[Snort-users] Linux and switch problem???

Jim Burwell jimb at ...6373...
Fri Jul 19 13:45:09 EDT 2002


OOPS.  Just read this after I sent my reply to your previous post Twig. 
 I see why spanning a 29XX/35XX could cause problems with high traffic 
rates.  I wasn't aware how the 'switching fabric' architecture worked 
(basically copies packets into shared memory and signals other ports to 
forward those packets).  I guess the shared memory buffers can get 
filled up if your monitor port can't pull the data fast enough for your 
buffer not to get filled.  This can lead to 'slow downs' (and I assume 
dropped packets) on the ports which you're monitoring.  Ack.  Luckily, 
the traffic on the monitored port won't come close oversubscribing the 
monitor port, even when both directions are considered (monitored port 
is FD).

- Jim

twig les wrote:

>K, I don't know Extreme, but check this out before
>migrating to the 2912:
>
>http://www.cisco.com/warp/public/473/41.html#archXL
>
>As for the snort box doing any voodoo, I don't buy it.
> If there's a problem then it's on the switch and
>simply putting the switch config back to pre-slowdown
>config and seeing if the problem goes away should do
>it.
>
>






More information about the Snort-users mailing list