Network Critical SmartNA-X, User Manual

Page 1: ...Smart Network Access Modular System X SmartNA X 1G 10G Network Tapping Device User Guide v1 4 ...

Page 2: ...ewall 16 How to set up a TAP 16 Chapter 2 Getting Started 19 List of supplied components 19 Installing the chassis 19 Installing the TAP modules 20 Cabling for administrative connections 20 Management port cabling for serial access 21 Management port cabling for network access 22 Accessing the management interfaces 22 Connecting locally using the supplied serial cable 22 Connecting to the system 2...

Page 3: ...ing Ports 42 Configuring Ports 42 Working with copper ports 42 Configuring port settings 44 Viewing port statistics 46 Chapter 5 Moving Traffic With Maps 48 Creating maps in the web UI 48 Chapter 6 Restricting Traffic with Filters 50 Using filters 50 Defining filters 50 Packet header filtering criteria 51 Defining custom fields 55 Applying filtering 56 Chapter 7 Load Balancing 57 Load balancing 57...

Page 4: ...77 SNMP Engine ID 77 Defining notification trap settings 78 Specifying send notifications 78 Configuring notification hosts 79 Defining SNMPv1 v2 communities 79 Define SNMPv1 v2 communities 80 Configuring SNMP v3 80 Defining SNMP users 81 Mapping SNMPv1 v2 users to SecurityNames 82 Creating SNMP groups 83 Defining SNMP views 84 Defining the group access policy 85 Chapter 11 Command Line Reference ...

Page 5: ... 105 create radius authserver 105 delete radius authserver 106 create radius accserver 106 delete radius accserver 107 show tacacs 107 create tacacs authserver 107 delete tacacs authserver 108 create tacacs accserver 108 delete tacacs accserver 109 set log 109 Module commands 110 select 110 show status 110 show counters 111 clear counters 111 show temperaturehigh 111 set temperaturehigh 112 show r...

Page 6: ...ble agent 143 snmp show all 144 snmp show engineid 145 snmp apply 145 snmp show notify 145 snmp enable notify 146 snmp disable notify 146 snmp show host 147 snmp create host 148 snmp delete host 148 snmp show community 149 snmp create community 149 snmp delete community 150 snmp show user 150 snmp create user 151 snmp delete user 152 snmp show sectogroup 152 snmp create sectogroup 153 snmp delete ...

Page 7: ...rm 176 set port packetprocessor clear transform 176 set port packetprocessor slicing 177 cancel packetprocessor 177 Chapter 12 Troubleshooting 178 Troubleshooting network issues 178 Connecting to the IPv6 link local address 178 Troubleshooting slow transmission rates copper ports 179 Troubleshooting Java plugins 179 Troubleshooting the CLI 180 Troubleshooting SNMP 181 Troubleshooting the web UI 18...

Page 8: ...10G User Guide 1 4 2015 Network Critical Solutions Limited Transport header Matches 193 GRE header matches 194 Layer above TCP UDP 195 IPP module preset Transforms 196 Appendix E Supported MIBs 198 Hardware warranty 199 Contacting Network Critical 200 ...

Page 9: ... power cord or supplied power cord set Whenever it is likely that protection has been impaired disconnect the power cord until the ground has been restored Power supply Removable power supplies are to be used in the SmartNA Xsystem only For pluggable equipment the socket outlet shall be installed near the equipment and shall be easily accessible Servicing There are no user serviceable parts inside...

Page 10: ... for inline integration of network tools Packet slicing options Support for RADIUS TACAS authentication and accounting servers Integrated SNMPv3 management agent Optional chassis dual power units System features SmartNA X provides a modular scalable and customizable 1 10G packet broker and TAP solution for network monitoring and security tools It is designed to work as an enterprise solution custo...

Page 11: ... provides two 10G bps ports at the rear Each module has four ports that operate in pairs for connecting to a live network and network monitoring tools Slot 1 on the left of the chassis supports data rates up to 10G bps while Slots 2 4 support data rates up to 1G bps The chassis also provides network and serial management ports for remote and local connections to the web and CLI management interfac...

Page 12: ...th None IPv6 gateway None Web management HTTP Secure Server Enabled HTTP Secure Server Port 443 Web management Timeout 1 minute for an incorrectly ended session browser closed without logging out or a dropped connection SNMP SNMP Agent Disabled Community strings None configured User accounts Auditor Permissions Read only Username audit Password audit Operator Permissions Read write access to port ...

Page 13: ...ntication and accounting Add packet filters to maps Set up load balancing groups supported systems only Update system firmware Configure SNMPv1 v2c v3 management stations and enable SNMP notifications About network TAPs A network TAP provides a means of unobtrusively connecting to a data network for the purpose of accessing the traffic data packets flowing along that network and sending it to netw...

Page 14: ...talled allows up to four servers to be tapped or more if C D ports are used in TAP failsafe mode Figure 3 TAPs placed on individual servers TAP before a load balancer You can place TAPs before a load balancer to monitor a group of servers with one TAP In this location you ll be able to observe the IP addresses of individual requesters and have a better understanding of user traffic locations Note ...

Page 15: ... configured A limitation of placing TAPs after a load balancer would be understanding who is requesting the information The Load Balancer typically will appear as the user address making the requester of data appear as a single user Another possibility to address recognizing a users location depends on the type of load balancer you are using For example if your load balancer supports it you can en...

Page 16: ... internet router and a firewall to monitor the data exchanged between the public Internet and your local Intranet Figure 6 TAP configuration between router and firewall How to set up a TAP You set up a TAP by connecting the SmartNA X to your LAN and directing the received traffic to your network monitoring tools for capture or analysis Once the TAP has been installed its presence is transparent to...

Page 17: ...e relevant step below 2 Map ports A and B to each other to join the live links and allow traffic to flow across the TAP Figure 7 Map A and B ports to join the live links Assuming module 3 the equivalent CLI commands are CONTROLLER set map 3a to 3b CONTROLLER set map 3b to 3a 3 Map the live ports to output ports C and or D as required Figure 8 Map A and B ports to C and or D output ports The equiva...

Page 18: ...A speed auto SLOT3 set port A duplex auto SLOT3 set port A mastering preferMaster SLOT3 set port A tap LFP 5 If required define and apply filters to limit the packets sent to the output ports to a subset of the overall data stream Figure 10 Apply filters The equivalent CLI commands for the filters shown in the above figure are as follows SLOT3 set map 3a to 3c require HTTP SLOT3 set map 3b to 3d e...

Page 19: ... SmartNA X chassis should be installed in a secure server rack with access to authorized personnel only Caution Static electricity can damage sensitive electronic components To discharge static fit an antistatic wrist strap or touch a bare metal surface before handling SmartNA X components 1 Unpack all parts onto a clean workbench for inspection 2 Carefully check all parts against your order If an...

Page 20: ... take other precautions against electrostatic discharge ESD before handling the TAP modules 2 Remove the TAP modules from their ESD bags The modules are colour coded as follows Red 10G bps maximum Red modules must only be used in Slot 1 left most slot Blue 1G bps maximum Blue modules may be used in any slot The following figure shows the correct placement of the 10G and 1G modules 3 Carefully slid...

Page 21: ...ulation software such as PuTTY http www chiark greenend org uk sgtatham putty Figure 13 DE 9 female to 8P8C RJ45 serial management cable 1 Connect the RJ45 end of the DE 9 female to 8P8C RJ45 serial management cable to the serial CONSOLE port 2 On your PC open your preferred terminal emulation client and make sure the COM settings are as follows Baud Rate 9600 bps Data bits 8 Stop bits 1 Parity No...

Page 22: ...ction to the CONSOLE port Remotely via a HTTPS or SSH network connection to the MGMT port Connecting locally using the supplied serial cable You can set up a local connection to SmartNA X by attaching the supplied serial cable to the CONSOLE port and connecting it to a PC running a terminal program Local connections provide access to the CLI only 1 Connect the supplied DE 9 female to 8P8C RJ45 ser...

Page 23: ...e graphical user interface In particular the integrated Drag n Vu engine allows the easy creation of port maps by dragging from one port to another and the application of filters by clicking on a map and choosing a filter to apply 1 Before starting ensure your PC has a web browser with the Oracle Java plugin installed The security settings for Java must be configured as follows Enable Java content...

Page 24: ...ons and the timeout period for rule generation for when applying maps and filters Management Provides options for upgrading system firmware installing Feature Packs saving configurations uploading a custom SSL certificate and for rebooting the system Click on a module to access the following per module settings Health Provides similar information as the chassis health options uptime firmware revis...

Page 25: ...e authenticity of host 192 168 254 100 can t be established RSA key fingerprint is 9a 30 7b 95 ec b4 fe 53 e1 a4 42 69 4f 15 5c 1a Are you sure you want to continue connecting yes no yes Warning Permanently added 192 168 254 100 RSA to the list of known hosts 3 When prompted type your SmartNA X password and press enter The SmartNA X CONTROLLER prompt is displayed after logging in admin 192 168 254...

Page 26: ...on another network segment The gateway address must be specified in dotted decimal format a b c d DNS Server Optional Enter the IPv4 address of a default DNS server in dotted decimal format a b c d 4 If assigning an IPv6 address enter the IPv6 parameters System IPv6 address Enter the network interface IPv6 address in standard IPv6 format such as 2001 db8 52 0 1 IPv6 prefix length Enter the network...

Page 27: ...k Critical Solutions Limited 2 Select the Use DHCP checkbox 3 Click Review apply review the changes you have made and then click Apply to implement the new settings After a short delay you will be logged out while changes are implemented The system will begin broadcasting service requests ...

Page 28: ...re which limits the user to certain management functionality as follows Administrators have full access to all system and port settings Operators have access to port settings only Auditors have read only access to system and port settings Local users are managed from the Local Users list which is accessible from the Security tab after clicking Configure local users Figure 17 Local Users list Addin...

Page 29: ...tab or with CLI commands 1 Log in to the web UI as Administrator 2 Click on the chassis and select the Security tab 3 Click Configure local users 4 In the Local Users list click the edit icon for the Administrator account The Edit local user dialog displays see figure Figure 19 The Edit local user dialog 5 Select the Change password checkbox 6 Enter a new password for the Administrator account Pas...

Page 30: ...es to be consistent regardless of the machine on which the file systems reside For these reasons it is important that the time configured on the all devices on the network be accurate Note The SmartNA X device supports Network Time Protocol NTP and when enabled the device dynamically synchronizes the device time with the NTP server time The device operates only as an NTP client and cannot provide ...

Page 31: ...ns dialog displays with a list of available configurations Depending on your system installation you may have several default configurations that have been pre installed For example all system have a factory_defaults configuration that can be used to reset the system back to its factory configuration Other default configurations may exist on your system 3 Select the configuration to restore and cl...

Page 32: ...s necessary 1 Click on the chassis and select the Management tab 2 Click Upload configuration file and click Continue You will now be logged out of the system 3 Enter the Administrator username and password click Choose file and navigate to the file you want to load Upgrade system firmware Network Critical may occasionally release new versions of the system firmware to upgrade device functionality...

Page 33: ...nstallation of additional Feature Packs before they can be applied successfully The following Feature Packs are available Aggregation Feature Pack Aggregation Filtering Feature Pack Aggregation Filtering Load Balancing Feature Pack Installing a Feature Pack Administrators can install Feature Packs to add additional port capabilities to the system including filtering and load balancing Each Feature...

Page 34: ...t will most likely give you the option of trusting the key adding it to your local cache see the following example output The authenticity of host 192 168 254 100 can t be established RSA key fingerprint is 9a 30 7b 95 ec b4 fe 53 e1 a4 42 69 4f 15 5c 1a Are you sure you want to continue connecting yes no yes Warning Permanently added 192 168 254 100 RSA to the list of known hosts Once you ve trus...

Page 35: ... not available the next selected method is used For example if the selected authentication methods are RADIUS and Local and all configured RADIUS servers are queried in priority order and do not reply the user is authenticated locally If an authentication method fails or the user has insufficient privilege level the user is denied access to the device In other words if authentication fails at an a...

Page 36: ...cks user privileges Accounting Enable accounting of login sessions using the TACACS server This enables a system administrator to generate accounting reports from the TACACS server After the authentication session is completed an authorization session starts using the authenticated username The TACACS server then checks user privileges The TACACS protocol ensures network integrity through encrypte...

Page 37: ...wn in the following figure server priority can be changed by dragging the servers into the required order Servers at the top of the list have the highest priority Figure 26 Drag servers up and down the servers list to configure server priority Configure TACACS authentication servers 1 Click on the chassis and select the Security tab Existing TACACS authentication servers are shown in the TACACS au...

Page 38: ... session is completed an authorization session starts using the authenticated username The RADIUS server then checks user privileges Accounting Enable accounting of login sessions using the RADIUS server This enables a system administrator to generate accounting reports from the RADIUS server RADIUS authentication servers can be configured using the RADIUS authentication dialog shown below Figure ...

Page 39: ... parameters Server address Enter the server s IPv4 address Server port Enter the UDP port number usually port 1812 for RADUS authentication servers Shared secret Enter the RADIUS server s shared secret Confirm secret Enter the shared secret again to confirm it 4 Click Add server The server is added to the list of RADIUS accounting servers 5 If desired arrange server priority by dragging with the A...

Page 40: ...wn and will be contacted first 3 If you have not done so already click Set shared secret and enter the global shared secret for the TACACS accounting servers 4 Click Review apply and review pending changes To apply these changes to the system click Apply changes or click X to cancel Add RADIUS accounting servers 1 Click on the chassis and select the Security tab Any RADIUS accounting servers alrea...

Page 41: ...em click Apply changes or click X to cancel Rebooting the system You can reboot the device to reset all components of the system to the last saved applied configuration Any pending updates will be lost unless applied prior to rebooting Attention A reboot takes around 2 3 minutes During this time you will be unable to login to the system and all network traffic on the live ports will be stopped inc...

Page 42: ...M bps Auto negotiation set to OFF The following details should be noted when auto negotiation is set to OFF Port duplex setting must be either full duplex or half duplex not auto and must match the link partner setting Port speed setting must be either 10M or 100M not 1G or auto and must match the link partner setting Port mastery setting is irrelevant If auto negotiation is OFF the speed and dupl...

Page 43: ...to port A and device Y to port B A behaves as if it were Y and B as if it were X making the presence of a TAP relatively invisible to the partner ports LMP is a TAP mode option that can be chosen instead of LFP giving three possibilities None LFP or LMP When LMP is selected it has control over the speed duplex and master slave characteristics of the ports and the effect of changes to speed duplex ...

Page 44: ...de of the port either MDI normal MDI X crossover or Auto An Ethernet crossover cable must be used if port link partners are using the same MDI setting MDI to MDI or MDI X to MDI X Duplex Select the duplex mode either Full for full duplex Half for half duplex or Auto to allow either Mastery Select the port mastery for clock synchronization A link will only function correctly if there is one master ...

Page 45: ...resholds do not cause port throttling discarding of packets to occur when the high threshold level is exceeded Packets will only be discarded if the maximum carrying capacity of the port is surpassed 1 Click on the port to access port information and configuration options Multiple ports can be selected by holding down Shift and clicking on additional ports 2 Click on the Health tab The port health...

Page 46: ...ors statistics The Errors tab shows various accumulated packet errors since the last reboot or counter reset Statistics for the following packet errors are available Undersize Number of undersized packets less than 64 octets received Fragments Number of fragments packets with less than 64 octets excluding framing bits but including FCS octets received Oversize Number of packets over the MRU size r...

Page 47: ...r Guide 1 4 2015 Network Critical Solutions Limited Figure 38 Errors statistics for ports 1C and 2B Viewing SFP information The SFP tab shows information about the transceiver and physical link for the selected SFP port s Figure 39 SFP information for ports 1A and 1B ...

Page 48: ...ort diagram Arrows show the direction of traffic Figure 40 Maps appear as lines on the port diagram Map lines are drawn using different colours so you can tell them apart in complicated configurations You can also move the pointer over a map line and the other maps will fade into the background Figure 41 Hover over a line to dim all other lines You can aggregate traffic from multiple source ports ...

Page 49: ...SmartNA X 1G 10G Modular Moving Traffic With Maps 49 SmartNA X 1G 10G User Guide 1 4 2015 Network Critical Solutions Limited Figure 43 A one to many Replication map ...

Page 50: ... matching the filtering criteria and rejects packets which do not An exclude passes packets which do not match the filtering criteria and rejects packets which do When a filter has been applied its label appears beside the map along with the word NOT if the filter is an exclude filter More complex filtering rules can be created by Applying multiple filters to a single map as shown in the following...

Page 51: ...ilter by adding a custom field Only custom filters which match the packet type are shown Specify the values to match in the custom field A custom field is in use if at least one filter that is required or excluded by at least one map specifies a value to match for that field 7 Click Add filter to finish defining the filter 8 Click Review apply and review pending changes To apply these changes to t...

Page 52: ... VLAN header You may use the following formats when specifying levels 2 A single level 2 4 An inclusive range 0 1 A value mask pair here all even 0 2 Multiple levels MAC addressing Filters by MAC address You may give either a single specification to find packets where either the source or the destination address matches or separate specifications for source and or destination address You may use t...

Page 53: ...nges and wildcards may be used in any segment s Multiple addresses may each use either ranges and wildcards or a mask For ARP packets use source for the sender address and destination for the target address IPv4 fragment Filters by IPv4 fragments Enter 0 not a fragment or 1 is a fragment IP protocol Filters by IP protocol number Some commonly used IP protocols numbers are 1 ICMP 6 TCP 17 UDP 132 S...

Page 54: ...mmas The following formats are recognized 10 a single code point 10 14 An inclusive range 0 1 a value mask pair 10 12 14 multiple code points Multiple code points may each use a range or mask Layer 4 port filtering Filters by TCP UDP port number when protocol number 6 TCP or 17 UDP is specified in Layer 3 You may enter either a single specification to find packets where either the source or the de...

Page 55: ...an six underlying user defined bytes can be used in total at any given time Here used refers to custom fields that can actually affect passing traffic Other custom fields may still be defined and filters may be defined using them but these don t count toward the totals as long as the filters aren t applied to any maps 1 Click on the chassis and select the Custom fields tab 2 Click Add new custom f...

Page 56: ...n t done so already set up the port mappings and define your filters 2 Click on a map A list of defined filters is shown as shown in the figure below 3 For each filter in the list choose how you want filtering to be applied to the map Ignore Default setting Ignore this filter let all packets pass Require Pass all matching packets and drop all non matching packets Exclude Drop all matching packets ...

Page 57: ...ed groups may still be used as destinations for the normal mapping and filtering functions For example if tools are monitoring a protocol that has separate control and data channels it is possible to load balance the data channel traffic across a set of tool ports but still to replicate all control channel data to all of those tool ports at the same time Load balancing scalability SmartNA X suppor...

Page 58: ...ct the stream to just those packets required for load balancing For example if you wish to balance on headers below layers 2 that is the various IP address and port headers set up a filter that restricts packets to just those headers Limitations The following limitations apply when using load balancing on SmartNA X devices Load balancing needs variation in the selected header fields of incoming tr...

Page 59: ...ionally add filters to remove unwanted packets prior to load balancing Figure 48 Add filters to remove unwanted packets 4 Select ports 1C 1D 2C 2D then drag LB1 to any one of the selected ports Figure 49 Map LB1 to ports 1C 1D 2C 2D 5 Click on the Load Balancer Group LB1 6 Choose up to three headers for the load balancing group Note that to ensure an even load distribution the headers chosen must ...

Page 60: ...hese changes to the system click Apply changes or click X to cancel The complete set of CLI commands for the example configuration are shown below CONTROLLER set map 3a to 3b CONTROLLER set map 3b to 3a CONTROLLER set map 3A 3B to LB1 require HTTP CONTROLLER set LB1 to 1C 1D 2C 2D CONTROLLER set lbheaders LB1 ipv4_src port_dest CONTROLLER commit Committing maps Committing filters Committing load b...

Page 61: ...n the AB port pair only On these modules the AB ports always have either LFP or LMP enabled unless it is running in Egress mode However in V Line mode if the Reverse Bypass setting is enabled this will break the AB link if there is a power outage For more information see About TAP mode on page 43 V Line module functionality The V Line Module provides three primary areas of functionality although t...

Page 62: ...ss For more information about failsafe see About TAP mode on page 43 Breakout mode V Line Module Breakout mode see the figure below sends copies of traffic from the live network A and B ports to a selectable combination of C and D ports with or without optional packet slicing Packets received on the live network ports A B can be passed to other modules in the system Filters are not supported on ma...

Page 63: ...u can override this to disable the failsafe behaviour for that port pair by activating Reverse Bypass For more information about failsafe see About TAP mode on page 43 Egress mode The Egress mode allows traffic to be mapped onto the V Line module from other ports on the system via the internal backplane and taken out of the front ports optionally slicing it first All four ports A B C and D work th...

Page 64: ...d all traffic flowing along it is stopped The link remains isolated even in the case of a power failure and stays isolated when power is returned until either the tool is seen to be working properly or the card configuration is changed Heartbeat rate ms Enter heartbeat packet transmit rate in milliseconds Heartbeat packets are never allowed onto the live data network You may enter values from 1 10...

Page 65: ...V Line module live ports A and B must have matching communication settings same speed duplex and MDI settings Tool ports If operating in V Line or Breakout mode the V Line module tool ports C and D must have the same communication settings as the live ports A and B 5 Click Review apply and review pending changes To apply these changes to the system click Apply changes or click X to cancel Figure 5...

Page 66: ... unsliced Slicing D egress Enter a packet slicing size for egress traffic sent from Port D Minimum slicing size is 16 Bytes and maximum slicing size is 9216 Bytes Leave blank or enter 0 to keep packets unsliced 4 Configure port communication settings noting the following requirements for effective port communications Mapping to other TAP modules If a V Line module is mapped to another TAP module t...

Page 67: ...ing in V Line or Breakout mode the V Line module tool ports C and D must have the same communication settings as the live ports A and B 5 Click Review apply and review pending changes To apply these changes to the system click Apply changes or click X to cancel Configure Egress mode 1 Click on the V Line module you wish to configure and select the V Line tab 2 From V Line mode select Egress The V ...

Page 68: ...68 Working with the V Line Module SmartNA X 1G 10G Modular SmartNA X 1G 10G User Guide 1 4 2015 Network Critical Solutions Limited Figure 61 V Line Module Egress mode ...

Page 69: ... eight headers can be looked for and processed per packet The IPP module has no external ports of its own Instead packets are sent to it from other SmartNA X modules before being returned to the chassis for onward forwarding Maps are used in the normal way to direct traffic into the IPP module and then from the IPP module post processing to an egress port to a tool Maps can be configured using the...

Page 70: ... in a byte you can t set some bits and clear others The following limits apply to IPP actions Only the first 120 bytes of a packet support an action The first 119 bytes may have any action associated with them The 120th byte only supports truncate or pass The start bit of a delete or truncate action must begin after the MAC addresses that is no less than the 12th byte The value associated with XOR...

Page 71: ...m or not To set up packet slicing on an IPP module port use the set port packetprocessor slicing command The following example slices packets to 756 byes egressing from Port 1A CONTROLLER select slot 1 SLOT1 set port A packetprocessor slicing 756 Committing changes after configuring the IPP module Any changes made to the IPP module remain pending in memory only until the commit command has been en...

Page 72: ...m for configuring the IPP module The following steps provide detailed instructions and example commands for configuring the IPP module Step 1 Create a Transform logical name The first step when configuring the IPP module is to create a Transform logical name Once a Transform has been created Matches and actions can be assigned to it and applied to a port Multiple Transforms each with different Mat...

Page 73: ... third step is to add to the Transform a set of Actions that will be taken if a Match is found The following Actions are available Delete a byte Remove a specified byte from the packet header Replace a byte Change a specified byte in the packet header to a different value Invert bit s within a byte logical XOR Change any or all bits within a byte to the opposite value Set bit s within a byte logic...

Page 74: ... module is to review the pending port configuration changes If the changes are correct commit them to update the system configuration otherwise use the cancel packetprocessor command to discard them SLOT1 show port A port type Packet processor slicing 756 transforms 7 remove v2 header SLOT1 commit Example Transforms The GRE packet arrives with a delivery IP header and GRE header that we want to st...

Page 75: ...a Transform to remove delivery header and 8 byte GRE header from untagged 20 byte IPv4 packets create packetprocessor transform IPv4 20 remove GRE 8 set packetprocessor transform IPv4 20 remove GRE 8 named match EtherType IPv4 set packetprocessor transform IPv4 20 remove GRE 8 named match IPv4 IHL 5 set packetprocessor transform IPv4 20 remove GRE 8 named match GRE KS L 3 IPv4 set packetprocessor ...

Page 76: ...v1 v2 and v3 It also reports system events to trap receivers using the traps defined in the MIB that it supports SNMP v1 and v2 To control access to the system a list of community entries is defined Each community entry consists of a community string and its access privilege Only SNMP messages with the suitable community string and operation are responded to by the system SNMP agents maintain a li...

Page 77: ...y using the Add communitydialog Configure the access rights of a community as read only or read write In addition you can restrict the access to the community to only certain MIB objects by specifying an OID SNMPv3 workflow In SNMPv3 users are organized into groups and are useless unless included in a group A group is a label for a logical entity combination of attributes A group is operational on...

Page 78: ...the chassis and select the SNMP tab 2 Using the Send notifications options select the notifications you want to send to your notification hosts from this device The following notifications are available Health the following events will trigger a Health notification System temperature above threshold nctapNotifySysTemperature TAP module temperature above threshold nctapNotifyTemperature Power on of...

Page 79: ... UDP port on the host SNMP version Choose whether notifications are to be sent using SNMP v1 v2c or v3 Notification type Specify whether notifications may be sent as traps or where supported informs Credentials Enter security credentials for the Manager For SNMP v1 or v2c it is the community string For SNMP v3 it is an existing local user for traps or remote user for informs Engine ID Specify the ...

Page 80: ...anumeric characters no spaces and the first character must be a letter IP version Specify whether this community allows access via IPv4 or IPv6 Source You may restrict access to the community from certain sources by specifying the source address subnet or hostname Type Specify whether this community allows read only or read write access to clients OID You may restrict access to the community to pa...

Page 81: ...igure users The SNMP Users dialog displays 3 To define a new user click Add new user or to edit an existing user click the icon for that user The Add Edit new user dialog displays see the figure below 4 Enter or edit details for the user User name Specify a name for the user Names consist of 1 32 alphanumeric characters and must begin with a letter Engine Choose whether the user is a local user mo...

Page 82: ... communities The SNMP Communities VACM dialog displays 3 To map a new user click Add new community or to edit an existing mapping click the icon for that user The Add Edit Community dialog displays see the figure below 4 Enter or edit details for the community mapping Community string Specify the community string The community string is case sensitive and must contain 1 32 alphanumeric characters ...

Page 83: ... 73 The SNMP Groups dialog Create an SNMP group 1 Click on the chassis and select the SNMP tab 2 Under View based access control click Configure groups The SNMP Groups dialog displays 3 To define a new group click Add new group or to edit an existing community click the icon for that group The Add Edit group member dialog displays see the figure below 4 Enter or edit details for the group Group na...

Page 84: ...nder View based access control click Configure views The SNMP Views dialog displays 3 To define a new view click Add new view or to edit an existing view click the icon for that view The Add Edit view member dialog displays see the figure below 4 Click Add new view The Add view member window appears 5 Enter or edit details for the view Name Specify a name for the view Names consist of 1 32 alphanu...

Page 85: ...therwise a user or a community associated with this group is able to write all MIBs except those that control SNMP itself Notify Sends only notifications with contents that is included in the SNMP view selected for notification Otherwise there is no restriction on the contents of the notifications Group access policies are configured using the SNMP Access Control List dialog shown below Figure 77 ...

Page 86: ...fy the names of existing views to which get requests will be mapped If no access is required create a None view with no access to any MIB and specify it here Write view Specify the names of existing views to which set requests will be mapped If no access is required create a None view with no access to any MIB and specify it here Notify view Specify the names of existing views to which notify requ...

Page 87: ... required items Choose one from the list to complete the command optional items Optional items Separated by where there are several items to choose from choose one item from the list CLI editing and command completion The CLI uses standard keyboard controls for auto completion of commands and line editing Typing cursor L R moves the cursor through a partially typed command Typing cursor U D moves ...

Page 88: ...lp for port mapping commands port Display help for port communications commands snmp Display help for SNMP commands loadbalancing Display help for Load Balancing commands customfields Display help for custom field user defined bytes commands vline Display help for V Line module commands Examples Display CLI help CONTROLLER help The command interpreter supports the following basic commands Help Sel...

Page 89: ...mand usage for network commands CONTROLLER help net The following commands control and display networking parameters The commands to set gateway and dns cannot be used in DHCP mode show IPv4 show all IPv4 settings show IPv6 show all IPv6 settings set IPv4 static IPv4 address IPv4 mask gateway IPv4 address set IPv4 address network mask and optionally gateway set IPv4 dhcp use DHCP for address netma...

Page 90: ...ore command to restore a saved configuration overwriting the current configuration in the process Entering restore without a configuration name produces a list of all available configurations Syntax restore restore config name Parameters config name Specify the name of the configuration to restore Example List the available configurations then restore breakout_10G CONTROLLER restore restore Need n...

Page 91: ... be available Copper ports which have LFP or LMP enabled will continue to pass traffic but all other ports will stop passing traffic while the system reboots Syntax reboot Parameters This command has no arguments or keywords Example Reboot the system CONTROLLER reboot Rebooted card 2 Rebooted card 3 Rebooted card 4 Trap Request queue started for writing 32769 Rebooted motherboard CONTROLLER Broadc...

Page 92: ...0 3 IPv4 DNS Server None configured Stored IPv6 Global Address Stored IPv6 Prefix Length 0 Stored IPV6 Gateway IPv6 Link Local Address fe80 21d ffff fe21 92c5 Active IPv6 Global Address Active IPv6 Prefix Length 0 Active IPv6 Gateway SNMP on Chassis Type 1U Power Supply 1 DOWN Power Supply 2 UP Time and Date 11 23 20 Fri 21 Mar 2014 System Timeout 30 minutes exit Use the exit command to stop the c...

Page 93: ...ords Example CONTROLLER show system Device Name Network Critical Device Contact Device Location MAC address 00 1e ff 63 42 89 IPv4 Addressing Mode static IPv4 Address 192 168 0 126 IPv4 Netmask 255 255 255 0 IPv4 Gateway 192 168 0 254 IPv4 DNS Server None configured Stored IPv6 Global Address Stored IPv6 Prefix Length 0 Stored IPV6 Gateway IPv6 Link Local Address fe80 25d ffaf fe86 4399 Active IPv...

Page 94: ... by underscores _ Example Set name information to Network Critical SmartNA X CONTROLLER set name Network Critical SmartNA X CONTROLLER show name Network Critical SmartNA X show location Use the show location command to report location details blank by default Syntax show location Parameters This command has no arguments or keywords Example Report location details CONTROLLER show location boston_da...

Page 95: ...act details Parameters contact details Specify contact details using 1 19 alphanumeric characters Commas and other punctuation characters may be used but may be replaced on RADIUS servers by underscores _ Example Set contact information to Network admin Tel 4321 CONTROLLER set contact Network admin Tel 4321 CONTROLLER show contact Network admin Tel 4321 set banner Use the set banner command to spe...

Page 96: ...TROLLER set banner 2 filtering for HTTP S packets entering VLAN 23 on the CONTROLLER set banner 3 main data network show banner Use the show banner command to display the current banner message Syntax show banner Parameters This command has no arguments or keywords Example Report the system name CONTROLLER show banner Banner message line 1 Banner message line 2 Banner message line 3 ...

Page 97: ...he NTP server address CONTROLLER show ntp NTP server 192 168 254 21 create ntp Use the create ntp command add an NTP time server After adding an NTP server the system will attempt to synchronize the internal clock with the NTP server Syntax create ntp address Parameters address Specify the IPv4 address of the NTP server Example Specify an NTP server with address 192 168 0 10 CONTROLLER create ntp ...

Page 98: ...gateway gateway address Parameters ipv4 address Specify the network interface IPv4 address in dotted decimal format a b c d netmask Specify a subnet mask netmask gateway gateway address Optional Specify a gateway address Example Define the following static IPv4 network settings and then exit the CLI to implement Network Address 192 168 0 122 Netmask 255 255 255 0 Gateway address 192 168 0 1 CONTRO...

Page 99: ...P Domain Name System DNS server Adding a DNS server allows the use of server names at the command line Changes to network interface settings are implemented after exiting the CLI or immediately if connecting over IPv6 or via the Console port Syntax set ipv4 dns ipv4 address Parameters ipv4 address Specify the IPv4 address of the DNS server in dotted decimal format a b c d Example Define DNS server...

Page 100: ...Set Gateway 2001 4 Link Local Address fe80 21d ffff fe00 91ff Active Global Address 2001 5 Active Prefix Length 16 Active Gateway 2001 4 exit to enable new network settings set ipv6 static Use the set IPv6 static command to define static IPv6 network settings The system carries an implicit fixed link local IPv6 address but you can use this command to add one additional global IPv6 address The new ...

Page 101: ...Use the set ipv6 gateway command to define a gateway address for IPv6 inter network routing The gateway address is implemented after exiting the CLI Syntax set ipv6 gateway ipv6 address Parameters ipv6 address Specify the IPv6 address of the gateway in standard IPv6 format 2001 db8 52 0 10 Example Define IPv6 gateway 2001 db8 52 0 10 and then exit the CLI to implement CONTROLLER set ipv6 gateway 2...

Page 102: ...security level 3 create user Command to add a user account and assign a username password and security level Syntax create user username password 1 2 3 Parameters username Specify the account username Usernames are case sensitive and may contain alphanumeric characters only Spaces are not permitted password Specify the account password Passwords are case sensitive and may contain alphanumeric char...

Page 103: ...he new security level 1 specifies Auditor level with interrogative access only 2 specifies User level access with interrogate access only to system settings and full access to traffic ports 3 specifies Administrator level with full access to system settings and traffic ports Example Change security level to 2 for user1 CONTROLLER set user user1 level 2 set user password Use the set user password c...

Page 104: ... Command Line Reference SmartNA X 1G 10G Modular SmartNA X 1G 10G User Guide 1 4 2015 Network Critical Solutions Limited CONTROLLER set user Admin password myAdminPassword Changing password for user Admin ...

Page 105: ...thenticate users by RADIUS server s fallback to TACACS server s if RADIUS fails fallback to local if all authentication servers fail CONTROLLER set authentication radius tacacs local Change accepted show radius Use the show radius command to show a list of all configured RADIUS servers Syntax show radius Parameters This command has no arguments or keywords Example List RADIUS servers CONTROLLER sh...

Page 106: ...ate radius authserver 192 168 10 22 1812 radiusSecret CONTROLLER set authentication radius local Change accepted delete radius authserver Use the delete radius authserver command to remove a RADIUS Authentication server Ensure your authentication scheme set authentication includes local if no Authentication servers are configured to prevent becoming locked out of the system Syntax delete radius au...

Page 107: ... accounting servers are configured then transaction logging will be disabled since local accounting is not supported Syntax delete radius accserver server addr Parameters ipv4 Specify the IPv4 address of the RADIUS Accounting server to delete Example Delete RADIUS accounting server 192 168 10 25 CONTROLLER delete radius accserver 192 168 10 25 show tacacs Use the show tacacs command to show a list...

Page 108: ...Shared secret tacacsSecret CONTROLLER create tacacs authserver 192 168 10 23 tacacsSecret CONTROLLER set authentication tacacs local Change accepted delete tacacs authserver Use the delete tacacs authserver command to remove a TACACS Authentication server Ensure your authentication scheme set authentication includes local if no Authentication servers are configured to prevent becoming locked out o...

Page 109: ...d then transaction logging will be disabled since local accounting is not supported Syntax delete tacacs accserver ipv4 Parameters ipv4 Specify the IPv4 address of the TACACS Accounting server to delete Example Remove TACACS accounting server 192 168 10 26 CONTROLLER delete tacacs accserver 192 168 10 26 set log Use the set log command to manually add entries to the transaction logs This command r...

Page 110: ...ot num select controller Parameters num Specifies the module slot number Slots are numbered 1 4 starting from the left and the rear slot is 0 or R Examples Select slot 1 CONTROLLER select slot 1 SLOT1 Select Controller SLOT1 select Controller CONTROLLER show status Use the show status command to display system information The information returned can be used to check the overall system status temp...

Page 111: ... counter information for slot 3 CONTROLLER select slot 3 SLOT3 show counters Port Bytes in Bytes out Packets in Packets out A 0 0 0 0 B 0 0 0 0 C 0 0 0 0 D 0 0 0 0 clear counters Use the clear counters command to reset the traffic counters Syntax clear counters Parameters This command has no arguments or keywords Example Reset counters for Slot 3 CONTROLLER select slot 3 SLOT3 clear counters show ...

Page 112: ...C for the chassis and 85 C for Slot 3 CONTROLLER set temperaturehigh 70 CONTROLLER select slot 3 SLOT3 set temperaturehigh 85 show rates Use the show rates command to display traffic rates updated every two seconds through each port of the current module Syntax show rates Parameters This command has no arguments or keywords Example Show traffic rates for slot 3 CONTROLLER select slot 3 SLOT3 show ...

Page 113: ...re less than 64 octets in length excluding framing bits but including FCS octets and had either a bad Frame Check Sequence FCS with an integral number of octets FCS Error or a bad FCS with a non integral number of octets Alignment Error OverSize The number of packets received during this sampling interval that were longer than the MRU excluding framing bits but including FCS octets but were otherw...

Page 114: ...ock Configured port locking option when link down is detected either off port does not lock on link down or on port locks on link down Lock Current lock unlocked state either off port is open for traffic or on port is closed for traffic in or out Description Shown if a port name description has been entered Usage Configured port usage either unknown network or tool This setting has no bearing on a...

Page 115: ...ar ports On Turn on port auto locking Off Turn off port auto locking Example Enable autolock for port 3A CONTROLLER select slot 3 SLOT3 set port A autolock on SLOT4 show port a speed set auto actual 1G duplex set auto actual full mdi set mdi x actual mdi x mastering set preferslave actual master autoneg auto tap off autolock on lock off description Web router downstream port usage network port typ...

Page 116: ...ic threshold low 0 traffic threshold high 100 set port name description Use the set port name or set port description command to specify a name description for the specified port Syntax set port port id name description port name description Parameters port id Specify the port letter to set or show A D for front ports 0 or 1 for rear ports port name description Enter a description for the port Spa...

Page 117: ...ROLLER select slot 3 SLOT3 set port A duplex full speed set auto actual 1G duplex set full actual full mdi set mdi x actual mdi x mastering set preferslave actual master autoneg auto tap off autolock on lock off description Web router downstream port usage network port type Registered Jack 45 RJ45 PORT UP traffic threshold low 0 traffic threshold high 100 set port lock Use the set port lock comman...

Page 118: ... be synchronization master link partner must be slave Forceslave Force the port to be synchronization slave link partner must be master Prefermaster Prefer the port to be synchronization master Preferslave Prefer the port to be synchronization slave Example Set port 3A to Preferslave CONTROLLER select slot 3 SLOT3 set port A mastering forcemaster speed set auto actual 1G duplex set auto actual ful...

Page 119: ...itting maps and vline SLOT3 set port name Use the set port name command to enter a name description for the port Syntax set port port id name description Parameters port id Specify the port letter to set or show A D for front ports 0 or 1 for rear ports description Enter a name or suitable description for the port Surrounding quotes are not required Example Set port 3A name description to Web rout...

Page 120: ...d of 100M bps 1G Set a port speed of 1G bps 10G Set a port speed of 10G bps This setting is only available on optical ports of the type 10G 1G optical or direct attach cable 10G 1G as indicated by the show port command Example Set port A on slot 3 to 1G bps CONTROLLER select slot 3 SLOT3 set port A speed 1G speed set 1G actual 1G duplex set auto actual full mdi set mdi x actual mdi x mastering set...

Page 121: ...et port port id traffichigh high threshold Parameters port id Specify the port letter to set or show A D for front ports 0 or 1 for rear ports high threshold Specify a high traffic threshold as a percentage of the total available bandwidth Example Set a 95 high traffic threshold for port 4A CONTROLLER set port 4 traffichigh 95 set port trafficlow Use the set port trafficlow command to set a low tr...

Page 122: ... can use this setting to help identify which ports are connected to a network and which are connected to tools Syntax set port port id usage undefined network tool Parameters port id Specify the port letter to set or show A D for front ports 0 or 1 for rear ports Undefined Indicates that the port is not used Network Indicates that the port is connected to a network Tool Indicates that the port is ...

Page 123: ... Ports 1A Destination Ports 1B 1C 2 Source Ports 1B Destination Ports 1A 3 Source Ports 1B Excluded Filters HTTP Destination Ports 3D 4 Source Ports 1B Destination Ports 3C 5 Source Ports 1B Required Filters SMTP Destination Ports 1D set map Use the set map command to create maps and optionally apply filters to them Maps can be created between physical ports and between logical load balancer group...

Page 124: ...regated for example 1A 1B RA end ports Specify the ending port s for the map The ending ports can be any of the physical ports such as port 1C or any of the logical Load Balancer Groups such as LB1 on supported systems Use spaces if the data stream is to be replicated to two or more end ports for example 1C 1D RA require filter Optional Specify the name of any require filters to apply pass matchin...

Page 125: ... maps before deleting a map to determine the correct map number After deleting maps enter a commit command to replace the live settings on the device with your new configuration Syntax delete map map number Parameters map number Specify the map number to delete Map numbers are shown in the listing provided by show maps and are updated each time a map is deleted Example Show maps delete map 4 and c...

Page 126: ... Destination Ports 1D 5 Source Ports 1B Excluded Filters SMTP Destination Ports 3C CONTROLLER commit Committing maps and vline clear maps Use the clear maps command to remove all user defined maps packet filters load balancing policies and custom fields If you only want to remove a single instance of a map filter or custom field you may use these alternate commands instead delete map delete filter...

Page 127: ...arate values no spaces PCP level Filter by Priority Code Point user priority from a VLAN header You may use the following formats when specifying levels 2 A single level 2 4 An inclusive range 0 1 A value mask pair here all even 0 2 Multiple levels use commas to separate values no spaces MAC src dest either mac id Filter by MAC address source destination or either Use one of the following formats ...

Page 128: ...yip protocol TCP Port src port number Port dest port number Port either port number cwr flag value ece flag value urg flag value ack flag value psh flag value rst flag value syn flag value fin flag value other filtering options set filter filter name anyip protocol UDP TCP TCP_UDP SCTP Port src port number Port dest port number Port either port number other filtering options set filter filter name...

Page 129: ...ode points may each use a range or mask Port src dest either port number Filter by TCP UDP port number when protocol number 6 TCP 17 UDP or SCTP 132 is specified in Layer 3 You may enter either a single specification to find packets where either the source or the destination port matches or separate specifications for source and or destination port Common TCP ports include 80 8080 HTTP 443 HTTPS 2...

Page 130: ...ommit Committing maps and vline Committing filters CONTROLLER set filter ipv4 Use the set filter ipv4 command to create filters for packets that match packets of ether type IPv4 The filter can be further refined by specifying IPv4 layer 2 3 and or layer 4 headers plus any user pre defined custom fields that are within the IPv4 scope Syntax set filter filter name IPv4 VLAN tag PCP level MAC src mac...

Page 131: ...rce and or destination address The following address formats are recognised 192 168 0 1 A single address 192 168 0 4 10 An inclusive range 192 168 0 Wildcard 192 168 0 0 255 10 10 0 0 255 255 255 252 Mask 10 10 0 0 3 10 10 0 3 10 10 0 5 Multiple addresses use commas to separate values no spaces Ranges and wildcards may be used in any segment s Multiple addresses may each use either ranges and wild...

Page 132: ...ength defined for the custom field For example if the custom field was defined with an 8 bit length then values of 0 255 are permitted Examples Define a filter that matches IPv4 packets from address 10 10 0 3 to destinations on subnet 192 168 0 1 255 255 255 0 Review and commit to the system CONTROLLER set filter Example filter ipv4 protocol tcp address src 10 10 0 3 address dest 192 168 0 1 255 2...

Page 133: ...ned custom fields within the IPv6 scope Syntax set filter filter name IPv6 VLAN tag PCP level MAC src mac id MAC dest mac id MAC either mac id Address src ip Address dest ip Address either ip Protocol protocol number or name DSCP class Customfield custom field name value set filter filter name IPv6 protocol TCP Port src port number Port dest port number Port either port number cwr flag value ece f...

Page 134: ...mmas to separate values no spaces Addresses may each use either ranges and wildcards or prefix notation Ranges and wildcards may be used in any segment s Protocol protocol number or name Filter by IP protocol number You may also use the following names in place of the number TCP 6 UDP 17 ICMPv4 1 SCTP 132 and TCP_UDP 6 and 17 The following number formats are recognised 1 A single protocol 1 2 An i...

Page 135: ...otocol type TCP or UDP from source 2001 db8 85a3 8a2e 370 7334 to destinations 2000 abcd 77 88 99 CONTROLLER set filter Example filter ipv6 protocol tcp_udp address src 2001 db8 85a3 8a2e 370 7334 address dest 2000 abcd 77 88 99 CONTROLLER show filters Use commit command to configure the switch with these filters Example filter packetType ipv6 protocol 6 17 ipv6 source 2001 db8 85a3 8a2e 370 7334 ...

Page 136: ...s source destination or either Use one of the following formats to specify a single MAC address or multiple MAC addresses 01 23 45 67 89 ab 01 23 45 67 89 ab 01 23 45 67 89 ac use commas to separate values no spaces Address src dest either ipv4 address Filter by IPv4 address You may give either a single specification to find packets where either the source or the destination address matches or sep...

Page 137: ...ets of ether type MRP The filter may be further refined by specifying MPLS top of stack labels plus any user pre defined custom fields within the MPLS scope Syntax set filter filter name MPLS Label value Customfield custom field name value Parameters filter name Specify a unique case sensitive name for the filter The name may contain spaces but if it does it must be contained in quotes the name ca...

Page 138: ...OLLER set customfield Use the set customfield command to filter on user defined bytes UDBs in a packet header The positioning of the custom field within the packet is done by specifying an anchor and an offset value The custom field itself can be up to 32 bits long Custom fields are applied by defining a filter of the same packet type and specifying the custom field and UDBs that you want to apply...

Page 139: ...the anchor position field length Specify the length of the field Valid range 1 32 bits Note The length of offset plus field length must not exceed 1008 bits Example Define a custom field called Example customfield with the following attributes Scope IPV4 packets Anchor Start of L3 headers Offset value 8 bits Field length 16 bits Review changes and commit to the system CONTROLLER set customfield Ex...

Page 140: ...port_src UDP port source field port_dest UDP port destination field The following combinations are disallowed when specifying Load Balancer Group headers IPv4 source and or destination at the same time as IPv6 source and or destination MAC source and or destination at the same time as IPv6 destination only IPv6 source with MAC is allowed Example Set up a load balancing policy configuration for Loa...

Page 141: ... custom fields show filters Use the show filters command to list filters committed and uncommitted on this device The information for each map includes the user defined name and the filtering parameters used to match against packet headers Syntax show filters Parameters This command has no arguments or keywords Example CONTROLLER show filters filters arp_traffic ipv4 destination 192 168 0 1 255 25...

Page 142: ... CF 1 scope ipv4 anchor l3header offset 22 bits length 16 bits show lbheaders Use the show lbheaders command to list load balance policy headers for each Load Balancer Group committed and uncommitted Syntax show lbheaders Parameters This command has no arguments or keywords Example Show Load Balancer Groups CONTROLLER show lbheaders load balance policy headers LB1 ipv4_src ipv4_dest LB2 mac_src ip...

Page 143: ...d has no arguments or keywords Example Show the enabled disabled status of the SNMP agent CONTROLLER snmp show agent SNMP Enabled snmp enable agent Use the snmp enable agent command to enable the SNMP agent Enabling the agent allows SNMP managers to access system management data and for SNMP notifications traps to be sent Syntax snmp enable agent Parameters This command has no arguments or keyword...

Page 144: ...nts or keywords Example Display all SNMP information CONTROLLER snmp show all SNMP Enabled SNMP notify on system notify on health notify on Community number 0 IP protocol version ipv4 comString public Community Type ro oid source Engine ID 0x80007b9d03001dff031009 User number 0 Engine local EngineId Name u1 Auth type md5 priv type des User number 1 Engine local EngineId Name u2 Auth type sha priv ...

Page 145: ...LER snmp show engineid Engine ID 0x80007b9d03001dff00eef4 snmp apply Use the snmp apply command to apply SNMP changes and save to NVR This command is needed for SNMP changes to take effect Syntax snmp apply Parameters This command has no arguments or keywords Example Apply changes to SNMP CONTROLLER snmp apply snmp show notify Use the snmp show notify command to show the on or off state of SNMP no...

Page 146: ... System restarted warmStart SNMP authentication failure authenticationFailure System Turn on System notifications Events which trigger a System notification are Port link up state linkUp Port link down state linkDown Data rate above high threshold nctapNotifyXSTrafficOver Data rate below low threshold nctapNotifyXSTrafficUnder Module inserted or removed nctapNotifyCard Failed login attempt ncUnaut...

Page 147: ...own Data rate above high threshold nctapNotifyXSTrafficOver Data rate below low threshold nctapNotifyXSTrafficUnder Module inserted or removed nctapNotifyCard Failed login attempt ncUnauthorisedAccess Health Turn off Health notifications Events which trigger a Health notification are System temperature above threshold nctapNotifySysTemperature Module temperature above threshold nctapNotifyTemperat...

Page 148: ...used by the host community user Specify the community string SNMPv1 v2c or user SNMPv3 Trap Inform Choose a notification format either Traps unacknowledged notifications or Informs acknowledged notifications If using Informs you must set the EngineID of the remote host EngineID Specify the SNMP EngineID of the host You must specify the remote host s EngineID if using Inform notifications Examples ...

Page 149: ...ROLLER snmp delete host transport specifier hostaddress port v2c community CONTROLLER apply snmp show community Use the snmp show community command to list all SNMP v1 and v2 communities configured on this device Communities are only defined in SNMPv1 and v2 because SNMP v3 works with users instead of communities Syntax snmp show community Parameters This command has no arguments or keywords Examp...

Page 150: ...gement stations with the specified IP address hostname or subnet A subnet is specified as IP mask 10 10 10 0 255 255 255 0 or 10 10 10 0 24 for example ipv4 ipv6 Limit access to the community to IPv4 or IPv6 traffic Example Add a read only community from IPv4 management stations on subnet 192 168 0 0 16 Restrict access to OID 1 3 6 1 4 1 31645 CONTROLLER snmp create community community name ro oid...

Page 151: ...Name which is a name representing a principal in a security model independent format By itself a user securityName is useless and must be added to the VACM access control tables with the snmp create sectogroup command Syntax snmp create user username Auth_None MD5 md5 passphrase SHA sha passphrase Priv_None AES aes passphrase DES des passphrase Local Remote EngineID Parameters username Specify the...

Page 152: ...er local most cases or remote If the agent is remote you must also specify the Engine ID of the remote agent Examples Create a local user no authentication or privacy encryption CONTROLLER snmp create user username CONTROLLER apply Create local user with MD5 authentication encryption and DES privacy encryption CONTROLLER snmp create user username md5 md5 passphrase des des passphrase CONTROLLER ap...

Page 153: ...at most one groupName That is a given user securityName whose communications are protected by a given securityModel can only be included in one groupName The VACM sectoGroup table is used to store group information and is indexed by a securityModel and securityName Several group directives can specify the same groupName allowing a single access setting to apply to several users and or community st...

Page 154: ...ew Use the snmp show view command to list viewNames A viewName is a mapping between SNMP objects and the access MIB rights as reference by the OID range that are available to those objects viewNames are created with the snmp create view command Syntax snmp show view Parameters This command has no arguments or keywords Example List viewNames CONTROLLER snmp show view View number 0 view type include...

Page 155: ...ut a mask all bits are set The mask parameter can be used to define a view covering a particular row or rows in a table by matching against the appropriate table index value but skipping the column sub identifier For more information see http www net snmp org wiki index php Vacm VACM_Masks 2C_or_How_to_restrict_access_to_a_particular_index_ 28ro w 29_in_a_Table Examples Create a viewName with acce...

Page 156: ...OID format for example 1 3 6 1 2 1 1 this is the OID string of the system subtree Examples Delete the viewName with OID string 1 CONTROLLER snmp delete view viewName 1 Delete the viewName with OID string sysUpTime 0 CONTROLLER snmp delete view viewName sysUpTime 0 snmp show access Use the snmp show access command to list VACM Access Table group entries The VACM Access Table is used to store the ac...

Page 157: ...s no active view configured for notify access Syntax snmp create access groupName Any USM v1 v2c noAuth Auth Priv read viewname write viewname notify viewname Parameters groupName Specify a group name that this access right applies Any USM v1 v2c Specify the security model that must be used to get access rights USM is the most secure with all SNMPv3 packets authenticated encrypted and decrypted SNM...

Page 158: ...ame The comtosec security name is distinct from the community string that is mapped to it They can be the same public or different mynet private but what appears in the group directive is the security name regardless of the original community string Syntax snmp show comtosec Parameters This command has no arguments or keywords Example Display community secrets to security name mappings CONTROLLER ...

Page 159: ...ommunity pair to a security name and limited to IPv6 requests CONTROLLER snmp create comtosec securityName commsecret IPv6 CONTROLLER apply Create a mapping from a source community pair to a security name and limited to requests from 192 168 0 0 16 CONTROLLER snmp create comtosec securityName commsecret SOURCE 192 168 0 0 16 CONTROLLER apply snmp delete comtosec Use the snmp delete comtosec comman...

Page 160: ...on of a device into a network Inline devices are continuously monitored for failure and depending on how bypass mode has been configured are either short circuited bypassed or the network is stopped if the device fails This mode also allows packets to be sliced before sending onto the live network ingress Breakout mode copies traffic from the live ports A and B to a selectable combination of the m...

Page 161: ...ypassing Reverse bypass Always sends traffic through the appliance so that a failure of the appliance breaks network links and removes the device from the network This mode is useful in High Availability network links Forced bypass Enables bypass mode at all times regardless of the state of the attached appliance It should be noted that this mode will not prevent traffic from reaching your network...

Page 162: ...cing b ingress 0 SLOT4 commit Committing maps and filters set vline heartbeat timeout Use the set vline heartbeat timeout command to specify the heartbeat packets timeout period If heartbeat packets are not received within this period the system immediately activates bypass mode isolating the device or the network as appropriate The default timeout is 250ms Setting a lower rate means faster detect...

Page 163: ...n Slot 4 and commit CONTROLLER select slot 4 SLOT4 set vline heartbeat packet 416E206578 SLOT4 show vline vline mode vline Bypass mode auto Heartbeat rate 50 Heartbeat timeout 250 Heartbeat packet data 416E206578 Heartbeat status ACDB OK Heartbeat status BDCA OK Slicing a ingress 80 Slicing b ingress 0 SLOT4 commit Committing maps set vline slicing Use the set vline slicing command to set a slicin...

Page 164: ...bd off Slicing a ingress 128 Slicing b ingress 0 Slicing c egress 0 Slicing d egress 0 SLOT4 commit Committing maps and filters set vline breakout Use the set vline breakout command to specify breakout ports for V Line modules operating in Breakout mode Changes must be committed before they are implemented on the system Syntax set vline breakout AC BD On Off Parameters AC BD Select the breakout po...

Page 165: ...ine Use commit command to configure the vline with these settings vline mode aggregation Heartbeat status ACDB not OK Heartbeat status BDCA not OK Aggregate ab c on Aggregate ab d on Inject ca off Inject cb off Inject da off Inject db off Slicing c egress 0 Slicing d egress 0 SLOT3 commit Committing maps filters and vline set vline inject Use the set vline inject command to specify a packet inject...

Page 166: ...ggregation SLOT3 set vline inject ca on SLOT3 set vline inject db on SLOT3 show vline Use commit command to configure the vline with these settings vline mode aggregation Aggregate ab c off Aggregate ab d off Inject ca on Inject cb off Inject da off Inject db on Slicing c egress 0 Slicing d egress 0 SLOT3 commit Committing maps filters and vline ...

Page 167: ...m use the set packetprocessor Transform match set packetprocessor transform named match and set packetprocessor transform action commands Syntax create packetprocessor transform transform name Parameters transform name Specify a name for the transform The name is case sensitive and must be unique Spaces may be used if the name is contained in quotes Example Create a packet processor Transform name...

Page 168: ...ch with its name matches and actions Syntax show packetprocessor transforms Parameters This command has no arguments or keywords Example Show all packet processor Transforms CONTROLLER show packetprocessor transforms ipv4 L 5 remove GRE L 2 matches EtherType IPv4 IPv4 IHL 5 IPv4 protocol GRE GRE KS L 3 IPv4 actions 96 byte 12 delete 24 0x18 304 byte 38 delete 8 0x8 ipv6 UDP remove GRE_U V1 L 2 mat...

Page 169: ...16 match 2152 0x868 Ethertype ARP 96 width 16 match 2054 0x806 Ethertype IPv4 96 width 16 match 2048 0x800 Ethertype IPv6 96 width 16 match 34525 0x86DD Ethertype C tag 96 width 16 match 33024 0x8100 Ethertype MPLS multi 96 width 16 match 34888 0x8848 Ethertype MPLS uni 96 width 16 match 34887 0x8847 Ethertype S tag 96 width 16 match 34984 0x88A8 Ethertype VNTAG 96 width 16 match 35110 0x8926 GRE ...

Page 170: ...60 width 8 match 47 0x2F IPv6 protocol ICMP 160 width 8 match 1 0x1 IPv6 protocol TCP 160 width 8 match 6 0x6 IPv6 protocol UDP 160 width 8 match 17 0x11 Source GTP IPv4 272 width 16 match 3386 0xD3A Source GTP IPv6 432 width 16 match 3386 0xD3A Source GTP C IPv4 272 width 16 match 2123 0x84B Source GTP C IPv6 432 width 16 match 2123 0x84B Source GTP U IPv4 272 width 16 match 2152 0x868 Source GTP...

Page 171: ...5 IPv4 432 width 4 match 5 0x5 tt TCP Data Offset 5 IPv6 592 width 4 match 5 0x5 tt Version IPv6 176 width 4 match 6 0x6 set packetprocessor transform match Use the set packetprocessor transform match command to create a custom match within the first 120 bytes of a packet The matching bits can be either 0 1 or don t care X All bits are assumed to be X unless they have been specified in a match fie...

Page 172: ...packetprocessor transform remove v2 header matches 17 width 1 match 1 0x1 actions none CONTROLLER commit Committed packet processing set packetprocessor transform named match Use the set packetprocessor transform named match command to create a match using a named match Named matches are included as part of the system software and have been configured to match against a range of common matching re...

Page 173: ...g match bit within the field The start bit can be seen in the show packetprocessor transform output Example Clear a match field in the Transform named remove v2 header starting at bit 17 CONTROLLER set packetprocessor transform remove v2 header clear match 17 set packetprocessor transform clear named match Use the set packetprocessor transform clear named match command to remove a named match from...

Page 174: ...OR AND OR Replace Delete Obfuscate value Truncate Pass Parameters transform name The name of the packet processor Transform to add the action to start byte The position of the field to be acted on specified in bytes starting from the first transmitted received byte of the MAC destination address in the Ethernet header The first byte is numbered zero XOR Invert any bit s within a byte That is chang...

Page 175: ...essor speed command to configure the packet processor ports as 2 x 10G or 4 x 1G ports This setting applies to the currently selected slot with a packet processor module present Note that 10G ports are only possible when the module is installed in Slot 0 rear slot or Slot 1 front left slot Syntax set packetprocessor speed 1G 10G Parameters 1G Set ports A B C and D to 1G bps 10G Set ports A and B t...

Page 176: ... takes priority To see a list of Transforms use the show packetprocessor transforms command The pre configured Transforms are listed in section Packet Processor Preset Matches section Syntax set port port id packetprocessor transform transform number transform name Parameters port id Port to set either A B C or D transform name The name of the packet processor Transform to set transform number The...

Page 177: ...ther A B C or D slice size bytes Sets the packet slice size The minimum slice size is 64 bytes and the maximum is 8191 bytes A slice size of 0 turns packet slicing off Examples Set packet slice size to 756 bytes on Port 1A SLOT1 set port A packetprocessor slicing 756 Turn off packet slicing on Port 1A SLOT1 set port A packetprocessor slicing 0 cancel packetprocessor Use the cancel packetprocessor ...

Page 178: ...contain this sequence The relevant ping6 commands for Linux and Windows are as follows Linux ping6 ff02 1 interface Windows ping6 ff02 1 interface where interface is the local Ethernet interface as identified by the interface configuration command ifconfig or the equivalent on your operating system See the sample output below ping6 ff02 1 eth0 PING ff02 1 eth0 ff02 1 56 data bytes 64 bytes from fe...

Page 179: ... Java plugins The web UI complies with W3C recommendations and uses standard Java 1 5 for the applet The web UI should run on any platform that supports web standards including the latest versions of Internet Explorer Firefox Chrome see note below Opera and Safari Note As from September 2015 it will no longer be possible to run the web UI in Chrome as Google are withdrawing support for Java applet...

Page 180: ... 168 254 100 port 22 debug1 Connection established debug1 identity file home user ssh id_rsa type 1 debug1 identity file home user ssh id_rsa cert type 1 debug1 identity file home user ssh id_dsa type 1 debug1 identity file home user ssh id_dsa cert type 1 debug1 identity file home user ssh id_ecdsa type 1 debug1 identity file home user ssh id_ecdsa cert type 1 debug1 Remote protocol version 2 0 r...

Page 181: ...host key WARNING REMOTE HOST IDENTIFICATION HAS CHANGED IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY Someone could be eavesdropping on you right now man in the middle attack It is also possible that the RSA host key has just been changed The fingerprint for the RSA key sent by the remote host is 52 5a 1d 41 2c 77 de 3f 30 d1 b8 d2 6e e4 bb c1 Please contact your system administrator Add co...

Page 182: ...a 8 The latest version of Java has removed the option to set Medium security level for Java applets leaving only High and Very High security levels Neither of these levels will allow the web UI Java applet to run unless a site exception is added for this device To allow the Java applet to run configure the Java security settings as follows Turn on the Enable Java content in the browser setting Set...

Page 183: ...ensions 450mm w x 44mm h x 450mm d Compliance Emissions EN55022 class A Immunity ESD EN61000 4 2 Radiated EN61000 4 3 EFT Burst EN61000 4 4 Surge EN61000 4 5 Conducted EN61000 4 6 Power frequency magnetic field IEC 61000 4 8 Voltage dips interruptions IEC 61000 4 11 Harmonics EN 61000 3 2 Flicker EN 61000 3 3 Safety EN60950 1 UL60950 1 Environment RoHS compliance Operating temperature 0C to 40C Op...

Page 184: ...tNA X 1G 10G User Guide 1 4 2015 Network Critical Solutions Limited Feature Specifications Management CLI via SSH Web UI via HTTPS SNMPv1 v2v v3 Authentication Authorization Local RADIUS TACACS MTU Maximum Transmission Unit 10240 untagged traffic 10244 802 1q tagged traffic ...

Page 185: ... copper RJ45 multi mode fiber MM SFF single mode fiber SM SFF and SFP SFP port configurations 5611 RJ RJ V Line Module 2x 10 100 1000Mbps RJ45 Network Ports 2x 10 100 1000Mbps RJ45 TAP Ports 5621 MM RJ V Line Module 2x 1000Mbps Multi Mode LC Network Ports 2x 10 100 1000Mbps RJ45 TAP Ports 5622 SM RJ V Line Module 2x 1000Mbps Single Mode LC Network Ports 2x 10 100 1000Mbps RJ45 TAP Ports 5631 RJ SF...

Page 186: ...n between the Live RJ45 ports Optical switch switch automatically when the module detects a power failure to provide an optical bypass connection between the Live LC connectors Data Filtering None None Jumbo Frames Supported up to 16KB Supported up to 16KB Link Failure Propagation Supported Supported Link Synchronization Supported Not applicable Latency 50μs 50μs TAP ports C D Feature Copper Ports...

Page 187: ...rt all ports Green OFF Not Linked ON Linked Traffic flashing LFP Left Link Fail Propagation per port A and B only Green OFF Normal operation GREEN LFP has forced this port down HB Left Heartbeat OK per port C and D only Green OFF No Heartbeat being received GREEN Heartbeat being received OK Bypass LED status indicators LED V Line Mode Breakout Aggregation TAP Mode A B Top Port A B Bypass State OFF...

Page 188: ...s SmartNA X 1G 10G Modular SmartNA X 1G 10G User Guide 1 4 2015 Network Critical Solutions Limited LED V Line Mode Breakout Aggregation TAP Mode YELLOW REVERSE BYPASS Triggered Port A not connected to B GREEN Not Used GREEN Not Used ...

Page 189: ...to 40 C 32 F to 104 F Operating humidity 90 non condensing Storage temperature 20 C to 70 C 4 F to 158 F Power 5W IPP module data interfaces SmartNA X Intelligent Packet Processor Module has no external data interfaces Traffic is mapped to and from the module internally Speed 4 x 1G All Slots or 2 x 10G Slot 1 and Rear slot only Jumbo Frames Supported up to 9KBytes Minimum Frame size support 64Byt...

Page 190: ...nt panel Figure 82 Front panel Table 6 Chassis LED LED Status Use OFF Module not powered BLUE Module booted Power on board RED Chassis 12V detected Module not booted Table 7 IPP module LEDs LED Status Use OFF No packets being received Activity Top YELLOW Flashing Activity packets received OFF Not used Processing Bottom YELLOW Flashing Processing packet matches detected ...

Page 191: ...sed to match various EtherType headers Table 8 Ethertype matches Match name Match definition start bit width value Ethertype IPv4 96 16 2048 Ethertype IPv6 96 16 34525 Ethertype ARP 96 16 2054 Ethertype C tag 96 16 33024 Ethertype S tag 96 16 34984 Ethertype MPLS uni 96 16 34887 Ethertype MPLS multi 96 16 34888 Ethertype VNTAG 96 16 35110 t Ethertype IPv4 128 16 2048 t Ethertype IPv6 128 16 34525 ...

Page 192: ...v4 header matches Match name Match definition start bit width value IPv4 IHL 5 112 8 69 t IPv4 IHL 5 144 8 69 tt IPv4 IHL 5 176 8 69 Table 10 IPv4 header protocol matches Match name Match definition start bit width value IPv4 protocol ICMP 184 8 1 IPv4 protocol TCP 184 8 6 IPv4 protocol UDP 184 8 17 IPv4 protocol GRE 184 8 47 t IPv4 protocol TCP 216 8 6 tt IPv4 protocol TCP 248 8 6 t IPv4 protocol...

Page 193: ...CP 192 8 6 tt IPv6 protocol TCP 224 8 6 t IPv6 protocol UDP 192 8 17 tt IPv6 protocol UDP 224 8 17 t IPv6 protocol GRE 192 8 47 tt IPv6 protocol GRE 224 8 47 Transport header Matches TCP header length matches The following matches check the length of the TCP header is 5 words without options No further matches are defined for cases where it is not Table 13 TCP header length matches Match name Matc...

Page 194: ...v4 272 16 2152 Dest GTP U IPv4 288 16 2152 Source GTP IPv4 272 16 3386 Dest GTP IPv4 288 16 3386 Source GTP C IPv6 432 16 2123 Dest GTP C IPv6 448 16 2123 Source GTP U IPv6 432 16 2152 Dest GTP U IPv6 448 16 2152 Source GTP IPv6 432 16 3386 Dest GTP IPv6 448 16 3386 GRE header matches The following Matches can be used to match GRE or PPTP GRE headers using Key and Sequence fields but not Checksum ...

Page 195: ...5 Layer above TCP UDP The following Matches can be used to match GTPv1 GTPv2 and GTP headers Table 18 GTPv1 UDP only Match name Match definition start bit width value GTP v1 IPv4 336 3 1 GTP v1 IPv6 496 3 1 Table 19 Test PT bit not GTP Match name Match definition start bit width value GTP v1 not IPv4 339 1 1 GTP v1 not IPv6 499 1 1 The following presets match for checking the GTP header is not ext...

Page 196: ...TCP Match name Match definition start bit width value GTP v2 TCP IPv4 432 3 2 GTP v2 TCP IPv6 592 3 2 Test the TEID flag header length is 8 bytes if 0 12 bytes if 1 Table 23 GTPv2 TEID flag over UDP Match name Match definition start bit width value GTP v2 L 2 UDP IPv4 340 1 0 GTP v2 L 2 UDP IPv6 500 1 0 Table 24 GTPv2 TEID flag over TCP Match name Match definition start bit width value GTP v2 L 2 ...

Page 197: ... remove GRE L 2 Ethertype IPv4 IPv4 IHL 5 IPv4 protocol GRE GRE KS L 3 IPv4 96 byte 12 delete 24 0x18 304 byte 38 delete 8 0x8 ipv6 UDP remove GRE U V1 L 2 Ethertype IPv6 Version IPv6 IPv6 protocol UDP Source GTP U IPv6 GTP v1 IPv6 GTP v1 L 2 IPv6 96 byte 12 delete 50 0x32 remove C tag Ethertype C tag 96 byte 12 delete 4 0x4 remove QinQ double tag Ethertype S tag t Ethertype C tag 96 byte 12 delet...

Page 198: ...ly support of objects in this MIB The following restrictions apply to objects within the NlmLogVariableTable table nlmLogVariableID supported nlmLogVariableValueType supported nlmLogVariableTimeTicksVal supported for 1st entry only nlmLogVariableInteger32Val not supported nlmLogVariableOctetStringVal not supported nlmLogVariableOidVal not supported The following restrictions apply to objects withi...

Page 199: ... manual instructions has been modified in any way or has had any serial number removed or defaced Repair by anyone other than NETWORK CRITICAL SOLUTIONS or an approved agent will void this warranty The maximum liability of NETWORK CRITICAL SOLUTIONS under this warranty is limited to the purchase price of the product covered by the warranty Prior to returning any defective product the end customer ...

Page 200: ...Europe and Asia Network Critical Solutions Limited East Throp House 1 Paddock Road Caversham Reading Berkshire RG4 5BY United Kingdom Tel 44 0 118 954 3210 support networkcritical com North America and South America Network Critical NA LLC 37 Franklin Street Suite 100 Buffalo NY 14202 USA Tel 1 716 558 7280 Fax 1 716 568 8280 support us networkcritical com ...