LAN Bypass for More Robust Networks
Intel® processor microarchitectures are helping drive the creation of ever-more nimble networks—Now LAN bypass for circumventing harm to the vital data on those networks is also becoming more agile.
Trends in Networking
Advances in networking such as the integration of workloads of different types with 10-40 Gb/s speeds, virtualization, power management of multicore CPU’s, etc. are ushering in a new generation of networks. LAN Bypass isn’t a tool that’s much thought of when thinking about the new ‘agile’ networks. It is more a technique to ensure network robustness. Survivability depends on implementing the new and the tried and true.
Circumvention to the Rescue
Few things in our modern world have the unquestioned value of enterprise data. Data can be critical to the operation of the organization or even represent its lifeblood in on-line transaction processing (OLTP) systems. A fault in an in-line networking system can shut the network down and prove costly. Faults can originate from software, hardware, or power supply issues.
If the network is architected with a LAN bypass the problem can literally be circumvented. The datastream intended for the affected in-line networking node is shunted around the device until the device can be brought back up.
|Figure 1. To configure a LAN bypass, two LAN ports are linked together during bypass mode operation in order to shunt network traffic around a faulted node and back to the network datastream and onto the next inline device. Bypass is often a feature of the network node itself or it can be added to the network as a dedicated LAN bypass device.|
Implementation of LAN bypass comes in two basic approaches: integrated into the networking device or as a dedicated LAN bypass switch. Within these two types, the LAN bypass, depending on the network, will be either copper- or fiber-based. The mechanics of both are basically the same in shunting network traffic. LANs are linked into pairs taking where a LAN port takes in the network datastream and its like companion shunts it out again to the next in-line device. This ensures the preservation of important network data.
Another significant categorization is non-latching and latching bypass. A latching bypass is able to maintain its state when the network node’s power is off, not so with non-latching bypass. This means the latching LAN bypass is not impacted by power failures, but the non-latching versions will only be helpful where the appliance is able to maintain power through battery power or some other back-up methods like an uninterruptable power supply (UPS). The non-latching method retains its value if the fault was from a software or hardware malfunction not impacting power.
Fiber-based LAN bypass systems require that power be retained to LAN bypass switches. WIN Enterprises utilizes technology from Agiltron to accomplish this (see Figure 2). Agiltron manufactures a 2×2 (i.e., two pairs) single-mode opto-mechanical fiberoptic switch with 2 simultaneously activated bypass switches in a single compact format. The device connects optical channels by redirecting incoming optical signals into selected output fibers. The mechanism uses a proprietary opto-mechanical configuration that is activated via an electrical control signal. Latching operation preserves the selected optical path after the drive signal has been removed. The design significantly reduces the moving parts of traditional switches to provide higher stability. Agiltron offers a family of bypass switch products available in multiple configurations for both single-mode and multi-mode optical fiber and latching and non-latching operation.
Figure 2. One approach to avoiding the moving parts associated with conventional switches is to opt for switch activation via an electrical control signal.
And soon to be on the market is a 1x or 2x dual-port fiber, single LAN bypass module. Designed expressly for Intrusion Prevention Systems (IPS), it will provide complete visibility to network traffic. It will also act as a fail-safe point should the unit lose power, the cable fail, or the application freeze.
Dedicated LAN Bypass Switches
Dedicated LAN bypass devices often support the most current 40-10 Gb/s LAN technology. These devices use a microsecond heartbeat detection system to detect a fault in an appliance. LAN bypass is implemented immediately upon this detection. When the heartbeat signal is returned again, the node is immediately brought back online.
The Overall Advantages of LAN Bypass
- Network traffic keeps flowing when the in-line appliance fails. Flow of critical data and transactions are maintained.
- If the feature is provided by a dedicated LAN bypass switch an impacted appliance can be removed or serviced without impacting network traffic.
- In the case of LAN bypasses that are integrated into the appliance, the device will operate in an ‘open mode’ during bypass. This means any security operation the appliance normally does is suspended. This can be overcome through network design and software redundancy at critical points. The security requirements of a particular application should be considered before including a LAN Bypass feature in order to weigh any potential security versus data value trade-offs
- Bypass capability adds cost to the solution, but will save cost in the long run by increasing network’s uptime.
- A node on an in-line network represents a single point of failure. The bypass switch moves this point of failure from the appliance to the bypass switch. However, as a much simpler device, the LAN bypass is not apt to fail.
LAN Bypass Options
COTS appliance with integrated LAN bypass. Fiber-based solutions always use a LAN Bypass add-on card. Copper-based units have both on-board (i.e., the motherboard) or add-on card. Appliances can then be modified to meet an OEM’s more exact specifications.
Mezzanine card with LAN bypass as an addition to an existing solution.
These cards can connect to COTS boards or appliances.
Fully custom LAN bypass device. WIN Enterprises can also work with the OEM to design and manufacture a fully custom LAN bypass device or appliance with integrated capability. WIN Enterprises welcomes the opportunity to share some of its unique expertise.
Figure 3. R 316A expansion module with 2x SFP+ 10 GbE ports, non-latching bypass, Intel® Ethernet Controller XL710 10/40 GbE (Fortville). Supports the Intel® Xeon® E5-2600 processor v3 (EP) with up to 12 cores in a 1U rackmount appliance. This processor is significant because of its ability to scan smaller packet sizes to more practical security applications. The appliance features redundant power.
Figure 4. PL-10610 with Intel® Xeon® E5-2600 processor v3 (EP) demonstrates how a card can be added to an existing appliance to create a new product capable of LAN bypass. In this case, the R 316A card (Figure 3) was added to a revised PL-10590 chassis to create the PL-1061A. The high-performance device can be used for edge security with by-pass capability.
Todd Sirois has held the position of Technical Project Manager/FAE at WIN Enterprises since 2006. This position incorporates Project Management, Sales/Sales Support and Technical Concept Development. In addition, Sirois helps manage the end-of-life (EOL) process for WIN embedded products. He has been employed in the PC hardware and software industry since 1998.Previous experience includes QA for AAA software titles at the Vivendi/Universal subsidiary Papyrus Design Group, Irrational Games (now 2K Boston).