Firewall Wizards mailing list archives

Re: Shomiti Taps, Cisco Port Mirroring and IDS
From: Paul Cardon <paul () moquijo com>
Date: Sat, 05 Jan 2002 10:44:33 -0500

Ryan Russell wrote:

No, using a hub could lead to collisions and loss of packets when
combining the two directions.  Use a switch that can queue the packets.


I would tend to disagree with that.  If a collision occurs, then no one
gets the frame, neither the IDS nor the intended recipient.  Any lost
frames by the IDS in that situation are the fault of the IDS.  On the
other hand, because of the fact that switches do buffering and selective
forwarding, there IS an opportunity for a frame to not get copied to the
IDS.


I think you misunderstood what I was saying. I didn't mean to say that a switch or a hub should replace the tap. I was saying that instead of aggregating the two tap outputs into a hub, they should be aggregated into a switch. I apparently was too terse in my response.

If you are tapping a full-duplex link then both directions of the original link get stuffed into the hub going in the same direction (full-duplex -> simplex) hence the potential for collision. However, the collision occurs only on the hub where the two outputs from the tap are aggregated because the tap is a completely passive device and does not interfere with the original link in any way, so it is not true that the intended recipient will miss the frame, only the IDS will.

You are correct that with a switch, if the total traffic seen on the full-duplex connection exceeds what the aggregation switch can buffer then the IDS will not see all frames.

-paul

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
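A toy model of the aggregation choice argued in this thread, added here as an example and not taken from the list post or from any tap or switch vendor: the two simplex outputs of a passive full-duplex tap are fed into either a hub (overlapping frames collide and the IDS loses both) or a switch monitor port with a finite buffer (frames that do not fit are dropped). Frame sizes, burst patterns and buffer depths are constructed sample values, and the switch is an assumed simple fluid queue, not any product's behaviour.

```python
"""Toy model of feeding the two simplex outputs of a passive full-duplex tap into
either a hub or a switch. Time is in bit-times of the tapped link, so the switch's
monitor port (same speed) drains one bit per bit-time. Constructed values only."""

FRAME_BITS = 1500 * 8  # a full-size Ethernet frame on the wire


def burst(t0, n, bits=FRAME_BITS):
    """n back-to-back frames starting at bit-time t0, as (start, end) intervals."""
    return [(t0 + i * bits, t0 + (i + 1) * bits) for i in range(n)]


def hub_loss(dir_a, dir_b):
    """Hub model: both tap outputs are repeated onto one shared segment, so any
    overlap in time is a collision and the IDS loses both frames. The tapped
    link itself is untouched because the tap is passive; only the IDS misses them."""
    def collides(frame, others):
        return any(frame[0] < o[1] and o[0] < frame[1] for o in others)
    return (sum(collides(f, dir_b) for f in dir_a)
            + sum(collides(f, dir_a) for f in dir_b))


def switch_loss(dir_a, dir_b, buffer_bits, out_rate=1):
    """Switch model (assumed fluid queue): a frame is queued for the monitor port
    once fully received, the port drains out_rate bits per bit-time, and a frame
    that does not fit in the remaining buffer is dropped. Returns the drop count."""
    backlog, last_t, dropped = 0, 0, 0
    for start, end in sorted(dir_a + dir_b, key=lambda f: f[1]):
        backlog = max(0, backlog - (end - last_t) * out_rate)  # drained since last arrival
        last_t = end
        size = end - start
        if backlog + size > buffer_bits:
            dropped += 1
        else:
            backlog += size
    return dropped


def compare(buffer_frames):
    """Both directions burst at once: the worst case for either aggregation method."""
    a, b = burst(0, 10), burst(0, 10)
    return {"hub": hub_loss(a, b),
            "switch": switch_loss(a, b, buffer_frames * FRAME_BITS)}


if __name__ == "__main__":
    for depth in (3, 11):
        print(f"buffer of {depth} frames: {compare(depth)}")
```

With simultaneous bursts the hub loses every frame to collisions, while the switch loses only what exceeds its buffer and loses nothing once the buffer can absorb the combined burst, which is the trade-off the post describes.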
