Cisco Support Community
Cisco 6509 & Doing IDS via SPAN Ports

Hello all,

I am hoping you can provide me with some opinions, feedback, thoughts on the following.

We have some Cisco 6509 switches in our environment currently hitting around 60% usage on the Router overall statistics.

Now we are looking at implementing an intrusion detection system but by being as least invasive as possible to the network. Our thoughts are to utilise a SPAN port on the switches to send traffic to the NIDS device but we have concerns of the following.

The limitations of SPAN sessions on 6509's

The overhead on the switch of turning a SPAN session on and leaving it on permanently...

Please be generous and donate your 2c 


Re: Cisco 6509 & Doing IDS via SPAN Ports

Ash,

First of all, what's the output of 'sh proc cpu | exc 0.00'?  I'm curious what's causing 60% CPU.

Secondly, I've been using VACLs on a 6500, which allows you to get around the limitations of SPAN.  However, I did have some performance issues when I got crazy with adding many VLANs to my configuration, as some older line cards share ASIC buffers per 8 ports, or something to that effect.  I can't find the article for the life of me.

VACLs:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html#wp1061021

Otherwise, you could utilize taps, and manage them with Anue:

http://www.anuesystems.com/

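As an added illustration of the two approaches discussed in the thread (this configuration is not from the original posts nor from Cisco's documentation; the interface name, VLAN numbers and object names are assumed for the example), here is a local SPAN session beside the VACL-capture alternative the reply suggests, both feeding a single receive-only sensor port:

```cisco
! Added example, not from the original thread. GigabitEthernet3/48 is
! assumed to be the NIDS-facing port; VLANs 10 and 20 are the monitored VLANs.
!
! ---- Option A: local SPAN session (copies all traffic of the source VLANs)
monitor session 1 source vlan 10 both
monitor session 1 source vlan 20 both
monitor session 1 destination interface GigabitEthernet3/48
!
! ---- Option B: VACL capture (the alternative suggested in the reply)
! 1. An ACL selecting the traffic to copy (here: all IP traffic)
ip access-list extended IDS-CAPTURE-ALL
 permit ip any any
!
! 2. A VLAN access map: matching packets are forwarded normally AND a copy
!    is sent to the capture port(s). Entry 20 has no match clause, so it
!    forwards everything else and avoids the map's implicit drop.
vlan access-map IDS-CAPTURE 10
 match ip address IDS-CAPTURE-ALL
 action forward capture
vlan access-map IDS-CAPTURE 20
 action forward
!
! 3. Apply the map to the VLANs of interest
vlan filter IDS-CAPTURE vlan-list 10,20
!
! 4. Make the sensor-facing port a capture port restricted to those VLANs
interface GigabitEthernet3/48
 description NIDS sensor (receive only)
 switchport
 switchport capture
 switchport capture allowed vlan 10,20
!
! ---- Verification
show monitor session 1
show vlan access-map IDS-CAPTURE
show vlan filter
show interfaces GigabitEthernet3/48 capture
```

Two things to watch when deploying either option. First, the copied traffic is limited by the capture port's own link speed: mirroring several busy VLANs into one 1 Gbit/s port silently drops copies, which shows up as blind spots on the sensor rather than as an error on the switch; that is the case where the passive taps mentioned in the reply are the better fit. Second, the 60% figure in the question is route-processor CPU, and both SPAN and VACL capture are performed by the forwarding hardware on the 6500, so neither should add to that number; `show processes cpu sorted` (or the reply's `sh proc cpu | exc 0.00`) identifies what actually is consuming it.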