Dropping vlan traffic to an IDS device

davmag
Level 1

We have a very busy vlan that we're capturing traffic from and sending it to a Gig port connected to an IDS device. Approximately 20% of the traffic is either being dropped by the switch capture port or the IDS device. We've been told 3% dropped traffic is acceptable and we're trying to figure out how to limit the dropped traffic for that vlan. Any ideas? Thanks,

Dave Magorty


mhellman
Level 7

Depending on the switch, you might be able to switch to using VACLs, which would allow you to be more selective about the traffic you send to the capture port.

It's a 6509E running IOS 12.2(18)SXE4. Do you have any specifics on the ACL? Or do I need to ask under a different forum? Thanks,

Dave

Here's a pretty good description that includes an example of what you're trying to do:

http://www.flukenetworks.com/fnet/en-us/supportAndDownloads/KB/IT+Networking/SuperAgent/How_do_I_limit_traffic_spanned_to_SuperAgent_on_a_Cisco_6500.htm

Note the "layered" application of ACLs and the use of "action forward" and "action forward capture".
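
A sketch of the layered VACL capture approach described in the reply above, in native IOS syntax for a Catalyst 6500. This is an added example, not part of the original thread or the linked article; the VLAN number, interface, subnet, and the ACL and access-map names are assumed placeholders.

```cisco
! Assumed values (not from the thread):
!   VLAN 100          = the busy VLAN being monitored
!   Gi3/1             = the Gig port connected to the IDS
!   10.10.20.0/24     = hosts whose traffic the IDS must inspect
!
! Layer 1: traffic worth sending to the sensor.
ip access-list extended IDS-INTERESTING
 permit ip any 10.10.20.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 any
!
! Layer 2: everything else in the VLAN.
ip access-list extended ALL-IP
 permit ip any any
!
! Sequence 10: forward matching traffic normally AND set the capture bit,
! so a copy goes to the capture port.
vlan access-map IDS-CAPTURE 10
 match ip address IDS-INTERESTING
 action forward capture
!
! Sequence 20: forward the remaining IP traffic without capturing it.
! Without this clause the VACL's implicit deny would drop that traffic
! in the VLAN, not just keep it away from the sensor.
vlan access-map IDS-CAPTURE 20
 match ip address ALL-IP
 action forward
!
! Apply the map to the monitored VLAN.
vlan filter IDS-CAPTURE vlan-list 100
!
! Make the IDS-facing port a capture port for that VLAN only.
interface GigabitEthernet3/1
 switchport
 switchport capture
 switchport capture allowed vlan 100
```

`show vlan access-map` and `show vlan filter` confirm the map contents and the VLANs it is applied to.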

attmidsteam
Level 1

Where are you getting the dropped % packet #? On the sensor CLI, type 'sh event status'; if you see 'Missed packet %' messages flowing by it is a sensor issue (meaning it can't keep up).
