Hardware Bypass Network Modules
Note
• FTW Ports can be used as normal ports in routed mode (not only inline NGIPS functionality).
• FTW Ports can be used to form port-channels across different network modules on the same firewall.
Note
Hardware bypass is only supported in inline mode. Also, hardware bypass support depends on your software
application.
Note
When the appliance switches from normal operation to hardware bypass or from hardware bypass back to
normal operation, traffic may be interrupted for several seconds. A number of factors can affect the length of
the interruption; for example, behavior of the optical link partner such as how it handles link faults and
debounce timing; spanning tree protocol convergence; dynamic routing protocol convergence; and so on.
During this time, you may experience dropped connections.
There are three configuration options for hardware bypass network modules:
• Passive interfaces—Connection to a single port.
For each network segment you want to monitor passively, connect the cables to one interface. This is
how the nonhardware bypass network modules operate.
• Inline interfaces—Connection to any two like ports (10 Gb to 10 Gb for example) on one network module,
across network modules, or fixed ports.
For each network segment you want to monitor inline, connect the cables to pairs of interfaces.
• Inline with hardware bypass interfaces—Connection of a hardware bypass paired set.
For each network segment that you want to configure inline with fail-open, connect the cables to the
paired interface set.
For the 40-Gb network module, you connect the two ports to form a paired set. For the 1/10-Gb network
modules, you connect the top port to the bottom port to form a hardware bypass paired set. This allows
traffic to flow even if the security appliance fails or loses power.
Note
If you have an inline interface set with a mix of hardware bypass and nonhardware bypass interfaces, you
cannot enable hardware bypass on this inline interface set. You can only enable hardware bypass on an inline
interface set if all the pairs in the inline set are valid hardware bypass pairs.
For More Information
• See 40-Gb Network Module with Hardware Bypass, on page 23 for a description of the 40-Gb network module.
• See 10-Gb SR/10-Gb LR Network Module with Hardware Bypass, on page 24 for a description of the 1-Gb SX, 10-Gb SR and LR network modules.
Cisco Firepower 9300 Hardware Installation Guide, Overview