Chapter 1: Hardware Overview
When PPM is enabled, a PPM daemon monitors the health of IDP traffic interfaces belonging to the same virtual router. If a traffic interface loses link, the PPM process turns off any associated network interfaces in the same virtual router so that other network devices detect that the virtual router is down and route around it. For example, assume you have enabled PPM and configured IDP virtual routers as shown in Figure 8 on page 13.
Figure 8: Peer Port Modulation
Suppose there is a network problem and eth3 goes down. The PPM daemon detects this and turns off the other interface in vr0: eth2. The interfaces in vr1, vr2, and vr3 are unaffected. After you fix the problem with eth3, the PPM daemon detects the restored link and turns eth2 back on.
NOTE: The PPM feature is independent of the bypass feature (NIC state setting). PPM is related to the status of the link, not the status of the IDP operating system. A link can be down even when the IDP operating system is healthy. Note, however, that PPM runs as a control plane process and operates only when the IDP appliance is turned on and the control plane is available. If the IDP operating system is unavailable, the PPM feature is also unavailable, regardless of the setting for the NIC state.
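The PPM behavior described above, as a small model in Python. This is an added example, not code from the guide or from Juniper. It tracks real link loss separately from PPM-forced shutdown, so a virtual router with two failed links stays down until both recover; the vr1 membership (eth4, eth5) is an assumed value.

```python
# Added model of the PPM behaviour described above; not Juniper's implementation.
# vr0 = eth2/eth3 comes from the page's example; vr1's members are constructed.
SAMPLE_VRS = {"vr0": ["eth2", "eth3"], "vr1": ["eth4", "eth5"]}


class PPMModel:
    def __init__(self, virtual_routers):
        self.vrs = {vr: list(members) for vr, members in virtual_routers.items()}
        self.link_lost = set()     # interfaces whose link has really failed
        self.ppm_disabled = set()  # healthy interfaces that PPM has turned off

    def _vr_of(self, iface):
        for vr, members in self.vrs.items():
            if iface in members:
                return vr
        raise KeyError(f"{iface} is not assigned to a virtual router")

    def _reconcile(self, vr):
        members = self.vrs[vr]
        any_failed = any(i in self.link_lost for i in members)
        for i in members:
            # Turn off healthy peers while any member has lost link;
            # release them only once every member's link is back.
            if any_failed and i not in self.link_lost:
                self.ppm_disabled.add(i)
            else:
                self.ppm_disabled.discard(i)

    def link_event(self, iface, up):
        vr = self._vr_of(iface)
        if up:
            self.link_lost.discard(iface)
        else:
            self.link_lost.add(iface)
        self._reconcile(vr)

    def state(self, iface):
        self._vr_of(iface)  # reject unknown interfaces
        if iface in self.link_lost:
            return "link-down"
        return "ppm-off" if iface in self.ppm_disabled else "up"


if __name__ == "__main__":
    ppm = PPMModel(SAMPLE_VRS)
    ppm.link_event("eth3", up=False)
    print({i: ppm.state(i) for i in ("eth2", "eth3", "eth4", "eth5")})
    ppm.link_event("eth3", up=True)
    print({i: ppm.state(i) for i in ("eth2", "eth3", "eth4", "eth5")})
```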
Layer 2 Bypass
When you configure virtual routers, you have the option of enabling Layer 2 bypass.
When the IDP appliance is turned on and is operating normally, the traffic interfaces select Layer 3 connections for inspection and process them according to security policy rules.
For Layer 2 connections, the interfaces either select traffic for inspection, drop it, or pass it through (uninspected), according to the following rules:
■ The interfaces select Address Resolution Protocol (ARP) and Internet Protocol (IPv4) traffic for inspection and process it according to security policy rules.
■ By default, the interfaces drop all other Layer 2 traffic.