cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
412
Views
0
Helpful
6
Replies

4235 with Multiple Monitoring Interfaces?

cgiulini
Level 1
Level 1

This is a general question as to whether anyone is running the 4235 sensor on 4.0 code with multiple monitoring interfaces?

Basically I am wondering if you have any comments on performance or if you have run into any issues with the configuration. I have not seen too much documentation for actually configuring this, so I'm wondering if there are any additional requirements or considerations.

2 Accepted Solutions

Accepted Solutions

ovanjara
Cisco Employee
Cisco Employee

Hi Chad,

With IDS 4.0 you can only montior using one sniffing interface. With 4.1 you will have support for multiple monitoring interfaces.

As far as performance goes, I don't see any issues besides to make sure the management station is able to handle the amount of alarms coming in when using multiple interfaces.

Thanks,

Obaid.

View solution in original post

bkubesh
Level 1
Level 1

We are currently testing 4.1, which has support for multiple interfaces on the 4235. I have a configuration running in the lab with a 4235 that has a quad nic card installed. Performance is very good. I think we rate the 4235 about 300 mbit or so with 4.1, so you should have a aggregate bandwidth support for the 300 Mbit divided among your monitoring interfaces.

You are correct , no docs out yet, because 4.1 is not yet shipping. Expected very soon.

View solution in original post

6 Replies 6

ovanjara
Cisco Employee
Cisco Employee

Hi Chad,

With IDS 4.0 you can only montior using one sniffing interface. With 4.1 you will have support for multiple monitoring interfaces.

As far as performance goes, I don't see any issues besides to make sure the management station is able to handle the amount of alarms coming in when using multiple interfaces.

Thanks,

Obaid.

Obaid,

That would explain the lack of documentation on this! The product overview did mention that this was possible with version 4.0, but I couldn't find any supporting documentation on actually configuring this in the technical docs.

This begs the question: Do you have a rough estimate on a timeframe for the 4.1 release?

And now that we're talking about a new version, I have another question: Will one sensor configured to monitor two segments be able to apply different response options to the two separate networks. For example, let's say that I have a sensor watching an internet DMZ and a DMZ connecting a partner. I trust the partner connection and permit some signature matches that I would not permit on the internet DMZ. Will 4.1 let me watch both segments and have different responses for each, or will both segments be held to the same response profile?

I'm not too concerned about alarm volume to the management console given the planned deployment. I was more concerned about additional memory or CPU requirements on the sensor to monitor multiple segments.

Thanks very much for this information. Quite a big help!

Regards,

Chad

Chad,

With multiple interfaces in 4.1 all interfaces will be inspected with the same configuration. We have the concept of virtual sensors in the works and it will come out in a version after 4.1. With virtual sensors you will be able to handle the example you mentioned.

So in summary 4.1 will give you multiple interfaces with the same IDS configuration. We will be adding the virtual sensors in a future version.

--Mike

Performance is based on the aggregate bandwidth you are monitoring across multiple interfaces, so management requirements should not be any higher than with a single interface.

bkubesh
Level 1
Level 1

We are currently testing 4.1, which has support for multiple interfaces on the 4235. I have a configuration running in the lab with a 4235 that has a quad nic card installed. Performance is very good. I think we rate the 4235 about 300 mbit or so with 4.1, so you should have a aggregate bandwidth support for the 300 Mbit divided among your monitoring interfaces.

You are correct , no docs out yet, because 4.1 is not yet shipping. Expected very soon.

Exactly the information I was looking for. Thanks to all of you for responding. I'll certainly keep an eye out for the 4.1 release.

Thanks again.

Chad

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: