Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 5 Configuring Interfaces
Understanding Interfaces
For More Information
For the procedure for configuring inline bypass mode, see Configuring Inline Bypass Mode, page 5-39.
Hardware Bypass Configuration Restrictions
To use the hardware bypass feature on the 4GE bypass interface card, you must pair interfaces to support
the hardware design of the card. If you create an inline interface that pairs a hardware-bypass-capable
interface with an interface that violates one or more of the hardware-bypass configuration restrictions,
hardware bypass is deactivated on the inline interface and you receive a warning message similar to the
following:
Hardware bypass functionality is not available on Inline-interface pair0.
Physical-interface GigabitEthernet2/0 is capable of performing hardware bypass only when
paired with GigabitEthernet2/1, and both interfaces are enabled and configured with the
same speed and duplex settings.
The following configuration restrictions apply to hardware bypass:
- The 4-port bypass card is only supported on the IPS 4260 and IPS 4270-20.
- Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline VLAN
  pairs.
- Fail-open hardware bypass is available on an inline interface if all of the following conditions are
  met:
  - Both of the physical interfaces support hardware bypass.
  - Both of the physical interfaces are on the same interface card.
  - The two physical interfaces are associated in hardware as a bypass pair.
  - The speed and duplex settings are identical on the physical interfaces.
  - Both of the interfaces are administratively enabled.
- Autonegotiation must be set on MDI/X switch ports connected to the IPS 4260 and IPS 4270-20.
  You must configure both the sensor ports and the switch ports for autonegotiation for hardware
  bypass to work. The switch ports must support MDI/X, which automatically reverses the transmit
  and receive lines if necessary to correct any cabling problems. The sensor is only guaranteed to
  operate correctly with the switch if both of them are configured for identical speed and duplex,
  which means that the sensor must be set for autonegotiation too.
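The restrictions above can be checked before a change window with a small audit script. This Python sketch is an added example, not part of the Cisco guide: the PhysIf record, its field names, the "auto" encoding for autonegotiation and the GigabitEthernet2/2 sample entry are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

SUPPORTED_PLATFORMS = {"IPS 4260", "IPS 4270-20"}  # platforms listed for the 4-port bypass card

@dataclass(frozen=True)
class PhysIf:  # hypothetical inventory record, not a Cisco data structure
    name: str
    card: int                      # slot of the interface card
    bypass_partner: Optional[str]  # hardware bypass partner; None if not bypass-capable
    speed: str                     # "auto" stands for autonegotiation (assumed encoding)
    duplex: str
    enabled: bool                  # administrative state

def bypass_violations(platform: str, kind: str, a: PhysIf, b: PhysIf) -> List[str]:
    """Return every restriction the pairing breaks; an empty list means fail-open is available."""
    if kind != "inline-interface":
        return ["fail-open hardware bypass does not apply to inline VLAN pairs"]
    found = []
    if platform not in SUPPORTED_PLATFORMS:
        found.append("4-port bypass card is not supported on this platform")
    if a.bypass_partner is None or b.bypass_partner is None:
        found.append("both physical interfaces must support hardware bypass")
    if a.card != b.card:
        found.append("interfaces are on different interface cards")
    if a.bypass_partner != b.name or b.bypass_partner != a.name:
        found.append("interfaces are not a hardware bypass pair")
    if (a.speed, a.duplex) != (b.speed, b.duplex):
        found.append("speed and duplex settings differ")
    elif (a.speed, a.duplex) != ("auto", "auto"):
        found.append("sensor ports are not set to autonegotiation")
    if not (a.enabled and b.enabled):
        found.append("both interfaces must be administratively enabled")
    return found

# Constructed sample inventory. The 2/0 <-> 2/1 pairing comes from the warning text;
# the GigabitEthernet2/2 entry and its partner are made up for the example.
G20 = PhysIf("GigabitEthernet2/0", 2, "GigabitEthernet2/1", "auto", "auto", True)
G21 = PhysIf("GigabitEthernet2/1", 2, "GigabitEthernet2/0", "auto", "auto", True)
G22 = PhysIf("GigabitEthernet2/2", 2, "GigabitEthernet2/3", "1000", "full", False)

if __name__ == "__main__":
    for label, pair in (("pair0", (G20, G21)), ("pair1", (G20, G22))):
        problems = bypass_violations("IPS 4260", "inline-interface", *pair)
        print(label, "fail-open available" if not problems else problems)
```

A pairing that returns any violation will forward no traffic when the sensor loses power or SensorApp stops, so it should be treated as fail-closed when planning maintenance.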
Hardware Bypass Turned Off for System Image Recovery or Reimage
Hardware bypass starts when you enter the recover application command and the interfaces are paired
correctly. Hardware bypass works until the IPS starts up again with the empty configuration. Because all
interfaces default to disabled and are no longer paired, when the SensorApp loads, it stops hardware
bypass and sets the interfaces to link down. Before you perform a reimage or recover, make sure you
bypass the traffic at the switch.
Interface Configuration Restrictions
For IPS standalone appliances with 1 G and 10 G fixed or add-on interfaces, the maximum jumbo frame
size is 9216 bytes. For integrated IPS sensors, such as the ASA 5500-X and ASA 5585-X series, refer to
the following URL for information: