Thought I would reply to multiple responses in one post to cut down on noise...
> I do not believe that this will work, as only the last matching rule
> (or first matching rule that has 'quick') is used.

Yes, this was my gut feeling too, but I have been unable to find any validation of this in the docs or through Google.

Also, someone else suggested creating a bridge, but I don't think that's necessary here because bridges are used for two-way communications, whereas I'm just looking for a forwarding of packets to multiple destinations. If the bridge configuration allows me to aggregate network feeds like I want and dup-to doesn't, then of course I'll go that route. Another concern with using a bridge is that, since it is a two-way connection, there might be additional overhead in maintaining communications (maybe it would try to keep state?), and I don't know what impact the added functionality would have on performance.

> Maybe you can use a multicast address as destination.

Unfortunately dup-to requires you to specify a physical network interface for where to send the traffic to. You can specify an address associated with that network interface, but I'm not really sure what benefit this has, because your IDS/analyzer/etc. still has to be attached to that RJ45 port.

I'm at that point where my network feeds are so intensive that a hub is no longer sufficient, but I don't think my current operation is large enough to justify the hefty expense of Netoptics regeneration equipment. I was hoping maybe one of the power-user ISP types around here (Henning and others?) might have tried something like this already and could save me the effort of testing all these scenarios.
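The two-rule approach the thread is weighing, written out as an added pf.conf example (not from the original thread) to make the quoted reply's last-match point concrete; the interface names `em0`, `em1` and `em2` are placeholders, and the rules use the interface-based dup-to syntax the post refers to:

```conf
# Added example, not from the thread. Placeholder interfaces:
ext_if = "em0"      # interface carrying the traffic to be mirrored
ids_a  = "em1"      # port the first analyzer is plugged into
ids_b  = "em2"      # port the second analyzer is plugged into

# Attempt 1: two matching rules, each with its own dup-to.
# Per the quoted reply, pf applies only the LAST matching rule, so
# only the copy to $ids_b is produced; the $ids_a rule is overridden
# and never takes effect.
pass in on $ext_if dup-to $ids_a
pass in on $ext_if dup-to $ids_b

# Attempt 2 (alternative to attempt 1, shown commented out): adding
# 'quick' to the first rule stops evaluation there, so now only the
# $ids_a copy is produced and $ids_b receives nothing.
# Either way a packet is duplicated to at most one target, since
# each rule carries a single dup-to.
# pass in quick on $ext_if dup-to $ids_a
# pass in on $ext_if dup-to $ids_b
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is enough to confirm the syntax before testing which copies actually arrive on each analyzer port.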