The Cable Guy - January 2002
How the Windows XP Network Bridge Works
Network Bridge is a new feature of Windows XP that uses Layer 2 and Layer 3 bridging to transparently combine multiple LAN segments to form a single network segment. A LAN segment is collection of network nodes on the same Data Link layer link. For example, all of the computers that are connected to the same Ethernet hub comprise a LAN segment. A network segment is a collection of network nodes that share the same Network layer address. For example, a TCP/IP network segment is a subnet. All nodes on the same TCP/IP subnet share the same IP network identifier.
Layer 2 Bridging
Layer 2 bridging in the Network Bridge is an implementation of IEEE 802.1D transparent bridging that has been used in bridges and Layer 2 switches for many years.
The Network Bridge places the network adapters of the bridge in promiscuous mode and checks the destination media access control (MAC) address of each incoming frame. If the MAC address is assigned to the bridge computer, the frame is processed by it as the destination. If the MAC address is not assigned to the bridge computer, the Network Bridge notes the source address of the frame and the port on which the frame was received and either creates or refreshes an entry in a Layer 2 bridge table. The port is a number that identifies the network adapter and its corresponding LAN segment. Each entry in the Layer 2 bridge table consists of a MAC address, the port number corresponding to the LAN segment on which a frame from the MAC address was received, and a timeout value. Entries in the Layer 2 bridge table persist for 5 minutes before being removed.
Because the Layer 2 bridge table is built on the basis of the source MAC address of incoming frames, it never contains entries for broadcast or multicast MAC addresses.
Filtering, selective forwarding, and flooding
When a valid frame not destined for the bridge is received, the bridge computer looks up the destination MAC address in the Layer 2 bridge table and takes one of the following actions:
- If the destination address is found and is on the same port from which the frame was received, the frame is silently discarded. This operation is known as filtering. The bridge computer prevents intra-segment frames from being forwarded beyond the LAN segment on which it originated.
- If the destination address is found and is on a different port from which the frame was received, the frame is forwarded out through the port that corresponds to the destination's LAN segment. This operation is known as selective forwarding. The transparent bridge intelligently forwards inter-segment frames with a known destination MAC address. The filtering and selective forwarding operations of transparent bridges are used in large networks to segment network traffic.
- If the destination address is not found, the frame is forwarded out through all of the ports except the one on which the frame was received. This operation is known as flooding. To maintain LAN segment connection transparency, the bridge computer blindly forwards frames with an unknown destination MAC address. All broadcast and multicast MAC traffic is flooded because there are never any broadcast or multicast entries in the Layer 2 bridge table.
Flooding, loops, and the Spanning Tree Algorithm
The flooding operation of transparent bridges, while useful for maintaining the transparency of the connection LAN segments, creates forwarding storms for frames with an unknown destination address whenever bridges that have forwarding enabled on all ports are connected in a loop. The easiest way to observe this behavior is by sending a MAC-level broadcast frame from a node in a simple looped configuration, as demonstrated in the following figure.
- Node A sends a broadcast frame and it is received by both Bridge 1 and Bridge 2.
- Bridge 1 floods the broadcast frame to Segment 2, creating the first copy of the broadcast frame (Copy 1).
- Bridge 2 floods the broadcast frame to Segment 2, creating a second copy of the broadcast frame (Copy 2).
- Bridge 2 receives Copy 1 and floods it to Segment 1.
- Bridge 1 receives Copy 2 and floods it to Segment 1.
- Bridge 1 receives Copy 1 and floods it to Segment 2.
- Bridge 2 receives Copy 2 and floods it to Segment 2.
- Repeat starting at step 4.
The result for this example is that one broadcast frame has become two broadcast frames that are endlessly forwarded between the two LAN segments as quickly as the bridges can process them. This condition is known as Ethernet meltdown.
To prevent this and other problems, the IEEE 802.1D specification includes the Spanning Tree Algorithm (STA), a mechanism that ensures that a forwarding loop never occurs. The STA uses Bridge Protocol Data Units (BPDUs) to automatically configure individual ports on bridges in either a forwarding or blocking state. BPDUs are messages sent by the bridges to a reserved multicast MAC address (01-80-C2-00-00-00 for Ethernet) on which all transparent bridges are listening. In the blocking state, the port does not learn or forward received frames. The end result of the STA is a loop-free bridged environment that exists at all times, regardless of LAN segment topology changes.
For more information about the Spanning Tree Algorithm, see the IEEE 802.1D-1990 specification.
Layer 3 bridging
Layer 3 bridging is used if the network adapter does not support promiscuous mode. Layer 3 bridging does not require any special network adapter functionality. Layer 3 bridging only works for TCP/IP traffic. For broadcast and multicast IP traffic, a packet that is received by the Network Bridge is retransmitted out through all ports except the port on which the packet was received.
For unicast traffic, Layer 3 bridging is based on the Address Resolution Protocol (ARP). ARP is used by TCP/IP nodes to resolve the MAC address that corresponds to the next-hop address of an outbound IP packet. If the destination of the outbound IP packet is on the local subnet, the next-hop address is the destination address and ARP is used to resolve the MAC address of the destination node. If the destination of the outbound IP packet is not on the local subnet, the next-hop address is the default gateway address and ARP is used to resolve the MAC address of the default gateway (assuming that this is a typical host configuration).
A Network Bridge acts as an ARP proxy, answering ARP requests from a node on one LAN segment on behalf of a node on another segment and transferring unicast packets between nodes on different LAN segments. An example network configuration is shown in the following figure.
The Network Bridge (Node B) connects Segments 1 and 2 and has a single IP address (IP_B). When Node A sends an IP packet to Node C, it first sends an ARP request that contains Node A's MAC address (MAC_A), Node A's IP address (IP_A), and Node C's IP address (IP_C). Node B receives the broadcast ARP request and checks its Layer 3 forwarding table.
The Layer 3 forwarding table is maintained by the Network Bridge and contains entries with the following information: node IP address, node MAC address, and port (the network adapter on which the node is located). An entry for the sender of an ARP request in the Layer 3 forwarding table is created when it is received. Entries are refreshed upon each use. Unused entries are timed out after 5 minutes. In this example, the Network Bridge either creates or refreshes the following entry in the Layer 3 forwarding table: IP_A, MAC_A, Port 1.
If an entry for the target IP address of the ARP request is found in the Layer 3 forwarding table and is on a different port, the Network Bridge responds to the ARP request with an ARP reply, which contains its own MAC address for the port on which the request was received. If an entry for the target IP address of the ARP request is found in the Layer 3 forwarding table and is on the same port, the sending and destination nodes are on the same LAN segment and the ARP Request is ignored.
In this example, the Network Bridge unicasts an ARP reply to Node A with the following information: Node B's MAC address on port 1 (MAC_B_1), Node C's IP address (IP_C), Node A's MAC address, and Node A's IP address (IP_A). When Node A sends packets to Node C's IP address, they are sent to Node B's MAC address on port 1 (MAC_B_1).
If the destination IP address of a received unicast IP packet is assigned to the Network Bridge, it is passed to IP and upper layers for processing. If the destination IP address of a received unicast IP packet is not assigned to the Network Bridge, it must determine which of the following is true:
- The destination is a node on another LAN segment of the local subnet.
- The destination is a node on another subnet and the packet is being forwarded to the Network Bridge because it is an IP router.
- The destination is a node on another subnet and the packet is being forwarded to a router on another LAN segment of the local subnet.
The Network Bridge uses the following algorithm to determine which of these cases is true:
- Look up the destination address in the Layer 3 forwarding table.
- If an entry is found, forward the packet to the destination (Case 1 above).
- If an entry is not found, use the IP routing table to determine the next-hop address for the destination address.
- If a next-hop address is determined, look up the next-hop address in the Layer 3 forwarding table.
- If an entry for the next-hop address is found, forward the packet to the node that corresponds to the next-hop address (Case 3 above).
- If an entry for the next-hop address is not found, send the packet to IP and upper layers for processing (Case 2 above).
- If a next-hop address is not determined, send the packet to IP and upper layers for processing (Case 2 above).
In this example, Node B receives the packet that is forwarded by Node A to the destination IP address (IP_C). Because the Layer 3 forwarding table contains an entry for Node C (the entry IP_C, MAC_C, Port 2), the Network Bridge forwards the packet from the MAC address MAC_B_2 (which corresponds to port 2 on the Network Bridge) to the MAC address MAC_C.
If the Network Bridge receives an ARP request and the target IP address is not found in the Layer 3 forwarding table, the Network Bridge stores the contents of the ARP request in an ARP Pending table. The Network Bridge then sends its own ARP request message out all ports except the port on which the original ARP request was received. When a unicast ARP reply to the Network Bridge's request is received, it is matched to the entry in the ARP Pending table. The Network Bridge then sends a unicast ARP reply to the original requestor. The entry in the ARP Pending table is eventually timed out.
Manipulation of DHCP Packets
When a Dynamic Host Configuration Protocol (DHCP) client starts on a network, it sends out broadcast DHCPDiscover or DHCPRequest messages. These messages are sent as MAC-level broadcasts to the limited broadcast IP address (255.255.255.255). A DHCP server or relay agent on the DHCP client's subnet sends the response to these messages to the unicast MAC address of the DHCP client (assuming that the Broadcast flag in the DHCPDiscover or DHCPRequest message is set to 0).
The DHCP messages sent by the client include the following fields:
The Chaddr (client hardware address) field stores the MAC address of the DHCP client.
The XID (transaction ID) is selected by the DHCP client and is included in all of the DHCP messages in a specific exchange. Both the DHCP client and DHCP server use the XID to identify the set of DHCP messages for a DHCP exchange.
Note that in a DHCP exchange that includes broadcast DHCP messages, ARP is not used to resolve MAC addresses because the IP address that is being allocated is not considered valid for use until the DHCP configuration process is complete.
Because the DHCP client's MAC address is embedded in the DHCP message (the Chaddr field), the Network Bridge provides special handing for broadcast DHCP messages so that clients on Layer 3-bridged LAN segments can receive these messages for automatic TCP/IP configuration. When the Network Bridge computer receives a broadcast DHCPDiscover or DHCPRequest message on a port that is providing Layer 3 bridging, it performs the following steps:
- If an entry does not already exist, add an entry to a DHCP Pending table that includes the XID of the DHCP message, the original value of Chaddr, and the port on which the broadcast message was received.
- Broadcast the DHCP message out all ports except the one on which it was received, changing the Chaddr field to the MAC address of the sending port.
When the response is sent by the DHCP server or relay agent, it is unicast to the Network Bridge computer. When the Network Bridge computer receives the DHCP response, it performs the following steps:
- Look up the XID of the DHCP response in the DHCP Pending table. If a match is found, the table entry is used to determine the DHCP client's MAC address and the port on which to forward the DHCP response. If a match is not found and the Network Bridge is not performing its own DHCP configuration, silently discard the DHCP response.
- Change the Chaddr field to the value found in the DHCP Pending table (the DHCP client's MAC address).
- Unicast the DHCP message to the client using the appropriate port.
For More Information
For more information about the Network Bridge in Windows XP, consult the following resources:
For a list of all The Cable Guy articles, click here.