RE: Hub vs. Tap vs. SpanPort

From: shannong (shannong@texas.net)
Date: 10/10/02 

From: "shannong" <shannong@texas.net>
To: <focus-ids@securityfocus.com>
Date: Thu, 10 Oct 2002 10:15:17 -0500

Span ports on Cisco switches can allow "normal" transmission of traffic
from attached hosts or disallow it. The option is "inpkts enable" or
"inpkts disable". In otherwords, you can mirror traffic out a port and
the host attached to that port can still send/receive traffic to the
network.

You can specify the direction of traffic to mirror: Tx, Rx, or both.

You can also turn on MAC address learning on the SPAN port to prevent
communications.

On the 4000 and 6000 Cisco switches, spanning doesn't impact the switch
performace at all due to architecture. On 2900/3500s, it could impact
the device if the traffic levels are high on the mirrored port.
Although the impact should be minor and show up as reduced available
memory and perhaps minor increase in delay for the ports being mirrored.

Spanning doesn't cause "broadcast" messages. I don't even know what that
is referring to.

If you have Cisco switches, spanning is better in my opinion. You get
both directions(tx/rx)....Spanning from multiple ports and VLANs out a
single port..... All for the cost of a single port. The only thing you
miss is ingress frame errors which won't traverse the switch fabric.

If you decide to use a reactive IDS (which I don't recommend), use a
sensor that has two interfaces. One without an IP address for
inspecting the traffic via a span port, and another for network
management, alerting and RST packets. This is the best approach in my
opinion.

-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net]
Sent: Wednesday, October 02, 2002 1:25 PM
To: 'Orlando Diaz,TRI'; jef@linuxbe.org; focus-ids@securityfocus.com
Subject: RE: Hub vs. Tap vs. SpanPort

How do SPAN ports cause broadcast messages? As I know it in Cisco-land,
they're only capable of showing traffic, not receiving it. And how do
they cause network performance problems (assuming the switch isn't
overloaded on processing to begin with)?

And I don't see how changing an IDS wouldn't require unplugging cables
with a tap any less than it would with a switch...

-----Original Message-----
From: Orlando Diaz,TRI [mailto:ODiaz@tricom.com.do]
Sent: Wednesday, October 02, 2002 11:33 AM
To: jef@linuxbe.org; focus-ids@securityfocus.com
Subject: RE: Hub vs. Tap vs. SpanPort

I don't agree.
SpanPort cause a lot of broadcast messages and reduce network
performance. And(of course) you need an available port to span to. Tap's
give you a way to monitor the traffic without interrupt the network, you
don't need to unplug cables and disconnect the switch or servers anytime
you want to use a different sniffer or IDS; and tap's dont affect
network performance and are fault tolerant.

And like you say HUB's are a problem.

-----Original Message-----
From: Jean-Francois Dive [mailto:jef@linuxbe.org]
Sent: Tuesday, October 01, 2002 6:34 PM
To: focus-ids@securityfocus.com
Subject: Re: Hub vs. Tap vs. SpanPort

Hub: the most easy bit, but does not fit in most environement due to the

lack of hub , adding one beeing somehow seen as a problem (hardware
quality, etc..etc..).

Tap: An easy way to the do, but may be expensive in certain case and may
need a shutdown of the network when setting up and is not very easy to
move, change the traffic beeing monitored.

SpanPort: clearly the most easy and flexible solution, but need to be
used smoothly as it could kill your switch.It however give you the great
possibility to change the traffic beeing monitored.
(tip: on a cisco catalyst, use spanport and set the port as a trunk: you
have the vlan tags on the packet as well, which is cool for traffic
repartition and analysis, this at least used to work on a 5500 when i
tested it a year ago).

Jochen Vogel wrote:
> hi,
>
> what are the pros and cons between capturing on an Hub, Tap or
> SpanPort?
>
> thx for infos
> Jo
>

#################################################################
#################################################################
#################################################################
#####
#####
##### #################################################################
#################################################################
#################################################################

#################################################################
#################################################################
#################################################################
#####
#####
##### #################################################################
#################################################################
#################################################################

Relevant Pages

  • Re: Cat 2924
    ... Copyright 1986-2004 by cisco Systems, ... BOX in both H/W and S/W, compared to a C2924-XL Switch... ... FastEthernet0/1 failed front-end loopback test ... to make the port configuration "visible", you need to apply 2 commands ...
    (comp.dcom.sys.cisco)
  • Re: Cat 2924
    ... Copyright 1986-2004 by cisco Systems, ... BOX in both H/W and S/W, compared to a C2924-XL Switch... ... FastEthernet0/1 failed front-end loopback test ... to make the port configuration "visible", you need to apply 2 commands ...
    (comp.dcom.sys.cisco)
  • Gigabit Flexibility with Magnum 6K32T Managed Switch from GarrettCom, Inc.
    ... THROUGHPUT WITH MAGNUM 6K32T MANAGED SWITCH ... Gigabit port capability to four Gb ports when compared to the ...
    (comp.dcom.lans.ethernet)
  • Gigabit Flexibility with Magnum 6K32T Managed Switch from GarrettCom, Inc.
    ... OF GB THROUGHPUT WITH MAGNUM 6K32T MANAGED SWITCH ... Gigabit port capability to four Gb ports when compared to the ...
    (sci.engr.control)
  • Re: new BSD user
    ... A long time ago (pre auto negotiate) when the very earliest ... plug the NIC of a PC up to a switch port. ... set for DHCP as the modem/router contains a built in DHCP server. ...
    (comp.unix.bsd.freebsd.misc)