I had a customer issue and I'm hoping for some insight.
They have a NIDS solution hanging off of a Cisco switch. They are utilizing the switch to the extent that it is not possible to set up any more VLAN sessions, if I understand their description. The NIDS is unable to handle traffic it's getting, even when throughput is far below its rating, and is failing to alert on hostile traffic.
We captured packets and there are a lot of duplicates flying around (bit for bit copies, not just TCP retransmits).
The Cisco onsites swear alternately that
1) they know of no conditions that could cause such a condition, and
2) the observed ~60% dupes was "normal" for any enterprise.
We spoke with the vendor and they said their NIDS solution would in fact choke on this kind of traffic since it will cause overutilization, effectively driving down the throughput from 2g/s to some absurd level like 100m/s.
I'm not a Cisco expert but I was hoping for some possible ideas, or ways to troubleshoot this further.
It's kind of a non-issue since the customer is going to go with an inline IPS at some point in the future, but I kept wishing we could find the root cause and eliminate the problem once and for all. Any ideas?
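One way to quantify what the captures show, added here as an example and not part of the original post: it separates bit-for-bit copies (what a SPAN session produces when the same frame crosses two monitored ports or directions) from genuine TCP retransmits, which carry a new IP ID or TTL. It assumes the frames have already been read out of the pcap as raw bytes; the sample frames below are constructed.

```python
import hashlib
import struct
from collections import Counter

def build_frame(ip_id, ttl, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp

def classify_frames(frames):
    """Count 'unique', 'exact_dup' (bit-for-bit copy of an earlier frame, i.e. the same
    frame mirrored twice) and 'retransmit' (same flow/seq but different bytes)."""
    seen_hashes, seen_segments, counts = set(), set(), Counter()
    for frame in frames:
        digest = hashlib.sha256(frame).digest()
        if digest in seen_hashes:
            counts["exact_dup"] += 1
            continue
        seen_hashes.add(digest)
        # Only IPv4-over-Ethernet carrying TCP is examined for retransmits
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            counts["unique"] += 1
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len, tcp_off = struct.unpack("!H", frame[16:18])[0], 14 + ihl
        sport, dport, seq = struct.unpack("!HHI", frame[tcp_off:tcp_off + 8])
        doff = (frame[tcp_off + 12] >> 4) * 4
        key = (frame[26:30], frame[30:34], sport, dport, seq)  # src, dst, ports, seq
        if total_len - ihl - doff > 0 and key in seen_segments:
            counts["retransmit"] += 1
        else:
            counts["unique"] += 1
        seen_segments.add(key)
    return counts

def duplicate_ratio(counts):  # fraction of frames that are exact copies
    total = sum(counts.values())
    return counts["exact_dup"] / total if total else 0.0
# Constructed sample: two frames mirrored twice plus one genuine TCP retransmit
SAMPLE = [
    build_frame(1, 64, 1000, b"GET / HTTP/1.0\r\n"),
    build_frame(1, 64, 1000, b"GET / HTTP/1.0\r\n"),  # exact copy
    build_frame(2, 64, 1016, b"Host: x\r\n"),
    build_frame(3, 63, 1016, b"Host: x\r\n"),          # retransmit: same seq, new IP ID/TTL
    build_frame(2, 64, 1016, b"Host: x\r\n"),          # exact copy of the third frame
]
```

The exact_dup fraction is the number to put beside the ~60% figure; if it stays high while retransmit stays low, the duplication is coming from the mirror configuration rather than from hosts retransmitting.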