IDS mailing list archives

Re: port bonding and taps


From: Bennett Todd <bet () rahul net>
Date: Thu, 2 Oct 2003 14:34:01 -0400

2003-10-02T11:00:50 PPowenski () oag com:
I am using channel bonding with RH 9 and it works great

I used it with RH7.3, that also worked great. I sniffed bonded
eepro100 NICs as well as bonded SysKonnect gigabit fiber NICs.

alias bond0 bonding
options bond0 miimon=100 downdelay=0

I only needed the first one, and I coded it in my snort start script
along the lines of

    # add the bonding alias to modules.conf once, if it is not already there
    f=/etc/modules.conf; grep -q bond0 $f || echo alias bond0 bonding >>$f

# bring the bond master up in promiscuous mode, then enslave each sniffing NIC
ifconfig bond0 up promisc
ifconfig eth1 up promisc
ifenslave bond0 eth1
ifconfig eth2 up promisc
ifenslave bond0 eth2

I believe you can drop the "promisc" off the "ifconfig eth[12] up"
lines; as long as you've ifconfiged bond0 up promisc, the promisc
will propagate back down to the eth drivers when you ifenslave them.

2003-10-02T11:34:23 Sam f. Stover:
could you let us know what kind of bandwidth you are handling?  I
looked at this some time ago, but had some real concerns about
what kind of traffic it could handle.  I never really put it to
the test though, so I can't speak authoritatively.

I did captive-net testing, using a pair of generator machines direct
patched (xover cables for 100BaseT) to the snorter's NICs, using
tcpreplay to inject traffic. I was using completely untuned snort
1.9 on Compaq DL-320 low-end boxes, as I recall PIII-1.25GHz and
640MB RAM. Packet losses started getting noticeable somewhere around
70-80Mbps aggregate, and it made absolutely no difference whether
the aggregate was coming in over two bonded interfaces, or over a
single NIC with no bonding loaded. Bonding didn't seem to enter into
the performance picture at all.

If I'd needed to hit higher performance, there were certainly easy
measures to take; but as it turned out, I didn't :-).

Also, is there a way to know if you are dropping frames on the
bonded interface?  Or do you have to query the individual card
statistics, just like anything else?

In my case, I could compare sent to received packet counts
end-to-end.

-Bennett
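Sam's question about drop counters on a bonded sniffing interface can be answered from sysfs on a reasonably modern Linux box: the bonding driver lists its slaves in /sys/class/net/<bond>/bonding/slaves, and every interface, master and slave alike, exposes /sys/class/net/<iface>/statistics/rx_packets and rx_dropped. The script below is an added example, not code from Bennett's post or from the bonding driver; it reads those counters for the master and each slave and totals the slaves, so you can see whether drops show up on bond0 or only on the individual cards. The SYSROOT argument is an assumption made here so the functions can be pointed at a constructed fake tree instead of the live /sys.

```shell
#!/bin/sh
# Added example (not from the original post). Report rx_packets/rx_dropped
# for a bonding master and each enslaved NIC, using the sysfs layout the
# Linux bonding driver exposes. The SYSROOT parameter is an assumption
# of this example so the code can be run against a fake tree offline.

# Print "<iface> rx_packets rx_dropped" for one interface.
iface_stats() {
    sysroot=$1; iface=$2
    stats="$sysroot/class/net/$iface/statistics"
    [ -r "$stats/rx_packets" ] && [ -r "$stats/rx_dropped" ] \
        || { echo "$iface: no statistics under $stats" >&2; return 1; }
    printf '%s %s %s\n' "$iface" "$(cat "$stats/rx_packets")" "$(cat "$stats/rx_dropped")"
}

# Print the master's counters, each slave's counters, and a slaves-total
# line. Returns 1 if the named interface is not a bonding master.
bond_drop_report() {
    sysroot=${1:-/sys}; bond=${2:-bond0}
    slaves_file="$sysroot/class/net/$bond/bonding/slaves"
    [ -r "$slaves_file" ] || { echo "$bond: not a bonding master" >&2; return 1; }
    iface_stats "$sysroot" "$bond" || return 1
    total_rx=0; total_drop=0
    for s in $(cat "$slaves_file"); do
        line=$(iface_stats "$sysroot" "$s") || return 1
        set -- $line
        echo "  slave $1 $2 $3"
        total_rx=$((total_rx + $2)); total_drop=$((total_drop + $3))
    done
    echo "  slaves-total $total_rx $total_drop"
}

# Exit 0 if no slave reports rx_dropped > 0, 1 if any slave dropped frames,
# 2 if the interface is not a bonding master. Cheap enough to poll from cron.
bond_has_drops() {
    report=$(bond_drop_report "$1" "$2") || return 2
    echo "$report" | awk '$1 == "slaves-total" { drops = $3 } END { exit (drops + 0 > 0) }'
}

# Run directly against the live system, e.g.:  sh bond_stats.sh bond0
if [ -n "${1:-}" ]; then
    bond_drop_report /sys "$1"
fi
```

Kernel-counted rx_dropped only covers frames the NIC driver could not hand up; packets snort itself discards under load (the 70-80Mbps ceiling described above) never appear there, which is why an end-to-end sent-versus-received comparison like the one in the post remains the honest measure.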
