[Bro] Network taps necessary for Bro

Mike Dopheide dopheide at gmail.com
Tue Jul 26 09:57:38 PDT 2016

Granted, budget will enter into the equation, but I would highly recommend
following LBL's model.  I'd feed a passive 100G tap into a smarter tap/agg
switch before your Bro cluster.  If you set up shunting for elephant flows
you'll likely be able to get by with a small Bro cluster simply by
filtering out that large traffic.  This is especially true for typical
ScienceDMZ traffic.  You'll want a tap/agg switch that can also load
balance to the tool ports.

If you were to choose an Arista switch, the shunting code already exists.


On Tue, Jul 26, 2016 at 8:24 AM, Daniel Manzo <daniel.manzo at bayer.com>

> Hi all,
> My team is looking into using the Bro IDS for monitoring of a science DMZ
> with a 100 Gbps network. I was wondering how to choose which network tap(s)
> is necessary for this type of connection and if you have any
> recommendations/methods for setting up the hardware for Bro. I have been
> looking at the passive Ixia Flex taps, but after reading the paper on
> bro.org about the 100G connection in Berkeley Labs, I’m not so sure this
> is the right direction.
> Thanks for the help,
> Daniel Manzo