https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005242#M79371 <HTML><HEAD></HEAD><BODY><P>Yes, and most importantly any configuration change you need to make (like signature tuning) need to be done to each individual sensor unless you have CSM. This is pretty annoying, from your signature it seems you work for a gold partner, pass the message across to Cisco, to stop the lame marketing stuff 'we don't need regular failover STP/ECLB are enough' and ask them to provide a proper failover solution. </P><P></P><P>Regards <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Farrukh</P></BODY></HTML> Thu, 31 Jul 2008 12:26:04 GMT Farrukh Haroon 2008-07-31T12:26:04Z https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005235#M79361 <P>IPS 4270 connected to distribution in datacenter, each with each 6509, now the question is how will redundancy/failover works both in inline and out of band usage.</P> Sun, 10 Mar 2019 11:12:25 GMT https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005235#M79361 asim.mz99 2019-03-10T11:12:25Z https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005236#M79362 <HTML><HEAD></HEAD><BODY><P>The appliance sensors do not have the ability to synchronize state between two sensors like a firewall can. This means that any High Availability (HA) araingment with dual sensors in line will not fail over gracefully. Depending on what signatures you have set to drop, some sessions will be terminated when you fail over in an in-line mode. If you put your sensor pair in promiscious mode, there will be no ill effect on traffic. The worst that could happen is you might miss a number of events or trigger false positives as the TCP sessions in progress move to the alternate sensor.</P></BODY></HTML> Wed, 30 Jul 2008 15:28:21 GMT https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005236#M79362 rhermes 2008-07-30T15:28:21Z https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005237#M79364 <HTML><HEAD></HEAD><BODY><P>As you say that it will not failover gracefully but it can go for failover in non gracefull way, how would be that ?</P></BODY></HTML> Wed, 30 Jul 2008 18:26:48 GMT https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005237#M79364 asim.mz99 2008-07-30T18:26:48Z https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005238#M79365 <HTML><HEAD></HEAD><BODY><P>Have a look at this:</P><P></P><P><A class="jive-link-custom" href="http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;topicID=.ee6e1fc&amp;fromOutline=&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc11c11" target="_blank">http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;topicID=.ee6e1fc&amp;fromOutline=&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc11c11</A></P><P></P><P><A class="jive-link-custom" href="http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;topicID=.ee6e1fc&amp;fromOutline=&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc106a7" target="_blank">http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;topicID=.ee6e1fc&amp;fromOutline=&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc106a7</A></P><P></P><P>Check out the pdf in the second link.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 31 Jul 2008 01:13:07 GMT https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005238#M79365 Farrukh Haroon 2008-07-31T01:13:07Z https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005239#M79367 <HTML><HEAD></HEAD><BODY><P>Thanks Farrukh,</P><P></P><P>Just see the PPT, but have some more questions,</P><P></P><P>1) In Layer 2 design will IPS be the default gateway.</P><P></P><P>2) If yes then technically fwsm and ACE should be in bridge mode. Also what would be the traffic flow.</P><P></P><P>3, Also in Layer 3 design if one IPS fail in a switch how the other in the other switch will continue the traffic.</P><P></P><P>Asim</P></BODY></HTML> Thu, 31 Jul 2008 04:28:50 GMT https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005239#M79367 asim.mz99 2008-07-31T04:28:50Z https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005240#M79368 <HTML><HEAD></HEAD><BODY><P>1) No the Cisco IPS don't support any Layer 3 mode. The IPS is at layer 2, Spanning Tree is used to failover in case one of the boxes go down.</P><P></P><P>2) See Above</P><P></P><P>3) It uses Etherchannel (ECLB). Have a look at:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/eclbips5.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/eclbips5.htm</A></P><P></P><P>Please rate if helpful.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 31 Jul 2008 06:39:12 GMT https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005240#M79368 Farrukh Haroon 2008-07-31T06:39:12Z https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005241#M79370 <HTML><HEAD></HEAD><BODY><P>That really helps, just have last following concern, please correct me if i am wrong.</P><P></P><P>From your inputs and details it looks like if we have two 6500 in datacenter connected with two separate IPS with the same configurations.They don't have any link between them and cannot provide statefull failover, but at least work as backup for each other. </P></BODY></HTML> Thu, 31 Jul 2008 10:34:13 GMT https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005241#M79370 asim.mz99 2008-07-31T10:34:13Z https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005242#M79371 <HTML><HEAD></HEAD><BODY><P>Yes, and most importantly any configuration change you need to make (like signature tuning) need to be done to each individual sensor unless you have CSM. This is pretty annoying, from your signature it seems you work for a gold partner, pass the message across to Cisco, to stop the lame marketing stuff 'we don't need regular failover STP/ECLB are enough' and ask them to provide a proper failover solution. </P><P></P><P>Regards <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Farrukh</P></BODY></HTML> Thu, 31 Jul 2008 12:26:04 GMT https://community.cisco.com/t5/network-security/ips-in-datacenter/m-p/1005242#M79371 Farrukh Haroon 2008-07-31T12:26:04Z