CSIDSv4 network configuration

kimu
Level 1

Hello,

The network configuration of CSIDSv4 is below.

$ dmesg | grep duplex

e100: eth1 NIC Link is Up 100 Mbps Half duplex

e100: eth1 NIC Link is Up 100 Mbps Half duplex

e100: eth0 NIC Link is Up 100 Mbps Half duplex

If we use "Half duplex", does the IDS drop alerts sometimes? In general, it is better to use Full than Half.

4 Replies

marcabal
Cisco Employee

The Duplex of the sensor is not configurable by the user. You will need to let the sensor auto detect what duplex to use.

As for whether or not Full is better than Half: either works just fine, and you should not see any dropped alerts or issues with using either for a promiscuous sensor.

The performance difference between Half and Full duplex is primarily when the incoming traffic added to the outgoing traffic is higher than the rating on the NIC.

If you have 70Mbps incoming on a 100Mbps NIC, then with Half Duplex you could only send out a maximum of 30Mbps (100Mbps total), while in Full Duplex you could still send out 100Mbps (170Mbps total).

So full duplex helps when you have traffic going both in and out of the NIC.

For most machines that both receive and send traffic, the Full duplex will give you a possible performance improvement.

When dealing with a sensor, the first thing you realize is that the ONLY packets the sensor ever sends out are the TCP Resets. And unless you are overusing the TCP Resets, they should account for less than 1Mbps.

So 99% of the traffic on the line is coming into the sensor.

So with Full Duplex 100Mbps, you could send in 100Mbps and send out the 1Mbps for the TCP Resets for a total 101Mbps.

With Half Duplex 100Mbps, you could send in 99Mbps, and send out the 1 Mbps for the TCP Resets for a total 100Mbps.

So the performance capability difference for the sensor is only the 1Mbps that the TCP Resets would take up when in Half Duplex.

If you are worried about this 1Mbps difference, then you have bigger problems because you should never be sending close to 100Mbps to a 100Mbps NIC because traffic bursts when running close to 100Mbps will generally go higher than 100Mbps and be dropped by the switch regardless of what the Duplex setting is.

If you are running at rates close to 100Mbps on a 100Mbps link, then you should upgrade your sensor to an IDS-4235 or IDS-4250 that support 1Gbps connections and connect to a gig port on the switch.

So for promiscuous sensors the Half Duplex performs just fine, and you should just let the sensor auto detect its Duplex setting.

NOTE: This is true for the promiscuous sensor, but for other machines that do generate/send a lot of traffic, the Full Duplex connection will make a difference.

NOTE: This does change when the sensor becomes an inline device and needs to transmit as much traffic as it receives. When that functionality gets added to the sensor, the ability to control the Speed and Duplex settings will also be made user controllable.

Can you tell me if the NIC Link messages (up/down) are recorded to a log that would indicate the date/timestamps that the activity occurred?

Recently came across the same issue regarding half versus full duplex. Sensors were autonegotiating half duplex. I wanted to set the command and control interface eth1 to 100 Full Duplex. Would the following command placed in /etc/rc.local cause any issues or cause this device not to be supported by Cisco:

/sbin/mii-tool -F 100baseTx-FD

Making changes like this is not supported by Cisco.

There has been no testing to know what effect this could have on the sensor.

Any problems found on the sensor would require a reload of the image before the TAC would attempt to troubleshoot the problem.

You should let the sensor auto negotiate its speed and duplex in version 4.1.

Because of so many requests for speed and duplex hard coding, we will be adding it into a future version. Until then, just let it auto negotiate.

Understand that the command and control interface should never be generating or receiving anywhere close to 100Mbps. In fact it should be much closer to less than 1 Mbps unless the sensor is very heavily utilized.

So you should see no real world performance difference between half and full duplex.