Cisco version 6 and analysis engines

Answered Question
Nov 26th, 2007

Looking for information on how many instances of "rulesx" and "sigx" can be run on the different platforms? For example, I can configure rules0, rules1, rules2 and the same for sig0, sig1 and sig2, but how many can I do?

mhellman Tue, 11/27/2007 - 06:43

I've run 2 successfully, but I suspect it depends a great deal on the actual policy configuration and traffic patterns. In our case, in a 4255 we saw memory consumption remain about the same (~50%) but CPU went from about 30-45% to 50-65%. If that holds for a 3rd set of policies (CPU ~70-85%), I personally wouldn't do it, but YMMV.

Correct Answer
scothrel Tue, 11/27/2007 - 07:11

Generally you are limited to 4 virtual sensor configurations: vs0 and up to 3 additional named virtual sensors, such as vs1, "this_sensor", and "that_sensor" (see an exception in the next paragraph). The number of defined components (sigX, rulesX, adX) is not capped, but a maximum of 4 will be active at any time, corresponding to the virtual sensors. It should be noted that you can reuse components, e.g. sig0 can be used in both vs0 and vs2 while sig1 is used in vs1. The same goes for rulesX and adX.

There is a limitation on the "low memory" sensors, currently the 4215 and NM-CIDS, of a single active virtual sensor. These low-end sensors do not have the memory capacity to keep multiple configurations active in memory and still meet performance standards.
