[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: many to many dup-to option?



Maybe you can to use multicast address as destination.

On Wed, 1 Dec 2004 14:55:38 -0500, Matt Van Mater <[email protected]> wrote:

I'd like to aggregate traffic coming in on several interfaces into one
'pool' of traffic and then send a copy of this traffic to multiple
hosts.  I don't know if this is currently possible, and was wondering
if it is even remotely on the radar of the developers?

Essentially I have multiple SPAN ports coming in from a few switches,
which I would like to aggregate into one feed and then forward to an
IDS, Protocol analyzer, etc.

I've been using a simple hub to aggregate feeds and forward them to
multiple hosts, but excessive collisions are disabling my SPAN ports,
so I need a better way of duplicating traffic.  The key here is it
needs to be many to many:

switch1---|                             |--IDS
switch2---|--traffic aggregator---|--ntop
switch3---|                             |--ethereal
                                            |--etc...

I may be able to do this in an inelegant way, but I haven't tested to
see if it works, or if PF just isn't yelling at me for being dumb:

ext_if="fxp0"  # traffic feed 1
int_if="xl0"     # traffic feed 2
ids_if="xl1"    #port to feed traffic to for IDS / analysis
ids_if2="xl2"    #port to feed traffic to for IDS / analysis
..
pass in on $ext_if dup-to $ids_if
pass in on $ext_if dup-to $ids_if2
pass in on $int_if dup-to $ids_if
pass in on $int_if dup-to $ids_if2

If this is a viable option, it would be nice to have the syntax be like
pass in on ($ext_if $int_if) dup-to ($ids_if $ids_if2)
But that's just a wishlist item and doesn't really matter.

Will this actually work as I described?  pfctl takes these configs and
happily loads it, but I wonder if there is a better way to do this.  I
haven't been able to find a switch that allows multiple destinations
for a single SPAN session.  I think I could combine a netoptics
spyderswitch to aggregate the feeds and then a regeneration tap to
spread it back out to multiple analysis boxes simultaneously, but that
would cost many thousands of dollars.  Wouldn't it be nice if PF could
to this? :)

Matt



-- Best Regards, Dan

Using Opera's revolutionary e-mail client: http://www.opera.com/m2/