Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
299
Views
0
Helpful
5
Replies

Gigabit traffic and IDS

niglio
Level 1
Level 1

‎11-25-2002 08:19 AM - edited ‎03-09-2019 01:11 AM

we need to set an IDS in order to analyze traffic coming from 2 Gigabit Routers on a switch Catalyst 3508XL with all the 8 port occupied. SO any idea about which kind of solution we can use (TAP....)?

Labels:
0 Helpful
5 Replies 5

duchesne_ced
Level 1
Level 1

‎11-25-2002 08:35 AM

I've never tried but have you think about a Fiber splitter (look at Black box) and Cisco IDS4250 with the SX connector ????

0 Helpful

marcabal
Cisco Employee
Cisco Employee
In response to duchesne_ced

‎11-25-2002 09:00 AM

The finber splitter requires that the sensor have 2 fiber sniffing interfaces.

This is not currently supported in the Cisco sensors.

0 Helpful

ttorgerson
Level 1
Level 1

‎11-26-2002 02:24 PM

Could you reword your post.. .it is a bit confusing! given what you have provided, you would probably need a 4250 appliance ... but are you sure that the switch is being fully utilized? you may only be utilizing 5% of the switch, in which case you could use a 4235 appliance. First thing is to confirm that you are utilizing that much! Even the 4250 is going to peak out far before gigabit speeds and will start dropping packets... but you need to confirm that you are utilizing that much of your switch... the 3508XL has a backplane speed or forwarding bandwidth of 5Gbps... If you have that much traffic... good luck trying to capture and analyze all of it!

0 Helpful

AlelA
Level 1
Level 1
In response to ttorgerson

‎11-27-2002 03:27 AM

You say:

"Even the 4250 is going to peak out far before gigabit speeds and will start dropping packets"

Are there any way to parallelize the use of an IDS? Is it possible split traffic to be monitored between appliances in order to double the capability of the IDS?

Thanks

0 Helpful

ttorgerson
Level 1
Level 1
In response to AlelA

‎11-27-2002 08:43 PM

The fiber splitter will not work going to one sensor... the sensor does not support multiple sniffing interfaces to be used simultaneously... If you use a splitter, you will need multiple sensors...

I would ask this: Is this the optimal place to sniff? Have you looked over the following document to confirm that this section of the network is the optimal point to place the sniffer?

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2113/products_maintenance_guide_book09186a008007d21e.html

It may be that placement should be elsewhere (prior to this hop in the network from both directions, etc.), which would take care of this problem. If placement is confirmed to be in the proper placement, some changes in your network design at this particular point will probably be required in order to perform intrustion detection. IDS, no matter what the product (at this stage in development) cannot support this much information if indeed you are utilizing the switches backplane. Have you confirmed that you are having a full utilization at this point of the network! If not, then you should be covered with a 4250...

hope this helps... will be back on friday...

0 Helpful
Customers Also Viewed These Support Documents