10-23-2010 01:49 AM - edited 03-10-2019 05:09 AM
Hello all,
If a LAN-IDSM2 is installed on a main swx 6500 as an IDS, can we switch it to be inline as an IPS?
How can we know if this IDSM can support the throughput? And how can we know what the current throughput passing through this LAN-IDSM2 is, in order to take a decision about it?
best regards,
10-23-2010 03:01 AM
Yes IDSM can be inline device.
Regarding throughput, it's best to do a test.
I believe a single IDSM can do 500Mbit/s (marketing numbers, actual performance will depend on features enabled etc.). Via ECLB you can take up to 4 devices to provide up to 2Gbit/s throughput (if traffic is load balanced properly).
If you want to check current load, you can check either stats in IDSM itself or if you want traffic statistics:
show intrusion modu {NUM} data-port {1|2} traffic
example result:
Intrusion-detection module 7 data-port 1
Specified interface is up line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is 0012.4374.290c (bia 0012.4374.290c)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s
input flow-control is off, output flow-control is unsupported
Last input never, output 00:00:44, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2 packets input, 164 bytes, 0 no buffer
Received 1 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
188437 packets output, 89695206 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
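An added example, not part of the original reply: a short Python parser that reads the data-port traffic output shown above and compares the busier direction with an assumed inspection capacity before a move to inline mode. The function names, the sample values and the default capacity (the 500Mbit/s marketing figure from the reply) are assumptions.

```python
import re

# Constructed sample in the format of the output quoted above; the rates and
# drop counts are made-up values, not measurements from a real module.
SAMPLE = """\
Intrusion-detection module 7 data-port 1
  Input queue: 0/2000/12/0 (size/max/drops/flushes); Total output drops: 3
  5 minute input rate 212345000 bits/sec, 41000 packets/sec
  5 minute output rate 1200000 bits/sec, 300 packets/sec
"""

RATE_RE = re.compile(r"5 minute (input|output) rate (\d+) bits/sec, (\d+) packets/sec")
INQ_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\)")
OUTDROP_RE = re.compile(r"Total output drops: (\d+)")


def parse_traffic(text):
    """Extract 5-minute rates and drop counters from the command output."""
    stats = {}
    for direction, bps, pps in RATE_RE.findall(text):
        stats[f"{direction}_bps"] = int(bps)
        stats[f"{direction}_pps"] = int(pps)
    inq = INQ_RE.search(text)
    if inq:
        stats["input_queue_drops"] = int(inq.group(3))
    out = OUTDROP_RE.search(text)
    if out:
        stats["output_drops"] = int(out.group(1))
    missing = {"input_bps", "output_bps"} - stats.keys()
    if missing:
        raise ValueError(f"rate lines not found: {sorted(missing)}")
    return stats


def headroom(stats, capacity_bps=500_000_000):
    """Compare the busier direction with an assumed inspection capacity.

    capacity_bps defaults to the 500 Mbit/s figure quoted in the reply,
    which is a marketing number; replace it with a tested value.
    """
    peak = max(stats["input_bps"], stats["output_bps"])
    return {
        "peak_bps": peak,
        "utilization": peak / capacity_bps,
        "drops_seen": bool(stats.get("input_queue_drops") or stats.get("output_drops")),
    }


if __name__ == "__main__":
    print(headroom(parse_traffic(SAMPLE)))
```

The 5-minute rate is an average, so short bursts can exceed it; sample the output repeatedly during peak hours and treat non-zero drop counters as a sign the port is already being pushed.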