Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Monitoring traffic in Asymettric networks with IDS blade

Hello All

I am putting together an iDS solution for a large ISP & they have asymettric traffic paths in the network.

Traffic can enter in across 1 cat 6500 leave across the other.

How can the IDS blade picks up attacks in this scenario & will it not be a lot of false positives.

If you have any info on this I would appreciate it.

Thanks in advance

Micheal Reynolds

Cisco Employee

Re: Monitoring traffic in Asymettric networks with IDS blade

We talk about this a little bit in the 3.0 config note:

Note: Since the writing of the document we have found that the performance of the sensor is worse when only one side of the connections are seen. The sensor attempts to keep state but is unabel to because no data is seen from the server. So when seeing both sides of the connection the sensor may be able to keep up with 120 Mbps give or take. But it can not necessarily see 120 Mbps of traffic going one direction.

Why? Generally the number of connections required to fill 120 Mbps where both sides are monitored compared to 120 Mbps where only 1 side is monitored. Usually web requests are fairly small while web replies are fairly large. So if you remove the web replies it takes multiple more web requests (5-10 times as many in some cases) to fill the bacndwidth back up to 120 Mbps. The sensor can not keep up with that many web requests. Your performance is likely, therefore, going to be much less than 100 Mbos if the majority of the traffic is small web requests. Mainly because of the many stream states it has to track and the amount of regular expression checking since most of our sigs are for web servers.

When deploying pay special attention to the 993 sigs. It will tell you when the IDSM has been saturated with packets, and you have to filter down what you send to it.