I have an IDSM version 6.x set up to monitor both directions of traffic on a Cat6500 VLAN with an average 150 Mbit/s of traffic. Except during low-traffic times the missed packet counter is almost always at 23%. Is this too high? Is there something I can do about it?
I got the sensor with 6.x installed and don't want to downgrade unless I have to. I have one more sensor installed in a standby 6500, not under the same load though, and I have upgraded that sensor to 6.x but haven't noticed any change.
I guess my options are limited: either etherchannel two sensors or move the source of the SPAN session to another interface. Having the IDSM only capture one direction of the VLAN seems as much of a waste to me as having 23% packet loss.
I have to agree, missing ~23% of the packets is highly likely unacceptable from a security standpoint. It sounds as if you are running some SPANs/RSPANs or VACLs to direct traffic to the IDSM-2 in promiscuous mode. As opposed to mirroring a VLAN of traffic to a port, have you thought about putting the IPS unit in-line? Say at a choke point where that VLAN exits into a router or firewall? I believe this may cut your traffic down.
I've been considering the Inline VLAN option a lot. I haven't figured out the best place to put the Inline VLAN yet; almost all traffic is handled by the backplane of the 6500 and not much is passed over physical interfaces. I also have to upgrade the IOS since I have SXF3, which doesn't support Inline VLAN.
I guess there aren't any measures I can tune on the IDSM to increase the performance? It seems to me that the spec on the datasheet, 600 Mbit/s passive performance, is a bit optimistic if I'm getting issues at 230 Mbit/s.
I know I've seen 5.x datasheets showing a performance decrease when changing from promiscuous IDS mode to inline IPS mode, so I sincerely doubt changing your sensor to inline would help your problem. The current datasheet for 6.x shows the IDSM now rated as a 500 Mb/s device. I'm not sure if this decrease of 100 Mb/s is due to additional 6.x overhead (anomaly detection, OS fingerprinting, etc. must count for something) or if Cisco is now rating the sensors for inline mode only.
Tuning could help your problem; retiring the useless and unneeded signatures will decrease load, but this is a time-consuming and laborious process. Since you bought a 500 or 600 Mb/s sensor from Cisco, you could ask them to make it run properly and loan you an additional IDSM-2 to load balance across until they do come up with your fix.