
1. TX/TXE Modules

  • Trend Micro TippingPoint devices with module slots support both standard I/O modules and bypass I/O modules.
  • Only transceiver modules available from Trend Micro have been validated to achieve optimal performance with TippingPoint products. Other vendor devices are not supported, and using them could be detrimental to the TippingPoint system's proper operation.
  • Bypass I/O modules are Zero-Power High-Availability (ZPHA) modules that permit network traffic and services while bypassing the device entirely when the device loses power.
  • For module information and specifications, go to the Trend Micro Online Help Center and look for the following documentation:

2. I/O Modules General Information

  • Running “show-mfg” from the Command Line Interface (CLI) will display the model number of the modules installed in the appliance. The model number and description can also be found on the sticker at the bottom of the module itself.
  • The port configuration for each slot is preserved after you restore a snapshot when the same type of I/O module is installed in the same slot. Otherwise, the port configuration resets to the default.
  • When the SMS manages the device, a delay of up to 1 minute can occur before the SMS recognizes the changed I/O module.
  • When you hot swap an I/O module, keep the following points in mind:
    • Hot-swapping I/O modules during system initialization is not supported.
    • The module port configuration is always reset.
    • The module segment configuration, including link-down synchronization, Intrinsic HA, and inspection bypass, is always preserved. If you swap the module with a different type of module, be sure to verify that your segment configuration settings have persisted.
    • Hot-swapping is supported only when swapping like-for-like I/O modules in the same slot.
  • When the device is turned off, cold swapping allows you to add, remove, or replace an I/O module as you would when you hot-swap. However, if the replacement module type is the same, the module port configuration is preserved.
  • A bypass module installed while the system is powered on remains in bypass mode. This way, the network can continue to pass traffic while users configure the number of network ports and their speeds to meet specific requirements. The BIOM must be taken out of bypass mode either administratively (using the CLI or the LSM) or through a reboot.
  • Bypass modules should continue to pass traffic even when not connected to the device, powered off, or administratively placed in bypass mode. If the module does not pass traffic under these conditions, please ensure you have the appropriate cable for your network. In many cases, replacing a straight-through cable with a cross-over cable will resolve link issues.
  • Bypass modules contain electromechanical switches that are very sensitive to handling when not installed in the system. Network disruption can occur if handled improperly.
  • Best practice calls for testing network connectivity between devices in all available modes (inspection, bypass, and transitions) to ensure that cabling mistakes have not occurred.

3. I/O Module Hot-Swapping Guidelines

When hot-swapping I/O modules, note the following administrative guidelines:

  • If a slot has always been empty, all possible ports and segments on the slot are absent and unavailable.
  • If the user erases a slot’s configuration, the configuration of that slot’s ports and segments is deleted, and all possible ports and segments on the slot become absent and unavailable. However, any policy-related configuration for these ports does not change when the bay configuration is erased and must be manually cleaned up by the user.
  • When a module is inserted into a slot or restarted, the system software performs the following evaluation. When the device boots up, the evaluation is performed for every module installed in a slot:
    • The module is validated.
    • The module's status (whether a module is in the slot, what type of module it is, whether it is being used or is in error) is determined.
    • The physical state (Present or Absent) and availability state (Available or Unavailable) for each possible port and segment on this slot are determined.
    • The configuration is changed and applied as necessary.
    • A Syslog message is added (depending on whether the module passed validation and the module status check).
  • Removing a module from a slot does not change or reapply the configuration or change the availability state of ports and segments. It will, however, change the physical state to Absent. An error-level Syslog message indicates that the module was removed. In addition, users are shown the physical state when viewing the configuration and status related to that slot. These changes also occur when the IPS boots up for every empty slot.
  • The following conditions are displayed when the corresponding ports and segments are available and are hidden when they are unavailable:
    • Segment configuration
    • Network port configuration
    • Network port health
    • Network port throughput performance
    • Traffic profile by the network port

4. What happens when modules are swapped?

A. Hot-Swapping

  • The module port configuration is always reset.
  • The module segment configuration, including Link Down Synchronization, Intrinsic HA, and inspection bypass, is always preserved.
  • The second slot of the 5500TX device supports only the first four segments of a 6-segment I/O module.

B. Cold-Swapping

  • When the device is turned off, cold swapping allows you to add, remove, or replace an I/O module as you would when you hot-swap. However, when you cold-swap an I/O module, if the replacement module type is the same, the module configuration is preserved.

C. Upgrading from 1G to 10G

  • Swapping 6 segments to 4 segments (standard) or 4 segments to 1 segment (bypass)
  • Behavior is as Example-2, but you may have Filter Policy applied to segments that are no longer physically present
  • Customers will have to remove the Filter Policy on the unused segments manually

D. Hot-inserting a Bypass I/O module

  • The newly hot-inserted bypass module will remain in bypass until an administrator removes it from bypass or reboots the device

E. Swapping to/from a 40G module or inserting a new 40G module

  • Hot-swapping a 40G module requires a reboot –full before the module is placed into service
  • One exception is when you are swapping like for like, which does not require a reboot

5. Adding, Removing, or Swapping Modules

Note: The following procedures will require knowing the device credentials (UserID / Password / IP Address) in order to manage and unmanage them.

5.1. Module Installation - Unused Slot/Bay

Network Impact: We highly recommend performing the following tasks during off-peak hours in a formally scheduled maintenance window. Although this change does not typically require network downtime, installing a new module into the IPS likely implies increased device traffic/inspection. If this is the case, verifying any impact on the device and, subsequently, on the network is essential.

Time Estimate: Maintenance is expected to take 30-60 minutes per device from start to finish. Please plan for additional time for deployments where a large number of profiles are in use and/or atypical (complex) segment configurations are necessary.

Step by Step Instructions

  1. Unmanage the IPS from the SMS:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu.
    2. Use the drop-down on the SMS main menu to select "Edit" and then click "Unmanage Device".
  2. Insert the new module into an empty slot on the front of the appliance, then verify that it is completely inserted and that the small latch at the bottom left is engaged.
  3. Once the module is physically inserted, you need to remanage the IPS to the SMS:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu.
    2. Use the drop-down on the SMS main menu to select "Edit" and then click "Manage Device".
  4. Wait for the device to show up in the SMS as managed.
  5. Navigate to the Network Configuration page to verify and configure the module/segments:
    1. From the Devices section of the SMS GUI, locate and highlight the named device in the tree menu. Expand the tree menu under the device by clicking the "+" sign next to the device's name.
    2. Select the tree branch named "Network Configuration."
    3. Verify that the module is now displayed in the "Physical Segments" table over to the right using the "Slot" number corresponding to the location of where it was installed.
    4. Expand the Slot for the new module by clicking the "+" sign next to the slot number.
    5. Highlight each segment one at a time and click the "Edit" button at the bottom right to configure its "Link Down Synchronization" settings and optionally rename it. You may also want to add the segment to an existing "Segment Group" at this time if you already have one created.
    6. Once the segments are configured, select the "Ports" tab at the top and edit each port you want to enable. You can also bulk edit/enable the ports by selecting the required ports using your mouse and the "Ctrl" or "Shift" keys on your keyboard, right-clicking one of the highlighted ports, and selecting "Enable Hardware."
    7. Distribute a copy of each profile used on the device to its corresponding segment. At this time, it is recommended that a profile be distributed to ALL segments on the device (this includes all pre-existing segments and the "Any-Any" device segment).
  6. Expand the "Events" branch under the device in the tree menu to expose the System Logs branch. Click the "Refresh" button and review the logs for any distribution errors that occur after the last profile distribution is completed.

 

5.2. Module Removal

Network Impact: Removing a module is not expected to require downtime or impact existing modules or their traffic flows. However, we still recommend performing the following tasks in a maintenance window planned during off-peak hours.

Time Estimate: Maintenance is expected to take 15-30 minutes per device from start to finish. For deployments with many profiles, distribution times should be considered as they may increase the time necessary to complete the maintenance fully.

Step by Step Instructions

  1. Unmanage the IPS from the SMS:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu.
    2. Use the drop-down on the SMS main menu to select "Edit" and then click "Unmanage Device".
  2. To remove the module from the IPS, disengage the small latch at the bottom left of the module and then gently slide it out with the handle.
  3. Once the module is physically removed, remanage the IPS to the SMS:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu by using the "+" signs to expand the menu.
    2. Once the device is selected, use the drop-down on the SMS main menu to select "Edit" and then click "Manage Device".
  4. Distribute a copy of each profile used on the device to its corresponding segment. At this time, it is recommended that a profile be distributed to ALL segments on the device (this includes all pre-existing segments and the "Any-Any" device segment).
  5. Expand the "Events" branch under the device in the tree menu to expose the System Logs branch. Click the "Refresh" button and review the logs for any distribution errors that occur after the last profile distribution is completed.


5.3. Module Replacement - Same Model/Version/Speed

Network Impact: Because of the expected downtime, we highly recommend performing the following tasks during off-peak hours in a planned maintenance window.

Time Estimate: Maintenance is expected to take 30-45 minutes per device from start to finish. For deployments with many profiles, distribution times should be considered, as they may increase the time necessary to complete the maintenance fully.

Step by Step Instructions

  1. Remove the existing module from the IPS by disengaging the small latch at the bottom left of the module and gently pulling it out.
  2. Insert the replacement module into the same slot on the front of the appliance, verify it is all the way in, and that the small latch at the bottom left is engaged.
  3. Swap each SFP/SFP+/XSFP from the old module to the replacement module one at a time. Be sure to engage the small latch upon insertion.
  4. Once the physical modules are swapped, go to the Device section of the SMS. Expand the tree menu by clicking the "+" signs until you have exposed the devices. Select the device in question and then click the button at the far bottom right of the SMS GUI to "Refresh" the device information in the SMS.
  5. Distribute a copy of each profile used on the device to its corresponding segment. At this time, it is recommended that a profile be distributed to ALL segments on the device (this includes all pre-existing segments and the "Any-Any" device segment).
  6. Expand the "Events" branch under the device in the tree menu to expose the System Logs branch. Click the "Refresh" button and review the logs for any distribution errors that occur after the last profile distribution is completed.

 

5.4. Module Replacement - Different Model/Version/Speed

Network Impact: Due to the expected downtime, we highly recommend performing the following tasks during off-peak hours in a planned maintenance window.

Time Estimate: Maintenance is expected to take 45-60 minutes per device from start to finish. For deployments with many profiles, distribution times should be considered, as they may increase the time necessary to complete the maintenance fully.

Step by Step Instructions

  1. Unmanage the IPS from the SMS:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu.
    2. Use the drop-down on the SMS main menu to select "Edit" and then click "Unmanage Device".
  2. Place the replacement module on a table or an open space next to the rack with the module to be replaced. Remove each SFP/SFP+/XSFP from the existing module one at a time and insert them into the replacement. Ensure you gently disengage and reengage the small latch for the fiber GBICs and avoid crimping the cables, which will break the internal fiber.
  3. Once the GBICs have been swapped, remove the old module from the IPS. Disengage the small latch at the bottom left and gently slide it out with the handle.
  4. Insert the replacement module containing the SFP/SFP+/XSFP connectors/cables. Be sure to be gentle when inserting the module to avoid damaging the cables/connectors. Check that the small latch at the bottom left of the module has engaged and that the module is fully inserted.
  5. After physically swapping the modules, reboot the IPS and then verify it has completely rebooted and initialized:
    1. Log into the IPS via SSH and type the command "reboot" to reboot the IPS.
    2. You can run "ping -t" against the management IP address and wait for it to go down and come back up.
    3. Once the device is back up and you can log back into it via SSH, verify it has reached "Run Level 12" and "System Initialization Complete" by running the command "show log system-tail" until you see the corresponding log messages.
  6. Once the device has fully initialized, remanage it to the SMS using the SMS client:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu by using the "+" signs to expand the menu.
    2. Once the device is selected, use the drop-down on the SMS main menu to select "Edit" and then click "Manage Device".
  7. Verify that the device has been re-managed and the details have been repopulated.
  8. Navigate to the Network Configuration page to verify and configure the module/segments:
    1. From the Devices section of the SMS GUI, locate and highlight the named device in the tree menu. Expand the tree menu under the device by clicking the "+" sign next to the device's name.
    2. Select the tree branch named "Network Configuration."
    3. Verify that the module is now displayed in the "Physical Segments" table over to the right using the "Slot" number corresponding to the location of where it was installed.
    4. Expand the Slot for the new module by clicking the "+" sign next to the slot number.
    5. Highlight each segment one at a time and click the "Edit" button at the bottom right to configure its "Link Down Synchronization" settings and optionally rename it. You may also want to add the segment to an existing "Segment Group" at this time if you already have one created.
  9. Once the segments are configured, select the "Ports" tab at the top and edit each port you want to enable. You can bulk edit/enable the ports by selecting the required ports using your mouse and the "Ctrl" or "Shift" keys on your keyboard and then right-clicking one of the highlighted ports and selecting "Enable Hardware".
  10. Distribute a copy of each profile used on the device to its corresponding segment. At this time, it is recommended that a profile be distributed to ALL segments on the device (this includes all pre-existing segments and the "Any-Any" device segment).
  11. Expand the "Events" branch under the device in the tree menu to expose the System Logs branch. Click the "Refresh" button and review the logs for any distribution errors that occur after the last profile distribution is completed.
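
The reboot check in step 5 of section 5.4 can be scripted as a gate before the device is remanaged. The following is an added example, not Trend Micro code: the function names, the timestamp prefix format, and the sample log lines are assumptions constructed for illustration; only the two marker strings come from the procedure above.

```python
import re
from datetime import datetime

# Marker strings quoted in step 5 of section 5.4.
MARKERS = ("Run Level 12", "System Initialization Complete")
# Assumed line prefix "YYYY-MM-DD HH:MM:SS"; adjust to the device's real format.
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\b")


def saw_reboot(samples, stable=3):
    """samples: ordered ping results (True = reply received).
    A host that never stopped replying has not been shown to reboot, and a
    single reply after an outage may be flapping, so require `stable` replies
    in a row after the last missed one."""
    if False not in samples:
        return False
    last_down = len(samples) - 1 - samples[::-1].index(False)
    return len(samples) - 1 - last_down >= stable


def missing_markers(log_text, rebooted_at):
    """Return the markers not yet logged at or after rebooted_at.
    Entries from the previous boot also contain the markers, so anything
    older than the reboot time is ignored."""
    seen = set()
    for line in log_text.splitlines():
        match = TS.match(line)
        if not match:
            continue
        when = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        if when < rebooted_at:
            continue  # stale entry from before the reboot
        for marker in MARKERS:
            if marker.lower() in line.lower():
                seen.add(marker)
    return [marker for marker in MARKERS if marker not in seen]


def ready_to_remanage(samples, log_text, rebooted_at):
    """True only when the outage was observed and both markers are fresh."""
    return saw_reboot(samples) and not missing_markers(log_text, rebooted_at)


# Constructed sample: the first two lines are left over from the previous boot.
SAMPLE_LOG = """\
2024-05-01 09:58:10 [INFO] Run Level 12
2024-05-01 09:58:11 [INFO] System Initialization Complete
2024-05-01 22:03:40 [INFO] Run Level 12
"""
REBOOT = datetime(2024, 5, 1, 22, 0, 0)
```

With the constructed sample, the device is not yet ready: "System Initialization Complete" appears only in the pre-reboot entries, which is the case a plain text search of the log tail would get wrong.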