[Snort-users] SPAN groups and network taps

Jefferson, Shawn Shawn.Jefferson at ...14448...
Thu May 21 11:51:53 EDT 2009


Hi,

So when you say two full duplex span ports, does that mean two full duplex SOURCE ports, and is that two per switch, or per span group?

I have 4 ports that I want to mirror to one port that snort watches-currently that only one of those ports is setup as full duplex, the others are received traffic only.  The total aggregated bandwidth is less than 1GB for the four ports.

Depending on whether the 6500 can actually support more than 2 full duplex span ports per switch will change what I'll need in the way of network taps/port aggregator devices, I think.

________________________________
From: David Thomason [mailto:david at ...14585...]
Sent: May 20, 2009 5:51 PM
To: Jefferson, Shawn
Cc: David Thomason
Subject: Re: [Snort-users] SPAN groups and network taps

Sean,

I'm not an expert when it comes to Cisco, but I do know that the 6500 can support two full duplex span ports.  As far as limitations, that really depends on how much traffic you are sending to SPAN port.  It is possible to overflow a 1G Span port with more than 1G of data.  In this case the switch starts dropping packets to the Span port.  The span port gets the lowest priority of service, but overflowing the SPAN port can impact performance on the entire switch.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090521/9012154b/attachment.html>


More information about the Snort-users mailing list