Network Security Platform 10/100/1000 Copper Active Fail
10/100/1000 Copper Active Fail-Open Bypass Kit Guide
Revision D
McAfee® Network Security Platform
This document describes the contents and how to install the McAfee® 10/100/1000 Copper
Active Fail-Open Bypass Kit (the Kit) for McAfee Network Security Sensor (Sensor) M-Series
and NS-series models with standard Small Form-factor Pluggable (SFP) monitoring ports,
how the Kit functions, and what to expect during normal use.
The Kit contains an Active Fail-Open Copper Bypass Switch (Copper Bypass Switch) and all
the connecting components to connect the switch to the monitoring ports of the Sensor.
Additional cables may be required to connect the Copper Bypass Switch to your other
network devices, such as routers or switches. You may not require all the components
included in the Kit; for example, you will use only one of the two types of cable included in
the Kit.
The Copper Bypass Switch can be configured for the following Sensor models:
NS9300, NS9200, NS9100, M-8000, M-6050, M-4050, M-3050, M-2950, M-2850,
and M-2750.
The 10/100/1000 monitoring ports on the Sensor are fail-closed; thus, if the Sensor is
deployed in-line, a hardware failure results in network downtime. Fail-open operation for the
monitoring ports requires the optional external Copper Bypass Switch provided in the Kit.
With the Copper Bypass Switch in place, the switch receives power from the dual power
adapters (for power redundancy, use two independent power sources). When the Sensor is
operating, the switch is “On” and routes all traffic directly through the Sensor. When the
Sensor fails, the switch automatically shifts to a bypass state: in-line traffic continues to
flow through the network link, but is no longer routed through the Sensor. Once the Sensor
resumes normal operation, the switch returns to the “On” state, again enabling in-line
monitoring.
During normal Sensor in-line fail-open operation, the Copper Bypass Switch sends a
heartbeat signal (1 every second) to the monitoring port pair. If the Copper Bypass Switch
does not receive 3 heartbeat signals within its programmed interval, it removes the
Sensor's monitoring port pair from the data path and moves the Sensor into bypass mode,
providing continuous data flow.
In the event the Copper Bypass Switch loses power, traffic will bypass the IPS Sensor monitoring ports,
and will be forwarded to the peer device (after renegotiation). Since there is no heartbeat signal during
this period, the status of the Sensor monitoring port pair will be displayed as AUK (unknown) in the Port
Settings page.
Kit Contents
The following external hardware is shipped with the Kit:
Quantity  Items
2         Power supplies/cords
1         RS-232 programming cable
3         RJ-45 cat5e straight-through cables (3 meters long)
1         RJ-45 cat5e crossover cable (3 meters long)
1         Quick Start Guide
1         Rack mounting panel
Power supply specification:
Specification
Manufactured by: Condor
P/N: SA-123AOI
INPUT: 100-240VAC ~ 0.8A 47~63Hz
OUTPUT: 12V === 3.0A
If any component from the preceding table is missing or damaged, contact McAfee Technical Support at
http://mysupport.mcafee.com.
1 Install the Copper Bypass Switch on a rack
You can install the Kit on a two-slot 19-inch panel; the mounted Kit occupies one rack unit.
Install the Copper Bypass Switch on the rack-mount panel:
a Slide the Copper Bypass Switch into the opening in the rack-mount panel until the faceplate of the switch rests against the panel.
b Secure the Copper Bypass Switch to the rack-mount panel by inserting the thumb screws through the holes on the panel.
Additional Copper Bypass Switches can be installed without removing the rack-mount panel from the rack.
2 Install an additional Copper Bypass Switch
a Remove the screws holding one of the removable blank plates from the front of the panel.
b Follow the procedure for installing a switch in the rack-mount panel for the additional Copper Bypass Switch(es).
3 Install the panel and switch(es) on a rack
a Place the 1U panel against the front of a standard 19-inch rack.
b Secure the rack-mount panel by inserting the screws (included with the rack-mount panel) through the holes on the front of the panel and the sides of the rack.
Connect the Copper Bypass Switch to a network device
a Plug an inside network cable connector into the Network port labeled A on the Copper Bypass Switch.
b Plug the other end of this cable into the corresponding network device.
c Plug an outside network cable into the Network port labeled B on the Copper Bypass Switch.
d Plug the other end of this cable into the corresponding network device.
Connect the Copper Bypass Switch to a Sensor with SFP ports
The physical connection between the Copper Bypass Switch and the Sensor differs by Sensor model
and port pair. The number of SFP monitoring ports available on the Sensor is model-specific and is
listed below:
Sensor Model              No. of SFP Monitoring Ports
M-8000                    16
M-6050, M-4050, M-3050    8
M-2950, M-2850            12
M-2750                    20
The following diagram shows an example of the Copper Bypass Switch connected to one of the
first four port pairs of an M-6050 Sensor.
Item  Description
1     Copper Bypass Switch. The LFD (Link Fault Detect) and bypass detecting mode settings cannot be changed.
2     Connection to network device (inside)
3     Connection to network device (outside)
4     Monitoring port C (inside) connection to port 5A (copper SFP)
5     Monitoring port D (outside) connection to port 5B (copper SFP)
6     The M-6050 Sensor has eight 10/100/1000 Gigabit Ethernet monitoring ports (four pairs) and supports up to four Kits.
1 Plug a Cat 5/Cat 5e Ethernet cable (inside) into the copper SFP.
2 Plug the other end of the cable into the monitoring port labeled C on the Copper Bypass Switch.
3 Plug a Cat 5/Cat 5e Ethernet cable (outside) into the corresponding peer port. (For example, if you used 5A in step 1, plug the cable into port 5B.)
4 Plug the other end of the cable into the monitoring port labeled D on the Copper Bypass Switch.
With this cable configuration, Sensor monitoring port 5A views traffic as originating
inside the network, and port 5B views traffic as originating outside the network. Note
that this configuration (5A = inside, 5B = outside) must match the port configuration
specified for this Sensor, and that the ports must be enabled. For more information on
port configuration via the Manager, see the McAfee Network Security Platform
IPS Administration Guide.
4 Deploy the Copper Bypass Switch: inline vs tap
The Copper Bypass Switch can be configured to operate in inline or tap mode. McAfee
recommends that customers deploy Network IPS in inline mode. However, if you decide to install
Network IPS in tap mode, the Copper Bypass Switch has an option to switch from tap
mode to inline mode when your network is experiencing symptoms of a potential denial of service
attack or if you need to block certain threats for a short period of time. After that period is over, you
can switch back to tap mode.
Configure the Copper Bypass Switch in tap mode
a To configure the Copper Bypass Switch in tap mode:
  1 In the CLI command prompt, type c and press Enter.
  2 Type 1 to set tap mode On or 0 to set tap mode Off. By default it is Off.
  You can configure the Copper Bypass Switch to tap mode only using the CLI. Tap mode cannot be set using the Manager.
To verify that the connection is in tap mode:
b Click Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.
c Verify that Tap is displayed for the corresponding port. This indicates the operating mode of the Copper Bypass Switch.
d Click the port to view the Monitoring Port panel.
e Verify that the Operating Mode is displayed as In-line Fail-open Active. This indicates the operating mode of the Sensor monitoring port.
Configure the Copper Bypass Switch in in-line mode
You configure the Sensor's monitoring ports from the Manager interface. The port configuration must
match the cabling of the Copper Bypass Switch, the ports must be set to "In-line Fail-open Active
(Port Pair)", and the ports must be enabled.
To view or configure the settings of your monitoring ports:
a In the Manager interface, select Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.
b Click a numbered port (for example 1/5) from the monitoring ports. The Monitoring Ports window displays the current port settings.
c In the port configuration, do the following:
  1 Select the Speed. You can select the following speed setting values from the drop-down list:
    • 10 Mbps
    • 100 Mbps
    • 1000 Mbps
  2 Select the Duplex as Full from the drop-down list and enable the Auto-Negotiate check box.
    With auto-negotiation on and all speeds enabled, the negotiated speed is limited by the slowest device: for example, if the first network switch uses a 10/100 Ethernet port set to auto and the second network switch uses a 10/100/1000 Ethernet port set to auto, the maximum negotiable speed is 100 Mbps. In that case, configure the Sensor port pair to 100 Mbps auto-full and leave the Kit at its default setting.
    Half duplex configuration is not supported on the Copper Bypass Switch.
  3 Select the SFP Type as Copper from the drop-down list.
  4 Set the Administrative Status to Enable (on).
  5 Select the Operating Mode as In-line Fail-open Active (Port Pair).
  6 When the message "Are the Active Fail-open Kit connected?" appears, select Yes to confirm that you have already connected the Copper Bypass Switch.
  7 Select the area of your network to which the current port is connected: Inside (internal) or Outside (external).
  8 Click OK.
  9 Click Commit Changes.
  10 Open the Bypass Switch HyperTerminal session.
  11 Type b to set the same configuration on the Copper Bypass Switch for the Speed, Duplex and Auto-negotiation settings.
  12 Repeat steps 1-11 for any other ports you need to configure.
For more information on configuring monitoring ports, see the McAfee Network Security Platform IPS
Administration Guide.
5 Verify proper installation
Once the Copper Bypass Switch has been connected to the network and the Sensor, check the
switch's green status LED to verify that the switch is receiving power from the power adapters, and
check the port status and operating mode status in the Manager interface to ensure that the port is
enabled and in in-line fail-open active mode.
Status LED on the Copper Bypass Switch
The following table describes the LEDs on the Copper Bypass Switch.
Table 1
Item  Description
1     The two power LEDs indicate power status. Each LED glows when power is connected to the Copper Bypass Switch.
2     The two LEDs indicate the Copper Bypass Switch mode. When Bypass On is illuminated, traffic is not flowing through the in-line device. When Bypass Off is illuminated, traffic is routed through the in-line device.
3     If a good link is established, the corresponding LED on the right illuminates: amber for 10 Mbps, yellow for 100 Mbps, green for 1 Gbps.
Port and operating mode status
The port status and operating mode status for in-line fail-open mode are as follows:
Table 2
LED                 Port color on the Sensor   Operating mode status
Gigabit Ports Link  Green                      The link is connected.
                    Off                        The link is disconnected.
Gigabit Ports Act   Amber                      Data is transferring.
                    Off                        No data is transferring.
Port status on the Manager
Table 3
Port Status       Port color on the Sensor   Operating Mode Status
In-line Failopen  Green                      The Sensor is in in-line fail-open mode.
Switch Absent     Red                        The Copper Bypass Switch is not present. Verify that the component is connected properly. After connecting, check the Operational Status.
N/A               Gray                       The Copper Bypass Switch is not present. Verify that the component is connected properly. After connecting, check the Operational Status.
In-line bypass    Yellow                     The Sensor is down and the Copper Bypass Switch has been activated. The Sensor does not monitor during this time.
Unknown           Teak                       Unable to get the status of the Copper Bypass Switch from the Sensor. Check the Operational Status.
6 Verification process
• At the Sensor console on the HyperTerminal, type show intfport 5A. The configuration of the Sensor interface port is displayed.
• On the Sensor console, the Operational Status field should display Up.
• On the Manager, go to the Configuration page, and select Device List | Sensor_Name | Physical Sensor | Port Settings. Look at the color representing the ports, and check the color legend on the screen to see the status of the Sensor's ports.
Troubleshooting
How does the Copper Bypass Switch work?
During normal Sensor in-line fail-open operation, the Copper Bypass Switch sends a heartbeat signal
(1 every second) to the monitoring port pair. If the Copper Bypass Switch does not receive 3 heartbeat
signals within its programmed interval, it removes the Sensor's monitoring port pair from the data
path and moves the Sensor to bypass mode, providing continuous data flow.
While the Sensor is in bypass mode, traffic passes directly through the Copper Bypass Switch,
bypassing the Sensor.
When normal Sensor operation resumes, you may or may not need to manually re-enable the
monitoring ports from the Manager interface, depending on the activity leading up to the Sensor's
failure.
Copper Bypass Switch heartbeat packets are sent in both directions (that is, inbound and outbound).
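The following is an added model (not McAfee firmware or Manager code) of the heartbeat behaviour described in this section and in the overview: one heartbeat per second, bypass after three unanswered heartbeats, return to in-line once the Sensor answers again, and the loss-of-power case shown as Unknown. The event names, the "programmed interval" being exactly three one-second periods, and the timelines are constructed assumptions.

```python
# Added example (not McAfee code): model of the guide's heartbeat/bypass logic.
# One heartbeat per second; three unanswered heartbeats put the pair into bypass.
MISSED_HEARTBEATS_TO_BYPASS = 3   # from the guide

class BypassSwitch:
    """Tracks the Copper Bypass Switch one heartbeat period (one second) at a time."""

    def __init__(self):
        self.powered = True    # adapter power present
        self.bypass = False    # False = "On": traffic is routed through the Sensor
        self.missed = 0        # consecutive heartbeats the Sensor did not answer
        self.history = []      # (second, Manager port status) after each tick

    def manager_status(self):
        """Port status the Manager shows for the pair (names from Table 3)."""
        if not self.powered:
            return "Unknown"   # no heartbeat at all: displayed as AUK
        return "In-line bypass" if self.bypass else "In-line Failopen"

    def tick(self, second, event):
        """Apply one per-second event: 'ack' (Sensor answered the heartbeat),
        'miss' (no answer), 'power_off' or 'power_on' (adapter power)."""
        if event == "power_off":
            self.powered, self.bypass, self.missed = False, True, 0  # relays drop to peer
        elif event == "power_on":
            self.powered = True   # remains in bypass until the Sensor answers again
        elif event == "miss" and self.powered:
            self.missed += 1
            if self.missed >= MISSED_HEARTBEATS_TO_BYPASS:
                self.bypass = True
        elif event == "ack" and self.powered:
            self.missed, self.bypass = 0, False   # Sensor is back: return to "On"
        status = self.manager_status()
        self.history.append((second, status))
        return status

def run(events):
    """Replay a per-second event list from power-on and return the switch."""
    switch = BypassSwitch()
    for second, event in enumerate(events, start=1):
        switch.tick(second, event)
    return switch

def bypass_entered_at(events):
    """First second at which the pair was in bypass, or None if it never was."""
    for second, status in run(events).history:
        if status == "In-line bypass":
            return second
    return None

# Constructed timelines: a Sensor reboot (four seconds unanswered) enters bypass
# at second 5; a two-second glitch followed by an answer never does.
SENSOR_REBOOT = ["ack", "ack", "miss", "miss", "miss", "miss", "ack"]
SHORT_GLITCH = ["ack", "miss", "miss", "ack", "miss", "miss", "ack"]
```

Replaying `run(SENSOR_REBOOT).history` shows the pair going Failopen, bypass at second 5, and back to Failopen at the first answered heartbeat, which is the sequence to expect in the Manager's port status during a reboot.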
The following section describes how to return the Sensor to in-line mode:
Move from bypass mode back to in-line mode
Moving from bypass mode back to in-line mode involves the following:
Manual Sensor reboot
Certain normal Sensor activity involves a reboot, such as installation of a new Sensor software image
or a manual reboot issued from the Manager. If the Sensor reboots during normal activity, no manual
intervention is necessary. When the switch receives power from the power adaptor and a heartbeat
signal from the Sensor, it sends traffic through the Sensor and the Sensor resumes monitoring traffic
in in-line mode.
Sensor error
If the Sensor reboots due to an internal error, a hardware failure, removal of the Copper Bypass Switch
during normal operation, or disruption of the Sensor or Copper Bypass Switch cables during Sensor
operation, the monitoring ports connected to the Copper Bypass Switch are automatically enabled
when the Sensor resumes monitoring traffic in in-line mode.
What happens in a Sensor failure?
When a Sensor fails with the Copper Bypass Switch in place, the following events occur in the order
shown.
1 The Manager reports a "Sensor in bad health" or "Port pair is in bypass mode" error in the Operational Status window.
2 The Sensor reboots and the Copper Bypass Switch begins forwarding traffic. All traffic then bypasses the Sensor and flows across the Copper Bypass Switch with minimal traffic disruption.
3 Upon reboot completion, the Copper Bypass Switch resumes its heartbeat, and one of the following occurs:
  • If the reboot happened during normal activity as described above, the Copper Bypass Switch resumes passing data through the Sensor once the Sensor returns to in-line mode.
  • If the reboot occurred due to an error, the Copper Bypass Switch will continue to bypass the Sensor until the Sensor ports are re-enabled automatically. Once the ports are re-enabled, the Copper Bypass Switch resumes passing data through the Sensor and the Sensor returns to in-line mode.
4 The errors on the Manager are cleared and normal health is reported.
What happens if one of the 2 network ports is down?
If only one of the 2 network ports that the Copper Bypass Switch is connected to goes down, the
Copper Bypass Switch will bring down the peer network port when the LFD option is enabled (enabled by
default). When this happens, the ports of the Copper Bypass Switch connected to the IPS Sensor ports
will remain up, but traffic will not be inspected by the IPS.
Common problems and solutions
This section lists some common installation problems and their solutions.
Table 4
Problem: Copper Bypass Switch power LEDs are off.
Possible cause: The power supply is not connected or is not functioning.
Solution: Check the connection of the power supply to the Copper Bypass Switch.

Problem: Sensor LED is off.
Possible cause: The Sensor is powered off, or the Sensor port cable is disconnected.
Solution: Restore Sensor power. Check the Sensor cable connections.

Problem: Sensor is operational, but is not monitoring traffic.
Possible cause: Network device cables have been disconnected, or the Sensor ports have not been enabled in the Manager.
Solution: Check the cables and ensure they are properly connected to both the network devices and the Bypass Switch. Ports are disabled in a Sensor failure; they must be re-enabled in the Manager for Sensor monitoring to resume.

Problem: Network or link problems.
Possible cause: Improper cabling or port configuration.
Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.

Problem: Runts or giants errors on switches and routers.
Possible cause: Improper cabling or port configuration.
Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.

Problem: The system fault "Switch absent" appears in the Operational Status page of the Manager.
Possible cause: Improper cabling.
Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.
Copyright © 2014 McAfee, Inc. www.intelsecurity.com
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/
registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
700-3605D00