RE: Can anyone recommend a small port-mirroring switch?

[Martin Olsson <elof () sentor se>]

The reason to buy a small swith instead of bying a tap is that a switch
is much cheaper than a "single NIC tap".

It seems like you even can get a switch with one or two gigabit ports for
a low cost, then you should be able to mirror both directions of a 100Mbps
port  to a 1Gbps port without any problem (100M + 100M < 1G).

In Sweden, a "single NIC tap" costs 12000 SEK ($1700) while a small switch
costs ~ 2500 SEK ($350).

There you have your reason. :-)

The environment where this particular snort is to be located isn't
important enough to spend those extra $1350 for the tap.

/Martin



On Wed, 6 Oct 2004, Eric Hines wrote:
> Can you help me understand as to why you would purchase a switch capable of
> doing port mirroring? The reason people implement Taps most often than not
> is to eliminate the need to do port mirroring, which degrades the
> performance of your switch.
>
>
> [switch]--[tap]----[router]
>             |
>           [snort]
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> Applied Watch Technologies, Inc.
> http://www.appliedwatch.com
> Direct: (877) 262-7593 x327
> 1134 N. Main St.
> Algonquin, IL 60102
>
>
>
>
> -----Original Message-----
> From: Martin Olsson [mailto:elof () sentor se]
> Sent: Wednesday, October 06, 2004 9:58 AM
> To: snort-users mailinglist
> Subject: [Snort-users] Can anyone recommend a small port-mirroring switch?
>
>
> Thanks for the responses to my previous mail.
>
>
> Ok, now I know of NetOptics taps, both the normal one that need a bond0 on
> my snort machine and the "Port Aggressor" model that let me sniff using a
> single NIC.
>
> If we continue on the single NIC approach... Could anyone recommend a small
> (and preferably cheap) switch that can mirror traffic?
>
> All I need is three 100Mbps ports really:
>
>   A----Switch----B
>          |
>        Snort
>
> (I know that A+B will never (or very seldom) total more than 100Mbps)
>
>
>
> I have only worked with "real" switches like Cisco Catalyst 3500, so I have
> no frame of reference as to where to begin looking. I don't want to buy
> cheap crappy stuff that overheat and die after a week.
>
> What switch brand and model should I take a look at?
>
> /Martin
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal Use
> IT products in your business? Tell us what you think of them. Give us Your
> Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users