IPS High Availability Solution

Answered Question
Jun 29th, 2008

Hi all,

I have a requirement to have redundancy for an IPS appliance placed in a data center design. I have dug through the Cisco docs but found that Resiliency and HA (High Availability) from the IPS point of view could occur on the switch side (HSRP/EtherChannel load-balance).

Is there any visible way to implement High Availability in a dynamic way?

Regards,

Belal


Farrukh Haroon Mon, 06/30/2008 - 03:03

What do you mean by 'dynamic way'? EtherChannel is a dynamic protocol itself. If one of the sensors goes down, the EtherChannel continues to function with the other sensor interface(s).

Regards

Farrukh

rhermes Mon, 06/30/2008 - 09:12

EtherChannel does not solve all the problems HA presents. We have been using EtherChannel for stateful load-balanced traffic across several sensors. In order for a sensor to get yanked from the EtherChannel group it has to go down hard, meaning the physical interface of the sensor has to go down before EtherChannel will remove it from the group. There are plenty of sensor failures that do not involve the sensor's interface going down. Conversely, sensor upgrades (including signature updates) in the past have bounced the interface, throwing a sensor out of the EtherChannel group.
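Added example, not code from this thread or from Cisco: a small Python model of the src-dst-ip EtherChannel hashing discussed here. It shows why both directions of a flow reach the same sensor, the uneven bucket split with three sensors, and which flows are stranded when a sensor fails "soft" with its link still up (rhermes's point above). The XOR/8-bucket scheme, sensor names and addresses are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed model (not Cisco's implementation): the switch XORs the two IPv4
# addresses and keeps the three low-order bits, giving 8 hash buckets that are
# dealt round-robin to the bundle members. This reproduces Cisco's published
# bucket split for a src-dst-ip EtherChannel (2 links 4:4, 3 links 3:3:2, ...).
BUCKETS = 8

def hash_bucket(src: str, dst: str) -> int:
    """XOR is commutative, so A->B and B->A land in the same bucket: a stateful
    sensor sees both directions of a flow, which is why src-dst-ip suits IPS."""
    a, b = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    return (a ^ b) & (BUCKETS - 1)

def select_sensor(src: str, dst: str, sensors: list[str]) -> str:
    """Bundle member (sensor) that carries this src/dst pair."""
    return sensors[hash_bucket(src, dst) % len(sensors)]

def bucket_share(sensors: list[str]) -> dict[str, int]:
    """Buckets owned by each member; odd member counts give an uneven split."""
    return dict(Counter(sensors[b % len(sensors)] for b in range(BUCKETS)))

def stranded_flows(flows, sensors, dead: str) -> list[tuple[str, str]]:
    """Flows still hashed to a sensor whose link stays up although it no longer
    inspects or forwards: the switch keeps sending them there until the member
    leaves the bundle, which only a link-down event causes."""
    return [f for f in flows if select_sensor(f[0], f[1], sensors) == dead]

def rehome(flows, sensors, dead: str) -> dict[tuple[str, str], str]:
    """Where each stranded flow goes once the dead member has left the bundle."""
    alive = [s for s in sensors if s != dead]
    return {f: select_sensor(f[0], f[1], alive)
            for f in stranded_flows(flows, sensors, dead)}

# Constructed sample flows: clients in 10.1.1.0/24 talking to one server.
SAMPLE_FLOWS = [(f"10.1.1.{h}", "192.168.20.9") for h in range(5, 12)]
SENSORS = ["ips1", "ips2", "ips3"]

if __name__ == "__main__":
    print("bucket split:", bucket_share(SENSORS))
    for f in SAMPLE_FLOWS:
        print(f, "->", select_sensor(*f, SENSORS),
              "| reverse ->", select_sensor(f[1], f[0], SENSORS))
    print("stranded if ips2 fails soft:", stranded_flows(SAMPLE_FLOWS, SENSORS, "ips2"))
    print("after ips2 leaves the bundle:", rehome(SAMPLE_FLOWS, SENSORS, "ips2"))
```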

Farrukh Haroon Mon, 06/30/2008 - 12:06

Thanks for your detailed response. To be honest, I should have been more specific: I was talking with regard to the IDSM-2 only. I have seen no such issue so far on it, except an 'unknown' downtime of 10 minutes during a reboot once.

And of course the EC solution does not solve the 'configure each sensor separately' problem anyway. There should definitely be a way from Cisco to configure multiple IPS pairs 'together' (WITHOUT using CSM).

Regards

Farrukh

balsheikh Mon, 06/30/2008 - 22:46

By dynamic way I meant that once the standby IPS detects any disconnection/failure of the active IPS it will switch over and take over; that seems impossible till now!!

In the case of EtherChannel, both IPSs will be on the same port channel, and in this way the traffic will be balanced between both based on the load-balance method selected; therefore both IPSs will be active at the same time. Please correct me if I'm wrong.

Regards,

Belal

Correct Answer
Farrukh Haroon Mon, 06/30/2008 - 23:51

Yes Belal, both of the things mentioned by you are correct. There is no feature available that allows 'failover' communications between two IPS boxes like Cisco Firewalls do.

Yes Etherchannel load balances the traffic to each sensor based on unique src-dst IP pairs.

Regards

Farrukh

rhermes Tue, 07/01/2008 - 07:19

A common failover method used with in-line IPS is to use a switch with two VLANs, an inside and an outside. The only connections between the two VLANs would be the in-line IPS and a failover cable. Spanning Tree Protocol parameters are set so that traffic favors the path through the in-line IPS. If the sensor does not pass traffic, Spanning Tree will unblock the standby path and pass traffic around the failed sensor.

The fail over cable could be replaced by your standby sensor. Since traffic will only pass through one sensor at a time, even with both sensors active, you will receive events only from the live sensor.

balsheikh Tue, 07/01/2008 - 14:17

Hi rhermes,

As I understood from your comment, both IPSs will be connected in parallel and only one IPS will pass the traffic at a time. STP can recognize ONLY a physical failure (i.e. the interface goes down), but if the sensor functions abnormally for any reason other than the one specified above, the switch won't unblock the secondary IPS's interface and traffic will drop or pass through without inspection.

By the way, what do you mean by failover cable?

Regards,

Belal

Correct Answer
rhermes Wed, 07/02/2008 - 07:58

Belal

You are correct, only one sensor at a time will pass traffic.

Spanning Tree Protocol uses layer 2 frames called BPDUs to determine if a path to the root bridge (in this case VLAN) exists. If the primary sensor stops passing layer 2 frames (a good indication that the rest of your traffic is not going to get through the sensor) then BPDUs will not pass thru the primary sensor and Spanning Tree will unblock the secondary path through the standby sensor. You may want to watch for an SNMP trap from the switch to know when that happens.

The failover cable is just an ordinary roll over cable between two ports (in the two VLANS) on the switch. I called it a failover cable because it only carries traffic when the sensor has failed to pass layer two (and above) frames.
