Cisco Systems IPS 7.1 Home Security System User Manual
5-11
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 5 Configuring Interfaces
Understanding Interfaces
Note The IPS 4260 supports a mixture of 4GE-BP, 2SX, and 10GE cards. The IPS 4270-20 supports a mixture
of 4GE-BP, 2SX, and 10GE cards up to a total of either six cards or sixteen total ports, whichever is
reached first, but is limited to only two 10GE cards in the mix of cards.
Hardware Bypass Mode
In addition to Cisco IPS software bypass, the IPS 4260 and the IPS 4270-20 also support hardware
bypass. This section describes the hardware bypass card and its configuration restrictions, and contains
the following topics:
Hardware Bypass Card, page 5-11
Hardware Bypass Configuration Restrictions, page 5-12
Hardware Bypass Card
The IPS 4260 and the IPS 4270-20 support the 4-port GigabitEthernet card (part number
IPS-4GE-BP-INT=) with hardware bypass. This 4GE bypass interface card supports hardware bypass
only between ports 0 and 1 and between ports 2 and 3.
Note To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and
2/1<->2/3.
Hardware bypass complements the existing software bypass feature in Cisco IPS. The following
conditions apply to hardware bypass and software bypass:
When bypass is set to OFF, software bypass is not active. For each inline interface for which hardware
bypass is available, the component interfaces are set to disable the fail-open capability. If SensorApp
fails, if the sensor is powered off or reset, or if the NIC interface drivers fail or are unloaded, the
paired interfaces enter the fail-closed state (no traffic flows through the inline interface or inline
VLAN subinterfaces).

When bypass is set to ON, software bypass is active. Software bypass forwards packets between the paired
physical interfaces in each inline interface and between the paired VLANs in each inline VLAN
subinterface. For each inline interface on which hardware bypass is available, the component interfaces
are set to standby mode. If the sensor is powered off or reset, or if the NIC interfaces fail or are
unloaded, those paired interfaces enter the fail-open state in hardware (traffic flows unimpeded through
the inline interface). Any other inline interfaces enter the fail-closed state.

When bypass is set to AUTO, software bypass (traffic flows without inspection) is activated if
SensorApp fails. For each inline interface on which hardware bypass is available, the component
interfaces are set to standby mode. If the sensor is powered off or reset, or if the NIC interfaces fail
or are unloaded, those paired interfaces enter the fail-open state in hardware. Any other inline
interfaces enter the fail-closed state.
Note To test fail-over, set the bypass mode to ON or AUTO, create one or more inline interfaces,
power down the sensor, and verify that traffic still flows through the inline path.
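The bypass rules above combine three inputs (bypass mode, whether the pair sits on hardware-bypass-capable ports, and which failure occurred) and the resulting state is easy to get wrong when planning a fail-over test or a change window. The following is an added example, not Cisco code and not part of the guide, that encodes the guide's decision table as a small Python model: the pairing rule (hardware bypass only between ports 0 and 1 or 2 and 3 on the same 4GE-BP card) and the fail-open/fail-closed outcome for each mode and failure. The "slot/port" naming, the set of slots assumed to hold a 4GE-BP card, and the enum names are constructed for this example.

```python
"""Decision model of the IPS 4260 / IPS 4270-20 bypass behaviour described above.

Constructed for this example: the "slot/port" interface name format, the set of
slots assumed to hold a 4GE-BP card, and the enum names are not Cisco identifiers.
"""
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class BypassMode(Enum):
    OFF = "off"
    ON = "on"
    AUTO = "auto"


class Failure(Enum):
    SENSORAPP = "SensorApp failed"          # analysis engine down, OS still running
    POWER_OFF = "sensor powered off"
    RESET = "sensor reset"
    NIC_DRIVER = "NIC driver failed or unloaded"


class PairState(Enum):
    INSPECTING = "inline inspection"
    SOFTWARE_BYPASS = "software bypass (forwarding, no inspection)"
    FAIL_OPEN_HW = "fail-open in hardware (traffic flows, no inspection)"
    FAIL_CLOSED = "fail-closed (no traffic through the pair)"


def parse_port(name: str) -> Tuple[int, int]:
    """Parse a 'slot/port' name such as '2/0' into (slot, port)."""
    slot, port = name.split("/")
    return int(slot), int(port)


def hardware_bypass_available(if_a: str, if_b: str, bypass_card_slots: Set[int]) -> bool:
    """True only when both ports are on the same 4GE-BP card and paired 0<->1 or 2<->3.

    Any other pairing (for example 2/0<->2/2 or 2/1<->2/3) disables hardware bypass,
    as the note in the guide states.
    """
    slot_a, port_a = parse_port(if_a)
    slot_b, port_b = parse_port(if_b)
    if slot_a != slot_b or slot_a not in bypass_card_slots:
        return False
    return {port_a, port_b} in ({0, 1}, {2, 3})


def pair_state(mode: BypassMode, hw_bypass: bool,
               failure: Optional[Failure] = None) -> PairState:
    """State of one inline pair given the bypass mode, HW-bypass availability and failure."""
    if failure is None:
        # Healthy sensor: ON forwards without inspection, OFF and AUTO inspect.
        return PairState.SOFTWARE_BYPASS if mode is BypassMode.ON else PairState.INSPECTING
    if mode is BypassMode.OFF:
        # OFF disables the fail-open capability: every listed failure closes the pair.
        return PairState.FAIL_CLOSED
    if failure is Failure.SENSORAPP:
        # ON: software bypass is already forwarding; AUTO: it is activated on SensorApp failure.
        return PairState.SOFTWARE_BYPASS
    # Power off, reset or NIC driver loss: only HW-bypass-capable pairs fail open.
    return PairState.FAIL_OPEN_HW if hw_bypass else PairState.FAIL_CLOSED


def failure_matrix(if_a: str, if_b: str, bypass_card_slots: Set[int],
                   mode: BypassMode) -> Dict[Failure, PairState]:
    """Expected state of the pair if_a<->if_b under every failure, for one bypass mode."""
    hw = hardware_bypass_available(if_a, if_b, bypass_card_slots)
    return {f: pair_state(mode, hw, f) for f in Failure}


if __name__ == "__main__":
    slots = {2}  # constructed: assume the 4GE-BP card is installed in slot 2
    for a, b in (("2/0", "2/1"), ("2/0", "2/2")):
        for mode in BypassMode:
            outcome = {f.name: s.name for f, s in failure_matrix(a, b, slots, mode).items()}
            print(f"{a}<->{b} bypass={mode.name}: {outcome}")
```

Running the model for the two pairings in the guide's note shows why the pairing matters: with bypass ON or AUTO, a 2/0<->2/1 pair fails open in hardware on power-off, reset or NIC loss, while a 2/0<->2/2 pair on the same card fails closed under every failure. Use the matrix to decide, before the power-down test the note describes, which pairs are expected to keep passing traffic and which are expected to stop.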