Bridging is a technique used to connect networks at the data-link layer. As explained in Chapter 2, "Network Hardware," hubs connect networks at the physical layer and are unaware of the data structures operating at the higher layers. When you expand your network by adding another hub, the effect is no different than if you substituted a hub with more ports for the old one; each packet generated by a computer on the network reaches every other computer. A bridge, on the other hand, provides packet filtering at the data-link layer, meaning that it only propagates the packets that are destined for the other side of the network. If you have a large LAN that is experiencing excessive collisions or delays due to high traffic levels, you can reduce the traffic by splitting the network in half with a bridge.
A bridge is a physical unit, typically a box with two ports in it, that you use to connect network segments. You can use a bridge to join two existing LANs or to split one LAN into two segments. Bridges operate in what is called promiscuous mode, meaning that they read and process all of the packets transmitted over the network segments. The network adapters in computers, by contrast, read the destination address in each packet and only process those that are addressed to that computer; all others are discarded. Because a bridge functions at the data-link layer, it is capable of interpreting the information in the data-link layer protocol header. Data packets enter the bridge through either one of the ports, and the bridge then reads the destination address in each packet header and decides how to process that packet. This is called packet filtering. If the destination address of a packet arriving from one network segment is that of a computer on the other segment, the bridge transmits it out through the other port. If the destination address is that of a computer on the same network segment as the computer that generated it, the bridge discards the packet.
Although bridges can read the contents of a packet's data-link layer protocol header, they cannot go any higher up the protocol stack than the data-link layer. A bridge cannot read the contents of the data field in a data-link layer frame, which contains the information generated by a network layer protocol.
Figure 3.1 shows two LANs connected by a bridge. When a computer on one LAN transmits a packet to a computer on the other, the bridge receives that packet and relays it to the other LAN. In this case, the destination system receives the packet just as if the two computers were on the same LAN. If a computer on one LAN transmits a packet to another computer on the same LAN, the bridge receives the packet and discards it, because there is no reason for the packet to go to the other LAN. The use of the bridge (theoretically) cuts the unnecessary traffic passing over each network segment in half because packets not needed on the other network segment don't go there.
Figure 3.1 A bridge filters the packets passing between two LANs or two LAN segments by reading their data-link layer protocol headers
A collision domain is a network (or part of a network) that is constructed so that when two computers transmit packets at precisely the same time, a collision occurs. When you add a new hub to an existing network, the computers connected to that hub become part of the same collision domain as the original network because hubs relay the signals that they receive immediately upon receiving them, without filtering packets.
Bridges, on the other hand, do not relay signals to the other network until they have received the entire packet. For this reason, two computers on different sides of a bridge that transmit at the same time do not cause a conflict. The two network segments connected by the bridge are thus said to be in different collision domains. On an Ethernet network, collisions are a normal and expected part of network operations, but when the number of collisions grows too large, the efficiency of the network decreases because more packets must be retransmitted. An increase in the number of collisions on a network is the natural result of an increase in the number of computers on that network. The more systems there are sharing the network medium, the more likely it is that two will transmit at the same time. When the network is split into two collision domains with a bridge, the reduction in traffic on the two network segments results in fewer collisions, fewer retransmissions, and improved efficiency.
The broadcast domain is another important concept in bridging technology. A broadcast message is a packet with a special destination address that causes it to be read and processed by every computer that receives it. By contrast, a unicast message is a packet addressed to a single computer on the network, and a multicast message is addressed to a group of computers on the network (but not necessarily all of them). A broadcast domain is a group of computers that all receive a broadcast message transmitted by any one of the computers in the group.
Broadcasts are a crucial part of the networking process. The most common method computers use to locate a particular system on the local network is to transmit a broadcast that essentially asks, "Does any computer here have this Internet Protocol (IP) address or this NetBIOS name?" and wait for that computer to reply (see Figure 3.2). From that reply message, the broadcaster can determine the desired destination computer's hardware address and send subsequent packets to it as unicasts.
Figure 3.2 Computers use broadcast messages to locate specific systems on the LAN
Adding a bridge separates a network into two different collision domains, but the segments on either side of the bridge remain part of the same broadcast domain because the bridge always relays all broadcast messages from both sides. This behavior mitigates the benefit of the bridge somewhat because a portion of the broadcast traffic being relayed is not utilized by the systems on the other side of the network. For example, if a computer generates a series of broadcast messages to locate another computer on the same network segment, the bridge propagates those broadcasts to the other segment, even though they're superfluous. However, the retention of a single broadcast domain is what enables the two network segments to remain part of the same LAN. Using a bridge is not like using a router, which separates the segments into two independent LANs with separate collision and broadcast domains.
The next logical question to ask when you're learning about how bridges filter packets is, "How do the bridges know which computers are located on each network segment?" Bridges maintain an internal address table that lists the hardware addresses of the computers on both segments. When the bridge receives a packet and reads the destination address in the data-link layer protocol header, it checks that address against its lists. If the address is associated with a segment other than that from which the packet arrived, the bridge relays it to that segment.
One of the specifications bridge manufacturers often supply is the number of addresses that the device can maintain in its table. In most cases, bridges can maintain address tables that are far larger than required by any network, but it's still a good idea to check this specification before you make a purchase.
The question still remains, however, of where the bridge gets its information about the locations of the computers. Originally, network administrators had to manually create the lists of hardware addresses for each segment connected to the bridge. This was obviously an onerous chore. Today, bridges use a technique called transparent bridging to automatically compile their own address lists. When you activate a transparent bridge for the first time, it begins processing packets. For each incoming packet, the bridge reads the source address in the data-link layer protocol header and adds it to the address list for the network segment over which the packet arrived. At first, the bridge doesn't have the information needed to decide whether it should relay the packet or discard it, so the bridge errs on the side of caution and relays the packet to the other network segment. When a sufficient number of packets passes through the bridge to enable the compilation of the address tables, the bridge begins using them to selectively forward packets.
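The learning and filtering behavior described above (learn the source address on the arrival port, relay unknown destinations and all broadcasts, discard frames whose destination is on the same segment) as a small simulation. This is an added example, not code from the book; the two-port bridge model, the port names and the host addresses are all constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class TransparentBridge:
    """Two-port learning bridge (hypothetical model, not a real product)."""

    def __init__(self, ports=("A", "B")):
        self.ports = ports
        self.table = {}   # hardware address -> port on which it was last seen

    def receive(self, in_port, src, dst):
        """Process one frame; return (action, list of output ports)."""
        # Learning: the source address is always recorded against the arrival
        # port, regardless of what happens to the frame afterwards.
        self.table[src] = in_port
        if dst == BROADCAST or dst not in self.table:
            # Broadcasts always cross the bridge (single broadcast domain);
            # unknown unicast destinations are relayed too, erring on the
            # side of caution until the table has been compiled.
            action = "flood"
        elif self.table[dst] == in_port:
            # Destination lives on the segment the frame came from: filter it.
            action = "discard"
        else:
            action = "forward"
        out = [] if action == "discard" else [p for p in self.ports if p != in_port]
        return action, out

def run_demo():
    """Constructed frame sequence: h1 and h3 sit on port A, h2 on port B."""
    b = TransparentBridge()
    frames = [
        ("A", "h1", "h2"),        # h2 not yet learned -> flood
        ("B", "h2", "h1"),        # h1 already learned on A -> forward
        ("A", "h1", "h2"),        # h2 now learned on B -> forward
        ("A", "h3", BROADCAST),   # broadcast -> flood (and learn h3 on A)
        ("A", "h1", "h3"),        # both hosts on A -> discard
        ("B", "h2", BROADCAST),   # broadcast from B -> flood to A
    ]
    return [b.receive(*f)[0] for f in frames], dict(b.table)

if __name__ == "__main__":
    actions, table = run_demo()
    labels = ["h1->h2", "h2->h1", "h1->h2", "h3->bcast", "h1->h3", "h2->bcast"]
    for label, action in zip(labels, actions):
        print(f"{label:10} {action}")
    print("address table:", table)
```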
It is common for network administrators to install multiple bridges between network segments to provide redundancy in case of an equipment failure. However, this practice can cause data loss when multiple bridges process the same packets and determine that the source computer is on two different network segments. In addition, it's possible for multiple bridges to forward broadcast packets around the network endlessly, in what is called a bridge loop. To prevent these problems, bridges communicate among themselves using a protocol known as the spanning tree algorithm (STA), which selects one bridge to process the packets. All other bridges on that network segment remain idle until the first one fails.
It is typical for Ethernet networks to use transparent bridging and the STA, but Token Ring networks use a different system. Instead of the bridges themselves selecting a designated bridge between two segments, Token Ring systems select for themselves which bridge they will use. The technique these systems use is called source route bridging, and it works by having each system transmit All Rings Broadcast (ARB) frames over the network. As each bridge processes these frames (by forwarding them to all connected segments, as with any broadcast), it adds a route designator to them, identifying the bridge and the port through which it received the frame. When the ARB frames arrive at the destination, the receiving system sends all of them back to the source. Bridges use the route designators to avoid sending frames through the same bridge twice, and the original source system uses the returned frames to determine which bridge provides the most efficient route through the network to a given destination.
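The ARB route discovery just described, simulated over a small ring topology: each bridge forwards a copy of the frame onto its other ring and appends a route designator, a copy is never sent through the same bridge (or onto the same ring) twice, the destination returns every copy it receives, and the source keeps the shortest. This is an added example and not code from the book; the rings, bridge names and topology are constructed.

```python
def discover_routes(bridges, src_ring, dst_ring):
    """Simulate All Rings Broadcast flooding.

    bridges: dict bridge_id -> (ring_x, ring_y), the two rings each bridge joins.
    Returns every route (list of (bridge, ring) designators) by which a copy of
    the ARB frame reaches dst_ring. A copy is never sent through the same bridge
    or onto the same ring twice, which is what keeps the flood from looping.
    """
    routes = []

    def flood(ring, route, seen_bridges, seen_rings):
        if ring == dst_ring:
            routes.append(route)      # destination returns this copy to the source
            return
        for bid, (x, y) in bridges.items():
            if bid in seen_bridges or ring not in (x, y):
                continue
            other = y if ring == x else x
            if other in seen_rings:
                continue
            flood(other, route + [(bid, other)],
                  seen_bridges | {bid}, seen_rings | {other})

    flood(src_ring, [], frozenset(), frozenset({src_ring}))
    return routes

def best_route(bridges, src_ring, dst_ring):
    """The source picks the returned copy that crossed the fewest bridges."""
    routes = discover_routes(bridges, src_ring, dst_ring)
    return min(routes, key=len) if routes else None

# Constructed topology (not from the book): four rings and four bridges, with a
# redundant path R1-B3-R3 alongside R1-B1-R2-B2-R3.
TOPOLOGY = {"B1": ("R1", "R2"), "B2": ("R2", "R3"),
            "B3": ("R1", "R3"), "B4": ("R3", "R4")}

if __name__ == "__main__":
    for r in discover_routes(TOPOLOGY, "R1", "R4"):
        print("ARB copy returned via", " -> ".join(f"{b}:{ring}" for b, ring in r))
    print("chosen route:", best_route(TOPOLOGY, "R1", "R4"))
```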
The standard type of bridge used to connect network segments of the same type and the same location is called a local bridge. This is the simplest type of bridge because it doesn't modify the data in the packets; it simply reads the addresses in the data-link layer protocol header and passes the packet on or discards it. There are two other types of bridges you can use to handle segments of different types and those at different locations.
A translation bridge, illustrated in Figure 3.3, is a data-link layer device that connects network segments using different network media or different protocols. This bridge is more complicated than a local bridge because, in addition to reading the headers in the packet, the bridge strips the data-link layer frame off the packets to be relayed to other network segments and packages them in a new frame for transmission on the other segment. The bridge can thus connect an Ethernet segment to a Fiber Distributed Data Interface (FDDI) segment or connect two different types of Ethernet segments (such as 100Base-TX and 100Base-T4) while retaining a single broadcast domain. Because of the additional packet manipulations, translation bridging is slower than local bridging, and translation bridges are more expensive as well. Because there are other types of devices that can connect different network types, such as routers, the use of translation bridges is relatively rare.
Figure 3.3 Translation bridges enable you to build a single network using multiple protocols or media types
A remote bridge is designed to connect two network segments at distant locations using some form of wide area network (WAN) link. The link can be a modem connection, leased telephone line, or any other type of WAN technology. The advantage of using a bridge in this manner is that you reduce the amount of traffic passing over the WAN link, which is usually far slower and more expensive than the local network.
Match the bridging concepts in the left column with the appropriate descriptions in the right column.