IDS mailing list archives

RE: Taps supporting traffic aggregation ...


From: <William_Boyle () NAI com>
Date: Tue, 27 Jan 2004 19:24:53 -0800

Funny, someone just brought this to my attention 2 days ago.

NetOptics has a 10/100 copper tap that aggregates the link.  It uses a
1Mb buffer on each interface to handle spikes.

Part Number Description
96443 10/100 Port Aggregator Tap, Rack-mount
96444 10/100 Port Aggregator Tap, PCI
96445 10/100 Port Aggregator Tap w/Active Response, Rack-mount
96446 10/100 Port Aggregator Tap w/Active Response, PCI
Accessories:
96045 19" Rack Frame, Holds 3 Rack-mount Taps
96041 19" Rack Frame, Holds 12 Rack-mount Taps

If you are looking for anything larger than 100Mbps or a phy other than
RJ45 then you are looking at a decent switch that has the ability to
mirror.

You still have the problem that port buffers are only so big (regardless
of whether it is a port aggregation tap or a switch) and that in sustained
traffic above 50% link utilization, you are dropping packets.  If you
want to make sure you can see ALL the traffic, the Intrushield IDS/IDP
has the ability to handle the multiple stream output of a tap.  Not only
can it handle the full line rate, it can put the streams back together
and maintain state.

-bill

-----Original Message-----
From: Steve Bernard [mailto:sbernard () gmu edu] 
Sent: Tuesday, January 27, 2004 11:37 AM
To: focus-ids () securityfocus com
Subject: RE: Taps supporting traffic aggregation ...


I can't say that I've ever seen a tap that aggregates traffic. Products
from Top Layer, F5, Alteon, and the like are marketed as "IDS load
balancers". I've talked to NetOptics before about building a tap that
actively monitors multiple links and pushes them all down one monitoring
port, but they didn't have anything like that and it didn't seem likely
that they ever would.


Steve


-----Original Message-----
From: Thierry Bole [mailto:tbole () telsys ch]
Sent: Monday, January 26, 2004 8:00 AM
To: focus-ids () securityfocus com
Subject: Taps supporting traffic aggregation ...


Hello,

Has anyone tested taps supporting traffic aggregation (with the
capability to mirror the traffic only on one link)?

I know that we can have some bandwidth limitations: if the 2 network
ports are operating at 100mbps and the IDS port is operating at 100mbps
as well, then under sustained aggregate bandwidth of greater than
100mbps, packets will get dropped.

Thank you for your feedback.

Thierry
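
The buffer limit discussed in this thread, as an added example that is not part of any poster's message: a fluid model of an aggregating tap in which both directions of a 100 Mbps link feed one buffer in front of a 100 Mbps monitor port. The single shared FIFO, the 1 ms step, the sample traffic and reading "1Mb" as 1,000,000 bytes are assumptions; `simulate_tap` is a hypothetical name.

```python
# Added illustration: fluid model of an aggregating tap's monitor-port buffer.
# Assumptions (not from the thread): one shared FIFO in front of the monitor
# port, and "1Mb" read as 1,000,000 bytes; pass 125_000 to model 1 megabit.

def simulate_tap(samples, monitor_mbps=100, buffer_bytes=1_000_000, step_us=1000):
    """samples: iterable of (a_to_b_mbps, b_to_a_mbps), one pair per time step.

    Returns (dropped_bytes, peak_queue_bytes, first_drop_step), where
    first_drop_step is None if nothing was dropped.
    """
    # Mbps * microseconds / 8 = bytes moved in one step (integer arithmetic).
    drain = monitor_mbps * step_us // 8
    queue = dropped = peak = 0
    first_drop = None
    for i, (a_to_b, b_to_a) in enumerate(samples):
        arriving = (a_to_b + b_to_a) * step_us // 8
        # Both directions land in the same queue; the monitor port drains it.
        queue = max(0, queue + arriving - drain)
        if queue > buffer_bytes:
            # Buffer is full: the overflow is traffic the IDS never sees.
            dropped += queue - buffer_bytes
            queue = buffer_bytes
            if first_drop is None:
                first_drop = i
        peak = max(peak, queue)
    return dropped, peak, first_drop


# Constructed traffic, one sample per millisecond.
SUSTAINED = [(60, 60)] * 1000                    # both directions at 60% for 1 s
BURST = [(100, 100)] * 50 + [(20, 20)] * 950     # 50 ms line-rate spike, then quiet

if __name__ == "__main__":
    for name, trace in (("sustained 60%+60%", SUSTAINED), ("50 ms burst", BURST)):
        for buf in (1_000_000, 125_000):
            lost, peak, first = simulate_tap(trace, buffer_bytes=buf)
            print(f"{name:18} buffer={buf:>9} B  dropped={lost:>9} B  "
                  f"peak={peak:>9} B  first drop at step {first}")
```

With these inputs the buffer rides out the 50 ms spike only at the larger size, and under sustained load above 50% per direction it delays the first drop by a fraction of a second rather than preventing it.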

