Manual:Interface/Bridge: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
No edit summary
Line 18: Line 18:
==Bridge Interface Setup==
==Bridge Interface Setup==
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code></p>
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge</code></p>
<br />
<p>To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces (the smallest MAC address will be chosen automatically).</p>
<p>To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces (the smallest MAC address will be chosen automatically).</p>



Revision as of 10:54, 30 April 2010

Applies to RouterOS: v3, v4+

Summary

Sub-menu: /interface bridge
Standards: IEEE802.1D


Ethernet-like networks (Ethernet, Ethernet over IP, IEEE802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).

Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allows bridges to communicate with each other, so they can negotiate a loop free topology. All other alternative connections that would otherwise form loops, are put to standby, so that should the main connection fail, another connection could take its place. This algorithm exchange configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges would be updated with the newest information about changes in network topology. (R)STP selects root bridge which is responosible for network reconfiguration, such as blocking and opening ports of the other bridges. The root bridge is the bridge with lowest bridge ID.

Bridge Interface Setup

Sub-menu: /interface bridge


To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces (the smallest MAC address will be chosen automatically).

Properties

Property Description
admin-mac (MAC address; Default: ) Static MAC address of the bridge (takes effect if auto-mac=no)
ageing-time (time; Default: 00:05:00) How long a host information will be kept in the bridge database
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled) Address Resolution Protocol setting
auto-mac (yes | no; Default: yes) Automatically select the smallest MAC address of bridge ports as a bridge MAC address
forward-delay (time; Default: 00:00:15) Time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally
l2mtu (integer; read-only) Layer2 Maximum transmission unit. read more»
max-message-age (time; Default: 00:00:20) How long to remember Hello messages received from other bridges
mtu (integer; Default: 1500) Maximum Transmission Unit
name (text; Default: bridgeN) Name of the bridge interface
priority (integer: 0..65535; Default: 32768) Bridge interface priority. The priority argument is used by Spanning Tree Protocol to determine, which port remains enabled if at least two ports form a loop
protocol-mode (none | rstp | stp; Default: none) Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides provides for faster spanning tree convergence after a topology change.
transmit-hold-count (integer: 1..10; Default: 6) The Transmit Hold Count used by the Port Transmit state machine to limit transmission rate

(Rapid) Spanning Tree Protocol

(R)STP eliminate the possibility for the same MAC addresses to be seen on multiple bridge ports by disabling secondary ports to that MAC address.

  • First root bridge is elected based on smallest bridge ID
  • Then breadth-first search algorithm is used taking root bridge as starting point
    • If algorithm reaches the MAC address for the first time – it leaves the link active
    • If algorithm reaches the MAC address for the second time – it disables the link

File:Rstptopology.png

Example

To add and enable a bridge interface that will forward all the protocols:

[admin@MikroTik] /interface bridge> add 
[admin@MikroTik] /interface bridge> print 
Flags: X - disabled, R - running 
 0  R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled 
      mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 
[admin@MikroTik] /interface bridge>

Bridge Settings

Sub-menu: /interface bridge settings


Property Description
use-ip-firewall (yes | no; Default: no) Makes bridged traffic to be processed through IP firewall
use-ip-firewall-for-pppoe (yes | no; Default: no) Makes bridged unencrypted PPPoE traffic to be processed through IP firewall (requires use-ip-firewall=yes to work)
use-ip-firewall-for-vlan (yes | no; Default: no) Makes bridged VLAN traffic to be processed through IP firewall (requires use-ip-firewall=yes to work)

Port Settings

Sub-menu: /interface bridge port

Port submenu is used to enslave interfaces in a particular bridge interface.

Property Description
bridge (name; Default: none) The bridge interface the respective interface is grouped in
edge (auto | no | no-discover | yes | yes-discover; Default: auto) Set port as edge port or non-edge port, or enable automatic detection
external-fdb (auto | no | yes; Default: auto) Whether to use wireless registration table to speed up bridge host learning
horizon (none | integer 0..429496729; Default: none) Use split horizon bridging to prevent bridging loops. read more»
interface (name; Default: none) Name of the interface
path-cost (integer: 0..65535; Default: 10) Path cost to the interface, used by STP to determine the "best" path
point-to-point (auto | no | yes; Default: auto) This feature can be turned on for point to point interface to increase STP/RSTP performance
priority (integer: 0..255; Default: 128) The priority of the interface in comparison with other going to the same subnet

Example

To group ether1 and ether2 in the already created bridge1 bridge

[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether1
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether2
[admin@MikroTik] /interface bridge port> print 
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE              BRIDGE              PRIORITY PATH-COST  HORIZON   
 0    ether1                 bridge1             0x80     10         none      
 1    ether2                 bridge1             0x80     10         none      
[admin@MikroTik] /interface bridge port> 

Bridge Monitoring

Sub-menu: /interface bridge monitor

Used to monitor the current status of a bridge.

Property Description
current-mac-address (MAC address) Current MAC address of the bridge
designated-port-count (integer) Number of designated bridge ports
port-count (integer) Number of the bridge ports
root-bridge (yes | no) Shows whether bridge is the root bridge of the spanning tree
root-bridge-id (text) The root bridge ID, which is in form of bridge-priority.bridge-MAC-address
root-path-cost (integer) The total cost of the path to the root-bridge
root-port (name) Port to which the root bridge is connected to
state (enabled | disabled) State of the bridge

Example

To monitor a bridge:

[admin@MikroTik] /interface bridge> monitor bridge1 
                  state: enabled
    current-mac-address: 00:0C:42:52:2E:CE
            root-bridge: yes
         root-bridge-id: 0x8000.00:00:00:00:00:00
         root-path-cost: 0
              root-port: none
             port-count: 2
  designated-port-count: 0

[admin@MikroTik] /interface bridge>

Bridge Port Monitoring

Sub-menu: /interface bridge port monitor

Statistics of an interface that belongs to a bridge.

Property Description
edge-port (yes | no) Whether port is an edge-port of the spanning tree
edge-port-discovery (yes | no) Whether port to automatically detects edge ports
external-fdb (yes | no) Shows whether registration table is used instead of forwarding data base
forwarding (yes | no) Port state
learning (yes | no) Port state
point-to-point-port (yes | no) Indicates whether this port is connected only to one network device (WDS, wireless in bridge mode)
port-number (integer 1..4095) Port identifier
role (designated | root port | alternate | backup | disabled)

(R)STP algorithm assigned role of the port:

  • Disabled port - for looped ports
  • Root port – a path to the root bridge
  • Alternative port – backup root port (only in RSTP)
  • Designated port – forwarding port
  • Backup port – backup designated port (only in RSTP)
sending-rstp (yes | no) Whether the port is sending BPDU messages
status (in-bridge | inactive) Port status

Example

To monitor a bridge port:

[admin@MikroTik] /interface bridge port> monitor 0     
               status: in-bridge
          port-number: 1
                 role: designated-port
            edge-port: no
  edge-port-discovery: yes
  point-to-point-port: no
         external-fdb: no
         sending-rstp: no
             learning: yes
           forwarding: yes

[admin@MikroTik] /interface bridge port>

Bridge Host Monitoring

Sub-menu: /interface bridge host

Property Description
age (read-only: time) The time since the last packet was received from the host
bridge (read-only: name) The bridge the entry belongs to
external-fdb (read-only: flag) Whether the host was learned using wireless registration table
local (read-only: flag) Whether the host entry is of the bridge itself (that way all local interfaces are shown)
mac-address (read-only: MAC address) Host's MAC address
on-interface (read-only: name) Which of the bridged interfaces the host is connected to

Example

To get the active host table:

[admin@MikroTik] /interface bridge host> print 
Flags: L - local, E - external-fdb 
  BRIDGE           MAC-ADDRESS       ON-INTERFACE          AGE                 
  bridge1          00:00:00:00:00:01 ether2                3s                  
  bridge1          00:01:29:FF:1D:CC ether2                0s                  
L bridge1          00:0C:42:52:2E:CF ether2                0s                  
  bridge1          00:0C:42:52:2E:D0 ether2                3s                  
  bridge1          00:0C:42:5C:A5:AE ether2                0s                  
[admin@MikroTik] /interface bridge host>

Bridge Firewall

Sub-menu: /interface bridge filter, /interface bridge nat

The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through bridge.

Packet flow diagram shows how packets are processed through router. It is possible to force bridge traffic to go through /ip firewall filter rules (see: Bridge Settings)

There are two bridge firewall tables:

  • filter - bridge firewall with three predefined chains:
    • input - filters packets, which destination is the bridge (including those packets that will be routed, as they are anyway destined to the bridge MAC address)
    • output - filters packets, which come from the bridge (including those packets that has been routed normally)
    • forward - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)
  • nat - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains:
    • srcnat - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface
    • dstnat - used for redirecting some pakets to another destinations

You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall put by mangle. So packet marks put by bridge firewall can be used in IP firewall, and vice versa.

General bridge firewall properties are described in this section. Some parameters that differ between nat and filter rules are described in further sections.

Properties

Property Description
802.3-sap (integer) DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match an SAP byte
802.3-type (integer) Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by SAP code of 0xAA followed by a SNAP type code of 0x809B
arp-dst-address (IP address; default: ) ARP destination address
arp-dst-mac-address (MAC address; default: ) ARP destination MAC address
arp-gratuitous (yes | no | auto; default: auto) Matches ARP gratuitous packets
arp-hardware-type (integer; default: 1) ARP hardware type. This normally Ethernet (Type 1)
arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-reply | inarp-request | reply | reply-reverse | request | request-reverse)

ARP opcode (packet type)

  • arp-nak - negative ARP reply (rarely used, mostly in ATM networks)
  • drarp-error - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated
  • drarp-reply - Dynamic RARP reply, with a temporaty IP address assignment for a host
  • drarp-request - Dynamic RARP request to assign a temporary IP address for the given MAC address
  • inarp-reply -
  • inarp-request -
  • reply - standard ARP reply with a MAC address
  • reply-reverse - reverse ARP (RARP) reply with an IP address assigned
  • request - standard ARP request to a known IP address to find out unknown MAC address
  • request-reverse - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service)
arp-src-address (IP address; default: ) ARP source address
arp-src-mac-address (MAC address; default: ) ARP source MAC address
chain (text) Bridge firewall chain, which the filter is functioning in (either a built-in one, or a user defined)
dst-address (IP address; default: ) Destination IP address (only if MAC protocol is set to IPv4)
dst-mac-address (MAC address; default: ) Destination MAC address
dst-port (integer 0..65535) Destination port number or range (only for TCP or UDP protocols)
in-bridge (name) Bridge interface through which the packet is coming in
in-interface (name) Physical interface (i.e., bridge port) through which the packet is coming in
ingress-priority (integer 0..63) Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. read more»
ip-protocol (ddp | ggp | icmp | igmp | ipsec-ah | ospf | rdp | tcp | vrrp | egp | gre | icmpv6 | ipencap | ipsec-esp | pim | rspf | udp | xns-idp | encap | hmp | idpr-cmtp | ipip | iso-tp4 | pup | st | vmtp | xtp)

IP protocol (only if MAC protocol is set to IPv4)

  • ipsec-ah - IPsec AH protocol
  • ipsec-esp - IPsec ESP protocol
  • ddp - datagram delivery protocol
  • egp - exterior gateway protocol
  • ggp - gateway-gateway protocol
  • gre - general routing encapsulation
  • hmp - host monitoring protocol
  • idpr-cmtp - idpr control message transport
  • icmp - internet control message protocol
  • icmpv6 -
  • igmp - internet group management protocol
  • ipencap - ip encapsulated in ip
  • encap - ip encapsulation
  • ipip - ip encapsulation
  • iso-tp4 - iso transport protocol class 4
  • ospf - open shortest path first
  • pim - protocol independent multicast
  • pup - parc universal packet protocol
  • rspf - radio shortest path first
  • rdp - reliable datagram protocol
  • st - st datagram mode
  • tcp - transmission control protocol
  • udp - user datagram protocol
  • vmtp - versatile message transport
  • vrrp -
  • xns-idp - xerox ns idp
  • xtp – xpress transfer protocol
jump-target (name) If action=jump specified, then specifies the user-defined firewall chain to process the packet
limit (integer/time,integer)

Restricts packet match rate to a given limit. Usefull to reduce the amount of log messages

  • count - maximum average packet rate, measured in packets per second (pps), unless followed by Time option
  • time - specifies the time interval over which the packet rate is measured
  • burst - number of packets to match in a burst
log-prefix (text) Defines the prefix to be printed before the logging information
mac-protocol (arp | ip | ipv6 | ipx | length | pppoe | pppoe-discovery | rarp | vlan) Ethernet payload type (MAC-level protocol)
out-bridge (name) Outgoing bridge interface
out-interface (name) Interface via packet is leaving the bridge
packet-mark (name) Match packets with certain packet mark
packet-type (broadcast | host | multicast | other-host)

MAC frame type:

  • broadcast - broadcast MAC packet
  • host - packet is destined to the bridge itself
  • multicast - multicast MAC packet
  • other-host - packet is destined to some other unicast address, not to the bridge itself
src-address (IP address; default: ) Source IP address (only if MAC protocol is set to IPv4)
src-mac-address (MAC address; default: ) Source MAC address
src-port (integer 0..65535) Source port number or range (only for TCP or UDP protocols)
stp-flags (topology-change | topology-change-ack)

The BPDU (Bridge Protocol Data Unit) flags. Bridge exchange configuration messages named BPDU peridiocally for preventing from loop

  • topology-change - topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology
  • topology-change-ack - topology change acknowledgement flag is sen in replies to the notification packets
stp-forward-delay (time 0..65535) Forward delay timer
stp-hello-time (time 0..65535) STP hello packets time
stp-max-age (time 0..65535) Maximal STP message age
stp-msg-age (time 0..65535) STP message age
stp-port (integer 0..65535) STP port identifier
stp-root-address (MAC address) Root bridge MAC address
stp-root-cost (integer 0..65535) Root bridge cost
stp-root-priority (integer 0..65535) Root bridge priority
stp-sender-address (MAC address) STP message sender MAC address
stp-sender-priority (integer 0..65535) STP sender priority
stp-type (config | tcn)

The BPDU type:

  • config - configuration BPDU
  • tcn - topology change notification
vlan-encap (arp | ip | ipv6 | ipx | length | pppoe | pppoe-discovery | rarp | vlan ) the MAC protocol type encapsulated in the VLAN frame
vlan-id (integer 0..4095) VLAN identifier field
vlan-priority (integer 0..7) The user priority field

Notes

  • STP matchers are only valid if destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address), also stp should be enabled.
  • ARP matchers are only valid if mac-protocol is arp or rarp
  • VLAN matchers are only valid for vlan ethernet protocol
  • IP-related matchers are only valid if mac-protocol is set as ipv4
  • 802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards (note: it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets.

Bridge Packet Filter

Sub-menu: /interface bridge filter

This section describes bridge packet filter specific filtering options, which were omitted in the general firewall description.

Properties

Property Description
action (accept | drop | jump | log | mark-packet | passthrough | return | set-priority)
  • accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain
  • drop - silently drop the packet (without sending the ICMP reject message)
  • jump - jump to the chain specified by the value of the jump-target argument
  • log - log the packet
  • mark - mark the packet to use the mark later
  • passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets
  • return - return to the previous chain, from where the jump took place
  • set-priority

Bridge NAT

Sub-menu: /interface bridge nat

This section describes bridge NAT options, which were omitted in the general firewall description.

Properties

Property Description
action (accept | drop | jump | mark-packet | redirect | set-priority | arp-reply | dst-nat | log | passthrough | return | src-nat)
  • accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain
  • arp-reply - send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain)
  • drop - silently drop the packet (without sending the ICMP reject message)
  • dst-nat - change destination MAC address of a packet (only valid in dstnat chain)
  • jump - jump to the chain specified by the value of the jump-target argument
  • log - log the packet
  • mark - mark the packet to use the mark later
  • passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets
  • redirect - redirect the packet to the bridge itself (only valid in dstnat chain)
  • return - return to the previous chain, from where the jump took place
  • set-priority
  • src-nat - change source MAC address of a packet (only valid in srcnat chain)
to-arp-reply-mac-address (MAC address) Source MAC address to put in Ethernet frame and ARP payload, when action=arp-reply is selected
to-dst-mac-address (MAC address) Destination MAC address to put in Ethernet frames, when action=dst-nat is selected
to-src-mac-address (MAC address) Source MAC address to put in Ethernet frames, when action=src-nat is selected

[ Top | Back to Content ]