
Re: many to many dup-to option?

> > switch1---|                      |--IDS
> > switch2---|--traffic aggregator--|--ntop
> > switch3---|                      |--ethereal
> >                                  |--etc...
> You state that collisions on your hub, sitting in the "traffic
> aggregator" position are causing your switches to disable their span ports.
> Is the issue the collisions themselves, or just the switches disabling
> the ports?
Both things you mentioned are issues for me, but the switches
disabling the ports are my primary concern since losing my main
traffic feed is a bit of a show stopper.  Every time there is a
collision I am losing traffic into a black hole.  This is because a
SPAN session will not retransmit a collided packet as far as I know,
therefore the IDS never sees a small but potentially important part of
my traffic.
> If it's the ports, then couldn't you use your obsd dup-to box to
> aggregate the traffic, and put the hub AFTER it?
I'm going to give this a try, I think it is essentially the same idea
that the previous responder on this list had.
> Alternatively, how about a "hub matrix" (as it seems to me, if you have
> enough traffic to swamp a hub, your obsd box would have to be so buff
> as to rival netoptics taps in expense):
> switch1 --- hub1 -|--- IDS(int1)
>                   |--- ntop(int1)
>                   |--- etc(int1)
> switch2 --- hub2 -|--- IDS(int2)
>                   |--- ntop(int2)
>                   |--- etc(int2)
This is no good because then I need to either have multiple
IDS/ntop/ethereal boxes doing the same job or at a minimum have
multiple network cards in each box.  In either case, I think this
setup is a little more complex than I'm looking for.  More importantly
I'm trying to make something that I can scale up to more traffic feeds
and destinations without a total redesign.
I think for the time being I'm going to try running all my traffic
feeds to a switch, and then have that feed SPANned to a hub that is
only receiving traffic from one source, which will hopefully allow it
to duplicate the traffic without the collisions.
I'll let the list know how it works out (if it works).
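For reference, here is an added pf.conf fragment (not from this thread or any of its posters) for the "dup-to box aggregating, hub after it" arrangement quoted above. It assumes an OpenBSD box with one SPAN feed per interface on em1, em2 and em3 and the hub on em0, with the interfaces bridged so pf sees every frame; the interface names and the 192.0.2.1 next-hop address are placeholders. It also shows the limitation behind the subject line: each pf rule has exactly one dup-to target, so the one-feed-to-many-sniffers fan-out still has to happen on the hub (or a tap), not in pf.

```pf
# Added example, not from the thread. Assumed layout: SPAN feeds arrive on
# em1/em2/em3 (one per switch), the hub with IDS/ntop/ethereal hangs off em0,
# and all four interfaces are bridge(4) members so pf filters the frames.
span_ifs = "{ em1 em2 em3 }"
hub_if   = "em0"

# dup-to needs a next-hop address on the hub segment. 192.0.2.1 is a dummy
# address (assumption) with a static ARP entry on this box, e.g.
#   arp -s 192.0.2.1 00:00:5e:00:53:01
# so the copies are put on the wire toward the hub although no host answers.
hub_nexthop = "192.0.2.1"

# Aggregate: copy every packet seen on any SPAN feed out the hub interface.
# One rule, one dup-to target; the hub duplicates it to each sniffer.
pass in quick on $span_ifs dup-to ($hub_if $hub_nexthop)

# Because the feeds are now aggregated here, the hub only receives frames
# from this single source (em0), which is the point of the design above.
```

Note that the copies made by dup-to are emitted on the hub side regardless of whether the original packet is otherwise passed or dropped by later rules, so this box adds no filtering of its own; the IDS behind the hub still sees the full feed.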