Symantec™ Network Security
In-line Bypass Unit User Guide
2
Symantec Network Security In-line Bypass Unit
User Guide
The device described in this book is furnished under a license agreement and may be used only in
accordance with the terms of the agreement.
PN: 10293105
Copyright Notice
Copyright © 2004 Symantec Corporation.
All Rights Reserved.
Any technical documentation that is made available by Symantec Corporation is the copyrighted work
of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec
Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the
information contained therein is at the risk of the user. Documentation may include technical or other
inaccuracies or typographical errors. Symantec reserves the right to make changes without prior
notice.
No part of this publication may be copied without the express written permission of Symantec
Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks. Symantec and the Symantec logo are U.S. registered trademarks of Symantec
Corporation. Symantec Network Security is a trademark of Symantec Corporation.
Other brands and product names mentioned in this manual may be trademarks or registered
trademarks of their respective companies and are hereby acknowledged.
Windows is a registered trademark, and 95, 98, NT and 2002 are trademarks of Microsoft Corporation.
Pentium is a registered trademark of Intel Corporation. Sun is a registered trademark, and Java, Solaris,
Ultra, Enterprise, and SPARC are trademarks of Sun Microsystems. UNIX is a registered trademark of
UNIX System Laboratories, Inc. Cisco and Catalyst are registered trademarks of Cisco Systems, Inc.
Foundry is a registered trademark of Foundry Networks. Juniper is a registered trademark of Juniper
Networks, Inc. iButton is a trademark of Dallas Semiconductor Corp. Dell is a registered trademark of
Dell Computer Corporation. Check Point and OPSEC are trademarks and FireWall-1 is a registered
trademark of Check Point Software Technologies, Ltd. Tripwire is a registered trademark of Tripwire,
Inc.
Symantec Network Security software contains/includes the following Third Party Software from
external sources:
“bzip2” and associated library “libbzip2,” Copyright © 1996-1998, Julian R Seward. All rights reserved.
(http://sources.redhat.com/bzip2).
“Castor,”ExoLab Group, Copyright 1999-2001 © 199-2001 Intalio, Inc. All rights reserved.
(http://www.exolab.org
Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1
).
Technical support
As part of Symantec Security Response, the Symantec global Technical Support
group maintains support centers throughout the world. The Technical Support
group’s primary role is to respond to specific questions on product
feature/function, installation, and configuration, as well as to author content for
our Web-accessible Knowledge Base. The Technical Support group works
collaboratively with the other functional areas within Symantec to answer your
questions in a timely fashion. For example, the Technical Support group works
with Product Engineering as well as Symantec Security Response to provide
Alerting Services and Virus Definition Updates for virus outbreaks and security
alerts.
Symantec technical support offerings include:
■ A range of support options that give you the flexibility to select the right
amount of service for any size organization
■ Telephone and Web support components that provide rapid response and
up-to-the-minute information
3
■ Upgrade insurance that delivers automatic software upgrade protection
■ Content Updates for virus definitions and security signatures that ensure
the highest level of protection
■ Global support from Symantec Security Response experts, which is
available 24 hours a day, 7 days a week worldwide in a variety of languages
■ Advanced features, such as the Symantec Alerting Service and Technical
Account Manager role, offer enhanced response and proactive security
support
Please visit our Web site for current information on Support Programs. The
specific features available may vary based on the level of support purchased and
the specific product that you are using.
Licensing and registration
If the product that you are implementing requires registration and/or a license
key, the fastest and easiest way to register your service is to access the
Symantec licensing and registration site at www.symantec.com/certificate.
Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html,
select the product that you wish to register, and from the Product Home Page,
select the Licensing and Registration link.
Contacting Technical Support
Customers with a current support agreement may contact the Technical
Support group via phone or online at www.symantec.com/techsupp.
Customers with Platinum support agreements may contact Platinum Technical
Support via the Platinum Web site at www-secure.symantec.com/platinum/.
4
Customer Service
When contacting the Technical Support group, please have the following:
■ Product release level
■ Hardware information
■ Available memory, disk space, NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description
■ Error messages/log files
■ Troubleshooting performed prior to contacting Symantec
■ Recent software configuration changes and/or network changes
To contact Enterprise Customer Service online, go to www.symantec.com, select
the appropriate Global Site for your country, then choose Service and Support.
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information on product updates and upgrades
■ Information on upgrade insurance and maintenance contracts
■ Information on Symantec Value License Program
■ Advice on Symantec's technical support options
■ Nontechnical pre-sales questions
■ Missing or defective CD-ROMs or manuals
SYMANTEC NETWORK SECURITY
IN-LINE BYPASS UNIT WARRANTY AGREEMENT
SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES
(“SYMANTEC”) IS WILLING TO PROVIDE WARRANTIES AS
SET FORTH HEREIN ON THE IN-LINE BYPASS UNIT YOU
HAVE PURCHASED TO YOU AS AN INDIVIDUAL, THE
COMPANY, OR THE LEGAL ENTITY THAT WILL BE
UTILIZING THE IN-LINE BYPASS UNIT (REFERENCED BELOW
AS “YOU OR YOUR”) AND TO PROVIDE WARRANTIES ON
THE IN-LINE BYPASS UNIT ONLY ON THE CONDITION THAT
YOU ACCEPT ALL OF THE TERMS OF THIS WARRANTY
AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS
WARRANTY AGREEMENT CAREFULLY BEFORE USING THE
IN-LINE BYPASS UNIT. THIS IS A LEGAL AND ENFORCEABLE
CONTRACT BETWEEN YOU AND SYMANTEC. BY OPENING
THIS PACKAGE, BREAKING THE SEAL, CLICKING ON THE
“AGREE” OR “YES” BUTTON OR OTHERWISE INDICATING
ASSENT ELECTRONICALLY, REQUESTING A LICENSE KEY OR
USING THE IN-LINE BYPASS UNIT, YOU AGREE TO THE
TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO
NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK ON
THE “I DO NOT AGREE” OR “NO” BUTTON IF APPLICABLE
AND DO NOT USE THE IN-LINE BYPASS UNIT.
1. Limited Warranty:
Symantec warrants that the in-line bypass unit (“In-line
Bypass Unit”) You have purchased shall be free from defects in
material and workmanship under normal use and service and
substantially conform to the written documentation
accompanying the In-line Bypass Unit for a period of three
hundred sixty-five (365) days from the date of original
purchase. Your sole remedy in the event of a breach of this
warranty will be that Symantec will, at its option, repair or
replace any defective In-line Bypass Unit returned to Symantec
within the warranty period or refund the money You paid for
In-line Bypass Unit.
The warranties contained in this Agreement will not apply to
any In-line Bypass Unit which:
A. has been altered, supplemented, upgraded or modified in
any way;
B. has been repaired except by Symantec or its designee; or
C. has been inserted into, used or operated with any device for
which it is not intended as stated in the user documentation
accompanying the In-line Bypass Unit.
Additionally, the warranties contained in this Agreement do
not apply to repair or replacement caused or necessitated by:
(i) events occurring after risk of loss passes to You such as loss
or damage during shipment; (ii) acts of God including without
limitation natural acts such as fire, flood, wind earthquake,
lightning or similar disaster; (iii) improper use, environment,
installation or electrical supply, improper maintenance, or any
other misuse, abuse or mishandling; (iv) governmental actions
or inactions; (v) strikes or work stoppages; (vi) Your failure to
follow applicable use or operations instructions or manuals;
(vii) Your failure to implement, or to allow Symantec or its
designee to implement, any corrections or modifications to the
In-line Bypass Unit made available to You by Symantec; or (viii)
such other events outside Symantec’s reasonable control.
Upon discovery of any failure of the In-line Bypass Unit, or
component thereof, to conform to the applicable warranty
during the applicable warranty period, You are required to
contact us within ten (10) days after such failure and seek a
return material authorization (“RMA”) number. Symantec will
promptly issue the requested RMA as long as we determine
that You meet the conditions for warranty service. The
allegedly defective In-line Bypass Unit, or component thereof,
shall be returned to Symantec, securely and properly
packaged, freight and insurance prepaid, with the RMA
number prominently displayed on the exterior of the shipment
packaging and with the In-line Bypass Unit. Symantec will
have no obligation to accept any In-line Bypass Unit which is
returned without an RMA number.
Upon completion of repair or if Symantec decides, in
accordance with the warranty, to replace a defective In-line
Bypass Unit, Symantec will return such repaired or
replacement In-line Bypass Unit to You, freight and insurance
prepaid. In the event that Symantec, in its sole discretion,
determines that it is unable to replace or repair the In-line
Bypass Unit, Symantec will refund to You the F.O.B. price paid
by You for the defective In-line Bypass Unit. Defective In-line
Bypass Units returned to Symantec will become the property
of Symantec.
Symantec does not warrant that the In-line Bypass Unit will
meet Your requirements or that operation of the In-line Bypass
Unit will be uninterrupted or that the In-line Bypass Unit will
be error-free.
In order to exercise any of the warranty rights contained in
this Agreement, You must have available an original sales
receipt or bill of sale demonstrating proof of purchase with
Your warranty claim.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU
OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR
IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL
PROPERTY RIGHTS. THIS WARRANTY GIVES YOU
SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER
RIGHTS, WHICH VARY FROM STATE TO STATE AND
COUNTRY TO COUNTRY.
2. Disclaimer of Damages:
SOME STATES AND COUNTRIES, INCLUDING MEMBER
COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT
ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR
INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE
BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO
YOU.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW AND REGARDLESS OF WHETHER ANY REMEDY SET
FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO
EVENT WILL SYMANTEC OR ITS LICENSORS BE LIABLE TO
YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR
SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR
LOST DATA ARISING OUT OF THE USE OR INABILITY TO
USE THE IN-LINE BYPASS UNIT EVEN IF SYMANTEC HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO CASE SHALL SYMANTEC'S OR ITS LICENSORS’
LIABILITY EXCEED THE PURCHASE PRICE FOR THE
IN-LINE BYPASS UNIT. The disclaimers and limitations set
forth above will apply regardless of whether You accept the
In-line Bypass Unit.
3. Export Regulation:
Certain Symantec products are subject to export controls by
the U.S. Department of Commerce (DOC), under the Export
Administration Regulations (EAR) (see www.bxa.doc.gov).
Violation of U.S. law is strictly prohibited. Licensee agrees to
comply with the requirements of the EAR and all applicable
international, national, state, regional and local laws, and
regulations, including any applicable import and use
restrictions. Symantec products are currently prohibited for
export or re-export to Cuba, North Korea, Iran, Iraq, Libya,
Syria and Sudan or to any country subject to applicable trade
sanctions. Licensee agrees not to export, or re-export, directly
or indirectly, any product to any country outlined in the EAR,
nor to any person or entity on the DOC Denied Persons,
Entities and Unverified Lists, the U.S. Department of State’s
Debarred List, or on the U.S. Department of Treasury's lists of
Specially Designated Nationals, Specially Designated Narcotics
Traffickers, or Specially Designated Terrorists. Furthermore,
Licensee agrees not to export, or re-export, Symantec products
to any military entity not approved under the EAR, or to any
other entity for any military purpose, nor will it sell any
Symantec product for use in connection with chemical,
biological, or nuclear weapons or missiles capable of delivering
such weapons.
4. General:
If You are located in North America or Latin America, this
Agreement will be governed by the laws of the State of
California, United States of America. Otherwise, this
Agreement will be governed by the laws of England. This
Agreement is the entire agreement between You and Symantec
relating to the In-line Bypass Unit and: (i) supersedes all prior
or contemporaneous oral or written communications,
proposals and representations with respect to its subject
matter; and (ii) prevails over any conflicting or additional
terms of any quote, order, acknowledgment or similar
communications between the parties. This Agreement may
only be modified by a written document which has been signed
by both You and Symantec. This Agreement shall terminate
upon Your breach of any term contained herein and You shall
cease use of and destroy the In-line Bypass Unit. The
disclaimers of warranties and damages and limitations on
liability shall survive termination. Should You have any
questions concerning this Agreement, or if You desire to
contact Symantec for any reason, please write: (i) Symantec
Customer Service, 555 International Way, Springfield, OR
97477, USA, or (ii) Symantec Customer Service Center, PO BOX
5689, Dublin 15, Ireland.
Contents
About the Symantec Network Security In-line Bypass unit ........................... 9
Verifying the contents of the box .....................................................................10
In-line Bypass unit features ............................................................................... 10
The 2 In-line Bypass unit ............................................................................11
The 4 In-line Bypass unit ............................................................................11
USB connection ............................................................................................12
Port groups ...................................................................................................12
Matching port groups to in-line pairs ......................................................14
Online and bypass modes ...........................................................................15
Auto-negotiation on bypass unit interfaces ............................................16
Front panel LEDs on the bypass unit ........................................................ 16
Rear panel LEDs on the bypass unit .........................................................17
Setup overview .....................................................................................................18
Mounting onto a rack ..........................................................................................19
Cabling the 2 In-line Bypass unit to the 7120 ................................................. 20
Cabling port group 0 to the 7120 ............................................................... 21
Cabling port group 1 to the 7120 ............................................................... 22
Cabling the USB port to the 7120 .............................................................. 22
Connecting the power on the 2 In-line Bypass unit ...............................22
Cabling the 4 In-line Bypass unit to the 7160 ................................................. 23
Cabling port group 0 to the 7160 ............................................................... 25
Cabling port group 1 to the 7160 ............................................................... 25
Cabling port group 2 to the 7160 ............................................................... 25
Cabling port group 3 to the 7160 ............................................................... 26
Cabling the USB port to the 7160 .............................................................. 26
Connecting the power on the 4 In-line Bypass unit ...............................26
Product specifications .........................................................................................27
Product certifications .........................................................................................28
CE certification .............................................................................................28
Safety instructions ..............................................................................................28
8 Contents
About the Symantec Network Security In-line
Bypass unit
The In-line Bypass unit is available in two models, the 2 In-line Bypass unit and
the 4 In-line Bypass unit. This user guide contains instructions for both.
The bypass unit provides fail-open capability for in-line installations of the
Symantec Network Security 7100 Series appliance. Fail-open is a configuration
that allows network traffic to continue even if the 7100 Series has a hardware or
software failure that affects one or more of its in-line interface pairs. While
connected to the network and the 7100 Series appliance, the bypass unit
monitors the appliance. If it senses an appliance failure, the bypass unit
provides direct network connectivity.
Both bypass unit models can connect to either 10/100 Base-T (Fast Ethernet) or
10/100/1000 Base-T (gigabit copper) ports. Neither model provides fail-open for
the gigabit fiber interfaces on the 7161 appliance.
Both bypass unit models operate at wire speeds and have no impact on
performance.
To begin using the bypass unit after physically installing it, use the Network
Security console to configure the corresponding in-line pairs.
For more information about using the In-line Bypass unit with your 7100 Series
appliance, see the Symantec Network Security 7100 Series Implementation Guide.
This user guide includes the following topics:
■ Verifying the contents of the box
■ In-line Bypass unit features
■ Setup overview
■ Mounting onto a rack
■ Cabling the 2 In-line Bypass unit to the 7120
■ Cabling the 4 In-line Bypass unit to the 7160
■ Product specifications
■ Product certifications
10
Verifying the contents of the box
■ Safety instructions
Verifying the contents of the box
Verify that the following materials are included with the In-line Bypass unit:
■ Two power cords
■ USB cable
■ Cat-5e Ethernet cables:
■ Four cables with a 2 In-line Bypass unit
■ Eight cables with a 4 In-line Bypass unit
■ Two L- brackets
■ Symantec Network Security In-line Bypass Unit User Guide
Note: Cables are provided to connect the In-line Bypass unit to your 7100 Series
appliance. However, you will need to provide cables to connect the bypass unit
to your network devices.
In-line Bypass unit features
This section contains information about the following topics:
■ The 2 In-line Bypass unit
■ The 4 In-line Bypass unit
■ USB connection
■ Port groups
■ Matching port groups to in-line pairs
■ Online and bypass modes
■ Auto-negotiation on bypass unit interfaces
■ Front panel LEDs on the bypass unit
■ Rear panel LEDs on the bypass unit
In-line Bypass unit features
Table 1-1 summarizes the features of the two bypass unit models.
Table 1-1 In-line Bypass unit features
Feature 2 In-line Bypass unit 4 In-line Bypass unit
Supported appliance model 7120 7160
11
Supported number of in-line interface
pairs (equals number of port groups on
bypass unit)
10/100/1000 Base-TX (MDIX)
interfaces
10/100/1000 Base-T (MDI) interfaces 6 12
USB ports 1 1
The 2 In-line Bypass unit
The 2 In-line Bypass unit has two port groups. It can provide fail-open capability
for up to two in-line connections.
Note: The 2 In-line Bypass unit is supported only for use with the Symantec
Network Security 7120 appliance.
Figure 1-1 shows the rear panel of the 2 In-line Bypass unit.
Figure 1-1 2 In-line Bypass unit
24
24
1 - Serial port (unused)
2 - Mgmt USB
3 - Power supply 1
4 - Power supply 2
The 4 In-line Bypass unit
The 4 In-line Bypass unit has four port groups. It can provide fail-open
capability for up to four in-line connections.
5 - Net A
6 - App A
7 - App B
8 - Net B
9 - Port group 1
10 - Port group 0
12
In-line Bypass unit features
Note: The 4 In-line Bypass unit is supported only for use with the Symantec
Network Security 7160 appliance.
Figure 1-2 shows the rear panel of the 4 In-line Bypass unit.
Figure 1-2 4 In-line Bypass unit
USB connection
Port groups
1 - Serial port (unused)
2 - Mgmt USB
3 - Power supply 1
4 - Power supply 2
The Symantec Network Security 7100 Series appliance communicates with the
In-line Bypass unit via the USB connection. The appliance sends commands to
the bypass unit and also sends a periodic keep-alive signal through the USB
connection.
The 2 In-line Bypass unit contains two groups of four ports each, referred to as
port groups. The ports in the port group connect to the two network segments
and the two interfaces of the appliance in-line pair. The 4 In-line Bypass unit
contains four port groups.
5 - Port group 0
6 - Port group 1
7 - Port group 2
8 - Port group 3
Each port group includes:
Net A, App A, App B, Net B
Figure 1-3 Port group layout
Net A App A App B Net B
In-line Bypass unit features
Each of the four ports has specific cabling requirements. The Net A and App A
ports in the port group, along with the even-numbered port of the 7100 Series
in-line pair, handle traffic on one side of the network connection. The Net B and
App B ports in the port group and the odd-numbered port of the appliance
in-line pair handle traffic on the other side of the network connection.
■ Net A Connects via a network device to one side of the network. Traffic
entering the bypass unit through Net A passes through App A to
one port of the 7100 Series in-line pair.
■ App A Connects to the 7100 Series port that handles traffic on the side of
the network connected to Net A.
■ App B Connects to the 7100 Series port that handles traffic on the side of
the network connected to Net B.
■ Net B Connects via a network device to the other side of the network.
Traffic entering the bypass unit through Net B passes through App
B to one port of the 7100 Series in-line pair.
13
The Net A port of each port group on the bypass unit is implemented as
10/100/1000Base-TX. It is a Medium Dependent Interface, crossed (MDIX). You
may need a crossover cable to connect Net A to some devices. The Net B port of
each port group is implemented as 10/100/1000Base-T (MDI - not crossed).
Consult the documentation for your network devices to determine whether they
require crossover connections.
Figure 1-4 depicts a port group connected to an in-line pair and two network devices.
14
In-line Bypass unit features
Figure 1-4 Connected port group
2 In-line Bypass unit
7120 appliance
0 - Port 0 (eth0)
1 - Port 1 (eth1)
2 - Port 2 (eth2)
3 - Port 3 (eth3)
2/3 - In-line pair 1
Network
4 - Net A
5 - App A
6 - App B
7 - Net B
Network
Port group 0
Port group 1
Matching port groups to in-line pairs
Each port group has a designated in-line pair on the 7100 Series.
Warning: Connect each port group to the specified in-line pair. Connecting a port
group to a different in-line pair is not supported.
Note: Do not connect the bypass unit to 7100 Series interfaces that are
configured in passive mode, or are part of an interface group.
In-line Bypass unit features
Table 1-2 defines the cabling matrix for both In-line Bypass unit models and the
two supported 7100 Series appliance models.
Table 1-2 Cabling matrix
15
In-line Bypass unit
model
2 In-line Bypass unit 0 In-line pair 0
4 In-line Bypass unit 0 In-line pair 0
Online and bypass modes
Bypass unit
port group
1 In-line pair 1
1 In-line pair 1
2 In-line pair 2
3 In-line pair 3
7120 in-line pair 7160 in-line pair
Ports 0/1
Ports 2/3
Ports 0/1
Ports 2/3
Ports 4/5
Ports 6/7
The bypass unit can operate in two modes:
■ Online mode: Network traffic passes from the bypass unit to the 7100 Series
for analysis, then goes back to the bypass unit and out through the other
network interface.
■ Bypass mode: Network traffic entering the bypass unit passes directly from
one side of the network to the other, without going through the 7100 Series.
After connecting the bypass unit, each time you reboot the 7100 Series
appliance, all port groups on the bypass unit initially operate in bypass mode.
When a sensor process starts on an in-line pair connected to the bypass unit, the
corresponding port group changes to online mode.
See the Symantec Network Security 7100 Series Implementation Guide for
information about starting a sensor on an in-line pair.
While the keep-alive signal is active on the USB port, the bypass unit operates in
online mode, meaning that all network traffic passes through the 7100 Series
appliance. If the keep-alive signal stops, the bypass unit changes to bypass
16
In-line Bypass unit features
mode, in which the two sides of the network are directly connected and the 7100
Series is bypassed.
Auto-negotiation on bypass unit interfaces
The interface link parameters, including speed and duplex mode, should be
auto-negotiated between Net A and App A, and Net B and App B. You should not
force the link speed or duplex mode to a specific setting on network devices that
connect to Net A or Net B. Forcing the link parameters to a certain value may
result in link speed or duplex mismatches which could cause degraded
performance or possible loss of connectivity.
After connecting the bypass unit to a 7100 Series appliance, you should verify
the link speed and duplex parameters for all interfaces in the port group. To
verify the link parameters for Net A and Net B, log on to the connected network
devices and display the status for the connected interfaces. Ensure that the
connected interfaces are configured for auto-negotiation of link parameters.
To verify the link parameters for App A and App B, use the Network Security
console. After starting a sensor on the corresponding in-line pair, you can view
the link parameters by clicking each interface object in the in-line pair.
The parameter values for all interfaces in a port group should be the same when
the bypass unit is in online mode. For a 2 In-line Bypass unit connected to a
7120, all port group interfaces should auto-negotiate to 100 Mbps in online
mode. However, in bypass mode, when Net A and Net B on a 2 In-line Bypass unit
are connected to gigabit interfaces on both network devices, auto-negotiation
allows the bypass unit to run at up to 1000 Mbps.
Front panel LEDs on the bypass unit
Both In-line Bypass unit models share a common front panel that contains a
number of status LEDs.
Figure 1-5 shows the bypass unit front panel LED configuration.
Figure 1-5 Bypass unit front panel LEDs
45
760123
Table 1-3 describes the LEDs shown in the diagram.
Table 1-3 Bypass unit front panel LED descriptions
17
In-line Bypass unit features
Diagram
LED label LED name Description
location
ONLINE
0 P0 Port group 0 The P0 LED glows when port group 0 is
operating in online mode.
1 P1 Port group 1 The P1 LED glows when port group 1 is
operating in online mode.
2 P2 Port group 2 The P2 LED glows when port group 2 is
operating in online mode.
3 P3 Port group 3 The P3 LED glows when port group 3 is
operating in online mode.
MGMT
4 TX Transmit data The TX LED blinks when the bypass unit is
transmitting data on the USB connection.
5 RX Receive data The RX LED blinks when the bypass unit is
receiving data on the USB connection.
PWR
6 PS1 Power supply 1 The PS1 LED glows when power supply 1 is
7 PS2 Power supply 2 The PS2 LED glows when power supply 2 is
Rear panel LEDs on the bypass unit
The rear panel status LEDs are located in the top left and top right corners of
each port in the port groups. On the bypass unit, the LEDs are labeled only for
the top ports, but the labels apply to the ports in the lower port group as well.
Figure 1-6 shows the bypass unit rear panel LED configuration.
connected to a power source.
connected to a power source.
18
Setup overview
Figure 1-6 Bypass unit rear panel LEDs
Table 1-4 describes the LEDs shown in the diagram.
Table 1-4 Bypass unit rear panel LED descriptions
LED label LED name LED color Description
LT Link test Green The LT LED glows green to indicate an active
link signal on the port.
ALM Alarm Red The ALM LED in the top right corner of the Net
BYP Bypass Yellow The BYP LED in the top right corner of the App
ON Online Green The ON LED in the top right corner of the App
GIG Gigabit Green The GIG LED in the top right corner of the Net
Setup overview
You can set up the In-line Bypass unit in five basic steps.
A port glows red for an alarm condition such
as lack of a link signal on one or more ports in
the port group.
A port glows yellow when the port group is
operating in bypass mode.
B port glows green when the port group is
operating in online mode.
B port glows green when the port group is
operating in gigabit mode (1000Mbps). It is off
when the port group is operating at 100 Mbps
or 10 Mbps.
To set up the In-line Bypass unit
1 Mount the bypass unit onto the rack.
See “Mounting onto a rack” on page 19.
2 Cable the bypass unit to one or more in-line interface pairs on the 7100
Series appliance.
See “Cabling the 2 In-line Bypass unit to the 7120” on page 20.
See “Cabling the 4 In-line Bypass unit to the 7160” on page 23.
3 Connect the power and turn on the bypass unit.
See “Connecting the power on the 2 In-line Bypass unit” on page 22.
See “Connecting the power on the 4 In-line Bypass unit” on page 26.
4 Boot up the 7100 Series appliance.
5 Start a sensor on each appliance in-line pair that is connected to the bypass
unit.
See the Symantec Network Security 7100 Series Implementation Guide.
Mounting onto a rack
19
Mounting onto a rack
The bypass unit rack mounting hardware includes two L-brackets. The In-line
Bypass unit includes four screws that are threaded into the cover sides. You can
use these screws to attach the L-brackets to the bypass unit.
To mount using L-brackets onto a two-post rack
1 Remove the four screws from the bypass unit cover. Position each L-bracket
against the bypass unit side panel toward the rear, as shown. Attach the
brackets securely using the same screws.
2 Lift the bypass unit into place so that the L-brackets press against the rack
posts.
20
Cabling the 2 In-line Bypass unit to the 7120
3 Using the screws supplied with your rack, securely attach the L-brackets to
the posts on both sides of the bypass unit, as shown in the following
diagram.
Cabling the 2 In-line Bypass unit to the 7120
You must connect the USB port, and you can connect one or both port groups
from the 2 In-line Bypass unit to the 7120.
See the sections:
■ Cabling port group 0 to the 7120
■ Cabling port group 1 to the 7120
■ Cabling the USB port to the 7120
■ Connecting the power on the 2 In-line Bypass unit
Warning: To prevent a possible electric shock, do not connect the power until all
other cabling is done.
Figure 1-7 shows the USB port connection and both port group connections to
the proper ports on the 7120.
Figure 1-7 Cabling to the 7120
21
Cabling the 2 In-line Bypass unit to the 7120
2 In-line Bypass unit
Mgmt USB
7120 appliance
Network 1
Net A
Network 2 Network 2
AppA AppB
Network 1
Net B
Port group 0
Port group 1
0 - Port 0
1 - Port 1
2 - Port 2
3 - Port 3
Note: Follow the cabling instructions carefully to match each in-line interface
pair with its associated port group on the bypass unit. Connect in-line pair 0
(ports 0/1 on the appliance) to port group 0 on the bypass unit. Connect in-line
pair 1 on the 7120 to port group 1 on the bypass unit.
4 - USB ports
5 - In-line pair 0
6 - In-line pair 1
Cabling port group 0 to the 7120
Port group 0 is the upper port group on the 2 In-line Bypass unit. You should
connect it only to in-line pair 0 on the 7120.
22
Cabling the 2 In-line Bypass unit to the 7120
To cable port group 0 to the 7120
1 Shut down and disconnect the power from the 7120 appliance and the
In-line Bypass unit.
2 On the bypass unit, connect Net A of port group 0 to one side of the network.
3 Connect App A of port group 0 to port 0 on the 7120.
4 Connect App B of port group 0 to port 1 on the 7120.
5 Connect Net B of port group 0 to the other side of the network.
Cabling port group 1 to the 7120
Port group 1 is the lower port group on the 2 In-line Bypass unit. You should
connect it only to in-line pair 1 on the 7120.
To cable port group 1 to the 7120
1 Shut down and disconnect the power from the 7120 appliance and the
In-line Bypass unit.
2 On the bypass unit, connect Net A of port group 1 to one side of the network.
3 Connect App A of port group 1 to port 2 on the 7120.
4 Connect App B of port group 1 to port 3 on the 7120.
5 Connect Net B of port group 1 to the other side of the network.
Cabling the USB port to the 7120
The appliance communicates with the bypass unit through the USB connection.
You can use either USB port on the 7120.
To cable the USB port to the 7120
◆ Plug one end of the USB cable into either USB port on the 7120, and plug the
other end into the Mgmt USB port on the 2 In-line Bypass unit.
Connecting the power on the 2 In-line Bypass unit
You can connect the bypass unit to a power source after all other cabling is done.
To connect the power
1 Plug one power cord into a power socket on the bypass unit and into a power
source.
2 Plug the second power cord into the other socket on the bypass unit and into
a second power source.
Cabling the 4 In-line Bypass unit to the 7160
Warning: To avoid a shock hazard, the power cords must be connected to
properly wired, grounded outlets. Do not use an extension cord.
Cabling the 4 In-line Bypass unit to the 7160
You must connect the USB port, and you can connect one to four port groups
from the 4 In-line Bypass unit to the 7160.
See the sections:
■ Cabling port group 0 to the 7160
■ Cabling port group 1 to the 7160
■ Cabling port group 2 to the 7160
■ Cabling port group 3 to the 7160
23
■ Cabling the USB port to the 7160
■ Connecting the power on the 4 In-line Bypass unit
Warning: To prevent a possible electric shock, do not connect the power until all
other cabling is done.
Figure 1-8 shows the USB port connection and all port group connections to the
proper ports on the 7160.
24
Cabling the 4 In-line Bypass unit to the 7160
Figure 1-8 Cabling to the 7160
Networks W, X, Y, Z
W
W
X
Y
Z
4 In-line Bypass unit
Port group 0
Port group 1
7160
X
Y
Z
Port
group 2
Port
group 3
0 - Port 0
1 - Port 1
2 - Port 2
3 - Port 3
4 - Port 4
5 - Port 5
6 - Port 6
7 - Port 7
8 - RST0
9 - RST1
10 - RST2
11 - Management port
12 - Mgmt USB on bypass unit
13 - USB ports
14 - In-line pair 0
15 - In-line pair 1
16 - In-line pair 2
17 - In-line pair 3
Note: Follow the cabling instructions carefully to match each in-line interface
pair with its associated port group on the bypass unit. Connect in-line pair 0
(ports 0/1 on the appliance) to port group 0 on the bypass unit. Connect in-line
pair 1 on the 7160 to port group 1 on the bypass unit. Connect in-line pair 2 to
port group 2, and connect in-line pair 3 to port group 3.
Cabling port group 0 to the 7160
Port group 0 is the upper left port group on the 4 In-line Bypass unit. You should
connect it only to in-line pair 0 on the 7160.
To cable port group 0 to the 7160
1 Shut down and disconnect the power from the 7160 appliance and the
In-line Bypass unit.
2 On the bypass unit, connect Net A of port group 0 to one side of the network.
25
Cabling the 4 In-line Bypass unit to the 7160
3 Connect App A of port group 0 to port 0 on the 7160.
4 Connect App B of port group 0 to port 1 on the 7160.
5 Connect Net B of port group 0 to the other side of the network.
Cabling port group 1 to the 7160
Port group 1 is the lower left port group on the 4 In-line Bypass unit. You should
connect it only to in-line pair 1 on the 7160.
To cable port group 1 to the 7160
1 Shut down and disconnect the power from the 7160 appliance and the
In-line Bypass unit.
2 On the bypass unit, connect Net A of port group 1 to one side of the network.
3 Connect App A of port group 1 to port 2 on the 7160.
4 Connect App B of port group 1 to port 3 on the 7160.
5 Connect Net B of port group 1 to the other side of the network.
Cabling port group 2 to the 7160
Port group 2 is the upper right port group on the 4 In-line Bypass unit. You
should connect it only to in-line pair 2 on the 7160.
26
Cabling the 4 In-line Bypass unit to the 7160
To cable port group 2 to the 7160
1 Shut down and disconnect the power from the 7160 appliance and the
In-line Bypass unit.
2 On the bypass unit, connect Net A of port group 2 to one side of the network.
3 Connect App A of port group 2 to port 4 on the 7160.
4 Connect App B of port group 2 to port 5 on the 7160.
5 Connect Net B of port group 2 to the other side of the network.
Cabling port group 3 to the 7160
Port group 3 is the lower right port group on the 4 In-line Bypass unit. You
should connect it only to in-line pair 3 on the 7160.
To cable port group 3 to the 7160
1 Shut down and disconnect the power from the 7160 appliance and the
In-line Bypass unit.
2 On the bypass unit, connect Net A of port group 3 to one side of the network.
3 Connect App A of port group 3 to port 6 on the 7160.
4 Connect App B of port group 3 to port 7 on the 7160.
5 Connect Net B of port group 3 to the other side of the network.
Cabling the USB port to the 7160
The appliance communicates with the bypass unit through the USB connection.
You can use either USB port on the 7160.
To cable the USB port to the 7160
◆ Plug one end of the USB cable into either USB port on the 7160, and plug the
other end into the Mgmt USB port on the 4 In-line Bypass unit.
Connecting the power on the 4 In-line Bypass unit
You can connect the bypass unit to a power source after all other cabling is done.
To connect the power
1 Plug one power cord into a power socket on the bypass unit and into a power
source.
2 Plug the second power cord into the other socket on the bypass unit and into
a second power source.
Warning: To avoid a shock hazard, the power cords must be connected to
properly wired, grounded outlets. Do not use an extension cord.
Product specifications
Table 1-5 provides the physical, environmental, and power specifications for the
In-line Bypass unit models.
Table 1-5 Product Specifications
Parameter 2 In-line Bypass unit 4 In-line Bypass unit
Length 30.48 cm (12 in) 30.48 cm (12 in)
27
Product specifications
Width 43.18 cm (17 in) 43.18 cm (17 in)
Height 4.45 cm (1.75 in) 4.45 cm (1.75 in)
Weight 3.4 kg (7.5 lbs) 3.63 kg (8 lbs)
Operating
temperature range
Storage temperature
range
Operating humidity 10 to 85% non-condensing 10 to 85% non-condensing
Storage humidity Non-condensing Non-condensing
Operating altitude Up to 3100 meters Up to 3100 meters
Storage altitude Up to 4600 meters Up to 4600 meters
AC input voltage 110/220 VAC 110/220 VAC
Power consumption 15 W 25 W
0° to 40° C (32° to 104° F) 0° to 40° C (32° to 104° F)
-25° to 70° C (-13° to 158° F) -25° to 70° C (-13° to 158° F)
28
Product certifications
Product certifications
The In-line Bypass unit is designed to meet specific regulatory requirements for
public safety.
CE certification
CE certification includes the following:
■ EN55022 (1998), Class A Emissions
■ RF Radiated
■ Conducted
■ EN55024 (1998)
■ ESD Immunity
■ RF Field Immunity
■ Electric Fast Transient/Burst Immunity
■ Surge Immunity
■ RF Conducted Immunity
■ EN60950 (2001)
■ General Requirements (to reduce risk of fire, shock, or injury)
■ Remote Power Feeding
Safety instructions
For your protection, read and follow all safety instructions for the Symantec
Network Security In-line Bypass unit.
■ Instructions
Read safety and operating instructions before installing and operating the
bypass unit.
■ Ventilation
Do not block or cover fans or ventilation openings on the bypass unit.
Install the bypass unit in a properly ventilated area.
■ Power
Caution: Unplugging the power cords ensures that the bypass unit is
disconnected from the power sources. The power source outlets must be
located near the bypass unit and be easily accessible.
Safety instructions
Warning: The power cords must be plugged into properly wired, grounded
outlets. Do not use an extension cord.
Warning: To reduce the risk of electrical shock, do not disassemble the
bypass unit. Return it to Symantec if servicing is required. Opening or
removing covers may expose you to dangerous voltage or other risks.
Incorrect reassembly can cause electrical shock on subsequent use of the
bypass unit.
Note: Opening the cover will void your warranty.
Warning: To prevent a possible electrical shock when installing the bypass
unit, unplug the power cords before installing network cables.
29
Warning: To prevent a possible electrical shock when adding the bypass unit
to a system, disconnect all power cords, if possible, from the existing system
before connecting the signal cable to that device.
Warning: To prevent possible electrical shock, do not connect or disconnect
cables during an electrical storm.
Warning: To prevent possible electrical shock from touching two surfaces
with different electrical grounds, use one hand to connect or disconnect
cables.
Warning: Electrical current from power, telephone, and network cables is
hazardous.
■ Equipment rack
Follow these precautions when installing and operating the bypass unit in
an equipment rack:
■ Ensure that the ambient temperature around the bypass unit is within
the specified limits.
■ Ensure that there is sufficient air flow around the bypass unit.
■ Ensure that electrical circuits are not overloaded. Consider the power
ratings of all connected equipment and ensure that you have
overcurrent protection.
30
Safety instructions
Loading...