IPS Inline Interface Mode - Can you use a port-channel?

Answered Question
Jun 11th, 2009

Hi,

I'm trying to determine if you can have a 2-gig Layer-3 Port-channel going through an IPS 4260 appliance. See attached diagram. Is this possible?

The client I'm working with would prefer not to break this Port-channel into equal-cost 1-gig links (I don't think there will be any performance difference...). However, I'm thinking that if they want the appliance inline like the diagram shows, they will need to break the port-channel. Is that a correct assumption?

Thanks,

Brad

marcabal Thu, 06/11/2009 - 10:59

Yes this is possible.

It will require 2 InLine Interface Pairs on the sensor and both pairs should be added into the same Virtual Sensor.

The 4260 will not be aware that etherchannels are used on both sides, and does not need to be aware.

This may, however, require manual enablement of the etherchannels.

Also keep in mind that the performance in this setup will be limited to what the IPS-4260 is able to perform with that traffic.

If the IPS is only able to monitor 1 Gbps (which is its rating for Transactional traffic tests), then having the 2 InLine Interface Pairs will not give them any more performance than a single pair would.

If the IPS is able to monitor more than 1Gbps of their traffic (it is rated at 2Gbps for Media Rich tests), then the additional pair will allow the sensor to get to the above 1 Gbps monitoring.

If the 4260 is not able to keep up with the traffic, then an upgrade to a 4270 using the same deployment setup may be necessary.

NOTE: This also assumes that only the left or right path is actively passing traffic at any one time. If both paths are passing traffic, then asymmetric traffic patterns can result. If asymmetric traffic is seen, then another deployment should be considered, or special configuration be placed on the sensors.

NOTE: This setup only works when a single sensor is used within the etherchannel. (1 sensor on each etherchannel, 2 sensors in your diagram because you have 2 etherchannels).

You cannot place 2 sensors in the same etherchannel (would mean 4 sensors in your diagram).

This is because the balancing being done from the lower switch cannot be guaranteed to match that being done from the top switch. A mismatch in balancing could lead to asymmetric patterns.

With a single sensor, the same virtual sensor sees all traffic regardless of which interface the packet comes in on, so a single sensor is fine. But with 2 sensors, the client traffic might get sent to a different sensor than the server traffic.
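The reasoning in the post above (one virtual sensor sees both links, so it sees both directions of a flow, while one sensor per link can only be symmetric if both switches happen to hash identically) can be checked with a small simulation. The following is an added example, not code from the thread or from Cisco: the two hash policies are hypothetical simplifications of switch load-balance modes, and the client/server addresses are constructed.

```python
"""Simulate EtherChannel load balancing around an inline IPS (constructed example)."""
import ipaddress

N_LINKS = 2  # a 2 x 1 Gbps port-channel, as in the question


def _ip(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


# Hypothetical, simplified hash policies standing in for switch load-balance
# modes. Real switches use vendor-specific hash functions; the point here is
# only that the two switches may not balance the same way.
POLICIES = {
    "src-dst-ip": lambda src, dst: (_ip(src) ^ _ip(dst)) % N_LINKS,
    "src-ip": lambda src, dst: _ip(src) % N_LINKS,
}


def sensor_for(link: int, sensors_per_channel: int) -> int:
    """Map the physical link a packet uses to the sensor that inspects it.

    One sensor per channel: both links are inline pairs in the same virtual
    sensor, so every link lands on sensor 0 (the supported layout).
    One sensor per link: the sensor index equals the link index (the layout
    the thread advises against).
    """
    return 0 if sensors_per_channel == 1 else link % sensors_per_channel


def classify_flow(client, server, top_policy, bottom_policy, sensors_per_channel):
    """Return True if both directions of the flow are inspected by the same sensor."""
    fwd_link = POLICIES[top_policy](client, server)     # client -> server, hashed by the top switch
    rev_link = POLICIES[bottom_policy](server, client)  # server -> client, hashed by the bottom switch
    return sensor_for(fwd_link, sensors_per_channel) == sensor_for(rev_link, sensors_per_channel)


def count_asymmetric(flows, top_policy, bottom_policy, sensors_per_channel):
    """Count flows whose two directions end up on different sensors."""
    return sum(
        not classify_flow(c, s, top_policy, bottom_policy, sensors_per_channel)
        for c, s in flows
    )


# Constructed sample flows: eight clients talking to one server.
SAMPLE_FLOWS = [(f"10.1.1.{i}", "192.168.50.10") for i in range(1, 9)]

if __name__ == "__main__":
    for sensors in (1, 2):
        for top, bottom in (("src-dst-ip", "src-dst-ip"), ("src-dst-ip", "src-ip")):
            bad = count_asymmetric(SAMPLE_FLOWS, top, bottom, sensors)
            print(f"{sensors} sensor(s)/channel, top={top:10s} bottom={bottom:10s}: "
                  f"{bad}/{len(SAMPLE_FLOWS)} asymmetric")
```

With a single sensor per channel the count is always zero, whatever the switches do. With one sensor per link it is zero only while both switches use the same symmetric hash; once the bottom switch hashes on source IP alone, half of the sample flows have their return direction inspected by the other sensor, which is the mismatch the post warns about.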

melchib Thu, 06/11/2009 - 14:40

Thanks Marcoa,

If traffic is asymmetric, and either IPS1 or IPS2 cannot see the entire flow, then I'm guessing this design will not work or will be ineffective?

Also, if traffic would spike, the IPS will just fail it open (if configured) and just not inspect that traffic, correct?

Thanks again,

Brad

Correct Answer
marcabal Thu, 06/11/2009 - 20:42

Asymmetric traffic will prevent the sensor from functioning the best it is capable of. There is a configuration that can be made to allow the sensor to be deployed in an asymmetric environment, BUT it can negatively affect the sensor's ability to detect attacks, allows through evasions that would have otherwise been prevented, and will in general affect sensor performance.

So running in asymmetric mode should be avoided if at all possible. But in those situations where it can't be, the sensor can still be used with degraded functionality.

Traffic spikes above what the sensor can handle will cause dropped packets. There is no fail-open for too much traffic.

The fail-open you are referring to, I am assuming, is the bypass mode feature. The bypass feature does not affect oversubscription of the sensor. The bypass feature will only kick in if the analysis engine crashes because of a bug.

melchib Fri, 06/12/2009 - 05:37

Wow, I had no idea it would drop traffic if it went over the inspection threshold... errrr... Do the ASA IPS modules behave this way as well?

Thanks again, this has been a huge help.

Brad

rhermes Fri, 06/12/2009 - 10:33

Yes, all the IPS Sensors will drop packets. Check your interfaces and you will see a "missed packet %" that is calculated from the time of last reload. These are packet drops.
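Since the thread establishes that oversubscription shows up as a missed-packet percentage on the interfaces (accumulated since the last reload) and that bypass mode is a separate condition, a practitioner will want to pull both out of the sensor's interface output and alert on them. The following parser is an added example, not code from the thread or from Cisco: the sample output is constructed in the style of the sensor CLI, and the field names "Missed Packet Percentage" and "Current Bypass Mode" are assumed and should be checked against your own sensor's output before use.

```python
"""Extract missed-packet percentages and bypass mode from interface output (constructed example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of the sensor's interface output. The field
# names are assumed; verify them against a real sensor before relying on this.
SAMPLE_OUTPUT = """\
Interface Statistics
   Total Packets Received = 2319874421
   Total Bytes Received = 1812345678901
   Missed Packet Percentage = 3
   Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/0
   Inline Mode = Paired with interface GigabitEthernet0/1
   Pair Status = Up
   Link Status = Up
   Missed Packet Percentage = 0
   Total Packets Received = 1160000000
MAC statistics from interface GigabitEthernet0/1
   Inline Mode = Paired with interface GigabitEthernet0/0
   Pair Status = Up
   Link Status = Up
   Missed Packet Percentage = 7
   Total Packets Received = 1159874421
"""


def parse_show_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into sections keyed by their unindented header line
    and collect the indented 'key = value' pairs under each one."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # a header line starts a new section
            current = line.strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def section_name(header: str) -> str:
    """Shorten 'MAC statistics from interface X' to 'X'; keep other headers as-is."""
    match = re.search(r"interface (\S+)$", header)
    return match.group(1) if match else header


def missed_packet_alerts(text: str, threshold: float = 0.0) -> List[Tuple[str, float]]:
    """Return (section, percentage) for every section whose missed-packet
    percentage exceeds the threshold. The counter accumulates since the last
    reload, so a non-zero value means drops have happened at some point, not
    necessarily that the sensor is oversubscribed right now."""
    alerts = []
    for header, fields in parse_show_interfaces(text).items():
        raw = fields.get("Missed Packet Percentage")
        if raw is None:
            continue
        try:
            value = float(raw)
        except ValueError:
            continue
        if value > threshold:
            alerts.append((section_name(header), value))
    return alerts


def bypass_mode(text: str) -> Optional[str]:
    """Report the sensor-wide bypass mode, which is independent of packet drops."""
    return parse_show_interfaces(text).get("Interface Statistics", {}).get("Current Bypass Mode")


if __name__ == "__main__":
    for name, pct in missed_packet_alerts(SAMPLE_OUTPUT):
        print(f"{name}: {pct:.1f}% missed packets")
    print(f"bypass mode: {bypass_mode(SAMPLE_OUTPUT)}")
```

Feed it the captured output of the interface command from your sensor (over SSH, or from a scheduled capture) and compare successive runs: because the percentage is computed since the last reload, a rising value between two polls is the signal that drops are happening now, while a stable non-zero value only records that they happened at some point.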
