Looking at the traffic should not slow anything down.  The IDS blade has its
own processor and is a completely separate device from the sup.  If
anything, the IDS blade may not be able to keep up with the traffic and you
may miss some traffic for inspection, i.e. the IDS blade might not catch all
attacks.  This has nothing to do with the sup's or MSFC's ability to move
packets.

Access-lists are different in that they are actively inserted in the data
path.  An IDS is essentially a glorified sniffer.  No sniffer, or IDS for
that matter, that I have worked with has ever had any effect on traffic
flows.  It is a watcher only and does not influence the traffic flow.  Does
that mean that it is impossible that an IDS blade would affect traffic?  No,
it doesn't, but it does mean that it would be a very significant bug and
absolutely should not happen.

Regards,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven A. Ridder
Sent: Sunday, April 07, 2002 3:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Core layer question [7:40535]


I've always understood that anything in the core (access-lists, FW blades,
IDS modules, etc.) is a bad design as it just slows down traffic as the
core is built for speed.  I was always told to move everything to the distro
or access-layer, depending on the function.  AFAIK, the IDS blades have to
look at all traffic, which could slow down the core, and this core is for a
global bank on Wall St.  If it's not done right now, when they expand later
this year, the network will suck.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


"Kent Hundley" wrote in message news:[EMAIL PROTECTED]...
> It's not a bad idea to have an IDS blade in the core, but if you have to
> pick either the DMZ and server blocks or the core, I would choose the
> former.  Having an IDS blade in the core should not affect any other
> processing of the switch since it's a completely self-contained module with
> its own processor. (Of course, Murphy is always lurking.)
>
> It's also a good idea to have redundant sup's, but cost may be a factor as
> well.  One can only have as much redundancy as your pocket book allows, and
> sup's aren't cheap. :-)
>
> Regards,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Steven A. Ridder
> Sent: Thursday, April 04, 2002 2:20 PM
> To: [EMAIL PROTECTED]
> Subject: Core layer question [7:40535]
>
>
> Has anyone ever designed a network and put either a firewall or IDS blade in
> the core switch block?  Even if the customer had no money, wouldn't this
> never be advisable?  Has anyone ever done it?
>
> As background for the questions, I started a new job, and so I took over
> some accounts, and whoever has been doing the configs (I think some have
> been coming from Cisco!) has been making mistakes here and there.  One
> proposal had a 500 phone IP Tel network running over Cat. 3 wiring, and this
> one has a WAN block going back to the core block (dual 6506's) with only 1
> sup in each and an IDS blade in each!  Isn't it advisable to move the IDSs
> to the server and DMZ blocks?  Also, isn't it always advisable to go with 2
> sups?
>
> I just want to make sure I'm not crazy, as I'd not like to cause a ton of
> waves my first week on the job.
>
> --
>
> RFC 1149 Compliant.
> Get in my head:
> http://sar.dynu.com
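To make Kent's distinction concrete, here is a small Python model added for this page (not code from the thread or from any Cisco product): a SPAN-fed sensor with a bounded buffer sitting beside the forwarding path, next to an access-list evaluated inline. Buffer depth, inspection rate and packet rates are constructed values; the point is that an overloaded sensor loses inspection coverage (its `missed` counter grows) while forwarding is untouched, whereas the ACL decides the fate of every packet it sees.

```python
# Constructed model (added example, not from the thread): a passive, SPAN-fed
# IDS blade sits beside the forwarding path, so falling behind costs inspection
# coverage rather than throughput; an inline ACL is evaluated on every packet.
from collections import deque

class PassiveSensor:
    """Receives packet copies into a bounded buffer; inspects inspect_rate per tick."""

    def __init__(self, capacity, inspect_rate):
        self.capacity, self.inspect_rate = capacity, inspect_rate
        self.buffer = deque()
        self.inspected = 0
        self.missed = 0  # copies dropped because the sensor could not keep up

    def offer(self, pkt):
        if len(self.buffer) >= self.capacity:
            self.missed += 1  # lost to inspection only; the original was forwarded
        else:
            self.buffer.append(pkt)

    def tick(self):
        for _ in range(min(self.inspect_rate, len(self.buffer))):
            self.buffer.popleft()
            self.inspected += 1

def run_span_path(packets_per_tick, ticks, sensor):
    """Forwarding plane: every packet is forwarded; the sensor only sees a copy."""
    forwarded = 0
    for t in range(ticks):
        for i in range(packets_per_tick):
            forwarded += 1
            sensor.offer((t, i))
        sensor.tick()
    return forwarded

def run_acl_path(packets, rules):
    """Inline ACL: each packet is matched top-down before it may be forwarded."""
    forwarded = denied = evaluations = 0
    for pkt in packets:
        for action, match in rules:
            evaluations += 1  # work done in the data path, per packet
            if match(pkt):
                break
        else:
            action = "deny"  # implicit deny at the end of the list
        if action == "permit":
            forwarded += 1
        else:
            denied += 1
    return forwarded, denied, evaluations
```

The defender's takeaway from the model is to watch the sensor's missed-copy counter, since that, not switch throughput, is what degrades when the blade is oversubscribed.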

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40812&t=40535