Interface pairs

This help contains the following topics:

Introduction
vSystem support information
Restrictions and guidelines
Configure interface pairs

Introduction

Interface pairs monitor traffic at the data link layer. It is typically used on security devices. Layer 2 traffic arriving at a device is redirected to a security device, filtered, and then forwarded toward the destination.

The following forwarding modes are supported:

Reflect-type forwarding—Forwards a packet through the receiving port of the packet.
Blackhole-type forwarding—Drops the received packets.
Forward-type forwarding—Forwards a packet through a port that is different from the receiving port of the packet.

Forwarding of tunneled packets

By default, tunneled packets are forwarded based on the tunnel headers.

You can configure the device to forward tunneled packets based on the original packet headers.

VLAN ID check

This feature enables the device to check the VLAN ID of each packet that matches a session entry during inline forwarding.

With VLAN ID check enabled, the device permits a packet only if its VLAN ID is the same as the VLAN ID in the matching session entry.
With VLAN ID check disabled, the device permits a packet if it matches a session entry.

Security service bypass

By default, packets are processed by the security service first before being forwarded according to the configured bridge forwarding mode.

The security service bypass feature enables user traffic to bypass security service processing of a security device and be forwarded directly according to the configured bridge forwarding mode.

Security service bypass can be classified into internal bypass and external bypass.

Internal bypass—User traffic is sent to the security device but is not processed by it. The security device directly forwards or drops the traffic according to the configured bridge forwarding mode.
External bypass—User traffic is forwarded by the Power Free Connector (PFC) device directly without passing through the security device.

Internal bypass

User traffic is sent to the security device but is not processed by it. The security device directly forwards or drops the traffic according to the configured bridge forwarding mode.

Internal bypass is available for interface pairs operating in reflect-type, blackhole-type, or forward-type forwarding mode.

External bypass

User traffic is forwarded by the Power Free Connector (PFC) device directly without passing through the security device.

Internal bypass is available only for interface pairs using the forward-type forwarding mode.

External bypass can be further classified in to the following types:

Static external bypass—External bypass takes effect immediately when configured and must be manually disabled.
Dynamic external bypass—External bypass is enabled or disabled automatically based on the status of the links between the security device and the PFC. The security device polls the link status periodically and enables external bypass if one or both links go down. External bypass is disabled automatically if the failed links come up.

vSystem support information

Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.

Restrictions and guidelines

Only a Layer 2 or Layer 3 Ethernet interface or a Layer 2 aggregate interface can be added to an interface pair operating in reflect-type, blackhole-type, or forward-type forwarding mode.
For a forward-type interface pair that is automatically created upon insertion of a hardware bypass subcard, you can enable only internal bypass for the interface pair.
Support for the external bypass feature depends on the device model.

Configure interface pairs

Prerequisites

Complete the following tasks before you configure this feature:

Assign IP addresses to interfaces on the Network > Interface Configuration > Interfaces page.
Configure routes on the Network > Routing page. Make sure the routes are available.
Create security zones on the Network > Security Zones page.
Add interfaces to security zones. You can add interfaces to a security zone on the Security Zones page or select a security zone for an interface on the Interfaces page.
Configure security policies to permit the target traffic on the Policies > Security Policies page.

Configure a reflect-mode interface pair

An interface pair is a technology for monitoring traffic at the data link layer. After creation, Layer 2 network traffic passing through the device is redirected to the security appliance, where it is filtered before being forwarded. Through different forwarding modes, the interface pair can handle traffic flexibly. In reflect mode, packets are received and transmitted on the same interface. Since the traffic does not need to pass through other interfaces, the data processing speed is faster. This configuration is simple and suitable for beginners to set up quickly.

To configure a reflect-mode interface pair:

Click the Network tab.
In the navigation pane, select Interface Configuration > Inline > Interface Pairs.
Click Create.
Figure-1 Adding a reflect-mode interface pair

Select the Reflect mode, and select the interface for packet receiving and transmission.

Table-1 Interface pair configuration items

Item	Description
Forwarding mode	Select the forwarding mode of the interface pair. Options include: Reflect Blackhole Forward
Security service bypass	Enable or disable security service bypass.
Interface 1	Select an interface as receiving interface 1 of packets.

Click OK. The interface pair will be displayed on the Interface Pairs page.

Configure a blackhole-mode interface pair

In blackhole mode, packets are received from one interface and discarded after processing. Traffic entering an interface in this mode is not forwarded. By configuring the blackhole mode, you can effectively discard traffic from untrusted sources, ensuring network security.

To configure a blackhole-mode interface pair:

On the Interface Pairs page, click Create.
Figure-2 Adding a blackhole-mode interface pair

Select the Blackhole mode, and select the interface for packet receiving and transmission.

Table-2 Interface pair configuration items

Item	Description
Forwarding mode	Select the forwarding mode of the interface pair. Options include: Reflect Blackhole Forward
Security service bypass	Enable or disable security service bypass.
Interface 1	Select an interface as receiving interface 1 of packets.

Click OK. The interface pair will be displayed on the Interface Pairs page.

Configure a forward-mode interface pair

In forward mode, packets are received from one interface and transmitted from another. This configuration is more flexible and can adapt to more complex network environments. For example, you can use the forward mode for a device to achieve routing and data forwarding between different VLANs.

To configure a forward-mode interface pair:

Click the Network tab.
In the navigation pane, select Interface Configuration > Inline > Interface Pairs.
Click Create.
Figure-3 Adding a forward-mode interface pair

Select the Forward mode, and select the interfaces for packet receiving and transmission.

Table-3 Interface pair configuration items

Item	Description
Forwarding mode	Select the forwarding mode of the interface pair. Options include: Reflect Blackhole Forward
Security service bypass	Enable or disable security service bypass.
Interface 1	Select an interface as receiving interface 1 of packets.
Interface 2	Select an interface as receiving interface 2 of packets. This field is available only when the Forward mode is selected.

Click OK. The interface pair will be displayed on the Interface Pairs page.

Configure advanced settings

After creating an interface pair, you can select the basis for forwarding tunneled packets and enable VLAN ID check through advanced settings to meet various network scenario requirements.

On a hot backup system, you must disable VLAN ID check if the traffic incoming interfaces on the primary and secondary devices belong to different VLANs. If you enable VLAN ID check, traffic cannot match session entries correctly after a primary/secondary device switchover occurs or when asymmetric-path traffic exists.

To configure advanced settings:

Click the Network tab.
In the navigation pane, select Interface Configuration > Inline > Interface Pairs.
Click Advanced Settings.
Table-4 Advanced settings

Configure advanced settings.

Table-5 Configuration items for advanced settings

Item	Description
Forward tunneled packets based on	Select the basis for forwarding tunneled packets. Options include: Original packet headers—Forward tunneled packets based on the original packet headers. Tunnel headers—Forward tunneled packets based on tunnel headers.
VLAN ID Check	Enable or disable VLAN ID check.

Item

Description

Forward tunneled packets based on

Select the basis for forwarding tunneled packets. Options include:

Original packet headers—Forward tunneled packets based on the original packet headers.
Tunnel headers—Forward tunneled packets based on tunnel headers.

VLAN ID Check

Enable or disable VLAN ID check.