Snort mailing list archives
Re: Hub recommendations
From: Matt Van Mater <matt.vanmater () gmail com>
Date: Thu, 2 Dec 2004 12:24:52 -0500
> I won't claim to fully grasp how it works, but the RSPAN ability in some Cisco switches sounds like what you want. Whatever you end up doing, I suspect there are more than a few of us who would like to hear how it works out.

I looked into RSPAN as well, and I think it has the same limitations
as SPAN where you can only define a single destination port for the
traffic feed. The main difference with RSPAN is that the source of
all your traffic and the destination port where you want it to end up
don't have to be on the same physical switch. Like you, I'm not an
expert but I've been reading up on this for a while so I think I've
got a pretty good grasp of it. :)
I have one other implementation idea on how to set this up more
cheaply than spending $50k or more on bunches of netoptics hardware:
Feed all your SPAN sessions into a Switch and then SPAN all your
traffic coming in on that switch to a single destination port. This
destination port connects to a netoptics regeneration tap or similar
device that makes copies of the aggregated data and sends it to
multiple devices. (I might be able to do this with OpenBSD's PF
dup-to option and save even more money)
It seems pretty simple and I don't know why I didn't suggest it
earlier. I think in a high load environment you would need some beefy
switches to support this, but I think the network analysis devices
will remain the bottleneck in the equation.

SPAN1---|                                                     |--IDS
SPAN2---|-----Cisco switch                                    |--ntop
SPAN3---|     SPAN--------netoptics regeneration tap----------|ethereal
SPANx---|                                                     |-...

Comments?
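
The aggregation step described in the message above, sketched as a Catalyst IOS-style configuration (an added example, not part of the original post; the interface names, session number and VLAN 999 are assumptions). Upstream SPAN feeds arrive on four ports, and one local SPAN session copies what they receive to the single port cabled to the regeneration tap.

```cisco
! Added example: aggregation switch for several upstream SPAN feeds.
! Interface names, session number and VLAN 999 are assumptions.
!
! Ports that receive the SPAN feeds from the production switches.
! An otherwise unused VLAN keeps the mirrored frames away from any
! production VLAN configured on this switch.
vlan 999
 name SPAN-AGGREGATION
!
interface range GigabitEthernet0/1 - 4
 description SPAN feed from production switch
 switchport mode access
 switchport access vlan 999
 no cdp enable
!
! One local SPAN session: copy everything received on the feed ports
! to the single destination port (SPAN allows only one here, which is
! why the regeneration tap does the fan-out).
monitor session 1 source interface GigabitEthernet0/1 - 4 rx
monitor session 1 destination interface GigabitEthernet0/24
!
! Gi0/24 is cabled to the regeneration tap, which copies the aggregate
! to the IDS, ntop and ethereal sensors.
!
! Check the session from exec mode with: show monitor session 1
```

The destination port has to carry the sum of all feeds; anything beyond its line rate is dropped before it reaches the tap, so the sensors see gaps rather than errors.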
