[nsp] multiple port monitoring - switch sought

Jonathan Maiman Jonathan_Maiman at cnt.com
Tue Dec 9 17:08:56 EST 2003


Gert,

     Toplayer makes a device that can do this.  Basically it can take a set
of GigE inputs, slice and dice them based on anything up to layer 4
information and send the results out one or more GigE ports.   The device
has hardware ASICs and can truly do wirespeed.  They're typically used in
centralized IDS environments but would work fine for your application.  Not
sure on the cost.  I saw one in action in an IDS bakeoff using Chariot to
generate traffic at varying levels.   I don't have any connection with the
manufacturer.  Just was impressed with the device during the bakeoff.  Hope
this helps....

               --Jon


-----Original Message-----
From: Gert Doering
To: cisco-nsp at puck.nether.net
Sent: 12/9/2003 4:52 PM
Subject: [nsp] multiple port monitoring - switch sought

Hi,

I'm looking for a GigE switch (or some other affordable equipment) that
can solve a somewhat peculiar requirement.

I have a GigE port, delivered over ZX fibre.  Everything coming in over
that port needs to be mirrored to other ports on the "device" (that's
easy), and I need it to be mirrored to up to *4* other GE ports (SX or
TX).


 traffic ---- ZX ---- magic box - mirror 1
                                - mirror 2
                                - mirror 3
                                - mirror 4

The traffic that needs to be mirrored is not actually passing the
"switch" (or "magic box") - the other end of the ZX fibre is connected
to a SPAN port of a 6509, some 30 kilometers away.

So what we really need is some sort of "multiplying device" that will
just take all packets coming in from the left, and send it out to 
(up to) 4 ports on the right.  Nothing will ever be received from the 
ports on the right, and nothing will ever be sent to the left.

[Disclaimer: all of this is perfectly legal and with consent of the
owner of the infrastructure, of course!  It's university work relating to
understanding of traffic patterns and so on]

Are there (affordable) cisco switches that can do a SPAN from a single
source to four different destination ports?  With full GE line rate
*and* capable of taking a ZX-GBIC?  In theory, the 4912G or 3550-12T
should be able to do it, but I have none of them to test whether
"single source port, 4 destination ports" SPAN is going to work.


Something we have been thinking of is to just make the switch flood
all packets to all ports (that would suit the application), but that
isn't going to work - the destination MAC of all packets will appear
sooner or later on the left side (input), so the switch knows that it
does not have to forward the packet.   Switching off MAC learning on
the ingress port might work, but I don't think it can be done with CatOS
or IOS switches.  Can it?  (Heck, all we want is a "Gbit *hub*", but I 
know that those do not exist).


Any other ideas?

gert
-- 
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
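The "just flood everything" idea in Gert's message fails for a reason that is easy to model: a transparent bridge learns source MACs per port, and once both directions of a mirrored conversation have arrived on the ZX ingress, every destination MAC is "known" to live on that same port, so the bridge filters the frame instead of flooding it. The following is an added example, not code from the thread or from any vendor: a toy learning switch (standard 802.1D-style behaviour, broadcast/multicast and VLANs omitted) fed with a constructed SPAN stream on port 0 with four mirror ports. It compares the default behaviour with the "no MAC learning on the ingress port" variant Gert speculates about. Port numbers, MAC addresses and the function names are assumptions for illustration only.

```python
# Added example, not from the cisco-nsp thread: a minimal model of a
# MAC-learning switch, used to show why flooding stops when the only
# ingress is a SPAN feed, and why disabling learning on that port helps.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Frame:
    src: str  # source MAC (hypothetical sample values below)
    dst: str  # destination MAC


@dataclass
class LearningSwitch:
    ports: List[int]
    learning_disabled: Set[int] = field(default_factory=set)  # ports that never learn
    table: Dict[str, int] = field(default_factory=dict)       # MAC -> port

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        """Return the egress ports for `frame` arriving on `in_port`."""
        # Source-MAC learning, unless the ingress port has it switched off.
        if in_port not in self.learning_disabled:
            self.table[frame.src] = in_port
        out = self.table.get(frame.dst)
        if out is None:
            # Unknown destination: flood to every port except the ingress.
            return [p for p in self.ports if p != in_port]
        if out == in_port:
            # Destination was learned on the very port the frame came in on:
            # a bridge assumes it is already on that segment and drops it.
            return []
        return [out]


INGRESS = 0          # assumed: the ZX port
MIRRORS = [1, 2, 3, 4]  # assumed: the four SX/TX mirror ports


def span_feed(n_exchanges: int) -> List[Frame]:
    """Constructed sample: both directions of an A<->B conversation, as a
    SPAN port would deliver them over the ZX link. Not real captured data."""
    a, b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    frames: List[Frame] = []
    for _ in range(n_exchanges):
        frames.append(Frame(src=a, dst=b))
        frames.append(Frame(src=b, dst=a))
    return frames


def run(disable_learning_on_ingress: bool, n_exchanges: int = 5) -> Tuple[int, int]:
    """Return (frames offered, frames that reached all four mirror ports)."""
    disabled = {INGRESS} if disable_learning_on_ingress else set()
    sw = LearningSwitch(ports=[INGRESS] + MIRRORS, learning_disabled=disabled)
    feed = span_feed(n_exchanges)
    delivered = sum(1 for f in feed if sw.forward(INGRESS, f) == MIRRORS)
    return len(feed), delivered


if __name__ == "__main__":
    # With learning: only the very first frame floods; after that every
    # MAC is known on port 0 and the rest are filtered.
    print("learning on :", run(False))   # (10, 1)
    # With learning disabled on the ingress: the table stays empty, so
    # every frame is flooded to all four mirror ports, i.e. a "Gbit hub".
    print("learning off:", run(True))    # (10, 10)
```

The model deliberately ignores broadcast and multicast frames, which a bridge floods regardless of its table; they are why Gert's "sooner or later" wording is right rather than "immediately". Whether a given Cisco platform actually lets you disable learning per port is a separate question the thread leaves open; the example only shows what the switch would have to do.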

