McAfee® Network Security Platform
10/100/1000 Copper Active Fail-open Bypass Kit with SNMP Guide
Revision E
This document describes the contents and how to install the McAfee® 10/100/1000 Copper Active Fail-Open Bypass
Kit with SNMP monitoring (the Kit) for McAfee Network Security Sensor (Sensor) M-Series and NS-series models with
standard Small Form-factor Pluggable (SFP) monitoring ports, how the Kit functions, and what to expect during
normal use.
The Kit contains an Active Fail-Open Copper Bypass Switch (Copper Bypass Switch) and all the components needed to connect the switch to the 10/100/1000 monitoring ports of the Sensor. The monitoring ports on the Sensor are fail-closed; thus, if an in-line Sensor experiences a link, power or application failure, the result is network downtime. Fail-open operation for the monitoring ports requires the optional external Copper Bypass Switch provided in the Kit.
The Copper Bypass Switch can be configured for the following Sensor models: NS9300, NS9200, NS9100,
M-8000, M-6050, M-4050, M-3050, M-2950, M-2850, M-2750.
With the Copper Bypass Switch in place, the switch receives power from the dual power adapters (for power
redundancy, use two independent power sources). When the Sensor is operating, the switch is “On” and routes all
traffic directly through the Sensor. When the Sensor fails, the switch automatically shifts to a bypass state: in-line
traffic continues to flow through the network link, but is no longer routed through the Sensor. Once the Sensor
resumes normal operation, the switch returns to the “On” state, again enabling in-line monitoring.
During normal Sensor in-line fail-open operation, the Copper Bypass Switch sends a heartbeat signal (one every second) to the monitoring port pair. If the Copper Bypass Switch does not receive 3 heartbeat signals within its programmed interval, the Copper Bypass Switch removes the Sensor’s monitoring port pair from the data path and moves the Sensor into bypass mode, providing continuous data flow.
In the event the Copper Bypass Switch loses power, traffic will bypass the IPS Sensor monitoring ports, and will be
forwarded to the peer device (after renegotiation). Since there is no heartbeat signal during this period, the status of
the Sensor monitoring port pair will be displayed as AUK (unknown) in the Port Settings page.
The Copper Bypass Switch with SNMP monitoring provides the additional feature of raising SNMP faults to track
events. The Copper Bypass Switch can raise faults for the following events:
• Bypass state changes
• Utilization exceeds the threshold on any port
• Any port link status changes
• Either power supply state changes
You can use the Web and System Managers to configure and remotely manage the Copper Bypass Switch. The Web
Manager is used to monitor and control individual Copper Bypass Switches and the System Manager is used to
view/change the system status settings and retrieve data from the configured Copper Bypass Switch. For more
information, see NetOptics Documentation.
Kit contents
The following external hardware is shipped with the Kit:
Quantity  Items
2         Power supplies/cords
1         DB-9 programming cable
3         RJ-45 cat5e straight-through cables (3 meters long)
1         RJ-45 cat5e crossover cable (3 meters long)
1         Quick Start Guide
1         Rack mounting panel
Power supply specification:
Manufactured by: Condor
P/N: SA-123AOI
INPUT: 100-240 VAC ~ 0.8 A, 47-63 Hz
OUTPUT: 12 V DC, 3.0 A
1. Install the Copper Bypass Switch on a rack
You can install the kit on a two-slot 19-inch panel; the mounted kit occupies one rack unit.
2. Install the Copper Bypass Switch on the rack-mount panel
a. Slide the Copper Bypass Switch into the opening on the rack-mount panel until the faceplate of the switch rests against the panel.
b. Secure the Copper Bypass Switch to the rack-mount panel by inserting the thumb screws through the holes on the panel.
Additional Copper Bypass Switches can be installed without removing the rack-mount panel from the rack.
3. Install the panel and switch(es) on a rack
a. Place the 1U panel against the front of a standard 19-inch rack.
b. Secure the rack-mount panel by inserting the screws (included with the rack-mount panel) through the holes on the front of the panel and the sides of the rack.
Connect the Copper Bypass Switch to a network device
a. Plug an inside network cable connector into the Network port labeled A on the Copper Bypass Switch.
b. Plug the other end of this cable into the corresponding network device.
c. Plug an outside network cable into the Network port labeled B on the Copper Bypass Switch.
d. Plug the other end of this cable into the corresponding network device.
Connect the Copper Bypass Switch management port to a network device
a. Connect a Cat 5/Cat 5e straight-through cable to the Management port at the rear of the Bypass Switch.
b. Connect the other end to a network switch or hub.
c. In the HyperTerminal, type set ip <ip address>, where <ip address> is the IP address you are assigning to the Bypass Switch.
d. Type set netmask <netmask address>, where <netmask address> is the netmask you are assigning to the Bypass Switch.
4. Connect the Copper Bypass Switch to a Sensor with SFP ports
The physical connection between the Copper Bypass Switch and the Sensor differs by Sensor model and port pair.
The number of SFP monitoring ports available on the Sensor is model-specific.
Sensor Model                 No. of SFP Monitoring Ports
NS-9100, NS-9200, NS-9300    8
M-8000                       16
M-6050, M-4050, M-3050       8
M-2950, M-2850               12
M-2750                       20
This diagram shows a Copper Bypass Switch connected to one of the first four port pairs of an M-4050 Sensor.
Item  Description
1     Copper Bypass Switch with SNMP monitoring. The LFD and bypass detecting mode settings cannot be changed.
2     Connection to network device (inside)
3     Connection to network device (outside)
4     Monitoring port 1 (inside) connection to port 5A (copper SFP)
5     Monitoring port 2 (outside) connection to port 5B (copper SFP)
6     Monitoring port in M-4050 Sensor. The M-4050 Sensor has eight 10/100/1000 Gigabit Ethernet monitoring ports (four pairs) and supports up to four Kits.
1. Plug a Cat 5/Cat 5e Ethernet cable (inside) into the copper SFP.
2. Plug the other end of the cable into the monitoring port labeled C on the bypass switch.
3. Plug a Cat 5/Cat 5e Ethernet cable (outside) into the corresponding peer port. (For example, if you used 5A in step 1, plug the cable into port 5B.)
4. Plug the other end of the cable into the monitoring port labeled D on the Copper Bypass Switch.
With this cable configuration, Sensor monitoring port 5A views traffic as originating inside the network, and port 5B views traffic as originating outside the network. Note that this configuration (5A = inside, 5B = outside) must match the port configuration specified for this Sensor, and that the ports must be enabled. For more information on port configuration via the Manager, see the McAfee Network Security Platform IPS Administration Guide.
5. Deploy the Copper Bypass Switch: inline vs tap
The Copper Bypass Switch can be configured to operate in inline and tap modes. McAfee recommends that customers deploy Network IPS in inline mode. However, if you decide to install Network IPS in tap mode, the Copper Bypass Switch has an option to switch from tap mode to inline mode when your network is experiencing symptoms of potential denial of service attacks or when you need to block certain threats for a short period of time. After the period is over, you can switch back to tap mode deployment.
Configure the Copper Bypass Switch in tap mode
To change the Copper Bypass Switch from inline to tap mode:
a. Type set mode <1|2> at the CLI command prompt.
Parameter  Description
1          Sets tap mode On
2          Sets tap mode Off (default)
You can configure the Copper Bypass Switch to tap mode only using the CLI. Tap mode cannot be set using the Manager.
To verify that the connection is in tap mode, do the following:
b. Click Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.
c. Verify that Tap is displayed for the corresponding port. This indicates the operating mode of the Copper Bypass Switch.
d. Click the port to view the Monitoring Port panel.
e. Verify that the Operating Mode is displayed as In-line Fail-Open Active. This indicates the operating mode of the Sensor monitoring port.
Configure the Copper Bypass Switch in in-line mode
You configure the Sensor’s monitoring ports from the Manager interface. The port configuration must match the cabling of the Copper Bypass Switch, the ports must be set to “In-line Fail-open Active (Port Pair)”, and they must be enabled.
To view/configure the settings of your monitoring ports:
a. In the Manager interface, select Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.
b. Click a numbered port (for example, 1/5) from the monitoring ports. The Monitoring Ports window displays the current port settings.
c. In the port configuration, do the following:
   a. Select the Speed. You can select the following speed values from the drop-down list:
      • 10 Mbps
      • 100 Mbps
      • 1000 Mbps
   b. Select the Duplex as Full from the drop-down list and enable the Auto-Negotiate check box.
      With auto-negotiation on and all speeds enabled, that is, if the first network switch uses a 10/100 Ethernet port with speed set to auto and the second network switch uses a 10/100/1000 Ethernet port with speed set to auto, the maximum negotiable speed is 100 Mbps. Therefore, configure the Sensor port pair to 100 Mbps auto-full and leave the Kit at its default setting.
      Half duplex configuration is not supported on the Copper Bypass Switch.
   c. Select the SFP Type as Copper from the drop-down list.
   d. Set the Administrative Status to Enable (on).
   e. Select the Operating Mode as In-line Fail-open Active (Port Pair).
   f. The message "Are the Active Fail-open Kit connected?" is displayed. Select Yes if you have already connected the Copper Bypass Switch.
   g. Select the area of your network to which the current port is connected: Inside (internal) or Outside (external).
   h. Click OK.
   i. Click Commit Changes.
   j. Open the Bypass Switch HyperTerminal session.
   k. Type b to set the same Speed, Duplex and Auto-negotiation settings on the Copper Bypass Switch.
   l. Repeat steps 1-11 for any other ports you need to configure.
For more information on configuring monitoring ports, see the McAfee Network Security Platform IPS Administration Guide.
6. Log on to the Copper Bypass Switch
a. Ensure the power to the Copper Bypass Switch is Off.
Figure 1 Management port and DB-9 RS232 port
b. Using a DB-9 RS232 cable, connect a PC that is running HyperTerminal to the Copper Bypass Switch.
c. Launch terminal emulation software such as HyperTerminal, and set the communications parameters to the following:
   1) Bits per second: 19200
   2) Data bits: 8
   3) Parity: None
   4) Stop bit: 1
   5) Flow control: None
d. Click OK.
The CLI banner and login prompt are displayed.
e. Type the default username and password.
The default username and password are both McAfee and are case sensitive. McAfee strongly recommends that you change the default login credentials for security purposes.
For information on the CLI commands, see NetOptics Documentation.
7. Set the Copper Bypass Switch parameters
The details of the commands used in the port configuration are given in the following table:
Table 1 Commands
Command  Description
a        Set the timeout value. To set the Timeout value, do the following:
         • Type a and press Enter.
         • TimeOut period (1-254 milliseconds): type the number of milliseconds between each heartbeat (1-254 milliseconds) and press Enter. Default = 10 msec.
         • Retry Count (1-254): type the number of missed heartbeats allowed before the Bypass Switch enters On mode. Default = 10.
         The Retry Count must be greater than or equal to the Timeout period.
b        Set Switch parameters. To set speed, duplex and auto-negotiation, LFD, and bypass detect:
         • 1 = turn On.
         • 0 = turn Off.
         • Fail Mode Open/Close = 1
         The LFD and Bypass detecting mode settings cannot be changed.
c        Set TAP mode.
         • Type c and press Enter.
         • Type 1 to set the tap mode On or 0 to set the tap mode Off. Default = Off.
d        Show configuration. Type d and press Enter. The following is displayed:
         • LFD = On
         • Timeout Period = 10 msec
         • Bypass Detect = Off
         • Retry Count = 10
         • Fail Mode = Open
         • Bypass State = On
         • TAP Mode = Off
e        Show port status. Type e and press Enter. The following is displayed:
         • Port A = Up/Down
         • Port B = Up/Down
         • Port 1 = Up/Down
         • Port 2 = Up/Down
f        Set Switch name.
         • Type f and press Enter.
         • At the prompt, type the Switch name, which can be 8 characters long.
z        Reset to factory defaults.
8. Verify proper installation
Once the Copper Bypass Switch has been connected to the network and the Sensor, the following points indicate proper installation:
• Check that the power LED on the front panel is illuminated.
• Check the link LEDs to ensure that the monitoring device is receiving traffic from the Copper Bypass Switch.
• Check the front panel display and the threshold LEDs for utilization and peak information. If no traffic is flowing through the device, <an error message> is displayed on the device. Type the CLI commands on the HyperTerminal to set the front panel display contents.
Status LEDs on the Copper Bypass Switch
The table describes the LEDs on the Copper Bypass Switch. For information on Sensor LEDs, refer to the corresponding Sensor product guide.
Table 2
Item  Description
1     The main and redundant power. Both LEDs illuminate when power is connected to the Copper Bypass Switch.
2     The two LEDs indicate the Copper Bypass Switch mode. When Copper Bypass Switch On is illuminated, traffic is not flowing through the in-line device. When Copper Bypass Off is illuminated, traffic is routed through the in-line device.
3     The two LEDs indicate the network port mode. When traffic is flowing through the ports, the LEDs are illuminated.
4     The two LEDs indicate the monitoring port mode. When traffic is flowing through the ports, the LEDs are illuminated.
5     When traffic utilization exceeds the threshold value, the LED for that link illuminates. Use the Reset button to clear the threshold alarms.
6     If a good link is established, the corresponding LED illuminates:
      • Amber for 10 Mbps
      • Yellow for 100 Mbps
      • Green for 1 Gbps
Port and operating mode status
The port and operating mode status for in-line fail-open mode, as shown on the Central Manager, are as follows:
Table 3 Port status on the Central Manager
Port Status       Port color on the Sensor  Operating Mode Status
In-line Failopen  Green                     The Sensor is in in-line fail-open mode.
Switch Absent     Red                       The Copper Bypass Switch is not present. Verify that the component is connected properly. After connecting, check the Operational Status.
N/A               Gray                      The Copper Bypass Switch is not present. Verify that the component is connected properly. After connecting, check the Operational Status.
In-line Bypass    Yellow                    The Sensor is down and the Copper Bypass Switch has been activated. The Sensor does not monitor during this time.
Unknown           Teak                      Unable to get the status of the Copper Bypass Switch from the Sensor. Check the Operational Status.
9. Verification process
• At the Sensor console on the HyperTerminal, type show intfport 5A. The configuration of the Sensor interface port is displayed.
• On the Sensor console, the Operational Status field should display Up.
• On the Manager, go to the Configuration page and select Device List | Sensor_Name | Physical Sensor | Port Settings. Look at the color representing the ports, and check the color legend on the screen to see the status of the Sensor’s ports.
Troubleshooting
How does the Copper Bypass Switch work?
During normal Sensor in-line fail-open operation, the Copper Bypass Switch sends a heartbeat signal (one every second) to the monitoring port pair. If the Copper Bypass Switch does not receive 3 heartbeat signals within its programmed interval, the Copper Bypass Switch removes the Sensor’s monitoring port pair from the data path and moves the Sensor to bypass mode, providing continuous data flow.
While the Sensor is in bypass mode, traffic passes directly through the Copper Bypass Switch, bypassing the Sensor.
When normal Sensor operation resumes, you may or may not need to manually re-enable the monitoring ports from the Manager interface, depending on the activity leading up to the Sensor’s failure.
Copper Bypass Switch packets are sent in both directions (that is, inbound and outbound).
The following section describes how to return the Sensor to in-line mode:
Move from bypass mode back to in-line mode
Moving from bypass mode back to in-line mode involves the following:
Manual Sensor reboot
Certain normal Sensor activity involves a reboot, such as installation of a new Sensor software image or a
manual reboot issued from the Manager. If the Sensor reboots during normal activity, no manual intervention
is necessary. When the switch receives power from the power adaptor and a heartbeat signal from the Sensor,
it sends traffic through the Sensor and the Sensor resumes monitoring traffic in in-line mode.
Sensor error
If the Sensor reboots due to an internal error, a hardware failure, removal of the Copper Bypass Switch during normal operation, or disruption of the Sensor or Copper Bypass Switch cables during Sensor operation, the monitoring ports connected to the Copper Bypass Switch are automatically enabled when the Sensor resumes monitoring traffic in in-line mode.
What happens in a Sensor failure?
When a Sensor fails with the Copper Bypass Switch in place, the following events occur in the order shown.
1. The Manager reports a “Sensor in bad health” or “Port pair is in bypass mode” error in the Operational Status window.
2. The Sensor reboots and the Copper Bypass Switch begins forwarding traffic. All traffic then bypasses the Sensor and flows across the Copper Bypass Switch with minimal traffic disruption.
3. Upon reboot completion, the Copper Bypass Switch resumes its heartbeat, and one of the following occurs:
   • If the reboot happened during normal activity as described above, the Copper Bypass Switch resumes passing data through the Sensor once the Sensor returns to in-line mode.
   • If the reboot occurred due to an error, the Copper Bypass Switch continues to bypass the Sensor until the Sensor ports are re-enabled automatically. Once the ports are re-enabled, the Copper Bypass Switch resumes passing data through the Sensor and the Sensor returns to in-line mode.
4. The errors on the Manager are cleared and normal health is reported.
What happens if one of the two network ports is down?
If only one of the two network ports that the Copper Bypass Switch is connected to goes down, the Copper Bypass Switch brings down the peer network port when the LFD option is enabled (it is enabled by default). When this happens, the ports of the Copper Bypass Switch connected to the IPS Sensor ports remain up, but traffic is not inspected by the IPS.
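The heartbeat watchdog, the power-loss case and the LFD behaviour described in this troubleshooting section (and earlier in the overview and Table 1) can be modelled as a small state machine. The following Python is an added example, not McAfee or NetOptics code; the class and method names, the millisecond time base and the event tuples are assumptions of this example, and the heartbeat, power and link sequences fed to it are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BypassSwitch:
    """Model of the Copper Bypass Switch fail-open logic (illustrative, not device firmware)."""
    timeout_ms: int = 10          # Table 1 "TimeOut period": 1-254 ms, default 10
    retry_count: int = 10         # Table 1 "Retry Count": 1-254, default 10
    lfd: bool = True              # Link Fault Detect; fixed On on this Kit
    bypass: bool = False          # False: traffic is routed through the Sensor
    last_heartbeat_ms: Optional[int] = None
    power: dict = field(default_factory=lambda: {"main": True, "redundant": True})
    link: dict = field(default_factory=lambda: {"A": True, "B": True, "1": True, "2": True})
    events: list = field(default_factory=list)  # what the switch would raise over SNMP

    def __post_init__(self) -> None:
        if not (1 <= self.timeout_ms <= 254 and 1 <= self.retry_count <= 254):
            raise ValueError("TimeOut period and Retry Count must be 1-254")
        if self.retry_count < self.timeout_ms:  # constraint stated under command a
            raise ValueError("Retry Count must be >= TimeOut period")

    def powered(self) -> bool:
        return any(self.power.values())

    def _set_bypass(self, on: bool, reason: str) -> None:
        if on != self.bypass:
            self.bypass = on
            self.events.append(("bypass", "On" if on else "Off", reason))

    def heartbeat(self, now_ms: int) -> None:
        """Heartbeat seen on the monitoring port pair: the Sensor is alive."""
        self.last_heartbeat_ms = now_ms
        if self.powered():
            self._set_bypass(False, "heartbeat resumed")

    def poll(self, now_ms: int) -> int:
        """Advance the watchdog clock; returns the heartbeats missed so far."""
        if not self.powered() or self.last_heartbeat_ms is None:
            return 0
        missed = (now_ms - self.last_heartbeat_ms) // self.timeout_ms
        if missed >= self.retry_count:
            self._set_bypass(True, f"{missed} heartbeats missed")
        return missed

    def set_power(self, supply: str, on: bool) -> None:
        """Power supply state change; losing both supplies forces bypass."""
        if self.power[supply] != on:
            self.power[supply] = on
            self.events.append(("power", supply, "On" if on else "Off"))
        if not self.powered():
            self._set_bypass(True, "power lost")
            self.last_heartbeat_ms = None  # no heartbeat can be received

    def set_link(self, port: str, up: bool) -> None:
        """Link change on a network port (A/B) or a monitoring port (1/2)."""
        if self.link[port] != up:
            self.link[port] = up
            self.events.append(("link", port, "Up" if up else "Down"))
        peer = {"A": "B", "B": "A"}.get(port)
        if self.lfd and peer and not up and self.link[peer]:
            # LFD propagates a failed network link to its peer network port;
            # monitoring ports 1/2 stay up, but traffic is no longer inspected
            self.link[peer] = False
            self.events.append(("link", peer, "Down"))

    def manager_status(self) -> str:
        """Port status as the Manager's Port Settings page labels it (Table 3)."""
        if not self.powered():
            return "Unknown"
        return "In-line Bypass" if self.bypass else "In-line Failopen"
```

With the defaults, the tenth missed heartbeat flips the switch to bypass, a single heartbeat brings it back, and losing both supplies leaves the Manager showing Unknown until power and heartbeats return.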
Common problems and solutions
This section lists some common installation problems and their solutions.
Table 4
Problem: Copper Bypass Switch power LEDs are off.
Possible cause: Either the power supply is not connected or it is not functioning.
Solution: Check the connection of the power supply to the Copper Bypass Switch.

Problem: Sensor LED is off.
Possible cause: The Sensor is powered off, or the Sensor port cable is disconnected.
Solution: Restore Sensor power. Check the Sensor cable connections.

Problem: Sensor is operational but is not monitoring traffic.
Possible cause: Network device cables have been disconnected, or the Sensor ports have not been enabled in the Manager.
Solution: Check the cables and ensure they are properly connected to both the network devices and the Bypass Switch. Ports are disabled in a Sensor failure; they must be re-enabled in the Manager for Sensor monitoring to resume.

Problem: Network or link problems.
Possible cause: Improper cabling or port configuration.
Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.

Problem: Runts or giants errors on switches and routers.
Possible cause: Improper cabling or port configuration.
Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.

Problem: The system fault “Switch absent” appears in the Operational Status page of the Manager.
Possible cause: Improper cabling.
Solution: Ensure that the transmit and receive cables are properly connected to the Copper Bypass Switch.
Copyright © 2017 McAfee, LLC
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.
700-3606E00