Dear all
we're running a network with more than a dozen vlans and use an OpenBSD
(3.6) box connected to a Cisco switch's trunk port (802.1q). I
configured virtual vlan interfaces in OpenBSD to have monitoring and
management access. So far it worked fine.
The plan was to use the arpwatch port to monitor for new machines
joining any of our vlans.
* My first try was to run one instance of arpwatch per configured
virtual vlan interface. This worked fine for up to 10 sessions, but not
more (maybe the number of concurrent libpcap sessions is limited?).
Q: Is this a configurable parameter?
* Second thought was to run just one instance of arpwatch on the
physical interface connected to the Cisco trunk. This implied that I
would need to modify arpwatch to remove the vlan tag. I had a look in
the source code (arpwatch.c) and found this section with the filter
string "arp or rarp":
pcap_compile(pd, &code, "arp or rarp", 1, netmask)
From playing with tcpdump on a Linux box, I found that the filter string
"vlan arp or rarp" could do exactly what I need. Trying the same filter
string on OpenBSD 3.6 and 3.8 failed, as they did not support the "vlan"
keyword (tcpdump version 3.4.0 / libpcap version 0.5).
Q: Did I do everything right? Is there a newer version for OpenBSD which
I missed?
* Third idea was to ask for a (new) feature like this:
ifconfig vlanAll vlan * vlandev em1
This should configure a virtual vlan interface which strips off all the
vlan tags for any vlan number.
This solution would also work for any other monitoring software apart
from arpwatch and is therefore my preference.
Q: As I'm still new to OpenBSD, I wanted to know your opinion about
this idea (and the other ideas).
Thanks for taking the time to read through my long story :-)
Raphael
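Both of the post's single-capture ideas (the libpcap "vlan" keyword and a tag-stripping pseudo-interface) come down to the same decoding shift: each 802.1Q tag inserts four bytes (TCI plus the real ethertype) after the two MAC addresses, so ARP/RARP parsing has to start later in the frame, and the VLAN ID in the TCI is what tells you which segment a station appeared on. One caveat on the filter form: in libpcap's grammar concatenation and alternation associate left to right, so "vlan arp or rarp" is better written as "vlan and (arp or rarp)" to make the intent unambiguous. The following is an added example, not code from the original post and not arpwatch's own source. It is a self-contained Python decoder that peels stacked tags off raw Ethernet frames, parses Ethernet/IPv4 ARP and RARP bodies, and keeps an arpwatch-style station table keyed by (VLAN, IP) so that a new station or a MAC change on a known IP produces an event. All frames are constructed inline; the frame builder, the event names and the choice of the innermost tag as the access VLAN are assumptions made for the example.

```python
"""arpwatch-style ARP/RARP monitor for frames captured on an 802.1Q trunk."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_8021Q = 0x8100   # 802.1Q tag
ETH_P_8021AD = 0x88A8  # 802.1ad (QinQ) outer tag; treated like 802.1Q here (assumption)
ETH_P_ARP = 0x0806
ETH_P_RARP = 0x8035


def strip_vlan_tags(frame: bytes) -> Tuple[List[int], int, bytes]:
    """Peel every VLAN tag off an Ethernet frame.

    Returns (vlan_ids from outer to inner, inner ethertype, payload). Each tag
    is 4 bytes (TCI + next ethertype) sitting after the 12-byte MAC pair, which
    is exactly the offset shift libpcap's 'vlan' keyword applies.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    vlans: List[int] = []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vlans, ethertype, frame[offset:]


def parse_arp(payload: bytes) -> Optional[Tuple[int, str, str]]:
    """Parse an Ethernet/IPv4 ARP or RARP body into (opcode, sender MAC, sender IP)."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = payload[8:14], payload[14:18]
    return oper, sha.hex(":"), ".".join(str(b) for b in spa)


class TrunkWatcher:
    """Station table keyed by (VLAN, IP) holding the last MAC seen for that IP."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[Optional[int], str], str] = {}

    def feed(self, frame: bytes) -> Optional[Tuple[str, Optional[int], str, str]]:
        """Feed one raw frame; return an event tuple or None if nothing changed."""
        vlans, ethertype, payload = strip_vlan_tags(frame)
        if ethertype not in (ETH_P_ARP, ETH_P_RARP):
            return None
        parsed = parse_arp(payload)
        if parsed is None:
            return None
        _oper, mac, ip = parsed
        vlan = vlans[-1] if vlans else None  # innermost tag = access VLAN; None = untagged
        key = (vlan, ip)
        old = self.table.get(key)
        self.table[key] = mac
        if old is None:
            return ("new station", vlan, ip, mac)
        if old != mac:
            return ("changed ethernet address", vlan, ip, f"{old} -> {mac}")
        return None


def build_frame(vlans: List[int], ethertype: int, body: bytes) -> bytes:
    """Constructed frame: broadcast dst, fixed src, stacked 0x8100 tags, payload."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid)
    return hdr + struct.pack("!H", ethertype) + body


def arp_body(oper: int, sender_mac: str, sender_ip: str) -> bytes:
    """Constructed ARP/RARP body for Ethernet/IPv4 with zeroed target fields."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + bytes(10)


# Constructed sample trunk traffic (not captured data).
SAMPLE_FRAMES = [
    build_frame([], ETH_P_ARP, arp_body(1, "00:11:22:33:44:55", "10.0.0.10")),     # native VLAN
    build_frame([10], ETH_P_ARP, arp_body(1, "aa:bb:cc:dd:ee:01", "10.0.10.5")),
    build_frame([20], ETH_P_RARP, arp_body(3, "aa:bb:cc:dd:ee:02", "10.0.20.7")),
    build_frame([10], ETH_P_ARP, arp_body(2, "aa:bb:cc:dd:ee:99", "10.0.10.5")),   # same IP, new MAC
    build_frame([10], 0x0800, bytes(40)),                                           # IPv4, ignored
    build_frame([100, 10], ETH_P_ARP, arp_body(1, "aa:bb:cc:dd:ee:03", "10.0.10.9")),  # QinQ
]


def run(frames: List[bytes]) -> List[Tuple[str, Optional[int], str, str]]:
    """Run every frame through one watcher and collect the events it raises."""
    watcher = TrunkWatcher()
    return [ev for ev in map(watcher.feed, frames) if ev is not None]


if __name__ == "__main__":
    for event in run(SAMPLE_FRAMES):
        print(event)
```

On a live box the same `feed` loop would sit behind a raw capture on the trunk interface (for example a pcap handle with a "vlan and (arp or rarp)" filter), which is the one-session design the post is after; the table keyed by VLAN is what keeps two hosts with the same address on different VLANs from being reported as a MAC flip.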