https://community.cisco.com/t5/network-security/ips-bypass-question/m-p/1374858#M68015 <HTML><HEAD></HEAD><BODY><P>The 4260 and 4270 both uses the 4GE card. This card does have a hardware bypass feature. In the event of a power failure the two GigE interfaces are physically connected together:</P><P><A href="http://www.cisco.com/en/US/docs/security/ips/7.0/installation/guide/hw_installing_4270.html#wp67704">http://www.cisco.com/en/US/docs/security/ips/7.0/installation/guide/hw_installing_4270.html#wp67704</A></P><P></P><P>But you mentioned that you were doing a VLAN pair, this will not work with a hardware failopen feature (such as the one found in the 4GE card).</P><P>You are arriving at the IPS sensor on one VLAN and leaving the IPS Sensor on a different VLAN (on the same interface? on different interfaces?) When the IPS sensor is functioning normally, it will translate the VLAN header between the two directions of traffic. A hardware failopen will NOT translate VLAN headers.</P><P>If you want to contunie to use VLAN pairs, you will need to perfrom your fail over functionality in an external device, such as a switch.</P><P></P><P>- Bob</P></BODY></HTML> Fri, 12 Feb 2010 17:31:44 GMT rhermes 2010-02-12T17:31:44Z https://community.cisco.com/t5/network-security/ips-bypass-question/m-p/1374857#M68011 <P>Hello experts,</P><P></P><P>I'm working with 2 4260 and a 4270, I will be implementing vlan pair and I would like to know what happens with the traffic if for any reason the IPS fails. Lets say that the failure is due to a power issue.</P><P></P><P>Thanks,</P> Sun, 10 Mar 2019 11:53:18 GMT https://community.cisco.com/t5/network-security/ips-bypass-question/m-p/1374857#M68011 Diego Armando Cambronero Arias 2019-03-10T11:53:18Z https://community.cisco.com/t5/network-security/ips-bypass-question/m-p/1374858#M68015 <HTML><HEAD></HEAD><BODY><P>The 4260 and 4270 both uses the 4GE card. This card does have a hardware bypass feature. In the event of a power failure the two GigE interfaces are physically connected together:</P><P><A href="http://www.cisco.com/en/US/docs/security/ips/7.0/installation/guide/hw_installing_4270.html#wp67704">http://www.cisco.com/en/US/docs/security/ips/7.0/installation/guide/hw_installing_4270.html#wp67704</A></P><P></P><P>But you mentioned that you were doing a VLAN pair, this will not work with a hardware failopen feature (such as the one found in the 4GE card).</P><P>You are arriving at the IPS sensor on one VLAN and leaving the IPS Sensor on a different VLAN (on the same interface? on different interfaces?) When the IPS sensor is functioning normally, it will translate the VLAN header between the two directions of traffic. A hardware failopen will NOT translate VLAN headers.</P><P>If you want to contunie to use VLAN pairs, you will need to perfrom your fail over functionality in an external device, such as a switch.</P><P></P><P>- Bob</P></BODY></HTML> Fri, 12 Feb 2010 17:31:44 GMT https://community.cisco.com/t5/network-security/ips-bypass-question/m-p/1374858#M68015 rhermes 2010-02-12T17:31:44Z https://community.cisco.com/t5/network-security/ips-bypass-question/m-p/1374859#M68017 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I,m doing it in the same interface.</P><P></P><P>I think that the best option is to route the traffic from the switch in order to do NOT send the traffic to the IPS.</P><P></P><P>Actually the IPS are doing a "VLAN Mapping" so when it receives the traffic on vlan 310 for example it forwards the traffic on VLAN 311 it does a re-tag of the vlan tag.</P><P></P><P>Is it possible to configure the VLAN Map in the switches?</P><P></P><P>Thanks,</P></BODY></HTML> Fri, 12 Feb 2010 20:19:07 GMT https://community.cisco.com/t5/network-security/ips-bypass-question/m-p/1374859#M68017 Diego Armando Cambronero Arias 2010-02-12T20:19:07Z https://community.cisco.com/t5/network-security/ips-bypass-question/m-p/1374860#M68020 <HTML><HEAD></HEAD><BODY><P>Yes. You want to create a stand by path between VLAN 310 and 311 in the switch.</P><P>Add an additional interface to each VLAN on the switch, cable them together with an ethernet patch cable.</P><P>Turn on Spanning Tree Protocol on VLAN 310 and 311 and set the "fail-over" path thru your patch cable to a higher STP cost.</P><P>Once the STP BTDU's fail to pass thru the IPS sensor, the stand by path thru the fail over cable will be enabled.</P><P>You'll have to play with the timing options to get it to happen in less than the standard STP of 15 seconds or so.</P><P></P><P>- Bob</P></BODY></HTML> Fri, 12 Feb 2010 22:16:06 GMT https://community.cisco.com/t5/network-security/ips-bypass-question/m-p/1374860#M68020 rhermes 2010-02-12T22:16:06Z