Overview
8-Port 10/100/1000Base-T Network Module with Hardware
Bypass
The Secure Firewall 3100 chassis has one network module slot named NM-2. Network modules are optional,
removable I/O modules that provide either additional ports or different interface types. The network module
plugs into the chassis on the front panel. See
slot on the chassis.
FPR3K-XNM-8X1GF is an 8-port 10/100/1000Base-T hardware bypass network module. The eight ports are
numbered from top to bottom, left to right. Ports 1 and 2, 3 and 4, 5 and 6, and 7 and 8 are paired for hardware
bypass mode. In hardware bypass mode, data is not processed by the Secure Firewall 3100 but is routed to
the paired port.
Hardware bypass (also known as fail-to-wire) is a physical layer (Layer 1) bypass that allows paired interfaces
to go into bypass mode so that the hardware forwards packets between these port pairs without software
intervention. Hardware bypass provides network connectivity when there are software or hardware failures.
Hardware bypass is useful on ports where the secure firewall is only monitoring or logging traffic. The
hardware bypass network modules have an optical switch that is capable of connecting the two ports when
needed. The hardware bypass network modules have built-in SFPs.
Note
Hardware bypass is supported only on a fixed set of ports. You can pair Port 1 with Port 2, Port 3 with Port
4, but you cannot pair Port 1 with Port 4 for example.
Note
Note
Note
Hardware bypass is only supported with threat defense, although you can use these modules in nonbypass
mode in threat defense or ASA.
When the appliance switches from normal operation to hardware bypass or from hardware bypass back to
normal operation, traffic may be interrupted for several seconds. A number of factors can affect the length of
the interruption; for example, behavior of the optical link partner such as how it handles link faults and
debounce timing; spanning tree protocol convergence; dynamic routing protocol convergence; and so on.
During this time, you may experience dropped connections.
If you have an inline interface set with a mix of hardware bypass and nonhardware bypass interfaces, you
cannot enable hardware bypass on this inline interface set. You can only enable hardware bypass on an inline
interface set if all the pairs in the inline set are valid hardware bypass pairs.
The 8-port 10/100/1000Base-T network module is supported beginning with FTD 7.2.3 and ASA 9.18.2.
8-Port 10/100/1000Base-T Network Module with Hardware Bypass
Front Panel, on page 8
Cisco Secure Firewall 3100 Series Hardware Installation Guide
for the location of the network module
19