A network bridge works at the link layer (L2) of the OSI networking model. When the bridge receives a network frame, it checks the frame's MAC address and, if the MAC does not belong to the same subnet, passes (forwards) this frame to the network segment for which it was destined; if the frame belongs to the same subnet, the bridge does nothing.
An interface bridge can be used in UserGate like a regular network interface. Moreover, you can use a bridge to configure in-transit content filtering at L2 without introducing any changes to the corporate IT infrastructure. The simplest schema for using UserGate as an L2 content filtering solution looks like this:
Figure 4 - Using a bridge
When creating a bridge, you can specify the operating mode for it as Layer 2 or Layer 3.
Note
Simultaneous use of L2 and L3 bridges on UserGate devices is not possible, what is an architecture limitation.
If Layer 2 is selected, the bridge does not need to be assigned an IP address, routes, or gateways for it to work correctly. In this mode, the bridge works at the MAC address level by forwarding packets from one network segment to another. Mail security rules cannot be used in this scenario, but content filtering works.
Note
The functionality of DNS filtering and the L2 bridge are incompatible in the current version. When DNS filtering is enabled, DNS requests through the bridge stop passing.
If Layer 3 is selected, you need to assign the bridge an IP address and specify routes in networks connected to the bridge's interfaces. In this mode, all filtering mechanisms available in UserGate can be used.
If the bridge is created in a UserGate HSC equipped with a network card that supports the bypass mode, you can combine two interfaces into a bypass bridge. A bypass bridge automatically switches the two selected interfaces to the bypass mode (bridging them so that all traffic bypasses UserGate) if:
-
The UserGate HSC is powered off.
-
The self-diagnostics system has encountered a runtime problem in UserGate software.
For more details on the network interfaces that support the bypass mode, see the UserGate HSC hardware specifications.
Using the Add bridge button, the administrator can combine several physical interfaces into a new type of interface, a bridge. Provide the following settings:
|
Name |
Description |
|---|---|
|
Enabled |
Enables the interface bridge. |
|
Name |
The interface name. |
|
Node name |
The UserGate cluster node on which the interface bridge is being created. |
|
Type |
Specify the interface type as Layer 3 or Layer 2. |
|
Zone |
The zone to which the interface bridge belongs. |
|
Netflow profile |
The Netflow profile to send statistical data to the Netflow collector. You can read about Netflow profiles in chapter Netflow Profiles. |
|
Bridge interfaces |
The two interfaces that will be used to build the bridge. |
|
Bypass bridge interfaces |
The interface pair that will be used to build a bypass bridge. UserGate HSC support is required. |
|
STP (Spanning Tree Protocol) |
Enables the use of STP to prevent network loops. |
|
Forward delay |
The delay before the bridge switches to the active (forwarding) mode if STP is enabled. |
|
Maximum age |
The time after which an STP connection is considered lost. |
|
Networking |
The IP address assignment method: no address, a static IP address, or a dynamic IP address obtained using DHCP. |
|
DHCP relay |
This is used to configure DHCP relay for the bridge interface. Enable DHCP relay, enter the IP address of the interface on which the relay function is added in the UserGate address field, and specify one or more DHCP servers where client DHCP requests are to be forwarded. |