User guide
Chapter 3: Configuring Appliances for High Availability
34
About High Availability
Introduction
The Proventia Network Intrusion Prevention System (IPS) High Availability (HA) feature
enables appliances to work in an existing high availability network environment. The IPS
passes all traffic over mirroring links, ensuring that both appliances see all traffic across
the network and thus maintain state. This approach also allows the appliances to see
asymmetrically routed traffic in order to fully protect the network.
HA support for Proventia Network IPS is limited to two cooperating appliances. Both
appliances process packets inline, block attack traffic that arrives on their inline protection
ports, and report events received on their inline ports to the management console.
For information on enabling HA, see “Enabling HA” on page 127.
Supported appliances
The following Proventia Network IPS appliance models can function in an existing HA
environment:
● G400
● G2000
● GX5008
● GX5108
● GX6116
Use comparable models as a pair
Always use the same model appliances as an HA pair.
You cannot mix models in a single HA environment. For example, you cannot use a G2000
appliance and a GX5008 appliance as an HA pair.
Supported network configurations
High availability networks are typically configured in one of two ways:

Existing HA configuration   Description
Primary / Secondary         With this configuration, the traffic flows only on one of the redundant network segments and the primary devices on the network handle all of the traffic until one of the devices fails, at which point the traffic fails over to the secondary redundant network segment and the secondary devices take over.
Clustering                  With this configuration, the traffic is load balanced and both sets of devices are active and see traffic all of the time.
Table 17: Supported network configurations

The Proventia HA feature supports both of these network configurations. In order to
accomplish this, both Proventia appliances must maintain identical state. The appliances
are connected by mirror links that consist of multiple connections over multiple ports.
These mirror links pass all traffic an appliance receives on its inline ports to the other
appliance, ensuring the protocol analysis modules on both appliances process all of the
network traffic. The appliances therefore also process asymmetrically routed traffic.
This approach ensures that there is no gap in protection during failover.
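The following toy model illustrates why the mirror links matter for the configurations above. It is an added example, not Proventia code: two minimal stateful inline sensors, a constructed TCP handshake whose two directions are routed asymmetrically (client-to-server through sensor A, server-to-client through sensor B), and a switch that enables or disables mirroring. The addresses and the simplified state machine are assumptions made for the illustration.

```python
"""Toy model of HA mirror links between two stateful inline sensors (added example)."""
from collections import defaultdict

# Constructed sample flow: the client->server half is routed through sensor A,
# the server->client half through sensor B (asymmetric routing).
PACKETS = [
    ("A", "10.0.0.5", "10.0.1.9", "SYN"),
    ("B", "10.0.1.9", "10.0.0.5", "SYN-ACK"),
    ("A", "10.0.0.5", "10.0.1.9", "ACK"),
    ("A", "10.0.0.5", "10.0.1.9", "DATA"),
]
FLOW = ("10.0.0.5", "10.0.1.9")   # flow key: sorted endpoint pair


class Sensor:
    """Minimal TCP state tracker standing in for a protocol analysis module."""

    def __init__(self):
        self.state = defaultdict(lambda: "NONE")   # per-flow connection state
        self.unverified = 0                          # packets seen with no usable state

    def inspect(self, src, dst, flag):
        key = tuple(sorted((src, dst)))
        cur = self.state[key]
        if flag == "SYN" and cur == "NONE":
            self.state[key] = "SYN_SENT"
        elif flag == "SYN-ACK" and cur == "SYN_SENT":
            self.state[key] = "SYN_RECEIVED"
        elif flag == "ACK" and cur == "SYN_RECEIVED":
            self.state[key] = "ESTABLISHED"
        elif flag == "DATA" and cur == "ESTABLISHED":
            pass                                     # in-state data, can be analysed
        else:
            self.unverified += 1                     # state unknown, analysis degraded


def run(mirror_links):
    """Feed PACKETS through the pair; return {sensor: (flow state, unverified count)}."""
    sensors = {"A": Sensor(), "B": Sensor()}
    for port, src, dst, flag in PACKETS:
        sensors[port].inspect(src, dst, flag)
        if mirror_links:
            peer = "B" if port == "A" else "A"
            sensors[peer].inspect(src, dst, flag)   # mirror link forwards a copy
    # With mirroring both sensors hold ESTABLISHED, so either can take over on failover.
    return {name: (s.state[FLOW], s.unverified) for name, s in sensors.items()}


if __name__ == "__main__":
    print("without mirror links:", run(False))
    print("with mirror links:   ", run(True))
```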