12-05-2006 01:32 PM - edited 03-10-2019 03:21 AM
My current configuration is two CAT 6500's with 1 IDSM installed in each monitoring different VLAN's through SPAN. My question is what happens when there is say "too much" traffic? traffic is not qued is it? or is it left alone to pass. I dont want to introduce any latency/bottlenecks to the network. I cant seem to find any documents on how they react to situations like this. Any help would be great thank you.
Solved! Go to Solution.
12-05-2006 04:59 PM
Normally, if the monitored network traffic/stream is high and beyond the SPAN capability, other traffic will just flow through, not kept in queue and subsequently delayed the traffic flow.
This is a nature of SPAN where it will only capture a snapshot of passing traffic, and this works fine in conjunction with IDSM's promiscuous mode that monitor traffic in passive mode.
Passive mode cannot drop packets to block a network intrusion attempt, but can send TCP resets to both sides of the network connection to try to break the connection.
HTH
AK
12-05-2006 04:59 PM
Normally, if the monitored network traffic/stream is high and beyond the SPAN capability, other traffic will just flow through, not kept in queue and subsequently delayed the traffic flow.
This is a nature of SPAN where it will only capture a snapshot of passing traffic, and this works fine in conjunction with IDSM's promiscuous mode that monitor traffic in passive mode.
Passive mode cannot drop packets to block a network intrusion attempt, but can send TCP resets to both sides of the network connection to try to break the connection.
HTH
AK
12-06-2006 10:11 AM
Ok thank you very much but that link isnt working for me.
12-06-2006 04:53 PM
12-06-2006 07:10 PM
Thank you.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide