What is acceptable % packet missed?

Unanswered Question
Oct 10th, 2007

I have an IDSM version 6.x set up to monitor both directions of traffic on a Cat6500 VLAN with an average of 150mbit/s traffic. Except during low-traffic times, the missed packet counter is almost always at 23%. Is this too high? Is there something I can do about it?

rhermes Wed, 10/10/2007 - 09:23

23% packet loss is WAY too high; some would argue that any packet loss is unacceptable, or at the very least undesirable.

Do you have any packet loss numbers for the same sensor running 5.x? We are about to upgrade and I'd like to know how much degradation to expect on my more heavily loaded sensors.

hoffa2000 Wed, 10/10/2007 - 11:52

I got the sensor with 6.x installed and don't want to downgrade unless I have to. I have one more sensor installed in a standby 6500, not under the same load though, and I have upgraded that sensor to 6.x but haven't noticed any change.

I guess my options are limited: either etherchannel two sensors or move the source of the SPAN session to another interface. Having the IDSM only capture one direction of the VLAN seems as much of a waste to me as having 23% packet loss.

mherald Wed, 10/10/2007 - 13:09

I have to agree, missing ~23% of the packets is highly likely unacceptable from a security standpoint. It sounds as if you are running some SPANs/RSPANs or VACLs to direct traffic to the IDSM-2 in promiscuous mode. As opposed to mirroring a VLAN of traffic to a port, have you thought about putting the IPS unit in-line? Say at a choke point where that VLAN exits into a router or firewall? I believe this may cut your traffic down.

Mike

hoffa2000 Wed, 10/10/2007 - 22:44

I've been considering the Inline VLAN option a lot. I haven't figured out the best place to put the Inline VLAN yet; almost all traffic is handled by the backplane of the 6500 and not much is passed over physical interfaces. I also have to upgrade the IOS since I have SXF3, which doesn't support Inline VLAN.

hoffa2000 Thu, 10/11/2007 - 04:54

I guess there aren't any measures I can tune on the IDSM to increase the performance? It seems to me that the specs on the datasheet, 600mbit/s passive performance, are a bit optimistic if I'm getting issues at 230mbit/s.

rhermes Thu, 10/11/2007 - 08:58

I know I've seen 5.x datasheets showing a performance decrease when changing from promiscuous IDS mode to inline IPS mode, so I sincerely doubt changing your sensor to inline would help your problem. The current datasheet for 6.x shows the IDSM now rated as a 500Mb/s device. I'm not sure if this decrease of 100 Mb/s is due to additional 6.x overhead (anomaly detection, OS fingerprinting, etc. must count for something) or if Cisco is now rating the sensors for inline mode only.

http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd805baef2.html

Tuning could help your problem: retiring the useless and unneeded signatures will decrease load, but this is a time-consuming and laborious process. Since you bought a 500 or 600 Mb/s sensor from Cisco, you could ask them to make it run properly and loan you an additional IDSM-2 to load balance across until they do come up with your fix.
