802.1q for packet filtering

Discussion in 'Cisco' started by Vicky, Apr 4, 2005.

  1. Vicky

    Vicky Guest

    Just wondering if it is possible to use an 802.1Q-aware NIC (supports VLAN
    tagging) on a packet filtering box to monitor traffic off multiple VLAN
    domains as opposed to having SPAN enabled on a switch?

    Any pointers will be appreciated.


    regards,
    /vicky
     
    Vicky, Apr 4, 2005
    #1

  2. In article <>,
    Vicky <> wrote:
    :Just wondering if it is possible to use an 802.1Q-aware NIC (supports VLAN
    :tagging) on a packet filtering box to monitor traffic off multiple VLAN
    :domains as opposed to having SPAN enabled on a switch?

    Not really.

    When you use 802.1Q, you are almost always using switching -- you
    are just confining the list of places that might be switched to.
    But the switching still occurs.

    Thus, if you have vlan #217 going to ports #27 and 31
    and if you add vlan #217 to port #47 for the purpose of using
    port #47 to monitor traffic over ports #27 and 31, then you run
    into the problem that -all- you will get on #47 would be broadcast
    and flooded traffic: any traffic that comes in over #27 that the
    switch knows the MAC is on #31 is going to go directly to #31 without
    a copy of it being copied to #47.

    If you want to monitor switched traffic involving multiple ports,
    you pretty much have to SPAN (or RSPAN) the traffic.
    --
    "I want to make sure [a user] can't get through ... an online
    experience without hitting a Microsoft ad"
    -- Steve Ballmer [Microsoft Chief Executive]
     
    Walter Roberson, Apr 4, 2005
    #2
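    The following simulation is an added example and not code from the thread. It replays
    Walter's scenario: ports 27 and 31 are access ports in VLAN 217, port 47 is an 802.1Q
    trunk carrying VLANs 217 and 300 for a would-be monitor box. The port numbers, MAC
    addresses, VLAN IDs and the 300-second aging timer are invented for the illustration.
    It shows that the trunk port receives only what the switch floods into its VLANs:
    broadcast and multicast, unknown-destination unicast, and unicast to a MAC whose table
    entry has aged out. Known unicast between ports 27 and 31 never reaches port 47.

```python
"""VLAN-aware learning switch, simulated.

Added example, not code from the original thread. Port numbers, MAC
addresses, VLAN IDs and the aging timer are made up for the illustration.
"""
from collections import namedtuple

# vlan is the VLAN the frame was classified into at ingress
# (the PVID on an access port, the 802.1Q tag on a trunk).
Frame = namedtuple("Frame", "vlan src dst payload")

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


class VlanSwitch:
    def __init__(self, port_vlans, age_limit=300):
        # port -> VLANs it carries; one VID is an access port, several a trunk
        self.port_vlans = {p: set(v) for p, v in port_vlans.items()}
        # independent VLAN learning: (vlan, mac) -> (port, time learned)
        self.mac_table = {}
        self.age_limit = age_limit
        self.now = 0

    def tick(self, seconds: int) -> None:
        self.now += seconds

    def _expire(self) -> None:
        stale = [k for k, (_, t) in self.mac_table.items()
                 if self.now - t > self.age_limit]
        for k in stale:
            del self.mac_table[k]

    def forward(self, in_port: int, frame: Frame) -> dict:
        """Return {port: frame} for every port that gets a copy."""
        if frame.vlan not in self.port_vlans[in_port]:
            return {}  # VLAN not allowed on the ingress port: drop
        self._expire()
        # learn from the source MAC ...
        self.mac_table[(frame.vlan, frame.src)] = (in_port, self.now)
        # ... but forward on the destination MAC
        entry = self.mac_table.get((frame.vlan, frame.dst))
        if entry is not None and not is_group_address(frame.dst):
            out_port = entry[0]
            return {} if out_port == in_port else {out_port: frame}
        # broadcast, multicast or unknown unicast: flood within the VLAN only
        return {p: frame for p, vlans in self.port_vlans.items()
                if p != in_port and frame.vlan in vlans}


def run_demo() -> list:
    """Return the payloads that reach trunk port 47 in this scenario."""
    sw = VlanSwitch({27: {217}, 31: {217}, 47: {217, 300}})
    host_a = "00:11:22:aa:aa:aa"
    host_b = "00:11:22:bb:bb:bb"
    host_c = "00:11:22:cc:cc:cc"
    events = [  # (seconds elapsed before the frame, ingress port, frame)
        (0, 27, Frame(217, host_a, BROADCAST, "arp who-has B")),
        (0, 31, Frame(217, host_b, host_a, "arp reply")),       # A known on 27
        (0, 27, Frame(217, host_a, host_b, "ssh data")),        # B known on 31
        (400, 27, Frame(217, host_a, host_b, "ssh data after aging")),
        (0, 27, Frame(217, host_a, host_c, "to an unknown MAC")),
        (0, 31, Frame(300, host_b, BROADCAST, "wrong VLAN on access port")),
    ]
    seen_on_47 = []
    for gap, in_port, frame in events:
        sw.tick(gap)
        if 47 in sw.forward(in_port, frame):
            seen_on_47.append(frame.payload)
    return seen_on_47


if __name__ == "__main__":
    for payload in run_demo():
        print("port 47 sees:", payload)
```

    Only three of the six frames reach port 47: the ARP broadcast, the unicast sent after
    the table entry for host B has aged out, and the unicast to a MAC the switch has never
    learned. The plain SSH data between the two access ports is switched directly and the
    trunk never gets a copy, which is exactly why a SPAN or RSPAN session is needed.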

  3. Vicky

    Vicky Guest

    Hmm. I thought since the 802.1Q NIC is running in trunk mode and I even
    have promiscuous mode enabled on the NIC, I should be able to sniff
    traffic from these VLANs?



    regards,
    /vicky
     
    Vicky, Apr 4, 2005
    #3
  4. Brad

    Brad Guest

    Sounds good Vicky. Never done it, but it sounds like it should work.
    Seems like Walter is a little confused about trunking and/or vlans.

    If you try it be sure to let us know if it works. :)
     
    Brad, Apr 4, 2005
    #4
  5. Brad

    Brad Guest

    I just reread Walter's post and this time I understood what he was
    saying. I guess I'm a little slow. Sorry Walter! Anyways, he makes a
    valid point. Just because it's a trunk doesn't mean you're getting all
    the traffic within one vlan. Remember the switch will still do the
    filter/forward process based on the source mac addresses.
     
    Brad, Apr 4, 2005
    #5
  6. In article <>,
    Brad <> wrote:
    :Just because it's a trunk doesn't mean you're getting all
    :the traffic within one vlan.

    Right. Just what -needs- to go over the trunk.

    :Remember the switch will still do the
    :filter/forward process based on the source mac addresses.

    Make that based upon the -destination- MAC address.
    --
    Beware of bugs in the above code; I have only proved it correct,
    not tried it. -- Donald Knuth
     
    Walter Roberson, Apr 4, 2005
    #6
  7. Vicky

    Vicky Guest

    Ok, which means I could have a server with one 802.1Q NIC to support
    multiple VLANs, basically trunking between the server and switches,
    correct?



    regards,
    /vicky
     
    Vicky, Apr 4, 2005
    #7
  8. In article <>,
    Vicky <> wrote:
    :Ok, which means I could have a server with one 802.1Q NIC to support
    :multiple VLANs, basically trunking between the server and switches,
    :correct?

    Yes, if supported by the server NIC and server software.
    --
    'ignorandus (Latin): "deserving not to be known"'
    -- Journal of Self-Referentialism
     
    Walter Roberson, Apr 4, 2005
    #8
  9. polleke

    polleke Guest

    ANY NIC can do 802.1Q trunking (even the 10 Mbit ones).
    So if you like to sniff a trunk port with Ethereal, it's possible :) (I
    did that already.)
    There might only be a problem with the HUB if you are using one to intercept
    trunk data _between_ two switches. The problem is that trunking should not
    pass over a hub, of course, and they might have trouble with the (from the
    hub's point of view) strange layer 2 encapsulation, .1Q or worse ISL.

    Secondly
    It all depends on your OS whether it will understand the data it receives.
    Linux can handle it without any more special needs (you only have to rebuild
    the kernel).

    For OTHER OSs that cannot handle .1Q there exist NICs from major vendors
    that let you connect to .1Q ports (very expensive), presenting each VLAN as a
    separate virtual NIC (for example
    http://www.3com.com/other/pdfs/products/en/3c996b_dsheet.pdf ).
    From there on you can run services specific to each.
     
    polleke, Apr 5, 2005
    #9
  10. thrill5

    thrill5 Guest

    Trunking is only allowing multiple VLANs to share the same physical media,
    by adding a VLAN (802.1Q) tag to the Ethernet frame. This would allow you
    to have a server with multiple IP addresses, each on a different VLAN,
    sharing a single Ethernet NIC. The only difference between a "trunk" port
    and a non-trunk port is that a trunk port allows traffic from multiple VLANs
    on the same port. When switching packets, the switch does not care if a
    port is trunked or not trunked. The switch builds a table of all
    destination MAC addresses and destination ports. A packet is received, the
    destination MAC is examined and looked up in the table. If it is found,
    the packet is "switched" to the port that MAC is assigned to. If the MAC
    address is unknown it is sent to all ports. If the destination port is
    configured as a trunk, an 802.1Q VLAN tag is added to the frame before it is sent
    out of the port with the appropriate VLAN tag.

    This is very over simplified but you get the idea.

    Scott

    "Vicky" <> wrote in message
    news:...
    > Ok, which means I could have a server with one 802.1Q NIC to support
    > multiple VLANs, basically trunking between the server and switches,
    > correct?
    >
    >
    >
    > regards,
    > /vicky
    >
     
    thrill5, Apr 5, 2005
    #10
  11. In article <>,
    polleke <> wrote:
    :ANY NIC can do 802.1Q trunking (even the 10 Mbit ones).

    - Not if the NICs have hard limits on the packet sizes and full-sized
    802.1Q packets are being used.
    - Not if the DMA buffers aren't big enough to accommodate the
    extra bytes.
    - Not if the NIC firmware cannot understand the frame format.
    Yes, some NICs are limited to 802.2 or 802.3 or SNAP at the
    *NIC* level.
    - If you look within Cisco's product line, you will find that
    some of the older devices are simply unable to handle 802.1Q trunking
    at 10 Mb.
    --
    'ignorandus (Latin): "deserving not to be known"'
    -- Journal of Self-Referentialism
     
    Walter Roberson, Apr 5, 2005
    #11
  12. In article <>,
    thrill5 <> wrote:
    :Trunking is only allowing multiple VLAN's to share the same physical media,
    :by adding a VLAN (802.1q) tag to the Ethernet frame.

    True.

    :If the destination port is
    :configured as a trunk, an 802.1Q VLAN tag is added to the frame before it is sent
    :out of the port with the appropriate VLAN tag.

    Other way around: the 802.1Q tag is always added at ingress time, and
    if it turns out that the egress port is untagged for that VLAN then
    the VLAN tag is stripped off at egress.

    You need this "always add first" mechanism in order to prevent
    "vlan hopping", in which a user packet adds an 802.1Q header
    and the destination port doesn't know to strip off that 802.1Q header...
    --
    "This was a Golden Age, a time of high adventure, rich living and
    hard dying... but nobody thought so." -- Alfred Bester, TSMD
     
    Walter Roberson, Apr 5, 2005
    #12
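    The following is an added example, not code from the thread. It models the rule Walter
    gives above (classify, in effect tag, every frame at ingress; strip the tag at egress where
    the port is untagged for that VLAN) and walks through the forwarding steps thrill5 lists
    in post #10 at the byte level. The port names (Fa0/27, Fa0/47), MAC addresses and VLAN
    IDs are invented for the illustration, and "native VLAN is sent untagged on a trunk" is
    assumed, as on Cisco trunks of that era. The fourth case in demo() is the vlan hopping
    attempt Walter mentions: a host on an access port supplies its own tag, and the ingress
    classification refuses it instead of trusting it.

```python
"""802.1Q tag push/pop with ingress classification and egress untagging.

Added example, not code from the thread. Port names, MACs and VLAN IDs are
invented; native-VLAN-untagged behaviour on trunks is an assumption.
"""
import struct

TPID_8021Q = 0x8100


def parse_tag(frame: bytes):
    """Return (vid, pcp, frame_without_tag) if the frame is 802.1Q tagged, else None.

    Layout: dst(6) src(6), then either TPID 0x8100 + TCI(2) + the original
    EtherType, or the EtherType directly for an untagged frame."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    pcp, vid = tci >> 13, tci & 0x0FFF
    return vid, pcp, frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after the MAC addresses; the inner EtherType is kept."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


class Port:
    def __init__(self, name, trunk=False, pvid=None, allowed=()):
        self.name = name
        self.trunk = trunk           # 802.1Q trunk or access port
        self.pvid = pvid             # access VLAN, or native VLAN on a trunk
        self.allowed = set(allowed)  # VLANs permitted on a trunk


def ingress(port: Port, frame: bytes):
    """Classify an arriving frame. Returns (vid, untagged_frame), or None to drop.

    Every accepted frame leaves with a definite VID: that is the 'always add
    first' step, so no later stage has to guess what a tag means."""
    tag = parse_tag(frame)
    if port.trunk:
        if tag is None:  # untagged on a trunk belongs to the native VLAN
            return (port.pvid, frame) if port.pvid is not None else None
        vid, _pcp, inner = tag
        return (vid, inner) if vid in port.allowed else None
    if tag is not None:
        return None  # a tag supplied by a host on an access port is not trusted
    return port.pvid, frame


def egress(port: Port, vid: int, untagged_frame: bytes):
    """Re-tag for trunks (except the native VLAN); send bare on access ports."""
    if port.trunk:
        if vid not in port.allowed:
            return None
        return untagged_frame if vid == port.pvid else push_tag(untagged_frame, vid)
    return untagged_frame if vid == port.pvid else None


def demo() -> dict:
    access = Port("Fa0/27", trunk=False, pvid=217)
    trunk = Port("Fa0/47", trunk=True, pvid=1, allowed={1, 217, 300})
    # constructed frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), dummy payload
    bare = (bytes.fromhex("001122aaaaaa") + bytes.fromhex("001122bbbbbb")
            + b"\x08\x00" + b"payload")
    out = {}
    # host frame in on the access port, out on the trunk: leaves tagged 217
    vid, inner = ingress(access, bare)
    out["access_to_trunk_vid"] = parse_tag(egress(trunk, vid, inner))[0]
    # tagged 217 in on the trunk, out to the access port: tag is stripped
    vid, inner = ingress(trunk, push_tag(bare, 217))
    out["trunk_to_access_bare"] = egress(access, vid, inner) == bare
    # host on the access port forges a tag for VLAN 300: dropped at ingress
    out["forged_tag_on_access"] = ingress(access, push_tag(bare, 300))
    # VLAN 999 arrives tagged on the trunk but is not in the allowed list
    out["disallowed_on_trunk"] = ingress(trunk, push_tag(bare, 999))
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

    The point of returning a VID from ingress() for every accepted frame is that the
    egress decision then needs nothing from the original bytes: a trunk port re-tags from
    the VID it was handed, an access port sends the bare frame, and a tag a host tried to
    smuggle in on an access port never makes it past classification.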
  13. polleke

    polleke Guest

    Yes, that's true, Walter.
    But it will be harder to find a NIC that doesn't support .1Q than one that
    does.
    Of course I was talking only about Ethernet NICs :)

    In general the "standard" used at Cisco is to provide trunking only on
    100 Mbit (or more) interfaces.
    Some of their older products support trunking at 10 Mbit too.
    But considering Vicky's problem, she'd better go for a 1 Gbit one.

    Anyway, good luck Vicky, let us know how you have solved the problem

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:d2t05c$6v5$...
    > In article <>,
    > polleke <> wrote:
    > :ANY NIC can do 802.1Q trunking (even the 10 Mbit ones).
    >
    > - Not if the NICs have hard limits on the packet sizes and full-sized
    > 802.1Q packets are being used.
    > - Not if the DMA buffers aren't big enough to accommodate the
    > extra bytes.
    > - Not if the NIC firmware cannot understand the frame format.
    > Yes, some NICs are limited to 802.2 or 802.3 or SNAP at the
    > *NIC* level.
    > - If you look within Cisco's product line, you will find that
    > some of the older devices are simply unable to handle 802.1Q trunking
    > at 10 Mb.
    > --
    > 'ignorandus (Latin): "deserving not to be known"'
    > -- Journal of Self-Referentialism
     
    polleke, Apr 5, 2005
    #13
  14. In article <>,
    polleke <> wrote:
    :Yes, that's true, Walter.
    :But it will be harder to find a NIC that doesn't support .1Q than one that
    :does.
    :Of course I was talking only about Ethernet NICs :)

    Perhaps you are used to working with PCs, devices that get more
    or less scrapped every time Microsoft brings out a new OS
    (whose -minimum- requirements usually surpass the top end of
    what was available at the time the previous OS was released).

    The systems I use as my desktops (both at home and work) were
    discontinued in 1994, which is the same year we installed the
    main server that I do my work on. We bought the desktops used,
    3 years after they'd been discontinued -- which is to say that
    even 3 years after they'd been discontinued, they still had
    substantial value.

    We're about to send 3 of those teenaged desktops out to our remote
    offices, so that we can have stable servers there to do our
    network administration work from. Sure they aren't 2.5 GHz, but
    their uptimes are typically half a year at a stretch:
    we can *rely* on them.
    --
    'The short version of what Walter said is "You have asked a question
    which has no useful answer, please reconsider the nature of the
    problem you wish to solve".' -- Tony Mantler
     
    Walter Roberson, Apr 5, 2005
    #14
  15. stephen

    stephen Guest

    "Vicky" <> wrote in message
    news:...
    > Just wondering if it is possible to use an 802.1Q-aware NIC (supports VLAN
    > tagging) on a packet filtering box to monitor traffic off multiple VLAN
    > domains as opposed to having SPAN enabled on a switch?


    separate thread to earlier answers....

    1. Any NIC should be able to "see" an 802.1Q packet once it is operating in
    promiscuous mode - but some drivers cut off over-length packets. But any
    analyser s/w then has to know what to do with it.

    If you want to try this, use your favorite sniffer - or download the trial
    of Netassyst (based on Sniffer Pro code) from sniffer.com - it works for 7 or
    14 days without the magic key - I use this at work and it does pick up
    VLANs.

    FWIW I suspect that using an 802.1Q NIC with a sniffer may strip the tags
    before they get to the sniffer - depends on whether the driver gives you a
    logical card looking at a VLAN or a port. Or, even more likely, the driver
    writer didn't think of this and it will crash and burn....

    2. You need some way to get the packets to arrive at the sniffer - an inline
    hub may work (but there are some that don't like long packets), or a
    specialised device called a "network tap".

    Setting up a SPAN port means you will see copies of something - usually a
    port or a VLAN is feasible, but there may be others depending on the switch
    and the config. Some of those would send you packets complete with 802.1Q
    tags, some would strip them first (again switch dependent).

    If you don't have any of these then you will only see what arrives at the
    port your PC is plugged into.

    In a typical switched network this is all multicast / broadcast in any VLAN
    sent to your port, anything sent to your PC if you have a protocol stack set
    up (which may be per VLAN), and any packets to MAC addresses that have aged
    out of the switch tables.

    >
    > Any pointers will be appreciated.
    >
    >
    > regards,
    > /vicky

    --
    Regards

    Stephen Hope - return address needs fewer xxs
     
    stephen, Apr 6, 2005
    #15
  16. In article <YJY4e.1264$>,
    stephen <> wrote:
    :setting up a SPAN port means you will see copies of something - usually a
    :port or a vlan is feasible, but there may be others depending on the switch
    :and the config. Some of those would send you packets complete with 802.1q
    :tags, some would strip them 1st (again switch dependent).

    Seeing your message triggered a memory: in some switches/routers,
    when you SPAN or RSPAN, the source MAC address of each packet will
    be the MAC associated with the output interface of the SPAN,
    rather than the original source MAC. This can sometimes be a pain
    in the fundament, but sometimes you are able to deduce the
    missing information.
    --
    Oh, to be a Blobel!
     
    Walter Roberson, Apr 6, 2005
    #16
