Solution for IPS/HA needed.

Unanswered Question
Apr 10th, 2008

Hi,

I need some help here.

I have to integrate an IPS into an existing redundant network. This network always has two redundant switch links. There is also a redundant pair of Checkpoint firewalls. I have to implement two ASA/IPS in front of these firewalls and keep the redundancy. I also need to use transparent mode to reduce the implementation impact, and an active/standby failover mode.

So I decided to use the following physical topology (ignore the dots):

sw1--ips1--sw3--fw1
|....................|
|....................|
sw2--ips2--sw4--fw2

The problem with this topology is the L2 loop and STP. STP will block a port to avoid this loop, but the converged topology will have problems.

If the STP topology is like the one below, traffic from a host connected to sw1 to a host connected to sw2 will have to pass through both IPS, including the standby unit.

sw1--ips1--sw3--fw1
....................|
....................|
sw2--ips2--sw4--fw2

On the other hand, if the STP topology is like the one below, traffic from fw1 to fw2 will have to pass through both IPS, including the standby unit.

sw1--ips1--sw3--fw1
|
|
sw2--ips2--sw4--fw2

Moreover, if the STP topology is like one of the two below, I can force the topology to direct traffic to the active IPS. But the STP topology would have to change if the active IPS fails.

sw1--ips1 sw3--fw1
|.......................|
|.......................|
sw2--ips2--sw4--fw2

-----------------------

sw1--ips1--sw3--fw1
|......................|
|......................|
sw2--ips2 sw4--fw2

Am I missing anything here? Is there any other solution for HA/IPS?

Any comment will be appreciated.

Paulo Roque

Network Engineer

SPCBrasil

rhermes Fri, 04/11/2008 - 14:28

Paulo -

Traffic should not normally be passing over your standby rail. Use your spanning tree root bridge assignment and bridge ID assignments to keep the blocked ports on the standby path. In order to allow spanning tree BPDUs to pass through the ASAs you need to create an ethertype ACL for the BPDUs. The ASA should have some bypass capability in the event of an AIP failure as well.

- Robert
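
Robert's three points in configuration form, as an added example that is not part of the original thread and not anyone's production config: the ethertype ACL that explicitly permits BPDUs across a transparent-mode ASA, the STP priorities that pin the root (and therefore the blocked port) to the active rail, and the fail-open setting for the AIP-SSM. The interface names, VLAN 10 and the priority values are assumptions; the switch commands assume Cisco IOS PVST, and the ASA commands assume an ASA 7.x/8.x release with the AIP-SSM.

```text
! --- Both ASA failover units (transparent mode) ---
! Ethertype ACL that explicitly permits spanning-tree BPDUs, so the
! switches on either side of the firewall see each other's BPDUs and
! can detect the ring.  Ethertype ACLs govern only non-IP frames;
! IP traffic is still controlled by the usual extended ACLs.
access-list BPDU ethertype permit bpdu
access-group BPDU in interface inside
access-group BPDU in interface outside
!
! Inline IPS with fail-open: if the AIP-SSM stops responding, traffic
! bypasses the sensor instead of being dropped.
policy-map global_policy
 class class-default
  ips inline fail-open
service-policy global_policy global

! --- sw1 (active rail, STP root for the VLAN) ---
spanning-tree vlan 10 priority 4096

! --- sw3 (other end of the active rail, next-best bridge ID) ---
spanning-tree vlan 10 priority 8192

! --- sw2 and sw4 (standby rail) keep the default priority 32768 ---
! With sw1 as root and sw3 holding the next-lowest bridge ID, sw4's root
! port is the one toward sw3/ips1 (equal cost via sw2, tie broken by the
! lower sender bridge ID), and sw2 is the designated bridge on the
! sw2--ips2--sw4 segment.  sw4's port toward ips2 is therefore the one
! STP blocks, so no forwarding traffic crosses the standby ASA, provided
! both ASAs actually pass the BPDUs.
```

The STP outcome depends on the ring being visible end to end: the blocked port only lands on the standby rail if BPDUs traverse both ASAs, which is why the ethertype ACL comes first.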

pauloroque Sun, 04/13/2008 - 18:26

Hi chickman.

I stated that I have to implement this using an ASA/IPS.

pauloroque Sun, 04/13/2008 - 18:24

Thx Robert.

I have considered a solution similar to yours, but a question arose from that solution: if I issue a 'no failover active' command to force the standby unit to become active, the STP topology should also be modified to make the traffic pass through the new active ASA.

This STP topology change will not be automatic. And even worse, this will never happen in a situation where the ASA fails over for another reason.
