
In document Análisis de MAGERIT y PILAR (pages 40-46)


Transparent bridges connect two or more LAN segments. The term segment defines a LAN in terms of older Ethernet terminology. For example, a 10Base2 network was a series of coaxial cables with taps for each device, so the whole series of cables was one segment. As a LAN segment grew, eventually it became too crowded with collisions or exceeded cabling length restrictions. So, the one segment was separated into two segments, and a bridge was placed between the two segments. As you will soon see, this separated the world into two collision domains, meaning that frames sent by devices on one side of the bridge could not collide with frames sent by devices on the other side of the bridge. Because the bridge does not forward all traffic, traffic to each node was reduced. In short, transparent bridges were created to alleviate congestion problems on a single Ethernet segment and to extend allowed cabling distances because the segments on each side of the bridge conformed to the same distance limitation as a single segment.

Transparent bridging is called “transparent” because the endpoint devices do not need to know that the bridge(s) exist(s). In other words, the computers attached to the LAN do not behave any differently in the presence or absence of transparent bridges.

Transparent bridges forward frames when necessary and do not forward when there is no need to do so, thus reducing overhead. To accomplish this, transparent bridges perform three actions:

Learning MAC addresses by examining the source MAC address of each frame received by the bridge

Deciding when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address

166 Chapter 4: LANs, Bridges, and Switches

To fully understand transparent bridging logic, consider Figure 4-8. A client first asks for DNS name resolution and then connects to a Web server. All three devices are on the same LAN segment. The LAN segment is drawn as if it is a 10Base2 or 10Base5 network, but it could be 10BaseT using a shared hub. Regardless, focus on the Ethernet addresses and the bridge's actions in the figure.

Figure 4-8 Example Protocol Flows—Single Ethernet Segment

Figure 4-8 contents (reconstructed from the figure): Client = 0200.1111.1111, DNS = 0200.2222.2222, Web Server = 0200.3333.3333, all on one segment.
Step 1, ARP (DNS): DMAC = FFFF.FFFF.FFFF, SMAC = 0200.1111.1111
Step 2, ARP: DMAC = 0200.1111.1111, SMAC = 0200.2222.2222
Step 3, DNS request: DMAC = 0200.2222.2222, SMAC = 0200.1111.1111
Step 4, DNS reply: DMAC = 0200.1111.1111, SMAC = 0200.2222.2222
Step 5, ARP (Web): DMAC = FFFF.FFFF.FFFF, SMAC = 0200.1111.1111
Step 6, ARP: DMAC = 0200.1111.1111, SMAC = 0200.3333.3333
Step 7, Connect to Web: DMAC = 0200.3333.3333, SMAC = 0200.1111.1111

Bridging and Switching 167

In this example, the devices send messages just like they would if the user, the Web server, and the DNS were on the same segment. The destination and source MAC addresses are listed in the figure. The following list provides some additional text relating the steps shown in Figure 4-8:

1 The PC is preconfigured with the IP address of the DNS; it must use ARP to find the DNS's MAC address.

2 The DNS replies to the ARP request with its MAC address, 0200.2222.2222.

3 The PC requests name resolution by the DNS for the Web server's name.

4 The DNS returns the IP address of the Web server to the PC.

5 The PC does not know the Web server's MAC address, but it does know its IP address, so the PC sends an ARP broadcast to learn the MAC address of the Web server.

6 The Web server replies to the ARP, stating that its MAC address is 0200.3333.3333.

7 The PC now can send frames directly to the Web server.

One somewhat obvious point must be made: All frames are received by all devices. In this case, the single LAN segment is a bus, or a 10BaseT hub, which creates a single bus. Ethernet is considered a broadcast medium because when one device sends, all the rest receive the electrical signal. Each device then must decide whether to process the frame.

Why bother to point out that everyone gets each frame? Well, a transparent bridge would not always forward a copy of each frame on each segment. Now consider the same protocol flow, but with the DNS on a separate segment and a transparent bridge separating the segments, as shown in Figure 4-9. The computers act no differently, sending the same frames and packets. (Remember, “transparent” bridges are transparent to the end user devices.) The transparent bridge forwards all broadcasts, all unicast destination frames not in its bridge table, and multicasts.


Figure 4-9 Example Protocol Flows—Using a Transparent Bridge

Figure 4-9 illustrates several important ideas related to segmentation. To see the real end goal of the bridge, consider Step 7 and the state of the address table after Step 6. Because the bridge knows the unicast MAC addresses of all three devices, when the client sends the frame to the Web server (Step 7), the bridge simply asks itself, “Should I forward this frame?” Because the frame came in the bridge’s E0 port and the Web server (0200.3333.3333) is also out its E0 port, there is no need to forward the frame.

Figure 4-9 contents (reconstructed from the figure): the seven frames are the same as in Figure 4-8. The Client (0200.1111.1111) and the Web Server (0200.3333.3333) are on the bridge's E0 port; the DNS (0200.2222.2222) is on its E1 port.
Address table after Step 1: 0200.1111.1111 E0
Address table after Step 2: 0200.1111.1111 E0; 0200.2222.2222 E1
Address table after Step 3: 0200.1111.1111 E0; 0200.2222.2222 E1
Address table after Step 6: 0200.1111.1111 E0; 0200.2222.2222 E1; 0200.3333.3333 E0


The following list outlines the logic used at each step in the process of Figure 4-9:

1 The first frame is a broadcast, so the bridge forwards the frame. The source MAC address, 0200.1111.1111, is added to the address table.

2 The ARP reply is a unicast destined to 0200.1111.1111, so the bridge knows to forward it out its E0 port, according to the address table. The source MAC of the frame, 0200.2222.2222, is added to the address table.

3 The DNS request is a unicast frame, and the bridge knows where the destination, 0200.2222.2222, is. The bridge forwards the frame. The bridge checks the source address (0200.1111.1111) and notices that it is already in the table.

4 The DNS reply is a unicast, with a known destination (0200.1111.1111) and a known source (0200.2222.2222). The bridge forwards the frame.

5 The ARP broadcast is destined to MAC address FFFF.FFFF.FFFF, so it is forwarded by the bridge, in spite of the fact that the ARP broadcast will reach the Web server without the bridge forwarding the frame.

6 The ARP reply from the Web server is a unicast to 0200.1111.1111, and the bridge has that MAC in its address table. The bridge does not forward the frame because it came in its E0 interface and it is destined out that same interface. The source MAC address, 0200.3333.3333, is added to the address table.

7 The last frame is a unicast whose destination MAC (0200.3333.3333) is in the address table, and the bridge should not forward it.
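The following is an added example, not code from the book: a small Python model of the learning and forwarding logic just described, driven by the seven frames of Figure 4-9 with the Client and Web Server on port E0 and the DNS on port E1. The class and function names, and the step labels, are this example's own. For each step it records the decision (flood, forward, or filter), the egress ports, and a snapshot of the address table, so the reader can check it against the figure's tables after Steps 1, 2, 3 and 6. It also goes one step beyond the figure: a unicast whose destination has not yet been learned is flooded like a broadcast. Note that the table is built purely from the source addresses the bridge observes, which is why an entry learned on the wrong port changes where later frames go; the model has no ageing timer and no spanning tree.

```python
from dataclasses import dataclass, field

# Device MAC addresses and port placement as drawn in Figure 4-9.
CLIENT = "0200.1111.1111"   # on port E0
DNS = "0200.2222.2222"      # on port E1
WEB = "0200.3333.3333"      # on port E0
BROADCAST = "FFFF.FFFF.FFFF"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast destinations have the I/G bit (low bit of the
    first byte) set; a bridge forwards such frames out every other port."""
    first_byte = int(mac.replace(".", "")[:2], 16)
    return bool(first_byte & 0x01)


@dataclass
class Frame:
    label: str   # constructed label for the step, not part of the frame
    dmac: str
    smac: str


@dataclass
class TransparentBridge:
    """Minimal learning bridge (example's own class): the address table maps a
    source MAC to the port it was last seen on. No ageing, no spanning tree."""
    ports: tuple
    table: dict = field(default_factory=dict)

    def receive(self, in_port: str, frame: Frame):
        # Learning: record the source MAC against the ingress port, whether or
        # not the frame ends up being forwarded.
        self.table[frame.smac] = in_port

        # Deciding: broadcast/multicast and unknown unicast are flooded out all
        # other ports; known unicast goes to one port, or is filtered when that
        # port is the one the frame arrived on.
        others = [p for p in self.ports if p != in_port]
        if is_group_address(frame.dmac):
            return "flood", others
        out_port = self.table.get(frame.dmac)
        if out_port is None:
            return "flood", others
        if out_port == in_port:
            return "filter", []
        return "forward", [out_port]


# The seven frames of Figure 4-9, each with the port it enters the bridge on.
FIGURE_4_9 = [
    ("E0", Frame("ARP (DNS)", BROADCAST, CLIENT)),
    ("E1", Frame("ARP reply", CLIENT, DNS)),
    ("E0", Frame("DNS request", DNS, CLIENT)),
    ("E1", Frame("DNS reply", CLIENT, DNS)),
    ("E0", Frame("ARP (Web)", BROADCAST, CLIENT)),
    ("E0", Frame("ARP reply", CLIENT, WEB)),
    ("E0", Frame("Connect to Web", WEB, CLIENT)),
]


def run_figure_4_9():
    """Feed the frames through a two-port bridge and record, per step, the
    decision, the egress ports and a snapshot of the address table."""
    bridge = TransparentBridge(ports=("E0", "E1"))
    results = []
    for step, (in_port, frame) in enumerate(FIGURE_4_9, start=1):
        action, out_ports = bridge.receive(in_port, frame)
        results.append({
            "step": step,
            "label": frame.label,
            "action": action,
            "out_ports": out_ports,
            "table": dict(bridge.table),   # copy: later steps mutate it
        })
    return results


def unknown_unicast_is_flooded():
    """Beyond the figure: the same DNS request arriving at a bridge that has
    not yet learned the DNS server's address is flooded, not filtered."""
    bridge = TransparentBridge(ports=("E0", "E1"))
    return bridge.receive("E0", Frame("DNS request", DNS, CLIENT))


if __name__ == "__main__":
    for r in run_figure_4_9():
        print(f"step {r['step']} {r['label']:<15} {r['action']:<8} "
              f"out={r['out_ports']} table={r['table']}")
```

Running the script prints one line per step; Steps 6 and 7 come out as "filter" with no egress port, matching the text's point that the bridge stays out of the way once it knows both 0200.1111.1111 and 0200.3333.3333 are on E0.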

Networks using bridges have the following general characteristics:

Broadcasts and multicast frames are forwarded by a bridge.

Transparent bridges perform switching of frames using Layer 2 headers and Layer 2 logic and are Layer 3 protocol-independent. This means that installation is simple because no Layer 3 address group planning or address changes are necessary. For example, because the bridge retains a single broadcast domain, all devices on all segments attached to the bridge can look like a single subnet.

Store-and-forward operation is typical in transparent bridging devices. Because an entire frame is received before being forwarded, additional latency is introduced (as compared to a single LAN segment).

The transparent bridge must perform processing on the frame, which also can increase latency (as compared to a single LAN segment).
