IPS-BYPASS Question

Answered Question
Feb 11th, 2010

Hello experts,

I'm working with two 4260s and a 4270. I will be implementing VLAN pair and I would like to know what happens with the traffic if for any reason the IPS fails. Let's say that the failure is due to a power issue.

Thanks,

rhermes Fri, 02/12/2010 - 09:31

The 4260 and 4270 both use the 4GE card. This card does have a hardware bypass feature. In the event of a power failure the two GigE interfaces are physically connected together:

http://www.cisco.com/en/US/docs/security/ips/7.0/installation/guide/hw_installing_4270.html#wp67704

But you mentioned that you were doing a VLAN pair, this will not work with a hardware failopen feature (such as the one found in the 4GE card).

You are arriving at the IPS sensor on one VLAN and leaving the IPS Sensor on a different VLAN (on the same interface? on different interfaces?) When the IPS sensor is functioning normally, it will translate the VLAN header between the two directions of traffic. A hardware failopen will NOT translate VLAN headers.

If you want to continue to use VLAN pairs, you will need to perform your failover functionality in an external device, such as a switch.

- Bob

Diego Armando C... Fri, 02/12/2010 - 12:19

Hello,

I'm doing it on the same interface.

I think that the best option is to route the traffic from the switch so that it does NOT send the traffic to the IPS.

Actually the IPS is doing a "VLAN Mapping": when it receives the traffic on VLAN 310, for example, it forwards the traffic on VLAN 311, i.e. it re-tags the VLAN tag.

Is it possible to configure the VLAN Map in the switches?

Thanks,

Correct Answer
rhermes Fri, 02/12/2010 - 14:16

Yes. You want to create a standby path between VLAN 310 and 311 in the switch.

Add an additional interface to each VLAN on the switch, cable them together with an ethernet patch cable.

Turn on Spanning Tree Protocol on VLAN 310 and 311 and set the "fail-over" path thru your patch cable to a higher STP cost.

Once the STP BPDUs fail to pass thru the IPS sensor, the standby path thru the failover cable will be enabled.

You'll have to play with the timing options to get it to happen in less than the standard STP of 15 seconds or so.

- Bob
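As an added illustration of the standby-path design Bob describes (this is not configuration posted in the thread; the interface names, the timer values and the cost values are assumptions), a Cisco IOS switch fragment that carries VLANs 310 and 311 to the sensor on one trunk and adds the patch-cable path at a higher per-VLAN STP cost:

```text
! Added illustration of the standby path described above; not from the thread.
! Assumptions: Gi1/0/1 faces the IPS (VLAN pair 310/311 on one interface),
! Gi1/0/23 and Gi1/0/24 are cabled to each other with the patch cable.
spanning-tree mode rapid-pvst
! Tighter timers on the two VLANs so the standby path comes up faster than
! the classic ~15 s forward delay. Illustrative values; verify in a lab first.
spanning-tree vlan 310,311 hello-time 1
spanning-tree vlan 310,311 forward-time 4
spanning-tree vlan 310,311 max-age 6
!
interface GigabitEthernet1/0/1
 description IPS sensor, VLAN pair 310/311 on a single interface
 switchport mode trunk
 switchport trunk allowed vlan 310,311
 spanning-tree vlan 310,311 cost 10
!
interface GigabitEthernet1/0/23
 description Standby path end A (VLAN 310), patch cable to Gi1/0/24
 switchport mode access
 switchport access vlan 310
 spanning-tree vlan 310 cost 1000
!
interface GigabitEthernet1/0/24
 description Standby path end B (VLAN 311), patch cable to Gi1/0/23
 switchport mode access
 switchport access vlan 311
 spanning-tree vlan 311 cost 1000
```

Check the result with `show spanning-tree vlan 310` and `show spanning-tree vlan 311`: while the sensor is passing BPDUs the patch-cable ports should show as blocking/alternate, and they should move to forwarding only after the sensor path stops relaying BPDUs.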
