IDSM-2 Performance

IDSM-2 gives 500Mbps in IPS mode and 600Mbps in IDS mode. Bundling 4 IDSM-2s in a single chassis gives 2Gbps performance with Sup 32. But the FWSM provides 5Gbps throughput and the Sup 720 supports 40Gbps switching. What is the disconnect here? How do you design your IDSM-2s to support 5Gbps throughput when you have a single FWSM supporting 5Gbps?

If you exceed the monitoring capability of the sensor, then packets that cannot be monitored will be dropped by the sensor.
NOTE: 500Mbps is not an absolute performance number for the sensor. It is a performance level that the sensor has been tested to be able to handle for the specific types of traffic used in the performance test. It is unknown exactly how much traffic the sensor will be able to handle for your network. The IDSM-2 will likely handle AROUND 500 Mbps in many and even most customer networks. However, networks do vary, and in some networks it may handle quite a bit less traffic, and in other networks it might handle even more.
So the question isn't what will happen if you send more than 500 Mbps, but rather what will happen if you send more of your traffic than the sensor is able to monitor. And the answer is that any traffic that cannot be monitored because of performance limitations will be dropped by the sensor.
The only time packets are forwarded without inspection is if sensorApp has stopped monitoring ALL packets (either a reconfiguration or upgrade is taking place, or the sensorApp process has crashed) AND the auto software bypass functionality has kicked in. In which case ALL packets would be forwarded without analysis.

Similar Messages

  • What happens when IDSM-2 performance is exceeded

    Hi,
    we have an IDSM-2 with about 20 inline VLAN pairs in a test environment. What happens to inline traffic when we exceed the declared throughput of 500 Mbps? Is traffic dropped, or is it forwarded without IPS inspection?


  • How can i use IDSM-2 in inline mode for more than two VLANs?

    Can I use the IDSM-2 in inline mode to be the IPS for more than two VLANs,
    like this, or not?
    intrusion-detection module 5 data port 1 access-vlan 10,20,30,40,50
    intrusion-detection module 5 data port 1 access-vlan 100,200
    Thank you all for your help

    The IDSM-2 ports need to be configured as trunk ports with multiple vlans rather than as access ports.
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517eb.html#wp1068377
    And instead of creating an inline interface pair by pairing Gig0/7 with Gig0/8 within the IDSM-2 configuration, you would create inline vlan pairs.
    With an inline vlan pair you pair 2 vlans on the same interface.
    You can have up to 255 inline vlan pairs on each interface (assuming you keep the total traffic from all of the pairs within the IDSM-2's performance limit of around 500Mbps)
    How to create inline vlan pairs:
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517bb.html#wp1047852
    The other aspect you need to be aware of is that not all IOS versions will support configuring the IDSM-2 data ports as trunk ports for inline vlan pairs.
    Your best bet is to use 12.2(18)SXF4 or a later version on the 12.2(18)SXF train.
    The 12.2(33)SR train does not currently support the trunk feature for the IDSM-2.

  • Need Help to see why the performance is not good

    Hi,
    We have an application in which all processes are developed in PL/SQL on an Oracle 9i database:
    Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production
    PL/SQL Release 9.2.0.6.0 - Production
    Why I created this package: the application is production management for the chemical industry. I sometimes need to trace the manufacturing order execution to explain some incoherent data. Analyzing the data directly in the table does not always give the answer, because the origin of the problem can come from some execution that performs some calculation.
    In the procedure or function I use my package PAC_LOG_ERROR.PUT_LINE(xxxxxx) to save the information. This command first saves the information in memory. At the end of the procedure or function I perform the insert with the COMMIT by calling PAC_LOG_ERROR.LOGS, or PAC_LOG_ERROR.ERRORS in the exception handler.
    This package is always called; I execute it in each routine performed. In the trace log of the database we have seen a problem with the procedure GET_PROC_NAME in the package. We have identified that it is called more than 800 times and degrades the performance. What is expensive is this select command:
        SELECT * INTO SOURCE_TEXT
        FROM (SELECT TEXT FROM all_source
            WHERE OWNER = SOURCE_OWNER AND
                  NAME=SOURCE_NAME AND
                  TYPE IN ('PROCEDURE','FUNCTION','PACKAGE BODY') AND
                  LINE <= SOURCE_LINE AND SUBSTR(TRIM(TEXT),1,9) IN ('PROCEDURE','FUNCTION ')
            ORDER BY LINE DESC)
        WHERE ROWNUM = 1;

    I use it to get the name of the procedure or function from which my log procedure is called. I know that I can pass it as a parameter, but I thought of using an automatic method, to avoid problems with other developer teams doing a copy/paste and not updating the parameters. Because the log info is read by the Help Desk, and if we have an error in the information it is not a good help.
    Could you please help me to optimize it, or tell me the better method to do it?
    Here my package :
    create or replace
    PACKAGE PAC_LOG_ERROR AS
    -- Name         : pac_log_error.sql
    -- Author       : Calà Salvatore - 02 July 2010
    -- Description  : Basic Error and Log management.
    -- Usage notes  : To active the Log management execute this statement
    --                UPDATE PARAM_TECHNIC SET PRM_VALUE = 'Y' WHERE PRM_TYPE = 'TRC_LOG';
    --                COMMIT;
    --                To set the period in day before to delete tracability
    --                UPDATE PARAM_TECHNIC SET PRM_VALUE = 60 WHERE PRM_TYPE = 'DEL_TRC_LOG';
    --                COMMIT;
    --                To set the number in day where the ERROR is save before deleted
    --                UPDATE PARAM_TECHNIC SET PRM_VALUE = 60 WHERE PRM_TYPE = 'DEL_TRC_LOG';
    --                COMMIT;
    -- Requirements : Packages PAC_PUBLIC and OWA_UTIL
    -- Revision History
    -- --------+---------------+-------------+--------------------------------------
    -- Version |    Author     |  Date       | Comment
    -- --------+---------------+-------------+--------------------------------------
    -- 1.0.0   | S. Calà       | 02-Jul-2010 | Initial Version
    -- --------+---------------+-------------+--------------------------------------
    --         |               |             |
    -- --------+---------------+-------------+--------------------------------------
      PROCEDURE INITIALIZE;
      PROCEDURE CLEAN;
      PROCEDURE RESETS(IN_SOURCE IN VARCHAR2 DEFAULT NULL);
      PROCEDURE PUT_LINE(TXT IN VARCHAR2);
      PROCEDURE ERRORS(REF_TYPE IN VARCHAR2 DEFAULT 'SITE', REF_VALUE IN VARCHAR2 DEFAULT '99', ERR_CODE IN NUMBER DEFAULT SQLCODE, ERR_MSG IN VARCHAR2 DEFAULT SQLERRM);
      PROCEDURE LOGS(REF_TYPE IN VARCHAR2 DEFAULT 'SITE', REF_VALUE IN VARCHAR2 DEFAULT '99');
    END PAC_LOG_ERROR;
    create or replace
    PACKAGE BODY PAC_LOG_ERROR
    AS
      /* Private Constant */
      CR    CONSTANT CHAR(1)  := CHR(13);  -- Carriage return
      LF    CONSTANT CHAR(1)  := CHR(10);  -- Line feed
      CR_LF CONSTANT CHAR(2)  := LF || CR; -- Line feed and carriage return
      TAB   CONSTANT PLS_INTEGER := 50;
      sDelay   CONSTANT PLS_INTEGER := 30;
      /* Private Record */
      TYPE REC_LOG IS RECORD(
        ERR_DATE TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
        ERR_TXT  VARCHAR2(4000)
      );
      /* Private Type Table */
      TYPE TAB_VALUE IS TABLE OF REC_LOG INDEX BY PLS_INTEGER;
      TYPE TAB_POINTER IS TABLE OF TAB_VALUE INDEX BY VARCHAR2(80);
      /* Private Variables Structures */
      LOG_TRC PARAM_TECHNIC.PRM_VALUE%TYPE;
      LIST_PARAM TAB_POINTER;
      /* Private Programs */
      FUNCTION GET_PROC_NAME( SOURCE_OWNER IN all_source.OWNER%TYPE
                             ,SOURCE_NAME  IN all_source.NAME%TYPE
                             ,SOURCE_LINE  IN all_source.LINE%TYPE) RETURN VARCHAR2
      AS
        SOURCE_TEXT  all_source.TEXT%TYPE;
        TYPE RECORD_TEXT IS TABLE OF all_source.TEXT%TYPE;
        RETURN_TEXT     RECORD_TEXT;
      BEGIN
        SELECT * INTO SOURCE_TEXT
        FROM (SELECT TEXT FROM all_source
            WHERE OWNER = SOURCE_OWNER AND
                  NAME=SOURCE_NAME AND
                  TYPE IN ('PROCEDURE','FUNCTION','PACKAGE BODY') AND
                  LINE <= SOURCE_LINE AND SUBSTR(TRIM(TEXT),1,9) IN ('PROCEDURE','FUNCTION ')
            ORDER BY LINE DESC)
        WHERE ROWNUM = 1;
        -- In Oracle the empty string is NULL, so the original "OR SOURCE_TEXT != ''" test never contributed anything.
        IF SOURCE_TEXT IS NOT NULL THEN
          SOURCE_TEXT := TRIM(SUBSTR(SOURCE_TEXT,1,INSTR(SOURCE_TEXT,'(')-1));     
          SOURCE_TEXT := LTRIM(LTRIM(TRIM(SOURCE_TEXT),'PROCEDURE'),'FUNCTION');
          SOURCE_TEXT := SOURCE_NAME||'.'|| TRIM(SOURCE_TEXT);
        ELSE
          SOURCE_TEXT := 'ANONYMOUS BLOCK';
        END IF;
        RETURN SOURCE_TEXT;
      END GET_PROC_NAME;
      PROCEDURE SELECT_MASTER(REF_TYPE IN VARCHAR2, PARAM_VALUE IN VARCHAR2, SITE OUT VARCHAR2, REF_MASTER OUT VARCHAR2)
      AS
      BEGIN
          REF_MASTER := '';
          SITE := '99';
          CASE UPPER(REF_TYPE)
            WHEN 'PO' THEN -- Process Order
              SELECT SITE_CODE INTO SITE FROM PO_PROCESS_ORDER WHERE PO_NUMBER = PARAM_VALUE;
            WHEN 'SO' THEN -- Shop Order
              SELECT P.SITE_CODE,P.PO_NUMBER INTO SITE,REF_MASTER FROM SO_SHOP_ORDER S
              INNER JOIN PO_PROCESS_ORDER P ON P.PO_NUMBER = S.PO_NUMBER
              WHERE S.NUMOF = PARAM_VALUE;
            WHEN 'SM' THEN -- Submixing
              SELECT SITE_CODE,NUMOF INTO SITE,REF_MASTER FROM SO_SUBMIXING WHERE IDSM = PARAM_VALUE;
            WHEN 'IDSM' THEN -- Submixing
              SELECT SITE_CODE,NUMOF INTO SITE,REF_MASTER FROM SO_SUBMIXING WHERE IDSM = PARAM_VALUE;
            WHEN 'PR' THEN -- Pourring
              SELECT B.SITE_CODE,P.NUMOF INTO SITE,REF_MASTER FROM SO_POURING P
              INNER JOIN SO_SUBMIXING B ON B.IDSM=P.IDSM
              WHERE P.IDSM = PARAM_VALUE;
            WHEN 'NUMSMP' THEN -- Pourring
              SELECT SITE_CODE,NUMOF INTO SITE,REF_MASTER FROM SAMPLE WHERE NUMSMP = TO_NUMBER(PARAM_VALUE);
    --        WHEN 'MSG' THEN -- Messages
    --          SELECT SITE_CODE,PO_NUMBER INTO SITE,REF_MASTER FROM CMS_INTERFACE.MAP_ITF_PO WHERE MSG_ID = PARAM_VALUE;
            ELSE
              SITE := sys_context('usr_context', 'site_attribute');
          END CASE;
      EXCEPTION
        WHEN OTHERS THEN
          REF_MASTER := '';
          SITE := sys_context('usr_context', 'site_attribute');
      END SELECT_MASTER;
      PROCEDURE ADD_LIST_PROC
      AS
      PRAGMA AUTONOMOUS_TRANSACTION;
      BEGIN
        MERGE INTO LOG_PARAM A
        USING (SELECT OWNER, TYPE
                     ,NAME PROC
                     , CASE NAME WHEN SUBNAME THEN NULL
                                 ELSE SUBNAME
                       END SUBPROC
               FROM (
                  SELECT owner,TYPE,UPPER(NAME) NAME,UPPER(trim(substr(substr(trim(text),1,instr(trim(text),'(')-1),instr(substr(trim(text),1,instr(trim(text),'(')-1),' ')))) SUBNAME
                         FROM ALL_SOURCE where owner in ('CMS_ADM','CMS_INTERFACE')
                                             and type in ('FUNCTION','PROCEDURE','PACKAGE BODY')
                                             and (instr(substr(trim(text),1,instr(trim(upper(text)),'(')-1),'FUNCTION') = 1 or instr(substr(trim(text),1,instr(trim(upper(text)),'(')-1),'PROCEDURE')=1)
               )-- ORDER BY OWNER,PROC,SUBPROC NULLS FIRST
        ) B
        ON (A.OWNER = B.OWNER AND A.TYPE = B.TYPE AND A.PROC=B.PROC AND NVL(A.SUBPROC,' ') = NVL(B.SUBPROC,' '))
        WHEN NOT MATCHED THEN
          INSERT (OWNER,TYPE,PROC,SUBPROC) VALUES (B.OWNER,B.TYPE,B.PROC,B.SUBPROC)
        WHEN MATCHED THEN
          UPDATE SET ACTIVE = ACTIVE;
        DELETE LOG_PARAM A
        WHERE NOT EXISTS (SELECT OWNER, TYPE
                     ,NAME PROC
                     , CASE NAME WHEN SUBNAME THEN NULL
                                 ELSE SUBNAME
                       END SUBPROC
               FROM (
                  SELECT owner,TYPE,NAME,upper(trim(substr(substr(trim(text),1,instr(trim(text),'(')-1),instr(substr(trim(text),1,instr(trim(text),'(')-1),' ')))) SUBNAME
                         FROM ALL_SOURCE where owner in ('CMS_ADM','CMS_INTERFACE')
                                             and type in ('FUNCTION','PROCEDURE','PACKAGE BODY')
                                             and (instr(substr(trim(text),1,instr(trim(text),'(')-1),'FUNCTION') = 1 or instr(substr(trim(text),1,instr(trim(text),'(')-1),'PROCEDURE')=1)
               ) WHERE A.OWNER = OWNER AND A.TYPE = TYPE AND A.PROC=PROC AND NVL(A.SUBPROC,' ') = NVL(SUBPROC,' '));
        COMMIT;
      EXCEPTION
        WHEN OTHERS THEN
          NULL;
      END ADD_LIST_PROC;
      PROCEDURE INITIALIZE
      AS
      BEGIN
        LIST_PARAM.DELETE;
        CLEAN;
    --    ADD_LIST_PROC;
      EXCEPTION
        WHEN OTHERS THEN
          NULL;
      END INITIALIZE;
      PROCEDURE CLEAN
      AS
        PRAGMA AUTONOMOUS_TRANSACTION;
        dtTrcLog DATE;
        dtTrcErr DATE;
      BEGIN
        BEGIN
          SELECT dbdate-NUMTODSINTERVAL(to_number(PRM_VALUE),'DAY') INTO dtTrcLog
          FROM PARAM_TECHNIC WHERE PRM_TYPE = 'DEL_TRC_LOG';
        EXCEPTION
          WHEN OTHERS THEN
            dtTrcLog := dbdate -NUMTODSINTERVAL(sDelay,'DAY');
        END;
        BEGIN
          SELECT dbdate-NUMTODSINTERVAL(to_number(PRM_VALUE),'DAY') INTO dtTrcErr
          FROM PARAM_TECHNIC WHERE PRM_TYPE = 'DEL_TRC_ERR';
        EXCEPTION
          WHEN OTHERS THEN
            dtTrcErr := dbdate -NUMTODSINTERVAL(sDelay,'DAY');
          END;
        DELETE FROM ERROR_LOG WHERE ERR_TYPE ='LOG' AND ERR_DATE < dtTrcLog;
        DELETE FROM ERROR_LOG WHERE ERR_TYPE ='ERROR' AND ERR_DATE < dtTrcErr;
        COMMIT;
      EXCEPTION
        WHEN OTHERS THEN
          NULL; -- Do nothing if error occurs and catch exception
      END CLEAN;
      PROCEDURE RESETS(IN_SOURCE IN VARCHAR2 DEFAULT NULL)
      AS
        SOURCE_OWNER all_source.OWNER%TYPE;
        SOURCE_NAME      all_source.NAME%TYPE;
        SOURCE_LINE      all_source.LINE%TYPE;
        SOURCE_TEXT  all_source.TEXT%TYPE;
        SOURCE_PROC  VARCHAR2(32727);
      BEGIN
        OWA_UTIL.WHO_CALLED_ME(owner    => SOURCE_OWNER,
                               name     => SOURCE_NAME,
                               lineno   => SOURCE_LINE,
                               caller_t => SOURCE_TEXT);
        -- Test the parameter, not the still-unassigned local SOURCE_PROC (which was always NULL,
        -- so the IN_SOURCE override was never used).
        IF IN_SOURCE IS NULL THEN
          SOURCE_PROC := SUBSTR(GET_PROC_NAME(SOURCE_OWNER,SOURCE_NAME,SOURCE_LINE),1,125);
        ELSE
          SOURCE_PROC := IN_SOURCE;
        END IF;
        LIST_PARAM.DELETE(SOURCE_PROC);
      EXCEPTION
        WHEN OTHERS THEN
          NULL;
      END RESETS;
      PROCEDURE PUT_LINE(TXT IN VARCHAR2)
      AS
        PRAGMA AUTONOMOUS_TRANSACTION;
        SOURCE_OWNER     all_source.OWNER%TYPE;
        SOURCE_NAME     all_source.NAME%TYPE;
        SOURCE_LINE     all_source.LINE%TYPE;
        SOURCE_TEXT all_source.TEXT%TYPE;
        SOURCE_PROC VARCHAR2(128); 
      BEGIN
        IF TXT IS NULL OR TXT = '' THEN
          RETURN;
        END IF;
        OWA_UTIL.WHO_CALLED_ME(owner    => SOURCE_OWNER,
                               name     => SOURCE_NAME,
                               lineno   => SOURCE_LINE,
                               caller_t => SOURCE_TEXT);
        SOURCE_PROC := GET_PROC_NAME(SOURCE_OWNER,SOURCE_NAME,SOURCE_LINE);
        IF LIST_PARAM.EXISTS(SOURCE_PROC) THEN
          LIST_PARAM(SOURCE_PROC)(LIST_PARAM(SOURCE_PROC).COUNT+1).ERR_TXT := TXT;
        ELSE 
          LIST_PARAM(SOURCE_PROC)(1).ERR_TXT := TXT;
        END IF;
      EXCEPTION
        WHEN OTHERS THEN
          NULL;   
      END PUT_LINE;
      PROCEDURE LOGS(REF_TYPE IN VARCHAR2 DEFAULT 'SITE', REF_VALUE IN VARCHAR2 DEFAULT '99')
      AS
        PRAGMA AUTONOMOUS_TRANSACTION;
        MASTER_VALUE ERROR_LOG.ERR_MASTER%TYPE;
        SITE PARAMTAB.SITE_CODE%TYPE;
        SOURCE_OWNER     all_source.OWNER%TYPE;
        SOURCE_NAME     all_source.NAME%TYPE;
        SOURCE_LINE     all_source.LINE%TYPE;
        SOURCE_TEXT all_source.TEXT%TYPE;
        SOURCE_PROC VARCHAR2(128);
        ERR_KEY NUMBER;
      BEGIN
    --    NULL;
        OWA_UTIL.WHO_CALLED_ME(owner    => SOURCE_OWNER,
                               name     => SOURCE_NAME,
                               lineno   => SOURCE_LINE,
                               caller_t => SOURCE_TEXT);
        SOURCE_PROC := SUBSTR(GET_PROC_NAME(SOURCE_OWNER,SOURCE_NAME,SOURCE_LINE),1,128);
        LIST_PARAM.DELETE(SOURCE_PROC);
    --    SELECT NVL(MAX(ACTIVE),'N') INTO LOG_TRC FROM LOG_PARAM WHERE TRIM(UPPER((PROC||'.'||SUBPROC))) = TRIM(UPPER(SOURCE_PROC))
    --                                      AND OWNER =SOURCE_OWNER AND TYPE = SOURCE_TEXT ;
    --    IF LOG_TRC = 'N' THEN
    --      LIST_PARAM.DELETE(SOURCE_PROC);
    --      RETURN;
    --    END IF;   
    --    SELECT_MASTER(REF_TYPE => UPPER(REF_TYPE), PARAM_VALUE => REF_VALUE, SITE => SITE, REF_MASTER => MASTER_VALUE);
    --    ERR_KEY := TO_CHAR(LOCALTIMESTAMP,'YYYYMMDDHH24MISSFF6');
    --    FOR AIX IN 1..LIST_PARAM(SOURCE_PROC).COUNT LOOP
    --      INSERT INTO ERROR_LOG (ERR_KEY, ERR_SITE,ERR_SLAVE  ,ERR_MASTER  ,ERR_TYPE ,ERR_PROC,ERR_DATE,ERR_TXT)
    --      VALUES (ERR_KEY,SITE,REF_VALUE,MASTER_VALUE,'LOG',SOURCE_PROC,LIST_PARAM(SOURCE_PROC)(AIX).ERR_DATE ,LIST_PARAM(SOURCE_PROC)(AIX).ERR_TXT);
    --    END LOOP; 
    --    UPDATE SESSION_CONTEXT SET SCX_ERR_KEY = ERR_KEY WHERE SCX_ID = SYS_CONTEXT('USERENV','SESSIONID');
    --    LIST_PARAM.DELETE(SOURCE_PROC);
    --    COMMIT;
      EXCEPTION
        WHEN OTHERS THEN
          LIST_PARAM.DELETE(SOURCE_PROC);
      END LOGS;
      PROCEDURE ERRORS(REF_TYPE IN VARCHAR2 DEFAULT 'SITE', REF_VALUE IN VARCHAR2 DEFAULT '99', ERR_CODE IN NUMBER DEFAULT SQLCODE, ERR_MSG IN VARCHAR2 DEFAULT SQLERRM)
      AS
        PRAGMA AUTONOMOUS_TRANSACTION;
        MASTER_VALUE ERROR_LOG.ERR_MASTER%TYPE;
        SITE         PARAMTAB.SITE_CODE%TYPE;
        SOURCE_OWNER all_source.OWNER%TYPE;
        SOURCE_NAME      all_source.NAME%TYPE;
        SOURCE_LINE      all_source.LINE%TYPE;
        SOURCE_TEXT  all_source.TEXT%TYPE;
        SOURCE_PROC  VARCHAR2(4000);
        ERR_KEY NUMBER := TO_CHAR(LOCALTIMESTAMP,'YYYYMMDDHH24MISSFF6');
      BEGIN
        OWA_UTIL.WHO_CALLED_ME(owner    => SOURCE_OWNER,
                               name     => SOURCE_NAME,
                               lineno   => SOURCE_LINE,
                               caller_t => SOURCE_TEXT);
        SOURCE_PROC := SUBSTR(GET_PROC_NAME(SOURCE_OWNER,SOURCE_NAME,SOURCE_LINE),1,125);
        SELECT_MASTER(REF_TYPE => UPPER(REF_TYPE), PARAM_VALUE => REF_VALUE, SITE => SITE, REF_MASTER => MASTER_VALUE);
       IF LIST_PARAM.EXISTS(SOURCE_PROC) THEN
          FOR AIX IN 1..LIST_PARAM(SOURCE_PROC).COUNT LOOP
            INSERT INTO ERROR_LOG (ERR_KEY,ERR_SITE,ERR_SLAVE,ERR_MASTER,ERR_PROC,ERR_DATE,ERR_TXT,ERR_CODE,ERR_MSG)
            VALUES (ERR_KEY,SITE,REF_VALUE,MASTER_VALUE,SOURCE_PROC,LIST_PARAM(SOURCE_PROC)(AIX).ERR_DATE, LIST_PARAM(SOURCE_PROC)(AIX).ERR_TXT,ERR_CODE,ERR_MSG);
          END LOOP; 
         LIST_PARAM.DELETE(SOURCE_PROC);
        ELSE
          INSERT INTO ERROR_LOG (ERR_KEY,ERR_SITE,ERR_SLAVE,ERR_MASTER,ERR_PROC,ERR_DATE,ERR_TXT,ERR_CODE,ERR_MSG)
          VALUES (ERR_KEY,SITE,REF_VALUE,MASTER_VALUE,SOURCE_PROC,CURRENT_TIMESTAMP,'Error info',ERR_CODE,ERR_MSG);
        END IF;
        UPDATE SESSION_CONTEXT SET SCX_ERR_KEY = ERR_KEY WHERE SCX_ID = sys_context('usr_context', 'session_id');
        COMMIT;
      EXCEPTION
        WHEN OTHERS THEN
          LIST_PARAM.DELETE(SOURCE_PROC);
      END ERRORS;
    END PAC_LOG_ERROR;

    Complex SQL like inline views and views of views can overwhelm the cost-based optimizer, resulting in bad execution plans. Start with getting an execution plan of your problem query to see if it is inefficient; look for full table scans in particular. You might get better performance by eliminating the IN and merging the results of 3 queries with a UNION.

  • Need help: is it a bug in IDSM-2 with IPS-K9-7.0-2-E3.pkg?

    Dear All,
    I have an IDSM with IPS-K9-7.0-2-E3.pkg installed.
    I use inline mode for this IDSM, and the IDSM is placed in front of the server farm,
    but I have a problem: one segment in my network cannot access the server,
    while another segment can access that server.
    That server is a real-time Oracle database application.
    This happens only for that server.
    When I filter the traffic with the IDSM, the result is that the transaction matches
    signature number 7000, even though that signature does not have an action to deny the traffic;
    the traffic still cannot pass. Then I tried to disable it, but nothing changed for that segment,
    even though the other segment can access that server normally.
    Can anyone explain to me why this happens?
    I tried to downgrade to IPS-K9-7.0-2-E3.pkg with IME but always get an error.
    Can anyone help me please?

    Hi Josh,
    this is my answer.
    First off, you cannot downgrade the version  without a re-image.  You can only downgrade signatures.  Second, you  mention 7.0(2)E3 as the version you are on and the version you want to  downgrade to.  Can you verify what version you are running?
    I have not downgraded to 7.0(2) yet because I don't yet have permission from my boss. And now my IDSM still uses 7.0(2)E3.
    This is a capture from my IDSM:
    OTIDSM# sh ver
    Application Partition:
    Cisco Intrusion Prevention System, Version 7.0(2)E3
    Host:                                                        
        Realm Keys          key1.0                               
    Signature Definition:                                        
        Signature Update    S425.0                   2009-08-17  
        Virus Update        V1.4                     2007-03-02  
    OS Version:             2.4.30-IDS-smp-bigphys               
    Platform:               WS-SVC-IDSM-2                        
    Serial Number:          SAD132802TL                          
    Licensed, expires:      20-Oct-2010 UTC                      
    Sensor up-time is 2 days.
    Using 1415421952 out of 1983504384 bytes of available memory (71% usage)
    system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
    application-data is using 38.6M out of 166.8M bytes of available disk space (24% usage)
    boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)
    MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    AnalysisEngine     B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500            
    Upgrade History:
      IPS-K9-7.0-2-E3   07:43:07 UTC Thu Oct 15 2009  
    Maintenance Partition Version 2.1(3)
    Recovery Partition Version 1.1 - 7.0(2)E3
    Host Certificate Valid from: 27-Apr-2010 to 27-Apr-2012
    On the traffic not passing issue, if you put the sensor in bypass, does that resolve the issue? That will eliminate any signature related actions from impacting the traffic. If you are still unable to access the servers then you should look for a routing or network layer issue.
    What do you mean by bypass? Is it to remove the IDSM from the network? If so, I have done that, and the server can be accessed from the segment that could not access it before. I have checked for a network layer problem, but everything is OK.
    And I want to clarify: the other segment that cannot access the server cannot access only some applications (a real-time application) on that server, but the server can be pinged and telnetted from that segment (I think this clarifies the network issue question).
    If that clears things up, the next step would be to create an Event  Action Override to produce alert for all signatures.  Then you can  review IME for any signatures firing related to these servers.  Please  remove the Override once you are done testing as this can have a  performance impact on the sensor over time and should only be used  temporarily to troubleshoot a specific issue.
    Well, I will try your suggestion, but I will wait for permission to execute it. I hope this works for my IDSM-2.
    If you are still having trouble, it may help to get some info about the config of the sensor and the switch. Specifically, how the VLAN or Interface Pairs are set up, etc.
    OK, I will...
    By the way, thanks for your help, boss.
    GBU...

  • IDSM-2 Throughput in Bypass Mode?

    Hi, in the Cisco documentation the IDSM-2 has 500Mbps throughput in inline mode and 600Mbps throughput in passive mode. So suppose that our IDSM-2 is in inline mode; then if we put our IDSM-2 in bypass mode, how much traffic can the IDSM-2 handle without any inspection (throughput)?
    thanks.

    The IDSM-2 would only be supported at the same 500Mbps for both inspection and ByPass mode.
    There is not a separate rating for ByPass mode.
    With that said, the IDSM-2 will do much higher than 500Mbps while in ByPass mode (assuming nothing else happening on the sensor).
    But I am not sure how much more since we don't generally test performance while in ByPass mode.
    You would not want to plan your network on the ByPass performance capability.
    The other reason is that when the sensor goes into ByPass there may be something else going on in the sensor.
    In the case of a Signature Update there will be signature processing consuming much of the CPU and memory so ByPass will not perform at its top performance.

  • IDSM on catalyst 6500 to provide IOS Inline mode support

    I am currently evaluating what kind of method to apply in my 6500. I would like to ask if IOS Version 12.2(33)SXI2a supports inline mode and inline VLAN pair mode with the IDSM-2. What configuration should be done on the switch in order for multiple-VLAN traffic to flow through an inline interface of the IDSM-2? In my case I have 16 user VLANs and 1 server VLAN on the Catalyst 6500. The task is to protect the servers from users. The requirement is to configure inline mode to monitor the traffic from these 16 VLANs when they access the servers. But as we know, the IDSM-2 has only two logical sensing ports. So my question is, how will you configure the switch to forward the traffic from these 16 VLANs to the IDSM-2 module via only ONE sensing port, since the other sensing port will be configured in the server VLAN? Because as far as I know, when you configure inline mode on IOS you have to configure the sensing ports in access mode (while in CatOS you configure these as TRUNK ports). But this only works when you have two VLANs. In my case, I have 16 VLANs to monitor in inline mode. Please suggest any solution.
    I will be very grateful for any urgent reply.
    Many Thanks in advance

    Hi Mubin,
       If you're looking to monitor all the traffic from the user VLANs to the server VLANs then the simplest way to configure the IDSM-2 would be inline on the server VLAN segment.  All traffic destined to the servers (from the users or anywhere else) has to traverse that VLAN.  Assuming you have something like this to start:
    VLAN 100-120 (users) ====== Switch ------ VLAN 200 (servers)
    you'd drop the IDSM-2 inline on VLAN 200 by using a helper VLAN:
    VLAN 100-120 (users) ====== Switch ----- VLAN 201 (server gateway) ----- IDSM-2 (bridging 201 to 200) ----- VLAN 200 (servers)
    To do this you'll need to perform the following steps:
    1.  Designate a new VLAN to use as a helper VLAN for your current server VLAN.  I'll use 201 for this example and assume your current server VLAN is 200.
    Create the helper VLAN on the switch:
    switch# conf t
    switch(config)# vlan 201
    2.  Configure the IDSM-2 to bridge the helper VLAN and the server VLAN (200-201)
    sensor# conf t
    sensor(config)# service interface
    sensor(config-int)# physical-interface GigabitEthernet0/7
    sensor(config-int-phy)# admin-state enabled
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 200
    sensor(config-int-phy-inl-sub)# vlan2 201
    sensor(config-int-phy-inl-sub)# description Server-Helper pair
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# exit
    sensor(config-int-phy)# exit
    sensor(config-int)# exit
    Apply Changes:?[yes]:
    3.  Configure the switch to trunk the helper and server VLANs to the IDSM-2 module.  I assume the module is in slot 5 in the example.  Replace the 5 with the correct slot for your deployment:
    switch# conf t
    switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
    switch(config)# intrusion-detection module 5 data-port 1 autostate include
    *Warning! This next step may cause an outage if everything is configured correctly.  You'll probably want to schedule a window to do this.*
    4.  Finally, force the traffic from the server VLAN through the IDSM-2 by moving the server VLAN gateway from VLAN 200 (where it is currently) to the helper VLAN you created.  To do this, remove the SVI from VLAN 200 and apply the same IP address to VLAN 201.  I assume the current server gateway is 192.168.1.1/24.
    switch# conf t
    switch(config)# int vlan 200
    switch(config-int)# no ip addr
    switch(config-int)# int vlan 201
    switch(config-int)# ip addr 192.168.1.1 255.255.255.0
    switch(config-int)# exit
    switch(config)# exit
    switch# wr mem
    Now, when the servers try to contact 192.168.1.1 (their gateway) they'll have to be bridged through the IDSM-2 to reach VLAN 201 and in the process all traffic destined to them or sourced from them will be inspected.  Do not put any hosts or servers in the helper VLAN (201) or they will not be inspected.
    Best Regards,
    Justin
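    A small audit script, added here as an example and not part of the reply above, that checks a 6500 running-config excerpt for the ways the helper-VLAN design can silently stop inspecting server traffic: both VLANs missing from the IDSM-2 data-port trunk, the gateway SVI left on the server VLAN, or (the caveat in the last paragraph) an access port placed in the helper VLAN. The config text, slot number and interface names are constructed for the example.

```python
# Constructed 6500 running-config excerpt (not from the page) after the helper-VLAN
# steps above, with one deliberate mistake: Gi3/2 is an access port in helper VLAN 201.
SAMPLE_CONFIG = """\
intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
interface GigabitEthernet3/2
 switchport access vlan 201
interface Vlan200
 no ip address
interface Vlan201
 ip address 192.168.1.1 255.255.255.0
"""

def parse_blocks(config):
    """Group an IOS config into {header line: [indented body lines]}."""
    blocks, header = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and header is not None:
            blocks[header].append(line.strip())
        elif line.strip():
            header = line.strip()
            blocks[header] = []
    return blocks

def allowed_vlans(config, slot, data_port):
    """Expand the IDSM-2 data-port trunk allowed-vlan list (e.g. '200-202,210')."""
    prefix = f"intrusion-detection module {slot} data-port {data_port} trunk allowed-vlan "
    vlans = set()
    for line in config.splitlines():
        if line.startswith(prefix):
            for part in line[len(prefix):].split(","):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_helper_vlan(config, server_vlan, helper_vlan, slot, data_port=1):
    """Return findings that would let server traffic skip inspection; [] means clean."""
    findings, blocks = [], parse_blocks(config)
    trunked = allowed_vlans(config, slot, data_port)
    for v in (server_vlan, helper_vlan):
        if v not in trunked:
            findings.append(f"VLAN {v} not trunked to IDSM-2 slot {slot} data-port {data_port}")
    has_ip = lambda h: any(l.startswith("ip address ") for l in blocks.get(h, []))
    if has_ip(f"interface Vlan{server_vlan}"):
        findings.append(f"interface Vlan{server_vlan} still has the gateway IP (traffic skips IDSM-2)")
    if not has_ip(f"interface Vlan{helper_vlan}"):
        findings.append(f"interface Vlan{helper_vlan} has no gateway IP")
    for h, body in blocks.items():
        if h.startswith("interface ") and f"switchport access vlan {helper_vlan}" in body:
            findings.append(f"{h} is an access port in helper VLAN {helper_vlan} (not inspected)")
    return findings
```

Running `audit_helper_vlan(SAMPLE_CONFIG, 200, 201, 5)` on the constructed config reports only the Gi3/2 access port; an empty list means the helper-VLAN placement passes all three checks.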

  • IDSM-2 VLAN pairing

    Is there any limitation on the number of VLAN pairs that can be configured in inline mode with an IDSM-2 module in a 6500?

    Each interface has a limit of around 255 inline VLAN pairs. The IDSM-2 has 2 monitoring interfaces, and so has an upper limit of around 510 inline VLAN pairs.
    I wouldn't recommend using near that many.
    The biggest limiting factors you are going to face are performance and the number of virtual sensors.
    From a performance perspective the IDSM-2 is limited to around 500 Mbps regardless of how many inline vlan pairs are used.
    The IDSM-2 is also limited to only 4 virtual sensors. So you can only have 4 sets of signature settings, and 4 sets of filters. So the 510 inline vlan pairs would have to be grouped within these 4 virtual sensors.

  • Multiple IDSM-2 in C6500

    Hi, there
    Can I put TWO IDSM-2 modules in a single C6500 chassis and bundle them together to run in IDS mode, in order to have higher throughput? I am reluctant to run IPS mode. Thanks.

    Hi,
    You can use two - in fact Cisco sell a bundle of four in one chassis to get 2-Gbps Performance:
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet0900aecd804b91d7.html
    The maximum supported is 8 in one chassis.
    HTH
    Andrew.

  • IDSM-2 TCP reset

    Hi,
    I have been trying to figure out how to get TCP reset working in IDSM-2.
    Switch config,
    monitor session 2 destination intrusion-detection-module 9 data-port 1
    monitor session 2 source remote vlan 99
    Custom testattack signature,
    Log shows the signature has been triggered,
    On the attacker, I ran a wireshark capture, but did not see any attempt to reset the TCP session.
    Any idea what I misconfigured?
    From what I have read, for native IOS, I don't have to configure anything for the TCP reset interface System0/1.
    Regards.

    Hi,
    The IDSM2 has a separate TCP reset interface, System0/1. On the IDSM2 there is no need to explicitly configure the TCP reset interface; it is automatically added to all necessary VLANs by the switch.
    Once a signature is configured to perform the reset action, and that signature is triggered, the reset will be sent out the reset port with the appropriate VLAN tag attached. From the switch it is then sent to the appropriate VLAN.
    Thanks and Regards,
    Thulasi Shankar

  • IDSM-2 re-image issue

    Hi Netpros,
    I am getting this error when I try to re-image the IDSM-2 from the maintenance partition. Actually I don't know the password for the administrator account, and re-imaging was the only option according to the documentation. This is the step I am following:
    [email protected]#upgrade ftp://[email protected]//WS-SVC-IDSM2-K9-sys-1.1-a-6.0-2-E1.bin.gz --install
    Downloading the image. This may take several minutes...
    Password for [email protected]:
    ftp://[email protected]//WS-SVC-IDSM2-K9-sys-1.1-a-6.0-2-E1.bin.gz (25662K)
    /tmp/upgrade.gz           [########################]   25662K | 8838.99K/s
    26278451 bytes transferred in 2.90 sec (8838.70k/sec)
    ERROR:  /tmp/upgrade.gz: not in gzip format
    Am I missing anything?
    Thanks
    -- FAIZ

    It looks like you are following the instructions for installing an IDSM system image in this guide:
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliImage.html#wp1031992
    If you have performed each step as described and are still getting this error message, you might want to open a TAC case on your IDSM.
    If your IDSM is defective, they can RMA it (assuming you have a maintenance contract).
    - Bob

  • Cisco 6500 IDSM Signature Updates

    Hi,
    One of my clients has recently purchased a Cisco IDSM-2 for their core router, i.e. a 7609; however, the client missed purchasing the SUSA licensing for signature updates.
    Can the client still configure the IDSM-2 without signature updates (in any mode), and what would be the limitations if he does not buy the SUSA in the future either?
    Manmeet

    The only thing that cannot be done without the SUSA license (IPS Subscription license) is updating the signatures to the latest signature update file.
    You can still configure the IDSM2; the only thing that can't be performed is updating the signatures to the latest.
    Hope that answers your question.

  • IDSM-2 - VSS Load Balance

    Hi everyone ...
    I have two 6509s configured with VSS; in each 6509 we have one FWSM and one IDSM2.
    We have configured the FWSM with contexts and we have failover working fine.
    Now we want to configure the IDSM as inline IPS, but we want to use both IDSMs in load balance to improve performance and get high availability with security.
    Is this possible?
    I know we can get load balancing with IPS appliances using EtherChannel in switching (ECLB), but I don't know if we can do this with the IDSM modules in the Catalyst 6509 considering VSS.
    Any suggestions ?

    The VSS is a special configuration.
    You can configure the FWSM modules to be failover partners, but with IDSM modules you need to configure the same input/output VLANs to get the failover or balance behaviour. The Cisco IPS architecture has no failover configuration. You can find some examples with EtherChannel or port-channel configuration shared between some IPS units to balance the bandwidth. That's the case in the VSS solution: both chassis share the VLANs, and it's necessary to configure the input/output VLAN pairs shared between the modules to balance the bandwidth.

  • IDSM-2 Deployment question?

    Hi,
    I have two 6500s in two different DCs, both with a single IDSM-2 module. Is it possible to join the modules logically together so they share the traffic analysis, like you can if you put multiple cards within the same 6500 chassis?
    Regards M

    Supervisor Engines in the Catalyst 6500 series chassis recognize IDSM2 devices that are running IPS 5.x and greater as EtherChannel devices. This lets you install up to eight IDSM2 devices in the same chassis.
    The IDSM2 in the Catalyst 6500 series switch has eight internal ports. Only four of these ports are used. Port 1 is a TCP/IP reset port. Port 2 is the command and control port. Ports 7 and 8 are the sensing ports for Catalyst software and data ports 1 and 2 for Cisco IOS software. The other ports are not used.
    The backplane is 1000 Mbps, which is why the IDSM2 shows 1000 Mbps even though it can only handle about 600 Mbps of performance. ECLB allows up to eight IDSM2 devices to participate in the load balancing on either port 7 or port 8.
    More information is available here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1210166
    Regards,
    Sachin

  • IDSM with IPS5.1 "blocking"?

    IDSM2 with IPS5.1 (on a Cat65K with Sup 720, IOS 12.2SXF) will support "inline" mode. But does it support "blocking" as well?
    - The CCO document says: "Supervisor 720 with Cisco IOS supports VACL deny statements; however, IDSM-2 cannot block with Cisco IOS-style VACLs."
    - Here, does "VACL deny" mean "do not consider monitoring that particular VLAN or IP address"? Or is it totally blocking the user traffic, or blocking the connection from the respective host/connection/IP?

    Hi Rajan,
    All sensors can block on supported network devices regardless of whether the sensor is configured as inline. In the case where an IDSM2 is installed on a Catalyst switch running IOS, and the user wants the sensor to block on the switch, the blocking device should be specified as a router. The sensor will block with ACLs, not VACLs. Blocks can either be unconditional (denying all packets from the attacker) or connection oriented.
    One point to keep in mind is that a sensor in inline mode can also perform inline deny actions like "deny packet inline", "deny attacker inline", etc. These deny actions are unrelated to the sensor blocking response.
    Regards,
    Sean
