<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Solution for IPS/HA needed. in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934022#M80331</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I guess the question should be this.. SSM or 4200? From his diagram it looks like switch --&amp;gt; 4200 --&amp;gt; switch --&amp;gt; firewall.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 11 Apr 2008 22:10:39 GMT</pubDate>
    <dc:creator>chickman</dc:creator>
    <dc:date>2008-04-11T22:10:39Z</dc:date>
    <item>
      <title>Solution for IPS/HA needed.</title>
      <link>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934020#M80323</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I need some help here.&lt;/P&gt;&lt;P&gt;I have to integrate an IPS into an existing redundant network. This network always has two redundant switch links. There is also a redundant pair of Checkpoint firewalls. I have to implement two ASA/IPS in front of these firewalls and keep the redundancy. I also need to use the transparent mode to reduce the implementation impact, and an active/standby failover mode.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So I decided to use the following physical topology (ignore the dots):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;sw1--ips1--sw3--fw1&lt;/P&gt;&lt;P&gt; |....................|&lt;/P&gt;&lt;P&gt; |....................| &lt;/P&gt;&lt;P&gt;sw2--ips2--sw4--fw2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The problem with this topology is the L2 loop and STP. The STP will block a port to avoid this loop. But the converged topology will have problems.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If the STP topology is like this one below, traffic from a host connected to sw1 to a host connected to sw2 will have to pass both IPS, including the standby unit.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;sw1--ips1--sw3--fw1&lt;/P&gt;&lt;P&gt;             |&lt;/P&gt;&lt;P&gt;             | &lt;/P&gt;&lt;P&gt;sw2--ips2--sw4--fw2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On the other side, if the STP topology is like this one below, traffic from fw1 to fw2 will have to pass both IPS, including the standby unit.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;sw1--ips1--sw3--fw1&lt;/P&gt;&lt;P&gt; |            &lt;/P&gt;&lt;P&gt; |             &lt;/P&gt;&lt;P&gt;sw2--ips2--sw4--fw2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Moreover, if the STP topology is like one of the two below, I can force the topology to direct traffic to the active IPS. But the STP topology should change if the active IPS fails.&lt;/P&gt;&lt;P&gt; &lt;/P&gt;&lt;P&gt;sw1--ips1     sw3--fw1&lt;/P&gt;&lt;P&gt; |.......................|&lt;/P&gt;&lt;P&gt; |.......................|  &lt;/P&gt;&lt;P&gt;sw2--ips2--sw4--fw2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-----------------------&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;sw1--ips1--sw3--fw1&lt;/P&gt;&lt;P&gt; |......................|&lt;/P&gt;&lt;P&gt; |......................|  &lt;/P&gt;&lt;P&gt;sw2--ips2      sw4--fw2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Am I missing anything here? Is there any other solution for HA/IPS?&lt;/P&gt;&lt;P&gt;Any comment will be appreciated.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Paulo Roque&lt;/P&gt;&lt;P&gt;Network Engineer&lt;/P&gt;&lt;P&gt;SPCBrasil&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 11:03:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934020#M80323</guid>
      <dc:creator>pauloroque</dc:creator>
      <dc:date>2019-03-10T11:03:36Z</dc:date>
    </item>
    <item>
      <title>Re: Solution for IPS/HA needed.</title>
      <link>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934021#M80328</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Paulo -&lt;/P&gt;&lt;P&gt;Traffic should not normally be passing over your standby rail. Use your spanning tree root bridge assignment and bridge ID assignments to keep the blocked ports on the standby path. In order to allow spanning tree BPDUs to pass thru the ASAs you need to create an ethertype ACL for the BPDUs. The ASA should have some bypass capability in the event of an AIP failure as well.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Robert&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 11 Apr 2008 21:28:30 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934021#M80328</guid>
      <dc:creator>rhermes</dc:creator>
      <dc:date>2008-04-11T21:28:30Z</dc:date>
    </item>
    <item>
      <title>Re: Solution for IPS/HA needed.</title>
      <link>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934022#M80331</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I guess the question should be this.. SSM or 4200? From his diagram it looks like switch --&amp;gt; 4200 --&amp;gt; switch --&amp;gt; firewall.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 11 Apr 2008 22:10:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934022#M80331</guid>
      <dc:creator>chickman</dc:creator>
      <dc:date>2008-04-11T22:10:39Z</dc:date>
    </item>
    <item>
      <title>Re: Solution for IPS/HA needed.</title>
      <link>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934023#M80337</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thx Robert.&lt;/P&gt;&lt;P&gt;I have considered a solution similar to yours, but a question arose from that solution: if I issue a 'no failover active' command to force the standby unit to become active, the STP topology should also be modified to make the traffic pass thru the new active ASA.&lt;/P&gt;&lt;P&gt;This STP topology change will not be automatic. And even worse, this will never happen in a situation where the ASA fails over for some other reason.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 14 Apr 2008 01:24:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934023#M80337</guid>
      <dc:creator>pauloroque</dc:creator>
      <dc:date>2008-04-14T01:24:26Z</dc:date>
    </item>
    <item>
      <title>Re: Solution for IPS/HA needed.</title>
      <link>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934024#M80341</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi chickman.&lt;/P&gt;&lt;P&gt;I stated that I have to implement this using an ASA/IPS.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 14 Apr 2008 01:26:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/solution-for-ips-ha-needed/m-p/934024#M80341</guid>
      <dc:creator>pauloroque</dc:creator>
      <dc:date>2008-04-14T01:26:11Z</dc:date>
    </item>
  </channel>
</rss>