Cisco Firepower 4100 Series Hardware Installation Guide

Cisco Firepower 4100 Series
82 pages
Hardware Bypass (FTW) Network Modules
Fail-to-Wire (FTW) is a physical layer (Layer 1) bypass that allows paired interfaces to go into bypass mode
so that the hardware forwards packets between these port pairs without software intervention. FTW provides
network connectivity when there are software or hardware failures. Hardware bypass is useful on ports where
the Firepower security appliance is only monitoring or logging traffic. The hardware bypass network modules
have an optical switch that is capable of connecting the two ports when needed.
The FTW network modules have built-in SFPs.
Hardware bypass is supported only on a fixed set of ports. You can pair Port 1 with Port 2 and Port 3 with
Port 4, but you cannot, for example, pair Port 1 with Port 4.
Note: Hardware bypass is only supported in inline mode. Also, hardware bypass support depends on your
software application.
Note: When switching from normal operation to hardware bypass or from hardware bypass back to normal
operation, traffic may be interrupted for several seconds. A number of factors can affect the length of the
interruption; for example, copper port autonegotiation; behavior of the optical link partner such as how it
handles link faults and debounce timing; spanning tree protocol convergence; dynamic routing protocol
convergence; and so on. During this time, you may experience dropped connections.
There are three configuration options for hardware bypass network modules:
- Passive interfaces: Connection to a single port.
  For each network segment you want to monitor passively, connect the cables to one interface. This is
  how the non-FTW network modules operate.
- Inline interfaces: Connection to any two like ports (10G to 10G for example) on one network module,
  across network modules, or fixed ports.
  For each network segment you want to monitor inline, connect the cables to pairs of interfaces.
- Inline with FTW interfaces: Connection of an FTW paired set.
  For each network segment that you want to configure inline with fail-open, connect the cables to the
  paired interface set.
  For the 40G network module, you connect the two ports to form a paired set. For the 1/10G network
  modules, you connect the top port to the bottom port to form an FTW paired set. This allows traffic to
  flow even if the Firepower security appliance fails or loses power.
Note: If you have an inline interface set with a mix of FTW-capable and non-FTW-capable interfaces, you
cannot enable hardware bypass on this inline interface set. You can only enable hardware bypass on an inline
interface set if all the pairs in the inline set are valid FTW pairs.
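The pairing rule and the mixed-set restriction above can be checked against a cabling plan before installation. The following is an added example, not code from the Cisco guide; the `Ethernet<slot>/<port>` naming, the slot numbers, and the sample plan are assumptions made for illustration.

```python
import re

# Assumption: interfaces are named "Ethernet<slot>/<port>"; the guide page
# does not define a naming scheme.
_IFACE = re.compile(r"^Ethernet(\d+)/(\d+)$")

def parse_iface(name):
    """Split an interface name into (slot, port) integers."""
    m = _IFACE.match(name)
    if not m:
        raise ValueError(f"unrecognised interface name: {name!r}")
    return int(m.group(1)), int(m.group(2))

def is_ftw_pair(a, b, ftw_slots):
    """True if a and b are a fixed FTW pair: same FTW module, ports (1,2), (3,4), ..."""
    (slot_a, port_a), (slot_b, port_b) = parse_iface(a), parse_iface(b)
    if slot_a != slot_b or slot_a not in ftw_slots:
        return False
    low, high = sorted((port_a, port_b))
    return low % 2 == 1 and high == low + 1

def check_inline_set(pairs, ftw_slots):
    """Return (bypass_allowed, problems) for one inline set.

    Bypass is allowed only if every pair in the set is a valid FTW pair.
    """
    problems = [f"{a} <-> {b} is not a valid FTW pair"
                for a, b in pairs if not is_ftw_pair(a, b, ftw_slots)]
    return (not problems and bool(pairs)), problems

# Constructed sample plan: slot 2 holds an FTW module, slot 3 a non-FTW module.
FTW_SLOTS = {2}
PLAN = {
    "edge-tap": [("Ethernet2/1", "Ethernet2/2"), ("Ethernet2/3", "Ethernet2/4")],
    "crossed": [("Ethernet2/1", "Ethernet2/4")],
    "mixed": [("Ethernet2/1", "Ethernet2/2"), ("Ethernet3/1", "Ethernet3/2")],
}

if __name__ == "__main__":
    for name, pairs in PLAN.items():
        ok, problems = check_inline_set(pairs, FTW_SLOTS)
        print(f"{name}: hardware bypass {'allowed' if ok else 'not allowed'}")
        for p in problems:
            print(f"  {p}")
```

An inline set reported as "not allowed" has no hardware bypass, so traffic on that segment stops if the appliance fails or loses power.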