Security Basics mailing list archives

RE: Port mirroring across multiple switches


From: "Thomson, Stuart A." <Stuart.Thomson () CIBC com>
Date: Fri, 5 Dec 2003 13:21:48 -0500


Hasnain,

My thoughts on this are:

IMHO the Hub idea is not a great choice. If frames are firing at a high pace
on multiple connected segments your hub will be a bottleneck and therefore
your granularity of data will be compromised.

RSPAN has been mentioned and it is very cool, although I did hear there were
some issues early on with it...But I never did see anything in print.
(Assumes you have Cisco solution across all these switches)

If you have the gear and you want to use this feature I would seriously look
at your infrastructure, topology diagrams and previous baselines before going
ahead.  Make sure you don't start pumping a lot of traffic over trunks that
are already busy and ensure your switch utilizations are okay before and
during.

Cool summary link on RSPAN:
http://inetd.com/CriticalNetworks/resources/index.html

Someone mentioned ARP Queries are broadcast. True, but let's not forget that
ARP replies are unicast. You want to ensure you get all the conversations.

You didn't provide too much logical detail, but if you are not using span,
rspan or any other type of port mirroring...Please remember the spanning
tree algorithm!

Nothing says "fun" like explaining how you accidentally created a spanning
tree explosion on your network to your boss.

From the trade publications...this smells like a job that Sniffer
Distributed would be aimed at. 

Anyone here have thoughts on that product/statement? Please be gentle...I am
a newbie to this list.

:-}

Thanks.



-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: December 4, 2003 7:29 PM
To: 'Hasnain Atique'; security-basics () securityfocus com
Subject: RE: Port mirroring across multiple switches


  ARP queries are broadcast.  You should be able to sniff them from any port
on the right VLAN.  Mirroring is only needed for unicast traffic.

David Gillett


-----Original Message-----
From: Hasnain Atique [mailto:hatique () hasnains com]
Sent: December 4, 2003 02:23
To: security-basics () securityfocus com
Subject: Port mirroring across multiple switches



What's the best approach to port mirror traffic from multiple
switches?
Should I enable mirroring on one port of each switch, and then connect
those ports to a hub and put my sniffer on the same hub? 

My ultimate objective is to collect ARP query information from all 
switches.

Thanks.

-- H
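The thread's point about ARP queries being broadcast while ARP replies are unicast, as an added example (not code from anyone in this thread): it builds two constructed ARP frames (a request from a host and the unicast reply from its gateway), parses them, and shows which ones an analyser on an ordinary, non-mirrored access port in the same VLAN would actually capture. The MAC and IP addresses are made-up sample values.

```python
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
OPCODES = {1: "request", 2: "reply"}


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    """'10.0.0.1' -> 4 raw bytes."""
    return bytes(int(o) for o in s.split("."))


def build_arp(dst, src, opcode, sha, spa, tha, tpa):
    """Constructed Ethernet II + ARP (IPv4 over Ethernet) frame; sample data, not a capture."""
    eth = mac(dst) + mac(src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, opcode
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


def classify(frame):
    """Parse one ARP frame and flag whether a non-mirrored port in the VLAN would see it.
    A switch floods broadcast-destination frames to every port in the VLAN, but forwards
    a unicast frame only to the port where it learned the destination MAC, so unicast
    ARP replies reach a plain sniffer port only through SPAN/RSPAN (or a hub in the path)."""
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    is_bcast = dst == BROADCAST_MAC
    return {"op": OPCODES.get(opcode, "other"), "sender": sender_ip,
            "target": target_ip, "broadcast": is_bcast, "seen_without_mirror": is_bcast}


def visible_frames(frames, mirrored):
    """Frames the analyser captures: all of them from a SPAN/RSPAN destination port,
    otherwise only the broadcasts (the ARP queries)."""
    parsed = [classify(f) for f in frames]
    return [p for p in parsed if mirrored or p["seen_without_mirror"]]


# Constructed sample: host 10.0.0.10 asks for the gateway 10.0.0.1, gateway answers unicast.
HOST, GW, ZERO, BCAST = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    build_arp(BCAST, HOST, 1, HOST, "10.0.0.10", ZERO, "10.0.0.1"),
    build_arp(HOST, GW, 2, GW, "10.0.0.1", HOST, "10.0.0.10"),
]

if __name__ == "__main__":
    for mirrored in (False, True):
        seen = visible_frames(SAMPLE_FRAMES, mirrored)
        print(f"mirrored={mirrored}: captured {[p['op'] for p in seen]}")
```

Without mirroring only the request is captured, so the sniffer never learns which MAC answered for 10.0.0.1; with a mirrored port both halves of the conversation arrive.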



