Version 3.7
http://www.anuesystems.com
Anue Net Tool Optimizer User Guide, October 11, 2012 Part no: 510-12-0017-A0-0 Copyright 2008-2012 Anue Systems, Inc. All Rights Reserved. The information contained in this document is subject to change without notice and does not represent a commitment on the part of Anue Systems. No part of this manual may be copied, reproduced, stored in a retrieval system, or transmitted in any form, or by any means, electronic, mechanical, or otherwise, without the prior written permission of Anue Systems, Inc. Anue Systems makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The information in this document is believed to be accurate and reliable, however, Anue Systems assumes no responsibility or liability for any errors or inaccuracies that may appear in the document. Limited Warranty Anue Systems warrants that its Products will conform to the description on the face of order, that it will convey good title thereto, and that the Product will be delivered free from any lawful security interest or other lien or encumbrance. Anue Systems further warrants to Customer that hardware which it supplies and the tangible media on which it supplies software will be free from significant defects in materials and workmanship for a period of twelve (12) months, except as otherwise noted, from the date of delivery (the Hardware Warranty Period), under normal use and conditions. To the extent the Product is or contains software (Software), Anue Systems also warrants that, if properly used by Customer in accordance with the Software License Agreement, the Software which it supplies will operate in material conformity with the specifications supplied by Anue Systems for such Software for a period of ninety (90) days from the date of delivery (the Software Warranty Period). 
The Product Warranty Period shall mean the Hardware Warranty Period or the Software Warranty Period, as applicable. Anue Systems does not warrant that the functions contained in the Software will meet a specific requirement or that the operation will be uninterrupted or error free. Anue Systems shall have no warranty obligations whatsoever with respect to any Software which has been modified in any manner by Customer or any third party. Defective Products and Software under warranty shall be, at Anue Systems' discretion, repaired or replaced or a credit issued to Customer's account for an amount equal to the price paid for such Product provided that: (a) such Product is returned to Anue Systems after first obtaining a return authorization number and shipping instructions, freight prepaid, to Anue Systems' location in the United States; (b) Customer provides a written explanation of the defect or Software failure claimed by Customer; and (c) the claimed defect actually exists and was not caused by neglect, accident, misuse, improper installation, improper repair, fire, flood, lightning, power surges, earthquake, or alteration. Anue Systems will ship repaired Products to Customer, freight prepaid, based on reasonable best efforts after the receipt of defective Products. Except as otherwise stated, any claim on account of defective materials or for any other cause whatsoever will conclusively be deemed waived by Customer unless written notice thereof is given to Anue Systems within the Warranty Period. Anue Systems reserves the right to change the warranty and service policy set forth above at any time, after reasonable notice and without liability to Customer. 
TO THE EXTENT PERMITTED BY APPLICABLE LAW, ALL IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY EXCLUDED, AND THE LIABILITY OF ANUE SYSTEMS, IF ANY, FOR DAMAGE RELATING TO ANY ALLEGEDLY DEFECTIVE PRODUCT SHALL BE LIMITED TO THE ACTUAL PRICE PAID BY THE CUSTOMER FOR SUCH PRODUCT. THE PROVISIONS SET FORTH ABOVE STATE ANUE SYSTEMS' ENTIRE RESPONSIBILITY AND CUSTOMER'S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY BREACH OF ANY WARRANTY.
Contents
Preface............................................................................................................ 7
Organization ............................................................................................................... 7
CHAPTER 1 Overview....................................................................................................... 13
Port Connection Options ..... 15
Supported Packet Sizes ..... 16
Filter Overview ..... 16
Filter Criteria Options ..... 17
Control Panel Behavior when Adding or Removing Port Modules ..... 68
Creating Network or Tool Ports ..... 68
  Using the Port General Tab ..... 70
  Using the Network Port (Ingress) or Tool Port (Egress) Filter Criteria Tab ..... 73
  Using the Port Connections Tab ..... 73
  Using the Port Access Control Tab ..... 75
Creating Dynamic Filters ..... 75
  Using the Dynamic Filter General Tab ..... 76
  Using the Dynamic Filter Criteria Tab ..... 77
  Using the Dynamic Filter Connections Tab ..... 77
  Using the Dynamic Filter Access Control Tab ..... 78
Creating Port Groups ..... 78
  Interconnect Port Groups ..... 79
    Using the Interconnect Port Group General Tab ..... 81
    Using the Interconnect Port Group Ports Tab ..... 83
    Using the Interconnect Port Group Filter Criteria Tab ..... 85
    Using the Interconnect Port Group Connections Tab ..... 86
    Using the Interconnect Port Group Access Control Tab ..... 86
  Load Balance Port Groups ..... 89
    Using the Load Balance Port Group General Tab ..... 91
    Using the Load Balance Port Group Ports Tab ..... 92
    Using the Load Balance Port Group Filter Criteria Tab ..... 94
    Using the Load Balance Port Group Connections Tab ..... 94
    Using the Load Balance Port Group Access Control Tab ..... 95
Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters ..... 96
  Filter Mode ..... 97
  Available Criteria ..... 98
  Detailed Criteria Descriptions ..... 100
  Selected Criteria ..... 105
  Library ..... 108
Custom Dynamic Filtering ..... 109
  Define Custom Fields ..... 114
    MPLS Custom Fields ..... 114
    GTP Custom Fields (5288 only) ..... 115
    Raw Custom Fields ..... 117
  Use Custom Fields in Filters ..... 118
  Quick Example: GTP-U Custom Filtering Field (5288/5293 only) ..... 119
  Custom Filter Portion of Available Filter Memory Meter ..... 127
Filtering on 802.1Q VLAN Tags ..... 127
Port, Port Group, and Dynamic Filter Symbols and Indicators ..... 129
  Packet Drop Indicator ..... 133
  Link Down Indicator ..... 133
  Remove Users from Groups ..... 156
System View ..... 157
  Status Tab ..... 157
  Settings Tab ..... 166
  Version/License Tab ..... 184
  Hardware Info Tab ..... 186
  Available Filter Memory Meters ..... 189
CHAPTER 8 Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS ....................................................................................................... 191
Comparing Authentication Modes ..... 191
Configuring Remote Authentication ..... 193
  Subsequent sections describe in further detail how to configure both TACACS+ (page 197) and RADIUS (page 213). ..... 195
  Effects of Authentication Mode Changes on Users and Groups ..... 195
Configuring TACACS+ ..... 197
  Custom Authorization Settings ..... 198
  TACACS+ Access Control Group Settings ..... 199
  TACACS+ Servers ..... 200
  Adding a TACACS+ Server ..... 201
  Click the Test Settings button to verify that the NTO can connect to the TACACS+ server using the configured settings. ..... 202
  Configuring TACACS+ Accounting ..... 202
  TACACS+ Configuration Examples ..... 204
    TACACS+ User Authorization Examples ..... 205
    TACACS+ Access Control Group Examples ..... 212
Configuring RADIUS ..... 213
  RADIUS Servers ..... 215
  Adding a RADIUS Server ..... 215
  RADIUS Accounting ..... 217
  Configuring the Microsoft Network Policy Server ..... 217
    Adding an NTO as a RADIUS Client of the NPS ..... 217
    Configuring the NPS Network Policies ..... 219
Quick Start Example ..... 249
Use Case 1: Aggregating Three Network Ports to One Tool Port ..... 252
Use Case 2: Easily Extending the Configuration ..... 252
Use Case 3: Sending SPAN Port Data to Several Devices ..... 257
Advanced Packet Processing Features ..... 315
  VNTag Stripping (5288 only) ..... 316
  GTP Stripping ..... 317
  MPLS Stripping ..... 317
    L2 VPN with Pseudowire Control Words ..... 317
    L2 VPN without Pseudowire Control Words ..... 318
    L3 VPN ..... 318
  De-duplication ..... 318
  Packet Trimming ..... 320
    Packet Trimming Example 1 ..... 320
    Packet Trimming Example 2 ..... 320
    Packet Trimming Example 3 ..... 321
    Packet Trimming Example 4 ..... 321
  Packet Timestamping (5288 only) ..... 321
    Configurable Time Sources ..... 322
    Unavailable Time Sources ..... 323
    Trailer Format ..... 323
    Configured Time Sources and Alarms ..... 324
  Burst Protection (5236/5273 1G tool port only) ..... 325
  Packet Processing Pipeline ..... 326
    AFM Network Port Pipeline Order ..... 326
    Non-AFM Network Port Pipeline Order ..... 326
    AFM Tool Port Pipeline Order ..... 326
    Non-AFM Tool Port Pipeline Order ..... 327
AFM Statistics ..... 327
  At What Point Does Oversubscription (dropped packets) Occur? ..... 328
  AFM Oversubscription Example ..... 328
    In this scenario: ..... 329
AFM Operational Considerations ..... 329
Preface
About this Document
This document provides detailed information about the Anue Net Tool Optimizer (NTO), as well as the procedures necessary to use the Anue NTO to manage your network. For information about installing the Anue NTO, refer to the Installation Guide for your NTO model.

NOTE: This document is intended to be printed using double-sided printing. If you print this document using single-sided printing, some pages appear blank.

NOTE: Some Control Panel details differ between models of the NTO. Therefore, the screen captures in this document may differ from what you see for your particular model.
Audience
This document is intended for Anue customers that use the Anue Net Tool Optimizer (NTO). Readers should be familiar with networking concepts.
Organization
The following table describes the chapters and appendixes in this document.

Chapter 1, Overview: Provides an overview of the Anue NTO.
Chapter 2, Configuring the Management Port IP Settings: Describes how to configure the management port IP address.
Chapter 3, 5273/5288/5293 Craft Port Interface: Describes the Craft Port Interface.
Chapter 4, Log in to the Management Control Panel: Describes how to log in to the management control panel.
Chapter 5, Control Panel Menu Options: Describes the control panel menu options.
Chapter 6, Creating and Using Objects: Describes how to create and configure objects.
Chapter 8, Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS: Describes TACACS+ and RADIUS authentication.
Chapter 9, SNMP: Describes SNMP functionality.
Chapter 10, SYSLOG: Describes SYSLOG functionality.
Chapter 11, Access Control Using Groups: Describes how to control access using groups.
Chapter 12, Use Cases and Common Configurations: Provides use cases and describes common configurations.
Chapter 13, Control Panel Ease of Use Features: Describes control panel ease of use features.
Chapter 14, Automation Scripting: Describes automation scripting.
Chapter 15, Statistics: Describes statistics.
Appendix A, Software Upgrade and Port Allocation Procedures: Describes software upgrade and port allocation procedures.
Appendix B, 5204/5236/5273 Front Panel LCD Menu Reference: Describes the front panel LCD menus and functions.
Appendix C, Packet Processing Features: Describes packet processing features, both standard features and advanced features that are part of the advanced features modules for the 5236/5273 and the 5288.
Appendix D, How Licenses are Remapped Due to a Configuration Change: Describes how floating licenses change when the configuration changes.
Appendix E, Troubleshooting: Describes troubleshooting tools and procedures.
Appendix F, 5273/5288/5293 Safety Guidelines: Describes safety guidelines.
Document Conventions
Typographic
The following table describes the typographic conventions used in this document.

Convention: ABCdef
Description: Identifies book titles, emphasized words or words that appear in the glossary, and command variables.
Example: You must log in as root. C:\>cd directory_name

Convention: ABCdef
Description: Identifies commands and graphical user interface items with which you interact.
Example: Click the OK button.

Convention: ABCdef
Description: Identifies a hyperlink or URL.
Example: http://www.anuesystems.com

Convention: ABCdef
Description: Identifies computer-generated output, API elements, and code samples.
Example: package require anuento

Convention: [ ]
Description: Indicates optional parameters within a syntax description. This convention applies to scripting documentation only.
Example: [login_id]

Convention: |
Description: Separates items in a list of choices; used with braces ({ }) in a syntax description. This convention applies to scripting documentation only.
Example: {-include tcl_list(import_export_spec) | -exclude tcl_list(import_export_spec)}
Notational
The following table describes the notational conventions used in this document.

Tip: Provides information that might help you use the product more efficiently.
NOTE: Provides information that emphasizes the main text.
CAUTION: Provides information of critical importance that is required to ensure your own personal safety and to help protect your equipment and working environment from potential damage.
Icon (electrical hazard): Indicates an electrical hazard. This convention applies to hardware-related material only.
Icon (laser hazard): Indicates a laser light hazard. This convention applies to hardware-related material only.
Icon (waste disposal): Indicates that the material should not be discarded with ordinary waste. This convention applies to hardware-related material only.
Icon (dual power supply): Indicates a dual power supply. This convention applies to hardware-related material only.
Additional Information
The following table lists additional documentation associated with the Anue Net Tool Optimizer (NTO).

Installation Guide for your NTO model: Provides instructions for installing the Anue NTO.
Anue 5204/5236 Redundant AC Power Supply Connection Guide: Describes how to connect the Unipower AC Redundant Power Supply to the Anue NTO.
Anue 5204/5236 Redundant DC Power Supply Connection Guide: Describes how to connect the Unipower DC Redundant Power Supply to the Anue NTO.
Anue 5200 Automation Scripting Guide
Preface 10
Technical Support
Contacting Anue Technical Support

For technical support, contact Anue Systems:
Email: support@anuesystems.com
Phone:
  Direct: (512) 600-7200
  Toll Free (US & Canada Only): 1-877-268-3269 (Select option 2 from the phone menu.)
  Asia: +852 2824 8850
  EMEA (Europe, Middle East, Africa): +44 (0) 1189 076 204
The Anue Customer Portal (http://support.anuesystems.com) is also available. The customer portal allows customers to open support tickets, search for solutions, and download documentation. All customers with a current support contract have an employee who has been designated as their Customer Administrator. Contact your Customer Administrator for details on how to request an Anue Customer Portal password and login account.

Optional service and maintenance contracts are available for each of Anue's products and may be purchased separately. Contact Anue at sales@anuesystems.com for details.

Sending Log Files to Anue Technical Support

A technical issue may require that you send the Anue NTO log files to Anue Technical Support. To send log files to Anue Technical Support:

1. Select Help > Save and Send Logs from the menu.
2. Type a name for the log file, and click the Save button. Your email application launches with a new message addressed to support@anuesystems.com as shown in the image below.
3. Attach the log from the directory indicated in the body of the email.
4. Specify the reason you are sending the logs and include any other pertinent information in the body of the message.
5. Click Send.
CHAPTER 1 Overview
The Anue Net Tool Optimizer (NTO) directs network data from SPAN ports and TAPs in your data center and forwards it to a convenient centralized tool farm where multiple tools can share simultaneous access to the network data.

Models 5273, 5293: These models of the NTO are Network Equipment-Building System (NEBS) certified.

The Anue NTO has a full range of connectivity capabilities so that each network tool is fed exactly the data it needs from anywhere in your network.
Inbound traffic from any incoming port may be switched to one or more outgoing ports, regardless of the speed of the incoming and outgoing ports. Ports designated through software as Network Ports are used to connect tap and SPAN ports to the Anue NTO. Ports designated through software as Tool Ports are used to connect tools such as data recorders and VoIP monitors to the Anue NTO. The NTO server runs on the unit chassis and the Control Panel client, a Java based graphical user interface (GUI), is provided so that the configuration and visualization of port mappings is easy and intuitive. Multiple users can manage the NTO simultaneously and passwords and access privileges can be assigned. The Anue NTO server manages access to the configuration database. Users are warned when potential database conflicts exist and are allowed to decide if changes are saved to the database.
NTO Automation Scripting enhances the functionality of the NTO by providing the ability to automate the configuration and management of the NTO. NTO Automation Scripting consists of a command interpreter and a set of commands that can be saved in script files for automated processing or typed into an interactive shell for immediate processing. For example, this functionality allows you to interactively manage several Anue Net Tool Optimizers, to track specific traffic patterns during certain times of day, and to automatically update filter criteria and/or connections based on user defined trigger parameters. Statistics are also provided to help monitor tool utilization and optimization. Table 1-1 summarizes the physical characteristics of the different NTO models.
Table 1-1: Characteristics of NTO Models

Models 5204, 5236, 5273: The unit chassis is 1U high (5273 is 2U high) and supports up to 28 ports on the front and back. Port speeds of 1G and 10G are supported. In addition, built-in copper ports support 10/100/1000.

Models 5288, 5293: The unit chassis is 2U high and supports up to 64 ports on the front. Port speeds of 1G, 10G, and 40G are supported.
You can combine the port connection combinations listed above in any speed mapping combination. NOTE When you map ports with higher rates of traffic to ports with lower rates of traffic (for example, a 10G Ethernet port mapped to a 1G port or multiple 1G ports aggregated to a 1G port), you should use filters so excess traffic is not passed to lower rate ports. Filtering can help tools avoid being overloaded with unnecessary or unwanted data.
Filter Overview
This section provides an overview of the filter types that are available on the NTO.

Tip: Several technical notes on advanced filtering subjects can also be downloaded from the Anue Customer Portal. See Technical Support on page 11 for information on how to access the Anue Customer Portal.

Filter Types

Dynamic filters are the primary method used to filter traffic on the Anue NTO. These are the filters that appear in the middle of the NTO Control Panel Diagram View. They are optimized for topologies that require both aggregating traffic from multiple network ports to a single tool, as well as sharing traffic from a network port with multiple tools. Dynamic filters are recommended as the default filtering approach because nearly all users have both of these topology requirements.

In addition to the dynamic filters, three other filter types are available: an ingress filter (located in the Network Ports column in the control panel), an egress filter (located in the Tool Ports column), and a Dynamic One-Stage filter (an advanced mode of dynamic filter, located in the Dynamic Filters column). All of the filter types can be used in combination with each other.
Ingress Filters

Ingress filters are configured at the network port. Ingress filtering occurs immediately upon traffic entering a network port, upstream from other filter types. One ingress filter can be applied to each network port. Deny and Pass filter modes are supported. Any traffic that is filtered out (i.e. removed) at ingress is no longer available to any downstream filters or tools. Therefore, care should be used when applying Ingress filters. Ingress filters are typically used in conjunction with dynamic filters to remove traffic that is not needed by the tools that are connected, or plan to be connected, to a network port. By filtering at ingress, traffic that is not needed is removed from the beginning and the overall filtering capacity of the NTO is improved.

Egress Filters

Egress filters are configured at the tool port. Egress filtering occurs downstream from Ingress and Dynamic filters. Deny and Pass All filter modes are supported. This filter type is typically used to fine tune filtering in combination with the Dynamic filters. Using a Deny filter to remove traffic that is not required by tools can also improve tool performance.

Dynamic One-Stage Filters

One-stage is an advanced setting on a dynamic filter. This type of filter is appropriate for applications that require sharing network port traffic with multiple tools, but do not require a heavy aggregation capability that could exceed the bandwidth of the tool port to which it is connected.

Dynamic filters (which display in the center of the diagram area) allow traffic to pass through based on the defined criteria. The filter can also be configured to Pass All or Deny All traffic.

Tool ports deny traffic from passing through based on the defined criteria. The filter can also be configured to Pass All or Deny All traffic.
The following filter criteria options are available. Note that the available filter criteria options may vary based on the object type (port or dynamic filter), filter mode (Pass All or Deny All) and the filter memory allocation settings.

Layer 2: MAC Address, Ethertype, VLAN Tag

IPv4
  Layer 3: IPv4 Address, IP Protocol, DSCP/ECN
  Layer 4: L4 Port (TCP/UDP Port), TCP Control

IPv6 (Models 5236/5273 only)
  Layer 3: IPv6 Address, Next Header, Traffic Class
  Layer 4: L4 Port (TCP/UDP Port), TCP Control

Several criteria options can be selected per filter. The selected criteria can be ANDed or ORed.
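The three filter stages described above (ingress at the network port, dynamic filters in the middle, egress at the tool port) and the AND/OR combination of criteria can be modelled in a few lines. The following is an added example, not Anue's code: the port names, field names and sample packets are constructed, and the point it demonstrates is that a packet denied at ingress never reaches a dynamic filter or tool, whatever those filters would have allowed.

```python
"""Added example (not Anue's code): a model of the NTO's ingress, dynamic and
egress filter stages. Port names, header field names and packets are
constructed for illustration."""
from dataclasses import dataclass, field

# A packet is a dict of header fields drawn from the criteria categories on
# this page (MAC, Ethertype, VLAN tag, IP protocol, DSCP, L4 port, ...).
Packet = dict


@dataclass
class Criterion:
    """One selected criterion: a header field and the values that match."""
    field_name: str
    values: set

    def matches(self, pkt: Packet) -> bool:
        return pkt.get(self.field_name) in self.values


@dataclass
class Filter:
    """mode 'pass' forwards only matching traffic, 'deny' drops matching
    traffic; 'pass_all' and 'deny_all' ignore the criteria.
    logic is how the selected criteria combine: 'and' or 'or'."""
    mode: str = "pass_all"
    criteria: list = field(default_factory=list)
    logic: str = "and"

    def _hit(self, pkt: Packet) -> bool:
        if not self.criteria:          # nothing selected: nothing matches
            return False
        combine = all if self.logic == "and" else any
        return combine(c.matches(pkt) for c in self.criteria)

    def forwards(self, pkt: Packet) -> bool:
        if self.mode == "pass_all":
            return True
        if self.mode == "deny_all":
            return False
        hit = self._hit(pkt)
        return hit if self.mode == "pass" else not hit


@dataclass
class DynamicFilter:
    """Sits between the network ports and tool ports it is connected to."""
    name: str
    network_ports: set
    tool_ports: set
    filt: Filter


@dataclass
class NTO:
    ingress: dict = field(default_factory=dict)   # network port -> Filter
    egress: dict = field(default_factory=dict)    # tool port -> Filter
    dynamic: list = field(default_factory=list)   # DynamicFilter objects

    def deliver(self, network_port: str, pkt: Packet) -> list:
        """Return the sorted tool ports that receive pkt from network_port."""
        # Stage 1: the ingress filter runs first. Traffic denied here is gone
        # for good: no dynamic filter or tool downstream ever sees it.
        if not self.ingress.get(network_port, Filter()).forwards(pkt):
            return []
        # Stage 2: every dynamic filter connected to this network port sees
        # the packet, so one packet can reach several tools (sharing).
        tools = set()
        for df in self.dynamic:
            if network_port in df.network_ports and df.filt.forwards(pkt):
                tools |= df.tool_ports
        # Stage 3: the egress filter at each tool port fine-tunes the result.
        return sorted(t for t in tools
                      if self.egress.get(t, Filter()).forwards(pkt))


def build_demo_nto() -> NTO:
    """Constructed topology: N1 feeds a VoIP monitor (T1) and a recorder (T2)."""
    return NTO(
        # Ingress: drop the constructed VLAN 999 at the network port so it
        # never consumes downstream filter capacity.
        ingress={"N1": Filter("deny", [Criterion("vlan", {999})])},
        # Egress: the recorder on T2 does not want IPv6 frames.
        egress={"T2": Filter("deny", [Criterion("ethertype", {0x86DD})])},
        dynamic=[
            # SIP signalling only: UDP AND destination port 5060/5061.
            DynamicFilter("sip-to-voip", {"N1"}, {"T1"}, Filter(
                "pass", [Criterion("ip_proto", {17}),
                         Criterion("dst_port", {5060, 5061})], "and")),
            # Everything that survived ingress goes to the recorder.
            DynamicFilter("all-to-recorder", {"N1"}, {"T2"}, Filter("pass_all")),
        ],
    )


# Constructed sample packets (only the fields the filters look at).
SIP_CALL = {"vlan": 10, "ethertype": 0x0800, "ip_proto": 17, "dst_port": 5060}
WEB = {"vlan": 10, "ethertype": 0x0800, "ip_proto": 6, "dst_port": 443}
SIP_V6 = {"vlan": 10, "ethertype": 0x86DD, "ip_proto": 17, "dst_port": 5061}
MGMT_NOISE = {"vlan": 999, "ethertype": 0x0800, "ip_proto": 17, "dst_port": 5060}
```

Run `build_demo_nto().deliver("N1", MGMT_NOISE)` to see that the VLAN 999 packet reaches no tool even though the SIP dynamic filter would have matched it; the same packet on VLAN 10 reaches both T1 and T2.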
Location(s) and Labels:
- One port on the rear of the chassis
- One port on the front of the chassis
- Two ports: one on the front of the chassis labeled "front", one on the rear labeled "rear"
- Two ports on the front of the chassis numbered 1 and 2
The following rules and practices apply to the management ports:
- Connecting both management ports allows for failover redundancy, which is recommended but not required.
- Both management ports must be connected to the same subnet.
- Both management ports will automatically be assigned the same IP address but have unique MAC addresses.
- If both management ports are connected and report a link up status when the unit is powered up, the 1st Ethernet port will be the active port and the 2nd Ethernet port will be the standby (backup).
  NOTE: You cannot access the standby port to manage the NTO while it is the standby, only if it becomes the active port.
- In the event of failover to the standby Ethernet port, the standby port will remain active when the original active port returns to service. The original active port becomes the standby (backup) port.
- Models 5273/5288/5293: Auto-MDIX (automatic medium-dependent interface crossover) is supported for copper 1G, 100M and 10M ports. Auto-MDIX allows the interface to automatically detect and support a straight-through or crossover Ethernet cable.

NOTE: In the event of management port failover, the NTO will issue gratuitous ARPs for its own address to cause the remote nodes to update their ARP tables. Customers should verify that the routers in their network have gratuitous ARPs enabled. If gratuitous ARPs are not enabled on remote nodes, management port switchover may take longer to complete.
More Information

For information about configuring the management port IP address using the front panel control panel and LCD, refer to either the Anue 5204/5236 Installation Guide or the Anue 5273 Installation Guide. For information on how to configure the management port IP address using the craft port, see Chapter 3, 5273/5288/5293 Craft Port Interface.
Caution: Changing the IPv4 address, subnet mask, default gateway, IPv6 address, or network prefix settings will restart the NTO and force all users off the system. The user performing the IP address change will lose connection to the unit from the control panel GUI after saving the modification. To regain access to the unit, log in to the Anue NTO using the new IP address. If the newly assigned IP address values are not correct, users will not be able to access the NTO remotely.
(Models 5204/5236/5273) Misconfigured IP address settings can only be corrected using the LCD interface. (Model 5273 addresses can be corrected using either the LCD or the craft/serial port interface.)
(Models 5273/5288/5293) Misconfigured IP address settings can only be corrected using the craft/serial port interface.

1. Log in to the control panel as described in Log in to the Management Control Panel using an account that has System Administrator privileges.
2. Click System in the management frame at the left side of the control panel and access the Status Settings tab. The information on this tab differs depending on your NTO model.
3. Configure the desired IP address, subnet mask and gateway in the Set IP Configuration window.
4. Click OK to save the changes.
The NTO supports dual stack IPv4/IPv6 management. IPv4 is always enabled and available for static assignment. IPv6 can optionally be enabled for dual stack operation and a static IPv6 management address can be assigned. IPv6 addresses may be entered using preferred format (e.g. 2001:0:0:0:0:80:21AF:3DAB) or compressed format (e.g. 2001::80:21AF:3DAB, where :: collapses consecutive groups of zeros). The default gateway for the NTO's IPv6 management interface is automatically determined by periodic router advertisements received on the interface.
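Because a mistyped address, mask or gateway locks administrators out until the LCD or craft port can be reached (see the caution above), it is worth checking the three IPv4 values against each other before clicking OK. The following is an added example, not part of this guide or the Anue software: it uses Python's standard ipaddress module to confirm that the address is a valid dotted quad, that the mask is a contiguous netmask written in mask form, and that the gateway lies in the resulting subnet, and it rejects the network and broadcast addresses. It also renders an IPv6 address in the preferred and compressed notations described above and rejects link-local and other non-routable IPv6 addresses. The address values used in the test calls are constructed examples.

```python
import ipaddress


def check_ipv4_management(ip: str, netmask: str, gateway: str) -> list:
    """Return a list of problems with a proposed IPv4 management configuration.
    An empty list means the three values are mutually consistent."""
    problems = []
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return [f"IP address {ip!r} is not a valid dotted quad"]
    try:
        # strict=False keeps the host bits; an invalid (non-contiguous) mask raises
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    except ValueError:
        return [f"netmask {netmask!r} is not a valid contiguous mask"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return [f"gateway {gateway!r} is not a valid dotted quad"]
    # ipaddress silently accepts a hostmask such as 0.0.0.255; the unit expects a netmask
    if str(net.netmask) != netmask:
        problems.append(f"netmask {netmask!r} must be written in mask form ({net.netmask})")
    if net.prefixlen > 30:
        problems.append(f"netmask {netmask!r} leaves no room for a host and a gateway")
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is not in subnet {net}")
    elif gw == addr:
        problems.append("gateway must differ from the unit's own address")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gateway} is the network or broadcast address of {net}")
    return problems


def check_ipv6_management(address: str, prefix_length: int) -> list:
    """Validate a static IPv6 management address and prefix length.
    No gateway check: the guide states the IPv6 gateway comes from router advertisements."""
    problems = []
    try:
        addr = ipaddress.IPv6Address(address)
    except ValueError:
        return [f"{address!r} is not a valid IPv6 address"]
    if not 1 <= int(prefix_length) <= 128:
        problems.append(f"prefix length {prefix_length} must be between 1 and 128")
    if addr.is_link_local or addr.is_multicast or addr.is_loopback or addr.is_unspecified:
        problems.append(f"{addr.compressed} is not a usable unicast management address")
    return problems


def ipv6_forms(address: str) -> dict:
    """Return the same IPv6 address in the notations the guide accepts:
    'preferred' (all eight groups, leading zeros dropped), 'compressed' (:: form),
    plus the fully exploded form for comparison."""
    addr = ipaddress.IPv6Address(address)
    groups = addr.exploded.split(":")
    return {
        "preferred": ":".join(f"{int(g, 16):x}" for g in groups),
        "compressed": addr.compressed,
        "exploded": addr.exploded,
    }


if __name__ == "__main__":
    print(check_ipv4_management("192.168.162.12", "255.255.255.0", "192.168.41.99"))
    print(ipv6_forms("2001:0:0:0:0:80:21AF:3DAB"))
```

Run the check with the values you intend to type into the Set IP Configuration window; only commit when the list comes back empty.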
Model 5273
More Information: Standard 9-pin, RS-232 serial port, located on the rear panel. Note that the 5273 craft port exposes a female connector.
5288, 5293
Connect a serial cable between the NTO craft port and the serial port of a computer running a COM port terminal utility. The settings of the COM port terminal utility must be set to 115200 baud, 8 data bits, 1 stop bit, and no parity. You can configure the NTO for IPv4 and IPv6.
Main Menu options are displayed below the unit status information.

Welcome to Anue Systems
<IP Address, IPv4 and IPv6 if it's also enabled.>
Hit Enter to refresh status
[System Name]
<System Type: System Status>
Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results
Enter command number:
Reboot System
From the Main Menu type 1 to reboot the system and then press the Enter key on the keyboard. A reboot verification message will be received. Type yes to begin the system reboot.
IP Config
1. From the Main Menu, type 2 and then press the Enter key on the keyboard. The following menu will display. Notice that the current settings are displayed next to each menu item.

IP Config:
1. Set IP Address (192.168.41.99)
2. Set Netmask (255.255.255.0)
4. Commit changes
5. Cancel/Return to Main Menu

2. Enter the command number for the IP setting you wish to change (1, 2, or 3). For this example, we will select menu option 1 (Set IP Address). The following prompt will display.

Enter new IP Address:

Type 192.168.162.12. Then press the Enter key on the keyboard. A confirmation message will then display.

Value entered: 192.168.162.12
Correct? Enter Y or N

Type y or Y. Then press the Enter key on the keyboard.

3. The IP Config menu will now display the modified IP address along with the other settings and options. Note that the modification will not take effect on the NTO until the changes have been committed (menu option 4).

IP Config:
1. Set IP Address (192.168.162.12)
2. Set Netmask (255.255.255.0)
4. Commit changes
5. Cancel/Return to Main Menu

Select option 1, 2 or 3 to continue modifying the current IP settings using the procedure described above. Select option 4 to commit changes (there will be another verification prompt before changes are actually applied). Select option 5 to cancel all changes that have not been committed.

Note: The System Status displayed on the main menu may indicate Not ready until management port configuration changes have been completed. Once the configuration changes have completed, the full main menu will display.
Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results
Enter command number: 4
Enter the key to reset the admin pasword: 00000003
Value entered: 00000003
Type "yes" to accept, anything else to cancel: yes
The password has been reset to default.
Welcome to Anue Systems
IP address: 192.168.162.33
Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results
Enter command number: 6
Get Power On Self Tests results
Type "yes" to accept, anything else to cancel: yes
Results: Passed
Address of website field, enter the IP address of the NTO, for example, http://192.168.40.122/. Click the Allow button. Click the Close button. Click OK.
NOTE: If your browser version requires a different procedure to enable cookies, please consult the help information of the browser for instructions.
C. For network environments where NAT (Network Address Translation) firewall traversal is required, see Port Forwarding for NAT Firewall Network Environments on page 36.

3. In the General section, click the link to the right of the Login banner field. The Set Login Banner Configuration dialog displays (Figure 4-1).
4. Type in the login banner text and URI you want to display at login and click Preview to see it (for example, see Figure 4-2).
5. Click Cancel to close the preview.
6. Click OK to accept the new login configuration. A portion of the login banner text displays to the right of the Login banner field.
The Welcome page provides general information about the Net Tool Optimizer and resources to help manage and configure your NTO model.
At the left side of the page, there are links to the PDF versions of the Startup Guide and the User Guide.
At the lower left side of the page there is a display that indicates the current status of the NTO. This is a real time display that is updated once a second. Models 5204, 5236, 5273: The current status information also appears on the front panel LCD for the NTO. For information about status messages, see the 5204/5236/5273 Front Panel LCD Menu Reference. In the center of the page, there are links to the Anue Systems Support web page, the Anue Systems home page, and the Tcl package to be downloaded. Unzip the Tcl package zip file to install the Tcl package. Complete help for installing and using the Anue Tcl Package can be found in the Automation Scripting Guide for your NTO model. Click the Launch 52xx Control Panel button. Tip: If you have previously accessed the NTO server from your current PC, you can skip to the Control Panel Login instructions as described below. See Login Issues in the Appendix E, Troubleshooting for information on resolving log in issues. If this is the first time you have launched the application, a Java based client will automatically download to the client PC from the NTO server. The Java based client requires Java Runtime Environment (JRE) 1.6 or 1.7 (that is, Java 6 or Java 7). Anue has tested on and recommends Java versions 1.6.0_31 and 1.7.0_05-b05. Both the 32-bit and 64-bit version of JRE are supported. The Firefox browser may prompt you to open console_jnlp.jsp with Java (TM) Web Start Launcher as shown in. Click Ok if you receive this prompt.
If an older version of Java is installed on the client PC, one of the following will happen: The NTO Server will attempt to update client PC to the supported version. The browser will display the message, This website wants to install the following add-on: Java (TM) SE Runtime Environment 6 Update # from Sun Microsystems, Inc. If you trust website and the add-on and want to install it click here. The NTO Welcome page will provide a link to a website that will allow Java to be downloaded and installed instead of displaying the Launch 52xx Control Panel button (as shown in). The prompt will also display if the client PC does not have any version of Java installed.
Click the message and select Install Active X control to upgrade Java.
Control Panel Log In When the Control Panel Log In window displays, enter the NTO DNS name or address (IPv4 or IPv6), Login ID, and password. Note the system default Login ID (admin) and default Password (admin).
If this is the first time that the NTO has been powered up or the unit has been reset to factory defaults a license key must be entered. The license key is located on the USB memory stick that was shipped in the same box as the NTO unit.
To enter the license key, click the Browse button at the bottom of the window, navigate to the license key on the USB flash drive, select the license key, and click the OK button. Log In Window options: NTO: Enter the IP address (IPv4 or IPv6) or DNS name defined for the NTO.
NOTE: IPv6 management must be enabled before IPv6 can be used to log in to or manage the NTO. IPv4 addresses must be entered using dotted quad format (e.g. 192.168.162.25). IPv6 addresses may be entered using preferred format (e.g. 2001:0:0:0:0:80:21AF:3DAB) or compressed format (e.g. 2001::80:21AF:3DAB, where :: collapses consecutive groups of zeros). If this is the first attempt to log in to the NTO, the displayed IP address or DNS name matches the value entered into the HTML browser URL field. Subsequent login attempts will display the IP address or DNS name of the NTO that was last successfully logged in to.
History: If there have been prior logins, clicking the History button will provide a pick list of IP addresses and/or DNS names that can be selected for login - for example, the Address History shown below:
A selection from the History will populate the NTO field.
Login Id: Enter the login name. Note the system default Login Id (admin).
Password: Enter the password associated with the name entered in the Login Id field. Note the system default Password (admin).
Click OK to log in.
Note: Additional users can be added as described in the Adding Users and Configuring Authentication section.
Table 4-1 shows an example port forwarding table (using default ports):
Table 4-1: Example Port Forwarding Table, Using Default Ports
As shown in Table 4-1 above, any traffic received by the NAT firewall destined for port 80 will be forwarded to port 80 on the NTO server at 10.0.0.21. Given the configuration shown above, clients inside and outside the NAT firewall could still access the NTO web server at IP address 10.0.0.21 using the default HTTP port 80.
Clients inside the firewall can access the NTO web server as follows: http://10.0.0.21
Clients outside the NAT firewall could access the NTO web server as follows: http://67.195.3.55
By using default incoming ports as shown in the example above, only one NTO server can be configured behind the NAT firewall because the default ports can only be forwarded to one server. If more than one NTO server resides behind the firewall, the administrator needs to configure additional (non-default) ports. For more detailed information about setting up NAT firewall traversal and using multiple NTO servers behind the firewall, go to the customer portal and download the NTO tech note entitled 5200 - Anue 5200 Series NAT Traversal.
Manage Multiple NTO Systems from the Same Control Panel Interface using ULM
The ULM (Unified Login and Management) feature allows users to log in to and manage multiple NTO systems without having to start multiple instances of the Control Panel interface. Using ULM a user will be able to easily switch between NTO units for viewing and management. Although the diagram area and controls for the NTO units appear in the same interface, the units are completely independent and do not share data. A change made to the configuration of one of the units will have no effect on the other units. Note: All NTO systems managed with ULM must be running the same software version.
After logging in to a NTO system, select File -> New Session from the Control Panel menu to log in to additional systems. The user can also log in to the same system more than once using different Login IDs. This feature can be used as a method to troubleshoot security issues. For example, an administrator could log in to the same unit as a System Administrator and as a non-System Administrator to verify that applied security settings are having the desired effect for certain users.
After more than one user is logged in, a separate tab will appear in the Control Panel interface for each unique Login Id/NTO combination. Information displayed on the tab:
- A user icon. Non-administrators are represented by a person wearing a blue shirt. System administrators are represented by a person wearing a shirt and tie.
- A system alarm status indicator, which indicates the highest alarm state of all subsystems.
- The System Info name (if defined on the Settings tab of the System view). The System Info name in the example above is NTO-52 3.0 Testing.
- The NTO model number (for example, 5293).
- The user Login Id name @ the NTO IP address or DNS name.

The user can choose which system to manage by clicking on the appropriate tab. The active tab will have a gold border along the top edge. Except for the Edit -> Options settings, actions performed using the menu options will only apply to the configuration of the NTO system that is selected. The Edit -> Options settings are stored locally and apply to all systems that are logged in to from the same PC. Objects (filters and filter criteria, for example) can be copied and pasted from one NTO diagram to another.

It is possible to have multiple property and statistic dialog boxes from different NTO systems open simultaneously. The title bar of each dialog box will display the NTO model number, user name and unit IP address or DNS name. When several port or filter statistic dialog boxes are open (from the same system or different systems), clicking the Pause button in one of the dialog boxes will pause the reporting of statistics for all open dialog boxes. Clicking the Resume button in one of the dialog boxes will resume the reporting of statistics for all open dialog boxes. Note that pausing and resuming of statistics reporting also affects the statistics displayed in the ports and dynamic filter views.

Tip: The F12 function key can be used to bring all open statistics windows into the foreground at the same time.

To log out of a system (close the tab for the system):
1. Click the tab of the system.
2. Select File -> Log Out from the menu or use the Ctrl+L shortcut.
Subsequent Log in using the Saved Sessions Feature
The control panel GUI has the ability to remember active sessions upon exit. Session information can be saved to the user's local PC preferences and recalled the next time the user logs in. This feature is enabled by default but it can be disabled by selecting Edit -> Options from the menu, deselecting the Remember active sessions on exit option and clicking OK. After the IP address of an NTO (that was active upon exit of the last session) is entered into an HTML browser and the Launch 52xx Control Panel button is clicked, the user will be prompted for the Login IDs and passwords that were active during the last session.
Tip: If the last session included logins to systems that used the same login name/password combination, the login name/password combination only has to be entered once to log into all of those systems. For example, if a session included 4 systems with the login name/password of admin/admin, the user will automatically be logged into all 4 systems after entering admin/admin once at the Log In prompt.
login ID admin and password admin. The admin account cannot be deleted, even when using one of the remote authentication services. You should change the password for the admin account at your earliest opportunity. Caution: If forgotten, account passwords cannot be recovered. If the admin account password is lost, and it is not possible to use one of the reset procedures described below, the NTO unit must be returned to Anue Systems to be reset. Models 5204, 5236, 5273: The password for the admin account can be reset using the front panel controls if the LCD admin password reset feature is enabled on the System Settings page. Note that this feature is enabled by default. See Resetting the Admin Password from the LCD Menu on page 311 for more information. Models 5273, 5288, 5293: The password for the admin account can be reset using the serial/craft port interface. See Reset Administrator Password on page 26.
3. Configure the user account in the New User window. Click the System Administrator checkbox to assign system administrator capability to the user account. A password must be assigned for new users. Users can change their passwords after logging in.
4.
Table 4-2 lists the capabilities of System Administrators and Non-Administrator Users.
Table 4-2: System Administrator and Non-Administrator User Capabilities
| Capability | System Administrator | User |
|---|---|---|
| Add and delete user accounts and modify the properties of any user account | x | |
| Modify system configuration settings | x | |
| Install a license and software upgrades | x | |
| Save, restore and clear configurations | x | |
| Clear filters | x | |
| Clear the system | x | |
| Import/export configurations | x | |
| Create groups and port groups | x | |
| Shutdown/restart the system | x | |
| Add, modify, delete, enable and disable any object | x | |
| Modify the Edit->Option settings | x | x |
| Modify their own user account properties | x | x |
| View objects created by all users | x | x |
| View, reset and export object statistics | x | x |
| Add, modify and delete filters | x | x |
| Delete and add connections between objects | x | x |
| Create and modify custom icons and filter templates | x | x |
The Control Panel is the primary user interface for controlling, configuring, and monitoring the NTO. There is also an automation scripting interface. See Automation Scripting for more information.
The menu options (File, Edit, View, Help) and shortcut toolbar can be used to configure the NTO settings and gather information. Focus indicates which objects are currently displayed in the diagram. Selection indicates the selected object.
Management Frame
The management frame provides high level views and configuration options for Ports, Port Groups, Dynamic Filters, Library (filter and icon), Users, Groups and the NTO System. The default selection is Diagram which displays the diagram area. The view that is selected will have a gold strip along its left edge.
Diagram Area
The Diagram Area is used to connect and configure NTO objects such as dynamic filters, ports and port groups.
The diagram area title bar shows the number of objects configured and displayed in the diagram. For example in the figure above, Tool Ports/Port Groups (5 of 12) indicates that 12 tool ports or port groups are configured and 5 of them are visible. In this case, the remaining 7 ports are contained within the port groups displayed. The count of ports that are not displayed will also include disabled ports that are hidden. Note that objects in the diagram area are automatically arranged using an algorithm designed to minimize crossed connections. See the Edit Menu section for details on the Auto-organize algorithm and information on how to disable the feature if desired.
The bottom section of the diagram area provides a Function Key Legend for several viewing options. See the Function Keys section for a description of displayed and non-displayed functions keys.
Right-Click Function
You can right-click many items for a shortcut menu of options. For example, right-clicking on the diagram area background displays a menu with the options shown in the figure below.
Right-clicking on ports, port groups and dynamic filters will also display a menu, like the one below when you right-click a network port icon.
File Menu
This section describes the File menu. Note that the file menu options are different for regular users and system administrators.
New Session Sessions allow users to log in to multiple NTO systems. Unified Login and Management (ULM) is used to manage sessions. See Manage Multiple NTO Systems from the Same Control Panel Interface using ULM for more information.
Log Out: Ends the current session (the one whose session tab is active).
New > Dynamic Filter: Opens a dialog for configuring a new dynamic filter.
New > Interconnect Port Group -> (Network, Tool or Bidirectional): Opens a dialog for configuring a new network, tool, or bidirectional interconnect port group.
New > Load Balance Port Group: Opens a dialog for configuring a new load balance group.
New > Filter Template Collection: Opens a dialog for configuring a new collection of filter templates.
New > Filter Template: Opens a dialog for configuring a new, reusable filter template.
New > User: Opens a dialog for adding a new local user to the system. (This option is available only to system administrators, and only when the NTO is in local authentication mode.)
New > Group: Opens a dialog for adding a new local group to the system. (This option is available only to system administrators, and only when the NTO is configured to manage groups locally.)
The following menu options are only available to system administrators.
Export Configuration: Opens a dialog for saving the current system settings and configuration to an external file for backup purposes or to share the settings between systems. (See Exporting and Importing an NTO Configuration on page 51.)
Import Configuration: Opens a dialog for applying the settings from a previously exported configuration file to the system. (See Exporting and Importing an NTO Configuration on page 51.)
Restart: Restarts the hardware and software systems of the NTO as if from power down and power up.
Power Down: Shuts down the hardware and software systems of the NTO. Note that the system will need to be restarted manually after power down. For information about restarting after power down, refer to the Installation Guide for your NTO model.
Clear Filters and Ports: Removes all filters and port groups and resets all ports to factory default.
Clear Configuration: Does the same thing as Clear Filters and Ports, and also removes all user groups, filter templates and collections, and local users (except for the default administrator).
Clear System: Does the same thing as Clear Configuration, and also removes all library items and resets all system settings and the default administrator password to factory default. The unit will then be restarted.
The export and import features allow the user to accomplish four (4) essential tasks:
1. Make a full backup of an NTO configuration. This feature can be used to restore a unit to a base configuration in the case of accidental data loss.
2. Make identical copies of a master unit. The master configuration could be used as a starter template when there is a need to deploy several units.
3. Allow users to share partial information between NTO units.
4. Allow for easily changing the traffic configuration of an NTO. Note that this feature can be used manually or automatically (using TCL) by importing a different configuration based on traffic conditions.

There are three export types:
1. Full Backup: This export is a copy of the entire configuration (ports, filters, system configuration settings, etc.). Exceptions are noted below.
2. Traffic Configuration: This export saves the following configuration information: all ports, port groups, filters, and custom port icons; System tab settings related to ports, port groups and filters, including filter memory allocation settings, port group load balance settings (if applicable), etc.
3. Custom: This export gives you the option to select the objects that will be saved to the configuration file.

Note: Regardless of the export type, the default administrator account and the NTO IP address settings (IP, Subnet Mask, Default Gateway) are never exported/imported.
Import Behavior and Characteristics When importing a configuration, the options and items available for import vary depending on the type of the export file and depending on the unit into which the configuration is being imported. Some of the factors affecting the items available for import are shown below: Users cannot be shared between NTO units and can be imported only into the same unit from which they were exported. Settings that are specific to one NTO model can be shared only with the same NTO model (for example port settings from a 5273 NTO cannot be imported into a 5288 optimizer).
These factors result in several different options being available during an import. For example, when importing a full backup configuration into the same unit that it was exported from, the user will be given the following import options: Full Import (from Backup) Traffic Configuration Custom
When importing a full backup configuration into a different unit, the user will given the following import options: Full Copy (without users) Traffic Configuration Custom
When importing a traffic configuration into the same or a different unit, the full import options will not be available, and the user will be given the following import options: Traffic Configuration Custom When importing a custom configuration, the full import and traffic configuration options will not be available. Only the custom option will be available. You can export and import across all model types, with some restrictions. The import will always be treated as a custom import in those cases Notes: When dynamic filters are imported via a Custom import, copies of the filters will be created with no connections. Filters that previously existed on the target system will be unaffected. When importing dynamic filters via any other type of import, the previously existing filters on the target system will first be deleted and the imported filters, and their connections, will be created. The user will be alerted if any of the requested items could not be imported. Importing a configuration that changes management port settings will result in the NTO restarting. Importing a configuration that changes the authentication mode or the TACACS+ or RADIUS configuration settings will result in all users being logged out of the NTO.
To export a configuration:
1. Select File -> Export Configuration from the control panel menu. The Export Configuration dialog box appears.
2. A description of the export configuration can be entered in the Description field. This field is for the convenience of the user and can be used to describe the contents and purpose of the export file. The description will be visible when later importing this file.
3. In the Export Selection area, select the Export Type. The export types are Full Backup, Traffic Configuration and Custom. The components of the configuration that are selected will change depending on the type of export selected. After an export type is selected, components within the categories of Ports, Port Groups, Dynamic Filters, Library, Users, Groups and System can be checked for inclusion in and unchecked for omission from the backup. Hovering the mouse over a component will cause more information about that component to be displayed in the form of a pop-up tool tip (see image below).
4. Click the Export button.
5. In the Export Configuration window, accept the default name or enter a new name for the configuration file and select the destination directory. Note that the NTO configuration files by default have an .ata file name extension. The default file name is composed of: the unit IP address or System name (if configured)_model number (for example, 5293)_yyyymmdd_unit software version_export type (Full, Traffic or Custom).ata.
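The default file name described in the last step encodes everything needed to decide, before opening the Import Configuration dialog, which import options a given .ata file will offer on a given target unit (the Import Behavior and Characteristics rules above). The following is an added example, not part of this guide or the Anue software: it parses default export names, applies those rules (Full Import on the originating unit, Full Copy without users on another unit of the same model, Traffic or Custom otherwise, and always Custom across models), and picks the newest Full backup per unit from a directory listing. It assumes the software version field contains no underscore; the file names below are constructed samples.

```python
import re
from datetime import date

# Default export name (from the guide):
#   <unit IP or system name>_<model>_<yyyymmdd>_<software version>_<Full|Traffic|Custom>.ata
# Assumption (not stated in the guide): the software version contains no underscore.
EXPORT_NAME = re.compile(
    r"^(?P<unit>.+)_(?P<model>\d{4})_(?P<date>\d{8})_(?P<version>[^_]+)"
    r"_(?P<kind>Full|Traffic|Custom)\.ata$")


def parse_export_name(filename: str) -> dict:
    """Split a default-named export file into unit, model, date, version and kind."""
    m = EXPORT_NAME.match(filename)
    if not m:
        raise ValueError(f"{filename!r} does not follow the default export naming")
    info = m.groupdict()
    raw = info["date"]
    info["date"] = date(int(raw[:4]), int(raw[4:6]), int(raw[6:]))
    return info


def import_options(export_kind: str, same_unit: bool, same_model: bool) -> list:
    """Import choices offered for an export, following the Import Behavior rules."""
    if not same_model:
        return ["Custom"]  # cross-model imports are always treated as Custom
    if export_kind == "Full":
        first = "Full Import (from Backup)" if same_unit else "Full Copy (without users)"
        return [first, "Traffic Configuration", "Custom"]
    if export_kind == "Traffic":
        return ["Traffic Configuration", "Custom"]
    if export_kind == "Custom":
        return ["Custom"]
    raise ValueError(f"unknown export type {export_kind!r}")


def plan_import(filename: str, target_unit: str, target_model: str) -> list:
    """Options the target unit will offer for this file, judged from its name alone.
    target_unit must be the IP address or System name exactly as it appears in
    the file name (the guide uses the System name when one is configured)."""
    info = parse_export_name(filename)
    return import_options(info["kind"], info["unit"] == target_unit,
                          info["model"] == target_model)


def latest_full_backups(filenames) -> dict:
    """Map each unit to its newest Full backup; files not using the default name are skipped."""
    newest = {}
    for name in filenames:
        try:
            info = parse_export_name(name)
        except ValueError:
            continue
        if info["kind"] != "Full":
            continue
        unit = info["unit"]
        if unit not in newest or info["date"] > newest[unit][0]:
            newest[unit] = (info["date"], name)
    return {unit: name for unit, (_, name) in newest.items()}


# Constructed directory listing (sample names, not real exports).
SAMPLE_DIR = [
    "192.168.162.12_5293_20121011_3.7_Full.ata",
    "192.168.162.12_5293_20120901_3.6_Full.ata",
    "192.168.162.12_5293_20121011_3.7_Traffic.ata",
    "lab-core_5288_20121005_3.7_Full.ata",
    "notes.txt",
]

if __name__ == "__main__":
    for unit, name in latest_full_backups(SAMPLE_DIR).items():
        print(unit, "->", name, plan_import(name, "192.168.162.12", "5293"))
```

Because the default administrator account and IP settings are never part of an export, a restore from the newest Full backup still leaves those two items as they are on the target unit.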
To import a configuration:
1. Select File -> Import Configuration from the control panel menu. The Select the Import File window appears.
2. Select the appropriate directory and configuration file. Note that the NTO configuration files have an .ata file extension by default.
3. Click the Import button.
4. If an Import exception occurs, read the exception and then click the OK button. The Import Configuration window appears.
5. The user can customize the import and remove an entire category of data by unchecking the category checkbox or expanding a category and selecting options from the category.

Notes: After an import has succeeded, import exceptions can be reported if configuration conflicts need to be resolved.
Edit Menu
This section describes the Edit menu.
The Edit menu gives users options with objects such as filters, groups, filter template collections, etc., to: Copy to the system clipboard Paste from the system clipboard Delete Configure display Options (described in detail below) Configure the user profile settings under My Profile (described in detail below) Configure the Properties of a selected object
The settings on the Options page apply to all NTO sessions started from the current PC user account and are only applied on the current PC. For example:
1. A user configures control panel options while logged in at PC#1.
2. The user logs out of an NTO at PC#1 and then logs into the same NTO from PC#2.

The control panel settings configured while logged in at PC#1 will not be in effect during the user's control panel session at PC#2. Also, if a second user logs into the NTO from PC#1, the options configured by the first user will not be in effect for the second user.

General
- Remember window location and size on exit: When this option is enabled, the location and size of the control panel window is saved upon exit and recalled when the user logs in again.
- Remember active sessions on exit: When this option is enabled, the active session information is saved (excluding passwords) and recalled when the user logs in again. Details about this feature can be found in the Manage Multiple NTO Systems from the Same Control Panel Interface using ULM section.
- Show disabled ports: When this option is selected, network and tool ports that are disabled display in the diagram area. Unselect this option to hide disabled ports. Hiding disabled ports may help to make the diagram easier to read.
- Control panel log level: Click the hyperlink to configure the log level for the control panel. The control panel log level can be raised to help troubleshoot control panel issues. Log levels should only be changed as directed by Anue Technical Support.

Diagram
- Automatically re-organize when changes occur: Selecting this option will cause the diagram to automatically re-arrange objects so that the diagram connections are easier to see. Filters and ports are automatically arranged using an algorithm designed to minimize crossed connections. When Auto-organize is disabled, the diagram can be organized by pressing the F5 key. The rules for reorganization (or organization after pressing the F5 key) are:
  - Network ports with connections to filters are arranged before network ports without connections to filters.
  - Ports connected to the same filter are sorted alphabetically by name.
  - Ports without connections are sorted alphabetically, with enabled ports having higher priority than disabled ports.
  - Enabled ports are arranged before disabled ports.
  - Filters that have the most port connections are displayed at the top of the diagram.
  - Filters that have equal connection counts are sorted alphabetically by name.
  - Port groups are treated the same as ports, although port groups have a higher priority than ports.
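The reorganization rules above are a sort order, and writing them down as one makes the resulting layout predictable when reviewing a diagram offline. The following is an added example, not part of this guide or the Anue software, and it is an interpretation of those rules rather than the product's own algorithm: filters are ranked by connection count and then name; connected ports are listed under their filters in that filter order, alphabetically within each filter; unconnected ports follow, enabled before disabled; and port groups rank ahead of ports wherever the other rules tie. The "Show disabled ports" option is modelled as simply dropping disabled objects from the output. The port, group and filter names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DiagramObject:
    """A network/tool port or a port group as it appears in the diagram."""
    name: str
    enabled: bool = True
    is_group: bool = False             # port groups follow the port rules but rank ahead of ports
    filters: frozenset = frozenset()   # names of the dynamic filters this object connects to


def arrange_filters(objects, all_filters=()) -> list:
    """Filters with the most port connections first; equal counts sorted by name.
    all_filters lets filters with no connections be listed (they sort last)."""
    counts = {f: 0 for f in all_filters}
    for obj in objects:
        for f in obj.filters:
            counts[f] = counts.get(f, 0) + 1
    return sorted(counts, key=lambda f: (-counts[f], f))


def _rank(obj: DiagramObject):
    # tie-break within a bucket: groups ahead of ports, enabled ahead of disabled, then by name
    return (0 if obj.is_group else 1, 0 if obj.enabled else 1, obj.name)


def arrange_ports(objects, all_filters=(), show_disabled=True) -> list:
    """Order ports and port groups for the diagram.
    Connected objects come first, grouped under their filters in filter order and
    sorted by name within each group (an object appears once, under the first
    filter that lists it); unconnected objects follow, enabled before disabled,
    alphabetically. show_disabled=False drops disabled objects, which is what
    unselecting the 'Show disabled ports' option hides."""
    visible = [o for o in objects if show_disabled or o.enabled]
    placed, ordered = set(), []
    for f in arrange_filters(visible, all_filters):
        attached = (o for o in visible if f in o.filters and o.name not in placed)
        for obj in sorted(attached, key=_rank):
            ordered.append(obj)
            placed.add(obj.name)
    ordered.extend(sorted((o for o in visible if o.name not in placed), key=_rank))
    return [o.name for o in ordered]


# Constructed diagram: two filters, one port group, one disabled and two idle ports.
SAMPLE_OBJECTS = (
    DiagramObject("N3", filters=frozenset({"F1"})),
    DiagramObject("N1", filters=frozenset({"F1", "F2"})),
    DiagramObject("N2", filters=frozenset({"F2"})),
    DiagramObject("N4"),
    DiagramObject("N5", enabled=False),
    DiagramObject("G1", is_group=True, filters=frozenset({"F2"})),
    DiagramObject("N0"),
)

if __name__ == "__main__":
    print(arrange_filters(SAMPLE_OBJECTS))   # F2 has 3 connections, F1 has 2
    print(arrange_ports(SAMPLE_OBJECTS))
    print(arrange_ports(SAMPLE_OBJECTS, show_disabled=False))
```

With the sample above, F2 (three connections) outranks F1 (two), so the group G1 and the ports attached to F2 lead the port column, N3 follows under F1, and the idle ports close the list with the disabled N5 last.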
Statistics Refresh statistics every The statistics refresh rate can be configured in seconds, minutes or hours. This setting is only applicable to the current control panel and does not affect the actual collection of statistics on the NTO. Chart sample interval Configure the sample rate for port and dynamic filter statistics charts. This control panel option does not affect the actual collection of statistics on the NTO. The drop-down list provides options that range from 1 second to 5 minutes. Each interval option also indicates how long each sample is retained in the chart history before being discarded to make room for a new sample. For example, the option 30 sec (max data range 15 hours), indicates that chart statistics will refresh every 30 seconds and that statistics data can be charted at this sample interval, continuously, without data loss, for up to 15 hours.
Confirmations
Confirmation messages display when users perform certain actions. These messages may become undesirable if a user is familiar with a feature and already understands the ramifications of their actions. The settings in this section of the page allow confirmation messages to be suppressed or displayed. Confirmation messages can also be suppressed from the confirmation dialogs themselves.
Confirm mandatory statistics reset when filter connections are added: The options for this confirmation message are: Always ask and Never ask. For example, a user has drawn a connector between a filter and a tool port. The following message will display (notice the Don't show this message again checkbox at the bottom of the confirmation dialog box):
Display edit dynamic filter dialog when connecting two ports on the diagram: The options for this confirmation message are: Always ask, Always do this (automatically open the Edit filter dialog box when this action occurs) and Never do this (never ask about configuring the filter). For example, a user has drawn a connector between a network port and a tool port. This action will cause a filter to be created automatically. The following message will display (notice the Remember my answer checkbox at the bottom of the confirmation dialog box):
Automatically enable disabled ports when a connection is added: The options for this confirmation message are: Always ask, Always do this (always enable disabled ports when a connection is added) and Never do this. For example, a user draws a connector between a filter and a disabled tool port. The following message will display (notice the Remember my answer checkbox at the bottom of the confirmation dialog box):
While editing a dynamic filter, warn when statistics will be reset: The options for this confirmation message are: Always ask and Never ask. For example, a user has changed the criteria of a filter from Pass All to Pass by Criteria. When OK is clicked to accept the modifications, the following message displays (notice the Don't show this message again checkbox at the bottom of the confirmation dialog box):
Display edit port group dialog when creating a port group from selected ports: The options for this confirmation message are: Always ask, Always do this (always open the Edit Port Group window after the port group is added) and Never do this.
Confirm editing far-end when a remote interconnect port group is set up: The options for this confirmation message are: Always ask, Always do this (always open the Edit Port Group window after the port group is added) and Never do this. This message displays after the Remote Far End feature is configured. The system attempts to connect to the far end and configure the far-end port group's Interconnected with settings.
Allow a dynamic filter to connect to both ends of a bidirectional interconnect port group: The options for this confirmation message are: Always ask, Always do this (always open the Edit Port Group window after the port group is added) and Never do this. This message displays after the user attempts to make a connection between both ends of the same bidirectional interconnect port group. The message serves as a minor warning because this sort of connection is unnecessary.
At the bottom of the Options window there are OK, Cancel and Reset buttons. The Reset button can be used to reset the display option configuration to the default settings.
Configure My Profile (Edit -> My Profile)
The following settings can only be modified when the NTO is in local authentication mode. User profiles cannot be modified when the NTO is in TACACS+ or RADIUS authentication mode. All users can modify the following settings for their account:
Login ID
Full Name
Email Address
Phone number
Password
Created: Displays the date and time the account was created and the name of the system administrator who created the account. Last Modified: Displays the date and time the account was last modified and the name of the user who modified the account. A brief description of the change that was made to the account is described in parentheses.
View Menu
This section describes the View menu.
The View menu is used to modify the view of the diagram area. The options are:
Zoom In: Makes the elements of the diagram larger, consequently displaying fewer of them at a time.
Zoom Out: Makes the elements of the diagram smaller, consequently displaying more of them at a time.
Zoom to 100%: Restores the diagram elements to their default sizes.
Focus diagram on (All ports and dynamic filters, Selected object(s) or My access): Shows only certain diagram elements and their connections.
All ports and dynamic filters - Shows everything on the diagram. If disabled ports are hidden they remain hidden.
Selected object(s) - Shows only those objects that are currently selected, plus any objects they are connected to.
My access - Shows only those objects which the current user is allowed to modify or connect to, plus any objects those objects are connected to.
The Focus feature allows the user to isolate and display a specific set of objects in the diagram area. Focus can be used to simplify a complex diagram and make it easier to read. The user can choose to focus on: selected object(s), all ports and dynamic filters, or my access. Focus is a local option that only affects the diagram view of the current user. The diagram focus can be selected using the following methods:
F6 focuses on the selected objects or removes focus from the view.
Right-click the selected objects or the diagram background and select the desired focus option.
Select View -> Focus diagram on.
Tip: When selecting objects, press and hold the Ctrl key to select more than one object.
The My access focus allows the user to view the objects that they can access based on the Access Control settings of the objects. Note that connected objects are also displayed. For example, if a login account has access to a tool port, the objects connected to the tool port will also display in the view even though the user might not have the ability to modify or change the connections to those objects. Administrator users will not have the Focus on My access option because they always have access to all objects.
Help Menu
This section describes the Help menu.
The Help options provide access to the following:
Anue Net Tool Optimizer Help: Access the online help system.
Documentation: Access the user guide and the startup guide.
Support: Launches your default email application and opens a message addressed to Anue Technical Support.
Save and Send Logs: Allows you to save and send server logs to Anue Technical Support. For more information, see Technical Support on page 11.
Licensing: Opens an HTML page that displays the license agreement.
About: Provides information about the version of the NTO Control Panel that is currently running.
The Focus status lists the selected focus and the Selection status provides information about the objects that are selected. The default focus is on all objects. In this mode, the focus status will indicate All. When a single object is selected for focus, Focus will display the object type and the name of the object. When several objects are selected for focus, Focus will display the type of objects selected and a count of each type of object selected.
Last Modified: Displayed on the General tab. Displays the date and time the object was last modified and the name of the user who modified the object. A brief description of the changes that were made to the port is provided in parentheses. Up to 3 modification descriptions will be listed, followed by the text more if there were more than 3 changes made to the object during the last modification. When the text more is displayed in the dialog, the tooltip help for the Last Modified field provides the complete list of changes that were made to the port.
Except for Dynamic Filters, the following features and displayed information are available on all of the NTO objects described in the sections below:
Port or Port Group Icon: The current icon is displayed at the lower left of the General tab. You may select a different icon from the icons displayed on the right or click the Custom Icon button to add or remove a custom icon from the Icon Library. The custom icon will then be used as the port icon. Supported file types for custom icons are .jpg, .gif and .png. Larger images will be automatically resized down to a maximum of 64x64 pixels, maintaining their original aspect ratio. Images smaller than 64x64 maintain their original size.
Use the Reset To Default button to revert back to using the default port/port group icon.
The Control Panel uses this default naming convention for ports: P<slot><port>, where:
slot indicates the interface module in a particular slot
port indicates the port number
For example, PA10 indicates port 10 in the interface module installed in slot A. You can also give the port a more descriptive name using the Port Name field in the Port Properties dialog. Table 6-1 describes the ports available on each NTO model and the capabilities of those ports.
Table 6-1: Available Ports on NTO Models
Model: 5204
Available Ports: Ports 1-20 support copper connections. Ports 21-24 can support copper or fiber connections.
Model: 5236, 5273
Available Ports: Ports 1-20 support 1G copper or fiber or 10G fiber connections. Ports 21-24 support copper connections.
Models 5204, 5236, 5273 (expansion slots): Ports PA1 and PA2 are physically located on the interface module in slot A. These ports do not appear if no card is present in slot A. Ports PB1 and PB2 are physically located on the interface module in slot B. These ports do not appear if no card is present in slot B.
Model: 5288, 5293
Available Ports: Port modules, with a varying number of ports and capabilities, can be installed into expansion slots A, B, C or D. A label below each port indicates the port number.
Figure 6-2 shows the expansion slots on an NTO 5293. Your model may look different.
To configure a port, double-click the icon of an unassigned port. The Edit Port dialog will then display. The General Tab options are: Port Number #: The port number is displayed. This number corresponds to a physical port on the chassis or interface module. Name: The name field allows a name to be assigned to the port. A default name, such as P10 (models 5204/5236/5273) or PA10 (models 5288/5293), will be used if none is specified.
Description: The description field provides an area to document detailed information about the port. Text entered in this field will display in the tooltip help of the port icon and in a column of the Ports View.
Port Status Image: See Features Common to All Object Pages on page 67.
Last Modified: See Features Common to All Object Pages on page 67.
Port Settings
Media Type: The media type for the port connection. Possible values depend on licensing. If a port can be 1G SFP/10G SFP+, you can license the port for 1G-only or for 1G/10G. When ports are licensed for 1G/10G, you can select which media type you want to use (1G SFP or 10G SFP+) for each port. See Table 6-2 for media types available on the different NTO models.
Table 6-2: Possible Media Types
Model: 5204
Media Types: Ports 1-20 are 1G copper only. Ports 21-24 can be 1G copper or 1G SFP (Fiber). Ports A1, A2, B1, B2 (on expansion modules) can be 10G XFP or 1G SFP/10G SFP+, depending on the expansion module type.
Model: 5236, 5273
Media Types: Ports 1-20 are 1G SFP/10G SFP+. Ports 21-24 are 1G copper. Ports A1, A2, B1, B2 (on expansion modules) can be 10G XFP or 1G SFP/10G SFP+, depending on the expansion module type.
Model: 5288, 5293
Media Types: All ports are on expansion modules and can be 1G SFP/10G SFP+, or 40G QSFP+, depending on the module type.
Port Mode: The user can select Network or Tool. Network ports are used to connect SPAN ports or taps to the NTO. Tool ports are used to connect devices such as intrusion detection systems, VoIP analyzers and data storage devices to the NTO. Network ports will display on the left side of the diagram area. Tool ports will display on the right side of the diagram area.
Pause Frames (Tool Ports Only): The user can select Ignore or Accept. A pause frame is a flow control mechanism defined by IEEE 802.3x that uses MAC Control frames to carry pause commands. Pause commands are generated when a sending device is transmitting data faster than a receiving device can receive it. The receiving device generates a pause frame that indicates the amount of time it wants the sending device to pause sending traffic. When the NTO accepts pause frames it will stop the transmission of data until Ethernet flow control indicates that the device that sent the pause frame is ready to receive additional traffic. When the NTO ignores pause frames it will continue to forward traffic to the connected device regardless of the Ethernet flow control state of the device. Ignore Pause Frames is the default tool port setting. This feature is not supported on network ports.
Note: When accepting pause frames, the NTO will buffer a very small amount of data before dropping packets. Configuring the NTO to ignore pause frames will prevent packets from dropping at the NTO, but the port of the connected device may drop packets due to oversubscription.
Enabled: The user can select Enabled or Disabled. A port must be enabled in order to pass traffic. Disabled ports will display as dimmed in the diagram view, tabular views, and pick lists.
Link Settings: The available link settings depend on the port media type. For 1G SFP ports, the only supported link setting is 1G Full Duplex. For 10G SFP+ ports, the only supported link setting is 10G Full Duplex. Models 5204, 5236, 5273: Auto-MDIX (automatic medium-dependent interface crossover) is always used for 1G, 100M and 10M copper ports. Auto-MDIX allows the interface to automatically detect and support a straight-through or crossover Ethernet cable.
Port Status
Link Status: Displays the connectivity status of the port. Displays Link Up or Link Down. A red X appears on the icon when a port is enabled and down.
Port Icon: See Features Common to All Object Pages on page 67.
Using the Network Port (Ingress) or Tool Port (Egress) Filter Criteria Tab
Filter criteria are used to define the type of traffic that will be allowed to pass through an object or define the type of traffic that will be prevented from passing through an object. See Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters for detailed information.
Connections to dynamic filters can be removed using the Remove button (select one or more dynamic filters and then click the Remove button). To add connections use the Add dynamic filter button. The Select dynamic filters window will display. Select one or more dynamic filters to connect to the tool port (the Shift and Ctrl keys can be used to select more than one dynamic filter).
NOTE Adds and removes occur immediately after clicking OK and connection modifications cannot be canceled using the Cancel button on the main Port Properties window.
There are several ways to begin the filter creation process:
1. From the control panel menu, select File > New > Dynamic Filter.
2. Right-click in the Diagram area and select New Dynamic Filter.
3. Click the Add a new dynamic filter icon in the control panel toolbar.
4. Draw a connector between a network port and a tool port. Note that when a filter is created in this manner the filter is configured to deny all packets by default.
Filter Status Image: See Features Common to All Object Pages on page 67.
Advanced: The advanced options are designed for experienced users who want to configure one-stage filters. For more details about one-stage filters, see the 5200 - Advanced Filtering Concepts and Options Technote, which is available for download from the Anue Customer Portal. See Technical Support on page 11 for information on how to access the Anue Customer Portal. The customer portal (http://support.anuesystems.com) allows customers to open support tickets, search for solutions, and download documentation.
Connections can be removed by highlighting the connected port and clicking the Remove button. The Shift and Ctrl keys can be used to select more than one port. Network and tool port connections can be added using the Add Port buttons.
When the Add Port button is clicked the Select Ports window will display. Select one or more ports and click OK. The Shift and Ctrl keys can be used to select more than one port.
NOTE Unlike the Select Dynamic Filter connection dialog reached from the Port Properties dialog, these port connection changes do NOT take effect immediately after you click OK. If you change your mind, you can cancel them by clicking the Cancel button on the main Filter Properties window.
The figure above demonstrates how port groups can be deployed to share tools between NTOs. A detailed description is provided below. The notation 4x10 G indicates that an interconnect port group (ICPG) contains four 10G ports.
Note that in all ICPG scenarios, it is required that an ICPG be created on both of the NTO systems that share the interconnect:
NTO #1 has local tools. The ICPG connection to NTO #4 is unidirectional. The tools that are directly connected to NTO #1 can only be shared by the SPANs and taps that are directly connected to NTO #1. Those same SPANs and taps can access the tools on NTO #4 by way of the interconnect port group.
NTOs #2 and #3 can share their local tools with each other because of the bidirectional ICPG between them. Both NTO #2 and NTO #3 have a unidirectional ICPG to NTO #4. SPANs and taps that are directly connected to NTO #2 and NTO #3 can access the tools on NTO #4.
NTO #4 has unidirectional network-side interconnects with NTOs #1, #2, and #3. The tools connected to NTO #4 can be shared by all of the NTOs deployed at the site. NTO #4 has no access to tools on the other NTOs.
Note: The ports within an interconnect port group can be a combination of 1G and 10G ports, but caution should be taken when mixing port speeds within tool interconnect port groups. If one of the ports within a tool interconnect port group goes down, its traffic will automatically be diverted to the other ports in the group. Failover to in-service ports occurs regardless of port speed. Failover from a 10G port to a 1G port could lead to traffic congestion and dropped packets. Also, traffic will not balance well between the 10G and 1G ports, resulting in drops on the 1G ports and/or under-use of the 10G ports. The load balancing algorithm cannot weight the ports such that the 10G ports would get 10 times the load of the 1G ports.
The tool side of an ICPG is always set to a Rebalance failover mode. In Rebalance mode, a port failure will cause the port to be disabled and removed from the load balancing algorithm. Traffic that was destined for the failed port will be transmitted out of an in-service port within the group.
Once the port's link status returns to link up, the port is re-added into the load balance algorithm.
Creating an Interconnect Port Group
There are three methods that can be used to create an interconnect port group:
Method One
1. Select ports in the diagram area.
2. Right-click one of the selected ports.
3. Select Create Interconnect Port Group -> Network, Tool or Bidirectional from the menu. Note that the options displayed vary depending on the ports selected. For example, if a tool port and a network port are selected, the menu only displays Bidirectional because it is the only possible configuration when a network and tool port are in the same group.
Method Two
Click the New Interconnect Port Group icon in the toolbar area.
Method Three
1. Right-click in the diagram area.
2. Select New Interconnect Port Group > Network, Tool or Bidirectional from the menu.
The New Interconnect Port Group or Edit Interconnect Port Group dialog window displays depending on the creation method chosen:
The following sections explain how to use the tabs on the New Tool Interconnect Port Group window.
The following options can be configured on this dialog box:
Address: Enter the IP Address or DNS name of the far-end NTO. Click the History button to select a far-end NTO from a list of NTO units that have been accessed during earlier NTO Control Panel sessions.
Note: To use the Manage Other End feature and configure the Interconnected with setting, the NTO units that share an interconnect port group must be running the same version of software.
After the address of the far-end NTO is selected, a login prompt will be launched for that system. The user will need to have a login account on the far-end NTO to complete the interconnection. The login accounts do not have to be the same account.
Interconnect Port Group: Displays the remote or far-end interconnect port group. Click the Select button to select an interconnect port group from the remote NTO.
Clear: Click the Clear button to remove the current Far-End Interconnect Port Group settings.
Description: You can enter a description of the Interconnect Port Group in this field so that, for future reference, you can tell at a glance the nature of this specific interconnect port group that you created and configured.
Interconnect Port Group Settings: This section displays Port Mode settings and options. The displayed port mode can be Network, Tool or Bidirectional.
Interconnect Port Group Status
Enabled Status: This field displays the number of ports within the port group that are enabled, followed by the total number of ports in the port group.
Enabled Port Status
Combined Speed: This field displays the combined speed of all the enabled ports within the port group. The word partial after the speed value indicates that 1 or more of the enabled ports within the port group have a link down status. The reported combined speed does not include the port speed settings of link-down ports.
Link Status: This field indicates the number of enabled ports within the port group that have a link up status.
Port Group Icon: See Features Common to All Object Pages on page 67.
Ports can be removed by selecting them in the port section and clicking the Remove button.
NOTE The following are the effects of adding ports to an interconnect port group:
When a port is added to a port group, its icon is removed from the diagram area. The individual port properties can then only be accessed from the Ports tab within the port group or from the right-click menu of the port group.
A port added to a port group maintains its media settings.
A port added to a port group inherits the filter criteria settings of the port group.
Port groups inherit the access control settings of the ports within the group that have the most restrictive access control settings.
The icon for a bidirectional port group is displayed on both sides of the diagram area as shown in the figure below. Notice that the port group maintains the same name (whether automatically assigned or user assigned) on both sides of the diagram area. The BIC-# (Bidirectional Interconnect #) label indicates the number of ports in the port group.
Tip: Right-clicking on a port displayed in the Ports section provides the ability to access the properties of the port, disable the port, and for system administrators, modify the access control settings of the port.
The access policies for a port group are inherited from the contained ports. Operation: Modify this Port Group: This section displays the access policy in effect and the users who are allowed to change the configuration settings of this port group. Operation: Connect/Disconnect Filters to/From this Port Group: This section displays the access policy in effect and the users who are allowed to connect filters to this port group and disconnect filters from this port group.
The Details buttons provide information about the specific users with access and how the access settings were determined, as shown in the following image:
Figure 6-13. Access Details for Modify - Interconnect Port Group Dialog
The Users section displays the users who can change the property settings of the port group. Note that system administrators can always modify the property settings. The Ports section displays a table showing the ports that determine the Modify access settings of the port group. A user must meet the access requirements for every port shown in order to modify the port group settings.
When the Rebalance mode is set to None, a port failure will cause packets destined for the port to be dropped. When the failed port returns to service, packets will resume transmission out of the port.
Access Control Required to Create and Modify Load Balance Port Groups
Note the Access Control required to create and modify load balance port groups:
In order to connect/disconnect to/from a port group, a user must have Connect access on all ports within the port group.
In order to modify the properties of a port group, a user must have Modify access on all ports within the port group.
In order to add/remove ports to/from a port group, a user must have Connect access on the port group (which requires Connect access on all the ports within the port group).
There are three methods that can be used to create a load balance port group:
1. Select tool ports in the diagram area, right-click one of the selected ports, and choose Create Load Balance Group from the menu.
2. Click the New Load Balance Port Group icon in the toolbar area.
3. Right-click in the diagram area and choose New Load Balance Port Group from the menu.
The New Load Balance Port Group or Edit Load Balance Port Group dialog window displays depending on the creation method chosen:
Figure 6-14. Edit Tool Load Balance Port Group (LBPG) Window
Failover: In the event of port failure the Rebalance option redistributes traffic amongst in-service ports within the port group. Rebalance is the default setting. The None option disables the failover feature.
Load Balance Status
Enabled Status: This field displays the number of ports within the port group and the number of ports within the port group that are enabled.
Enabled Port Status
Combined Speed: This field displays the combined speed of all the enabled ports within the port group. The word partial after the speed value indicates that 1 or more of the enabled ports within the port group have a link down status. The reported combined speed does not include the port speed settings of enabled link-down ports.
Link Status: This field indicates the number of enabled ports within the port group that have a link up status.
Port Group Icon: See Features Common to All Object Pages on page 67.
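The following Python example is added here and is not code from the Anue guide or the NTO itself; it models the port group status fields described for interconnect and load balance port groups (Enabled Status, Combined Speed with the partial marker, Link Status) and the difference between the Rebalance and None failover modes, including the unweighted split between 10G and 1G members that the interconnect port group note warns about. The flow-to-port mapping (a precomputed integer flow hash taken modulo the number of candidate ports) is an assumption of this example; the guide does not describe the NTO's actual load balancing function.

```python
from dataclasses import dataclass


@dataclass
class GroupPort:
    """A member port of a load balance or interconnect port group (constructed model)."""
    name: str
    speed_gbps: int          # 1 or 10, as in the mixed-speed note
    enabled: bool = True
    link_up: bool = True


def group_status(ports):
    """Reproduce the Enabled Status, Combined Speed and Link Status fields."""
    enabled = [p for p in ports if p.enabled]
    up = [p for p in enabled if p.link_up]
    combined = sum(p.speed_gbps for p in up)    # link-down ports are not counted
    speed = f"{combined}G"
    if len(up) < len(enabled):
        speed += " partial"                      # at least one enabled port is link-down
    return {
        "enabled": f"{len(enabled)}/{len(ports)}",
        "combined_speed": speed,
        "link_up": len(up),
    }


def select_port(ports, flow_hash, failover="Rebalance"):
    """Return the member port a flow is transmitted on, or None if it is dropped.

    flow_hash is assumed to be an integer already derived from the flow; the
    real distribution function is not described in the guide. Every candidate
    gets an equal share regardless of speed, which is the unweighted behaviour
    the mixed-speed note warns about.
    """
    enabled = [p for p in ports if p.enabled]
    if failover == "Rebalance":
        candidates = [p for p in enabled if p.link_up]  # a failed port leaves the pool
    else:
        candidates = enabled                            # None: the failed port keeps its share
    if not candidates:
        return None
    chosen = candidates[flow_hash % len(candidates)]
    return chosen.name if chosen.link_up else None     # None mode drops on a down port


def share_by_port(ports, flow_hashes, failover="Rebalance"):
    """Count flows per member (None counts dropped flows) for a set of flow hashes."""
    counts = {}
    for h in flow_hashes:
        name = select_port(ports, h, failover)
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: a tool group with two 10G and two 1G members, one 10G
# member enabled but link-down and one 1G member disabled.
SAMPLE_GROUP = [
    GroupPort("PA1", 10),
    GroupPort("PA2", 1),
    GroupPort("PA3", 10, link_up=False),
    GroupPort("PA4", 1, enabled=False),
]

if __name__ == "__main__":
    print(group_status(SAMPLE_GROUP))
    print(share_by_port(SAMPLE_GROUP, range(6), "Rebalance"))
    print(share_by_port(SAMPLE_GROUP, range(6), "None"))
```

For the sample group the status reads 3/4 enabled, 11G partial and 2 links up: the link-down 10G member is excluded from the combined speed. In Rebalance mode every flow lands on an in-service port, with the 1G member PA2 receiving as many flows as the 10G member PA1; in None mode the flows hashed to the failed PA3 are dropped until its link returns.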
Ports can be removed by selecting them in the port section and clicking the Remove button.
Note: The Effect of Adding Ports to a Load Balance Port Group
When a port is added to a port group, its icon is removed from the Diagram Area. The individual port properties can then only be accessed from the Ports tab within the port group or from the right-click menu of the port group.
A port added to a port group maintains its media settings.
A port added to a port group inherits the filter criteria settings of the port group.
Port groups inherit the access control settings of the port within the group that has the most restrictive access control settings.
The load balance group will be assigned a LBG-# (load balance group number) label. The number displayed indicates the number of ports in the load balance port group.
Tip: Right-clicking on the ports displayed in the Ports section provides the ability to access the properties of the port, disable the port, and for system administrators, modify the access control settings of the port.
The Users section displays the users that can perform modify operations on the property settings of the port group. Note that system administrators can always modify the property settings of a port group. The Ports section displays a table that shows the ports that determine the Modify access to the connection settings of the port group. A user must meet the access requirements for every port shown in order to modify the port group connections.
System administrators can modify the access control settings of the ports from the Ports tab by right-clicking on the ports within the port group as shown in the figure below.
Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters
Dynamic Filters, Network Ports, Tool Ports, and Port Groups all have filter criteria settings. Filter criteria are used to define the types of network packets that will be allowed to pass through a filter or will be prevented from passing through a filter. Additional information that can help users take full advantage of NTO filtering capabilities is provided in the tech note 5200 - Advanced Filtering Concepts and Options. This guide can be downloaded from the Anue Customer Portal. See Technical Support on page 11 for information on how to access the Anue Customer Portal. The Filter Criteria tab of a Network Port is shown in the following figure.
Filter Mode
Filters can be placed in one of four modes, as shown below. Note that some filters do not support all four choices. Refer to Table 6-3 for details.
Pass All: This setting allows all traffic to pass through the filter.
Pass by Criteria: This setting allows the user to describe the characteristics of the packets that should be allowed to pass through the filter.
Deny All: This setting prevents all traffic from passing through the filter.
Deny by Criteria: This setting allows the user to describe the characteristics of the packets that should be prevented from passing through the port.
NTO objects have different filter mode options. The following table displays the filter mode options for each object type.
Table 6-3: Filter Modes
Filter modes: Pass All, Pass by Criteria, Deny All, Deny by Criteria.
Note: The tool side of a Bidi ICPG is always Pass All.
Available Criteria
When determining whether packets should be passed or denied, the NTO has the ability to look at the Layer 2 Ethernet headers *or* the Layer 3 and 4 IP headers of each packet. Users may specify which layer they want to look at, and within each layer, which header fields to look at. Figure 6-17, Figure 6-18, and Figure 6-19 show the available header fields for each layer. Note that the VLAN field (first VLAN only) can be examined with both Layer 2 and Layer 3/4. Models 5204/5288/5293: These NTO models do not support IPv6 criteria.
Multiple criteria may be combined to create more complex filters. Criteria may be combined as "Match All" (AND) or "Match Any" (OR). When using "Match All", each criterion may only be used one time in a single filter. When using "Match Any", each criterion may be used more than once in the same filter. Therefore, in a "Match All" filter, once a criterion is used that button will gray out indicating the criterion cannot be used again in that filter. Refer to the Selected Criteria section for more information. One other reason that a criterion button might be grayed out would be that the current filter memory allocation settings do not support that type of criterion. When a criterion button is pressed, a criterion-specific dialog will be displayed in which specific values can be entered for the header fields related to that criterion type. For example, using the Layer 2 Criteria Type, select the VLAN button. The New VLAN Filter Criterion window will display.
Tip: The instructions at the top of the window describe how to enter ranges of values. All criterion windows will have similar instructions and/or tool tip help.
VLAN
When connecting trunk port taps or SPANs to NTO ports, trunk links are required to pass VLAN information. NTO ports are configured for 802.1Q (dot1q) encapsulation by default, and automatically belong to VLANs 1-4094. Packets with 802.1Q tags for VLANs 1-4094 may be filtered using the NTO filter criteria. See the section on Filtering on 802.1Q VLAN Tags for detailed information and an example router configuration.
VLAN using Layer 2 Criteria Type: When the Criteria Type is Layer 2, the VLAN button allows the user to specify the VLAN IDs to be matched on both IP and non-IP packets.
VLAN with Layer 3/4 Criteria Type: When the criteria type is Layer 3/4, the VLAN button allows the user to specify the VLAN IDs to be matched in IP packets only. In this case, non-IP packets will not match, even if they have the specified VLAN ID.
MAC Address - Specify Attributes of Address When matching a MAC address, users may choose to look for a value in the source address, a value in the destination address, a value in the source *or* destination address, or a value in the source address in combination with another value in the destination address. These are described in more detail in the following sections. The picture below shows the MAC dialog when matching on the source address header field:
The address may be specified as one or more actual addresses, with optional "don't care" parts, or by the administration type. When more than one address is specified (using the "+" button) the filter will match on address 1 *or* address 2, and so on. Multiple addresses here are always combined with an "or", regardless of whether the containing filter is set to "Match All" (AND) or "Match Any" (OR). The Administration options are:
Universal (Globally Unique)
Local
A universally administered MAC address (globally unique) is assigned to a device by its manufacturer. A locally administered MAC address is assigned to a device by a network administrator.
The picture below shows the MAC dialog when matching on the destination address header field:
Destination addresses are specified in the same manner as source addresses. Destination addresses, however, support different attributes which can be matched as an alternative to the addresses. The Administration options are:
Don't Care: The address can be Local or Universal (Globally Unique).
Universal (Globally Unique)
Local
The Destination Address options are:
Don't Care: The address can be Individual (Unicast) or Group (Multicast/Broadcast).
Individual (Unicast)
Group (Multicast/Broadcast)
Note: The Destination Address and Administration attributes cannot both be set to Don't Care; at least one of them must be configured to a value other than Don't Care.
Address Combinations
Several header fields, including MAC addresses, IPv4 addresses, and Layer 4 port numbers, involve source and destination values. The NTO allows simplified filtering on different combinations of these values. As has already been shown for MAC addresses, one can filter on the source value or the destination value alone.
It is also sometimes useful to look for a particular value in either the source address *or* the destination address. The IPv4 address dialog below shows the selection of "Source or Destination" as the criterion type:
When the Source or Destination criterion type is configured, a packet will match if either the Source or Destination matches any of the defined address or port values. Note the instructions below the Type section of the window explaining how to duplicate a row. This feature allows the user to quickly create a list of addresses that only require minor modifications to make an address unique.
When the Mask Type is set to CIDR or Netmask, hovering the mouse over the magnifying glass displays the range of addresses that have been configured. Non-contiguous addresses are not displayed. The range helper feature is only available for IPv4. The Address Pair(s) option allows a pair of ports or addresses to be configured.
A packet will match if either of the following conditions is true:
1. Source equals any address/port A and destination equals any address/port B.
2. Source equals any address/port B and destination equals any address/port A.
This requires that every address/port A be paired with every address/port B. This fact may be important in scenarios where the available filter memory is limited.
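The combination rules described above (Match All versus Match Any, several values OR'd inside one criterion, "Source or Destination", and "Address Pair(s)" with every A paired with every B in both directions) are easy to get wrong when reading a filter back. The following is an added example, not code from the NTO or this guide: a small Python model of those rules run over constructed sample packets. The packet fields, the helper names, and the one-rule-per-pair-and-direction cost model in pair_rule_count are this example's assumptions; the guide only states that every A must be paired with every B and that this matters when filter memory is limited.

```python
"""How NTO filter criteria combine: added example, not the NTO's own code.

Packets are plain dicts (constructed below) and each criterion is a
(kind, predicate) pair, so 'Match All' is all() over the predicates and
'Match Any' is any(). Field and helper names are this example's own.
"""
import ipaddress


def _networks(specs):
    # CIDR, address/netmask form, or a bare address (which becomes a /32)
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def _in_any(addr, networks):
    return any(ipaddress.ip_address(addr) in n for n in networks)


def ipv4_src(specs):
    """Source address in any of the listed values. Several values inside one
    criterion are always OR'd, whatever the filter's combine mode."""
    nets = _networks(specs)
    return ("ipv4_src", lambda pkt: _in_any(pkt["src"], nets))


def ipv4_dst(specs):
    nets = _networks(specs)
    return ("ipv4_dst", lambda pkt: _in_any(pkt["dst"], nets))


def ipv4_src_or_dst(specs):
    """'Source or Destination': match if either end of the packet is listed."""
    nets = _networks(specs)
    return ("ipv4_src_or_dst",
            lambda pkt: _in_any(pkt["src"], nets) or _in_any(pkt["dst"], nets))


def ipv4_pairs(a_specs, b_specs):
    """'Address Pair(s)': (src in A and dst in B) or (src in B and dst in A)."""
    a, b = _networks(a_specs), _networks(b_specs)
    return ("ipv4_pairs",
            lambda pkt: (_in_any(pkt["src"], a) and _in_any(pkt["dst"], b))
            or (_in_any(pkt["src"], b) and _in_any(pkt["dst"], a)))


def pair_rule_count(a_specs, b_specs):
    """Every A is paired with every B, in both directions. Assumed cost model:
    one rule per pair and direction (the guide only says all pairs are needed)."""
    return 2 * len(a_specs) * len(b_specs)


def l4_dst_port(ports):
    wanted = set(ports)
    return ("l4_dst_port", lambda pkt: pkt.get("dport") in wanted)


def matches(pkt, criteria, mode):
    """mode 'all' = Match All (AND), 'any' = Match Any (OR). Match All allows
    each criterion type only once, which is why the NTO grays that button out."""
    kinds = [kind for kind, _ in criteria]
    if mode == "all":
        if len(set(kinds)) != len(kinds):
            raise ValueError("Match All: each criterion type may be used only once")
        return all(pred(pkt) for _, pred in criteria)
    if mode == "any":
        return any(pred(pkt) for _, pred in criteria)
    raise ValueError(mode)


def pass_by_criteria(packets, criteria, mode):
    """Dynamic filter in Pass by Criteria mode: matching packets are forwarded."""
    return [p for p in packets if matches(p, criteria, mode)]


def deny_by_criteria(packets, criteria, mode):
    """Tool port filter in Deny by Criteria mode: matching packets are dropped."""
    return [p for p in packets if not matches(p, criteria, mode)]


# Constructed sample traffic, not captured data.
PACKETS = [
    {"id": 1, "src": "10.1.1.5", "dst": "192.168.9.20", "dport": 443},
    {"id": 2, "src": "192.168.9.20", "dst": "10.1.1.5", "dport": 51234},
    {"id": 3, "src": "10.1.1.5", "dst": "172.16.0.7", "dport": 443},
    {"id": 4, "src": "172.16.0.7", "dst": "203.0.113.9", "dport": 443},
]


def demo():
    """Packet ids passed (or kept) by each filter shape discussed in the text."""
    def ids(pkts):
        return [p["id"] for p in pkts]
    from_10 = ipv4_src(["10.1.1.0/24", "10.2.0.0/16"])  # two values, OR'd within one criterion
    https = l4_dst_port([443])
    return {
        "match_all": ids(pass_by_criteria(PACKETS, [from_10, https], "all")),
        "match_any": ids(pass_by_criteria(PACKETS, [from_10, https], "any")),
        "src_or_dst": ids(pass_by_criteria(PACKETS, [ipv4_src_or_dst(["10.1.1.5"])], "any")),
        "pairs": ids(pass_by_criteria(PACKETS, [ipv4_pairs(["10.1.1.5"], ["192.168.9.0/24"])], "any")),
        "tool_port_deny_https": ids(deny_by_criteria(PACKETS, [https], "any")),
        "pair_rules_3x2": pair_rule_count(["a1", "a2", "a3"], ["b1", "b2"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() shows the difference that matters when auditing a filter: the same two criteria pass packets 1 and 3 under Match All but 1, 3 and 4 under Match Any, and the pair list of three A values and two B values costs twelve rules rather than five.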
Selected Criteria
The Selected Criteria section displays the configured criteria and allows the user to "AND" or "OR" the defined criteria. Filter criteria can also be retrieved from the filter template library. Network Port/Network ICPG/Network side Bidirectional ICPG options: AND: Pass or Deny packets that match ALL of the specified criteria. OR: Pass or Deny packets that match ANY of the specified criteria.
Tool Port/Tool ICPG/Load Balance Port Group options: AND: Deny packets that match ALL of the specified criteria. OR: Deny packets that match ANY of the specified criteria.
The chosen filter criteria are displayed under the Criteria Type and Criteria Values columns. To modify a criterion, choose one of the following methods: Highlight the criterion and then press the Modify button. Right-click the criterion and select Modify. Double-click the criterion.
To remove a criterion, choose one of the following methods:
Highlight the criterion and click the Remove button.
Highlight the criterion and press the Delete key on the keyboard.
Right-click the criterion and press the Delete key on the keyboard.
Note: Select several criteria for deletion by holding down the Shift or Ctrl key while clicking. Tip: Criteria can be copied and pasted between filters. To copy and paste criteria, select the criteria, right-click the selection and then choose Copy. Access the Filter Criteria tab of a Dynamic Filter, port or Filter Template, right-click in the Selected Criteria area of the tab and choose Paste (Replace) or Paste (Merge). The Paste (Replace) option removes the current filter criteria from the destination filter and replaces them with the criteria that were copied from the source filter. The Paste (Merge) option maintains the current filter criteria of the destination filter and adds the criteria that were copied from the source filter.
Figure 6-24. Copy Criteria from One Filter and Merge into Another Filter
Ctrl+C can also be used to copy criteria from the source filter. Ctrl+V can be used to paste criteria into the destination filter. The user will receive the following prompt after pressing Ctrl+V.
Library
Replace: Filter criteria can be changed by replacing the current filter criteria with criteria selected from the Filter Template Collections. Merge: Filter criteria can be augmented by merging the current filter criteria with criteria selected from the Filter Template Library. This option maintains the currently defined criteria and adds criteria from the Filter Template Library. Save: Selected filter criteria can be saved to the Filter Template Library.
SNMP Tag The SNMP tag field is a free-form text field that users may optionally configure for each filter. A user can configure one or more keywords using comma, space, or colon as separators. An SNMP management application can then use the keywords to facilitate customized search, sort, and aggregation of Anue MIB filter information.
The filter will be tagged with the defined text. The maximum length of this field is 255 characters.
Models 5236/5273: Custom dynamic filtering is not supported on 5236/5273 when IPv6 filtering is enabled (that is, when filter memory is allocated to support IPv6 filtering).
The NTO comes with several predefined fields for filtering traffic. Using those fields, you can specify the types of network packets allowed or not allowed to pass through a filter. The predefined filtering fields are available for network ports, tool ports, and dynamic filters. For a detailed explanation of how to use the predefined fields, see Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters on page 96. With Custom Dynamic Filtering, you can also define custom fields to use in your dynamic filters to match on parts of the packet headers and payload that are not accessible using the predefined fields. Custom fields allow you to match on 2- or 4-byte fields, up to 128 bytes deep into Ethernet packets. By defining your own custom fields, you can filter on specific bit patterns and values at selected locations in a packet. This allows access to header and payload fields in protocols such as MPLS, GTP, GRE, HTTP, FCoE, FIP, iSCSI, L2TP, VoIP, RTP, and more. Table 6-4 outlines the number and sizes of the custom fields available on each NTO model.
Table 6-4: Available Custom Fields on NTO Models
NTO Model | Available Custom Fields
| Custom dynamic filtering is not supported.
5236, 5273 | Up to 8 4-byte fields, on 4-byte boundaries, with sizes that are multiples of 4. Note: In the specific case of offset 0 from the start of a packet, the allowed sizes are 2 or 6.
5288, 5293 | Up to 16 2-byte fields, on 2-byte boundaries, with sizes that are multiples of 2.
The NTO has built-in support for MPLS (all models) and GTP (5288/5293 models only), providing access to specific named fields within those protocols and avoiding the need to calculate the exact packet positions of the fields. You can also create raw custom fields, or as the control panel refers to them, Custom fields. These more generic fields allow you to specify the size of the field and the offset from a location in the packet to the beginning of the field. The relative starting position for the offset can be either the beginning of the packet or the end of the Layer 2 header. When using the raw custom fields, be aware that if you're looking for a byte match at a certain offset, you can unintentionally match on unrelated data at that offset. To avoid that, check some other field, such as the IP protocol or TCP source port, to confirm that the packet is of the correct type. When you use the built-in protocols, MPLS and GTP, the NTO automatically provides these confirmation fields for you.
Unlike the predefined fields, which you can use on network ports and tool ports, you can only use custom fields in the dynamic two-stage filters that connect network ports to tool ports on the NTO. A dynamic two-stage filter using custom fields is also referred to as a custom filter. Keep the following in mind when using custom filters:
When using custom fields, not all predefined fields will be available in the same filter.
A network port can only be connected to one custom filter at a time.
A network port connected to a tool port through a standard dynamic filter cannot at the same time be connected to the same tool port through a custom filter.
In the NTO, custom fields are allocated in one or two field sets. These field sets appear on the Dynamic Custom Filtering dialog, where you define the custom fields. Access the dialog from the System Settings tab by clicking the link to the right of the Custom dynamic filtering field.
You can enable and define one or two field sets, but only enable what you need, because the field sets come at a price: each field set uses about 10% of the available dynamic filter and tool port filter memory, which reduces the amount of memory available for other types of filters. If you enable two field sets, you can use them in the same filter or in different filters. Using them in the same filter gives you up to 32 bytes of custom fields in a single filter; using them in different filters gives you up to 16 bytes of custom fields in any one filter. These are upper bounds because, in most cases, you do not use the full amount all at once. As you choose the composition of your custom fields, your choices use up bytes, usually in 2- or 4-byte increments depending on the NTO model (see Table 6-4 on page 109).
Not all of your choices cost bytes. Some are free and do not count against the 16 or 32 bytes available. These are typically fields in the outer headers of tunneled packets, and which ones you get for free depends on the layers and protocols you select to filter. For example, MPLS is a Layer 2 tunnel protocol identified by a specific Ethertype; when you choose MPLS & Custom as the types of fields to include in field set 1, Ethertype is provided as a free outer header field to use for confirmation. As another example, GTP is a Layer 3 and 4 tunnel protocol identified by a specific UDP port; when you choose GTP & Custom (5288/5293 only) as the types of fields to include in field set 1, Outer IP protocol and outer L4 source port are provided as free outer header fields to use for confirmation.
Table 6-5 shows the free headers you get as optional confirmation fields with the custom field types you choose to filter. It also shows the optional additional outer header fields you can select at a cost of 10% filter memory.
Table 6-5: Free Outside & Additional Headers with Selected Field Types
Selected Field Types Field Set 1 - MPLS & Custom Field Set 1 - GTP & Custom (5288/ 5293)
Additional Available Outer Header Fields VLAN VLAN Ethertype Outer IPv4 source or destination address Outer L4 source or destination port TCP Control VLAN Ethertype Outer IPv4 source or destination address Outer L4 source or destination port
Field Set 2 - MPLS & Custom Field Set 2 - GTP & Custom (5288/ 5293) Field Set 2 Custom (5236/ 5273) Field sets in same filter
Ethertype DSCP/ECN Outer IP protocol DSCP/ECN Outer IP protocol VLAN Ethertype DSCP/ECN Outer IP Protocol Outer L4 source or destination port TCP Control (5236/ 5273 only)
None None
None
None
NOTE: If you enable field sets 1 and 2 to be used in the same filter, all the custom fields you create must be for the same layer type. For example, if you add a GTP-U field (Layer 3/4) to the field sets, you cannot later add an MPLS field (Layer 2) to the field sets. 5236/5273: GTP custom fields are not available at this time.
To use custom fields, perform the following tasks, explained in detail in the sections that follow:
1. Enable one or both field sets. If you enable both field sets, choose whether to use them in the same or different filters.
2. Select the network layer with headers that will be most useful for your filtering.
3. Assign pre-defined (GTP-C, GTP-U, or MPLS) or Custom fields and their associated confirmation fields to the field sets.
4. Use the fields in the field sets in one or more dynamic filters, specifying the values to be matched.
NOTE: When editing fields in field sets, an existing field may be removed as long as it is not (a) in use in a Dynamic Filter or (b) saved as a filter template. If removal is attempted while one of these conditions exists, an error message describing the condition is displayed. In that case, first delete its use in all Dynamic Filters and filter templates; the field can then be removed from the field set.
Once you enable field sets and select a packet header layer for the custom fields, you can start adding custom fields to the field sets. You can allocate fields to a field set until you use up the available bytes: 16 bytes for one field set, or 32 bytes when both field sets are enabled for use in the same filter. Depending on the field type you select, you will be prompted to enter additional information, such as enabling confirmation fields and configuring the number of optional header words.
NOTE: The 16-byte limit of one field set is only large enough for one IPv6 address. To filter on both the source and destination IPv6 address in one filter, you need to enable both field sets in the same filter.
Confirmation fields are necessary to ensure the pre-defined fields are actually there. For example, if you add a GTP-U tunneled IPv4 source address field to a field set, you are given the option to confirm that the outer IP protocol is UDP, the outer UDP destination port is 2152, and the inner IP version is IPv4. If you don't check these confirmation fields, you might match packets that are not GTP-U packets but just happen to have an IPv4 address (or even just some matching bits!) at the same location.
In many cases, the packet protocols provide for optional fields in the headers. For example, IPv4, IPv6, TCP, and GTP headers all include optional fields which may or may not be present in a particular packet. In tunneled packets, the IP and TCP headers can appear both outside and inside the tunnel. In order to filter on custom fields, the NTO must know the exact offset from the start of the packet or the end of the outer Layer 2 header to that field. Therefore, if a custom field is deeper in the packet than one of the headers with optional fields, you must specify the size of those optional fields. For example, if you want to add the pre-defined field Tunneled IPv4 L4 Source Port in a GTP-U packet, you must specify the number of 32-bit words in the optional fields in the GTP-U header plus the number of 32-bit words in the optional fields in the inner IPv4 header. If you need to filter on packets with different numbers of optional fields, you will have to add the pre-defined field multiple times, once for each different size of the optional fields. As another example, to filter on fields inside MPLS tunnels you must specify the number of MPLS labels you expect in the packets, the service type (L2 VPN or L3 VPN), whether the pseudowire control word is present, and the number of VLAN tags in the tunneled frame.
Tip: A network protocol analyzer such as Wireshark can help you determine the information you need before you create custom filters. By examining some sample traffic you can determine, for example:
MPLS - how many MPLS labels are present
MPLS - how many VLAN tags are present in the inner L2 header
GTP-U - how many 32-bit words are in the optional fields in your GTP-U headers
Raw - the size in bytes (that is, the number of 32-bit words) of any optional fields in front of your field, such as the IPv4 header options
If one of the pre-defined GTP or MPLS fields does not suit your needs, you can also define raw custom fields, specifying your own offsets and field sizes. You specify a byte offset relative to the start of the packet or the end of the Layer 2 header and a byte length (or size). The byte offset and length must be multiples of 2 on the 5288/5293 and multiples of 4 on the 5236/5273. By selecting the end of the Layer 2 header, you can avoid having to account for any VLANs or variations in Ethernet frame formats (for example, Ethernet II, 802.2, LLC/SNAP, etc.). Be sure to account for any optional headers beyond the relative starting position when you define a Custom field. You must also specify a name for this field. The name is limited to 32 characters and must be unique across all custom fields. This name will appear in the dynamic filter dialog to allow you to filter on this custom field.
To perform custom filtering, complete the following two main tasks:
1. Define Custom Fields on page 114.
2. Use Custom Fields in Filters on page 118.
For a quick example of these two main tasks, see Quick Example: GTP-U Custom Filtering Field (5288/5293 only) on page 119.
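The offset arithmetic and the confirmation-field caveat described above, as an added example that is not part of the original guide or the NTO's own code: a Python model that computes the offset from the end of the outer L2 header to a field inside a GTP-U tunnel (counting the optional GTP-U and inner IPv4 words the guide asks for), compares a raw custom field with and without the guide's GTP-U confirmation checks, and totals the bytes a field set consumes. The packet bytes are constructed here; the field names (inner_ipv4_src and so on), the UDP-port extension header used to fill the second optional GTP-U word, and the 4-byte address / 2-byte port costs are this example's assumptions modelled on the guide's worked numbers, not NTO internals.

```python
"""Custom field offsets and confirmation fields, modelled in Python.

Added example, not code from the NTO guide. The packets below are constructed,
not captured; field names and byte costs are this example's assumptions.
"""
import ipaddress
import struct

L2_LEN = 14        # untagged Ethernet II header; each VLAN tag would add 4 bytes
GTPU_PORT = 2152   # outer UDP destination port the guide offers as a GTP-U confirmation


def ipv4(src, dst, proto, payload, options=b""):
    """IPv4 header (checksum left zero) with optional 4-byte-aligned options."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def gtpu(teid, payload, optional_words=0):
    """GTP-U v1 header: 8 mandatory bytes plus optional_words x 4 bytes.
    Word 1 is sequence/N-PDU/next-extension-type (S flag); every further word is
    a one-word extension header (E flag), here type 0x40 (UDP port), chained."""
    flags = 0x30 | (0x02 if optional_words >= 1 else 0) | (0x04 if optional_words >= 2 else 0)
    opt = b""
    if optional_words >= 1:
        opt += struct.pack("!HBB", 1, 0, 0x40 if optional_words >= 2 else 0)
    for i in range(2, optional_words + 1):
        opt += struct.pack("!BHB", 1, 0, 0x40 if i < optional_words else 0)
    return struct.pack("!BBHI", flags, 0xFF, len(opt) + len(payload), teid) + opt + payload


def tunneled_field_offset(field, gtpu_opt_words, outer_opt_words=0, inner_opt_words=0):
    """Byte offset from the end of the outer L2 header to a field inside a GTP-U
    tunnel; every variable-length header in front of it has to be counted."""
    inner_ip = (20 + 4 * outer_opt_words) + 8 + (8 + 4 * gtpu_opt_words)
    return {
        "inner_ipv4_src": inner_ip + 12,
        "inner_ipv4_dst": inner_ip + 16,
        "inner_l4_src_port": inner_ip + 20 + 4 * inner_opt_words,
        "inner_l4_dst_port": inner_ip + 22 + 4 * inner_opt_words,
    }[field]


def raw_match(pkt, offset, value):
    """A raw custom field: compare len(value) bytes at the offset and nothing else."""
    start = L2_LEN + offset
    return pkt[start:start + len(value)] == value


def confirmed_match(pkt, offset, value, gtpu_opt_words):
    """Same comparison gated by the guide's GTP-U confirmations: outer IP protocol
    is UDP, outer UDP destination port is 2152, inner IP version is 4."""
    ip = pkt[L2_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    udp_dst = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    inner = ip[ihl + 8 + 8 + 4 * gtpu_opt_words:]
    confirmed = ip[9] == 17 and udp_dst == GTPU_PORT and len(inner) > 0 and inner[0] >> 4 == 4
    return confirmed and raw_match(pkt, offset, value)


# Assumed byte costs matching the guide's worked numbers (4-byte address,
# 2-byte L4 port confirmation); real costs depend on the NTO model.
FIELD_BYTES = {"inner_ipv4_src": 4, "inner_ipv4_dst": 4, "inner_l4_src_port": 2,
               "inner_l4_dst_port": 2, "confirm_outer_l4_dst_port": 2}


def field_set_usage(fields, budget=16):
    """Bytes consumed by a field set; raises when the 16-byte budget is exceeded."""
    used = sum(FIELD_BYTES[f] for f in fields)
    if used > budget:
        raise ValueError(f"{used} bytes requested, only {budget} available in this field set")
    return used


TARGET = ipaddress.IPv4Address("10.1.2.3").packed                   # inner source to select
OFFSET = tunneled_field_offset("inner_ipv4_src", gtpu_opt_words=2)  # bytes past the L2 header

INNER = ipv4("10.1.2.3", "10.9.9.9", 6, struct.pack("!HH", 40000, 80) + b"\x00" * 16)
GTPU_PKT = (b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
            + ipv4("203.0.113.10", "198.51.100.20", 17,
                   udp(2152, GTPU_PORT, gtpu(0x1234, INNER, optional_words=2))))
# A DNS-looking UDP packet whose payload happens to carry 10.1.2.3 at the same offset.
DECOY_PKT = (b"\xaa" * 6 + b"\xcc" * 6 + b"\x08\x00"
             + ipv4("192.0.2.5", "192.0.2.53", 17,
                    udp(40001, 53, b"\x11" * (OFFSET - 28) + TARGET + b"\x00" * 8)))

if __name__ == "__main__":
    for name, pkt in (("gtpu", GTPU_PKT), ("decoy", DECOY_PKT)):
        print(name, "raw:", raw_match(pkt, OFFSET, TARGET),
              "confirmed:", confirmed_match(pkt, OFFSET, TARGET, 2))
    print("field set bytes:", field_set_usage(["inner_ipv4_src", "confirm_outer_l4_dst_port"]))
```

With two optional GTP-U words the inner source address sits 56 bytes past the L2 header, and the raw comparison is true for both the GTP-U packet and the decoy DNS packet; only the confirmed comparison rejects the decoy. The same function also shows why the guide asks for inner IPv4 option words: the inner L4 port moves by 4 bytes per option word, while the inner addresses do not.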
11. In the MPLS section, select How many VLAN tags are present in the inner L2 header - for example, 1. Note: You can use a tool like Wireshark to examine some sample traffic to determine how many VLAN tags are present in the inner L2 header.
12. In the Inner L3 section, select the confirmations you prefer - for example, Confirm IP version and Confirm IP protocol. If you select Confirm IP protocol, you also need to select the protocol - for example, TCP.
13. In the Inner L3 section, enter How many 32-bit words are present in the optional fields of the inner L3 header - for example, 1.
14. In the Inner L4 section, either accept the default Field Name or change the text. Note: The Field Name text is what displays as the button text on the Filter Criteria tab of the Edit Dynamic Filter dialog after you finish defining this custom filter field.
15. Click OK. In the Field Set 1 section, the Main Fields and Confirmation Fields populate with a summary of your selections, and in parentheses to the right of Field Set 1 the dialog shows the number of bytes you have used so far out of the total 16 bytes available - for example, 4 of 16 bytes used on the 5288.
16. Click OK. The Custom Dynamic Filtering dialog closes and the field sets you enabled display to the right of the Custom dynamic filter field in the Filtering section of the Settings tab - for example, Field Set 1.
NOTE: If you create a custom MPLS field type of Label, then when you use this custom field in a dynamic filter, the MPLS Label field accepts a decimal value between 0 and 1,048,575 (2^20 - 1). To use an MPLS custom field, see Use Custom Fields in Filters on page 118.
To define GTP custom fields: 1. In the System view, on the Settings tab, in the Filtering section, to the right of the Custom dynamic filtering field, click the link - for example, click Disabled (which is the default setting). Note: Once you enable custom dynamic filtering, the text on this link will change to describe the field sets that you enable. The Custom Dynamic Filtering dialog displays. 2. Select an Enabled State - for example, Field set 1 enabled.
3. In the Field Set 1 Free Outer Headers section, select the GTP layer and protocol you want for this custom filter field - for example, GTP & Custom (Layer 3/4 outer headers).
4. (Optional) In the Available Outer Header Fields section, select Provide additional outer headers (reserves an additional 10% of filter memory).
5. In the Field Set 1 section, click the Add button and select the GTP protocol you want from those available on the list - for example, GTP-U. The Select GTP-U Field Type dialog displays.
6. Select a GTP-U field type to create - for example, Tunneled IPv4 Src (source) Address - and click OK. The Add GTP-U Tunneled IPv4 Src Address Field dialog displays.
7. In the Outer L4 section, if desired, select Confirm outer L4 dst (destination) port. This confirmation uses 2 of the total 16 bytes available for this custom field set.
8. In the GTP-U section, enter How many 32-bit words are present in the optional fields in the GTP-U headers - for example, 2. Note: You can use a tool like Wireshark to examine the optional fields in some sample GTP-U headers to determine how many words you need to include in this custom dynamic filtering field.
9. In the Inner L3 section, if desired, select Confirm inner IP version. This confirmation uses 4 of the total 16 bytes available for this custom field set. Note: The Field Name text (in this example, GTP-U Tunneled IPv4 Src Address) is what displays as the button text for this custom field set when you select it on the Filter Criteria tab of the Dynamic Filter dialog.
10. For the Field Name, either accept the default field name or change the text.
11. Click OK. The selections you made in this dialog now display in the Field List for Field Set 1. Note: Notice that you have used 8 of the available 16 bytes for Field Set 1, shown in parentheses to the right of Field Set 1. You can add other Layer 3 and Layer 4 related protocol custom dynamic fields to Field Set 1 until you use all of the 16 bytes available. When you click OK again, the Custom Dynamic Filtering dialog closes and the field sets you enabled display to the right of the Custom dynamic filter field in the Filtering section of the Settings tab - for example, Field Set 1.
NOTE: If you create a custom GTP-U field type of TEID, then when you use this custom field in a dynamic filter, the GTP TEID field accepts a decimal value between 0 and 4,294,967,295 (2^32 - 1). To use a GTP custom field, see Use Custom Fields in Filters on page 118.
The Custom Dynamic Filtering dialog closes and the field sets you enabled display to the right of the Custom dynamic filter field in the Filtering section of the Settings tab - for example, Field Set 1. To use a raw custom field, see Use Custom Fields in Filters on page 118.
5. Click OK. The filter criterion displays in the Selected Fields section of the Filter Criteria tab.
6. Click OK. The Confirm dialog displays.
7. Click OK. The Confirm dialog closes, the Edit Dynamic Filter dialog closes, the Diagram view displays, and your custom filter begins filtering traffic.
2. Select Field set 1 enabled, GTP & Custom (Layer 3/4 outer headers), Provide additional outer headers, and click Add. A drop-list appears.
4. Select Tunneled IPv4 Src Address and click OK. The Add GTP-U Tunneled IPv4 Src Address Field dialog displays.
5. Select the confirmation field and type 2 in the field for How many 32-bit words are present in the optional fields in the GTP-U headers (assuming that's how many optional words your incoming packets will have).
Note: You can use a tool like Wireshark to examine the optional fields in some sample GTP-U traffic to determine how many words you want to include in this custom dynamic filtering field.
Note: The Field Name GTP-U Tunneled IPv4 Src Address is the button text that will display on the Filter Criteria tab of the Dynamic Filters dialog next to the GTP-U field once you select Custom Field Set 1 (see steps 8 and 9 below). In this dialog, you can change the button text that will display on the Filter Criteria tab.
6. Click OK. The selections you made in this dialog display in the Main Fields and Confirmation Fields for the Field Set 1 section of the Custom Dynamic Field dialog.
Note: Notice that you have used 6 of the available 16 bytes for Field Set 1, shown in parentheses to the right of Field Set 1. You can add other custom fields to Field Set 1 until you use all of the 16 bytes available.
7. Click OK.
8. Click the Diagram view icon on the Control Panel main window.
9. Right-click a Dynamic Filter icon, select Properties, and click the Filter Criteria tab.
10. Select Pass by Criteria, Custom Field Set 1, and click the GTP-U Tunneled IPv4 Src Address button. The Edit IPv4 Filter Criterion dialog displays.
11. Enter a valid source address or range of addresses and click OK. The IPv4 filter criterion displays in the Selected Fields section of the Filter Criteria tab.
13. Click OK. The Confirm dialog closes, the Edit Dynamic Filter dialog closes, the Diagram view displays, and your custom filter begins filtering traffic.
In this example, 96% Custom displays to the right of the Dynamic filter/Tool port meter, shown with a red box around it in the figure. In this case, 96% is how much dynamic filter and tool port filter memory that is still available for use. Note: You might have to use custom fields in dynamic filters connected to several network and tool ports before the display registers an available percentage less than 100% Custom.
Providing VLAN information to the Anue NTO
There are two ways to direct traffic to an incoming network port on an Anue NTO:
Mirrored ports (SPANs) - Port mirroring is used on a network switch to send a copy of all network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network tools that require a copy of what is happening on a VLAN, such as protocol analyzers or intrusion-detection systems. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); other vendors may use other names, such as Roving Analysis Port (RAP) on 3Com switches. Mirrored ports are defined as access ports on switches by default.
Trunk port taps - A tap (Test Access Point) is a passive splitting mechanism installed inline on a trunk connection between switches or other internetworking devices, at the point where the trunk link is terminated. Taps transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring device in real time. Note: When using taps, two network port connections are necessary for each tap because the TX and RX traffic is sent to the NTO on dedicated paths. For a configuration example, refer to the Installation Guide for your NTO model. Taps are normally connected to trunk ports but can also be connected to access ports.
NTO ports are configured for 802.1Q (dot1q) encapsulation and automatically belong to VLANs 1-4094. Packets with 802.1Q tags for VLANs 1-4094 may be filtered using the NTO. Because mirrored (SPAN) ports are configured as access ports by default, they will neither receive nor pass any 802.1Q header information in the traffic coming from that interface.
This means you may not create any Pass or Deny filters on the NTO that use VLAN ID as a pass or drop criteria if the ingress network port providing traffic to the filter is coming from a SPAN port that is configured as an access port. Once taps or SPAN ports have been properly installed and configured to pass desired traffic to the NTO, pass filters or tool port deny filters can then be created on any L2 or L3 criteria including VLAN ID. An example of a SPAN port configuration providing 802.1Q headers from a Cisco 4506 switch is provided below. SPAN port configuration providing 802.1Q headers
This configuration example shows the commands necessary to create a SPAN port on a Cisco 4506 Catalyst switch that delivers traffic, including the 802.1Q VLAN header information, to the Anue network port:

DDCPHRCE1# monitor session 1 source vlan 1 - 4094
monitor session 1 destination interface Gi4/13 encapsulation dot1q
interface GigabitEthernet4/13
 description DDC-SPN-DSW1 G7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no cdp enable

Notes:
Not all switches support this function.
Check the manufacturer's instructions to enable this feature.
The sequence in which the commands are entered may be important.
Specifying the 802.1Q encapsulation method may be necessary.
On the destination interface, switchport nonegotiate disables DTP trunk negotiation and no cdp enable stops CDP advertisements on the monitoring link, so the switch does not try to negotiate with, or announce itself to, the NTO port.
Two black arrows touching a vertical black line indicates that a filter is configured to Drop All packets.
When a filter is set to Pass by Criteria or Deny by Criteria, several additional indicators are displayed:
The AND symbol indicates that the filter mode is Pass by Criteria and the defined filter criteria are logically ANDed to allow traffic that matches all of the criteria. An OR symbol indicates that the filter mode is Pass by Criteria and the defined filter criteria are logically ORed to allow traffic that matches any of the criteria. The -AND symbol indicates that the filter mode is Deny by Criteria and the defined filter criteria are logically ANDed to deny traffic that matches all of the criteria. The -OR symbol indicates that the filter mode is Deny by Criteria and the defined filter criteria are logically ORed to deny traffic that matches any of the criteria. Dynamic filters do not support Deny by Criteria.
The text below the AND and OR symbols provides a quick overview of the configured filter criteria. For example, IP indicates that an IP protocol filter criterion has been defined and L4SPT indicates that a Layer 4 source port filter criterion has been defined. When more than three filter criteria are defined, the word "more" is displayed.
The text in the lower right corner describes the physical port. Table 6-6 lists the types of physical ports you will see for each NTO model.
Table 6-6: Supported Physical Port Types
Physical Port Type XFP, CX4, RJ-45, SFP, SFP+ SFP, SFP+, QSFP+
The text in the upper right corner indicates the link status. If the link is up, the text indicates the link speed; for example, 1G indicates that the port has successfully connected to a device at 1 Gbps. If the link is down, a red "X" is displayed. If the letters "EXP" are shown, the port has a time-limited license and the license has expired.
Filter Criteria Indicators - The table below provides a partial list of the filter indicators and a description of the corresponding filter criteria. Models 5288, 5293: These models do not support IPv6. Table entries below that refer to IPv6 are for models 5204, 5236, and 5273.
Filter Indicator | Filter Criteria
MACSA | MAC Source Address
MACDA | MAC Destination Address
VLAN | VLAN ID
VLANI | VLAN ID (packet must contain an IPv4 header)
ETYPE | Ethertype
IP4DA | IPv4 Destination Address
IP4SA | IPv4 Source Address
IP6DA | IPv4/IPv6 Destination Address
IP6SA | IPv4/IPv6 Source Address
PROTO | More than one IP protocol is defined (when a single IP protocol is defined, the indicator represents that specific protocol)
The criteria types that appear in the table are Layer 2, Layer 3/4 IPv4, Layer 3/4 IPv6, and Layer 3/4 IPv4 or IPv6. Further criteria listed in the table are DSCP/ECN, Layer 4 Source Port (indicator L4SPT), Layer 4 Destination Port, and TCP Control.
Filter Symbols Once a filter is created it will display the filter name, the filter criteria indicators and a filter icon. The filter icon displayed will differ based on the filter mode. Three arrows in and one arrow out indicate that the dynamic filter is configured to Pass traffic by criteria.
Three arrows in and three arrows out indicates that the dynamic filter is configured to Pass All traffic.
Three arrows in and no arrows out indicates that the dynamic filter is configured to Drop All traffic.
The circled number 1 indicates that a dynamic filter is configured as a one-stage filter.
Cause: The most common cause for this indicator is that several network ports have been aggregated to the tool port (for example, three 1G network ports aggregated to one 1G tool port). Traffic burstiness may also be a factor with many-to-one connections.
Troubleshooting tips:
1. Observe the tool port Tool Management View to find out which network port is sending the most traffic and contributing the greatest amount of packets to the overflow condition. Re-configure as necessary to prevent the alarm condition.
2. Apply filter criteria to the filter to prevent unnecessary traffic from flowing to the tool port.
3. Be aware that in some scenarios, overlapping filter criteria can cause packets to drop. For more information about overlapping filter criteria, see the Tool Management View section.
4. Microbursts of traffic can occur that may also cause traffic to drop. Bursts of traffic with durations shorter than 1 second are typically referred to as microbursts. Additional information about microbursts can be found in the Understanding Traffic Burstiness technical note that can be downloaded from the Anue Customer Portal.
See Technical Support on page 11 of this document for information on how to access the Anue Customer Portal.
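How the AND, OR, -AND and -OR symbols combine criteria, and how overlapping filters add to the load on a shared tool port (the third troubleshooting tip above), as an added Python model that is not part of the guide. Header names follow the indicator table; the packet dictionary, the field_in helper, the NtoFilter class and all sample addresses and ports are assumptions.

```python
# Added example (not from the Anue NTO User Guide): a Python model of the filter
# modes drawn by the AND, OR, -AND and -OR symbols, plus Pass All and Drop All,
# and of how overlapping filters multiply the load on a shared tool port.
# Header names follow the indicator table; the packet representation, the
# field_in helper and all sample addresses and ports are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

Packet = Dict[str, object]            # header field name -> value, e.g. {"IP4DA": "10.0.0.5"}
Criterion = Callable[[Packet], bool]  # one configured filter criterion


def field_in(name: str, allowed: Iterable[object]) -> Criterion:
    """Criterion matching packets whose header `name` is one of `allowed`."""
    allowed = set(allowed)
    return lambda pkt: pkt.get(name) in allowed


@dataclass
class NtoFilter:
    name: str
    mode: str                  # "pass_all", "drop_all", "pass_by_criteria", "deny_by_criteria"
    logic: str = "AND"         # "AND" or "OR": how several criteria are combined
    criteria: Dict[str, Criterion] = field(default_factory=dict)  # indicator -> predicate
    dynamic: bool = False      # dynamic filters do not support Deny by Criteria

    def __post_init__(self) -> None:
        if self.dynamic and self.mode == "deny_by_criteria":
            raise ValueError(f"{self.name}: dynamic filters do not support Deny by Criteria")

    def symbol(self) -> str:
        """Text symbol the diagram view shows for a criteria-based filter."""
        if self.mode == "pass_by_criteria":
            return self.logic          # AND or OR
        if self.mode == "deny_by_criteria":
            return "-" + self.logic    # -AND or -OR
        return self.mode.upper()       # PASS_ALL / DROP_ALL are drawn as arrow icons

    def indicators(self) -> str:
        """Text under the symbol: the first three indicators, then the word more."""
        names = list(self.criteria)
        return " ".join(names[:3] + (["more"] if len(names) > 3 else []))

    def _criteria_match(self, pkt: Packet) -> bool:
        if not self.criteria:
            raise ValueError(f"{self.name}: a criteria-based mode needs at least one criterion")
        results = [check(pkt) for check in self.criteria.values()]
        return all(results) if self.logic == "AND" else any(results)

    def passes(self, pkt: Packet) -> bool:
        """True if this filter forwards the packet to its connected tool port(s)."""
        if self.mode == "pass_all":
            return True
        if self.mode == "drop_all":
            return False
        matched = self._criteria_match(pkt)
        if self.mode == "pass_by_criteria":
            return matched             # AND: all criteria match; OR: any criterion matches
        if self.mode == "deny_by_criteria":
            return not matched         # -AND: deny when all match; -OR: deny when any matches
        raise ValueError(f"unknown filter mode {self.mode!r}")


def tool_port_load(filters: List[NtoFilter], packets: List[Packet]) -> int:
    """Packets delivered to one tool port fed by several filters.

    Each filter forwards its own copy, so a packet matched by two overlapping
    filters reaches the tool port twice. The total can exceed what the network
    port sent, which is one way overlapping criteria contribute to the
    tool-port overflow condition discussed in the troubleshooting tips.
    """
    return sum(1 for f in filters for pkt in packets if f.passes(pkt))


# Constructed sample traffic to an IDS-monitored host (10.0.0.5) and one other host.
SAMPLE_PACKETS: List[Packet] = [
    {"MACSA": "00:11:22:33:44:55", "IP4DA": "10.0.0.5", "PROTO": 6, "L4DPT": 443},
    {"MACSA": "00:11:22:33:44:66", "IP4DA": "10.0.0.5", "PROTO": 6, "L4DPT": 443},
    {"MACSA": "00:11:22:33:44:66", "IP4DA": "10.0.0.5", "PROTO": 6, "L4DPT": 22},
    {"MACSA": "00:11:22:33:44:77", "IP4DA": "10.0.0.9", "PROTO": 6, "L4DPT": 80},
]


def _host_https() -> Dict[str, Criterion]:
    """The two criteria shared by every sample filter: IPv4 destination and L4 port."""
    return {"IP4DA": field_in("IP4DA", {"10.0.0.5"}), "L4DPT": field_in("L4DPT", {443})}


# One filter per symbol, all using the same two criteria (deny modes on non-dynamic filters).
FILTERS: Dict[str, NtoFilter] = {
    "AND": NtoFilter("ids-https", "pass_by_criteria", "AND", _host_https(), dynamic=True),
    "OR": NtoFilter("ids-any", "pass_by_criteria", "OR", _host_https(), dynamic=True),
    "-AND": NtoFilter("not-https-to-host", "deny_by_criteria", "AND", _host_https()),
    "-OR": NtoFilter("not-host-nor-https", "deny_by_criteria", "OR", _host_https()),
}


def passed_counts() -> Dict[str, int]:
    """How many of the sample packets each filter mode forwards."""
    return {sym: sum(1 for p in SAMPLE_PACKETS if f.passes(p)) for sym, f in FILTERS.items()}


if __name__ == "__main__":
    counts = passed_counts()
    for sym, f in FILTERS.items():
        print(f"{sym:>4} [{f.indicators()}] forwards {counts[sym]} of {len(SAMPLE_PACKETS)} packets")
    print("two overlapping filters on one tool port:",
          tool_port_load([FILTERS["AND"], FILTERS["OR"]], SAMPLE_PACKETS), "packets")
```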
Cause: The network or tool port could not negotiate speed and duplex (half, full) with the connected device.
Troubleshooting tips:
1. Verify the connectivity between the device and the NTO port (re-seat the cables and SFP/XFP if applicable).
2. Verify that the connectivity elements are correct and match, i.e. multi-mode fiber and 850 nm multi-mode SFP. For information about supported SFPs/XFPs, refer to the Installation Guide for your NTO model.
3. Check the port LED status. For more information, refer to the Installation Guide for your NTO model.
4. Change the NTO port speed to match the connection speed and duplex mode of the connected device.
Units (Statistics View only) Checkboxes are available for Packet, Bytes and Other.
A checked box indicates that all statistics with that category or unit are currently being displayed.
A filled box indicates that some (but not all) statistics with that category or unit are currently being displayed. An empty box indicates that no statistics with that category or unit are being displayed.
Time of Displayed Stats: Displays the time at which the statistics were collected on the NTO server. The time is displayed in the local time zone of the PC running the control panel. Users running the control panel in different time zones will see different times displayed here.
Display Refresh Interval: Indicates how often the display is updated to show new statistics values. Click the value to configure the interval. This setting does not affect how often statistics are collected on the NTO, which is always once per second. The refresh interval can also be configured under the Edit -> Options menu.
The Export to CSV button exports the information displayed in the view (Settings or Statistics) to a comma separated value file. The Pause button temporarily suspends the display of new statistics values throughout the control panel (the button name will change to Resume during pause). This button does not affect the actual collection of statistics on the NTO server.
General View Tips
You can click a column heading to sort by values in that column. There are scroll bars at the bottom and along the right side of the view that allow fields that are not visible to be displayed. Disabled ports can be hidden/displayed by pressing the F11 key on the keyboard. Double clicking on an object or selecting a port and clicking the Properties Icon will display the properties window. Ctrl double clicking on a port/filter will open the statistics window. Right clicking on an object provides a menu with several options specific to the object type. For example, the object properties can be opened, an object can be connected to other objects, and ports can be added to port groups.
Several objects can be modified simultaneously by:
Holding down the Ctrl key, selecting the ports and then right clicking on one of the ports and choosing an available menu option. For example, several ports can be enabled at once by selecting the Enable option.
Dragging the mouse to highlight several objects and then right clicking on one of the objects and choosing an available menu option. For example, port statistics can be reset for several ports at once using this method.
Customizing the Tabular Views To hide columns, right click on any column name. A list of all column names that can be displayed in the view appears. A check will be visible to the right of all currently displayed columns. Select the name of the column that you want to hide. Reverse the procedure to display columns that are currently hidden. Columns that are grayed out cannot be hidden. The width of the columns in the view can be adjusted by clicking on the border to either side of the column heading and dragging to the left or right.
Diagram View
The diagram view (the default view) displays the ports, port groups and filters laid out graphically. This view shows how packets flow through the NTO, entering the box through network ports on the left, then through dynamic filters in the middle, and finally out through tool ports on the right.
Ports View
The ports view displays licensed port settings and statistics in tabular form.
Transceiver Info: Click this button to display transceiver information for all of the ports on the system. This feature displays the properties and capabilities of the installed transceivers. This helps to ensure that the transceivers are the correct devices for your network configuration and are compatible with your optical wiring. Model 5204: Transceiver Information is displayed only for transceivers that are installed into the ports of expansion modules. Expansion modules are installed at the rear of the unit. Diagnostics are also provided to verify that transceiver links are operating within adequate margins and to troubleshoot connectivity issues. An example of a Transceiver Info window is shown below. The window has been split into three sections for ease of understanding.
The top section of the window displays the NTO model number, the NTO IP address, and the date the snapshot of transceiver information was obtained. The Alerting Port(s) summary lists the ports containing transceivers that had an alert or warning status at the time the snapshot was taken. The example above
indicates that the transceivers in ports P02, P03 and P04 have an alert. Alerts and warnings are explained in more detail below.
The next section of the display lists the port number, transceiver identification information and the characteristics or capabilities of the transceiver installed in the port.
Note: Only the transceiver capabilities relevant to operation within Ethernet networks are displayed. The displayed data is retrieved from the EEPROM of the transceiver. If the transceiver does not provide certain data, the field may display the value unknown.
The bottom section of the display provides real time transceiver diagnostics and operating parameters. When the Transceiver Info button is clicked, a snapshot of the current Rx and Tx Power, Temperature, Voltage, and Tx Laser Bias is displayed in the Current Value column. The Units column provides the unit of measurement. The Diagnostics field indicates whether the transceiver was internally or externally calibrated. Internally calibrated transceivers directly report calibrated values in units of current, power, etc. Externally calibrated transceivers report A/D (analog-to-digital) counts which must be converted to real world units by the NTO using calibration values read from the EEPROM.
The Alert Low, Warn Low, Warn High and Alert High columns display thresholds for the different states. For example, the current Rx Input Power is -40.00 dBm. The table indicates that a value less than or equal to -23.98 dBm is an Alert Low, which explains the Alert status for Rx Input Power. The Current Status column displays whether the current value is in the Normal (green), Warning (orange), or Alert (red) range.
Network Port statistic definitions can be found in the Network Port Statistics section. Tool Port statistic definitions can be found in the Tool Port Statistics section.
When the Settings option is selected, the Dynamic Filters View provides the following information:
Filter Name
Mode
Criteria
Dynamic Filter Type
Description
Network Ports
Tool Ports
Access Settings for Modifying
Access Settings for Connecting/Disconnecting Network Ports
Access Settings for Connecting Tool Ports
Modified
Modified By
Created
Created By
When the Statistics option is selected, the Dynamic Filters View provides the following information.
Name, Mode, Access
% Bytes Passed (cur), % Bytes Passed (avg), % Bytes Passed (peak), Time Since % Bytes Passed (peak)
% Pkts Passed (cur), % Pkts Passed (avg), % Pkts Passed (peak), Time Since % Pkts Passed (peak)
Inspected Bytes, Inspected Bits/Sec (cur), Inspected Bits/Sec (avg), Inspected Bits/Sec (peak), Time Since Inspected Bits/Sec (peak)
Inspected Pkts, Inspected Pkts/Sec (cur), Inspected Pkts/Sec (avg), Inspected Pkts/Sec (peak), Time Since Inspected Pkts/Sec (peak)
Passed Bytes, Passed Bits/Sec (cur), Passed Bits/Sec (avg), Passed Bits/Sec (peak), Time Since Passed Bits/Sec (peak)
Passed Pkts, Passed Pkts/Sec (cur), Passed Pkts/Sec (avg), Passed Pkts/Sec (peak), Time Since Passed Pkts/Sec (peak)
Time Since Stats Reset, Reset By
Filter statistic definitions can be found in the Dynamic Filter Statistics section.
Library View
The Library View is used to organize libraries of filter templates and custom icons shared by all users. Collections can also be shared between NTO systems by copying one or more collections from one NTO and pasting them into the library of another system or by exporting them from one system and importing them into another. All users can create and modify library collections. The Library View provides a Filter Templates tab and Custom Icons tab.
Filter template collections can be shared between NTO systems by copying one or more collections from one NTO and pasting them into the filter library of another system.
For collections and templates, the following information is displayed:
The Name of the filter template or collection
A Description of the filter template or collection
The Criteria of the filter template (this field is not available for collections)
The date the filter template or collection was last Modified
The name of the user who last modified the filter template or collection (Modified By)
The date the filter template or collection was Created
The name of the user who created the filter template or collection (Created By)
Modifying Filter Templates
There are several methods that can be used to modify a filter template:
1. Double click on the template.
2. Right click on the template and select Properties.
3. Select the template and then click the Properties Icon in the toolbar below the main menu.
Deleting Filter Templates
The listed filter templates can be deleted by right clicking on the template and selecting Delete from the pop-up menu. The user can also select the filter template and press the Delete key on the keyboard or click the Delete Icon in the tool bar.
Creating Filter Template Collections
There are several methods to create filter template collections:
1. Select File->New->Filter Template Collection.
2. Filter template collections can be created using the New Filter Template Collection icon displayed in the toolbar below the main menu options.
3. When saving filter templates from the filter criteria tab of any object, there is an option to create a new filter template collection. Use the New button to create a new collection.
4. Filter template collections can be created by right clicking in the Filter Template Collections pane of the Library view and selecting New Filter Template Collection.
The New Filter Template Collection window displays. A Name and an optional Description can be entered.
4. Filter templates can be created by right clicking in the Filter Templates pane of the Library view and selecting New Filter Template.
Collection: The filter template will be saved to the selected filter template collection. The drop down box can be used to select the target filter template collection. The New button can be clicked to create a new filter template collection. A Name and an optional Description can be entered.
Filter Template Available Criteria
The same filter criteria options that can be specified for dynamic filters, ports and port groups can also be specified for filter templates. See Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters for details and examples.
A tooltip can be assigned to the icon. The icon file name is the default icon tooltip but the name can be modified during the processing of adding the icon to the library. Tooltips can also be edited using the Edit Tooltip button. Note that tooltips are only visible in the library and in the Port Icon area of the Properties tab of ports, dynamic filters and port groups. Use the Remove button to remove an icon from the custom icon collection.
Users View
The Anue NTO supports two flavors of user authentication: Local and Remote (using TACACS+ or RADIUS). When the system is using local authentication, the Users view displays all local users that are defined in the internal NTO user database. When the system is using remote authentication, it is not possible to determine the complete list of users defined in the remote server. In that case, the Users view infers as many users as it can by displaying the list of currently logged-in users, and any users which appear in locally-defined groups.
The default administrator account, "admin," is always a local account and is always present even when remote authentication is used. The following information is displayed in the Users View:
Login ID
System Administrator capabilities: Whether the user has system administrator capabilities. A red x indicates a non-system administrator; a green check mark indicates that a user has system administrator capabilities.
Online status: A red x indicates offline; a green check mark indicates online.
Session Type: Indicates whether a user is logged in from a Control Panel GUI or a Tcl shell.
Full Name: The full name assigned to the user.
Email Address and Phone Number: The email address and phone number assigned to the user.
Authentication Mode: Indicates whether the user is a Local, TACACS+, or RADIUS user.
Owner of Groups: Lists the groups for which the user is an Owner.
Member of Groups: Lists the groups of which the user is a Member.
Port Modify Access: Lists the ports which the user has permission to modify.
Port Connect/Disconnect Access: Lists the ports to which the user has permission to connect.
Dynamic Filter Modify Access: Lists the dynamic filters which the user has permission to modify.
Dynamic Filter Connect/Disconnect Network Port Access: Lists the dynamic filters which the user has permission to connect to network ports.
Dynamic Filter Connect Tool Port Access: Lists the dynamic filters which the user has permission to connect to tool ports.
Modified: The date and time the user properties were last modified.
Modified By: The login ID of the user who last modified the user account.
Created: The date and time the user was created.
Created By: The login ID of the user who created the user.
The text at the top left of the view indicates the authentication mode of the Net Tool Optimizer. The text reads Locally-Defined Users when the unit is in local authentication mode, TACACS+ authentication enabled when the unit is in TACACS+ authentication mode, and RADIUS authentication enabled when the unit is in RADIUS authentication mode. User account information cannot be modified when the unit is in TACACS+ or RADIUS authentication mode with the exception that the local administrator (admin) can modify their own account. In local authentication mode, users without system administrator capabilities can view the properties of all users and modify their own user properties by double clicking on a user entry. System administrators can double click on any user to view and modify the user properties. Note: The password for the "admin" account can only be changed by the "admin" user. It cannot be changed by any other administrator account. If forgotten, the "admin" password can be reset. Details differ depending on the NTO model: Models 5204/5236/5273: See Resetting the Admin Password from the LCD Menu for more information. Models 5288/5293: See Reset Administrator Password for more information.
Modifying User Settings
The user settings can be modified by right clicking on a user and selecting a menu option. Right clicking on a user provides several menu options:
New: Users can be created
Delete: Users can be deleted
Properties: The user properties can be accessed
Groups View
When the system is using Local authentication, the Groups view displays all local groups that are defined in the internal NTO group database. When the system is using remote (TACACS+ or RADIUS) authentication, it is not possible to determine the complete list of groups defined in the remote server. In that case, the Groups view infers as many groups as it can by displaying the list of groups to which any currently logged-in users belong, and any groups which appear in port access lists.
Groups are used to conveniently assign access privileges for ports and filters to a group of users with similar access needs. This eliminates the burden of having to assign and maintain an access list of individual users. For example, members of the security team can be organized into a security group that has access to modify and connect to the Intrusion Detection System (IDS) tools. Groups can be defined in any manner to meet your organization's needs. Group composition can be based on function (networking, security, compliance, etc.), roles (administrators, basic users, managers) or group structure (project team, geographic location, etc.).
In Local authentication mode or in remote authentication mode with local groups, groups can be created, edited, and deleted from the group view. Once defined, groups can then be granted access control privileges to network ports and tool ports by a system administrator. For more details about access control, see Access Control Using Groups.
The following fields are displayed in the Groups view:
Name
Description
Group Owners: the Login IDs of the users who can add/remove users from the group
Group Members
Used in Ports: the list of ports whose access control lists include the group
Modified: The date the group was last modified
Modified By: the Login ID of the user who last modified the port group
Created: The date the group was created
Created By: the Login ID of the user who created the port group
The Export to CSV button exports the information displayed in the view to a comma separated value file. The view can display Brief or Verbose information. The CSV file can then be imported into a spreadsheet so the information can be used for documentation purposes.
Modifying Group Settings
Groups can be modified by right clicking on a group and selecting a menu option. Right clicking on a group provides the following menu options:
New Group: New groups can be created
Add User(s): Users can be added to groups
Remove User(s): Users can be removed from groups
Copy: Groups can be copied (and then pasted into the Groups view under a different name)
Paste: Groups can be pasted into the Groups view
Delete: Groups can be deleted
Properties: Group properties can be accessed
There are three methods that can be used to begin the process of creating a local group (note that these options are only visible to system administrators):
1. Groups can be created using the New Group icon displayed in the toolbar below the main menu options.
2. Right click in the table area of the Groups View and select New Group.
3. Select File->New->Group from the main menu.
When the New Group window displays, enter a Name and optional Description.
Click the Add button to begin adding users to the new group. Note that system administrators do not need to be (and cannot be) added to groups because they always have full access to every port and filter.
Select the users from the displayed list. Several users can be selected by using the Shift or Ctrl keys. Then click OK to add the users. When the NTO is configured in TACACS+ or RADIUS authentication mode, a slightly different Select Users dialog appears (shown below). For more information about TACACS+ and Radius authentication modes, see Chapter 8, Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS. Only non-administrator users that are currently logged in to the NTO will appear on the Select Users list. A comma-separated list of names of remote users that are not listed in the dialog can be entered manually in the field at the bottom of the dialog. A remote user is defined as a Login ID listed in the configuration database of the remote authentication server (either TACACS+ or RADIUS).
If there are no non-administrator remote users logged in to the NTO at the time, the Select Users dialog will show only the name entry text field, as shown in Figure 7-22.
Tip: Users can be copied from one group and pasted into another group. Select users from the Members area of a group's General tab, right click and select Copy. Right click in the Members area of the destination group's General tab and select Paste. After users have been added to a group, one or more users can be designated as a Group Owner. Click the checkbox under the Group Owner field to designate a user as a group owner. The owner of a group has the ability to add and remove group members.
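The group-based access rules described in the Users and Groups views (system administrators always have full access to every port and cannot be group members, group owners add and remove members, and port access lists name groups), as an added Python model that is not from the guide. All user, group and port names are constructed, and the AccessControl class and its method names are assumptions.

```python
# Added example (not from the Anue NTO User Guide): a model of the group-based
# access control described in the Users and Groups views. Users, groups and
# port names are constructed; the rules (system administrators always have full
# access and cannot be group members, group owners can add or remove members,
# port access lists name groups) follow the guide's text.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class User:
    login: str
    system_admin: bool = False


@dataclass
class Group:
    name: str
    members: Set[str] = field(default_factory=set)   # login IDs
    owners: Set[str] = field(default_factory=set)    # login IDs allowed to add/remove members


@dataclass
class Port:
    name: str
    modify_groups: Set[str] = field(default_factory=set)   # groups with Modify access
    connect_groups: Set[str] = field(default_factory=set)  # groups with Connect/Disconnect access


class AccessControl:
    def __init__(self) -> None:
        # The default "admin" account is always present and always a system administrator.
        self.users: Dict[str, User] = {"admin": User("admin", system_admin=True)}
        self.groups: Dict[str, Group] = {}
        self.ports: Dict[str, Port] = {}

    # --- group membership (Groups view: Add User(s) / Remove User(s)) ---
    def _check_group_editor(self, actor: str, group: Group) -> None:
        if self.users[actor].system_admin or actor in group.owners:
            return
        raise PermissionError(f"{actor} is neither a system administrator nor an owner of {group.name}")

    def add_member(self, actor: str, group_name: str, login: str) -> None:
        group = self.groups[group_name]
        self._check_group_editor(actor, group)
        if self.users[login].system_admin:
            raise ValueError("system administrators cannot be added to groups")
        group.members.add(login)

    def remove_member(self, actor: str, group_name: str, login: str) -> None:
        group = self.groups[group_name]
        self._check_group_editor(actor, group)
        group.members.discard(login)
        group.owners.discard(login)   # assumption: an owner is chosen from the members

    # --- effective port access (Users view columns) ---
    def _groups_of(self, login: str) -> Set[str]:
        return {g.name for g in self.groups.values() if login in g.members}

    def can_modify(self, login: str, port_name: str) -> bool:
        if self.users[login].system_admin:
            return True                 # full access to every port and filter
        return bool(self._groups_of(login) & self.ports[port_name].modify_groups)

    def can_connect(self, login: str, port_name: str) -> bool:
        if self.users[login].system_admin:
            return True
        return bool(self._groups_of(login) & self.ports[port_name].connect_groups)

    def port_modify_access(self, login: str) -> List[str]:
        """'Port Modify Access' column for a user."""
        return sorted(p for p in self.ports if self.can_modify(login, p))

    def used_in_ports(self, group_name: str) -> List[str]:
        """'Used in Ports' column: ports whose access lists include the group."""
        return sorted(p.name for p in self.ports.values()
                      if group_name in p.modify_groups or group_name in p.connect_groups)


def build_sample() -> AccessControl:
    """Constructed sample: a security group that may modify and connect the IDS tool port."""
    ac = AccessControl()
    for login in ("alice", "bob", "carol"):
        ac.users[login] = User(login)
    ac.groups["security"] = Group("security", members={"alice"}, owners={"alice"})
    ac.ports["T01-IDS"] = Port("T01-IDS", modify_groups={"security"}, connect_groups={"security"})
    ac.ports["T02-Analyzer"] = Port("T02-Analyzer", connect_groups={"security"})
    ac.ports["N01"] = Port("N01")
    ac.add_member("alice", "security", "bob")   # alice owns the group, so this is allowed
    return ac


if __name__ == "__main__":
    sample = build_sample()
    for login in sample.users:
        print(login, "can modify:", sample.port_modify_access(login))
    print("security group used in ports:", sample.used_in_ports("security"))
```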
System View
The System view provides status, settings, version, license, and hardware information about the overall system. These elements are described in more detail in the following sections.
Status Tab
The Status tab displays overall status of the system and its components, including information such as uptime, temperatures, and an event history. The Status tab displays different information depending on the model of your NTO.
Several items shown on the Status tab can give rise to system alarms due to various failure conditions. In the presence of no adverse conditions, the alarm status of these items is shown as a green check mark, indicating that the subsystem is functioning normally - i.e. no alarms are present. A minor alarm, such as a small rise in temperature, will appear as a yellow exclamation point, and a major alarm, such as a large rise in temperature, will appear as a red exclamation point. Details about an alarm, such as the time it occurred, can be seen by hovering the mouse over the alarm icon. The most severe alarm will be reflected in the Session tab at the top of the window. This alarm indicator will always be visible, even when not viewing the System Status tab.
The following table describes the various alarm levels:
Operational Condition   Color    Meaning
Normal                  Green    Resource is in a normal operational state.
Minor                   Yellow   Alarm level that indicates a problem of relatively low severity that should not impede use of the resource. Corrective action should be taken in order to prevent a more serious fault.
Major                   Red      Alarm level that indicates some kind of possibly service-affecting problem with the resource. The severity of the problem is relatively high and normal use of the resource is likely to be impaired. This requires urgent action.
System
System time: Displays the current time on the NTO server. The time is displayed in the local time zone of the PC running the control panel. Users running the control panel in different time zones will see different times displayed here.
Up Time: Displays the amount of time since the NTO was last restarted.
General
Temperature: Displays the primary temperature of the system in Celsius/Fahrenheit. Acceptable temperature ranges differ for the various models of NTO. Table 7-1 shows the messages for the different models.
Table 7-1: Acceptable Temperature Ranges
Temperature Status
Model   Normal        Warm (Minor Alarm)   Hot (Major Alarm)
5204    <=63C/145F    >63C/145F            >66C/151F
5236    <=61C/142F    >61C/142F            >64C/147F
5273    <=75C/167F    >75C/167F            >80C/176F
5288    <=49C/120F    >49C/120F            >65C/149F
5293    <=49C/120F    >49C/120F            >65C/149F
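Classifying a measured value against the Alert Low / Warn Low / Warn High / Alert High thresholds of the Transceiver Info window (Ports View above) and against the per-model ranges of Table 7-1, as an added Python example that is not from the guide. The -40.00 dBm Rx Input Power and the -23.98 dBm Alert Low are the page's figures; the other three Rx power thresholds are constructed, and the Thresholds class, status names and helper functions are assumptions.

```python
# Added example (not from the Anue NTO User Guide): classifying a measured value
# against the Alert Low / Warn Low / Warn High / Alert High thresholds shown in
# the Transceiver Info window, and against the per-model temperature ranges of
# Table 7-1. The -40.00 dBm / -23.98 dBm Rx power figures come from the guide;
# the remaining transceiver thresholds are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

NORMAL, WARNING, ALERT = "Normal", "Warning", "Alert"     # Current Status column
SEVERITY = {NORMAL: 0, WARNING: 1, ALERT: 2}              # green, orange/yellow, red


@dataclass(frozen=True)
class Thresholds:
    alert_low: Optional[float] = None    # None = threshold not defined, so not checked
    warn_low: Optional[float] = None
    warn_high: Optional[float] = None
    alert_high: Optional[float] = None


def classify(value: float, t: Thresholds) -> str:
    """Status of `value`. Alert is checked before Warning so the more severe
    state wins. The guide states that a value less than or equal to Alert Low
    is an Alert, so low-side tests are inclusive; high-side tests use a strict
    '>' to match the '>' notation of Table 7-1."""
    if t.alert_low is not None and value <= t.alert_low:
        return ALERT
    if t.alert_high is not None and value > t.alert_high:
        return ALERT
    if t.warn_low is not None and value <= t.warn_low:
        return WARNING
    if t.warn_high is not None and value > t.warn_high:
        return WARNING
    return NORMAL


# Transceiver Info row for Rx Input Power (dBm). Alert Low is the page's value;
# the other three thresholds are constructed for the example.
RX_POWER_DBM = Thresholds(alert_low=-23.98, warn_low=-20.98, warn_high=0.0, alert_high=3.0)

# Table 7-1 in Celsius: Normal upper bound doubles as the Warm threshold.
TABLE_7_1_C: Dict[str, Thresholds] = {
    "5204": Thresholds(warn_high=63, alert_high=66),
    "5236": Thresholds(warn_high=61, alert_high=64),
    "5273": Thresholds(warn_high=75, alert_high=80),
    "5288": Thresholds(warn_high=49, alert_high=65),
    "5293": Thresholds(warn_high=49, alert_high=65),
}

TEMPERATURE_LABEL = {NORMAL: "Normal", WARNING: "Warm (Minor Alarm)", ALERT: "Hot (Major Alarm)"}


def temperature_status(model: str, celsius: float) -> str:
    """Table 7-1 temperature status for an NTO model."""
    return TEMPERATURE_LABEL[classify(celsius, TABLE_7_1_C[model])]


def most_severe(statuses: Iterable[str]) -> str:
    """The single status the Session tab would show: the worst of all items."""
    return max(statuses, key=SEVERITY.get, default=NORMAL)


def transceiver_report(current: Dict[str, float], thresholds: Dict[str, Thresholds]) -> Dict[str, str]:
    """Current Status column for each diagnostic row, e.g. {'Rx Power': 'Alert'}."""
    return {name: classify(value, thresholds[name]) for name, value in current.items()}


if __name__ == "__main__":
    print(transceiver_report({"Rx Power": -40.00}, {"Rx Power": RX_POWER_DBM}))
    for model in TABLE_7_1_C:
        print(model, "at 64C:", temperature_status(model, 64))
```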
Temperature Warning: Please ensure that the Net Tool Optimizer is properly ventilated. The NTO will shut down automatically once the unit temperature rises above a critical temperature. Temperatures vary between NTO models. See Table 7-2 for details.
Fan Status (5236 only): Displays the status of the unit fans. OK will display if all fans are working correctly. If there has been a fan failure, the total number of failed fans will display and a minor alarm will be raised. Power supply (5204/5236 only): Displays the power supply status. Status reported will be Good or Bad. A power supply failure (Bad status) will raise a major alarm. External power supply (5204/5236 only): Displays the external power supply status. Status reported will be Good, Bad or Not Present. An external power supply failure (Bad status) will raise a major alarm. The following series of screen shots illustrate the control panel status indicators for various power supply and external (auxiliary) power supply situations:
State with AC and the external (auxiliary) power supply connected but turned off.
State with AC and the external (auxiliary) power supply connected and turned on.
State with AC unplugged and external (auxiliary) power supply connected and the external power supply not turned on.
Mgmt port (Management port status) (5204/5236 only): Displays the speed and duplex of the management port connection.
Management port (front and back) (5273 only): Displays the speed and duplex of the front panel management port connection. Will indicate "active" if the port is the active management port. Will indicate "standby" if the port is the standby management port.
Management port 1 and 2 (5288/5293 only): Displays the link status of the two management ports. The word "active" indicates which port is currently being used. The word "standby" indicates which port is ready to become active should the active port fail or go link-down.
Expansion Modules (5204/5236/5273 only)
Module A: Indicates whether an interface module has been detected in slot A. The field also indicates whether the installed card supports 1G SFP+, 10G copper CX-4, 10G XFP or 10G SFP+.
Module B: Indicates whether a 10G expansion card has been detected in slot B. The field also indicates whether the installed card supports 1G SFP+, 10G copper CX-4, 10G XFP or 10G SFP+.
Port Modules (5288/5293 only)
Module A, B, C and D: Indicates whether an interface module has been detected in the slot. Displays the type of module installed and the current module temperature.
Power Modules (5288/5293 only)
Module A and B:
Power supply: Displays the power supply status. Status reported will be Good or Bad. A power supply failure (Bad status) will raise a major alarm.
Fan Status: Displays the status of the power supply fans. OK will display if all fans are working correctly. If there has been a fan failure, the total number of failed fans will display and a minor alarm will be raised.
Fan Modules (5288/5293 only)
Module A, B and C: Displays the status of the independent, pluggable fan modules.
System History
Settings last modified: The last system setting that was changed is displayed along with the date and time of the change and the name of the user who made the change.
Software last installed: The name of the last NTO software file installed is displayed along with the date and time of the installation and the name of the user who performed the installation. The NTO software file is used to upgrade the system software version.
License last installed: The name of the last NTO license file installed is displayed along with the date and time of the installation and the user who performed the installation. This field will be blank until a license update is performed in the field.
Configuration last imported: The name of the last configuration file that was imported is displayed along with the date and time of the import and the name of the user who performed the import.
Restart last requested: The date and time that a system restart was last requested is displayed along with the name of the user who requested the restart. Models 5204, 5236, 5273: If the restart request was initiated using the LCD and keypad on the front panel of the unit, the name listed will be LCD panel. Note that this is the time of the request, not the time the system actually came back up. Models 5273, 5288, 5293: If the restart request was initiated using the craft port interface, the name listed will be Serial port.
Power down last requested: The date and time that the last request to power down the system was made. Models 5204, 5236, 5273: If the power down request was initiated using the LCD and keypad on the front panel of the unit, the name listed will be LCD panel. Models 5273, 5288, 5293: If the power down request was initiated using the craft/serial port, the name listed will be Serial port.
External Alarms (5273, 5293 only)
Visual Alarms: The visual alarm status displays.
Audible Alarms: The audible alarm status displays.
Alarm Cut-Off (button): Pressing the ACO button mutes the critical and major audible alarms that are present and lights the ACO LED on the front panel of the unit (note that major and/or critical visual alarms are still present).
ACO Last pressed: Indicates the date and time the ACO button on this page or on the front panel of the unit chassis was last pressed. If the ACO button on this page was pressed, the Login ID of the user will also be displayed.
Note: Critical and Major alarms are reported via audible and visual alarms that can be relayed to a centralized alarm system. Refer to the Anue 5273 Installation Guide or the Anue 5293 Installation Guide for information on how to make connections between a local alarm system and the 5273 or 5293 alarm port.
Power Module A (5273 only)
Fan Status: Displays the status of the unit fans. OK will display if all fans are working correctly. If there has been a fan failure, the total number of failed fans will display and a minor alarm will be raised.
Power supply: Displays the power supply status. Status reported will be Good or Bad. A power supply failure (Bad status) will raise a major alarm.
Power Module B (5273 only)
Fan Status: Displays the status of the unit fans. OK will display if all fans are working correctly. If there has been a fan failure, the total number of failed fans will display and a minor alarm will be raised.
Power supply: Displays the power supply status. Status reported will be Good or Bad. A power supply failure (Bad status) will raise a major alarm. Note that a 2nd power supply is an optional feature.
Settings Tab
The System Settings tab displays the current values of the system-wide configuration settings and, for system administrators, provides a means to change the settings. Non-administrators can view the settings but cannot change them. The following figures show some of the differences on various models of NTO. Your display may differ depending on your configuration.
General
System Info: Click on the hyperlink to configure NTO system information. A name, location and contact information can be defined. The name defined for the NTO will be displayed in the title bar of the Anue NTO Control Panel. There is no character length limitation for System Info fields but note that only the first 255 characters can be queried through SNMP. The system information can be retrieved via SNMP MIB-II get requests.
IP configuration: Click on the hyperlink to configure the Anue NTO IP address, subnet mask or gateway. Caution: Changing the IP configuration or Management port settings will cause the NTO to restart and forces all users off the system. If the IP address values are not correct you will not be able to log back into the NTO through the Control Panel GUI or the Tcl API. In this case, the serial port menu would be the only means of correcting the error.
Management port settings: Click on the hyperlink to configure the management port duplex settings. The options are Auto-Negotiate, 1G Full Duplex, 100M Full Duplex, 100M Half Duplex, 10M Full Duplex and 10M Half Duplex. Models 5204, 5236, 5273: Auto-MDIX (automatic medium-dependent interface crossover) is supported for copper 1G, 100M and 10M ports. Auto-MDIX allows the interface to automatically detect and support a straight through or crossover Ethernet cable.
Serial Port Access (5273 only): Click on the hyperlink to disable or enable serial port access. The 5273 can be restarted from the serial port. This is the only function of the serial port.
LCD admin password reset (5204, 5236, 5273 only): Disabling this feature prevents the password of the default administrator account (admin) from being reset from the front panel LCD and keypad. For more information, refer to Resetting the Admin Password from the LCD Menu.
Login session timeout: Click on the hyperlink to configure the idle login session timeout.
If a timeout is specified, a user will be automatically logged out if there is no control panel activity from that user in the specified time. The logout can be configured for minutes, hours, or never. Login session timeout should be set at least 10 minutes to allow potential software upgrades to complete. Server log level: Click on the hyperlink to configure the log level for the Anue NTO server. The server log level can be raised to help troubleshoot Anue NTO server issues. Log level options are error, warn, info, debug and trace. Log levels should only be changed as directed by Anue Technical Support. Power on self test (POST): The POST provides a mechanism to initiate a series of diagnostic tests at startup to validate the health of the NTO hardware. To enable the POST, click Disabled. Click OK to confirm that you want the POST to run
every time the NTO is restarted. The Disabled text will change to display Enabled. NOTE The POST adds the following time to the NTO restart process: Models 5204/5236/5273: 4-5 minutes Models 5288/5293: approximately 10 minutes
To disable the automatic POST, click Enabled and then click OK to confirm that you wish to disable the automatic POST. See the Appendix E, Troubleshooting for detailed information about the POST and how to view POST results. TLS/SSL: The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols are designed to help protect the privacy and integrity of data while it is transferred between the Control Panel and the NTO. To enable TLS/SSL: 1. On the Settings tab, to the right of the TLS/SSL field, click the Disabled hyperlink. The TLS/SSL Configuration dialog displays.
2.
Select the Enable TLS/SSL encryption check box. A Confirm dialog displays.
3.
4.
Click OK. The TLS/SSL state changes to Enabled, all users are logged off, and the NTO restarts to put the system in the new state.
When connecting to an SSL-enabled NTO, the NTO presents an Anue-provided certificate to the Control Panel to establish the NTO's identity. When an untrusted certificate is received, such as the first time you connect to an NTO after SSL has been enabled, you must decide whether to trust it.
To decide whether to trust an untrusted SSL certificate on an SSL-enabled NTO:
1. Log on to the SSL-enabled NTO. When the NTO presents an untrusted SSL certificate, the SSL Certificate Validation dialog displays.
2. Click Details to see the chain of certificates certifying the issuer of the main certificate. The Certificate Details dialog displays.
3. Click any member of the chain to see details about it. Decide from the details of the certificate chain whether the main SSL certificate is trustworthy.
Once a certificate has been deemed trusted it is stored in the Control Panel's trust store, and trusted certificates connect without further user inspection. Note that all NTOs currently present the same certificate: once any NTO certificate has been accepted into the trust store, every subsequent certificate presented by any NTO is automatically trusted. The check therefore establishes that the peer holds the Anue-issued key, not which NTO you are talking to; confirm the address you connected to separately. The NTO presents a code-signing certificate to assure that the application being executed is authentic. The NTO does not support user-provided certificates at this time.
The Control Panel's trust store is the file <user-home>\Anue Systems\Anue 52<nn>\anuecerts, where <user-home> is typically C:\Documents and Settings\username (Windows XP) or C:\Users\username (Windows 7). To stop trusting a particular certificate, delete the local trust store file (anuecerts).
NOTE If the trust store is deleted while an NTO session is open, the fact that the certificate is no longer trusted is not detected until that instance of the Control Panel is closed and restarted. The existing session remains secure, because all security artifacts are cached in memory while the Control Panel is open.
NOTE When you are connected to an NTO using TLS/SSL, a lock icon displays in the lower right corner of the main window, similar to a web browser. Double-click the lock icon to launch the Certificate Details dialog; this also works when you want to inspect a certificate after accepting it the first time.
Fan Control (5204 only, not displayed above): Click the hyperlink to configure the fan speed. The options are:
Auto: Allow the server to control the fan speed based on temperature.
Maximum Cool: Run the server fans at maximum speed.
Remote Services Authentication: The current authentication mode is displayed. Click the hyperlink to configure the NTO authentication mode. The options are Local, TACACS+, and RADIUS. For detailed information on configuring TACACS+ and RADIUS, refer to Chapter 8, Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS.
Syslog: Click the hyperlink to specify one or more servers to which the NTO sends syslog status messages. These messages notify listeners when changes are made to the NTO or when adverse conditions are present. Servers can be identified by IP address or DNS name. The Facility (local0 - local7 or User) and Port can also be defined (the default port is 514). See Chapter 10, SYSLOG, for detailed information on how to configure this feature.
SNMP: Click the hyperlink to configure SNMP support. For detailed information on configuring SNMP, refer to Chapter 9, SNMP.
DNS Configuration: Click the hyperlink to configure the NTO to use DNS to resolve host names entered in fields within the system configuration. A DNS server must be configured if any Remote Services (TACACS+, RADIUS, Syslog, or NTP) servers have been specified by DNS name. The TTL (time-to-live) for a successful DNS resolution is 5 minutes. In the Set DNS Configuration window, enter the IP address of a preferred and an alternate DNS server. Optionally, enter up to two suffixes to use when resolving unqualified domain names. The expected valid characters are A-Z, a-z, 0-9, - (hyphen) and . (dot); other characters are accepted but produce a warning. Click OK to save the changes.
NTP: The Network Time Protocol (NTP) is a clock synchronization feature that keeps the NTO clock synchronized with a network time source. The NTO supports NTP version 4 and retains compatibility with versions 1-3. NTP converges to an accurate time more quickly when multiple NTP servers are configured. The following NTP functionality is supported:
- Add and enable an NTP server list (also called a server pool) using either IP address or fully qualified domain name, up to a maximum of five (5) servers.
- Display the detailed status of the NTP server pool.
- Disable servers in the NTP server pool.
- Delete servers from the NTP server pool.
NOTE You must have system administrator privileges to use this feature.
The NTO System Settings page displays the following NTP values depending on what you configure and enable:

Table 7-3: NTP field values
Value                               Meaning
Not Set                             No servers are configured.
Enabled - <server name or IP>       One server is configured and enabled.
Enabled - <# servers configured>    More than one server is configured.
Disabled - <server name or IP>      One server is configured but disabled.
Disabled - <# servers configured>   More than one server is configured but disabled.
To configure and enable NTP servers:
1. On the Settings tab, to the right of the NTP field, click the Not set hyperlink. The NTP Servers dialog displays.
2. Add the server by DNS name or by IPv4 address:
   A. The NTP field displays the added and enabled DNS NTP server name.
   or
   B. Open the Server address drop-list and select IPv4 Address. The Server address field displays, which allows you to enter a valid IPv4 address for your NTP server.
      NOTE The NTP port is 123 and cannot be modified.
   C. Enter an NTP IPv4 address and click OK. The NTP field displays the added and enabled IPv4 NTP server.

To display the detailed NTP status, click NTP Status. The NTP Server Status dialog displays the following columns:
Configured Address: The address the user entered when configuring the NTP server.
Server Name: May differ from the configured address because of DNS lookup.
Reachable: Indicates whether the server is reachable or unreachable.
Condition: Displays 'reject', 'falsetick', 'excess', or 'outlier' when the server is currently discarded by the NTP selection algorithm; 'candidate' when the server is included in the algorithm; 'sys.peer' when the server is the system peer; and 'pps.peer' when it is a preferred peer. A server marked 'falsetick' disagrees with the majority of the configured servers, which is one reason to configure more than one server.
Time Offset: The offset of this NTP server's clock relative to the NTO clock.
Clock Quality: The stratum level (1-15) of this NTP server.

To disable NTP servers:
1. On the Settings tab, to the right of the NTP field, click the Enabled link. The NTP Servers dialog displays.
2. Deselect Enable and click OK. The NTP field displays Disabled.

To delete NTP servers:
1. On the Settings tab, to the right of the NTP field, click the Enabled link. The NTP Servers dialog displays.
2. Select a server and click Delete. The deleted server is removed from the NTP Server list.
3. Click OK. The NTP field displays the remaining enabled server(s).
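The arithmetic behind the Time Offset and Clock Quality columns, as an added example that is not part of the original guide and not Anue code. It builds the 48-byte NTPv4 request a client sends to UDP port 123, parses a reply, and derives offset, round-trip delay and stratum the way RFC 5905 defines them. The reply is constructed in the script (a stratum-2 server whose clock runs 2.5 s ahead, 20 ms one-way delay), so it runs offline; the timestamps and reference id are made up.

```python
"""NTPv4 client-side arithmetic: request packet, reply parsing, offset/delay/stratum."""
import struct

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBBbIIIIIIIIIII"          # 48-byte NTP header, no extension fields
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_time):
    """Unix float seconds -> (seconds, fraction) NTP 64-bit timestamp."""
    secs = int(unix_time)
    frac = min(int(round((unix_time - secs) * 2 ** 32)), 0xFFFFFFFF)
    return secs + NTP_UNIX_DELTA, frac


def from_ntp(secs, frac):
    return secs - NTP_UNIX_DELTA + frac / 2 ** 32


def build_request(t1):
    """Client request: LI=0, VN=4, mode=3, transmit timestamp = local time T1."""
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_CLIENT
    xs, xf = to_ntp(t1)
    return struct.pack(HEADER, li_vn_mode, 0, 6, -20, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, xs, xf)


def parse_reply(request, reply, t4):
    """Return stratum, offset and delay for a reply received at local time T4."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(HEADER, reply[:48])
    li, version, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    stratum = f[1]
    origin = from_ntp(f[9], f[10])        # T1 as echoed by the server
    receive = from_ntp(f[11], f[12])      # T2, server clock
    transmit = from_ntp(f[13], f[14])     # T3, server clock
    t1 = from_ntp(*struct.unpack(HEADER, request)[13:15])
    # A reply whose origin timestamp is not the one we sent is not an answer
    # to our request (stale, replayed or forged) and must be discarded.
    if abs(origin - t1) > 1e-6:
        raise ValueError("origin timestamp mismatch")
    offset = ((receive - t1) + (transmit - t4)) / 2   # server minus local clock
    delay = (t4 - t1) - (transmit - receive)          # round trip, minus server time
    # Stratum 0 (kiss-o'-death) and 16 (unsynchronized) are not usable sources,
    # nor is a server flagging LI=3 (clock not synchronized).
    usable = mode == MODE_SERVER and 1 <= stratum <= 15 and li != 3
    return {"version": version, "stratum": stratum, "leap": li,
            "offset": offset, "delay": delay, "usable": usable}


def constructed_reply(request, stratum=2, server_ahead=2.5, one_way=0.020, proc=0.001):
    """Test fixture (not captured traffic): the reply a server whose clock is
    `server_ahead` seconds fast would send for `request`."""
    req = struct.unpack(HEADER, request)
    t1 = from_ntp(req[13], req[14])
    t2 = t1 + one_way + server_ahead
    t3 = t2 + proc
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_SERVER
    fields = [li_vn_mode, stratum, 6, -20, 0, 0, 0x4E545031,   # ref id, made up
              *to_ntp(t1 - 100), req[13], req[14], *to_ntp(t2), *to_ntp(t3)]
    return struct.pack(HEADER, *fields)


def demo():
    t1 = 1_700_000_000.0                       # local clock when request was sent
    req = build_request(t1)
    reply = constructed_reply(req)
    t4 = t1 + 0.020 + 0.001 + 0.020            # local clock when reply arrived
    return parse_reply(req, reply, t4)


if __name__ == "__main__":
    print(demo())
```

Against a real server, send `build_request(time.time())` with `socket.sendto(..., (host, 123))`, record `time.time()` on receipt as T4 and pass the bytes to `parse_reply`. Because plain NTP carries no authentication, the origin-timestamp check is the only thing that ties a reply to your request; the stratum and offset it reports are whatever the responder chose to send.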
Filter Memory Allocation This feature allows system administrators to customize the NTO filter memory in a manner that is specific to their needs. For example, if users only need to filter traffic based on L3/4 (layer 3 and layer 4) criteria, a system administrator can configure the settings to support 100% L3/L4 filter criteria. Another common use for this feature is to make minor modifications in the memory allocation to complete a filter configuration. For example, a user attempts
to create an L3 filter and receives a notification message indicating that there is not enough L3 memory to create the filter. To resolve the problem, the system administrator can reduce the amount of L2 memory (which will increase the amount of L3 memory) and allow the user to complete the task of creating the filter. Caution: Modifying the filter memory allocation settings may momentarily disrupt traffic flow.
Dynamic and tool port filters: Dynamic filters and tool port (egress) filters share the same memory pool; the current memory allocation for that pool is displayed.
Network port filters: The current memory allocation for network port filters is displayed.
Only system administrators can modify the configuration. Clicking the Network port filters or Dynamic and tool port filters link displays the Set Filter Memory Allocation window. The window contains a tab for each of the two memory pools. The two tabs work identically; each lets you allocate the pool's memory among the desired filter criteria types.
Once the criteria types are selected, the Available Memory Allocation Options can be used to further customize the memory allocation. The highlighted option indicates the currently selected configuration. For example, with the default Criteria Types Selected (L2 and IPv4 L3/4), the selected option is the one in which 25% of the filter memory is allocated to L2 filter criteria and 75% to IPv4 with a combination of VLAN, L3 and L4 filter criteria.
The memory allocation section of the window provides meters that give a visual representation of the current filter criteria memory allocation. Note: Tool port deny filter memory cannot be directly configured; the Tool port deny filter meters show the types of filter criteria that can be configured for tool port deny filters. L2 criteria are only supported on tool ports when L2 is the only criteria type selected. The Available Criteria/Unavailable Criteria section of the dialog box shows the effect of the configured settings by listing the criteria that will be available and those that will be unavailable. Modifications to the memory allocation settings do not take effect until OK is clicked.
Tool Port Group Load Balance Settings
Model 5204: The Load Balancing feature is not available on this model.
These settings specify how traffic is balanced across all tool interconnect port groups and load balance port groups. Load balance group traffic flows are maintained across system events such as NTO restart, import, and image upgrade.
Clicking the IPv4 packets, IPv6 packets, or L2 packets link displays the Tool Load Balance Settings window.
Separate settings for each packet type: Select this option to use the settings in the IPv4, IPv6 and L2 sections of this window to load balance packets.
Same settings for all packet types: Select this option to use only Layer 2 header information to load balance IPv4, IPv6 and L2 packets.
IPv4 Packets: IPv4 packets are always balanced using the source and destination IP addresses and the IP protocol number. To keep each host-to-host session on one tool port, Layer 2 headers are ignored once an IPv4 packet is detected. Optionally select Source and destination L4 ports to add those headers to the load balancing hash. This may be necessary when the default fields do not spread traffic evenly enough and more variability is needed, for example when many sessions run between the same pair of hosts and therefore all hash to the same tool port.
IPv6 Packets: IPv6 packets are always balanced using the source and destination IP addresses and the Next Header field. To keep each host-to-host session on one tool port, Layer 2 headers are ignored once an IPv6 packet is detected. Optionally select Source and destination L4 ports to add those headers to the load balancing hash, for the same reason as for IPv4.
L2 Packets: Non-IP Layer 2 packets are always balanced using the source and destination MAC addresses. Optionally select Ethertype to add that header to the load balancing hash when the default fields do not provide even enough balancing.
Default: Click the Default button to reset the Tool Load Balance Settings to the defaults.
Version/License Tab
The following figure shows the Version/License tab. The types of available ports will differ depending on your NTO model.
Licensed Ports: The types and numbers of the licensed ports are displayed.
Unlicensed Ports: The types and numbers of any unlicensed ports are displayed. None indicates that all ports are licensed.
Unused Floating Licenses: The types and numbers of unused floating licenses are displayed. Tip: For detailed information about how floating licenses are remapped after the NTO configuration has changed, see How Licenses are Remapped Due to a Configuration Change.
Maintenance Expiration
System: Displays the date that the maintenance (support) contract expires for the Net Tool Optimizer.

Table 7-4: Maintenance Expiration per NTO Model
Model         Details
              Expansion Module A: Displays the date that the maintenance (support) contract expires for the interface module installed in slot A.
              Expansion Module B: Displays the date that the maintenance (support) contract expires for the interface module installed in slot B.
5288, 5293    Port Modules A-D: Displays the dates that the maintenance (support) contracts expire for the interface modules installed in slots A through D.

Dates are highlighted in yellow when maintenance will expire within 7 days and in red after maintenance has expired. Note: When system maintenance expires, all NTO components continue to work normally, but system administrators can no longer install software upgrades released after the maintenance expiration date. Contact your local Anue sales person or support@anuesystems.com to renew maintenance.
View License Details (button): Click this button to display license information for this specific NTO unit and its expansion modules. The hardware information can also be viewed from the License Details window in order to compare the installed hardware with the installed license.
View Hardware Info (button): Click this button to display system and hardware information, including serial numbers and the unit MAC address.
Enter License Key (button): Click this button to upgrade the license key. In the Enter License Key window you can browse for the license key file with the Browse button, drag a license key file into the window, or copy and paste the contents of a license key file into it. Then click OK to install the key.
Allocate Licenses: Use this option to modify the default port license configuration and allocate port licenses to the physical ports on your NTO as best fits your network. For detailed information, see Port License Allocation.
System Software
Server software version: Displays the software version running on the Anue NTO server.
Server software build: Displays the build number of the software running on the Anue NTO server.
Install Software (button): Click this button to upgrade the Anue NTO server software. For more information, refer to Software Upgrade.
Revert to <version>: This feature allows the administrator to revert the Anue NTO server to the software version installed before the last upgrade. For more information, refer to Software Downgrade.
To obtain a license key for additional ports and/or features, please contact Anue Systems Technical Support. For more information about how to contact Anue Technical Support, refer to Technical Support on page 11.
CHAPTER 8 Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS
This section describes Anue NTO support for remote user authentication, authorization, and accounting (AAA) using TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote Authentication Dial-In User Service). RFC 1492 (http://www.faqs.org/rfcs/rfc1492.html) describes the original TACACS protocol; TACACS+ is a separate, incompatible Cisco protocol that was documented only as an Internet-Draft (draft-grant-tacacs) at the time of this guide and was later published as RFC 8907. RFC 2865 (http://www.faqs.org/rfcs/rfc2865.html) describes RADIUS in full, and RFC 2866 (http://www.faqs.org/rfcs/rfc2866.html#b) describes RADIUS accounting. One use for RADIUS is as a bridge to a Microsoft Active Directory installation: Microsoft provides a native RADIUS server, the Network Policy Server (NPS), as part of Windows Server 2008.
Both locally and remotely managed users may be authorized as NTO regular users or administrators. Port and filter access control can be configured using locally managed user groups or using groups defined in the remote AAA service. When using a remote AAA service, you may choose whether to use the groups defined by the service or to manage groups locally. When using local authentication, groups are always managed locally. The primary differences between local and remote authentication are outlined in Table 8-1:
Table 8-1: Local versus remote authentication

Local Users and Local Groups
Users: User accounts are created and managed from the NTO Control Panel. Separate user accounts exist on each NTO system. The Users View lists all user accounts.
Groups: Groups are created and managed by an administrative user from the NTO Control Panel.

Remote Users and Local Groups
Users: User accounts are created and managed on a centralized TACACS+ or RADIUS server. User accounts exist on the TACACS+ or RADIUS server and can be shared between multiple NTO systems. The Users View lists remote users who are currently logged in, as well as remote users who are listed in the local groups. When picking remote users to add to the local groups, only the users shown in the Users View are listed; other remote users (known to exist on the TACACS+ or RADIUS server) may be typed in.
Groups: Groups are created and managed by an administrative user from the NTO Control Panel.

Remote Users and Remote Groups
Users: User accounts are created and managed on a centralized TACACS+ or RADIUS server and can be shared between multiple NTO systems. The Users View lists only remote users who are currently logged in. Remote users cannot be picked for remote groups from the Control Panel GUI.
Groups: Group creation and membership are handled automatically by the TACACS+ or RADIUS server configuration. Groups may not be deleted from the Control Panel. When the last member of a remote group logs out, if the group is not used in any port or dynamic filter access list, the group is removed from the Groups View. The Groups View lists only remote groups with users who are currently logged in, or groups listed in port access lists.
Chapter 8, Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS 192 Anue Net Tool Optimizer User Guide
By default, Anue NTO systems are configured in Local authentication mode with one initial user, admin. This user is referred to as the default administrator and cannot be deleted. This local account remains usable even when TACACS+ or RADIUS authentication is in effect, as a fail-safe for when the remote server is unreachable because of a communication or configuration error. Because it bypasses the remote server's policy, protect the admin password as you would any break-glass credential. Remote authentication must be enabled on both the Anue NTO and the remote server; refer to your TACACS+ or RADIUS server documentation for information on configuring and enabling your server. Be aware of the following NTO behavior when the unit is in TACACS+ or RADIUS authentication mode:
- When remote authentication is enabled on the NTO, it is not possible to add users with the Add New User option. That option is for adding local users only.
- When the NTO is configured to use remote authentication with local groups, groups must be created locally on each NTO. Local groups can be deleted and their membership updated by a user with administrator rights.
- When the NTO is configured to use remote authentication with remote groups, group creation and membership are handled via configuration of the remote server itself. It is not possible to add groups with the Add New Group option, which is for adding local groups only.
- When using remote groups, groups cannot be imported or exported.
- When using remote groups, after the last member of a group logs out of a particular NTO, the group is removed from that NTO's Groups View unless it is used in a port or dynamic filter access list. The Groups View lists only remote groups that are known to exist because a member is logged in or because the group is listed in a port or dynamic filter access list.
The effect of changing from one authentication mode to another is described in Effects of Authentication Mode Changes on Users and Groups on page 195.
4.
5. Select either the TACACS+ or RADIUS option and configure the settings.
Subsequent sections describe in further detail how to configure both TACACS+ (page 197) and RADIUS (page 213).

Effects of Authentication Mode Changes on Users and Groups

From Local Authentication
To Remote Authentication with Local Groups: All local users (except admin) are deleted. Users in local groups continue to be listed in the Users View under the assumption that the same users exist in the remote authentication server. Local groups can be edited to remove unwanted users.
To Remote Authentication with Remote Groups: All local users (except admin) and all groups are deleted. Groups in access lists continue to be listed in the Groups View under the assumption that the same groups exist in the remote authentication server. Access lists can be edited to remove unwanted groups.

From Remote Authentication with Local Groups
To Local Authentication: Initially, the only local user is the admin user. All groups are retained but are empty because there are no local users. Access lists are not affected. Users who were members of a group are created with a random password in order to retain group membership; an administrator can either delete those users after the switch or assign them new passwords.
To Remote Authentication with Remote Groups: All local groups are deleted. Groups in access lists continue to be listed in the Groups View under the assumption that the same groups exist in the remote authentication server. Access lists can be edited to remove unwanted groups.

From Remote Authentication with Remote Groups
To Local Authentication: Initially, the only local user is the admin user, and there are no local groups. Access lists are cleared, but access policies such as Require Group remain in place, albeit with empty group lists.
To Remote Authentication with Local Groups: Initially, there are no local groups. Access lists are cleared, but access policies such as Require Group remain in place, albeit with empty group lists.

NOTE The NTO does not allow switching directly from one remote authentication mode to the other (TACACS+ to RADIUS or RADIUS to TACACS+). To make such a change you must first change to Local authentication mode, apply the change, and then change to the desired mode.
Configuring TACACS+
This section describes the settings available when TACACS+ is selected as the authentication mode.
NOTE The options configured in the Common TACACS+ Settings section of this window apply to ALL of the configured TACACS+ servers.
Authorization: When set to Default, all users defined in TACACS+ can log in to the NTO, and all of them are non-administrators; administrator privileges cannot be granted under Default authorization. When set to Custom, attributes returned by TACACS+ determine whether a user may log in to the NTO and whether the user is an administrator or a non-administrator. You must tell the NTO which TACACS+ attributes to consider for each of these decisions.
Groups: Indicates whether the NTO manages user groups (choose Local) or TACACS+ manages them (choose TACACS+). User groups are not required but can be used to control access to specific ports and dynamic filters in the NTO.
In this dialog you specify the TACACS+ attributes that the NTO uses to identify administrators and regular users. The first step is to specify the TACACS+ service under which these attributes are found. Here is an example of defining a service named anue in TACACS+:

    user = Jane {
        service = anue {
        }
    }

In this case you would enter the text anue as the service value in the All Users section of the dialog. If you use a different service name, enter that name instead.
The next step is to specify which attribute or attributes (if any) indicate that the user is an NTO administrator. Here is an example of using a role attribute to identify NTO administrators:

    user = Jane {
        service = anue {
            role = admin
        }
    }

In this case, in the Admin Users section of the dialog you would enter role to the left of the = and admin to the right; the left box is the attribute name and the right box is the value. If you use more than one attribute to identify NTO administrators, add attributes with the + button to the right of the value and remove unwanted ones with the - button. These entries do not modify the TACACS+ server in any way; they simply tell the NTO what is present in the TACACS+ server. If you have specified more than one attribute, you can tell the NTO whether all attribute values must match or only one of them must match in order to authorize a user as an NTO administrator.
NOTE If no administrator user attributes are specified, no user can log in to the NTO with administrator capabilities.
The final step is to specify which attribute or attributes (if any) indicate that the user is a regular NTO user. Here is another example of using a role attribute for this purpose:

    user = Jane {
        service = anue {
            role = user
        }
    }

In this case, in the Regular Users section of the dialog, you would enter role to the left of the = and user to the right. If you use more than one attribute to identify NTO users, specify the additional attributes in the same manner as described above for NTO administrators.
NOTE If no regular user attributes are defined, all TACACS+ users are allowed to log in to the NTO as regular users. Be aware that this is the opposite of the behavior when no admin user attributes are defined. Click OK to save the configuration changes.
In this dialog you specify the TACACS+ attributes that the NTO uses to place regular users into groups. As with custom authorization, the first step is to specify in the Service Name section the TACACS+ service under which these attributes are found. The next step is to specify which attribute carries the names of the groups to which a user belongs. Here is an example of using a groups attribute to specify a list of groups:

    user = Jane {
        service = anue {
            role = user
            groups = Engineering,Dallas
        }
    }

In this case, in the Group List section of the dialog, you would enter groups to the left of the =. A group list is only needed when the role is user (non-administrator): NTO administrators can do anything and are not subject to group membership checks.
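The decision rules from the Custom authorization and group-list sections above, as an added example that is not part of the original guide and not Anue code (the NTO's internal implementation is not published). The parser accepts only the `name = value { ... }` subset of tac_plus syntax used in this chapter (no quoting, no comments); the users Sam and Pat are made up to exercise the cases, Jane and the anue service are from the text.

```python
"""Mapping a TACACS+ authorization reply to an NTO role and group list."""
import re


def parse_tacplus(text):
    """Parse `user = Jane { service = anue { role = admin } }` into nested dicts:
    {'user': {'Jane': {'service': {'anue': {'role': 'admin'}}}}}."""
    tokens = re.findall(r"[{}=]|[^\s{}=]+", text)
    pos = 0

    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != "}":
            name = tokens[pos]
            if pos + 2 >= len(tokens) or tokens[pos + 1] != "=":
                raise ValueError("expected 'name = value' at token %d" % pos)
            value = tokens[pos + 2]
            pos += 3
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                out.setdefault(name, {})[value] = block()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError("unbalanced braces")
                pos += 1
            else:
                out[name] = value
        return out

    return block()


def service_avpairs(config, user, service):
    """Attribute/value pairs the server returns for `user` under `service`."""
    return config.get("user", {}).get(user, {}).get("service", {}).get(service, {})


def _matches(avpairs, rules, match_all):
    hits = [avpairs.get(name) == value for name, value in rules]
    return all(hits) if match_all else any(hits)


def authorize(avpairs, admin_rules, user_rules, admin_match_all=True,
              user_match_all=True, group_attr="groups"):
    """Return (role, groups); role is 'admin', 'user' or None (login refused).

    Rules are (attribute, value) pairs as entered in the Admin Users and Regular
    Users sections; the *_match_all flags are the all/any choice for each.
    """
    if admin_rules and _matches(avpairs, admin_rules, admin_match_all):
        return "admin", []        # administrators are not subject to group checks
    # No admin rules configured: nobody can be admin.  No regular-user rules
    # configured: every TACACS+ user is admitted as a regular user.
    if not user_rules or _matches(avpairs, user_rules, user_match_all):
        groups = [g.strip() for g in avpairs.get(group_attr, "").split(",") if g.strip()]
        return "user", groups
    return None, []


# The user definitions from this chapter, combined into one constructed config.
EXAMPLE_CONFIG = """
user = Jane {
    service = anue {
        role = admin
    }
}
user = Sam {
    service = anue {
        role = user
        groups = Engineering,Dallas
    }
}
user = Pat {
    service = anue {
    }
}
"""


def demo(admin_rules=(("role", "admin"),), user_rules=(("role", "user"),)):
    cfg = parse_tacplus(EXAMPLE_CONFIG)
    return {name: authorize(service_avpairs(cfg, name, "anue"), list(admin_rules), list(user_rules))
            for name in ("Jane", "Sam", "Pat")}


if __name__ == "__main__":
    print(demo())
```

With both rule sets configured, a user whose service block carries neither role (Pat) is refused; clear the Regular Users rules and the same user is admitted as a regular user with no groups, which is the asymmetry the two NOTEs above describe.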
TACACS+ Servers
Your company may use a single TACACS+ server, or it may use multiple servers to guard against the failure of a single server. In either case, you specify the TACACS+ server details in the Servers section of the Set Authentication Mode dialog, shown in Figure 8-3. Click the Add button to add a TACACS+ server. As TACACS+ servers are added, they are listed in the dialog. There is no limit to the number of TACACS+ servers that can be added.
Servers are checked in the order listed when attempting to authenticate users. The first server that responds to an authentication request will be used for future authentications. If the active TACACS+ server goes down and a user attempts to authenticate, the first server to respond to the authentication request will become the active TACACS+ server. To change the settings of a TACACS+ server, select it and click the Modify button. To change the order in which the servers are checked, select a server and click the Up or Down button. To validate the settings of a server, select it and click the Test Settings button. The NTO will attempt to connect to the server using the defined IP address (or DNS name), TCP port, and specified secret password and will report the result. To remove one or more servers from the list, select them and click the Delete button.
The network address of the TACACS+ server can be specified as a DNS name or an IPv4 address in the Server field. To use a DNS name, a DNS server must be configured on the System Settings tab (see Settings Tab on page 166). By default, TACACS+ servers communicate over TCP port 49; if your server is configured differently, change the value in the Port field. Communications between the NTO and the TACACS+ server are obfuscated using a secret key shared with the TACACS+ server. Enter the key in the Secret and Confirm Secret fields. The corresponding entry in the TACACS+ configuration file is usually defined as key =; the value after the equals sign must be the same as the value entered here. Because this key is the only protection for the packet bodies (TACACS+ has no transport encryption of its own), use a long random secret and do not share it across unrelated devices.
The default amount of time the NTO waits for a TACACS+ server to respond before reporting a connection failure is 10 seconds; change the value in the Timeout field to shorten or lengthen it. When an attempted communication times out, the NTO can be configured to retry; the default is to retry two more times after the initial failure before giving up. Change the value in the Retry field to reduce or increase the number of retries.
The NTO supports two protocols for sending user credentials to the TACACS+ server: CHAP, in which the password is never sent and only a challenge/response hash is, and PAP, in which the password itself is sent inside the key-obfuscated TACACS+ body. Select the protocol from the Authentication type drop-list. Information about login attempts (both successful and failed) and authorization checks can be tracked with the TACACS+ accounting feature. Turn accounting on or off with the Accounting drop-list; when it is on, configure the attributes to be tracked with the Configure button (see Configuring TACACS+ Accounting on page 202). Click Clear All to reset all settings for this server to their default values. Click Test Settings to verify that the NTO can connect to the TACACS+ server using the configured settings.
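What the shared secret and the CHAP/PAP choice actually do on the wire, as an added example that is not part of the original guide and not Anue code. The TACACS+ body is XORed with an MD5 keystream derived from the secret, the session id and two header bytes (the scheme in the original Cisco draft, now RFC 8907 section 4.5); the CHAP response is MD5(id || password || challenge) per RFC 1994. Session id, key, user name, password and challenge below are made up.

```python
"""TACACS+ body obfuscation and the PAP vs CHAP authentication START body."""
import hashlib
import struct

AUTHEN_LOGIN, PRIV_LVL_USER, SVC_LOGIN = 1, 1, 1
AUTHEN_TYPE_PAP, AUTHEN_TYPE_CHAP = 2, 3
VERSION = 0xC0                       # major version 12, minor version 0


def tacacs_pad(session_id, key, version, seq_no, length):
    """MD5 pseudo-pad: pad_1 = MD5(sid|key|ver|seq), pad_n = MD5(sid|key|ver|seq|pad_n-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id, key, version, seq_no, body):
    """XOR the body with the pad; applying it a second time restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def _start_body(authen_type, user, data, port=b"tty0", rem_addr=b"192.0.2.10"):
    """Authentication START body: eight fixed bytes, then user/port/rem_addr/data."""
    header = struct.pack("!8B", AUTHEN_LOGIN, PRIV_LVL_USER, authen_type, SVC_LOGIN,
                         len(user), len(port), len(rem_addr), len(data))
    return header + user + port + rem_addr + data


def pap_start_body(user, password):
    """PAP: the data field is the password itself."""
    return _start_body(AUTHEN_TYPE_PAP, user, password)


def chap_response(ppp_id, password, challenge):
    """RFC 1994 CHAP response."""
    return hashlib.md5(bytes([ppp_id]) + password + challenge).digest()


def chap_start_body(user, password, challenge, ppp_id=1):
    """CHAP: the data field is id || challenge || response; no password on the wire."""
    data = bytes([ppp_id]) + challenge + chap_response(ppp_id, password, challenge)
    return _start_body(AUTHEN_TYPE_CHAP, user, data)


def demo(session_id=0x1234ABCD, key=b"s3cr3t", user=b"jane", password=b"hunter2"):
    """Return the obfuscated PAP and CHAP START bodies for the first packet (seq_no 1)."""
    pap_wire = obfuscate(session_id, key, VERSION, 1, pap_start_body(user, password))
    chap_wire = obfuscate(session_id, key, VERSION, 1,
                          chap_start_body(user, password, challenge=bytes(range(16))))
    return pap_wire, chap_wire


if __name__ == "__main__":
    pap_wire, chap_wire = demo()
    print("PAP body on the wire:", pap_wire.hex())
    print("CHAP body on the wire:", chap_wire.hex())
```

Anyone who captures the TCP/49 stream and knows the secret recovers a PAP password directly; with CHAP they recover only the hash. A server configured with a different key decodes the body to garbage rather than rejecting it outright, which is the failure the Test Settings button surfaces before users hit it.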
Chapter 8, Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS 202 Anue Net Tool Optimizer User Guide
Four different events can be logged:
Authentication success: this event occurs when a user (either regular or admin) successfully logs in to the NTO.
Authentication failure: this event occurs when a user fails to log in, either because the login ID was not authorized as a regular user or an administrator or because the password was incorrect.
Administrator authorization: this event occurs when a user successfully logs in as an NTO administrator.
User authorization: this event occurs when a user successfully logs in as a regular (non-admin) user.
For each event, you may specify one or more informational values to be logged as name/value pairs. For the authentication events, the login ID attribute is already populated with a value that will be automatically filled in with the current user's login ID. You only supply the name you want to use for that value; for example, by typing user in the field labeled User ID. You may add or remove name/value pairs using the + and - buttons. You may type your own attribute names on the left or select from a list of standard TACACS+ accounting attributes (cmd, event, priv_level, reason, and service). In addition, you may specify custom accounting attributes by entering any text in the name fields on the left. For every named attribute you enter, you must also specify the value to be logged. For example, under Log Authentication Success, if you added the attribute event, then you might enter the value as login success.
Lines 1, 5, 12, 18, and 21 (red text) define the user login name. Lines 2, 6, 13, 19, 22, and 32 (green text) define the password and authentication type for each user. The CHAP authentication type is used on lines 2, 13, 19, and 22. The global authentication type is used on line 6 and indicates that the password defined for staylor will work for any authentication method, including CHAP or PAP. In the NTO TACACS+ Configuration dialog for this server, you would select CHAP as the authentication type.
Lines 3, 7, 14, 23, 26, and 33 (black text) define the service for the user. This is the service name you would enter in the NTO Configure Authorization (page 198) and Configure Groups (page 200) dialogs. With a service name of anue (lines 3, 7, 14, and 26), all users except mthompson (who does not have the anue service defined) can be logged in as regular users. In the dialog to the left, no attributes have been specified to authorize administrator users, so none of the users will be able to log in as NTO administrators. Also in the dialog to the left, no attributes have been specified to authorize regular users, so all users (except for mthompson) will be able to log in as regular users.
Quick Reference: Lines 3, 7, 14, and 26: service = anue { }
Figure 8-9. TACACS+ Configuration Example 1
Adding an Admin Users attribute of role=ADMIN allows mjones and pjackson (lines 15 and 27) to log in as administrators. staylor and rjohnson continue to log in as regular users. Note: The attribute name role and the value ADMIN are arbitrary. This could just as easily be level=administrator or any other name/value pair you want to configure in your TACACS+ server.
Quick Reference: Lines 15 and 27: role = ADMIN
Specifying a Regular Users attribute of role=REG to authorize regular users makes rjohnson no longer able to log in. This occurs because rjohnson does not have the attributes required for either administrator or regular users. By contrast, staylor can continue to log in as a regular user because of the role=REG statement in the staylor user settings in the TACACS+ configuration file. Quick Reference: 8. role = REG
Adding another Admin Users attribute of priv_level=7 and leaving the administrator users selection criteria set to Match any does not affect the administrator users in this example. Both mjones and pjackson can still be logged in as administrator users because they each have at least one of the required attributes.
Quick Reference:
12. user = mjones {
14.     service = anue {
15.         role = ADMIN
16.     }
17. }
========================
21. user = pjackson {
26.     service = anue {
27.         role = ADMIN
28.         priv_level = 7
29.     }
Figure 8-12. TACACS+ Configuration Example 4
Maintaining the same Admin Users attributes as in the last example, but changing the selection criteria to Match All, results in only pjackson being able to log in as an administrator. mjones does not possess all of the attributes required to be authorized as an administrator user, but pjackson does (lines 27, 28).
Quick Reference:
21. user = pjackson {
27.         role = ADMIN
28.         priv_level = 7
In the above examples, we saw how we could create a TACACS+ attribute named role and use two values, ADMIN and REG to control the privileges of specific users. TACACS+ also allows you to define groups with attributes and then make users members of those groups. Users would inherit those attributes by virtue of their membership in the groups. Note that these groups are *not* the same groups that would appear in NTO port and filter access lists. The groups described here are only for determining whether a user is an NTO administrator or regular user. The following example, Figure 8-14, shows how to assign the role attribute we used above to a group instead of a user.
Figure 8-14 shows a section of a TACACS+ server configuration file with the settings for several groups:
 1. group = anue_staff {
 2.     service = anue
 3. }
 4.
 5. group = anue_admin {
 6.     service = anue {
 7.         role = ADMIN
 8.     }
 9. }
10. user = rjohnson {
11.     chap = cleartext letmein
12.     member anue_staff
13. }
14. user = staylor {
15.     global = cleartext letmein
16.     member anue_staff
17. }
18. user = mjones {
19.     chap = cleartext letmein
20.     member anue_admin
21. }
22. user = mthompson {
23.     global = cleartext letmein
24.     member anue_staff
25. }
26. user = pjackson {
27.     chap = cleartext letmein
28.     member anue_admin
29. }
Figure 8-14. Sample TACACS+ Group Configuration
Two groups have been established in the TACACS+ configuration file:
1. anue_staff (line 1, blue text).
2. anue_admin (line 5, brown text).
Users have been assigned to those groups using the TACACS+ member keyword. For example, on lines 12, 16, and 24, users rjohnson, staylor, and mthompson have been assigned to the anue_staff group. As a result they inherit service = anue, but do not inherit any roles (none are defined for that group). As long as the configuration settings in the NTO for this TACACS+ server do not require any attributes for regular users, then all of these users will be able to log in. On lines 20 and 28, users mjones and pjackson have been made members of the anue_admin group. As a result they inherit service = anue and role = ADMIN. As long as the configuration settings in the NTO for this TACACS+ server specify role = ADMIN in the Admin Users section, these users will be able to log in as administrators. For more information on NTO user capabilities, see the table in Adding Users and Configuring Authentication on page 39.
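The authorization rules worked through in Examples 1 to 5 and in the group configuration above, as an added example (not Anue's code and not part of any TACACS+ server): a small parser for the user/group/service/member syntax shown in Figure 8-14, and an evaluator that applies the NTO's Admin Users and Regular Users attribute checks with Match any or Match all. The configuration is a constructed variant of Figure 8-14 with the per-user attributes of the earlier examples added; the attribute names and values the NTO is configured with are passed in by the caller.

```python
import re

# Constructed sample, not a real server file: Figure 8-14 plus the per-user
# attributes of the earlier examples (staylor carries role = REG, pjackson
# adds priv_level = 7, mthompson is in no group and so has no anue service).
SAMPLE_CONFIG = """
group = anue_staff {
    service = anue
}
group = anue_admin {
    service = anue {
        role = ADMIN
    }
}
user = rjohnson {
    chap = cleartext letmein
    member anue_staff
}
user = staylor {
    global = cleartext letmein
    member anue_staff
    service = anue {
        role = REG
    }
}
user = mjones {
    chap = cleartext letmein
    member anue_admin
}
user = mthompson {
    global = cleartext letmein
}
user = pjackson {
    chap = cleartext letmein
    member anue_admin
    service = anue {
        priv_level = 7
    }
}
"""

_BLOCK = re.compile(r"(user|group)\s*=\s*(\S+?)\s*\{$")
_SERVICE = re.compile(r"service\s*=\s*(\S+?)\s*(\{)?$")
_MEMBER = re.compile(r"member\s+(\S+)$")
_ATTR = re.compile(r"(\S+)\s*=\s*(.+)$")


def parse_config(text):
    """Parse user and group blocks into {"user": {...}, "group": {...}}."""
    cfg = {"user": {}, "group": {}}
    stack = []        # dicts that "key = value" lines are written into
    current = None    # user or group block being parsed
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif m := _BLOCK.match(line):
            current = {"attrs": {}, "services": {}, "members": []}
            cfg[m.group(1)][m.group(2)] = current
            stack.append(current["attrs"])
        elif m := _SERVICE.match(line):
            svc = current["services"].setdefault(m.group(1), {})
            if m.group(2):            # "service = anue {" opens an attribute block
                stack.append(svc)
        elif m := _MEMBER.match(line):
            current["members"].append(m.group(1))
        elif m := _ATTR.match(line):
            stack[-1][m.group(1)] = m.group(2).strip()
    return cfg


def effective_services(cfg, user):
    """Service attributes for a user, merging those inherited via "member"."""
    merged = {}
    for grp in cfg["user"][user]["members"]:
        for svc, attrs in cfg["group"].get(grp, {"services": {}})["services"].items():
            merged.setdefault(svc, {}).update(attrs)
    for svc, attrs in cfg["user"][user]["services"].items():
        merged.setdefault(svc, {}).update(attrs)    # the user's own lines win
    return merged


def _matches(attrs, required, match_all):
    hits = [attrs.get(k) == v for k, v in required.items()]
    return all(hits) if match_all else any(hits)


def authorize(cfg, user, admin_attrs=None, admin_match_all=False, regular_attrs=None, regular_match_all=False, service="anue"):
    """Return "admin", "regular" or None for a login, as the NTO would decide."""
    if user not in cfg["user"]:
        return None
    attrs = effective_services(cfg, user).get(service)
    if attrs is None:
        return None                     # no matching service: cannot log in
    if admin_attrs and _matches(attrs, admin_attrs, admin_match_all):
        return "admin"
    if not regular_attrs or _matches(attrs, regular_attrs, regular_match_all):
        return "regular"
    return None
```

Calling `authorize(parse_config(SAMPLE_CONFIG), "mjones", admin_attrs={"role": "ADMIN"})` reproduces Example 2; adding `regular_attrs={"role": "REG"}` reproduces Example 3.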
The NTO now just needs to know the name of the attribute. This name is entered in the Group List section of the Configure Groups dialog that is displayed when the Configure button for Groups is clicked in the Set Authentication Mode dialog (page 197). This Configure Groups dialog is displayed below.
Based on the settings described, the user jane will be a member of the Engineering and Dallas access control groups on the NTO when she logs in. See Access Control Using Groups on page 239 for additional access control information. When TACACS+ users are logged in, their administrator status and access control group membership can be verified on the Users tab of the NTO Control Panel. A user with administrator capabilities will have a check in the System Administrator column. For details on the capabilities of users and system administrators, see Adding Users and Configuring Authentication on page 39.
Configuring RADIUS
This section describes the settings available when RADIUS is selected as the authentication mode, as shown in Figure 8-17.
NOTE The options configured in the Common RADIUS Settings section of this window apply to all of the configured RADIUS servers. When Authorization is set to Default, all users defined in RADIUS will be able to log into the NTO, and they will all be non-administrators. Administrator login privileges cannot be established when Default authorization is used. Users can log in, but they cannot be granted administrator capabilities. When Authorization is set to Role-Based, policies in RADIUS will be used to determine whether users will be allowed to log in to the NTO and whether they will be designated as administrators or non-administrators. The policies are described further in Configuring the Microsoft Network Policy Server on page 217. The Groups setting indicates whether you want the NTO to manage user groups (choose Local) or whether you want RADIUS to manage them (choose RADIUS). User groups are not required but can be used to control access to specific ports and dynamic filters in the NTO.
RADIUS Servers
Your company may use a single RADIUS server, or it may use multiple servers to guard against the failure of a single server. In either case, you specify the RADIUS server details in the Servers section of the Set Authentication Mode window (page 214). Click the Add button to add a RADIUS server. As RADIUS servers are added they are listed in the window. There is no limit to the number of RADIUS servers that can be added. Servers are checked in the order listed when attempting to authenticate users. The first server that responds to an authentication request will be used for future authentications. If the active RADIUS server goes down and a user attempts to authenticate, then the first server to respond to the authentication request will become the active RADIUS server. To change the settings of a RADIUS server, select it and click the Modify button. To change the order in which the servers are checked, select a server and click the Up or Down button. To validate the settings of a server, select it and click the Test Settings button. The NTO will attempt to connect to the server, using the defined IP address (or DNS name), TCP port, and specified secret password, and it will report the result. To remove one or more servers from the list, select them and click the Delete button.
The network address of the RADIUS server can be specified as a DNS name or an IPv4 address in the Server field. To use a DNS name, a DNS server must be configured on the System Settings page. (See Settings Tab on page 166.) By default, RADIUS servers communicate over TCP port 1812. If your server is configured differently, you may change the value in the Authentication Port field. Communications between the NTO and the RADIUS server are encrypted using a secret key configured on the RADIUS server. Enter the key in the Secret and Confirm Secret fields. The default amount of time the NTO will wait on a RADIUS server to respond before reporting a connection failure is 10 seconds. To shorten or lengthen this amount of time, change the value in the Timeout field. When an attempted communication times out, the NTO can be configured to re-try the communication. The default is to re-try two more times after the initial failure before giving up. To reduce or increase the number of re-try attempts, change the value in the Retry field. The NTO supports two different protocols for sending user passwords to the RADIUS server - CHAP (challenge encoded password) or PAP (plain text password). Select the protocol you want the NTO to use from the Authentication type drop-down selector. Information related to user login attempts (both successful and failed) and authorization checks can be tracked using the RADIUS accounting feature. You can turn accounting on or off using the Accounting drop-down selector. By default, RADIUS servers communicate accounting information over TCP port 1813. If your server is configured differently, you may change the value in the Accounting Port field.
Click the Clear All button to reset all settings for this server to their default values. Click the Test Settings button to verify that the NTO can connect to the RADIUS server using the configured settings. Tip: Accounting logs are stored on the RADIUS server. Please reference your RADIUS server documentation for information on how to retrieve accounting logs.
RADIUS Accounting
When a user successfully logs in to an NTO (or fails to log in), an Accounting-Request message is sent by the NTO to the RADIUS server. This message will contain five attributes:
Acct-Status-Type: the data will always be 1 (Start) to indicate that this is a login message.
NAS-IP-Address: the data will be the IP address of the NTO.
User-Name: the data will be the NTO login ID of the user.
Anue-Login-Status: the data will be 1 if the login succeeds or 2 if the login fails.
Anue-Role: the data will be 1 if the user logged in as an administrator or 2 if the user logged in as a regular user. This value will also be 2 if the login fails.
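The Accounting-Request described above, as an added example that is not Anue's code or the NTO's implementation: it builds the packet with the five attributes listed, carrying the Anue values as RADIUS Vendor-Specific attributes under Anue's enterprise number 32620 (Anue-Role is vendor attribute 1, as stated later in this chapter; the vendor attribute number of Anue-Login-Status is not given in this guide, so the constant below is an assumed placeholder), and the receiving side verifies the RFC 2866 Request Authenticator before trusting the record. The NTO address, user name and shared secret are constructed sample values.

```python
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                        # RADIUS packet code, RFC 2866
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 4, 26, 40
ACCT_START = 1                                # the NTO always sends Start
ANUE_VENDOR_ID = 32620                        # Anue's IANA enterprise number
ANUE_ROLE, ANUE_GROUPS = 1, 2                 # vendor attribute numbers given in the guide
ANUE_LOGIN_STATUS = 3                         # ASSUMED placeholder: use the number from the Anue dictionary
ROLE_NAMES = {1: "ADMIN", 2: "REG"}
STATUS_NAMES = {1: "success", 2: "failure"}


def _avp(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _anue_vsa(vendor_type, value):
    """Vendor-Specific attribute carrying one Anue sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", ANUE_VENDOR_ID) + sub)


def _u32(raw):
    """Decode a 4-octet integer value, rejecting wrongly sized attributes."""
    if len(raw) != 4:
        raise ValueError("integer attribute must be 4 octets")
    return struct.unpack("!I", raw)[0]


def build_accounting_request(identifier, secret, nas_ip, user, status, role):
    """Accounting-Request with the five attributes the NTO sends after a login attempt."""
    attrs = (_avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + _avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _avp(USER_NAME, user.encode())
             + _anue_vsa(ANUE_LOGIN_STATUS, struct.pack("!I", status))
             + _anue_vsa(ANUE_ROLE, struct.pack("!I", role)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 Request Authenticator: MD5 over code, identifier, length, 16 zero
    # octets, the attributes and the shared secret. A server that checks it can
    # reject records from a sender that does not hold the secret.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_accounting_request(packet, secret):
    """Verify the Request Authenticator, then decode the attributes into a dict."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Request Authenticator mismatch: wrong secret or tampered packet")
    record = {"identifier": identifier}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type == USER_NAME:
            record["User-Name"] = value.decode("utf-8", errors="replace")
        elif a_type == NAS_IP_ADDRESS:
            record["NAS-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif a_type == ACCT_STATUS_TYPE:
            record["Acct-Status-Type"] = _u32(value)
        elif a_type == VENDOR_SPECIFIC and len(value) >= 6 and _u32(value[:4]) == ANUE_VENDOR_ID:
            v_type, v_len = value[4], value[5]
            if v_len < 2 or 4 + v_len > len(value):
                raise ValueError("malformed vendor sub-attribute")
            v_value = value[6:4 + v_len]
            if v_type == ANUE_ROLE:
                record["Anue-Role"] = ROLE_NAMES.get(_u32(v_value), "unknown")
            elif v_type == ANUE_LOGIN_STATUS:
                record["Anue-Login-Status"] = STATUS_NAMES.get(_u32(v_value), "unknown")
            elif v_type == ANUE_GROUPS:
                record["Anue-Groups"] = [g.strip() for g in v_value.decode().split(",")]
    return record
```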
In the Address (IP or DNS) field, enter the NTO's IP address or DNS name. If you are using Windows Server 2008 Enterprise Edition, you can specify a range of NTO IP addresses using CIDR notation. For example, enter 192.168.81.0/24 to add all NTOs in the 192.168.81 subnet as RADIUS clients. In the Shared Secret fields enter the same value as was entered in the Secret fields when the RADIUS server was added to the NTO. (See Configure RADIUS Server Dialog on page 216.) On the Advanced tab leave all the settings at the default.
For example, the Anue-Role attribute is attribute number 1 and can be assigned a value of 1 (for an admin user) or 2 (for a regular user). The Anue-Groups attribute is attribute number 2 and can be assigned a string. The string is a comma-separated list of group names. You can also see the Anue-Service and Anue-Login-Status attributes used during accounting. The network policies you create will be checking membership in your Active Directory groups and will be setting Anue attributes when membership conditions are met.
Network policies are an ordered set of rules. The NPS checks them in order until a match is found. As a consequence, you will want to create a network policy for every possible combination of Active Directory groups that users might belong to and put them in order from most groups to fewest groups. For example, if you have two Active Directory groups, Engineering and Security, and users could be in one or both of the groups, you would want to create three network policies in this order:
1. Engineering and Security Policy
2. Engineering Policy
3. Security Policy
The first policy would have as a condition membership in both the Engineering and Security Active Directory groups and upon a match would set Anue attribute 2 (Anue-Groups) to Engineering, Security. The second policy would have as a condition membership in the Engineering group and upon a match would set Anue attribute 2 to Engineering.
The third policy would have as a condition membership in the Security group and upon a match would set Anue attribute 2 to Security. To create a network policy, in the NPS Server Manager GUI, select Server Manager > Roles > Network Policy and Access Services > NPS (Local) > Policies > Network Policies. Right-click on Network Policies and select New from the pop-up menu. The New Network Policy dialog will appear. In the Policy name field enter a name that reflects the groups being checked, such as Anue NTO Engineering Policy. Click Next to advance to the Specify Conditions page. Click Add and select the User Groups condition. Click Add and the User Groups dialog will appear. Click Add Groups and the Select Group dialog will appear. Enter the group name(s). Click OK in the Select Group and User Groups dialogs. When finished, the Specify Conditions dialog should look something like the following, Figure 8-21:
Click Next to advance to the Specify Access Permissions dialog. Select Access Granted. Click Next to advance to the Configure Authentication Methods and Configure Constraints dialogs, select both (CHAP) and (PAP, SPAP), and configure the settings as desired. Consult your NPS documentation for more information on these settings. Click Next to advance to the Configure Settings dialog and select Vendor Specific under RADIUS Attributes. Click Add and the Add Vendor Specific Attribute dialog will appear. Select Custom from the Vendor list and then select the Vendor-Specific attribute, Figure 8-22:
Click Add and the Attribute Information dialog will appear. Click Add again and the Vendor-Specific Attribute Information dialog will appear, Figure 8-23:
Select Enter Vendor Code and enter 32620 for Anue. Select "Yes. It conforms" and then click Configure Attribute. The Configure VSA (RFC Compliant) dialog will appear, Figure 8-24:
In this example, we want to specify the NTO group(s) that correspond to this policy, so enter 2 (Anue-Groups) for the Vendor-assigned attribute number, select String for the Attribute format, and enter Engineering (for example) as the Attribute value. In this case, Engineering corresponds to a group name in the NTO port access lists. If you want to create a policy that controls whether users are NTO administrators, modify your Conditions to make the appropriate check of Active Directory groups or settings and then add a vendor-specific attribute with attribute number 1 (Anue-Role), attribute format Decimal and attribute value 1 (Anue-Role ADMIN from the Anue dictionary), Figure 8-25:
Note that if you have a policy for authorizing users as NTO administrators, you will also need a policy for authorizing them as regular users. For regular users, set the attribute value to 2 (Anue-Role REG from the Anue dictionary). You will also need to make sure that Authorization is set to Role-Based in the Common RADIUS Settings panel of the NTO Set Authentication Mode dialog (page 214). When Authorization is set to Default in the NTO, the Anue-Role attribute is ignored. If your NPS authorization policies are not working as expected, this is one place to check.
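The first-match evaluation and the "most groups to fewest" ordering rule described earlier in this section, as an added example that is neither NPS nor Anue code: it walks a list of constructed policies the way NPS does, derives the NTO access control groups from the Anue-Groups value, and includes a check that flags any policy shadowed by an earlier, less specific one, which is the misconfiguration the ordering rule prevents.

```python
# Constructed policies in the shape NPS evaluates them: the Active Directory
# groups a User Groups condition requires, and the Anue-Groups string (Anue
# vendor-specific attribute 2) the policy returns when it matches.
POLICIES = [
    ({"Engineering", "Security"}, "Engineering, Security"),
    ({"Engineering"}, "Engineering"),
    ({"Security"}, "Security"),
]


def evaluate(policies, user_ad_groups):
    """First-match evaluation: the Anue-Groups value of the first policy whose
    condition is satisfied, or None when no policy grants access."""
    member_of = set(user_ad_groups)
    for required, anue_groups in policies:
        if required <= member_of:
            return anue_groups
    return None


def nto_groups(policies, user_ad_groups):
    """The NTO access control groups the user is placed in after login."""
    value = evaluate(policies, user_ad_groups)
    return [] if value is None else [g.strip() for g in value.split(",")]


def shadowed(policies):
    """Index pairs (later, earlier) of policies that can never match because an
    earlier policy with a subset of their conditions always matches first."""
    found = []
    for i, (required, _) in enumerate(policies):
        for j in range(i):
            if policies[j][0] <= required:
                found.append((i, j))
                break
    return found


def order_by_specificity(policies):
    """The ordering rule from the text: most groups first, fewest last."""
    return sorted(policies, key=lambda p: len(p[0]), reverse=True)
```

Running `shadowed` over an exported policy list is a quick way to confirm the order before a user in both groups reports missing port access.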
CHAPTER 9 SNMP
Introduction
SNMP (Simple Network Management Protocol) allows monitoring of network device configuration, state, and statistics. SNMP traps/informs provide real-time notifications of particular events. The Anue NTO supports SNMPv1, SNMPv2c and SNMPv3.
SNMPv1 provides basic get, get-next, and set requests and their responses, along with traps. SNMPv2c is SNMPv1 plus get-bulk requests and informs. SNMPv2c supports both traps and informs: traps do not require acknowledgement, whereas informs do. SNMPv2 traps are generated to trap recipients configured for SNMP version V2 with Retries set to 0. Informs are generated to trap recipients configured for SNMP version V2 with Retries set to 1 or greater.
SNMPv3 is SNMPv2c plus security. The security features added by SNMPv3 include authentication, privacy, and access control. SNMPv3 authentication verifies that the message is from a valid source. It also verifies that the message was not altered in transit and that it was not artificially delayed or replayed. In addition to authentication, SNMPv3 provides for privacy through encryption to prevent eavesdropping by third parties. When privacy is invoked between a principal and a remote engine, all traffic between them is encrypted using encryption methods such as the Data Encryption Standard (DES). Access control for SNMPv3 determines whether a specific type of access (read, write, notify) to a particular object (instance) is allowed. Currently, access is open to the entire set of MIBs that the NTO supports. SNMPv3 informs also provide for authentication, privacy and access control: in the same way that SNMP requests are authenticated by the agent, informs are authenticated by the end user or Network Management Station.
Anue NTO SNMP support is restricted to SNMP requests and trap generation. SNMP sets (writes) are not supported at this time.
Note: The Anue NTO can only respond to SNMP requests on UDP port 161. This setting is not configurable.
Supported MIBs
Portions of the following MIBs and their corresponding traps are supported. A spreadsheet detailing the specific MIB objects and traps supported by the NTO can be requested from Anue Technical Support. For more information about how to contact Anue Technical Support, see Technical Support on page 11.
1. IF-MIB http://www.ietf.org/rfc/rfc2863.txt
2. Ethernet-like Interfaces http://www.ietf.org/rfc/rfc2665.txt
3. VACM MIB http://www.rfc-editor.org/rfc/rfc3415.txt
4. FRAMEWORK MIB http://www.ietf.org/rfc/rfc3411.txt
5. USM-MIB http://www.ietf.org/rfc/rfc3414.txt
6. TARGET-MIB and NOTIFICATION-MIB http://www.ietf.org/rfc/rfc3413.txt
7. COMMUNITY MIB http://www.ietf.org/rfc/rfc3584.txt
8. RMON MIB http://www.ietf.org/rfc/rfc2819.txt
9. Entity MIB http://www.ietf.org/rfc/rfc4133.txt
10. Entity State MIB http://www.ietf.org/rfc/rfc4268.txt
11. IP MIB http://www.ietf.org/rfc/rfc4293.txt
12. SNMPv2 MIB http://www.ietf.org/rfc/rfc3418.txt
Note: Anue also provides a proprietary MIB in order to model NTO configurations and statistics which cannot be modeled in a straightforward manner with existing standard MIBs. These objects include filter configuration, advanced AFM features (Models 5204/5236/5273 only), history, connections, and statistics. The Anue MIB also includes extended interface information and authentication objects/traps. Details about the specific Anue MIB objects and traps supported can be requested from Anue Technical Support.
Port filters and dynamic filters can be assigned an SNMP tag. The SNMP tag field is a free-form text field that users may optionally configure for each filter. A user can configure one or more keywords using comma, space, or colon as separators. An SNMP management application can then use the keywords to facilitate customized search, sort, and aggregation of the Anue MIB filter information.
Anue Systems has registered with IANA and been assigned Private Enterprise number 32620 [http://www.iana.org/assignments/enterprisenumbers]. All Anue MIB objects are organized under this uniquely assigned OID, anueMIB (1.3.6.1.4.1.32620).
To configure SNMP:
1. Log in to the Anue NTO using an account that has system administrator capabilities.
2. Click System to access the System View.
3. Click the Disabled hyperlink to the right of SNMP configuration. Configure the desired SNMP request and trap parameters. Note that SNMP request processing can be enabled or disabled separately from SNMP trap generation. Multiple trap recipients are supported; each can have its own characteristics and enabled/disabled trap types.
4. Click the Add button. Select SNMP version V2. Type the word AnueComm1 in the Community String field. Click OK.
5. Repeat step 4 and type the word AnueComm2 in the Community String field.
6. Click the Enable SNMP requests checkbox. Note that the Anue NTO will not respond to SNMP requests when this setting is disabled. Configured community string information is maintained when SNMP requests are disabled.
7. Click the Traps tab and then click the Enable SNMP Traps checkbox. Note that the Anue NTO will not generate SNMP traps when this setting is disabled. Configured trap recipient information is maintained when SNMP trap generation is disabled.
8. Click the Add button. Select SNMP Version V2. Enter 192.168.40.119. Leave the Destination UDP Port set at 162. Click the Cold start and SNMP Authentication failure checkboxes. For SNMP authentication failure, select Enhanced Anue MIB.
   Enhanced Anue MIB: In the case of SNMP Authentication failure, send the Anue enhanced trap. Enhancements beyond RFC 1213 include text in the trap message indicating the last failed SNMP query system time, source IP address, IP type, message security model and user name/community string.
   Standard MIB-II: Send the standard RFC 1213 MIB-II trap when SNMP authentication failures occur.
   Set the Retries to 1. This value indicates that the NTO will attempt to send the inform up to two times. Set the Retry timeout to 5 seconds. This value indicates the amount of time in seconds that the NTO will retry sending the trap. Click OK.
9. The SNMP configuration has now been completed. The bottom portion of the window provides a summary of the configuration of the selected SNMP trap. Click OK to save all of the changes.
CHAPTER 10 SYSLOG
Syslog is a standard for forwarding log messages in an IP network. Syslog is a client/server protocol. The syslog sender sends a small (less than 1KB) text message to the syslog receiver. Syslog is typically used for computer system management and security auditing and it can be used to integrate log data from many different systems into a central repository. In order to enable syslog on the Anue NTO, users must supply the IP address or DNS name of an external syslog server. Note: Reference your syslog server documentation for information on configuring and enabling your syslog server. When a syslog server is configured on the NTO, syslog messages will be created and sent to each syslog server configured whenever configuration or state changes occur on the NTO.
Log Level  Severity       Description
0          Emergency      The system is unusable.
1          Alert          Action must be taken immediately.
2          Critical       Critical conditions exist that should be corrected immediately because there is a failure in a primary system - for example, the loss of a backup ISP connection.
3          Error          Error conditions exist for non-urgent failures that should be relayed to developers or administrators.
4          Warning        Warning message, not an error, that indicates an error will occur if action is not taken - for example, the file system is 85% full. Each item must be resolved within a given time.
5          Notice         Events that are unusual but are not error conditions. No immediate action is required. These events might be summarized in an email to developers or administrators to spot potential problems.
6          Informational  Normal operational messages where no action is required. These events may be harvested for reporting, measuring throughput, etc.
7          Debug          Information that is useful for developers for debugging the application. These events are not useful during operations.
Events usually generate messages at the Informational severity level (level 6), but there are exceptions. Table 10-2 shows the types of events that generate messages and the severity level for those events.
Events logged at the Informational level (Table 10-2):
- Modification of tool and network port configuration
- Creation and modification of port groups, filters, filter templates, template collections
- Creation and deletion of connections between ports and filters
- Reset of port or filter statistics
- State changes: link up/link down, dropped packet alarm, fan failure, temperature changes, insufficient filter memory, license expiration
- Creation and modification of users and groups, including adding and removing users from groups
- Login attempts: success and failure
Further events listed in Table 10-2:
- System settings: software installation, license installation, system info modification, IP address change, DNS configuration, authentication settings, SNMP settings, syslog settings, etc.
- TACACS+ server failures when using TACACS+ authentication
- The primary configuration database is corrupt
- Login attempts that fail
- Link down for the management port
- Fan failures
- Temperature exceeding the maximum acceptable temperature
- All configured TACACS+ servers have failed
- Both primary and backup configuration databases are corrupt
Syslog servers going offline will be logged. If the server is taken offline by a user, that is logged at level Informational. If the server goes offline because of a communication error, that is logged at level Warning. The syslog settings are retained when the NTO is rebooted.
When syslog servers are configured, they can be added by IP address or by DNS name. If DNS name is used, the system DNS configuration must be set before messages can be sent to the server. The port and facility must also be selected.
The facility is the application or operating system component that generates a log message. The level is the severity or significance of the message that's been generated. The action defines what's done with any newly-arrived message that matches the facility and level. This combination of facility and level, referred to as the selector, allows system administrators to customize message handling, based on which parts of the system are generating data and how critical the data is. Eight facilities are used for customized auditing: Local0-Local7 and User, as shown in Figure 10-2. Configure the NTO to match the facility level on your syslog server. For example, if your syslog server uses Local5, then select Local5 from the Facility drop-down list in the Syslog Server Configuration dialog, Figure 10-2.
For each port, access policies can be set for two operations, 1) Modifying a ports configuration and 2) Connecting/disconnecting from a port. For these two operations, there are three choices: Allow all, Require Group Member or Require Admin. Modification and connection access can be used to customize policies for an organization. For example, you may want to set up access to a tool port for an IDS tool such that only members of the security engineering team can connect to a tool port, and only members of security management can modify the tool port settings (filter criteria, connection speed, etc.). Access Control Behavior Once access control policies are set, each user receives a customized view of the ports that they can access. Users can see all port and dynamic filter settings, but lock icons will display on the ports and dynamic filters that they cannot connect to or modify. Access Control Icon Indicators The figure below displays a single lock towards the center of the port. This indicates that the user can add and remove port connections but cannot modify the port settings (port speed, filter criteria, etc.).
The next figure displays a lock towards the center of the port and at the port connector. This indicates that the user cannot modify the port settings, add port connections or remove port connections.
Because system administrators have access to all objects regardless of the access control settings of the object, their view will display faded locks on ports and dynamic filters with access control in effect. The faded locks, as shown in the figure below, inform the system administrator that a dynamic filter or port has access control settings other than Allow All configured.
Inheritance
Filters automatically inherit the access control settings of the network and tool ports to which they are connected. This ensures that the access policies are consistently enforced. As an option, the access policies of filters can be configured by a system administrator. This feature can be used to filter out sensitive data so tools can safely monitor cleansed data (see Example #2). Port Groups inherit the security settings of their contained ports. A user must have modify access to every port contained in a port group to have modify access to the port group. A user must have connect/disconnect access to every port contained in a port group to be able to perform those operations on the port group.
Authorization Failure
If an unauthorized user attempts to add or remove connections or alter port or filter configuration settings, they will receive an authorization failure message similar to the one displayed in the figure below.
1. Add the appropriate users to the Security Team group. Click the New Group icon displayed in the toolbar below the main menu options. (Note that this icon will not be visible when a non-system administrator is logged in.) When the New Group window displays, enter Security Team in the Name field. Then click the Add button to begin adding users to the Security Team group from the list.
Select the users from the displayed list. Several users can be selected by using the Shift or Ctrl keys. Click OK to add the users. Click OK to create the group. For more details on how to create groups, see Creating Groups and Adding Users to Groups.
2. Double-click the IDS 1 tool port and select the Access Control tab. Change the Operation: Connect/Disconnect to/from this Port Policy to Require Group Member. Click the Add Group button in this section and add the Security Team to the access list. Note: More than one group can be added to the access list. Click OK.
3. After the access control policy has been enabled, only the members of the Security Team (and system administrators) will be able to make connections to the IDS 1 tool port.
Notice that the VLAN 100 dynamic filter has inherited the IDS 1 tool port access control settings. The IDS 1 Connect/Disconnect policy has been applied to both the VLAN 100 filter Connect/Disconnect and Modification policies. This ensures that the access policies are consistently enforced. For example, modifications to the VLAN 100 filter settings could alter the data received by the IDS 1 tool port, and disconnecting the VLAN 100 filter from the SPAN 1 network port would stop all traffic from being sent to the IDS 1 tool port. Note that the access control policies of filters can also be customized by a system administrator.
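The policy rules described in the Inheritance section and exercised in Example #1 can be modelled as a small authorization check. This is an added example, not code from the guide or from the NTO software: it assumes that an inherited filter policy is derived from the connect/disconnect policy of every port the filter is connected to, that the user must satisfy all of them (the most restrictive port wins), and that an administrator can replace the inherited policy with an explicit one; the users, group and port group are constructed for the example.

```python
# Added example (not from the NTO guide or its software): evaluating the port
# and filter access-control policies described above.  It models the three
# policy choices (Allow All, Require Group Member, Require Admin), the rule
# that a port group grants an operation only when every contained port grants
# it, and filter inheritance.  Assumption: an inherited filter policy comes
# from the connect/disconnect policy of every connected port and the user must
# satisfy all of them; an administrator may set an explicit policy instead.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

ALLOW_ALL = "Allow All"
REQUIRE_GROUP = "Require Group Member"
REQUIRE_ADMIN = "Require Admin"


@dataclass(frozen=True)
class User:
    login: str
    is_admin: bool = False
    groups: FrozenSet[str] = frozenset()


@dataclass
class Policy:
    mode: str = ALLOW_ALL
    access_list: FrozenSet[str] = frozenset()  # groups, for REQUIRE_GROUP

    def permits(self, user: User) -> bool:
        if user.is_admin:            # system administrators bypass every policy
            return True
        if self.mode == ALLOW_ALL:
            return True
        if self.mode == REQUIRE_GROUP:
            return bool(user.groups & self.access_list)
        return False                 # REQUIRE_ADMIN and the user is not one


@dataclass
class Port:
    name: str
    modify: Policy = field(default_factory=Policy)
    connect: Policy = field(default_factory=Policy)


@dataclass
class DynamicFilter:
    name: str
    ports: List[Port]                   # connected network and tool ports
    explicit: Optional[Policy] = None   # set by an administrator, else inherited


@dataclass
class PortGroup:
    name: str
    ports: List[Port]


def can(user: User, obj, op: str) -> bool:
    """op is 'modify' or 'connect' (connect/disconnect)."""
    if op not in ("modify", "connect"):
        raise ValueError(op)
    if isinstance(obj, Port):
        return getattr(obj, op).permits(user)
    if isinstance(obj, PortGroup):
        # Modify or connect on the group needs that right on every member port.
        return all(can(user, p, op) for p in obj.ports)
    if isinstance(obj, DynamicFilter):
        if obj.explicit is not None:
            return obj.explicit.permits(user)
        # Inherited (assumption, see above): the connect/disconnect policy of
        # every connected port governs both filter operations, because changing
        # or disconnecting the filter changes what the tool port receives.
        return all(p.connect.permits(user) for p in obj.ports)
    raise TypeError("unknown object %r" % (obj,))


def build_example1():
    """Objects from Access Control Example #1 (constructed data): SPAN 1
    network port, IDS 1 tool port whose connect policy requires the Security
    Team group, the VLAN 100 filter between them, and a port group of both."""
    span1 = Port("SPAN 1")
    ids1 = Port("IDS 1", connect=Policy(REQUIRE_GROUP, frozenset({"Security Team"})))
    vlan100 = DynamicFilter("VLAN 100", ports=[span1, ids1])
    group = PortGroup("SPAN 1 + IDS 1", ports=[span1, ids1])
    return span1, ids1, vlan100, group


if __name__ == "__main__":
    span1, ids1, vlan100, group = build_example1()
    bob = User("bob")
    for obj in (span1, ids1, vlan100, group):
        print(obj.name, "modify:", can(bob, obj, "modify"), "connect:", can(bob, obj, "connect"))
```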
Access Control Example #2 - Protect Sensitive Data but Allow Non-sensitive Data to be Accessed
The goal of this example is to configure access control to only allow system administrators to direct sensitive data to tool ports. Note: This example uses local authentication. See the figure below. In this example, sensitive PCI and SOX data is being received from the P01 network port along with other non-sensitive data. Note that if the goal were instead to allow only a select group of users to direct sensitive data to tool ports, a group name could be substituted for the Require Admin option selected in this example. The figure below displays the access control settings that have been enabled. Access control settings are applied on the Access Control tab of each object.
Network Port (P01) Access Control Settings:
The access control setting for modifying this network port has been set to Require Admin (notice the modification lock on the network port in the figure above). This setting will prevent non-system administrators from modifying the type of traffic that will be allowed to pass through the network port. The access control setting for connecting tools to this network port has also been set to Require Admin (notice the connection lock on the network port in the figure above). Only system administrators will be able to modify the network port settings and connect dynamic filters to the network port.
Dynamic Filter (F1) Access Control Settings:
The dynamic filter has been configured with filter criteria that will remove sensitive data from the traffic received from network port (P01) and allow all other data to pass through to connected tool ports. The access control setting for modifying the dynamic filter has been set to Require Admin (notice the modification lock on the F1 dynamic filter in the figure above). This will prevent the dynamic filter settings from being modified by non-system administrators and ensure that sensitive data cannot be accessed. For example, if a non-system administrator could change the filter criteria to Pass All, all data, sensitive and non-sensitive, could pass through the dynamic filter. The access control setting for connecting tool ports to the dynamic filter has been set to Allow All. This setting will allow any user to connect a tool port to this dynamic filter. Connected tools will only receive non-sensitive data.
Dynamic Filter (F2) Access Control Settings:
The access control setting for modifying this dynamic filter has been set to Require Admin. The access control setting for connecting tools to this dynamic filter has also been set to Require Admin. Only system administrators will be able to modify the dynamic filter settings and connect tool ports to this dynamic filter.
Access Control Example #3 - Restrict Access to Allow One Group to Modify a Port and another Group to Make Connections to the Port
The goal is to ensure that only system administrators can modify the configuration of a port but all users can connect to the port and direct traffic to tools. This setup will ensure that only system administrators can disable the port and modify filter criteria settings. Note: This example uses local authentication.
1. Double-click the SPAN 1 network port and select the Access Control tab. The Operation: Connect/Disconnect to/from this Port Policy will remain at the default setting of Allow All. Notice that there is information below both of the policy access lists indicating which users can perform operations specific to the policy. Click OK to save the changes.
2. After the access control policy has been enabled, users who are not system administrators will see a lock towards the center of the port, which indicates that the user does not have the ability to modify the port configuration. There is no lock at the port connector, indicating that the user can connect tools to the port.
5. Create and enable a Router SPAN Port (P01), Data Storage tool port (P02) and IDS tool port (P03). Draw connectors between the ports as shown in the figure below. Connections are drawn by clicking the mouse pointer on the small green square on the side of an object and dragging to the small green square on the side of another object. Note that when the first connection is drawn between P01 and P02 or P01 and P03, a dynamic filter will automatically be created.
6. Double-click the dynamic filter. Select the Filter Criteria tab and configure the Filter Mode to Pass by Criteria. Select the Layer 2 Criteria Type. Click the VLAN button. Enter the VLAN ID 2. Click OK in each dialog box until all of the dynamic filter windows are closed.
7. Double-click the Data Storage tool port (P02). Select the Filter Criteria tab and configure the Filter Mode to Deny by Criteria. Click the IP Protocol button. Select ICMP (1) from the drop-down list. Click OK in each dialog box until all of the tool port windows are closed.
The Quick Start Example is now completed. VLAN 2 traffic from the Router Span Port is being sent to tool port P02. ICMP packets will be dropped at tool port P02 before traffic reaches the Data Storage device. All VLAN 2 traffic from the Router Span Port is being sent to the IDS device connected to tool port P03.
Three 1G ports (transmitting data at full line rate) have been aggregated to one 1G port. The VLAN 10 Filter eliminates traffic that is not required by the Data Capture (P03) tool port and prevents the three network ports from causing a packet overflow condition at the tool port. Tool port statistics can be used to verify that the traffic from the three network ports, after the VLAN 10 filtering, is equal to less than 1G.
Now we would like to add a similar configuration where the same three network ports will have their traffic aggregated to a 1G IDS tool port and the Pass by Criteria criterion of the filter will be set to VLAN 2. The control panel ease of use features can be used to quickly make the configuration changes in the four simple steps outlined below.
1. Add the additional tool port.
2. Duplicate the VLAN 10 Filter and change the criterion to VLAN 2.
3. Use the Connections tab of the Edit Filter window to connect the filter to the three network ports.
4. Use the Connections tab of the Edit Filter window to connect the filter to the tool port.
For more information about the control panel ease of use features, see Control Panel Ease of Use Features.
Step 1: Add the IDS tool port
Double-click an available port, configure it as a 1G tool port, name the port IDS and enable it. Click OK to save the changes.
Step 2: Duplicate the VLAN 10 filter and change the criterion to VLAN 2
Note that this feature is most useful when a complex filter has been created and there is a need to create a very similar filter that has minor modifications. Right-click the VLAN 10 filter and select Copy. Right-click the diagram area and select Paste. You will receive the following message:
Enter the name VLAN 2 Filter and click OK. Double-click the VLAN 2 Filter. In the Selected Criteria section on the Criteria tab, double-click the VLAN 10 criteria. Set the VLAN ID to 2. Click OK.
Step 3: Use the Connections tab of the Edit Dynamic Filter window to connect the (VLAN 2) filter to the three network ports
Click the Connections tab. To the right of the Network Ports section, click the Add Port button.
Step 4: Use the Connections tab of the Edit Filter window to connect the (VLAN 2) filter to the (IDS) tool port
To the right of the Tool Ports section on the Connections tab, click the Add Port button. Click the Data Capture tool port and click OK. Click OK again on the Edit Filter window to save all of the port changes.
The tool port icon indicates that a layer 4 Source Port deny criterion has been configured (L4SPT). The tool port is configured to deny DNS traffic.
Create the second tool port for a traffic analyzer and draw a connector to the Pass All Filter. The second tool port is configured to Pass All traffic. In the figure below, the Router SPAN Port 2 traffic is now being sent to two tool ports. The IPS (P21) tool port is denying or filtering a portion of the available traffic; the Traffic Analyzer (P03) tool port is receiving all of the available traffic.
Function Keys
The function keys provide several features that help with viewing and organizing the diagram. A Function Key Legend is displayed at the bottom of the main window. The Function Key Legend provides a quick reference to some of the available function keys.
The options displayed in the legend can change based on the current focus or view. For example, the F5 Organize Diagram option is not displayed in the legend unless the diagram area Auto-organize option is disabled. There are additional function keys that are not displayed in the function key legend. Function key shortcuts are displayed next to several menu options. For example, while in the diagram view, the View menu indicates that Zoom can be achieved with the F4 key.
F2: Enable/Disable Mouseover Pathway Highlighting
The F2 function toggles between Enable Mouseover Pathway Highlighting (when disabled) and Disable Mouseover Pathway Highlighting (when enabled). When this function is enabled, the user can hover the mouse over a diagram object to highlight the connections unique to the object. For example, looking at this diagram it may be difficult for the user to clearly see the connections to the Data Capture (P03) tool port.
When Mouseover Pathway Highlighting is enabled, placing the mouse over the P03 icon will cause the connection lines to be highlighted in bold blue as shown in the figure below. The mouse can be placed over network ports, tool ports and connections to highlight the pathways involving that object.
F3: Zoom In (not listed in the diagram area legend)
This function key will enlarge the size of the diagram view. Note that the menu option View -> Zoom to 100% can be used to restore the view to normal.
F4: Zoom Out (not listed in the diagram area legend)
This function key will decrease the size of the diagram view. Note that the menu option View -> Zoom to 100% can be used to restore the view to normal.
F5: Organize Diagram
This option will redraw the diagram so that there are a minimum number of crossed connections. When the Automatically re-organize... option is unchecked under the Diagram section of the Options menu (Edit -> Options), the F5 function key can be used to organize the objects on the diagram. See the section on the Edit Menu for details on the algorithm used to organize the diagram. Note that the F5 function key is not available on the function key bar when the diagram area is configured to automatically re-organize.
F6: Focus on all/Focus on selected/Focus on my access
The F6 function key provides three focus options: Focus on all, Focus on selected and (for non-system administrators) Focus on my access. Pressing the F6 key will toggle between the last two focus options selected by the user.
Focus on all: This is the default focus mode that displays all diagram objects.
Focus on selected: To use this feature the user selects the diagram objects that they want to focus on and then presses the F6 function key. The diagram will then redraw so that only the selected object(s), and the other objects that are connected to them, are displayed. To select more than one object the user can hold down the Ctrl key while selecting objects or lasso the objects using the mouse.
Focus on my access: When access control using groups has been enabled on ports or dynamic filters, this focus option displays the dynamic filters and ports that the user has access to. This option is only available to non-system administrators because system administrators always have access to all objects. For more information on access control using groups, see Access Control Using Groups. There are additional methods available to choose the diagram view focus. For more information, see Icon Toolbar and Focus Status.
F7: Suppress/Show Tooltips
This function key will suppress the display of tooltips. Most of the Control Panel diagram area objects provide tooltip help. Occasionally the display of tooltips may interfere with the display of information that a user wants to view. Pressing F7 allows the display of tooltips to be suppressed. Pressing F7 (Show Tooltips) again will display tooltips.
F10: Hide/Show Memory Meters
This function key toggles between Hide Memory Meters and Show Memory Meters. It will hide or show the memory meters displaying the filter memory allocation.
F11: Hide Disabled Ports/Show Disabled Ports
This function key toggles between Hide Disabled Ports and Show Disabled Ports. This setting is remembered upon exit and recalled when the user logs in again.
F12: Bring Stats to Front
This function key will bring all open statistics windows to the foreground. The F12 key is only visible in the function key legend when there are statistics windows open.
CHAPTER 15 Statistics
The Anue Net Tool Optimizer (NTO) provides a wide range of statistics to help users optimize tool utilization. Network ports, tool ports and filters report statistics. There are also tool management view statistics, which provide statistics for all the objects connected to a specific tool port. There are several ways to view object statistics:
Right-click on an object (tool port, network port, or dynamic filter) and choose Statistics.
Ctrl-double-click on an object.
Click on Filters or Ports in the management pane and select Statistics. This provides a view of all filter or port statistics at once.
Right-click on a tool port and select Tool Management View.
Shift-click on several objects, right-click and choose Statistics. The statistics window for all selected objects will open.
Refresh Time of Displayed Stats: Displays the time at which the statistics were collected on the server. The time is displayed in the local time zone of the PC running the control panel. Users running the control panel in different time zones will see different times displayed here.
Display Refresh Interval: The configured refresh interval is displayed. Click the value to configure the interval. This setting does not affect how often statistics are collected on the NTO, which is always once per second. The refresh interval can also be configured under the Edit -> Options menu.
The Pause button pauses the update of the statistics displayed in the control panel for the currently logged in user (the button name changes to Resume during a pause). This button does not affect the actual collection of statistics on the NTO server.
Reset Time since stats reset: Displays the amount of time that has elapsed since the reset of the port statistics.
Reset by: Displays the Login ID of the last user who reset the port statistics.
The Reset button will reset the tool port statistics.
The Reset Open button will reset the statistics of all of the ports and filters with statistics windows that are currently open. This feature allows the statistics for different objects to be synchronized to a similar point in time. Note that since the statistics windows are reset serially, the statistics displayed on the open statistics windows will not be completely synchronized.
The Close All button closes all of the currently open statistics windows.
The Close button closes the tool port statistics window.
Counts
Received: A total count of the received packets or bytes since statistics were last reset for the port. Packet counts display under the Packets column, byte counts display under the Bytes column.
Valid: A total count of the valid packets received since the statistics were last reset.
Invalid: A total count of the invalid packets received since the statistics were last reset. This value is also a link that provides details about the invalid packets. The invalid packet breakdown window is shown below. Note that invalid packets are not forwarded to tools.
The Invalid Packets Breakdown window displays the following RFC 2665 Dot3 statistics. When a statistic category is selected, a brief description will display in the Description field:
Frame-too-long errors
FCS errors
Alignment errors
Symbol errors
The Invalid Packets Breakdown window also displays the following RFC 1757 Ether statistics. When a statistic category is selected, a brief description will display in the Description field:
Collisions
CRC alignment errors
Fragments
Runts
Table 15-1 describes how invalid packets are handled on different models of the NTO. See Supported Packet Sizes for information on packets that are classified as invalid because of size.
Table 15-1: Invalid Packets on Different Models
Model: 5204
Details: Byte counts include both valid and invalid packets. The byte counters increment when invalid packets are received, but packet counters do not.
Model: 5236, 5273
Details: Both network port filters and dynamic filters will include invalid packets in packet and byte counts before the packets are dropped prior to the Tool Port filter. Packets that contain an invalid 802.3 Length/Type field will pass through the network port but will not be counted in the packet statistics. These packets will not be passed to tools.
Model: 5288, 5293
Details: Both network port filters and dynamic filters will include invalid packets in packet and byte counts before the packets are dropped prior to the Tool Port filter. Packets that contain an invalid 802.3 Length/Type field will pass through the network port but will not be counted in the packet statistics. If Length is the only error, the packet will pass through the Tool Port. Other error packets will not be passed to tools.
Passed: A total count of the packets or bytes that were allowed to pass through the port since port statistics were last reset. Packet counts display under the Packets column, byte counts display under the Bytes column. Traffic is allowed to pass through the port based on the filter mode and criteria.
Rates/Percentages
Clicking the Chart icon displays a chart window. Statistic charts provide a historical view of counts/rates/throughput, traffic patterns and burstiness in line chart format. A detailed description of this feature is provided in the Statistics Charting section. Rates and percentage values are displayed under the following categories:
Current: The value recorded in the last second.
Average: The average value per second since statistics were last reset for the port.
Peak: The largest value recorded since statistics were reset for the port.
Time Since Peak: The time in seconds since the Peak value was recorded.
Note: Statistics are measured once per second by accurately counting a physical quantity such as bits, bytes or packets during that second and then representing that value in the appropriate format and units for display to the user. Traffic patterns in actual networks may fluctuate on a timescale faster than the measurement period of the statistics (one second). When this occurs, it is important to understand the limitations of such one-second measurements. The counts of bits, bytes or packets over a one-second period (and cumulative statistics based directly on them) will always be correct. However, caution must be used when interpreting any statistic that indicates a "rate" such as bits per second or percentage load. One-second rate statistics are essentially averages over a whole second. When traffic is bursty, and those bursts last less than one second, a portion of the one-second measurement period will have a traffic intensity above the reported value. During the rest of the one-second measurement period, the traffic intensity will be below the reported value.
Received Bits/Sec: A count of the bits received each second.
Passed Bits/Sec: A count of the bits that were allowed to pass through the port's filter each second. Traffic is allowed to pass through the port based on the filter mode and criteria.
% Bytes Passed: The percentage of bytes that were allowed to pass through the port's filter. Traffic is allowed to pass through the port based on the filter mode and criteria.
Received Pkts/Sec: A count of the packets received each second.
Passed Pkts/Sec: A count of the packets that were allowed to pass through the port's filter each second. Traffic is allowed to pass through the port based on the filter mode and criteria.
% Pkts Passed: The percentage of packets that were allowed to pass through the port's filter. Traffic is allowed to pass through the port based on the filter mode and criteria.
Utilization: Displays the percentage of available port bandwidth being used by incoming traffic.
Refresh: See Features Common to All Statistics Pages on page 267. The Resume button is only available when traffic is paused. Clicking the Resume button restarts the update of statistics.
Reset: See Features Common to All Statistics Pages on page 267.
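The one-second measurement caveat above is easiest to see with numbers. The following added example (not code from the guide or from Anue) builds a constructed trace of bits per 10 ms slot with 100 ms bursts at full line rate, rolls it into the once-per-second Received Bits/Sec, Average, Peak and Time Since Peak values the guide describes, and compares the reported Peak with the true sub-second intensity; the 1G port speed and burst pattern are assumptions chosen for illustration.

```python
# Added example (not from the NTO guide): what a once-per-second rate statistic
# reports when traffic bursts for less than a second.  A constructed trace of
# bits per 10 ms slot is rolled up into the Current / Average / Peak values the
# guide describes, next to the true sub-second intensity.  Port speed and the
# burst pattern are assumptions chosen for illustration.
SLOTS_PER_SEC = 100            # trace resolution: 10 ms slots
LINE_RATE_BPS = 1_000_000_000  # assumed 1G port


def synth_trace(seconds, burst_ms=100, burst_every=2, background_bps=50_000_000):
    """Bits observed in each 10 ms slot: a steady background load plus, every
    `burst_every` seconds, a burst at full line rate lasting `burst_ms`
    starting at the second boundary (constructed traffic, not a capture)."""
    slots = []
    for sec in range(seconds):
        for slot in range(SLOTS_PER_SEC):
            slot_start_ms = slot * 1000 // SLOTS_PER_SEC
            bursting = sec % burst_every == 0 and slot_start_ms < burst_ms
            rate = LINE_RATE_BPS if bursting else background_bps
            slots.append(rate // SLOTS_PER_SEC)   # bits in this 10 ms slot
    return slots


def one_second_stats(slots):
    """Roll the trace into per-second counters, the way a once-per-second
    counter sees it, and derive the displayed rate values from them."""
    per_second = [sum(slots[i:i + SLOTS_PER_SEC])
                  for i in range(0, len(slots), SLOTS_PER_SEC)]
    peak = max(per_second)
    last_peak_idx = max(i for i, v in enumerate(per_second) if v == peak)
    return {
        "received_bits_per_sec": per_second,            # the Current value each second
        "current": per_second[-1],
        "average": sum(per_second) / len(per_second),   # since the last reset
        "peak": peak,
        "time_since_peak": len(per_second) - 1 - last_peak_idx,
        # What the one-second view cannot show: the largest instantaneous rate.
        "subsecond_peak": max(slots) * SLOTS_PER_SEC,
    }


def utilization_pct(bits_per_sec, line_rate=LINE_RATE_BPS):
    """Utilization as the guide displays it, relative to the port's line rate."""
    return 100.0 * bits_per_sec / line_rate


def saturated_ms(slots, line_rate=LINE_RATE_BPS):
    """Milliseconds during which the instantaneous rate reached line rate.
    A tool port fed from several aggregated ports can overflow in exactly
    these intervals while its reported per-second utilization looks low."""
    per_slot_limit = line_rate // SLOTS_PER_SEC
    return sum(1 for b in slots if b >= per_slot_limit) * (1000 // SLOTS_PER_SEC)


if __name__ == "__main__":
    trace = synth_trace(4)
    s = one_second_stats(trace)
    print("reported peak %.1f%% utilization, true sub-second peak %.0f%%, "
          "link saturated for %d ms" % (utilization_pct(s["peak"]),
                                        utilization_pct(s["subsecond_peak"]),
                                        saturated_ms(trace)))
```

With the default trace the reported Peak is 145 Mbit/s (14.5% of a 1G port) while the link was actually saturated for 100 ms of each burst second.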
Counts
Inspected: A total count of the packets and/or bytes that were inspected since dynamic filter statistics were last reset. Packet counts display under the Packets column, byte counts display under the Bytes column.
Passed: A total count of the packets and/or bytes that were allowed to pass through the dynamic filter since dynamic filter statistics were last reset. Packet counts display under the Packets column, byte counts display under the Bytes column. Traffic is allowed to pass through the dynamic filter based on the filter mode and criteria.
Rates/Percentages
Clicking the Chart icon displays a chart window. Statistic charts provide a historical view of counts/rates/throughput, traffic patterns and burstiness in line chart format. A detailed description of this feature is provided in the Statistics Charting section. Rates and percentage values are displayed under the following categories:
Current: A display of the value recorded in the last second.
Average: A display of the average value per second since statistics were last reset for the dynamic filter.
Peak: A display of the largest value recorded in any single second since statistics were last reset for the dynamic filter. Note that since statistics are sampled once per second, peaks that occur between samples may be missed, and may be larger than what is actually reported.
Time Since Peak: The time in seconds since the Peak value was recorded.
Inspected Bits/Sec: A count of the inspected bits per second.
Passed Bits/Sec: A count of the bits per second that were allowed to pass through the dynamic filter.
% Bytes Passed: The percentage of bytes that were allowed to pass through the dynamic filter. Traffic is allowed to pass through the dynamic filter based on the filter mode and criteria.
Inspected Pkts/Sec: A count of the inspected packets per second.
Passed Pkts/Sec: A count of the packets per second that were allowed to pass through the dynamic filter.
% Pkts Passed: The percentage of packets that were allowed to pass through the dynamic filter. Traffic is allowed to pass through the dynamic filter based on the filter mode and criteria.
Refresh: See Features Common to All Statistics Pages on page 267. The Resume button is only available when traffic is paused. Clicking the Resume button restarts the update of statistics.
Reset: See Features Common to All Statistics Pages on page 267.
Counts
Inspected: A total count of the packets that were inspected since port statistics were last reset.
Passed: A total count of the packets that were passed by the tool port filter. (Models 5236/5273 only) AFM tool port statistics include a total count of the packets that were passed by the tool port filter on to the AFM for advanced packet processing.
Transmitted: A total count of the packets and bytes that were transmitted since port statistics were last reset. Packet counts display under the Packets column, byte counts display under the Bytes column.
Dropped: A total count of the dropped packets since port statistics were last reset or the Reset Drops button was pressed.
Received Pause: A total count of the pause frames received from the device connected to the tool port.
Current rate: The rate of the inspected packets in the last second.
Average rate: The average rate of inspected packets since the last reset of the port statistics.
Drops
Dropped packet count: A total count of the dropped packets since port statistics were last reset or the Reset Drops button was pressed.
Time since last drop: The time in seconds since the last dropped packet. This value is reset when the port statistics are reset or the Reset Drops button is pressed.
Time since drops reset: The time in seconds since the Dropped Packets count was reset.
Reset by: Displays the Login ID of the last user who reset the port statistics.
Rates/Percentages
Clicking the Chart icon displays a chart window. Statistic charts provide a historical view of counts/rates/throughput, traffic patterns and burstiness in line chart format. A detailed description of this feature is provided in the Statistics Charting section. Rates and percentage values are displayed under the following categories:
Current: A display of the value recorded in the last second.
Average: A display of the average value per second since statistics were last reset for the port.
Peak: A display of the largest value recorded in any single second since statistics were last reset for the port. Please note that since statistics are sampled once per second, peaks that occur between samples may be missed, and may be larger than what is actually reported.
Time Since Peak: The time in seconds since the Peak value was recorded.
Inspected Pkts/Sec: A count of the inspected packets per second.
Transmitted Pkts/Sec: A count of the transmitted packets per second.
Dropped Pkts/Sec: A count of the dropped packets per second.
% Pkts Passed: The percentage of packets that were allowed to pass through the port. Traffic is allowed to pass through the port based on the filter mode and criteria.
Transmitted Bits/Sec: A count of the transmitted bits per second.
Transmit Utilization: Displays the percentage of available port bandwidth being used to transmit traffic.
Refresh: See Features Common to All Statistics Pages on page 267. The Resume button is only available when traffic is paused. Clicking the Resume button restarts the update of statistics.
Reset: See Features Common to All Statistics Pages on page 267.
Refresh: See Features Common to All Statistics Pages on page 267.
Reset: See Features Common to All Statistics Pages on page 267.
See Tool Port Statistics for details on the Counts and Rates/Percentages statistics. Load Balance Distribution statistics are described below.
Load Balance Distribution
View Distribution: Select whether to view how bytes or packets are distributed across the port group. If bytes are selected, then utilization is also displayed.
The following statistics are provided for each port when Transmitted Bytes/Utilization is selected:
Transmitted Bytes (cur): Of the total number of bytes transmitted out of the port group in the last second, this is the percent transmitted by this port.
Transmitted Bytes (avg): Of the total number of bytes transmitted out of the port group since statistics were last reset, this is the percent transmitted by this port.
Transmitted Utilization (cur): The network utilization of the traffic leaving this port in the last second.
Transmitted Utilization (avg): The average network utilization per second of the traffic leaving this port since statistics were last reset.
The following statistics are provided for each port when Inspected/Transmitted Packets is selected:
Inspected Packets (cur): Of the total number of packets inspected by the port group in the last second, this is the percent inspected by this port.
Inspected Packets (avg): Of the total number of packets inspected by the port group since statistics were last reset, this is the percent inspected by this port.
Transmitted Packets (cur): Of the total number of packets transmitted out of the port group in the last second, this is the percent transmitted by this port.
Transmitted Packets (avg): Of the total number of packets transmitted out of the port group since statistics were last reset, this is the percent transmitted by this port.
Refresh: See Features Common to All Statistics Pages on page 267.
Reset: See Features Common to All Statistics Pages on page 267.
Statistics Charting
The port and dynamic filter statistics windows provide a charting feature. Statistic charts provide a historical view of counts/rates/throughput, traffic patterns and burstiness in line chart format. To display the chart window:
1. Access the port or dynamic filter statistics (right-click on the port/filter and select Statistics, or hold down the Ctrl key and double-click the port/filter).
2. Click the Chart icon.
Information
The Information section displays instructions on how to view the charts and focus on a specific data point or period of time. These instructions are described in detail in the Chart Area section below. Note: Data is charted only while the chart window is open. The charts will be cleared when the window is closed.
Port or Filter Icon Image: See Features Common to All Statistics Pages on page 267.
Chart Area
The chart area for ports and dynamic filters is customized to the functionality of the port/filter. The other sections of the chart window are basically the same for ports and dynamic filters. Here are some examples:
1. A network filter configured in the Pass All mode displays a Passed Packets per Second chart.
2. A network filter configured in the Deny All mode displays a Received Packets per Second chart.
3. A network filter configured in Pass by Criteria mode displays a Received and Passed Packets per Second chart as shown in the figure below.
The legend below the chart indicates that Received Packets per Second is represented with a green line, Passed Packets per Second with a blue line and Percent of Packets Passed per Second with a cyan line. Time is reflected along the x axis, with date/time values displayed periodically along the axis. The most current data is displayed at the right side of the chart and the oldest visible data at the left side. As new values and timestamps are collected the axis scale changes accordingly and autoscales to the range of values being plotted. Later in this document we describe how the chart view can be dragged to view earlier data points. The Packets/Sec values (Passed Packets per Second, Received Packets per Second) are plotted against the left side y axis. The Pct Passed value (Percent of Packets Passed per Second) is plotted against the right side y axis.
Packets/Bits: Click a radio button to select whether to chart the statistics data in units of packets or bits. The measurement values along the left and right side of the chart will change to represent packets or bits. Selecting a Data Point To focus on a specific data point, click on a location in any chart.
When a data point is selected, the Selected Sample section of the window provides detailed information about the data point as shown in the figures above. Adjusting the Data Point Selection To move the selection left or right to the next data point, hold the Ctrl key and use the left or right arrow key to move backward or forward in time. Selecting a Period of Time (zoom feature) Notice that two of the lines in the figure displayed in the last example are very close together. Zooming into a period of time provides greater detail and usually helps to view the lines separately in the chart. To zoom in, click a point in the chart and drag the mouse to the left or right to highlight a section.
As shown in the top figure above, closely drawn lines are now much easier to read. Zooming in allows the user to clearly see the spikes in the charts and the selected samples. To reset the zoom view and see the entire data range, click the Reset Zoom button in the Chart Ranges section or right click on the chart and select Reset Zoom from the menu list. Saving, copying and printing charts: Right click on a chart to access options that allow you to Copy, Save and Print the chart. Charts are saved in PNG file format. The Print option displays a page setup window that allows customization of basic print parameters. The entire chart window can be copied to the Windows clipboard by pressing Alt+PrtSc (print screen), or Fn+PrtSc on keyboards that require it.
The Reset Zoom option is also available in the right-click menu when the chart is in zoom mode.
Selected Sample
Time: When a sample is selected, a timestamp is displayed listing the ending second. The value is displayed as x secs ending Month - Numeric Day of the Month, Year Hour:Minute:Seconds AM or PM Time Zone, where x equals the sample interval.
Passed Pkts/Sec: The passed packets per second at the time of the selected sample.
Passed Bits/Sec: The passed bits per second at the time of the selected sample.
FCS Error Pkts: The count of Frame Check Sequence error packets at the time of the selected sample.
Align Error Pkts: The count of alignment error packets at the time of the selected sample.
Fragment Pkts: The count of fragmented packets at the time of the selected sample.
Runt Pkts: The count of runt packets at the time of the selected sample.
Chart Refresh
Sample interval: The configured sample interval for charts. Click the value to change the sample interval. The drop-down list offers intervals from 5 seconds to 5 minutes. Each interval option also indicates how long charting can continue before the oldest chart data must be discarded to make room for new chart data. For example, the option 30 sec (max data range 15 hours) indicates that a new data point is added to the chart every 30 seconds and that statistics can be charted at this sample interval, continuously and without data loss, for up to 15 hours.
Note that this value can also be configured on the Edit-> Options page. This value is separate from the refresh rate used in the tabular statistics windows.
Max data range: Displays the maximum data range that can be displayed on the chart at the configured sample interval.
Next sample in: Displays a value that counts down in seconds until the next sample is added to the chart.
Chart Ranges
Data range: Displays the range of chart data (in hours and minutes) that has been stored and can be reviewed.
Begin: Displays the beginning date and time of the data range.
End: Displays the end date and time of the data range.
Visible Range: This value equals the Data Range value unless a range of data has been selected or zoomed into. When zoom is in effect this value (in hours and minutes) displays the range of data that is visible in the displayed chart. When zoom is in effect this value is also highlighted in yellow to indicate that the visible range is a subset of the actual data range.
Begin: Displays the beginning date and time of the visible data range.
End: Displays the end date and time of the visible data range.
Reset Zoom (button): Click this button to reset the zoom mode. The chart reverts to displaying the maximum data range. The Visible Range, Begin (visible range) and End (visible range) values are reset accordingly. The Reset Zoom button is dimmed unless the user has zoomed in to an area of a chart.
Chart Reset
Clear: Clicking this button clears all data samples on the chart window. The charts become blank. The next data sample collected becomes the first sample plotted on the chart. Clearing the chart data does not clear the corresponding Statistics window, nor does it cause the statistics to be reset.
Clear Open: Clicking this button clears all data samples on all open chart windows. The behavior is otherwise the same as for the Clear function.
The Tool Port Statistics provide summary information on the ports utilization. The Breakdown by Data Source displays statistics and configuration information for the network ports and dynamic filters that are connected to the selected tool port or port group. This view is primarily used to see the amount of traffic the individual network ports and dynamic filters are delivering to the tool port or port group.
View Time Frame: Checkboxes are available for Current and Average. A checked box indicates that all statistics in the category are currently being displayed. Units: Checkboxes are available for Packet and Bytes. A checked box indicates that all statistics in the category are currently being displayed. Detail Level: A Brief and Verbose option can be selected for the view.
For example, the Filter Criteria field displays only the type of criteria defined (for example, VLAN) in brief mode but also displays the specific criteria value (for example, VLAN 100-102) in verbose mode. Export to CSV: The Export to CSV button exports the information displayed in the view to a comma separated value file (.csv). Port or Filter Icon Image: The image is displayed in the upper right corner of this window, in other windows associated with this port, and on the diagram. The image displays the same port/filter status and configuration information that is displayed on the icon in the diagram area. Within any window in which this icon is visible: double click on the icon image to open the port properties window; Ctrl double click on the icon image to open the port statistics window.
Tool Port Statistics
The Tool Port Statistics area provides statistics and configuration information for the selected tool port or port group. When all the fields in the view are displayed, the following columns are provided (Tool Port statistic definitions can be found in the Tool Port Statistics section):
Filter Mode, Filter Criteria, Tx Utilization (cur %), Tx Utilization (avg %), % Passed Pkts (cur), % Passed Pkts (avg), Inspected Pkts, Inspected Pkts/Sec (cur), Inspected Pkts/Sec (avg), Tx Pkts, Tx Pkts/Sec (cur), Tx Pkts/Sec (avg), Dropped Packets, Dropped Pkts/Sec (cur)
Time since last drop: Displays the amount of time that has elapsed since the last packet drop. Time since drops reset: Displays the amount of time that has elapsed since the reset of drop or port statistics. Clicking the Reset Drops button resets the Dropped Packets statistics.
Breakdown by Data Source
This area displays statistics and configuration information for the network ports and dynamic filters that are connected to the selected tool port or port group. This view is primarily used to see the amount of traffic the individual network ports and dynamic filters are delivering to the tool port or port group. Network ports are listed in brown text. The dynamic filters that connect the network port to the tool port or port group are listed in black text and are indented below the network port. When all fields in the view are displayed, the following columns are provided (Network Port statistic definitions can be found in the Network Port Statistics section; filter statistic definitions can be found in the Dynamic Filter Statistics section):
Network Port/Dynamic Filter, Filter Mode, Port/Filter Criteria, Rx Util (cur), Rx Util (avg), % Passed Pkts (cur), % Passed Pkts (avg), Rx/Inspected Pkts, Rx/Inspected Pkts/Sec (cur), Rx/Inspected Pkts/Sec (avg), Passed Pkts, Passed Pkts/Sec (cur), Passed Pkts/Sec (avg), Dynamic Filter Type, Overlaps With, Overlaps Inspected
Refresh See Features Common to All Statistics Pages on page 267. Reset See Features Common to All Statistics Pages on page 267.
Overlapping Filter Criteria
Dynamic filters are optimized for topologies that require both aggregating traffic from multiple network ports to a single tool and sharing traffic from a network port with multiple tools. Dynamic filters are recommended as the default filtering approach because nearly all users have both of these topology requirements. The default dynamic filter uses a two-stage filtering approach. The first stage optimizes for aggregation capacity by pre-filtering traffic before aggregation. The purpose of the second stage post-filter is to inspect and resolve any overlapping filter criteria traffic. This is performed by inspecting the overlapping traffic from other filters attached to the shared network port. This post-filter can add traffic to the overall traffic load of a dynamic filter. The amount and source of this traffic can be seen in the Tool Management View. The overlap inspection traffic from filters connected to other tools is shown in italics in the Tool Management View (see example below).
In the example above, the two filters overlap because they share a network port (SPAN 1) and their filter criteria overlap: some of the traffic received from the network port could match both the IPv4 Source Address filter and the MAC Destination Address filter. The Tool Management Breakdown by Data Source view of the Data Storage tool port shows the MAC destination filter statistics (in italics) even though the MAC destination filter is not directly attached to the Data Storage tool port. This is because the MAC traffic from SPAN Port 1 is being inspected by the second stage of the IPv4 Source filter to resolve the overlap.
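The overlap rule described above, as an added illustration in Python (this is not Anue's code): filter criteria are modelled as a mapping from packet field to the set of values the filter accepts, and two filters on the same network port overlap when every field that both of them constrain has a value in common, because a field constrained by only one of them is a wildcard for the other. The sample filters and packets are constructed for this example, and overlap_inspected models the extra post-filter load as the packets passed by overlapping peers, which is one reading of the Overlaps Inspected column rather than the NTO's exact accounting.

```python
from itertools import combinations

# Criteria: {field: frozenset(accepted values)}. An absent field is a wildcard and {} is Pass All.
# (Assumption: discrete values stand in for the masks and ranges the NTO actually matches on.)


def criteria_overlap(a: dict, b: dict) -> bool:
    """True if at least one packet could match both criteria sets."""
    for field in a.keys() & b.keys():
        if not (a[field] & b[field]):
            return False        # both constrain this field, to disjoint values: no packet fits
    return True                 # every shared field intersects; other fields are wildcards


def matches(criteria: dict, packet: dict) -> bool:
    """Packet (a {field: value} dict) satisfies every criterion."""
    return all(packet.get(field) in values for field, values in criteria.items())


def overlap_report(filters: dict) -> dict:
    """filters: {name: criteria} for the dynamic filters attached to one shared network port.
    Returns {name: sorted names of the other filters it overlaps with} (the Overlaps With column)."""
    report = {name: [] for name in filters}
    for (n1, c1), (n2, c2) in combinations(filters.items(), 2):
        if criteria_overlap(c1, c2):
            report[n1].append(n2)
            report[n2].append(n1)
    return {name: sorted(peers) for name, peers in report.items()}


def overlap_inspected(filters: dict, packets: list) -> dict:
    """Model of the post-filter load: for each filter, the number of packets that an
    overlapping peer passes and that this filter's second stage therefore has to inspect."""
    peers = overlap_report(filters)
    return {name: sum(1 for pkt in packets if any(matches(filters[p], pkt) for p in peers[name]))
            for name in filters}


# Constructed example: SPAN 1 shared by four dynamic filters (values are not real traffic).
SPAN1_FILTERS = {
    "IPv4 Source": {"ipv4_src": frozenset({"10.0.0.5"})},
    "MAC Destination": {"mac_dst": frozenset({"00:11:22:33:44:55"})},
    "VLAN 200": {"vlan": frozenset({200})},
    "VLAN 100-102": {"vlan": frozenset({100, 101, 102})},
}
SPAN1_PACKETS = [
    {"ipv4_src": "10.0.0.5", "mac_dst": "00:11:22:33:44:55", "vlan": 100},
    {"ipv4_src": "10.0.0.9", "mac_dst": "00:11:22:33:44:55", "vlan": 200},
    {"ipv4_src": "10.0.0.5", "mac_dst": "ff:ff:ff:ff:ff:ff", "vlan": 300},
    {"ipv4_src": "10.0.0.9", "mac_dst": "aa:bb:cc:dd:ee:ff", "vlan": 200},
]
```

The two VLAN filters constrain the same field to disjoint values, so they never overlap and add no inspection load to each other; the IPv4 Source and MAC Destination filters constrain different fields, so they always overlap, which is the SPAN 1 case in the figure.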
Upgrade Procedures
The procedures to upgrade the NTO software and system license are described in the following topics.
License Update
To obtain a license key for additional ports and/or features, please contact Anue Systems Technical Support. For information about how to contact Anue Systems Technical Support, see Technical Support on page 11. Tip: You may be able to use the same license file for more than one system. The license file covers all of the systems listed in the license, including all cold spare systems. The license is an ASCII file that can be opened with a text editor. The text displayed towards the top of the license file lists the systems to which the license pertains, including the cold spare systems. Cold spare licenses are part of this license file. On the Version/License tab under the System View, click the Enter License Key button to upgrade the license key. Browse for the license key. Then click OK to install the key.
NOTE If you receive a license key prompt after powering up the unit for the first time, the license key is located on the USB flash drive that was shipped in the same box as the NTO.
3. Activate the cold spare license by installing the license file. NOTE The cold spare license is part of the license file contained on the USB flash drive that shipped with your NTOs.
4. Return the defective NTO to Anue for RMA once you have received an RMA number from Anue Support.
A. Anue either fixes it or replaces it if it cannot be fixed.
B. Anue installs a new Perpetual License on the RMA NTO because it is now the cold spare NTO.
C. Anue sends the new cold spare NTO to you.
D. Anue Support issues you a new license including a new cold spare license.
5. Install the newly issued license on the activated cold spare NTO to restore production licensing.
Software Upgrade
The files required to upgrade the Anue NTO Server to the latest version of software are provided by Anue Technical Support. You must be logged into the Anue NTO as a system administrator to perform a software upgrade. Upgrading will restart the NTO.
Important notes before upgrading:
1. All users should be logged out of the system before beginning the upgrade procedure. An administrator can view the accounts logged into the system in the Users view of the NTO control panel. The install procedure also allows the system administrator to force logouts.
2. We recommend that the upgrade be done over a reliable, high-speed network connection between the Anue NTO management port and the PC running the Control Panel software. We do not recommend performing an upgrade across a wireless connection or over a VPN connection that does not guarantee symmetric upstream/downstream performance (an asymmetric link can result in very slow upload times to the NTO).
3. It will take approximately 7 minutes to upgrade the Anue NTO Server. Schedule the upgrade for a time when it is acceptable for the unit to be inaccessible to users for approximately 7 minutes.
4. The System setting for Login session timeout should be set to at least 10 minutes to allow the software upgrade to complete. Note: The timeout may need to be temporarily raised or set to Never during an upgrade cycle, especially if the network connection to the NTO management port is slow. After the upgrade is complete, change it back to your normal timeout setting. To see how to configure the Login session timeout, see Login session timeout: on page 169.
5. After upgrading (or downgrading) the software, a version mismatch error similar to the one shown below may occur after a login attempt. This problem can be resolved by clearing the Java cache. For more information on how to clear the Java cache, see How to clear the Java Cache.
Follow the procedure listed below to upgrade the system.
1. From the Version/License tab of the System View page, click the Install Software button.
2. An Installation File window will display. Navigate to the Net Tool Optimizer Install File provided by Anue Technical Support. Select the zip file, then click the Install button. A prompt will display indicating that new software will be installed and that the 52xx will be restarted after the upgrade. Click OK. The upgrade will take approximately 7 minutes.
3. It is recommended that your configuration is exported before the installation begins. Click the Yes button to export the configuration. The software upgrade procedure will now begin and the installation progress bar will display.
4. When the software upgrade has completed, a prompt will display indicating that the upgrade has been successful.
Note that the software upgrade can be undone by reverting to the last version of software that was running on the system. See the Software Downgrade section for details.
Software Downgrade
The NTO software can be downgraded to the last version of software that was running on the system before the current software was installed. NOTE Only system administrators can downgrade the software to the last running version. Topics include:
Downgrade Using the GUI Control Panel on page 297 (the recommended way to downgrade).
5204/5236/5273 Downgrade Using the Front Panel LCD and Keypad on page 299 (an alternate way to downgrade, supported on specific NTO models).
Important notes before reverting to earlier versions of software:
1. Reversion of the system software to an earlier version will disrupt service and log all users out of the system. It will take approximately 2 minutes for the reversion process to complete.
2. Any user that logged in to the NTO server while it was running the current version of software may need to clear their Java cache after the system software has been downgraded. A version mismatch error, similar to the one shown below, may occur after a login attempt. This problem can be resolved by clearing the Java cache. For more information on how to clear the Java cache, see How to clear the Java Cache.
3. The downgrade will return the system to the last pre-upgrade configuration. Any changes that were made to the NTO database while running the current software version will be lost! The current configuration can be exported, but it can only be imported into a system running the current software version or higher.
3. The system administrator will then receive a message indicating that users who previously logged into the NTO server may need to clear the Java cache on their computer after the revert process has completed. For more information on how to clear the Java cache, see How to clear the Java Cache.
4. If users are currently logged in to the system, the system administrator will receive a message indicating their Login IDs. The system administrator will be given the option to abort the revert procedure or continue the revert procedure and automatically log the users out of the system. Reversion to the previous software version may take 1-2 minutes.
5. The message indicates that the software update will be complete after any user logs in to the NTO. In this state, prior to a login by any user, the software upgrade can be undone.
5204/5236/5273 Downgrade Using the Front Panel LCD and Keypad
2. Using the front panel LCD and keypad, restart the NTO two consecutive times to revert the system software.
A. Press the Up Arrow 1 time.
B. Display reads 7 Power Off.
C. Press the Check Button.
D. Display reads Power Off?, No Yes.
E. Press the Right Arrow 1 time so that Yes is highlighted.
F. Press the Check Button.
G. Display reads Shutting Down Finished.
H. To power up: Press and hold the chassis keypad check button for 1 second.
I. Wait for the power up to complete (the keypad/LCD will respond after power up).
J. Perform the procedure a second time starting at step 1.
3. Under the Temporary Internet Files section of the window, click the Settings button. The Temporary Internet File Settings window will open.
4.
5. Click OK.
6. Continue to click OK until all of the previously opened windows are closed.
Default Port Allocation
Models 5204:
1G port licenses are assigned starting from physical port 1 in ascending order.
Dual media port licenses are assigned to the physical copper and fiber ports 21-24.
1G and 10G expansion port licenses are assigned to the ports of expansion cards.
Models 5236, 5273:
1G/10G port licenses are assigned starting from physical port 1 in ascending order.
1G port licenses are assigned after the 1G/10G physical ports in ascending order (for example, if the license key contains 5 10G SFP+ licenses and 5 1G SFP licenses, ports P01-P05 will be 10G and ports P06-P10 will be 1G).
1G copper port licenses are assigned to copper ports 21-24.
1G and 10G expansion port licenses are assigned to the ports of expansion cards.
Models 5288, 5293:
40G QSFP+ licenses are assigned starting from physical port 1 in ascending order. The 40G QSFP+ license is valid for 40G ports. A 40G license can also be applied to 10G/1G ports, but the 10G/1G port will still run at its maximum speed (a 40G license applied to a 10G port wastes 30G).
10G AFM SFP+ licenses are assigned first if you have them, because the AFM ports that accept them cannot accept 1G licenses. These licenses are assigned starting from physical port 1 in ascending order.
10G SFP+ licenses are assigned starting from physical port 1 in ascending order.
1G SFP licenses are assigned after the 10G SFP+ licenses in ascending order (for example, if the license key contains 5 10G SFP+ licenses and 5 1G SFP licenses, ports PA01-PA05 will be 10G and ports PA06-PA10 will be 1G).
License Type column (models 5204 and 5236/5273): 5204 1G Copper; 5204 Dual Media; 5236/5273 1G Copper; 5236/5273 1G SFP; 5236/5273 1G/10G SFP+; 5288/5293 1G Copper
Port Types column: Copper ports; Copper or fiber dual media ports; Copper or fiber dual media ports; Copper ports; Copper ports; SFP+ ports limited to 1G; SFP+ ports limited to 1G; SFP+ ports running at 1G or 10G; Copper ports; SFP+ ports limited to 1G
License Type | Port Types
5288/5293 1G SFP | SFP+ ports limited to 1G; Copper ports
5288/5293 1G/10G SFP+ | SFP+ ports running at 1G or 10G; Copper ports
5288/5293 10G AFM SFP+ | AFM SFP+ ports running at 10G
5288/5293 40G QSFP+ | SFP+ ports running at 1G, 10G, or 40G; Copper ports
Figure A-16 shows the License Allocation table for models 5288 and 5293. The current floating licenses and unused floating licenses are displayed.
To reassign licenses, select a license in the License Type column. Cut (ctrl-x) the license from its port and paste (ctrl-v) on another to swap the licenses. For example, in the figures below the license assigned to port 4 (P04) has been re-assigned to port 10 (P10).
An example of how to read the table is the first entry, 1 Anue 52xx | Mgmt Port Status. This line describes the default display of the Anue NTO, which is the product name and the status of the System/Ethernet management port. Example of the LCD display when the management Ethernet port is up:
1 Anue 5236 Status:Normal
Example of the LCD display when the management Ethernet port is down:
1 Anue 5236 Mgmt port down
NOTE When system alarms are present, the LCD will blink and display an alarm warning. The blinking message will indicate Major Alarm or Minor Alarm depending on the highest severity. Pressing the right arrow key on the LCD keypad will provide a set of menu items related to the alarm. Press the up/down arrow keys to view all current alarms. The complete listing of the LCD menu options are provided in the tables below.
To navigate down the menu use the down arrow key, for example to navigate from 1 Anue 52xx | Status to 2 SW Version | main. To access an option that is indented in the table press the right arrow key, for example to navigate from 2 SW Version | main to 2a Build Num | xxxxx:
2 SW Version | main
2a Build Num | 32587M
To return to the level above an indented item press the left arrow key. For example, to navigate from 2a Build Num | 32587M to 3 System | Configuration, press the left arrow key and then the down arrow key. Note: Some of the values displayed in the table are specific to the software version installed on your Anue NTO. The menu on your system may display different values than the values shown below.
2 SW Version | main
2a Build Num | 32587M
2b Build Date | 20081002095147
3 System | Configuration
See the information below for an example of how to use the keypad and LCD to change the NTO management port IP address. To configure the IP address and associated settings using the front panel controls and LCD, follow the instructions below.
1. Press the Down Arrow 2 times.
2. Display reads 3 System Configuration.
3. Press the Right Arrow 1 time.
4. Display reads 3a IP Config.
5. Press the check button.
6. Display reads Set IP Addr (the current IP address is displayed).
7. Use the left or right arrows to move to the number that needs to be changed. Press the up arrow to increment the value and the down arrow to decrement the value. Repeat the process until the address is configured, then press the check button to save the changes.
8. Display reads Set Netmask (the current netmask is displayed).
9. Follow the steps described in Step 7 to configure the netmask.
10. Display reads Set Gateway (the current gateway is displayed).
11. Follow the steps described in Step 7 to configure the gateway.
12. Display reads Restarting please wait. The system takes approximately 1 minute to restart.
13. Display reads 1 Anue 52xx Status:Normal when the restart is complete and the new IP address has been configured.
2. Display reads 3 System Configuration.
3. Press the Right Arrow 1 time.
4. Press the Down Arrow 3 times.
5. Display reads 3d Reset Admin Password.
6. Press the check button to enter edit mode.
7. Display reads Enter Key.
8. Enter the last 8 digits of the unit serial number. For example, serial number 52xx-00001234 is entered as 00001234. The unit serial number is located on the rear of the unit. Press the Down arrow to decrement the value and the Up arrow to increment the value. Use the right arrow to move to the next number field and the left arrow to move backwards and modify a number field.
9. Press the check button to reset the admin password. The LCD display returns to 3d Reset Admin Password when the reset is successful. If an incorrect value is entered the LCD displays Error: Invalid Key.
Because the reset key is the serial number printed on the rear of the unit, anyone with physical access to the chassis can reset the admin password this way; restrict physical access to the NTO accordingly.
Many of the features are the same for both types of AFM. Where the features differ, the model number is called out in the feature descriptions. Packet processing features are configured on the Packet Processing tab in the Edit Network (or Tool) Port dialog. Enable a feature by checking the appropriate box and configuring any settings for that feature. CAUTION Please follow the steps below before you install either an AFM16, a GPS control module, or both, in an NTO 5288 running software release 3.6 or older:
1. Upgrade the software to version 3.7 or newer.
2. Power down the system.
3. Install the new module(s).
4. Restart the system.
During the restart in step 4 and only that restart, the system will go through an additional firmware upgrade. During the firmware upgrade, the LEDs on the port modules will show a "chase" sequence where the LEDs light up on each port in succession until the firmware upgrade is done, which is approximately 10 minutes. It is VERY important that you do NOT cycle power or power down the NTO during the firmware upgrade process. Systems manufactured with release 3.7 or later do not need to go through the firmware upgrade procedure described above.
following table lists the supported TPID values in order for VLAN stripping to work at network and tool ports:
Table C-1: Supported TPID Values for VLAN Stripping
Outer tag TPID | Inner tag TPID (double-tagged packets)
0x8100 | 0x8100
0x9100 | 0x8100
0x88A8 (5288/5293 only) | 0x8100
Note that for double-tagged packets, the NTO will only strip the inner tag if the TPID of that tag is 0x8100. NOTE One bit in the VLAN header represents the Canonical Format Indicator (CFI). On the 5236/5273, if this bit is not 0 the NTO will drop the packet when VLAN stripping is enabled.
De-duplication: Improves tool bandwidth by removing redundant packets before they reach monitoring tools. While some tools are able to detect and remove duplicate packets, this consumes processor resources on the tools.
Packet Trimming: Improves tool bandwidth by trimming bytes from packets before delivering them to the tools. The ability to eliminate payload information before delivering packets to tools may also help with security compliance.
Timestamping (5288 only): Available on network (ingress) ports, the timestamping feature adds custom packet trailers containing arrival times. This feature can be used to provide packet timing data to latency-sensitive tools for accurate analysis without compromising access for other network monitoring tools. Note that packets arriving with timestamps keep their timestamps; this feature appends a trailer that contains a timestamp.
Trailer Stripping (5288 only): Available on any AFM tool (egress) port or the tool side of a bidirectional port group, this feature allows you to strip timestamping trailers appended to packets. It is useful in cases where the incoming packets need to be timestamped but not all tools receiving those packets can handle the timestamping trailer.
Extended Burst Protection (5236/5273 1G tool port only): Short bursts of network traffic can exceed the queuing resources of an NTO 1G tool port and lead to dropped packets. This feature allows a 5236/5273 AFM tool port to buffer up to 200 MB of traffic. Buffering occurs when traffic bursts above the 1G line rate.
NOTE If stripping or trimming results in a packet less than 64 bytes in length, the end of the packet will be padded with zeroes up to 64 bytes. After GTP or MPLS stripping, if the L3 header is IPv4, then the Ethertype will be changed to 0x0800. If the L3 header is IPv6, then the Ethertype will be changed to 0x86DD.
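VLAN stripping as described by Table C-1 and the two notes above, as an added illustration in Python (this is not Anue's code or firmware): the outer tag is removed when its TPID is one of the supported values (0x88A8 only on the 5288/5293), the inner tag of a double-tagged frame is removed only when its TPID is 0x8100, a stripped frame shorter than 64 bytes is zero-padded, and on the 5236/5273 a tag whose CFI bit is set causes the frame to be dropped. The model parameter, the frame builder and the sample frames are constructed for this example; the page does not say how the hardware treats a CFI bit in an inner tag, so the code checks every tag it strips.

```python
import struct

# Supported outer-tag TPIDs from Table C-1; 0x88A8 is accepted only on the 5288/5293.
OUTER_TPIDS = {0x8100, 0x9100, 0x88A8}
INNER_TPID = 0x8100      # the inner tag of a double-tagged frame is stripped only if it is 0x8100
MIN_FRAME = 64           # frames shorter than this after stripping are zero-padded (per the NOTE)
CFI_BIT = 0x1000         # CFI/DEI bit within the 16-bit TCI


def pad_to_min(frame: bytes) -> bytes:
    """Zero-pad a frame up to the 64-byte minimum."""
    return frame + bytes(MIN_FRAME - len(frame)) if len(frame) < MIN_FRAME else frame


def strip_vlan(frame: bytes, model: str = "5288"):
    """Return (frame, tags_removed), or None if the frame is dropped.

    model is "5288" (5288/5293: 0x88A8 supported) or "5236" (5236/5273: CFI != 0 drops
    the frame). Assumption for this example: the CFI check applies to every tag stripped.
    """
    if len(frame) < 18:                       # too short for an Ethernet header plus one tag
        return frame, 0
    supported = OUTER_TPIDS if model == "5288" else OUTER_TPIDS - {0x88A8}
    if struct.unpack_from("!H", frame, 12)[0] not in supported:
        return frame, 0                       # untagged, or an unsupported outer TPID
    removed = 0
    while True:
        tci = struct.unpack_from("!H", frame, 14)[0]
        if model == "5236" and tci & CFI_BIT:
            return None                       # dropped, as the NOTE describes
        frame = frame[:12] + frame[16:]       # remove the 4-byte TPID + TCI
        removed += 1
        next_field = struct.unpack_from("!H", frame, 12)[0]
        if removed == 2 or next_field != INNER_TPID:
            break                             # at most two tags; an inner tag must be 0x8100
    return pad_to_min(frame), removed


# Constructed frames (not captured traffic): MACs, tag list, IPv4 Ethertype, 30-byte payload.
def make_frame(tags, payload_len: int = 30) -> bytes:
    hdr = b"".join(struct.pack("!HH", tpid, tci) for tpid, tci in tags)
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + hdr
            + struct.pack("!H", 0x0800) + bytes(range(payload_len)))


QINQ_FRAME = make_frame([(0x88A8, 0x0064), (0x8100, 0x0065)])    # S-tag 100 over C-tag 101
DOUBLE_9100 = make_frame([(0x9100, 0x0001), (0x9100, 0x0002)])   # inner tag is not 0x8100
CFI_FRAME = make_frame([(0x8100, 0x0064 | CFI_BIT)])
UNTAGGED = make_frame([])
```

On a 5288 the Q-in-Q frame loses both tags and comes out padded to 64 bytes with the IPv4 Ethertype at offset 12; on a 5236 the same frame is left alone because 0x88A8 is not a supported outer TPID there. The 0x9100/0x9100 frame loses only its outer tag.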
NOTE For bidirectional port groups, you must select one side or the other on which advanced packet processing features are to take place, either network (ingress) or tool (egress). In the Ports view and the Port Groups view, columns show whether advanced features are enabled for a particular port or port group.
GTP Stripping
This feature allows you to strip the outer IP, UDP, and GTP headers from a GTP-U packet, leaving the inner, tunneled L3 and L4 headers exposed. This allows filters to match on fields in the inner headers and provides tools easier visibility to the tunneled packets. The following diagram illustrates packets of this type.
The green headers in the diagram are the ones that will be stripped; the grey headers are the ones that remain after stripping. The CRC is recalculated after stripping. The outer and inner IP headers can be either IPv4 or IPv6, in any combination; for example, it is possible to have an IPv6 packet tunneled inside an IPv4 packet. After stripping, the Ethertype field in the Ethernet header is updated to match the tunneled IP header. NOTE GTP and MPLS Stripping are mutually exclusive; if you enable GTP Stripping when MPLS Stripping is already enabled, you will be asked to disable MPLS Stripping.
MPLS Stripping
This feature allows you to strip up to 8 MPLS labels from MPLS packets, leaving the inner, tunneled L2, L3, and L4 headers exposed. This allows filters to match on fields in the inner headers and provides tools easier visibility to the tunneled packets. In order to recognize the labels and the tunneled headers, the NTO needs to know whether the MPLS packets coming into a particular network port represent an L2 VPN tunnel or an L3 VPN tunnel. If it is an L2 VPN tunnel, the NTO also needs to know whether the pseudowire code word is present. These tunnels are described in more detail below. In the diagrams below, the green headers in the diagram are the ones that will be stripped; the grey headers are the ones that remain after stripping. The CRC will be recalculated.
L3 VPN
L3 VPN packets are packets where the last (or bottom) MPLS header is followed immediately by an L3 header:
NOTE If there is a mismatch between the service type selected in the NTO and the service type of the actual MPLS packets, the packets are likely to be corrupted by the AFM, and it is not always possible for the NTO to report that this has occurred. A packet corrupted in this manner, when detected, is displayed in the port statistics as an invalid packet. Detection of corrupted packets due to a mismatch between the MPLS stripping options and the actual MPLS traffic is best effort. Because the packet structures differ, if the traffic on a network port includes a mixture of L2 VPN packets without a pseudowire control word and L3 VPN MPLS packets, MPLS stripping will result in some corrupted packets. Since MPLS and GTP Stripping are mutually exclusive, if you enable MPLS Stripping when GTP Stripping is already enabled, you will be asked to disable GTP Stripping.
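GTP-U and MPLS stripping as described in the two sections above, as an added illustration in Python (this is not Anue's code): strip_gtp removes the outer IP, UDP and GTP-U headers and rewrites the Ethertype from the tunneled IP version nibble; strip_mpls pops up to 8 labels down to the bottom-of-stack bit and then either rewrites the Ethertype (L3 VPN) or exposes the inner Ethernet frame after an optional control word (L2 VPN). The ok flag models the best-effort mismatch detection from the NOTE: an L3 VPN setting applied to L2 VPN traffic is caught because the bytes after the labels do not begin with an IP version nibble, whereas the reverse mismatch cannot be told from the bytes alone. The helper names, the UDP port 2152 check, the assumption that an outer IPv6 header carries no extension headers, and the sample frames belong to this example, not to the product.

```python
import struct

ETH_IPV4, ETH_IPV6, ETH_MPLS = 0x0800, 0x86DD, 0x8847
GTPU_PORT, MAX_LABELS, MIN_FRAME = 2152, 8, 64


def pad_to_min(frame: bytes) -> bytes:
    """Zero-pad to the 64-byte minimum (the padding rule from the NOTE)."""
    return frame + bytes(MIN_FRAME - len(frame)) if len(frame) < MIN_FRAME else frame


def l3_ethertype(l3: bytes):
    """Ethertype implied by the IP version nibble, or None if this is not IPv4/IPv6."""
    return {4: ETH_IPV4, 6: ETH_IPV6}.get(l3[0] >> 4) if l3 else None


def strip_gtp(frame: bytes):
    """Strip outer IP + UDP + GTP-U headers. Returns (frame, ok); on ok=False the frame is unchanged."""
    eth, rest = frame[:14], frame[14:]
    ver = rest[0] >> 4
    ip_len = (rest[0] & 0x0F) * 4 if ver == 4 else 40 if ver == 6 else 0   # assumption: no IPv6 ext hdrs
    if ip_len == 0 or struct.unpack_from("!H", rest, ip_len + 2)[0] != GTPU_PORT:
        return frame, False
    gtp = rest[ip_len + 8:]                          # skip the outer IP and UDP headers
    flags, msg_type = gtp[0], gtp[1]
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != 0xFF:   # GTPv1, PT=1, G-PDU
        return frame, False
    off = 8
    if flags & 0x07:                                 # E, S or PN set: 4 optional octets follow
        off += 4
        next_ext = gtp[11] if flags & 0x04 else 0
        while next_ext:                              # ext header: length/4, body, next type
            ext_len = gtp[off] * 4
            next_ext = gtp[off + ext_len - 1]
            off += ext_len
    inner = gtp[off:]
    etype = l3_ethertype(inner)
    if etype is None:
        return frame, False
    return pad_to_min(eth[:12] + struct.pack("!H", etype) + inner), True


def strip_mpls(frame: bytes, service: str):
    """Strip up to 8 labels. service: 'l3vpn', 'l2vpn', or 'l2vpn_cw' (control word present).
    Returns (frame, ok); ok=False means the result would be invalid for the chosen service
    (best-effort mismatch detection) and the frame is left unchanged."""
    eth, rest = frame[:14], frame[14:]
    if struct.unpack_from("!H", eth, 12)[0] != ETH_MPLS:
        return frame, False
    for _ in range(MAX_LABELS):
        entry = struct.unpack_from("!I", rest, 0)[0]
        rest = rest[4:]
        if entry & 0x100:                            # bottom-of-stack bit
            break
    else:
        return frame, False                          # more than 8 labels: not supported
    if service == "l3vpn":
        etype = l3_ethertype(rest)
        if etype is None:                            # e.g. L2 VPN traffic on an L3 VPN port
            return frame, False
        return pad_to_min(eth[:12] + struct.pack("!H", etype) + rest), True
    if service == "l2vpn_cw":
        if rest[0] >> 4 != 0:                        # a control word starts with four zero bits
            return frame, False
        rest = rest[4:]
    if len(rest) < 14:
        return frame, False
    return pad_to_min(rest), True                    # the inner Ethernet frame replaces the outer


# Constructed sample frames (not captured traffic).
def _eth(etype: int) -> bytes:
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", etype)


def _ipv4(proto: int, payload_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def _label(label: int, bottom: bool, ttl: int = 64) -> bytes:
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)


INNER_V6 = struct.pack("!IHBB16s16s", 0x60000000, 8, 17, 64, bytes(16), bytes(16)) + bytes(8)
GTP_HDR = struct.pack("!BBHIHBB", 0x32, 0xFF, len(INNER_V6) + 4, 0x1234, 7, 0, 0)  # S flag, no ext
GTP_FRAME = (_eth(ETH_IPV4) + _ipv4(17, 8 + len(GTP_HDR) + len(INNER_V6))
             + struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(GTP_HDR) + len(INNER_V6), 0)
             + GTP_HDR + INNER_V6)
L3VPN_FRAME = _eth(ETH_MPLS) + _label(100, False) + _label(200, True) + _ipv4(6, 10) + bytes(10)
INNER_ETH = _eth(ETH_IPV4) + _ipv4(6, 10) + bytes(10)
L2VPN_CW_FRAME = _eth(ETH_MPLS) + _label(300, True) + bytes(4) + INNER_ETH      # control word = 0
```

The GTP sample tunnels an IPv6 datagram inside IPv4, so after stripping the Ethertype becomes 0x86DD, which is the combination the GTP section calls out; the L2 VPN sample parsed with the L3 VPN setting is rejected, while the L3 VPN sample parsed as L2 VPN silently yields garbage, matching the NOTE's statement that detection is only best effort.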
De-duplication
Duplicate packets are the result of certain network topologies and configurations of SPAN ports. The De-duplication feature removes duplicate packets from the data stream. The default settings remove all exact duplicates that occur within 500 microseconds of the first occurrence. The window of time in which all identical arriving packets are removed is adjustable from 5 to 500 microseconds for a 10G port, and 5 to 5,000 microseconds for a 1G port. In the event an identical packet arrives outside this window, it will be considered unique, and a new window is begun.

Duplicates that arise from spanning both the switch receive (Rx) and transmit (Tx) ports are typically bit-for-bit, exact duplicates. In some network configurations, duplicate payloads may have slightly different headers. For example, packets sampled before and after traversing a router could have different MAC addresses, times-to-live, and flags, even though their payloads may be the same. These could be counted as duplicates if the headers through Layer 3 were ignored. The de-duplication feature provides this option of ignoring header information if desired.
NOTE The last 4 bytes of the CRC are always ignored when determining duplicates.

Ignoring header information is useful when the same payload passes through different network elements and the header information is changed. When specific headers are ignored (for example, MAC and VLAN), only the content in these headers is ignored. Thus, the impact of lower layer changes on upper layers should be kept in mind when selecting what to ignore. For example, a MAC header may change as a packet traverses a router. In this case, while the MAC header is ignored, the time to live (TTL) will still change. For this situation, the user would want to also ignore all packet headers up through L3. Another example is ignoring L3 when a packet passes through a Network Address Translation element. While the changing IP address will be ignored, TCP and UDP packets would still be considered unique because their respective checksums include the IP addresses in the calculation.

De-duplication is available both on a per-port and a per-port group basis. The only difference in AFM functionality between a port and a port group is in the option to ignore header information while de-duplicating. On the tool side of any port group, the user cannot ignore header information while de-duplicating. It is disabled in these cases because it would affect load balancing. The tool/load balance port group restriction does not apply to network interconnect groups, or to bidirectional interconnect groups. In the case of a bidirectional interconnect group, de-duplication may be done on the ingress side of each link, where it is possible to ignore headers.
NOTE De-duplication will occur only within the data stream on a single port, regardless of whether that port is in a port group. Duplicate packets arriving on separate ports in the same port group will not be detected as duplicates.
Packet Trimming
Packet Trimming allows bytes to be trimmed from packets before they are delivered to tools. The trim function will retain wanted headers, plus an optional number of the packet bytes after that. The headers that can be retained are:
- MAC
- MAC and VLAN
- MAC, VLAN and MPLS
- MAC, VLAN, MPLS, and L3
NOTE You should be aware of the expected traffic on the links when configuring the trimming settings in order to avoid creating invalid packets that may be dropped within the NTO or the downstream device. For example, if MAC plus the next 0 bytes is selected and VLAN tagged traffic is received, then the VLAN tags will be truncated, resulting in invalid packets. MAC and VLAN should be selected instead if VLAN tags are expected on the link.
In all cases, the Ethernet FCS/CRC value will be re-calculated. Other header information is not modified, such as the L3 packet length value when L3 is retained. Depending on the selected header information and the number of additional bytes retained, the result could be less than 64 bytes. In these cases, after trimming to the selected headers, the remainder of the packet will be padded with zeros, and a correct FCS will be added to obtain a valid 64-byte packet. The valid range for the number of bytes retained after the selected headers is 0 to 16342 bytes. Below are some examples of packet trimming and its results.
After trimming, the resulting packet will be 126 bytes: MAC DST/SRC/Type (14 bytes), 2 VLANs (2x4 bytes), the next 100 bytes in the packet (MPLS, L3, TCP, first bytes of payload), and FCS (4 bytes).
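The header-ignoring de-duplication rules and the packet trimming rules above, worked through in one added Python model (this is example code, not Anue's implementation). Everything in it is constructed for illustration: the MAC and IP addresses, the VLAN/MPLS/IPv4/TCP layout of the test frame, and the sha256-keyed window table. It assumes an L3 VPN style MPLS stack (IP header directly after the bottom label) and, like the guide says, leaves the L3 length field untouched when trimming:

```python
"""Header-aware de-duplication and packet trimming, modelled on the AFM rules
described above. Added example, not Anue code; frames, MAC/IP addresses and
the VLAN/MPLS/IPv4/TCP layout are constructed for illustration."""
import hashlib
import struct
import zlib

VLAN_TYPES = (0x8100, 0x88A8)      # 802.1Q, 802.1ad
MPLS_TYPES = (0x8847, 0x8848)
MAX_EXTRA_BYTES = 16342            # guide: 0 to 16342 bytes kept after the headers


def ethernet_fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of the frame, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def header_boundaries(frame: bytes) -> dict:
    """Offset at which each header group ends: 'mac' (dst/src/type), 'vlan'
    (after all VLAN tags), 'mpls' (after the bottom-of-stack label) and 'l3'
    (after the IPv4/IPv6 header). Assumes an L3 VPN style stack, i.e. an IP
    header right after the last MPLS label; L2 VPN stacks are not modelled."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    bounds = {"mac": off}
    while ethertype in VLAN_TYPES and len(frame) >= off + 4:
        ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    bounds["vlan"] = off
    if ethertype in MPLS_TYPES:
        while len(frame) >= off + 4:
            bottom_of_stack = frame[off + 2] & 0x01
            off += 4
            if bottom_of_stack:
                break
        # no ethertype follows an MPLS label: peek at the IP version nibble
        ethertype = 0x0800 if len(frame) > off and frame[off] >> 4 == 4 else 0x86DD
    bounds["mpls"] = off
    if ethertype == 0x0800 and len(frame) >= off + 20:
        off += (frame[off] & 0x0F) * 4
    elif ethertype == 0x86DD and len(frame) >= off + 40:
        off += 40
    bounds["l3"] = off
    return bounds


class Deduplicator:
    """ignore: 'none', 'mac', 'vlan' (MAC and VLAN) or 'l3' (all headers
    through L3). The last 4 bytes (FCS) are always ignored, as in the guide."""

    def __init__(self, window_us: int, ignore: str = "none"):
        self.window_us = window_us
        self.ignore = ignore
        self.first_seen = {}    # digest -> arrival time (us) that opened its window

    def is_duplicate(self, frame: bytes, now_us: int) -> bool:
        skip = 0 if self.ignore == "none" else header_boundaries(frame)[self.ignore]
        key = hashlib.sha256(frame[skip:-4]).digest()
        opened = self.first_seen.get(key)
        if opened is not None and now_us - opened <= self.window_us:
            return True                  # identical packet inside the window: drop
        self.first_seen[key] = now_us    # unique: this packet opens a new window
        return False


def trim(frame: bytes, keep: str, extra: int) -> bytes:
    """keep: 'mac', 'vlan', 'mpls' or 'l3'; extra: bytes kept after those headers.
    Zero-pads to 64 bytes and recomputes the FCS. As the guide says, other
    header fields (for example the L3 total length) are left unchanged, so
    trimming past a VLAN tag or an IP header yields an invalid packet."""
    if not 0 <= extra <= MAX_EXTRA_BYTES:
        raise ValueError("extra bytes out of range")
    body = frame[:-4]                               # drop the original FCS
    kept = body[:header_boundaries(body)[keep] + extra]
    kept += b"\x00" * max(0, 60 - len(kept))        # 60 + 4-byte FCS = 64-byte minimum
    return kept + ethernet_fcs(kept)


def build_frame(dst_mac: bytes, src_mac: bytes, ttl: int, payload: bytes) -> bytes:
    """Constructed test frame: 2 VLAN tags, 1 MPLS label, IPv4 (header checksum
    left at zero), a 20-byte TCP header, the payload, then a valid FCS."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x8100)
    vlans = struct.pack("!HH", 100, 0x8100) + struct.pack("!HH", 200, 0x8847)
    mpls = struct.pack("!I", (1000 << 12) | (1 << 8) | 64)   # label 1000, BoS=1, TTL 64
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x18, 1024, 0, 0)
    body = eth + vlans + mpls + ip + tcp + payload
    return body + ethernet_fcs(body)
```

Two copies of the same payload sampled before and after a router hop (different MACs, TTL decremented) are reported unique by `Deduplicator(500, "mac")` and duplicate by `Deduplicator(500, "l3")`, which is the TTL caveat from the text; `trim(frame, "vlan", 100)` on the double-tagged frame returns the 126-byte result described in the example above. The window table grows without bound here; a bounded implementation would expire entries older than the window on each lookup.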
When your 5288 has an AFM16 present in one of its expansion slots, you can enable or disable the timestamping feature on any AFM16 network port or any AFM16 bidirectional port group where advanced features are enabled on the network side.
To configure the time source to use one of the three possible time sources:
1. Click the System Settings tab.
2. In the General section, to the right of the field Timestamp time source, click the link and select one of the following three sources for the timestamp:

Local NTO: The default source; it relies on the local operating system alone to provide the time. It is not synchronized with an accurate time source, but it is always available. You might use this, for example, while you test the system and no accurate timestamp is needed, or if you have an AFM card but no access to an NTP server.

Network Time Protocol (NTP): This source requires a connection to a Network Time Protocol (NTP) server. Once you select and configure an NTP server, the time-of-day in the timestamps will be kept in sync with the time received from the configured NTP server. For NTP to be an available choice, you must first configure the NTO to connect to an NTP server. See NTP: on page 174 for details on how to configure an NTP server. Connection to an NTP server can be lost. See Unavailable Time Sources on page 323 for details about how the NTO deals with a lost connection to an NTP server.
NOTE When using the NTP source, at least one NTP-enabled server must be configured and kept in the list. When you import a configuration that includes a configured time source that is unavailable on a system, the setting is not imported. If you change the NTP configuration while packet timestamping is occurring (for example, if you delete one NTP server and add another in its place), the system will continue packet timestamping, but an alarm will trigger if the NTO is not in sync with the NTP server in the new configuration.

Global Positioning System (GPS): Time can be kept in sync with a Global Positioning System (GPS) source. This is the most accurate of the three time sources. Although you can connect the NTO to a GPS time source, connection to a GPS satellite can be lost.
See Unavailable Time Sources on page 323 for details about how the NTO deals with a lost GPS signal and what to do about it. NOTE To use this time source, the 5288 must also be equipped with a GPS control module. The GPS control module includes a GPS connector.
Trailer Format
The AFM appends a trailer to add timestamping information to the incoming packet. Trailer information is inserted between the Ethernet CRC and the previous contents of L2-L7. The trailer starts with fields and is immediately followed by one byte indicating the length of the fields in bytes, followed by the Magic Number (0xAF12), followed by a trailer checksum. The checksum is calculated in the same manner as an IP Header checksum. Figure C-1 shows the modified frame:
Support has been added to Wireshark for a Layer 2 protocol that includes packet timestamps, using the T,L,V (Type, Length, Value) format. The Trailer Length field is one byte. The Trailer Checksum field is 2 bytes. The fields portion of the trailer is a series of 2-byte fields followed by variable length data. The first byte indicates the field type; the 2nd byte indicates the field length. Table C-2 shows the types supported:
Table C-2: Types Supported

Type   Description
1      RESERVED
2      RESERVED
3      Timestamp (from Local Timebase)
4      Timestamp (from NTP source)
5      Timestamp (from GPS source)
6      Timestamp (from 1588)
7      Synchronization Lost (Timestamp from Holdover)
Timestamps for all types are currently parsed in the same format and are always 8 bytes in length. The format is two, signed, 32-bit values stored in Big Endian format. The first value indicates the seconds since January 1, 1970 (Unix Time). The second 32-bit value indicates the fractional second in nanosecond resolution (that is, the maximum value is 0x3b9ac9ff or 999,999,999). NOTE Because the timestamp trailer adds 15 bytes per packet, a network port with timestamp-insertion enabled can no longer handle line rate user data traffic. For example, if the incoming data stream were right at line rate, then the data stream with timestamps inserted would be significantly over line rate, resulting in packet drops. How far over line rate depends on the size(s) of the original packets. For example, 15 bytes is a bigger percentage difference on 64-byte packets than it is on 5KB packets. Packets may arrive with a timestamp trailer already present. In order to apply other packet processing features, the trailer is temporarily removed. If padding occurs, it occurs before the trailer is re-appended. This may result in a few packets growing in size.
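The trailer layout and T,L,V field format just described, as an added Python example (this is not Anue's or Wireshark's code). The guide does not say which bytes the trailer checksum covers; this example assumes it covers the fields, the length byte and the magic number (everything before the checksum field), with a zero byte appended when that span has odd length, and that the frame ends in a valid FCS that is recomputed when the trailer is inserted. The sample frame and the timestamp value are constructed:

```python
"""Builder and parser for the AFM timestamp trailer described above.
Added example, not Anue's or Wireshark's code. Assumption: the trailer
checksum covers fields + length byte + magic number (zero-padded to an even
length); the guide does not state the covered span."""
import struct
import zlib

MAGIC = 0xAF12
MAX_NANOS = 999_999_999          # 0x3b9ac9ff
TRAILER_TYPES = {
    1: "RESERVED", 2: "RESERVED",
    3: "Timestamp (from Local Timebase)",
    4: "Timestamp (from NTP source)",
    5: "Timestamp (from GPS source)",
    6: "Timestamp (from 1588)",
    7: "Synchronization Lost (Timestamp from Holdover)",
}
TIMESTAMP_TYPES = (3, 4, 5, 6, 7)


def ip_style_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit big-endian words, complemented,
    exactly as for an IP header; odd-length input is zero-padded (assumption)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ethernet_fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def timestamp_field(ftype: int, seconds: int, nanos: int) -> bytes:
    """One T,L,V field: type byte, length byte (8), then two signed
    big-endian 32-bit values: Unix seconds and nanoseconds."""
    if ftype not in TIMESTAMP_TYPES:
        raise ValueError("not a timestamp type")
    if not 0 <= nanos <= MAX_NANOS:
        raise ValueError("nanoseconds out of range")
    value = struct.pack("!ii", seconds, nanos)
    return bytes([ftype, len(value)]) + value


def build_trailer(fields: bytes) -> bytes:
    """fields | length-of-fields (1 byte) | magic 0xAF12 | checksum (2 bytes)."""
    covered = fields + bytes([len(fields)]) + struct.pack("!H", MAGIC)
    return covered + struct.pack("!H", ip_style_checksum(covered))


def append_trailer(frame: bytes, trailer: bytes) -> bytes:
    """Insert the trailer between the L2-L7 contents and the FCS; recompute the FCS."""
    body = frame[:-4] + trailer
    return body + ethernet_fcs(body)


def parse_trailer(frame: bytes):
    """Locate and validate the trailer at the end of a frame ending in its FCS.
    Returns (frame with the trailer removed and FCS recomputed, list of fields)."""
    body = frame[:-4]
    if frame[-4:] != ethernet_fcs(body):
        raise ValueError("bad FCS")
    if len(body) < 5 or struct.unpack("!H", body[-4:-2])[0] != MAGIC:
        raise ValueError("no timestamp trailer present")
    checksum = struct.unpack("!H", body[-2:])[0]
    flen = body[-5]
    if flen + 5 > len(body):
        raise ValueError("field length exceeds frame")
    if ip_style_checksum(body[-5 - flen:-2]) != checksum:
        raise ValueError("trailer checksum mismatch")
    fields, i, out = body[-5 - flen:-5], 0, []
    while i + 2 <= len(fields):
        ftype, length = fields[i], fields[i + 1]
        value = fields[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated field")
        entry = {"type": ftype, "name": TRAILER_TYPES.get(ftype, "UNKNOWN")}
        if ftype in TIMESTAMP_TYPES and length == 8:
            entry["seconds"], entry["nanoseconds"] = struct.unpack("!ii", value)
            entry["sync_lost"] = ftype == 7      # holdover timestamp: flag for the analyst
        out.append(entry)
        i += 2 + length
    original = body[:-5 - flen]
    return original + ethernet_fcs(original), out


def trailer_is_valid(frame: bytes) -> bool:
    """True if a well-formed trailer with matching checksum ends the frame."""
    try:
        parse_trailer(frame)
        return True
    except ValueError:
        return False
```

A single timestamp field yields a 15-byte trailer (2 bytes of type and length, 8 bytes of value, 1 length byte, 2 bytes of magic, 2 bytes of checksum), which is the per-packet overhead the note above quotes; `parse_trailer` walks the fields so a trailer carrying more than one field is handled too, and a type 7 field is surfaced as `sync_lost` so tooling can discount holdover timestamps.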
The NTO flags packets using the SyncLost time source until it re-syncs with either an NTP server or a GPS satellite, depending on which is configured. There will almost always be a lag time between the time when an NTO starts and the time when a configured NTP server or GPS satellite time source becomes available. For that reason, the NTO will not trigger an alarm for the first 10 minutes of the startup process. After 10 minutes, the NTO will trigger a minor alarm if:
- The GPS source is still not in sync.
- The NTO cannot contact the NTP server.
- An NTP server connection was established within 10 minutes, but the NTO has still not completed synchronizing the time. The synchronization process adjusts the clock incrementally. If the process has not completed within an hour, then it triggers a minor alarm.
NOTE If the NTO completes synchronizing the time within one (1) hour, it will not trigger an alarm.
AFM Statistics
To view AFM statistics:
1. Right-click the AFM port or the port group that contains AFM ports and select Statistics.
2. Click the Packet Processing tab.
The advanced feature statistics display as shown below.
Packets that are dropped due to oversubscription after the stages where filtering and AFM processing (Packet Trimming, De-duplication, etc.) are applied are counted under the Drops (AFM) section on the Packet Processing tab of the tool port statistics window.
In this example, the tool port statistics for a 1G AFM tool port indicate that there are no Pre-filter dropped packets, but the tool port icon (at the top right corner of the figure below) indicates that packets have been dropped (yellow shield and exclamation symbol). Also notice that the icon indicates that this is an AFM port (encircled A symbol and ASFP, i.e., Advanced SFP).
However, a look at the Packet Processing tab of the AFM tool port statistics window (see figure below) displays dropped packets under Drops (AFM).
In this scenario:
- The traffic received did not exceed the Pre-filter capacity of the AFM tool port. (Remember that an AFM 1G port supports up to 10G of Pre-filter traffic.)
- After the stages where filtering and AFM features can be applied (Packet Trimming, De-duplication, etc.), the remaining traffic exceeded the line rate of the port (1G). Therefore, dropped packets were reported under Drops (AFM).
Overview
Models 5288, 5293: References to 40G licenses refer only to the 5288/5293 NTO models. When the Net Tool Optimizer (NTO) is restarted with a different configuration of QSFP+/SFP+ modules installed or when a configuration is imported that has a different configuration of QSFP+/SFP+ modules, the port floating licenses will be remapped as necessary.
Remapping Process
After the NTO configuration has changed due to a change in the installed port modules or import of a configuration, the remapping of floating licenses occurs in the order shown below.

1. Find exact matches and license: For each port in the new license map, if there is a duplicate entry in the old license map, use it. A duplicate entry is one with the same default port name. For example, a 10G license from port A01 in the old map will be moved over to port A01 in the new map if the current hardware for A01 supports the license.

2. Find port type matches (10G and 1G licenses only) and license: For ports in the new license map which didn't receive an exact match license, look for a license in the old map and apply that license to a port in the new map. This process is similar to step 1 except that the default port name doesn't have to match. For example, we might find a license at port C04 in the old map that can be reallocated to A01 in the new map. The algorithm attempts to reallocate 10G licenses into the new map first and then attempts to reallocate 1G licenses. Also note that the old map list is searched in reverse order so that a license is taken from port D16 before it is taken from port A01.
NOTE There may be a scenario where a 10G or 1G port in an old license map had been given a 40G license when that was all that was available. Because a new configuration may require a license for a 40G port, 40G licenses are not reallocated into the new map in the manner described above.

3. License remaining ports: At this stage, ports may remain in the new license map without a license. This is because the criteria defined in steps 1 and 2 above were not met, so licenses could not be remapped from the old license map to those ports in the new license map. Now the algorithm will search through the list of remaining licenses and try to find one that will match the remaining ports. The search and possible licensing occurs in the following order:
A. 40G licenses to apply to 40G ports
B. 10G licenses to apply to 10G ports
C. 1G licenses to apply to 1G ports
D. 40G licenses to apply to 10G ports or 1G ports
E. 10G licenses to apply to 1G ports
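The three-step remapping above, as an added Python model (this is example code, not Anue's implementation). Three points the text leaves implicit are taken as assumptions here: a port "supports" a license of its own speed or higher (as the step 3 D/E pairings imply); step 2 pairs a license with a port of the same speed and leaves cross-speed pairings to step 3; and the old map is walked in default-port-name order, reversed for step 2. The port names and licenses in the sample are constructed:

```python
"""Floating-license remapping, modelled on the three steps described above.
Added example, not Anue's implementation. Port names and licenses are
constructed. Assumptions: a port 'supports' a license of its own speed or
higher (as step 3 D/E imply); step 2 pairs a license with a port of the same
speed, leaving cross-speed pairings to step 3; the old map is walked in
default-port-name order and reversed for step 2."""

SPEED = {"1G": 1, "10G": 10, "40G": 40}


def supports(port_speed: str, license_speed: str) -> bool:
    """Assumption: hardware can carry a license of its own speed or higher."""
    return SPEED[license_speed] >= SPEED[port_speed]


def remap_licenses(old_map: dict, new_ports: dict):
    """old_map: {default port name: license speed} before the hardware change.
    new_ports: {default port name: hardware port speed} after it.
    Returns (new_map, unused_licenses, unlicensed_ports)."""
    pool = [(name, old_map[name]) for name in sorted(old_map)]   # floating licenses
    new_map = {}

    # Step 1: same default port name, if the new hardware supports that license
    for name in sorted(new_ports):
        for entry in pool:
            if entry[0] == name and supports(new_ports[name], entry[1]):
                new_map[name] = entry[1]
                pool.remove(entry)
                break

    # Step 2: same port type (10G first, then 1G); old map searched in reverse
    # so a license is taken from D16 before A01; 40G licenses are not touched
    for speed in ("10G", "1G"):
        for name in sorted(new_ports):
            if name in new_map or new_ports[name] != speed:
                continue
            for entry in reversed(pool):
                if entry[1] == speed:
                    new_map[name] = speed
                    pool.remove(entry)
                    break

    # Step 3: remaining licenses, in the documented order A to E
    order = (("40G", ("40G",)), ("10G", ("10G",)), ("1G", ("1G",)),
             ("40G", ("10G", "1G")), ("10G", ("1G",)))
    for license_speed, port_speeds in order:
        for name in sorted(new_ports):
            if name in new_map or new_ports[name] not in port_speeds:
                continue
            for entry in pool:
                if entry[1] == license_speed:
                    new_map[name] = license_speed
                    pool.remove(entry)
                    break

    unlicensed = [n for n in sorted(new_ports) if n not in new_map]
    return new_map, [lic for _, lic in pool], unlicensed
```

In the sample below, A01 keeps its 10G license by exact match, A02 loses its 10G license because its slot now holds 40G hardware, A03 receives the 10G license taken from C04 (reverse search, so C04 is drained before A02), and the leftover 10G license stays unused because step 3 has no rule for placing it on a 40G port.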
APPENDIX E Troubleshooting
Color                                      Description
Solid Green                                Licensed Port is Enabled and Link is Up
Flickering Green                           Licensed Port is Enabled and Link is Up w/ activity. Port is sending or receiving data.
Slow Blinking Green (Off 3 sec, On sec)    Licensed Port is Enabled with Link Down
Solid Amber                                Licensed Port is Disabled; Licensed Combo Port Enabled but its Media Type is NOT selected.
Off (Black)                                Port is Unlicensed; Rear Slot A/B No Module Present
Description
- Licensed Port is operating at its maximum speed (1GB or 10GB) in Full Duplex
- Licensed Port is operating at 10Mb or 100Mb Full Duplex or 1GB (SFP+) Full Duplex (N/A for SFPs)
- Licensed Port is operating at 10Mb or 100Mb Half Duplex (N/A for RJ-45 and SFPs)
- Unlicensed Port
- Licensed Port is Disabled, or Licensed Port is Enabled with Link Down
- Licensed Combo Port Enabled but its media type is NOT selected
Manual POST
Manual POST differs for various models of NTO. See Table E-3 for details.
Table E-3: Manual Post on Different NTO Models
To manually start a POST, use the front panel LCD and keypad. Enter the following commands:
1. Press the down Arrow () 7 times.
2. Display reads 7 Power on Self Test (POST).
3. Right Arrow () 1 time.
4. Down Arrow () 1 time.
5. Display reads 7b Run POST.
6. Press the Check Button ().
7. Display reads Restart Now? No Yes.
8. Right Arrow () 1 time so that the word Yes is highlighted.
9. Press the Check Button ().
10. Display reads Shutting down please wait. The system will reboot and the POST will execute during system initialization.

5273, 5288, 5293: A manual POST can be initiated from the serial port menu. The system will restart and the POST will run one time. It will not run after the next restart unless it is configured to run automatically, or another manual POST is initiated.
Automatic POST
To configure a POST to run every time the NTO is restarted:
1. Access the Settings tab of the System view.
2. To the right of the Power on self test (POST) field, click Disabled.
3. Click OK to confirm that you want the POST to run every time the NTO is restarted.
4. The Disabled text will change to display Enabled.
NOTE The POST adds the following times to the NTO restart process:
Models 5204/5236/5273: 4-5 minutes
Models 5288/5293: approximately 10 minutes
To disable the automatic POST: Click Enabled and then click OK to confirm that you wish to disable the automatic POST.
5273/5288/5293 View POST Results Via the Serial (Craft) Port Interface
From the Main Menu, type 6 to retrieve the results of the last POST run. This command cannot be run while the system is restarting. Note: If the POST fails, contact Anue Technical Support for assistance.
Welcome to Anue Systems
IP address: 192.168.162.33
Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results
Enter command number: 6
Get Power On Self Tests results
Type "yes" to accept, anything else to cancel: yes
Results: Passed
10. Continue pressing the down arrow to display additional test results.
Login Issues
This section documents issues that may cause login failures.
Tip: Firewall configurations may need to open TCP port 1099 to allow the NTO Control Panel GUI to communicate with the NTO server.
Tip: A bug in Java version 1.6 update 14 can prevent users from logging in to the NTO Control Panel. If errors are received after clicking on the Launch 52XX Control Panel button, please upgrade to Java version 1.6.0_30, which Anue has tested on and recommends. Both the 32-bit and 64-bit versions of the JRE are supported. Java version 1.7 (i.e., Java 7) is not currently supported.
Login Failures Using the IE8 and IE9 Browsers on Windows 7 and Vista
Attempting to launch the NTO Control Panel using IE8 and IE9 on Windows 7 and Vista with the default IE Account Control settings produces an error similar to the following: "The Anue 52xx at 10.179.164.49 is running software version 3.5.x.x-xxxxxxxxxxxx-xxxxxx. Please ensure that you start your Control Panel from the launch page at http://10.179.164.49. If this problem persists, refer to Upgrade Procedures." Note that the Upgrade Procedures can be found in the NTO User Guide.
Background
When using Internet Explorer to launch the control panel, the NTO home page and control panel will run in one of the following URL Security Zones:
- Internet Zone
- Local Intranet Zone
- Trusted Sites Zone
- Restricted Sites Zone
In addition, Protected Mode can either be enabled or disabled. Typically, applications will run with Protected Mode enabled in the Internet and Restricted Sites Zones, and with Protected Mode disabled in the Local Intranet and Trusted Sites Zones. Some user accounts may also be configured to bypass these Internet Explorer settings, and disable protected mode even in the Internet Zone. For instance, a user may have disabled change notifications in User Account Control Settings. This configuration may be more common on a Windows 7 system, which was migrated from an earlier Windows release.
Issue
If the Control Panel is launched using Internet Explorer with Protected Mode enabled, the user will observe the following error message:
Confirm the cause by checking the Protected Mode, as follows:
1. Browse to the home page of the NTO.
2. View properties for the NTO page. Either:
   A. In the Menu Bar, click File -> Properties.
   or
   B. Right-click on the webpage and select Properties.
3. Select the values Zone and Protected Mode.
If Protected Mode is off, then the control panel should launch normally.
Exception
If the NTO was previously trusted, but is now in another zone with Protected Mode on, the control panel will still launch. This exception can be resolved by clearing the IE cookies.
Solutions
There are two solutions for this issue: Use the Firefox Browser or Temporarily Disable User Account Control (UAC)
The goal is to run the Control Panel with Protected Mode off.
NOTE You may need to restart the system, restart Internet Explorer, and/or clear IE cookies for some of these changes to take effect.
Add the NTO to the Trusted Sites Zone with Protected Mode disabled
1. Open Internet Options from Internet Explorer.
2. Click the Security tab.
3. Select Trusted Sites.
4. Confirm Enable Protected Mode is not selected for this zone.
5. Click the Sites button.
6. Add the URL to the website list.
7. Click OK.
8. Reload the webpage.
Run the NTO from the Intranet Zone with Protected Mode disabled
NOTE This may be helpful if the NTO is on your intranet, but IE identifies the NTO as being on the internet.
1. Open Internet Options from Internet Explorer.
2. Click the Security tab.
3. Select Local Intranet.
4. Confirm Enable Protected Mode is not selected for this zone.
5. Click the Sites button.
6. Either:
   A. Modify the settings to define which websites are included in the local intranet zone.
   or
   A. Select Advanced.
   B. Add the URL to the website list.
7. Click OK.
8. Reload the webpage.
Run the NTO from the Internet Zone with Protected Mode disabled
NOTE This disables key security settings of Internet Explorer.
1. Open Internet Options in Internet Explorer.
2. Click the Security tab.
3. Select Internet.
4. Deselect Enable Protected Mode for this zone.
5. Click Apply/OK.
Caution: This security setting will put your computer at risk.
6.
Run Internet Explorer with Administrator Privileges - One Time Only
NOTE The user must have administrative privileges. This disables key security settings of Internet Explorer during this session.
1. Locate the Internet Explorer icon, for instance:
   A. Click the Windows Start icon (and look for Internet Explorer without a short-cut icon).
   or
   B. Browse to C:\Program Files (x86)\Internet Explorer (and look for "iexplore.exe").
2. Right-click the Internet Explorer icon.
3. Select Run as Administrator.
4. Browse to the NTO webpage.
Run Internet Explorer with Administrator Privileges - Every Time
NOTE The user must have administrative privileges. This disables key security settings of Internet Explorer every time (when run from the shortcut described).
1. Locate the Internet Explorer icon, for instance:
   A. Click the Windows Start icon (and look for Internet Explorer without a short-cut icon).
   or
   B. Browse to C:\Program Files (x86)\Internet Explorer (and look for "iexplore.exe").
2. Create a shortcut to the Internet Explorer icon (on the desktop, for instance).
3. Right-click the Internet Explorer shortcut icon.
4. Select Properties.
5. Click the Shortcut tab.
6. Click the Advanced button.
7. Select Run as administrator.
8. Click OK.
9. Double-click the shortcut.
10. Browse to the NTO webpage.

Modify user account to disable change notifications
NOTE The user must have administrative privileges. This method disables key security settings of Windows 7. This approach is NOT recommended.
1. Open the Control Panel.
2. Select User Accounts.
3. Select User Accounts (and confirm you are at "Make Changes to your user account").
4. Select Change User Account Control settings.
5. Change the slider from:
   A. Default - Notify me only when programs try to make changes to my computer.
   to
   B. Never notify me when.
6. Click OK.
7. Run Internet Explorer normally.
8. Browse to the NTO webpage.
Reference
Internet Explorer Developer Center > Learn > Security and Privacy > Security Zones > Overviews/Tutorials > About URL Security Zones http://msdn.microsoft.com/en-us/library/ie/ms537183(v=vs.85).aspx
English
CAUTION: Safety Instructions
Use the following safety guidelines to help ensure your own personal safety and to help protect your equipment and working environment from potential damage.

SAFETY: General Safety
CAUTION: The power supplies in your system may produce high voltages and energy hazards, which can cause bodily harm. Only Anue Systems service technicians are authorized to remove the cover and access any of the components inside the system.
CAUTION: This system may have more than one power supply cable. To reduce the risk of electrical shock, a trained service technician must disconnect all power supply cables before servicing the system.
Note: The installation of your equipment and rack kit in a rack cabinet has not been approved by any safety agencies. It is your responsibility to ensure that the final combination of equipment and rack complies with all applicable safety standards and local electric code requirements. Anue Systems disclaims all liability and warranties in connection with such combinations. Rack kits are intended to be installed in a rack by trained service technicians.
When setting up the equipment for use:
- Place the equipment on a hard, level surface.
- Leave 10.2 cm (4 in) minimum clearance on all vented sides of the equipment to permit the airflow required for proper ventilation. Restricting airflow can damage the equipment or cause a fire.
- Ensure that nothing rests on your equipment's cables and that the cables are not located where they can be stepped on or tripped over.
- Keep your equipment away from radiators and heat sources.
- Keep your equipment away from extremely hot or cold temperatures to ensure that it is used within the specified operating range.
- Do not stack equipment or place equipment so close together that it is subject to re-circulated or preheated air.
When operating your equipment:
CAUTION: Do not operate your equipment with the cover removed.
- Use this product only with approved / certified equipment.
- Operate this product only with approved / certified redundant power supplies.
- Operate the equipment only from the type of external power source indicated on the electrical ratings label. If you are not sure of the type of power source required, consult your service provider or local power company.
- If the equipment has multiple sources of power, disconnect power from the system by unplugging all power cables from the power supplies.
- Use only approved power cable(s). If you have not been provided with a power cable for the equipment or for any AC-powered option intended for the equipment, purchase a power cable that is approved for use in your country. The power cable must be rated for the equipment and for the voltage and current marked on the equipment's electrical ratings label. The voltage and current rating of the cable should be greater than the ratings marked on the equipment.
- Do not modify power cables or plugs. Consult a licensed electrician or your power company for site modifications. Always follow your local/national wiring rules.
- To help prevent electric shock, plug the equipment's power cables into properly grounded electrical outlets. These cables are equipped with three-prong plugs to help ensure proper grounding. Do not use adapter plugs or remove the grounding prong from a cable. If you must use an extension cable, use a 3-wire cable with properly grounded plugs.
- Observe extension cable and power strip ratings. Ensure that the total ampere rating of all equipment plugged into the extension cable or power strip does not exceed 80 percent of the ampere ratings limit for the extension cable or power strip.
- If any of the following conditions occur, unplug the equipment from the electrical outlet and replace the part or contact Anue Systems:
  - The power cable, extension cable, or plug is damaged.
  - An object has fallen into the equipment.
  - The equipment has been exposed to water.
  - The equipment has been dropped or damaged.
  - The equipment does not operate correctly when you follow the operating instructions.
Do not operate the equipment within a separate enclosure unless adequate intake and exhaust ventilation are provided on the enclosure that adheres to the guidelines listed above. Do not restrict airflow into the equipment by blocking any vents or air intakes. Do not push any objects into the air vents or openings of your equipment. Doing so can cause fire or electric shock by shorting out interior components.
CAUTION: Only Anue Systems trained service technicians are authorized to replace the battery. Should the battery need to be replaced, please contact Anue Systems to arrange for the replacement of the battery. Incorrectly installing or using an incompatible battery may increase the risk of fire or explosion. Replace the battery only with the same or equivalent type recommended by the manufacturer, carefully following installation instructions. Dispose of used batteries properly.

SAFETY: Battery Disposal
Your system uses a lithium coin-cell battery. These batteries are long-life batteries, and it is very possible that you will never need to replace them. However, should you need to do so, please contact Anue Systems to arrange for the replacement of the battery. Do not dispose of the battery along with ordinary waste. Contact your local waste disposal agency for the address of the nearest battery deposit site. Handle batteries carefully. Do not disassemble, crush or puncture batteries. Do not short external contacts, dispose of batteries in fire or water, or expose batteries to temperatures higher than 60 degrees Celsius (140 degrees Fahrenheit). Do not attempt to open or service batteries. Replace batteries only with batteries designated for the equipment.

SAFETY: Risk of Electrical Shock
CAUTION: Opening or removing the cover of this equipment may expose you to risk of electrical shock. Components inside these compartments should be serviced only by an Anue Systems service technician. Allow the equipment to cool before removing add-in modules. Add-in modules may become very warm during normal operation. Use care when removing add-in modules after their continuous operation. To help avoid the potential hazard of electric shock, do not connect or disconnect any cables or perform maintenance or reconfiguration of your equipment during an electrical storm.
SAFETY: Equipment with Laser Devices CAUTION: Do not look directly into a fiber-optic transceiver or into the end of a fiber-optic cable. Fiber-optic transceivers contain laser light sources that can damage your eyes. This equipment may contain optical communications transceivers which have built-in laser devices. To prevent any risk of exposure to laser radiation, do not disassemble or open any optical transceiver assembly for any reason.
Protecting Against Electrostatic Discharge
CAUTION: Disconnect the product from the mains power source in accordance with the product-specific safety information located in this manual. Electrostatic discharge (ESD) events can harm electronic components. Under certain conditions, ESD may build up on your body or an object and then discharge into another object, such as your add-in modules. To prevent ESD damage, you should discharge static electricity from your body before handling any add-in modules. You can protect against ESD and discharge static electricity from your body by touching a grounded metal object before you interact with anything electronic. When connecting other devices to this equipment, you should always ground both yourself and the other device before connecting it to this equipment. You can also take the following steps to prevent damage from electrostatic discharge:
- When unpacking a static-sensitive component from its shipping carton, do not remove the component from the antistatic packing material until you are ready to install the component. Just prior to unwrapping the antistatic package, be sure to discharge static electricity from your body.
- When transporting a sensitive component, first place it in an antistatic container or packaging.
- Handle all electrostatic sensitive components in a static-safe area. If possible, use antistatic floor pads and work bench pads.
French
WARNING: Safety Instructions
Follow the safety guidelines below to ensure your personal safety and to protect your equipment and work environment from potential damage.
SAFETY: General Safety
WARNING: The power supplies in your system can produce high voltages and electrical hazards that can cause bodily injury. Only Anue Systems service technicians are authorized to remove the cover and access the components inside the system. WARNING: This system may have more than one power cable. To reduce the risk of electrical shock, a trained service technician must disconnect all power cables before servicing the system.
NOTE: The installation of your equipment and rack kit in a cabinet has not been approved by any safety agency. It is your responsibility to ensure that the final combination of equipment and racks complies with all applicable safety standards and local electrical code requirements. Anue Systems disclaims all liability and warranties in connection with such combinations. Rack kits are intended to be installed by a trained service technician. When setting up the equipment for use: Place the equipment on a hard, level surface. Leave at least 10.2 cm (4 in) of clearance on all sides of the equipment that have ventilation slots, to allow the airflow required for proper ventilation. Restricting airflow can damage the equipment or cause a fire. Make sure nothing rests on the equipment's cables and that the cables are not located where they can be stepped on or tripped over. Keep the equipment away from radiators and other heat sources. Do not expose the equipment to extremely hot or cold temperatures, so that it is operated within its specified operating range. Do not stack equipment or place components so close together that they are subject to recirculated or preheated air.
When operating your equipment: WARNING: Do not operate your equipment with the cover removed. Use this product only with approved/certified equipment. Operate this product only with approved/certified redundant power supplies. Operate the equipment only with the type of external power source indicated on the electrical ratings label. If you are unsure of the type of power source required, consult your service provider or local power company. If the equipment has multiple power sources, disconnect power from the system by unplugging all power cables from the power sources. Use only approved power cables. If you have not been provided with a power cable for the equipment or for any AC-powered option intended for the equipment, purchase a power cable approved for use in your country. The power cable must be rated for the equipment and for the voltage and current marked on the equipment's electrical ratings label. The voltage and current rating of the cable must be greater than the ratings marked on the equipment. Do not modify power cables or plugs. Consult a licensed electrician or your power company for site modifications. Always follow local/national wiring rules. To prevent electrical shock, plug the equipment's power cables into properly grounded electrical outlets. These cables are equipped with three-prong plugs to ensure proper grounding. Do not use adapter plugs or remove the grounding prong from a cable. If an extension cable must be used, use a three-wire cable with properly grounded plugs.
Observe the extension cable and power strip ratings. Make sure that the total ampere rating of all equipment plugged into the extension cable or power strip does not exceed 80 percent of the maximum ampere rating of the extension cable or power strip. If any of the following conditions occur, unplug the equipment from the electrical outlet and replace the part or contact Anue Systems: The power cable, extension cable, or plug is damaged. An object has fallen into the equipment. The equipment has been exposed to water. The equipment has been dropped or damaged. The equipment does not operate correctly when you follow the operating instructions.
Do not operate the equipment in a separate enclosure unless adequate intake and exhaust ventilation is provided on that enclosure in accordance with the guidelines given above. Do not restrict airflow into the equipment by blocking the ventilation slots or air intakes. Do not push objects into the ventilation slots or openings of your equipment; doing so can cause fire or electrical shock by shorting out internal components.
WARNING: Only trained Anue Systems service technicians are authorized to replace the battery. If the battery must be replaced, contact Anue Systems to arrange for the battery replacement. Incorrect installation or use of an incompatible battery may increase the risk of fire or explosion. Replace the battery only with the same or an equivalent type recommended by the manufacturer and follow the installation instructions exactly. Dispose of used batteries properly.

SAFETY: Battery Disposal
Your system uses a lithium coin-cell battery. These batteries are long-life batteries, and it is very possible that you will never need to replace them. However, should you ever need to do so, contact Anue Systems to arrange for the battery replacement. Do not dispose of the battery with household waste. Contact your local waste disposal agency for the address of the nearest battery collection site. Handle batteries carefully. Do not disassemble, crush, or puncture batteries. Do not short the external contacts, dispose of batteries in fire or water, or expose batteries to temperatures above 60 degrees Celsius (140 degrees Fahrenheit). Do not attempt to open or service batteries. Replace batteries only with the batteries designated for the equipment.
SAFETY: Risk of Electrical Shock
WARNING: Opening or removing the cover of this equipment may expose you to a risk of electrical shock. Components inside these compartments must be serviced only by an Anue Systems service technician. Allow the equipment to cool before removing add-in modules. Add-in modules can become very hot during normal operation. Use care when removing add-in modules after continuous operation. To avoid the potential hazard of electrical shock, do not connect or disconnect cables or perform maintenance or reconfiguration of your system during an electrical storm.
SAFETY: Equipment with Laser Devices
WARNING: Never look directly into a fiber-optic transceiver or into the end of a fiber-optic cable. Fiber-optic transceivers contain laser light sources that can damage your eyes. This equipment may contain optical communications transceivers that have built-in laser devices. To prevent any risk of exposure to laser radiation, never disassemble or open a fiber-optic transceiver.
Protecting Against Electrostatic Discharge
WARNING: Disconnect the product from the mains power source in accordance with the product-specific safety information provided in this manual. Electrostatic discharges can damage electronic components. Under certain conditions, electrostatic charge can build up on your body or on an object and then discharge into another object, such as your add-in modules. To prevent electrostatic discharge damage, you must discharge the static electricity from your body before handling an add-in module. You can protect against electrostatic discharge and discharge static electricity from your body by touching a grounded metal object before touching anything electronic. When connecting other devices to this equipment, you must always ground both yourself and the other device before connecting it to this equipment.
You can also take the following steps to prevent damage from electrostatic discharge: When removing a static-sensitive component from its shipping carton, do not remove the component from its antistatic packing material until you are ready to install the component. Just before removing the antistatic packaging, be sure to discharge the static electricity from your body. When transporting a sensitive component, first place it in an antistatic container or packaging. Handle all static-sensitive components in a static-safe area. If possible, use antistatic floor mats and workbench mats.