Table of Contents
Advertisement
8-Port 1000Base-T Network Module with Hardware Bypass
8-Port 1000Base-T Network Module with Hardware Bypass
The Secure Firewall 4200 chassis has two network module slots named NM-2 and NM-3 (left to right on the
front panel). Network modules are optional, removable I/O modules that provide either additional ports or
different interface types. The network module plugs into the chassis on the front panel. See
page 8
FPR4K-XNM-8X1GF is an 8-port 1000Base-T hardware bypass network module. The eight ports are numbered
from top to bottom, left to right. Ports 1 and 2, 3 and 4, 5 and 6, and 7 and 8 are paired for hardware bypass
mode. In hardware bypass mode, data is not processed by the Secure Firewall 4200 but is routed to the paired
port.
Hardware bypass (also known as fail-to-wire) is a physical layer (Layer 1) bypass that allows paired interfaces
to go into bypass mode so that the hardware forwards packets between these port pairs without software
intervention. Hardware bypass provides network connectivity when there are software or hardware failures.
Hardware bypass is useful on ports where the secure firewall is only monitoring or logging traffic. The
hardware bypass network modules have a switch that is capable of connecting the two ports when needed.
Note
Hardware bypass is supported only on a fixed set of ports. You can pair Port 1 with Port 2, Port 3 with Port
4, but you cannot pair Port 1 with Port 4 for example.
Note
Note
Note
Cisco Secure Firewall 4200 Series Hardware Installation Guide
22
for the location of the network module slots on the chassis.
Hardware bypass is only supported with threat defense, although you can use these modules in nonbypass
mode in threat defense or ASA.
When the appliance switches from normal operation to hardware bypass or from hardware bypass back to
normal operation, traffic may be interrupted for several seconds. A number of factors can affect the length of
the interruption; for example, behavior of the link partner such as how it handles link faults and debounce
timing; spanning tree protocol convergence; dynamic routing protocol convergence; and so on. During this
time, you may experience dropped connections.
If you have an inline interface set with a mix of hardware bypass and nonhardware bypass interfaces, you
cannot enable hardware bypass on this inline interface set. You can only enable hardware bypass on an inline
interface set if all the pairs in the inline set are valid hardware bypass pairs.
The hardware and the system support hot swapping if you are replacing a network module with the same type
of network module. If you replace the 8-port 10/100/1000Base-T network module with another supported
network module, you must reboot the chassis so that the new network module is recognized. See the
configuration guide for your operating system for the detailed procedures for managing network modules.
Overview
Front Panel, on
Advertisement
Chapters
Table of Contents
