IPS 4240.. and hardware bypass

desaijaimin
Level 1

Hi everyone.. please kindly help. We are using a 4240 as an IDS at the moment and are looking to enable the IPS capability in the near future. However we only have one IPS on our site. For resiliency we have 2 entry/exit points with 1 ASA at each entry point as a firewall.

My concern is that if we enable IPS capabilities in inline mode and the IPS falls over due to a hw problem we will end up with a primary link failure. Is there some sort of module available for the 4240 to enable hardware bypass? Thanks Regards.

14 Replies

svaish
Level 1

Hardware bypass is useful only in case if there is a software failure on the IPS and the sensor is not able to scan the traffic any more, in that case hardware bypass works as a bridge and keeps forwarding the packets without scanning.

However if the appliance fails, such as a bad hardware or interface failure itself, in that case hardware bypass is of no use.

Currently there are no modules available for IPS 4200 series appliance, modules are available only for ASA appliances.

Let me know if you need any more information.

Regards,

Sachin

Hardware bypass for an in-line IPS sensor is essential if you require high network availability and have a failopen posture.

Most IPS sensor software updates and some of the signature updates cause a reload of the sensor or put a processing load on the sensor to the point of impacting traffic. The sensors also crash (believe me they crash) and the "software bypass" does not work under many software crashes (since it needs to know it has a problem to be able to enact bypass).

- Bob

Hi Rhermes, 

Thank you for your reply. That is my impression, that the hardware bypass switch only kicks in when there is a hardware failure. For software bypass we still have to use the built-in sw bypass solution. From your post it seems that sw bypass doesn't always work.

So it seems like it's a best case scenario.. We will have to use the hardware bypass for hw failure.. sw bypass for sw failure and manual intervention when the software bypass doesn't kick in when it's supposed to. Do you have any other suggestions for the times when the sw bypass doesn't kick in the way it's supposed to?

Can you also suggest any tests or methods to test the software bypass in a lab environment before it's rolled out in a live environment.

Thanks once again regards.

A hardware bypass will shunt traffic around a failed sensor for any type of sensor failure, either hardware or software. They work by injecting l2 frames into the sensor. If they do not see those frames pass through the sensor, then they determine the sensor is down and enact a hardware bypass of the sensor.

Please take careful note of the status of the Ethernet link connected to the hardware bypass (go to other devices like your firewall and switch). If the bypass switch (especially the hardware failopen features found in some IPS sensors) takes the Ethernet link down, even momentarily, there can be significant delays to re-establishing an Ethernet link, especially if Spanning Tree Protocol is enabled (and it usually is by default).

- Bob

Thank you Bob, that cleared a few things up for me. This is all new for me and I am still confused about the VLAN business.

I am not sure if I need to create a separate VLAN for IPS traffic to and from the switch. Or is it a case of configuring the trunk between the switch and the IPS. I am continuing to research all that.

Thanks once again for your help.

If you are sending VLAN traffic (Ethernet frames encapsulated in 802.1Q headers) you need to be aware that the sensor needs to be set up for VLAN pairs and that the sensor will CHANGE the VLAN number between the inside and outside of the sensor. This isn't a big problem in a new network, but can cause some work if you are adding a sensor to an existing network.

http://www.cisco.com/en/US/partner/docs/security/ips/7.0/configuration/guide/idm/idm_interfaces.html#wp1029962

- Bob

Thanks Bob. Any reason I am not able to open the link.. It comes up with a message along the lines of I do not have sufficient privileges. Thanks.

Forbidden File or Application

The file or application you are trying to access may require additional entitlement or you are trying to access a file with an invalid name. Additional entitlement levels are granted based on a users relationship with Cisco on a per-application basis.

If you feel you have reached this page in error, please try one of the following methods to locate your document:

  1. If you are manually entering the URL into your browser location bar, be sure to include the file name of the page you are trying to access (file names typically end in .htm, .html or .shtml).
  2. Use the Search feature located in the upper right section of this page.
  3. Return to the Cisco.com Home or select a primary site area from the top navigation bar.
  4. Consult with your Cisco Account Manager to confirm you have the appropriate entitlement to access this page.

If you would like to contact someone about this problem, please click on the Contacts & Feedback link below.

That was a link to the Cisco documentation on IPS sensors with VLAN pairs. It appears that you would need a CCO account to see that link. If there is a copy on the public side of the Cisco website, you should be able to find it by doing a search for "IPS vlan pairs configuration".

- Bob

Thank you Bob. I am still a bit confused. For example suppose we have VLAN 100 between the edge router and the ASA firewall. When I introduce the IPS in between in inline mode, is it the case that the IPS won't understand the VLAN tags?

When it receives the traffic from the internal edge router with VLAN id 100, the IPS won't know what to do with it? Do I need to assign two different VLANs to two ports in inline mode? i.e. g0/0 for vlan100 (between edge router and IPS) and g0/1 for vlan 101 (between IPS and ASA) and then configure an inline VLAN pair? I will do further research today but I thought I would ask you a quick question as I am really confused.

Please find and read the documentation. It will provide more detailed information than I can give you here.

You will need to create a "vlan pair" in your IPS sensor. One VLAN (say vlan 100) will face your ASA, the other VLAN (say vlan 200) will face your edge router.

- Bob

Thank you Bob... I think you are referring to this document. http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718 I read it and I think I am now clear about the issue of 2 separate VLANs.. However I still have some confusion about my own setup.

Currently there is one VLAN - VLAN 100 between the ASA and our internal router. If I place the IPS with an inline interface pair configured between the ASA and our internal router, I am not sure if I need any special configuration with regards to VLANs.. As far as I can see I will have VLAN 100 between ASA and IPS and VLAN 100 again between IPS and internal router. But I have a feeling that my assumption is incorrect and when the IPS receives the packets on one interface from the internal router, it will not forward them out of the paired interface as the IPS may not understand the VLAN tag. Unfortunately I am not in a position to try this on a live IPS device as our IPS is already in a production environment but being used as an IDS.

Would I be better off adding a switch to the mix between the internal router and the ASA and then follow the "inline vlan pair" route? Bit similar to the diagram below.

Hi Sachin, from my research I have found that hardware bypass is useful when there is a hardware failure like a port failure or a power failure for the device.. For the 4240 there is a 3rd party hardware bypass switch available. One of the manufacturers of hardware bypass switches is netoptics. I am hoping that someone who has used this solution can shed some light on it.

Yes thanks, I am looking at the netoptics hw bypass switch. I was wondering if anyone has used it before? Thanks

sramakr2
Level 1

I don't think the 4240 has a hardware bypass facility..

Currently the 4270 device supports hardware bypass, but you need to buy a bypass card for that.

Hope it helps !

Thanks,

Suresh.
