I got to play with the Gigamon at work today. I was sitting with nothing to do, so Joe suggested I poke the Gigamon to make sure it did everything the vendor claimed it did. I'll have pictures of it tomorrow (my desk is a rat's nest) but suffice to say that it does it's thing beautifully.

It's a 10 gig aggregator. It takes a 10gig span in and pumps out 1 gig to all it's ports. The cool thing about it though is that you're able to do filter trickery to the individual ports. For instance I can apply a filter that says drop all UDP traffic. Once I do that, now if I attach a Snort sensor to the port, the sensor will only scan other protocol data (not udp).

It's one limitation is that you can only specify a single filter for a port. We found a way around this though. You can daisy chain ports with crossover cables. Therefore you go out one port with a filter and into another port where you apply another filter. In the Gigamon software, you then connect the ports so that data flows between them. It's a poor man's multi-filter setup but it works.

Joe suggested that since this works, we can theoretically do much cooler stuff. For instance, we can put the nics of our sensors in passthru mode. When they receive a packet, they'll analyze it and send it out a different NIC. The packet will then travel back to the Gigamon where we can apply another filter. We can also attach machines to each other using the passthru so that the packets sent out the 2nd NIC of the first machine will go to the first NIC of the second machine.

Anyways, Gigamon is cool and only slightly limited. I'll post pictures of him when I get home tomorrow.

