head/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
| <varlistentry> | ||||
<listitem> | <listitem> | ||||
<para>If a bridge member interface is marked as sticky, | <para>If a bridge member interface is marked as sticky, | ||||
dynamically learned address entries are treated as | dynamically learned address entries are treated as | ||||
static entries in the forwarding cache. Sticky entries | static entries in the forwarding cache. Sticky entries | ||||
are never aged out of the cache or replaced, even if the | are never aged out of the cache or replaced, even if the | ||||
address is seen on a different interface. This gives | address is seen on a different interface. This gives | ||||
the benefit of static address entries without the need | the benefit of static address entries without the need | ||||
to pre-populate the forwarding table. Clients learned | to pre-populate the forwarding table. Clients learned | ||||
on a particular segment of the bridge can not roam to | on a particular segment of the bridge cannot roam to | ||||
another segment.</para> | another segment.</para> | ||||
<para>An example of using sticky addresses is to combine | <para>An example of using sticky addresses is to combine | ||||
the bridge with <acronym>VLAN</acronym>s in order to | the bridge with <acronym>VLAN</acronym>s in order to | ||||
isolate customer networks without wasting | isolate customer networks without wasting | ||||
<acronym>IP</acronym> address space. Consider that | <acronym>IP</acronym> address space. Consider that | ||||
<systemitem class="fqdomainname">CustomerA</systemitem> | <systemitem class="fqdomainname">CustomerA</systemitem> | ||||
is on <literal>vlan100</literal>, <systemitem | is on <literal>vlan100</literal>, <systemitem | ||||
class="fqdomainname">CustomerB</systemitem> is on | class="fqdomainname">CustomerB</systemitem> is on | ||||
<literal>vlan101</literal>, and the bridge has the | <literal>vlan101</literal>, and the bridge has the | ||||
address <systemitem | address <systemitem | ||||
class="ipaddress">192.168.0.1</systemitem>:</para> | class="ipaddress">192.168.0.1</systemitem>:</para> | ||||
<screen>&prompt.root; <userinput>ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101</userinput> | <screen>&prompt.root; <userinput>ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101</userinput> | ||||
&prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen> | &prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen> | ||||
<para>In this example, both clients see <systemitem | <para>In this example, both clients see <systemitem | ||||
class="ipaddress">192.168.0.1</systemitem> as their | class="ipaddress">192.168.0.1</systemitem> as their | ||||
default gateway. Since the bridge cache is sticky, one | default gateway. Since the bridge cache is sticky, one | ||||
host can not spoof the <acronym>MAC</acronym> address of | host cannot spoof the <acronym>MAC</acronym> address of | ||||
the other customer in order to intercept their | the other customer in order to intercept their | ||||
traffic.</para> | traffic.</para> | ||||
<para>Any communication between the | <para>Any communication between the | ||||
<acronym>VLAN</acronym>s can be blocked using a firewall | <acronym>VLAN</acronym>s can be blocked using a firewall | ||||
or, as seen in this example, private interfaces:</para> | or, as seen in this example, private interfaces:</para> | ||||
<screen>&prompt.root; <userinput>ifconfig bridge0 private vlan100 private vlan101</userinput></screen> | <screen>&prompt.root; <userinput>ifconfig bridge0 private vlan100 private vlan101</userinput></screen> | ||||
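Review bot: both "can not" to "cannot" replacements in this hunk ("cannot roam to another segment" and "one host cannot spoof the MAC address of the other customer") are the right fix, since "can not" reads as "is able to not" and the sentences intend impossibility. Because the hunk touches only the sticky-address entry of a chapter that is several thousand lines long, grep the rest of advanced-networking/chapter.xml for the same spelling so the change lands consistently rather than in one <varlistentry>. While here, the sentence "Since the bridge cache is sticky, one host cannot spoof ..." would be clearer if it tied the guarantee back to the definition two paragraphs up: a sticky entry is not replaced even when the address is seen on a different interface, so the learned MAC-to-member binding for CustomerA stays on vlan100 and frames carrying that address from vlan101 do not redirect CustomerA's traffic. That is the property the example relies on, and naming it avoids readers assuming the bridge filters forged frames in some other way.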