IBM Security 10G Network Active Bypass
User Guide
Version 3.4

Summary of Contents for IBM 10G Network Active Bypass

  • Page 1 IBM Security 10G Network Active Bypass User Guide Version 3.4...
  • Page 2 Copyright statement © Copyright IBM Corporation 2011, 2014. U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Publication Date: April 2014...
  • Page 3: Table Of Contents

    Active Bypass unit 1; Backup or restore settings 24; About the 10G Network Active Bypass unit; Firmware updates 25; Front panel; Port statistics
  • Page 5: Homologation Statement - Regulation Notice

    Homologation statement - regulation notice This product is not intended to be connected directly or indirectly by any means whatsoever to interfaces of public telecommunications networks.
  • Page 7: Safety, Environmental, And Electronic Emissions Notices

    It is the responsibility of the customer to ensure that the outlet is correctly wired and grounded to prevent an electrical shock. (D004) DANGER...
  • Page 8 Electrical voltage and current from power, telephone, and communication cables are hazardous. To avoid a shock hazard: Connect power to this unit only with the IBM ISS provided power cord. Do not use the IBM ISS provided power cord for any other product.
  • Page 9 Exchange only with the IBM ISS-approved part. Recycle or discard the battery as instructed by local regulations. In the United States, IBM ISS has a process for the collection of this battery. For information, call 1-800-426-4333. Have the IBM ISS part number for the battery unit available when you call.
  • Page 10 US English source. Before using a US English publication to install, operate, or service this IBM ISS product, you must first become familiar with the related safety information in the booklet. You should also refer to the booklet any time you do not clearly understand any safety information in the US English publications.
  • Page 11 (IT) equipment to responsibly recycle their equipment when it is no longer needed. IBM offers a variety of product return programs and services in several countries to assist equipment owners in recycling their IT products. Information on IBM ISS product recycling offerings can be found on IBM's Internet site at http://www.ibm.com/ibm/environment/...
  • Page 12 States, go to http://www.ibm.com/ibm/environment/products/batteryrecycle.shtm or contact your local waste disposal facility. In the United States, IBM has established a return process for reuse, recycling, or proper disposal of used IBM sealed lead acid, nickel cadmium, nickel metal hydride, and other battery packs from IBM equipment.
  • Page 13 Note: Properly shielded and grounded cables and connectors must be used in order to meet FCC emission limits. IBM is not responsible for any radio or television interference caused by using other than recommended cables and connectors, by installation or use of this equipment other than as specified in the installation manual, or by any other unauthorized changes or modifications to this equipment.
  • Page 14 This product is in conformity with the protection requirements of EU Council Directive 2004/108/EEC on the approximation of the laws of the Member States relating to electromagnetic compatibility. IBM ISS cannot accept responsibility for any failure to satisfy the protection requirements resulting from a non-recommended modification of the product, including the fitting of non-IBM ISS option cards.
  • Page 15 This product is a Class A Information Technology Equipment and conforms to the standards set by the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). In a domestic environment, this product may cause radio interference in which case the user may be required to take adequate measures.
  • Page 17: About This Publication

    About this publication This publication describes the concepts and capabilities of the IBM Security 10G Network Active Bypass unit. Audience This publication is intended for network system administrators who are responsible for installing and configuring network and system appliances. A fundamental knowledge of network policies and IP network configuration is helpful.
  • Page 18: Contacting Ibm Support

    Check IBM Technotes, accessible through the IBM Support Portal. If you are unable to find an answer or a solution in the Support portfolio or in the IBM Technotes, check to be sure your company or organization has an active IBM maintenance contract, and that you are authorized to submit a problem to IBM, before you contact IBM Support.
  • Page 19: Chapter 1. About The 10G Network Active Bypass Unit

    Chapter 1. About the 10G Network Active Bypass unit The 10G Network Active Bypass unit is a 10 Gb external bypass switch that is installed inline with the IBM Security Network Intrusion Prevention System (IPS) appliance. The 10G Network Active Bypass unit can automatically switch to bypass mode to ensure that network traffic continues to flow should the connected Network IPS appliance lose a network link, lose power, or be removed from the network.
  • Page 20 TACACS+ authentication; Syslog support. You can use the management interface to manage and monitor the 10G Network Active Bypass unit from any web browser. The management port for the 10G Network Active Bypass unit has an assigned IP address.
  • Page 21: Front Panel

    This topic describes the settings on the front panel and each of the network segments available for the 10G Network Active Bypass unit. Front panel The following figure illustrates the front panel of the 10G Network Active Bypass unit: Table 1. Front panel Item...
  • Page 22 Network segments You can connect up to four Network IPS appliances to the 10G Network Active Bypass unit. The four network segments work independently. Table 2. Network segments Item Description (1) Appliance port Ports that connect the 10G Network Active Bypass unit to a Network IPS appliance.
  • Page 23: Switching Modes

    Network IPS appliance to port A2 (appliance out). Traffic is then routed through the 10G Network Active Bypass unit at port N2 (network out) and out to the network. This mode also operates in reverse, routing traffic between networks.
  • Page 24: Heartbeat Settings

    Bypass mode In bypass mode, network traffic is sent to port N1 (network in) on the 10G Network Active Bypass unit. The traffic is routed through a closed loop from port N1 (network in) to port N2 (network out) and bypasses the Network IPS appliance.
  • Page 25: Operation Modes

    Operation modes The 10G Network Active Bypass unit operates in four different modes that it uses to pass traffic through itself and through a connected Network IPS appliance. Normal Active Bypass The 10G Network Active Bypass unit remains inline if it receives heartbeat packets within a set time period.
  • Page 26 The 10G Network Active Bypass unit is always in inline mode regardless of the heartbeat state. Network traffic flows from port N1 to port A1 and from port N2 to port A2, but the 10G Network Active Bypass unit does not send heartbeat packets.
  • Page 27: Tap Ports

    TAP port. The TAP ports function as an access port for the 10G Network Active Bypass unit as it collects inline data. From either the management interface or the command line, you can specify which TAP port the 10G Network Active Bypass unit uses and the direction of the traffic.
  • Page 28: Sfp And Sfp+ Transceiver Support

    Table 5. Supported transceivers and orderable transceiver kits (columns: Form Factor, Speed, Mode, IBM Part Number, IBM Orderable PN (kit of 2)). SX (multi-mode): 51J1701, 51J2260. LX (single-mode): 51J1704, 51J2261. SFP+ SR (multi-mode): 46N5368, 46N5338. SFP+ LR (single-mode): 46N5369, 46N5340.
  • Page 29: Chapter 2. Setting Up The 10G Network Active Bypass Unit

    4. Check the Power LEDs on the 10G Network Active Bypass unit to verify that it is receiving power. In the preceding figure, the Run LED shows the system status. While the system boots, a green LED blinks.
  • Page 30: Logging In To The Management Interface

    What to do next You are now ready to configure the 10G Network Active Bypass unit from either the secure web-based management interface or from the command-line interface. Logging in to the management interface The 10G Network Active Bypass unit provides a secure web-based management interface that you can use to configure and to manage options from a web browser.
  • Page 31: Bypass Settings

    When set to "Link," the system uses the link status of the appliance ports to determine the status of the appliance.
  • Page 32 Ethernet type of the heartbeat frame. Use 0x8137 or 0x8138 when IPX heartbeats are used (listed value: 0x88b5). Heartbeat Source MAC: Source MAC address used for heartbeat packets when Etherframe, ICMP, or TCP SYN heartbeat modes are used (listed value: 00:0c:bd:00:00:00).
  • Page 33 TAP port. Note: The 10G Network Active Bypass unit provides seven functioning TAP ports (1 through 7). TAP port 8 is not available for use. 0: Disabled 1: Enabled
  • Page 34: Ha Service

    For each pair, the following information is provided: Table 8. Bond service settings (columns: Field, Description, Default). State: Bonding for the pair is enabled or disabled; default Disabled. First: First segment of the pair. Second: Second segment of the pair.
  • Page 35: Link Sfp

    1 GB Half Duplex: Uses a speed of 1 gigabyte per second, allowing for communication in both directions, but in only one direction at a time, to broadcast speed to connected Network IPS appliances.
  • Page 36: System Logging

    Use the Syslog page to enable the consolidation of log data from various systems into a central repository. System logs contain important information about actions the 10G Network Active Bypass unit takes, due to user interaction, such as a system restart or manual feature configuration, or due to a system action, such as an automatic restart after a firmware update.
  • Page 37: Email Notification Settings

    Heartbeat status template: Template for email notification of heartbeat status change ("Heartbeat segment ${segment}: state=${hb_state_name}, OpMode=${op_mode_name}"). Power template: Template for email notification of power supply status change ("Power: supply ${power_supply} is ${power_state?OFF:ON}").
  • Page 38: Snmp Settings

    Use the SNMP Settings page to configure the SNMP destination IP and SNMPv2 community name, and to enable or disable the SNMP trap function. The 10G Network Active Bypass unit provides an SNMP trap function that can send messages to a trap server when the network segment status or power supply status changes.
  • Page 39: Ntp And Time Zone Settings

    Use the Time Zone page to set the time zone for the 10G Network Active Bypass unit. The following settings are used for setting the time zone for the 10G Network Active Bypass unit: Table 14.
  • Page 41: Chapter 3. Monitoring The 10G Network Active Bypass Unit From The Management Interface

    You can use either the secure web-based management interface or the command-line interface to set and to manage most of the configuration options for the 10G Network Active Bypass unit. This chapter explains the configuration options that are available for you to manage through the web-based management interface.
  • Page 42: Backup Or Restore Settings

    Vendor of the SFP/SFP+ module attached Backup or restore settings Use the Settings page to make a backup file or to return the 10G Network Active Bypass unit to its default settings. The following settings are used for backing up or restoring the 10G Network Active Bypass unit: Table 18.
  • Page 43: Firmware Updates

    2. Check the Status page to verify that the new firmware version is installed. Port statistics Use the Port Statistics page to view port configuration for the 10G Network Active Bypass unit and to view a snapshot of traffic activity. The information on this page is updated every 10 seconds.
  • Page 44: Remote Authentication: Tacacs

    Use the TACACS page to configure settings for the TACACS+ protocol. The TACACS+ (Terminal Access Controller Access Control System Plus) protocol provides access control (separate authentication, authorization, and accounting services) for the 10G Network Active Bypass unit from one or more servers.
  • Page 45: Alerting Capabilities

    Alerting capabilities Under normal conditions, the 10G Network Active Bypass unit does not send notifications. If the status of the 10G Network Active Bypass unit changes, it notifies you about the new status. Table 21. Alert triggers Action Trigger Email...
  • Page 47: Chapter 4. Using The Command-Line Interface

    You can use either the secure web-based management interface or the command-line interface to set and to manage most of the configuration options for the 10G Network Active Bypass unit. This chapter explains the command-line parameters that are available for you to use in order to manage the 10G Network Active Bypass unit from the command-line interface.
  • Page 48: Command-Line Parameters

    Command-line parameters The 10G Network Active Bypass unit uses a command-line interface to configure programmable parameters and monitor the unit status. Permissions required Only the Admin account has permissions to configure and check the system parameters. Command-line parameters You can view and configure system settings with the command-line interface. Press the “Tab” key to show the next available commands.
  • Page 49 Options Description authentication Configure authentication setting bond Configure bond bypass Configure bypass information Configure fan information Configure high availability Configure Link Fault Detection information links Configure link status management-if Configure management interface information notification Configure notification setting Configure sfp information statistics Configure port statistics system...
  • Page 51: Notices

    Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead.
  • Page 52: Trademarks

    Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
  • Page 53: Index

    Fail mode 13; Port Statistics page 25; 100 MB Full Duplex 17; firmware update 25; port status 25; 10G Network Active Bypass unit; Firmware Update page 25; power fail protection 1; audience xvii; front panel 3; back up settings 24...
  • Page 56 Printed in USA...