Re: Duplex Setting on C&C and Monitoring Interface

nsinghani · ‎11-28-2001

On a 4210 sensor, Does the Duplex and Speed setting of the C&C as well as Monitoring Interface need to be specified for better throughput/performance? I noticed that sometimes the interface links go down and up again for no apparent reason.

rwassom · ‎11-28-2001

The interface settings cannot be hard coded at this time. The auto-negotiate feature should set the speed and duplex appropriately.

marcabal · ‎11-28-2001

My usual reccomendation is to set both interfaces as 100MB Half Duplex.

The difference in performance between Half and Full Duplex is negligible, we haven't even been able to measure any performance difference in our in house tests.

Since the command and control is only sending IDS communication traffic, the difference between half and full duplex has no affect on the ability ofthe sensor to send/receive traffic.

The monitoring interface is generally only receiving traffic (occasionally sends out TCP resets), so the difference between half and full duplex is not really measurable in most circumstances.

The only times that half vs. full duplex is really an issue is when both machines that are connected are trying to send more than 100MB on that single connection.

Since neither command and control or the sniffing interface should be dealing with more than 100MB then half duplex is fine.

So try setting it to 100MB Half Duplex on the switch (not configurable on the sensor side), and see if the port stops going up and down.

nsinghani · ‎12-03-2001

That did not help either.

Some other things we did:

1. Set to 10/Half.

2. Put in a hub instead.

Above did not work either.

This happens with more than one sensor. If you reboot the CSPM box (NT 4.0 SP6A, One NIC), communication establishes again. Then after a random time period, goes down again with another sensor.