TMS zl Management and Configuration Guide ST.1.0.090213
Overview
Operating Modes
Internal Ports in Routing Mode
As mentioned earlier, the TMS zl Module has two internal ports. If you select
routing mode, the two internal ports operate as follows:
■ Port 1—This port sends and receives all network traffic that is being
filtered by the TMS zl Module. It also sends and receives all management
traffic.
■ Port 2—This port sends and receives traffic related to an HA cluster (if
one is configured on the TMS zl Module).
Port 1 VLAN Membership. When the TMS zl Module operates in routing
mode, its port 1 (data port) is a tagged member of all of the TMS VLANs. Note
that these VLANs must exist on the host switch.
Port 2 VLAN Membership. When the TMS zl Module is in routing mode,
port 2 is an untagged member of the HA VLAN. By default this is VLAN 1, but
it is recommended that you change the HA VLAN before operating the TMS zl
Module. The VLAN that you select must exist on the host switch, and it is
recommended that this VLAN be reserved for HA traffic. For more information,
see “High Availability” in Chapter 2: “Initial Setup in Routing Mode.”
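The VLAN membership rules above can be checked against a planned configuration before the module is put into service. The following is an added example, not part of the guide or of any HP tooling; the function name, its parameters and the sample VLAN IDs are assumptions made for illustration.

```python
# Added example: pre-deployment check of a routing-mode VLAN plan.
# Function and parameter names are hypothetical, not TMS zl or ProCurve APIs.

DEFAULT_HA_VLAN = 1              # per the guide, the HA VLAN is VLAN 1 by default
VALID_VLAN_IDS = range(1, 4095)  # usable IEEE 802.1Q VLAN IDs (1-4094)


def check_vlan_plan(switch_vlans, tms_vlans, ha_vlan):
    """Return (level, message) findings for a routing-mode VLAN plan.

    switch_vlans -- VLAN IDs that exist on the host switch
    tms_vlans    -- TMS VLANs (internal port 1 is a tagged member of each)
    ha_vlan      -- HA VLAN (internal port 2 is an untagged member)
    """
    switch_vlans, tms_vlans = set(switch_vlans), set(tms_vlans)
    findings = []

    # Sanity check: every planned ID must be a usable 802.1Q VLAN ID.
    for vid in sorted(tms_vlans | {ha_vlan}):
        if vid not in VALID_VLAN_IDS:
            findings.append(("error", f"VLAN {vid} is not a valid VLAN ID"))

    # Requirement: every TMS VLAN must exist on the host switch.
    for vid in sorted(tms_vlans - switch_vlans):
        findings.append(("error", f"TMS VLAN {vid} is missing on the host switch"))

    # Requirement: the selected HA VLAN must exist on the host switch.
    if ha_vlan not in switch_vlans:
        findings.append(("error", f"HA VLAN {ha_vlan} is missing on the host switch"))

    # Recommendation: move the HA VLAN off the default before operation.
    if ha_vlan == DEFAULT_HA_VLAN:
        findings.append(("warning", "HA VLAN is still the default VLAN 1"))

    # Recommendation: reserve the HA VLAN for HA traffic only.
    if ha_vlan in tms_vlans:
        findings.append(("warning", f"HA VLAN {ha_vlan} is also a TMS VLAN"))

    return findings


if __name__ == "__main__":
    # Constructed sample plan: VLAN 40 was never created, HA left on default.
    for level, message in check_vlan_plan({1, 10, 20, 30}, {10, 20, 40}, 1):
        print(f"{level.upper()}: {message}")
```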
Monitor Mode
In monitor mode, the TMS zl Module acts as an IDS only. It examines traffic
for threats, matching packets to its IDS signature library and checking for
protocol anomalies. However, the module does not take action to mitigate
detected threats. Rather, it logs the threats to its event log.
You can also configure the module to forward the logged IDS events to one or
more of these locations according to the event’s severity:
■ Email addresses (up to three)
■ Syslog servers (up to three)
■ SNMP trap servers, such as HP ProCurve Manager Plus (PCM+)
Internal Ports in Monitor Mode
In monitor mode, the two internal ports operate differently than they do in
routing mode.
■ Port 1—This port is used for data. When operating in monitor mode, the
data that the TMS zl Module receives on this port is mirrored traffic.