Failover and redundancy on IDSM2

koiflowerhorn
Level 1
Level 1

anyone has an idea how to implement IDSM2 for failover and redundancy on in-line mode implementation?

5 Replies

Fernando_Meza
Level 7
Level 7

Hi ..please see below from a session of Networkers 2005

"Failover

- Layer three: PIX failover, Cisco IOS HSRP

- Layer two: spanning tree

Typical IPS sensors (non layer three) do not and cannot control network failover; they function like a wire and a failure of the sensor should look like a failure of a wire; the network will respond accordingly; fail-open capabilities help but do not truly solve the problem.

True High Availability Is Something Built into the Network, Never Built into a Single Piece of Hardware or Software."

Basically .. what it is saying is that you can't configure failover as you would with a PIX for example .. but you need to design the traffic flow in a way that if one of the IDSM-2 modules fails, the traffic is re-directed to the second one for inspection .. now how can you do this for intra-switch and inter-switch modules without manual intervention (changing the VACL or repatching) is something I also would like to know .. I hope some Cisco Engineer might be able to post some info or whitepapers on this issue.

koiflowerhorn
Level 1
Level 1

Thanks for the info.

Regarding fail-open capability, does the IDSM support it? When I looked at the configuration setup of the IDSM, it does not show a fail-open functionality (I've tried it already with our IPS 4250SX box and it does support fail-open). This means that when my IDSM fails, the traffic that is traversing the IDSM will be disconnected. How do we resolve this?

Hi .. in-line fail-open is definitely available as an integral part of the 5.x code.

Hi Fernando,

To my knowledge the in-line fail-open functionality is available on the 5.x version. I already tried it on the IPS 4250SX appliance, but on the IDSM module there is no option for fail-open.

I hope someone could help me on this. Thanks

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter interface submode:

sensor# configure terminal

sensor(config)# service interface

Step 3 Configure bypass mode:

sensor(config-int)# bypass-mode on

I hope it helps .. Please rate it if it does !!!
