Hi, we are not sniffing the Gbps ethernet link, and the box I mentioned in my previous message is not oversubscribed at all. In fact, the 10Gbps switch is newly installed and has only two links connected (one to the Catalyst 6509, one to the firewall).

Anyway, thanks for your analysis. I want to know the name of the scripts checking ARP on the switch. Thanks.

Joe

--- Jeff Kell <[EMAIL PROTECTED]> wrote:

> If you're sniffing one gigabit port from a switch with much higher
> bandwidth, you're going to lose something. Our primary sensor sits on
> an aggregation switch just prior to hitting the net, and we have a 2Gb
> fast etherchannel span port defined and lose relatively little in terms
> of packet loss. Of course, the more aggregate traffic you have, the
> higher the probability you will max out the span port and its buffers.
> Unless you're just drilling the heck out of the server farm(s) on that
> switch, you won't lose all that much with an etherchannel of 2 Gig
> ports. We have 2Gb etherchannel uplinks back to the core, and the most
> the switch could throw at us would be 2Gb etherchannel traffic. So we
> are spanning the uplinks there.
>
> Just as your switches/routers can be "oversubscribed", the 4506
> backplane is only 6Gb/slot, and we don't lose that much, and some of
> that loss is due to buffer constraints on the switch. Not perfect, but
> it works. In less critical environments, we can sniff with a 100Mb
> interface and still do well.
>
> The only caution here is that you can seldom catch local traffic. If
> there's a local scanner (like Blaster started out to be) it doesn't show
> up except for excessive ARPs. We have some cron'ed scripts that
> periodically (1) look at connection counts in the PIX; if they're out of
> "range", we quarantine them to the Perfigo dungeon. Similarly there is
> a script that counts ARP requests (just the dorms specifically right
> now) and for every 1000 it forks itself to start anew, and analyzes the
> number of ARPs per station. Local scanners get eaten up here really
> quickly and they are also quarantined.
>
> Not sure how this fits into NANOG, this is more of a local
> ISP/University setting. I don't know that an ISP can do that much,
> they're too busy keeping the packets flowing and being only minimally
> intrusive on your traffic without special arrangements, at least as a
> usual case. Special cases like Slammer, Blaster, and the initial
> Bagel/MyDoom mix some may have initiated ingress/egress filters for
> those, temporarily.
>
> You should be able to handle an OC-12 with a gig interface or two on the
> sensor. I wouldn't make any claims for an OC-48 or above. These things
> don't scale well into the central peering points (MAE, Abilene, etc.).
>
> Jeff
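Added example (not Jeff's actual script) of the per-station ARP request tally he describes: it reads tcpdump-style ARP lines, restarts the count after every N requests, and flags stations whose share of a window looks like a local scanner. The line format, the window size and the threshold are assumptions, and the sample traffic is constructed.

```python
import re
from collections import Counter

# Sender field of a tcpdump-style ARP request line (format is an assumption).
ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")

def arp_senders(lines):
    """Yield the sender IP of every ARP request; replies and other lines are skipped."""
    for line in lines:
        m = ARP_REQ.search(line)
        if m:
            yield m.group(2)

def flag_scanners(lines, window=1000, threshold=100):
    """Count ARP requests per station in fixed windows of `window` requests
    (the 'every 1000, start anew' behaviour) and return, per window, the
    stations that sent at least `threshold` of them as (window_index, {ip: n})."""
    hits, counts, seen, win = [], Counter(), 0, 0
    for sender in arp_senders(lines):
        counts[sender] += 1
        seen += 1
        if seen == window:
            noisy = {s: c for s, c in counts.items() if c >= threshold}
            if noisy:
                hits.append((win, noisy))
            counts, seen, win = Counter(), 0, win + 1
    # A partial final window is still reported so a sweep is not missed at shutdown.
    noisy = {s: c for s, c in counts.items() if c >= threshold}
    if noisy:
        hits.append((win, noisy))
    return hits

def sample_lines():
    """Constructed capture: 10.1.2.200 sweeps the /24 while 20 normal stations
    each ask for the gateway occasionally; replies are mixed in as noise."""
    normal = ["10.1.2.%d" % i for i in range(10, 30)]
    lines = []
    for i in range(1, 200):
        lines.append("ARP, Request who-has 10.1.2.%d tell 10.1.2.200, length 46" % (i % 254 + 1))
        if i % 5 == 0:
            lines.append("ARP, Request who-has 10.1.2.1 tell %s, length 46" % normal[i % len(normal)])
        if i % 7 == 0:
            lines.append("ARP, Reply 10.1.2.1 is-at 00:11:22:33:44:55, length 28")
    return lines

if __name__ == "__main__":
    for win, noisy in flag_scanners(sample_lines(), window=100, threshold=50):
        print("window %d: candidate scanners %s" % (win, noisy))
```

With the 100-request window the sweeping host dominates two consecutive windows while no normal station comes near the threshold, which is the signal that would trigger the quarantine step in Jeff's setup.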