[Snort-users] Configuring Cisco switches...
erek at ...577...
Fri Sep 21 07:33:05 EDT 2001
On Fri, 21 Sep 2001, Bryan Childs wrote:
> Ok - after talking to my net admin chappy - he has another question, and I
> quote :
> "it would be better to ask of the best way to set up an ethernet network to
> optimise your chances of capturing information whilst maintaining high
> performance switched networks"
> and he said to ignore any smart arses that suggested going back to using
> hubs :)
> Well ?
Well, I can't say 'Use a Hub' so... I'll say use a tap.
> Anyone got any good advice on this...
> On the face of it - turning on the port mirroring on the switch sounds like
> it will do the job - but will anything suffer noticeably after we've done
> it? (Apart from the snort box, we're expecting that!)
OK, serious answer here (Yeah, I know, it's not like me... :) : The switch
processor and backplane are the main factor in losing network
performance. If your switch is a billy-bad-ass 6509, for example, and you only
have 5mb of traffic, then you'll be fine. If it's a 2924 and you're pushing
70mbs, you might have issues.
If you want to skip the switch, you could use a Shomiti Tap for it. Shomiti
just got acquired or name changed to Finisar Systems... You can find them
here: http://www.finisar-systems.com/products/taps_and_splitters.html The
cost is a bit high, but cheaper than a new switch if that's not an option.
Now, see why a hub is just simpler? ;-)