Hi Drew,
Thanks for posting back.
The diagram below depicts something I had previously thought of, not tried and tested but don't see why it shouldn't work - which uses an S-Series as a kind of tap aggregator.
Basically it takes a port mirror from all ports on each of the cores and sends that to an S-Series switch like the SSA shown in the diagram below. Configure an IDS mirror to get two copies of each of the mirrored ports from the cores. One copy gets fed as a raw port mirror into the forensic tool and the other is feedback to the switch where I do a policy mirror and netflow for Analytics.
The only fallback I can see is that there is a possibility packets could be dropped, and its not really designed for this purpose so there could be some other side effects?
When the case answered with 'put another switch in-line' I assume this is what it meant? With regards to overlay I'm thinking it could mean taking policy mirrors from one location and port mirrors from another?
The reason I haven't gone for the later is I don't believe I could implement that in a fashion were I could be sure I was capturing all the flows / packets of all traffic. For example; taking a port mirror between cores but policy mirrors on the all the other ports; if traffic flowed between ports on the same core this would be missed by the port mirrors.
That was my interpretation of the case but not sure 100% that is correct, if yourself or anyone is able to confirm or elaborate that would be really helpful?
Many thanks in advance.
Thanks for posting back.
The diagram below depicts something I had previously thought of, not tried and tested but don't see why it shouldn't work - which uses an S-Series as a kind of tap aggregator.
Basically it takes a port mirror from all ports on each of the cores and sends that to an S-Series switch like the SSA shown in the diagram below. Configure an IDS mirror to get two copies of each of the mirrored ports from the cores. One copy gets fed as a raw port mirror into the forensic tool and the other is feedback to the switch where I do a policy mirror and netflow for Analytics.
The only fallback I can see is that there is a possibility packets could be dropped, and its not really designed for this purpose so there could be some other side effects?
When the case answered with 'put another switch in-line' I assume this is what it meant? With regards to overlay I'm thinking it could mean taking policy mirrors from one location and port mirrors from another?
The reason I haven't gone for the later is I don't believe I could implement that in a fashion were I could be sure I was capturing all the flows / packets of all traffic. For example; taking a port mirror between cores but policy mirrors on the all the other ports; if traffic flowed between ports on the same core this would be missed by the port mirrors.
That was my interpretation of the case but not sure 100% that is correct, if yourself or anyone is able to confirm or elaborate that would be really helpful?
Many thanks in advance.
