I'm in the process of setting up a network security lab and want to monitor all packets leaving and entering the network. I'll get a 2Gbit/sec uplink as a channel terminated on a CISCO 3750 switch and a /24; the other end is a 6500 which is being run in production. Now I have a machine with two 1Gbit/sec NICs and want to use it to log the traffic with minimal changes to the 6500, which our network depends on.
What is the best way in terms of network structure to do this?
I thought of using SPAN on the 3750 side to mirror the traffic to my packet logger. But this means the system would not run in our datacenter.
I thought of using only 1Gbit/sec and setting the system up as a bridge, but this would put another throughput/latency penalty on the link.
I'm kind of anxious to create the SPAN on the 6500 because the concerning CISCO document says it would increase the load (which is a no-go).
Am I missing something here? Any other suggestions? Maybe use the system as a router for the /24? But then I'd be stuck with 1Gbit/sec.
When you say that you want to monitor all traffic entering or exiting your network I assume you're referring to internet traffic and not intranet traffic, right? If so, you could look at setting up Netflow on the interface that is the ingress/egress for your network and export the flow data to a Netflow collector.
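As an added illustration of what the NetFlow collector in this answer has to do (this is example code, not something from the thread or from any Cisco tool): the script below parses a NetFlow v5 export datagram, whose header and 48-byte flow records have a fixed, well-known layout, and aggregates bytes per conversation so you can see top talkers without storing any payload. The export packet is constructed inline so the script runs offline; a real collector would read such datagrams from a UDP socket (the listening port is whatever you configure on the exporter; 2055 is a common but not standardised choice).

```python
"""NetFlow v5 parsing and per-conversation aggregation (added example)."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 fixed layouts, big-endian (network byte order).
V5_HEADER = struct.Struct(">HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")  # 48 bytes


def _ip_to_int(dotted):
    return struct.unpack(">I", socket.inet_aton(dotted))[0]


def _int_to_ip(value):
    return socket.inet_ntoa(struct.pack(">I", value))


def parse_netflow_v5(datagram):
    """Return (header, records). Raises ValueError on malformed input.

    A collector must not trust the 'count' field blindly: a datagram that
    announces more records than it carries is truncated or hostile input.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field %d)" % version)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError("truncated: %d records announced, %d bytes present"
                         % (count, len(datagram)))
    header = {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        # top 2 bits: sampling mode, low 14 bits: sampling interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": _int_to_ip(f[0]), "dst": _int_to_ip(f[1]),
            "nexthop": _int_to_ip(f[2]), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "bytes": f[6],
            "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13], "tos": f[14],
        })
    return header, records


def top_talkers(records, n=3):
    """Sum bytes per (src, dst, proto, dport) and return the n largest."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["dst"], r["proto"], r["dport"])] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_export():
    """Constructed export datagram: 3 flow records with RFC 5737 test addresses."""
    def rec(src, dst, pkts, octets, sport, dport, proto, flags=0):
        return V5_RECORD.pack(_ip_to_int(src), _ip_to_int(dst), 0, 1, 2,
                              pkts, octets, 1000, 2000, sport, dport,
                              0, flags, proto, 0, 0, 0, 24, 24, 0)
    header = V5_HEADER.pack(5, 3, 123456, 1700000000, 0, 42, 0, 0, 0)
    body = (rec("192.0.2.10", "198.51.100.5", 1200, 1_500_000, 51000, 443, 6, 0x18)
            + rec("192.0.2.10", "198.51.100.5", 300, 400_000, 51001, 443, 6, 0x18)
            + rec("198.51.100.9", "192.0.2.77", 2, 180, 53, 33000, 17))
    return header + body


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(build_sample_export())
    print("sequence %d, %d records" % (hdr["flow_sequence"], hdr["count"]))
    for key, total in top_talkers(recs):
        print(key, total, "bytes")
```

Flow records give you who talked to whom, how much, and with which TCP flags, at a tiny fraction of the storage a full packet capture needs; the trade-off is that there is no payload to go back to when a flow looks suspicious.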
I've run SPAN successfully on a Cat6k with Sup720. There's also a handy option called RSPAN which encapsulates SPAN packets in a UDP frame and lets you send them to a machine elsewhere in the network.
You don't mention how much active traffic you have on the link you want to capture.
Full tcpdumps for archival will quickly fill up.
Do the math: 100Mbps is 12.5MBps is 45GB/hour or roughly 1TB/day.
Stripping out unwanted information asap will be key.
Turn on span during off hours and see how your CPU load changes.
I believe you can also SPAN only traffic matching certain profiles (e.g., only port 80).
If you have some money to spend, you can get yourself an Ethernet tap. Here's one from Blackbox that does 10/100/1000. (You didn't specify what type of interconnect you were using.)