>7.1. Spanning Tree Protocol</A
></H2
><DIV
CLASS="FORMALPARA"
><P
><B
>Tell me... </B
> <P
></P
><UL
><LI
><P
>You are a networkadmin...?
</P
></LI
><LI
><P
>You have a switch on top of your ethernet tree...?
</P
></LI
><LI
><P
>You have nightmares of a switch emmiting smoke...?
</P
></LI
><LI
><P
>Your company is not extremely rich and con provide
another redundant switch just waiting for you to plug the
patchwires..?
</P
></LI
><LI
><P
>You don't feel like placing your bed close to your
main network node to plug the wires...?
</P
></LI
></UL
>
</P
></DIV
><DIV
CLASS="FORMALPARA"
><P
><B
>Don't wait until you're just another nervous wreck. </B
>Join linux bridge community and enjoy the relaxment a
stp-enabled inhouse scenario is offering to you.
</P
></DIV
><P
>Ok, let's leave that commercial and get back linux and the bridge.
Take a look on this small thread from the linux-bridge mailing list.
</P
><DIV
CLASS="QANDASET"
><H3
CLASS="TITLE"
>STP Thread from bridge@openrock.net (no more valid)</H3
><DL
><DT
> <A
HREF="advanced-bridge.html#AEN487"
>Could you give me some hints about multi-bridge scenarios.
</A
></DT
><DT
> <A
HREF="advanced-bridge.html#AEN506"
>Does the <SPAN
CLASS="ACRONYM"
>STP</SPAN
> <SPAN
CLASS="QUOTE"
>"heartbeat"</SPAN
> mechanism also work
with bridges with more than two cards?
</A
></DT
><DT
> <A
HREF="advanced-bridge.html#AEN515"
>How fast does it get up, and what can I do about it?
</A
></DT
></DL
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN487"
></A
><B
> </B
>Could you give me some hints about multi-bridge scenarios.
</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>You can just set up two <SPAN
CLASS="QUOTE"
>"mirrored"</SPAN
> bridges.
You have two network interfaces in your bridge?
Set up the mirror bridge so that it has two network interfaces
as well, and connect each of the interfaces to one subnet.
This will work without the need of configuration.
</P
><P
> <DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>Be sure that you have the spanning tree protocol
enabled.
If you didn't use <B
CLASS="COMMAND"
>brctl</B
>, this should
be fine, because in Linux, it is on by default.
To check, you could check whether the bridge sends a
packet to <TT
CLASS="COMPUTEROUTPUT"
>0180c2000000</TT
>
every 2 seconds.
If it does, the <SPAN
CLASS="ACRONYM"
>STP</SPAN
> is on.
The <SPAN
CLASS="ACRONYM"
>STP</SPAN
> is needed so that only one bridge will be active
at any given time.
</P
></BLOCKQUOTE
></DIV
>
<DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>To be able to see nicely formatted stp packages in your
network take a look at at the bridge homepage for the patches
to tcpdump.
</P
></BLOCKQUOTE
></DIV
>
</P
><P
> The <SPAN
CLASS="QUOTE"
>"master"</SPAN
> bridge will send out <SPAN
CLASS="ACRONYM"
>STP</SPAN
> packets every
2 seconds by default.
The <SPAN
CLASS="QUOTE"
>"slave"</SPAN
> bridge will receive these packets,
and will notice that the master is still up.
If the slave hasn't received a packet in 20 seconds (max.
message age parameter), it will start the takeover procedure.
From the moment the takeover procedure starts, it will take
about 30 seconds (twice the forward delay parameter) for the
bridge to become fully operational.
</P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN506"
></A
><B
> </B
>Does the <SPAN
CLASS="ACRONYM"
>STP</SPAN
> <SPAN
CLASS="QUOTE"
>"heartbeat"</SPAN
> mechanism also work
with bridges with more than two cards?
</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>Yes, it works with any number of interfaces.
You can invent bizarre topologies to your heart's desire.
You can use multiple (redundant) bridge-bridge connects,
you can insert loops, whatever.
The <SPAN
CLASS="ACRONYM"
>STP</SPAN
> code will always find the minimal spanning tree.
The bridge code will even deal with the loss of any number
of interfaces.
If there are two redundant bridges with identical connections,
the loss of an interface on one of the bridges will cause the
other bridge to take over forwarding to that specific
interface.
<EM
>Now isn't that great? :)</EM
>
</P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN515"
></A
><B
> </B
>How fast does it get up, and what can I do about it?
</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>If you think 50 seconds is too much -- and I guess you
should; alas, the IEEE specs gives us these default values
-- you can tweak these parameters.
If you set the hello time (the <SPAN
CLASS="ACRONYM"
>STP</SPAN
> packet interval) from 2 to 1
second, you can safely set the message age parameter to 4
seconds.
Then you can set the forward delay to 4 seconds, and this will
in total give you a takeover time of ~12 seconds.
</P
></DIV
></DIV
></DIV
><P
>The great thing which is made possible by <SPAN
CLASS="ACRONYM"
>STP</SPAN
> is
a redundant parallel bridging scenario, with automated take over
features.
Within a network basing on stp the bridges always try to send a
datagram the (by path cost) shortest path.
Only on that path the bridges are forwarding, all other paths between
this shortest way are blocked.
If there is a broken path, the bridges agree about the next shortest.
So doubled paths don't break the net, but are bringing more security...
For a example setup of a fail secured connection see
<A
HREF="practical-example.html"
>Section 8</A
>.
</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="IPCHAINS"
>7.2. Bridge And The IP-Chains</A
></H2
><P
>The normal idea about a bridge would not allow anything like
firewalling, but since several people have asked Lennert for ipchains
firewalling on bridge forwarding he implemented it.
</P
><DIV
CLASS="IMPORTANT"
><BLOCKQUOTE
CLASS="IMPORTANT"
><P
><B
>Important: </B
>If you want to do this, you will need to apply the
special ip-chain-bridge-patch (also available at
<A
HREF="http://www.math.leidenuniv.nl/~buytenh/bridge/"
TARGET="_top"
>the bridge homepage</A
>).
</P
></BLOCKQUOTE
></DIV
><P
>As soon you have everything up correctly, the bridging code will
check each to-be-forwarded packet against the ipchains chain which has
the same name as the bridge.
</P
><P
>So.. if a packet on eth0 is to be forwarded to eth1, and those
interfaces are both part of the bridge group br0, the
bridging code will check the packet against the chain called 'br0'.
</P
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
BORDER="1"
WIDTH="100%"
><TR
><TD
ALIGN="CENTER"
><B
>Warning</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
>If the chain does not exist, the packet will be forwarded.
So if you want to do firewalling, you'll have to create the chain
yourself.
</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="EXAMPLE"
><A
NAME="SIMPLE-FW-CONFIG"
></A
><P
><B
>Example 10. A Simple Bridge Firewall Setup</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>Example:
# brctl addbr <TT
CLASS="USERINPUT"
><B
>br0</B
></TT
> <A
NAME="IPCH-ADDBR"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
>
# brctl addif br0 eth0 <A
NAME="IPCH-ADDIF-ETH0"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
>
# brctl addif br0 eth1 <A
NAME="IPCH-ADDIF-ETH1"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
>
# ifconfig br0 10.0.0.254 <A
NAME="IPCH-IFCONFIG"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
>
# ipchains -N <TT
CLASS="USERINPUT"
><B
>br0</B
></TT
> <A
NAME="IPCH-ADDCHAIN"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
>
# ipchains -A br0 -s 10.0.0.1/8 -i eth0 -j DENY <A
NAME="IPCH-DEN-ETH0"
><IMG
SRC="../images/callouts/6.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(6)"></A
>
</PRE
></TD
></TR
></TABLE
><DIV
CLASS="CALLOUTLIST"
><DL
COMPACT="COMPACT"
><DT
><A
HREF="advanced-bridge.html#IPCH-ADDBR"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
></DT
><DD
>Creating a bridge interface named <TT
CLASS="USERINPUT"
><B
>br0</B
></TT
>
</DD
><DT
><A
HREF="advanced-bridge.html#IPCH-ADDIF-ETH0"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
><A
HREF="advanced-bridge.html#IPCH-ADDIF-ETH1"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
></DT
><DD
>Placing eth0 and eth1 into the bridge.
</DD
><DT
><A
HREF="advanced-bridge.html#IPCH-IFCONFIG"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
></DT
><DD
>Assigning a regular IP address to the bridge.
The IP is taken from private network 10.X.X.X (Class A).
</DD
><DT
><A
HREF="advanced-bridge.html#IPCH-ADDCHAIN"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
></DT
><DD
>Creating a ip-chain named <TT
CLASS="USERINPUT"
><B
>br0</B
></TT
>
</DD
><DT
><A
HREF="advanced-bridge.html#IPCH-ADDBR"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
><A
HREF="advanced-bridge.html#IPCH-ADDCHAIN"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
></DT
><DD
> <DIV
CLASS="CAUTION"
><P
></P
><TABLE
CLASS="CAUTION"
BORDER="1"
WIDTH="100%"
><TR
><TD
ALIGN="CENTER"
><B
>Caution</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
>It's vital to have the same name here
(<TT
CLASS="USERINPUT"
><B
>br0</B
></TT
> or whatever you have selected,
as long as you have the same in all places).
</P
></TD
></TR
></TABLE
></DIV
>
</DD
><DT
><A
HREF="advanced-bridge.html#IPCH-DEN-ETH0"
><IMG
SRC="../images/callouts/6.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(6)"></A
></DT
><DD
>Denying all trafic with source 10.X.X.X on eth0.
</DD
></DL
></DIV
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="set-up-the-bridge.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="practical-example.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Set Up The Bridge</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>A Practical Setup Example</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink