Interface pairs monitor traffic at the data link layer. They are typically used on security devices. Layer 2 traffic arriving at a device is redirected to a security device, filtered, and then forwarded toward the destination.
The following forwarding modes are supported:
Reflect-type forwarding—Forwards a packet through the receiving port of the packet.
Blackhole-type forwarding—Drops the received packets.
Forward-type forwarding—Forwards a packet through a port that is different from the receiving port of the packet.
By default, tunneled packets are forwarded based on the tunnel headers.
You can configure the device to forward tunneled packets based on the original packet headers.
This feature enables the device to check the VLAN ID of each packet that matches a session entry during inline forwarding.
With VLAN ID check enabled, the device permits a packet only if its VLAN ID is the same as the VLAN ID in the matching session entry.
With VLAN ID check disabled, the device permits a packet if it matches a session entry.
On a hot backup system, you must disable VLAN ID check if the traffic incoming interfaces on the primary and secondary devices belong to different VLANs. If you enable VLAN ID check, traffic cannot match session entries correctly after a primary/secondary device switchover occurs or when asymmetric-path traffic exists.
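The following added example is a simplified Python model of the VLAN ID check described above. It is not device code or vendor configuration. It assumes that hot backup copies session entries, including the stored VLAN ID, from the primary device to the secondary device; the class names, function names, addresses, and VLAN IDs are constructed for illustration.

```python
# Simplified model of VLAN ID check during inline forwarding (added example, not device code).
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class InlineDevice:
    def __init__(self, vlan_id_check: bool):
        self.vlan_id_check = vlan_id_check
        self.sessions: dict[Flow, int] = {}  # flow -> VLAN ID stored in the session entry

    def create_session(self, flow: Flow, vlan_id: int) -> None:
        self.sessions[flow] = vlan_id

    def sync_sessions_from(self, peer: "InlineDevice") -> None:
        # Assumption: hot backup copies session entries, VLAN ID included, to the peer.
        self.sessions.update(peer.sessions)

    def verdict(self, flow: Flow, vlan_id: int) -> str:
        if flow not in self.sessions:
            return "no-session"  # first-packet handling is outside this model
        if self.vlan_id_check and self.sessions[flow] != vlan_id:
            return "deny"  # session matched, but the VLAN ID differs from the entry
        return "permit"


def switchover_verdict(vlan_id_check: bool, primary_vlan: int, secondary_vlan: int) -> str:
    """Verdict on the secondary device for an established flow after a switchover."""
    flow = Flow("192.0.2.10", "198.51.100.20", "tcp", 40000, 443)  # constructed sample
    primary = InlineDevice(vlan_id_check)
    secondary = InlineDevice(vlan_id_check)
    primary.create_session(flow, primary_vlan)
    secondary.sync_sessions_from(primary)
    return secondary.verdict(flow, secondary_vlan)


if __name__ == "__main__":
    for check in (True, False):
        for vlans in ((10, 10), (10, 20)):
            print(f"check={check} vlans={vlans}: {switchover_verdict(check, *vlans)}")
```

With the check enabled and the incoming interfaces in different VLANs, the established flow is denied on the secondary device after the switchover, which is the case the hot backup restriction addresses.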
By default, packets are processed by the security service before being forwarded according to the configured bridge forwarding mode.
The security service bypass feature enables user traffic to bypass security service processing of a security device and be forwarded directly according to the configured bridge forwarding mode.
Security service bypass can be classified into internal bypass and external bypass.
Internal bypass—User traffic is sent to the security device but is not processed by it. The security device directly forwards or drops the traffic according to the configured bridge forwarding mode.
External bypass—User traffic is forwarded by the Power Free Connector (PFC) device directly without passing through the security device.
Internal bypass is available for interface pairs operating in reflect-type, blackhole-type, or forward-type forwarding mode.
External bypass is available only for interface pairs using the forward-type forwarding mode.
External bypass can be further classified into the following types:
Static external bypass—External bypass takes effect immediately when configured and must be manually disabled.
Dynamic external bypass—External bypass is enabled or disabled automatically based on the status of the links between the security device and the PFC. The security device polls the link status periodically and enables external bypass if one or both links go down. External bypass is disabled automatically if the failed links come up.
Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.
Only a Layer 2 or Layer 3 Ethernet interface or a Layer 2 aggregate interface can be added to an interface pair operating in reflect-type, blackhole-type, or forward-type forwarding mode.
For a forward-type interface pair that is automatically created upon insertion of a hardware bypass subcard, you can enable only internal bypass for the interface pair.
Support for the external bypass feature depends on the device model.
Click the Network tab.
In the navigation pane, select Interface Configuration > Inline > Interface Pairs.
Click Create.
The Create Interface Pair page opens.
Create an interface pair.
Table-1 Interface pair configuration items
Item | Description |
Forwarding mode | Select the forwarding mode of the interface pair. Options include:
|
Security service bypass | Enable or disable security service bypass. |
Interface 1 | Select an interface as receiving interface 1 of packets. |
Interface 2 | Select an interface as receiving interface 2 of packets. This field is available only when the Forward mode is selected. |
Click OK. The interface pair will be displayed on the Interface Pairs page.
On the Advanced Settings page, configure advanced settings.
Table-2 Configuration items for advanced settings
Item | Description |
Forward tunneled packets based on | Select the basis for forwarding tunneled packets. Options include:
|
VLAN ID Check | Enable or disable VLAN ID check. |