TMS zl Management and Configuration Guide ST.1.1.100226
Overview
Operating Modes
Internal Ports in Routing Mode
As mentioned earlier, the TMS zl Module has two internal ports. If you select
routing mode, the two internal ports operate as follows:
■ Port 1—This port sends and receives all network traffic that is being
filtered by the TMS zl Module. It also sends and receives all management
traffic.
■ Port 2—This port sends and receives traffic related to an HA cluster (if
one is configured on the TMS zl Module). This port is also used by ESPd
to interact with the switch.
Port 1 VLAN Membership. When the TMS zl Module operates in routing
mode, its port 1 (data port) is a tagged member of all of the TMS VLANs. (The
tagging is automatically configured when you add the TMS VLAN to the
module.) Note that these VLANs must exist on the host switch.
Port 2 VLAN Membership. When the TMS zl Module is in routing mode,
port 2 is an untagged member of the HA VLAN. By default this is VLAN 1, but
it is recommended that you change the HA VLAN before operating the TMS zl
Module. The VLAN that you select must exist on the host switch, and it is
recommended that this VLAN be reserved for HA traffic. For more information,
see “Set the High Availability VLAN” in Chapter 2: “Initial Setup in Routing
Mode.”
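The routing-mode VLAN rules above can be checked against a planned configuration before the module goes into service. The following is an added example, not code from the guide or the product: the function name, finding codes, port names and VLAN IDs are all constructed, and "reserved for HA traffic" is read as "not also a TMS VLAN and no other switch ports in the VLAN".

```python
DEFAULT_HA_VLAN = 1  # the guide states the HA VLAN defaults to VLAN 1


def audit_vlan_plan(switch_vlans, tms_vlans, ha_vlan, ha_vlan_other_ports=()):
    """Check a routing-mode VLAN plan; return a list of (code, detail) findings."""
    switch_vlans, tms_vlans = set(switch_vlans), set(tms_vlans)
    findings = []

    # Port 1 is tagged in every TMS VLAN, and each must exist on the host switch.
    for vid in sorted(tms_vlans - switch_vlans):
        findings.append(("TMS_VLAN_MISSING", f"TMS VLAN {vid} not on host switch"))

    # Port 2 is untagged in the HA VLAN, which must also exist on the switch.
    if ha_vlan not in switch_vlans:
        findings.append(("HA_VLAN_MISSING", f"HA VLAN {ha_vlan} not on host switch"))

    # The guide recommends moving HA off the default VLAN before operation.
    if ha_vlan == DEFAULT_HA_VLAN:
        findings.append(("HA_VLAN_DEFAULT", "HA VLAN is still VLAN 1"))

    # "Reserved for HA traffic": read here as no overlap with TMS VLANs and
    # no other switch ports in the VLAN (this reading is an assumption).
    if ha_vlan in tms_vlans:
        findings.append(("HA_VLAN_SHARED", f"VLAN {ha_vlan} is also a TMS VLAN"))
    for port in sorted(ha_vlan_other_ports):
        findings.append(("HA_VLAN_SHARED", f"port {port} is also in VLAN {ha_vlan}"))

    return findings


if __name__ == "__main__":
    # Constructed plans: the first keeps defaults, the second follows the guide.
    plans = {
        "defaults": dict(switch_vlans={1, 10, 20}, tms_vlans={1, 10, 30},
                         ha_vlan=1, ha_vlan_other_ports={"A1", "A2"}),
        "reserved": dict(switch_vlans={1, 10, 20, 999}, tms_vlans={10, 20},
                         ha_vlan=999),
    }
    for name, plan in plans.items():
        print(name, audit_vlan_plan(**plan) or "OK")
```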
Monitor Mode
In monitor mode, the TMS zl Module acts as an IDS only. It examines traffic
for threats, matching packets to its IDS signature library and checking for
protocol anomalies. However, the module does not take action to mitigate
detected threats. Rather, it logs the threats to its event log.
You can also configure the module to forward the logged IDS events to one or
more of these locations according to the event’s severity:
■ Email addresses (up to three)
■ Syslog servers (up to three)
■ SNMP trap servers, such as HP ProCurve Manager Plus (PCM+)
Table 1-3. Monitor Mode

Supported Capabilities    Analyzed Traffic
IDS                       Traffic that is mirrored to the module’s port 1