
port mirroring and performance

We're installing an IDS here and need to do port mirroring on two modules on our core switch. How much impact am I looking at? Is there an easier/better way to do this?

1 Solution
There is no significant performance impact.  I use port mirroring on my core switches, which are Cisco 6509s.  I almost always have two mirroring sessions running.  One is used for IDS and one is used to span all traffic over to another monitoring device.  Cisco limits the number of span sessions to two.

Looking at my 6509 right now, the CPU is less than 10% and the memory usage is about 110 megs.

The only other way to do this is to put your IDS inline or use a hub.  A hub will send all traffic received to all ports.  If you have a connection to your ISP router, then you can take that cable out of your ISP router and plug it into a 4 port hub.  Use one of the ports to complete the connection to your ISP router, then you can take another port and connect it to your IDS device.

There are also some other 3rd party devices that do the same exact thing.  I looked into these in the past, though, and they were not cheap.
Question has a verified solution.
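
A sketch of the two-session mirroring setup described in the answer, added here as an example and not taken from the original post. It assumes the 6509 runs Cisco IOS (not CatOS), that the two mirrored modules sit in slots 1 and 2 with 48 ports each, and that the IDS and the second monitoring device are on Gi3/1 and Gi3/2; all slot and port numbers are constructed.

```cisco
! Assumption: Cisco IOS on the Catalyst 6509. Slot/port numbers are constructed.
! Modules 1 and 2 are the line cards to mirror; Gi3/1 feeds the IDS sensor,
! Gi3/2 feeds the second monitoring device.
!
! Session 1: copy traffic received on every port of both modules to the IDS.
! "rx" mirrors ingress only; "tx" or "both" are the other options.
monitor session 1 source interface GigabitEthernet1/1 - 48 , GigabitEthernet2/1 - 48 rx
monitor session 1 destination interface GigabitEthernet3/1
!
! Session 2: the same sources, sent to the other monitoring device.
monitor session 2 source interface GigabitEthernet1/1 - 48 , GigabitEthernet2/1 - 48 rx
monitor session 2 destination interface GigabitEthernet3/2
!
! Checks to run from exec mode after applying the configuration:
!   show monitor session 1     (confirm source list, direction and destination)
!   show processes cpu         (compare CPU load before and after enabling SPAN)
```

The destination port can only forward at its own line rate, so if the mirrored modules together carry more than that, the excess copies are dropped before they reach the IDS even though the switch itself is unaffected.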