Trying to make a Host into a gigabit hub for testing

Chuck Swiger cswiger at mac.com
Tue Feb 7 08:18:35 PST 2006


Shawn Saunders wrote:
> The following is a layout of the type of configuration, and I have tried
> one2many and hub, but was unable to obtain the desired results.  Whenever I
> try to set multiple hooks to the same interface it fails, and trying to
> bring a group of interfaces to a virtual interface, and then take that
> virtual interface out multiple different interfaces, seems to fail (I can't
> even make the connection to the virtual interface to go to multiple outs.)
> 
> I will have 11 interfaces inbound from 11 different networks.
> I will have 4 outbound to 4 different IDS's and sensors.
> I would like to have 11 interfaces come into a single virtual interface.
> This way I could run tcpdump and/or snort on the box itself and obtain quick 
> info, and do validation of packet data, between the capture system and the 
> IDS and sensors. I would like to redirect all the traffic from that one
> virtual interface to a group of 4 physical interfaces so the sensors can work
> on it.

What you're trying to do doesn't seem to make a lot of sense.  You can use
ng_fec to channel-bond two NICs on the same subnet/collision domain for
redundancy, or you could implement bridging instead, but you can't use either
when the NICs are on different interfaces.

Tools like tcpdump prefer to work on a per-interface basis for a reason: this is
how the underlying BPF mechanism looks at things, although I believe there is a
flag to listen on all interfaces (might be Linux-only?).

Unless you've got remarkable hardware, you're not going to be able to
fastforward eleven GB NICs' worth of traffic, much less "do validation of packet
data".  About the closest thing that would do what you've asked for is a Cisco
PIX 535, and even that can only take nine GB interfaces (at a $40,000 price tag,
give or take).  I guess you could buy two of them, though.

Maybe you could get a 12-port GB managed switch with a "roving analysis" port,
and configure each interface to a different VLAN, and connect your existing
machine to that.  Of course, if the other interfaces are busy enough, you're not
going to fit all of that traffic into the analysis port.

-- 
-Chuck
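For readers who want to see what the ng_hub(4) topology Shawn describes actually looks like in ngctl(8) terms, here is an added example that is not part of the thread: a POSIX sh function that emits the commands joining each interface's "lower" hook to one hub node, so a frame entering on any member is repeated out every other member (interface names em0/em1/em2 and the node name hub0 are constructed). It does not change Chuck's point: a hub repeats in every direction, so a sensor NIC that ever transmits will inject into the monitored networks, and the box still has to forward every member's traffic in software.

```shell
#!/bin/sh
# Emit the ngctl(8) commands that join the "lower" hook of each listed
# Ethernet interface to a single ng_hub(4) node (a software hub).
# Usage: hub_cmds HUBNAME IFACE...   (pipe the output into sh on FreeBSD,
# after loading ng_ether and ng_hub with kldload).
hub_cmds() {
    hub=$1; shift
    first=$1; shift
    # The first interface creates the hub node as the peer of its lower
    # hook; the node is then named so the remaining interfaces can find it.
    printf 'ngctl mkpeer %s: hub lower link0\n' "$first"
    printf 'ngctl name %s:lower %s\n' "$first" "$hub"
    i=1
    for ifn in "$@"; do
        # ng_hub accepts any hook name; linkN keeps them distinct.
        printf 'ngctl connect %s: %s: lower link%d\n' "$ifn" "$hub" "$i"
        i=$((i + 1))
    done
    # Every member must pass frames for any destination MAC (promiscuous)
    # and must not rewrite the source MAC of frames it sends, otherwise the
    # sensors see only traffic addressed to the capture box, with its MAC.
    for ifn in "$first" "$@"; do
        printf 'ngctl msg %s: setpromisc 1\n' "$ifn"
        printf 'ngctl msg %s: setautosrc 0\n' "$ifn"
    done
}
```

To tear the hub down again, `ngctl shutdown hub0:` removes the node and all of its hooks in one step.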

