H3C SecPath M9000 Comware 7 Web configuration guide (R9153P38 R9724P38 R9001P38 E9153P38)-6W401
06-Network
03-Interface pairs

Interface pairs

 

This help contains the following topics:

·     Introduction

¡     Forwarding of tunneled packets

¡     VLAN ID check

¡     Security service bypass

·     Restrictions and guidelines

Introduction

The interface pair feature monitors traffic at the data link layer. It is typically used on security devices. Layer 2 traffic arriving at a device is redirected to a security device, filtered, and then forwarded toward its destination.

The following forwarding modes are supported:

·     Reflect-type forwarding—Forwards a packet through the receiving port of the packet.

·     Blackhole-type forwarding—Drops the received packets.

·     Forward-type forwarding—Forwards a packet through a port that is different from the receiving port of the packet.

Forwarding of tunneled packets

By default, tunneled packets are forwarded based on the tunnel headers.

You can configure the device to forward tunneled packets based on the original packet headers.

VLAN ID check

This feature enables the device to check the VLAN ID of each packet that matches a session entry during inline forwarding.

·     With VLAN ID check enabled, the device permits a packet only if its VLAN ID is the same as the VLAN ID in the matching session entry.

·     With VLAN ID check disabled, the device permits a packet if it matches a session entry.

On a hot backup system, you must disable VLAN ID check if the traffic incoming interfaces on the primary and secondary devices belong to different VLANs. If you enable VLAN ID check, traffic cannot match session entries correctly after a primary/secondary device switchover occurs or when asymmetric-path traffic exists.
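To make the VLAN ID check and the hot backup caveat concrete, here is an added Python model of inline session matching (this is not H3C code; the session key fields, the IP addresses and the VLAN IDs are constructed for illustration). It shows that a session created on VLAN 10 and synchronized to the secondary device no longer matches when the same flow arrives on VLAN 20 after a switchover, unless VLAN ID check is disabled.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed session key: (src_ip, dst_ip, src_port, dst_port, proto).
FlowKey = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    vlan_id: int

    def key(self) -> FlowKey:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


class InlineSessionTable:
    """Models an interface pair's session lookup during inline forwarding."""

    def __init__(self, vlan_check: bool) -> None:
        self.vlan_check = vlan_check
        # flow key -> VLAN ID recorded when the session entry was created
        self.sessions: Dict[FlowKey, int] = {}

    def create(self, pkt: Packet) -> None:
        self.sessions[pkt.key()] = pkt.vlan_id

    def permit(self, pkt: Packet) -> bool:
        recorded = self.sessions.get(pkt.key())
        if recorded is None:
            return False  # no matching session entry
        if self.vlan_check and recorded != pkt.vlan_id:
            return False  # VLAN ID differs from the session entry: dropped
        return True  # check disabled, or VLAN ID matches


def hot_backup_scenario(vlan_check: bool) -> Tuple[bool, bool]:
    """Primary creates a session on VLAN 10 and synchronizes it to the secondary.
    After a switchover (or on an asymmetric path) the secondary receives the same
    flow on VLAN 20. Returns (permitted on primary, permitted on secondary)."""
    primary = InlineSessionTable(vlan_check)
    secondary = InlineSessionTable(vlan_check)
    first = Packet("10.1.1.10", "10.2.2.20", 40000, 443, "tcp", vlan_id=10)
    primary.create(first)
    secondary.sessions = dict(primary.sessions)  # session synchronization
    later = Packet("10.1.1.10", "10.2.2.20", 40000, 443, "tcp", vlan_id=20)
    return primary.permit(first), secondary.permit(later)
```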

Security service bypass

By default, packets are processed by the security service first before being forwarded according to the configured bridge forwarding mode.

The security service bypass feature enables user traffic to bypass security service processing of a security device and be forwarded directly according to the configured bridge forwarding mode.

Security service bypass can be classified into internal bypass and external bypass.

·     Internal bypass—User traffic is sent to the security device but is not processed by it. The security device directly forwards or drops the traffic according to the configured bridge forwarding mode.

·     External bypass—User traffic is forwarded by the Power Free Connector (PFC) device directly without passing through the security device.

Internal bypass

User traffic is sent to the security device but is not processed by it. The security device directly forwards or drops the traffic according to the configured bridge forwarding mode.

Internal bypass is available for interface pairs operating in reflect-type, blackhole-type, or forward-type forwarding mode.

External bypass

User traffic is forwarded by the Power Free Connector (PFC) device directly without passing through the security device.

External bypass is available only for interface pairs using the forward-type forwarding mode.

External bypass can be further classified into the following types:

·     Static external bypass—External bypass takes effect immediately when configured and must be manually disabled.

·     Dynamic external bypass—External bypass is enabled or disabled automatically based on the status of the links between the security device and the PFC. The security device polls the link status periodically and enables external bypass if one or both links go down. External bypass is disabled automatically if the failed links come up.

Restrictions and guidelines

·     Only a Layer 2 or Layer 3 Ethernet interface or a Layer 2 aggregate interface can be added to an interface pair operating in reflect-type, blackhole-type, or forward-type forwarding mode.

·     For a forward-type interface pair that is automatically created upon insertion of a hardware bypass subcard, you can enable only internal bypass for the interface pair.

·     Support for the external bypass feature depends on the device model.
