Ethernet splitters

Carter Bullard cbullard at nortelnetworks.com
Fri Jul 30 17:11:28 EDT 1999


Hey Jerry,
   Still I can mirror 5 full duplex 10Mbps links onto
a single 100Mbps output link, no problem.  One of the
nice things about 10/100 ethernet switches/hubs ;o)

Carter

Carter Bullard
Principal Consultant
Nortel Networks
320 Park Avenue  16th Floor
New York, New York 10022
Email  cbullard at nortelnetworks.com
Phone +1 212 317 4230
Fax   +1 212 317 4324
Pager +1 800 217-7496 


-----Original Message-----
From: jwlundy at aafes.com [mailto:jwlundy at aafes.com]
Sent: Friday, July 30, 1999 4:58 PM
To: nfr-users at nfr.net
Cc: argus at lists.andrew.cmu.edu
Subject: Re: Ethernet splitters


Greetings,

I use both the passive hub and mirrored port solutions in my current network
monitoring.  Unfortunately, solutions that work for low speed half duplex
links 
have problems at higher speeds with full duplex.

Chas DiFatta wrote:
> 
> If you use a Cisco switch and you wish to monitor the link that supplies all
> the traffic (like to/from a router) just set up a spanning port to send
> all tx/rv traffic from the router port to another port where your Argus host
> resides.  We usually use a separate interface for monitoring on the Argus
> host, IP addr 0.0.0.0 to keep in stealth mode.  Other switches may work,
> but we're not familiar with them.  We've been able to monitor at a sustained
> load of 30 Mb/s for hours with this configuration and Argus 1.8.

Not quite.  Full duplex traffic is potentially twice the bandwidth of the receive
lines on a given port, possibly dropping packets.  Spanning multiple switch
ports 
to a single port increases the probability of dropped packets. Spanning and
port 
mirroring become less useful as utilization levels increase.
 
> If you don't have a Cisco, use a 10 or 100baseT hub just in front the
> router.
> Since your only using two ports, i.e. router and switch, monitoring the
> traffic
> on a 3rd port does the trick without any degradation in traffic due to
> collisions.

Substituting a shared hub for a full duplex link effectively halves the 
bandwidth on the link.

Taps provide the visibility of a shared hub while preserving full duplex capability.
Two receiving interfaces on the sensor allow full line speed collection.
If you manage and query the sensor from a separate management interface, the
sniff is
totally unobtrusive.

 
Jerry W. Lundy, CISSP	
The Greentree Group



More information about the argus mailing list