https://community.cisco.com/t5/network-security/ips-traffic-over-performace-limit/m-p/1593373#M65543 <HTML><HEAD></HEAD><BODY><P>Hi Radim,</P><P></P><P>Oversubscription in IPS is at Interface level or Virtual Sensor level.</P><P>Hypothetically say IPS has 6 interfaces each being a gig port.</P><P>This does not mean IPS throughput is 6 gigs, since the inspection engine may not be able to handle 6 gig at a time.</P><P></P><P>For interface level oversubscription, if you send more traffic to an interface than it can handle, then you overwhelm its interface buffers.</P><P>The packets get dropped at the interface level.</P><P>The ' FIFO errors' counter under 'show interface' will show this error.</P><P>Packets dropped because too much traffic it being sent to virtual sensor than it can handle will be seen as 'missed packet percentage' counter.</P><P>I shall check if this traffic is dropped or passed through uninspected and let you know.</P><P></P><P>The throughput of the IPS depends on the type of traffic flowing through it.</P><P>Please check the document below which explains IPS performance with some data for 4270.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7283.html">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7283.html</A></P><P></P><P>Hope this helps.</P><P></P><P>Sid Chandrachud</P><P>Cisco TAC - Security Team</P></BODY></HTML> Sat, 05 Mar 2011 22:03:02 GMT Siddharth Chandrachud 2011-03-05T22:03:02Z https://community.cisco.com/t5/network-security/ips-traffic-over-performace-limit/m-p/1593371#M65540 <P>Hi,<BR />I could not find any information about traffic which is over declared IPS appliance performance (throughput) limit.</P><P></P><P>Those packets will be droped or will pass through without inspection?</P><P></P><P>Thanks in advance!</P><P></P><P>Radim</P> Sun, 10 Mar 2019 12:17:07 GMT https://community.cisco.com/t5/network-security/ips-traffic-over-performace-limit/m-p/1593371#M65540 Radim Jurica 2019-03-10T12:17:07Z https://community.cisco.com/t5/network-security/ips-traffic-over-performace-limit/m-p/1593372#M65542 <HTML><HEAD></HEAD><BODY><P>Just for clarification - I mean inline mode.</P><P></P><P>Are there two possibilities depending on implementation? In case interface pairing packets will be bridged without inspection and in case VLAN pairing packets will be simply droped?</P><P></P><P>Thank you</P><P></P><P>Radim</P></BODY></HTML> Thu, 03 Mar 2011 22:29:11 GMT https://community.cisco.com/t5/network-security/ips-traffic-over-performace-limit/m-p/1593372#M65542 Radim Jurica 2011-03-03T22:29:11Z https://community.cisco.com/t5/network-security/ips-traffic-over-performace-limit/m-p/1593373#M65543 <HTML><HEAD></HEAD><BODY><P>Hi Radim,</P><P></P><P>Oversubscription in IPS is at Interface level or Virtual Sensor level.</P><P>Hypothetically say IPS has 6 interfaces each being a gig port.</P><P>This does not mean IPS throughput is 6 gigs, since the inspection engine may not be able to handle 6 gig at a time.</P><P></P><P>For interface level oversubscription, if you send more traffic to an interface than it can handle, then you overwhelm its interface buffers.</P><P>The packets get dropped at the interface level.</P><P>The ' FIFO errors' counter under 'show interface' will show this error.</P><P>Packets dropped because too much traffic it being sent to virtual sensor than it can handle will be seen as 'missed packet percentage' counter.</P><P>I shall check if this traffic is dropped or passed through uninspected and let you know.</P><P></P><P>The throughput of the IPS depends on the type of traffic flowing through it.</P><P>Please check the document below which explains IPS performance with some data for 4270.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7283.html">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7283.html</A></P><P></P><P>Hope this helps.</P><P></P><P>Sid Chandrachud</P><P>Cisco TAC - Security Team</P></BODY></HTML> Sat, 05 Mar 2011 22:03:02 GMT https://community.cisco.com/t5/network-security/ips-traffic-over-performace-limit/m-p/1593373#M65543 Siddharth Chandrachud 2011-03-05T22:03:02Z https://community.cisco.com/t5/network-security/ips-traffic-over-performace-limit/m-p/1593374#M65544 <HTML><HEAD></HEAD><BODY><P>Hi Sid,<BR />thank you for answer. I am specially interested in this for VLAN pairing mode for IPS-4270 connected to Cat6500 through MultiEtherChannel.</P><P></P><P>I thing that like there is no possible hardware bypass in VLAN pairing mode its same for overloading, because of retagging process. But maybe. It depends on where retagging is taken.</P><P></P><P>If you find something relevant, let me know please.</P><P></P><P>Radim</P></BODY></HTML> Sun, 06 Mar 2011 20:13:20 GMT https://community.cisco.com/t5/network-security/ips-traffic-over-performace-limit/m-p/1593374#M65544 Radim Jurica 2011-03-06T20:13:20Z