[c-nsp] ISR IPS module
Łukasz Bromirski
lukasz at bromirski.net
Mon Feb 8 14:27:01 EST 2010
On 2010-02-08 18:55, Jay Nakamura wrote:
> Any opinions? How effective is it? Is it worth using?
It is an appliance on a card, so it is as effective as the real
box, however with less performance due to slower CPU.
> Also, what is your opinion on doing IPS without the hardware card on
> an ISR? My experience is it bogs down the router too much and you
> have to be so careful about what to include in scanning that it wasn't
> worth the effort. But that was before Cisco changed the signature
> format and how it scanned traffic at around 12.4(11)T.
Performance should be better at 12.4(15)T and later, but as you said,
doing inspection on traffic requires a lot of CPU cycles. CPUs
driving ISRs are in that term a lot slower than the x86-family CPUs
driving add-on modules so the outcome is obvious.
--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end. | http://lukasz.bromirski.net