Cisco Support Community
New Member

IPS 4240 High Availability?

Hello there,

Does 4240 work in HA mode?

Or do I have to look at 4255 if I need them to work in HA mode?

Kindly help me with this info. Thanks in advance.

Regards,
Ram

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

IPS 4240 High Availability?

Just to add a little bit to Bob's response. It is possible to get HA, but as mentioned above, it's not HA like you would expect from a firewall, and it requires significant network planning and is pretty technical in nature.

The best documentation I have been able to find regarding HA designs is in Chapter 21 - "Deploying Cisco IPS for High Availability and High Performance"  of the CCNP Security IPS 642-627 Official Cert Guide, ISBN: 9780132372107.  It gets pretty detailed and explains a lot of different methods. 

I was also able to find some information on this site, but it's at a higher level, and doesn't provide as many options.

https://www.networkworld.com/community/node/18384

I've had to work HA into some of our environments, and I'm here to tell ya, plan ahead, way ahead, test several methods to find the best one.  We ended up using a method that I couldn't find mentioned anywhere. 

3 REPLIES
Gold

IPS 4240 High Availability?

None of the Cisco IPS sensors run in an HA mode in the same fashion as you would expect a Firewall.

They do not maintain TCP state between the two sensors and cannot control traffic (within the sensor) to the active sensor within the pair. They also cannot statefully inspect asynchronously routed traffic across both sensors in an HA pair (traffic leaving through one sensor, returning through the other, often found in active/active HA).

You can put two Cisco sensors of any size next to each other, have them run independently and call it HA, but it may not have the HA features most people expect when designing HA.

- Bob

New Member

IPS 4240 High Availability?

Would you be able to share the design that you did for IPS HA?

Thanks
