IPS 4240 high availability?

Hello

4240 running in HA mode?

Or should I look at 4255 if I need to work in HA mode?

Kindly help me with this info... Thanks in advance.

Kind regards
RAM

Just to add a little bit to Bob's response.  It is possible for the HA, but as mentioned above, it is not HA as you would expect of a firewall and requires significant network planning and is rather technical in nature.

The best documentation I could find about the designs HA is in chapter 21 - "Deploying Cisco IPS for high availability" and High Performance of Earworms security CCNP 642-627 official Cert Guide, ISBN: 9780132372107.  It gets quite detailed and explains a large number of different methods.

I was also able to find some information on this site, but it is at a higher level and does not provide as many options.

https://www.NetworkWorld.com/community/node/18384

I had to work HA in some of our environments, and I'm here to tell you, plan ahead, far in advance, test several methods to find one that suits.  We were using a method that I just couldn't find mentioned anywhere.


Similar Questions

  • IPS high-availability Solution

    Hi all

    obligation to have redundancy for appliance IPS placed on data center design, I dug on Cisco docs but found the resilience and the HA (High Availability) from the point of view of IPS could take place in the side of switches (HSRP/Eth channel balance).

    is there a visible way to implement high availability of dynamically!

    Kind regards

    Belal

    Yes Belal, both of the things mentioned by you are right. There is no function available which allows "failover" communications between two IPS boxes as Cisco firewalls do.

    Yes Etherchannel load balance traffic to each pair of IP from sensor single src - dst.

    Regards

    Farrukh

  • IPS 4240 - additional card

    Hello

    Does anyone know, when will be available 4xFE cards for IPS-4240 (for total 8 interfaces)?

    Kind regards

    Krzysztof

    The option card for IPS-4240/4255 sensors will be a card 4GE to support copper (RJ45) and fiber (SX) connections. It will allow a total of 8 RJ45 interfaces or 4 SX fiber interfaces (and 4 RJ45 interfaces) on these platforms. Unfortunately, it will be probably available for another 9 months or more.

  • IPS-4240 design question

    I have two IPS 4240s that can be placed between our internal network and our extranet firewall. The game of firewall is your pair of standard assets/ASA-5520 switch connected to both switches.

    Q1 - if I'm not worried about atomic attacks, is there another advantage that IPS inline on promiscuity?

    Q2 - If inline or promiscuity, is it necessary to connect the unique IPS for two switches in order to receive packets when a failover of the SAA occurs? If so, does physically or through RSPAN?

    Q3 - if the IPS fails and it is set online, interfaces fail open (traffic continues to pass) or closed (traffic is removed)? I couldn't find that on the Cisco site.

    Thank you!

    "Promiscuous" mode, you can use a 4240 and extend the output of each switch in two interfaces of remote sensing of the 4240 (it has four available). A single 4240 should even be able to set up TCP sessions that span the two rails, as in the case of a failover.

  • IPS-4240 engine upgradation procedure of E3 E4

    Hi all

    Can someone help me to upgrade the IPS 6.0 (1) 7.0 E1 (2) E4.

    What are the images need to be upgraded for this?

    What is the appropriate procedure for upgradation?

    Here is the version for your reference results show...

    ========================================

    Cisco IPS #.

    Cisco-IPS # sh ver
    Application partition:

    Cisco Intrusion Prevention System, Version 1.0000 E3

    Host:
    Domain keys key1.0
    Definition of signature:
    Update of the signing S479.0 2010-03-19
    Virus update V1.4 2007-03-02
    OS version: 2.4.30 - IDS-smp-bigphys
    Platform: IPS-4240-K9
    Serial number: JMX1244L0PK
    License expires: December 31, 2010 UTC
    Sensor time is 211 days.
    With the help of 1439252480 of 1984552960 memory available bytes (72% of use)
    the application data uses 44.0 M off 166,8 M bytes of disk space available (28% of use)
    startup is using 39.7 M off 68.6 M bytes of disk space available (61% of use)

    MainApp to E-2008_OCT_16_16_24 (release) 2008-10-16 T 16: 40:57 - 0500 Running
    AnalysisEngine-E-2008_OCT_16_16_24 (release) 2008-10-16 T 16: 40:57 - 0500 Running
    CLI-E-2008_OCT_16_16_24 (release) 2008-10-16 T 16: 40:57 - 0500

    Upgrade history:

    * IPS - GIS - S465 - req - E3 23:00:43 UTC Thursday, January 28, 2010
    IPS-GIS-S479-req - E3.pkg 00:05:37 UTC Wednesday, April 7, 2010

    Version 1.1 - 1, 0000 E3 recovery partition

    Valid certificate from the host: November 17, 2008 to November 18, 2010

    Cisco IPS #.

    Cisco IPS #.

    =================================

    Kind regards

    Anuj Pratap

    No, do not reimage system (IPS-4240-K9-sys-1.1-a-7.0-2-E4.img), which would eliminate all of your configuration.

    Just perform the upgrade using this upgrade file: IPS-K9-7.0-2-E4.pkg and which would automatically be updated to 7.0.2 (E4).

  • The Upgrade Version of the engine on IPS-4240

    Hello

    I'm running a sensor IPS 4240 with engine Version 7.0 (1) E3 and the sensor will always have a strong canvassing from 97 to 98%. It's recommended to update the sensor to the latest version of the engine, considering the amount of load top right now?

    Thank you

    Kiran

    Hi Kiran,

    You need to update the engine at it, since you cannot use the latest signature definitions without being on the latest engine.  As long as you don't see packets ignored at the level of the interface of detection, it is fine for the use of the CPU which is high.  If you start to see rejected the packages that you need to reduce the amount of traffic being sent to the probe or reduce (by clearing and retreating) the number of signatures inspection of the traffic on the sensor.

    Best regards

    Justin

  • Configuration of high availability.

    Hello

    Please help me to configure high availability for Foglight existing environment, please send me the steps and requirements of pre.

    How many servers can exist in a cluster?

    Capacity how do we need on the primary server and the other servers if there is a failure?

    We currently have 1 unifying and 3 child FMS.

    version: 5.6.10

    Thank you

    Vicky

    Vicky,

    There are 2 very useful field guides that go through the requirements and the Setup process.

    High Availability Guide - http://edocs.quest.com/foglight/5610/doc/wwhelp/wwhimpl/common/html/frameset.htm?context=field&file=HA-field/index.php&single=true

    Federation of field guide - http://eDOCS.quest.com/Foglight/5610/doc/wwhelp/wwhimpl/common/HTML/frameset.htm?context=field&file=Federation-field/index.php&single=true

    Note the following points, known issue

    http://eDOCS.quest.com/Foglight/5611/doc/wwhelp/wwhimpl/common/HTML/frameset.htm?context=field&file=HA-field/overview.1.php&single=true

    "A master of the Federation running in mode high availability is not supported. Only children Federated can be run by high availability."

    Golan

  • High availability of components in the design of vWorkspace tips

    Hi all

    Would ask you some advice regarding the design of vWorkspace components highly available. Suppose that vWorkspace components will be deployed in vSphere or hypervisors managed SCVMM hence HA is in place, if the failure of a host. In this situation, if we still need components redundant (n + 1 VMS) vWorkspace?

    On the other note, I understand that we can add a couple of broker for vWorkspace in vWorkspace Management Console connections and based on KB 99163 it would just work. I'm not sure how the traffic would be when an application is web access? As in, I guess that the connection broker news would be 'defined' at the request of the web call to the broker for connections. Or this is done automatically? Access Web would choose randomly from the broker for connections to go?

    Thanks for any advice in advance

    Kind regards

    Cyril

    Hi Cyril,

    Big questions. As with any IT architecture in layers, you must plan HA and redundancy at all points of failure required by your environment or level of Service (SLA) agreements. For vWorkspace, the center of his universe is SQL and you must plan accordingly the failure and recovery. In some environments, full backup can meet the requirement of HA. In others, full SQL Cluster, Mirroring, replication, or Always-On configurations may be required. With our broker, we recommend N + 1 deployment in most scenarios HA. When you move peripheral components or enabling, you must evaluate each component and needs its impact of failure as well as its valuation to determine the appropriate AP.

    Load balancing between several brokers is done automatically by logic in the client connectors. In the case of Web access, when you configure the site Web Access in the Management Console, it includes broker list in the Web access configuration xml file. As client connectors, Web Access includes balancing logic that distributes the client load on brokers available automatically.

    If you have any questions about specific components and requirements of HA or architecture, please add them in the discussions.

  • WLC 5508 high availability

    Hello

    Today I have two WLC 5508 (with license for 100 AP each of them), on a single site.

    The WLC work availability (active-standby).

    However, we have a new scenario, with 02 sites: A and B (attachment).

    I would like to know if it is possible to work as follows:

    The WLC - A as the main controller of site A. WLC - B as a backup (BDC) of WLC.-a.

    The WLC - B that has the PDC site B. WLC - as a backup (BDC) to WLC - B.

    For example:

    If WLC - a falls, site access Points are managed by B WLC site - B and vice versa.

    Is this possible?

    How can I configure the new scenario? Don't forget, there is a site-to-site between Site A and Site b.

    Another point:

    If I add more than 50 APs on Site A. How does the license number?

    Should I buy a license for the two WLC?

    TKS,

    >....

    >.. .is it possible?

    No, high availability in terms of controller is supposed to be what is said, the backup controller is not 'full' - stby and cannot play other roles.

    M.

  • IPCCX high availability

    Does anyone know if Cisco will provide redundancy standby high availability of IPCC express?

    Chris

    Search in the next major version of the IPCC Express. Last I heard it was scheduled for release next month some time.

    Jim

  • Deployment of high availability of the IPCC 4.5

    In a future HD architecture implementation, the voice service will provide CallManager 5.0, that will integrate with 4.5 of the IPCC. 4.5 (required with 5.0 CM) IPCC does implement a high availability. How can we ensure that technical support continues to operate if the IPCC goes down? One possibility might be to configure CM such that if the IPCC goes down, all the number of help desk calls are automatically and immediately headed to a group (which includes all extensions help desk). This redirection can be configured in CM? Is there a better option?

    Thanks in advance,

    SB

    This is your best bet. On the road Points for your call center just put the call before busy, no answer and failure to the fighter pilot. Thus, when the IPCC Express Server is down it will sent to your fighter pilot.

    Please evaluate the useful messages.

    adignan - berbee

  • Deployment of Cisco IPS 4240 devices

    I can't find all the information about the Cisco IPS 4240 features massive deployments. I have 6 devices, I intend to drive to several remote sites and tie in a centralized unit of Cisco MARCH. Without the help of any CSM/LMS software, is there a quick and dirty to pull this off? I think to set up a single IPS appliance, then pull and distribute the configuration file for the remaining devices. I would like to see how others have done this...

    If all of your sensors are of the same type (all 4240 to your situation) and will execute all the even correct configuration, then the copy command will help you out.

    There is a new feature added to the copy command in IPS 6.1 which will help you during the copying of config of one sensor to another.

    Completely configure one sensor (using IME, IDM or CLI). When you are satisfied with the configuration, use the copy command to copy it onto an SCP server.

    Now bring up a second sensor and configure basic networking through the Installer settings (ip address, gateway, etc...).

    Now, use the command copy to copy the first configuration of sensors from the SCP server in the running of the second probe configuration on the second.

    It will ask you to change the network settings on the second probe.

    Answer no.

    The rest of the configuration of the probe first copy will be placed in the second sensor.

    The second sensor will keep its own unique IP address but win the rest of the configuration of the config of the first probe.

    Continue to do this with additional sensors.

    The process can then be repeated every time that additional changes are made to the first sensor.

    Remember though that this only works if the configuration of the probe will be exactly duplicated (including what interfaces would be monitored and how).

    If each sensor will have some unique tunings, then you need to manage each sensor on its own or buy CSM which can be used to share only parts of the configuration of multiple sensors.

  • SNS with high availability option

    I need help to understand the requirements of network and connectivity to deployment Cisco show and share with the high availability option where the DC and DR are different geographical locations.

    As I understand it, to achieve high availability, the DMM and the SNS servers require a L2 connectivity between the primary and the secondary server. How can this be achieved in a scenario where two data centers are connected by WAN / MAN links?

    Thank you.

    Chaitanya Datar

    + 91 99225 83636

    Hi, Datar,

    I already asked this question to the TAC, and it is unfortunately clear today the HA mode with 2 servers connected mode "back to back" via Ethernet2, REQUIRES to be on the same network of L2.

    It is not yet based on the IP routing layer, and therefore it is did not in charge of the design when using remote data centers...

    :-(

    It's a shame, I know, and I pointed to the BU of the SnS.

    May be part of a next version of work will be based on network IP L3 routed...

    Wait and see.

    Hervé Collignon

    Converged Communications Manager

    Dimension Data Luxembourg.

  • Two WLC 5508 anchor high availability

    Hello.

    It is possible use 2 WLC 5508 EN HOW to ANCHOR in an active scenario?

    For example, if a WLC down the service, another Dungeon provide service to customers of anchor?

    At the moment we have just a WLC 5508 anchor mode. What do I have to configure high availability of the ANCHOR.

    Thank you very much!!!

    You have redundant WLC as anchor points, but if an anchor fails, the user must reconnect.

    There is a feature on the WLC HA, but it is mainly for foreigners redundancy WLC anchor no redundancy. With guest several anchors overseas WLC balance the load between the two. You will not be able to put a primary or backup.


  • IPS-4240 fail open

    Hi all

    I have one unit of IPS-4240. I want to know if my sensor or the unit itself fails / stops, is there an option where in my traffic will be passed so that there is no downtime.

    Thank you

    Pratik

    You can configure the sensor when it is inline with inline-bypass 'auto' mode so when the unit does not work, it will just pass through traffic without inspection, however, if the sensor is completely shutdown, then no, the traffic will be dropped when in inline mode.

    Here is more information on derivation inline mode:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/CLI/cli_interfaces.html#wp1047079

    However, if it is in promiscuous mode, you don't have to worry about this because the package is not "inline" and will cause no disruption.

    Hope that helps.
