Solved: What happens when IDSM-2 performance is exceeded

m.petrovic · ‎12-10-2008

Hi,

we have IDSM-2 with about 20 inline vlan pairs in test environment. What happens to inline traffic when we exceed declared throughput of 500 Mbps? Is traffic dropped or is it forwarded without IPS inspection.

marcabal · ‎12-16-2008

If you exceed the monitoring capability of the sensor, then packets that can not be monitored will be dropped by the sensor.

NOTE: 500Mbps is not an absolute performance number for the sensor. It is a performance level that the sensor has been testeed to be able to handle for specific types of traffic used in the performance test. It is unknown exactly how much traffic the sensor will be able to handle for your network. The IDSM-2 will likely handle AROUND 500 Mbps is many and even most customer networks. However, networks do vary and in some networks it may handle quite a bit less traffic, and in other networks might handle even more.

So the question isn't what will happen if you send more than 500 Mbps, but rather what will happen if you send more of your traffic than what the sensor is able to monitor. And the answer is that any traffic that can not be monitored because of performance limitations will be dropped by the sensor.

The only time packets are forwarded without inspection is if sensorApp has stopped monitoring ALL packets (either a reconfiguration or upgrade is taking place, or the sensorApp process has crashed) AND the auot software bypass functionality has kicked in. In which case ALL packets would be forwarded without analysis.

View solution in original post

bwilmoth · ‎12-16-2008

Cisco IOS Software Intrusion Prevention System (Cisco IOS IPS), with inline intrusion capabilities, is the first system in the industry to provide an inline, deep-packet-inspection-based IPS solution that helps enable Cisco routers to effectively mitigate a wide range of network attacks. Armed with the intelligence to accurately identify, classify, and stop malicious or damaging traffic in real time, Cisco IOS IPS is a core component of the Cisco Self-Defending Network, which helps the network protect itself. This technology uses Cisco IPS Sensor Software and signatures. Because Cisco IOS IPS is inline, it can drop traffic, send an alarm, or reset a connection-facilitating immediate router response to security threats.

marcabal · ‎12-16-2008

If you exceed the monitoring capability of the sensor, then packets that can not be monitored will be dropped by the sensor.

NOTE: 500Mbps is not an absolute performance number for the sensor. It is a performance level that the sensor has been testeed to be able to handle for specific types of traffic used in the performance test. It is unknown exactly how much traffic the sensor will be able to handle for your network. The IDSM-2 will likely handle AROUND 500 Mbps is many and even most customer networks. However, networks do vary and in some networks it may handle quite a bit less traffic, and in other networks might handle even more.

So the question isn't what will happen if you send more than 500 Mbps, but rather what will happen if you send more of your traffic than what the sensor is able to monitor. And the answer is that any traffic that can not be monitored because of performance limitations will be dropped by the sensor.

The only time packets are forwarded without inspection is if sensorApp has stopped monitoring ALL packets (either a reconfiguration or upgrade is taking place, or the sensorApp process has crashed) AND the auot software bypass functionality has kicked in. In which case ALL packets would be forwarded without analysis.