RE: Taps supporting traffic aggregation ...

[<Josh.Berry () compucom com>]

Instead of a tap, you could use something like the IDS Balancer from
TopLayer.  The device can aggregate data and then balance that load
across multiple ports, or just pipe it all through the same port.

-----Original Message-----
From: Matthew Jonkman [mailto:matt () infotex com] 
Sent: Tuesday, January 27, 2004 9:40 PM
To: sbernard () gmu edu
Cc: focus-ids () securityfocus com
Subject: Re: Taps supporting traffic aggregation ...

The big issue in taps bringing traffic together is that you have 
different networks that are not aware of each other. If both go down the

same wire you'll have collisions, and thus lost data. If you're 
aggregating 2 links that are high load you'll lose most of the traffic.

I've successfully had multiple taps feeding into a dedicated switch and 
then did a span of that switch. The switch was able (if you get a good 
quality one) to buffer the packets and thus avoid the collisions. All 
the data still flows if you do an ingress span of the ports from the
taps.

The key is a very good quality switch though. The 100 dollar staples 
cheapo won't cut it.

Matt


Steve Bernard wrote:
> I can't say that I've ever seen a tap that aggregates traffic.
Products from
> Top Layer, F5, Alteon, and the like are marketed as "IDS load
balancers".
> I've talked to NetOptics before about building a tap that actively
monitors
> multiple links and pushes them all down one monitoring port but, they
didn't
> have anything like that and it didn't seem likely that they ever
would.
> Steve
>
>
> -----Original Message-----
> From: Thierry Bole [mailto:tbole () telsys ch]
> Sent: Monday, January 26, 2004 8:00 AM
> To: focus-ids () securityfocus com
> Subject: Taps supporting traffic aggregation ...
>
>
> Hello,
>
> Has anyone tested taps supporting traffic aggregation (with the
> capability to mirror the traffic only on one link)
>
> I know that we can have some bandwidth limitations: if the 2 network
> ports are operating at 100mbps and the IDS port is operating at
100mbps
> as well, then under sustained aggregate bandwidth of greater than
> 100mbps, packets will get dropped.
>
> Thank you for your feedback.
>
> Thierry
------------------------------------------------------------------------
---
>
------------------------------------------------------------------------
---
>
------------------------------------------------------------------------
---
>
------------------------------------------------------------------------
---
>

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---




---------------------------------------------------------------------------
---------------------------------------------------------------------------