Hi Tony,
Whatever is written in the documentation, yes, you can make active-standby
through STP and active-active, but for different traffic. So active-active does
not mean both IPS devices inspect the same traffic at the same time,
synchronise session states and support asymmetric traffic. IPSs don't share
any information, thus you cannot inspect in-out packets of a flow with one IPS
and out-in packets of the same flow with another IPS and expect it to work.
So you can do just that, put them in pairs with EtherChannels; you just need
to make sure that the CEF mechanism on the upstream/downstream
devices/switches/routers (if via VLAN-pair it is the same box, if via
interface-pair they are different boxes) is the same, so that you are
sure that in-out and out-in traffic for a session is sent towards the same IPS
device for inspection.
Regards,
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
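The design check Cristian describes above, as an added example that is not part of the thread: a simplified model of the EtherChannel/CEF load-balancing decision on the upstream and downstream boxes, used to verify that both directions of a session land on the same in-line IPS pair. The hash policies, `Flow`, `member_link`, `session_symmetric` and `audit` are all assumptions for illustration, not Cisco's actual hashing algorithm.

```python
# Added example, not from the thread. The hash policies below are a toy model
# of port-channel/CEF load balancing, NOT Cisco's real algorithm; the point is
# that only a policy that is symmetric under swapping endpoints, and that both
# sides apply, sends in-out and out-in packets to the same member link (IPS).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

    def reverse(self) -> "Flow":
        """The out-in direction of the same session."""
        return Flow(self.dst_ip, self.src_ip, self.dst_port, self.src_port)


def _ip(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


# XOR-based src-dst policies give the same value when endpoints are swapped;
# src-only or dst-only policies generally do not.
POLICIES = {
    "src-ip": lambda f: _ip(f.src_ip),
    "dst-ip": lambda f: _ip(f.dst_ip),
    "src-dst-ip": lambda f: _ip(f.src_ip) ^ _ip(f.dst_ip),
    "src-dst-ip-port": lambda f: _ip(f.src_ip) ^ _ip(f.dst_ip) ^ f.src_port ^ f.dst_port,
}


def member_link(flow: Flow, policy: str, n_links: int) -> int:
    """Index of the port-channel member (i.e. which IPS device) chosen for a flow."""
    return POLICIES[policy](flow) % n_links


def session_symmetric(flow: Flow, up_policy: str, down_policy: str, n_links: int = 2) -> bool:
    """True if the upstream box (in-out) and the downstream box (out-in) pick the same IPS."""
    return member_link(flow, up_policy, n_links) == member_link(flow.reverse(), down_policy, n_links)


def audit(flows, up_policy: str, down_policy: str, n_links: int = 2):
    """Return the sessions whose two directions would be split across IPS devices."""
    return [f for f in flows if not session_symmetric(f, up_policy, down_policy, n_links)]


if __name__ == "__main__":
    sample = [Flow("10.1.1.11", "192.0.2.20", 40000, 443)]  # constructed sample session
    print("split sessions, src-dst-ip both sides:", audit(sample, "src-dst-ip", "src-dst-ip"))
    print("split sessions, src-ip both sides:", audit(sample, "src-ip", "src-ip"))
```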
On 08 Jun 2014, at 13:49, Tony Singh
<mothafungla_at_gmail.com> wrote:
Hi Cristian
Thanks for your reply. My idea was to deploy them as L2 in-line pairs with
EtherChannels either side of a stacked 3750X access layer and 6509E VSS core
layer.
I would prefer not to have an extra L3 hop. I'm sure there are ways to
manipulate L2 STP costs for this to work, but I'm trying to find the docs for
active/active or active/standby configuration on the 4500 series, as Cisco's
product page suggests these designs are supported.
-- BR Tony

On 8 Jun 2014, at 11:38, Cristian Matei <cmatei_at_ine.com> wrote:
Hi,
To make that work, you would need a sort of clustering or HA where basically
the session state would be shared among multiple IPS devices. This is not
supported by Cisco IPS and I highly doubt any IPS vendor supports such a
scenario, as the challenge is not only about session state, but also
fragmented packets and packet inspection. Why can't you just fix the
asymmetric routing?
Regards,
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com

On 08 Jun 2014, at 13:24, Tony Singh <mothafungla_at_gmail.com> wrote:
Hi
Is there a Cisco IPS solution with HA being able to deal with stateful
asymmetric traffic flows, i.e. the 4500 series? I don't want to disable TCP
engines to allow for this behaviour..
-- BR Tony

Blogs and organic groups at http://www.ccie.net

Received on Sun Jun 08 2014 - 06:26:05 ART