IPS Scheme

Is it possible to have 4 sensors at the same time for the IPS 4255 in Bypass mode?

The idea is to monitor 4 different interfaces connected to only 1 IPS, and if the IPS fails the traffic must continue to flow without stopping.

I attach an image of the physical scheme.

Regards,

2 Replies

rhermes
Level 7

Yes, you CAN do that with the hardware failopen feature of the 4255. You do not have "4 sensors"; you actually have one IPS sensor with two in-line segments.

The reason you might NOT want to do that is that the IPS Sensor becomes a single point of failure. If the software crashes it may not go into hardware bypass. An external (to the IPS Sensor) failopen path would eliminate this danger.

You don't specify what the top switch is in your drawing, but assuming you had additional ports available on the top switch and your 3550 stacks on the bottom, you could run an additional Ethernet cable between the top switch and each of the 3550s. Give this path a HIGHER Spanning Tree Protocol cost than the STP cost assigned to the path through the 4255 IPS Sensor. This way, if the sensor ever stops passing Layer 2 BPDUs, the switches will use the alternate (hot standby) path for failopen.

- Bob
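
The external failopen path described in the reply above, sketched as Catalyst IOS interface configuration. This is an added example, not part of the original posts: the port numbers, VLAN 10 and the cost values are assumptions, and it is written for the 3550 side on the assumption that the top switch is the STP root for that VLAN (path cost is added on the port that receives the BPDU).

```cisco
! Added example - interface names, VLAN and costs are hypothetical.
!
! Primary path: cable from this port goes into one side of an
! IPS 4255 inline pair; the other side goes to the top switch.
interface GigabitEthernet0/1
 description PRIMARY - to top switch via IPS 4255 inline pair
 switchport mode access
 switchport access vlan 10
 ! Lower cost: STP prefers this port while BPDUs pass the sensor.
 spanning-tree cost 4
!
! Standby path: direct cable to a spare port on the top switch,
! same VLAN, not passing through the sensor.
interface GigabitEthernet0/2
 description STANDBY - direct to top switch, bypasses IPS
 switchport mode access
 switchport access vlan 10
 ! Higher cost: STP keeps this port blocking while the primary
 ! path is healthy, and unblocks it when BPDUs stop arriving
 ! through the sensor.
 spanning-tree cost 100
!
! Check which port is forwarding and which is blocking:
!   show spanning-tree vlan 10
! Expected while the sensor is healthy:
!   Gi0/1  Root  FWD   (cost 4)
!   Gi0/2  Altn  BLK   (cost 100)
```

While the standby port is forwarding, that traffic is not being inspected by the sensor, so a change of Gi0/2 from blocking to forwarding is worth alerting on.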

What would this kind of physical connection look like? I mean, how many ports from the IPS will I need? The zone with the 3750 is not connected to the 6500 Series SW. I attach an image of the full scheme; the 3750s are in a DMZ zone.
