Bridge
====================

You can find the Bridge Settings at **Interfaces → Assign → Bridge**.

.. image:: img/Interfaces-Bridges.png
   :width: 100%
   :align: center
   :alt: Interface Configuration

Bridges are VLAN aware, meaning that you can define VLANs on them and assign them to ports either as tagged or, for one of them, as untagged. A VLAN aware Bridge works like a switch.

A Bridge can only be configured on top of:

* Physical Interfaces
* Bond
* OpenVPN Interface

You can pick and change the interfaces in a Bridge using the Edit or Add option of the Bridge.

Create New Bridge
*********************

In order to create a Bridge between two or more Interfaces, the corresponding Interfaces need to be enabled in their settings page (see :ref:`Configure Interfaces`).

.. seealso::

   To create a Bridge between an Interface and a GRETAP Tunnel Interface, the Tunnel Interface needs to be configured and activated first. See :ref:`Tunnel` and :ref:`Bridging Scenarios` for reference.

Go to **Interfaces → Assign → Bridge** and click **Add** to create a new Bridge and define which Interfaces should be bridged together.

.. image:: img/GRETAP-Bridge-Creation.png
   :width: 100%
   :align: center
   :alt: GRETAP Bridge Creation

Bridge VLAN
*************

The bridge must have a default (non tagged) VLAN defined. The bridge will not be active and enabled unless you assign the Bridge to an interface and enable it.

You can then define additional VLANs, either as single VLANs or as a range (e.g. 100-200). Only defined VLANs will be forwarded on the Bridge.

In order to use IP Addresses or firewall rules on the Bridge, you have to create a VLAN on the bridge under :ref:`VLAN` and assign it to an Interface. You cannot filter traffic on the bridge itself but only on VLAN interfaces on the bridge. The bridge automatically passes all other traffic through the firewall.

STP/RSTP
**********

.. image:: img/Interfaces-Bridges2.png
   :width: 100%
   :align: center
   :alt: Interface Configuration

VT AIR supports RSTP which works with STP and MSTP. You can enable RSTP and also set the STP Treepriority.

**Assign to new Interface** is an option shown when you create a new VLAN and it will automatically assign the Interfaces as described in :ref:`Assign Interfaces`.

Bridge Port Settings
*********************

After you have saved the Bridge, you can also configure settings for each individual bridge port.

**MTU** can be set on a per port basis.

**Speed and Duplex** can be set on a per port basis.

**Enable Untagged VLAN** if you want an untagged VLAN on the port. You can also have only tagged VLANs by disabling this option.

**Untagged Port VLAN** sets the untagged VLAN.

**Bridgevlans** can be enabled individually when they are defined on the Bridge. Be aware that you cannot enable a subset of the defined VLANs. You would need to define each VLAN or VLAN range that you want to enable individually and enable them on the corresponding ports.

Bridge Port Settings STP/RSTP
*******************************

Bridge Ports have different options and settings for STP.

**STP Port BPDU Filter** Filters out the STP BPDU packets on this port and basically removes any STP information that comes into the port.

**STP Port BPDU Guard** BPDU guard prevents loops by moving a nontrunking port into an errdisable state.

**STP Port Path Costs** The path costs are an important part of STP and give the fastest direction to the root bridge. A lower cost is better. 0 means the speed of the interface is used to automatically set the cost. Be aware that interfaces that have no speed get a high cost. This includes tunnels and VPN ports.

**STP Restricted Root Port** If enabled, the port cannot take the root role.

The automatic STP Port Path Costs are set in the following way:

+-------------------------------+--------------------------------+
| Link Speed                    | Costs                          |
+===============================+================================+
| 10 Mb/s                       | 2000000                        |
+-------------------------------+--------------------------------+
| 100 Mb/s                      | 200000                         |
+-------------------------------+--------------------------------+
| 1 Gb/s                        | 20000                          |
+-------------------------------+--------------------------------+
| 10 Gb/s                       | 2000                           |
+-------------------------------+--------------------------------+
| 100 Gb/s                      | 200                            |
+-------------------------------+--------------------------------+

Bridging Scenarios
****************************

**Bridging multiple sites together**

In order to create a single network out of multiple physical networks, Tunnels and Bridging can be used.

First create a GRETAP Tunnel Interface as described in :ref:`Tunnel`.

Create a new Bridge (as described above) that bridges the local Interface to the GRETAP Tunnel Interface.

.. image:: img/Bridge-Overview.png
   :width: 100%
   :align: center
   :alt: Bridge example

.. note::

   Pay special attention that none of the selected Interfaces has a local IP address assigned to it! For physical Interfaces set the **IPvX Type** to None. For the GRETAP Tunnel Interface leave the **Local Tunnel IP Address** empty.

Next, create a VLAN under **Interfaces → Assign → VLANs** as described in :ref:`VLAN` on the Bridge's Interface (e.g. br0), and assign an ID.

.. image:: img/VLAN-Bridge.png
   :width: 100%
   :align: center
   :alt: Bridge VLAN

Enter the VLAN's ID in the VLAN settings of the Bridge under **Interfaces → Assign → Bridge**.

.. image:: img/Bridge-VLAN-Settings.png
   :width: 100%
   :align: center
   :alt: Bridge VLAN Settings

Go to **Interfaces → Assign** and change your LAN Interface's settings to the VLAN on the Bridge's Interface (e.g. br0.1 for Bridge br0 and VLAN 1). Alternatively you can create a new Interface. Configure your LAN/Interface with your desired **IPvX Type** and activate the Interface.

.. image:: img/Bridge-Interface-Assignment.png
   :width: 100%
   :align: center
   :alt: Bridge Interface Assignment

In order for traffic to move through the Tunnel, you need to create a set of Firewall rules.

If your GRETAP Tunnel Interface was configured with the WAN address as the Tunnel endpoint, go to **Firewall → Rules → WAN** and click **Add**. Select GRE as the **Protocol**, enter the **Remote Public IP address** of your GRETAP Tunnel as the **Source IP** and select WAN address as the destination.

.. image:: img/Firewall-Rules-Creation.png
   :width: 100%
   :align: center
   :alt: Firewall Rules Creation

Save the new Firewall Rule.

You may wish to encrypt your site-to-site traffic with an IPsec VPN on top of your GRETAP tunnel. See :ref:`GRE over IPsec` for further details.

.. image:: img/Firewall-Rules-Overview.png
   :width: 100%
   :align: center
   :alt: Firewall Rules Overview
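
The VLAN rules from the Bridge VLAN and Bridge Port Settings sections (only defined VLANs are forwarded, and a port cannot enable a subset of a defined range) can be checked against a VLAN plan before it is entered in the GUI. The following is an added example, not VT AIR code; the names ``parse_entry`` and ``check_port`` and the sample plan are assumptions made for illustration.

```python
# Added example: plan-checking helper, not part of VT AIR.
VLAN_MIN, VLAN_MAX = 1, 4094  # valid 802.1Q VLAN IDs


def parse_entry(text):
    """Parse '300' or '100-200' into an inclusive (low, high) tuple."""
    low, _, high = text.strip().partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
        raise ValueError(f"invalid VLAN entry: {text!r}")
    return lo, hi


def check_port(bridge_entries, port_entries):
    """Return {port_entry: verdict} for each VLAN entry wanted on a port."""
    defined = [parse_entry(e) for e in bridge_entries]
    verdicts = {}
    for wanted in port_entries:
        lo, hi = parse_entry(wanted)
        if (lo, hi) in defined:
            verdicts[wanted] = "ok"
            continue
        # Definitions that share at least one VLAN ID with the request.
        overlaps = [d for d in defined if d[0] <= hi and lo <= d[1]]
        if not overlaps:
            verdicts[wanted] = "undefined: not forwarded on the bridge"
        elif any(d[0] <= lo and hi <= d[1] for d in overlaps):
            verdicts[wanted] = "subset of a defined range: define it as its own entry"
        else:
            verdicts[wanted] = "partial overlap: matches no single defined entry"
    return verdicts


# Constructed sample plan: bridge definitions and one port's wish list.
BRIDGE = ["1", "100-200", "300"]
PORT = ["100-200", "150", "300", "400", "190-300"]

if __name__ == "__main__":
    for entry, verdict in check_port(BRIDGE, PORT).items():
        print(f"{entry:>8}  {verdict}")
```
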