Filter
Top Products
4-6
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1
OL-24002-01
Chapter 4 Installing the IPS 4260
Hardware Bypass
The following configuration restrictions apply to hardware bypass:
•
The 4-port bypass card is only supported on the IPS 4260.
•
Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline VLAN
pairs.
•
Fail-open hardware bypass is available on an inline interface if all of the following conditions are
met:
–
Both of the physical interfaces support hardware bypass.
–
Both of the physical interfaces are on the same interface card.
–
The two physical interfaces are associated in hardware as a bypass pair.
–
The speed and duplex settings are identical on the physical interfaces.
–
Both of the interfaces are administratively enabled.
•
Autonegotiation must be set on MDI/X switch ports connected to the IPS 4260.
You must configure both the sensor ports and the switch ports for autonegotiation for hardware
bypass to work. The switch ports must support MDI/X, which automatically reverses the transmit
and receive lines if necessary to correct any cabling problems. The sensor is only guaranteed to
operate correctly with the switch if both of them are configured for identical speed and duplex,
which means that the sensor must be set for autonegotiation too.
Hardware Bypass and Link Changes and Drops
Properly configuring and deploying hardware bypass protects against complete link failure if the IPS
appliance experiences a power loss, critical hardware failure, or is rebooted; however, a link status
change still occurs when hardware bypass engages (and again when it disengages).
During engagement, the interface card disconnects both physical connections from itself and bridges
them together. The interfaces of the connected devices can then negotiate the link and traffic forwarding
can resume. Once the appliance is back online, hardware bypass disengages and the interface card
interrupts the bypass and reconnects the links back to itself. The interface card then negotiates both links
and traffic resumes.
There is no built-in way to completely avoid link status changes and drops. However, you can greatly
reduce the interruption time (in some cases to sub-second times) by doing the following:
•
Make sure you use CAT 5e/6-certified cabling for all connections.
•
Make sure the interfaces of the connected devices are configured to match the interfaces of the
appliance for speed/duplex negotiation (auto/auto).
•
Enable portfast on connected switchports to reduce spanning-tree forwarding delays.