Ethernet Bridges & Switches

A bridge is a LAN interconnection device which operates at the data link layer (layer 2) of the OSI reference model. It may be used to join two LAN segments (A,B), constructing a larger LAN. A bridge is able to filter traffic passing between the two LANs and may enforce a security policy separating different work groups located on each of the LANs. Bridges were first specified in IEEE 802.1D (1990) and later by ISO (in 1993).

The format of PDUs at this layer in an Ethernet LAN is defined by the Ethernet frame format (also known as the MAC, Medium Access Control, frame). The header consists of two 6 byte addresses (destination, then source) and a two byte type / length field: a value of 0x0600 or above identifies the protocol carried in the payload (an EtherType), while a value of 1500 or less gives the payload length (IEEE 802.3). The destination address allows a frame to be sent to a single station (unicast), to a group of stations (multicast) or to all stations (broadcast). The MAC protocol is responsible for access to the medium and for the diagnosis of failure in either the medium or the transceiver which attaches to the medium.
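As an added example (not code from the original page), the following Python splits the 14-byte MAC header just described into its fields and classifies the destination address. The two sample frames are constructed here for the example; the field layout follows IEEE 802.3 (6-byte destination, 6-byte source, 2-byte type/length, with values of 0x0600 and above read as an EtherType and values up to 1500 as a length).

```python
import struct


def mac_str(raw: bytes) -> str:
    """Render a 6-byte address in the usual colon-separated form."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame (preamble and FCS already removed) into its
    header fields and classify the destination address."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte MAC header")
    dst, src, type_len = struct.unpack("!6s6sH", frame[:14])
    hdr = {"dst": mac_str(dst), "src": mac_str(src), "payload": frame[14:]}
    if type_len >= 0x0600:            # Ethernet II: EtherType names the payload protocol
        hdr["ethertype"], hdr["length"] = type_len, None
    elif type_len <= 1500:            # IEEE 802.3: the field carries the payload length
        hdr["ethertype"], hdr["length"] = None, type_len
    else:                             # 1501..1535 is reserved
        raise ValueError(f"reserved type/length value {type_len:#x}")
    # The I/G bit (least-significant bit of the first octet) marks a group
    # address: broadcast when all 48 bits are set, otherwise multicast.
    hdr["is_broadcast"] = dst == b"\xff" * 6
    hdr["is_multicast"] = bool(dst[0] & 0x01) and not hdr["is_broadcast"]
    # A source address must be an individual address; a group source is
    # malformed (or forged) and should never be learned by a bridge.
    hdr["src_is_group"] = bool(src[0] & 0x01)
    return hdr


# Constructed samples (payloads are filler, not real protocol bodies):
# an ARP request (EtherType 0x0806) sent to the broadcast address ...
SAMPLE_ARP = bytes.fromhex("ffffffffffff" "02000000000a" "0806") + b"\x00" * 28
# ... and an 802.3 frame of length 38 to the STP multicast address 01:80:c2:00:00:00.
SAMPLE_8023 = bytes.fromhex("0180c2000000" "02000000000b" "0026") + b"\x00" * 38

if __name__ == "__main__":
    for sample in (SAMPLE_ARP, SAMPLE_8023):
        h = parse_frame(sample)
        kind = "broadcast" if h["is_broadcast"] else "multicast" if h["is_multicast"] else "unicast"
        print(h["src"], "->", h["dst"], "ethertype", h["ethertype"], "length", h["length"], kind)
```

The `src_is_group` flag is worth keeping in any code that feeds a forwarding table: a bridge that learns from a group source address can be made to misdirect traffic by a single crafted frame.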

Operation of a Bridge

The simplest type of bridge, and the one most frequently used, is the Transparent Bridge (so called because the nodes using the bridge are unaware of its presence). The bridge therefore has to forward (receive and subsequently transmit) frames from one LAN (e.g. LAN A below) to another (e.g. LAN B). Obviously, the bridge could forward all frames, but then it would behave rather like a repeater; it is much smarter if the bridge only forwards frames which need to travel from one LAN to another. To do this, the bridge needs to learn which computers are connected to which LANs. More formally, it needs to learn, for each address, whether or not to forward.

A bridge connecting two LAN segments (A and B).

To learn which addresses are in use, and which ports (interfaces on the bridge) they are closest to, the bridge observes the headers of received Ethernet frames. By examining the MAC source address of each received frame, and recording the port on which it was received, the bridge learns which addresses belong to the computers connected via each port. This is called "learning". In the figure above, consider three computers X, Y, Z. Assume each sends frames to the other computers. The source addresses X and Y are observed on network A, while the address of computer Z is observed on network B.

A bridge stores the hardware addresses observed from frames received by each interface and uses this information to learn which frames need to be forwarded by the bridge.

The learned addresses are stored in an interface address table associated with each port (interface). Once this table has been set up, the bridge examines the destination address of every received frame and scans the interface tables to see whether a frame has previously been received from that address (i.e. a frame whose source address matched the current destination address). Three possibilities exist:

  1. If the address is not found, no frames have been received from that station. It may not exist, or it may not yet have sent any frames using this address. (The address may also have been deleted by the bridge because the bridge software was recently restarted, ran short of address entries in the interface table, or deleted the address because it was too old.) Since the bridge does not know which port to use to forward the frame, it sends it to all output ports except the one on which it was received. (It is clearly unnecessary to send it back to the cable segment from which it was received, since any other computer or bridge on that cable must already have received the frame.) This is called flooding.
  2. If the address is found in an interface table and the address is associated with the port on which it was received, the frame is discarded. (It must already have been received by the destination.)
  3. If the address is found in an interface table and the address is not associated with the port on which it was received, the bridge forwards the frame to the port associated with the address.

Frames with a source of X and a destination of Y are received and discarded, since computer Y is directly connected to LAN A, whereas frames from X with a destination of Z are forwarded to network B by the bridge.

Broadcast and Multicast

Bridges forward a broadcast frame out of all connected ports except the one on which the frame was received. The normal action for a multicast frame is to treat it in the same way as a broadcast frame. This is clearly suboptimal, since a bridge may then send multicast frames to parts of the network where there are no interested receivers. Some bridges implement extra processing to control the flooding of multicast frames.

Managing the Interface Tables

A bridge may implement an interface table using a software data structure or a Content Addressable Memory (CAM) chip. In either case, the size of the table is finite, usually constrained to thousands or tens of thousands of entries. In a large LAN this may be a limit. To help keep the table small, most bridges keep a record of how recently each address was used. Addresses which have not been used for a long period of time (e.g. minutes) are deleted. This removes unused entries, but if a frame is later sent to such an address before another frame has been received from it, the frame must be flooded to all ports.

A useful side effect of deleting old addresses is that the bridge interface table records only the addresses of stations that are actually sending. If a NIC stops sending, its address is deleted from the table. If the NIC is subsequently reconnected, the entry is restored, but if the connection is made to another port (the cable is moved) a different (updated) entry is inserted, corresponding to the port now associated with the address. (The bridge always updates the interface table from the source address of each received MAC frame, so even if a computer changes the point at which it is connected before its old table entry has been removed, the bridge still updates the entry.)

Filter Tables

In some managed bridges, a system administrator may override the normal forwarding by inserting entries in a filter table to inhibit forwarding between different work groups (for example to provide security for a particular set of MAC addresses). The filter table contains a list of source or destination addresses. Frames which match entries in the filter table are only forwarded to specific configured ports. This can be used to implement security policies and also to construct Virtual LANs.
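As an added example (not code from the original page), the following Python simulates the behaviour described in the sections above on learning, forwarding, broadcast and multicast, table management and filter tables: learning from source addresses, the three forwarding cases, flooding of broadcast, multicast and unknown-unicast frames, aging of unused entries, tracking of a station that moves port, a finite table that evicts its least recently seen entry when full, and a filter table that confines selected addresses to configured ports. The port names, station addresses, 300-second age limit and table capacity are all assumptions made for the example, and the traffic in the demo functions is constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """True for multicast or broadcast: the I/G bit of the first octet is set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


@dataclass
class Bridge:
    ports: list                 # port (interface) names, e.g. ["A", "B", "C"]
    max_age: float = 300.0      # seconds an unused entry survives (assumed value)
    capacity: int = 1024        # finite table size, software or CAM (assumed value)
    table: dict = field(default_factory=dict)    # mac -> (port, last_seen)
    filters: dict = field(default_factory=dict)  # mac -> set of permitted ports

    def _age_out(self, now: float) -> None:
        """Delete entries not seen as a source address for more than max_age."""
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.max_age]:
            del self.table[mac]

    def _learn(self, src: str, in_port: str, now: float) -> None:
        """Record (or refresh) the port on which src was last seen."""
        if is_group(src):
            return                # a group source address is malformed: never learn it
        if src not in self.table and len(self.table) >= self.capacity:
            # Table full: make room by discarding the least recently seen entry.
            del self.table[min(self.table, key=lambda m: self.table[m][1])]
        self.table[src] = (in_port, now)   # always updated, so a station that moves port is tracked

    def receive(self, src: str, dst: str, in_port: str, now: float = 0.0) -> list:
        """Process one frame; return the ports it is transmitted on ([] = discarded)."""
        self._age_out(now)
        self._learn(src, in_port, now)
        others = [p for p in self.ports if p != in_port]
        if dst == BROADCAST or is_group(dst) or dst not in self.table:
            out = others                   # case 1, broadcast and multicast: flood
        else:
            port, _ = self.table[dst]
            out = [] if port == in_port else [port]   # case 2: discard; case 3: forward
        for mac in (src, dst):             # filter table overrides normal forwarding
            if mac in self.filters:
                out = [p for p in out if p in self.filters[mac]]
        return out


X, Y, Z = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


def demo() -> list:
    """Constructed traffic: X and Y sit on port A, Z on port B; X later moves to C."""
    br = Bridge(ports=["A", "B", "C"])
    return [
        br.receive(X, Z, "A", now=0),          # Z unknown: flooded to B and C
        br.receive(Z, X, "B", now=1),          # X learned on A: forwarded to A only
        br.receive(X, Y, "A", now=2),          # Y unknown: flooded
        br.receive(Y, X, "A", now=3),          # X is on the receiving port: discarded
        br.receive(X, BROADCAST, "A", now=5),  # broadcast: flooded
        br.receive(Z, X, "B", now=400),        # every entry has aged out: X flooded again
        br.receive(X, Z, "C", now=401),        # X now seen on C; Z still known on B
        br.receive(Z, X, "B", now=402),        # table followed the move: forwarded to C
    ]


def filter_demo() -> list:
    """Y is confined to port A by the administrator; X is not."""
    br = Bridge(ports=["A", "B", "C"])
    br.filters[Y] = {"A"}
    br.receive(Z, Y, "B", now=0)               # Z learned on B
    return [br.receive(Y, Z, "A", now=1),      # would be forwarded to B, but the filter drops it
            br.receive(X, Z, "A", now=2)]      # unfiltered station: forwarded to B


def overflow_demo() -> list:
    """With room for two entries, a third source evicts X and traffic to X is flooded."""
    br = Bridge(ports=["A", "B", "C"], capacity=2)
    br.receive(X, BROADCAST, "A", now=0)
    br.receive(Z, BROADCAST, "B", now=1)
    br.receive("02:00:00:00:00:04", BROADCAST, "C", now=2)   # evicts X, the oldest entry
    return br.receive(Z, X, "B", now=3)        # X unknown again: flooded to A and C


if __name__ == "__main__":
    print(demo(), filter_demo(), overflow_demo())
```

`overflow_demo` shows why the finite table matters beyond performance: once the table runs short of entries the bridge falls back to flooding, so frames for the evicted station reach every port just as they would through a hub.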

Multiple Port Bridges (Switches)

A bridge with more than two interfaces (ports) is also known as a switch. There are important differences between switches and hubs, in particular in the way in which they forward frames.

A Hub sending a packet from F to C.

A hub (or repeater) forwards a received frame out of all the interfaces (ports), resulting in the frame reaching all connected equipment, even though the frame may be only destined for a system connected to one particular interface (C, in the above diagram).

A switch, on the other hand, forwards the frame only to the required interface. The switch learns the association between the systems' MAC addresses and the interface ports in the same way as a bridge (see above). By sending the frame only where it needs to go, the switch reduces the number of frames on the other LAN segments (and hence the load on these segments), increasing the overall performance of the connected LANs. The switch also improves security, since known unicast frames only travel where they are intended (and can not, in this case, be observed by an unauthorised computer attached to segment A). This protection is limited, however: broadcast, multicast and unknown-unicast frames are still flooded to every port (as is any frame whose destination entry has aged out or been dropped when the table ran short of entries), and the table itself is populated from the unauthenticated source address of whatever frames arrive, so a switch should not be relied upon as a security boundary.

A Switch sending a packet from F to C

Switches (like bridges) normally forward all multicast and broadcast packets to all receivers (some switches have extra processing to help improve performance of multicast forwarding). More details about this, and the operation of switches may be found in a related page (see below).

A Switch sending a frame from F to a multicast / broadcast address


Bridges receive Ethernet frames using ports set in promiscuous mode, and hence see all frames that are sent over each LAN. They learn from the MAC source address of each received frame, and decide whether to forward a received frame based on its MAC destination address. This results in reduced traffic on other ports, since traffic is only forwarded when it has to be.

Connecting Bridges and Switches Together

There is a special rule controlling the interconnection of bridges and switches (as there is for Ethernet Hubs). The rule says simply that a bridge / switch / hub LAN must form a tree, and not a ring. That is, there must be only one path between any two computers. If more than one parallel path were to exist, a loop would be formed, resulting in endless circulation of frames around the loop (an Ethernet frame carries no hop count or time-to-live, so nothing in the frame itself stops it being forwarded again and again). This would soon result in overload of the network. To prevent this happening, the IEEE (in IEEE 802.1D) has defined the Spanning Tree Algorithm (STA) which automatically detects loops and disables one of the parallel paths. The Spanning Tree Algorithm may also be used to build fault-tolerant networks, since if the chosen path becomes invalid (e.g. due to a cable / bridge / switch fault), and an alternate path exists, the alternate path is enabled automatically.
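As an added example (not code from the original page), the following Python computes the loop-free topology that the Spanning Tree Algorithm converges to for a small bridged LAN, and then recomputes it after a cable fault to show the alternate path being enabled. It applies the 802.1D rules that the bridge with the lowest identifier becomes the root, each other bridge's root port is the one giving the lowest path cost to the root, each LAN is served by the attached bridge with the lowest root path cost (ties broken by lowest identifier), and every other port is blocked. The topology, the string bridge identifiers and the port costs are constructed for the example; the tie-breaking is simplified (port identifiers are not modelled) and the protocol messages (BPDUs) that real bridges exchange to reach this result are not simulated.

```python
INF = (float("inf"), "")   # (path cost, bridge id); "" sorts below every real id


def spanning_tree(bridges: dict):
    """bridges maps bridge id (str) -> {lan name: port cost}.
    Returns (root, roles, cost): roles[bridge][lan] is 'root', 'designated'
    or 'blocked', and cost[bridge] is its root path cost."""
    root = min(bridges)                      # lowest identifier wins the root election
    lans = {}
    for b, ports in bridges.items():
        for lan in ports:
            lans.setdefault(lan, []).append(b)
    # bkey[b]   = (root path cost, id of the designated bridge on b's root port)
    # lkey[lan] = (root path cost of the LAN's designated bridge, that bridge's id)
    bkey = {b: INF for b in bridges}
    bkey[root] = (0, root)
    lkey = {lan: INF for lan in lans}
    root_port, designated = {}, {}
    changed = True
    while changed:                           # relax until no bridge or LAN can improve
        changed = False
        for lan, attached in lans.items():   # designated bridge: lowest (cost, id) on the LAN
            best = min((bkey[b][0], b) for b in attached)
            if best < lkey[lan]:
                lkey[lan], designated[lan], changed = best, best[1], True
        for b, ports in bridges.items():     # root port: lowest cost to the root via any LAN
            if b == root:
                continue
            for lan, cost in sorted(ports.items()):
                cand = (lkey[lan][0] + cost, lkey[lan][1])
                if cand < bkey[b]:
                    bkey[b], root_port[b], changed = cand, lan, True
    roles = {}
    for b, ports in bridges.items():
        roles[b] = {}
        for lan in ports:
            if b != root and root_port.get(b) == lan:
                roles[b][lan] = "root"
            elif designated.get(lan) == b:
                roles[b][lan] = "designated"
            else:
                roles[b][lan] = "blocked"    # neither root nor designated: disabled to break the loop
    return root, roles, {b: bkey[b][0] for b in bridges}


# Constructed topology: three bridges and three LANs forming one loop
# (B1-LAN1-B2-LAN3-B3-LAN2-B1), all port costs equal.
TOPOLOGY = {
    "B1": {"LAN1": 10, "LAN2": 10},
    "B2": {"LAN1": 10, "LAN3": 10},
    "B3": {"LAN2": 10, "LAN3": 10},
}


def after_fault(topology: dict, bridge: str, lan: str) -> dict:
    """Return a copy of the topology with one bridge-to-LAN cable removed."""
    faulty = {b: dict(ports) for b, ports in topology.items()}
    del faulty[bridge][lan]
    return faulty


if __name__ == "__main__":
    for label, topo in (("intact", TOPOLOGY), ("B1-LAN2 cable fault", after_fault(TOPOLOGY, "B1", "LAN2"))):
        root, roles, cost = spanning_tree(topo)
        print(label, "root:", root, "cost:", cost)
        for b in sorted(roles):
            print("  ", b, roles[b])
```

With the topology intact, B3's port on LAN3 is blocked (B2 and B3 reach the root at equal cost, and B2 has the lower identifier), which removes the only loop. After the cable between B1 and LAN2 fails, B3 can only reach the root through LAN3, so that port becomes its root port and B3 takes over as designated bridge for LAN2: the alternate path the text describes is enabled, at a higher path cost.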

See also:

More about Ethernet Switching (optional for EG3567)

Ethernet Hubs

Managed Switches (VLANs and Priority)


There is also a page showing examples of various types of networking equipment, including Bridges and Switches for Ethernet.

Gorry Fairhurst - Date: 18/03/2012 EG3557