[Snort-users] Cisco Catalyst - SNORT

Lukasz Bromirski lbromirski at ...9575...
Fri Jun 27 13:23:02 EDT 2003


Hello,

RA> Most  current  switches  have  either 8 or 16 port chip sets.

That's quite correct.

RA> Someone  is  likely  to say that Cisco's mirroring (as an example only)
RA> functions  at  wire  speeds  even  on  gig  ports,  when  in fact their
RA> experience  involved other unknown conditions (such as port 1 to port 4
RA> on the same chip set) for which they have little/no real knowledge.

Well, the Catalyst 2950 and 3550 boxes for example do SPAN with wire-speed,
regardless  of  which  port  is  actually  source  port,  and  which one is
destination port. However, Cisco states clearly, that highly oversubscribed
destination  port  can slow down source ports - which is logical because it
come  down  to  buffers  capacity.  With  Snort  installations  the  highly
oversubscribed  situation  can  surface  quite  easily  (one  port sniffing
traffic other 23 or 47 ones for example).

RA> There  are  many  switches  on the market today that will do wire speed
RA> mirroring  on adjacent gig ports, but may drop packets between ports on
RA> different  chip  sets or differnet blades.

Indeed. It's just a question of detailed documentation available (including
some architectural details), which most of the off-the-shelf switches lack.

Just my 0,05PLN

-- 
Łukasz Bromirski                                lbromirski[at]mr0vka.eu.org
PGP key http://mr0vka.eu.org/pgp.asc                   http://mr0vka.eu.org
PGP finger               5C3B 723F A1FA A2BA E57A  E959 62A8 63C2 093B 6C49





More information about the Snort-users mailing list