IDS mailing list archives
Re: port bonding and taps
From: Bennett Todd <bet () rahul net>
Date: Thu, 2 Oct 2003 14:34:01 -0400
2003-10-02T11:00:50 PPowenski () oag com:
> I am using channel bonding with RH 9 and it works great

I used it with RH7.3, that also worked great. I sniffed bonded eepro100 NICs as well as bonded SysKonnect gigabit fiber NICs.

> alias bond0 bonding
> options bond0 miimon=100 downdelay=0

I only needed the first one, and I coded it in my snort start script along the lines of

    f=/etc/modules.conf; grep bond0 $f || echo alias bond0 bonding >>$f

> ifconfig bond0 up promisc
> ifconfig eth1 up promisc
> ifenslave bond0 eth1
> ifconfig eth2 up promisc
> ifenslave bond0 eth2

I believe you can drop the "promisc" off the "ifconfig eth[12] up" lines; as long as you've ifconfiged bond0 up promisc, the promisc will propagate back down to the eth drivers when you ifenslave them.

2003-10-02T11:34:23 Sam f. Stover:
> could you let us know what kind of bandwidth you are handling? I looked at this some time ago, but had some real concerns about what kind of traffic it could handle. I never really put it to the test though, so I can't speak authoritatively.

I did captive-net testing, using a pair of generator machines direct patched (xover cables for 100BaseT) to the snorter's NICs, using tcpreplay to inject traffic. I was using completely untuned snort 1.9 on Compaq DL-320 low-end boxes, as I recall PIII-1.25GHz and 640MB RAM. Packet losses started getting noticeable somewhere around 70-80Mbps aggregate, and it made absolutely no difference whether the aggregate was coming in over two bonded interfaces, or over a single NIC with no bonding loaded. Bonding didn't seem to enter into the performance picture at all. If I'd needed to hit higher performance, there were certainly easy measures to take; but as it turned out, I didn't :-).

> Also, is there a way to know if you are dropping frames on the bonded interface? Or do you have to query the individual card statistics, just like anything else?

In my case, I could compare sent to received packet counts end-to-end.

-Bennett
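
Added example, not part of the message above or of any poster's setup: one way to look at both sides of the drop question, reading the receive counters for the bond and each slave from text in /proc/net/dev layout and computing end-to-end loss against the count the traffic generators report. The function names, the sample counters and the 1000000 sent figure are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample in /proc/net/dev layout; all counters are made up.
sample_proc_net_dev() {
cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4200      60    0    0     0     0          0         0     4200      60    0    0    0     0       0          0
  eth1:61000000  480000    0    0 30000     0          0         0        0       0    0    0    0     0       0          0
  eth2:59000000  470000    0    0 20000     0          0         0        0       0    0    0    0     0       0          0
 bond0:120000000 950000    0    0 50000     0          0         0        0       0    0    0    0     0       0          0
EOF
}

# rx_stats IFACE: read /proc/net/dev text on stdin, print the receive-side
# "packets errs drop fifo" counters for IFACE; non-zero exit if it is absent.
rx_stats() {
    awk -v ifc="$1" '
        NR > 2 {
            sub(/:/, " ")   # the name may be glued to the byte count
            if ($1 == ifc) { print $3, $4, $5, $6; found = 1 }
        }
        END { exit !found }'
}

# loss_pct SENT RECEIVED: percentage of the sent packets that never arrived.
loss_pct() {
    awk -v s="$1" -v r="$2" 'BEGIN {
        if (s <= 0) exit 1
        printf "%.2f\n", (s - r) * 100 / s }'
}

# check_bond SENT BOND SLAVE...: counters per slave and for the bond, then
# the end-to-end loss against SENT (the count the traffic generators report).
check_bond() {
    sent=$1; bond=$2; shift 2
    data=$(cat); sum=0
    for s in "$@"; do
        st=$(printf '%s\n' "$data" | rx_stats "$s") || return 2
        echo "$s rx packets/errs/drop/fifo: $st"
        sum=$((sum + ${st%% *}))
    done
    bst=$(printf '%s\n' "$data" | rx_stats "$bond") || return 2
    echo "$bond rx packets/errs/drop/fifo: $bst"
    [ "$sum" -eq "${bst%% *}" ] || echo "slave total $sum differs from $bond"
    echo "loss vs $sent sent: $(loss_pct "$sent" "${bst%% *}")%"
}

# Demo on the sample; on a sensor: check_bond "$SENT" bond0 eth1 eth2 </proc/net/dev
sample_proc_net_dev | check_bond 1000000 bond0 eth1 eth2
```

These counters cover loss up to the driver only; packets lost between the kernel and the sniffer appear in the sniffer's own statistics.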