A bridge is a LAN interconnection device which operates at the data link layer (layer 2) of the OSI reference model. It may be used to join two LAN segments (A,B), constructing a larger LAN. A bridge is able to filter traffic passing between the two LANs and may enforce a security policy separating different work groups located on each of the LANs. Bridges were first specified in IEEE 802.1D (1990) and later by ISO (in 1993).
The format of PDUs at this layer in an Ethernet LAN is defined by the Ethernet frame format (also known as MAC - Medium Access Control). It consists of two 6 byte addresses and a one byte protocol ID / length field. The address field allows a frame to be sent to single and groups of stations. The MAC protocol is responsible for access to the medium and for the diagnosis of failure in either the medium or the transceiver which attaches to the medium.
The simplest type of bridge, and that most frequently used is the Transparent Bridge (meaning that the nodes using a bridge are unaware of its presence). The bridge therefore has to forward (receive and subsequently transmit) frames from one LAN (e.g. LAN A below) to another (e.g. LAN B). Obviously, the bridge could forward all frames, but then it would behave rather like a repeater; it would be much smarter if the bridge only forwarded frames which need to travel from one LAN to another. To do this, the bridge need to learn which computers are connected to which LANs. More formally, it need to learn whether to forward to each address.
To learn which addresses are in use, and which ports (interfaces on the bridge) theory are closest to, the bridge observes the headers of received Ethernet frames. By examining the MAC source address of each received frame, and recording the port on which it was received, the bridge may learn which addresses belong to the computers connected via each port. This is called "learning". In the figure above, consider three computers X,Y,Z. Assume each sends frames to the other computers. The source addresses X,Y are observed to be on network A, while the address of computer Z will be observed to be on network B.
The learned addresses are stored in the an interface address table associated with each port (interface). Once this table has been setup, the bridge examines the destination address of all received frames, it then scans the interface tables to see if a frame has been received from the same address (i.e. a packet with a source address matching the current destination address). Three possibilities exist:
Packets with a source of X and destination of Y are received and discarded, since the computer Y is directly connected to the LAN A, whereas packets from X with a destination of Z are forwarded to network B by the bridge.
Bridges forward a broadcast frame out of all connected ports except that on which the frame was received. The normal action for multicast frame is to treat them as broadcast frame. This is clearly suboptimal, since a bridge may send multicast frames to parts of the network for which there are no interested receivers. Some bridges implement extra processing to control the flooding of multicast frames.
A bridge may implement an interface table using a software data structure or use a Contents Addressable Memory (CAM) chip. In either case, the size of the table is finite, and usually constrained to 1000's - 10 000's of entries. In a large LAN this may be a limit. To help keep the table small, most bridges maintain a check of how recently each address was used. Addresses which have not been used for a long period of time (e.g. minutes) are deleted. This has the effect of removing unused entries, but if the address is again used, before a frame is received from the same source, it will require the frame to be flooded to all ports.
A useful side effect of deleting old addresses is that the bridge interface table records only working MAC addresses. If a NIC stops sending, its address will be deleted from the table. If the NIC is subsequently reconnected, the entry will be restored, but if the connection is made to another port (the cable is changed) a different (updated) entry will be inserted corresponding to the actual port associated with the address. (The bridge always updates the interface table for each source address in a received MAC frame, therefore even if a computer changes the point at which it is connected without first having the interface table entry removed, the bridge will still update the table entry).
In some managed bridges, a system administrator may override the normal forwarding by inserting entries in a filter table to inhibit forwarding between different work groups (for example to provide security for a particular set of MAC addresses). The filter table contains a list of source or destination addresses. Frames which match entries in the filter table will only be forwarded to specific configured ports. This can be used to implement security polcies and also to constrcut Virtual LANs.
A bridge with more than two interfaces (ports) is also known as a switch. There are important differences between switches and hubs. In particular, the way in which they forward frames.
A hub (or repeater) forwards a received frame out of all the interfaces (ports), resulting in the frame reaching all connected equipment, even though the frame may be only destined for a system connected to one particular interface (C, in the above diagram).
A switch, on the other hand, forwards the frame to only the required interface. The switch learns the association between the systems MAC addresses and the interface ports in the same way as a bridge (see above). By sending the packet only where it need to go, the switch reduces the number of packets on the other LAN segments (and hence the load on these segments), increasing the overall performance of the connected LANs. The switch also improves security, since frames only travel where they are intended (and can not in this case, for instance, be observed by an unauthorised computer attached to segment A).
Switches (like bridges) normally forward all multicast and broadcast packets to all receivers (some switches have extra processing to help improve performance of multicast forwarding). More details about this, and the operation of switches may be found in a related page (see below).
Bridges receive Ethernet frames using a port set in promiscuous mode, and hence see all frames that are sent over the LAN. the decide whether to forward the frames that they receive based on the Ethernet MAC destination address of a received frame. This results in reduced traffic on other ports, since traffic is only forwarded when it has to be.
There is a special rule controlling the inetrconnection of bidges and switches (as there is for Ethernet Hubs). The rule says simply, that a bridge / switch /hub LAN must form a tree, and not a ring. That is, there must be only one path between any two computers. If more than one parallel path were to exist, a loop would be formed, resulting in endless circulation of frames over the loop. This would soon result in overload of the network. To prevent this happening, the IEEE (in IEEE 802.1D) has defined the Spanning Tree Algorithm (STA) which automaticallt detects loops and disables one of the parallel paths. The Spanning Tree Algorithm may also be used to build fault-tolerent networks, since if the chosen path becomes invalid (e.g. due to a cable / bridge / switch fault), and an alternate path exists, the alternate path is enabled automatically.
More about Ethernet Switching (optional for EG3567)
Managed Switches (VLANs and Priority)
There is also a page showing examples of various types of networking equipment, include Bridges and Switches for Ethernet.