Best Practice For Hot-swapping TippingPoint NX-Platform I/O modules

    • Product/Version: TippingPoint IPS NX-series All
Summary
This article provides background information on the TippingPoint Intrusion Prevention System (IPS) standard I/O modules and bypass I/O modules as found in the NX-Platform (2600NX, 5200NX, 6200NX, 7100NX, 7500NX) family of devices.
Details
1. NX Modules

1.1. Standard Modules

The NX-Platform IPS supports up to four I/O modules, which enable the user to customize the device to suit the needs of the network. Each NX module occupies a slot, and each slot can contain up to 12 physical ports or 6 segments, depending on the module that is installed.

 
Table 3-1: NX-Platform Standard Modules

| Module | Ports | Port speed | Part Number |
|---|---|---|---|
| 6-Segment Gig-T NX (Gig-T) | 12 Fixed RJ-45 copper ports | 10/100/1000 Mbps | JC768A / TPNN0059 |
| 6-Segment GbE SFP NX (SFP) | 12 SFP ports | 1 Gbps | JC769A / TPNN0068 |
| 4-Segment 10GbE SFP+ NX (SFP+) | 8 Fiber SFP+ ports | 10 Gbps | JC770A / TPNN0060 |
| 1-Segment 40 GbE QSFP+ NX (QSFP+) | 2 Fiber QSFP+ ports | 40 Gbps | JC771A / TPNN0069 |
 

1.2. Bypass Modules

The NX-Platform IPS supports a range of Bypass I/O Modules (BIOMs), which combine the IPS segment interfaces with mechanical bypass switches for high-availability purposes. The BIOMs offered for the NX-Platform support various interface speeds and connectivity types, including copper or fiber (1Gbps) or fiber (10Gbps). Fiber modules are available with either long range or short range transceivers.

The BIOMs can route traffic within the module when the IPS loses power or when the module is removed from the IPS. Using the LSM, CLI, or SMS, you can also configure the BIOMs to bypass traffic on a per-module basis.

 
Table 3-2: NX-Platform Bypass Modules

| Module | Ports | Port speed | Part Number |
|---|---|---|---|
| NX IPS 4-Segment Gig-T Bypass Module | 8 copper ports | 10/100/1000 Mbps | JC877A / TPNN0070 |
| NX IPS 2-Segment 1G Fiber SR | 4 Multi-Mode (LC type) | 1 Gbps | JC878 / TPNN0071 |
| NX IPS 2-Segment 1G Fiber LR Bypass Module | 4 Single-Mode Fiber (LC type) | 1 Gbps | JC879A / TPNN0072 |
| NX IPS 2-Segment 10G Fiber SR | 4 Multi-Mode Fiber (LC type) | 1/10 Gbps | JC880A / TPNN0073 |
| NX IPS 2-Segment 10G Fiber LR Bypass Module | 4 Multi-Mode Single-Mode Fiber (LC type) | 1/10 Gbps | JC881A / TPNN0074 |

2. I/O Modules General Information

  • Running "show-mfg" from the NX Command Line Interface (CLI) will display the model number of the modules (bypass or otherwise) that are installed into the appliance. In addition, the model number and description can also be found on the sticker on the bottom of the module itself.
  • Hot-swapping I/O modules on the NX-Platform devices is only supported with TOS v3.6.0 or higher. Hot-swapping works without adverse effects only when swapping like-for-like I/O modules in the same slot.
  • Hot-swapping I/O modules on the NX-Platform running TOS v3.5.x is not supported. If you must remove and replace an NX I/O module, shut down the system, replace the module and re-start the system.
  • Bypass modules are only compatible with the NX-Platform IPS devices running TOS v3.6.0 and higher.
  • A bypass module that is installed while the system is powered on remains in bypass mode. This way the network can continue to pass traffic while users configure the number of network ports and their speeds to meet specific requirements. The BIOM must be taken out of bypass mode either administratively (using the CLI or the LSM) or through a reboot.
  • Bypass modules should continue to pass traffic even while not connected to the NX-Platform device, or while the device is powered off or administratively placed in bypass mode. If the module does not pass traffic under these conditions, ensure that you have the appropriate cable for your network. In many cases, replacing a straight-through cable with a cross-over cable will resolve link issues.
  • Bypass modules contain electromechanical switches that are very sensitive to handling when not installed in the system. Network disruption can occur if they are handled improperly.
  • Best practice calls for network connectivity to be tested in all available modes (inspection, bypass and transitions) between devices. This should be done in order to ensure that no cabling mistakes have occurred.
  • For more information about deploying NX I/O modules, refer to the TippingPoint NX-Platform Hardware Installation and Safety Guide.

3. I/O Module Hot-Swapping Guidelines

When hot-swapping I/O modules, note the following administrative guidelines:

  • If a slot has always been empty, all possible ports and segments on the slot are absent and unavailable.
  • If a slot’s configuration is erased by the user, configuration of that slot’s ports and segments is deleted and all possible ports and segments on the slot become absent and unavailable. However, any policy-related configuration for these ports does not change when the bay configuration is erased and must be manually cleaned up by the user.
  • When a module is inserted into a slot or restarted, the system software performs the following evaluation. When the IPS boots up, the evaluation is performed for every module installed in a slot:
    • The module is validated.
    • The status of the module (whether there is a module in the slot, what type of module it is, whether it is being used or is in error) is determined.
    • The physical state (Present or Absent) and availability state (Available or Unavailable) for each possible port and segment on this slot is determined.
    • The configuration is changed and applied as necessary.
    • A syslog message is added (depending on whether the module passed validation and the module status check).
  • Removing a module from a slot does not change or reapply the configuration. It also does not change the availability state of ports and segments. It will, however, change the physical state to Absent. An error-level syslog message indicates that the module was removed. In addition, users are shown the physical state when viewing configuration and status related to that slot. These changes also occur when the IPS boots up for every empty slot.
  • The following conditions are displayed when the corresponding ports and segments are available, and are hidden when they are unavailable:
    • Segment configuration
    • Network port configuration
    • Network port health
    • Network port throughput performance
    • Traffic profile by network port

4. What happens when modules are swapped?

A. Swapping like-for-like

  • All configuration is preserved including:
    • Port & Segment configuration (port state, speed / duplex settings, Link Down Sync & L2FB behavior)
    • Inspection Bypass, VLAN translation rules & Filter policy

B. Swapping with a different module type

  • Port & Segment configuration is reset to defaults
  • Inspection Bypass rules & Filter Policy are preserved
  • VLAN translation rules are preserved, but ports are administratively disabled

C. Upgrading from 1G to 10G

  • Swapping 6 segments to 4 segments (standard) or 4 segments to 1 segment (bypass)
  • Behavior is as in Example-2, but you may have Filter Policy applied to segments which are no longer physically present
  • Customers will have to manually remove the Filter Policy on the unused segments

D. Hot-inserting a Bypass I/O module

  • The newly hot-inserted bypass module will remain in bypass until an administrator removes it from bypass or reboots the device

E. Swapping to/from a 40G module or inserting new 40G module

  • Hot-swapping a 40G module requires a "reboot -full" before the module can be placed into service
  • One exception is when you are swapping like for like, which does not require a reboot
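
The rules in cases A through E, together with the TOS version limits from section 2, can be turned into a pre-change checklist. The following is an added example, not code from the article or from TippingPoint; `Module`, `plan_swap` and the result keys are hypothetical names, the segment counts are taken from Tables 3-1 and 3-2, and the stale-policy count generalizes case C to any swap that reduces the number of segments.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Module:
    name: str              # label from the article's module tables
    segments: int          # segment count from the same tables
    bypass: bool = False   # True for a Bypass I/O Module (BIOM)
    is_40g: bool = False   # True for the 40 GbE QSFP+ module

GIG_T = Module("6-Segment Gig-T NX", 6)
SFP_PLUS = Module("4-Segment 10GbE SFP+ NX", 4)
QSFP_PLUS = Module("1-Segment 40 GbE QSFP+ NX", 1, is_40g=True)
BYPASS_10G_SR = Module("NX IPS 2-Segment 10G Fiber SR", 2, bypass=True)

def plan_swap(tos: tuple, old: Optional[Module], new: Module) -> dict:
    """Checklist for putting `new` into a slot holding `old` (None = unused slot)."""
    plan = {"hot_swap": True, "reboot_full": False, "port_config_reset": False,
            "stale_policy_segments": 0, "starts_in_bypass": False, "notes": []}
    if tos < (3, 6, 0):
        # TOS v3.5.x: hot-swap unsupported; bypass modules need v3.6.0 or higher.
        plan["hot_swap"] = False
        if new.bypass:
            plan["notes"].append("bypass modules are not compatible with this TOS")
        else:
            plan["notes"].append("shut down, replace the module, restart")
        return plan
    like_for_like = old is not None and old == new
    if like_for_like:
        # Case A: everything is preserved.
        plan["notes"].append("all configuration preserved")
    elif old is not None:
        # Case B: port and segment configuration falls back to defaults.
        plan["port_config_reset"] = True
        plan["notes"].append("VLAN translation kept, ports administratively disabled")
        # Case C: filter policy stays attached to segments that no longer exist.
        plan["stale_policy_segments"] = max(0, old.segments - new.segments)
    # Case E: any 40G involvement needs "reboot -full", except like-for-like.
    if not like_for_like and (new.is_40g or (old is not None and old.is_40g)):
        plan["reboot_full"] = True
    # Case D: a hot-inserted BIOM stays in bypass until an admin or a reboot clears it.
    plan["starts_in_bypass"] = new.bypass
    return plan

if __name__ == "__main__":
    for old, new in [(GIG_T, GIG_T), (GIG_T, SFP_PLUS), (None, QSFP_PLUS)]:
        print(old.name if old else "(unused slot)", "->", new.name)
        print("   ", plan_swap((3, 6, 0), old, new))
```

A non-zero `stale_policy_segments` or a true `starts_in_bypass` marks follow-up work that the swap itself does not complete: removing leftover Filter Policy, and taking the module out of bypass.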

5. Adding, Removing, or Swapping Modules

5.1. Module Installation - Unused Slot/Bay

Network Impact

We highly recommend performing the following tasks during off-peak hours in a formally scheduled maintenance window. Although this change does not typically require network downtime, installing a new module into the IPS likely implies an increase in device traffic/inspection. If this is the case, it is essential to verify any impact to the device and subsequently to the network.

Time Estimate

Maintenance is expected to take 30-60 minutes per device from start to finish. For deployments where a large number of profiles are in use and/or atypical (complex) segment configurations are necessary, please plan for additional time.

Step by Step Instructions

  1. Unmanage the IPS from the SMS:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu.
    2. Use the drop down on the SMS main menu to select "Edit" and then click "Unmanage Device".
  2. Insert the new module into an empty slot on the front of the appliance, verify it is completely inserted and that the small latch at the bottom left is engaged.
  3. Once the module is physically inserted you need to Remanage the IPS to the SMS:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu.
    2. Use the drop down on the SMS main menu to select "Edit" and then click "Manage Device".
  4. Wait for the device to show up in the SMS as managed.
  5. Navigate to the Network Configuration page to verify and configure the module/segments:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu. Expand the tree menu under the device by clicking "+" sign next to the device's name.
    2. Select the tree branch named "Network Configuration"
    3. Verify the module is now displayed in the "Physical Segments" table over to the right using the "Slot" number corresponding to the location of where it was installed.
    4. Expand the Slot for the new module by clicking "+" sign next to the slot number.
    5. Highlight each segment one at a time and click the "Edit" button at the bottom right to configure its "Link Down Synchronization" settings and optionally rename it. You may also want to add the segment to an existing "Segment Group" at this time if you have one created already.
    6. Once the segments are configured, select the "Ports" tab at the top and edit each port you would like to enable. You can bulk edit/enable the ports by selecting the required ports using your mouse and the "Ctrl" or "Shift" keys on your keyboard and then right clicking one of the highlighted ports and selecting "Enable Hardware."
    7. Distribute a copy of each profile being used on the device to its corresponding segment. It is recommended to distribute a profile to ALL segments on the device at this time (this includes all pre-existing segments and the "Any-Any" device segment).
  6. Expand the "Events" branch under the device in the tree menu to expose the System Logs branch. Click the "Refresh" button and review the logs for any distribution errors that occur after the time the last profile distribution completed.

 

5.2. Module Removal

Network Impact

Removing a module is not expected to require any downtime or to impact existing modules or their traffic flows; however, we still recommend performing the following tasks in a maintenance window planned during off-peak hours.

Time Estimate

Maintenance is expected to take 15-30 minutes per device from start to finish. For deployments where a large number of profiles are in use, distribution times should be considered as they may increase the time necessary to fully complete the maintenance.

Step by Step Instructions

  1. Unmanage the IPS from the SMS:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu.
    2. Use the drop down on the SMS main menu to select "Edit" and then click "Unmanage Device".
  2. To remove the module from the IPS, disengage the small latch at the bottom left of the module and then gently slide it out with the handle.
  3. Once the module is physically removed, remanage the IPS to the SMS:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu by using the "+" signs to expand the menu.
    2. Once the device is selected, use the drop down on the SMS main menu to select "Edit" and then click "Manage Device".
  4. Distribute a copy of each profile being used on the device to its corresponding segment. It is recommended to distribute a profile to ALL segments on the device at this time (this includes all pre-existing segments and the "Any-Any" device segment).
  5. Expand the "Events" branch under the device in the tree menu to expose the System Logs branch. Click the "Refresh" button and review the logs for any distribution errors that occur after the time the last profile distribution completed.

 

5.3. Module Replacement - Same Model/Version/Speed

Network Impact

Due to the expected downtime, we highly recommend performing the following tasks during off-peak hours in a planned maintenance window.

Time Estimate

Maintenance is expected to take 30-45 minutes per device from start to finish. For deployments where a large number of profiles are in use, distribution times should be considered, as they may increase the time necessary to fully complete the maintenance.

Step by Step Instructions

  1. Remove the existing module from the IPS by disengaging the small latch at the bottom left of the module and gently pulling it out.
  2. Insert the replacement module into the same slot on the front of the appliance, verify it is all the way in and that the small latch at the bottom left is engaged.
  3. Swap each SFP/SFP+/XSFP from the old module to the replacement module one at a time. Be sure to engage the small latch upon insertion.
  4. Once the physical modules are swapped, go to the Device section of the SMS. Expand the tree menu by clicking "+" signs until you have exposed the devices. Select the device in question and then click the button at the far bottom right of the SMS GUI to "Refresh" the device information to the SMS.
  5. Distribute a copy of each profile being used on the device to its corresponding segment. It is recommended to distribute a profile to ALL segments on the device at this time (this includes all pre-existing segments and the "Any-Any" device segment).
  6. Expand the "Events" branch under the device in the tree menu to expose the System Logs branch. Click the "Refresh" button and review the logs for any distribution errors that occur after the time the last profile distribution completed.

 

5.4. Module Replacement - Different Model/Version/Speed

Network Impact

Due to the expected downtime, we highly recommend performing the following tasks during off-peak hours in a planned maintenance window.

Time Estimate

Maintenance is expected to take 45-60 minutes per device from start to finish. For deployments where a large number of profiles are in use, distribution times should be considered, as they may increase the time necessary to fully complete the maintenance.

Step by Step Instructions

  1. Unmanage the IPS from the SMS:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu.
    2. Use the drop down on the SMS main menu to select "Edit" and then click "Unmanage Device".
  2. Place the replacement module on a table or an open space next to the rack with the module to be replaced. Begin removing each SFP/SFP+/XSFP from the existing module one at a time and inserting them into the replacement. Make sure you are gently disengaging and reengaging the small latch for the fiber GBICs and avoid crimping the cables which will break the internal fiber.
  3. Once the GBICs have been swapped, remove the old module from the IPS. Disengage the small latch at the bottom left and gently slide it out with the handle.
  4. Insert the replacement module containing the SFP/SFP+/XSFP connectors/cables. Be sure to be gentle when inserting the module to avoid damaging the cables/connectors. Check that the small latch at the bottom left of the module has engaged and that the module is fully inserted.
  5. After physically swapping the modules, reboot the IPS and then verify it has completely rebooted and initialized:
    1. Log into the IPS via SSH and type the command "reboot" to reboot the IPS.
    2. At this time, you can run a "ping -t" to the management IP address and wait for it to go down and come back up.
    3. Once the device is back up and you are able to log back into it via SSH, verify it has reached "Run Level 12" and "System Initialization Complete" by running the command "show log system-tail" until you see the corresponding log messages.
  6. Once the device has fully initialized, remanage it to the SMS using the SMS client:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu by using the "+" signs to expand the menu.
    2. Once the device is selected, use the drop down on the SMS main menu to select "Edit" and then click "Manage Device".
  7. Verify the device has been remanaged and that the device details have repopulated.
  8. Navigate to the Network Configuration page to verify and configure the module/segments:
    1. From the Devices section of the SMS GUI, locate and highlight the named IPS device in the tree menu. Expand the tree menu under the device by clicking "+" sign next to the device's name.
    2. Select the tree branch named "Network Configuration"
    3. Verify the module is now displayed in the "Physical Segments" table over to the right using the "Slot" number corresponding to the location of where it was installed.
    4. Expand the Slot for the new module by clicking "+" sign next to the slot number.
    5. Highlight each segment one at a time and click the "Edit" button at the bottom right to configure its "Link Down Synchronization" settings and optionally rename it. You may also want to add the segment to an existing "Segment Group" at this time if you have one created already.
  9. Once the segments are configured, select the "Ports" tab at the top and edit each port you would like to enable. You can bulk edit/enable the ports by selecting the required ports using your mouse and the "Ctrl" or "Shift" keys on your keyboard and then right clicking one of the highlighted ports and selecting "Enable Hardware".
  10. Distribute a copy of each profile being used on the device to its corresponding segment. It is recommended to distribute a profile to ALL segments on the device at this time (this includes all pre-existing segments and the "Any-Any" device segment).
  11. Expand the "Events" branch under the device in the tree menu to expose the System Logs branch. Click the "Refresh" button and review the logs for any distribution errors that occur after the time the last profile distribution completed.
Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000085894