TMS zl Module Planning and Implementation Guide 2009-08
Table Of Contents
- Contents
- Glossary of Acronyms and Abbreviations
- 1.0 Purpose
- 2.0 Intended Audience
- 3.0 Objectives
- 4.0 Prerequisites
- 5.0 Skills
- 6.0 The HP ProCurve Threat Management Services zl Module
- 7.0 Common TMS Security Control Points
- 8.0 Deployment Considerations
- 9.0 Installation and Preparation of the TMS zl Module
- 10.0 Configuration of the TMS zl Module
- 11.0 Using multiple HP ProCurve Threat Management Services zl Modules
- Appendix A – Additional References
- Appendix B – Sample Company Information Assets Spreadsheet
- Sample “Information Assets” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Server Network Details” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “TMS Zones” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Firewall Rules” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- Sample “Company Information Assets” Microsoft Excel 2003 spreadsheet
- Appendix C – Information Gathering Tools
- Appendix D - Updating Switch Software
- Appendix E – Emergency Recovery Process

10.4 Zones to VLANs
As discussed in Section 6, the TMS zl Module is a zone-based firewall. One question
that often arises is “How do zones relate to VLANs?” The answer: VLANs must be
assigned to a TMS Zone. You can add multiple VLANs to a TMS Zone. Each VLAN
must have an IP address defined on the TMS zl Module to serve as the new default
gateway for that VLAN. For our example, there is a one-to-one mapping between
VLANs and TMS Zones, although this is not a requirement.

We now want to associate the VLANs on the 5406 with Zones on the TMS zl Module. Go
to the left-hand navigation bar and select Zones under the Network heading, then add a
VLAN association.

The following image shows a very important error message that you may encounter; it
cannot be ignored. The TMS zl Module is indicating that the switch already has an IP
address on this VLAN. For VLANs to be associated with zones and for the TMS zl Module
to properly filter and inspect the traffic, the TMS zl Module, not the switch, must hold
the default gateway IP address for the VLAN. When installing the TMS zl Module in
an operational network, you will need to remove the IP address from the VLAN in the
switch configuration before configuring the IP address on the TMS zl Module. With rare
exceptions, do not assign IP addresses on switch interfaces for VLANs requiring
protection by the TMS zl Module. One common exception is the switch management
IP address in the management VLAN.
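
A pre-check for the conflict described above, as an added example (not from the guide or from HP): a Python script that reads ProCurve `show running-config` VLAN stanzas and lists the VLANs planned for a TMS Zone that still carry a switch-side IP address. The sample configuration, the zone names and the VLAN-to-zone plan are constructed, and the script assumes the `vlan N` ... `exit` stanza layout.

```python
import re

# Constructed sample of "show running-config" VLAN stanzas (not from the guide).
SAMPLE_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   ip address 10.1.1.2 255.255.255.0
   exit
vlan 10
   name "Servers"
   ip address 10.1.10.1 255.255.255.0
   exit
vlan 20
   name "Users"
   no ip address
   exit
vlan 30
   ip address dhcp-bootp
   exit
"""

# Hypothetical plan: VLAN ID -> TMS Zone it will be associated with.
PLANNED_ZONES = {1: "ZONE_MGMT", 10: "ZONE1", 20: "ZONE2", 30: "ZONE3"}
MANAGEMENT_VLANS = {1}  # exception: the switch keeps its management IP here

def switch_vlan_addresses(config):
    """Return {vlan_id: [address strings]} for VLANs the switch has an IP on."""
    found, vlan = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            vlan = int(m.group(1))
        elif line == "exit":
            vlan = None
        elif vlan is not None and line.startswith("ip address "):
            # Static and dhcp-bootp addresses both count; "no ip address" does not.
            found.setdefault(vlan, []).append(line[len("ip address "):])
    return found

def conflicts(config, planned_zones, management_vlans=frozenset()):
    """VLANs planned for a TMS Zone that still have a switch-side IP address."""
    addrs = switch_vlan_addresses(config)
    return {v: (planned_zones[v], addrs[v]) for v in sorted(planned_zones)
            if v in addrs and v not in management_vlans}

if __name__ == "__main__":
    found = conflicts(SAMPLE_CONFIG, PLANNED_ZONES, MANAGEMENT_VLANS)
    for vlan, (zone, ips) in found.items():
        print(f"VLAN {vlan} -> {zone}: remove switch IP ({', '.join(ips)}) first")
```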