06-29-2008 12:22 PM - edited 03-10-2019 04:10 AM
Hi all,
I have a requirement for redundancy for an IPS appliance placed in a data center design. I have dug through the Cisco docs but found that resiliency and HA (High Availability) from the IPS point of view could occur on the switch side (HSRP/EtherChannel load balancing).
Is there any visible way to implement High Availability in a dynamic way?
Regards,
Belal
Solved!
06-30-2008 11:51 PM
Yes Belal, both of the things mentioned by you are correct. There is no feature available that allows 'failover' communications between two IPS boxes like Cisco Firewalls do.
Yes Etherchannel load balances the traffic to each sensor based on unique src-dst IP pairs.
Regards
Farrukh
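The src-dst IP pair behaviour Farrukh describes, modelled in code as an added example (not from the thread or from Cisco). It assumes the documented Catalyst "src-dst-ip" algorithm, an XOR of the low-order address bits (1, 2 or 3 bits for 2, 4 or 8 member links), and uses constructed flows and sensor names.

```python
import ipaddress
from collections import Counter

# Model of the Catalyst "src-dst-ip" EtherChannel hash. Assumption: the switch
# XORs the low-order bits of source and destination IP, using 1, 2 or 3 bits
# for 2, 4 or 8 member links (0 bits when a single member is left).
LINK_BITS = {1: 0, 2: 1, 4: 2, 8: 3}

def member_link(src: str, dst: str, nlinks: int) -> int:
    """Index of the channel member (sensor interface) a src/dst pair hashes to."""
    if nlinks not in LINK_BITS:
        raise ValueError("model covers 1, 2, 4 or 8 member links")
    mask = (1 << LINK_BITS[nlinks]) - 1
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    return (s ^ d) & mask

def is_symmetric(src: str, dst: str, nlinks: int) -> bool:
    """XOR is commutative, so both directions of a session reach the same
    sensor; that is what lets each sensor inspect a flow statefully."""
    return member_link(src, dst, nlinks) == member_link(dst, src, nlinks)

def distribute(flows, members):
    """Count flows per live member. `members` lists the sensor interfaces still
    in the channel; a sensor whose interface went down is simply absent, and
    every flow is re-hashed over the survivors."""
    counts = Counter({m: 0 for m in members})
    for src, dst in flows:
        counts[members[member_link(src, dst, len(members))]] += 1
    return dict(counts)

# Constructed sample flows: eight clients talking to two servers.
FLOWS = [(f"10.1.1.{i}", "192.168.50.10") for i in range(1, 9)] + \
        [(f"10.1.1.{i}", "192.168.50.11") for i in range(1, 9)]

if __name__ == "__main__":
    print(distribute(FLOWS, ["sensor-A", "sensor-B"]))  # balanced 8/8
    print(distribute(FLOWS, ["sensor-B"]))              # sensor-A link down: 16
```

Note that all sessions between one host pair always land on the same sensor, so one heavy pair is never spread across sensors.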
07-02-2008 07:58 AM
Belal
You are correct, only one sensor at a time will pass traffic.
Spanning Tree Protocol uses layer 2 frames called BPDUs to determine if a path to the root bridge (in this case VLAN) exists. If the primary sensor stops passing layer 2 frames (a good indication that the rest of your traffic is not going to get through the sensor) then BPDUs will not pass through the primary sensor and Spanning Tree will unblock the secondary path through the standby sensor. You may want to watch for an SNMP trap from the switch to know when that happens.
The failover cable is just an ordinary rollover cable between two ports (in the two VLANs) on the switch. I called it a failover cable because it only carries traffic when the sensor has failed to pass layer two (and above) frames.
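An added example (not from the thread) of the monitoring rhermes suggests: it reads switch syslog for the STP topology-change message and the link state of the primary sensor's ports, and distinguishes a plain link-down failover from a topology change while the sensor's links are still up, which is the case where the sensor stopped relaying BPDUs without a physical failure. The port names, VLAN numbers and log lines are constructed.

```python
import re

# Hypothetical port roles for the two-VLAN in-line design: constructed names,
# not from any real switch.
PRIMARY_SENSOR_PORTS = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"}
IPS_VLANS = {100, 200}   # inside and outside VLANs bridged by the sensor

# Standard IOS message formats for the two events we care about.
TOPO_RE = re.compile(r"%SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan (\d+)")
LINK_RE = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)")

def failover_alerts(lines):
    """Return one alert per STP topology change on an IPS VLAN, classified by
    whether a primary sensor port had gone down first."""
    ports_down = set()
    alerts = []
    for line in lines:
        m = LINK_RE.search(line)
        if m:
            port, state = m.groups()
            if port in PRIMARY_SENSOR_PORTS:
                if state == "down":
                    ports_down.add(port)
                else:
                    ports_down.discard(port)
            continue
        m = TOPO_RE.search(line)
        if m and int(m.group(1)) in IPS_VLANS:
            vlan = m.group(1)
            if ports_down:
                alerts.append(f"vlan {vlan}: STP moved traffic to the standby path "
                              f"after link down on {sorted(ports_down)}")
            else:
                # Links up but BPDUs stopped: the sensor may be failing silently.
                alerts.append(f"vlan {vlan}: STP topology change with primary sensor "
                              f"links still up; sensor stopped forwarding BPDUs, verify inspection")
    return alerts

# Constructed sample syslog lines.
SAMPLE = [
    "Jun 30 10:01:02 sw1: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 100",
    "Jun 30 10:05:00 sw1: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "Jun 30 10:05:01 sw1: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 100",
    "Jun 30 10:05:01 sw1: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 300",
]

if __name__ == "__main__":
    for a in failover_alerts(SAMPLE):
        print(a)
```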
06-30-2008 03:03 AM
What do you mean by 'dynamic way'? EtherChannel is a dynamic protocol itself. If one of the sensors goes down, the EtherChannel continues to function with the other sensor interface(s).
Regards
Farrukh
06-30-2008 09:12 AM
EtherChannel does not solve all the problems HA presents. We have been using EtherChannel for stateful load balanced traffic across several sensors. In order for a sensor to get yanked from the EtherChannel group it has to go down hard, meaning the physical interface of the sensor has to go down before EtherChannel will remove it from the group. There are plenty of sensor failures that do not involve the sensor's interface going down. Conversely, sensor upgrades (including signature updates) in the past have bounced the interface, throwing a sensor out of the EtherChannel group.
06-30-2008 12:06 PM
Thanks for your detailed response. To be honest, I should have been more specific; I was talking with regard to the IDSM-2 only. I have seen no such issue so far on it, except an 'unknown' downtime of 10 minutes during a reboot once.
And of course the EC solution does not solve the 'configure each sensor separately' problem anyway. There should definitely be a way from Cisco to configure multiple IPS pairs 'together' (WITHOUT using CSM).
Regards
Farrukh
06-30-2008 10:46 PM
I meant by 'dynamic way' that once the standby IPS detects any disconnection/failure of the active IPS it will switch over and take the sponsorship; this seems impossible till now!
In the case of EtherChannel, both IPSs will be on the same port channel and in this way the traffic will be balanced between both based on the load-balance method selected, therefore both IPSs will be active at the same time. Please correct me if I'm wrong.
Regards,
Belal
07-01-2008 12:17 AM
Hi Farrukh,
Many thanks for your useful comments.
07-01-2008 07:19 AM
A common failover method used with in-line IPS is to use a switch with two VLANs, an inside and an outside. The only connections between the two VLANs would be the in-line IPS and a failover cable. Spanning Tree Protocol parameters are set so that traffic favors the path through the in-line IPS. If the sensor does not pass traffic, Spanning Tree will unblock the standby path and pass traffic around the failed sensor.
The failover cable could be replaced by your standby sensor. Since traffic will only pass through one sensor at a time, even with both sensors active, you will receive events only from the live sensor.
07-01-2008 02:17 PM
Hi rhermes,
As I understood from your comment, both IPSs will be connected in parallel and only one IPS will pass traffic at a time. STP can recognize ONLY a physical failure (i.e. the interface goes down), but if the sensor functions abnormally for any reason other than the one specified above, the switch won't unblock the secondary IPS's interface and traffic will drop or pass through without inspection.
BTW, what do you mean by failover cable?
Regards,
Belal