Greetings,
A potential problem with a NIPS installation has come up, and I am curious to
what other people may have done in this situation.
Scenario:
(2) routers, (1) switch
Both routers have a fiber link to the switch, both routers run HSRP to float
the default gateway for the switch. There is also a routed link between the
two routers directly.
Now insert an NIDS/NIPS device on each of the two links from the swtich. In
this case it is a TippingPoint, but I don't think that really matters.
What will happen with HSRP if the primary router link fails between the NIPS
device and the switch? The HSRP primary router would still see the line
protocol up since the NIPS device is still active.
From what I have been reading, HSRP Hello packets are what determines a
failover, and that those should only be flowing between the routers through
the switch. This would work fine. Cisco says that if a device (such as an
IDS/IPS) inline keeps the line protocol up, HSRP will not failover.
This would seem to be a fairly common scenario. Anyone have experience with
this?
Thanks!
Brian
--
Opinions expressed are either that of my own, or someone else's.
--------------------------------------------------------------------------
FREE Network Security Webinar - How to implement IPSec security into VPN
appliances
New threats and vulnerabilities require new high-performance IPSec VPN
solutions for network protection.
Join the security experts from SafeNet on August 26 at 1:00 PM (Eastern), and
learn how to successfully integrate IPSec security into VPN processors and
appliances to provide powerful yet cost-effective VPN solutions for your
customers.
Register now:
http://www.securityfocus.com/sponsor/SafeNet_focus-ids_040817
--------------------------------------------------------------------------
