Which statement about the 4-port GigabitEthernet card with hardware bypass is true?
A.
Hardware bypass only works with inline interface pairs.
B.
Hardware bypass is only supported on the Cisco IPS 4270 appliance.
C.
Hardware bypass is independent from software bypass.
D.
Hardware bypass is enabled if software bypass is configured to “OFF”.
E.
Hardware bypass is supported between any of the four GigabitEthernet ports
Explanation:
Hardware Bypass
This section describes the 4GE bypass interface card and its configuration restrictions. It contains the following topics:
·4GE Bypass Interface Card
·Hardware Bypass Configuration Restrictions
4GE Bypass Interface Card
IPS-4260 and IPS 4270-20 support the 4-port GigabitEthernet card (part number IPS-4GE-BP- INT=) with hardware bypass. This 4GE bypass interface card
supports hardware bypass only between ports 0 and 1 and between ports 2 and 3.
Note To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<- >2/2 and 2/1<->2/3.
Hardware bypass complements the existing software bypass feature in Cisco IPS. The following conditions apply to hardware bypass and software bypass:
·When bypass is set to OFF, software bypass is not active. For each inline interface for which hardware bypass is available, the component interfaces are set to
disable the fail-open capability. If SensorApp fails, the sensor is powered off, reset, or if the NIC interface drivers fail or are unloaded, the paired interfaces enter thefail-closed state (no traffic flows through inline interface or inline VLAN subinterfaces).
·When bypass is set to ON, software bypass is active. Software bypass forwards packets between the paired physical interfaces in each inline interface and
between the paired VLANs in each inline VLAN subinterface. For each inline interface on which hardware bypass is available, the component interfaces are set to
standby mode. If the sensor is powered off, reset, or if the NIC interfaces fail or are unloaded, those paired interfaces enter fail-open state in hardware (traffic flows
unimpeded through inline interface). Any other inline interfaces enter fail-closed state.
·When bypass is set to AUTO (traffic flows without inspection), software bypass is activated if SensorApp fails.
For each inline interface on which hardware bypass is available, the component interfaces are set to standby mode. If the sensor is powered off, reset, or if the NIC
interfaces fail or are unloaded, those paired interfaces enter fail-open state in hardware. Any other inline interfaces enter the fail- closed state.
Note To test fail-over, set the bypass mode to ON or AUTO, create one or more inline interfaces and power down the sensor and verify that traffic still flows through
the inline path.
Hardware Bypass Configuration Restrictions
To use the hardware bypass feature on the 4GE bypass interface card, you must pair interfaces to support the hardware design of the card. If you create an inline
interface that pairs a hardware- bypass-capable interface with an interface that violates one or more of the hardware-bypass configuration restrictions, hardware
bypass is deactivated on the inline interface and you receive a warning message similar to the following:
Hardware bypass functionality is not available on Inline-interface pair0. Physical-interface GigabitEthernet2/0 is capable of performing hardware bypass only when
paired with GigabitEthernet2/1, and both interfaces are enabled and configured with the same speed and duplex settings.
The following configuration restrictions apply to hardware bypass:
·The 4-port bypass card is only supported on IPS-4260 and IPS 4270-20. ·Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline
VLAN pairs.
·Fail-open hardware bypass is available on an inline interface if all of the following conditions are met:
Both of the physical interfaces support hardware bypass. Both of the physical interfaces are on the same interface card. The two physical interfaces are associated
in hardware as a bypass pair. The speed and duplex settings are identical on the physical interfaces. Both of the interfaces are administratively enabled.
·Autonegotiation must be set on MDI/X switch ports connected to IPS-4260 and IPS 4270-20. You must configure both the sensor ports and the switch ports for
autonegotiation for hardware bypass to work.
The switch ports must support MDI/X, which automatically reverses the transmit and receive lines if necessary to correct any cabling problems. The sensor is only
guaranteed to operate correctly with the switch if both of them are configured for identical speed and duplex, which means that the sensor must be set for
autonegotiation too.