
Configure ethernet bridging on CentOS

An ethernet bridge can be used as a firewall, traffic shaper, etc.
To make use of an ethernet bridge on CentOS, there are some prerequisites:

Install the 'bridge-utils' package:

# yum install bridge-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: ftp.ines.lug.ro
 * base: ftp.ines.lug.ro
 * extras: ftp.ines.lug.ro
 * updates: ftp.ines.lug.ro
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bridge-utils.i386 0:1.1-2 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================
 Package                       Arch                  Version                  Repository             Size
==========================================================================================================
Installing:
 bridge-utils                  i386                  1.1-2                    base                   27 k

Transaction Summary
==========================================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 27 k
Is this ok [y/N]: y
Downloading Packages:
bridge-utils-1.1-2.i386.rpm                                                        |  27 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : bridge-utils                                                                       1/1

Installed:
  bridge-utils.i386 0:1.1-2                                                                              

Complete!


Afterwards, the ethernet devices which will participate in the bridge need to be identified. These can be real ethernet devices, but they can also be 802.1q tagged virtual interfaces.
I will use two bridges: one linking VLAN ID 10 on eth0 with VLAN ID 10 on eth1, and one doing the same for VLAN ID 11. The bridges will be identified as 'br10' and 'br11'.

In my example, eth0 and eth1 will be used as physical devices without an IP address assigned. The following files need adjustment:

/etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
DEVICE=eth0
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet

Afterwards, the 802.1q tagged VLANs require configuration:



VLAN id 10 on eth0:

/etc/sysconfig/network-scripts/ifcfg-eth0.10

# Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
DEVICE=eth0.10
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet
VLAN=yes
BRIDGE=br10

VLAN id 11 on eth0:

/etc/sysconfig/network-scripts/ifcfg-eth0.11

# Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
DEVICE=eth0.11
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet
VLAN=yes
BRIDGE=br11

A similar configuration is required for the secondary ethernet interface:

/etc/sysconfig/network-scripts/ifcfg-eth1
# Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
DEVICE=eth1
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet

VLAN id 10 on eth1:

/etc/sysconfig/network-scripts/ifcfg-eth1.10

# Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
DEVICE=eth1.10
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet
VLAN=yes
BRIDGE=br10

VLAN id 11 on eth1:

/etc/sysconfig/network-scripts/ifcfg-eth1.11

# Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
DEVICE=eth1.11
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet
VLAN=yes
BRIDGE=br11



The bridges need to be configured too:

/etc/sysconfig/network-scripts/ifcfg-br10
DEVICE=br10
TYPE=Bridge
#IPADDR=1.2.3.4
#GATEWAY=1.2.3.1
#NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
DELAY=5
STP=yes

/etc/sysconfig/network-scripts/ifcfg-br11
DEVICE=br11
TYPE=Bridge
#IPADDR=1.2.4.4
#GATEWAY=1.2.3.1
#NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
DELAY=5
STP=yes



After enabling this configuration, the system is able to use the two bridges:

# service network restart

Of course, if the system needs to be accessed remotely, an IP address for management purposes needs to be configured somewhere, either on a different physical interface or on one of the bridges. This configuration can also be used as a transparent bridge for traffic classification and shaping, using tc.
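
Before running 'service network restart', the ifcfg files can be checked for consistency, since a bridge file saved under the wrong name or path leaves its ports pointing at a bridge that has no configuration. The script below is an added example, not part of the original page; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: lint ifcfg-* files for the bridge layout used on this page.
# Function names are hypothetical; they are not part of bridge-utils or initscripts.

# get_key FILE KEY: print the value of the last uncommented KEY= line
get_key() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# check_bridges DIR: print one line per problem; return 0 if clean, 1 otherwise
check_bridges() {
    dir=$1; rc=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        dev=$(get_key "$f" DEVICE); br=$(get_key "$f" BRIDGE)
        [ -n "$br" ] || continue            # not a bridge port
        # The bridge named by BRIDGE= needs its own file with TYPE=Bridge
        if [ "$(get_key "$dir/ifcfg-$br" TYPE)" != "Bridge" ]; then
            echo "ERROR $dev: no ifcfg-$br with TYPE=Bridge"; rc=1
        fi
        # Ports carry no IP address; an address, if any, belongs on the bridge
        if [ -n "$(get_key "$f" IPADDR)" ]; then
            echo "ERROR $dev: IPADDR set on a bridge port"; rc=1
        fi
        # 802.1q sub-interfaces (ethX.N) need VLAN=yes
        case $dev in
            *.*) [ "$(get_key "$f" VLAN)" = "yes" ] ||
                 { echo "ERROR $dev: VLAN=yes missing"; rc=1; } ;;
        esac
    done
    return $rc
}

# make_sample DIR: constructed sample files; ifcfg-br11 is deliberately absent
make_sample() {
    printf 'DEVICE=eth0.10\nVLAN=yes\nBRIDGE=br10\n' > "$1/ifcfg-eth0.10"
    printf 'DEVICE=eth1.10\nVLAN=yes\nBRIDGE=br10\n' > "$1/ifcfg-eth1.10"
    printf 'DEVICE=eth1.11\nVLAN=yes\nBRIDGE=br11\n' > "$1/ifcfg-eth1.11"
    printf 'DEVICE=br10\nTYPE=Bridge\nSTP=yes\n' > "$1/ifcfg-br10"
}

# Demo on the constructed sample; on a real host pass /etc/sysconfig/network-scripts
tmp=$(mktemp -d)
make_sample "$tmp"
check_bridges "$tmp" || echo "problems found, fix them before restarting the network"
rm -rf "$tmp"
```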