Category Archives: Networking

ARP SPOOFING

This paper deals with the subject of ARP spoofing. Spoofing basically means to deceive someone. The way in which this is done gives it a name, for instance IP spoofing, ARP spoofing, etc. In this article I explain what exactly ARP (Address Resolution Protocol) is, what ARP spoofing is and how it is done. One more thing: this article has been written with the assumption that the reader has basic knowledge of the OSI (Open Systems Interconnection) reference model.
BASICS
Before getting into ARP spoofing, let us understand how two machines connected to an intranet communicate. A computer connected to an IP/Ethernet LAN has two addresses. One is the address of the LAN card, called the MAC address. The MAC (Media Access Control) address is a globally unique and unchangeable address which is stored on the network card itself. This address is unique just like your public IP address: no two machines can have the same MAC address on their LAN cards. The concept of the MAC address belongs to the 2nd layer (Data Link Layer) of the OSI model. MAC addresses are necessary so that the Ethernet protocol can send data back and forth, independent of whatever application protocols are used on top of it. Ethernet builds frames of data, consisting of 1500 byte blocks. Each frame has an Ethernet header, containing the MAC address of the source and the destination computer.
The second address is the IP address. IP is a protocol used by applications, independent of whatever network technology operates underneath it. Each computer on a network must have a unique IP address to communicate. The concept of IP addresses belongs to the 3rd layer (Network Layer) of the OSI model.
IP addresses basically have two parts, the host and the network portions, which help one machine determine the network of another machine and then finally the host with which it is communicating. MAC addresses, unlike IP addresses, are not divided into "host" and "network" portions, so a host cannot determine, from the MAC address of another host, whether that host is on the same layer 2 network segment as the sending host or on a network segment bridged to it; and if it is not, the sending host cannot determine, from the MAC address alone, the MAC address of a router on its own segment (or a segment bridged to it) that can help route the packet to the destination host. For this, IP and Ethernet must work together.

IP communicates by constructing "packets" which are similar to frames, but have a different structure. These packets cannot be delivered without the data link layer. Hence they are delivered by Ethernet, which splits the packets into frames, adds an Ethernet header for delivery, and sends them down the cable to the switch. The switch then decides which port to send the frame to by comparing the destination address of the frame to an internal table which maps port numbers to MAC addresses.

When an Ethernet frame is constructed, it must be built from an IP packet. However, at the time of construction, Ethernet has no idea what the MAC address of the destination machine is, which it needs to create an Ethernet header. The only information it has available is the destination IP from the packet's header. Hence there has to be a way for the Ethernet protocol to find the MAC address of the destination machine, given a destination IP. This is where ARP, the Address Resolution Protocol, comes in.
What is ADDRESS RESOLUTION PROTOCOL (ARP)?
ARP is commonly used to convert from addresses in a layer 3 protocol such as the Internet Protocol (IP) to the layer 2 MAC address. ARP operates by sending out "ARP request" packets. An ARP request asks the question, "Is your IP address x.x.x.x? If so, send your MAC back to me." These packets are broadcast to all computers on the LAN, even on a switched network. Each computer examines the ARP request, checks if it is currently assigned the specified IP, and sends an ARP reply containing its MAC address. Operating systems keep a cache of ARP replies to minimize the number of ARP requests being broadcast. When a computer receives an ARP reply, it updates its ARP cache with the new IP/MAC association.
To illustrate all the above, here is an example. Run the following command on your Linux machine:
secaudi@secaudi.com# arp -an
which gives the output in the following syntax
— IP ADDR at MAC ADDR on Ethernet device
The output you receive should be in the above format, which shows that your system has an entry for the MAC address of this particular IP address in its cache. Now ping some other host in your intranet and then run the same command again. You will be able to see the entry for this IP with its MAC address in your system's cache.
Having explained all that, how does this result in ARP spoofing, and what exactly is it?
What is ARP SPOOFING ?
ARP spoofing involves constructing forged ARP replies. By sending forged ARP replies, a target computer can be convinced to send frames destined for computer A to computer B instead. When done properly, computer A will have no idea that this redirection took place. The process of updating a target computer's ARP cache with a forged entry is referred to as "poisoning".

Switches determine which frames go to which ports by comparing the destination MAC on a frame against a table. This table contains a list of ports and the attached MAC addresses. The table is built when the switch is powered on, by examining the source MAC from the first frame transmitted on each port. Network cards can enter a state called "promiscuous mode" where they are allowed to examine frames that are destined for MAC addresses other than their own. On switched networks this is not a concern, because the switch routes frames based on the table described above. This prevents sniffing of other people's frames.
However, using ARP spoofing, there are several ways that sniffing can be performed on a switched network.
A "man-in-the-middle" attack is one of these. When a MiM is performed, a malicious user inserts his computer into the communications path of two target computers. Sniffing can then be performed. The malicious computer will forward frames between the two target computers so communications are not interrupted. The attack is performed as follows (where A is the attacking computer, and C1 and C2 are the targets):
- A poisons the ARP caches of C1 and C2.
- C1 associates C2's IP with A's MAC.
- C2 associates C1's IP with A's MAC.
- All of C1's and C2's IP traffic will then go to A first, instead of directly to each other.
To understand the whole thing, let us play with an example.

HOST   IP ADDR        MAC ADDR
A      192.168.0.1    ABCDEF000001
B      192.168.0.2    ABCDEF000002
C      192.168.0.3    ABCDEF000003

Let host C be my machine, from which I want to cause all that was explained above. As explained above, pinging these two hosts will give me entries for their MAC addresses in my cache. Once I have the MAC addresses for the corresponding IPs of hosts A and B, I now have to spoof their caches in such a way that host A's cache holds my (host C's) MAC address for host B's IP, and similarly for host B. This can easily be done with many of the tools available, one of them being arpoison. With arpoison installed on the system, execute it in this manner on host C:
hostC@secaudi.com# arpoison -i eth0 -d 192.168.0.1 -s 192.168.0.2 -t ABCDEF000001 -r ABCDEF000003 (poisoning host A)
hostC@secaudi.com# arpoison -i eth0 -d 192.168.0.2 -s 192.168.0.1 -t ABCDEF000002 -r ABCDEF000003 (poisoning host B)
where arpoison usage as: arpoison -i -d -s -t -r
With arpoison what we have done is simply point the host B IP entry on host A to the MAC address of host C, and the host A entry on host B to the MAC address of host C. So when these two machines communicate, say when host A is sending data to host B, it will look up the MAC address of host B in its cache, which has been poisoned to point to host C. So both will be directing their traffic to host C. It is that simple. Normally the cache entries are flushed every 60 or 30 seconds, so you have to keep sending packets continuously to keep the caches of these two hosts poisoned.
However, it is to be noted that host C must allow the data from host A to pass to host B and from host B to host A so that communication continues between the two hosts. This type of attack in particular is called a man-in-the-middle attack. If you want to cause this attack simply as a DoS attack, point the MAC addresses of these two hosts to something that is not valid; since no host is bound to that MAC, no data can be delivered.
For a visual lesson on all the above, visit the following URL:

http://www.oxid.it/downloads/apr-intro.swf

Conclusion
With ARP poisoning you can do various things, the first of which is sniffing on switched segments by poisoning the remote hosts or switches.
Second, and most times much worse, is altering the ARP tables of routers, which renders LAN segments isolated from the other segments.
I strongly believe that in a short time these kinds of attacks will grow fast in number worldwide.
There are defense methods against ARP spoofing, one of the most common being ARPWATCH, a tool that listens for ARP replies on a network. It builds a table of IP/MAC associations and stores them in a file. Whenever the MAC address associated with an IP changes, an email is sent to the administrator.
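The ARP reply format described in the "What is ARP" section and the arpwatch-style check mentioned just above, as an added Python example that is not part of the original article: it decodes raw 28-byte ARP payloads (Ethernet/IPv4) and keeps the IP-to-MAC table an ARP cache would build, flagging the two symptoms of the poisoning shown in the host table example: an IP whose MAC changes, and one MAC answering for several IPs. The packets are constructed in memory with the article's addresses (ABCDEF000001..03 written as ab:cd:ef:00:00:01..03); nothing is sent or captured, and `ArpWatcher`, `parse_arp` and `run_demo` are names chosen here.

```python
"""ARP reply monitor: decode ARP packets and report cache-poisoning symptoms."""
import struct

# ARP payload layout for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
OP_REQUEST, OP_REPLY = 1, 2


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def ip_str(raw):
    return ".".join(str(x) for x in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Construct a 28-byte ARP payload; used only to make the sample input below."""
    return ARP_HDR.pack(1, 0x0800, 6, 4, oper,
                        _mac_bytes(sha), _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))


def parse_arp(payload):
    """Decode an ARP payload; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_HDR.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatcher:
    """Keeps the IP -> MAC table an ARP cache would build and reports anomalies."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, pkt):
        """Feed one decoded packet; returns the alerts it raised (possibly none)."""
        if pkt["op"] != OP_REPLY:
            return []  # only replies carry the binding that poisons a cache
        ip, mac = pkt["spa"], pkt["sha"]
        raised = []
        old = self.table.get(ip)
        if old is not None and old != mac:
            raised.append(f"flip: {ip} moved from {old} to {mac}")
        self.table[ip] = mac
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            raised.append(f"one MAC for many IPs: {mac} answers for {', '.join(claimed)}")
        self.alerts.extend(raised)
        return raised


A_MAC, B_MAC, C_MAC = "ab:cd:ef:00:00:01", "ab:cd:ef:00:00:02", "ab:cd:ef:00:00:03"
A_IP, B_IP, C_IP = "192.168.0.1", "192.168.0.2", "192.168.0.3"

# Constructed sample traffic: C's request, the genuine replies from A and B,
# then the two forged replies the poisoning step described above would produce.
SAMPLE_PACKETS = [
    build_arp(OP_REQUEST, C_MAC, C_IP, "00:00:00:00:00:00", A_IP),
    build_arp(OP_REPLY, A_MAC, A_IP, C_MAC, C_IP),
    build_arp(OP_REPLY, B_MAC, B_IP, C_MAC, C_IP),
    build_arp(OP_REPLY, C_MAC, B_IP, A_MAC, A_IP),  # "B's IP is at C's MAC", sent to A
    build_arp(OP_REPLY, C_MAC, A_IP, B_MAC, B_IP),  # "A's IP is at C's MAC", sent to B
]


def run_demo(packets=SAMPLE_PACKETS):
    """Run the watcher over the sample packets and return it for inspection."""
    watcher = ArpWatcher()
    for raw in packets:
        watcher.observe(parse_arp(raw))
    return watcher


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert)
```

On a real network the watcher would be fed from a span port or a raw socket; the "flip" alert is exactly what arpwatch mails the administrator about, and the "one MAC for many IPs" condition is what the man-in-the-middle setup above looks like from the outside, since both targets' IPs end up bound to the attacker's card.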

htaccess Tricks
Posted on April 10, 2011
htaccess is used for many custom configurations of a web site. It is a plain text file that should be placed in the DocumentRoot of your web site to achieve a variety of effects.

Various directives can be used in this file to do different things. Generally htaccess is used for password protection of the directories on a web site.

To use these features on a site, we need to create a file named .htaccess in plain text. It takes a single directive per line. Upload this file to your DocumentRoot and you get the desired results according to the directives used.

This article is about advanced htaccess techniques such as redirection and PHP directives.

PHP & HTACCESS

In the case of shared hosting, the site owner does not have root or administrator rights to change the PHP directives according to his site's code. E.g. some developers like to use "safe_mode on" while others like "safe_mode off".

Now what if /etc/php.ini has "safe_mode off" and you need "safe_mode on" for your site? Since you don't have root/administrator rights on a shared server, you cannot change this in the /etc/php.ini file on the server.

In this case .htaccess file is very important for you.

You have to use the php_flag directive to set the desired PHP flags for your site's DocumentRoot, no matter what is in the /etc/php.ini file.

If you want to use "safe_mode on", just use the following directive in the .htaccess file:

php_flag safe_mode on

similarly,

php_flag magic_quotes_gpc on

php_value register_globals on

Not only this, you can also customize your DocumentRoot options beyond the global settings of your Apache web server.

# AddEncoding x-gzip gz

i.e. your web server is not using this directive in its main configuration file, but you want to use it for your site; again the .htaccess file will help you here, just enter the following in this file:

AddEncoding x-gzip gz

AddEncoding x-compress Z

Many such directives can be used to enhance the working features of your site.

Some important directives I am going to explain here.

Action

Syntax: Action mime-type cgi-script

This directive adds an action, which will activate cgi-script when a file of content type mime-type is requested. It sends the URL and file path of the requested document using the standard CGI PATH_INFO and PATH_TRANSLATED environment variables.

AddDescription

Syntax: AddDescription string file file …..

This sets the description to display for a file, for FancyIndexing. File is a file extension, partial filename, wild-card expression or full filename for files to describe. String is enclosed in double quotes (").
Example:

AddDescription "The mother" /pics/earth.gif

AddEncoding

Syntax: AddEncoding mime-enc extension extension….

The AddEncoding directive adds to the list of filename extensions which filenames may end in for the specified encoding type. Mime-enc is the mime encoding to use for documents ending in extension.

Examples:

AddEncoding x-gzip gz
AddEncoding x-compress Z

This will cause files ending in .gz to be marked as encoded using the x-gzip encoding, and .Z files to be marked as encoded with x-compress.

AddIcon

Syntax: AddIcon icon name name ….

This sets the icon to display next to a file ending in name for FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

Name is either ^^DIRECTORY^^ for directories, ^^BLANKICON^^ for blank lines (to format the list correctly), a file extension, a wildcard expression, a partial filename or a complete filename.
Examples:

AddIcon (IMG,/icons/image.xbm) .gif .xbm
AddIcon /icons/dir.xbm ^^DIRECTORY^^
AddIcon /icons/backup.xbm *~

AddIconByType should be used in preference to AddIcon, when possible.

AddIconByType

This sets the icon to display next to files of type mime-type for FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

Mime-type is a wildcard expression matching the required mime types.
Example:

AddIconByType (IMG,/icons/sd.xbm) image/*

AddType

Syntax: AddType type ext

Context: .htaccess

The AddType directive allows you to add a mime type to your site.

Example:

AddType application/x-httpd-xx xx

ErrorDocument

Syntax: ErrorDocument error-code document

In the event of a problem or error, Apache can be configured to do one of four things:

1. behave like NCSA httpd 1.3
2. output a customized message
3. redirect to a local URL to handle the problem/error
4. redirect to an external URL to handle the problem/error

2-4 are configured using ErrorDocument, which is followed by the HTTP response code and a message or URL.

Messages in this context begin with a single double-quote character ("), which does not form part of the message itself. Apache will sometimes offer additional information regarding the problem/error.

URLs will begin with a slash (/) for local URLs, or will be a full URL which the client can resolve.

Examples:

ErrorDocument 500 /cgi-bin/tester
ErrorDocument 404 /cgi-bin/bad_urls.pl
ErrorDocument 401 http://www2.foo.bar/subscription_info.html
ErrorDocument 403 "Sorry can't allow you access today

Files

The <Files> directive provides for access control by filename. It is comparable to the <Directory> and <Location> directives. It should be matched with a </Files> directive. Directives that apply to the filename given should be listed within. <Files> sections are processed in the order they appear in the configuration file, after the <Directory> sections and .htaccess files are read, but before <Location> sections.

Unlike <Directory> and <Location> sections, <Files> sections can be used inside .htaccess files. This allows users to control access to their own files, at a file-by-file level. When used in an .htaccess file, if the filename does not begin with a / character, the directory being applied will be prefixed automatically.

Redirect

Syntax: Redirect url-path url

The Redirect directive maps an old URL into a new one. The new URL is returned to the client which attempts to fetch it again with the new address.

Example:

Redirect /service http://foo2.bar.com/service

If the client requests http://myserver/service/foo.txt, it will be told to access http://foo2.bar.com/service/foo.txt instead.

RedirectTemp

Syntax: RedirectTemp url-path url

This directive tells the client that the redirect is only temporary (status 302). Exactly equivalent to Redirect temp.

RedirectPermanent

Syntax: RedirectPermanent url-path url

Context: directory, .htaccess

This directive tells the client that the redirect is permanent (status 301). Exactly equivalent to Redirect permanent.

XBitHack

Syntax: XBitHack status

The XBitHack directive controls the parsing of ordinary HTML documents. Status can have the following values:

off
No special treatment of executable files.

on
Any file that has the user-execute bit set will be treated as a server-parsed HTML document.

full
As for on, but also test the group-execute bit. If it is set, then set the Last-modified date of the returned file to be the last modified time of the file. If it is not set, then no last-modified date is sent. Setting this bit allows clients and proxies to cache the result of the request.

NETWORK DEBUGGING..

Network debugging….
A) Tcpdump: a packet analyzer.
Note: tcpdump filter expressions use || (or), && (and) and ! (not).
i) Show source and destination for port 80 on eth0, 10 packets:
# tcpdump -c 10 port 80 -i eth0

ii) # tcpdump dst 192.168.1.2 or dst 192.168.1.3 or dst 192.168.1.3 and tcp port 80

iii) You can use Wireshark to get a clearer picture of a tcpdump capture (saved with -w):
# tcpdump -w savingfile.txt
You can read the file using
# tcpdump -r savingfile.txt

iv) # tcpdump -n host 192.168.1.2 and src 122.53.66.20 and ! port 22
(-n: print IP addresses without resolving them to names.)

====================================================================

B) Network issues:
i) Trace the complete route:
# traceroute google.com
ii) Add a default gateway if not already present (check with route -n):
# route add default gw 192.168.1.254 eth0
iii) Add an IP address/netmask:
# ifconfig eth0 192.168.1.13 netmask 255.255.255.0
iv) Look up the local IP address (equivalent to host `hostname`):
# hostname -i

NETWORK BONDING…

Network Bonding
Bonding: bonding allows you to aggregate multiple ports into a single group, such that you can aggregate the 3MB ports of 3 cards (1MB each). This provides fault tolerance as well as load balancing.
————————————————————————————————
First check whether the bonding driver is installed and the 'ifenslave' user-level control program is installed. If not, configure the kernel with 'make menuconfig', then select "configure drivers with modules" -> "Network device support" -> "Bonding driver support".
=====================================================================
Now enable the modules:-
# vi /etc/modprobe.conf
alias bond0 bonding
alias bond1 bonding
options bond0 max_bonds=2 miimon=100 mode=1
options bond1 miimon=100 mode=0

——————————————————————————————-
max_bonds= Specifies the number of bonding devices to create for this bonding driver.
miimon= Specifies the MII link monitoring frequency in milliseconds. This determines how often the link state of each slave is inspected for link failure. 0 disables MII link monitoring.
primary= Specifies which slave device will always be active.
——————————————————————————————-
# modprobe bond0 bonding
(to load module without restart)

Configure the devices:
# cd /etc/sysconfig/network-scripts
# vi ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=NO

# vi ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=NO

# vi ifcfg-bond0
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
NETWORK=192.168.1.0
NETMASK=255.255.255.0
IPADDR=192.168.1.2
USERCTL=NO

# vi ifcfg-bond1
DEVICE=bond1
BOOTPROTO=none
ONBOOT=yes
NETWORK=192.168.1.0
NETMASK=255.255.255.0
IPADDR=192.168.1.3
USERCTL=NO

Confirm: # cat /proc/net/bonding/bond0
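The "Confirm" step above, as an added Python example that is not from the original post: it parses the report that `cat /proc/net/bonding/bond0` prints and answers the questions an operator has after bringing a bond up: does the mode match the `mode=` set in modprobe.conf, is every enslaved NIC present with its link up, and is `miimon` non-zero (with miimon=0 the driver never notices a dead slave). The report text is constructed for the demo; its field names follow the bonding driver's output, and `parse_bonding_report` and `check_bond` are names chosen here.

```python
"""Health check for a bonding device from its /proc/net/bonding/<bond> report."""

# Mode names as the bonding driver prints them, indexed by the numeric mode.
MODE_NAMES = {
    0: "load balancing (round-robin)",
    1: "fault-tolerance (active-backup)",
    2: "load balancing (xor)",
    3: "fault-tolerance (broadcast)",
    4: "IEEE 802.3ad Dynamic link aggregation",
    5: "transmit load balancing",
    6: "adaptive load balancing",
}

# Constructed sample report: bond0 in mode 1 with eth1's link down.
SAMPLE_BOND0 = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55
Slave queue ID: 0

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:66
Slave queue ID: 0
"""


def parse_bonding_report(text):
    """Split the report into the bond's own fields and one dict per slave."""
    master, slaves, current = {}, [], None
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank lines separate the sections
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Slave Interface":
            current = {"name": value}
            slaves.append(current)
        elif current is not None:
            current[key] = value
        else:
            master[key] = value
    return master, slaves


def check_bond(text, expected_mode, expected_slaves):
    """Return a list of problems; an empty list means the bond looks healthy."""
    master, slaves = parse_bonding_report(text)
    problems = []
    if master.get("Bonding Mode") != MODE_NAMES[expected_mode]:
        problems.append(f"mode is '{master.get('Bonding Mode')}', expected mode={expected_mode}")
    if master.get("MII Status") != "up":
        problems.append("bond MII status is not up")
    if int(master.get("MII Polling Interval (ms)", "0")) == 0:
        problems.append("miimon is 0: link failures will not be detected")
    seen = {s["name"] for s in slaves}
    for name in expected_slaves:
        if name not in seen:
            problems.append(f"slave {name} is not enslaved")
    for s in slaves:
        if s.get("MII Status") != "up":
            problems.append(f"slave {s['name']} link is down "
                            f"(failures so far: {s.get('Link Failure Count', '?')})")
    return problems


if __name__ == "__main__":
    for problem in check_bond(SAMPLE_BOND0, 1, ["eth0", "eth1"]):
        print(problem)
```

To use it on a live box, read the file instead of the sample: `check_bond(open("/proc/net/bonding/bond0").read(), 1, ["eth0", "eth1"])`. A bond that reports the right mode with both slaves up is the state to expect after the ifcfg files above are applied; a slave that is missing from the report usually means its MASTER=/SLAVE= lines were not picked up.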

————————————————————————————————

Modes:
i) balance-rr or 0 (default): Round-robin policy. Transmit packets in sequential order. Provides load balancing and fault tolerance.
ii) active-backup or 1: Only one slave in the bond is active.
iii) balance-xor or 2: XOR policy. This selects the same slave for each destination MAC address. Provides fault tolerance and load balancing.
iv) broadcast or 3: Transmit everything on all slave interfaces. Provides fault tolerance.
v) 802.3ad or 4: Only for IEEE 802.3ad link devices.
vi) balance-tlb or 5: Transmit load balancing. The outgoing traffic is distributed according to the current load on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed slave.
vii) balance-alb or 6: Adaptive load balancing = TLB + receive load balancing. The bonding driver intercepts the ARP replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond, such that different peers use different hardware addresses for the server.

XEN Networking: "Bridging plus VLAN"

Xen Networking: Bridging plus VLAN
A bridge is a device that separates two or more network segments within one logical network (e.g. a single IP subnet). The job of the bridge is to examine the destination of the data packets one at a time and decide whether or not to pass the packets to the other side of the Ethernet segment. The result is a faster, quieter network with fewer collisions. The bridging code decides whether to bridge data or to drop it not by looking at the protocol type (IP, IPX, NetBEUI), but by looking at the MAC address unique to each NIC.

Preliminary steps:

>) The first step is to remove the libvirt default.xml file, which creates a NAT bridge that we don't recommend.
# rm -f /etc/libvirt/qemu/networks/autostart/default.xml
Now reboot to get rid of the virbr0 that ifconfig shows.

>) Since we are going to configure the network manually, we don't want Xen to mess with the configuration. In order to keep Xen from reconfiguring the network, simply make sure none of the following lines appear uncommented in the file /etc/xen/xend-config.sxp:
(network-script network-bridge)
(network-script network-route)
(network-script network-nat)

Configuration:
This can be accomplished with the brctl command too (brctl addbr xenbr2), but let's do the configuration part ourselves, to have full control and to be independent of possible future naming changes in Xen.
————————–
# vi /etc/sysconfig/network-scripts/ifcfg-xenbr0
DEVICE=xenbr0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.10
NETMASK=255.255.255.0
DELAY=0
STP=off

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BRIDGE=xenbr0
HWADDR=00:23:CD:B2:02:D1
ONBOOT=yes
BOOTPROTO=none
HOTPLUG=no
———————-

Setting up the VLAN interfaces and add them up to the existing bridging interfaces:
This can be done manually by invoking vconfig add |ifname| |vlan| to configure VLAN number |vlan| using 802.1q tagging on interface |ifname|. This activates a virtual interface named |ifname|.|vlan|:
# vconfig add eth0 2
# vconfig add eth0 10
Such that:
> Any traffic sent to this interface will get tagged for VLAN |vlan|.
> Any traffic received from interface |ifname| carrying an 802.1q VLAN tag matching |vlan| will be untagged and received by this interface.

Once the VLAN interfaces are ready, we add them to their corresponding bridging interfaces by using brctl addif |brname| |ifname|.|vlan|, or, as said earlier, through ifcfg files:
—————————–
# vi /etc/sysconfig/network-scripts/ifcfg-xenbr0_2
DEVICE=xenbr0_2
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
DELAY=0
STP=off
[* Due to an incompatibility in recent Xen versions, you cannot use a dot (.) instead of an underscore (_) in the xenbr0_2 bridge interface name.]

# vi /etc/sysconfig/network-scripts/ifcfg-eth0.2
DEVICE=eth0.2
ONBOOT=yes
BOOTPROTO=none
BRIDGE=xenbr0_2
HOTPLUG=no
VLAN=yes
—————————-

***JOB DONE***
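A consistency check over the ifcfg files described in this section, as an added Python example rather than anything from the original post. It verifies the things that silently break a bridge-plus-VLAN setup: every BRIDGE= reference names a device declared with TYPE=Bridge, every VLAN=yes device is named <parent>.<vlan> with a parent that has its own file, bridge names use an underscore rather than a dot (the Xen naming caveat above), and a NIC enslaved to a bridge carries no IPADDR of its own. The file contents are constructed in memory from the fragments above, and one BRIDGE= value is deliberately misspelled so the check has something to report; `parse_ifcfg` and `check_network_scripts` are names chosen here.

```python
"""Lint the ifcfg-* files of a bridge-plus-VLAN setup before restarting the network."""
import re

# Constructed sample: the four files from the section above, with one deliberate
# mistake (eth0.2 references a bridge that no file declares).
SAMPLE_FILES = {
    "ifcfg-xenbr0": "DEVICE=xenbr0\nTYPE=Bridge\nONBOOT=yes\nBOOTPROTO=static\n"
                    "IPADDR=192.168.1.10\nNETMASK=255.255.255.0\nDELAY=0\nSTP=off\n",
    "ifcfg-eth0": "DEVICE=eth0\nBRIDGE=xenbr0\nHWADDR=00:23:CD:B2:02:D1\n"
                  "ONBOOT=yes\nBOOTPROTO=none\nHOTPLUG=no\n",
    "ifcfg-xenbr0_2": "DEVICE=xenbr0_2\nTYPE=Bridge\nONBOOT=yes\nBOOTPROTO=none\n"
                      "DELAY=0\nSTP=off\n",
    "ifcfg-eth0.2": "DEVICE=eth0.2\nONBOOT=yes\nBOOTPROTO=none\nBRIDGE=xenbr0_24\n"
                    "HOTPLUG=no\nVLAN=yes\n",
}


def parse_ifcfg(text):
    """Parse KEY=value lines (comments and blanks skipped) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_network_scripts(files):
    """files maps file name -> contents. Returns a list of problem strings."""
    devices = {name[len("ifcfg-"):]: parse_ifcfg(text)
               for name, text in files.items() if name.startswith("ifcfg-")}
    bridges = {dev for dev, cfg in devices.items() if cfg.get("TYPE") == "Bridge"}
    problems = []
    for dev, cfg in devices.items():
        if cfg.get("DEVICE", dev) != dev:
            problems.append(f"{dev}: DEVICE={cfg.get('DEVICE')} does not match the file name")
        if dev in bridges and "." in dev:
            problems.append(f"{dev}: bridge names must use '_' rather than '.'")
        target = cfg.get("BRIDGE")
        if target is not None:
            if target not in bridges:
                problems.append(f"{dev}: BRIDGE={target} is not a declared bridge")
            if cfg.get("IPADDR"):
                problems.append(f"{dev}: enslaved to {target} but also carries IPADDR")
        if cfg.get("VLAN", "").lower() == "yes":
            match = re.fullmatch(r"(\S+?)\.(\d+)", dev)
            if not match:
                problems.append(f"{dev}: VLAN=yes but name is not <parent>.<vlan>")
            elif match.group(1) not in devices:
                problems.append(f"{dev}: parent interface {match.group(1)} has no ifcfg file")
    return problems


if __name__ == "__main__":
    for problem in check_network_scripts(SAMPLE_FILES):
        print(problem)
```

Against a real host, build the `files` dict by reading `/etc/sysconfig/network-scripts/ifcfg-*`; running the check before `service network restart` catches the dangling BRIDGE= reference, which otherwise only shows up as a VLAN interface that comes up but carries no traffic.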
=======================================================================

When working with Xen networking, you are usually asked to comment out "network-bridge" and leave "vif-bridge" uncommented. Below is the reason:

network-bridge:
When xend starts up, it runs the network-bridge script, which:
- creates a new bridge named xenbr0
- brings the "real" Ethernet interface eth0 down
- copies the IP and MAC addresses of eth0 to the virtual network interface veth0
- renames the real interface eth0 to peth0
- renames the virtual interface veth0 to eth0
- attaches peth0 and vif0.0 to bridge xenbr0. Note that in Xen 3.3, the default bridge name is the same as the interface it is attached to, e.g. bridge name eth0, eth1 or ethX.VlanID
- brings the bridge, peth0, eth0 and vif0.0 up.
It is good to have the physical interface and the dom0 interface separated; thus you can, e.g., set up a firewall on dom0 that does not affect the traffic to the domUs (protecting dom0 alone).

vif-bridge:
When a domU starts up, xend (running in dom0) runs the vif-bridge script, which:
- attaches vif.0 to xenbr0
- brings vif.0 up
=====================================================================
Extra:

a) Sometimes UDP traffic gets stuck in the network stack and does not flow unless we load the ip_conntrack.ko kernel module.
Without the ip_conntrack.ko kernel module loaded, even with an unconfigured, empty firewall, ICMP and TCP traffic flows from and to the guest network stack, but UDP traffic, like DNS queries, gets stuck and does not even reach the physical network interface.

b) The bridging interface, |brname| is named after the following convention: xenbr|vlan|:
e.g. xenbr2 is the bridging interface standing on VLAN2.

c) Xen manages several virtual network interfaces, named in the form of vif|X|.|Y|, where |X| equals the Xen domain numeric ID and |Y| is a sequential interface index.