399 Views 1 Reply Latest reply: May 2, 2013 7:35 AM by dmease729
dmease729 Champion 267 posts since
Jul 22, 2011

May 2, 2013 3:11 AM

Port patching requirements for asymmetric routing across active-active sensor pair



It's been a short while since I have deployed NSPs (I believe the last I deployed were 6.1) and just looking to refresh my head with regards to the requirements for asymmetric routing environments. Looking at the IPS Administration Guide (v7.5 rev C) p46, under 'interface groups', it states:


"An interface group, also known as port clustering in networking parlance, combines the traffic processed on separate Sensor interfaces—or, in the case of a Failover Pair, on separate Sensors—into a single logical interface for state and intrusion analysis."


which would seem to me to state clearly that if we do have separate sensors in a failover pair, in order to allow for the correct processing of traffic in an asymmetric routing environment, an interface group needs to be configured.  That makes sense to me, however under 'primary v active' (section before 'interface groups'), we have the following:


"This Active‑Active configuration provides the added benefit of supporting asymmetric traffic flows (that is, when packets belonging to the same TCP/UDP flow are divided across Sensors). Thus, the Network Security Platform failover pair will detect attacks even when the traffic is asymmetric. This topic is discussed, in the section Interface groups."


This appears to imply in the first instance that the support of asymmetric routing is there by default - the second part, however, refers to the 'interface groups' section.


My question is, as the sensors in a failover pair are always *really* active-active (as per p44 "In Network Security Platform, because both failover Sensors must be ready to process packets on their monitoring ports at all times, both Sensors are actually active at all times"), I am taking it that the latter section below should really read "... the Network Security Platform failover pair will detect attacks even when the traffic is asymmetric, *and* the respective port pairs have been assigned to interface groups, as per section 'interface groups'", or in other words, if an interface group is not created, then the sensor pair will *not* detect attacks when the traffic is asymmetric.


Could somebody verify my understanding or possibly explain where I am going wrong if I have misunderstood?
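The reasoning in the post above (two sensors each seeing only one direction of a TCP flow, versus their ports combined into a single logical interface) can be shown with a small model. This is an added example, not code from the original post or from McAfee; the sensor names "A"/"B", the addresses and the packet sequence are constructed, and the state machine is a deliberately simplified stand-in for whatever the Sensor actually does.

```python
"""Added example (not from the original post or McAfee): a minimal model of why
an Active-Active failover pair needs its port pairs placed in an interface group
before it can do stateful inspection of an asymmetrically routed TCP flow."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# Constructed asymmetric flow: every client->server packet is routed through
# sensor A, every server->client packet through sensor B.
ASYMMETRIC_FLOW = [
    ("A", Packet("10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"SYN"}))),
    ("B", Packet("192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))),
    ("A", Packet("10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"ACK"}))),
    ("A", Packet("10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"PSH", "ACK"}))),
]

def flow_key(p):
    """Direction-independent key so both halves of a flow map to one entry."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class StateTable:
    """Tracks the TCP handshake; payload is only inspected on ESTABLISHED flows."""
    def __init__(self):
        self.flows = {}

    def process(self, p):
        k = flow_key(p)
        state = self.flows.get(k)
        if state is None:
            if p.flags == {"SYN"}:
                self.flows[k] = "SYN"
                return "tracked"
            return "no-state"           # mid-stream packet, handshake never seen
        if state == "SYN" and p.flags == {"SYN", "ACK"}:
            self.flows[k] = "SYN-ACK"
            return "tracked"
        if state == "SYN-ACK" and "ACK" in p.flags:
            self.flows[k] = state = "ESTABLISHED"
        if state == "ESTABLISHED" and "PSH" in p.flags:
            return "inspected"          # only now is the payload analysed
        return "tracked"

def run_pair(flow, interface_group):
    """Without an interface group each sensor keeps its own state table; with one,
    both sensors' ports feed a single logical interface and share one table."""
    if interface_group:
        shared = StateTable()
        tables = {"A": shared, "B": shared}
    else:
        tables = {"A": StateTable(), "B": StateTable()}
    return [tables[sensor].process(p) for sensor, p in flow]
```

Without the group, sensor B sees the SYN/ACK with no prior SYN and sensor A never sees the handshake complete, so the request carrying a payload is never inspected; with the group the same packets reach ESTABLISHED and the payload is analysed.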


