Cisco IPS 7.1 Installation Guide Page 55

3-7
Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.1
OL-24002-01
Chapter 3 Installing the IPS 4270-20
Hardware Bypass
The following configuration restrictions apply to hardware bypass:
• The 4-port bypass card is only supported on the IPS 4270-20.
• Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline VLAN pairs.
• Fail-open hardware bypass is available on an inline interface if all of the following conditions are met:
  – Both of the physical interfaces support hardware bypass.
  – Both of the physical interfaces are on the same interface card.
  – The two physical interfaces are associated in hardware as a bypass pair.
  – The speed and duplex settings are identical on the physical interfaces.
  – Both of the interfaces are administratively enabled.
• Autonegotiation must be set on MDI/X switch ports connected to the IPS 4270-20.
You must configure both the sensor ports and the switch ports for autonegotiation for hardware bypass to work. The switch ports must support MDI/X, which automatically reverses the transmit and receive lines if necessary to correct any cabling problems. The sensor is only guaranteed to operate correctly with the switch if both of them are configured for identical speed and duplex, which means that the sensor must be set for autonegotiation too.
Hardware Bypass Turned Off for System Image Recovery or Reimage
Hardware bypass starts when you enter the recover application command and the interfaces are paired correctly. Hardware bypass works until the IPS starts up again with the empty configuration. Because all interfaces default to disabled and are no longer paired, when the SensorApp loads, it stops hardware bypass and sets the interfaces to link down. BEFORE you perform a reimage or recover, make sure you bypass the traffic at the switch.
Hardware Bypass and Link Changes and Drops
Properly configuring and deploying hardware bypass protects against complete link failure if the IPS appliance experiences a power loss, critical hardware failure, or is rebooted; however, a link status change still occurs when hardware bypass engages (and again when it disengages).
During engagement, the interface card disconnects both physical connections from itself and bridges them together. The interfaces of the connected devices can then negotiate the link and traffic forwarding can resume. Once the appliance is back online, hardware bypass disengages and the interface card interrupts the bypass and reconnects the links back to itself. The interface card then negotiates both links and traffic resumes.
There is no built-in way to completely avoid link status changes and drops. However, you can greatly reduce the interruption time (in some cases to sub-second times) by doing the following:
• Make sure you use CAT 5e/6-certified cabling for all connections.
• Make sure the interfaces of the connected devices are configured to match the interfaces of the appliance for speed/duplex negotiation (auto/auto).
• Enable portfast on connected switchports to reduce spanning-tree forwarding delays.
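The eligibility conditions listed under the configuration restrictions above, and the deployment points in this section that shorten the link drop, are easy to get wrong one at a time and only show up as a sensor that silently fails closed. The following pre-flight checker is an added example written for this page; it is not Cisco tooling or part of the IPS software. It models a sensor inline pair and the two switch ports facing it as small dataclasses (the interface names, card labels and switch-port settings are constructed sample values) and reports every condition that would keep fail-open hardware bypass from being available, plus the portfast recommendation as a separate warning, since portfast affects failover time rather than bypass availability.

```python
"""Pre-flight checker for IPS 4270-20 fail-open hardware bypass.

Added example (hypothetical helper, not Cisco's own tooling). It encodes the
page's eligibility conditions and the auto/auto + portfast recommendations as
checks over a constructed description of one inline pair.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class SensorPort:
    name: str
    card: str               # physical interface card the port sits on
    bypass_capable: bool    # the port supports hardware bypass
    bypass_partner: str     # port it is associated with in hardware, "" if none
    speed: str              # "auto", "1000", "100", ...
    duplex: str             # "auto", "full", "half"
    enabled: bool           # administratively enabled


@dataclass
class SwitchPort:
    name: str
    speed: str
    duplex: str
    mdix_auto: bool         # auto MDI/X supported and enabled on the switch port
    portfast: bool          # spanning-tree portfast enabled


@dataclass
class InlinePair:
    model: str              # sensor model, e.g. "IPS 4270-20"
    kind: str               # "interface" (inline interface pair) or "vlan" (inline VLAN pair)
    a: SensorPort
    b: SensorPort
    switch_a: SwitchPort    # switch port cabled to a
    switch_b: SwitchPort    # switch port cabled to b


def bypass_blockers(p: InlinePair) -> List[str]:
    """Every condition that prevents fail-open hardware bypass from being available."""
    problems = []
    if p.model != "IPS 4270-20":
        problems.append("4-port bypass card is only supported on the IPS 4270-20")
    if p.kind != "interface":
        problems.append("hardware bypass requires an inline interface pair, not an inline VLAN pair")
    if not (p.a.bypass_capable and p.b.bypass_capable):
        problems.append("both physical interfaces must support hardware bypass")
    if p.a.card != p.b.card:
        problems.append("both physical interfaces must be on the same interface card")
    if p.a.bypass_partner != p.b.name or p.b.bypass_partner != p.a.name:
        problems.append("the two interfaces must be associated in hardware as a bypass pair")
    if (p.a.speed, p.a.duplex) != (p.b.speed, p.b.duplex):
        problems.append("speed and duplex settings must be identical on both interfaces")
    if not (p.a.enabled and p.b.enabled):
        problems.append("both interfaces must be administratively enabled")
    # Sensor and switch side must both autonegotiate, and the switch port needs MDI/X.
    for sp, sw in ((p.a, p.switch_a), (p.b, p.switch_b)):
        if sp.speed != "auto" or sp.duplex != "auto":
            problems.append(f"sensor port {sp.name} must be set to autonegotiate")
        if sw.speed != "auto" or sw.duplex != "auto" or not sw.mdix_auto:
            problems.append(f"switch port {sw.name} must autonegotiate on an MDI/X port")
    return problems


def failover_warnings(p: InlinePair) -> List[str]:
    """Deployment points that lengthen the link drop when bypass engages or disengages."""
    return [f"enable portfast on {sw.name} to reduce spanning-tree forwarding delay"
            for sw in (p.switch_a, p.switch_b) if not sw.portfast]


def good_pair() -> InlinePair:
    """Constructed sample: correctly configured pair, all names are placeholders."""
    a = SensorPort("GigabitEthernet3/0", "slot3", True, "GigabitEthernet3/1", "auto", "auto", True)
    b = SensorPort("GigabitEthernet3/1", "slot3", True, "GigabitEthernet3/0", "auto", "auto", True)
    sw_a = SwitchPort("sw1-Gi1/0/10", "auto", "auto", True, True)
    sw_b = SwitchPort("sw2-Gi1/0/10", "auto", "auto", True, True)
    return InlinePair("IPS 4270-20", "interface", a, b, sw_a, sw_b)


def bad_pair() -> InlinePair:
    """Constructed sample: inline VLAN pair with mismatched, hard-coded, disabled ports."""
    a = SensorPort("GigabitEthernet3/0", "slot3", True, "GigabitEthernet3/1", "auto", "auto", True)
    b = SensorPort("GigabitEthernet3/1", "slot4", True, "GigabitEthernet3/0", "1000", "full", False)
    sw_a = SwitchPort("sw1-Gi1/0/10", "auto", "auto", True, True)
    sw_b = SwitchPort("sw2-Gi1/0/10", "1000", "full", False, False)
    return InlinePair("IPS 4270-20", "vlan", a, b, sw_a, sw_b)


if __name__ == "__main__":
    for label, pair in (("good", good_pair()), ("bad", bad_pair())):
        print(f"[{label}] blockers: {bypass_blockers(pair)}")
        print(f"[{label}] warnings: {failover_warnings(pair)}")
```

Run it as-is and the "good" pair reports no blockers and no warnings; the "bad" pair reports the inline VLAN pair, the card mismatch, the speed/duplex mismatch, the disabled interface and the two hard-coded ports as blockers, and the missing portfast on the second switch port as a warning. Because the page says bypass stops and interfaces go link down during a recover or reimage, a checker like this belongs in the change procedure before that step, alongside confirming that traffic is already bypassed at the switch.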