Manual:Interface/Bridge: Difference between revisions
(One intermediate revision by the same user not shown) | |||
Line 13: | Line 13: | ||
<p> | <p> | ||
Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allows bridges to communicate with each other, so they can negotiate a loop free topology. All other alternative connections that would otherwise form loops, are put to standby, so that should the main connection fail, another connection could take its place. This algorithm | Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allows bridges to communicate with each other, so they can negotiate a loop free topology. All other alternative connections that would otherwise form loops, are put to standby, so that should the main connection fail, another connection could take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. (R)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID. | ||
</p> | </p> | ||
Line 34: | Line 34: | ||
<tr> | <tr> | ||
<td><var><b>ageing-time</b></var> (<em>time</em>; Default:<b> 00:05:00</b>)</td> | <td><var><b>ageing-time</b></var> (<em>time</em>; Default:<b> 00:05:00</b>)</td> | ||
<td>How long a host information will be kept in the bridge database</td> | <td>How long a host's information will be kept in the bridge database</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>arp</b></var> (<em>disabled | enabled | proxy-arp | reply-only</em>; Default:<b> enabled</b>)</td> | <td><var><b>arp</b></var> (<em>disabled | enabled | proxy-arp | reply-only</em>; Default:<b> enabled</b>)</td> | ||
<td>Address Resolution Protocol setting</td> | <td>Address Resolution Protocol setting <ul class="bullets"> | ||
<li> <var>disabled</var> - the interface will not use ARP | |||
<li> <var>enabled</var> - the interface will use ARP | |||
<li> <var>proxy-arp</var> - the interface will use the ARP proxy feature | |||
<li> <var>reply-only</var> - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the "/ip arp" table. No dynamic entries will be automatically stored in the "/ip arp" table. Therefore for communications to be successful, a valid static entry must already exist. | |||
</ul></td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 65: | Line 70: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>priority</b></var> (<em>integer: 0..65535</em>; Default:<b> 32768</b>)</td> | <td><var><b>priority</b></var> (<em>integer: 0..65535 decimal format or 0x0000-0xffff hex format</em>; Default:<b> 32768 / 0x8000</b>)</td> | ||
<td> | <td> | ||
Line 72: | Line 77: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>protocol-mode</b></var> (<em>none | rstp | stp</em>; Default:<b> | <td><var><b>protocol-mode</b></var> (<em>none | rstp | stp</em>; Default:<b> rstp</b>)</td> | ||
<td>Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP | <td>Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides for faster spanning tree convergence after a topology change.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 123: | Line 128: | ||
|type=yes {{!}} no | |type=yes {{!}} no | ||
|default=no | |default=no | ||
|desc= | |desc=Send bridged traffic to also be processed by 'IP firewall' | ||
}} | }} | ||
Line 130: | Line 135: | ||
|type=yes {{!}} no | |type=yes {{!}} no | ||
|default=no | |default=no | ||
|desc= | |desc=Send bridged un-encrypted PPPoE traffic to also be processed by 'IP firewall' (requires <var>use-ip-firewall=yes</var> to work) | ||
}} | }} | ||
Line 137: | Line 142: | ||
|type=yes {{!}} no | |type=yes {{!}} no | ||
|default=no | |default=no | ||
|desc= | |desc=Send bridged VLAN traffic to also be processed by 'IP firewall' (requires <var>use-ip-firewall=yes</var> to work) | ||
}} | }} | ||
Line 156: | Line 161: | ||
<tr> | <tr> | ||
<td><var><b>edge</b></var> (<em>auto | no | no-discover | yes | yes-discover</em>; Default:<b> auto</b>)</td> | <td><var><b>edge</b></var> (<em>auto | no | no-discover | yes | yes-discover</em>; Default:<b> auto</b>)</td> | ||
<td>Set port as edge port or non-edge port, or enable automatic detection. Edge ports are connected to LAN that has no other bridges attached. If the port is configured to discover edge port then as soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port.</td> | <td>Set port as edge port or non-edge port, or enable automatic detection. Edge ports are connected to a LAN that has no other bridges attached. If the port is configured to discover edge port then as soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 173: | Line 178: | ||
<td><var><b>path-cost</b></var> (<em>integer: 0..65535</em>; Default:<b> 10</b>)</td> | <td><var><b>path-cost</b></var> (<em>integer: 0..65535</em>; Default:<b> 10</b>)</td> | ||
<td>Path cost to the interface, used by STP to determine the "best" path</td> | <td>Path cost to the interface, used by STP to determine the "best" path</td> | ||
</tr> | |||
<tr> | |||
<td><var><b>point-to-point</b></var> (<em>auto | yes | no</em>; Default:<b> auto</b>)</td> | |||
<td></td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
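Review bot: the new `point-to-point` row inserted after `path-cost` has an empty description cell (`<td></td>`) while every other row in this table documents its property; say what the value controls (whether the port is treated as a point-to-point link for RSTP rapid transitions, with `auto` detecting it from the link and `yes`/`no` forcing it), since the port monitoring table later reports `point-to-point-port` and readers will look here for its meaning.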
Line 266: | Line 275: | ||
<th width="40%">Property</th> | <th width="40%">Property</th> | ||
<th >Description</th> | <th >Description</th> | ||
</tr> | |||
<tr> | |||
<td><var><b>edge-port</b></var> (<em>yes | no</em>)</td> | |||
<td>Whether port is an edge port or not</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>edge-port-discovery</b></var> (<em>yes | no</em>)</td> | <td><var><b>edge-port-discovery</b></var> (<em>yes | no</em>)</td> | ||
<td>Whether port to automatically | <td>Whether port is set to automatically detect edge ports</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 286: | Line 299: | ||
<td><var><b>port-number</b></var> (<em>integer 1..4095</em>)</td> | <td><var><b>port-number</b></var> (<em>integer 1..4095</em>)</td> | ||
<td>Port identifier</td> | <td>Port identifier</td> | ||
</tr> | |||
<tr> | |||
<td><var><b>point-to-point-port</b></var> (<em>yes | no</em>)</td> | |||
<td></td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
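Review bot: `point-to-point-port` is added to the monitoring table with an empty description; state what the flag reports (whether the port currently operates as a point-to-point link, i.e. the detected or forced result of the port's `point-to-point` setting) so the row is as useful as the `edge-port` and `edge-port-discovery` rows added in the same revision.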
Line 390: | Line 407: | ||
*'''filter''' - bridge firewall with three predefined chains: | *'''filter''' - bridge firewall with three predefined chains: | ||
**'''input''' - filters packets, | **'''input''' - filters packets, where the destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway) | ||
**'''output''' - filters packets, which come from the bridge (including those packets that has been routed normally) | **'''output''' - filters packets, which come from the bridge (including those packets that has been routed normally) | ||
**'''forward''' - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge) | **'''forward''' - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge) | ||
*'''nat''' - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains: | *'''nat''' - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains: | ||
**'''srcnat''' - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface | **'''srcnat''' - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface | ||
**'''dstnat''' - used for redirecting some | **'''dstnat''' - used for redirecting some packets to other destinations | ||
</p> | </p> | ||
<p> | <p> | ||
You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall put by mangle. | You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall put by <code>'/ip firewall mangle'</code>. In this way, packet marks put by bridge firewall can be used in 'IP firewall', and vice versa. | ||
</p> | </p> | ||
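Review bot: in the unchanged `output` bullet, `those packets that has been routed normally` should read `those packets that have been routed normally`; since this hunk already edits the neighbouring `input` and `dstnat` bullets, fix it here rather than in another revision.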
Line 415: | Line 432: | ||
<tr> | <tr> | ||
<td><var><b>802.3-sap</b></var> (<em>integer</em>)</td> | <td><var><b>802.3-sap</b></var> (<em>integer</em>)</td> | ||
<td>DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match | <td>DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match a SAP byte</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 435: | Line 452: | ||
<tr> | <tr> | ||
<td><var><b>arp-hardware-type</b></var> (<em>integer; default: 1</em>)</td> | <td><var><b>arp-hardware-type</b></var> (<em>integer; default: 1</em>)</td> | ||
<td>ARP hardware type. This normally Ethernet (Type 1)</td> | <td>ARP hardware type. This is normally Ethernet (Type 1)</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 445: | Line 462: | ||
*'''drarp-reply''' - Dynamic RARP reply, with a temporaty IP address assignment for a host | *'''drarp-reply''' - Dynamic RARP reply, with a temporaty IP address assignment for a host | ||
*'''drarp-request''' - Dynamic RARP request to assign a temporary IP address for the given MAC address | *'''drarp-request''' - Dynamic RARP request to assign a temporary IP address for the given MAC address | ||
*'''inarp-reply''' - | *'''inarp-reply''' - InverseARP Reply | ||
*'''inarp-request''' - | *'''inarp-request''' - InverseARP Request | ||
*'''reply''' - standard ARP reply with a MAC address | *'''reply''' - standard ARP reply with a MAC address | ||
*'''reply-reverse''' - reverse ARP (RARP) reply with an IP address assigned | *'''reply-reverse''' - reverse ARP (RARP) reply with an IP address assigned | ||
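Review bot: `temporaty` on the unchanged `drarp-reply` line should be `temporary`; the `drarp-request` line directly below spells it correctly, and this hunk is already touching the adjacent `inarp-reply`/`inarp-request` entries.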
Line 452: | Line 469: | ||
*'''request-reverse''' - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service) | *'''request-reverse''' - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service) | ||
</td> | </td> | ||
</tr> | |||
<tr> | |||
<td><var><b>arp-packet-type</b></var> (<em>integer: 0..65535 decimal format or 0x0000-0xffff hex format</em>)</td> | |||
<td>ARP Packet Type</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 490: | Line 511: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>ip-protocol</b></var> (<em>ddp | | <td><var><b>ip-protocol</b></var> (<em>ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | st | tcp | udp | vmtp | vrrp | xns-idp | xtp</em>)</td> | ||
<td> | <td> | ||
IP protocol (only if MAC protocol is set to IPv4) | IP protocol (only if MAC protocol is set to IPv4) | ||
*'''ddp''' - datagram delivery protocol | *'''ddp''' - datagram delivery protocol | ||
*'''egp''' - exterior gateway protocol | *'''egp''' - exterior gateway protocol | ||
*'''encap''' - ip encapsulation | |||
*'''etherip''' - | |||
*'''ggp''' - gateway-gateway protocol | *'''ggp''' - gateway-gateway protocol | ||
*'''gre''' - general routing encapsulation | *'''gre''' - general routing encapsulation | ||
*'''hmp''' - host monitoring protocol | *'''hmp''' - host monitoring protocol | ||
*'''icmp''' - IPv4 internet control message protocol | |||
*'''icmpv6''' - IPv6 internet control message protocol | |||
*'''idpr-cmtp''' - idpr control message transport | *'''idpr-cmtp''' - idpr control message transport | ||
*'''igmp''' - internet group management protocol | *'''igmp''' - internet group management protocol | ||
*'''ipencap''' - ip encapsulated in ip | *'''ipencap''' - ip encapsulated in ip | ||
*'''ipip''' - ip encapsulation | *'''ipip''' - ip encapsulation | ||
*'''ipsec-ah''' - IPsec AH protocol | |||
*'''ipsec-esp''' - IPsec ESP protocol | |||
*'''ipv6''' - | |||
*'''ipv6-frag''' - | |||
*'''ipv6-nonxt''' - | |||
*'''ipv6-opts''' - | |||
*'''ipv6-route''' - | |||
*'''iso-tp4''' - iso transport protocol class 4 | *'''iso-tp4''' - iso transport protocol class 4 | ||
*'''l2tp''' - | |||
*'''ospf''' - open shortest path first | *'''ospf''' - open shortest path first | ||
*'''pim''' - protocol independent multicast | *'''pim''' - protocol independent multicast | ||
*'''pup''' - parc universal packet protocol | *'''pup''' - parc universal packet protocol | ||
*'''rspf''' - radio shortest path first | *'''rspf''' - radio shortest path first | ||
*'''rsvp''' - | |||
*'''rdp''' - reliable datagram protocol | *'''rdp''' - reliable datagram protocol | ||
*'''st''' - st datagram mode | *'''st''' - st datagram mode | ||
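Review bot: several of the `ip-protocol` values added in this hunk have no description (`etherip`, `ipv6`, `ipv6-frag`, `ipv6-nonxt`, `ipv6-opts`, `ipv6-route`, `l2tp`, `rsvp`), and the new `encap` bullet reuses the existing `ipip` text `ip encapsulation`, so the two cannot be told apart. Either give each a one-line meaning (the `ipv6-*` values are the IPv6 extension headers: fragment, no next header, destination options, routing header) or leave the bullets out until they can be filled.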
Line 517: | Line 546: | ||
*'''udp''' - user datagram protocol | *'''udp''' - user datagram protocol | ||
*'''vmtp''' - versatile message transport | *'''vmtp''' - versatile message transport | ||
*'''vrrp''' - | *'''vrrp''' - Virtual Router Redundancy Protocol | ||
*'''xns-idp''' - xerox ns idp | *'''xns-idp''' - xerox ns idp | ||
*'''xtp''' – xpress transfer protocol | *'''xtp''' – xpress transfer protocol | ||
Line 540: | Line 569: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>mac-protocol</b></var> (<em>arp | ip | ipv6 | ipx | length | pppoe | pppoe-discovery | rarp | vlan</em>)</td> | <td><var><b>mac-protocol</b></var> (<em>802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format</em>)</td> | ||
<td>Ethernet payload type (MAC-level protocol)</td> | <td>Ethernet payload type (MAC-level protocol) | ||
*'''802.2''' | |||
*'''arp''' - Type 0x0806 - ARP | |||
*'''ip''' - Type 0x0800 - IPv4 | |||
*'''ipv6''' - Type 0x86dd - IPv6 | |||
*'''ipx''' - Type 0x8137 - "Internetwork Packet Exchange" | |||
*'''length''' | |||
*'''mpls-multicast''' - Type 0x8848 - MPLS Multicast | |||
*'''mpls-unicast''' - Type 0x8847 - MPLS Unicast | |||
*'''ppoe''' - Type 0x8864 - PPPoE Session | |||
*'''ppoe-discovery''' - Type 0x8863 - PPPoE Discovery | |||
*'''rarp''' - Type 0x8035 - Reverse ARP | |||
*'''vlan''' - Type 0x8100 - 802.1Q tagged VLAN | |||
</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
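Review bot: the new bullets `ppoe` and `ppoe-discovery` are misspelled; the value list on the same row and the `vlan-encap` row spell them `pppoe` and `pppoe-discovery`, and a reader copying the bullet into a rule would get a rejected value. The `802.2` and `length` bullets also carry no description while every other entry gives its EtherType; add at least that they select IEEE 802.2 LLC frames and length-field (802.3) frames respectively.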
Line 549: | Line 591: | ||
<tr> | <tr> | ||
<td><var><b>out-interface</b></var> (<em>name</em>)</td> | <td><var><b>out-interface</b></var> (<em>name</em>)</td> | ||
<td>Interface | <td>Interface that the packet is leaving the bridge through</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 580: | Line 622: | ||
<td><var><b>stp-flags</b></var> (<em>topology-change | topology-change-ack</em>)</td> | <td><var><b>stp-flags</b></var> (<em>topology-change | topology-change-ack</em>)</td> | ||
<td> | <td> | ||
The BPDU (Bridge Protocol Data Unit) flags. Bridge exchange configuration messages named BPDU | The BPDU (Bridge Protocol Data Unit) flags. Bridge exchange configuration messages named BPDU periodically for preventing loops | ||
*'''topology-change''' - topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology | *'''topology-change''' - topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology | ||
*'''topology-change-ack''' - topology change acknowledgement flag is sen in replies to the notification packets | *'''topology-change-ack''' - topology change acknowledgement flag is sen in replies to the notification packets | ||
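Review bot: `sen` on the `topology-change-ack` line should be `sent`, and the rewritten sentence `Bridge exchange configuration messages named BPDU periodically for preventing loops` should read `Bridges exchange configuration messages (BPDUs) periodically to prevent loops`.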
Line 634: | Line 676: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>vlan-encap</b></var> (<em>arp | ip | ipv6 | ipx | length | pppoe | pppoe-discovery | rarp | vlan </em>)</td> | <td><var><b>vlan-encap</b></var> (<em>802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format</em>)</td> | ||
<td>the MAC protocol type encapsulated in the VLAN frame</td> | <td>the MAC protocol type encapsulated in the VLAN frame</td> | ||
</tr> | </tr> | ||
Line 651: | Line 693: | ||
*STP matchers are only valid if destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address), also <code>stp</code> should be enabled. | *STP matchers are only valid if destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address), also <code>stp</code> should be enabled. | ||
*ARP matchers are only valid if < | *ARP matchers are only valid if <var>mac-protocol</var> is <code>arp</code> or <code>rarp</code> | ||
*VLAN matchers are only valid for <code>vlan</code> ethernet protocol | *VLAN matchers are only valid for <code>vlan</code> ethernet protocol | ||
*IP-related matchers are only valid if < | *IP-related matchers are only valid if <var>mac-protocol</var> is set as <code>ipv4</code> | ||
*802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards ('''note''': it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets. | *802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards ('''note''': it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets. | ||
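Review bot: the rewritten IP-matchers bullet says `mac-protocol` must be set as `ipv4`, but the `mac-protocol` property accepts `ip` (Type 0x0800), not `ipv4`; use `ip` so the condition can be copied straight into a rule. The ARP bullet in the same hunk correctly uses the listed values `arp` and `rarp`.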
Line 662: | Line 704: | ||
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter</code></p> | <p id="shbox"><b>Sub-menu:</b> <code>/interface bridge filter</code></p> | ||
<br /> | <br /> | ||
<p>This section describes bridge packet filter specific filtering options, | <p>This section describes bridge packet filter specific filtering options, that are specific to <code>'/interface bridge filter'</code>.</p> | ||
<h3>Properties</h3> | <h3>Properties</h3> | ||
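Review bot: the new sentence `bridge packet filter specific filtering options, that are specific to '/interface bridge filter'` says "specific" twice; `This section describes the filtering options that are specific to '/interface bridge filter'.` reads cleanly, and the same wording is repeated in the `/interface bridge nat` hunk below, which should be fixed the same way.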
Line 681: | Line 723: | ||
*'''passthrough''' - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets | *'''passthrough''' - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets | ||
*'''return''' - return to the previous chain, from where the jump took place | *'''return''' - return to the previous chain, from where the jump took place | ||
*'''set-priority''' | *'''set-priority''' - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]] | ||
</td> | </td> | ||
</tr> | </tr> | ||
Line 689: | Line 731: | ||
<p id="shbox"><b>Sub-menu:</b> <code>/interface bridge nat</code></p> | <p id="shbox"><b>Sub-menu:</b> <code>/interface bridge nat</code></p> | ||
<br /> | <br /> | ||
<p>This section describes bridge NAT options, | <p>This section describes bridge NAT options, that are specific to <code>'/interface bridge nat'</code>.</p> | ||
<h3>Properties</h3> | <h3>Properties</h3> | ||
Line 711: | Line 753: | ||
*'''redirect''' - redirect the packet to the bridge itself (only valid in dstnat chain) | *'''redirect''' - redirect the packet to the bridge itself (only valid in dstnat chain) | ||
*'''return''' - return to the previous chain, from where the jump took place | *'''return''' - return to the previous chain, from where the jump took place | ||
*'''set-priority''' | *'''set-priority''' - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). [[WMM#How_to_set_priority | Read more>]] | ||
*'''src-nat''' - change source MAC address of a packet (only valid in srcnat chain) | *'''src-nat''' - change source MAC address of a packet (only valid in srcnat chain) | ||
</td> | </td> |
Revision as of 07:14, 17 July 2014
Summary
Sub-menu: /interface bridge
Standards: IEEE802.1D
Ethernet-like networks (Ethernet, Ethernet over IP, IEEE802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows hosts connected to separate LANs to communicate as if they were attached to a single LAN (using EoIP, geographically distributed networks can be bridged as well, provided some kind of IP interconnection exists between them). Because bridges are transparent, they do not appear in a traceroute, and no utility can distinguish a host in one LAN from a host in another LAN once those LANs are bridged (depending on how the LANs are interconnected, latency and data rate between hosts may vary).
Network loops may emerge (intentionally or not) in complex topologies. Without special treatment, a loop prevents the network from functioning, because frames multiply avalanche-like as they circulate. Each bridge therefore runs an algorithm that works out how the loop can be prevented: STP and RSTP let bridges communicate with each other and negotiate a loop-free topology. All alternative connections that would otherwise form loops are put on standby, so that if the main connection fails, another connection can take its place. The algorithm exchanges configuration messages (BPDUs, Bridge Protocol Data Units) periodically, so that all bridges are updated with the newest information about changes in the network topology. (R)STP elects a root bridge, which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID. Note that this election trusts every BPDU the bridge receives: any device that can inject BPDUs into the bridged LAN with a lower bridge ID becomes root and can reshape the topology, so choose the bridge priority deliberately and filter BPDUs arriving on ports that face untrusted hosts (see the Bridge Firewall section).
Bridge Interface Setup
Sub-menu: /interface bridge
To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces (by default the smallest MAC address among the ports is chosen automatically; see auto-mac and admin-mac below).
Properties
Property | Description |
---|---|
admin-mac (MAC address; Default: ) | Static MAC address of the bridge (takes effect if auto-mac=no ) |
ageing-time (time; Default: 00:05:00) | How long a host's information will be kept in the bridge database |
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled) | Address Resolution Protocol setting: disabled - the interface will not use ARP; enabled - the interface will use ARP; proxy-arp - the interface will use the ARP proxy feature; reply-only - the interface will only reply to requests originating from matching IP address/MAC address combinations which are entered as static entries in the "/ip arp" table. No dynamic entries will be stored in the "/ip arp" table, so for communication to succeed a valid static entry must already exist. |
auto-mac (yes | no; Default: yes) | Automatically select the smallest MAC address of bridge ports as a bridge MAC address |
forward-delay (time; Default: 00:00:15) | Time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally |
l2mtu (integer; read-only) | Layer2 Maximum transmission unit. read more» |
max-message-age (time; Default: 00:00:20) | How long to remember Hello messages received from other bridges |
mtu (integer; Default: 1500) | Maximum Transmission Unit |
name (text; Default: bridgeN) | Name of the bridge interface |
priority (integer: 0..65535 decimal format or 0x0000-0xffff hex format; Default: 32768 / 0x8000) | Spanning tree protocol priority for the bridge interface. The bridge with the smallest (lowest) bridge ID becomes the root bridge. The bridge ID consists of two numbers: the priority and the MAC address of the bridge. To compare two bridge IDs, the priority is compared first; if two bridges have equal priority, the MAC addresses are compared. |
protocol-mode (none | rstp | stp; Default: rstp) | Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides for faster spanning tree convergence after a topology change. |
transmit-hold-count (integer: 1..10; Default: 6) | The Transmit Hold Count used by the Port Transmit state machine to limit transmission rate |
(Rapid) Spanning Tree Protocol
http://en.wikipedia.org/wiki/Spanning_Tree_Protocol
Example
To add and enable a bridge interface that will forward all the protocols:
    [admin@MikroTik] /interface bridge> add
    [admin@MikroTik] /interface bridge> print
    Flags: X - disabled, R - running
     0 R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00
         protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
         max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
    [admin@MikroTik] /interface bridge>
Bridge Settings
Sub-menu: /interface bridge settings
Property | Description |
---|---|
allow-fast-path (yes | no; Default: yes) | Whether bridged traffic may be forwarded through FastPath. FastPath skips most per-packet processing, so only frames that nothing needs to inspect can take it; frames that must pass the bridge firewall or the IP firewall (use-ip-firewall=yes below) are handled on the regular path instead. |
use-ip-firewall (yes | no; Default: no) | Send bridged traffic to also be processed by 'IP firewall' |
use-ip-firewall-for-pppoe (yes | no; Default: no) | Send bridged un-encrypted PPPoE traffic to also be processed by 'IP firewall' (requires use-ip-firewall=yes to work) |
use-ip-firewall-for-vlan (yes | no; Default: no) | Send bridged VLAN traffic to also be processed by 'IP firewall' (requires use-ip-firewall=yes to work) |
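The following is an added configuration example, not part of the original manual page, showing what the use-ip-firewall settings change in practice. The names bridge1, ether1 (uplink) and ether2 (host-facing port) are assumed; in-bridge-port and out-bridge-port are the '/ip firewall filter' matchers that identify the bridge port a bridged packet arrived on or leaves through.

```routeros
# Added example (assumed names: bridge1, uplink ether1, access port ether2).
# Send bridged frames, including 802.1Q tagged ones, through /ip firewall.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes use-ip-firewall-for-pppoe=no

# With use-ip-firewall=yes, frames forwarded between two bridge ports pass
# the 'forward' chain of /ip firewall filter (they do not terminate on the
# router, so input/output are not involved). in-bridge-port/out-bridge-port
# select the bridge ports; ordinary IP matchers apply as usual.
/ip firewall filter
add chain=forward in-bridge-port=ether2 protocol=udp src-port=67 \
    action=drop comment="host port ether2 must not answer as a DHCP server"
add chain=forward in-bridge-port=ether2 out-bridge-port=ether1 \
    action=accept comment="bridged traffic access -> uplink"

# Check that bridged traffic is really being matched: the counters of the
# rules above should move while hosts on ether2 are active.
/ip firewall filter print stats
/interface bridge settings print
```

With use-ip-firewall=no the two filter rules would never see a frame that is only bridged between ether2 and ether1. The -for-vlan and -for-pppoe switches only extend the same behaviour to tagged and to unencrypted PPPoE frames; on their own they do nothing, as the table states. Expect a throughput cost: once bridged frames have to visit the IP firewall they can no longer be forwarded through FastPath.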
Port Settings
Sub-menu: /interface bridge port
The port submenu is used to add interfaces as ports of a particular bridge interface.
Property | Description |
---|---|
bridge (name; Default: none) | The bridge interface the respective interface is grouped in |
edge (auto | no | no-discover | yes | yes-discover; Default: auto) | Set port as edge port or non-edge port, or enable automatic detection. Edge ports are connected to a LAN that has no other bridges attached. If the port is configured to discover edge port then as soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port. |
external-fdb (auto | no | yes; Default: auto) | Whether to use wireless registration table to speed up bridge host learning |
horizon (none | integer 0..429496729; Default: none) | Use split horizon bridging to prevent bridging loops. read more» |
interface (name; Default: none) | Name of the interface |
path-cost (integer: 0..65535; Default: 10) | Path cost to the interface, used by STP to determine the "best" path |
point-to-point (auto | yes | no; Default: auto) | Whether the port's link is treated as a point-to-point link (a single bridge neighbour over a full-duplex link) for RSTP. RSTP can move a point-to-point port to forwarding quickly through the proposal/agreement handshake, whereas a shared link has to wait out the timers. auto detects the link type; yes and no force it. |
priority (integer: 0..255; Default: 128) | Port priority, the high part of the port ID. When two ports of the same bridge lead to the same LAN segment (or offer the same path to the root), the port with the lower port ID (priority first, then port number) is preferred |
Example
To group ether1 and ether2 in the already created bridge1 bridge
    [admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether1
    [admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether2
    [admin@MikroTik] /interface bridge port> print
    Flags: X - disabled, I - inactive, D - dynamic
     #    INTERFACE   BRIDGE    PRIORITY  PATH-COST  HORIZON
     0    ether1      bridge1   0x80      10         none
     1    ether2      bridge1   0x80      10         none
    [admin@MikroTik] /interface bridge port>
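The following is an added configuration example, not part of the original manual page, that puts the bridge, (R)STP and port properties above together: a bridge whose priority is chosen so that it wins the root election, redundant uplinks kept as non-edge ports, and host-facing ports marked as edge ports. The interface names (bridge1, ether1 to ether5) and the priority and path-cost values are assumptions for the example.

```routeros
# Added example. Assumed names: bridge1, uplinks ether1/ether2,
# host-facing ports ether3..ether5.
/interface bridge
add name=bridge1 protocol-mode=rstp priority=0x1000 \
    comment="deliberately low priority: this bridge should be root"

# Uplinks toward other bridges stay non-edge so that their BPDUs are
# processed and the redundant path is blocked instead of looping.
# The lower path-cost makes ether1 the preferred link.
/interface bridge port
add bridge=bridge1 interface=ether1 edge=no path-cost=10
add bridge=bridge1 interface=ether2 edge=no path-cost=20

# Host-facing ports: edge=yes-discover skips the listening/learning wait
# (forward-delay, 15 s by default) but reverts to non-edge as soon as a
# BPDU arrives, i.e. if somebody plugs another bridge into the port.
add bridge=bridge1 interface=ether3 edge=yes-discover
add bridge=bridge1 interface=ether4 edge=yes-discover
add bridge=bridge1 interface=ether5 edge=yes-discover

# Verify. root-bridge should be yes and root-bridge-id should start with
# 0x1000; if root-bridge is no, some other device advertised a lower
# bridge ID (priority.MAC) than this one. ether3 should show
# edge-port: yes, role: designated-port and forwarding: yes.
/interface bridge monitor bridge1 once
/interface bridge port monitor [find interface=ether3] once
```

The monitor output is the check to keep running after changes elsewhere in the LAN: a root-bridge-id whose priority part is lower than 0x1000 means another bridge (or a host sending crafted BPDUs) has taken over the root role, and a host-facing port that has silently become edge-port: no means a bridge appeared behind it.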
Bridge Monitoring
Sub-menu: /interface bridge monitor
Used to monitor the current status of a bridge.
Property | Description |
---|---|
current-mac-address (MAC address) | Current MAC address of the bridge |
designated-port-count (integer) | Number of designated bridge ports |
port-count (integer) | Number of the bridge ports |
root-bridge (yes | no) | Shows whether bridge is the root bridge of the spanning tree |
root-bridge-id (text) | The root bridge ID, which is in form of bridge-priority.bridge-MAC-address |
root-path-cost (integer) | The total cost of the path to the root-bridge |
root-port (name) | The port through which the root bridge is reached (none on the root bridge itself) |
state (enabled | disabled) | State of the bridge |
Example
To monitor a bridge:
    [admin@MikroTik] /interface bridge> monitor bridge1
                      state: enabled
        current-mac-address: 00:0C:42:52:2E:CE
                root-bridge: yes
             root-bridge-id: 0x8000.00:00:00:00:00:00
             root-path-cost: 0
                  root-port: none
                 port-count: 2
      designated-port-count: 0
    [admin@MikroTik] /interface bridge>
Bridge Port Monitoring
Sub-menu: /interface bridge port monitor
Statistics of an interface that belongs to a bridge.
Property | Description |
---|---|
edge-port (yes | no) | Whether port is an edge port or not |
edge-port-discovery (yes | no) | Whether port is set to automatically detect edge ports |
external-fdb (yes | no) | Whether the wireless registration table is used instead of the forwarding database |
forwarding (yes | no) | Whether the port is in forwarding state (frames are passed through it) |
learning (yes | no) | Whether the port is in learning state (source MAC addresses seen on it are added to the host table) |
port-number (integer 1..4095) | Port identifier |
point-to-point-port (yes | no) | Whether the port currently operates as a point-to-point link (the detected or forced result of the port's point-to-point setting) |
role (designated | root port | alternate | backup | disabled) | The role assigned to the port by the (R)STP algorithm: designated - the port through which this bridge serves the attached segment; root port - the port with the best path to the root bridge; alternate - a blocked port that offers an alternative path to the root; backup - a blocked port that backs up a designated port of the same bridge on the same segment; disabled - the port takes no part in the spanning tree |
sending-rstp (yes | no) | Whether the port is sending BPDU messages |
status (in-bridge | inactive) | Port status |
Example
To monitor a bridge port:
    [admin@MikroTik] /interface bridge port> monitor 0
                   status: in-bridge
              port-number: 1
                     role: designated-port
                edge-port: no
      edge-port-discovery: yes
      point-to-point-port: no
             external-fdb: no
             sending-rstp: no
                 learning: yes
               forwarding: yes
    [admin@MikroTik] /interface bridge port>
Bridge Host Monitoring
Sub-menu: /interface bridge host
Property | Description |
---|---|
age (read-only: time) | The time since the last packet was received from the host |
bridge (read-only: name) | The bridge the entry belongs to |
external-fdb (read-only: flag) | Whether the host was learned using wireless registration table |
local (read-only: flag) | Whether the host entry is of the bridge itself (that way all local interfaces are shown) |
mac-address (read-only: MAC address) | Host's MAC address |
on-interface (read-only: name) | Which of the bridged interfaces the host is connected to |
Example
To get the active host table:
    [admin@MikroTik] /interface bridge host> print
    Flags: L - local, E - external-fdb
      BRIDGE   MAC-ADDRESS        ON-INTERFACE   AGE
      bridge1  00:00:00:00:00:01  ether2         3s
      bridge1  00:01:29:FF:1D:CC  ether2         0s
    L bridge1  00:0C:42:52:2E:CF  ether2         0s
      bridge1  00:0C:42:52:2E:D0  ether2         3s
      bridge1  00:0C:42:5C:A5:AE  ether2         0s
    [admin@MikroTik] /interface bridge host>
Bridge Firewall
Sub-menu: /interface bridge filter, /interface bridge nat
The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the bridge.
The packet flow diagram shows how packets are processed through the router. It is possible to force bridge traffic to go through /ip firewall filter rules (see: Bridge Settings).
There are two bridge firewall tables:
- filter - bridge firewall with three predefined chains:
- input - filters packets, where the destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway)
- output - filters packets which come from the bridge (including those packets that have been routed normally)
- forward - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)
- nat - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains:
- srcnat - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface
- dstnat - used for redirecting some packets to other destinations
Packet marks can be set in the bridge firewall (filter and NAT). They are the same packet marks that '/ip firewall mangle' sets in the IP firewall, so marks set by the bridge firewall can be matched in the IP firewall, and vice versa.
General bridge firewall properties are described in this section. Some parameters that differ between nat and filter rules are described in further sections.
Properties
Property | Description |
---|---|
802.3-sap (integer) | DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are two one-byte fields in the IEEE 802.2 LLC header which identify the network protocol entities that use the link layer service. In practice the two bytes are normally equal. Two hexadecimal digits may be specified here to match the SAP byte |
802.3-type (integer) | Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Subnetwork Access Protocol header). For example, AppleTalk can be indicated by a SAP code of 0xAA followed by a SNAP type code of 0x809B |
arp-dst-address (IP address; default: ) | ARP destination address |
arp-dst-mac-address (MAC address; default: ) | ARP destination MAC address |
arp-gratuitous (yes | no; default: ) | Matches gratuitous ARP packets (ARP packets in which the sender and target protocol addresses are the same) |
arp-hardware-type (integer; default: 1) | ARP hardware type. This is normally Ethernet (Type 1) |
arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-reply | inarp-request | reply | reply-reverse | request | request-reverse) | ARP opcode (packet type) |
arp-packet-type (integer: 0..65535 decimal format or 0x0000-0xffff hex format) | ARP Packet Type |
arp-src-address (IP address; default: ) | ARP source address |
arp-src-mac-address (MAC address; default: ) | ARP source MAC address |
chain (text) | Bridge firewall chain, which the filter is functioning in (either a built-in one, or a user defined) |
dst-address (IP address; default: ) | Destination IP address (only if MAC protocol is set to IPv4) |
dst-mac-address (MAC address; default: ) | Destination MAC address |
dst-port (integer 0..65535) | Destination port number or range (only for TCP or UDP protocols) |
in-bridge (name) | Bridge interface through which the packet is coming in |
in-interface (name) | Physical interface (i.e., bridge port) through which the packet is coming in |
ingress-priority (integer 0..63) | Matches the ingress priority of the packet. The priority may be derived from the VLAN tag, WMM or the MPLS EXP bits |
ip-protocol (ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) | IP protocol (only if MAC protocol is set to IPv4) |
jump-target (name) | If action=jump specified, then specifies the user-defined firewall chain to process the packet |
limit (integer/time,integer) | Restricts the packet match rate to a given limit, specified as count/time,burst |
log-prefix (text) | Defines the prefix to be printed before the logging information |
mac-protocol (802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format) | Ethernet payload type (MAC-level protocol) |
out-bridge (name) | Outgoing bridge interface |
out-interface (name) | Interface that the packet is leaving the bridge through |
packet-mark (name) | Match packets with certain packet mark |
packet-type (broadcast | host | multicast | other-host) | MAC frame type by destination: broadcast, multicast, host (unicast addressed to the bridge itself) or other-host (unicast addressed to another host) |
src-address (IP address; default: ) | Source IP address (only if MAC protocol is set to IPv4) |
src-mac-address (MAC address; default: ) | Source MAC address |
src-port (integer 0..65535) | Source port number or range (only for TCP or UDP protocols) |
stp-flags (topology-change | topology-change-ack) | The BPDU (Bridge Protocol Data Unit) flags. Bridges exchange configuration messages called BPDUs periodically to prevent loops |
stp-forward-delay (time 0..65535) | Forward delay timer |
stp-hello-time (time 0..65535) | STP hello time (interval between configuration BPDUs) |
stp-max-age (time 0..65535) | Maximal STP message age |
stp-msg-age (time 0..65535) | STP message age |
stp-port (integer 0..65535) | STP port identifier |
stp-root-address (MAC address) | Root bridge MAC address |
stp-root-cost (integer 0..65535) | Root bridge cost |
stp-root-priority (integer 0..65535) | Root bridge priority |
stp-sender-address (MAC address) | STP message sender MAC address |
stp-sender-priority (integer 0..65535) | STP sender priority |
stp-type (config | tcn) | The BPDU type: config (configuration BPDU) or tcn (topology change notification) |
vlan-encap (802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format) | the MAC protocol type encapsulated in the VLAN frame |
vlan-id (integer 0..4095) | VLAN identifier field |
vlan-priority (integer 0..7) | The user priority field |
Notes
- STP matchers are only valid if the destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address); stp must also be enabled on the bridge.
- ARP matchers are only valid if mac-protocol is arp or rarp.
- VLAN matchers are only valid for the vlan Ethernet protocol.
- IP-related matchers are only valid if mac-protocol is set to ip (IPv4).
- 802.3 matchers are only consulted if the actual frame is compliant with the IEEE 802.2 and IEEE 802.3 standards (note: this is not the industry-standard Ethernet II frame format used in most networks worldwide). These matchers are ignored for other packets.
Bridge Packet Filter
Sub-menu: /interface bridge filter
This section describes the filtering options that are specific to '/interface bridge filter'.
Properties
Property | Description |
---|---|
action (accept | drop | jump | log | mark-packet | passthrough | return | set-priority) | Action to take on a packet that matches the rule |
Bridge NAT
Sub-menu: /interface bridge nat
This section describes the NAT options that are specific to '/interface bridge nat'.
Properties
Property | Description |
---|---|
action (accept | drop | jump | mark-packet | redirect | set-priority | arp-reply | dst-nat | log | passthrough | return | src-nat) | Action to take on a packet that matches the rule |
to-arp-reply-mac-address (MAC address) | Source MAC address to put in Ethernet frame and ARP payload, when action=arp-reply is selected |
to-dst-mac-address (MAC address) | Destination MAC address to put in Ethernet frames, when action=dst-nat is selected |
to-src-mac-address (MAC address) | Source MAC address to put in Ethernet frames, when action=src-nat is selected |
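As an added example that is not part of the original page, the following RouterOS configuration uses the srcnat and dstnat chains to present a device behind the bridge under a substitute MAC address on the uplink, and action=arp-reply to answer ARP for it. The device address 00:0C:42:52:2E:CF, the substitute 02:00:00:00:00:01, the IP address 192.168.88.50 and the port names are assumptions for illustration.

```routeros
# Added example, not from the original page. Assumed: the device 00:0C:42:52:2E:CF at
# 192.168.88.50 sits behind ether2 and must appear on the uplink ether1 as
# 02:00:00:00:00:01 (a locally administered address). All values are illustrative.
/interface bridge nat
# Frames from the device leaving towards the uplink get the substitute source MAC.
add chain=srcnat out-interface=ether1 src-mac-address=00:0C:42:52:2E:CF \
    action=src-nat to-src-mac-address=02:00:00:00:00:01 comment="hide device MAC"
# Frames arriving from the uplink for the substitute MAC are rewritten back to the
# real address so the bridge can deliver them to the device's port.
add chain=dstnat in-interface=ether1 dst-mac-address=02:00:00:00:00:01 \
    action=dst-nat to-dst-mac-address=00:0C:42:52:2E:CF comment="unhide device MAC"
# src-nat rewrites only the Ethernet header (see to-src-mac-address); an ARP reply
# generated by the device would still carry 00:0C:42:52:2E:CF in its ARP payload.
# Answer uplink ARP requests for the device's address from the bridge instead:
# arp-reply puts the substitute MAC into both the frame header and the ARP payload.
add chain=dstnat in-interface=ether1 mac-protocol=arp arp-opcode=request \
    arp-dst-address=192.168.88.50 \
    action=arp-reply to-arp-reply-mac-address=02:00:00:00:00:01 comment="answer ARP for device"
```

Bridge NAT operates on frame headers only. ARP packets that the device itself originates (its own requests, gratuitous ARP) and higher-layer protocols that embed the hardware address, such as DHCP, still carry the real MAC, so this hides an address from the forwarding tables of neighbouring switches but is not a privacy or access control mechanism.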