Date: Tue, 07 Feb 2006 11:18:41 -0500
From: Chuck Swiger <cswiger@mac.com>
To: Shawn Saunders <saundersconsult@hotmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Trying to make a Host into a gigabit hub for testing
Message-ID: <43E8C861.5070209@mac.com>
In-Reply-To: <BAY115-DAV1891BFB3E942B7849542A8BA010@phx.gbl>
References: <BAY115-F27FDBF43C06E52B9B7431ABA0A0@phx.gbl> <BAY115-DAV1891BFB3E942B7849542A8BA010@phx.gbl>
Shawn Saunders wrote:
> The following is a layout of the type of configuration, and I have tried
> one2many and hub, but was unable to obtain the desired results. Whenever I
> try to set multiple hooks to the same interface it fails, and trying to
> bring a group of interfaces to a virtual interface, and then take that
> virtual interface out multiple different interfaces, seems to fail (I can't
> even make the connection to the virtual interface go to multiple outs.)
>
> I will have 11 interfaces inbound from 11 different networks.
> I will have 4 outbound to 4 different IDSs and sensors.
> I would like to have 11 interfaces come into a single virtual interface.
> This way I could run tcpdump and/or snort on the box itself and obtain quick
> info, and do validation of packet data, between the capture system and the
> IDS and sensors. I would like to redirect all the traffic from that one
> virtual interface to a group of 4 physical interfaces so the sensors can work
> on it.

What you're trying to do doesn't seem to make a lot of sense. While you can use ng_fec to channel-bond two NICs on the same subnet/collision domain for redundancy, or you could implement bridging instead, you can't use either when the NICs are on different interfaces.

Tools like tcpdump prefer to work on a per-interface basis for a reason: this is how the underlying BPF mechanism looks at things, although I believe there is a flag to listen on all interfaces (might be Linux-only?).

Unless you've got remarkable hardware, you're not going to be able to fast-forward eleven GB NICs' worth of traffic, much less "do validation of packet data". About the closest thing that would do what you've asked for is a Cisco PIX 535, and even that can only take nine GB interfaces (at a $40,000 price tag, give or take). I guess you could buy two of them, though.

Maybe you could get a 12-port GB managed switch with a "roving analysis" port, and configure each interface to a different VLAN, and connect your existing machine to that. Of course, if the other interfaces are busy enough, you're not going to fit all of that traffic into the analysis port.

-- 
-Chuck
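For readers hitting the "multiple hooks to the same interface" failure Shawn describes, the following added example (not from the thread, not FreeBSD project code) generates the ngctl(8) commands for attaching several NICs to one ng_hub(4) node. Each ng_ether(4) node exposes exactly one "lower" hook and every hub hook needs a distinct name, so the script hands out one linkN hook per NIC; the interface names em0, em1, em2 and the node name hub0 are assumptions, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: build a monitoring-only ng_hub topology over several NICs.
# It prints the ngctl commands (dry run) unless APPLY=1, so it can be reviewed
# before touching the netgraph graph. Interface names are assumed values.
set -eu

# hub_cmds HUBNAME IF1 [IF2 ...]: print one ngctl command per line.
hub_cmds() {
    hub=$1; shift
    n=0
    for ifn in "$@"; do
        if [ "$n" -eq 0 ]; then
            # The first NIC creates the hub as the peer of its single
            # "lower" hook, attached on the hub side as link0.
            printf 'ngctl mkpeer %s: hub lower link0\n' "$ifn"
            # Give the new node a name so the remaining NICs can address it.
            printf 'ngctl name %s:lower %s\n' "$ifn" "$hub"
        else
            # Each further NIC connects its own "lower" hook to a fresh
            # linkN hook on the hub; reusing a hook name is what fails.
            printf 'ngctl connect %s: %s: lower link%d\n' "$ifn" "$hub" "$n"
        fi
        n=$((n + 1))
    done
}

# Only act when invoked with a hub name and at least one interface.
if [ $# -ge 2 ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        hub_cmds "$@" | sh -e      # execute the commands (requires root)
    else
        hub_cmds "$@"              # dry run: just show them
    fi
fi
```

The interfaces must be up before their lower hooks carry traffic, and a hub built this way floods every frame to every link, so it does nothing about the capacity problem raised above: eleven gigabit inputs still have to fit through whatever the box can forward.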