Re: Gb ethernet interface keeping dropping packet in ingress

[Joe Shen <joe_hznm () yahoo com sg>]

Hi,

we do not sniffing the Gbps ethernet link, and the box
I mentioned in previous message is not oversubscribed
at all. In fact, the 10Gbps switch is newly installed
and only two link connected ( one to catalyst6509, one
to firewall). 

Anyway, thanks for your analysis and I want to know
what's the name of the scripts checking ARP on switch?

thanks.

Joe


 --- Jeff Kell <jeff-kell () utc edu> wrote:  
> If you're sniffing one gigabit port from a switch
> with much higher 
> bandwidth, you're going to lose something.  Our
> primary sensor sits on 
> an aggregation switch just prior to hitting the net,
> and we have a 2Gb 
> fast etherchannel span port defined and lose
> relatively little in terms 
> of packet loss.  If course, the more aggregate
> traffic you have, the 
> higher the probability you will max out the span
> port and it's buffers.  
> Unless you're just drilling the heck out of the
> server farm(s) on that 
> switch, you won't lose all that much with an
> etherchannel of 2 Gig 
> ports.  We have 2Gb etherchannel uplinks back to the
> core, and the most 
> the switch could throw at us would be 2Gb
> etherchannel traffic.  So we 
> are spanning the uplinks there.
>
> Just as your switches/routers can be "over
> subscribed" the the 4506 
> backplane is only 6Gb/slot, and we don't lose that
> much, and some of 
> that loss is due to buffer constraints on the
> switch.  Not perfect, but 
> it works.  In less critical ennvironments, we can
> sniff with a 100Mb 
> interface and still do well.
>
> The only caution here is that you can seldom catch
> local traffic.  If 
> there's a local scanner (like Blaster started out to
> be) it doesn't show 
> up except for excessive arps.  We have some cron'ed
> scripts that 
> periodically (1) look at connection counts in the
> PIX, if they're out of 
> "range), we quarantine them to the Perfigo dungeon. 
> Similarly there is 
> a script that counts ARP requests (just the dorms
> specifically right 
> now) and for every 1000 it forks itself to start
> anew, and analyzes the 
> numer of ARPS per station.  Local scanners get eaten
> up here really 
> quickly and they are also quarantined.
>
> Not how sure this fits into NANOG, this is more of a
> local 
> ISP/Universiity setting.  I don't know that an ISP
> can do that much, 
> they're too busy keeping the packets flowing and
> being only minimally 
> intrusive on your traffic without special
> arrangements, at least as a 
> usual case.  Special cases like Slammer, Blaster,
> and the initial 
> Bagel/MyDoom mix some may have initiated
> ingress/egress filters for 
> those, temporarily.
>
> You should be able to handle an OC-12 with a gig
> interface or two on the 
> sensor.  I wouldn't make any claims for an OC-48 or
> above.  These things 
> don't scale well into the certral peering points
> (MAE, Abilene, etc);.
>
> Jeff
>  

__________________________________________________
Do You Yahoo!?
Download the latest ringtones, games, and more!
http://sg.mobile.yahoo.com