Intrusion Detection Systems mailing list archives

RE: RE: IDS taps in a switched network


From: dnewman () networktest com (David Newman)
Date: Sat, 30 Oct 1999 18:07:03 -0400




Someone wrote:
> Um, the spy port is just ONE port. So what happens when I define a VLAN
> with, say, 24 ports and redirect all that traffic to one spy port? All those
> packets ain't gonna fit through that one little narrow doorway. ;-)

> That all depends on the aggregate bandwidth of the switch itself. Let's
> also remember that a 2924 switch has a 3.2 GB backplane.

The backplane rate is irrelevant. If the spy port operates at, say, 100
Mbit/s, then only 100 megabits per second can be passed to a monitor. Any
number of monitored ports greater than 1 will create an overload; as we all
know a system is only as fast as its slowest component, and in this case
that's the spy port.

Another thing: I haven't worked with Cisco VLANs in a while and I forget
whether they set up virtual or real collision domains. If the former (which
I suspect), the above comments apply. If the latter, then the speed of the
spy port isn't an issue since the entire VLAN offers an *aggregate* data
rate of 10 or 100 Mbit/s. But congratulations to the buyer of that
approach--he/she has just purchased a $20,000 (?) hub.

> To echo Ron's post, the Shomiti Tap solution is probably the best way to
> monitor traffic in a large enterprise. It is best used in conjunction
> with a 2900 switch.

In my experience the 5500s, 6000s, and 85X0s are less prone to frame loss
than the 29XX line (I've run those switches at line rate on all ports in a
full-mesh pattern for several minutes without frame loss, but I've seen
considerable loss when running the same test on a 2926).

I agree that the 12-Tap is an effective way to monitor 12 ports at a time.
But many enterprise switches (and virtually all boxes for ISPs and carriers)
have many more than 12 ports. In my opinion it's better to have
hardware-based monitoring built right into the switch.

David Newman
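The sizing argument in the message above (the spy/SPAN port, not the backplane, is the bottleneck; a shared-medium VLAN behaves like a hub whose aggregate never exceeds the medium rate) is easy to get wrong when planning a monitoring session. The following is an added example, not code from the list post or from any vendor: a small model of mirror-port oversubscription. It goes slightly beyond the post by treating each monitored port as full duplex, so a single 100 Mbit/s port whose receive and transmit directions are both copied can already offer 200 Mbit/s to a 100 Mbit/s destination. Port speeds, utilisation figures, the `direction` and `shared_medium` parameters and the assumption that excess mirrored frames are simply dropped are all hypothetical choices made for the illustration.

```python
"""Model oversubscription of a switch mirror (SPAN / "spy") port.

Added example, not from the original mailing-list post.
Hypothetical assumptions: link speeds in Mbit/s, utilisation as a 0..1
fraction per direction, both directions of a monitored port are copied when
direction="both", and whatever exceeds the destination port's rate is dropped.
"""
from dataclasses import dataclass


@dataclass
class MonitoredPort:
    name: str
    speed_mbps: float   # link rate of the monitored port, e.g. 100.0
    rx_util: float      # fraction of the link rate received on that port
    tx_util: float      # fraction of the link rate transmitted on that port


def mirrored_load_mbps(ports, direction="both", shared_medium=False):
    """Traffic the switch tries to copy toward the mirror destination.

    direction: "rx", "tx" or "both" (which directions of each port are copied).
    shared_medium: True models the "VLAN is one real collision domain" case,
    where every port shares a single medium and the aggregate can never exceed
    the fastest port's rate (the "$20,000 hub" case in the post).
    """
    if direction not in ("rx", "tx", "both"):
        raise ValueError("direction must be rx, tx or both")
    total = 0.0
    for p in ports:
        if direction in ("both", "rx"):
            total += p.speed_mbps * p.rx_util
        if direction in ("both", "tx"):
            total += p.speed_mbps * p.tx_util
    if shared_medium and ports:
        total = min(total, max(p.speed_mbps for p in ports))
    return total


def span_report(ports, span_speed_mbps, direction="both",
                shared_medium=False, backplane_gbps=None):
    """Return (offered_mbps, delivered_mbps, dropped_fraction).

    backplane_gbps is accepted only to make the post's point explicit: it never
    enters the calculation, because the mirror destination port is the
    slowest component on the path to the monitor.
    """
    offered = mirrored_load_mbps(ports, direction, shared_medium)
    delivered = min(offered, span_speed_mbps)
    dropped = 0.0 if offered == 0 else (offered - delivered) / offered
    return offered, delivered, dropped


def fast_ethernet_ports(count, rx_util, tx_util):
    """Constructed sample input: `count` identical 100 Mbit/s access ports."""
    return [MonitoredPort(f"Fa0/{i + 1}", 100.0, rx_util, tx_util)
            for i in range(count)]


if __name__ == "__main__":
    # 24 Fast Ethernet ports at a modest 30% load in each direction,
    # mirrored to one 100 Mbit/s spy port (figures constructed for the example).
    twenty_four = fast_ethernet_ports(24, 0.30, 0.30)
    print("24 ports, switched :", span_report(twenty_four, 100.0, backplane_gbps=3.2))
    # Same ports, but the VLAN is a single shared medium: nothing is lost at
    # the spy port, because the ports only get 100 Mbit/s between them.
    print("24 ports, hub-like :", span_report(twenty_four, 100.0, shared_medium=True))
    # One saturated full-duplex port is enough to oversubscribe the spy port.
    one = fast_ethernet_ports(1, 1.0, 1.0)
    print("1 port, both dirs  :", span_report(one, 100.0))
    print("1 port, rx only    :", span_report(one, 100.0, direction="rx"))
```

Reading the report: `offered` is what the switch would have to forward to the monitor, `delivered` is what actually fits through the destination port, and `dropped` is the fraction the IDS never sees. A tap avoids the problem because it presents each direction of the link on its own output rather than funnelling everything through one port.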


