cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
463
Views
10
Helpful
3
Replies

Cisco version 6 and analysis engines

5creedus
Level 1
Level 1

Looking for information on how many instances of "rulesx" and "sigx" can be run on the different platforms? Example I can configure rules0, rules1, rules2 and the same for sig0, sig1 and sig2, but how many can I do?

1 Accepted Solution

Accepted Solutions

Generally you are limited to 4 virtual sensor configurations..vs0 and up to 3 additional named virtual sensors, such as vs1, "this_sensor", and "that_sensor" (see an exception in the next paragraph). The number of defined components (sigX, rulesX, adX) is not capped, but a maximum of 4 will be active at any time...corresponding to the virtual sensors. It should be noted that you can reuse components, e.g. sig0 can be used in both vs0 and vs2 while sig1 is used in vs1. The same for rulesX and adX.

There is a limitation on the "low memory" sensors, currently the 4215 and NM-CIDS, of a single active virutal sensor. These low end sensors do not have the memory capacity to keep multiple configurations active in memory and still meet performance standards.

View solution in original post

3 Replies 3

mhellman
Level 7
Level 7

I've run 2 successfully, but I suspect it depends a great deal on the actual policy configuration and traffic patterns. In our case, in a 4255 we saw memory consumption remain about the same (~50%) but CPU went from about 30-45% to 50-65%. If that holds for a 3rd set of policies (CPU ~70-85%), I personally wouldn't do it, but YMMV.

Generally you are limited to 4 virtual sensor configurations..vs0 and up to 3 additional named virtual sensors, such as vs1, "this_sensor", and "that_sensor" (see an exception in the next paragraph). The number of defined components (sigX, rulesX, adX) is not capped, but a maximum of 4 will be active at any time...corresponding to the virtual sensors. It should be noted that you can reuse components, e.g. sig0 can be used in both vs0 and vs2 while sig1 is used in vs1. The same for rulesX and adX.

There is a limitation on the "low memory" sensors, currently the 4215 and NM-CIDS, of a single active virutal sensor. These low end sensors do not have the memory capacity to keep multiple configurations active in memory and still meet performance standards.

Thanks all, both responses helped

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: