Re: Hub recommendations

[Richard Bejtlich <taosecurity () gmail com>]

Matt Van Mater wrote:

> I have 3 separate SPAN ports on Cisco switches feeding traffic to a
> soho Netgear 8 port hub, which I then connect to my IDS as well as
> other network analysis boxes.  I'm having a problem where one of my
> SPAN ports gets errDisabled because of too many collisions coming back
> from the hub.  This isn't a big surprise because the hub is now seeing
> an average of 5000 packets per sec.

Hi Matt,

You're bound to have collisions when one SPAN port transmits at the
same time another SPAN port transmits.  I am not sure if either SPAN
port will try to retransmit.  If they do not retransmit when a
collision occurs, you're dropping all that traffic.

You might first want to consider exactly what you need to monitor. 
Why do you need to dump all of that traffic in one place?  Could you
deploy one sensor per SPAN port, or deploy a very robust single sensor
with a fast bus/hardware/etc and PCI-X gigabit NIC per SPAN port?

You mentioned feeding all of these SPAN ports to another switch for
aggregation.  That might work (I'd like to hear the list's thoughts on
that), since the switch would be built to handle contention and higher
traffic loads.

Sincerely,

Richard
http://www.taosecurity.com


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users