1/10 Gigabit Modular Active Fail-Open Kit Quick Start Guide

McAfee Network Security Platform IPS Sensors, when deployed in-line, route all incoming traffic through a designated port pair. However, at times a Sensor might need to be turned off for maintenance or its ports can go down because of an outage. At times like this, you might want to continue allowing traffic to pass through without interruption. For such requirements, you can consider an external device called a fail-open switch. The fail-open switch can either be an active fail-open switch or a passive fail-open switch.

An active fail-open switch constantly monitors the Sensor's state. It does this by sending a heartbeat signal through its ports: the heartbeat is sent out through one of the Monitor ports and received back through the other, which indicates that the Sensor is functioning normally.

The table below shows you the various models of active fail-open switches.

Fail-open switch                        | SKU               | NS9500 | NS9x00 | NS7x00/NS7x50 | NS5x00                     | NS3500 | NS3x00 | M-8000, M-6050 | M-4050, M-3050 | M-2950, M-2850
----------------------------------------|-------------------|--------|--------|---------------|----------------------------|--------|--------|----------------|----------------|---------------
Active-Fiber (850 nm), 10G (62.5 µm)    | IAC-AF85010-KT1   | Yes    | Yes    | Yes           | Yes (supported on G0 only) | No     | No     | Yes            | Yes            | No
Active-Fiber (1310 nm), 10G (8.5 µm)    | IAC-AF131010-KT1  | Yes    | Yes    | Yes           | Yes (supported on G0 only) | No     | No     | Yes            | Yes            | No
Active-Fiber (850 nm), 1G (62.5 µm)     | IAC-AF85062-KT1   | Yes    | Yes    | Yes           | Yes                        | No     | No     | Yes            | Yes            | Yes
Active-Fiber (1310 nm), 1G (8.5 µm)     | IAC-AF131085-KT1  | Yes    | Yes    | Yes           | Yes                        | No     | No     | Yes            | Yes            | Yes
Active-Copper, 10/100/1000 module       | IAC-AFOCG-KT2     | Yes    | Yes    | Yes           | Yes                        | No     | Yes    | Yes            | Yes            | Yes
Active Fail-Open Chassis                | IAC-AFOCH-KT2     | Yes    | Yes    | Yes           | Yes                        | No     | Yes    | Yes            | Yes            | Yes

When making this choice, you must also make sure you have the requisite SFPs, SFP+s, or XFPs.

Fiber fail-open switches come in two types: single-mode and multi-mode. You must determine which type of fiber is used in your organization's network before you decide which type of fail-open switch to use, and all product documentation for fail-open kits, as well as the decals on the fail-open switches themselves, repeatedly refer to these parameters. The table below shows the differences between single-mode and multi-mode fiber specifications.

Type                      | Fiber thickness    | Wavelength range
--------------------------|--------------------|--------------------
Single mode (Long reach)  | 8.5 µm             | 1300 nm to 1550 nm
Multi-mode (Short reach)  | 50 µm or 62.5 µm   | 850 nm to 1300 nm
Note: For more details about fail-open kits, refer to the chapter Fail-Open operation in Sensors in the McAfee Network Security Platform IPS Administration Guide. Because this Quick Start Guide refers to information in that chapter, keep a copy of it easily accessible before you begin installing and configuring your fail-open switch.

Working

To begin with, the Sensor and the fail-open switch need to be appropriately cabled to each other. The Sensor ports are then configured for fail-open operation. For more details about configuring Sensor monitoring ports, refer to the section Configure Sensor Monitoring Ports.

After connecting and configuring the Sensor and fail-open switch, the switch begins to send a heartbeat signal to the Sensor. Each heartbeat signal, once sent, returns from the Sensor to the fail-open switch. When the fail-open switch does not receive this response from the Sensor for a specified period, the switch removes the Sensor from the data path and begins to route traffic to the network through its own ports.

A 1G fiber or a Copper fail-open switch sends a heartbeat signal every second. When the fail-open switch does not receive a response for 3 seconds, it changes its working mode to "unknown" and begins to route traffic through itself.

A 10G fiber fail-open switch sends a heartbeat signal every 10 milliseconds (ms). If the fail-open switch does not receive a response from the Sensor for 100 ms, it removes the Sensor from the data path and begins to route traffic through its own ports.
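The heartbeat watchdog described above can be modelled to see how the two timing profiles behave under a Sensor outage. The following is an added example written for this guide, not code from McAfee or from the fail-open kit itself; the timing values are the ones stated in the text, and the Sensor behaviour (`sensor_down_at`, `sensor_outage`) and the event-driven model (the switch checks the silence gap each time it sends a heartbeat) are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class HeartbeatProfile:
    """Heartbeat timing for one class of active fail-open switch (values from the guide)."""
    name: str
    interval_ms: int   # how often the switch sends a heartbeat through the Monitor port pair
    timeout_ms: int    # silence tolerated before the Sensor is removed from the data path


# 1G fiber and copper kits: heartbeat every second, bypass after 3 s of silence.
PROFILE_1G_OR_COPPER = HeartbeatProfile("1G fiber / copper", interval_ms=1000, timeout_ms=3000)
# 10G fiber kits: heartbeat every 10 ms, bypass after 100 ms of silence.
PROFILE_10G_FIBER = HeartbeatProfile("10G fiber", interval_ms=10, timeout_ms=100)


@dataclass
class SimulationResult:
    bypass_at_ms: Optional[int]   # time the switch began routing traffic through its own ports
    missed_heartbeats: int        # consecutive heartbeats that did not come back from the Sensor


def simulate(profile: HeartbeatProfile,
             sensor_returns: Callable[[int], bool],
             end_ms: int) -> SimulationResult:
    """Model the watchdog (constructed model, not the vendor's implementation).

    A heartbeat is sent at t = 0, interval, 2*interval, ... up to end_ms.
    sensor_returns(t) says whether the Sensor echoed the heartbeat sent at t.
    The switch stays in-line while the gap since the last echoed heartbeat is
    below the timeout; at the first heartbeat where the gap reaches the timeout
    it goes into bypass ("unknown" mode in the guide's wording for 1G/copper).
    """
    last_echo_ms = 0      # treat switch start-up as the initial reference point
    missed = 0
    t = 0
    while t <= end_ms:
        if sensor_returns(t):
            last_echo_ms = t
            missed = 0
        else:
            missed += 1
            if t - last_echo_ms >= profile.timeout_ms:
                return SimulationResult(bypass_at_ms=t, missed_heartbeats=missed)
        t += profile.interval_ms
    return SimulationResult(bypass_at_ms=None, missed_heartbeats=missed)


def sensor_down_at(down_ms: int) -> Callable[[int], bool]:
    """Constructed Sensor behaviour: echoes every heartbeat until down_ms, none afterwards."""
    return lambda t: t < down_ms


def sensor_outage(start_ms: int, end_ms: int) -> Callable[[int], bool]:
    """Constructed Sensor behaviour: a transient outage during [start_ms, end_ms)."""
    return lambda t: not (start_ms <= t < end_ms)


if __name__ == "__main__":
    # Sensor goes down 2.5 s after the switch starts; compare both profiles.
    for profile in (PROFILE_1G_OR_COPPER, PROFILE_10G_FIBER):
        r = simulate(profile, sensor_down_at(2500), end_ms=10_000)
        print(f"{profile.name}: bypass at {r.bypass_at_ms} ms "
              f"after {r.missed_heartbeats} missed heartbeats")
    # A 2 s blip on a 1G/copper kit is shorter than the 3 s timeout: no bypass.
    r = simulate(PROFILE_1G_OR_COPPER, sensor_outage(2500, 4500), end_ms=10_000)
    print(f"transient outage on {PROFILE_1G_OR_COPPER.name}: bypass at {r.bypass_at_ms}")
```

With the Sensor failing at 2.5 s, the 1G/copper profile bypasses at 5000 ms after three missed heartbeats, while the 10G profile bypasses at 2590 ms after ten. The transient 2 s outage never reaches the 3 s timeout, so the switch stays in-line. Note that once the switch is in bypass, traffic reaches the network without passing the Sensor, so the mode change is an event worth alerting on rather than silently tolerating.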