1/10 Gigabit Modular Passive Fail-Open Kit Quick Start Guide

McAfee Network Security Platform IPS Sensors, when deployed in-line, route all incoming traffic through a designated port pair. However, at times a Sensor might need to be turned off for maintenance, or its ports might go down because of an outage. In such cases, you might want traffic to continue to pass through without interruption. For such requirements, you can consider an external device called a fail-open switch. The fail-open switch can be either an active fail-open switch or a passive fail-open switch.

A passive fail-open switch relies on the Sensor to supply a power signal to the switch through a Control cable. The Control port on the Sensor is connected to a Control port on the fail-open switch by a Control cable. While the Sensor is operating, the switch is “on” and routes all traffic directly through the Sensor. When the Sensor fails, the switch automatically shifts to a bypass state: in-line traffic continues to flow through the network link, but is no longer routed through the Sensor. After the Sensor resumes normal operation, the switch returns to the “on” state, again enabling in-line monitoring. The number of Control ports on a Sensor depends on the Sensor model. Each Sensor Control port is internally wired to a corresponding monitoring port pair. For example, Control port X2 must always be used in tandem with monitoring port pair 2A-2B.

The table below shows the various models of passive fail-open switches and the Sensor models that support them.

| Fail-open switch | SKU | NS9500 | NS9x00 | NS7x00/NS7x50 | NS5x00 | NS3500 | NS3x00 | M-8000, M-6050 | M-4050, M-3050 | M-2950, M-2850 |
|---|---|---|---|---|---|---|---|---|---|---|
| Passive-Fiber (850 nm) 10G (50 µm) | IAC-PF85050-KT1 | No | No | Yes | Yes (supported on G0 only) | No | No | Yes | Yes | No |
| Passive-Fiber (850 nm) 10/1G (62.5 µm) | IAC-PF85062-KT1 | No | No | Yes | Yes | No | No | Yes | Yes | Yes |
| Passive-Fiber (1310 nm) 10/1G (8.5 µm) | IAC-PF131010-KT1 | No | No | Yes | Yes | No | No | Yes | Yes | Yes |
| Passive-Copper 10/100/1000 | IAC-PFOCG-KT2 | No | No | Yes | Yes | No | No | Yes | Yes | Yes |

Fiber fail-open switches come in two types: single-mode and multi-mode. The table gives you some details about both types of fiber optic fail-open switches. Such information is important because you must determine the type of fiber optics used in your organization's network before you decide which type of fail-open switch to use. It is also important to understand the various types because all product documentation for fiber fail-open kits and the decals on the fail-open switches display these parameters. The table below shows the differences between single-mode and multi-mode fiber specifications.

| Type | Fiber thickness | Wavelength range |
|---|---|---|
| Single mode (Long reach) | 8.5 µm | 1300 nm to 1550 nm |
| Multi-mode (Short reach) | 50 µm or 62.5 µm | 850 nm to 1300 nm |

Note: NS-9x00 Sensors do not have Control ports and as a result do not support passive fail-open kits. For more details on Sensor compatibility with various fail-open kits, refer to the chapter, Fail-Open operation in Sensors, in the McAfee Network Security Platform IPS Administration Guide.

For more details about fail-open kits, refer to the chapter, Fail-Open operation in Sensors, in the McAfee Network Security Platform IPS Administration Guide. Because this Quick Start Guide refers to information in that chapter, it helps to keep a copy of it easily accessible before you begin installing and configuring your fail-open switch.