[Bro] Network taps necessary for Bro
dopheide at gmail.com
Tue Jul 26 09:57:38 PDT 2016
Granted, budget will enter into the equation, but I would highly recommend
following LBL's model. I'd feed a passive 100G tap into a smarter tap/agg
switch before your Bro cluster. If you set up shunting for elephant flows
you'll likely be able to get by with a small Bro cluster simply by
filtering out that large traffic. This is especially true for typical
ScienceDMZ traffic. You'll want a tap/agg switch that can also load
balance to the tool ports.
If you were to choose an Arista switch, the shunting code already exists.
On Tue, Jul 26, 2016 at 8:24 AM, Daniel Manzo <daniel.manzo at bayer.com> wrote:
> Hi all,
> My team is looking into using the Bro IDS for monitoring of a science DMZ
> with a 100 Gbps network. I was wondering how to choose which network tap(s)
> is necessary for this type of connection and if you have any
> recommendations/methods for setting up the hardware for Bro. I have been
> looking at the passive Ixia Flex taps, but after reading the paper on
> bro.org about the 100G connection in Berkeley Labs, I’m not so sure this
> is the right direction.
> Thanks for the help,
> Daniel Manzo