The topic for today is bridging. Most of us may not have heard this term, but essentially it is synonymous with networking. That’s because forwarding and connecting multiple networks both utilize bridging. But does this technology have any bearing on virtual networks? The answer is yes. A bridge is also applicable within a VPN (Virtual Private Network), as it can effortlessly combine multiple VPNs. Although some may think it only joins a few VPN tunnels, it is not so.
A bridge can bring together numerous networks (tunnels included) and combine them into a singular central network. You can also understand it by imagining multiple LANs (Local Area Networks) coming together to form a WAN (Wide Area Network). But is it useful to use bridging, and what functions does it have? Let’s find out more about what a bridge does in a VPN.
What is a bridge in networking?
A bridge is a networking device that creates a single aggregate network from multiple ones. It can be a physical device (hardware with dedicated firmware installed) or software (virtual). The process of connecting multiple networks into a single one is what we know as bridging. However, it is distinct from routing. Routing also combines multiple networks for communication but doesn’t merge them. Yet, bridging is essentially combining numerous networks into one entity. If you have read our article on VPN concentrators, then you can safely assume that a bridge functions the same as a concentrator, at least in principle.
The operation happens on layer 2 (data link layer) of the OSI model. If the bridging consists of a wireless network, the device used will be a wireless bridge. The role of this device (wireless or not) is to store and forward frames between different segments of network architecture, connected via bridging. Traditionally, it uses Media Access Control (MAC) addresses for transferring frames. By accessing these addresses, a bridge can effortlessly block or allow data flow.
Sadly, this technology has fallen from grace as more and more alternatives to a bridging device have seen the light of day. With modern networking tools such as hubs, switches, advanced routers (concentrators), and gateways with additional features paving the way forward, fewer people rely on the bridge devices. This doesn’t negate the fact that these modern devices themselves are capable of bridging. As such, the bridge as a device may be obsolete soon, but bridging as a method will continue forward.
How does bridging work?
Bridging includes filtering data packets, referred to as frames, for addresses and then forwarding them accordingly. A bridge accepts all data packets and amplifies them to the other side. Since they are intelligent devices (they work on predefined protocols), bridges only allow the forwarding of select packets. The process entails passing a data packet originating from a node in network A to a node in network B.
Another thing to note is that a bridge is incapable of altering the format or the content of the incoming data. However, it does rely on a bridging table, which is dynamic. A closer look at how bridging works:
- First, it receives packets or frames from LAN A and B.
- Then, it constructs a table of addresses to identify incoming/outgoing traffic.
- It then forwards the information within LAN A or LAN B.
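The three steps above can be seen in a small simulation. This is an added example, not code from the original article: the port names, MAC addresses and the 300-second ageing time are constructed assumptions.

```python
from dataclasses import dataclass, field

def is_group(mac: str) -> bool:
    """True for broadcast/multicast MACs (I/G bit of the first octet set)."""
    return bool(int(mac.split(":")[0], 16) & 1)

@dataclass
class LearningBridge:
    ports: tuple                      # port names, e.g. ("A", "B", "C")
    max_age: float = 300.0            # assumed ageing time in seconds
    table: dict = field(default_factory=dict)   # MAC -> (port, last_seen)

    def handle(self, in_port, src, dst, now):
        """Learn from the source address, then return the egress ports."""
        src, dst = src.lower(), dst.lower()
        if not is_group(src):         # a group address is never a valid source
            self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if entry and now - entry[1] > self.max_age:
            del self.table[dst]       # stale entry: forget it
            entry = None
        if is_group(dst) or entry is None:
            return [p for p in self.ports if p != in_port]   # flood
        if entry[0] == in_port:
            return []                 # filter: destination is on the ingress segment
        return [entry[0]]             # forward to the single learned port

# Constructed sample frames: (time, ingress port, source MAC, destination MAC)
FRAMES = [
    (0,   "A", "02:00:00:00:00:0a", "02:00:00:00:00:0b"),
    (1,   "B", "02:00:00:00:00:0b", "02:00:00:00:00:0a"),
    (2,   "A", "02:00:00:00:00:0c", "02:00:00:00:00:0a"),
    (3,   "A", "02:00:00:00:00:0a", "ff:ff:ff:ff:ff:ff"),
    (400, "A", "02:00:00:00:00:0a", "02:00:00:00:00:0b"),
]

def run_demo():
    bridge = LearningBridge(ports=("A", "B", "C"))
    return [bridge.handle(port, src, dst, t) for t, port, src, dst in FRAMES]

if __name__ == "__main__":
    for frame, out in zip(FRAMES, run_demo()):
        print(frame, "->", out or "filtered")
```

The first and last frames are flooded because the destination is unknown (never learned, then aged out), which is why the size and ageing of the bridging table determine how much traffic every segment sees.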
Types of bridges
Based on its usage, there are different types of a bridge, such as:
Transparent Bridge
A transparent or learning bridge is not visible to other stations or devices on the network. It doesn’t require reconfiguration of the station, as it is either wholly added or deleted from the entire network. A learning bridge aims to block or forward data packets according to MAC addresses. Consequently, it is one of the most popular bridges used in networking. Due to its architecture, it enjoys a well-earned reputation. It is a plug-and-play device that can self-update bridging tables.
Translational Bridge
It plays the role of a converter when it completely changes one networking system to another. Meaning, translational bridges can translate received data. Due to this feature, users can easily combine two fundamentally different networks. Additionally, it can also add or remove data from a frame when required.
Source-Route Bridge
Designed by IBM, it was used for Token Ring networks. A source-route bridge allows all the frame routes to get embedded into a singular frame. It also aims to decide how that particular frame will be forwarded. The best thing about this bridge is its ability to conjoin two networks at layer 2 of the OSI model.
MAC-Layer/Local Bridge
Also known as the local bridge, a MAC-layer bridge offers packet filtering and repeating services for network segments of similar types. However, it doesn’t require buffering because it simply broadcasts the incoming data packets to the accurate port or removes them.
Remote Type Bridge
A remote bridge is capable of connecting two networks at remote locations. It uses the WAN link as a modem or leased line. However, the speed it achieves differs according to the network links. It has an internal buffer that helps to hold the data grabbed from the LAN.
Functions of a bridge
Bridging is a multifaceted activity that entails numerous functions. Some functions of bridges are:
- It can divide the LAN into multiple smaller segments.
- Similarly, it can stitch up multiple LANs into a larger one.
- A bridge works at the OSI layer 2.
- It can store MAC addresses, which it uses to filter data packets.
- It’s adept at reducing network traffic.
- It interconnects multiple LANs relying on a single, identical protocol.
- It can switch any data packet, be it AppleTalk or IP (Internet Protocol).
- A bridge can do so because the payload field of the data frame is absent from consideration.
Benefits of a bridge
At times, it is fruitful to use a bridge. Albeit the devices are almost obsolete, the bridge technology is still prevalent as it offers advantages such as:
- A bridge can effortlessly increase the capacity of a network multifold as long as it can connect and create a single network from multiple ones.
- It is rather intelligent in operations and capable of either allowing or discarding any data received.
- The data frame is passed and discarded when it contains MAC addresses.
- Any data is forwarded towards a bridge only if it contains a MAC address.
- It can also help the network to broadcast every node in the absence of MAC addresses.
- Bridging also allows for the joining of multiple wireless networks by using a wireless bridge.
- It can connect two or more similar LANs with the same protocols to facilitate inter-network communication.
- It doesn’t require any heavy hardware, software, or architectural upgrade at installation.
- Bridging can connect multiple VPNs.
What is a bridge in VPN?
It is similar to the networking bridges. A bridge in VPN is capable of interconnecting two or more VPNs together. However, it doesn’t need to be a hardware-specific device. Most VPN bridges are software. They are installed at core points to establish joints between multiple VPNs. By using bridging in VPN, we can effortlessly combine hundreds of tunnels into one. Not only will it take the load off the CPU, but it will also make the network more responsive.
The bridging in VPNs is not dependent on bridges. VPN routers and now even gateways are somewhat capable of bridging entire virtual networks due to the advancement of technology. With the arrival of VPN concentrators, most corporates do not rely on the bridging technology any longer.
A VPN bridge is fully able to manifest the ability of a hardware bridge. Although most corporate establishments use hardware-specific tools for their bridging needs, those are not bridges. By establishing a bridge, a VPN can expand the network by merging with the various connected networks. You can also say that bridging in VPNs allows remote LANs to unite with the central WAN. Doing so will grant the off-site networks the same functionality as a central system. Together, they will function as a central hub — a network as a whole.
Bridging reminds most of us of VPN concentrators, as they are the latest devices that can fully emulate this process. However, while a concentrator can combine multiple networks into a single entity, they use routing instead of bridging. Meaning, they route data packets and do not practice forwarding. It’s important to know that you can install specific software to support bridging on concentrators.
Listed below are three major VPN devices capable of bridging but are not bridges in and of themselves.
VPN routers
A VPN router can’t bridge networks, but it routes communication between multiple networks. However, in VPNs, routing and bridging are essentially identical. Well, save for the function that bridges can pass on packets. But, a VPN router is also capable of that if properly configured. It can primarily connect multiple remote VPNs and facilitate two-way communication between them. Most of the time, a VPN router is more efficient than a bridge — at least when it concerns VPNs. Adding on to it the benefit of encryption that generic bridges can’t provide no matter what, a router often comes up as a suitable and prominent choice in place of a bridge.
As VPN technology has seen an uptrend in advancements, especially in recent times, VPN routers have left bridges far behind in the race. If you need packet forwarding, you do not want to get a specific bridging software. After all, adding firmware on routers can help you. Far cheaper, easier, and quicker, mind you. These routers are also mobile as they can easily support wireless networks. This allows you to bridge wireless networks without changing devices.
True, a router in all its glory is unable to bridge the connection. But it won’t matter in a VPN, as routing and bridging are the same at their cores. Additionally, routers are more advanced than bridges. And even if you want to use a bridge, you will have to use software instead of hardware, which will render the effort moot.
VPN gateways
Similar to bridges, a VPN gateway is a networking device. It is capable of connecting multiple networks or devices over a public network. The best thing about a gateway is the ability to bridge connections and communications between numerous remote sites, networks, or products. As such, it can fully utilize the ability to combine multiple VPNs into one single central network.
Now, gateways are hardware-centric devices but are too similar to bridges. It is one of the reasons why VPNs don’t adopt bridges for their bridging needs. But even a gateway is unable to pass packets. It can only forward it to the server node or the router, and then the data packet will be routed. If you want to enjoy a network with bridging capacity, you still have to configure routers to bridge gateways to nodes. Otherwise, they will, by default, route the traffic as they have always done.
Although gateways in a VPN infrastructure tend to be hardware, they can similarly be software installed on other networking devices. You install them on the core VPN infrastructure, such that you can configure them to bridge the connection by allowing data forwarding. Remember, a gateway can pass IP packets, but the packets will end up routed due to the standing of gateways in the infrastructure.
VPN concentrators
VPN concentrators are renowned for combining thousands of tunnels into a central network. They are by far the most potent networking device of the three. That is why VPNs do not use bridges, as it will be moot with a concentrator in place. They are advanced routers that can easily handle thousands of tunnels. Being such a compelling device, they can create a centralized network by joining and combining remote VPNs. As such, they also reduce the network overhead and CPU load. A bridge can’t do that.
However, they only route the traffic, like routers, and do not forward it based on an address. Meaning, if they encounter a dull packet, they won’t broadcast it, resulting in packet loss. However, with the computational power they offer, such a setback is still within an acceptable range. They have even ousted routers from the corporate VPN game. A concentrator can be both hardware and software, although most are biased towards the hardware version as they need it specifically to share the load of the network.
By using a concentrator, you can simplify the whole network at once. Even if you add multiple networks to a central one with the aid of a concentrator, the process will be smooth and the operation seamless. Regarding packet forwarding, it is true that a VPN concentrator does not have this ability. Thankfully, it more than makes up for it by its efficient handling of thousands of tunnels without lagging.
How is bridging different from routing?
Before we start, let us declare that routing and bridging are fundamentally the same, except for one glaring difference: a routed VPN will not pass IP broadcasts while a bridged VPN will. The ability to pass on the packets makes a bridge different from routing. When a client uses bridging to connect to a remote network, it is assigned an IP address. The IP is part of an off-site physical Ethernet subnet. The IP then interacts with other machines on the remote subnet as if it were connected locally.
However, when a client connects via routing, it uses a separate subnet. The network establishes the routes on both the client and remote gateway. It does so to facilitate a seamless transit of data within the VPN. Thus, for a VPN, bridging or routing does not make a significant difference. It’s also easy to facilitate any one of these modes, as the VPN doesn’t require specified hardware for doing so. It relies on the same few devices for both functionalities, which can be added or removed with a single installation of particular software.
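The broadcast difference described above can be checked from the addressing alone. The following is an added example, not from the original article; the subnets and client names are constructed, and it assumes the usual default that a routed hop does not forward limited or directed broadcasts.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def vpn_mode(client_ip: str, lan_cidr: str) -> str:
    """'bridged' when the client's address comes from the remote LAN's own subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    return "bridged" if ipaddress.ip_address(client_ip) in lan else "routed"

def reaches_client(client_ip: str, lan_cidr: str, dst_ip: str) -> bool:
    """Would a packet sent by a LAN host to dst_ip be delivered to the VPN client?"""
    lan = ipaddress.ip_network(lan_cidr)
    client = ipaddress.ip_address(client_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst == client:
        return True                   # unicast arrives in both modes
    is_broadcast = dst in (LIMITED_BROADCAST, lan.broadcast_address)
    # Broadcasts stay inside the sender's layer-2 segment; only a bridged
    # client is part of that segment (assumed default router behaviour).
    return is_broadcast and vpn_mode(client_ip, lan_cidr) == "bridged"

# Constructed sample deployment
LAN = "192.168.10.0/24"
CLIENTS = {"bridged-laptop": "192.168.10.200", "routed-laptop": "10.8.0.6"}
DESTINATIONS = ["192.168.10.255", "255.255.255.255"]

def broadcast_exposure():
    """Map each client to (mode, broadcast destinations that reach it)."""
    return {
        name: (vpn_mode(ip, LAN),
               [d for d in DESTINATIONS if reaches_client(ip, LAN, d)])
        for name, ip in CLIENTS.items()
    }

if __name__ == "__main__":
    for name, (mode, seen) in broadcast_exposure().items():
        print(f"{name}: {mode}, receives broadcasts to {seen or 'none'}")
```

A bridged client therefore shares the remote LAN's broadcast domain, so anything the LAN relies on broadcast for is visible to it, while the routed client only sees traffic addressed to it.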
Usage and functions of a VPN bridge
A VPN bridge is optimal for two functions: creating a cascade connection to a VPN server and creating a bridge with a physical network using a local bridge connection. Almost all other features of a VPN bridge have met with elimination with the advancement in technology. However, these functions are mentioned below for reference:
- Virtual Hub on a VPN Bridge
- Cascade Connection Function on VPN Bridges
- Receiving a Connection on a Bridge in VPN
- Local Bridge Function on VPN Bridges
- SecureNAT Function on a VPN Bridge
- Virtual Layer 3 Switch Function for VPN Bridges
- Coexistence of VPN Bridge and VPN Server