
many to many dup-to option?



I'd like to aggregate traffic coming in on several interfaces into one
'pool' of traffic and then send a copy of this traffic to multiple
hosts.  I don't know if this is currently possible, and was wondering
if it is even remotely on the radar of the developers?
Essentially I have multiple SPAN ports coming in from a few switches,
which I would like to aggregate into one feed and then forward to an
IDS, Protocol analyzer, etc.
I've been using a simple hub to aggregate feeds and forward them to
multiple hosts, but excessive collisions are disabling my SPAN ports,
so I need a better way of duplicating traffic.  The key here is it
needs to be many to many:
switch1---|                       |--IDS
switch2---|--traffic aggregator---|--ntop
switch3---|                       |--ethereal
                                  |--etc...
I may be able to do this in an inelegant way, but I haven't tested to
see if it works, or if PF just isn't yelling at me for being dumb:
ext_if="fxp0"     # traffic feed 1 (SPAN port)
int_if="xl0"      # traffic feed 2 (SPAN port)
ids_if="xl1"      # port to feed traffic to for IDS / analysis
ids_if2="xl2"     # port to feed traffic to for IDS / analysis
..
# dup-to sends a copy of each matching packet out the named interface.
# Without "quick", pf applies the last matching rule, so a packet arriving
# on $ext_if is matched by both $ext_if rules and only the $ids_if2 copy is sent.
pass in on $ext_if dup-to $ids_if
pass in on $ext_if dup-to $ids_if2
pass in on $int_if dup-to $ids_if
pass in on $int_if dup-to $ids_if2
If this is a viable option, it would be nice to have the syntax be like
pass in on ($ext_if $int_if) dup-to ($ids_if $ids_if2)
But that's just a wishlist item and doesn't really matter.
Will this actually work as I described?  pfctl takes these configs and
happily loads it, but I wonder if there is a better way to do this.  I
haven't been able to find a switch that allows multiple destinations
for a single SPAN session.  I think I could combine a netoptics
spyderswitch to aggregate the feeds and then a regeneration tap to
spread it back out to multiple analysis boxes simultaneously, but that
would cost many thousands of dollars.  Wouldn't it be nice if PF could
do this? :)
Matt
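An added example, not from the post above, showing how far pf's existing syntax gets toward the wished-for rule. pf already accepts a list of interfaces after "on", which pfctl expands into one rule per interface at load time; "dup-to" itself still names a single interface. The interface names are the post's own macros and are assumed here.

```pf
# Added example (not the original poster's config).  Interface names are
# assumed to match the post: fxp0/xl0 are SPAN feeds, xl1/xl2 go to analysis boxes.
feed_ifs = "{ fxp0 xl0 }"   # a list on the "on" side expands to one rule per interface
ids_if   = "xl1"
ids_if2  = "xl2"

# Copy every packet arriving on either feed out to the first analysis port.
# pfctl expands this into "pass in on fxp0 dup-to xl1" and "pass in on xl0 dup-to xl1".
pass in on $feed_ifs dup-to $ids_if

# Caveat: dup-to takes one interface, and pf applies the last matching rule
# unless "quick" is used.  Uncommenting the rule below would therefore
# replace the copy to xl1 with a copy to xl2 for every packet matching both,
# not add a second copy.
# pass in on $feed_ifs dup-to $ids_if2
```

To see exactly what a ruleset expands to without loading it, run `pfctl -nvf /etc/pf.conf`: `-n` parses only, `-v` prints each expanded rule, so the list macro above shows up as two separate `pass in` rules.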