[NCLUG] Egress Filtering

John L. Bass jbass at dmsd.com
Wed Aug 15 17:02:44 MDT 2001


	Ok, where do you set up a monitor pod to catch these things?  You put it on
	the core switch on a port with monitoring enabled?  At that point you get a
	packet that says it's from 10.1 -- what good is that?  Best-case is that
	you may know what router it came from via the hardware-level address if
	your logging system dumps that.  If not, all you know is that *SOMEONE* is
	using it, so how do you complain to them?

	If you have the MAC address, all you know is what router was sending them.
	Most places don't have a router for every DSL connection though, so...

	Sean

You forgot to tell everybody that it's necessary to iterate the above loop.
And that for a well-designed shop all the monitor ports are wired to the same
work table where you keep one or more machines set up as monitors. It's also
good practice to keep an inventory of site MAC addresses searchable at that
location. With most PCs having only 4-5 PCI slots, it sometimes takes several
machines full of the right mix of NICs.

It's also a good idea to keep a few non-switching hubs around, typically left
in key places that lack monitor ports.

Gee, with a little planning, this is almost easy.

John


