Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

TippingPoint Bypass Modules

    • Updated:
    • 2 Aug 2017
    • Product/Version:
    • TippingPoint IPS N-series All
    • TippingPoint IPS NX-series All
    • TippingPoint TPS All
    • Platform:
Summary
This article provides background information on the Trend Micro TippingPoint Intrusion Prevention System (IPS) bypass modules as found in the Core Controller, N-Platform (2500N, 5100N, 6100N) and the NX-Platform (2600NX, 5200NX, 6200NX, 7100NX, 7500NX) family of devices.
Details
Public
1. Purpose

The purpose of the bypass modules is to route traffic around the IPS device if and when there is a power failure. If the power is interrupted due to power supply failure, power loss, or unplugging, the module continues to pass traffic (un-inspected) through the network while bypassing the device. Depending on the IPS device, the bypass module comes in different configuration to include copper and fiber.

2.1 N-Platform

2.11 Bypass Modules

The ZPHA modules include a set of relays (contacts for copper and mirrors for fiber) for receiving network traffic from a network device, routing the traffic through the device, and sending it back out to a network device. The network device could be a switch, a single workstation, a server, or other network device. Be aware that ZPHA technology is not "hitless" as when relays are being switched over you will suffer some traffic loss.

Note: VLAN Translation is not supported if the ZPHA modules are active

ZPHA technology is available for the N-Platform in two different variants:

  • Smart ZPHA
  • ZPHA Chassis

2.1.1.1 Smart ZPHA

The Smart ZPHA modules are designed to be used with the Trend Micro TippingPoint Core Controller and the 2500N, 5100N and 6100N IPS devices (only for the 10GB segment). The Smart ZPHA module receives power through the TippingPoint device in which it is installed. In the case of a power loss, the ZPHA module reroutes traffic to bypass the IPS. Smart ZPHA modules may be singlemode or multimode. Be sure to select the module type that is suitable for your network. In order to have 1GB segment redundancy with ZPHA, you will have to use an external ZPHA Chassis.

User-added image
Figure 3‑1: SMART ZPHA (a)
 
User-added image
Figure 3‑1: SMART ZPHA (b)
  •  The Smart ZPHA is only able to bypass one segment and is a separate module from the IPS inspection ports.
  •  The Smart ZPHA module has a total of four ports; the two outer ports (marked NETA/NET B) are utilized to connect to the network device (switch/router) ports for the bypass. The two inner ports (marked A/B) connect to corresponding ports on the IPS device for inspection.
  •  Smart ZPHA must be initialized prior to first use
    •  Install into device, power device up, allow to boot completely, and halt the IPS, power off the IPS.
    •  This procedure charges the capacitors and allows the prisms to be properly aligned prior to use, otherwise the shipping process may have put the prisms in a state that prevents the passing of traffic.
  •  The Smart ZPHA is available in two models
    •  Single-Segment 10GbE Fiber SR (orange trim and jumper cables)
    •  Single-Segment 10GbE Fiber LR (blue trim and jumper cables).
  •  The Smart ZPHA is hot-pullable only, not hot-swappable.

 

2.1.1.2. Modular ZPHA Chassis

The Modular ZPHA chassis is a device with five available segment ports for fiber or copper modular components. The ZPHA Chassis receives power from the IPS via a USB cable connection (no AC required). If the power through the USB cable is interrupted due to a power loss, the ZPHA instantly switches over to reroute the network traffic and thus bypassing the IPS.

Note: If the ZPHA module is engaged, traffic is not being inspected.

User-added image
3-3: Modular ZPHA Chassis

 

Note: A ZPHA chassis cannot be shared between IPS units. Each ZPHA is dedicated to a single IPS. However, a single ZPHA chassis can protect multiple segments of a single IPS.

The ZPHA bypass system comes in two different models;

  •  Fixed ZPHA chassis, five segments (copper only), two USB-B type ports
  •  Modular ZPHA chassis, five segments (copper/fiber), one each USB-A/USB-B type ports

2.1.1.2 Modular ZPHA chassis daisy-chaining

In order to protect more than five IPS segments, two separate ZPHA bypass chassis have to be utilized. The issue with this configuration is that the ZPHA bypass chassis utilizes the USB power available from the IPS device and due to energy consumption of the ZPHA modules, a specific configuration has to be enabled if a combination of copper and fiber ports is being configured between the IPS and the multiple ZPHA chassis.

The options available for ZPHA daisy-chaining are as follows;


Option 1: Both ZPHA systems are Modular with a combination of copper and fiber ports.

  •  USB cable, A/B connection between IPS and Modular ZPHA.
  •  USB cable, A/B connection between both Modular ZPHA systems.

Note: Modular ZPHA system with fiber modules must be installed first in the chain. 


Option 2: Fixed ZPHA (copper only) with Modular ZPHA system and a combination of copper and fiber ports.

  •  USB cable, A/B connection between IPS and Modular ZPHA.
  •  USB cable, A/B connection between Modular ZPHA and Fixed ZPHA (copper only).

Note: Modular ZPHA system with fiber modules must be installed first in the chain.


Option 3: Both ZPHA systems are Fixed ZPHA (copper only).

  •  USB cable, A/B connection between IPS and first ZPHA.
  •  USB cable, B/B connection between first ZPHA and second ZPHA.

Option 4: Both Modular ZPHA with all copper modules.

  •  USB cable A/B connection between IPS and first ZPHA.
  •  USB cable B/B connection between first ZPHA and second ZPHA.

Note: In this configuration either ZPHA system can be installed first as all ports are copper and as such power consumption is the same.


3.2. NX-Platform

The NX-Platform IPS support a range of Bypass I/O Modules (BIOMs), which combine the IPS segment interfaces with mechanical bypass switches for high-availability purposes. The BIOMs offered for the NX-Platform support various interface speed and connectivity types, including copper or fiber (1Gbps) or fiber (10Gbps). Fiber modules are available with either long range or short range transceivers.

The BIOMs can route traffic within the module when the IPS loses power or when the module is removed from the IPS. Using the LSM, CLI, or SMS, you can also configure the BIOMs to bypass traffic on a per-module basis

NX-Platform Fiber Bypass ModuleNX-Platform Copper Bypass Module

3-4: NX Bypass Modules

3.2.1. Bypass I/O Modules
  •  The Bypass Modules are only compatible with the NX-Platform IPS devices running TOS v3.6.0 and higher (2600NX, 5200NX, 6200NX, 7100NX, 7500NX).
  •  The Bypass Modules are hot-swappable
  •  The Bypass Modules are available in five different models:
Table 3-1: NX-Platform Bypass Modules
DescriptionMediaTrend Micro P/N
4-Segment 1GbECopperTPNN0070
2-Segment 1GbEShort-Range Fiber(Multi-Mode)TPNN0071
2-Segment 1GbELong-Range Fiber(Single-Mode)TPNN0072
2-Segment 10GbEShort-Range Fiber(Multi-Mode)TPNN0073
2-Segment 10GbELong-Range Fiber(Single-Mode)TPNN0074
  • Running "show-mfg" from the NX Command Line Interface (CLI) will display the model number of the modules (bypass or otherwise) that are installed into the appliance. In addition, In addition, the model number and description can also be found on the sticker on the bottom of the module itself.

3.2.1.1. Link Transitions

When transitioning into or out of bypass mode, a link transition can result. During a link transition, the link goes down briefly and then comes back up. Even though the transition of the bypass happens quickly, some network equipment can take longer to establish a link. To recognize normal patterns for your IPS, take note of the link times required by your network equipment that connects to the bypass module.

3.2.1.2. Optical Insertion Loss

Insertion loss for optical BIOMs is higher than for standard I/O modules. This normal drop in signal power occurs because of the presence of optical switches and the two duplex connections on the modules front panel. Unlike standard I/O modules, insertion loss for a BIOM link happens twiceonce when the signal enters the modules duplex connection and once when it exits the connection.

In addition to the duplex adapter loss, the BIOM experiences a drop in signal power between the optical switch and the duplex adaptor as well as between the switch and the SFP+ transceiver. This loss also happens twicewhen the signal enters the module and when it exits the module.

The maximum connection length to other equipment is limited by the insertion loss during bypass mode. The combined external connection lengths on a bypass port pair must be less than the allowed maximum length for a normal connection adjusted for the bypass module insertion loss. The following table provides estimates of both nominal and worst-case optical insertion loss. Note these limitations when configuring your network connections.

 
Table 3-2: Bypass Mode Optical Insertion Loss
DescriptionSR MultimodeLR Multimode
 NominalWorst CaseNominalWorst Case
Each Duplex Adapter0.1dB0.35dB0.1dB0.30dB
Each Internal Fiber0dB0.15dB0dB0.15dB
Switch Loss0.6dB1.0dB0.7dB1.0dB
Total Module Insertion Loss0.8dB2.0dB0.9dB1.9dB

NOTE 1: Handle all I/O modules with care. The bypass modules contain electro mechanical switches that are very sensitive to handling when not installed in the system. Network disruption can occur if handled improperly. For more information about deploying bypass modules, refer to the Trend Micro TippingPoint N-Platform and NX-Platform Hardware Installation and Safety Guide.

NOTE 2: When you hot-insert a bypass module, it remains in bypass mode until an administrator removes it from bypass mode through the CLI, LSM, or SMS. Rebooting the IPS after a hot-insertion also brings the module into normal (non-bypass) mode. After the system has fully rebooted, it is ready for inspection.

NOTE 3: Best practice calls for network connectivity to be tested in all available modes (inspection, bypass and transitions) between devices. This should be done in order to ensure that no cabling mistakes have occurred.

Premium
Internal
Rating:
Category:
Configure; Troubleshoot; Deploy; Install
Solution Id:
TP000085758
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.