[Snort-users] Switched Network Woes - Update
joe at ...3851...
Wed Jan 30 13:08:07 EST 2002
Just a quick update for everyone who helped out or read my FW cluster problem a few weeks back..
Briefly, I went from 1 FW to 2 (rainwall cluster) and from 2 if to 4, and soon to be 6 or 8.. and I was not sure how I could keep tabs on the net w/o using n+1 NIC cards.. (a drag to build, and a waste of datacenter patch bays IMHO..)
The clean fix was to upgrade the FW & SW rev on the switches (Bay 450's) - the latest code allows sniffing <-->Port X and <--> Port Y from a user specified monitor port.. so I can watch a pair of firewall nics per switch (or logical switch) with one Snorting NIC.. I didn't realize we were on a super old rev of code at the time I posted.. live and learn! Nice part is the 450 code is all free on Nortel's site.
Get tftpd32 (download.com has it) and then DL the firmware and OS image files from Nortel.
Do the FW file FIRST. Both files have the same name, FW ends in '1', OS ends in '2'.. to remind you of the order! If you do the OS first, you'll have to RMA the switch per Nortel support.. (I didn't try to verify this independently! But they were nice enough to give me a leg up despite not having switch support..) Also, if going from a sub-2.0 rev to a higher one, put 2.0 on first and then go from 2 to whatever.. Basically it's like tftp-ing anything else.. pretty painless in my experience.. Just make sure the switch is out of production since it will reload after each update, and may lose its IP address.
Big lesson is Never Assume.. (like assuming your switch code was written this century!) Someday I'll learn that one. ;-)
Hope this helps someone.