[Bro] arista & cpacket experience

Vincent Stoffer vstoffer at lbl.gov
Mon Oct 20 17:54:51 PDT 2014


Hi Juan,

We use both the cPacket (cVue 240) and Arista (7150s) and both are quite
capable of handling the traffic you suggest.  In our older setups we use a
custom cPacket device to do MAC re-writing from 10G input to 1G Bro worker
nodes.  As Mike mentioned, load-balancing traffic to workers on a
multi-core box with a specialized NIC driver is a more common and often more
cost effective configuration these days.  We're currently ramping up our
100G Bro cluster with a combination of Arista hardware and a collection of
Myricom 10G workers on FreeBSD.  I would suggest that you use the device
you choose to aggregate, filter and distribute your traffic to the
different tools and then experiment with running a Bro cluster on a single
box.  I think with the traffic volumes you mention you should be able to
monitor everything with a single 10G card and multiple worker threads.

One thing not to forget is that you'll need 1 port for each direction of
"input" traffic on these devices to monitor full duplex taps, so make sure
you take that into account when counting ports.  The cVue is a very nice
piece of hardware with great flexibility, however, the cost is not
comparable with the Arista.  The Arista feature set is quite good and they
have been receptive to our feature requests.  We're also very excited to be
using Arista's API which lets us do dynamic shunting based on feedback from
Bro.  If you have specific questions, let me know and I'd be happy to
answer them.

Thank you,

Vince

On Mon, Oct 20, 2014 at 3:31 AM, Juan Caballero <juan.caballero at imdea.org>
wrote:

> Hi everyone,
> We would like to deploy a Bro Cluster at 10 Gbps at about 35% peak usage.
> We already have a splitter in place and are discussing options for a
> front-end that can merge both traffic directions and load balance sessions
> to Bro workers based on session hash and MAC rewriting. Ideally we would
> like some equipment that supports multi-port mirroring so that we can add
> other monitoring tools in addition to the Bro Cluster (e.g., Snort,
> TimeMachine or other Storage).
> Robin mentioned to me that people are using Arista and CPacket switches for
> this kind of setup. After looking at their webpages the Arista 7150 seems
> like a possibility for us (I see on the web page the San Diego SDSC and
> Cornell use the larger 7500 series) and CPacket's cVu240NG may be another
> (although there is less information about CPacket products online).
>
> Does anyone have experience with these products? Do those models make sense
> for the description above?
> Any recommendations or things to consider for people without prior
> experience in such setups?
>
> Thanks!
>
> Juan Caballero
> Assistant Research Professor
> IMDEA Software Institute
> Madrid, Spain
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Vincent Stoffer, Cyber Security Engineer
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
(510) 486-4531
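The front-end behaviour the two messages above talk about (merge both directions of a full-duplex tap, load balance sessions to workers on a session hash with MAC rewriting, and accept shunt feedback from the monitor) can be modelled in software to see why the hash has to be direction-independent. The following is an added example written for this page; it is not code from Bro, Arista or cPacket, and it does not touch any switch API. The worker MAC addresses, the `Packet` type, the `FrontEnd` class and the sample packets are all constructed for illustration.

```python
"""Symmetric session hashing and MAC rewriting for a Bro cluster front end.

Added example for this thread; not code from Bro, Arista or cPacket.
It models the front-end role in software: take both directions of a
full-duplex tap, compute a direction-independent session hash so both
halves of a connection reach the same worker, rewrite the destination
MAC to that worker's NIC, and honour a shunt table fed back from the
monitor.  Worker MACs and packets are constructed; no switch API is used.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, replace

# Hypothetical worker NIC addresses, one Bro worker per entry.
WORKER_MACS = [
    "02:00:00:00:00:01",
    "02:00:00:00:00:02",
    "02:00:00:00:00:03",
    "02:00:00:00:00:04",
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int          # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    dst_mac: str = "00:00:00:00:00:00"   # rewritten by the front end


def session_key(pkt: Packet) -> bytes:
    """Direction-independent 5-tuple.

    The two (address, port) endpoints are sorted before packing, so a
    packet A->B and its reply B->A yield the same key.
    """
    a = (ipaddress.ip_address(pkt.src_ip).packed, pkt.src_port)
    b = (ipaddress.ip_address(pkt.dst_ip).packed, pkt.dst_port)
    lo, hi = sorted((a, b))
    return (lo[0] + struct.pack("!H", lo[1])
            + hi[0] + struct.pack("!H", hi[1])
            + bytes([pkt.proto]))


def worker_index(pkt: Packet, n_workers: int) -> int:
    """Map a packet to a worker slot via a hash of its symmetric key."""
    digest = hashlib.sha256(session_key(pkt)).digest()
    return int.from_bytes(digest[:8], "big") % n_workers


class FrontEnd:
    """Aggregate both tap directions, filter shunted sessions, distribute."""

    def __init__(self, worker_macs):
        self.worker_macs = list(worker_macs)
        self.shunted = set()                       # session keys to drop
        self.per_worker = {m: 0 for m in self.worker_macs}

    def shunt(self, pkt: Packet) -> None:
        """Feedback path: the monitor has seen enough of this session
        (e.g. a bulk transfer) and asks the front end to stop forwarding it."""
        self.shunted.add(session_key(pkt))

    def forward(self, pkt: Packet):
        """Return the packet with dst MAC rewritten to its worker, or None
        when the session has been shunted."""
        if session_key(pkt) in self.shunted:
            return None
        mac = self.worker_macs[worker_index(pkt, len(self.worker_macs))]
        self.per_worker[mac] += 1
        return replace(pkt, dst_mac=mac)

    def forward_tap(self, tap_a, tap_b):
        """Merge the two ports of a full-duplex tap (one port per direction)."""
        out = [self.forward(p) for p in list(tap_a) + list(tap_b)]
        return [p for p in out if p is not None]


def spread(n_flows: int, n_workers: int = len(WORKER_MACS)):
    """How evenly constructed flows (distinct client ports) land on workers."""
    counts = [0] * n_workers
    for port in range(40000, 40000 + n_flows):
        pkt = Packet("10.0.0.5", "192.0.2.10", 6, port, 443)
        counts[worker_index(pkt, n_workers)] += 1
    return counts


if __name__ == "__main__":
    fe = FrontEnd(WORKER_MACS)
    c2s = Packet("10.0.0.5", "192.0.2.10", 6, 51234, 443)   # constructed
    s2c = Packet("192.0.2.10", "10.0.0.5", 6, 443, 51234)   # reply direction
    for p in fe.forward_tap([c2s], [s2c]):
        print(p.src_ip, "->", p.dst_ip, "worker", p.dst_mac)
    fe.shunt(c2s)
    print("after shunt:", fe.forward_tap([c2s], [s2c]))
    print("spread over workers:", spread(400))
```

The point to take from it: a hash over the raw (src, dst, sport, dport) tuple would send the two directions of one connection to different workers and Bro would only ever see half of each session; sorting the endpoints first is what makes the split safe. A hardware front end does the same thing in its ASIC and hashes at line rate, and its shunt table is populated through whatever API the device offers rather than a Python set.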