01-19-2016 02:07 AM - edited 03-10-2019 06:32 AM
hello all,
I face a problem: when the IPS fails, the whole network behind it is not accessible,
so how can I check the capability of the box to support both
1-hardware bypass.
2-software bypass.
01-19-2016 04:21 AM
1) Which platform are you using? Not all support HW-bypass. You should find the needed information in the data sheet of your platform.
2) In the configuration of your system. And that is (again) dependent on the platform you use.
01-19-2016 04:32 AM
cisco IPS 4510 - 7.3(4)E4
Is the show tech-support command useful?
I have found below every interface "hardware bypass capable = NO".
Does this tell that the interface is not supported for hardware bypass, or that hardware bypass is not set on that interface?
01-19-2016 04:37 AM
There is no HW-bypass on the 4500 as far as I know. But you can use software-bypass.
01-19-2016 04:46 AM
thank you Karsten
Last question: in case of software bypass, can it work on an interface VLAN pair?
Or does it require an interface pair, or does this not matter in case of software bypass?
I know that software bypass will work in case the service engine is stopped, but if the device is rebooted due to a time change or anything, will it work?
01-19-2016 05:00 AM
Yes, it works with VLAN pairs. But be aware that the use case for software bypass is a situation where the software still has full control of the system. If the signatures are updated, bypass can be used to make sure that no traffic is dropped.
But in every situation where the software doesn't have any control, software bypass can't work. That includes software updates where the sensor reboots, or failed/crashed IPS software.
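As an added illustration of the software-bypass setting the reply above refers to (this is a constructed example, not configuration from anyone in the thread), the following shows where bypass mode is set in the Cisco IPS 7.x sensor CLI. The hostname "sensor" is a placeholder; the three values of bypass-mode are: auto (inspect normally, pass traffic uninspected only while the analysis engine is stopped, for example during a signature update), on (always pass traffic uninspected), and off (fail closed: drop traffic while the engine is stopped).

```cisco
! Constructed example, not from the thread. "sensor" is a placeholder hostname.
sensor# configure terminal
sensor(config)# service interface
! auto = software bypass engages only while the analysis engine is not running.
! off  = fail closed; on = never inspect. Neither helps if the sensor itself reboots.
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
! The running configuration, including the bypass-mode value, is shown with:
sensor# show settings
```

The caveat in the reply applies to all three values: this is a software feature, so it only covers the window in which the sensor OS is up but the analysis engine is stopped; a reboot or a crashed sensor leaves an inline pair without hardware bypass dark regardless of this setting.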
01-21-2016 09:03 AM
Hello,
I had a similar situation where I had a CX module + Cisco Prime Security Manager with Next Generation IPS.
At the beginning, when the CX module fails (IPS), no traffic is allowed.
I was able to overcome this problem by doing the following change to the policy-map:
I added "cxsc fail-open"; this means if the module goes down, the firewall will not pass the traffic through the module for inspection any more.
Initially it was "cxsc fail-close". After I did this change everything went well.
Hope this helps,
Best Regards,
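As an added example of the change described in the post above (constructed here, not the poster's own configuration), this is what the two settings look like in an ASA policy-map that redirects traffic to a CX module. The class-map and policy-map names are placeholders.

```cisco
! Constructed example, not from the thread. Names are placeholders.
! Before: fail-close. While the CX module is down, traffic matched by the
! class is dropped instead of being forwarded.
class-map cx_class
 match any
!
policy-map global_policy
 class cx_class
  cxsc fail-close
!
! After: fail-open. While the CX module is down, the ASA forwards the matched
! traffic itself, without sending it to the module for inspection.
policy-map global_policy
 class cx_class
  cxsc fail-open
!
service-policy global_policy global
```

fail-open restores availability at the cost of inspection coverage during the outage; the ASA's own access lists still apply to the forwarded traffic, but the NGIPS policy does not. Because a failed module becomes invisible to users once fail-open is set, check the module state (for example with "show module") so that an uninspected period is noticed and not silently accepted.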