[Snort-users] Configuring Cisco switches...

Erek Adams erek at ...577...
Fri Sep 21 07:33:05 EDT 2001

On Fri, 21 Sep 2001, Bryan Childs wrote:

> Ok - after talking to my net admin chappy - he has another question, and I
> quote :
> "it would be better to ask of the best way to set up an ethernet network to
> optimise your chances of capturing information whilst maintaining high
> performance switched networks"
> and he said to ignore any smart arses that suggested going back to using
> hubs :)
> Well ?

Well, I can't say 'Use a Hub' so...  I'll say use a tap.

> Anyone got any good advice on this...
> On the face of it - turning on the port mirroring on the switch sounds like
> it will do the job - but will anything suffer noticeably after we've done
> it? (Apart from the snort box, we're expecting that!)

OK, serious answer here (Yeah, I know, it's not like me...  :) :  Depending on
the switch processor and backplane is the main factor in losing network
performance.  If you switch is a billy-bad-ass 6509, for example, and you only
have 5mb of traffic, then you'll be fine.  If it's a 2924 and you're pushing
70mbs, you might have issues.

If you want to skip the switch, you could use a Shomiti Tap for it.  Shomiti
just got aquired or name changed to Finisar Systems...  You can find them
here: http://www.finisar-systems.com/products/taps_and_splitters.html  The
cost is a bit high, but cheaper than a new switch if that's not an option.

Now, see why a hub is just simpler?  ;-)

Erek Adams

