IPS High Availability Solution

balsheikh
Level 1

Hi all,

I have a requirement for redundancy for an IPS appliance placed in a data center design. I have dug through the Cisco docs but found that resiliency and HA (High Availability) from the IPS point of view could occur on the switch side (HSRP/EtherChannel load-balance).

Is there any visible way to implement High Availability in a dynamic way?

Regards,

Belal

Farrukh Haroon
VIP Alumni

What do you mean by 'dynamic way'? Etherchannel is a dynamic protocol itself. If one of the sensors goes down, the Etherchannel continues to function with the other sensor interface(s).

Regards

Farrukh

Etherchannel does not solve all the problems HA presents. We have been using Etherchannel for stateful load-balanced traffic across several sensors. In order for a sensor to get yanked from the Etherchannel group it has to go down hard, meaning the physical interface of the sensor has to go down before Etherchannel will remove it from the group. There are plenty of sensor failures that do not involve the sensor's interface going down. Conversely, sensor upgrades (including signature updates) in the past have bounced the interface, throwing a sensor out of the Etherchannel group.

Thanks for your detailed response. To be honest, I should have been more specific; I was talking with regard to the IDSM-2 only. I have seen no such issue so far on it, except an 'unknown' downtime of 10 minutes during a reboot once.

And of course the EC solution does not solve the 'configure each sensor separately' problem anyway. There should definitely be a way from Cisco to configure multiple IPS pairs 'together' (WITHOUT using CSM).

Regards

Farrukh

By 'dynamic way' I meant that once the standby IPS detects any disconnection/failure of the active IPS, it will switch over and take the sponsorship; that seems impossible till now!

In the case of EtherChannel, both IPSs will be on the same port channel, and in this way the traffic will be balanced between both based on the load-balance method selected; therefore both IPSs will be active at the same time. Please correct me if I'm wrong.

Regards,

Belal

Yes Belal, both of the things mentioned by you are correct. There is no feature available that allows 'failover' communications between two IPS boxes like Cisco Firewalls do.

Yes Etherchannel load balances the traffic to each sensor based on unique src-dst IP pairs.

Regards

Farrukh
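As an added illustration of the two points made in this thread (Etherchannel hashes each src-dst IP pair to one sensor, and only removes a member when its physical link drops), here is a small Python model; it is not from the thread or from Cisco, and it assumes a simplified XOR-of-addresses hash with the low bits selecting the member link, with each link being one sensor.

```python
"""EtherChannel src-dst-ip balancing across inline IPS sensors (added example).
Assumed, not from the thread: the switch XORs source and destination IPv4
addresses and uses the low bits of the result to pick a member link (a
simplification of the Catalyst hashing scheme); each member link is one sensor.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Sensor:
    name: str
    link_up: bool = True     # physical interface state: all the switch can see
    inspecting: bool = True  # analysis engine state: invisible to EtherChannel


def active_members(sensors):
    """EtherChannel keeps a member only while its physical link is up."""
    return [s for s in sensors if s.link_up]


def pick_sensor(src, dst, sensors):
    """Map a flow to a member from the low bits of src XOR dst; the same
    src/dst pair stays on the same sensor while membership is unchanged."""
    members = active_members(sensors)
    if not members:
        return None
    h = int(IPv4Address(src)) ^ int(IPv4Address(dst))
    return members[h % len(members)]


def distribution(flows, sensors):
    """Count how many flows each active sensor receives."""
    counts = {s.name: 0 for s in active_members(sensors)}
    for src, dst in flows:
        chosen = pick_sensor(src, dst, sensors)
        if chosen is not None:
            counts[chosen.name] += 1
    return counts


def uninspected_flows(flows, sensors):
    """Flows sent to a sensor whose link is up but whose engine has stopped.
    EtherChannel cannot see this, so traffic keeps reaching the sick sensor."""
    return [(src, dst) for src, dst in flows
            if (s := pick_sensor(src, dst, sensors)) is not None and not s.inspecting]


# Constructed sample flows, not captured traffic.
FLOWS = [
    ("10.1.1.10", "192.168.5.20"),
    ("10.1.1.11", "192.168.5.20"),
    ("10.1.1.12", "192.168.5.21"),
    ("10.1.1.13", "192.168.5.21"),
]
```

Flipping `link_up` on one sensor moves all of its flows to the other member, while flipping only `inspecting` changes nothing in the distribution, which is the gap rhermes describes above.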

Hi Farrukh,

Many thanks for your useful comments.

A common failover method used with in-line IPS is to use a switch with two VLANs, an inside and an outside. The only connections between the two VLANs would be the in-line IPS and a failover cable. Spanning Tree Protocol parameters are set so that traffic favors the path through the in-line IPS. If the sensor does not pass traffic, Spanning Tree will unblock the standby path and pass traffic around the failed sensor.

The failover cable could be replaced by your standby sensor. Since traffic will only pass through one sensor at a time, even with both sensors active, you will receive events only from the live sensor.

Hi rhermes,

As I understood from your comment, both IPSs will be connected in parallel and only one IPS will pass the traffic at a time. STP can recognize ONLY a physical failure (i.e. the interface goes down), but if the sensor functions abnormally for any reason other than the one specified above, the switch won't unblock the secondary IPS's interface and traffic will drop or pass through without inspection.

By the way, what do you mean by failover cable?

Regards,

Belal

Belal

You are correct, only one sensor at a time will pass traffic.

Spanning Tree Protocol uses layer 2 frames called BPDUs to determine if a path to the root bridge (in this case VLAN) exists. If the primary sensor stops passing layer 2 frames (a good indication that the rest of your traffic is not going to get through the sensor) then BPDUs will not pass through the primary sensor and Spanning Tree will unblock the secondary path through the standby sensor. You may want to watch for an SNMP trap from the switch to know when that happens.

The failover cable is just an ordinary rollover cable between two ports (in the two VLANs) on the switch. I called it a failover cable because it only carries traffic when the sensor has failed to pass layer two (and above) frames.
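To make the BPDU-based failover described above concrete, here is an added Python model (not from the thread or from Cisco). It assumes one spanning-tree instance with 802.1D defaults (2 s hello, 20 s max age), a standby-path port that stays blocking while BPDUs keep arriving through the primary sensor, and no listening/learning delay; `PrimarySensor`, `StandbyPort` and `simulate` are names made up for the example.

```python
"""BPDU-driven failover around an inline sensor (added example, not from the
thread). Assumed: one spanning-tree instance with 802.1D defaults (hello 2 s,
max age 20 s); the standby path's port stays blocking while BPDUs keep
arriving through the primary sensor and is unblocked once max age passes with
none received. Listening/learning delays are left out."""
from dataclasses import dataclass
from typing import Optional

HELLO_TIME = 2   # seconds between BPDUs from the root
MAX_AGE = 20     # seconds without a BPDU before the stored one expires


@dataclass
class PrimarySensor:
    # Time at which the sensor stops bridging layer-2 frames (None = never).
    bridging_until: Optional[int] = None
    # Time at which its analysis engine stops; STP cannot observe this.
    inspecting_until: Optional[int] = None

    def passes_frames(self, t):
        return self.bridging_until is None or t < self.bridging_until

    def inspects(self, t):
        return self.inspecting_until is None or t < self.inspecting_until


class StandbyPort:
    """The switch port on the standby path (failover cable or second sensor)."""
    def __init__(self):
        self.state = "blocking"
        self.last_bpdu = 0
        self.failover_time = None

    def tick(self, now, bpdu_received):
        if bpdu_received:
            self.last_bpdu = now
        if self.state == "blocking" and now - self.last_bpdu >= MAX_AGE:
            self.state = "forwarding"   # STP unblocks the secondary path
            self.failover_time = now


def simulate(sensor, duration=60):
    """Run the hello timer; return port state, failover time and the number
    of hello intervals in which traffic crossed the primary uninspected."""
    port = StandbyPort()
    uninspected = 0
    for t in range(0, duration + 1, HELLO_TIME):
        bridging = sensor.passes_frames(t)
        port.tick(t, bpdu_received=bridging)
        if port.state == "blocking" and bridging and not sensor.inspects(t):
            uninspected += 1
    return port.state, port.failover_time, uninspected
```

A sensor that stops bridging at t=10 triggers failover at t=28 (last BPDU at t=8 plus max age), whereas a sensor whose engine dies but keeps bridging never triggers it, which is Belal's concern about traffic passing without inspection.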
