07-12-2006 03:41 PM - edited 03-10-2019 03:05 AM
Does anyone have an idea how to implement IDSM2 for failover and redundancy in an in-line mode implementation?
07-13-2006 04:52 PM
Hi .. please see below from a session of Networkers 2005:
"Failover
- Layer three: Pix failover, Cisco IOS HSRP
- Layer two: spanning tree
Typical IPS sensors (non layer three) do not and cannot control network failover; they function like a wire and a failure of the sensor should look like a failure of a wire; the network will respond accordingly; fail-open capabilities help but do not truly solve the problem.
True High Availability Is Something Built into the Network, Never Built into a Single Piece of Hardware or Software"
Basically .. what it is saying is that you can't configure failover as you would with a PIX, for example .. but you need to design the traffic flow in a way that if one of the IDSM-2s fails, the traffic is redirected to the second one for inspection .. now how you can do this for intra-switch and inter-switch modules without manual intervention (changing the VACL or repatching) is something I would also like to know .. I hope some Cisco engineer might be able to post some info or whitepapers on this issue.
07-16-2006 03:44 PM
Thanks for the info.
Regarding fail-open capability, does the IDSM support it? When I looked at the configuration setup of the IDSM, it did not show a fail-open functionality (I've tried it already with our IPS 4250sx box and it does support fail-open). This means that when my IDSM fails, the traffic that is traversing the IDSM will be disconnected. How do we resolve this?
07-16-2006 10:58 PM
Hi .. in-line fail-open is definitely available as an integral part of the 5.X code.
07-17-2006 02:15 AM
Hi Fernando,
To my knowledge, the in-line fail-open functionality is available in the 5.x version. I already tried it on the IPS 4250sx appliance, but on the IDSM module there is no option for fail-open.
I hope someone can help me with this. Thanks
07-17-2006 04:13 PM
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter interface submode:
sensor# configure terminal
sensor(config)# service interface
Step 3 Configure bypass mode:
sensor(config-int)# bypass-mode on
I hope it helps .. Please rate it if it does !!!