Bridge Interface (Bridge Function)

Summary

The bridge interface is a function that accommodates multiple interfaces in one virtual interface and bridges traffic between them.

Each accommodated interface, together with the physical segment attached to it, is handled as one segment of the bridge.

Notes

  • The bridge processing in this function does not guarantee wire speed.
  • The QoS function is not supported.
    Therefore, the Dynamic Traffic Control function, which depends on the QoS function, cannot be used either.
  • The Spanning Tree Protocol is not supported.
    BPDU frames are passed through unchanged.
  • Packets with IEEE802.1Q tags are passed through.
    However, if a LAN division interface (lan1.N or vlanN) is accommodated by the bridge, packets with IEEE802.1Q tags are not passed through.
  • Before using this function, check the restrictions described in "Functions that can use bridge interfaces as an endpoint" and "Fastpath restrictions".

Compatible Models & Firmware Revisions

The Yamaha RT series supports the bridge interface on the following models and firmware revisions.

  Model     Firmware
  FWX120    Rev.11.03.16 or later

Definition of Terms

If you use the bridge interface function, the relationship between each interface during the bridging process needs to be understood.

In particular, if a filter is applied, it is important to know which interface each filter should be applied to.

Therefore, the terms that need to be differentiated when using the bridge interface are defined below.

Bridge interface

The virtual interface that accommodates the actual interfaces; the accommodated interfaces are bridged.
Where "bridge interface" is used without further qualification, it means the interface as seen from the IP layer (L3).

Accommodated interfaces

The actual interfaces accommodated by the bridge interface.
Where "accommodated interface" is used without further qualification, it means the interface as seen from the data link layer (L2).

When applying filters, refer to "Relationship between interfaces and filters" in conjunction with the above definitions.

Details

Functions that can use bridge interfaces as an endpoint

The following functions are supported for communications that have the virtual bridge interface as their endpoint (packets originated by the router itself or addressed to the router itself). Other functions are not supported.

  • IP filter function
    Note: When the IP filter is applied to the bridge interface, only self-originating and self-addressed packets are evaluated by it. The IP filter cannot be applied to accommodated interfaces.
  • DHCP client
  • DNS name resolution (excluding the server function)
  • Firmware writing and configuration file reading by TFTP
  • HTTP revision updates
  • URL filter with external database inquiries
  • Clock configuration by NTP
  • SYSLOG packet transmission (system log host configuration)
  • Mail notifications
  • Server function
    • HTTP server (Web GUI)
    • TELNET server
    • SSH server

Functions other than the above cannot be used.

Bridge function

If you use the bridge function, you need to accommodate the actual interface with which you want to perform bridging in the bridge interface.

A bridge interface is a virtual interface. Bridging is performed between interfaces accommodated in the bridge interface.

A packet received on an accommodated interface is first processed by the filters of that interface, then its output interface(s) are determined and, where there is more than one, the packet is copied once per output interface (bridging). Each copy then passes through the policy filter and is output from its output interface.

Set the bridge learning function and the output interface

When a bridge interface is configured and the bridge function is enabled, the bridge automatically learns the source MAC address of each packet received on an accommodated interface, together with the interface it was received on, and registers the pair in the learning table. If the maximum learnable number is reached, the oldest entry is deleted and the new information is registered.

When bridging, the destination MAC address of the received packet is looked up in the learning table. If a matching entry is found, the packet is output only to the interface recorded in that entry.

This suppresses unnecessary output to the other interfaces. If no learned entry matches, the packet is output to all accommodated interfaces except the one it was received on.

The maximum number of learnable MAC addresses for each model is listed below.

  Model     Maximum learnable number
  FWX120    256

In addition to automatically learning MAC addresses, you can also register MAC addresses statically. If you want to register the MAC address of a server on a particular physical segment explicitly, register it statically.

The maximum number of statically registrable MAC addresses for each model is listed below.

  Model     Maximum registrable number
  FWX120    32

The automatically learned MAC addresses and the statically registrable MAC addresses are managed in separate areas internally. When referencing the registered content during bridging, statically registered entries are referenced first.
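The learning, aging, static-precedence and flooding rules described above (and the bridge learning, clear bridge learning and bridge learning static commands in the Command section below) as a runnable model. This is an added example, not Yamaha firmware or code from this page. It assumes the FWX120 limits (256 learned, 32 static entries) and the 300-second default timer stated here, a caller-supplied clock so that it runs offline, and the usual bridge rule that a frame is never sent back out of the interface it arrived on, which the page does not state. The interface names and MAC addresses in the demo are constructed.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Bridge:
    """Learning bridge modelled on the behaviour described on this page
    (added example; not Yamaha firmware code)."""

    def __init__(self, name, member_macs, max_learned=256, max_static=32,
                 learning=True, timer=300):
        self.name = name                      # e.g. "bridge1"
        self.member_macs = dict(member_macs)  # {"lan1": mac, "lan2": mac}; constructed
        self.max_learned = max_learned        # FWX120: 256 learnable entries
        self.max_static = max_static          # FWX120: 32 static entries
        self.learning = learning              # bridge learning BRIDGE on|off
        self.timer = timer                    # bridge learning BRIDGE timer TIME; None = off
        self.learned = OrderedDict()          # mac -> [iface, last_seen], oldest first
        self.static = {}                      # mac -> iface; separate area, checked first
        self.syslog = []

    @property
    def members(self):
        return list(self.member_macs)

    @property
    def mac(self):
        """The bridge uses the MAC of the member LAN interface with the smallest number."""
        lowest = min(self.member_macs, key=lambda i: int(i.lstrip("lan")))
        return self.member_macs[lowest]

    def add_static(self, mac, iface):
        """bridge learning BRIDGE static MAC IFACE (at most max_static entries)."""
        if mac not in self.static and len(self.static) >= self.max_static:
            raise ValueError("static table full")
        self.static[mac] = iface

    def clear_learning(self):
        """clear bridge learning BRIDGE: drops dynamic entries, keeps static ones."""
        self.learned.clear()

    def _expire(self, now):
        """Delete entries whose source has been silent for the timer period."""
        if self.timer is None:
            return
        for mac in [m for m, (_, seen) in self.learned.items() if now - seen >= self.timer]:
            del self.learned[mac]

    def _learn(self, src, iface, now):
        if not self.learning:
            return
        if src in self.learned:
            self.learned.move_to_end(src)               # refresh: becomes the newest entry
        elif len(self.learned) >= self.max_learned:
            self.learned.popitem(last=False)            # table full: evict the oldest entry
        self.learned[src] = [iface, now]

    def _lookup(self, dst):
        """Static entries take precedence; a static entry whose interface is not a
        member is ignored and logged like the DEBUG message listed on this page."""
        iface = self.static.get(dst)
        if iface is not None:
            if iface in self.member_macs:
                return iface
            self.syslog.append(f"[{self.name}] suspicious learning MAC address ({iface})")
        entry = self.learned.get(dst)
        return entry[0] if entry else None

    def receive(self, ingress, src, dst, now):
        """Forwarding decision for one frame.  Returns ("local", bridge name) when
        the frame is addressed to the router itself, else ("bridge", [out ifaces])."""
        assert ingress in self.member_macs, "frames arrive only on member interfaces"
        self._expire(now)
        self._learn(src, ingress, now)
        if dst == self.mac:
            # Self-addressed: handed to L3 as if received on the bridge interface,
            # which is why an IP filter must be bound to bridge1, not to lan1/lan2.
            return ("local", self.name)
        out = None if dst == BROADCAST else self._lookup(dst)
        if out is None:
            return ("bridge", [i for i in self.members if i != ingress])  # unknown: flood
        # Assumption (standard bridge behaviour, not stated on this page): a frame is
        # never sent back out of the interface it arrived on.
        return ("bridge", [] if out == ingress else [out])

    def show_learning(self, now):
        """show bridge learning BRIDGE: [(mac, iface, remaining TTL seconds), ...]."""
        self._expire(now)
        return [(mac, iface, None if self.timer is None else self.timer - (now - seen))
                for mac, (iface, seen) in self.learned.items()]


if __name__ == "__main__":
    br = Bridge("bridge1", {"lan1": "00:a0:de:01:02:03", "lan2": "00:a0:de:01:02:04"})
    host_a, host_b = "00:0a:de:11:01:01", "00:0a:de:11:02:01"   # constructed hosts
    print(br.receive("lan1", host_a, BROADCAST, now=0))          # unknown dst: flooded to lan2
    print(br.receive("lan2", host_b, host_a, now=1))             # learned: only lan1
    print(br.show_learning(now=10))
```

The `receive` method returns `("local", "bridge1")` for a frame whose destination MAC is the bridge's own address; that is the case the "Relationship between interfaces and filters" section below describes, where the IP layer sees the packet as received on bridge1 rather than on lan1 or lan2.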

Bridge interface

The bridge interface is handled as one interface from the IP layer (L3). Thus, you can configure the IPv4 and IPv6 addresses in the bridge interface.

The interface name that can be used on each model is listed below.

  Model     Bridge interface name
  FWX120    bridge1

For example, you would configure the address 192.168.100.100/24 on the bridge interface as follows:

# ip bridge1 address 192.168.100.100/24
# ip route default gateway 192.168.100.1 

If you need to access the Internet from the bridge interface (when using a URL filter with an external database, for example), you need to configure a route to access the Internet as above.

Relationship between interfaces and filters (Transparent firewall)

You can configure the following filters on the accommodated interfaces:

  • Ethernet filter
  • Intrusion detection (IDS)
  • Inbound filter
  • URL filter with external/internal database
  • Policy filter

Conversely, you can configure the following filters on the bridge interface:

  • IP filter

If you apply filters to the accommodated interfaces, they are processed during bridging as shown in the diagram below; in other words, they are applied at the data link layer (L2). (The processing itself happens at L2, but where a filter requires it the packet is inspected from the IP header onwards.)

[Conceptual Diagram of Filters in Transparent Type Operations]
  • *1 In the out (send) direction, the intrusion detection function is applied after the policy filter.
  • *2 In the out (send) direction, the inbound filter is not applied. It is only applied in the in (receive) direction.

Thus, by applying the Ethernet filter, intrusion detection, inbound filter, URL filter and policy filter to each accommodated interface, the router can be used as a transparent firewall.

The following needs to be noted when configuring the filters.

Self-addressed packets are handled differently at and above the IP layer (L3): once such a packet is passed up from the data link layer, its receiving interface is treated as the bridge interface, not the accommodated interface it physically arrived on. For example, in the above diagram, if a packet received on the lan1 interface on the LAN side is self-addressed (its destination MAC address is the router's own address), the receiving interface seen by the IP layer is bridge1. In other words, a filter that operates at or above the IP layer must be bound to the bridge interface name rather than to the accommodated interface name.

Therefore, specify the bridge interface name for the IP filter and for the host access control of server functions above the IP layer. If you specify an accommodated interface in the IP filter or host access control instead, no packets will be evaluated by it.

Furthermore, if an accommodated interface has a built-in switching hub, traffic switched directly between ports of that hub never reaches the bridge, so no filter can be applied to it.

When used as a transparent firewall, the interface names that can be specified for each filter are shown in the following chart.

✓ : Applicable
⚠ : Not Applicable

  Applicable filters during bridging

  Filter                 Command(s)
  Ethernet filter        ethernet IF filter
  Intrusion detection    ip IF intrusion detection
  Inbound filter         ip IF inbound filter, ipv6 IF inbound filter
  URL filter             url IF filter
  Policy filter          ip policy filter, ipv6 policy filter
  IP filter              ip IF secure filter, ipv6 IF secure filter

  IF                   Ethernet   Intrusion   Inbound   URL   Policy   IP filter
  lanX                    ✓           ✓          ✓       ✓      ✓         ⚠
  pp                  [row values not preserved in this copy]
  tunnel              [row values not preserved in this copy]
  bridgeX (*1) (*2)       ⚠           ⚠          ⚠       ⚠      ⚠         ✓

  • *1 Packets transmitted on the bridge interface include LOCAL packets (self-addressed and self-originating).
  • *2 The IP filter is applied, in the IP layer, to packets received on the bridge interface (self-addressed packets).

If you use the bridge interface as a transparent firewall, also see Related Documents.

Bridge Function & Fastpath

On models that support Fastpath, packets received on an accommodated interface are bridged through Fastpath in the same way that routed packets are.

As when Fastpath is used for routing, packets that meet any of the following conditions are processed on the normal path instead:

  • Packets whose endpoint is the router itself (packets transmitted on the bridge interface)
  • Packets other than IPv4 and IPv6
  • IPv4 and IPv6 packets that meet any of the following conditions:
    • The first packet of a flow
    • TCP packets with the SYN, FIN or RST bit set
    • FTP control session packets
    • IPv6 multicast packets
    • Packets that cannot be added to the flow table because it is full

In the same manner as a router, whether IPv4 and IPv6 packets are processed using Fastpath depends on the following command settings:

  • "ip routing process" command
  • "ipv6 routing process" command

Fastpath restrictions

For packets processed using Fastpath, the following restrictions apply:

  • A log cannot be collected for packets that pass through a pass-log filter
  • The intrusion detection (IDS) function does not work

Because these restrictions apply only to packets processed on Fastpath, the functions work as usual for packets processed on the normal path. For example, when a pass-log filter is used, only the first packet of a flow is processed on the normal path, where it is logged and the flow table entry is created; subsequent packets of the flow are processed on Fastpath and are not logged.

For more details about Fastpath in the router operation, see Related Documents.

SYSLOG Message list

The SYSLOG messages output by this function are listed below. The prefix "[bridge interface name]" is added to the beginning of each message.

  Level    Output message                                       Meaning
  INFO     link up                                              The bridge interface is up
  INFO     link down                                            The bridge interface is down
  DEBUG    suspicious learning MAC address (output interface)   The output interface recorded for the MAC address is not a member of the bridge

Command

Configuring member interfaces for bridge interface

[Syntax]
bridge member BRIDGE_INTERFACE INTERFACE INTERFACE [...]
no bridge member BRIDGE_INTERFACE [INTERFACE ...]
[Setting Value]
  • BRIDGE_INTERFACE ... Bridge interface name
  • INTERFACE
    • lanN ... LAN interface name
    • lanN.M ... LAN division interface name
    • vlanN ... VLAN interface name
[Description]

Defines the interface that will be a member of the bridge virtual interface. The bridge operates between interfaces that are members.

[Note]
  • About member LAN interfaces
    IPv4 and IPv6 addresses are not assigned to actual interfaces that are members; the IPv6 link-local address of a member interface is deleted.
    The MTU value must be identical for all member LAN interfaces.
    An actual interface that is a member of one bridge interface cannot be a member of a different bridge interface.
    If a member interface has a built-in switching hub, this feature does not bridge traffic between the ports of that switching hub; that traffic is switched inside the switching hub LSI.
    A VLAN interface name can be specified only on models that have the expanded features for the LAN division feature.
  • About bridge interfaces
    The link status of the bridge interface follows the link status of the member LAN interfaces: if any member interface is up, the bridge interface is up; if all are down, the bridge interface is down.
    The MAC address of the member LAN interface with the smallest interface number is used as the MAC address of the bridge interface.

Setting whether to automatically execute learning

[Syntax]
bridge learning BRIDGE_INTERFACE SWITCH
no bridge learning BRIDGE_INTERFACE [SWITCH]
[Setting Value]
  • BRIDGE_INTERFACE ... Bridge interface name
  • SWITCH
    • on ... Learning is active
    • off ... Learning is disabled
[Initial Value]
  • SWITCH ... on
[Description]

Configures whether the bridge feature automatically learns MAC addresses. BRIDGE_INTERFACE specifies the affected bridge interface. When learning is on and a packet is received on a member interface of the bridge, the packet's source MAC address and the receiving interface are registered in the learning table.

The learned information is referenced during bridge processing so that packets are not output unnecessarily to interfaces where the destination is not present.

[Note]

If the learning table reaches its maximum size while learning, the oldest entry is deleted and the new entry is registered. If no matching entry exists when the learning table is referenced during bridge processing, the packet is output to all member interfaces except the receiving interface, in the same way as a repeater.

Setting the deletion timer for bridge learning information

[Syntax]
bridge learning BRIDGE_INTERFACE timer TIME
no bridge learning BRIDGE_INTERFACE timer [TIME]
[Setting Value]
  • BRIDGE_INTERFACE ... Bridge interface name
  • TIME
    • 30..32767 ... Number of seconds
    • off ... Timer is not configured
[Initial Value]
  • TIME ... 300
[Description]

Configures the lifetime for the information that the bridge automatically learns. The bridge interface name is specified by BRIDGE_INTERFACE. If a packet with a certain source MAC address is not received within the specified time, the learned information for that MAC address will be deleted.

If off is selected, the learned information will not be automatically deleted.

Clearing the bridge learning information

[Syntax]
clear bridge learning BRIDGE_INTERFACE
[Setting Value]
  • BRIDGE_INTERFACE ... Bridge interface name
[Description]

Erase all dynamically acquired bridge learning information.

[Note]

Statically specified registration information is not erased.

Showing bridge learning information

[Syntax]
show bridge learning BRIDGE_INTERFACE
[Setting Value]
  • BRIDGE_INTERFACE ... Bridge interface name
[Description]

Shows the MAC address learning information for the bridge.

Configuring the static learning information

[Syntax]
bridge learning BRIDGE_INTERFACE static MAC_ADDRESS INTERFACE
no bridge learning BRIDGE_INTERFACE static MAC_ADDRESS [INTERFACE]
[Setting Value]
  • BRIDGE_INTERFACE ... Bridge interface name
  • MAC_ADDRESS ... MAC address
  • INTERFACE ... LAN interface name
[Description]

Configures static registration information that the bridge references. The bridge interface name is specified by BRIDGE_INTERFACE. Packets whose destination MAC address is MAC_ADDRESS are output to the interface specified by INTERFACE, which must be a LAN interface that is a member of BRIDGE_INTERFACE.

[Note]

Information that has been statically registered is given precedence over automatically learned information. If the LAN interface specified in INTERFACE is not a member of BRIDGE_INTERFACE, the registered information will be ignored.

Set the IPv4 Address in the bridge interface

[Syntax]
ip BRIDGE_INTERFACE address IP_ADDRESS/MASK [broadcast BROADCAST_IP]
ip BRIDGE_INTERFACE address dhcp [autoip=SWITCH]
no ip BRIDGE_INTERFACE address [IP_ADDRESS/MASK [broadcast BROADCAST_IP]]
no ip BRIDGE_INTERFACE address [dhcp]
[Setting Value]
  • BRIDGE_INTERFACE ... Bridge interface name
  • IP_ADDRESS ... IP address xxx.xxx.xxx.xxx where xxx is a decimal number
  • dhcp ... Keyword indicating that the IP address is obtained as a DHCP client
  • MASK
    • xxx.xxx.xxx.xxx where xxx is a decimal number
    • Hexadecimal number following 0x
    • Number of mask bits
  • BROADCAST_IP ... Broadcast IP address
  • SWITCH
    • on ... Use the AutoIP function
    • off ... Not use the AutoIP function
[Description]

Sets the IP address and netmask of the interface. A broadcast address can be specified with "broadcast BROADCAST_IP"; if omitted, the directed broadcast address is used. If dhcp is specified, the IP address is obtained as a DHCP client immediately after the command is set. If "no ip BRIDGE_INTERFACE address" is entered while dhcp is in effect, a release message for the obtained IP address is sent to the DHCP server.
When the AutoIP function is on and the DHCP retry count set by the ip BRIDGE_INTERFACE dhcp retry command is finite, an address in 169.254.0.0/16 is selected automatically if DHCP fails to allocate one.

[Note]

If an IP address is not set on a LAN interface, the router tries to obtain the IP address through RARP.
If an IP address is not set on a PP interface, the interface operates as unnumbered.
The client ID that is obtained when the router is operated as a DHCP client can be checked using the show status dhcpc command.

Set the IPv6 Address in the bridge interface

[Syntax]
ipv6 INTERFACE address IPV6_ADDRESS/PREFIX_LEN [ADDRESS_TYPE]
no ipv6 INTERFACE address IPV6_ADDRESS/PREFIX_LEN [ADDRESS_TYPE]
[Setting Value]
  • INTERFACE ... LAN, loopback, or bridge interface name
  • IPV6_ADDRESS ... IPv6 address section
  • PREFIX_LEN ... IPv6 prefix length
  • ADDRESS_TYPE
    • unicast ... Unicast
    • anycast ... Anycast
[Initial Value]
  • ADDRESS_TYPE ... unicast
[Description]

Grants an IPv6 address to the interface.

[Note]

The address granted by this command can be checked with the show ipv6 address command.
Auto address configuration can be used on multiple LAN interfaces. Specifically, two functions are available: one creates an IPv6 address from a prefix obtained by RA and an interface ID, the other from a prefix obtained by DHCPv6 and an interface ID.
When both are specified, the default route points at the interface that completed auto configuration last.

When a loopback interface is specified, ADDRESS_TYPE cannot be specified.
A loopback interface cannot be specified as the interface from which the prefix is taken (PREFIX_INTERFACE, e.g. lan2 in ra-prefix@lan2).

[Example]

Add ::1 to the prefix of RA received by LAN2 to create an IPv6 address, and grant it to LAN1

# ipv6 lan1 address ra-prefix@lan2::1/64

Set the Security by Filtering on the bridge interface (IPv4)

[Syntax]
ip INTERFACE secure filter DIRECTION [FILTER_LIST...] [dynamic FILTER_LIST...]
no ip INTERFACE secure filter DIRECTION [FILTER_LIST]
[Setting Value]
  • INTERFACE ... LAN interface name, WAN interface name, loopback interface name, null interface name, or bridge interface name
  • DIRECTION
    • in ... Filtering of received packets
    • out ... Filtering of packets to be transmitted
  • FILTER_LIST ... Sequence of filter numbers separated by white space (the total number of static and dynamic filters is up to 128)
  • dynamic ... The dynamic filter numbers follow immediately after this keyword
[Description]

Limits the type of packets that pass the interface by combining packet filters specified by the ip filter command.

In the syntax that specifies a direction, the filter sequence applied to each direction is specified by filter numbers. The specified filters are applied in order, and when a filter that matches the packet is found, that filter determines whether the packet is passed or discarded. Subsequent filters are not applied. Packets that do not meet any of the filters are discarded.

[Note]

The filter list is scanned in order. When a match is found, that filter determines whether the packet is passed or discarded.

# ip filter 1 pass 192.168.0.0/24 *
# ip filter 2 reject 192.168.0.1
# ip lan1 secure filter in 1 2

In this setting, packets whose source IP address is 192.168.0.1 are never checked by filter 2, because filter 1 already matches them (192.168.0.1 is inside 192.168.0.0/24) and passes the packet. Filter 2 is therefore shadowed and has no effect; to reject that host it must be listed before filter 1.
Packets that do not match any of the filters in the filter list are discarded.

If RADIUS authentication is used for PP anonymous and the Access-Accept sent from the RADIUS server contains the Filter-Id attribute, the filter set specified by that value is applied and the settings of the ip pp secure filter command are ignored.
If the Filter-Id attribute is absent, the settings of the ip pp secure filter command are used.
Dynamic filtering cannot be used with a loopback or null interface.
You cannot set DIRECTION to 'in' for a null interface.
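The first-match, implicit-discard semantics described in the note above, together with a check for shadowed filters, as an added example (not Yamaha code and not part of this page). It models only the source and destination fields of the ip filter command; protocol and port fields are ignored, and the filter table is the page's own two-filter example, constructed here as a dictionary.

```python
import ipaddress

# Filter definitions in the shape of the page's example (constructed here):
#   ip filter 1 pass 192.168.0.0/24 *
#   ip filter 2 reject 192.168.0.1
# Only the source and destination fields are modelled; protocol and ports are ignored.
FILTERS = {
    1: ("pass", "192.168.0.0/24", "*"),
    2: ("reject", "192.168.0.1", "*"),
}


def _net(spec):
    """'*' matches any address; a bare address is a single-host network."""
    return None if spec == "*" else ipaddress.ip_network(spec, strict=False)


def _matches(net, addr):
    return net is None or ipaddress.ip_address(addr) in net


def evaluate(filter_list, src, dst, filters=FILTERS):
    """Apply `ip IF secure filter DIRECTION filter_list` semantics: the first
    matching filter decides, later ones are not consulted, and a packet that
    matches nothing is discarded (implicit reject)."""
    for num in filter_list:
        action, s, d = filters[num]
        if _matches(_net(s), src) and _matches(_net(d), dst):
            return action, num
    return "reject", None


def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer is None:
        return True
    if inner is None:
        return False
    return inner.subnet_of(outer)


def shadowed(filter_list, filters=FILTERS):
    """Filter numbers that can never fire because an earlier filter in the
    list matches every src/dst pair they match."""
    nets = [(n, _net(filters[n][1]), _net(filters[n][2])) for n in filter_list]
    out = []
    for i, (num, s, d) in enumerate(nets):
        if any(_covers(ps, s) and _covers(pd, d) for _, ps, pd in nets[:i]):
            out.append(num)
    return out


if __name__ == "__main__":
    print(evaluate([1, 2], "192.168.0.1", "10.0.0.5"))   # ('pass', 1): filter 2 never reached
    print(shadowed([1, 2]))                               # [2]
    print(evaluate([2, 1], "192.168.0.1", "10.0.0.5"))   # ('reject', 2): reordered list
```

Running `shadowed` over a filter list before applying it catches the ordering mistake the note warns about; reversing the list to `2 1` makes the reject for 192.168.0.1 effective while the rest of 192.168.0.0/24 still passes.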

Set the Security by Filtering on the bridge interface (IPv6)

[Syntax]
ipv6 INTERFACE secure filter DIRECTION [FILTER_LIST ...] [dynamic FILTER_LIST]
no ipv6 INTERFACE secure filter DIRECTION
[Setting Value]
  • INTERFACE ... LAN, loopback, null, or bridge interface name
  • DIRECTION
    • in ... Filtering of received packets
    • out ... Filtering of sent packets
  • FILTER_LIST ... Series of filter numbers delimited by spaces (total of the number of static filters and dynamic filters: up to 128)
[Description]

Applies the IPv6 filter to the interface.

[Note]

Dynamic filtering cannot be used with a loopback or null interface.
You cannot set DIRECTION to 'in' for a null interface.

Configuration/Operation Examples

  1. Bridge LAN1 and LAN2.
    # bridge member bridge1 lan1 lan2 
    
  2. Configure the IPv4 addresses in the bridge1 bridge interface.
    # ip bridge1 address 192.168.100.1/24 
    
  3. Check the bridge settings.
    # show status bridge1
    BRIDGE1 
    link status:                 UP 
    Bridge:                      LAN1 LAN2 
    Ethernet address:            00:a0:de:01:02:03 
    Sent packets:                1 packet (78 octets)
      IPv4:                      0 packets
      IPv6:                      1 packet 
    Received packets:            243 packets (18912 octets)
      IPv4:                      16 packets
      IPv6:                      17 packets 
    Non-IP packets:              101 packets 
    LAN1 
    Description: 
    Ethernet address:            00:a0:de:01:02:03 
    Operation mode setting:      Type (link status)
                   PORT1:        Auto Negotiation (100BASE-TX Full Duplex)
                   PORT2:        Auto Negotiation (link Down)
                   PORT3:        Auto Negotiation (link Down)
                   PORT4:        Auto Negotiation (link Down) 
    Maximum packet length (MTU): 1500 octets
    Promiscuous mode:            ON 
    Sent packets:                856 packets (676350 octets)
      IPv4 (All/Fastpath):       727 packets / 597 packets
      IPv6 (All/Fastpath):       11 packets/ 0 packets
    Received packets:            570 packets (85036 octets)
      IPv4:                      553 packets
      IPv6:                      10 packets
    LAN2
    Description: 
    Ethernet address:            00:a0:de:01:02:04 
    Operation mode settings:     Auto Negotiation (100BASE-TX Full Duplex) 
    Maximum packet length (MTU): 1500 octets
    Promiscuous mode:            ON 
    Sent packets:                571 packets (85114 octets)
      IPv4 (All/Fastpath):       553 packets / 449 packets
      IPv6 (All/Fastpath):       11 packets / 0 packets 
    Received packets:            903 packets (679446 octets)
      IPv4:                      727 packets
      IPv6:                      10 packets 
    #
    
    
    # show bridge learning bridge1 
    Count:  4
    MAC address            Interface TTL (seconds) 
    00:0a:de:11:03:01      LAN2            240
    00:0a:de:11:02:01      LAN2            262
    00:0a:de:11:01:02      LAN2            260
    00:0a:de:11:01:01      LAN1            159
    # 
    

Reference

Relationship between interfaces and filters in router type operations

This section explains how filter operation differs between use as a transparent firewall and use as a router firewall.

In router operation, only the Ethernet filter is applied at the data link layer (L2). All other filters are applied at the IP layer (L3) or higher, as shown in the diagram below.

[Conceptual Diagram of Filters in Router Type Operations]
  • *1 In the out (send) direction, the intrusion detection function is applied after the policy filter.
  • *2 In the out (send) direction, the inbound filter is not applied. It is only applied in the in (receive) direction.
  • *3 In the out (send) direction, the IP filter is applied before the URL filter.

Self-addressed packets are handled, at the IP layer and below, as received on the interface they actually arrived on. For example, in the above diagram, if a packet received on the lan1 interface on the LAN side is self-addressed (its destination IP address is the router's own address), the filters of the receiving interface, lan1, are applied to it.

When used as a router firewall, the interface names that can be specified for each filter are shown in the following chart.

✓ : Applicable
⚠ : Not Applicable

  Applicable filters during routing

  Filter                 Command(s)
  Ethernet filter        ethernet IF filter
  Intrusion detection    ip IF intrusion detection
  Inbound filter         ip IF inbound filter, ipv6 IF inbound filter
  URL filter             url IF filter
  Policy filter          ip policy filter, ipv6 policy filter
  IP filter              ip IF secure filter, ipv6 IF secure filter

  IF                   Ethernet   Intrusion   Inbound   URL   Policy   IP filter
  lanX                    ✓           ✓          ✓       ✓      ✓         ✓
  pp                  [row values not preserved in this copy]
  tunnel              [row values not preserved in this copy]
  bridgeX             [row values not preserved in this copy]
