Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1303
Views
0
Helpful
3
Replies

IPS 4240 High Availability?

Go to solution
ramkunta
Level 1
Level 1

‎01-17-2012 12:01 PM - edited ‎03-10-2019 05:35 AM

Hello there,

Does 4240 work in HA mode?

Or do I have to look at 4255 if I need them to work in HA mode?

Kindly help me with this info..thanks in advance.

Regards,
Ram

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
murphy.brandon
Level 1
Level 1

‎01-18-2012 07:06 AM

Just to add a little bit to Bob's response.  It is possible to get HA, but like mentioned above, it's not HA like you would expect from a firewall, and requires significant network planning and is pretty technical in nature.

The best documentation I have been able to find regarding HA designs is in Chapter 21 - "Deploying Cisco IPS for High Availability and High Performance"  of the CCNP Security IPS 642-627 Official Cert Guide, ISBN: 9780132372107.  It gets pretty detailed and explains a lot of different methods. 

I was also able to find some information on this site, but it's at a higher level, and doesn't provide as many options.

https://www.networkworld.com/community/node/18384

I've had to work HA into some of our environments, and I'm here to tell ya, plan ahead, way ahead, test several methods to find the best one.  We ended up using a method that I couldn't find mentioned anywhere. 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
rhermes
Level 7
Level 7

‎01-17-2012 02:32 PM

None of the Cisco IPS sensors run in an HA mode in the same fashion as you would expect a Firewall.

They do not maintain TCP state between the two sensors and can not control traffic (within the sensor) to the active sensor within the pair. They also can not statefully inspect asynchronously routed traffic across both sensors in an HA pair (traffic leaving thru one sensor, returning thru the other, often found in active/active HA).

You can put two Cisco sensors of any size next to each other, have them run indepentantly and call it HA, but it may not have the HA features most people expect when designing HA.

- Bob

0 Helpful

Go to solution
murphy.brandon
Level 1
Level 1

‎01-18-2012 07:06 AM

Just to add a little bit to Bob's response.  It is possible to get HA, but like mentioned above, it's not HA like you would expect from a firewall, and requires significant network planning and is pretty technical in nature.

The best documentation I have been able to find regarding HA designs is in Chapter 21 - "Deploying Cisco IPS for High Availability and High Performance"  of the CCNP Security IPS 642-627 Official Cert Guide, ISBN: 9780132372107.  It gets pretty detailed and explains a lot of different methods. 

I was also able to find some information on this site, but it's at a higher level, and doesn't provide as many options.

https://www.networkworld.com/community/node/18384

I've had to work HA into some of our environments, and I'm here to tell ya, plan ahead, way ahead, test several methods to find the best one.  We ended up using a method that I couldn't find mentioned anywhere. 

0 Helpful

Go to solution
vikasgupta2k
Level 1
Level 1
In response to murphy.brandon

‎03-01-2012 07:46 AM

Would you be able to share the design that you did for IPS HA?

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card