airnet
Frequent Visitor
Topic Author
Posts: 83
Joined: Thu Feb 09, 2006 12:46 pm

Port Mirroring?

Thu Mar 02, 2006 2:24 pm

Not really a router job, usually the task of a switch....

but

Does anyone know if there is a way of hacking up MT to get it to do this?

Don't want to do netflows or anything like that... just good ol' dumb layer 2 mirroring of an Ethernet port. Filtering would be a bonus.
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany
Contact:

Re: Port Mirroring?

Thu Mar 02, 2006 4:03 pm

Sorry, not an exact answer, but maybe helpful:

Simple port mirroring has some problems, especially with full-duplex traffic; for professional analysis, IDS, etc., a TAP device is therefore needed, e.g.:

http://www.netoptics.com/products/produ ... =NetOptics

http://www.vssmonitoring.com/solutions/ ... tion01.asp
 
macgaiver
Forum Guru
Posts: 1730
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Thu Mar 02, 2006 5:45 pm

1) take the latest RouterOS version

2) enable the rstp-bridge package

3) create a bridge interface

4) put all the ethernet ports in the bridge

5) disable connection tracking (necessary only for mangle, firewall, NAT)

6) disable network discovery

In the end you have a manageable switch.

I use an RB564 (9 ethernet ports); it works like a charm: a manageable switch with total throughput above 200 Mbps.

You can use a PC and fill it up with something like the RB44 (4 ethernets in 1 PCI) and you will get 6 PCI = 24 ethernet port manageable switch with VLAN, traffic shaping, firewall filtering and so on!
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
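The six steps above written out as a RouterOS configuration. This is an added example, not from the thread or from MikroTik's documentation; the interface names (ether1..ether5), the bridge name and the management address are assumptions, and it uses current syntax, where RSTP is built into the bridge rather than shipped as the separate rstp-bridge package step 2 refers to.

```routeros
# Added example: macgaiver's bridge-as-switch recipe in current RouterOS syntax.
# ether1..ether5, bridge1 and 192.0.2.2/24 are assumptions; adjust to the board.

# Step 3: create the bridge, running RSTP so a cabling loop cannot take it down
/interface bridge add name=bridge1 protocol-mode=rstp

# Step 4: add every ethernet port as a bridge member
:foreach p in=[/interface ethernet find] do={
    /interface bridge port add bridge=bridge1 interface=[/interface ethernet get $p name]
}

# Put the management address on the bridge itself, not on a member port
/ip address add address=192.0.2.2/24 interface=bridge1

# Step 5: connection tracking off. Only do this when no IP firewall, NAT or
# mangle rule depends on state; once disabled, stateful rules stop matching.
/ip firewall connection tracking set enabled=no

# Step 6: stop MNDP/CDP/LLDP neighbour announcements on the switched ports,
# which would otherwise advertise the device to anything plugged into them
/ip neighbor discovery-settings set discover-interface-list=none

# The isolation macgaiver mentions: keep two customer ports from talking to
# each other at layer 2 while both can still reach the uplink on ether1
/interface bridge filter add chain=forward in-interface=ether2 out-interface=ether3 action=drop
/interface bridge filter add chain=forward in-interface=ether3 out-interface=ether2 action=drop
```

The bridge filter rules work with connection tracking off because they match on ports, not on connection state; if you need stateful rules between customers instead, step 5 has to be skipped.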
 
dot-bot
Member Candidate
Posts: 164
Joined: Tue Oct 11, 2005 7:05 pm

Thu Mar 02, 2006 6:03 pm

You mean acting like a HUB and sending the same data to two (or more) ports?
 
macgaiver
Forum Guru
Posts: 1730
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Thu Mar 02, 2006 6:10 pm

NO, it is a switch! Data will be transmitted only to the specific host!
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
jager
Trainer
Posts: 296
Joined: Mon Oct 31, 2005 2:44 am
Location: Sierra Leone
Contact:

Thu Mar 02, 2006 9:38 pm

> You can use PC and fill it up with something like RB44 (4 ethernets in 1 PCI) and you will get 6 PCI = 24 ethernet port managable switch with vlan traffic shapping, firewall filtering and so on!

WoW! Wonderful idea! A very good, maximally manageable "switch" that replaces x.000 USD Cisco/3Com/etc. equipment!
Macgaiver, you are a genius! :)
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Thu Mar 02, 2006 10:30 pm

Yes. But look at the throughput, and compare that with an ASIC based switch. If you want switching then use a switch, especially at the network core. IMHO, routers are Edge devices.

Regards

Andrew
 
jager
Trainer
Posts: 296
Joined: Mon Oct 31, 2005 2:44 am
Location: Sierra Leone
Contact:

Fri Mar 03, 2006 12:32 am

OK, I agree. But the idea of another MikroTik implementation, as a switch, was not even close to my mind :)
 
macgaiver
Forum Guru
Posts: 1730
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Fri Mar 03, 2006 8:47 am

> WoW! Wonderful idea! A very good maximaly managable "switch" that replaces x.000USD cisco/3com/etc equipment!
> Macgaiver, you are genious! :)

Xe, xe! Thx!

> Yes. But look at the throughput, and compare that with an ASIC based switch. If you want switching then use a switch, especially at the network core. IMHO, routers are Edge devices.

That total throughput of more than 200 Mbps was only for the RB500 (CPU 333 MHz).

I think if you take the latest hardware (Intel ethernet cards, P4 3000+) you will get plenty of traffic. The main thing that I like in this configuration: you can protect one customer from another (no more virus problems in the whole "switch network") simply by using firewall filters.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
jager
Trainer
Posts: 296
Joined: Mon Oct 31, 2005 2:44 am
Location: Sierra Leone
Contact:

Fri Mar 03, 2006 11:23 pm

> That total throughput - more than 200Mbps was only for RB500 (CPU 333MHz)

Well, it's worth trying with a P4 3 GHz and testing what throughput comes out :)
 
airnet
Frequent Visitor
Topic Author
Posts: 83
Joined: Thu Feb 09, 2006 12:46 pm

Sat Mar 04, 2006 10:56 am

Certainly a great concept I had never considered.

Am now using the latest packages and indeed, yes it works very well as a switch with a lot of features only ever found in high-end L2 switching devices. However I am still trying to work out a 'hack' for port mirroring and have had no luck as yet.

How can it physically Xmit data 'nowhere' just like port mirroring in a normal managed switch?

There's gotta be a way... bridge dst-nat maybe?

In some ways I guess it is kinda like how a HUB works, but just want to replicate all data on one port and spit it out to another port with a 'sniffing' device attached to the end of it.

I realise the proper way to do this is with a real switch (go figure), however this patch-up is required asap until the gear in question arrives in another week or two....
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Sat Mar 04, 2006 11:57 am

> I think if you take latest hardware (intel ethernet cards, P4 3000+ you will get plenty of traffic

This depends on how you define plenty.

The other problem that requires consideration with a software based router/bridge is latency. A router has to read a complete packet before forwarding it. With large packets this represents a considerable (and variable) delay. Compare this to cut-through switching (switch decision after 6 bytes) or fragment-free (64 bytes) where you have a very low and predictable latency on each packet.

The number of switch ports that you require is also problematic. Four 4 port ethernet cards in a PC are going to overload the PCI bus completely, but you still have only 16 ports.

Not knocking the ideas here, just trying to introduce some of the other factors.

Regards

Andrew
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Sat Mar 04, 2006 6:19 pm

> There's gotta be a way... bridge dst-nat maybe ?

Like I said earlier: set up the packet sniffer to stream to another machine, then use trafr to receive it, and tcpreplay to rebroadcast it on an interface. Not a very great hack, but it works. Had to do this for a few months on a T1 interface since you can't mirror a T1 port on a switch.

Sam
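The RouterOS side of the sniff-and-stream workaround Sam describes, as an added example that is not from the thread; the analyser address 192.0.2.10 and the watched port ether2 are assumptions. The sniffer streams copies of the frames as TZSP over UDP port 37008, with no encryption or authentication, so the stream belongs on a dedicated link or management VLAN rather than on the segment being watched.

```routeros
# Added example: stream one port's traffic to an external analyser (TZSP over
# UDP 37008). 192.0.2.10 and ether2 are assumptions.

/tool sniffer set filter-interface=ether2 \
    streaming-enabled=yes streaming-server=192.0.2.10 \
    filter-stream=yes only-headers=no memory-limit=10KiB
# filter-stream=yes keeps the sniffer's own TZSP packets out of the capture, so
# a watched uplink that also carries the stream cannot feed back into itself.
/tool sniffer start

# Confirm the sniffer is running and counting packets before trusting the
# remote capture, then stop it when the real switch arrives
/tool sniffer print
/tool sniffer stop

# On boards with a switch chip the same result comes in hardware, with no CPU
# cost and no TZSP hop. Switch and port names are assumptions for this board:
# /interface ethernet switch set switch1 mirror-source=ether2 mirror-target=ether5
```

On the analyser, Wireshark dissects TZSP on UDP/37008 directly; trafr plus tcpreplay, as in the post, is only needed when the copied frames must reappear on a physical interface for a device that cannot read the stream itself.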
