RE: Hub vs. Tap vs. SpanPort

From: Greg Shipley (gshipley@neohapsis.com)
Date: 10/10/02


Date: Thu, 10 Oct 2002 13:26:13 -0500 (CDT)
From: Greg Shipley <gshipley@neohapsis.com>
To: focus-ids@securityfocus.com


On Thu, 10 Oct 2002, shannong wrote:

> On the 4000 and 6000 Cisco switches, spanning doesn't impact the switch
> performance at all due to architecture. On 2900/3500s, it could impact
> the device if the traffic levels are high on the mirrored port, although
> the impact should be minor and would show up as reduced available memory
> and perhaps a minor increase in delay for the ports being mirrored.

Just a side note: This is what Cisco's white papers say, but unfortunately
this does NOT appear to be reality. We've managed to impact switch
performance on the 6xxx platform using "SPAN" pretty heavily in our lab,
and while there are theories at Cisco as to why this is (I know some
people at Cisco internally that have had the same experience), I have yet
to get a real answer out of the Cat team.

I was rambling about this back in 2001 if anyone is interested:
http://archives.neohapsis.com/archives/sf/ids/2001-q4/0311.html

It is important to note that this was done "SPANning" multiple 10/100 ports
to a gig port. This does not appear to happen in a gig-to-gig span
scenario. The running theory is that you can overflow the port buffering
on a per-port basis, and in certain traffic scenarios not everything can
"get out onto" the gig port before things start breaking.

People may want to explore the packet capture ACLs as an alternative to
SPANning. We have not been able to get that method to fail; however, I
believe it only allows you to capture layer-3 (IP) traffic.

Hope this helps,

-Greg
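The capacity check behind the "multiple 10/100 ports into one gig port" theory above, as an added example that is not part of the original post or of any Cisco tool: a full-duplex source port mirrored in both directions can hand the SPAN destination up to twice its line rate, so the worst-case aggregate of all sources is compared against the destination port's speed. The session layouts and port speeds in the block are constructed for illustration, not measurements from any switch.

```python
"""Worst-case SPAN oversubscription check (added example, not from the original post).

Assumption: every mirrored source port can emit up to its full line rate in
each mirrored direction, and all of it must leave through a single SPAN
destination port. Anything above the destination's line rate has nowhere to
go except the port buffer, which is what the post's theory blames for drops.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class SpanSource:
    name: str            # constructed label, e.g. "2/1"
    speed_mbps: int      # 10, 100 or 1000
    direction: str = "both"   # "rx", "tx" or "both"

    def mirrored_mbps(self) -> int:
        """Maximum traffic this source can push toward the SPAN destination."""
        if self.direction not in ("rx", "tx", "both"):
            raise ValueError(f"bad direction {self.direction!r} on {self.name}")
        # Both directions of a full-duplex link are copied onto one output link,
        # so "both" doubles the worst case.
        return self.speed_mbps * (2 if self.direction == "both" else 1)


def span_oversubscription(sources: Iterable[SpanSource],
                          dest_speed_mbps: int) -> Tuple[int, float]:
    """Return (aggregate_mbps, ratio). A ratio above 1.0 means the destination
    port can drop mirrored frames under load, so the IDS sees an incomplete stream."""
    total = sum(s.mirrored_mbps() for s in sources)
    return total, total / dest_speed_mbps


def max_sources(dest_speed_mbps: int, source_speed_mbps: int,
                direction: str = "both") -> int:
    """How many identical sources fit into the destination without worst-case
    oversubscription (e.g. 100 Mb/s bidirectional sources into a gig port)."""
    per_source = SpanSource("probe", source_speed_mbps, direction).mirrored_mbps()
    return dest_speed_mbps // per_source


def report(label: str, sources: List[SpanSource], dest_speed_mbps: int) -> str:
    total, ratio = span_oversubscription(sources, dest_speed_mbps)
    verdict = "OVERSUBSCRIBED" if ratio > 1.0 else "ok"
    return (f"{label}: {len(sources)} sources -> {total} Mb/s worst case into a "
            f"{dest_speed_mbps} Mb/s port, ratio {ratio:.2f} ({verdict})")


# Constructed session layouts mirroring the scenarios discussed in the post.
MANY_FAST_TO_GIG = [SpanSource(f"2/{i}", 100, "both") for i in range(1, 7)]
FAST_RX_ONLY_TO_GIG = [SpanSource(f"2/{i}", 100, "rx") for i in range(1, 6)]
GIG_TO_GIG = [SpanSource("3/1", 1000, "both")]

if __name__ == "__main__":
    print(report("six 10/100 both ways", MANY_FAST_TO_GIG, 1000))
    print(report("five 10/100 rx only", FAST_RX_ONLY_TO_GIG, 1000))
    print(report("one gig both ways", GIG_TO_GIG, 1000))
    print("10/100 bidirectional sources a gig port can carry without "
          f"oversubscription: {max_sources(1000, 100)}")
```

The check is deliberately pessimistic: real links rarely run at line rate in both directions at once, which is why a session that reports a ratio above 1.0 can still look fine until a traffic burst fills the destination port's buffer.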
