Trellix IPS Sensor interface configuration deployment guide
Last Modified: 2024-01-17 10:58:10 Etc/GMT
Summary
The following matrix sets out the speed and duplex settings that can be configured between a Sensor and its peer device, and the resulting mode of operation for each combination, including the error conditions and the cases where a link fails to establish. When you deploy the Sensor in inline mode, you want to prevent any form of congestion in the data path, so make sure that these settings are consistent across all peers and ports in a port pair.
NOTE: This rule applies to any mode of operation used.
Sensor ports in inline mode are designed to behave as part of the physical link: if one interface in a port pair is physically down, the Sensor takes the other port in the pair down as well. An administrator using a spanning-tree or VRRP redundancy mechanism can therefore be confident that a failure on one segment propagates to the network peers on the other Sensor-attached segment.
Hard-coding Gigabit Ethernet interfaces to full-duplex can defeat this redundancy. Differences in speed and duplex settings across a Sensor port pair or its peer devices make deterministic VRRP or STP failure detection difficult, so you must ensure consistent speed and duplex operation across the Sensor port pair and the peer devices.
NOTE: The first four rows (the 1000 Mbps settings) are gigabit interfaces; they were shaded in the original table. Numbers in parentheses refer to the footnotes below the table.

Configuration Sensor (Speed/Duplex) | Configuration Switch (Speed/Duplex) | Resulting Sensor Speed/Duplex | Resulting Switch Speed/Duplex | Comments
--- | --- | --- | --- | ---
1000-AUTO | 1000-AUTO | 1000 Mbps, Full-duplex | 1000 Mbps, Full-duplex | Valid configuration (3)
1000 Mbps, Full-duplex | 1000 Mbps, Full-duplex | 1000 Mbps, Full-duplex | 1000 Mbps, Full-duplex | Valid manual configuration (2)
1000 Mbps, Full-duplex | AUTO | 1000 Mbps, Full-duplex | Down | A link isn't established, although the Sensor port is seen as up
AUTO | 1000 Mbps, Full-duplex | Down | 1000 Mbps, Full-duplex | A link isn't established, although the switch port is seen as up
100 Mbps, Full-duplex | AUTO | 100 Mbps, Full-duplex | 100 Mbps, Half-duplex | Duplex mismatch (1)
AUTO | 100 Mbps, Full-duplex | 100 Mbps, Half-duplex | 100 Mbps, Full-duplex | Duplex mismatch (1)
100 Mbps, Full-duplex | 100 Mbps, Full-duplex | 100 Mbps, Full-duplex | 100 Mbps, Full-duplex | Valid manual configuration (2)
100 Mbps, Half-duplex | AUTO | 100 Mbps, Half-duplex | 100 Mbps, Half-duplex | A link is established, but the switch doesn't see any auto-negotiation information from the Sensor and defaults to half-duplex when operating at 10/100 Mbps.
10 Mbps, Half-duplex | AUTO | 10 Mbps, Half-duplex | 10 Mbps, Half-duplex | A link is established, but the switch doesn't see Fast Link Pulse (FLP) and defaults to 10 Mbps, half-duplex.
10 Mbps, Half-duplex | 100 Mbps, Half-duplex | No link | No link | Neither side establishes a link, due to speed mismatch.
AUTO | 100 Mbps, Half-duplex | 100 Mbps, Half-duplex | 100 Mbps, Half-duplex | A link is established, but the Sensor doesn't see any auto-negotiation information and defaults to 100 Mbps, half-duplex.
AUTO | 10 Mbps, Half-duplex | 10 Mbps, Half-duplex | 10 Mbps, Half-duplex | A link is established, but the Sensor doesn't see FLP and defaults to 10 Mbps, half-duplex.
(1) A duplex mismatch might result in performance issues, intermittent connectivity, and loss of communication. When troubleshooting interface or port issues, verify that the Sensor and switch use a valid configuration.
(2) Some third-party switch interfaces might fall back to half-duplex operation even though both the Sensor and the switch have been manually configured for 100 Mbps, full-duplex. This happens because the switch's auto-negotiation link detection still operates even when the interface has been manually configured, which leaves the switch port and the Sensor in a duplex inconsistency. Symptoms include poor port performance and frame check sequence (FCS) errors that increment on the switch interface or port, or on the Sensor port. To troubleshoot, temporarily configure both the switch port and the Sensor to 100 Mbps, half-duplex. If this resolves the connectivity problems, it's a strong indication of this problem. We recommend upgrading to the latest software for the switch or contacting the switch vendor for more support.
(3) When possible, use a manual (fixed-speed) setting on both the Sensor monitor port and the connected network device. If using a gigabit copper GBIC with a fail-open kit, you must use the auto-negotiate configuration on both the Sensor and the peer device; this setting makes sure that a port-down condition forces the fail-open kit into bypass mode.
Why can't Speed and Duplex be hard-coded on only one Link Partner?
As the table above shows, manually setting one link partner to full-duplex while the other auto-negotiates results in a duplex mismatch: auto-negotiation is disabled on the hard-coded partner, so the other partner receives no negotiation information and falls back to half-duplex. A duplex mismatch results in slow performance, intermittent connectivity, data link errors, and other issues. If you don't intend to use auto-negotiation, both link partners must be manually configured for speed and duplex (full-duplex is always recommended).
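The rules behind the matrix (auto/auto negotiates, a fixed 10/100 side leaves the auto side at half-duplex through parallel detection, a fixed gigabit side never brings an auto peer up, and a speed mismatch gives no link) can be encoded and used to check a port pair before deployment. The following is an added example written for this article, not Trellix Sensor code or a Trellix tool; the names PortConfig, negotiate and check_port_pair are this example's own. It assumes gigabit-capable ports, so AUTO on both ends settles at 1000 Mbps full-duplex, and it goes one step beyond the table by also flagging the case where both ends are hard-coded to the same speed but different duplex.

```python
"""Added example (not Trellix code): model the speed/duplex rules behind the
matrix above and check an inline Sensor port pair for the conditions the
table flags (no link, duplex mismatch, gigabit auto-vs-fixed, fail-open kit)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GIGABIT = 1000


@dataclass(frozen=True)
class PortConfig:
    """Administrative setting of one port; speed=None means auto-negotiate."""
    speed: Optional[int] = None   # 10, 100 or 1000 Mbps
    duplex: Optional[str] = None  # "full" or "half"

    @property
    def auto(self) -> bool:
        return self.speed is None

    def __str__(self) -> str:
        return "AUTO" if self.auto else f"{self.speed} Mbps, {self.duplex}-duplex"


AUTO = PortConfig()


@dataclass(frozen=True)
class LinkOutcome:
    a: str                 # resulting state of side A (the Sensor port)
    b: str                 # resulting state of side B (the peer/switch port)
    link_up: bool
    duplex_mismatch: bool
    comment: str


def negotiate(a: PortConfig, b: PortConfig) -> LinkOutcome:
    """Predict what each side ends up running, following the matrix rules."""
    if a.auto and b.auto:
        # Both sides exchange FLP and agree on the best common mode; this
        # example assumes gigabit-capable ports, hence 1000 Mbps full-duplex.
        state = "1000 Mbps, full-duplex"
        return LinkOutcome(state, state, True, False, "Valid configuration")
    if not a.auto and not b.auto:
        if a.speed != b.speed:
            return LinkOutcome("No link", "No link", False, False,
                               "Neither side establishes a link, due to speed mismatch")
        if a.duplex != b.duplex:  # generalisation: both fixed, duplex differs
            return LinkOutcome(str(a), str(b), True, True, "Duplex mismatch")
        return LinkOutcome(str(a), str(b), True, False, "Valid manual configuration")
    # Exactly one side is fixed, so the auto side never receives FLP.
    fixed = b if a.auto else a
    if fixed.speed == GIGABIT:
        # Gigabit has no 10/100-style parallel detection: the fixed port
        # reports up, but the auto side never establishes the link.
        auto_state, link_up, mismatch = "Down", False, False
        comment = "Link not established, although the hard-coded port is seen as up"
    else:
        # 10/100 parallel detection learns the speed but not the duplex, so
        # the auto side defaults to half-duplex at the detected speed.
        auto_state = f"{fixed.speed} Mbps, half-duplex"
        link_up, mismatch = True, fixed.duplex == "full"
        comment = ("Duplex mismatch" if mismatch else
                   "Link established; auto side saw no FLP and defaulted to half-duplex")
    a_state, b_state = (auto_state, str(fixed)) if a.auto else (str(fixed), auto_state)
    return LinkOutcome(a_state, b_state, link_up, mismatch, comment)


def check_port_pair(pair: List[Tuple[PortConfig, PortConfig]],
                    fail_open_kit: bool = False) -> List[str]:
    """Return findings for an inline port pair given as [(sensor, peer), (sensor, peer)].
    An empty list means every link comes up and the pair runs one consistent mode."""
    findings = []
    results = [negotiate(s, p) for s, p in pair]
    for n, ((s, p), r) in enumerate(zip(pair, results), 1):
        if not r.link_up:
            findings.append(f"port {n}: {r.comment} (Sensor {s}, peer {p})")
        elif r.duplex_mismatch:
            findings.append(f"port {n}: duplex mismatch (Sensor {r.a}, peer {r.b})")
        if fail_open_kit and not (s.auto and p.auto):
            # Footnote 3: the fail-open kit relies on auto-negotiation to see a port go down.
            findings.append(f"port {n}: fail-open kit needs AUTO on both ends, got Sensor {s}, peer {p}")
    if len(results) == 2 and all(r.link_up for r in results) and results[0].a != results[1].a:
        # Both ports of an inline pair must run the same mode or the data path congests.
        findings.append(f"pair: ports run {results[0].a} and {results[1].a}; make them consistent")
    return findings


if __name__ == "__main__":
    for sensor, peer in [(AUTO, AUTO), (PortConfig(1000, "full"), AUTO), (PortConfig(100, "full"), AUTO)]:
        r = negotiate(sensor, peer)
        print(f"{sensor!s:24} {peer!s:24} -> {r.a} / {r.b}: {r.comment}")
    print(check_port_pair([(AUTO, AUTO), (PortConfig(100, "full"), PortConfig(100, "full"))]))
```

Feed check_port_pair the administrative settings of both Sensor ports in a pair and their peers as recorded in the change request; any finding means the deployment would land in one of the error rows of the matrix, and the fail_open_kit flag enforces footnote 3 for gigabit copper fail-open deployments.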
Gigabit and Fail-open considerations
This section addresses common misconceptions about Gigabit Ethernet and how it handles speed and duplex settings. It is often assumed that the negotiation model of Ethernet and Fast Ethernet carries over into the gigabit standards. It doesn't: the Fast Link Pulse (FLP) techniques used at 10/100 Mbps are not used for gigabit links.
Fiber Gigabit Ethernet doesn't support the auto-negotiation extensions that 10/100/1000 copper links use to select a speed. It negotiates nothing other than 1000 Mbit/s operation and, in most circumstances, full-duplex. Even though most Gigabit Ethernet ports only ever negotiate 1000 Mbit/s full-duplex, there are still significant differences between coding the ports manually and arriving at the same speed and duplex through auto-negotiation: a device set to auto-negotiate doesn't establish a link with a peer that has been manually coded.
When gigabit interfaces are hard-coded, they can become disconnected without any indication or change in interface status. Gigabit Ethernet running in hard-coded full-duplex mode holds the port up constantly unless the administrator disables it. This state is again a function of auto-negotiation, or in this case the lack of it.
In Gigabit Ethernet, auto-negotiation is responsible for detecting certain physical-layer conditions and faults, such as loss of signal on the cabling. If auto-negotiation isn't enabled, these conditions can't be detected.
This lack of detection has implications for networks where external fail-open kits are deployed. We recommend that you always place the Sensor ports and peer device ports in 10/100/1000-Auto mode when using external fail-open kits. If the ports are hard-coded, the Sensor might not detect that it has lost connectivity to the peer device through a cable break between the Sensor and the fail-open kit. In that scenario the fail-open kit never bypasses the Sensor, and packets are lost.
Certain environments can't support 1000-Auto operation because of peer device limitations: one peer device supports only hard-coded 1000-Full operation while another supports 1000-Auto. Such environments need different settings on a per-peer and per-port basis.
These issues relate to misunderstandings about the command structures for these modes of operation on the peer devices. You expect to use commands similar to
You might think that there's no way to set this option on the gigabit port. But, if you negate the command with the
For example,
Other Considerations
Some other considerations that can impact an Inline deployment when you choose the speed and duplex settings are
On certain Cisco devices, such as Catalyst 3750 switches,