Master Linux Network Bridges: From Concepts to Full Configuration

This guide explains the concept of Linux network bridges, how they operate at the data‑link layer, and provides step‑by‑step instructions for creating, configuring, and managing bridges using brctl, nmcli, and ip commands across various distributions, including details on STP activation and IP address setup.

Open Source Linux

Concept of Bridge

In everyday life, a bridge is a structure connecting two places, allowing pedestrians, vehicles, etc., to safely cross obstacles such as rivers or highways.

In computer networking, a bridge is a physical or logical device operating at the data link layer, used to connect two or more LAN segments. It forwards or filters frames based on MAC addresses, effectively dividing broadcast domains.

In Linux, a bridge is a logical device that links two or more network interfaces (e.g., eth0, eth1) so they work as a single interface. Virtualization technologies use bridge devices to connect the host and virtual machines or different VMs.

How a Bridge Works

1. Role of Network Interfaces

In Linux, udev manages device nodes dynamically. When hardware is added or removed, udev creates or removes device nodes according to rules in /lib/udev/rules.d/.

Network interface names (e.g., eth0, ens33) are assigned by udev rules; they are logical identifiers used in user space to reference specific network devices. The name itself does not directly point to physical hardware but is linked to kernel network device structures.

User‑space tools (ifconfig, nmcli, etc.) use these interface names to interact with the kernel network stack, providing a clear reference for configuring or querying a particular device.

Virtual network cards (vnetX) are logical interfaces represented in the Linux kernel without corresponding physical hardware.

2. Bridge Member Interfaces

When a bridge device is created, it is a logical device without physical hardware, similar to a virtual NIC. Bridging a physical NIC and a virtual NIC makes both members of the bridge; at this point eth0 and vnetX communicate through the bridge br0, not directly with the kernel. They share the same network segment and are logically connected to the same data‑link layer subnet.

In simple terms, after bridging, the physical NIC becomes a cable linking external hardware.

Note: Bridging two interfaces requires a bridge device; you cannot bridge two interfaces directly without creating a bridge.

Bridge Explanation

Data flow after bridging: When a physical NIC (e.g., eth0) is added to a bridge (e.g., br0), it no longer communicates directly with the network stack. All data‑link layer traffic is managed and forwarded by the bridge interface, acting like a virtual switch.

IP address assignment: After bridge configuration, the bridge interface (br0) becomes the primary interface for the network stack and should be assigned an IP address. Member interfaces (e.g., vnetX) typically do not need IP addresses because they communicate through the bridge.

Role of the physical NIC: In a bridge, the physical NIC acts as a transmission medium (“cable”) connecting the host to external networks, ensuring the bridge and its members can communicate at the data‑link layer.

Linux Bridge Management

Managing Bridges with Tools

1. Using brctl

brctl is provided by the bridge‑utils package. Modern systems prefer the ip command from iproute2, but brctl is still usable.

Bridges created with brctl are temporary by default and disappear after a reboot.

Create a bridge:

# br0 is the bridge interface name

$ sudo brctl addbr br0

Add member interfaces:

# ens33 and ens37 are physical NICs; addif takes the bridge name first
$ sudo brctl addif br0 ens33
$ sudo brctl addif br0 ens37

Bring the bridge up (default state is down):

ifconfig br_name up
# or
ip link set br_name up

Delete a bridge:

brctl delbr br_name

Remove a slave interface:

brctl delif br_name device_name

Enable STP:

brctl stp br_name on

2. Configuring Bridges with NetworkManager (nmcli)

Most modern Linux distributions use NetworkManager. nmcli writes configurations to /etc/NetworkManager/system-connections/ so they persist across reboots.

Create a bridge:

nmcli con add type bridge con-name br0 ifname br0

Add a member interface:

# con-name is the connection name for the slave
nmcli con add type bridge-slave con-name br0-eth1 ifname eth1 master br0
# Delete a member
nmcli con delete <connection-name>

Bring the bridge up or down:

nmcli con up br0
nmcli con down br0

Delete the bridge:

nmcli con delete br0

Show bridge configuration:

nmcli con show | grep bridge

Enable STP via nmcli:

nmcli con modify br_name bridge.stp yes

3. Managing Bridges with ip command

The ip command from iproute2 can also manage bridges, but changes are temporary unless persisted via scripts or configuration files.

Create a bridge:

ip link add name br0 type bridge

Add a member interface:

ip link set dev eth1 master br0

Bring the bridge up or down:

# up
ip link set dev br0 up
# down
ip link set dev br0 down

Delete a bridge:

ip link delete dev br0 type bridge

Remove a member interface:

ip link set dev eth1 nomaster

Show bridge configuration:

ip link show type bridge

Enable STP via ip:

sudo ip link set br_name type bridge stp_state 1

Bridge IP Address Configuration

When member interfaces lose their IP addresses after being added to a bridge, assign an IP address to the bridge interface itself so it can participate in network communication.

Example:

# Interface configuration
ip addr add 192.168.1.10/24 dev br0

# Route configuration
ip route add default via 192.168.1.1 dev br0
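
The ip steps above, combined into one reviewable plan. This is an added example, not part of the original article: it reads the NIC's current address and default route from ip output and prints the commands that move them to the bridge. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): plan the move of a NIC's
# IPv4 address and default route onto a bridge. Commands are printed, not run.

# Constructed sample of `ip -o -4 addr show dev eth1` output.
SAMPLE_ADDR='3: eth1    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth1\       valid_lft forever preferred_lft forever'
# Constructed sample of `ip -4 route show default` output.
SAMPLE_ROUTE='default via 192.168.1.1 dev eth1 proto static metric 100'

# valid_ifname NAME: accept only plain names within the kernel's 15-character limit.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# plan_bridge_move NIC BRIDGE ADDR_OUTPUT ROUTE_OUTPUT (hypothetical helper)
plan_bridge_move() {
    nic=$1 br=$2
    if ! valid_ifname "$nic" || ! valid_ifname "$br"; then
        echo "invalid interface name" >&2; return 2
    fi
    # First IPv4 address (CIDR form) configured on the NIC.
    cidr=$(printf '%s\n' "$3" | awk -v d="$nic" '$2 == d && $3 == "inet" { print $4; exit }')
    # Gateway of the default route that leaves through the NIC, if any.
    gw=$(printf '%s\n' "$4" | awk -v d="$nic" '$1 == "default" {
        g = ""; dev = ""
        for (i = 2; i < NF; i++) { if ($i == "via") g = $(i+1); if ($i == "dev") dev = $(i+1) }
        if (dev == d) { print g; exit } }')
    [ -n "$cidr" ] || { echo "no IPv4 address on $nic" >&2; return 1; }
    echo "ip link add name $br type bridge"
    echo "ip link set dev $br type bridge stp_state 1"
    echo "ip link set dev $br up"
    echo "ip link set dev $nic master $br"
    echo "ip addr del $cidr dev $nic"
    echo "ip addr add $cidr dev $br"
    if [ -n "$gw" ]; then echo "ip route add default via $gw dev $br"; fi
}
```

Review the printed plan, then apply it as a single script or from a local console: connectivity through the NIC may be interrupted between the master step and the address being added to the bridge.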

Managing Bridges via Configuration Files

1. CentOS 7

Ensure the bridge module is loaded and set to load persistently.

lsmod | grep bridge
# load module
modprobe bridge
# make persistent (on CentOS 7, list "bridge" in a .conf file under /etc/modules-load.d/)

Create bridge configuration file /etc/sysconfig/network-scripts/ifcfg-br0:

DEVICE=br0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.0.20
NETMASK=255.255.255.0
GATEWAY=10.0.0.2
DNS1=180.76.76.76
DNS2=223.6.6.6
STP=on

Modify physical NIC configuration files to attach them to the bridge, e.g., /etc/sysconfig/network-scripts/ifcfg-eth0:

TYPE="Ethernet"
NAME="eth0"
DEVICE="eth0"
ONBOOT="yes"
BRIDGE=br0

Restart NetworkManager:

systemctl restart NetworkManager

2. Ubuntu 16.04

Load the bridge module and install bridge‑utils.

sudo modprobe bridge
sudo apt install bridge-utils

Edit /etc/network/interfaces:

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 192.168.14.108
    netmask 255.255.248.0
    gateway 192.168.12.1
    dns-nameserver 180.76.76.76
    bridge_ports ens33 ens37
    bridge_stp on

auto ens33
iface ens33 inet manual
    up ip link set $IFACE up
    down ip link set $IFACE down

auto ens37
iface ens37 inet manual
    up ip link set $IFACE up
    down ip link set $IFACE down

Restart networking:

sudo systemctl restart networking

3. Ubuntu 20.04 (netplan)

Load the bridge module persistently.

lsmod | grep bridge
sudo modprobe bridge
# add "bridge" to /etc/modules

Create a netplan configuration:

network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      dhcp4: no
    ens34:
      dhcp4: no
  bridges:
    br0:
      interfaces: [ens33, ens34]
      dhcp4: yes
      parameters:
        stp: true
        forward-delay: 4

Apply the configuration:

sudo netplan apply

Verify:

bridge link show br0

STP Function Introduction

STP (Spanning Tree Protocol) prevents layer‑2 loops in switches. Since a bridge behaves like a switch, enabling STP on bridge ports is necessary to avoid broadcast storms when multiple physical NICs connect to the same switch.

When STP is enabled, each port goes through several states: Blocking, Listening (listening for BPDUs), Learning (learning MAC addresses), and finally Forwarding. The Listening and Learning states each last 15 seconds by default.
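
To confirm that STP is actually on and see which state each member port is in, the kernel exposes both under sysfs. The following is an added example, not part of the original article; the function names are hypothetical, and the optional second argument lets the report run against a copy of the sysfs tree instead of the live /sys.

```shell
#!/bin/sh
# Added example (not from the original article): report a bridge's STP status
# from sysfs. The sysfs root defaults to /sys.

# stp_port_state N: map the kernel's numeric port state to the STP state names.
stp_port_state() {
    case "$1" in
        0) echo disabled ;;
        1) echo listening ;;
        2) echo learning ;;
        3) echo forwarding ;;
        4) echo blocking ;;
        *) echo "unknown($1)" ;;
    esac
}

# bridge_stp_report BRIDGE [SYSFS_ROOT]
# Prints one summary line, then one line per member port.
# Returns 0 if STP is on, 1 if it is off, 2 if BRIDGE is not a bridge.
bridge_stp_report() {
    br=$1 root=${2:-/sys}
    dir="$root/class/net/$br"
    [ -r "$dir/bridge/stp_state" ] || { echo "$br: not a bridge" >&2; return 2; }
    stp=$(cat "$dir/bridge/stp_state")
    # forward_delay is exposed in 1/100 s units: 1500 means 15 s.
    fd=$(cat "$dir/bridge/forward_delay")
    echo "$br stp=$stp forward_delay=$((fd / 100))s"
    for p in "$dir"/brif/*; do
        [ -r "$p/state" ] || continue
        echo "  ${p##*/} $(stp_port_state "$(cat "$p/state")")"
    done
    [ "$stp" -ne 0 ]
}
```

Call it as bridge_stp_report br0; a port that stays in blocking while another member is forwarding is the expected result when both NICs connect to the same switch.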
