Through the Events screen for TPS devices, you can create and manage inspection bypass rules. Each rule is a set of criteria used to determine whether a given packet should be routed through the device without further inspection.
Inspection bypass is available for TippingPoint TPS devices. vTPS devices are not supported. Because TPS devices perform inspection bypass only at the BCM (switch) level, some inspection bypass rules that you might have previously employed on NX-platform devices (which can also apply bypass rules at the FPGA level) will not work on TPS devices. Contact your support representative for information on how to determine whether other solutions, such as traffic management rules, can serve as a workaround. For example, one workaround is to use the custom Ethernet type 8847 and 8848 for MPLS traffic.
The maximum number of bypass rules is 8 for IPS devices and 32 for TPS devices.
Entry title: Description
ID: Reference ID of the rule in the listing.
Enabled: Enabled/disabled status.
Name: Name of the bypass rule. Inspection bypass rule names should be unique. The name is an SMS-only feature and does not appear on the managed device.
Ethernet Type: Type of packets that are exempt from inspection, based on the rule's criteria:
  • IP — Type of IP packets that are exempt.
  • Not IP — All non-IP packets that are exempt from inspection.
  • Protocol — Packets from a specified protocol that are exempt.
IP Protocol: Transport layer protocol of packets to exempt from inspection.
Statistics: Number of packets that match a bypass rule.
Src IP: Source IP address of packets to exempt from inspection.
Src Port: Source port of packets to exempt from inspection. This field is valid only if TCP or UDP is specified in the IP Protocol field.
Dst IP: Destination IP address of packets to exempt from inspection.
Dst Port: Destination port of packets to exempt from inspection. This field is valid only if TCP or UDP is specified in the IP Protocol field.
Action: Action that the rule applies to the traffic. (TPS devices only)
  • Bypass (default) – Bypasses the traffic.
  • Block – Blocks the traffic.
  • Redirect – Redirects the traffic. A Target Port field (required) is displayed for you to specify which segment port the traffic gets redirected to. This option is unselectable if no target port is available.
  • Ingress mirror – Mirrors (copies) traffic entering the port to another segment port before the traffic gets inspected. A Target Port field (required) is displayed for you to specify which segment port the traffic gets mirrored to. Four mirror-to-port (MTP) configurations are supported. This option is unselectable if no target port is available.
  • Egress mirror – Mirrors (copies) inspected traffic exiting the port to another segment port. A Target Port field (required) is displayed for you to specify which segment port the inspected traffic gets mirrored to. Four MTP configurations are supported. The port-assigned Virtual LAN (VLAN) is recorded inside the captured packet. This option is unselectable if no target port is available.
Configuring Inspection Bypass Rules includes the following areas:
  • Name — Descriptive name and enabled state option.
  • Action — Action that the rule applies to the traffic.
  • Protocol — Ethernet frames that match these settings and the settings specified for VLAN are delivered directly to the other side of the IPS segment. They are not routed for inspection.
  • VLAN — Configure the VLAN tag. Ethernet frames that match these settings and the settings specified for Protocol are delivered directly to the other side of the Device segment. They are not routed to an iLink for inspection.
  • Segments — Segments whose traffic is subject to the Inspection Bypass Rule.
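
The field constraints described above (rule limits per device type, unique names, ports valid only with TCP or UDP, a required target port for redirect and mirror actions, actions other than bypass on TPS only) can be checked offline when reviewing a planned rule set. This is an added example, not part of the product documentation or of SMS; the dictionary keys, the `lint_rules` function and the sample rules are assumptions made for illustration.

```python
# Added example: offline lint for a list of inspection bypass rules.
# The dict layout and key names are assumptions, not an SMS export format.
MAX_RULES = {"IPS": 8, "TPS": 32}            # limits stated on this page
TARGET_ACTIONS = {"redirect", "ingress mirror", "egress mirror"}
ACTIONS = {"bypass", "block"} | TARGET_ACTIONS


def lint_rules(device_type, rules):
    """Return a list of (rule name, problem) tuples; empty means clean."""
    problems = []
    limit = MAX_RULES[device_type]
    if len(rules) > limit:
        problems.append(("*", f"{len(rules)} rules exceed the {device_type} limit of {limit}"))
    seen = set()
    for rule in rules:
        name = rule.get("name", "")
        if name in seen:                           # names should be unique
            problems.append((name, "duplicate rule name"))
        seen.add(name)
        action = rule.get("action", "bypass")      # Bypass is the default
        if action not in ACTIONS:
            problems.append((name, f"unknown action {action!r}"))
        elif device_type != "TPS" and action != "bypass":
            problems.append((name, "actions other than bypass are TPS only"))
        if action in TARGET_ACTIONS and not rule.get("target_port"):
            problems.append((name, f"{action} requires a target port"))
        has_port = rule.get("src_port") is not None or rule.get("dst_port") is not None
        if has_port and rule.get("ip_protocol") not in ("TCP", "UDP"):
            problems.append((name, "ports are valid only with TCP or UDP"))
    return problems


# Constructed sample rules, not taken from a real device.
SAMPLE = [
    {"name": "backup-net", "ip_protocol": "TCP", "dst_port": 873},
    {"name": "gre-tunnel", "ip_protocol": "GRE", "src_port": 4000},
    {"name": "tap-out", "action": "ingress mirror"},
    {"name": "backup-net", "action": "block"},
]

if __name__ == "__main__":
    for name, problem in lint_rules("TPS", SAMPLE):
        print(f"{name}: {problem}")
```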