Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
362
Views
0
Helpful
1
Replies

How long should it take to deploy config on 4240?

Go to solution
k.lapczuk
Level 1
Level 1

‎07-25-2005 11:26 PM - edited ‎03-10-2019 01:33 AM

I noticed very long config deployment on 4240. In CLI I make several changes to the virtualSensor config, answering yes for the "Apply changes?" prompt and it takes about 20 minutes to start to sniff interfaces (traffic flow started) again. What does the box do in the meanwhile and how to shorten that time. I have about six hundred signatures tuned (other config that built-in) - can it be bottle neck?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎07-27-2005 04:22 AM

The sensor is most likely regenerating regular expression cache tables.

Instead of analyzing each signature's regular expression independantly when a packet comes in, it will instead combine the regular expressions of all of the signatures into one giant regular expression and generate a state table, and then write the new state table to the disk/compactflash. (We term these the regular expression cache tables).

When you enable or disable a signature, or when you add in custom signatures, it will have to regenerate these cache tables, because that combined regex has now changed.

(NOTE: Version 5.0 has large improvements in this area. Cache tables are now shipped directly from Cisco for the standard unretired signatures as part of the signature update process. But if you add custom signatures or unretire signatures that Cisco has retired, then even 5.0 can take time to make the changes)

Creating these tables is very CPU intensive, so the sensor is not able to monitor traffic while the tables are being created.

So it is best to save modifications like enable/disabling, retiring/unretiring, changing regular expressions, and creating custom signatures for times when you can afford the sensor downtime.

NOTE: Modifications to severity, actions, summarizations, and filters do not affect the cache tables and should be able to be applied in a matter of seconds.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎07-27-2005 04:22 AM

The sensor is most likely regenerating regular expression cache tables.

Instead of analyzing each signature's regular expression independantly when a packet comes in, it will instead combine the regular expressions of all of the signatures into one giant regular expression and generate a state table, and then write the new state table to the disk/compactflash. (We term these the regular expression cache tables).

When you enable or disable a signature, or when you add in custom signatures, it will have to regenerate these cache tables, because that combined regex has now changed.

(NOTE: Version 5.0 has large improvements in this area. Cache tables are now shipped directly from Cisco for the standard unretired signatures as part of the signature update process. But if you add custom signatures or unretire signatures that Cisco has retired, then even 5.0 can take time to make the changes)

Creating these tables is very CPU intensive, so the sensor is not able to monitor traffic while the tables are being created.

So it is best to save modifications like enable/disabling, retiring/unretiring, changing regular expressions, and creating custom signatures for times when you can afford the sensor downtime.

NOTE: Modifications to severity, actions, summarizations, and filters do not affect the cache tables and should be able to be applied in a matter of seconds.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card