[c-nsp] 65xx or 76xx for 'Distribution Layer'?
Justin Shore
justin at justinshore.com
Thu Oct 18 13:05:54 EDT 2007
Drew Weaver wrote:
> I'm trying to get opinions on two things.
I have an opinion on something else that you said that I thought I'd share.
> The main reason for this switch is we want to be able to add things like IDS / DDOS mitigation, etc to our network and it seems like a wiser choice to aggregate all of the connections than to hang them off separately.
In case you are considering the IDSM2 module for your 7600 I would
strongly recommend against it. Inline is not supported on the 7600; I
don't know if this is a BU thing or something with the SR code. Neither
I nor the AS SMEs that helped deploy it and other SMs could find any
public or private docs that stated as such. However the SME did find on
an internal Cisco mailing/forum of some sort that said it isn't
supported or even configurable. Also, passive requires a span port in
the 7600 which is limited to two regular spans. On our 7600s one is
consumed automatically with a type of "Service Module Session". I
haven't been able to figure out what's chewing up this one yet. I'm
using the other for troubleshooting and monitoring, thus rendering our
IDSM2s unusable for passive monitoring unless I use RSPANs.
If memory serves me correctly the IDSM2 isn't VRF aware either, forcing
you to move traffic around in VLANs. You're also limited to 4 sensors
per IDSM2. We were under the impression that the limit was based on
throughput and CPU load, not on the number of configurable sensors.
Since we were buying the IDSM2s for a data center application with
hundreds of customers this really didn't scale well for us; plus we
didn't think any customers would be willing to pony up $15k for IDS/IPS
functionality to buy their 1/4 of a pair of IDSM2s ($30k list/4 = $7.5k
* 2 IDSM2s = $15k). We came to realize that it was more cost-effective
for our needs and our customer needs to buy dedicated IPS 4200s as
needed for customers that wanted the functionality. Plus it could sit
in that customer's rack space and not reduce our own sellable rack
space. YMMV on this of course depending on your needs and design. It
wasn't right for us though.
We're returning our IDSM2s because of these shortcomings and are
applying the proceeds to 2 sets of 7600 Anomaly Detectors and Guards.
For your design you could use the standalone appliances instead which
would probably serve you well.
http://tinyurl.com/w48za
http://tinyurl.com/29h8mn
Justin