Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco version 6 and analysis engines

Looking for information on how many instances of "rulesx" and "sigx" can be run on the different platforms? Example I can configure rules0, rules1, rules2 and the same for sig0, sig1 and sig2, but how many can I do?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Cisco version 6 and analysis engines

Generally you are limited to 4 virtual sensor configurations..vs0 and up to 3 additional named virtual sensors, such as vs1, "this_sensor", and "that_sensor" (see an exception in the next paragraph). The number of defined components (sigX, rulesX, adX) is not capped, but a maximum of 4 will be active at any time...corresponding to the virtual sensors. It should be noted that you can reuse components, e.g. sig0 can be used in both vs0 and vs2 while sig1 is used in vs1. The same for rulesX and adX.

There is a limitation on the "low memory" sensors, currently the 4215 and NM-CIDS, of a single active virutal sensor. These low end sensors do not have the memory capacity to keep multiple configurations active in memory and still meet performance standards.

3 REPLIES
Gold

Re: Cisco version 6 and analysis engines

I've run 2 successfully, but I suspect it depends a great deal on the actual policy configuration and traffic patterns. In our case, in a 4255 we saw memory consumption remain about the same (~50%) but CPU went from about 30-45% to 50-65%. If that holds for a 3rd set of policies (CPU ~70-85%), I personally wouldn't do it, but YMMV.

Cisco Employee

Re: Cisco version 6 and analysis engines

Generally you are limited to 4 virtual sensor configurations..vs0 and up to 3 additional named virtual sensors, such as vs1, "this_sensor", and "that_sensor" (see an exception in the next paragraph). The number of defined components (sigX, rulesX, adX) is not capped, but a maximum of 4 will be active at any time...corresponding to the virtual sensors. It should be noted that you can reuse components, e.g. sig0 can be used in both vs0 and vs2 while sig1 is used in vs1. The same for rulesX and adX.

There is a limitation on the "low memory" sensors, currently the 4215 and NM-CIDS, of a single active virutal sensor. These low end sensors do not have the memory capacity to keep multiple configurations active in memory and still meet performance standards.

New Member

Re: Cisco version 6 and analysis engines

Thanks all, both responses helped

225
Views
10
Helpful
3
Replies