IPS with Failover/HA

Is there any provision for failover/HA in the Cisco IPS 4200 series?

Re: IPS with Failover/HA

Hi mostwantedto10:

No, there is not (or I'm not aware of one).

But I have an idea for a possible solution:

switch A ------- IPS ------- switch B
   |                                |
   +----------- IPS ------------+

You have two independent IPSs between two switches (a redundant connection).

The IPSs act transparently to the switches.

One switch blocks the traffic because of RSTP (802.1w).

This is not perfect, because you need to configure two independent boxes and repeat the signature tuning on both of them (or copy the configuration and modify the unique parameters, like the management IP address and the sensor name). But there is no way to do this automatically.

I have not tested this solution, but it will probably work.

There is an IPS feature called bypass mode. It only guarantees that traffic passes across the IPS if the analysis engine doesn't work. It is not really an HA feature.

My solution is better because it guarantees the traffic in case of a power failure.

Another possibility is to install HIPS (host IPS, the Cisco Security Agent) on the hosts you want to protect. This is a kind of two levels of security. If one fails, you have the second one.

I hope this helps. Please rate the post if it does.

Best regards

Alberto Giorgi from Spain.

Re: IPS with Failover/HA


I would just add to Alberto's idea here; I have worked on these scenarios in practice.

1. The above solution can be expanded to have two switches on both legs of the IPS, so you have highly available switches as well.

2. STP will automatically block traffic through one of the IPSs.

3. Both IPSs can be configured simultaneously with one-time tuning using VMS or the current CSM.

Hope this helps, and if so, please rate.


Murali Sethuraman

Re: IPS with Failover/HA

If I install 2 IPSs between 2 switches and the active IPS fails and goes into bypass mode, then it will definitely not switch to the other IPS, because BPDUs are still running through the bypassed IPS.

To use the above scenario, I must enable an option so that if the IPS fails it never goes into bypass mode, but I am not sure about this functionality.
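As an added illustration of the two-path layout discussed in the posts above (this is not configuration from any of the posters or from Cisco documentation), here is how the switch side and the sensor side might be set up so that STP, not the sensor, decides which path carries traffic. The hostnames, interface names, path costs and the inline pair name are assumptions for the example; the IOS spanning-tree commands and the IPS `service interface` / `bypass-mode` settings are the usual ones for that platform family, but verify them against the release you actually run.

```text
! switch-A (Cisco IOS). Interface names and costs are assumed.
! Both links run RSTP; the lower path cost makes the path through
! IPS-1 forwarding, so the port toward IPS-2 becomes the alternate
! (blocked) port until the IPS-1 path goes away.
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 description to IPS-1 (primary path to switch-B)
 switchport mode trunk
 spanning-tree cost 10
!
interface GigabitEthernet1/0/2
 description to IPS-2 (alternate path to switch-B)
 switchport mode trunk
 spanning-tree cost 100
!
! switch-B mirrors this: Gi1/0/1 toward IPS-1 with cost 10,
! Gi1/0/2 toward IPS-2 with cost 100.
! Do NOT configure bpdufilter on these ports: the BPDUs that cross
! the transparent sensors are exactly what STP uses to decide
! which path is active.

! IPS-1 and IPS-2 (IPS 4200 series CLI), identical apart from the
! sensor name and management IP. One inline interface pair bridges
! the link between switch-A and switch-B.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# inline-interfaces swA-swB
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# exit
! bypass-mode auto (the default) keeps forwarding everything,
! BPDUs included, when the analysis engine stops, so STP sees no
! change and traffic crosses the sensor uninspected. bypass-mode off
! stops forwarding instead, so the far switch stops receiving BPDUs
! on that port and STP can move to the other path. Choose on purpose.
sensor(config-int)# bypass-mode off
sensor(config-int)# exit
Apply Changes?[yes]: yes
```

To check the result, run `show spanning-tree` on switch-B: the port toward IPS-1 should show role Root and state FWD, and the port toward IPS-2 role Altn and state BLK. Then power off IPS-1 (or stop its analysis engine, with bypass-mode off) and run the command again; the IPS-2 port should now be forwarding. Note that a sensor power failure drops the link, which RSTP reacts to immediately, whereas an analysis-engine stop with bypass-mode off only stops BPDUs, so reconvergence waits for the RSTP BPDU-loss timers.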

Re: IPS with Failover/HA

Hi there,

Every time we suggest anything to our customers, we always ask about their financial capability; budget constraints are always on their mind.

In short, the solution given was in fact designed to meet the required HA, but do you think they will agree to having an idle IPS? Instead, you can suggest a "bypass switch" as an alternative and more economical solution...

Or the cheapest option is at the cost of a copper cable and doing the tricks with STP.

Hope this helps...

