Bypass and PPM Features for In-Path Deployments

In an in-path deployment, the IDP Series device is deployed transparently “in the wire” between two network devices. Consequently, the IDP Series device can become a point of failure for the network path. We support a number of features to address this potential point of failure. You can:

The following topics describe the bypass and PPM features:

Internal Bypass

Physical interfaces are network interface cards (NICs). If your network security policy privileges availability over security, you can configure the interfaces to enter an internal bypass state in the event of failure or graceful shutdown. Internal bypass is also triggered when the JNET driver is in a state where it cannot receive packets.

In internal bypass, physical interfaces join mechanically to form a circuit that bypasses IDP processing. For example, if you configure internal bypass for vr0, and the IDP Series device encounters failure or is shut down, eth2 and eth3 join to form a circuit that avoids the IDP engine and forwards the traffic to the next network hop.

Internal bypass operates through a timing mechanism. When enabled, the timer on traffic interfaces counts down to a bypass trigger point. When the IDP Series device is turned on and available, it sends a reset signal to the traffic interface timer so that it does not reach the bypass trigger point. If the IDP operating system encounters failure, then it fails to send the reset signal, the timer counts down to the trigger point, and the traffic interfaces enter a bypass state. If the IDP Series device is shut down gracefully, the traffic interfaces immediately enter bypass.

Figure 9 shows the communications path when a virtual router is in internal bypass state.

Figure 9: Internal Bypass

[Image: g036630.gif]

When the IDP operating system resumes healthy operations, it sends a reset signal to the traffic interfaces, and the interfaces resume normal operation.

Best Practice: Our field engineers report that bypass occurs faster when copper NICs are configured with fixed speed and duplex settings. In contrast, when copper NICs have been set to auto, they must renegotiate with their peers when recovering from bypass. We recommend that you configure fixed speed and duplex settings. Be careful to observe the cabling guidelines (straight-through or cross-over) provided in the installation documentation. Be careful to set the same speed and duplex settings on the IDP Series interfaces and on the network devices to which they are directly connected. To check speed and duplex settings, use the Linux mii-tool or ethtool commands, or dmesg | grep -i duplex. To configure NIC speed and duplex settings, use the ACM Configure Network Interface Hardware page.
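The speed and duplex check in this best practice can be scripted. The following Python is an added example, not part of the IDP documentation: it parses the Settings block that ethtool prints for an interface (Speed, Duplex, Auto-negotiation and Link detected are the field names ethtool uses) and reports a NIC that is still auto-negotiating, a speed or duplex that differs from what is configured on the directly connected network device, or a link with no carrier, where ethtool reports Unknown! and nothing can be verified. The sample outputs in the block are constructed; the live_settings helper runs ethtool on the local host and is only used if you call it.

```python
"""Check that IDP traffic NICs run at a fixed speed/duplex matching their peers.

Added example, not part of the IDP documentation. It parses the text that
`ethtool <iface>` prints; Speed, Duplex, Auto-negotiation and Link detected
are the field names ethtool emits. The sample outputs below are constructed.
"""
import re
import subprocess
from typing import Dict, List

FIELDS = ("Speed", "Duplex", "Auto-negotiation", "Link detected")
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*):\s*(\S.*?)\s*$")


def parse_ethtool(text: str) -> Dict[str, str]:
    """Return the interesting 'Name: value' fields from ethtool output."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m and m.group(1) in FIELDS:
            found[m.group(1)] = m.group(2)
    return found


def live_settings(iface: str) -> Dict[str, str]:
    """Run ethtool on this host (ethtool must be installed)."""
    out = subprocess.run(["ethtool", iface], capture_output=True, text=True, check=True)
    return parse_ethtool(out.stdout)


def check_iface(name: str, settings: Dict[str, str],
                peer_speed: str, peer_duplex: str) -> List[str]:
    """Report anything that slows recovery from bypass or breaks the link.

    peer_speed/peer_duplex are the values configured on the directly connected
    network device (read from that device, not guessed).
    """
    problems: List[str] = []
    if settings.get("Link detected", "yes") != "yes":
        # ethtool prints 'Unknown!' for speed/duplex when there is no carrier
        problems.append(f"{name}: no link; speed/duplex cannot be verified")
        return problems
    if settings.get("Auto-negotiation", "").lower() != "off":
        problems.append(f"{name}: auto-negotiation is on; set a fixed speed and duplex")
    if settings.get("Speed") != peer_speed:
        problems.append(f"{name}: speed {settings.get('Speed')} != peer {peer_speed}")
    if settings.get("Duplex") != peer_duplex:
        problems.append(f"{name}: duplex {settings.get('Duplex')} != peer {peer_duplex}")
    return problems


# Constructed ethtool output for an interface pinned to 1000/Full.
FIXED_OUTPUT = """Settings for eth2:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                1000baseT/Full
        Speed: 1000Mb/s
        Duplex: Full
        Auto-negotiation: off
        Link detected: yes
"""

# Constructed output for a NIC left on auto that negotiated 100/Half.
AUTO_OUTPUT = """Settings for eth3:
        Speed: 100Mb/s
        Duplex: Half
        Auto-negotiation: on
        Link detected: yes
"""

# Constructed output for a NIC with no carrier.
DOWN_OUTPUT = """Settings for eth3:
        Speed: Unknown!
        Duplex: Unknown! (255)
        Auto-negotiation: on
        Link detected: no
"""

if __name__ == "__main__":
    for name, text in (("eth2", FIXED_OUTPUT), ("eth3", AUTO_OUTPUT), ("eth3", DOWN_OUTPUT)):
        for line in check_iface(name, parse_ethtool(text), "1000Mb/s", "Full") or [f"{name}: OK"]:
            print(line)
```

Run it against each traffic interface of a virtual router pair with the speed and duplex that the switch or router on that side is configured for; any line it prints is a setting to correct before relying on fast recovery from bypass.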

External Bypass

External bypass operates according to the logic of a third-party external bypass unit. When the IDP Series device is turned on and available, it sends NetScreen Redundancy Protocol (NSRP) heartbeats to the external bypass unit. When the NSRP packets flow, the external bypass unit allows connections to proceed through the IDP Series device. If the IDP Series device encounters failure or is shut down, it cannot send the NSRP packets. The traffic interfaces enter a bypass state. When the external bypass unit detects this, it forwards packets around the IDP Series device, according to the rules you configure on the external bypass unit. See Figure 10.

Figure 10: External Bypass

[Image: g036632.gif]

When the IDP operating system resumes healthy operations, it resumes sending NSRP packets. The external bypass unit detects this and allows connections to proceed through the virtual router.

Peer Port Modulation

The peer port modulation (PPM) feature supports deployments where routers monitor link state to make routing decisions. In these deployments, a router might be set to monitor link state on only one side of the IDP Series device. Suppose, for example, the router monitors only the IDP inbound interface. Suppose the inbound interface remains up but the outbound interface goes down. The router watching the inbound link would detect an available link and forward traffic to the IDP Series device. Traffic would be dropped at the point of failure—the outbound link. PPM propagates a link loss state for one traffic interface to all interfaces in the IDP virtual router.

When PPM is enabled, a PPM daemon monitors the health of IDP traffic interfaces belonging to the same virtual router. If a traffic interface loses link, the PPM process turns off any associated network interfaces in the same virtual router so that other network devices detect that the virtual router is down and route around it. For example, assume you have enabled PPM and configured IDP virtual routers as shown in Figure 11.

Figure 11: Peer Port Modulation

[Image: g036631.gif]

Suppose there is a network problem and eth3 goes down. The PPM daemon detects this and turns off the other interface in vr0: eth2. The interfaces in vr1, vr2, and vr3 are unaffected. After you fix the problem with eth3, the PPM daemon detects this and turns eth2 back on.

Note: The PPM feature is independent of the bypass feature (NIC state setting). PPM is related to the status of the link, not the status of the IDP operating system. A link can be down even when the IDP operating system is healthy. Note, however, that PPM runs as a control plane process and operates only when the IDP Series device is turned on and the control plane is available. If the IDP operating system is unavailable, the PPM feature is also unavailable, regardless of the setting for the NIC state.
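The interaction described in this note can be captured in a small state model. The following Python is an added example, not Juniper code: it simulates the NIC bypass timer from the Internal Bypass section (a countdown that the healthy operating system keeps resetting, with a graceful shutdown entering bypass at once) together with the PPM daemon from this section, and shows that PPM propagates link loss within one virtual router only, leaves other virtual routers alone, and does nothing while the operating system is down. The tick length, the virtual router names and the interface names are constructed for illustration.

```python
"""Simulation of internal bypass and PPM on an IDP Series device.

Added example, not Juniper code: it models the behaviour the text describes.
Tick length, virtual-router names and interface names are constructed; the
countdown stands in for the NIC bypass timer and the reset signal that the
operating system sends while it is healthy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class IdpDevice:
    vrs: Dict[str, Tuple[str, str]]           # virtual router -> its interface pair
    bypass_ticks: int = 3                     # ticks before the NIC timer trips
    ppm_enabled: bool = True
    os_healthy: bool = True
    link: Dict[str, bool] = field(default_factory=dict)  # carrier from the peer device
    ppm_off: Set[str] = field(default_factory=set)       # interfaces PPM has turned off
    in_bypass: Set[str] = field(default_factory=set)     # virtual routers in bypass
    timer: int = 0

    def __post_init__(self) -> None:
        self.timer = self.bypass_ticks
        self.link = {i: True for pair in self.vrs.values() for i in pair}

    def set_link(self, iface: str, up: bool) -> None:
        """The peer device raises or drops carrier on one IDP interface."""
        self.link[iface] = up

    def fail_os(self) -> None:
        self.os_healthy = False            # reset signals stop; NIC timers run down

    def recover_os(self) -> None:
        self.os_healthy = True

    def graceful_shutdown(self) -> None:
        self.os_healthy = False
        self.timer = 0
        self.in_bypass = set(self.vrs)     # a clean shutdown enters bypass at once

    def tick(self) -> None:
        """One timer period on every traffic interface."""
        if self.os_healthy:
            self.timer = self.bypass_ticks # reset signal: timer never reaches trigger
            self.in_bypass.clear()         # healthy again: NICs resume normal operation
            if self.ppm_enabled:
                self._run_ppm()            # PPM is a control-plane process
            return
        self.timer = max(0, self.timer - 1)
        if self.timer == 0:
            self.in_bypass = set(self.vrs) # trigger point reached: bypass the engine
        # no PPM here: with the OS down the daemon is unavailable too

    def _run_ppm(self) -> None:
        """Propagate link loss on one interface to the rest of its virtual router."""
        for pair in self.vrs.values():
            lost = {i for i in pair if not self.link[i]}
            if lost:
                self.ppm_off.update(set(pair) - lost)
            else:
                self.ppm_off.difference_update(pair)  # link back: turn peers on again

    def iface_up(self, iface: str) -> bool:
        return self.link[iface] and iface not in self.ppm_off

    def vr_state(self, vr: str) -> str:
        """forwarding, bypass, down (both sides see link loss) or black-hole."""
        if vr in self.in_bypass:
            return "bypass"
        ups = [self.iface_up(i) for i in self.vrs[vr]]
        if all(ups) and self.os_healthy:
            return "forwarding"
        if not any(ups):
            return "down"
        return "black-hole"   # one side still sees link up but traffic is dropped


def ppm_scenario(ppm_enabled: bool) -> List[Tuple[str, str, bool]]:
    """eth3 loses link in vr0; vr1 must be untouched; eth2 follows only with PPM."""
    dev = IdpDevice({"vr0": ("eth2", "eth3"), "vr1": ("eth4", "eth5")},
                    ppm_enabled=ppm_enabled)
    trace = []
    dev.set_link("eth3", False)
    dev.tick()
    trace.append((dev.vr_state("vr0"), dev.vr_state("vr1"), dev.iface_up("eth2")))
    dev.set_link("eth3", True)
    dev.tick()
    trace.append((dev.vr_state("vr0"), dev.vr_state("vr1"), dev.iface_up("eth2")))
    return trace


def bypass_scenario() -> List[Tuple[str, bool]]:
    """OS fails while eth3 also drops: countdown, bypass, then recovery."""
    dev = IdpDevice({"vr0": ("eth2", "eth3")}, bypass_ticks=3)
    dev.tick()
    dev.fail_os()
    dev.set_link("eth3", False)
    trace = []
    for _ in range(3):
        dev.tick()
        trace.append((dev.vr_state("vr0"), dev.iface_up("eth2")))
    dev.recover_os()
    dev.tick()                 # bypass clears and PPM finally reacts to eth3
    trace.append((dev.vr_state("vr0"), dev.iface_up("eth2")))
    return trace
```

With PPM disabled the first step of ppm_scenario reports vr0 as a black hole (eth2 still up, eth3 down), which is exactly the routing-decision problem PPM removes; with PPM enabled both interfaces of vr0 go down while vr1 keeps forwarding. In bypass_scenario the link loss on eth3 is not propagated until the operating system is back, because the daemon runs on the control plane.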

Best Practice: Network issues are easier to diagnose and correct when the link state is the same on both links in an interface pair. We recommend you enable PPM for (non-redundant) in-path deployments.

Related Documentation

The following related topics are included in the IDP Series Deployment Scenarios guide:

The following related topics are included in the IDP Series Concepts and Examples Guide:

The following related topic is included in the IDP Series Administration Guide: