[c-nsp] 6500 under DDoS
Sam Stickland
sam_ml at spacething.org
Wed Jul 28 09:38:50 EDT 2004
On Wed, 28 Jul 2004 Fredrik.Jacobsson at enskilda.se wrote:
> Hi!
>
> I was about to try NBAR in our lab, but now I'm hesitating since I
> can't see how we could take it into production with this knowledge :)
> Would it be possible to create a span to a port where you connect a
> router that has NBAR enabled? Or won't that give you any interesting info?
Never tried this for NBAR specifically, but I can't see any reason why
this wouldn't work. We use span ports internally for this kind of
monitoring, and analyse the traffic on end-stations rather than routers.
IMO, well built servers, out of the routing path, make for far better
analysis boxes than software switched routers ;)
> How about Netflow? Does that have the same drawbacks?
Netflow will be in the hardware path, but it's not going to give you
nearly the same amount of information as NBAR as it won't do any kind of
payload analysis.
Sam
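As an added illustration of the NetFlow point above (not part of the original thread), here is a small NetFlow v5 parser plus a per-destination source-count check of the kind an out-of-path analysis box fed by a SPAN port or NetFlow export might run. The datagram is constructed inline; the record layout shows the 5-tuple, counters and TCP flags that NetFlow carries, and that no payload is present.

```python
"""Parse NetFlow v5 export datagrams and flag destinations hit by many
distinct sources. Sample records are constructed here, not real traffic."""
import socket
import struct
from collections import defaultdict

HEADER_FMT = ">HHIIIIBBH"                # 24-byte v5 header
RECORD_FMT = ">4s4s4sHHIIIIHHBBBBHHBBH"  # 48-byte v5 flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
FIELDS = ("src", "dst", "nexthop", "input_if", "output_if", "packets", "octets",
          "first", "last", "sport", "dport", "pad1", "tcp_flags", "proto", "tos",
          "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def parse_v5(datagram):
    """Return the flow records (dicts) in one NetFlow v5 datagram."""
    version, count = struct.unpack_from(">HH", datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        raw = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        rec = dict(zip(FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        flows.append(rec)
    return flows

def suspicious_targets(flows, min_sources=3):
    """Destinations seen with at least min_sources distinct source addresses."""
    per_dst = defaultdict(set)
    for f in flows:
        per_dst[f["dst"]].add(f["src"])
    return {d: len(s) for d, s in per_dst.items() if len(s) >= min_sources}

def build_record(src, dst, dport, packets, flags=0x02, proto=6):
    """Constructed v5 record: 40-byte packets, SYN flag by default."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0\0\0\0", 1, 2, packets, packets * 40, 0, 0, 40000, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)

def build_datagram(records):
    return struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)

# Constructed sample: single-packet SYN flows from five sources to one host,
# plus one ordinary established flow (PSH|ACK) to another host.
SAMPLE = build_datagram([build_record("10.0.0.%d" % i, "192.0.2.10", 80, 1) for i in range(1, 6)]
                        + [build_record("10.0.1.1", "192.0.2.20", 443, 50, flags=0x18)])

if __name__ == "__main__":
    for dst, n in suspicious_targets(parse_v5(SAMPLE)).items():
        print("%s seen from %d distinct sources" % (dst, n))
```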