
CentOS el6 configure a dummy NIC and set up a network bridge

It’s encouraged that you test, but this will work.

In order to have the kernel pass every packet the NIC receives up through the stack (so that netfilter, and anything sniffing on the box, sees it), you must configure a NIC bridge. If you do not, and a frame arrives whose destination MAC is not the NIC's own (for example one carrying an IP that is neither local to the box nor reachable out a different interface), the kernel classifies it as PACKET_OTHERHOST and the IP layer drops it before routing or netfilter ever see it, regardless of whether the NIC is in promiscuous mode. Promiscuous mode only makes the NIC hand such frames to the kernel; a bridge is what makes the kernel keep them.

[09:31] == mbrownnyc [gateway/web/freenode/] has joined #Netfilter
[09:36] <whaffle> It is perfectly valid to have a "half-bridge" with only a single interface in it.
[09:37] <whaffle> Promisc mode will cause packets with {a dst MAC address that does not equal the interface's MAC address} to be delivered from the NIC into the kernel nevertheless.
[09:39] <whaffle> Furthermore, the linux kernel itself has a check for {packets with a non-local MAC address}, so that packets that will not enter a bridge will be discarded as well, even in the face of PROMISC.

This is relevant if you want to use your box as a netflow sensor, or for many other reasons.

Make sure that the dummy kernel module is loaded at boot (rc.sysinit runs every executable *.modules script under /etc/sysconfig/modules/) and load it now:

printf '#!/bin/sh\nmodprobe dummy\n' >/etc/sysconfig/modules/rcsysinit.modules
chmod +x /etc/sysconfig/modules/rcsysinit.modules
modprobe -a dummy

Warning: the following can lead to loss of connectivity, because eth0 gives up its IP address to the bridge. Test on a box you can reach out-of-band, and set a cron job that puts the original ifcfg-eth0 back and restarts networking in case the bridge does not come up.

Create a NIC bridge
You must create a bridge interface. This bridge interface will own the IP address of your current NIC. This is tricky, but it’ll work out okay.

Install bridge-utils (you must do this in order for the bridge to be built):

yum -y install bridge-utils

Create the bridge br0:

cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-br0
vim /etc/sysconfig/network-scripts/ifcfg-br0

Make sure the following is set (remove all other values, HWADDR in particular: the bridge takes its MAC address from its members, so a copied HWADDR would not match):

NETWORK=[as it is/was for eth0]
NETMASK=[as it is/was for eth0]
IPADDR=[as it is/was for eth0]
GATEWAY=[as it is/was for eth0]
DEVICE=br0
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=static
NM_CONTROLLED=no
DELAY=0

Configure eth0 to be part of the bridge:

vim /etc/sysconfig/network-scripts/ifcfg-eth0

Make sure the following is set (remove all other values):

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HOTPLUG=no
NM_CONTROLLED=no
BRIDGE=br0
PROMISC=yes

Configure dummy0 to be part of the bridge:

vim /etc/sysconfig/network-scripts/ifcfg-dummy0

Make sure the following is set (remove all other values):

DEVICE=dummy0
BOOTPROTO=none
ONBOOT=yes
HOTPLUG=no
NM_CONTROLLED=no
BRIDGE=br0
PROMISC=yes

Restart network:

service network restart

Review your Bridge members:

brctl show
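The whole procedure above, bridge file, member files, backup, rollback script and a post-restart check, as one added example. This is not code from the original post: it derives ifcfg-br0 from whatever IPADDR/NETMASK/NETWORK/GATEWAY the existing ifcfg-eth0 holds, deliberately leaves HWADDR behind, rewrites eth0 and dummy0 as promiscuous bridge ports, and writes the rollback script the warning above tells you to hang on a cron job. NETSCRIPTS, BACKUP_DIR and SYSFS are assumed knobs that default to the real paths so you can dry-run into a scratch directory first; IFACE, BRIDGE and DUMMY are assumed parameter names for the eth0/br0/dummy0 the post hard-codes. The verify step reads the same sysfs entries brctl show reads (ports under /sys/class/net/br0/brif/) plus the IFF_PROMISC bit (0x100) in each port's flags file.

```bash
#!/bin/bash
# Added example, not from the original post: generate ifcfg-br0, ifcfg-eth0 and
# ifcfg-dummy0 from the existing ifcfg-eth0, keep a backup of the original,
# write a rollback script for cron, and verify through sysfs after
# "service network restart". NETSCRIPTS/BACKUP_DIR/SYSFS default to the real
# paths; override them to dry-run into a scratch directory. IFACE/BRIDGE/DUMMY
# are assumed parameter names (the post hard-codes eth0/br0/dummy0).
set -eu

NETSCRIPTS=${NETSCRIPTS:-/etc/sysconfig/network-scripts}
BACKUP_DIR=${BACKUP_DIR:-/root/ifcfg-backup}
SYSFS=${SYSFS:-/sys}
IFACE=${IFACE:-eth0}
BRIDGE=${BRIDGE:-br0}
DUMMY=${DUMMY:-dummy0}

# ifcfg_get FILE KEY: print KEY's value with quotes stripped; commented-out lines are skipped.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | head -n 1
}

# render_bridge SRC: ifcfg for the bridge, carrying the IP settings eth0 had.
# HWADDR is deliberately not copied: the bridge takes its MAC from its members.
render_bridge() {
    key= val=
    for key in IPADDR NETMASK NETWORK GATEWAY; do
        val=$(ifcfg_get "$1" "$key")
        if [ -n "$val" ]; then echo "$key=$val"; fi
    done
    printf 'DEVICE=%s\nONBOOT=yes\nTYPE=Bridge\nBOOTPROTO=static\nNM_CONTROLLED=no\nDELAY=0\n' "$BRIDGE"
}

# render_member DEV: ifcfg for a bridge port (eth0 or dummy0): no IP, enslaved, promiscuous.
render_member() {
    printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\nHOTPLUG=no\nNM_CONTROLLED=no\nBRIDGE=%s\nPROMISC=yes\n' "$1" "$BRIDGE"
}

# apply_config: back up ifcfg-eth0, write the three files, emit the rollback script.
apply_config() {
    src="$NETSCRIPTS/ifcfg-$IFACE"
    if [ -z "$(ifcfg_get "$src" IPADDR)" ]; then
        echo "no static IPADDR in $src; refusing (DHCP setups are not handled here)" >&2
        return 1
    fi
    mkdir -p "$BACKUP_DIR"
    cp -p "$src" "$BACKUP_DIR/ifcfg-$IFACE"
    render_bridge "$src" > "$NETSCRIPTS/ifcfg-$BRIDGE"   # read eth0 before overwriting it
    render_member "$IFACE" > "$NETSCRIPTS/ifcfg-$IFACE"
    render_member "$DUMMY" > "$NETSCRIPTS/ifcfg-$DUMMY"
    cat > "$BACKUP_DIR/rollback.sh" <<EOF
#!/bin/sh
# Restore the pre-bridge configuration (schedule this from cron before you test).
cp -p "$BACKUP_DIR/ifcfg-$IFACE" "$NETSCRIPTS/ifcfg-$IFACE"
rm -f "$NETSCRIPTS/ifcfg-$BRIDGE" "$NETSCRIPTS/ifcfg-$DUMMY"
service network restart
EOF
    chmod +x "$BACKUP_DIR/rollback.sh"
}

# verify_bridge: after the restart, both ports must appear under
# /sys/class/net/br0/brif/ and carry IFF_PROMISC (0x100) in their flags file.
verify_bridge() {
    port= flags=
    for port in "$IFACE" "$DUMMY"; do
        [ -e "$SYSFS/class/net/$BRIDGE/brif/$port" ] || { echo "$port is not a port of $BRIDGE" >&2; return 1; }
        flags=$(cat "$SYSFS/class/net/$port/flags")
        [ $((flags & 0x100)) -ne 0 ] || { echo "$port is not in promiscuous mode" >&2; return 1; }
    done
    echo "bridge $BRIDGE ok: ports $IFACE $DUMMY, both promiscuous"
}

case "${1:-}" in
    apply)  apply_config ;;
    verify) verify_bridge ;;
esac
```

Usage: run it once with a scratch NETSCRIPTS to eyeball the generated files, then as root with the defaults: "./bridge.sh apply", add the rollback script to cron, "service network restart", and "./bridge.sh verify". If verify complains that a port is missing, the rollback script and "brctl show" are where to look next; if it only complains about promiscuous mode, check that PROMISC=yes survived in the member's ifcfg file. The script refuses DHCP interfaces on purpose, since the post's bridge is static only.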

Multicast and multicast routing:

By default, the above configuration (with eth0 on the wire) causes multicast packets to be seen by eth0 and br0 even when membership in the group has not been requested. The NIC does not appear to respond to IGMP queries to the all-hosts group after the bridge is enabled. Check the flags set on your NICs (NOARP, PROMISC, MULTICAST, etc., as shown by ip link show).

If you configure your box to be a multicast router, it will route all multicast through the bridge.

Setting multicast_router to 2 below /sys/devices (the bridge's knob is /sys/devices/virtual/net/br0/bridge/multicast_router, also reachable as /sys/class/net/br0/bridge/multicast_router) does not seem to subscribe the box to all multicast groups.

According to some dude, you can probably use igmpproxy, iptables TRACE target, and/or pimd.

With reference:
Loading modules at boot time
Red Hat docs: Persistent Module Loading
NST's Dummy Interface
Set up the bridge
Creating a CentOS KVM Networked Bridge Interface
Bridging and Multicast
ServerFault: Multicast is black magic
