4235 with Multiple Monitoring Interfaces?

Answered Question
Jun 6th, 2003

This is a general question as to whether anyone is running the 4235 sensor on 4.0 code with multiple monitoring interfaces?


Basically I am wondering if you have any comments on performance or if you have run into any issues with the configuration. I have not seen too much documentation for actually configuring this, so I'm wondering if there are any additional requirements or considerations.






Overall Rating: 5 (2 ratings)
Correct Answer
ovanjara Fri, 06/06/2003 - 07:37
User Badges:
  • Cisco Employee,

Hi Chad,


With IDS 4.0 you can only monitor using one sniffing interface. With 4.1 you will have support for multiple monitoring interfaces.


As far as performance goes, I don't see any issues besides making sure the management station is able to handle the amount of alarms coming in when using multiple interfaces.


Thanks,


Obaid.

cgiulini Fri, 06/06/2003 - 07:45

Obaid,


That would explain the lack of documentation on this! The product overview did mention that this was possible with version 4.0, but I couldn't find any supporting documentation on actually configuring this in the technical docs.


This begs the question: Do you have a rough estimate on a timeframe for the 4.1 release?


And now that we're talking about a new version, I have another question: Will one sensor configured to monitor two segments be able to apply different response options to the two separate networks? For example, let's say that I have a sensor watching an internet DMZ and a DMZ connecting a partner. I trust the partner connection and permit some signature matches that I would not permit on the internet DMZ. Will 4.1 let me watch both segments and have different responses for each, or will both segments be held to the same response profile?


I'm not too concerned about alarm volume to the management console given the planned deployment. I was more concerned about additional memory or CPU requirements on the sensor to monitor multiple segments.


Thanks very much for this information. Quite a big help!


Regards,


Chad

mlhall Fri, 06/06/2003 - 08:27

Chad,


With multiple interfaces in 4.1 all interfaces will be inspected with the same configuration. We have the concept of virtual sensors in the works and it will come out in a version after 4.1. With virtual sensors you will be able to handle the example you mentioned.


So in summary 4.1 will give you multiple interfaces with the same IDS configuration. We will be adding the virtual sensors in a future version.


--Mike

rwassom Fri, 06/06/2003 - 07:48

Performance is based on the aggregate bandwidth you are monitoring across multiple interfaces, so management requirements should not be any higher than with a single interface.

Correct Answer
bkubesh Fri, 06/06/2003 - 08:50
User Badges:
  • Cisco Employee,

We are currently testing 4.1, which has support for multiple interfaces on the 4235. I have a configuration running in the lab with a 4235 that has a quad NIC card installed. Performance is very good. I think we rate the 4235 about 300 Mbit or so with 4.1, so you should have an aggregate bandwidth support for the 300 Mbit divided among your monitoring interfaces.


You are correct, no docs out yet, because 4.1 is not yet shipping. Expected very soon.

cgiulini Fri, 06/06/2003 - 09:35

Exactly the information I was looking for. Thanks to all of you for responding. I'll certainly keep an eye out for the 4.1 release.


Thanks again.


Chad


