Network bridge
A network bridge connects multiple network segments at the data link layer. Bridges are similar to repeaters or network hubs, devices that connect network segments at the physical layer; however, a bridge uses bridging, in which traffic from one network is managed rather than simply rebroadcast to adjacent network segments. In Ethernet networks, the term "bridge" formally means a device that behaves according to the IEEE 802.1D standard; in marketing literature this is most often referred to as a network switch.
Since bridging takes place at the data link layer of the OSI model, a bridge processes the information from each frame of data it receives. In an Ethernet frame, the header provides the MAC address of the frame's source and destination. Bridges use two methods to resolve the network segment that a MAC address belongs to.
- Transparent bridging – This method uses a forwarding database to send frames across network segments. The forwarding database starts out empty and is populated as the bridge receives frames, by recording each frame's source address against the port it arrived on. If the destination address is not found in the forwarding database, the frame is flooded to all ports of the bridge except the one it arrived on. By means of these flooded frames the destination will respond, and its reply lets the bridge learn which segment it lives on. Along with recording the network segment to which a particular frame is to be sent, bridges may also record a bandwidth metric to avoid looping when multiple paths are available.
- Source route bridging – With source route bridging, two frame types are used in order to find the route to the destination network segment. Single-Route (SR) frames comprise most of the network traffic and have set destinations, while All-Route (AR) frames are used to find routes. Bridges send AR frames by broadcasting on all network branches; each step of the followed route is registered by the bridge performing it. Each frame has a maximum hop count, which is set greater than the diameter of the network graph, and is decremented by each bridge. Frames are dropped when this hop count reaches zero, to avoid indefinite looping of AR frames. The first AR frame which reaches its destination is considered to have followed the best route, and that route can be used for subsequent SR frames; the other AR frames are discarded. This method of locating a destination network can allow for indirect load balancing among multiple bridges connecting two networks: because a heavily loaded bridge is slow to forward frames, it is less likely to take part in the route-finding process for a new destination, so a new AR frame will find a different route over a less busy path if one exists. This method is very different from transparent bridging, where redundant bridges are inactivated; however, more overhead is introduced to find routes, and frame space is consumed to carry them. A switch with a faster backplane can be just as good for performance, if not for fault tolerance.
Advantages of a network bridge
- Self configuring
- Primitive bridges are very cheap
- Reduce size of collision domain
- Transparent to protocols above the MAC layer
- Allows the introduction of management - performance information and access control
- Interconnected LANs remain separate, so physical constraints such as number of stations, repeaters and segment length apply to each LAN individually rather than to the whole
Disadvantages of a network bridge
- Does not limit the scope of broadcasts
- Does not scale to extremely large networks
- Buffering introduces store-and-forward delays; on average, the traffic a bridge must handle grows with the number of stations on the rest of the LAN
- Bridging of different MAC protocols introduces errors
Bridging vs routing
Bridging and routing are both ways of controlling data flow, but they work through different methods. Bridging takes place at OSI Model Layer 2 (Data Link Layer), while routing takes place at OSI Model Layer 3 (Network Layer). This difference means that a bridge directs frames according to hardware-assigned MAC addresses, while a router makes its decisions according to administratively assigned IP addresses. As a result, bridges are not concerned with, and are unable to distinguish, networks, while routers can.
When designing a network, you can choose to put multiple segments into one bridged network or to divide it into different networks interconnected by routers. If a host is physically moved from one network area to another in a routed network, it has to get a new IP address; if this system is moved within a bridged network, it doesn't have to reconfigure anything.
Specific uses of the term "bridge"
A description of the Network Bridge feature in Windows XP is given here; it allows a Windows XP system to function as a bridge between the various networking devices connected to it.
Documentation on Linux bridging can be found in the Linux networking wiki here. Linux bridging also allows filtering and routing.
Network switch
A network switch (or just switch) is a networking device that performs transparent bridging (connection of multiple network segments with forwarding based on MAC addresses) at full wire speed in hardware. The use of specially designed hardware also makes it possible to have large numbers of ports (unlike a PC based bridge which is very limited by expansion slot count).
If a network has only switches and no hubs then the collision domains are either reduced to a single link or, if both ends support full duplex, eliminated altogether. The principle of a fast hardware forwarding device with many ports can be extended to higher layers giving the multilayer switch.
Switch operation
A switch can connect Ethernet, Token Ring, Fibre Channel or other types of packet switched network segments together to form a heterogeneous network operating at OSI Layer 2 (though there may be complications caused by the different MTUs of the standards).
As a frame comes into a switch, the switch saves the originating MAC address and the originating (hardware) port in the switch's MAC address table. This table often uses content-addressable memory, so it is sometimes called the "CAM table". The switch then selectively transmits the frame from specific ports based on the frame's destination MAC address and previous entries in the MAC address table. If the destination MAC address is unknown, for instance, a broadcast address or (for simpler switches) a multicast address, the switch simply transmits the frame out of all of the connected interfaces except the incoming port. If the destination MAC address is known, the frame is forwarded only to the corresponding port in the MAC address table. If the destination port is the same as the originating port, the frame is filtered out and not forwarded.
Switches, unlike hubs, use microsegmentation to create collision domains, one per connected segment. This way, only the NICs which are directly connected via a point-to-point link, or directly connected hubs are contending for the medium. If the switch and the equipment (other than a hub) it connects to support full-duplex then the collision domain is eliminated entirely.
The higher-level operation also allows some more advanced features that would be impractical with simple hubs. For example, Virtual LANs can be used in switches to reduce the size of the broadcast domains and at the same time increase security, and switches can also implement the Spanning Tree Protocol, allowing the use of redundant links.
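The learning and forwarding behaviour described above (an empty table, source-address learning, flooding of unknown destinations, filtering of same-port traffic) is small enough to simulate end to end. The following is an added example written for this page, not code from the original article or any switch vendor; it models a CAM table with a tiny, constructed capacity and adds a per-port learned-address limit in the style of switch "port security", so that a burst of unfamiliar source addresses on one port is refused rather than evicting the rest of the table. All MAC addresses and port numbers are made up.

```python
"""Learning-switch (transparent bridge) simulator. Constructed example."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    # The group (multicast/broadcast) bit is the least-significant bit of the first octet.
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes = b""


@dataclass
class Switch:
    ports: Set[int]
    table_size: int = 8          # CAM capacity; tiny so that eviction is visible
    max_macs_per_port: int = 2   # port-security style learning limit (assumed policy)
    # MAC -> ingress port, ordered by last use so the least-recent entry is evicted first
    cam: "OrderedDict[str, int]" = field(default_factory=OrderedDict)
    violations: List[str] = field(default_factory=list)

    def _macs_on_port(self, port: int) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def _learn(self, mac: str, port: int) -> None:
        if mac in self.cam:
            self.cam.move_to_end(mac)
            self.cam[mac] = port           # the station may have moved to another port
            return
        if self._macs_on_port(port) >= self.max_macs_per_port:
            self.violations.append(f"port {port}: refused to learn {mac}")
            return
        if len(self.cam) >= self.table_size:
            self.cam.popitem(last=False)   # table full: evict least recently used entry
        self.cam[mac] = port

    def forward(self, frame: Frame, in_port: int) -> Set[int]:
        """Return the set of egress ports for `frame` arriving on `in_port`."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        if not is_group_address(frame.src):  # never learn a group address as a source
            self._learn(frame.src, in_port)
        out = self.cam.get(frame.dst)
        if out is None or is_group_address(frame.dst):
            return self.ports - {in_port}    # flood: unknown unicast, broadcast, multicast
        if out == in_port:
            return set()                     # filter: destination is on the source segment
        return {out}


def demo():
    """Learning sequence, then a burst of new source MACs on port 3 that hits the limit."""
    sw = Switch(ports={1, 2, 3, 4})
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    first = sw.forward(Frame(a, b), 1)   # b unknown: flooded to ports 2, 3, 4
    second = sw.forward(Frame(b, a), 2)  # a was learned on port 1
    third = sw.forward(Frame(a, b), 1)   # b is now known on port 2
    for i in range(10):                  # ten unfamiliar sources on port 3
        sw.forward(Frame(f"02:00:00:00:00:{i:02x}", b), 3)
    return first, second, third, sw.cam.get(a), sw.cam.get(b), len(sw.violations)


if __name__ == "__main__":
    print(demo())
```

With the limit in place, only two of the ten new addresses on port 3 are learned and the entries for the two legitimate stations survive. Raising `max_macs_per_port` and shrinking `table_size` shows the opposite outcome: the least recently used legitimate entries are evicted and traffic to them is flooded to every port, which is the condition a capacity-starved table degrades into.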
Forwarding methods
There are four forwarding methods a switch can use:
- Store and forward - the switch buffers each frame and typically verifies its checksum (the frame check sequence) before forwarding it.
- Cut through - the switch reads only as far as the frame's destination hardware address before it starts forwarding. There is no error checking with this method.
- Fragment free - a method which attempts to retain the benefits of both store-and-forward and cut-through. Fragment free checks the first 64 bytes of the frame, where the addressing information is stored, so that collision fragments shorter than the minimum frame size are not forwarded. Error checking of the actual data in the frame is left to the end device at Layer 3 or Layer 4 (OSI).
- Adaptive switching - a method that automatically switches between the other three modes.
Note that "cut through" switches have to fall back to "store and forward" if the outgoing port is busy at the time the packet arrives. Some switches will begin to function as a network hub if the buffer/queue overflows from heavy traffic.
Note that these forwarding methods are not controlled by the user and are configured only by the switch itself.
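What each of the three fixed modes has actually seen at the moment it commits to forwarding can be shown with a few constructed frames. The following added example (written for this page, not code from the original article) builds an Ethernet II frame with a CRC-32 frame check sequence, then runs the store-and-forward, cut-through and fragment-free decision rules over a good frame, a frame with a flipped byte, and a 40-byte collision fragment. The MAC addresses and payload are made up; the FCS is packed little-endian, which is how it appears in packet captures.

```python
"""Forwarding-method decisions on constructed Ethernet frames. Added example."""
import struct
import zlib

MIN_FRAME = 64  # minimum Ethernet frame size in bytes, including the 4-byte FCS


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: dst(6) src(6) type(2) payload, padded to 60 bytes, plus FCS."""
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def fcs_ok(frame: bytes) -> bool:
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def decide(frame: bytes, method: str):
    """Return (forward?, reason) for one frame under one forwarding method."""
    if method == "cut-through":
        # Commits after the 6-byte destination address; FCS is never examined.
        if len(frame) < 6:
            return False, "no destination address yet"
        return True, f"forward to {mac_str(frame[:6])} after 6 bytes, FCS unchecked"
    if method == "fragment-free":
        # Waits for 64 bytes so that collision fragments (runts) are dropped.
        if len(frame) < MIN_FRAME:
            return False, "runt: shorter than 64 bytes"
        return True, "forward after 64 bytes, FCS unchecked"
    if method == "store-and-forward":
        # Buffers the whole frame and verifies the FCS before forwarding.
        if len(frame) < MIN_FRAME:
            return False, "runt: shorter than 64 bytes"
        if not fcs_ok(frame):
            return False, "FCS mismatch: frame dropped"
        return True, "forward: full frame buffered and verified"
    raise ValueError(f"unknown method {method!r}")


def demo():
    """Map each method to (good frame, corrupted frame, runt) forwarding decisions."""
    good = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"hello")
    damaged = bytearray(good)
    damaged[20] ^= 0xFF            # flip one byte inside the frame body
    corrupted = bytes(damaged)
    runt = good[:40]               # a collision fragment: no complete frame
    return {
        m: (decide(good, m)[0], decide(corrupted, m)[0], decide(runt, m)[0])
        for m in ("cut-through", "fragment-free", "store-and-forward")
    }


if __name__ == "__main__":
    for method, verdicts in demo().items():
        print(f"{method:18s} good={verdicts[0]} corrupted={verdicts[1]} runt={verdicts[2]}")
```

Only store-and-forward rejects the corrupted frame; fragment-free catches the runt but not the corruption; cut-through forwards all three. That is the trade-off the list above describes: lower latency in exchange for propagating damaged frames to the next hop.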
Types of switches
Form factor
- Rack mounted
- Non rack mounted
Possibility of configuration
- Non managed
- Managed
- Smart / intelligent
Unmanaged switches have no configuration interface. They are typically found in SOHO environments. Configuration options for managed switches vary with manufacturers and models. You can access the configuration interface for managing your switch (hence the name): older models use a serial console, more recent devices use a web interface, and some can be configured by pushing buttons on the switch itself. They are found in medium and large network environments and come at a higher price and quality (e.g. a backplane with higher transfer speeds). The task of managing them usually requires an understanding of Layer 2 networks (e.g. Ethernet). Smart (or intelligent) switches are usually managed switches with a limited set of features.
Possible features (slightly in the order of basic to advanced features):
- Turn some particular port on or off
- Link speed and duplex settings
- Priority settings for ports
- MAC filtering
- Use of Spanning Tree Protocol
- SNMP monitoring of device and link health
- Port mirroring (also named: monitoring port, spanning port, SPAN port, Roving Analysis Port, link mode port)
- Link aggregation (also called: bonding/trunking)
- VLAN settings
Performance specifications to compare:
- Switch fabric capacity
- MAC table size
- RAM buffer size
- Supported network protocols and standards
- Optional ports (fiber, SFP expansion slots, etc.)
- Automatic port speed detection and configuration
Frame capturing (and other network administration tasks) can be difficult in a switched Ethernet. Port mirroring addresses this problem by replicating the traffic from all ports (or VLANs) onto a single port, on which you can set up an isolated monitoring network. Link aggregation allows you to use multiple ports for the same connection, achieving higher data transfer speeds. Creating VLANs can solve collision problems and serve security goals (by reducing the broadcast/collision domain).
Form of power source
- Standard
- Power over Ethernet
Hubs vs switches
A hub, or repeater, is a fairly unsophisticated broadcast device. Any packet entering any port is broadcast out on every port and thus hubs do not manage any of the traffic that comes through their ports. Since every packet is constantly being sent out through every port, this results in packet collisions, which greatly impedes the smooth flow of traffic.
A switch isolates ports, meaning that every received packet is sent out only to the port on which the target may be found (assuming the proper port can be found; if it is not, then the switch will broadcast the packet to all ports except the port the request originated from). Since the switch intelligently sends packets only where they need to go the performance of the network can be greatly increased.
More expensive switches can also do several other operations, such as isolating ports from each other by placing them in different VLANs, or allowing snooping by copying all packets on some set of ports to a special "sniffer" port.
This leaves the question of when a switch is most appropriate, versus a hub. If most of the network traffic involves only a few ports, then there will be little performance gain achieved by upgrading from a hub to a switch. But if the traffic involves more than a few ports, using a switch can yield a significant improvement in performance. Also, modern Fast Ethernet switches designed for small office / home office (SOHO) use are priced comparably to hubs, making use of a hub somewhat pointless if new equipment must be purchased anyway.
Because data is only routed through the correct port and not broadcast indiscriminately as with hubs, switches are somewhat more secure. Were a user with the intent of capturing other users' data to run Ethereal in promiscuous mode while connected through a switch, they'd find that they'd only see their own data. In contrast, a hub would broadcast all traffic that is not encrypted to all users. This said, even the extra security provided by switches can still be breached with techniques such as MAC flooding and ARP spoofing.
Flaws
It is difficult to monitor traffic that is bridged using a switch, because all ports are isolated until one transmits data, and even then only the sending and receiving ports are connected.
Two popular methods that are specifically designed to allow a network manager to monitor traffic are:
- Port mirroring - the switch sends a copy of network packets to a monitoring network connection.
- SMON - "Switch Monitoring" is described by RFC 2613 and is a protocol for controlling facilities such as port mirroring.
Other methods (which could be classified as attacks) have been devised to allow snooping on another computer on the network without the cooperation of the switch:
- ARP spoofing - fooling the target computer into using your own MAC address for the network gateway, or alternatively getting it to use the broadcast MAC.
- MAC flooding - overloading the switch with a large number of MAC addresses, so that it drops into a "failopen mode".
Network address translation
NAT first became popular as a way to deal with the IPv4 address shortage and to avoid the difficulty of reserving IP addresses. Use of NAT has proven particularly popular in countries other than the United States, which (for historical reasons) have fewer address-blocks allocated per capita. It has become a standard feature in routers for home and small-office Internet connections, where the price of extra IP addresses would often outweigh the benefits.
In a typical configuration, a local network uses one of the designated "private" IP address subnets (the RFC 1918 Private Network Addresses are 192.168.x.x, 172.16.x.x through 172.31.x.x, and 10.x.x.x), and a router on that network has a private address (such as 192.168.0.1) in that address space. The router is also connected to the Internet with a single "public" address (known as "overloaded" NAT) or multiple "public" addresses assigned by an ISP. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from the private addresses to the public address(es). The router tracks basic data about each active connection (particularly the destination address and port). When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine where on the internal network to forward the reply; the TCP or UDP client port numbers are used to demultiplex the packets in the case of overloaded NAT, or IP address and port number when multiple public addresses are available, on packet return. To a system on the Internet, the router itself appears to be the source/destination for this traffic.
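The connection-tracking behaviour described above (rewrite the private source to the single public address, remember the destination, demultiplex returning packets by the router-chosen port) is what an "overloaded" NAT does for every flow. The following is an added example written for this page, not code from the original article or any router's implementation; it simulates NAPT with a tracking table keyed on protocol, private endpoint and remote endpoint, and returns `None` for inbound packets that match no state. The addresses are documentation-range values chosen for the example, and the public port range starting at 40000 is an assumption.

```python
"""Minimal overloaded NAT (NAPT) with connection tracking. Constructed example."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, private_ip, private_port, remote_ip, remote_port) -> public port
        self.outbound: Dict[Tuple, int] = {}
        # (proto, public port) -> (private_ip, private_port, remote_ip, remote_port)
        self.inbound: Dict[Tuple[str, int], Tuple] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Private host -> Internet: allocate (or reuse) a public port and rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = key[1:]
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private host: demultiplex on the public port; drop if no state matches."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None                       # unsolicited: nothing ever went out on this port
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                       # state exists, but for a different remote endpoint
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo():
    """Two private hosts using the same source port share one public address."""
    nat = Napt("203.0.113.7")
    a = nat.translate_out(Packet("192.168.0.10", 5000, "198.51.100.1", 80))
    b = nat.translate_out(Packet("192.168.0.11", 5000, "198.51.100.1", 80))
    reply_a = nat.translate_in(Packet("198.51.100.1", 80, "203.0.113.7", a.src_port))
    reply_b = nat.translate_in(Packet("198.51.100.1", 80, "203.0.113.7", b.src_port))
    unsolicited = nat.translate_in(Packet("198.51.100.9", 80, "203.0.113.7", a.src_port))
    return a, b, reply_a, reply_b, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The last check, rejecting a packet whose source is not the remote endpoint the state was created for, is what gives a home NAT its incidental firewalling effect discussed under "Benefits": with no matching outbound state, an inbound packet has nowhere to go and is dropped.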
Drawbacks
Hosts behind a NAT-enabled router do not have true end-to-end connectivity and cannot participate in some Internet protocols. Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts ("passive mode" FTP, for example), sometimes with the assistance of an Application Layer Gateway (see below), but fail when both systems are separated from the internet by NAT. Use of NAT also complicates security protocols such as IPsec.
End-to-end connectivity has been a core principle of the Internet, supported for example by the Internet Architecture Board. Some people thus regard NAT as a detriment to the Public Internet. Some internet service providers (ISPs) only provide their customers with "local" IP addresses. Thus, these customers must access services external to the ISP's network through NAT. As a result, some may argue that such companies do not properly provide "Internet" service.
Depending on one's point of view, another drawback of NAT is that it greatly slowed the acceptance of IPv6, relegating it to research networks and limited public use.
Benefits
In addition to the convenience and low cost of NAT, the lack of full bidirectional connectivity can be regarded in some situations as a "feature", rather than a "limitation". To the extent that NAT depends on a machine on the local network to initiate any connection to hosts on the other side of the router, it prevents malicious activity initiated by outside hosts from reaching those local hosts. This can enhance the reliability of local systems by stopping worms and enhance privacy by discouraging scans. Many NAT-enabled firewalls use this as the core of the protection they provide.
The greatest benefit of NAT is that it is a practical solution to the impending exhaustion of IPv4 address space. Networks that previously required a Class B IP range or a block of Class C network addresses can now be connected to the Internet with as little as a single IP address (many home networks are set up this way). The more common arrangement is to supply machines that require true bidirectional and unfettered connectivity with a 'real' IP address, while machines that do not provide services to outside users (e.g. a secretary's computer) are tucked away behind NAT with only a few IP addresses used to enable Internet access.
Basic NAT vs port number translation
Two kinds of network address translation exist. The type often popularly called simply "NAT" (also sometimes named "Network Address Port Translation" or "NAPT") refers to network address translation involving the mapping of port numbers, allowing multiple machines to share a single IP address. The other, technically simpler, form - also called NAT or "one-to-one NAT" or "basic NAT" or "static NAT" - involves only address translation, not port mapping. This requires an external IP address for each simultaneous connection. Broadband routers often use this feature, sometimes labelled "DMZ host", to allow a designated computer to accept all external connections even when the router itself uses the only available external IP address.
NAT with port-translation comes in two sub-types: source address translation (source NAT), which re-writes the IP address of the computer which initiated the connection; and its counterpart, destination address translation (destination NAT). In practice, both are usually used together in coordination for two-way communication.
Applications affected by NAT
Some higher-layer protocols (such as FTP and SIP) send network layer address information inside application payloads. FTP in active mode, for example, uses separate connections for control traffic (commands) and for data traffic (file contents). When requesting a file transfer, the host making the request identifies the corresponding data connection by its layer 3 and layer 4 addresses. If the host making the request lies behind a simple NAT firewall, the translation of the IP address and/or TCP port number makes the information received by the server invalid.
An Application Layer Gateway (ALG) can fix this problem. An ALG software module running on a NAT firewall device updates any payload data made invalid by address translation. ALGs obviously need to understand the higher-layer protocol that they need to fix, and so each protocol with this problem requires a separate ALG.
Another possible solution to this problem is to use NAT traversal techniques using protocols such as STUN or ICE or proprietary approaches in a session border controller. NAT traversal is possible in both TCP- and UDP-based applications, but the UDP-based technique is simpler, more widely understood, and more compatible with legacy NATs. In either case, the high level protocol must be designed with NAT traversal in mind, and it does not work reliably across symmetric NATs or other poorly-behaved legacy NATs.
Yet another possibility is UPnP (Universal Plug and Play) or Bonjour but this requires the cooperation of the NAT device.
Most traditional client-server protocols (FTP being the main exception), however, do not send layer 3 contact information and therefore do not require any special treatment by NATs. In fact, avoiding NAT complications is practically a requirement when designing new higher-layer protocols today.
NATs can also cause problems where IPsec encryption is applied and in cases where multiple devices such as SIP phones are located behind a NAT. Phones which encrypt their signalling with IPsec encapsulate the port information within the IPsec packet, meaning that NA(P)T devices cannot access and translate the port. In these cases the NA(P)T devices revert to simple NAT operation. This means that all traffic returning to the NAT will be mapped onto one client, causing the service to fail. There are a couple of solutions to this problem: one is to use TLS, which operates at level 4 in the OSI Reference Model and therefore does not mask the port number; the other is to encapsulate the IPsec within UDP, the solution chosen by TISPAN to achieve secure NAT traversal.
Different types of NAT
Applications that deal with NAT sometimes need to characterize NAT by type. The STUN protocol [1] proposed to characterize network address translation as full cone NAT, restricted cone NAT, port restricted cone NAT or symmetric NAT.[2] Note that the term is indeed "cone", not "clone".
With full cone NAT, also known as one-to-one NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port. An external host can send a packet to the internal host, by sending a packet to the mapped external address.
With restricted cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host can send a packet to the internal host only if the internal host had previously sent a packet to it.
Port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet to a particular port on the internal host only if the internal host had previously sent a packet from that port to the external host.
With symmetric NAT all requests from the same internal IP address and port to a specific destination IP address and port are mapped to a unique external source IP address and port. If the same internal host sends a packet with the same source address and port to a different destination, a different mapping is used. Only an external host that receives a packet can send a UDP packet back to the internal host.
This classification is now abandoned, because many NAT implementations oscillate between the various types. For example, many NATs follow a port preservation design: for most communications, they will use the same values as internal and external port numbers. However, if two internal hosts attempt to communicate with the same external host using the same port number, the external port number used by the second host will be chosen at random. Such a NAT will sometimes be perceived as a restricted cone NAT and at other times as a symmetric NAT.
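The four STUN-era types differ on exactly two axes: how a mapping is chosen (per internal endpoint, or per internal endpoint and destination) and which external senders are allowed through it (anyone, any port on a contacted address, or only the exact contacted address and port). The following added example, written for this page and not taken from the original article or the STUN specification, encodes those two rules for each type and probes them the way a STUN-style classifier would: send to two peers, then see which senders get through. Addresses, ports and the 40000 external port base are constructed values.

```python
"""Simulator of the four STUN-era NAT types (mapping rule + filtering rule). Added example."""
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]
PUBLIC_IP = "203.0.113.7"   # constructed public address of the NAT
KINDS = ("full", "restricted", "port-restricted", "symmetric")


class Nat:
    def __init__(self, kind: str):
        if kind not in KINDS:
            raise ValueError(kind)
        self.kind = kind
        self.mappings: Dict[Tuple, int] = {}             # mapping key -> external port
        self.contacted: Dict[int, Set[Endpoint]] = defaultdict(set)  # ext port -> peers sent to
        self.next_port = 40000

    def _map_key(self, src: Endpoint, dst: Endpoint) -> Tuple:
        # Symmetric NAT: a fresh mapping per destination; cone NATs: one per internal endpoint.
        return (src, dst) if self.kind == "symmetric" else (src,)

    def send(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Internal endpoint sends to dst; returns the external (ip, port) the peer sees."""
        key = self._map_key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.contacted[ext_port].add(dst)
        return (PUBLIC_IP, ext_port)

    def receive(self, sender: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """External sender sends to (PUBLIC_IP, ext_port); returns the internal endpoint or None."""
        key = next((k for k, p in self.mappings.items() if p == ext_port), None)
        if key is None:
            return None                                   # no mapping on this port at all
        peers = self.contacted[ext_port]
        if self.kind == "full":
            allowed = True                                # anyone may use the mapping
        elif self.kind == "restricted":
            allowed = sender[0] in {ip for ip, _ in peers}  # any port on a contacted address
        else:                                             # port-restricted and symmetric
            allowed = sender in peers                     # exact contacted address and port
        return key[0] if allowed else None


def probe(kind: str) -> Tuple[bool, bool, bool, bool]:
    """(same ext port for two peers?, contacted peer gets in?, same IP other port?, stranger?)"""
    nat = Nat(kind)
    src = ("192.168.0.10", 5000)
    peer_a, peer_b = ("198.51.100.1", 3478), ("198.51.100.2", 3478)
    _, p1 = nat.send(src, peer_a)
    _, p2 = nat.send(src, peer_b)
    return (
        p1 == p2,
        nat.receive(peer_a, p1) is not None,
        nat.receive((peer_a[0], 9999), p1) is not None,
        nat.receive(("198.51.100.99", 3478), p1) is not None,
    )


def classify_all() -> Dict[str, Tuple[bool, bool, bool, bool]]:
    return {kind: probe(kind) for kind in KINDS}


if __name__ == "__main__":
    for kind, result in classify_all().items():
        print(f"{kind:16s} same_port={result[0]} peer={result[1]} "
              f"same_ip_other_port={result[2]} stranger={result[3]}")
```

Reading the probe rows top to bottom shows the filtering tightening one step at a time, and the symmetric row is the only one where the two peers see different external ports, which is why a peer cannot predict the mapping it needs and hole-punching across a symmetric NAT fails as the "Applications affected by NAT" section notes.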
Other examples of use
- Load Balancing: Destination NAT can redirect connections pointed at some server to randomly selected servers.
- Failover: Destination NAT can be used to set up a service requiring high availability. If a system involves a critical server accessed through a router, and the router detects that the server has gone down, it could use destination NAT to transparently re-route a connection to arrive at a backup server.
- Transparent proxying: NAT can redirect HTTP connections targeted at the Internet to a special HTTP proxy which can cache content and filter requests. Some internet service providers use this technique to reduce bandwidth usage without requiring their clients to configure their web browser for proxy support.
Popular NAT software
- iptables masquerading
- Berkeley Software Distribution natd
- Internet Connection Sharing (ICS)
- WinGate