Dropping vlan traffic to an IDS device

We have a very busy vlan that we're capturing traffic from and sending it to a Gig port connected to an IDS device. Approximately 20% of the traffic is either being dropped by the switch capture port or the IDS device. We've been told 3% dropped traffic is acceptable and we're trying to figure out how to limit the dropped traffic for that vlan. Any ideas? Thanks,
Dave Magorty
Network Infrastructure

Here's a pretty good description that includes an example of what you're trying to do:
http://www.flukenetworks.com/fnet/en-us/supportAndDownloads/KB/IT+Networking/SuperAgent/How_do_I_limit_traffic_spanned_to_SuperAgent_on_a_Cisco_6500.htm
Note the "layered" application of ACLs and the use of "action forward" and "action forward capture".
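
As an added example (not from the original post or the linked Fluke article), this is what the "layered" VACL capture looks like in Catalyst 6500 IOS. The VLAN number, the sensor's interface and the choice of interesting traffic are assumptions for illustration. The point is the ordering: the first access-map entry that matches a packet wins, so the entries with `action forward capture` come first and a catch-all `action forward` must follow them, otherwise IP traffic that matches nothing falls through to the VLAN map's implicit deny and the production VLAN is black-holed.

```text
! Assumed policy: the sensor only needs web and DNS traffic from VLAN 100
ip access-list extended IDS-INTERESTING
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit udp any any eq 53
!
! Catch-all used by the second map entry; without it, non-matching IP
! traffic is dropped by the VLAN map's implicit deny
ip access-list extended ANY-IP
 permit ip any any
!
! Entry 10: forward normally AND copy to the capture port
vlan access-map IDS-CAPTURE 10
 match ip address IDS-INTERESTING
 action forward capture
!
! Entry 20: everything else is forwarded only (no copy to the sensor)
vlan access-map IDS-CAPTURE 20
 match ip address ANY-IP
 action forward
!
! Apply the map to the busy VLAN (VLAN 100 is an assumption)
vlan filter IDS-CAPTURE vlan-list 100
!
! The port the IDS sensor is plugged into (interface is an assumption)
interface GigabitEthernet3/1
 description IDS sensor (VACL capture port)
 switchport
 switchport capture
 switchport capture allowed vlan 100
```

    Verify the map with `show vlan access-map IDS-CAPTURE` and `show vlan filter`, and keep an eye on output drops on the capture port with `show interfaces GigabitEthernet3/1 | include drops`. The capture port still egresses at 1 Gbps, so the captured subset has to fit in that with headroom; if even the interesting traffic exceeds the port, the sensor keeps dropping no matter how the VACL is written.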

Similar Messages

  • Vlan traffic is not passing through Wireless Bridge

    Hi,
    Recently we placed a wireless bridge in our network (Cisco AIR-BR1410A-E-K9 model). After installing the bridge we are facing an issue: only the management interface traffic is reachable through the bridge, but we are not able to reach other VLAN traffic.
    The management range is in VLAN 1 (which includes the APs, switch and router), and the bridge IPs are also in VLAN 1.
    The switch port is kept in trunk mode on both ends of the bridge. Still, other VLAN traffic is not reachable. Do we have to apply any special configuration for this?
    All the business users are in VLAN 3,
    all the sales team users are in VLAN 123.
    Now the problem is that the other-end switches that are in VLAN 1 are reachable for me through the bridge, but VLAN 3 and VLAN 123 are not reachable for me. Users are not getting IPs; when we assigned a static IP address and tested, it still did not work.
    I am attaching my wireless bridge configuration to the discussion; please help on this issue.
    Root Bridge ---- Non--Rootbridge--- Cisco Switch--Cisco Switch..
    Now I am able to reach those two switches also, but not able to reach the VLAN 3 users who are connected to those switches.

    Hi,
    The infrastructure-ssid has been placed at both ends; still not able to get IPs to the devices.
    I am not able to attach txt files in the reply; could you please let me know your email ID so that I can send the config files to you.

  • Drag and dropping of ebooks in to iOS devices

    Hi-
    Has anyone else noticed that the drag and dropping of ebooks / PDFs onto iOS devices in iTunes has disappeared?
    Is there ANY other way to get ebooks, and PDFs on the ios devices OTHER than setting up an iTunes sync?
    It would be nice if there was an option in the Mavericks iBooks application to "add to iPad" or to drag it in from there.
    Thanks

    Hi Sarojamaly,
    According to your description, when you create a Data Source View in BIDS/SSDT, you can't see the tables in the pane. Right?
    In this scenario, when creating the data source, please make sure you select the correct data provider. For example, if you connect to a SQL Server database, you should use
    Native OLE DB\SQL Server Native Client. Then please test your connection to the data source.
    If the tables still can't be displayed, please make sure you selected the proper database and check that the tables exist in the database.
    Best Regards,
    Simon Hou
    TechNet Community Support

  • IDS device signature import - some help

    Hi there,
    Has anyone ever imported a signature set in an IDS device?
    So you can export signatures to a CSV, but can you import them back in this way? If not, when you create an 'export file' in CSM, can you merge that .cfg to the IDS and only affect the signature set?
    I am asking in order to do deployments to multiple IDS sensors when CSM isn't functioning / can't be used to deploy, but only to generate the config file.
    Thanks guys!

    CSM has the concept of Signature Policies that do what you want.
    Take your reference sensor that has the signatures tuned the way you want and "share" that signature policy.
    Once shared, you can apply this policy to as many other sensors as you like (don't forget to submit and deploy your changes).
    The CSV export is only for making spreadsheets or reports of your signature settings/policy.
    If you don't have CSM you can spill the config of a sensor (show conf) and paste the signature configuration into another sensor via the command line.
    - Bob

  • Wireshark capture on access port displays different vlan traffic

    Hi Guys,
    I have a Nexus 4001i Blade Center switch where I have a server connected in access mode to a particular VLAN.
    When I use Wireshark on this port, I see traffic conversations of different servers in different VLANs, which seems strange to me.
    Does anybody have an idea why a server in access mode running Wireshark is able to see other VLANs' traffic? I also see non-multicast and non-broadcast conversations.
    The port the server is connected to is not a monitor port, but only a switch port in access mode.
    Thanks in advance for your feedback.

    Hi,
    So it looks like you're getting unicast traffic flooded to all ports. There are a couple of reasons I've come across that can cause this.
    Asymmetric routing: See Unicast Flooding in Switched Campus Networks and/or Case Study #8: Asymmetric Routing and HSRP (Excessive Flooding of Unicast Traffic in Network with Routers That Run HSRP) for details of why it happens and how to prevent it.
    Microsoft Network Load Balancing. As per the Microsoft Troubleshooting NLB:
    In unicast mode (the default Forefront TMG cluster operation mode) NLB induces switch flooding, by design, relaying packets sent to the VIP addresses to all cluster hosts. Switch flooding is part of the NLB strategy for obtaining the best throughput for any specific load of client requests. However, if the NLB interfaces share the switch with other (non-cluster) computers, switch flooding can add to the other computers' network overhead by including them in the flooding and consequently have a detrimental effect on network and/or server performance.
    Regards
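
    Added example, not part of the reply above: the asymmetric-routing case is usually fixed by making sure the switch forgets a host's MAC address no sooner than the router forgets its ARP entry. On Catalyst IOS the defaults are 300 seconds for MAC aging and 4 hours (14400 s) for ARP, so the router keeps sending to a MAC the switch has already aged out, and the switch floods every such frame to all ports in the VLAN. The commands below use Catalyst IOS syntax and assume VLAN 20; the Nexus 4001i in the question runs NX-OS, so the exact spelling of these commands should be checked in its command reference.

```text
! On the Layer 2 switches that carry the VLAN: keep MAC entries at least as
! long as the router's ARP entries (default MAC aging is 300 s, ARP is 14400 s)
mac address-table aging-time 14400 vlan 20
!
! Or, on the Layer 3 device that owns the VLAN's gateway (SVI or router
! interface): expire ARP entries at least as fast as the MAC table does.
! Either change alone closes the gap; VLAN 20 is an assumption.
interface Vlan20
 arp timeout 300
```

    To confirm the diagnosis before changing timers, capture on the server with a filter that drops everything it should legitimately see, for example `not ether broadcast and not ether multicast and not ether dst <server MAC>`; anything left is flooded unicast. On the switch, `show mac address-table address <MAC of a flooded destination>` returning nothing while the router still has an ARP entry for that host is the asymmetric-routing signature. The NLB case is different: there the flooding is by design, and the usual cure is to put the cluster on its own VLAN or pin its MAC with static entries.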

  • After installing Mountain Lion on my MBP Retina, WiFi connection drops frequently (not happening to other devices around); it also takes a lot to reconnect after wake up.

    After installing Mountain Lion on my MBP Retina, the WiFi connection drops frequently (not happening to other devices around, like on an iPhone); it also takes a lot to reconnect after wake up. Does anybody have a solution for this?


  • QoS Marking Traffic Generated by Network Device

    I am working on defining QoS configuration standards for Catalyst 3750, 4500 and 6500 platforms. I would like to provide preferred treatment to some of the protocols commonly used for network management (e.g. telnet, SSH, etc.). I have no issues with classifying and marking traffic generated by an NMS or PC connected to a switch, but I cannot figure out how to classify and mark traffic generated by the switch itself. It won't do any good if traffic from the NMS or PC to the device is preferred but the response from the device is unmarked/best effort.
    The only way that I can see to do this is to apply an input policy on the upstream device to classify and mark the network management traffic. I would prefer to do it on the device itself. Does anyone know if that is possible?
    I'm assuming that any traffic generated by the switch would be ignored by an output policy, similar to the way that traffic generated by the device bypasses access lists. Even if this is a bad assumption, the 3750 does not support output policies, so I'd still be stuck there.
    It was suggested that I look into applying the policy to the control plane; however, on the platforms where that option is available, policies can only be applied inbound, which I believe is the wrong direction.
    Anyone have other suggestions on how to accomplish this or is this a lost cause?

    You can use local PBR to do this. Check out the local policy-map
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm#wp1001002
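
    Added example (not part of the reply above) of the local policy route-map the linked document describes. It marks the replies the switch itself sends for SSH, telnet and SNMP, identified by their source port, and leaves transit traffic alone, because `ip local policy` is applied only to locally generated packets. The DSCP value and the protocol list are assumptions; whether a given Catalyst platform and release support local PBR has to be checked in its configuration guide, which is the question's real constraint.

```text
! Match packets the switch originates in reply to management sessions:
! the switch's own service port is the SOURCE port of these packets
ip access-list extended SELF-MGMT-REPLIES
 permit tcp any eq 22 any
 permit tcp any eq 23 any
 permit udp any eq snmp any
!
! Only a set of DSCP, no next hop: the packet is marked and then takes
! its normal route (CS2 is an assumed value for the management class)
route-map MARK-SELF-MGMT permit 10
 match ip address SELF-MGMT-REPLIES
 set ip dscp cs2
!
! Local PBR: applies to packets generated by this device, not to transit
ip local policy route-map MARK-SELF-MGMT
```

    `show route-map MARK-SELF-MGMT` shows the policy-routing match counters, so an SSH session into the switch should make them climb; if they stay at zero, the platform is not applying local policy to that traffic and the upstream input policy remains the fallback.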

  • Audio MIDI Setup - drop-down menu of mfrs. and devices empty?

    As the subject says, I'm trying to set up my small arsenal of MIDI gear, and the drop-down lists of manufacturer and device names in the Audio MIDI Setup->MIDI window are empty (there are supposed to be dozens of items to choose from). I've just recently performed a new installation of Snow Leopard, and everything is up to date. I even installed Garage Band, thinking that its installation might fix the missing MIDI device list, but no luck. Another odd thing is that my MOTU MTP AV is recognized by name within System Profiler (as an attached USB device), but I had to install drivers for it to appear in the MIDI Setup window.
    Anyone experience this and/or have a solution? I own Pacifist, and if someone knows where the missing files are located within the SL installer disc I could try a custom installation. Help...

    same problem here, no more device manufacturers and names, but a bigger problem to me is that I see no way of reorganizing the view in the MIDI window anymore, it puts all my devices next to each other, with 30 devices that makes it totally unusable.

  • Monitoring VLAN traffic

    I moved from 2500 series routers to a switched network using a Catalyst 3750 and 3560 switches over the course of the last year. In my routed network I used MRTG to monitor traffic on my interfaces. In my switched network environment I have not been able to find a free or low cost tool that will monitor VLAN traffic. Any suggestions?

    I have the same problem and found these links that provided answers:
    http://forums.cacti.net/about29656.html&highlight=
    http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_23738165.html
    VLANs on 3560s, 3750s and 3550s do not show stats. The packets are forwarded by the ASICs and do not cross the CPU for actual processing. To actually see the traffic you will need to turn off CEF, which decreases performance significantly (not recommended; see links above).

  • VLAN Traffic Monitoring

    Hi all
    I have 2900XL core switches which in turn are connected to several 2950 switches. All are in VLAN 1.
    I have a few questions:
    When people say broadcast traffic should not be more than 20% of the VLAN traffic:
    1. Does it mean the broadcast of a single port in the 2950 switch or the core switch?
    2. How do I know the VLAN traffic?
    Any tools etc., and how is the setup?
    Hope someone can help. :)
    Thanks in Advance.
    Alan

    Hi Narayanan,
    This is Guru Prasad R from Saksoft Ltd. I have been working as a Network Engineer here for the past year. I also worked as a part-time technical assistant in a networking environment for 3 years.
    Since I am a new guy to this networking world, I may require your guidance and support in making my career the best one.
    I have finished my CCNA and two MCP exams, one for Server 03 and another for Exchange Server 03. I am currently doing the CCNP Switching [BCMSN] exam.
    Kindly help me to make my career the best one. Expecting your kindness on the same.
    I noted down your contact number from your Cisco profile. My contact details are given below:
    Guru Prasad.R
    Mobile: +91-9840822258
    Mail id: [email protected]
    Expecting your reply mail for the same.
    Thanks & Regards,
    Guru Prasad .R

  • IDS Device Manager not working

    The IDSM2, when on version 4.1.4S48, was working properly. The IDS Device Manager at https://<ip address> was working.
    After upgrading to 4.1.5S189, the IDS Device Manager broke. I cannot access the device manager using IE; it says page not found. Also, when I use the IDS Event Viewer, I do not see any alarms.

    The event manager will not work with 5.0; the reporting facility (SDE) is not supported in IEV. IDM or VMS/SecMon need to be used to see alarms.
    The most common reason for IDM not to work is that permit lists get reset when you upgrade to 5.0. Run setup and ensure that there is a permit statement that includes the machine you are launching IDM from.

  • Routing VLAN traffic

    Is it possible to route VLAN traffic?
    We have two buildings, each with several Catalyst 2950s and a 2651 router hosting several VLANS.
    Can we connect the 2651s together and expand the VLANs into the other building?

    HI
    Can you give info about how these two buildings are connected to each other? As far as routing is concerned, you can configure sub-interfaces under your physical interface on your router. Are these 2950s connected to the 2651? If they are, how are your VLANs spread? Are you using any sort of VTP? If your 2950s are connected to the 2651 then you can go for sub-interfaces per VLAN.
    For example, if you have 3 VLANs then you can configure the physical interface on your router as:
    interface f0/0.1
    encapsulation dot1q 1
    ip address 192.168.1.1 255.255.255.0
    and so on
    Thanks
    Mahmood

  • 3750X - Dropped multicast traffic flooding on all switchport vlan interfaces

    Hello forum, 
    I have a problem with source multicast blocking. I have a switch with a VLAN interface (e.g. VLAN 20) and on that VLAN interface an extended ACL is present. That ACL blocks specific multicast groups. Furthermore, I have many switchport access interfaces in VLAN 20 with different sources connected.
    If one source starts streaming to a multicast destination IP blocked by the ACL, the dropped traffic is flooded on all switchports in the source's VLAN.
    IGMP snooping on this VLAN is enabled, but it seems that the dropped traffic stays in the L2 VLAN regardless.
    Device used: C3750X
    IOS:  15.0(2)SE5
    Thank you for help

    Hi Michal,
    thanks for your reply!
    Yes, probably I've captured all lines of the access list... but I have to change my approach because my access list is an extended "named" access list and, in another post, I've read that "named" access lists cannot be debugged...
    Now I've deleted all access-list entries that refer to VLAN 2 and I've created a new "numbered" one:
    #ip access-list extended 100
    #10 permit ip 172.16.2.0 0.0.0.15 any log
    In this mode the debug shows only access-list 100 traffic + bcast + mcast.
    But the strange thing is another one now...
    I've bought a multifunction printer that sends scanned documents to an email account. The printer doesn't have an internal SMTP server; it makes a connection to HP servers that forward the scans to the real destination address...
    I was curious to find out how this connection works because my private/confidential documents are sent over the internet, and I would hope that HP uses a secure connection from my printer to its server...
    Well, if I add the "log" keyword at the end of the access list, or I enable access-list debugging, the printer stops communicating with the HP services/server... if I turn off debug or rewrite the access list without the "log" feature, incredibly the printer starts communicating with HP again...
    Do you have any idea that explains that? I'm going crazy...
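
    Added example, not part of either message above: a router ACL applied to the SVI only sees traffic that is routed into or out of VLAN 20, so a multicast stream that stays bridged inside the VLAN never reaches it and is simply flooded by the Layer 2 forwarding path. A VLAN access map is applied to bridged traffic as well, so it is the place to drop a group inside the VLAN on a 3750X. The group address is an assumption; the catch-all entry keeps all other IP traffic in the VLAN flowing.

```text
! The group(s) to drop inside the VLAN (239.1.1.1 is an assumed example)
ip access-list extended BLOCKED-MCAST
 permit ip any host 239.1.1.1
!
! Catch-all for the second map entry
ip access-list extended ANY-IP
 permit ip any any
!
! Entry 10 drops the blocked group for every frame bridged in the VLAN
vlan access-map VLAN20-MCAST 10
 match ip address BLOCKED-MCAST
 action drop
!
! Entry 20 forwards everything else; without it other IP traffic in the
! VLAN would hit the map's implicit deny
vlan access-map VLAN20-MCAST 20
 match ip address ANY-IP
 action forward
!
vlan filter VLAN20-MCAST vlan-list 20
```

    Check with `show vlan access-map VLAN20-MCAST` and `show vlan filter`; the SVI's router ACL can stay in place for the routed case, but on its own it cannot stop the intra-VLAN flood the question describes.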

  • How to isolate vlan traffic

    I want to create two VLANs, VLAN 1 and VLAN 2. The setup is that VLAN 1 can communicate with VLAN 2, but VLAN 2 must not have any permission to communicate with VLAN 1. My switch is a Cisco 3750X. How can I configure this?

    Hi,
    Don't forget that IP communication is bidirectional and that ACLs are stateless, so unless you use a stateful feature like reflexive ACLs or a firewall feature you can't permit all communication from VLAN 1 to VLAN 2 and at the same time block VLAN 2 to VLAN 1, because then you'll block the reply traffic sent in response to permitted traffic from VLAN 1 to VLAN 2.
    On access/distribution switches like the 29xx/35xx there is no such feature, so your only solution is to do the inter-VLAN routing on a router or firewall and apply the filtering policy on that device.
    Regards
    Alain
    Don't forget to rate helpful posts.
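
    Added example, not from Alain's reply, of the stateful version of this policy on the IOS router that does the inter-VLAN routing (router on a stick with dot1Q subinterfaces; the addresses, interface and timeout are assumptions, and VLAN 1 is assumed to be the trunk's native VLAN). VLAN 2 is treated like an "outside" interface: sessions leaving toward VLAN 2 create temporary reflexive entries, and traffic arriving from VLAN 2 may reach VLAN 1 only when it matches one of them.

```text
! Sessions initiated toward VLAN 2 create temporary mirror entries named
! V1-SESSIONS (only TCP and UDP are reflected in this fragment)
ip access-list extended TO-VLAN2
 permit tcp any any reflect V1-SESSIONS
 permit udp any any reflect V1-SESSIONS
!
! Traffic coming from VLAN 2: replies to tracked sessions first, then an
! explicit deny toward VLAN 1, then anything else (e.g. toward the Internet)
ip access-list extended FROM-VLAN2
 evaluate V1-SESSIONS
 deny ip any 192.168.1.0 0.0.0.255
 permit ip any any
!
! Idle timeout for the temporary entries (assumed value, in seconds)
ip reflexive-list timeout 120
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
! Both lists hang off the VLAN 2 subinterface: reflect outbound, evaluate inbound
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group TO-VLAN2 out
 ip access-group FROM-VLAN2 in
```

    While a session from VLAN 1 is open, `show access-lists V1-SESSIONS` lists the temporary entry with its remaining lifetime. Reflexive ACLs track one flow at a time, so protocols that open secondary connections (active FTP, for instance) need a real firewall, which is the reply's other option.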

  • RV220W - VLAN traffic filtering

    Hi all,
    Can I please ask if anyone knows how to filter traffic between VLANs on the RV220W? I cannot seem to see a way.
    I only have two VLANs: the main VLAN and a separate VLAN for guest WiFi access. I have inter-VLAN routing disabled on the guest VLAN, but I do want guests to have access to a couple of devices on the main VLAN, printers etc. Also, using a PPTP connection remotely, I would like to be able to access the guest VLAN.
    Thanks in advance.
    Damien

    Hi Tom,
    I was under the impression that the RV220W does support full tunnel but then again I might be mistaken.  I have not used the SSL VPN yet but I will give it a try.
    Thanks,
    Jose
