[Snort-users] Cisco Catalyst - SNORT
lbromirski at ...9575...
Fri Jun 27 13:23:02 EDT 2003
RA> Most current switches have either 8 or 16 port chip sets.
That's quite correct.
RA> Someone is likely to say that Cisco's mirroring (as an example only)
RA> functions at wire speeds even on gig ports, when in fact their
RA> experience involved other unknown conditions (such as port 1 to port 4
RA> on the same chip set) for which they have little/no real knowledge.
Well, the Catalyst 2950 and 3550 boxes, for example, do SPAN at wire speed,
regardless of which port is actually the source port and which one is the
destination port. However, Cisco states clearly that a highly oversubscribed
destination port can slow down source ports - which is logical, because it
comes down to buffer capacity. With Snort installations the highly
oversubscribed situation can surface quite easily (one port sniffing
the traffic of the other 23 or 47, for example).
RA> There are many switches on the market today that will do wire speed
RA> mirroring on adjacent gig ports, but may drop packets between ports on
RA> different chip sets or different blades.
Indeed. It's just a question of detailed documentation available (including
some architectural details), which most of the off-the-shelf switches lack.
Just my 0,05PLN
Łukasz Bromirski lbromirski[at]mr0vka.eu.org
PGP key http://mr0vka.eu.org/pgp.asc http://mr0vka.eu.org
PGP finger 5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49