VLAN Bridging/Bonding in the OS

From NSMWiki


I'm (edward) not a fan of patching this and that to get things up and running. I like to take what tools I have and work with that. So when I ran into the problem of VLANs, I was not planning to patch and repack my .debs...

I have played with VLANs and bridging/bonding before, so I knew there had to be a way around this. The task I was facing was that I had a network with 7 VLANs, and I was only to sniff two.

This is what I did on my Ubuntu system today (it should work for other Linuxes as well, with some variation):

* Bonding on an Ubuntu/Debian system:

You need ifenslave:

# aptitude install ifenslave

I have my VLAN traffic on eth1, so I add my VLANs, e.g. 503 and 505:

# vconfig add eth1 503

# vconfig add eth1 505

Then I load the bonding module into the kernel and bring the bond up:

# modprobe bonding

# ifconfig bond0 up

Then I add my VLANs to my bonded interface:

# ifenslave bond0 eth1.503 eth1.505

To check that you are happy and it worked:

# tcpdump -nn -i bond0

This should give you only traffic from VLANs 503 and 505, without the VLAN tags.


* Bridging on an Ubuntu/Debian system:

# vconfig add eth1 503

# vconfig add eth1 505

Then I bring them online:

# ifconfig eth1.503 up

# ifconfig eth1.505 up

If you want to, at this point you can just sniff eth1.50X and get the traffic of VLAN 50X without the VLAN tag.

Then I make a bridge to hold my two VLANs and bring it up:

# brctl addbr vlans

# ifconfig vlans up

Finally I add my VLANs to the bridge:

# brctl addif vlans eth1.503

# brctl addif vlans eth1.505

To check that you are happy and it worked:

# tcpdump -nn -i vlans


This will display all the traffic for VLANs 503 and 505 on the interface vlans, without the VLAN tags... :D mission accomplished?
(You can add more interfaces to the bridge/bond if you like, e.g. other VLANs, or even the raw interface eth1...)
Change sancp, snort (and log_packets.sh) to use the interface vlans/bond0 and restart them.

Add the things you need to your startup scripts. On Debian distros, that's /etc/network/interfaces.
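As an added example (not from the original post), here is a small POSIX shell helper that emits the /etc/network/interfaces stanzas for the bridging setup above, so it survives a reboot. The interface names (eth1, vlans) and VLAN IDs (503, 505) are the post's; the function names and the validation are my own, and the stanzas use the standard ifupdown hooks from the vlan and bridge-utils packages (vlan-raw-device, bridge_ports, bridge_stp).

```shell
#!/bin/sh
# Added example: generate persistent ifupdown config for a sniffing bridge
# over 802.1Q sub-interfaces. Helper names are assumptions, not a real tool.

# Accept only VLAN IDs in the 802.1Q range 1-4094 (rejects non-numeric input).
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Print the stanzas: one "inet manual" stanza per VLAN sub-interface, then
# one bridge stanza enslaving them. "inet manual" gives the sensor no IP
# address on these interfaces, and STP is off so the bridge stays silent.
# Usage: gen_bridge_stanzas <bridge> <raw_if> <vlan_id>...
gen_bridge_stanzas() {
    bridge=$1; raw=$2; shift 2
    ports=""
    for id in "$@"; do
        valid_vlan_id "$id" || { echo "bad VLAN id: $id" >&2; return 1; }
        printf 'auto %s.%s\niface %s.%s inet manual\n    vlan-raw-device %s\n\n' \
            "$raw" "$id" "$raw" "$id" "$raw"
        ports="${ports:+$ports }$raw.$id"
    done
    printf 'auto %s\niface %s inet manual\n    bridge_ports %s\n' \
        "$bridge" "$bridge" "$ports"
    printf '    bridge_stp off\n    bridge_fd 0\n    bridge_maxwait 0\n'
}

# Example run: the bridge "vlans" over VLANs 503 and 505 on eth1, as in the post.
gen_bridge_stanzas vlans eth1 503 505
```

Redirect the output into /etc/network/interfaces (after reviewing it) and run `ifup eth1.503 eth1.505 vlans`; for the bond0 variant the slave stanzas are the same but the last stanza uses bond-slaves instead of bridge_ports.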

Hope this is useful, original post is found here.
Edward

PS: Be careful if you bridge traffic.. Make sure that you use a TAP, so that it is not possible to send traffic from your sensor back into the network. If not... you might just make a nice 'opening' between networks, which might be the worst thing you ever did!