Cisco Support Community
Solution for IPS/HA needed.

Hi,

I need some help here.

I have to integrate an IPS into an existing redundant network. This network always has two redundant switch links. There is also a redundant pair of Checkpoint firewalls. I have to implement two ASA/IPS in front of these firewalls and keep the redundancy. I also need to use the transparent mode to reduce the implementation impact, and an active/standby failover mode.

So I decided to use the following physical topology (ignore the dots):

sw1--ips1--sw3--fw1
|....................|
|....................|
sw2--ips2--sw4--fw2

The problem with this topology is the L2 loop and STP. STP will block a port to avoid this loop. But the converged topology will have problems.

If the STP topology is like the one below, traffic from a host connected to sw1 to a host connected to sw2 will have to pass through both IPSs, including the standby unit.

sw1--ips1--sw3--fw1
|
|
sw2--ips2--sw4--fw2

On the other side, if the STP topology is like the one below, traffic from fw1 to fw2 will have to pass through both IPSs, including the standby unit.

sw1--ips1--sw3--fw1
|
|
sw2--ips2--sw4--fw2

Moreover, if the STP topology is like one of the two below, I can force the topology to direct traffic to the active IPS. But the STP topology should change if the active IPS fails.

sw1--ips1 sw3--fw1
|.......................|
|.......................|
sw2--ips2--sw4--fw2

-----------------------

sw1--ips1--sw3--fw1
|......................|
|......................|
sw2--ips2 sw4--fw2

Am I missing anything here? Is there any other solution for HA/IPS?

Any comment will be appreciated.

Paulo Roque

Network Engineer

SPCBrasil

Re: Solution for IPS/HA needed.

Paulo -

Traffic should not normally be passing over your standby rail. Use your spanning tree root bridge assignment and bridge ID assignments to keep the blocked ports on the standby path. In order to allow spanning tree BPDUs to pass through the ASAs you need to create an ethertype ACL for the BPDUs. The ASA should have some bypass capability in the event of an AIP failure as well.

- Robert
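The two pieces Robert describes, as an added configuration sketch that is not part of the thread: the ethertype ACL that lets a transparent-mode ASA bridge BPDUs, and the STP root and path-cost placement that keeps the blocked port on the ips2 (standby) segment of Paulo's topology. Interface names (outside/inside, GigabitEthernet0/1) and VLAN 10 are assumptions.

```cisco
! ---- ASA pair in transparent mode (same on ips1 and ips2) ----
firewall transparent
!
! A transparent ASA drops BPDUs unless an ethertype ACL permits them.
! Apply it on both interfaces so BPDUs cross in both directions and
! the switches on either side see one STP segment through the ASA.
access-list ETH-BPDU ethertype permit bpdu
access-group ETH-BPDU in interface outside
access-group ETH-BPDU in interface inside
!
! ---- sw1: root bridge for the data VLAN (VLAN 10 assumed) ----
spanning-tree vlan 10 priority 4096
!
! ---- sw3: secondary root, on the active (ips1) side ----
spanning-tree vlan 10 priority 8192
!
! ---- sw4: make the port facing ips2 the most expensive path to the
!      root, so sw4 reaches sw1 via sw3--ips1 and this port becomes the
!      alternate (blocking) port. Host traffic from sw2 then goes
!      sw2 -> sw1 -> ips1 -> sw3 -> sw4 and never touches ips2. ----
interface GigabitEthernet0/1
 description to ips2 (standby rail)
 spanning-tree vlan 10 cost 100
```

Check the result on sw4 with `show spanning-tree vlan 10`: the ips2-facing port should show as alternate/blocking. As Paulo points out later in the thread, this placement is static and does not move on its own when the ASA pair fails over.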

Re: Solution for IPS/HA needed.

I guess the question should be this... SSM or 4200? From his diagram it looks like switch --> 4200 --> switch --> firewall.

Re: Solution for IPS/HA needed.

Hi chickman.

I stated that I have to implement this using an ASA/IPS.

Re: Solution for IPS/HA needed.

Thanks Robert.

I have considered a solution similar to yours, but a question arose from that solution: if I issue a 'no failover active' command to force the standby unit to become active, the STP topology should also be modified to make the traffic pass through the new active ASA.

This STP topology change will not be automatic. And even worse, this will never happen in a situation where the ASA fails over for another reason.
