Bridging allows you to create a software switch that connects two ports at Layer 2 of the OSI model. A bridge consists of two or more ports that are members of a bridge group. This document was created on VyOS 1.2.0.
Bridge Interface Names
Bridge interfaces are named with br in front of a number; for example, br0 would be bridge interface zero. The terms bridge interface and bridge group are used interchangeably.
Creating a Bridge
Creating a bridge interface is very simple. For this example, let's create a bridge between two physical interfaces on a VyOS router. More example use cases will be given below. This example uses
set interfaces bridge br0
set interfaces ethernet eth0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
The Spanning Tree Protocol (STP) is supported on bridge interfaces, and is disabled by default. For our example, STP can be enabled by issuing set interfaces bridge br0 stp true. STP can be tweaked per bridge as well. Let's change some of the default values:
NOTE: These are not changes you should make unless you know the impact they can have on your network! The values below are purely for demonstration, and will be different for many networks. If you don't know what these are for, don't touch them!
set interfaces bridge br0 priority 4096
set interfaces bridge br0 forwarding-delay 5
set interfaces bridge br0 hello-time 1
set interfaces bridge br0 max-age 10
You can also tweak spanning tree settings on the physical interfaces that are members of the bridge group:
set interfaces ethernet eth0 bridge-group cost 1
set interfaces ethernet eth0 bridge-group priority 0
Bridge interfaces show just like any other interface when running
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
br0              -                                 u/u  BridgeExample
eth0             -                                 u/u
eth1             -                                 u/u
eth2             -                                 u/u
eth3             10.0.2.2/24                       u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
Since bridge interfaces are essentially a software switch, showing the MAC addresses learned on the bridge is possible. For the example above, we can issue show bridge br0 macs and get this output:
vyos@vyos:~$ show bridge br0 macs
port no  mac addr           is local?  ageing timer
  2      08:00:27:a6:56:5a  yes        0.00
  2      08:00:27:a6:56:5a  yes        0.00
  1      08:00:27:ae:5b:d5  yes        0.00
  1      08:00:27:ae:5b:d5  yes        0.00
Bridge groups even support the Spanning Tree Protocol (STP), which can be viewed by issuing show bridge br0 spanning-tree. In our example we get this output:
vyos@vyos:~$ show bridge br0 spanning-tree
br0
 bridge id              1000.080027a6565a
 designated root        1000.080027a6565a
 root port                 0                    path cost                  0
 max age                  10.00                 bridge max age            10.00
 hello time                1.00                 bridge hello time          1.00
 forward delay             5.00                 bridge forward delay       5.00
 ageing time             300.00
 hello timer               0.78                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                  72.02
 flags

eth0 (1)
 port id                8001                    state                forwarding
 designated root        1000.080027a6565a       path cost                100
 designated bridge      1000.080027a6565a       message age timer          0.00
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.78
 flags

eth1 (2)
 port id                8002                    state                forwarding
 designated root        1000.080027a6565a       path cost                100
 designated bridge      1000.080027a6565a       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.78
 flags
Example Use Cases
Below is a collection of use cases for Bridges. This is by no means exhaustive, but is just some of the handy ways I have used bridges in the past.
Layer 2 GRE Bridge
This is very useful when you have that one annoying piece of equipment that requires broadcast communication, but you need to operate it across one or more Layer 3 boundaries.
NOTE: This isn't encrypted in any way, shape, or form, so it should only be used across links that you have control over. If you need to do this over a network out of your control, such as the Internet, you should use IPSec, similar to what is outlined here on the GRE and IPSec tutorial page.
To perform this simple GRE bridge, you will need two routers, one for each segment that needs Layer 2 connectivity. Here is an example config:
set interfaces bridge br1
set interfaces ethernet eth3 bridge-group bridge br1
set interfaces tunnel tun0 local-ip <SourceIP to use for tunnel>
set interfaces tunnel tun0 remote-ip <DestinationIP to use for tunnel endpoint>
set interfaces tunnel tun0 encapsulation gre-bridge
set interfaces tunnel tun0 parameters ip bridge-group bridge br1
After you have this router set up, you just need to do the same thing on the other router, and voila, you will have the ability to broadcast over Layer 3 segments!
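A configuration review aid for the two notes above (STP is off unless enabled, and a gre-bridge tunnel is unencrypted). This is an added example, not part of the original page or of VyOS itself; the function name, the finding texts and the sample addresses are assumptions, and the parser only understands the set commands shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the page's own `set` syntax (addresses are documentation placeholders).
SAMPLE_CONFIG = """\
set interfaces bridge br0
set interfaces bridge br0 stp true
set interfaces ethernet eth0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
set interfaces bridge br1
set interfaces ethernet eth3 bridge-group bridge br1
set interfaces tunnel tun0 local-ip 192.0.2.10
set interfaces tunnel tun0 remote-ip 198.51.100.20
set interfaces tunnel tun0 encapsulation gre-bridge
set interfaces tunnel tun0 parameters ip bridge-group bridge br1
"""

MEMBER = re.compile(r"^set interfaces (\S+) (\S+)(?: vif (\d+))?(?: parameters ip)? bridge-group bridge (\S+)$")
STP_ON = re.compile(r"^set interfaces bridge (\S+) stp true$")
GRE_BRIDGE = re.compile(r"^set interfaces tunnel (\S+) encapsulation gre-bridge$")
BRIDGE = re.compile(r"^set interfaces bridge (\S+)(?: |$)")


def audit_bridges(config_text):
    """Return {bridge: {"members": [...], "stp": bool, "findings": [...]}}."""
    bridges = defaultdict(lambda: {"members": [], "stp": False, "findings": []})
    gre_tunnels = set()
    for raw in config_text.splitlines():
        # Normalise the Unicode hyphen (U+2010) that copying from web pages can introduce.
        line = " ".join(raw.replace("\u2010", "-").split())
        if m := BRIDGE.match(line):
            bridges[m.group(1)]  # register the bridge even if it has no members yet
        if m := STP_ON.match(line):
            bridges[m.group(1)]["stp"] = True
        elif m := GRE_BRIDGE.match(line):
            gre_tunnels.add(m.group(1))
        elif m := MEMBER.match(line):
            _, name, vif, bridge = m.groups()
            bridges[bridge]["members"].append(f"{name}.{vif}" if vif else name)
    for info in bridges.values():
        if len(info["members"]) >= 2 and not info["stp"]:
            info["findings"].append("STP disabled (default) on multi-port bridge")
        for tun in sorted(gre_tunnels.intersection(info["members"])):
            info["findings"].append(f"{tun}: gre-bridge member is unencrypted; use IPSec on links you do not control")
    return dict(bridges)
```

Calling audit_bridges(SAMPLE_CONFIG) reports nothing for br0 and two findings for br1, the bridge that carries the tunnel.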
Adding VLANs to a Bridge
If you don't have a switch, or want to use your VyOS router as a root switch, you may want to trunk the same VLANs over multiple ports. Bridges are helpful in this case. Here is an example config:
set interfaces bridge br2
set interfaces ethernet eth2 vif 2 bridge-group bridge br2
set interfaces ethernet eth2 vif 2 address 192.0.2.1/24
If you don't want to bother with VLANs, you can simply add an address to the bridge interface just like any other interface:
set interfaces bridge br2 address 192.0.2.1/24