When inline IPSs are power-cycled...

srue
Level 7

Using the CLI (or GUI) reset command, will network traffic continue to pass through if the IPS is configured for inline mode?

I know I could find out in a matter of minutes, but I'd rather not mess with our live network ;)

1 Accepted Solution

mkirbyii
Level 1

If you issue the reset command from the CLI or gui the sensor will stop passing traffic.

If you need to restart the CIDS daemon you can restart it using a "service" account, su to root and issue /etc/init.d/cids restart. This will restart the sensor processes but still pass traffic.

Hope this helps

M

14 Replies

Thanks, that answers my question.

If you need traffic to traverse your network when the IPS is down, Cisco has partnered with the following hardware bypass vendors.

Finisar Shadow Tap Copper 10/100 

NetOptics Fiber Tap

The OP is using the sensor inline. Please explain how a tap can be used with an inline sensor to provide link failover.

I can't tell from any of the documentation on their website, but do you know if the Finisar will work with the IPSs in inline mode?

Thanks for the Shore Microsystems link... that makes a bit more sense concerning inline protection. I'm just trying to avoid a single point of failure. So of course my next question is: what if the tap itself loses power?

(Thanks for all the helpful responses so far, I just want to make sure I have all the answers and angles covered when I go ask my supervisor for one of these taps.)

-----quote from link

Power may be provided either by the appliance itself for internally mounted units, or an external 12V-power supply for the single port stand-alone unit. Multi-port units contain dual redundant 110/220V AC power supplies.

-----

To answer your question, if the bypass switch loses power it won't pass traffic...any more than the router or switch plugged into it will. I don't think the "internally mounted units" are for Cisco equipment? Anyway, sounds like you want the redundant power supply option.

It depends on your budget and your requirement :) Normally, if you have the budget, you would use multiple IPSs and multiple switches to achieve a high availability architecture; that's the recommended architecture. This ensures that a path is always available to pass data.

I haven't done it but, alternatively, if you put a cable parallel to the hardware TAP in a higher port number on your switch, then spanning tree should reroute a path if your TAP fails.

We do have two 4240 IPSs. I think what I've decided is that the best way to do redundancy is to interconnect our T1s through the IPSs in a manner that will provide redundancy if one IPS fails or is rebooted.

We have four T1s and two IPSs... we have a pair of T1s going to two different segments for redundancy. When I set up the IPSs in inline mode originally, I (for some reason) didn't think about what would happen if the IPS lost power or got rebooted. Thanks again for all the advice here.

marcabal
Cisco Employee

The HW ByPass Switches generally have both Electronic and Mechanical mechanisms for controlling the ByPass functionality.

The Electronic Mechanisms are what the HW ByPass Switch will use while it is receiving power. It will electronically be monitoring the link between itself and the 2 sensor ports (the 2 sensor ports being used for inline monitoring).

If the link goes down, then the HW ByPass Switch can electronically detect the link down, and will ByPass the sensor.

If, however, the HW ByPass Switch itself loses power, then this is when the Mechanical mechanism kicks in.

On power loss the HW ByPass Switch will immediately lose any link to the sensor (ByPassing the sensor regardless of whether or not the sensor is up).

And mechanically the other 2 interfaces of the HW ByPass Switch (the 2 connected to the other devices, aka the switches and/or routers and/or firewalls) will connect to each other and act like a simple wire. The HW ByPass Switch turns into just an expensive wire when it loses power.

So the HW ByPass Switch is capable of passing traffic when it loses power. It will not send traffic to the sensor when it has lost power, but will allow the other 2 devices to send traffic to each other (hence the ByPass).

Now I see there has been confusion between a Tap and a HW ByPass Switch.

These are 2 separate pieces of hardware.

A TAP is used only for promiscuous monitoring. It only Copies packets to the sensor, and can not be used with an InLine sensor for InLine monitoring.

A HW ByPass Switch is only used for InLine monitoring. It sends the real packet through the sensor, and so can not be used with a promiscuous sensor because all packets would go to the sensor and never come back to the HW ByPass Switch.

Some of the confusion is that some vendors like NetOptics produce both Taps and HW ByPass Switches. So when you go to make your purchase you will need to be very clear on whether you want a Tap for promiscuous monitoring or a HW ByPass Switch for InLine monitoring.

What you will also find out is that the technology for Taps and for HW ByPass Switches is complementary. And it would not surprise me if in a year or 2 you would start seeing hybrid boxes that can be configured to work as a Tap OR a HW ByPass Switch (similar to how Cisco IPS Sensors can be configured for promiscuous IDS or inline IPS).
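The fail-closed behaviour of a bare inline sensor (the accepted answer) and the three states of a HW ByPass Switch described in the post above can be written down as a small model and then used to enumerate single points of failure in a topology like the one the original poster describes (two sensors on two redundant segments). The following is an added example, not code from the thread or from Cisco; the topologies, node names, and component names (ips1, bps1, and so on) are constructed assumptions, and the model only encodes the behaviour stated in the posts: a bare inline sensor drops traffic while it is reset, a powered bypass switch routes through the sensor until the sensor link drops, and an unpowered bypass switch mechanically becomes a wire.

```python
"""Fail-open vs fail-closed model for inline IPS paths (added example).

Topologies and component names are constructed assumptions.  Encoded
behaviour, taken from the thread: a bare inline sensor stops passing traffic
when reset (fails closed); a HW ByPass Switch passes traffic through the
sensor while powered and linked, bypasses it electronically when the sensor
link drops, and bypasses it mechanically when the switch loses power.
"""
from collections import deque
from itertools import combinations

# Each edge: (node_a, node_b, attrs).  A monitored edge names its inline
# sensor and, optionally, the HW ByPass Switch wrapped around it.
SINGLE_INLINE = [
    ("wan", "seg_in", {}),
    ("seg_in", "seg_out", {"sensor": "ips", "bypass": None}),
    ("seg_out", "lan", {}),
]

# Two sensors on two redundant segments; only the first has a bypass switch.
REDUNDANT = [
    ("wan", "seg1_in", {}),
    ("seg1_in", "seg1_out", {"sensor": "ips1", "bypass": "bps1"}),
    ("seg1_out", "lan", {}),
    ("wan", "seg2_in", {}),
    ("seg2_in", "seg2_out", {"sensor": "ips2", "bypass": None}),
    ("seg2_out", "lan", {}),
]


def bypass_switch_state(switch_powered, sensor_link_up):
    """Which path a HW ByPass Switch is currently using."""
    if not switch_powered:
        return "mechanical_bypass"   # unpowered relays fall back to a straight wire
    if not sensor_link_up:
        return "electronic_bypass"   # link-down detected, traffic routed around the sensor
    return "through_sensor"


def edge_state(attrs, failed):
    """Return (passes_traffic, bypassed) for one edge given the failed components."""
    sensor = attrs.get("sensor")
    if sensor is None:
        return True, False                      # plain wire or switch port
    sensor_up = sensor not in failed
    bypass = attrs.get("bypass")
    if bypass is None:
        return sensor_up, False                 # bare inline sensor: fails closed
    state = bypass_switch_state(bypass not in failed, sensor_up)
    return True, state != "through_sensor"      # bypass switch: always passes, fails open


def components(topology):
    """All sensors and bypass switches named in a topology."""
    return sorted({attrs[k] for _, _, attrs in topology
                   for k in ("sensor", "bypass") if attrs.get(k)})


def reachable(topology, failed, allow_bypassed=True):
    """BFS from wan to lan over edges that pass traffic (optionally only inspected ones)."""
    adj = {}
    for a, b, attrs in topology:
        passes, bypassed = edge_state(attrs, failed)
        if not passes or (bypassed and not allow_bypassed):
            continue
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    seen, queue = {"wan"}, deque(["wan"])
    while queue:
        node = queue.popleft()
        if node == "lan":
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def assess(failed=(), topology=REDUNDANT):
    """Connectivity, whether an inspected path survives, and which switches are bypassing."""
    failed = set(failed)
    bypassing = sorted(attrs["bypass"] for _, _, attrs in topology
                       if attrs.get("bypass") and edge_state(attrs, failed)[1])
    return {"connected": reachable(topology, failed),
            "inspected_path": reachable(topology, failed, allow_bypassed=False),
            "bypassing": bypassing}


def single_points_of_failure(topology=REDUNDANT):
    """(components whose failure alone cuts wan<->lan, components whose failure fails open)."""
    cuts, fails_open = [], []
    for comp in components(topology):
        result = assess({comp}, topology)
        if not result["connected"]:
            cuts.append(comp)
        elif result["bypassing"]:
            fails_open.append(comp)
    return cuts, fails_open


def unprotected_pairs(topology=REDUNDANT):
    """Failure pairs after which traffic still flows but no inspected path remains."""
    return [pair for pair in combinations(components(topology), 2)
            if assess(pair, topology)["connected"]
            and not assess(pair, topology)["inspected_path"]]
```

Calling `assess({"ips"}, SINGLE_INLINE)` reproduces the accepted answer (a reset on a bare inline sensor cuts the segment), while `single_points_of_failure()` on the redundant layout reports no cuts but flags both the sensor and the bypass switch on segment 1 as fail-open: the link survives, but traffic on that segment is no longer inspected. `unprotected_pairs()` lists the two-component failures that leave the network connected with no inspected path at all, which is the trade-off a bypass switch buys you and the reason the thread recommends redundant sensors over a single bypassed one.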

I didn't see anything definitive in the Shore Micro documentation that indicated that it had mechanical failover, but perhaps they all do this? It would make sense, I guess, that their default off state would be to act like a simple wire. Can you confirm that the Shore Micro products do this?

Thanks,

Matt

This device from NetOptics is exactly what I've been looking for...

http://www.netoptics.com/products/product_family_details.asp?ts_id=&cid=5&pid=140&Section=products&menuitem=5

Knowing to look for a 'bypass switch' instead of a 'tap' device really helped. Thanks!

Yes,

I performed the initial testing for Cisco to validate the interoperability of Cisco IPS Sensors with ShoreMicro HW ByPass Switches over a year ago.

So unless something has changed since my initial testing, the HW ByPass Switch will do a mechanical ByPass if powered Off.
