Network Security Platform 10/100/1000 Copper Active Fail

10/100/1000 Copper Active Fail-Open Bypass Kit Guide

Revision D

McAfee® Network Security Platform

This document describes the contents of the McAfee® 10/100/1000 Copper Active Fail-Open Bypass Kit (the Kit) for McAfee Network Security Sensor (Sensor) M-Series and NS-series models with standard Small Form-factor Pluggable (SFP) monitoring ports, how to install it, how the Kit functions, and what to expect during normal use.

The Kit contains an Active Fail-Open Copper Bypass Switch (Copper Bypass Switch) and all the connecting components to connect the switch to the monitoring ports of the Sensor.

Additional cables may be required to connect the Copper Bypass Switch to your other network devices, such as routers or switches. You may not require all the components included in the Kit. For example, you will use only one of the two types of cable included in the Kit.

The Copper Bypass Switch can be configured for the following Sensor models:

NS9300, NS9200, NS9100, M-8000, M-6050, M-4050, M-3050, M-2950, M-2850, and M-2750.

The 10/100/1000 monitoring ports on the Sensor are fail-closed; thus, if the Sensor is deployed in-line, a hardware failure results in network downtime. Fail-open operation for the monitoring ports requires the optional external Copper Bypass Switch provided in the Kit.

With the Copper Bypass Switch in place, the switch receives power from the dual power adapters (for power redundancy, use two independent power sources). When the Sensor is operating, the switch is “On” and routes all traffic directly through the Sensor. When the Sensor fails, the switch automatically shifts to a bypass state: in-line traffic continues to flow through the network link, but is no longer routed through the Sensor. Once the Sensor resumes normal operation, the switch returns to the “On” state, again enabling in-line monitoring.

During normal Sensor in-line fail-open operation, the Copper Bypass Switch sends a heartbeat signal (1 every second) to the monitoring port pair. If the Copper Bypass Switch does not receive 3 heartbeat signals within its programmed interval, the Copper Bypass Switch removes the Sensor’s monitoring port pair from the data path and moves the Sensor into bypass mode, providing continuous data flow.

In the event the Copper Bypass Switch loses power, traffic will bypass the IPS Sensor monitoring ports and will be forwarded to the peer device (after renegotiation). Since there is no heartbeat signal during this period, the status of the Sensor monitoring port pair will be displayed as AUK (unknown) in the Port Settings page.

Kit Contents

The following external hardware is shipped with the Kit:

Quantity  Item
2         Power supplies/cords
1         RS-232 programming cable
3         RJ-45 Cat 5e straight-through cables (3 meters long)
1         RJ-45 Cat 5e crossover cable (3 meters long)
1         Quick Start Guide
1         Rack mounting panel

Power supply specification:

Manufactured by: Condor
P/N: SA-123AOI
INPUT: 100-240VAC ~ 0.8A 47~63Hz
OUTPUT: 12V === 3.0A

If any component from the preceding table is missing or damaged, contact McAfee Technical Support at http://mysupport.mcafee.com.

1 Install the Copper Bypass Switch on a rack

You can install the Kit on a two-slot 19-inch panel; the mounted Kit occupies one rack unit.

Install the Copper Bypass Switch on the rack mount panel

a  Slide the Copper Bypass Switch into the opening in the rack-mount panel, until the faceplate of the switch rests against the panel.

b  Secure the Copper Bypass Switch to the rack-mount panel by inserting the thumb screws through the holes on the panel.

Additional Copper Bypass Switches can be installed without removing the rack-mount panel from the rack.

Install an additional Copper Bypass Switch

a  Remove the screws holding one of the removable blank plates from the front of the panel.

b  Follow the procedure for installing a switch in the rack-mount panel for the additional Copper Bypass Switch(es).

Install the panel and switch(es) on a rack

a  Place the 1U panel against the front of a standard 19-inch rack.

b  Secure the rack-mount panel by inserting the screws (included with the rack-mount panel) through the holes on the front of the panel and the sides of the rack.

2 Connect the Copper Bypass Switch to a network device

a  Plug an inside network cable connector into the Network port labeled A on the Copper Bypass Switch.

b  Plug the other end of this cable into the corresponding network device.

c  Plug an outside network cable into the Network port labeled B on the Copper Bypass Switch.

d  Plug the other end of this cable into the corresponding network device.

3 Connect the Copper Bypass Switch to a Sensor with SFP ports

The physical connection between the Copper Bypass Switch and the Sensor differs by Sensor model and port pair. The number of SFP monitoring ports available on the Sensor is model-specific and is listed below:

Sensor Model             No. of SFP Monitoring Ports
M-8000                   16
M-6050, M-4050, M-3050   8
M-2950, M-2850           12
M-2750                   20

The following diagram shows an example of the Copper Bypass Switch connected to one of the first four port pairs of an M-6050 Sensor.

[Figure: Copper Bypass Switch connected to monitoring port pair 5A/5B of an M-6050 Sensor]

Item  Description

1     Copper Bypass Switch. The LFD (Link Fault Detect) and bypass detecting mode settings cannot be changed.

2     Connection to network device (inside)

3     Connection to network device (outside)

4     Monitoring port C (inside) connection to port 5A (copper SFP)

5     Monitoring port D (outside) connection to port 5B (copper SFP)

The M-6050 Sensor has eight 10/100/1000 Gigabit Ethernet monitoring ports (four pairs) and supports up to four Kits.

1  Plug a Cat 5/Cat 5e Ethernet cable (inside) into the copper SFP.

2  Plug the other end of the cable into the monitoring port labeled C on the Copper Bypass Switch.

3  Plug a Cat 5/Cat 5e Ethernet cable (outside) into the corresponding peer port. (For example, if you used 5A in step 1, plug the cable into port 5B.)

4  Plug the other end of the cable into the monitoring port labeled D on the Copper Bypass Switch.

With this cable configuration, Sensor monitoring port 5A views traffic as originating inside the network, and port 5B views traffic as originating outside the network. Note that this configuration (5A = inside, 5B = outside) must match the port configuration specified for this Sensor, and that the ports must be enabled. For more information on port configuration through the Manager, see the McAfee Network Security Platform IPS Administration Guide.

4 Deploy the Copper Bypass Switch: inline vs tap

The Copper Bypass Switch can be configured to operate in inline and tap modes. McAfee recommends deploying the Network IPS in inline mode. However, if you decide to install the Network IPS in tap mode, the Copper Bypass Switch provides an option to switch from tap mode to inline mode when your network is experiencing symptoms of a potential denial of service attack or if you need to block certain threats for a short period of time. After the period is over, you can switch back to tap mode deployment.

Configure the Copper Bypass Switch in tap mode

To configure the Copper Bypass Switch in tap mode:

a  In the CLI command prompt, type c and press Enter.

b  Type 1 to set the tap mode On or 0 to set the tap mode Off. By default it is Off.

You can configure the Copper Bypass Switch to tap mode only using the CLI. Tap mode cannot be set using the Manager.

To verify that the connection is in tap mode, do the following:

a  Click Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.

b  Verify that Tap is displayed for the corresponding port. This indicates the operating mode of the Copper Bypass Switch.

c  Click the port to view the Monitoring Port panel.

d  Verify that the Operating Mode is displayed as In-line Failopen Active. This indicates the operating mode of the Sensor monitoring port.

Configure the Copper Bypass Switch in in-line mode

You configure the Sensor’s monitoring ports from the Manager interface. The port configuration must match the cabling of the Copper Bypass Switch, the ports must be set to “In-line Fail-open Active (Port Pair)”, and they must be enabled.

To view/configure the settings of your monitoring ports:

a  In the Manager interface, select Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.

b  Click a numbered port (for example 1/5) from the monitoring ports. The Monitoring Ports window displays the current port settings.

c  In the port configuration, do the following:

   a  Select the Speed. You can select the following speed setting values from the drop-down list:

      • 10 Mbps

      • 100 Mbps

      • 1000 Mbps

   b  Select the Duplex as Full from the drop-down list and enable the Auto-Negotiate check box.

      With auto-negotiation mode on, all speeds are enabled; that is, if the first network switch is using a 10/100 Ethernet port with speed set to auto and the second network switch is using a 10/100/1000 Ethernet port with speed set to auto, the maximum negotiable speed is 100 Mbps. Therefore, configure the Sensor port pair to 100 Mbps auto-full and leave the Kit at its default setting.

      Half duplex configuration is not supported on the Copper Bypass Switch.

   c  Select the SFP Type as Copper from the drop-down list.

   d  Set the Administrative Status to Enable (on).

   e  Select the Operating Mode as In-line Fail-open Active (Port Pair).

   f  The message "Are the Active Fail-open Kit connected?" appears. Select Yes to confirm that you have already connected the Copper Bypass Switch.

   g  Select the area of your network to which the current port is connected: Inside (internal) or Outside (external).

   h  Click OK.

   i  Click Commit Changes.

   j  Open the Bypass Switch HyperTerminal session.

   k  Type b to set the same configuration on the Copper Bypass Switch for Speed, Duplex and Auto-negotiation settings.

   l  Repeat steps 1-11 for any other ports you need to configure.

For more information on configuring monitoring ports, see the McAfee Network Security Platform IPS Administration Guide.

5 Verify proper installation

Once the Copper Bypass Switch has been connected to the network and the Sensor, check the switch's green status LED to verify that the switch is receiving power from the power adaptors. Then check the port status and operating mode status in the Manager interface to ensure that the port is enabled and in in-line fail-open active mode.

Status LED on the Copper Bypass Switch

The following table describes the LEDs on the Copper Bypass Switch.

Table 1  Status LEDs on the Copper Bypass Switch

Item  Description

1     The two power LEDs indicate power status. Each LED glows when the power is connected to the Copper Bypass Switch.

2     The two LEDs indicate the Copper Bypass Switch mode. When Bypass On is illuminated, traffic is not flowing through the in-line device. When Bypass Off is illuminated, traffic is routed through the in-line device.

3     If a good link is established, the corresponding LED on the right illuminates:

      • Amber for 10 Mbps

      • Yellow for 100 Mbps

      • Green for 1 Gbps

Port and operating mode status

The port status and operating mode status for in-line fail-open mode are as follows:

Table 2  Port and operating mode status

LED                 Port color on the Sensor   Operating mode status
Gigabit Ports Link  Green                      The link is connected.
                    Off                        The link is disconnected.
Gigabit Ports Act   Amber                      Data is transferring.
                    Off                        No data is transferring.

Port status on the Manager

Table 3  Port status on the Manager

Port Status: In-line Failopen
Port color on the Sensor: Green
Operating Mode Status: The Sensor is in in-line fail-open mode.

Port Status: Switch Absent
Port color on the Sensor: Red
Operating Mode Status: The Copper Bypass Switch is not present. Verify that the component is connected properly. After connecting, check the Operational Status.

Port Status: N/A
Port color on the Sensor: Gray
Operating Mode Status: The Copper Bypass Switch is not present. Verify that the component is connected properly. After connecting, check the Operational Status.

Port Status: In-line bypass
Port color on the Sensor: Yellow
Operating Mode Status: The Sensor is down and the Copper Bypass Switch has been activated. The Sensor does not monitor during this time.

Port Status: Unknown
Port color on the Sensor: Teak
Operating Mode Status: Unable to get the status of the Copper Bypass Switch from the Sensor. Check the Operational Status.

Verification process

• At the Sensor console on the HyperTerminal, type show intfport 5A. The configuration of the Sensor interface port is displayed.

• On the Sensor console, the Operational Status field should display Up.

• On the Manager, go to the Configuration page, and select Device List | Sensor_Name | Physical Sensor | Port Settings. Look at the color representing the ports, and check the color legend on the screen to see the status of the Sensor’s ports.

6 Troubleshooting

How does the Copper Bypass Switch work?

During normal Sensor in-line fail-open operation, the Copper Bypass Switch sends a heartbeat signal (1 every second) to the monitoring port pair. If the Copper Bypass Switch does not receive 3 heartbeat signals within its programmed interval, the Copper Bypass Switch removes the Sensor’s monitoring port pair from the data path and moves the Sensor to bypass mode, providing continuous data flow.

While the Sensor is in bypass mode, traffic passes directly through the Copper Bypass Switch, bypassing the Sensor.

When normal Sensor operation resumes, you may or may not need to manually re-enable the monitoring ports from the Manager interface, depending on the activity leading up to the Sensor's failure.

Copper Bypass Switch packets are sent in both directions (that is, inbound and outbound).

The following section describes how to return the Sensor to in-line mode.

Move from bypass mode back to in-line mode

Moving from bypass mode back to in-line mode involves the following:

Manual Sensor reboot

Certain normal Sensor activity involves a reboot, such as installation of a new Sensor software image or a manual reboot issued from the Manager. If the Sensor reboots during normal activity, no manual intervention is necessary. When the switch receives power from the power adaptor and a heartbeat signal from the Sensor, it sends traffic through the Sensor and the Sensor resumes monitoring traffic in in-line mode.

Sensor error

If the Sensor reboots due to an internal error, a hardware failure, removal of the Copper Bypass Switch during normal operation, or disruption of the Sensor or Copper Bypass Switch cables during Sensor operation, the monitoring ports connected to the Copper Bypass Switch are automatically enabled when the Sensor resumes monitoring traffic in in-line mode.

What happens in a Sensor failure?

When a Sensor fails with the Copper Bypass Switch in place, the following events occur in the order shown.

1  The Manager reports a “Sensor in bad health” OR “Port pair is in bypass mode” error in the Operational Status window.

2  The Sensor reboots and the Copper Bypass Switch begins forwarding traffic. All traffic then bypasses the Sensor and flows across the Copper Bypass Switch with minimal traffic disruption.

3  Upon reboot completion, the Copper Bypass Switch resumes its heartbeat, and one of the following occurs:

   • If the reboot happened during normal activity as described above, the Copper Bypass Switch resumes passing data through the Sensor once the Sensor returns to in-line mode.

   • If the reboot occurred due to an error, the Copper Bypass Switch will continue to bypass the Sensor until the Sensor ports are re-enabled automatically. Once the ports are re-enabled, the Copper Bypass Switch resumes passing data through the Sensor and the Sensor returns to in-line mode.

4  The errors on the Manager are cleared and normal health is reported.
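The heartbeat rule described under “How does the Copper Bypass Switch work?” and the failure sequence just listed can be traced with a small simulation. The Python below is an added illustration written for this guide, not McAfee code: it models the switch sending one heartbeat per second, dropping to bypass when 3 heartbeats are missed, returning to On once the Sensor answers again, and reporting the Unknown status when the switch loses power. The guide does not publish the switch's programmed interval, so the window length (WINDOW_SECONDS), the recovery rule, and the scenario data are assumptions, marked as such in the code.

```python
"""Simulation of the Copper Bypass Switch heartbeat and bypass logic described
in this guide. Added illustration only, not McAfee code; modelling choices the
guide does not specify are marked ASSUMPTION."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class SwitchMode(Enum):
    ON = "On"              # traffic routed through the Sensor (in-line)
    BYPASS = "Bypass"      # traffic stays on the link but skips the Sensor
    NO_POWER = "No power"  # switch unpowered; traffic also bypasses the Sensor


class ManagerStatus(Enum):
    INLINE_FAILOPEN = "In-line Failopen"  # shown green in the Manager
    INLINE_BYPASS = "In-line bypass"      # shown yellow in the Manager
    UNKNOWN = "Unknown"                   # no heartbeat, status not readable


# From the guide: one heartbeat per second; 3 missed heartbeats within the
# programmed interval trigger bypass.
MISSED_HEARTBEATS_TO_BYPASS = 3
# ASSUMPTION: the programmed interval is not published in the guide; it is
# modelled here as a sliding window over the last WINDOW_SECONDS heartbeats.
WINDOW_SECONDS = 5


@dataclass
class BypassSwitch:
    powered: bool = True
    mode: SwitchMode = SwitchMode.ON
    history: List[bool] = field(default_factory=list)  # True = heartbeat came back

    def tick(self, heartbeat_returned: bool) -> SwitchMode:
        """Advance the simulation by one second (one heartbeat period).

        heartbeat_returned is True when the Sensor passed the switch's
        heartbeat back across the monitoring port pair."""
        if not self.powered:
            # No power: the relays drop the Sensor out of the path and the
            # heartbeat stops, so there is nothing to count.
            self.history.clear()
            self.mode = SwitchMode.NO_POWER
            return self.mode
        self.history.append(heartbeat_returned)
        self.history = self.history[-WINDOW_SECONDS:]
        missed = self.history.count(False)
        if missed >= MISSED_HEARTBEATS_TO_BYPASS:
            self.mode = SwitchMode.BYPASS
        else:
            # ASSUMPTION on recovery: once the window holds fewer than 3 misses
            # the Sensor is answering again, so the switch returns to On.
            self.mode = SwitchMode.ON
        return self.mode

    def manager_status(self) -> ManagerStatus:
        """Port pair status as the Manager would display it (Table 3)."""
        if not self.powered:
            return ManagerStatus.UNKNOWN
        if self.mode is SwitchMode.BYPASS:
            return ManagerStatus.INLINE_BYPASS
        return ManagerStatus.INLINE_FAILOPEN


def simulate(events: List[Tuple[bool, bool]]) -> List[Tuple[str, str]]:
    """Feed one (switch_powered, sensor_up) pair per second and return the
    (switch mode, Manager status) observed after each tick."""
    switch = BypassSwitch()
    timeline: List[Tuple[str, str]] = []
    for powered, sensor_up in events:
        switch.powered = powered
        # The Sensor returns the heartbeat only while it is up and in-line.
        switch.tick(heartbeat_returned=sensor_up)
        timeline.append((switch.mode.value, switch.manager_status().value))
    return timeline


# Constructed scenario: 3 s healthy, Sensor reboots for 6 s, recovers for 5 s,
# then the switch loses power for 2 s and gets it back for 4 s.
SCENARIO = (
    [(True, True)] * 3
    + [(True, False)] * 6
    + [(True, True)] * 5
    + [(False, True)] * 2
    + [(True, True)] * 4
)

if __name__ == "__main__":
    for second, (mode, status) in enumerate(simulate(SCENARIO), start=1):
        print(f"t={second:2d}s  switch={mode:9s}  manager={status}")
```

Running the block prints one line per simulated second. The switch only enters bypass on the third missed heartbeat, so a Sensor that is briefly slow to answer does not move the switch, and after a reboot the Manager status goes from In-line bypass back to In-line Failopen only once heartbeats are flowing again.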

What happens if one of the two network ports is down?

If only one of the two network ports that the Copper Bypass Switch is connected to goes down, the Copper Bypass Switch will bring down the peer network port when the LFD option is enabled (it is enabled by default). When this happens, the ports of the Copper Bypass Switch connected to the IPS Sensor ports will remain up, but traffic will not be inspected by the IPS.

Common problems and solutions

This section lists some common installation problems and their solutions.

Table 4  Common problems and solutions

Problem: Copper Bypass Switch power LEDs are off.
Possible cause: The power supply is either not connected or not functioning.
Solution: Check the connection of the power supply in the Copper Bypass Switch.

Problem: Sensor LED is off.
Possible cause: The Sensor is powered off, or the Sensor port cable is disconnected.
Solution: Restore Sensor power and check the Sensor cable connections.

Problem: Sensor is operational, but is not monitoring traffic.
Possible cause: The Sensor ports have not been enabled in the Manager.
Solution: Ports are disabled in a Sensor failure; they must be re-enabled in the Manager for Sensor monitoring to resume.

Problem: Network device cables have been disconnected.
Solution: Check the cables and ensure they are properly connected to both the network devices and the Bypass Switch.

Problem: Network or link problems.
Possible cause: Improper cabling or port configuration.
Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.

Problem: Runts or giants errors on switches and routers.
Possible cause: Improper cabling or port configuration.
Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.

Problem: The system fault “Switch absent” appears in the Operational Status page of the Manager.
Possible cause: Improper cabling.
Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.


Copyright © 2014 McAfee, Inc. www.intelsecurity.com

Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/ registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.


700-3605D00
