spencerturbine asked:
Bonding two NIC Ubuntu 12.04.1 LTS

OS is currently Ubuntu 12.04.1 LTS with a network tap (not aggregator).

I have a new nTap device and I am trying to create a bonded interface so I can put the two streams of traffic back together so my snort IDS can evaluate the traffic.

I have tried many, many different settings in several different files but I cannot seem to get both NICS to become slaves to the bond0 interface.

Might anyone be interested in working through the possible configurations that would allow me to accomplish my goal?

arnold replied:

Unfortunately you did not include what you tried or what has not worked.

Do you have a managed switch where you can combine the two switch ports into which you are plugging the two cards from the system?

The mode of the bonded interface needs to be set to match.
spencerturbine replied:

I don't have a switch connected to these two ports of the Ubuntu server. I have a network tap (splitter, not aggregator).

I have followed the guide provided at the link you provided. However this is the output of the cat /proc/net/bonding/bond0 command:

root@ids:/etc/modprobe.d# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

802.3ad info
LACP rate: fast
Min links: 0
Aggregator selection policy (ad_select): stable
Active Aggregator Info:
        Aggregator ID: 8
        Number of ports: 1
        Actor Key: 17
        Partner Key: 1
        Partner Mac Address: 00:00:00:00:00:00

Slave Interface: eth2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:02:a5:4e:da:39
Aggregator ID: 8
Slave queue ID: 0

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:02:a5:4e:da:38
Aggregator ID: 9
Slave queue ID: 0

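As an added example (not code from the thread), here is a small checker for the /proc/net/bonding output above: it parses the dump into bond-wide and per-slave fields and reports the conditions that stop a tap-fed bond from delivering both streams, in particular an 802.3ad bond whose second slave sits outside the active aggregator. The sample text is a constructed, abridged copy of the status quoted in the post.

```python
# Constructed sample, abridged from the 802.3ad status quoted above.
SAMPLE = """\
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Polling Interval (ms): 0

802.3ad info
Active Aggregator Info:
        Aggregator ID: 8
        Partner Mac Address: 00:00:00:00:00:00
Slave Interface: eth2
MII Status: up
Aggregator ID: 8

Slave Interface: eth1
MII Status: up
Aggregator ID: 9
"""

def parse_bond_status(text):
    """Split the dump into bond-wide key/values and one dict per slave."""
    bond, slaves, cur = {}, [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # MACs keep their inner colons
        key, value = key.strip(), value.strip()
        if key == "Slave Interface":
            cur = {"name": value}
            slaves.append(cur)
        elif cur is None:
            bond[key] = value  # lines before the first slave are bond-wide
        else:
            cur[key] = value
    return bond, slaves

def check_sniffing_bond(text):
    """Return findings that explain why one side of the tap may be missing."""
    bond, slaves = parse_bond_status(text)
    findings = [f"{s['name']} link is down" for s in slaves if s.get("MII Status") != "up"]
    if bond.get("MII Polling Interval (ms)") == "0":
        findings.append("miimon is 0: slave link failures will go unnoticed")
    if bond.get("Bonding Mode", "").startswith("IEEE 802.3ad"):
        if bond.get("Partner Mac Address") == "00:00:00:00:00:00":
            findings.append("802.3ad: no LACP partner (a passive tap never negotiates)")
        active = bond.get("Aggregator ID")  # bond-wide value is the active aggregator
        for s in slaves:
            if s.get("Aggregator ID") != active:  # inactive slave: its RX never reaches bond0
                findings.append(f"802.3ad: {s['name']} is in inactive aggregator {s['Aggregator ID']} (active is {active}); frames it receives are dropped by the bond")
    return findings
```

Run against the sample it explains the symptom reported later in the thread: eth2 (aggregator 8) is the only active port, so bond0 sees that leg only.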

To do what you need, you need a switch that will aggregate the connections to make it appear as one.
What is it connecting to on the other side? Do you have a disaggregator or do you split the feed back out before connecting it into a switch?

What is the issue? You are using 802.3ad which requires a bonding of the ports on the switch side.
I have the following connections Internet --> Cisco Perim Router --> Cisco ASA --> nTAP

The nTap feeds one leg to our Cisco stack of switches. Now I have two other ports to use to connect to my IDS, each having one side of the conversation. (Hence why it's a splitter and not an aggregator.)

Now I must combine those two streams back together so my IDS can do its job.

I have connected the two ports on the nTap to two ports on a single NIC I have on the IDS server. I have a third single port NIC serving as my management connection.

eth1 sees outbound traffic
eth2 sees inbound traffic

eth0 is my management traffic.

I need eth1 and eth2 bonded together so that the two separate streams are merged into one and the IDS can understand the stateful traffic.

The major point here is that there is NO switch between the nTAP and the Server.
From the nTAP site:

Q: The NIC in my analysis device has a single “receive” port. Will I get visibility into a full-duplex connection with an nTAP?

A: Yes, but you will only be able to view one side of the full-duplex link at a time. This is not recommended. An nTAP sends copies of the TX and RX of a full-duplex signal out through separate “send” ports to the monitoring device. If your monitoring device is equipped with a dual-receive capture card, you will be able to view both streams of data. However, if your monitoring device is equipped with only one receive port, it will only be able to view one stream of data. To view the entire full-duplex stream for analysis, the monitoring device should have two receive ports and the ability to aggregate TX and RX into a single stream.

I have equipped the server with a dual port capture card and I am trying to bond them together so at the application layer, the IDS sees both sides of the conversation.
To do what you want you need to aggregate.
You are working on the premise that a single 1GB is not enough to handle the inbound traffic and pass it on?

You can use ASA as the aggregator.

Not sure what the purpose of your setup is.

Internet <=> Cisco perimeter <=> ASA <=> Ubuntu IDS router <=> LAN
I am not bonding to handle increased traffic. I am bonding to get both the RX and the TX back into one stream.
The whole point of IDS/IPS is detect and prevent the incorrect data from passing.

Your setup seems to be an observer is watching the door and records when a thief enters the premises.

What is it you want from the setup?
The split in TX/RX is the tap configuration and not something you can control.
Are you planning on adding an IPS using iptables/snort?

Your setup is one feed; there is no reason anything will be transmitted out from your IDS setup.
The IDS's job is just to monitor. It does not transmit traffic. It will never run in inline mode so it is strictly a monitoring device.

What I want from the set up is for the IDS to monitor traffic going to the firewall and alerting me based on configuration rules and preprocessor configuration.

The IDS cannot do its job if the traffic is split over the two links (one with RX and one with TX). The two streams must be recombined and that's what I want to use bonding to accomplish.

This set up should work according to NetOptics the problem is just me, I am missing something in the configuration.
Looking at the display of your hardware, one port is incoming traffic while the other is outgoing traffic.

I.e. RX stream is a stream from the router into the tap,
TX stream is the data from the ASA to the router.
I.e. eth1 will detect intrusive packets coming in, while eth2 will see traffic originating from the LAN. I.e. it detects intrusive packets originating from your LAN in the event you have a hacker on your network attacking external resources or have a local compromised system.
Perform the following exercise using tcpdump: connect to eth1 as you have, without bonding, in promiscuous mode, and at the same time debug the inbound traffic from the router on the ASA; you should see the two being identical.
Repeating the same in reverse, using the debug on the outgoing traffic from the ASA to the router, should match the eth2 TX traffic.
Well yes... that's what I would expect. The nTAP splits the traffic. Bonding two NICS should recombine the split traffic.
A managed switch with port monitoring configuration would combine the stream of data that you want.
Placing the monitor on the port from the ASA feeding the LAN will reduce the monitoring to traffic that passes your ASA configured rules versus looking at data of no significance.

I.e. the difference whether you place an observer outside the door or behind the door.

The one outside the door will note individuals who pass by the door who have no intention of entering, or are denied the option to enter, while the one inside the door only records those who have gained access.

Provides an illustration of the various monitoring options.
I appreciate your comments Arnold, but we are sort of off track. We are more or less talking about architecture now instead of focusing on how to bond two NICS.

I previously used switchport monitoring using a Dell switch. The reason for the change to an nTAP was to understand how to set up a network tap in situations where it is required.

I have seen quite a few talks, and read a number of white papers over the years that talked about using a network tap instead of a hub/ switch with port mirroring or span port.

So you see I have several goals in mind here: learn more about networking in Ubuntu/Linux and increase my understanding of network taps.

"Dual-receive means that the network card on the analysis device has two receive channels rather than the transmit and receive channels associated with a standard full-duplex link."

I find this statement to be somewhat of a problem. Try to google a NIC with dual receive channels. I couldn't find one. This prompted a call to NetOptics in which I was told that meant two full duplex ports and in that case I would need to use bonding to bring them back to a single stream so the IDS could function properly.
I read through this trying to make sense. I understand what you are attempting to do, but I don't think it will work. What I think is the problem is your statement:

     "Bonding two NICS should recombine the split traffic."

I don't think it will. The problem, as I see it, is that whatever is capturing the traffic will see both streams as input.

I'm not sure if you ran tcpdump or not or what the results were.

If you run tcpdump on the Ubuntu box using "-i any", does wireshark see the data from both NICs? Does it see everything being related as you would expect?
What happens when you do tcpdump -i bond0?
Bonding works without switch assistance too.
nTap requires bonding mode 2 and miimon (are you sure your wires are plugged into the right ports?).

Mode 4, which you have configured, needs "port-channel" on the CCO side.
I am certain I have the cables plugged into the correct ports.

tcpdump on bond0 currently only shows ingress traffic. I do not see the egress traffic.

tcpdump eth1 shows only ingress traffic.

tcpdump eth2 shows only egress traffic.
Change the mode of your bond0 interface to mode-4/802.3ab.
To mode 5 balance-tlb and see if that combines the two data streams.

The tap you have is often to analyze one side, you would need to configure your IDS to review each feed/interface.
giltjr replied (this solution is only available to Experts Exchange members).
Mode 4 needs port-channel configured on Cisco. It will not work without it (and it in turn needs some IOS high-end options). Documentation says it needs assistance from the switch but does not detail enough.

You might try mode 0 or mode 2. Modes 5 and 6 are for generic switches like unmanaged ones. 1 is for low-function network cards like 100Mbps or Realtek. 3 is in the event you ever replace the switch with a hub (and as such it does not apply where gigabit is involved).
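For reference, an added example (not giltjr's hidden solution or anything from the thread) of a receive-only bond in /etc/network/interfaces on Ubuntu 12.04 using balance-rr, one of the two switch-independent modes suggested just above. It assumes the ifenslave package is installed, that eth1 and eth2 are the two tap legs as described in the question, and that the bond carries no IP address because it only feeds the IDS.

```text
# /etc/network/interfaces (Ubuntu 12.04 with ifenslave)
# Added example: receive-only sniffing bond for the two tap legs.
# Comments stay on their own lines; ifupdown does not parse trailing comments.

auto eth1
iface eth1 inet manual
    bond-master bond0

auto eth2
iface eth2 inet manual
    bond-master bond0

auto bond0
iface bond0 inet manual
    # mode 0 (balance-rr): receives on every slave, needs no LACP partner
    bond-mode balance-rr
    # poll slave link state every 100 ms instead of the 0 seen above
    bond-miimon 100
    # slaves attach themselves via bond-master
    bond-slaves none
    # no address: just bring the bond up and capture everything it sees
    up ip link set dev bond0 up
    up ip link set dev bond0 promisc on
    down ip link set dev bond0 promisc off
```

After ifup bond0, cat /proc/net/bonding/bond0 should list both slaves under "Bonding Mode: load balancing (round-robin)" with no aggregator section, and tcpdump -i bond0 (or Snort started with -i bond0) should show both directions of the tapped link.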
I think you all contributed but giltjr seemed to be the only one that suggested the mode that actually ended up working for me.