SW1020A in order to create the required normal and/or bypass paths through the SW1020A, and to allow the
PING packets from the internal Ethernet node on the SW1020A to travel to the desired external Ethernet node
on the user’s network. See figures 1 & 2 above for examples of typical network connections to the SW1020A
Auto Bypass Switch.
In a typical IPS environment, the NETWORK port on the SW1020A would be connected to an unused port
on the edge router/switch as noted in the example configuration in figure 1 above. To provide auto bypass
switching, the SW1020A should be configured to use the firewall’s IP and MAC addresses for the monitor IP
address and monitor MAC address parameters. With this configuration, if the SW1020A detects a problem
through the normal path and the IPS to the firewall, it will automatically switch to the bypass path. The auto
recovery switching function is typically not used in this type of application, and would normally be disabled.
This approach lets the network security manager verify that, when a problem in the normal path through the
IPS causes the SW1020A to switch to the bypass path, any problems related to the IPS and the normal path
are resolved before the IPS is reconnected to the network. Once these problems have been
resolved, the network security manager can then issue a “set system B” command to the SW1020A to switch
back to the normal path.
In a typical failover environment, the NETWORK port on the SW1020A would be connected to a layer 2
switch or hub as described in the example configuration in figure 2 above. To provide auto
failover/recovery, the SW1020A should be configured to use the IP and MAC addresses of a device on the
“normal” network for the monitor IP address and monitor MAC address parameters. With this configuration,
the auto bypass switching function will cause the SW1020A to automatically switch to the failover network if
it detects a problem through the normal path to the device being monitored. If the auto recovery switching
function is enabled, it will cause the SW1020A to automatically switch back from the failover network
connection to the normal network connection once the normal network operation is restored (the SW1020A is
able to PING the device again on the normal network path).
When using the auto bypass and auto recovery features, the monitorip address and monitormac address
parameters can be configured to monitor connectivity to any device within or outside of the user’s network
environment. The monitormac address has two modes of operation – it can be manually configured, or it can
be set to automatic mode. For automatic mode, simply set the monitormac address parameter to 00 00 00 00
00 00. Then set the monitorip address parameter to the IP address of the device you want to PING in order to
monitor the normal network path connections. The SW1020A will issue an ARP request to the gateway router
to get the appropriate MAC address it needs to use in the PING packet. Alternatively, you can manually enter
the appropriate MAC address. If monitoring connectivity to a device on the same subnet as the SW1020A’s
internal Ethernet node, set the SW1020A’s monitorip address and monitormac address parameters to the IP
address and MAC address of the device being monitored. If monitoring connectivity to a device on a different
subnet/network than the SW1020A’s internal Ethernet node, set the SW1020A’s monitormac address
parameter to the MAC address of the gateway router on the SW1020A’s subnet, and set the monitorip address
parameter to the IP address of the device being monitored. This allows the PING packet issued by the
SW1020A to be routed through the gateway router to the target device on a different subnet/network.
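The addressing rules above can be checked against an addressing plan before the values are entered. The following is an added example, not code from the manual or the vendor: the function names and sample addresses are constructed, and it assumes manually entered MAC addresses use the same space-separated form as the automatic-mode value.

```python
import ipaddress

AUTO_MAC = "00 00 00 00 00 00"  # automatic-mode value given in the manual

# Constructed sample data (documentation address ranges), not from the manual.
SAMPLE_NEIGHBORS = {
    "192.0.2.1": "00:00:5e:00:53:01",   # gateway router on the switch's subnet
    "192.0.2.20": "00-00-5E-00-53-14",  # firewall on the switch's subnet
}

def normalize_mac(mac):
    """Return a MAC as six space-separated upper-case hex octets."""
    digits = "".join(c for c in mac if c not in " :-.").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return " ".join(digits[i:i + 2] for i in range(0, 12, 2))

def plan_monitor(switch_if, gateway_ip, monitor_ip, neighbors=None):
    """Pick monitorip / monitormac values for one monitored device.

    switch_if  -- address/prefix of the SW1020A's internal Ethernet node
    neighbors  -- known IP -> MAC map for that subnet; None selects automatic mode
    """
    iface = ipaddress.ip_interface(switch_if)
    gateway = ipaddress.ip_address(gateway_ip)
    target = ipaddress.ip_address(monitor_ip)
    if gateway not in iface.network:
        raise ValueError("gateway router must be on the switch's own subnet")
    if target == iface.ip:
        raise ValueError("monitored device cannot be the switch itself")
    if neighbors is None:
        # Automatic mode: the switch resolves the MAC itself via ARP.
        return {"monitorip": str(target), "monitormac": AUTO_MAC, "mode": "automatic"}
    # Same subnet: use the device's own MAC. Different subnet: use the
    # gateway router's MAC so the PING is routed on to the target.
    next_hop = target if target in iface.network else gateway
    table = {ipaddress.ip_address(ip): mac for ip, mac in neighbors.items()}
    if next_hop not in table:
        raise LookupError(f"no MAC address known for next hop {next_hop}")
    mode = "same-subnet" if next_hop == target else "via-gateway"
    return {"monitorip": str(target),
            "monitormac": normalize_mac(table[next_hop]), "mode": mode}

if __name__ == "__main__":
    for ip in ("192.0.2.20", "198.51.100.7"):
        print(plan_monitor("192.0.2.10/24", "192.0.2.1", ip, SAMPLE_NEIGHBORS))
```

A `LookupError` here means the plan has no MAC address for the device the PING frame must be addressed to, which would otherwise surface later as an unexpected switch to the bypass path.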
4.7
Once you have configured the TCP/IP parameters, you may also want to configure the SW1020A’s access
control related parameters. The SW1020A has an internal HTTP server that provides access to its command
interface via any web browser. This internal HTTP server can be enabled or disabled. If enabled, a password
can also be set, its TCP/IP port number can be configured, and an inactivity timeout can be configured to
prevent unauthorized access. The SW1020A also provides telnet access, and SNMP access to its command
interface. These interfaces also have additional configuration parameters to restrict unauthorized access. See
section 7 for a complete description of these access control related commands.