    In-Path Deployments: Bypass and PPM Features

    In an in-path deployment, the IDP Series device is deployed transparently “in the wire” between two network devices. Consequently, the IDP Series device can become a point-of-failure for the network path. We support a number of features to address the potential point-of-failure. You can:

    • Deploy the IDP Series devices in a redundant path, failover topology.
    • Enable internal or external bypass.
    • Enable peer port modulation.

    The following topics describe the bypass and PPM features:

    Layer 2 Bypass

    You enable or disable Layer 2 bypass to determine how the IDP Series device handles Layer 2 packets.

    When the IDP Series appliance is deployed in the path of network traffic, it can take one of three actions on each packet it receives:

    • Drop it.
    • Pass it through.
    • Process it according to IDP OS rules to determine whether to drop it, forward it, rate limit it, and so forth.

    The IDP Series appliance processes Layer 2 traffic as follows:

    • Processes address resolution protocol (ARP) and Layer 2 packets related to internet protocol (IPv4) traffic.
    • Drops all other Layer 2 traffic, unless the Layer 2 bypass setting is enabled.
    • When Layer 2 bypass is enabled, the IDP Series device passes through Layer 2 packets related to bypass and high availability deployments (such as heartbeats and Bridge Protocol Data Unit (BPDU) packets), non-IPv4 packets (such as IPv6), and packets related to switching and routing protocols, such as internetwork packet exchange (IPX), Cisco Discovery Protocol (CDP), and interior gateway routing protocol (IGRP).

    The IDP Series appliance processes TCP/IP traffic according to implicit rules related to traffic anomaly detection and explicit rules specified in the security policy.

    Internal Bypass

    The Internal Bypass feature is intended for deployments where a network security policy privileges availability over security. In the event of failure or graceful shutdown, traffic bypasses the IDP processing engine and is passed through the IDP Series device uninspected.

    The Internal Bypass feature operates through a timing mechanism. When enabled, the timer on traffic interfaces counts down to a bypass trigger point. When the IDP Series appliance is turned on and available, it sends a reset signal to the traffic interface timer so that it does not reach the bypass trigger point. If the IDP OS encounters failure, then it fails to send the reset signal, the timer counts down to the trigger point, and the traffic interfaces enter a bypass state. If the IDP Series appliance is shut down gracefully, the traffic interfaces immediately enter bypass.

    With copper NICs, the bypass mechanism joins the interfaces mechanically to form a circuit that bypasses IDP processing. Packets traverse the IDP Series device as if the path from eth2 (receiving interface) to eth3 (transmitting interface) were a crossover cable. No packet inspection or processing occurs.

    With fiber NICs, the bypass mechanism uses optical relays instead of copper relays. During normal operations, the optical relays send light to the built-in optical transceivers. When bypass is triggered, the relays flip state, and the light signal is redirected to optically connect the two external ports.

    Figure 1 compares the data path when Internal Bypass is enabled but not activated with the data path when Internal Bypass is activated.

    Figure 1: Internal Bypass


    When the IDP OS resumes healthy operations, it sends a reset signal to the traffic interfaces, and the interfaces resume normal operation.

    Best Practice: Our field engineers report that bypass occurs faster when copper NICs are configured with fixed speed and duplex settings. In contrast, when copper NICs are set to auto, they must renegotiate with their peers when recovering from bypass. We recommend that you configure fixed speed and duplex settings. Be careful to observe the cabling guidelines (straight-through or crossover) provided in the installation documentation, and to set the same speed and duplex settings on the IDP Series interfaces and on the network devices to which they are directly connected. To check speed and duplex settings, use the Linux ethtool command or dmesg | grep -i duplex. (Do not use the mii-tool command; on IDP OS, mii-tool results are not reliable.) To configure NIC speed and duplex settings, use the ACM Configure Network Interface Hardware page.

    Note: You can enable bypass for all copper interface cards (onboard or I/O module) and for select fiber interface cards that support bypass. Refer to the product datasheets or installation documentation for information on which fiber interface cards support bypass.

    External Bypass

    The External Bypass setting supports third-party external bypass units. Deployments with external bypass units depend on the external bypass unit to check the status of the IDP Series appliance and to decide whether to send packets through or around the IDP Series device. Most external bypass units test for availability by sending heartbeat packets through the device. If the packets reach the expected destination, the external bypass unit allows the traffic to continue through the IDP Series appliance. If the packets fail to reach the expected destination, the external bypass unit determines that the IDP Series device is unavailable and forwards traffic around it. The IDP Series supports external bypass solutions by allowing the heartbeat traffic to pass through the device regardless of the Layer 2 Bypass setting. In other words, if you disable Layer 2 Bypass and enable External Bypass, most Layer 2 traffic is dropped but the heartbeat traffic used in the external bypass deployment is passed through. Figure 2 compares the data path when External Bypass is enabled but not activated with the data path when External Bypass is activated.

    Figure 2: External Bypass

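As an added illustration (not IDP OS code), the following Python model applies the Layer 2 handling described in the Layer 2 Bypass and External Bypass sections to raw Ethernet frames. It assumes at most one 802.1Q tag and, because the page does not say how heartbeat frames are recognised, uses a constructed placeholder EtherType for the external bypass unit's heartbeats.

```python
import struct
from dataclasses import dataclass

ETH_IPV4, ETH_ARP, ETH_IPV6, ETH_8021Q = 0x0800, 0x0806, 0x86DD, 0x8100
# Assumption: the external bypass unit marks its heartbeats with this EtherType
# (IEEE local experimental value, constructed for the example).
HEARTBEAT_ETHERTYPE = 0x88B5


@dataclass
class L2Settings:
    layer2_bypass: bool = False    # the "Layer 2 Bypass" setting
    external_bypass: bool = False  # the "External Bypass" setting


def ethertype(frame: bytes) -> int:
    """Return the EtherType of a frame, skipping one 802.1Q VLAN tag if present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    et = struct.unpack_from("!H", frame, 12)[0]
    if et == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        et = struct.unpack_from("!H", frame, 16)[0]
    return et


def disposition(frame: bytes, cfg: L2Settings) -> str:
    """Return 'process', 'pass' or 'drop' per the documented Layer 2 rules."""
    et = ethertype(frame)
    if et in (ETH_ARP, ETH_IPV4):
        return "process"           # ARP and IPv4 go to the inspection engine
    if cfg.external_bypass and et == HEARTBEAT_ETHERTYPE:
        return "pass"              # heartbeats pass even with Layer 2 Bypass off
    return "pass" if cfg.layer2_bypass else "drop"


def make_frame(et: int, tagged: bool = False) -> bytes:
    """Build a minimal constructed frame (dummy MACs, zero payload) with EtherType et."""
    hdr = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if tagged:
        hdr += struct.pack("!HH", ETH_8021Q, 100)  # VLAN 100, constructed
    return hdr + struct.pack("!H", et) + bytes(46)


if __name__ == "__main__":
    for name, et in (("IPv4", ETH_IPV4), ("IPv6", ETH_IPV6), ("heartbeat", HEARTBEAT_ETHERTYPE)):
        for cfg in (L2Settings(), L2Settings(external_bypass=True), L2Settings(layer2_bypass=True)):
            print(f"{name:9s} {cfg} -> {disposition(make_frame(et), cfg)}")
```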

    Peer Port Modulation

    The peer port modulation (PPM) feature supports deployments where routers monitor link state to make routing decisions. In these deployments, a router might be set to monitor link state on only one side of the IDP Series device. Suppose, for example, the router monitors only the IDP inbound interface. Suppose the inbound interface remains up but the outbound interface goes down. The router watching the inbound link would detect an available link and forward traffic to the IDP Series device. Traffic would be dropped at the point of failure—the outbound link. PPM propagates a link loss state for one traffic interface to all interfaces in the IDP virtual router.

    When PPM is enabled, a PPM daemon monitors the health of IDP traffic interfaces belonging to the same virtual router. If a traffic interface loses link, the PPM process turns off any associated network interfaces in the same virtual router so that other network devices detect that the virtual router is down and route around it. For example, assume you have enabled PPM and configured IDP virtual routers as shown in Figure 3.

    Figure 3: Peer Port Modulation


    Suppose there is a network problem and eth3 goes down. The PPM daemon detects this and turns off the other interface in vr0: eth2. The interfaces in vr1, vr2, and vr3 are unaffected. After you fix the problem with eth3, the PPM daemon detects this and turns on eth2.

    Note: The PPM feature is independent of the bypass feature (NIC state setting). PPM is related to the status of the link, not the status of the IDP operating system. A link can be down even when the IDP operating system is healthy. Note, however, that PPM runs as a control plane process and operates only when the IDP Series device is turned on and the control plane is available. If the IDP operating system is unavailable, the PPM feature is also unavailable, regardless of the setting for the NIC state.
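As an added illustration (not the IDP OS PPM daemon), this Python model propagates link loss within a virtual router the way the text describes and honours the note above that PPM does nothing while the control plane is unavailable. The membership of vr1 is assumed; the page names only eth2 and eth3 in vr0.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Iface:
    link: bool = True       # carrier detected on the physical port
    admin_up: bool = True   # False once PPM has turned the port off


class PpmDaemon:
    """Per-virtual-router link propagation, as described for PPM."""

    def __init__(self, vrs: Dict[str, List[str]], control_plane_up: bool = True):
        self.vrs = vrs
        self.ifaces = {n: Iface() for members in vrs.values() for n in members}
        self.control_plane_up = control_plane_up  # PPM is a control plane process

    def _vr_of(self, name: str) -> str:
        return next(vr for vr, members in self.vrs.items() if name in members)

    def link_event(self, name: str, link: bool) -> None:
        """Record a carrier change; PPM only reacts while the control plane runs."""
        self.ifaces[name].link = link
        if self.control_plane_up:
            self._reconcile(self._vr_of(name))

    def _reconcile(self, vr: str) -> None:
        members = self.vrs[vr]
        any_link_lost = any(not self.ifaces[m].link for m in members)
        for m in members:
            # all ports of the virtual router go down together and come back together
            self.ifaces[m].admin_up = not any_link_lost

    def operational(self, name: str) -> bool:
        """True when the peer device on this port sees the link as up."""
        i = self.ifaces[name]
        return i.link and i.admin_up


if __name__ == "__main__":
    # vr0 membership from the text; vr1 membership is assumed for the example.
    ppm = PpmDaemon({"vr0": ["eth2", "eth3"], "vr1": ["eth4", "eth5"]})
    ppm.link_event("eth3", False)   # eth3 loses link
    print({n: ppm.operational(n) for n in ppm.ifaces})  # eth2 and eth3 down, vr1 unaffected
    ppm.link_event("eth3", True)    # problem fixed
    print({n: ppm.operational(n) for n in ppm.ifaces})  # eth2 back up
```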

    Best Practice: Network issues are easier to diagnose and correct when the link state is the same on both links in an interface pair. We recommend you enable PPM for (non-redundant) in-path deployments.

    Published: 2011-04-26