Removing bridge ports and bridge interfaces
If you need to remove a port from a bridge, brctl provides the 'delif' command:
# brctl delif br0 eth1
Should you want to delete a bridge completely, then use 'delbr'. You must shut the interface down before you can do this, however.
# ifconfig br0 down
# brctl delbr br0
Spanning Tree Protocol
Spanning Tree Protocol (STP) is used by switches to handle multiple bridge paths on a network. The ability to have multiple paths within a network addresses, amongst other things, one serious flaw in the network shown above: the bridge has become a single point of failure. Should it fail, the two sides of the network will be unable to talk to one another.
We can fix this easily by adding a second bridge, as shown in Figure 2. STP allows these two bridges to negotiate which will be active and which will be passive. The active bridge will take part in all packet transmission between the two segments, while the passive bridge will do nothing until its partner fails.
STP is considerably more complex than can be covered in an introductory article such as this, so we will cover only the basics.
As we saw earlier, every bridge has an ID associated with it. This is an eight-byte number: the first two bytes are the bridge priority, which we can set manually, and the remaining six bytes are the MAC address of the bridge. Under Linux, the default bridge priority is 32768. The bridge's MAC address is the lowest numbered MAC address of all the bridge's ports. We generally represent the bridge ID as a two-part hexadecimal number, the priority followed by the MAC address as the fractional part. For example, 8000.100001037303 is the ID of a bridge with a priority of 32768 (8000 hex) and a MAC address of 10:00:01:03:73:03.
In a network with multiple bridges, the bridge with the lowest bridge id will be "elected" to be the root bridge. The root bridge then determines a path cost for every redundant path in the network, and where path loops are discovered, certain bridge ports are placed in a "blocking" state, and these ports will no longer forward packets.
STP is off by default, under Linux. You can determine whether it has been turned on or off using "brctl show br0", as outlined above. The state can be changed using:
# brctl stp br0 on
or
# brctl stp br0 off
To see further information about STP settings on a bridge, use the "showstp" command:
bridge01# brctl showstp br0
br0
 bridge id              8000.100001037303
 designated root        8000.100001037303
 root port                 0                    path cost                  0
 max age                  20.00                 bridge max age            20.00
 hello time                2.00                 bridge hello time          2.00
 forward delay            15.00                 bridge forward delay      15.00
 ageing time             300.00
 hello timer               0.17                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   0.00
 flags

eth0 (1)
 port id                8001                    state                forwarding
 designated root        8000.100001037303       path cost                100
 designated bridge      8000.100001037303       message age timer          0.00
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

eth1 (2)
 port id                8002                    state                forwarding
 designated root        8000.100001037303       path cost                100
 designated bridge      8000.100001037303       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags
We can see from the above that this bridge is the root bridge for its network (see "bridge id" and "designated root") and hence, both of its interfaces are in a forwarding state. If we run the same command on the second bridge, we will see a few differences:
bridge02# brctl showstp br0
br0
 bridge id              8000.100001087423
 designated root        8000.100001037303
 root port                 1                    path cost                100
 max age                  20.00                 bridge max age            20.00
 hello time                2.00                 bridge hello time          2.00
 forward delay            15.00                 bridge forward delay      15.00
 ageing time             300.00
 hello timer               0.00                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                 238.59
 flags

eth1 (1)
 port id                8001                    state                forwarding
 designated root        8000.100001037303       path cost                100
 designated bridge      8000.100001037303       message age timer         18.63
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

eth2 (2)
 port id                8002                    state                  blocking
 designated root        8000.100001037303       path cost                100
 designated bridge      8000.100001037303       message age timer         18.63
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags
This bridge has an ID of 8000.100001087423, but its designated root value shows the ID of the other bridge. This makes sense, since only one bridge can be the root on a network. We also see that one of its ports is listed as blocking. This is the whole point of STP: it removes loops on the network. If this bridge receives any packets that need to be sent across to a different network segment, it will ignore them, since the other bridge will handle them.
If, for some reason, you don't like the root bridge that your network has elected for itself, it is possible to alter the priority of one or more bridges using the 'setbridgeprio' command. Here, we set a bridge priority of 4096 (1000 hex).
# brctl setbridgeprio br0 4096
Looking at our bridges now, we will see that the bridge id has changed.
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             1000.100001047106       yes             eth0
                                                        eth1
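The following Python script is an added example, not code from the original article or from the bridge-utils project. It builds and splits bridge IDs exactly as described above (two priority bytes, a dot, six MAC bytes), re-runs the "lowest ID wins" root election, and parses 'brctl showstp' output so that a script can tell whether a bridge is the root and which of its ports are blocking. The sample output embedded in it is the article's own bridge01/bridge02 output, trimmed to the lines the parser reads; the function and field names are the example's own choices. The root_changed() check is the kind of thing an operator would run periodically to notice an unexpected root election, for instance after someone lowers a priority with 'setbridgeprio'.

```python
import re
from typing import Dict, List, Sequence, Tuple

def bridge_id(priority: int, mac: str) -> str:
    """Format an 8-byte bridge ID the way brctl prints it:
    four hex digits of priority, a dot, then the MAC without colons."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in two bytes")
    return f"{priority:04x}.{mac.replace(':', '').lower()}"

def parse_bridge_id(bid: str) -> Tuple[int, str]:
    """Inverse of bridge_id(): returns (priority, 'aa:bb:cc:dd:ee:ff')."""
    prio_hex, mac_hex = bid.split(".")
    if len(prio_hex) != 4 or len(mac_hex) != 12:
        raise ValueError(f"malformed bridge id: {bid!r}")
    mac = ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2))
    return int(prio_hex, 16), mac

def elect_root(ids: Sequence[str]) -> str:
    """The lowest numeric bridge ID becomes root. Priority is the
    high-order part, so it dominates the MAC address."""
    return min(ids, key=lambda b: int(b.replace(".", ""), 16))

# Field names below are this example's own; brctl only prints the labels.
_PORT_HEADER = re.compile(r"^(\S+) \((\d+)\)$")        # e.g. "eth0 (1)"
_FIELDS = {
    "bridge_id": r"bridge id (\S+)",
    "designated_root": r"designated root (\S+)",
    "designated_bridge": r"designated bridge (\S+)",
    "root_port": r"root port (\d+)",
    "path_cost": r"path cost (\d+)",
    "port_id": r"port id (\S+)",          # kept as hex text, e.g. "8001"
    "state": r"state (\w+)",
}
_INT_FIELDS = {"root_port", "path_cost"}

def parse_showstp(text: str) -> Dict:
    """Parse 'brctl showstp' output into {name, bridge_id, ..., ports: {...}}."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    bridge: Dict = {"name": lines[0], "ports": {}}
    section = bridge                      # fields go to the bridge until a port header
    for line in lines[1:]:
        hdr = _PORT_HEADER.match(line)
        if hdr:
            section = {"number": int(hdr.group(2))}
            bridge["ports"][hdr.group(1)] = section
            continue
        for key, pattern in _FIELDS.items():
            m = re.search(pattern, line)
            if m:
                section[key] = int(m.group(1)) if key in _INT_FIELDS else m.group(1)
    return bridge

def is_root(bridge: Dict) -> bool:
    return bridge["bridge_id"] == bridge["designated_root"]

def blocking_ports(bridge: Dict) -> List[str]:
    return sorted(p for p, d in bridge["ports"].items() if d.get("state") == "blocking")

def root_changed(bridge: Dict, expected_root: str) -> bool:
    """Monitoring check: True when the network elected a root other than
    the one the operator expects."""
    return bridge["designated_root"] != expected_root

# Article output, trimmed to the lines the parser uses.
BRIDGE01 = """br0
bridge id 8000.100001037303
designated root 8000.100001037303
root port 0 path cost 0
eth0 (1)
port id 8001 state forwarding
designated root 8000.100001037303 path cost 100
eth1 (2)
port id 8002 state forwarding
designated root 8000.100001037303 path cost 100
"""
BRIDGE02 = """br0
bridge id 8000.100001087423
designated root 8000.100001037303
root port 1 path cost 100
eth1 (1)
port id 8001 state forwarding
designated root 8000.100001037303 path cost 100
eth2 (2)
port id 8002 state blocking
designated root 8000.100001037303 path cost 100
"""

def main() -> None:
    for text in (BRIDGE01, BRIDGE02):
        b = parse_showstp(text)
        print(b["name"], b["bridge_id"], "root" if is_root(b) else "non-root",
              "blocking:", blocking_ports(b))
    # Re-run the election after bridge02 is given priority 4096 (setbridgeprio).
    _, mac = parse_bridge_id("8000.100001087423")
    print("new root:", elect_root(["8000.100001037303", bridge_id(4096, mac)]))

if __name__ == "__main__":
    main()
```

Because the priority occupies the high-order bytes, the re-run election in main() shows bridge02 taking over as root as soon as its priority drops to 4096, even though its MAC address is the higher of the two.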
It's also possible to influence which port STP selects by setting a specific priority or cost on a port (brctl has 'setportprio' for the port priority and 'setpathcost' for the path cost). This may be required where, for example, a slower link has been automatically selected to be the designated port instead of a faster one and the operator wishes to override this. Links with lower costs will be selected for use, in preference to those with higher costs. Here, we set the priority of eth1 to 50:
# brctl setportprio br0 eth1 50
Depending on the topology of the bridge network, this may cause some of the bridge ports to change their status, from "forwarding" to "blocking". While this happens, part of the network may become unreachable for a short period of time, but it should stabilise and become available again within a minute.
For further information on Spanning Tree Protocol, please see the IEEE 802.1D specification.
Conclusion
Hopefully you now have a good grounding in the basics of Linux bridging and can experiment with more complex arrangements on your own. You may find it handy to build a large number of virtual machines (e.g., with User Mode Linux or QEMU) and bridge their networks together. This makes it very easy to create very involved topologies in which to investigate the concepts outlined above.