Design WSA-S196-K9

longdv · ‎10-22-2025

Hi everyone,
I don’t have much experience in designing a Proxy system, but based on what I’ve read in Cisco’s WSA documentation, the following topology represents my current idea:

I’m planning to design it as follows:

P1, T1 connected to the Internal Network
P2, T2 connected to the Router → Internet

I have a few questions regarding this design:

Can P1 and T1 provide redundancy for each other, similar to how it works in Cisco ISE?
(For example, in Cisco ISE, ports Gi2 and Gi3 can form a pair where one acts as primary and the other as backup.)
Similarly, can P2 and T2 be configured in the same redundant manner?
How can we configure failover between two WSA-S196-K9 appliances for redundancy?

Ken Stieers · ‎10-23-2025

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-sx96-gsg/cisco-wsa-sx96-gsg/m-connect-to-the-appliance-m6.html#cisco-s195-appliance

P ports are for proxy (web traffic), where the requests come in and are then sent by the proxy to the web servers on the internet.
T ports are for "tap" traffic to monitor all traffic for other security threats.

They aren't backups for each other.

This covers NIC teaming, but it may not be available on the S196. (it wasn't on the other 100 series devices, just not enough ports)
https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-15-5/user-guide/swa-userguide-15-5/b_WSA_UserGuide_11_7_chapter_01.html#con_1122852

Just below that it covers HA/Failover using CARP, but you can't do NIC pairing if you do that.

You can also do load balancing/failover with WCCPv2.