Bridging and Routing: is there a difference?

In his comment to one of my TRILL posts, Petr Lapukhov has asked the fundamental question: “how is bridging different from routing?”. It’s impossible to give a concise answer (let alone something as succinct as 42) as the various kludges and workarounds (including bridges and their IBM variants) have totally muddied the waters. However, let’s be pragmatic and compare Ethernet bridging with IP (or CLNS) routing. Throughout this article, bridging refers to transparent bridging as defined by the IEEE 802.1 series of standards.

Design scope. IP was designed to support global packet switching network infrastructure. Ethernet bridging was designed to emulate a single shared cable. Various design decisions made in IP or Ethernet bridging were always skewed by these perspectives: scalability versus transparency.

Forwarding. IP routers forward IP datagrams according to their IP routing tables and never make multiple copies of the same datagram. They drop datagrams sent to unknown destinations and tell the sending hosts they did so. Bridges have to emulate a shared cable and thus forward frames sent to unknown destinations to all active ports but the one on which the frame was received (flooding). In short, routing is “forwarding based on presumption of knowledge”, bridging is “forwarding by guessing”.

Loop detection. IP (and most other layer-3 protocols) has a hop count in its header. Ethernet header does not have a hop count (neither do most other layer-2 protocols). Using hop count, loops can be detected even when they cannot be prevented (uRPF does a decent job of loop prevention in non-asymmetric networks, but that’s a different story).

Even worse, the forwarding by guessing bridging paradigm can create multiple copies of a looped packet sent to unknown destination. The number of copies grows exponentially with each iteration of the loop, quickly resulting in a total network meltdown.

Multicast. Routers stop multicast or broadcast packets unless they are configured to forward them. Decent multicast implementations allow hosts to register to multicast streams and the routers deliver multicast packets only to those hosts or segments that actually need them.

Transparent bridges have to emulate a shared cable where every station can receive a broadcast or multicast frame. They are thus bound to flood multicast/broadcast frames.

Some layer-2 bridges support IGMP snooping and other mechanisms that should limit the amount of IP multicast propagated in unwanted directions. These measures work only for known (IP) multicast addresses; bridges still have to flood frames sent to unknown multicast destinations.

Most bridges can rate-limit the flooding process, reducing the chances of a single runaway host bringing the whole network to a standstill. Nonetheless, a determined intruder can use the rate-limiting mechanisms for an effective DoS attack where the bogus multicast traffic interferes with crucial protocols like ARP.

Forwarding tables. IP routing tables are built by routers exchanging (somewhat) authoritative information: their connected subnets and their static routes. Bridging tables are built by guessing – by listening to the traffic and extracting source MAC addresses from the frames. The guessed information is never exchanged between the bridges (ESADI in TRILL is an exception, but even ESADI information is not authoritative).

Addressing. Layer-3 addresses are configurable and usually include some topology information, allowing the layer-3 routing to scale. Layer-2 addresses are supposed to be static (hardwired) and are (within a single network) randomly scattered around the network.

Scalability. All layer-3 protocols have some mechanism that aggregates forwarding information, allowing them to scale. The “desktop protocols” (Cisco’s invention, not mine), including AppleTalk, IPX and Banyan Vines performed routing based on networks (cable ranges in Appletalk), which were very similar to fixed-prefix IP subnets. DECnet, CLNS and SNA have areas and perform host-based routing within an area, but still use only area addresses in “long-distance” (inter-area) routing to scale. Classless routing with IP prefixes allows you to build a multi-layer hierarchy.

Transparent bridging forwards frames to randomly scattered layer-2 addresses and thus cannot have a scaling mechanism.

Novel approaches to bridging (TRILL and 802.1ad) introduce a bridging hierarchy (or a bridging/routing hierarchy in case of TRILL), in which inner bridges (provider bridges in 802.1ad) know just the MAC address of edge bridges. VLANs deployed on edge bridges further limit the amount of information a single edge bridge must carry. Still, a single bridged domain cannot scale.

Spoofing. The “forwarding by learning” paradigm makes it extremely easy to spoof a bridged network: send frames with wrong source MAC address. Spoofing a routed network is somewhat harder; you have to hack the routing protocol.

Bridges reduce the risk of spoofing by implementing port security, dynamic ARP inspection and DHCP snooping; workaround measures trying to solve a problem that shouldn’t have existed in the first place. You cannot secure an environment designed to emulate a single shared cable (at least not without breaking some eggs).

Fragmentation. IP was designed to span a multitude of physical media with different characteristics and supports datagram fragmentation and path MTU discovery. Bridging was designed to connect segments with uniform technology, which was fine as long as the maximum Ethernet MTU was constant. Introduction of jumbo frames has created a “somewhat more complex” environment, where bridging between Ethernet segments can fail spectacularly.

Out-of-order packets. Out-of-order packets are a fact of life in any multipath topology (including any layer-3 network). Layer-3 protocols were thus designed to deal with them, either rearranging them (TCP) or dropping them (most UDP applications).

Protocols that pretend the hosts communicate on a shared cable tend to ignore the out-of-order problems; some protocols might even terminate the session when receiving one. SNA was one of those protocols, forcing Cisco to implement FST, which dropped any out-of-order packets. The requirement to deliver packets in order significantly complicates any advanced bridging implementation (for example, TRILL).

Mixed media. IP can (by definition) be used on all data link layer technologies. You can mix-and-match various technologies as needed: Ethernet for access LAN, Gigabit Ethernet with large MTU for data center, HDLC, PPP, Frame Relay or ATM for WAN links. Datagram transport across all the media is always (close to) optimal.

Bridging forces you to use a single layer-2 technology (for example, Ethernet) everywhere and emulate the chosen layer-2 technology across all other media. This requirement leads to baroque architecture used in DSL networks and emulation jumbles like LANE or VPLS.

Anything else? I've listed some more differences between routing and bridging in the Bridging and Routing - Part II post. If I have still missed something, please let me know in the comments.

More information

You'll find a comprehensive overview of routing-versus-bridging as it applies to data center, server and storage technologies in my Data Center 3.0 for Networking Engineers webinar (buy a recording or yearly subscription). The roles of bridging and routing in modern Service Provider networks are described in the Market trends in Service Provider networks webinar.

11 comments:

  1. Pavel Smirnov14 July, 2010 09:46

    You can control routing and you can't control bridging.
    what is the criteria to choose bridging path ? only source mac address.Whole bridging process looks like rpf check.

    ReplyDelete
  2. Dmitri Kalintsev14 July, 2010 13:02

    Couple of additional points:

    - Interface cost

    - Zero-configuration vs. almost universally required some sort of manual-ish configuration (at least for IP)

    But, stepping back a bit, I am confused - why is there a comparison of routing with bridging? Why not just use whatever is more optimal in a particular circumstance? Surely there are some cases where bridging works better (or is the only option), some others where there is a choice and yet others where routing is the only option?

    This discussion really reminds me the eternal argument about "which is better - IP VPN or VPLS?". The answer, in my opinion, is "use that which makes sense in the particular circumstances".

    Than again, I may be missing something here.

    ReplyDelete
  3. Excellent work, Ivan! I think a lot of people might underestimate how difficult it can be to compile such a list of contrasts that we rarely ponder in our day-to-day work.

    ReplyDelete
  4. You forgot troubleshooting and operations. It's very, very, very difficult to troubleshoot a broken L2 network due to the inherent stateless nature of its forwarding.

    So when it breaks, you don't have good tools to fix it.

    ReplyDelete
  5. The point is that bridging is never optimal. It only looks that way.

    ReplyDelete
  6. Jeff Loughridge14 July, 2010 22:07

    etherealmind beat me to the punch. The operational advantages of well-designed L3 networks can't be overlooked. L2 networks typically extend fault domains to the point that outages are very painful and widespread.

    Nice article, Ivan.

    ReplyDelete
  7. Dmitri Kalintsev15 July, 2010 00:38

    > bridging is never optimal

    Yes, not "by itself" (untill TRILL comes, anyway). It can be designed to be fairly optimal by using hierarchical topology, multiple MST regions and bridge priorities. Agreed, this won't work in *all* circumstances, but when it does, cost savings often far outweigh the inconvenience.

    ReplyDelete
  8. Guillermo Ibáñez13 January, 2011 18:05

    There are many things yet to be invented in bridging without the need of routing protocols.
    We think that transparent bridging can evolve in a pure bridging form, without hybridating with IS-IS protocols en layer two.
    Our proposal for shortest path bridges without rooting is ARP-Path (aka FastPath), abstracted in:

    http://adrian.idv.hk/doku.php/paper/icgara10-fastpath

    And implemented in (best demo award in LCN 2010):

    http://www.ieeelcn.org/prior/LCN35/lcn35demos/lcn-demo2010_ibanez.pdf

    The key new mechanism is locking for some time the address learning to the first port where the source address of a broadcast packet is received, discarding all other frames.
    The other one is to use this mechanism with standard ARP Requests and Replys to find and learn the shortest path between two hosts when needed.

    ReplyDelete
  9. Guillermo Ibáñez15 February, 2011 11:51

    This is additional and recent info for those interested in bridging without routing.
    ARP-Path sets up low latency unicast path and multicast trees with the same simple mechanism. Being the paths set up when needed based on the fastest to reach destination, it then performs automatic load distribution among redundant paths.
    This is a link to a presentation recently uploaded to IEEE 802.1 (references at the end contain links to papers):
    http://www.ieee802.org/1/files/public/docs2011/fyi-ibanez-arp-path-0111-v03.pdf

    ReplyDelete
  10. Guillermo Ibáñez15 February, 2011 11:57

    A short animated video explaining operation:
    http://www.youtube.com/watch?v=IhwCYAu_E7E

    ReplyDelete
  11. How about complexity of routing and bridging

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.