10/100/1000 Copper Active Fail-Open Bypass Kit Guide
Revision D
McAfee® Network Security Platform

This document describes the contents of the McAfee® 10/100/1000 Copper Active Fail-Open Bypass Kit (the Kit), how to install it for McAfee Network Security Sensor (Sensor) M-Series and NS-series models with standard Small Form-factor Pluggable (SFP) monitoring ports, how the Kit functions, and what to expect during normal use.

The Kit contains an Active Fail-Open Copper Bypass Switch (Copper Bypass Switch) and all the components needed to connect the switch to the monitoring ports of the Sensor. Additional cables may be required to connect the Copper Bypass Switch to your other network devices, such as routers or switches. You may not require all the components included in the Kit; for example, you will use only one of the two types of cable included.

The Copper Bypass Switch can be configured for the following Sensor models: NS9300, NS9200, NS9100, M-8000, M-6050, M-4050, M-3050, M-2950, M-2850, and M-2750.

The 10/100/1000 monitoring ports on the Sensor are fail-closed; thus, if the Sensor is deployed in-line, a hardware failure results in network downtime. Fail-open operation for the monitoring ports requires the optional external Copper Bypass Switch provided in the Kit. With the Copper Bypass Switch in place, the switch receives power from the dual power adapters (for power redundancy, use two independent power sources). When the Sensor is operating, the switch is “On” and routes all traffic through the Sensor. When the Sensor fails, the switch automatically shifts to a bypass state: in-line traffic continues to flow through the network link, but is no longer routed through the Sensor. Once the Sensor resumes normal operation, the switch returns to the “On” state, again enabling in-line monitoring.
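The On/bypass behaviour described above can be modelled as a small watchdog state machine. The following Python program is an added worked example, not part of the McAfee guide and not McAfee code; it uses the parameters the guide gives (one heartbeat per second, bypass after three missed heartbeats, an Unknown port status while the switch is unpowered) and assumes that a failed Sensor drops traffic for the one or two seconds before the switch trips, consistent with the ports being fail-closed. The `BypassSwitch` class, the state names, the status-to-colour mapping and the scripted timelines are all constructed for illustration. What the model makes visible is the point a defender cares about: every second spent in the bypass or unpowered state is traffic that reached the network uninspected, so a Manager port colour change to Yellow or Unknown is an event to alert on, not merely to display.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Parameters stated in the guide: one heartbeat per second, bypass after three misses.
HEARTBEAT_PERIOD_S = 1
MISSED_HEARTBEAT_LIMIT = 3


class SwitchState(Enum):
    ON = "on"                # traffic is routed through the Sensor's monitoring port pair
    BYPASS = "bypass"        # ports A and B are bridged directly; the Sensor is out of the path
    UNPOWERED = "unpowered"  # switch lost power; the link passes through to the peer device


# Manager port status and colour per switch state (assumed mapping onto the guide's Table 3).
MANAGER_STATUS: Dict[SwitchState, Tuple[str, str]] = {
    SwitchState.ON: ("In-line Fail-open", "Green"),
    SwitchState.BYPASS: ("In-line bypass", "Yellow"),
    SwitchState.UNPOWERED: ("Unknown", "Teak"),
}


@dataclass
class BypassSwitch:
    """Hypothetical model of the Copper Bypass Switch heartbeat watchdog."""
    powered: bool = True
    state: SwitchState = SwitchState.ON
    missed: int = 0
    transitions: List[Tuple[int, SwitchState, str]] = field(default_factory=list)

    def _enter(self, t: int, new: SwitchState, why: str) -> None:
        # Record a transition only when the state actually changes.
        if self.state is not new:
            self.state = new
            self.transitions.append((t, new, why))

    def tick(self, t: int, heartbeat_answered: bool) -> SwitchState:
        """Advance one heartbeat interval; t is seconds since the start of the run."""
        if not self.powered:
            self.missed = 0
            self._enter(t, SwitchState.UNPOWERED, "switch lost power; link passes to peer")
        elif heartbeat_answered:
            self.missed = 0
            self._enter(t, SwitchState.ON, "heartbeat restored; Sensor back in-line")
        else:
            self.missed += 1
            if self.missed >= MISSED_HEARTBEAT_LIMIT:
                self._enter(t, SwitchState.BYPASS,
                            f"{MISSED_HEARTBEAT_LIMIT} heartbeats missed; Sensor removed from path")
        return self.state


def simulate(heartbeats: List[Optional[bool]]) -> dict:
    """Run a constructed timeline through the model.

    heartbeats[t]: True  = the Sensor answered the heartbeat at second t
                   False = no answer (Sensor down or rebooting)
                   None  = the switch itself was unpowered at second t
    Returns the final state, the Manager status it maps to, and two exposure counters:
    seconds traffic flowed around the Sensor uninspected, and seconds a dead Sensor
    was still in the path (assumed dropped, since the monitoring ports fail closed).
    """
    sw = BypassSwitch()
    uninspected_s = 0
    blackholed_s = 0
    for t, hb in enumerate(heartbeats):
        sw.powered = hb is not None
        state = sw.tick(t, bool(hb))
        if state is SwitchState.ON and not hb:
            blackholed_s += HEARTBEAT_PERIOD_S
        elif state is not SwitchState.ON:
            uninspected_s += HEARTBEAT_PERIOD_S
    status, colour = MANAGER_STATUS[sw.state]
    return {
        "final_state": sw.state,
        "manager_status": status,
        "manager_colour": colour,
        "uninspected_s": uninspected_s,
        "blackholed_s": blackholed_s,
        "transitions": sw.transitions,
    }


if __name__ == "__main__":
    # Constructed scenario: healthy for 5 s, Sensor down for 8 s, then healthy again.
    result = simulate([True] * 5 + [False] * 8 + [True] * 5)
    for t, state, why in result["transitions"]:
        print(f"t={t:2d}s -> {state.value:9s} ({why})")
    print(f"uninspected: {result['uninspected_s']} s, "
          f"dropped before bypass: {result['blackholed_s']} s")
```

Running the script prints the two transitions (into bypass at the third missed heartbeat, back to in-line when the heartbeat returns) and the exposure counters. The counters are the operational takeaway: an 8-second Sensor outage yields roughly two seconds of dropped traffic followed by six seconds of uninspected traffic, which is why the Manager's Yellow and Unknown port states deserve an alert rule rather than a periodic glance.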
During normal Sensor in-line fail-open operation, the Copper Bypass Switch sends a heartbeat signal (one every second) to the monitoring port pair. If the Copper Bypass Switch does not receive 3 heartbeat signals within its programmed interval, it removes the Sensor’s monitoring port pair from the data path and moves the Sensor into bypass mode, providing continuous data flow.

In the event the Copper Bypass Switch loses power, traffic bypasses the IPS Sensor monitoring ports and is forwarded to the peer device (after renegotiation). Since there is no heartbeat signal during this period, the status of the Sensor monitoring port pair is displayed as AUK (unknown) in the Port Settings page.

Kit Contents

The following external hardware is shipped with the Kit:

  Quantity  Items
  2         Power supplies/cords
  1         RS-232 programming cable
  3         RJ-45 cat5e straight-through cables (3 meters long)
  1         RJ-45 cat5e crossover cable (3 meters long)
  1         Quick Start Guide
  1         Rack mounting panel

Power supply specification:

  Manufactured by:  Condor
  P/N:              SA-123AOI
  INPUT:            100-240VAC ~ 0.8A 47~63Hz
  OUTPUT:           12V === 3.0A

If any component from the preceding table is missing or damaged, contact McAfee Technical Support at http://mysupport.mcafee.com.

1 Install the Copper Bypass Switch on a rack

You can install the Kit on a two-slot 19-inch panel; the mounted Kit occupies one rack unit.

Install the Copper Bypass Switch on the rack-mount panel

  a Slide the Copper Bypass Switch into the opening in the rack-mount panel until the faceplate of the switch rests against the panel.
  b Secure the Copper Bypass Switch to the rack-mount panel by inserting the thumb screws through the holes on the panel.

Additional Copper Bypass Switches can be installed without removing the rack-mount panel from the rack.

Install an additional Copper Bypass Switch

  a Remove the screws holding one of the removable blank plates on the front of the panel.
  b Follow the procedure for installing a switch in the rack-mount panel for the additional Copper Bypass Switch(es).

Install the panel and switch(es) on a rack

  a Place the 1U panel against the front of a standard 19-inch rack.
  b Secure the rack-mount panel by inserting the screws (included with the rack-mount panel) through the holes on the front of the panel and the sides of the rack.

2 Connect the Copper Bypass Switch to a network device

  a Plug an inside network cable connector into the Network port labeled A on the Copper Bypass Switch.
  b Plug the other end of this cable into the corresponding network device.
  c Plug an outside network cable into the Network port labeled B on the Copper Bypass Switch.
  d Plug the other end of this cable into the corresponding network device.

3 Connect the Copper Bypass Switch to a Sensor with SFP ports

The physical connection between the Copper Bypass Switch and the Sensor differs by Sensor model and port pair. The number of SFP monitoring ports available on the Sensor is model-specific:

  Sensor Model             No. of SFP Monitoring Ports
  M-8000                   16
  M-6050, M-4050, M-3050   8
  M-2950, M-2850           12
  M-2750                   20

Example: the following diagram shows the Copper Bypass Switch connected to one of the first four port pairs of an M-6050 Sensor.

  Item  Description
  1     Copper Bypass Switch. The LFD (Link Fault Detect) and bypass detecting mode settings cannot be changed.
  2     Connection to network device (inside)
  3     Connection to network device (outside)
  4     Monitoring port C (inside) connection to port 5A (copper SFP)
  5     Monitoring port D (outside) connection to port 5B (copper SFP)
  6     The M-6050 Sensor has eight 10/100/1000 Gigabit Ethernet monitoring ports (four pairs) and supports up to four Kits.

  1 Plug a Cat 5/Cat 5e Ethernet cable (inside) into the copper SFP.
  2 Plug the other end of the cable into the monitoring port labeled C on the Copper Bypass Switch.
  3 Plug a Cat 5/Cat 5e Ethernet cable (outside) into the corresponding peer port.
    (For example, if you used 5A in step 1, plug the cable into port 5B.)
  4 Plug the other end of the cable into the monitoring port labeled D on the Copper Bypass Switch.

With this cable configuration, Sensor monitoring port 5A views traffic as originating inside the network, and port 5B views traffic as originating outside the network. Note that this configuration (5A = inside, 5B = outside) must match the port configuration specified for this Sensor, and that the ports must be enabled. For more information on port configuration via the Manager, see the McAfee Network Security Platform IPS Administration Guide.

4 Deploy the Copper Bypass Switch: in-line vs. tap

The Copper Bypass Switch can be configured to operate in in-line or tap mode. McAfee recommends deploying Network IPS in in-line mode. However, if you decide to install Network IPS in tap mode, the Copper Bypass Switch offers an option to switch from tap mode to in-line mode when your network is experiencing symptoms of a potential denial of service attack, or if you need to block certain threats for a short period of time. After that period is over, you can switch back to the tap mode deployment.

Configure the Copper Bypass Switch in tap mode

To configure the Copper Bypass Switch in tap mode:

  a At the CLI command prompt, type c and press Enter.
  b Type 1 to set tap mode On or 0 to set tap mode Off. By default it is Off.

You can configure the Copper Bypass Switch for tap mode only using the CLI. Tap mode cannot be set using the Manager.

To verify that the connection is in tap mode:

  a Click Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.
  b Verify that Tap is displayed for the corresponding port. This indicates the operating mode of the Copper Bypass Switch.
  c Click the port to view the Monitoring Port panel.
  d Verify that the Operating Mode is displayed as In-line Fail-open Active.
    This indicates the operating mode of the Sensor monitoring port.

Configure the Copper Bypass Switch in in-line mode

You configure the Sensor’s monitoring ports from the Manager interface. The port configuration must match the cabling of the Copper Bypass Switch, the ports must be set to “In-line Fail-open Active (Port Pair)”, and they must be enabled.

To view or configure the settings of your monitoring ports:

  a In the Manager interface, select Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.
  b Click a numbered port (for example 1/5) from the monitoring ports. The Monitoring Ports window displays the current port settings.
  c In the port configuration, do the following:
     a Select the Speed. You can select the following values from the drop-down list:
        • 10 Mbps
        • 100 Mbps
        • 1000 Mbps
     b Select the Duplex as Full from the drop-down list and enable the Auto-Negotiate check box. With auto-negotiation on, all speeds are enabled; that is, if the first network switch is using a 10/100 Ethernet port with speed set to auto and the second network switch is using a 10/100/1000 Ethernet port with speed set to auto, the maximum negotiable speed is 100 Mbps. In that case, configure the Sensor port pair to 100 Mbps auto-full and leave the Kit at its default setting. Half-duplex configuration is not supported on the Copper Bypass Switch.
     c Select the SFP Type as Copper from the drop-down list.
     d Set the Administrative Status to Enable (on).
     e Select the Operating Mode as In-line Fail-open Active (Port Pair).
     f When the message "Are the Active Fail-open Kit connected?" appears, select Yes to confirm that you have already connected the Copper Bypass Switch.
     g Select the area of your network to which the current port is connected: Inside (internal) or Outside (external).
     h Click OK.
     i Click Commit Changes.
     j Open the Bypass Switch HyperTerminal session.
     k Type b to set the same Speed, Duplex and Auto-negotiation settings on the Copper Bypass Switch.
     l Repeat the preceding steps for any other ports you need to configure.

For more information on configuring monitoring ports, see the McAfee Network Security Platform IPS Administration Guide.

5 Verify proper installation

Once the Copper Bypass Switch has been connected to the network and the Sensor, check the switch's green status LED to verify that the switch is receiving power from the power adapters, and check the port status and operating mode status in the Manager interface to ensure that the port is enabled and in in-line fail-open active mode.

Status LEDs on the Copper Bypass Switch

Table 1 describes the LEDs on the Copper Bypass Switch.

Table 1
  Item  Description
  1     The two power LEDs indicate power status. Each LED glows when power is connected to the Copper Bypass Switch.
  2     The two LEDs indicate the Copper Bypass Switch mode. When Bypass On is illuminated, traffic is not flowing through the in-line device. When Bypass Off is illuminated, traffic is routed through the in-line device.
  3     If a good link is established, the corresponding LED on the right illuminates:
          • Amber for 10 Mbps
          • Yellow for 100 Mbps
          • Green for 1 Gbps

Port and operating mode status

The port status and operating mode status for in-line fail-open mode are as follows:

Table 2
  LED                 Port color on the Sensor  Operating mode status
  Gigabit Ports Link  Green                     The link is connected.
                      Off                       The link is disconnected.
  Gigabit Ports Act   Amber                     Data is transferring.
                      Off                       No data is transferring.

Port status on the Manager

Table 3
  Port Status         Port color on the Sensor  Operating Mode Status
  In-line Fail-open   Green                     The Sensor is in in-line fail-open mode.
  Switch Absent       Red                       The Copper Bypass Switch is not present. Verify that the component is connected properly. After connecting, check the Operational Status.
  N/A                 Gray                      The Copper Bypass Switch is not present. Verify that the component is connected properly. After connecting, check the Operational Status.
  In-line bypass      Yellow                    The Sensor is down and the Copper Bypass Switch has been activated. The Sensor does not monitor during this time.
  Unknown             Teak                      Unable to get the status of the Copper Bypass Switch from the Sensor. Check the Operational Status.

Verification process

  • At the Sensor console on the HyperTerminal, type show intfport 5A. The configuration of the Sensor interface port is displayed.
  • On the Sensor console, the Operational Status field should display Up.
  • On the Manager, go to the Configuration page and select Device List | Sensor_Name | Physical Sensor | Port Settings. Look at the color representing the ports, and check the color legend on the screen to see the status of the Sensor’s ports.

6 Troubleshooting

How does the Copper Bypass Switch work?

During normal Sensor in-line fail-open operation, the Copper Bypass Switch sends a heartbeat signal (one every second) to the monitoring port pair. If the Copper Bypass Switch does not receive 3 heartbeat signals within its programmed interval, it removes the Sensor’s monitoring port pair from the data path and moves the Sensor to bypass mode, providing continuous data flow. While the Sensor is in bypass mode, traffic passes directly through the Copper Bypass Switch, bypassing the Sensor. When normal Sensor operation resumes, you may or may not need to manually re-enable the monitoring ports from the Manager interface, depending on the activity leading up to the Sensor's failure. Copper Bypass Switch packets are sent in both directions (that is, inbound and outbound).

The following section describes how to return the Sensor to in-line mode.

Move from bypass mode back to in-line mode

Moving from bypass mode back to in-line mode involves the following:

Manual Sensor reboot

Certain normal Sensor activity involves a reboot, such as installation of a new Sensor software image or a manual reboot issued from the Manager.
If the Sensor reboots during normal activity, no manual intervention is necessary. When the switch receives power from the power adapter and a heartbeat signal from the Sensor, it sends traffic through the Sensor and the Sensor resumes monitoring traffic in in-line mode.

Sensor error

If the Sensor reboots due to an internal error, a hardware failure, removal of the Copper Bypass Switch during normal operation, or disruption of the Sensor or Copper Bypass Switch cables during Sensor operation, the monitoring ports connected to the Copper Bypass Switch are automatically enabled when the Sensor resumes monitoring traffic in in-line mode.

What happens in a Sensor failure?

When a Sensor fails with the Copper Bypass Switch in place, the following events occur in the order shown:

  1 The Manager reports a “Sensor in bad health” or “Port pair is in bypass mode” error in the Operational Status window.
  2 The Sensor reboots and the Copper Bypass Switch begins forwarding traffic. All traffic then bypasses the Sensor and flows across the Copper Bypass Switch with minimal traffic disruption.
  3 Upon reboot completion, the Copper Bypass Switch resumes its heartbeat, and one of the following occurs:
     • If the reboot happened during normal activity as described above, the Copper Bypass Switch resumes passing data through the Sensor once the Sensor returns to in-line mode.
     • If the reboot occurred due to an error, the Copper Bypass Switch continues to bypass the Sensor until the Sensor ports are re-enabled automatically. Once the ports are re-enabled, the Copper Bypass Switch resumes passing data through the Sensor and the Sensor returns to in-line mode.
  4 The errors on the Manager are cleared and normal health is reported.

What happens if one of the two network ports is down?

If only one of the two network ports that the Copper Bypass Switch is connected to goes down, the Copper Bypass Switch brings down the peer network port when the LFD option is enabled (it is enabled by default).
When this happens, the ports of the Copper Bypass Switch connected to the IPS Sensor ports remain up, but traffic is not inspected by the IPS.

Common problems and solutions

This section lists some common installation problems and their solutions.

Table 4

  Problem: Copper Bypass Switch power LEDs are off.
    Possible cause: The power supply is not connected or is not functioning.
    Solution: Check the connection of the power supply to the Copper Bypass Switch.

  Problem: Sensor LED is off.
    Possible cause: The Sensor is powered off, or the Sensor port cable is disconnected.
    Solution: Restore Sensor power. Check the Sensor cable connections.

  Problem: Sensor is operational, but is not monitoring traffic.
    Possible cause: Network device cables have been disconnected, or the Sensor ports have not been enabled in the Manager.
    Solution: Check the cables and ensure they are properly connected to both the network devices and the Bypass Switch. Ports are disabled in a Sensor failure; they must be re-enabled in the Manager for Sensor monitoring to resume.

  Problem: Network or link problems.
    Possible cause: Improper cabling or port configuration.
    Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.

  Problem: Runt or giant errors on switches and routers.
    Possible cause: Improper cabling or port configuration.
    Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.

  Problem: The system fault “Switch absent” appears in the Operational Status page of the Manager.
    Possible cause: Improper cabling.
    Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.

Copyright © 2014 McAfee, Inc.
www.intelsecurity.com

Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.

700-3605D00