Reg. Cisco IPS Inline VLAN Mode

Jun 10th, 2008


Currently my Cisco IPS 4240 version 5.1(5) is in Promiscuous mode. Soon I will be configuring it in Inline mode. I will be using only 1 IPS interface and will be configuring VLANs in the switch and connecting the trunk port to the Gig0/0 of the IPS. The issue is that if the IPS goes down, will the packet flow continue to run smoothly, i.e. will the "Auto bypass mode" be applicable for this scenario too and let the traffic go without inspection?


marcabal Tue, 06/10/2008 - 15:39

Software ByPass does function in inline vlan pair mode.

However, keep in mind that software bypass does have limitations in both inline vlan pair as well as the traditional inline interface pair modes.

If the analysis engine (also known as sensorApp) stops analyzing traffic, but the rest of the system is still functioning, then software bypass can automatically kick in and pass the traffic without analysis.

BUT if the problem is not just with the analysis engine, but is instead with the base operating system or drivers, then the software bypass functionality will NOT work. The software bypass functionality is done by the software NIC drivers, and so the NIC drivers and base operating system must be functional for the software bypass functionality to work. The sensor losing power, or being powered off, is one of the most basic scenarios that can cause this.

So a good design will usually add an additional bypass mechanism to cover these scenarios where the os and/or driver are not operational.

In inline interface pair mode the IPS-4260 and IPS-4270 have hardware-bypass-capable copper interfaces, where the additional mechanism is built directly into the hardware and can take over when the "software" bypass can't.

For appliances using inline interface pairs without hardware bypass interfaces built-in there is the possibility of purchasing external hardware bypass switches to perform the same functionality.

When a hardware bypass switch is not an option, there are still additional possibilities.

One option is the use of a wire to also connect the same 2 devices, and then configuring some sort of network failover to the wire to handle the situation. A typical method is to place the sensor between 2 switches, and also put a wire between the same 2 switches. Then configure spanning tree to prefer the sensor ports. This way if the sensor goes down, then spanning-tree will start passing packets across the wire. So the wire in the end can mimic a lot of what a hardware bypass switch would provide you.

With inline vlan pairs the hardware bypass switch (or interfaces) are not an option. But the wire might still be an option. The wire can do the vlan translation, but the wire can be used to connect an access port from each vlan to get similar functionality. Once again you would need to configure spanning-tree to prefer the sensor interface doing inline vlan pairs and consider the wire ports as secondary paths.

And since the wires are connecting to access ports, this means you need 1 wire for every vlan pair the sensor is monitoring.

So if monitoring 10 vlan pairs, then you will need 10 wires with each connecting access ports for the 2 vlans in one inline vlan pair.

ankurs2008 Wed, 06/11/2008 - 12:07

hi marcabal

Thanks for the reply. 1) My concern is that I have configured the sensor in Inline mode via VLAN pairing. If the power goes down / the sensor gets shut down unexpectedly, will the traffic passing through it continue to flow or not (consider the sensor in "Auto" bypass mode)?


I have tested my setup by using one L2 switch and creating 2 VLANs in the switch. The trunk port of the switch (assigned with these 2 VLANs) was connected to gig 0/0 of the IPS. I have assigned the VLAN pairs to vs0. Then I connected laptop 1 to switch port 19 (vlan 9) and laptop 2 to switch port 20 (vlan 10). Tried pinging from laptop 1 to 2 and the ping was happening. The sensor was in "Auto" bypass mode. Then I unassigned the VLAN pairing from vs0, and the ping was still happening. After that I reassigned the VLAN pair again to vs0 and changed the BYPASS mode to "Off", and ICMP was still happening. Please let me know if this is normal.



marcabal Wed, 06/11/2008 - 13:46

Perfectly normal. Your test does not test the Software ByPass feature.

The confusion is in how Software ByPass and Virtual Sensor assignment are related.

If ByPass is set ON (not Auto, but specifically ON) then the traffic will be software bypassed regardless of whether or not the analysis engine is running or whether the inline pair is assigned to any virtual sensors.

The driver does the bypass, and never even attempts to send it to the analysis engine.

If Software ByPass is set to Auto OR Off, the driver will always attempt to send the packets to the analysis engine.

The only difference between Auto and Off is what happens when the analysis engine STOPS pulling new packets from the driver.

With Software ByPass Auto, the driver will start passing the packets straight through and not send them to analysis engine.

With Software ByPass Off, the driver will bring the link down on the NICs until analysis engine is able to start receiving packets again.

So you see that Software ByPass is a function of the NIC driver.

Whether or not the pair is actually assigned to a virtual sensor is UNKNOWN by the NIC driver itself.

Whether or not the inline pair is assigned to a virtual sensor is solely a function of the analysis engine. If the analysis engine is running, then the driver is always going to send it the packets. The analysis engine then checks to see if the packets should be monitored. If the inline pair is assigned to a virtual sensor then it is monitored before being passed back to the driver for transmit.

IF the inline pair is NOT assigned to a virtual sensor, then the packet is STILL passed back to the driver for transmit.

So an inline pair that is NOT assigned to a virtual sensor will STILL have packets passed through if the analysis engine is running. So long as the analysis engine is running, the NIC driver in Software ByPass Auto or Off does not care whether or not it is actually monitored. The driver only knows that it must pass the packet to the analysis engine and the analysis engine will send the packet back for transmit.

So adding and removing inline pairs from virtual sensors does NOT test the Software ByPass feature. The packets will always be passed through so long as analysis engine is running.

If analysis engine stops passing traffic, then software bypass kicks in and all inline pairs (whether monitored or not) will be treated the same depending on whether bypass is Auto or Off.

The only way to really test Software ByPass is to simulate an actual failure of the analysis engine.

To do this:

create a service account

login with service account

switch to user root (su - root)

The root password is the same as the service account password.

Execute "ps -ef" to find the pid of the sensorApp process (which is the analysis engine)

Now execute "kill -9 ###" replacing the ### with the pid of the sensorApp process.

Now the Software ByPass functionality should kick in.

You can always run "show int" to see the current running status of the Software ByPass feature in the driver.

It will be either On, Off, Auto_On or Auto_Off.

Auto_On and Auto_Off are the 2 running states for the Auto configuration. Auto_Off is when the analysis engine is working, and Auto_On is when the analysis engine is not working.
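The driver/analysis-engine behaviour marcabal describes above, written out as a small model so the outcome of each combination (bypass setting, engine running or killed, pair assigned or not, OS alive or powered off) can be checked. This is an added illustration, not Cisco code; the class and function names and the outcome labels are this example's own, and the `show int` states follow the post.

```python
from dataclasses import dataclass


@dataclass
class InlinePair:
    """One inline VLAN pair (or interface pair) on the sensor (model, not Cisco's)."""
    bypass: str              # configured Software ByPass: "on", "auto" or "off"
    engine_running: bool     # is sensorApp (the analysis engine) pulling packets?
    assigned_to_vs: bool     # is the pair assigned to a virtual sensor?
    os_running: bool = True  # base OS and NIC drivers alive (False = power off)


def driver_state(pair: InlinePair) -> str:
    """Running bypass state as 'show int' reports it: On, Off, Auto_On or Auto_Off."""
    if not pair.os_running:
        return "Down"        # no driver left to report anything
    if pair.bypass in ("on", "off"):
        return pair.bypass.capitalize()
    if pair.bypass == "auto":
        return "Auto_Off" if pair.engine_running else "Auto_On"
    raise ValueError(f"unknown bypass setting {pair.bypass!r}")


def forward(pair: InlinePair) -> str:
    """Fate of a packet arriving on the pair:
    'inspected', 'passed_unmonitored' or 'link_down'."""
    state = driver_state(pair)
    if state == "Down":
        return "link_down"            # software bypass needs a working OS/driver
    if state in ("On", "Auto_On"):
        return "passed_unmonitored"   # driver bypasses, engine never sees it
    # "Off" or "Auto_Off": the driver always hands the packet to the engine
    if not pair.engine_running:
        return "link_down"            # Off with a dead engine: NICs brought down
    return "inspected" if pair.assigned_to_vs else "passed_unmonitored"


def ping_test_outcomes() -> list:
    """The three steps of the ping test in the thread; engine running throughout."""
    return [
        forward(InlinePair("auto", engine_running=True, assigned_to_vs=True)),
        forward(InlinePair("auto", engine_running=True, assigned_to_vs=False)),
        forward(InlinePair("off", engine_running=True, assigned_to_vs=True)),
    ]


def engine_killed_outcomes() -> dict:
    """Same pair after sensorApp is killed: only now does the setting matter."""
    return {b: forward(InlinePair(b, engine_running=False, assigned_to_vs=True))
            for b in ("on", "auto", "off")}
```

All three ping-test steps forward the packet (two inspected, one passed unmonitored), which is why the ping never stopped; the bypass setting only changes the result once the engine is gone.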

mherald Sun, 06/15/2008 - 22:22

Keep in mind ... the auto bypass feature only functions when electricity is supplied to the unit and it is running ... additionally you lose throughput when going in / out the same interface (this may have been fixed recently, historically).


