Re: Failover in CISCO IPS

From: Jason W. Miller (jaymiller5@gmail.com)
Date: Thu Aug 16 2007 - 10:46:22 ART


Depending on your IPS version, you will want to configure your fail-open
interface parameters (in 6 this is the default) for both IPS devices using the
interface pair configuration. Set up your port channels for the IPS
interfaces. Then set up your monitor sessions to the port channel that you
have configured and that both of these devices are part of. You will want to
note that both boxes have the potential of sending shuns, etc., so both will
need to be maintained, and to my knowledge (someone correct me if I am wrong)
there is no central management interface at this time, nor do they support
active/standby either.

Outside of that, I would contact your sales team to discuss your specific
environment as well as the hardware on your network. Also reference the IPS
documentation on interface pairing and the IOS for the platforms you have to
set up your RSPAN or SPAN sessions, depending on how you want to engineer your
network for this technology. I do not think you will get exacts for this in
reference to what YOU should do and how, since these types of requests are
site specific. Below is a sample of a SPAN to send traffic from a VLAN and
interface to another interface and another VLAN.

! Local SPAN: mirror Fa3/2 (both directions) to Fa3/45
monitor session 1 source interface Fa3/2
monitor session 1 destination interface Fa3/45
! RSPAN destination session: frames arriving on RSPAN VLAN 999 are copied
! to Fa2/34; "ingress vlan 10" additionally lets the device on Fa2/34 send
! frames into VLAN 10 through that port
monitor session 3 destination interface Fa2/34 ingress vlan 10
monitor session 3 source remote vlan 999
! RSPAN source session: mirror VLAN 10 transmit traffic into RSPAN VLAN 999
monitor session 4 source vlan 10 tx
monitor session 4 destination remote vlan 999

HTH

On 8/16/07, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>
> Thanks a lot, all, but it is still vague to me. Can someone point to an exact
> example of it? I also came to know that it can also be done by using STP.
>
> Yes it is a real world network requirement for highly sensitive
> organization.
>
>
>
> On 8/16/07, Jason W. Miller <jaymiller5@gmail.com> wrote:
> >
> > Outside the realm of this forum, but I will answer with a high-level yes,
> > it can be done, and the basics on how to do it....
> >
> > You could set up HSRP and a port channel to two different IPS
> > appliances.... This is outside the realm of the security lab section and is
> > more of an overall network design and requirement. This can be done with any
> > appliance, basically; I use it currently for content filters, etc., on the
> > network I manage.
> >
> > But here is a write-up (poor, yet it touches on the appliance specifically)
> > on this for the IPS solution.... Go to "other features" for a more detailed
> > explanation.
> >
> > http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd805baef2.html
> >
> >
> > HTH
> > Jay
> >
> >
> > On 8/12/07, Muhammad Nasim <muhammad.nasim@gmail.com > wrote:
> > >
> > > Hi All,
> > >
> > > I am looking for the failover feature in the CISCO IPS 4200 series. I want to
> > > know: does the CISCO IPS 4200 series support failover?
> > >
> > > TIA
> > >
> > >
> > >
> > > --
> > > Muhammad Nasim
> > > Network Engineer
> > > Saudi Arabia
> > >
> > >
> >
> >
> > --
> > ~Jay~
>
>
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
>

-- 
~Jay~
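The SPAN/RSPAN lines in Jay's post are the sessions only; on a real pair of switches the RSPAN VLAN also has to be declared and carried across the trunk, and a second IPS needs its own destination port. The following is an added example written for this archive, not configuration from the original post or from Cisco's documentation. It keeps the post's values (VLAN 10 as the monitored VLAN, VLAN 999 as the RSPAN VLAN, Fa2/34 as the first IPS sensing port) and assumes the rest: the switch names SWITCH-A and SWITCH-B, GigabitEthernet0/1 as the inter-switch trunk, and Fa2/35 as the sensing port of the second IPS. Only the switch side is shown; the IPS-side interface-pair and bypass settings are in the IPS documentation the post refers to.

```cisco
! ===== SWITCH-A: VLAN 10 lives here; RSPAN source side =====
! Declare VLAN 999 as an RSPAN VLAN. Without "remote-span" the switch
! treats 999 as an ordinary VLAN and the mirrored frames are not handled
! as RSPAN traffic (MAC learning stays on, flooding behaviour differs).
vlan 999
 name RSPAN-to-IPS
 remote-span
!
! The trunk toward SWITCH-B must carry VLAN 999 (assumed interface).
! "switchport trunk encapsulation dot1q" is needed on platforms that
! also support ISL; omit it on dot1q-only switches.
interface GigabitEthernet0/1
 description trunk to SWITCH-B
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 999
!
! RSPAN source session: VLAN 10 transmit traffic (as in the post) is
! mirrored into RSPAN VLAN 999.
monitor session 4 source vlan 10 tx
monitor session 4 destination remote vlan 999
!
! ===== SWITCH-B: IPS sensing ports connect here; RSPAN destination side =====
! The same RSPAN VLAN must be declared on every switch along the path.
vlan 999
 name RSPAN-to-IPS
 remote-span
!
interface GigabitEthernet0/1
 description trunk to SWITCH-A
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 999
!
! One sensing port per IPS (Fa2/34 from the post; Fa2/35 assumed for the
! second sensor). Both are destinations of the same session, so both
! sensors receive an identical copy of the mirrored traffic.
interface range FastEthernet2/34 - 35
 description IPS sensing ports (promiscuous)
 switchport
!
! RSPAN destination session. "ingress vlan 10" lets each sensor inject
! frames (for example TCP resets) into VLAN 10 through its sensing port;
! leave it off if the sensors only need to listen, because with ingress
! enabled anything plugged into these ports can send into VLAN 10.
monitor session 3 source remote vlan 999
monitor session 3 destination interface Fa2/34 - 35 ingress vlan 10
!
! Verification on SWITCH-B:
!   show monitor session 3
!   show vlan remote-span
```

Two points worth checking after applying this: `show monitor session 3` on SWITCH-B should list both Fa2/34 and Fa2/35 as destinations with the ingress VLAN shown, and `show vlan remote-span` on both switches should list VLAN 999. If the IPS interfaces show no traffic, the usual cause is VLAN 999 missing from an intermediate switch or pruned from the trunk's allowed list.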


This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:11 ART