Ah, knew there was a catch - thanks for the advice.
My last question is probably more design related, but if a unit has dual
RPs and power supplies, is there any need to protect it?
I guess you still have multiple components you still need to protect
against to be sure, i.e. motherboard, NICs etc.
BR
Tony
On 8 June 2014 12:26, Cristian Matei <cmatei_at_ine.com> wrote:
> Hi Tony,
>
> Whatever is written in the documentation, yes, you can make active-standby
> through STP and active-active but for different traffic. So active-active
> does not mean both IPS devices inspect the same traffic at the same time,
> synchronise session states and support asymmetric traffic. IPSs don't
> share any information, thus you cannot inspect in-out packets of a flow
> with one IPS and out-in packets of the same flow with another IPS and
> expect it to work.
> So you can do just that, put them in pairs with ether channels, you just
> need to make sure that the CEF mechanism on the upstream/downstream
> devices/switches/routers (if it is via VLAN-pair it is the same box, if it is via
> interface-pair it is different boxes) uses the same CEF mechanism so that you
> are sure that in-out and out-in traffic for a session is sent towards the
> same IPS device for inspection.
>
> Regards,
> Cristian Matei, 2 x CCIE #23684 (R&S/SC)
> cmatei_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com <http://www.ine.com/>
>
>
>
> On 08 Jun 2014, at 13:49, Tony Singh <mothafungla_at_gmail.com> wrote:
>
>
>
> Hi Cristian
>
> Thanks for your reply my idea was to deploy them as L2 in-line pairs with
> ether-channels either side of a stacked 3750X access layer and 6509E VSS
> core layer
>
> I would prefer not to have an extra L3 hop. I'm sure there are ways to
> manipulate L2 STP costs for this to work but I'm trying to find the docs
> for active/active or active/standby configuration on the 4500 series as
> Cisco's product page suggests these designs are supported
>
> --
> BR
>
> Tony
>
> On 8 Jun 2014, at 11:38, Cristian Matei <cmatei_at_ine.com> wrote:
>
> Hi,
>
> To make that work, you would need a sort of clustering or HA where
> basically the session state would be shared among multiple IPS devices.
> This is not supported by Cisco IPS and I highly doubt any IPS vendor
> supports such scenario, as the challenge is not only about session state,
> but also fragmented packets and packet inspection.
>
> Why can't you just fix the asymmetric routing?
>
> Regards,
> Cristian Matei, 2 x CCIE #23684 (R&S/SC)
> cmatei_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com <http://www.ine.com/>
>
>
>
> On 08 Jun 2014, at 13:24, Tony Singh <mothafungla_at_gmail.com> wrote:
>
> Hi
>
> Is there a Cisco IPS solution with HA being able to deal with stateful
> asymmetric traffic flows, i.e. the 4500 series?
>
> I don't want to disable TCP engines to allow for this behaviour..
>
> --
> BR
>
> Tony
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
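The point Cristian makes about keeping the same CEF/EtherChannel hashing on both sides of the IPS pair is easy to see in a toy model. The following is an added example, not code from the thread or from Cisco: it models two parallel inline IPSs reached over a two-member port-channel, a stateful "TCP engine" that only trusts flows whose SYN it saw, and two simplified load-balance policies (`src-ip` and `src-dst-ip`). The hash functions are stand-ins for illustration and are not the real platform hashes; the IP addresses and ports are constructed sample values.

```python
"""Toy model: why both directions of a flow must land on the same inline IPS
when two IPSs sit in parallel behind EtherChannels (added example, not from
the thread; hash functions are simplified assumptions, not platform hashes)."""
import ipaddress


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


# Assumed, simplified load-balance policies: each maps a packet to a member index.
def lb_src_ip(pkt, members):
    # Depends on the source only, so A->B and B->A may pick different members.
    return _ip_int(pkt["src"]) % members


def lb_src_dst_ip(pkt, members):
    # XOR of both endpoints is order-independent, so A->B and B->A agree.
    return (_ip_int(pkt["src"]) ^ _ip_int(pkt["dst"])) % members


POLICIES = {"src-ip": lb_src_ip, "src-dst-ip": lb_src_dst_ip}


class StatefulIPS:
    """Stand-in for an inline IPS with a TCP engine: it tracks a connection
    only if it saw the SYN; packets of unknown flows are counted as anomalies
    (the kind of thing a real engine would drop or alert on)."""

    def __init__(self, name):
        self.name = name
        self.known = set()
        self.unknown_flow_packets = 0

    def inspect(self, pkt):
        # Direction-independent flow key (same for in-out and out-in packets).
        key = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
            self.known.add(key)
        elif key not in self.known:
            self.unknown_flow_packets += 1


def run_flow(upstream_policy, downstream_policy, members=2):
    """Push a TCP handshake through `members` parallel IPSs. Client->server
    packets are hashed by the upstream switch, server->client by the
    downstream switch. Returns which IPS saw each packet and whether any IPS
    saw mid-flow packets without the SYN."""
    ipss = [StatefulIPS(f"IPS{i}") for i in range(members)]
    # Constructed sample endpoints: client 10.1.1.11 -> server 192.0.2.80:443.
    c2s = {"src": "10.1.1.11", "dst": "192.0.2.80", "sport": 40000, "dport": 443}
    s2c = {"src": "192.0.2.80", "dst": "10.1.1.11", "sport": 443, "dport": 40000}
    handshake = [
        (c2s, {"SYN"}, POLICIES[upstream_policy]),
        (s2c, {"SYN", "ACK"}, POLICIES[downstream_policy]),
        (c2s, {"ACK"}, POLICIES[upstream_policy]),
    ]
    path = []
    for endpoints, flags, choose in handshake:
        pkt = dict(endpoints, flags=flags)
        idx = choose(pkt, members)
        ipss[idx].inspect(pkt)
        path.append(ipss[idx].name)
    return {
        "path": path,
        "symmetric": len(set(path)) == 1,
        "unknown_flow_packets": sum(i.unknown_flow_packets for i in ipss),
    }


if __name__ == "__main__":
    for up, down in [("src-ip", "src-ip"), ("src-dst-ip", "src-dst-ip"),
                     ("src-dst-ip", "src-ip")]:
        print(f"upstream={up:10s} downstream={down:10s} ->", run_flow(up, down))
```

With a source-only hash the SYN/ACK reaches the IPS that never saw the SYN, and the same happens when the two switches are configured differently even though each policy is fine on its own; only a symmetric policy applied identically on both sides keeps the whole session on one device.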
Received on Sun Jun 08 2014 - 12:35:28 ART