Deploying Sensors In Tap Mode - McAfee M-1250 - Network Security Platform Deployment Manual

McAfee® Network Security Platform 6.0
Fail-open option for GE ports
Gigabit Ethernet ports on Sensors require the connection of an optional optical bypass
switch and controller card for In-line Fail-open functionality; no extra hardware is required
for In-line Fail-closed mode. This hardware is contained in the
Kit,
For more information on hardware connection, see
And, for more information on port configuration, see
Fail-open option for FE ports
Fast Ethernet ports require the use of fail-closed dongles for fail-closed mode; no extra
hardware is required for In-line Fail-open mode for FE ports.
Layer 2 passthru mode
Fail-open operation provides a measure of network integrity when a Sensor fails. When a
Sensor with ports operating in In-line Fail-Open Mode experiences a critical fault, the
Sensor reboots; during the reboot, the Sensor goes into fail-open mode until it restarts. If a
critical fault occurs again, another reboot cycle is initiated. This can continue until acted
upon through human intervention.
You can enable a failure threshold to automatically initiate fail-open, or passthru, mode by
configuring the
interface. This feature enables you to set a threshold on the number of critical failures
within a configured period of time that the Sensor can experience before being forced into
passthru mode at Layer 2.
For example, you configure Layer 2 Passthru mode to enable if there are three critical
faults in any 10-minute period. At minutes 1, 3, and 7, faults occur; L2 mode is enabled.
Here is another scenario: at minutes 1, 4, 11, and 13, faults occur. In this case, the last
three faults occurred within 10 minutes of each other, thus the Sensor enters L2 mode.
Sensor reboot may take a few minutes to complete. This downtime is not counted against
the L2 duration; only Sensor uptime is counted.
The L2 feature is supported by all models of Sensor. For more information, see Enabling
Layer2 Settings,

Deploying Sensors in tap mode

A tap—internal or external—is a passive wiring device that copies traffic on full-duplex
Ethernet segments, and sends this copied traffic information to the S processors for
analysis.
Full-duplex taps split a link into separate transmit and receive channels. Sensors provide
multiple monitoring interfaces to monitor the two channels, and Sensor ports are wired in
pairs in order to accommodate full-duplex taps. Two monitoring ports are used to monitor
one full-duplex link using a tap.
sold separately.
Layer 2 Passthru
Device Configuration Guide
Gigabit Optical Fail-Open Bypass Kit Guide
Manager Server Configuration Guide
(L2) feature from the Network Security Platform user
.
18
Sensor Deployment Modes
Optical Bypass Gigabit Fail-open
.
.