svn commit: r44160 - head/en_US.ISO8859-1/books/handbook/advanced-networking
Dru Lavigne
dru at FreeBSD.org
Thu Mar 6 19:40:14 UTC 2014
Author: dru
Date: Thu Mar 6 19:40:14 2014
New Revision: 44160
URL: http://svnweb.freebsd.org/changeset/doc/44160
Log:
Initial prep work for bridging chapter.
More commits to come.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Thu Mar 6 19:25:41 2014 (r44159)
+++ head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml Thu Mar 6 19:40:14 2014 (r44160)
@@ -2841,9 +2841,6 @@ rfcomm_sppd[94692]: Starting on /dev/tty
</authorgroup>
</info>
- <sect2>
- <title>Introduction</title>
-
<indexterm>
<primary><acronym>IP</acronym> subnet</primary>
</indexterm>
@@ -2867,17 +2864,13 @@ rfcomm_sppd[94692]: Starting on /dev/tty
<para>In many respects, a bridge is like an Ethernet switch with
very few ports.</para>
- </sect2>
- <sect2>
- <title>Situations Where Bridging Is Appropriate</title>
-
- <para>There are many common situations in which a bridge is used
- today.</para>
-
- <sect3>
- <title>Connecting Networks</title>
+ <para>Bridging may be appropriate in the following situaitons:</para>
+ <variablelist>
+ <varlistentry>
+ <term>Connecting Networks</term>
+ <listitem>
<para>The basic operation of a bridge is to join two or more
network segments together. There are many reasons to use a
host based bridge over plain networking equipment such as
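Review bot: typo in the added lead-in paragraph: "situaitons" should read "situations", i.e. `<para>Bridging may be appropriate in the following situations:</para>`. Because the old sentence "There are many common situations in which a bridge is used today." is dropped together with the `<sect2>` wrapper, this new line is now the only introduction to the list, so it is worth fixing before the follow-up commits land.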
@@ -2885,18 +2878,12 @@ rfcomm_sppd[94692]: Starting on /dev/tty
networks such as a virtual machine interface. A bridge can
also connect a wireless interface running in hostap mode to
a wired network and act as an access point.</para>
- </sect3>
-
- <sect3>
- <title>Filtering/Traffic Shaping Firewall</title>
-
- <indexterm>
- <primary>firewall</primary>
- </indexterm>
- <indexterm>
- <primary>NAT</primary>
- </indexterm>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Filtering/Traffic Shaping Firewall</term>
+ <listitem>
<para>A common situation is where firewall functionality is
needed without routing or Network Address Translation
(<acronym>NAT</acronym>).</para>
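Review bot: the `<indexterm>` entries for `firewall` and `NAT` are deleted along with the `<sect3>` wrapper, so the handbook index loses its pointers to this discussion of bridge-based filtering. `<indexterm>` is valid inside a `<listitem>`; suggest keeping both entries immediately before the "A common situation is where firewall functionality is needed..." paragraph.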
@@ -2923,30 +2910,33 @@ rfcomm_sppd[94692]: Starting on /dev/tty
into the path just downstream of the <acronym>DSL</acronym>
or <acronym>ISDN</acronym> router without any
<acronym>IP</acronym> numbering issues.</para>
- </sect3>
-
- <sect3>
- <title>Network Tap</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Network Tap</term>
+ <listitem>
<para>A bridge can join two network segments and be used to
inspect all Ethernet frames that pass between them using
&man.bpf.4; and &man.tcpdump.1; on the bridge interface or
by sending a copy of all frames out an additional interface
known as a span port.</para>
- </sect3>
-
- <sect3>
- <title>Layer 2 <acronym>VPN</acronym></title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Layer 2 <acronym>VPN</acronym></term>
+ <listitem>
<para>Two Ethernet networks can be joined across an
<acronym>IP</acronym> link by bridging the networks to an
EtherIP tunnel or a &man.tap.4; based solution such as
<application>OpenVPN</application>.</para>
- </sect3>
-
- <sect3>
- <title>Layer 2 Redundancy</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Layer 2 Redundancy</term>
+ <listitem>
<para>A network can be connected together with multiple links
and use the Spanning Tree Protocol <acronym>STP</acronym>
to block redundant paths. For an Ethernet network to
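Review bot: style point in the Layer 2 Redundancy entry: "the Spanning Tree Protocol <acronym>STP</acronym>" lacks the parentheses used for the expansion elsewhere in this list ("Network Address Translation (<acronym>NAT</acronym>)"); suggest `Spanning Tree Protocol (<acronym>STP</acronym>)`. The line is unchanged context, but since the entries are being reworked into a `<variablelist>` anyway this is the moment to make them consistent.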
@@ -2957,11 +2947,9 @@ rfcomm_sppd[94692]: Starting on /dev/tty
calculate a different tree and enable one of the blocked
paths to restore connectivity to all points in the
network.</para>
- </sect3>
- </sect2>
-
- <sect2>
- <title>Kernel Configuration</title>
+ </listitem>
+ </varlistentry>
+ </variablelist>
<para>This section covers the &man.if.bridge.4; implementation.
A netgraph bridging driver is also available, and is described
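Review bot: with the "Kernel Configuration" `<sect2>` heading removed, the paragraph beginning "This section covers the &man.if.bridge.4; implementation" now sits directly under `</variablelist>` in the parent section, and "This section" reads as the whole bridging chapter rather than the kernel-configuration material that follows. Suggest rewording, for example "The rest of this chapter covers the &man.if.bridge.4; implementation", or restoring a heading for the kernel setup steps. The matching `</sect2>` is removed in the following hunk, so the markup remains balanced.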
@@ -2979,7 +2967,6 @@ rfcomm_sppd[94692]: Starting on /dev/tty
<para>The bridge can be used as a traffic shaper with
&man.altq.4; or &man.dummynet.4;.</para>
- </sect2>
<sect2>
<title>Enabling the Bridge</title>
@@ -3034,15 +3021,8 @@ ifconfig_fxp1="up"</programlisting>
<para>It is also possible to assign an <acronym>IPv6</acronym>
address to a bridge interface.</para>
- </sect2>
-
- <sect2>
- <title>Firewalling</title>
-
- <indexterm>
- <primary>firewall</primary>
- </indexterm>
+ <note>
<para>When packet filtering is enabled, bridged packets will
pass through the filter inbound on the originating interface
on the bridge interface, and outbound on the appropriate
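Review bot: two points on converting the "Firewalling" subsection into a `<note>`. First, the `firewall` `<indexterm>` is dropped here as well, so neither the filtering entry in the list above nor this paragraph remains indexed; suggest keeping the indexterm in front of the `<note>`. Second, the paragraph states the normative filtering semantics for a bridged firewall (frames are filtered inbound on the originating member interface and outbound on the forwarding interface), which is exactly what an administrator needs in order to write correct rules; a `<note>` signals an aside, so a reader skimming for firewall configuration can miss it. Consider keeping this as a titled subsection, or at least as a plain `<para>`. The opening `<note>` is closed in the next hunk.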
@@ -3054,6 +3034,7 @@ ifconfig_fxp1="up"</programlisting>
non-<acronym>IP</acronym> and <acronym>IP</acronym> packets,
and layer2 firewalling with &man.ipfw.8;. See
&man.if.bridge.4; for more information.</para>
+ </note>
</sect2>
<sect2>
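Review bot: minor style point on the unchanged context line: "layer2 firewalling" should be "layer 2 firewalling" to match "Layer 2 <acronym>VPN</acronym>" and "Layer 2 Redundancy" used earlier in the chapter.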
@@ -3117,13 +3098,19 @@ bridge0: flags=8843<UP,BROADCAST,RUNN
<literal>400000</literal> from this bridge. The path to the
root bridge is via <literal>port 4</literal> which is
<filename>fxp0</filename>.</para>
+
+ <note>
+ <para>A private interface does not forward any traffic to any
+ other port that is also a private interface. The traffic is
+ blocked unconditionally so no Ethernet frames will be
+ forwarded, including <acronym>ARP</acronym>. If traffic
+ needs to be selectively blocked, a firewall should be used
+ instead.</para>
+ </note>
</sect2>
<sect2>
- <title>Advanced Bridging</title>
-
- <sect3>
- <title>Reconstruct Traffic Flows</title>
+ <title>Reconstructing Traffic Flows</title>
<para>The bridge supports monitor mode, where the packets are
discarded after &man.bpf.4; processing and are not
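Review bot: the private-interface `<note>` is inserted into the Spanning Tree discussion (root bridge, `port 4`, `fxp0`), but nothing in that section mentions marking an interface private, so the note appears without context, and with the "Private Interfaces" heading gone the behaviour is no longer discoverable from the table of contents. Suggest placing the note next to wherever the chapter shows how an interface is marked private, or keeping a short "Private Interfaces" `<sect2>` alongside "Span Ports" and "Sticky Interfaces" below. Since private ports block every frame including <acronym>ARP</acronym>, and the text rightly sends selective blocking to a firewall, this is a setting administrators look up deliberately rather than stumble across.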
@@ -3138,9 +3125,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN
<screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up</userinput>
&prompt.root; <userinput>tcpdump -i bridge0</userinput></screen>
- </sect3>
+ </sect2>
- <sect3>
+ <sect2>
<title>Span Ports</title>
<para>A copy of every Ethernet frame received by the bridge
@@ -3155,20 +3142,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN
<filename>fxp4</filename>:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 span fxp4</userinput></screen>
- </sect3>
-
- <sect3>
- <title>Private Interfaces</title>
-
- <para>A private interface does not forward any traffic to any
- other port that is also a private interface. The traffic is
- blocked unconditionally so no Ethernet frames will be
- forwarded, including <acronym>ARP</acronym>. If traffic
- needs to be selectively blocked, a firewall should be used
- instead.</para>
- </sect3>
+ </sect2>
- <sect3>
+ <sect2>
<title>Sticky Interfaces</title>
<para>If a bridge member interface is marked as sticky,
@@ -3209,9 +3185,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN
<para>The customers are completely isolated from each other
and the full <systemitem class="netmask">/24</systemitem>
address range can be allocated without subnetting.</para>
- </sect3>
+ </sect2>
- <sect3>
+ <sect2>
<title>Address Limits</title>
<para>The number of unique source <acronym>MAC</acronym>
@@ -3226,9 +3202,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNN
<literal>vlan100</literal> to 10:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 ifmaxaddr vlan100 10</userinput></screen>
- </sect3>
+ </sect2>
- <sect3>
+ <sect2>
<title><acronym>SNMP</acronym> Monitoring</title>
<para>The bridge interface and <acronym>STP</acronym>
@@ -3314,7 +3290,6 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesi
<screen>&prompt.user; <userinput>snmpset -v 2c -c private bridge1.example.com</userinput>
BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
- </sect3>
</sect2>
</sect1>
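Review bot: unrelated to the closing-tag change but visible in the context lines: the `snmpset` example writes to the bridge MIB with `-v 2c -c private`, i.e. the well-known default write community over SNMPv2c. Readers copy handbook examples, so suggest substituting an obvious placeholder for the community string (as the sample hostname `bridge1.example.com` already does) so the example does not reinforce leaving the default write community in place.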