Since IDS devices are normally bandwidth limited, they benefit from the distribution of mirrored traffic across multiple ports (for example, a 10 Gigabit source port mirrored to several Gigabit Ethernet destination ports).
An IDS mirror is a one-to-many port mirror that has been designed for use with an Intrusion Detection System. The target (destination) port of an IDS mirror must be a virtual LAG port that you administratively set, called a static LAG. Once configured, an IDS mirror load-shares traffic among all destination ports in the LAG you set as the port mirror.
An S- or K-Series module hashes each source port conversation on its source and destination IP (SIP/DIP) address pair and always sends the same pair out the same physical port of the destination LAG. This way, each IDS device sees every conversation for a given SIP/DIP pair, and no conversation is duplicated across multiple destination ports. When IDS mirroring is enabled, the system performs a Layer 3 lookup for all frames. All non-IP traffic (including control frames) is sent to an arbitrary, "designated" physical out-port; this port is also included in the SIP/DIP hash list, so it carries its share of IP conversations as well. If the S- or K-Series module detects a failure of any of the physical ports in the LAG, it automatically redistributes the SIP/DIP conversations among the remaining ports in the LAG. With IDS mirroring, source traffic is load-shared among all destination ports to ensure no packet loss.
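The following simulation illustrates the load-sharing behaviour described above: conversations are keyed on their SIP/DIP pair, non-IP frames go to a designated port, and a port failure redistributes conversations over the remaining ports. This is an added example, not code from the original documentation or from the S- or K-Series firmware; the class name `IdsMirrorLag`, the use of an order-independent (symmetric) hash so that both directions of a conversation land on the same port, and the choice of the lowest-numbered healthy port as the designated port are all assumptions, since the page does not state how the module computes its hash or picks the designated port.

```python
"""Simulation of IDS-mirror load sharing across a static LAG.

Added example, not from the original documentation. Assumptions:
- an order-independent (symmetric) hash of the SIP/DIP pair, so that both
  directions of a conversation select the same destination port;
- the "designated" port for non-IP traffic is the lowest-numbered healthy
  port in the LAG (the page only says it is an arbitrary port in the hash list).
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IdsMirrorLag:
    """Static LAG used as the destination of an IDS mirror (hypothetical model)."""
    ports: list            # e.g. ["ge.1.1", "ge.1.2", "ge.1.3"]
    failed: set = field(default_factory=set)

    def healthy_ports(self):
        # Ports that still carry mirrored traffic after any failures.
        return [p for p in self.ports if p not in self.failed]

    def designated_port(self):
        # Assumption: non-IP frames (including control frames) go to the
        # lowest-numbered healthy port.
        return self.healthy_ports()[0]

    def fail_port(self, port):
        # Simulates a physical-port failure; conversations are redistributed
        # because select_port() recomputes buckets from healthy_ports().
        self.failed.add(port)

    def select_port(self, frame):
        """Return the physical out-port for one mirrored frame.

        frame is a dict; IP frames carry 'sip' and 'dip', non-IP frames do not.
        """
        healthy = self.healthy_ports()
        if not healthy:
            raise RuntimeError("no healthy destination port in the LAG")
        if "sip" not in frame or "dip" not in frame:
            return self.designated_port()
        # Order-independent key so A->B and B->A hash to the same bucket.
        a = ipaddress.ip_address(frame["sip"])
        b = ipaddress.ip_address(frame["dip"])
        lo, hi = sorted((a, b))
        key = lo.packed + hi.packed
        digest = hashlib.sha256(key).digest()
        bucket = int.from_bytes(digest[:4], "big") % len(healthy)
        return healthy[bucket]


def distribute(lag, frames):
    """Map every frame to an out-port; returns {port: [frame index, ...]}."""
    assignment = {p: [] for p in lag.healthy_ports()}
    for i, frame in enumerate(frames):
        assignment[lag.select_port(frame)].append(i)
    return assignment


# Constructed sample traffic (not captured data): two conversations in both
# directions, plus one non-IP frame (for example a spanning-tree BPDU).
SAMPLE_FRAMES = [
    {"sip": "10.0.0.5", "dip": "192.0.2.10"},
    {"sip": "192.0.2.10", "dip": "10.0.0.5"},
    {"sip": "10.0.0.6", "dip": "198.51.100.20"},
    {"sip": "198.51.100.20", "dip": "10.0.0.6"},
    {"non_ip": "BPDU"},
]


def demo():
    """Distribute the sample frames before and after one LAG port fails."""
    lag = IdsMirrorLag(ports=["ge.1.1", "ge.1.2", "ge.1.3"])
    before = distribute(lag, SAMPLE_FRAMES)
    lag.fail_port("ge.1.2")
    after = distribute(lag, SAMPLE_FRAMES)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before failure:", before)
    print("after ge.1.2 failed:", after)
```

The point to check when validating a real IDS mirror is the same one the simulation asserts: both directions of a conversation must reach the same IDS sensor, non-IP frames all land on one port, and after a port failure every frame is still delivered to some remaining port.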
When configuring IDS mirroring on your S- or K-Series device, you must take into consideration the following:
Refer to Example: Configuring an IDS Mirror (S-, K-Series) for more information.