Cisco 6509 & Doing IDS via SPAN Ports

ashminhas
Level 1

Hello all,

I am hoping you can provide me with some opinions, feedback, thoughts on the following.

We have some Cisco 6509 switches in our environment currently hitting around 60% usage on the Router overall statistics.

Now we are looking at implementing an intrusion detection system but by being as least invasive as possible to the network. Our thoughts are to utilise a SPAN port on the switches to send traffic to the NIDS device but we have concerns of the following.

The limitations of SPAN sessions on 6509s

The overhead on the switch of turning a SPAN session on and leaving it on permanently...

Please be generous and donate your 2c 


cflory
Level 1

Ash,

First of all, what's the output of 'sh proc cpu | exc 0.00'?  I'm curious what's causing 60% CPU.

Secondly, I've been using VACLs on a 6500, which allows you to get around the limitations of SPAN.  However, I did have some performance issues when I got crazy with adding many VLANs to my configuration, as some older line cards share ASIC buffers per 8 ports, or something to that effect.  I can't find the article for the life of me.

VACLs:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html#wp1061021

Otherwise, you could utilize taps, and manage them with Anue:

http://www.anuesystems.com/
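To make the two approaches concrete, here is an added configuration example (mine, not either poster's) showing a local SPAN session beside the VACL-capture alternative on a Catalyst 6500 running native IOS. It assumes VLANs 10 and 20 carry the traffic to inspect and GigabitEthernet1/1 is the port facing the NIDS sensor; both are placeholders.

```text
! Added example, not from either poster. Assumed: VLANs 10 and 20 are the
! monitored VLANs, GigabitEthernet1/1 connects to the NIDS sensor, and the
! switch runs native IOS with 12.2SX-style syntax.
!
! --- Option 1: local SPAN session. Uses one of the switch's limited number
! --- of local SPAN sessions and copies every packet on the VLANs (rx only).
monitor session 1 source vlan 10 , 20 rx
monitor session 1 destination interface GigabitEthernet1/1
!
! --- Option 2: VACL capture. Uses no SPAN session; only packets matched by
! --- the access-list are copied to the capture port. The catch-all entry
! --- (sequence 20) is required, because a VACL has an implicit deny and
! --- would otherwise drop all traffic on the filtered VLANs.
ip access-list extended IDS_INTERESTING
 permit tcp any any
 permit udp any any
!
vlan access-map IDS_CAPTURE 10
 match ip address IDS_INTERESTING
 action forward capture
vlan access-map IDS_CAPTURE 20
 action forward
!
vlan filter IDS_CAPTURE vlan-list 10,20
!
interface GigabitEthernet1/1
 switchport
 switchport capture
 switchport capture allowed vlan 10,20
!
! Checks after enabling either option:
!   show monitor session 1
!   show vlan access-map IDS_CAPTURE
!   show vlan filter
!   show processes cpu | exclude 0.00
```

The capture copy is made in hardware either way, so the sensor port still needs enough bandwidth for the aggregate of the monitored VLANs; narrowing the access-list is what keeps the VACL approach cheaper than a full SPAN.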
