
nscrub config
Hi all,

I need some help configuring nscrub. My setup is routed/symmetric for now:
Internet <---> ens160 (native vlan) <----> ens160.838 (servers)

with just one phy interface (--wan-interface=zc:ens160).

ens160    Link encap:Ethernet  HWaddr 3c:fd:fe:18:0c:e0
          inet addr:x.y.z.34  Bcast:x.y.z.63  Mask:255.255.255.224
ens160.838 Link encap:Ethernet  HWaddr 3c:fd:fe:18:0c:e0
          inet addr:x.y.z.129  Bcast:x.y.z.255  Mask:255.255.255.128

nscrub-cli:
katharistis>
localhost:8880> vlan id 1 reforge 838
src_vlan_id: 1
dst_vlan_id: 838

katharistis> list targets
targets:
  id: ntuanocnet
  subnet:
   x.y.z.128/28

routingtable:
  destination: 0.0.0.0/0
  gw: x.y.z.33


The setup is not working. I can't actually ping my server at x.y.z.130
(on ens160.838).
Questions:
- What is the correct setup for this?
- Is the vlan reforging working as it is supposed to? I don't really understand
what it is supposed to do... I would like to set the output vlan, but
reforge needs to do a rewrite. What exactly is it rewriting?
- I guess in pfring_zc mode, packets don't go up the kernel. So, who is
doing ARP requests for x.y.z.130 or x.y.z.33 (gw)?
- When nscrub is running, can I see the packets with tcpdump on ens160
and ens160.838?

Thanx,
Sp

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: nscrub config
Hi Spiros
please read below

> On 27 Nov 2017, at 12:44, Spiros Papageorgiou <papage@noc.ntua.gr> wrote:
>
> Hi all,
>
> I need some help configuring nscrub. My setup is routed/symmetric for now:
> Internet <---> ens160 (native vlan) <----> ens160.838 (servers)
>
> with just one phy interface (--wan-interface=zc:ens160).
>
> ens160 Link encap:Ethernet HWaddr 3c:fd:fe:18:0c:e0
> inet addr:x.y.z.34 Bcast:x.y.z.63 Mask:255.255.255.224
> ens160.838 Link encap:Ethernet HWaddr 3c:fd:fe:18:0c:e0
> inet addr:x.y.z.129 Bcast:x.y.z.255 Mask:255.255.255.128
>
> nscrub-cli:
> katharistis>
> localhost:8880> vlan id 1 reforge 838
> src_vlan_id: 1
> dst_vlan_id: 838
>
> katharistis> list targets
> targets:
> id: ntuanocnet
> subnet:
> x.y.z.128/28
>
> routingtable:
> destination: 0.0.0.0/0
> gw: x.y.z.33
>
>
> The setup is not working. I can't actually ping my server at x.y.z.130 (on ens160.838).
> Questions:
> - What is the correct setup for this?

You need to configure 2 VLANs (e.g. 1 and 838 as in your current nscrub configuration),
nScrub will reforge the VLAN from 1 to 838. This means that ingress packets should be tagged with vlan 1,
and they will be sent to VLAN 838.

> - Is the vlan reforging working as it is supposed to? I don't really understand what it is supposed to do... I would like to set the output vlan, but reforge needs to do a rewrite. What exactly is it rewriting?
> - I guess in pfring_zc mode, packets don't go up the kernel. So, who is doing ARP requests for x.y.z.130 or x.y.z.33 (gw)?

The kernel is bypassed; however, the kernel is still involved for ARP traffic.

> - When nscrub is running, can I see the packets with tcpdump on ens160 and ens160.838?

With ZC the kernel is bypassed, thus the only way to see packets with tcpdump is attaching to the nscrub mirror queues (please refer to the user's guide).

Alfredo

>
> Thanx,
> Sp
>
Re: nscrub config
Hi Alfredo,

Thank you for the answer.

It seems that I have done the config right. I am reforging 1 to 838 and
the routing table seems to be fine.

So why is it not working?
Packets from the internet are not reaching my server at ens160.838 (I
am tcpdumping on the server).
One clarification: You say "ingress packets should be tagged with vlan
1". My input packets are untagged (which usually means vlan1). Is that a
problem?

Sp

On 27/11/2017 1:52, Alfredo Cardigliano wrote:
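To make concrete what Alfredo's "reforge the VLAN from 1 to 838" means at the frame level, and why Spiros's follow-up about untagged input matters, here is an added illustration (not nscrub's code, nor anything from the thread): a minimal 802.1Q tag rewrite over constructed Ethernet frames. It assumes that a reforge rule is keyed on the VID found in the frame's 802.1Q header, so an untagged frame, which carries no VID field at all (the "native VLAN 1" is a switch-port convention, not something in the bytes), has nothing for such a rule to match; the MAC addresses and payload are constructed sample values.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged frame
ETH_P_IP = 0x0800

# Constructed sample addresses: the server MAC is the one from the thread,
# the gateway MAC is a locally administered placeholder.
SERVER_MAC = bytes.fromhex("3cfdfe180ce0")
GW_MAC = bytes.fromhex("020000000001")


def build_frame(dst, src, vid, etype, payload, pcp=0):
    """Build an Ethernet frame; vid=None produces an untagged frame."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HHH", ETH_P_8021Q, (pcp << 13) | vid, etype)
    else:
        hdr += struct.pack("!H", etype)
    return hdr + payload


def parse_eth(frame):
    """Return (dst, src, vid_or_None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, etype, frame[14:]


def reforge_vlan(frame, src_vid, dst_vid):
    """Rewrite the VID when the frame is tagged with src_vid (assumed rule
    semantics). Untagged frames have no VID to match and pass unchanged."""
    _, _, vid, _, _ = parse_eth(frame)
    if vid is None or vid != src_vid:
        return frame
    tci = struct.unpack("!H", frame[14:16])[0]
    new_tci = (tci & 0xF000) | (dst_vid & 0x0FFF)  # keep PCP/DEI, swap VID
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


if __name__ == "__main__":
    tagged = build_frame(SERVER_MAC, GW_MAC, 1, ETH_P_IP, b"constructed", pcp=3)
    untagged = build_frame(SERVER_MAC, GW_MAC, None, ETH_P_IP, b"constructed")
    print("tagged   ->", parse_eth(reforge_vlan(tagged, 1, 838))[2])
    print("untagged ->", parse_eth(reforge_vlan(untagged, 1, 838))[2])
```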