Sunday, July 16, 2006

Bridge or Trunk?

When I had been asked whether to use either trunk interface or bridge interface when connecting OpenBSD box to the network tap with RX/TX separated, I suggest trunk. The main reason is that bridge interface that you created is not doing network bonding, which means that it doesn't actually aggregate the network traffics that flowing into both network interfaces that been added to bridge interface. On the other hand, trunk interface creates a single channel for the network interfaces that bound to it. The advantage of this feature that lacking in bridge interface makes whole lots of differences. While trunk can survive in heavy load since it uses roundrobin mechanism by default to process the packets where you can share the load between network interfaces that binded to trunk interface, bridge won't do so. If one of the network interface in heavy loaded traffcs, it may cause packet loss since bridge doesn't create single channel to load the network traffics across multiple network interfaces. This is total failure because it will make deployment of IDS useless at all. I have blogged about it previously in case you didn't notice, here's the link. You may need to check out the screenshot below where I run vmstat ifstat command to understand how trunk interface works comparing to bridge.


I only show the screenshot of trunk interface, the bridge interface shows the common result where each separated network interface has its own load based on the packets it intercepted.

Peace (;])

No comments: