GigaVUE-420
User’s Guide
Software Version 4.0
COPYRIGHT
© 2006-2008 Gigamon Systems LLC. All Rights Reserved. No part of this publication may be reproduced,
transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any
means without the written permission of Gigamon Systems, LLC.
TRADEMARK ATTRIBUTIONS
Gigamon, Gigamon Systems, GigaVUE-420, and GigaVUE-MP are registered trademarks or trademarks of
Gigamon Systems, LLC. All other registered and unregistered trademarks herein are the sole property of their
respective owners.
Contents
About This Guide . . . . . 13
  Audience of this Guide . . . . . 13
  How To Use This Guide . . . . . 14
  Conventions Used in this Guide . . . . . 16
    Product Naming Conventions . . . . . 16
      GigaVUE-420 Models . . . . . 17
  Other Sources of Information . . . . . 18
  Contacting Customer Support . . . . . 19
  Contacting Sales . . . . . 20
Chapter 1 Introducing GigaVUE-420 4.0 . . . . . 21
  GigaVUE-420 Overview . . . . . 21
    GigaVUE-420 Features and Benefits . . . . . 22
  GigaVUE-420 Chassis . . . . . 25
    GigaVUE-420 Chassis – Front View (Copper and Optical) . . . . . 26
    GigaVUE-420 Chassis – Rear View (AC and DC) . . . . . 26
  GigaVUE-420 vs. the GigaVUE-MP . . . . . 28
    Differences in Hardware Features . . . . . 28
      GigaVUE-420 – Front View . . . . . 29
      GigaVUE-MP – Front View . . . . . 29
      GigaVUE-420 – Rear View . . . . . 30
      GigaVUE-MP – Rear View . . . . . 30
    Differences in Software Features . . . . . 31
      Differences in Maps and Filters . . . . . 31
      Differences in Restrictions on Legacy Commands . . . . . 34
      Differences in Stacking Commands for 10 Gb Ports . . . . . 35
      Differences in Port-Stat Counters . . . . . 35
      Differences in Mgmt Port . . . . . 36
  New Features in GigaVUE-420 v4.0 . . . . . 37
    System Management Features . . . . . 37
    Filter and Map-Rule Features . . . . . 39
    Traffic Distribution Features . . . . . 41
  GigaVUE-420 Specifications . . . . . 42
    GigaVUE-420 Physical Dimensions and Weight . . . . . 42
    Power Requirements . . . . . 42
    Environmental Specifications . . . . . 43
Chapter 2 Updating the GigaVUE-420 . . . . . 45
Chapter 3 Getting Started with GigaVUE-420: A Roadmap . . . . . 47
  First Steps – Getting Connected and into the CLI . . . . . 48
  Next Steps . . . . . 49
Chapter 4 Rack-Mounting the GigaVUE-420 . . . . . 51
  Unpacking GigaVUE-420 . . . . . 51
  Rack-Mounting the GigaVUE-420 . . . . . 52
    Safety Precautions . . . . . 52
    Rack Mounting Hardware . . . . . 53
    Four-Point Mounting in Four-Post Racks . . . . . 54
    Center-Mounting in Two-Post Racks . . . . . 56
Chapter 5 Connecting the GigaVUE-420 . . . . . 59
  Basic GigaVUE-420 Connections . . . . . 59
  Connecting -48 V DC Power Supplies . . . . . 62
  GigaVUE-420 Modules . . . . . 63
    GigaMGMT Four-Port Base Module . . . . . 64
    GigaPORT Module . . . . . 65
      GigaPORT Port Numbering . . . . . 66
    GigaTAP-Sx/GigaTAP-Lx/GigaTAP-Zx Modules . . . . . 67
    GigaTAP-Tx Module . . . . . 68
      Passive Mode vs. Active Mode . . . . . 68
      Configuring Tap Connections . . . . . 69
    GigaLINK Modules (CU and XR) . . . . . 73
  Using Modules – Best Practices . . . . . 74
  Traffic Distribution and Replacing Modules . . . . . 75
Chapter 6 Getting Started in the Command Line Interface . . . . . 79
  Establishing a Configuration Session with GigaVUE-420 . . . . . 79
    Local Connections to the Console Port using the Console Cable . . . . . 80
    Remote Connections to the Mgmt Port . . . . . 82
      Configuring the Mgmt Port’s Network Settings . . . . . 82
      SSH2 vs. Telnet . . . . . 86
  Command Line Basics . . . . . 91
    The CLI Prompt . . . . . 91
    Getting Help in the Command Line Interface . . . . . 91
    Command Line Syntax – Entering Commands . . . . . 92
      Command Structure . . . . . 93
  The Basic Commands . . . . . 94
  Completing the Initial GigaVUE-420 Setup . . . . . 95
    Initial User Account Configuration (Optional) . . . . . 96
    Configuring the GigaVUE-420 Name and Date . . . . . 98
    Configuring GigaVUE-420 Time Options . . . . . 99
      Setting Time Manually . . . . . 99
      Setting Time from an SNTP Server . . . . . 99
      Using Automatic Daylight Savings Time Adjustments . . . . . 100
    Using a Custom Login Banner . . . . . 102
    Saving Changes . . . . . 104
Chapter 7 Stacking GigaVUE-420 Boxes . . . . . 105
  About Cross-Box Configurations . . . . . 106
    About GigaVUE-420 10 Gb Stacking Ports . . . . . 108
  Creating Cross-Box Stacks: A Roadmap . . . . . 109
  Stacking Rules . . . . . 110
  Planning the Stack . . . . . 110
    Identifying Requirements . . . . . 110
    Create the Stack Map . . . . . 111
    Create the Configuration Plans . . . . . 113
  Configuring a Box’s Stacking Information . . . . . 114
    Assigning Box IDs: config system bid . . . . . 116
    Designating Stacking Ports: config port-type . . . . . 116
    Specifying Neighbor Boxes: config system x1_bid/x2_bid . . . . . 117
      Sample Commands . . . . . 117
    Configuring Cable Lengths (GigaLINK-CU Stacking Ports) . . . . . 118
    Activating Stacking Ports: config system active_link . . . . . 119
    Stack Examples: CLI Commands . . . . . 119
      Example: Two-Box Cross-Box Stack . . . . . 120
      Example: Cross-Box Stack with Four Systems . . . . . 121
  Making Physical Connections . . . . . 122
  Verifying a Cross-Box Stack’s Connectivity . . . . . 122
    Check the show diag Output . . . . . 122
    Set Up Cross-Box Connections . . . . . 124
  Configuring Cross-Box Packet Distribution . . . . . 125
  Troubleshooting Cross-Box Stacks . . . . . 125
  Making Changes to an Existing Cross-Box Stack . . . . . 127
    Adding a Box to the Edge of a Stack . . . . . 127
    Remove a Box from the Edge of a Stack . . . . . 128
    Adding a Box to the Middle of a Stack . . . . . 128
    Disconnect a Box in the Middle of a Stack . . . . . 129
  Power Loss Considerations for Cross-Box Stacks . . . . . 131
    Power Loss on Box in the Middle of a Stack . . . . . 131
    Power Loss and Power Restore to the Entire Stack . . . . . 131
Chapter 8 Configuring GigaVUE-420 Security Options . . . . . 133
  About GigaVUE-420 Security . . . . . 134
  Configuring Users and Passwords . . . . . 135
    Examples . . . . . 137
    Changing Passwords . . . . . 137
    Maximum Simultaneous Sessions . . . . . 138
  Configuring Lock Levels and Port Ownership . . . . . 139
    Syntax for the config system lock-level Command . . . . . 141
    Syntax for the config port-owner Command . . . . . 141
      Examples . . . . . 142
  Configuring Authentication (AAA) . . . . . 143
    Authentication Options . . . . . 144
    Syntax for the config system aaa Command . . . . . 146
      Examples . . . . . 147
    Using GigaVUE-420 with an External Authentication Server . . . . . 148
      Specifying TACACS+ Servers in GigaVUE-420 . . . . . 149
      Specifying RADIUS Servers in GigaVUE-420 . . . . . 152
      Setting up GigaVUE-420 Users in an External Authentication Server . . . . . 156
    Differences in Commands for External and Local Users . . . . . 164
Chapter 9 Using SNMP . . . . . 165
  Configuring SNMP Traps . . . . . 166
    Adding a Destination for SNMP Traps . . . . . 167
      Example – Adding SNMP Trap Destinations . . . . . 167
    Enabling GigaVUE-420 Events for SNMP Traps . . . . . 169
      Example – All Trap Events Enabled . . . . . 171
    Receiving Traps . . . . . 172
  Enabling GigaVUE-420’s SNMP Server . . . . . 172
Chapter 10 Using Configuration Files . . . . . 175
  What’s Saved In a Configuration File . . . . . 176
  Saving a Configuration File . . . . . 177
  Viewing the Contents of a Configuration File . . . . . 179
  Storing Configuration Files on a TFTP Server . . . . . 179
    Uploading a Configuration File to a TFTP Server . . . . . 179
    Downloading a Configuration File from a TFTP Server . . . . . 180
  Applying Configuration Files . . . . . 180
    Applying a Configuration File from Flash . . . . . 181
    Setting a Configuration File to Boot Next . . . . . 182
    Restoring Configuration Files in a Cross-Box Stack . . . . . 183
Chapter 11 Configuring Logging . . . . . 185
  Configuring Logging – A Roadmap . . . . . 186
    Specifying Which Events Are Logged . . . . . 186
      About syslog.log . . . . . 187
    Specifying an External Syslog Server . . . . . 188
      Packet Format for Syslog Output . . . . . 189
    Viewing Log Files . . . . . 190
  Uploading Log Files for Troubleshooting . . . . . 192
    Example – Saving a Log File to a Spreadsheet . . . . . 192
Chapter 12 Introducing Packet Distribution . . . . . 197
  About Packet Distribution . . . . . 198
    About Network and Tool Ports . . . . . 198
      Designating a Port’s port-type . . . . . 199
    Packet Distribution Illustrated . . . . . 200
  About Single-Box and Cross-Box Distribution . . . . . 201
    Cross-Box Commands: Enter All Commands on All Boxes . . . . . 202
  Getting Started with Packet Distribution . . . . . 203
    Example – Designating and Connecting Tool Ports . . . . . 205
  Connecting vs. Mapping – The Differences . . . . . 208
    About Connections . . . . . 208
      Connection Examples . . . . . 208
    About Maps . . . . . 209
      Map Example . . . . . 211
    Combining Pass-All with Connections and Maps . . . . . 213
  Sharing Network and Tool Ports . . . . . 214
Chapter 13 Connections, Filters, and Pass-Alls . . . . . 215
  Cross-Box Config: Enter Commands on All Boxes . . . . . 216
  Connecting Network Ports to Tool Ports . . . . . 216
    Connection Syntax . . . . . 216
    Showing Connections . . . . . 217
    Deleting Connections . . . . . 218
  Using Filters with Connections . . . . . 219
    Using Filters – Procedure . . . . . 220
    Pre-Filters vs. Post-Filters . . . . . 220
      Example: When to Use Pre-Filters and Post-Filters . . . . . 220
    IPv4/IPv6 and Filters . . . . . 223
    Config Filter Syntax . . . . . 225
      Setting Filters for TCP Control Bits . . . . . 232
      Using Bit Count Subnet Netmasks . . . . . 233
    Combining Filters and Filter Logic . . . . . 235
      Examples of Filter Logic . . . . . 235
    Working with User-Defined Pattern Match Filters . . . . . 237
      User-Defined Pattern Match Syntax . . . . . 238
      User-Defined Pattern Match Rules . . . . . 239
      User-Defined Pattern Match Examples . . . . . 241
    Mixing Allow and Deny Filters . . . . . 242
    Showing Filters . . . . . 243
    Deleting Filters . . . . . 244
  Filter Examples . . . . . 245
    Filtering on RTP Traffic . . . . . 245
    MAC Address Filter Examples . . . . . 246
      Example 1 – Deny Filter . . . . . 246
      Example 2 – Allow Filter . . . . . 247
      Example 3 – Deny Filter . . . . . 247
      Example 4 – Denying Odd-Numbered MAC Addresses . . . . . 248
      Example 5 – Allowing Odd-Numbered MAC Addresses . . . . . 249
  Using the Pass-All Command . . . . . 250
    Syntax for config pass-all . . . . . 250
    Rules for config pass-all . . . . . 252
      Maximum Number of Pass-All Destinations . . . . . 252
      Pass-All Matrix . . . . . 253
    Filters and the config pass-all Command . . . . . 254
    Examples for config pass-all . . . . . 256
      Illustration of Pass-Alls in the Show Connect Screen . . . . . 260
Chapter 14 Working with Maps (Single-Box and Cross-Box) . . . . . 263
  Cross-Box Config: Enter Commands on All Boxes . . . . . 264
  Mapping Network Ports to Tool Ports . . . . . 264
    Creating Maps: config map/config xbmap . . . . . 266
      Single-Tool Maps vs. Multi-Tool Maps . . . . . 267
      Syntax for the config map / config xbmap Commands . . . . . 270
    Creating Map-Rules: config map-rule . . . . . 271
      How GigaVUE-420 Processes Map-Rules . . . . . 271
      Syntax for the config map-rule Command . . . . . 271
    Binding Maps to Ports: config mapping / config xbmapping . . . . . 273
      Syntax for config mapping / config xbmapping . . . . . 273
    Showing Maps . . . . . 275
    Changing Maps . . . . . 277
      Adding Map-Rules to Single-Box/Cross-Box Maps . . . . . 277
      Deleting a Map-Rule from Single-Box/Cross-Box Maps . . . . . 278
      Deleting a Single-Box Mapping . . . . . 278
      Deleting a Single-Box/Cross-Box Map . . . . . 279
    Combining Pass-All with Maps . . . . . 280
  Map-Rule Priority and Guidelines . . . . . 280
    Map Creation Guidelines . . . . . 281
  Map Examples . . . . . 282
    Map Example – Selectively Forwarding VLAN Ranges . . . . . 282
      What this Map Will Do . . . . . 283
      Commands to Create this Map . . . . . 284
      Showing the Map in the CLI . . . . . 285
      Map Illustration . . . . . 286
    Map Example – Single-Tool vs. Multi-Tool . . . . . 287
      Single-Tool Map . . . . . 287
      Multi-Tool Map . . . . . 291
Command Line Reference . . . . . 295
  config commands . . . . . 296
    config connect . . . . . 296
    config file . . . . . 296
    config filter command . . . . . 297
    config map command . . . . . 304
    config map-rule . . . . . 305
    config mapping command . . . . . 306
    config pass-all command . . . . . 306
    config password command . . . . . 307
    config port-alias command . . . . . 307
    config port-filter command . . . . . 307
    config port-owner command . . . . . 307
    config port-pair command . . . . . 308
      config port-pair and GigaTAP-Tx . . . . . 309
    config port-params commands . . . . . 309
    config port-type command . . . . . 310
    config rad_server command . . . . . 311
    config restore command . . . . . 313
    config save command . . . . . 313
    config snmp_server commands . . . . . 314
    config snmp_trap commands . . . . . 314
    config sntp_server command . . . . . 316
    config syslog_server . . . . . 317
    config system commands . . . . . 318
    config tac_server command . . . . . 324
    config uda command . . . . . 326
    config user command . . . . . 327
    config xbconnect command . . . . . 328
    config xbmap command . . . . . 329
    config xbmapping command . . . . . 330
    config xbport-filter command . . . . . 330
  delete commands . . . . . 331
  exit command . . . . . 332
  help command . . . . . 333
  history command . . . . . 333
  install commands . . . . . 334
  logout command . . . . . 336
  reset commands . . . . . 336
  show commands . . . . . 337
  upload command . . . . . 340
CLI Parameter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Lock-Level Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
About Lock-Levels and Port Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Abbreviations in this Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Login Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Delete Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Config Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Install Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Reset Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Port Statistics Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Console Cable Pinouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
DB9 Pinouts – Figure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
RJ45 Pinouts – Figure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
DB9 to RJ45 Pinouts – Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
About This Guide
This guide describes how to install, connect, configure, and operate
the GigaVUE-420™ data access switch.
Audience of this Guide
This guide assumes that you are familiar with basic networking
concepts and are comfortable configuring network equipment such
as switches and routers in a command-line interface.
How To Use This Guide
This User’s Guide is divided into several main sections. Each section
corresponds to a different stage of GigaVUE-420 operations, as
summarized below.

Section: Welcome to GigaVUE-420 4.0
Chapters:
  Chapter 1, Introducing GigaVUE-420 4.0
  Chapter 2, Updating the GigaVUE-420
  Chapter 3, Getting Started with GigaVUE-420: A Roadmap
These chapters introduce you to the GigaVUE-420 and orient GigaVUE-MP
customers to the new product. They also describe how to upgrade the
system once new versions are available.

Section: Initial Configuration
Chapters:
  Chapter 4, Rack-Mounting the GigaVUE-420
  Chapter 5, Connecting the GigaVUE-420
  Chapter 6, Getting Started in the Command Line Interface
  Chapter 7, Stacking GigaVUE-420 Boxes
  Chapter 8, Configuring GigaVUE-420 Security Options
  Chapter 9, Using SNMP
  Chapter 10, Using Configuration Files
  Chapter 11, Configuring Logging
These chapters describe how to perform the initial system configuration
of the GigaVUE-420 4.0. After working through these chapters, your unit
will be up and running. You will most likely only need to read these
chapters once.

Section: Configuring Packet Distribution
Chapters:
  Chapter 12, Introducing Packet Distribution
  Chapter 13, Connections, Filters, and Pass-Alls
  Chapter 14, Working with Maps (Single-Box and Cross-Box)
These chapters describe the core features of GigaVUE-420 4.0: how to
configure the distribution of traffic arriving at network ports to
destination tool ports. You will likely return to these chapters
frequently as you use the product.

Section: Appendixes
Chapters:
  Appendix A, Command Line Reference
  Appendix B, CLI Parameter Limits
  Appendix C, Lock-Level Reference
  Appendix D, Port Statistics Counters
  Appendix E, Console Cable Pinouts
These appendixes provide useful reference information. You will likely
return to them as you have specific questions about GigaVUE-420
features.
Conventions Used in this Guide
The following notational conventions are used in this guide.

Bold face
  Bold is used for GigaVUE-420 CLI commands within text. For example:
  Use the config connect command to connect a network port to a tool
  port.

Bold Sans-Serif
  Bold, sans-serif font is used for GigaVUE-420 CLI commands when
  standing by themselves (for example, where the only text on a line is
  a CLI command, or within a table cell).

Italic
  Italic font is used in two different ways:
  - the first time a new term or concept is introduced,
  - in cross references to headings or chapters. For example:
    See About Tool Ports on page 44.
Product Naming Conventions
This guide refers to GigaVUE-420 components by the names used in
the command-line reference. Occasionally, these names may be
slightly different than those used by Gigamon sales literature. The
following table shows how the names used in this manual
correspond to those used by sales literature.

Engineering Product Name | Sales Product Name | Description
GigaLINK-CU | GigaLINK-CU | Optional 10 Gb copper interface for stacking, network or tool port use.
GigaLINK-XR | GigaLINK-SR | Optional 10 Gb optical Short Range interface for stacking, network or tool port use.
GigaLINK-XR | GigaLINK-LR | Optional 10 Gb optical Long Range interface for stacking, network or tool port use.
GigaLINK-XR | GigaLINK-ER | Optional 10 Gb optical Extended Range interface for stacking, network or tool port use.
GigaTAP-Tx | GigaTAP-Tx | Dual Copper Tap Module
GigaTAP-Sx | GigaTAP-Sx | Dual Multi Mode 850 nm Optical Tap Module
GigaTAP-Lx | GigaTAP-Lx | Dual Single Mode 1310 nm Optical Tap Module
GigaTAP-Zx | GigaTAP-Zx | Dual Single Mode 1550 nm Optical Tap Module
GigaPORT | GigaPORT | 4 port Copper/Optical SFP Expansion Module
GigaVUE-420 Models
There are four basic GigaVUE-420 models available:

Sales Product Name | Description
GVS-421 | Copper GigaMGMT Module, AC Power
GVS-422 | Optical GigaMGMT Module, AC Power
GVS-423 | Copper GigaMGMT Module, DC Power
GVS-424 | Optical GigaMGMT Module, DC Power
Other Sources of Information
GigaVUE-420 provides other sources of information that can help
you get up to speed with the equipment, including an online help
system. There are several ways to use online help:
• Whenever you are working with the command-line interface, you
  can type either ? or help to see a basic description of GigaVUE-420
  commands.
• Command Completion. If you have partially typed a command, you
  can press Tab and the CLI will attempt to complete the command for
  you based on what’s been entered so far. If it is unable to complete
  the command, the CLI will simply redraw the line with the cursor at
  the end of the line.
• Word Help. When you are typing a command and are not sure how to
  spell the word you are working on, type a ? immediately following
  the partially-typed word (for example, config x?). The CLI will show
  you a list of all possible words beginning with the text entered so
  far.
• Command Help. When you are typing a command and have finished a
  word but are not sure what the rest of the syntax is, you can type a
  space after the word and then a ?. The CLI will list all possible
  commands using the words you have entered so far. For example, if
  you type config system ?, the CLI will return all possible config
  system commands.
Contacting Customer Support
Contact Gigamon Systems LLC’s Support department with product
questions using the information in Table i. The Customer Service
department’s hours of operation are from 7:30 AM to 5:30 PM Pacific
Time, Monday through Friday.

Table i: Customer Support Contact Information
Telephone | (408) 263-2022
Fax | (408) 263-2023
E-Mail | support@gigamon.com
Web | http://www.gigamon.com
Mail | 736 South Hillview Drive, Milpitas, CA 95035

Contacting Sales
Table ii shows how to reach the Sales Department at Gigamon
Systems.

Table ii: Sales Contact Information
Telephone | (408) 263-2022
Sales | info@gigamon.com
Chapter 1
Introducing GigaVUE-420 4.0
This section introduces the GigaVUE-420 4.0 data access switch,
describes its features and functions, and provides an orientation to
the physical layout of the box. It includes the following major
sections:
• GigaVUE-420 Overview on page 21
• GigaVUE-420 Chassis on page 25
• GigaVUE-420 vs. the GigaVUE-MP on page 28
• New Features in GigaVUE-420 v4.0 on page 37
• GigaVUE-420 Specifications on page 42

GigaVUE-420 Overview
GigaVUE-420 is an out-of-band data access switch for enterprise
networks. It provides dynamic connectivity for 10 Gb and 1 Gb
Ethernet network monitor, compliance, and archival tools, including:
• Intrusion Detection Systems
• Protocol Analyzers
• VoIP Analyzers
• Application Performance Monitors
• Stream-to-Disk Data Recorders
GigaVUE-420 Features and Benefits
GigaVUE-420 unobtrusively acquires and maps relevant traffic from
multiple data sources to multiple tools, including the following
common scenarios:

Filtering and Mapping (Any-to-Any)
  Direct traffic from any network port to any tool port. Use filters to
  focus on particular traffic types. Use map-rules to send different
  types of traffic to different tool ports.

Aggregation (Many-to-Any)
  Aggregate traffic from multiple links to deliver a “big pipe” view to
  any tool. Merge Tx and Rx traffic into a single tool interface.

Multicasting (Any-to-Many)
  Multiplex filtered or unfiltered, singular or aggregated traffic to
  multiple tools.

Figure 1-1 summarizes these features:
[Figure 1-1: GigaVUE-420 Features]
The table below lists GigaVUE-420’s major features and benefits.

Share SPAN Ports
  Connect a SPAN port to a network port on the GigaVUE-420. Then, use
  GigaVUE-420’s command-line interface to multicast that traffic to
  multiple different tool ports, giving multiple different tools access
  to the same data. You can apply different filters to individual tool
  ports to ensure that each tool sees the data that best suits its
  individual strengths.

Aggregate Links
  Send the data from multiple different network ports to one or more
  tool ports, allowing you to combine traffic from multiple access
  points into a single stream for analysis.

Filter Packets
  Set both pre-filters and post-filters, allowing or denying traffic
  that meets specified criteria, including IP address and port ranges,
  VLAN IDs, protocols, and so on.
  • Pre-filters are filters applied on a network port.
  • Post-filters are filters applied on a tool port.

Remote Management
  Configure GigaVUE-420’s operations from an intuitive command-line
  interface:
  • Local access over the serial Console port.
  • Remote network access using Telnet or SSH2 over the 10/100/1000
    Ethernet Management port. (Telnet carries credentials and commands
    in the clear; use SSH2 unless the management network is fully
    trusted.)
  • Secure access to the CLI, either through local authentication or
    optional RADIUS/TACACS+ support.

Fault Tolerant Taps
  GigaTAP modules protect production links at all times (for copper,
  the relay closes if power fails; for fiber, the optical link
  maintains the connection).

Modularized Design
  Install once and never touch any links again. You can move, add, and
  reconfigure tools at will without affecting production networks.

10 Gb Support
  • Support for up to four separate 10 Gb ports, allowing for a full
    tap of both sides of two full-duplex 10 Gb links.
  • Aggregate multiple 1 Gb network ports to a 10 Gb tool port.
  • Split out a 10 Gb network port to multiple 1 Gb tool ports.
  • 10 Gb ports in the x1/x2 slots can be used for stacking multiple
    GigaVUE-420 systems.
GigaVUE-420 Chassis
Each GigaVUE-420 unit consists of a 1U, rack-mountable, 19”-wide
chassis. The chassis comes equipped with a 4-port base unit
(GigaMGMT) permanently installed on the front side, available with
either copper or optical ports. Figure 1-2 shows front and rear views
of the GigaVUE-420:

[Figure 1-2: The GigaVUE-420 Chassis. Front view (copper and optical):
base ports (copper version / optical version) and optional front module
slots. Rear view (AC and DC): power supplies (AC / DC), power supply
audible alarm reset button, Fan 1, Fan 2, and optional rear 10 Gb
module slots (shown empty and populated).]

Chassis Front – 10/100/1000 Modules
As shown in Figure 1-2, the front of the GigaVUE-420 chassis accepts
up to four hot-swappable, 4-port, 10/100/1000 modules for a total of
20 ports. The following modules are available for the chassis front:
• GigaPORT Module (Four-port UTP or SFP)
• GigaTAP-Sx/GigaTAP-Lx/GigaTAP-Zx Module
• GigaTAP-Tx Module
NOTE: See GigaVUE-420 Modules on page 63 for more information on
the base unit and optional modules.
Chassis Rear – 10 Gb Modules
You can install up to four hot-swappable 10 Gb modules on the rear
side of the chassis. Slots for 10 Gb modules are numbered x1 – x4.
This same terminology is used when working with the 10 Gb ports in
the GigaVUE CLI.
Both copper (GigaLINK-CU) and optical (GigaLINK-XR) 10 Gb
modules are available for the x1 – x4 slots.
Total Available Ports in a Maximally Sized Stack
You can stack up to 10 GigaVUE-420 systems for a total of 222
potential network/tool ports. There would be 240 total ports in such
a stack (24 x 10). Of the total potential 240 ports, eighteen would be
used as stack ports – two apiece for each of the 8 middle systems and
one on each of the stack endpoints.
GigaVUE-420 vs. the GigaVUE-MP
The GigaVUE-420 is the next generation of Gigamon Systems’
award-winning GigaVUE-MP data access switch. This section lists
and describes the major differences between the two products.
Differences in Hardware Features
The GigaVUE-420 takes the power built into the GigaVUE-MP and
increases its 10 Gb support. Users familiar with the GigaVUE-MP will
notice some key differences in the GigaVUE systems shown in
Figure 1-3 and Figure 1-4 right away:
• More 10 Gb Ports – Instead of the two possible 10 Gb ports
  provided by the GigaVUE-MP, you can now have up to four
  separate 10 Gb ports. In contrast to the GigaVUE-MP’s front and
  rear-mounted 10 Gb ports, 10 Gb ports on the GigaVUE-420 are
  all rear-mounted in individual module slots numbered from x1 to
  x4. You can use any combination of fiber-optical (GigaLINK-XR)
  or copper (GigaLINK-CU) 10 Gb modules.
• More Front Module Slots – You still get a maximum of 20
  separate 10/100/1000 ports on the front of the GigaVUE, but now
  those ports are distributed across the four ports in the base
  GigaMGMT unit (available with copper or optical ports) and four
  optional module slots. In contrast, the GigaVUE-MP used an
  8-port base module (the GigaMUX) and included three optional
  module slots.
  The types of optional modules available for the GigaVUE-420 are
  still the same as those available with the GigaVUE-MP:
  • GigaPORT Module (Four-port UTP or SFP)
  • GigaTAP-Sx/GigaTAP-Lx/GigaTAP-Zx Module
  • GigaTAP-Tx Module
  NOTE: The modules listed above are interchangeable. If you have
  existing versions from the GigaVUE-MP, you can use them in the
  GigaVUE-420.

[Figure 1-3: GigaVUE-420 vs. GigaVUE-MP – The Front Side. Front views
of both systems. The GV-420’s base module includes four ports (copper
or optical) instead of eight, giving you more slots for different
module types. Both systems accept the same optional module types
(GigaPORT and GigaTAP) and support a maximum of 20 ports on the front
side; however, the GV-420 has four optional module slots instead of
three.]

[Figure 1-4: GigaVUE-420 vs. GigaVUE-MP – The Back Side. Rear views of
both systems. Both systems use the same power supplies; DC power
supplies are also available. The GigaVUE-420 supports up to four
separate copper or optical 10 Gb modules; in contrast, the GigaVUE-MP
supported a maximum of two (one in the front and one in the rear).]
Differences in Software Features
GigaVUE-MP users will have no trouble adjusting to the
GigaVUE-420 – the new system’s CLI works much the same as the
old system. However, there are some key differences, as summarized
in the tables below.
Differences in Maps and Filters
Many of the limitations regarding maps and filters have been relaxed
on the GigaVUE-420, as summarized below:

Feature | GigaVUE-MP 3.5 | GigaVUE-420 4.0
Maximum Number of Localized Cross-Box, Multi-Tool Maps | 4 | 10
Maximum Number of Filter Entries in Database | 200 | 4,000
Maximum Number of Tool Ports with Filters Bound | 4 | 23
Maximum Number of Filters Bound to Tool Ports per Box (tool port-filters) | 480 | 100
Maximum Number of Network Port Filters and Single-Tool Map-Rules Bound per Box | 2520 network port-filters; 3600 map-rules | 2048
Maximum Number of Multi-Tool Map-Rules Bound per Box | 1680 | 512

NOTE: A multi-tool cross-box map is considered localized when it is
mapped to at least one network port on the local box.
User-Defined Pattern Match Filters
  GigaVUE-MP 3.5:
  • Supports 4-byte patterns.
  • Supports offsets at 4-byte boundaries from 0-80 bytes.
  • Offsets configured within the config filter command.
  • Patterns configured using the config filter [offsetx <1-byte-hex>]
    [datax <4-byte-hex>] [maskx <4-byte-hex>] command.
  • User-defined pattern match filters available in multi-tool maps
    and tool port filters.
  GigaVUE-420 4.0:
  • Supports 16-byte patterns.
  • Supports offsets at 4-byte boundaries from 2-126 bytes.
  • Offsets configured separately from patterns using the config uda
    command.
  • Patterns configured using the config filter [udax_data <16-byte-hex>]
    [udax_mask <16-byte-hex>] command.
  • User-defined pattern match filters not available in multi-tool
    maps and tool port filters. Use single-tool maps or network
    port-filters for user-defined pattern matches.

Filtered Tool Port Sharing
  GigaVUE-MP 3.5: Filtered tool ports cannot be shared with a map-rule.
  GigaVUE-420 4.0: Filtered tool ports can be shared with a connect,
  map-rule, xbconnect, or xbmap-rule.

Applying Filters to Unconnected Tool Ports
  GigaVUE-MP 3.5: Filters can only be applied to tool ports with a
  connection in place.
  GigaVUE-420 4.0: Filters can now be applied to tool ports without a
  connection in place.
  NOTE: You still cannot apply a filter to a network port without a
  connection in place.

Overlapping Map-Rule Ranges
  GigaVUE-MP 3.5: Overlapping ranges in map-rules only allowed when
  other arguments in the map-rule are different.
  GigaVUE-420 4.0: Overlapping ranges in map-rules allowed regardless
  of whether other arguments in the map-rule are different.

Filters/Map-Rules for IP Fragments
  GigaVUE-MP 3.5:
  • Matches all fragments for all conversations. Intended to be used
    in a single map-rule with no other attributes.
  • Only available in map-rules.
  • Filter either fragments or no fragments.
  GigaVUE-420 4.0:
  • Can be combined with IP Address and Port filters to focus on
    fragments associated with specific traffic.
  • Available in both filters and map-rules.
  • Filter on different types of fragments, including:
    - Unfragmented packets
    - Fragment in IP header
    - Unfragmented or fragment in IP header
    - Fragment but not in IP header
    - All fragments
Choosing Map Types in the GigaVUE-420
As with the GigaVUE-MP, the GigaVUE-420 supports both
single-tool and multi-tool maps. However, when working with the
GigaVUE-420, it’s important to understand the trade-offs that
accompany these map types. In general:

Single-Tool Maps
Use single-tool maps if you want to use user-defined pattern match
filters. The trade-off is that you will have fewer port-pair and pass-all
resources for ports in single-tool maps. Single-tool maps consume
system resources needed to construct pass-alls and port-pairs.

Single-Tool Maps
  Plus: Support Pattern Match Filters
  Minus: Fewer Port-Pairs (2 instead of 12); Fewer Pass-All
  Destination Ports for Ports in the Map (4 instead of 23)

Multi-Tool Maps
Multi-tool maps can consist entirely of map-rules that only send
traffic to a single tool port. There is no requirement that a multi-tool
map have at least one multi-tool rule.
This is important to keep in mind when deciding which type of map
to use – you can use a multi-tool map if you want to maximize the
number of pass-alls and port-pairs available for ports in the map. The
trade-off is that you will not be able to use user-defined pattern
matches in multi-tool map-rules.

Multi-Tool Maps
  Plus: More Port-Pairs (12 instead of 2); More Pass-All Destination
  Ports for Ports in the Map (23 instead of 4)
  Minus: No User-Defined Pattern Match Map-Rules
Differences in Restrictions on Legacy Commands

Port-Pair
  GigaVUE-MP 3.5:
  • Can only be established between ports in the same module.
  • Can only be established between ports running at the same speed.
  • No support for link status propagation.
  GigaVUE-420 4.0:
  • Can be established between any ports on the same GigaVUE-420.
  • Can be established between ports using different speeds (for
    example, from a 1 Gb port to a 10 Gb port).
  • Supports link status propagation – when one port goes down, the
    other port goes down (and vice-versa).

Pass-All
  GigaVUE-MP 3.5:
  • Can only be established within the GigaMGMT (ports 1-8) or within
    ports 9-20.
  • Can only be established to a single tool port destination.
  GigaVUE-420 4.0:
  • Can be established between any ports on the GigaVUE-420.
  • Can be established to multiple tool port destinations.

Cross-Box Maps
  GigaVUE-MP 3.5: Not allowed over optical stacking ports.
  GigaVUE-420 4.0: Allowed over optical stacking ports.
Differences in Stacking Commands for 10 Gb Ports
Many of the arguments for the stacking commands in the
GigaVUE-MP used “front” and “back” designators for the 10 Gb
ports. Because the GigaVUE-420’s 10 Gb ports are all on the back of
the unit now, the arguments for these commands have changed to
use x1 and x2 instead. The table below summarizes the differences.

config system active_link
  GigaVUE-MP 3.5: config system active_link <front | back | both | none>
  GigaVUE-420 4.0: config system active_link <x1 | x2 | both | none>
  Specifies which stacking ports are in use on the GigaVUE-420.

Specifying Stack Neighbors
  GigaVUE-MP 3.5: config system front_bid <1-10>; config system
  back_bid <1-10>
  GigaVUE-420 4.0: config system x1_bid <1-10>; config system
  x2_bid <1-10>
  These commands inform the local GigaVUE-420 of the boxes reachable
  from its stacking ports. They are renamed so that they no longer use
  the “front” and “back” designators.

Configuring Cable Lengths
  GigaVUE-MP 3.5: config system front_glink_cable_len; config system
  back_glink_cable_len. Changes to cable length settings are saved
  immediately.
  GigaVUE-420 4.0: config port-params <port-id> ib_cable_len. Changes
  to cable length settings must be saved manually using config save.
  You must specify the cable length for any copper stacking port
  connections. These commands are renamed and have moved from config
  system to config port-params.
Differences in Port-Stat Counters
Some of the port statistics shown by the show port-stats command
are counted differently on the GigaVUE-420. See Appendix D, Port
Statistics Counters for a full description of the available port
statistics.

Statistic | GigaVUE-MP 3.5 | GigaVUE-420 4.0
IfInOctets | Includes undersize frames. | Excludes undersize frames.
IfInUcastPkts | Includes packets with FCS/CRC errors. | Excludes packets with FCS/CRC errors.
IfInDiscards | Discards due to oversubscription counted only on Tool ports in a pass-all configuration. | Discards due to oversubscription counted on Tool ports in ALL configurations.
IfOutDiscards | Not supported in GigaVUE-MP. | Supported in GigaVUE-420. This counter increments when a packet is discarded at a tool port due to a tool port filter.
IfInError | Includes oversize packets without FCS/CRC. | Excludes oversize packets without FCS/CRC.

Differences in Mgmt Port
You can configure speed and duplex options for the GigaVUE-420’s
Mgmt port:

Feature | GigaVUE-MP 3.5 | GigaVUE-420 4.0
Mgmt Port Speed | Unconfigurable. Maximum speed of 100 Mbps. | Configurable for 10/100 Mbps. To achieve 1 Gb speed, autonegotiation must be enabled.
Mgmt Port Duplex | Unconfigurable. | Configurable.

The maximum configurable speed is 100 Mbps. However, with
autonegotiation enabled, the Mgmt port can negotiate a 1 Gb speed.
New Features in GigaVUE-420 v4.0
This section summarizes the major features in GigaVUE-420 v4.0,
including the changes relative to the GigaVUE-MP 3.5 release.
Features are grouped into the following major categories:
• System Management Features on page 37
• Filter and Map-Rule Features on page 39
• Traffic Distribution Features on page 41

System Management Features

Logging
  GigaVUE-420 introduces comprehensive logging capabilities to keep
  track of events on the unit. Logged events are always written to the
  local syslog.log file. In addition, you can optionally specify an
  external syslog server as a destination for GigaVUE-420’s logging
  output.
  First, check the log-level to make sure the events you’re interested
  in will be logged (the default log-level is Info, but you can change
  it). Then, use the show log command to view available log files and
  log file contents. You can filter the show log output by priority,
  type, and date range. You can also use the tail argument to show only
  the last x entries in the log.
  See Configuring Logging on page 185 for information on working with
  logging.

Upload Log Files
  You can use the upload -log command to upload saved log files to a
  TFTP server. This can be useful for troubleshooting issues with
  Support staff. If you used the delim option to display the log file
  in comma-delimited format, you can easily import the file into a
  spreadsheet application.
  See Uploading Log Files for Troubleshooting on page 192 for details.

History
  GigaVUE-420 includes a new History command that lets you see the
  last 50 commands you’ve issued during the current session. After
  issuing the History command, you can repeat any of the commands by
  typing !<command number>. For example, to repeat command number 6
  in the list, you would type !6 and press Enter. This makes it easy
  to reuse a command that you’ve already entered in the CLI.
  The History command is particularly useful when trying to construct
  complex map-rules or filters – long commands with exact syntax.
  Occasionally, you may try to construct a complex map-rule before its
  destination port is set up as a tool port, causing GigaVUE to reject
  the rule. In a case like this, you could configure the destination
  port as a tool port and then use the History command to reuse the
  previously rejected config map-rule command. With the destination
  port properly configured as a tool port, GigaVUE will no longer
  reject the rule.
  See history command on page 333 for details.

SNMP Traps
  GigaVUE-420 adds new powerchange and fanchange SNMP trap events.
  The powerchange trap is generated when:
  • One of the two power supplies is powered on or off.
  • Power is lost or restored to one of the two power supplies.
  The fanchange trap is generated when the speed of one of the two
  fans on the GigaVUE-420 drops below 4,800 RPM.
  See Enabling GigaVUE-420 Events for SNMP Traps on page 169 for
  details.
  Gigamon’s MIB has been updated to support both the GigaVUE-420 and
  the GigaVUE-MP.

Save Adds “Next Boot” Flag
  The config save command now includes a new nb (“next boot”)
  argument, allowing you to specify that a newly saved configuration
  file should be loaded at the next system boot. In previous GigaVUE
  products, you could only enable the next boot flag for a
  configuration file using the config file command.
  See Setting a Configuration File to Boot Next on page 182 for
  details.
Filter and Map-Rule Features

IPv6 Filters
  GigaVUE-420 adds several new filter options for IPv6:
  • Allow or deny traffic from specific IPv6 source or destination
    addresses.
  • Allow or deny IPv6 packets matching a particular IPv6 Flow Label.
  • Allow or deny traffic based on IP version (IPv4 or IPv6).
  See Config Filter Syntax on page 225 for details on these options.

Improved Pattern Match Filters
  GigaVUE-420 significantly enhances the user-defined pattern match
  filters available in the GigaVUE-MP 3.5 product:
  • You can now use 16-byte patterns instead of the 4-byte patterns
    available in the GigaVUE-MP 3.5.
  • Offsets can now be set at 4-byte boundaries from 2-126 bytes
    instead of the 0-80 byte range supported in the GigaVUE-MP 3.5.
  • You now set offsets for user-defined pattern matches separately
    from the patterns themselves.
  See Working with User-Defined Pattern Match Filters on page 237 for
  details.

Filters for TCP Control Bits
  GigaVUE-420 adds built-in filter support for any of the eight
  standard control bits (“flags”) in the TCP header (CWR, ECE, URG,
  ACK, PSH, RST, SYN, FIN).
  See Config Filter Syntax on page 225 for details.

Filters for TTL/Hop Limit Values
  GigaVUE-420 adds the ability to filter on Time To Live (TTL; IPv4)
  or Hop Limit (IPv6) values. These fields perform the same function:
  each router decrements the value, and a packet is discarded when it
  reaches zero, which bounds the number of hops a packet can cross.
  See Config Filter Syntax on page 225 for details.

Improved IP Fragment Filters
  GigaVUE-420 significantly enhances the IPv4 fragment filters
  available in the GigaVUE-MP 3.5 product:
  • Available in both filters and map-rules (only available in
    map-rules on the GigaVUE-MP 3.5).
  • Can be used with other filters/map-rules instead of standalone.
    Previously intended to be used in a single map-rule with no other
    attributes.
  • Previous versions only let you match either fragments or no
    fragments. This release lets you filter on different types of
    fragments, including:
    - Unfragmented packets
    - Fragment in IP header
    - Unfragmented or fragment in IP header
    - Fragment but not in IP header
    - All fragments
  See Config Filter Syntax on page 225 for details.

Protocol Filters
  GigaVUE-420 adds support for one-byte user-defined pattern matches
  in protocol filters. This way, you can specify a particular pattern
  to be matched against the Protocol (IPv4) or Next Header (IPv6)
  field in the IP header.
  See Config Filter Syntax on page 225 for details.
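The pattern-match, TCP control bit, TTL and IP fragment options listed in this table (and in the pattern-match and fragment rows of the GigaVUE-MP comparison earlier in this chapter) can be made concrete in software. The Python below is an added example written for this edition; it is not Gigamon code and not the device's implementation. It evaluates a 16-byte pattern and mask at a 4-byte-aligned offset against a constructed Ethernet/IPv4/TCP frame, reads TTL and TCP flags, and sorts a packet into the guide's five fragment selections. Three points are assumptions rather than documented behaviour: that UDA offsets count from the first byte of the Ethernet frame and must satisfy offset % 4 == 2 (the reading of "4-byte boundaries from 2-126 bytes" under which the IPv4 header at byte 14 is a legal offset), that "fragment in IP header" means the first fragment and "fragment but not in IP header" any later fragment, and that a frame too short to cover the 16-byte window does not match.

```python
"""Added illustration (not Gigamon code) of the GigaVUE-420 filter options
described in this chapter: a 16-byte user-defined pattern match (UDA) at a
4-byte-aligned offset, TTL, TCP control bits, and the five IPv4 fragment
selections.  Assumptions are marked in the comments."""
import struct

ETH_LEN = 14
TCP_FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
                 "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

# Constructed sample frame: Ethernet II / IPv4 / TCP SYN, 14 + 20 + 20 bytes.
FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"   # dst MAC, src MAC, EtherType IPv4
    "4500" "0028" "abcd" "4000"            # v4/IHL 5, TOS, len 40, ID, DF, offset 0
    "40" "06" "0000"                       # TTL 64, protocol 6 (TCP), checksum
    "c0a80164" "0a000001"                  # 192.168.1.100 -> 10.0.0.1
    "c350" "01bb" "00000001" "00000000"    # ports 50000 -> 443, seq, ack
    "50" "02" "ffff" "0000" "0000"         # data offset 5, flags SYN, window, csum, urg
)


def uda_offset_ok(offset):
    """Guide: offsets of 2-126 bytes on 4-byte boundaries.  Assumption: that
    means offset % 4 == 2 counted from the first byte of the Ethernet frame,
    so every 4-byte word of the IPv4 header (starting at 14) is addressable."""
    return 2 <= offset <= 126 and offset % 4 == 2


def uda_match(frame, offset, data_hex, mask_hex):
    """(frame[offset:offset+16] & mask) == (data & mask).  A frame too short to
    cover the 16-byte window does not match (assumption)."""
    if not uda_offset_ok(offset):
        raise ValueError("offset must be 2..126 on a 4-byte boundary")
    data, mask = bytes.fromhex(data_hex), bytes.fromhex(mask_hex)
    if len(data) != 16 or len(mask) != 16:
        raise ValueError("pattern and mask must be 16 bytes each")
    window = frame[offset:offset + 16]
    return len(window) == 16 and all(
        (w & m) == (d & m) for w, d, m in zip(window, data, mask))


def parse_ipv4(frame):
    """Header fields the filters need; no checksum or length validation."""
    ver_ihl, _tos, _tlen, _ident, flags_frag, ttl_val, proto = struct.unpack(
        "!BBHHHBB", frame[ETH_LEN:ETH_LEN + 10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ihl": (ver_ihl & 0x0F) * 4, "ttl": ttl_val, "proto": proto,
            "mf": bool(flags_frag & 0x2000), "frag_off": flags_frag & 0x1FFF}


def fragment_class(frame):
    """'unfragmented', 'first' (offset 0 with MF set: the only fragment that
    carries the transport header) or 'later' (non-zero offset)."""
    ip = parse_ipv4(frame)
    if ip["frag_off"]:
        return "later"
    return "first" if ip["mf"] else "unfragmented"


# The guide's five fragment selections mapped onto the classes above.
# Assumption: "fragment in IP header" = first fragment, "fragment but not in
# IP header" = any later fragment.
FRAGMENT_SELECTORS = {
    "unfragmented": {"unfragmented"},
    "fragment_in_header": {"first"},
    "unfragmented_or_in_header": {"unfragmented", "first"},
    "fragment_not_in_header": {"later"},
    "all_fragments": {"first", "later"},
}


def fragment_filter(frame, selector):
    return fragment_class(frame) in FRAGMENT_SELECTORS[selector]


def ttl(frame):
    return parse_ipv4(frame)["ttl"]


def tcp_flags(frame):
    """Names of the set TCP control bits.  Later fragments carry no TCP
    header, so they yield an empty set whatever the flow's flags are."""
    ip = parse_ipv4(frame)
    if ip["proto"] != 6 or ip["frag_off"] != 0:
        return set()
    flags = frame[ETH_LEN + ip["ihl"] + 13]
    return {name for name, bit in TCP_FLAG_BITS.items() if flags & bit}


def with_fragment_bits(frame, mf, frag_off):
    """Copy of `frame` with the IPv4 MF flag and fragment offset (8-byte
    units) rewritten; used to build fragment test cases."""
    out = bytearray(frame)
    out[ETH_LEN + 6:ETH_LEN + 8] = struct.pack(
        "!H", (0x2000 if mf else 0) | (frag_off & 0x1FFF))
    return bytes(out)


if __name__ == "__main__":
    # Source address lives at byte 14 + 12 = 26, a legal offset (26 % 4 == 2).
    print(uda_match(FRAME, 26, "c0a80164" + "00" * 12, "ffffffff" + "00" * 12))
    print(sorted(tcp_flags(FRAME)), ttl(FRAME), fragment_class(FRAME))
    later = with_fragment_bits(FRAME, mf=False, frag_off=185)
    print(fragment_class(later), fragment_filter(later, "all_fragments"), tcp_flags(later))
```

Run the file directly to print the results for the sample frame. Two behaviours are worth noting for filter design: in this example a pattern at a non-aligned offset is rejected outright rather than shifted, so an operator who wants to match a field at byte 24 must start the window at 22 and mask the first two bytes out; and a later fragment has no TCP header at all, so a TCP-flag or port filter on its own never sees it, which is the case the guide's combination of fragment filters with address and port filters is meant to cover.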
Traffic Distribution Features

Config Pass-All Enhancements
  The GigaVUE-420 relaxes some of the restrictions on the config
  pass-all command from the GigaVUE-MP 3.5:
  • You can set up pass-alls between any of the ports on each
    GigaVUE-420 chassis, including the 10 Gb ports. In contrast, the
    GigaVUE-MP requires that pass-alls be established either between
    Ports 1-8 (the GigaMGMT base unit) or Ports 9-20 (the optional
    module slots).
  • You can set up pass-alls to multiple tool port destinations
    instead of just a single tool port.
  See Using the Pass-All Command on page 250 for details.

Tool Port Sharing
  A filtered tool port can now be shared among multiple connection
  types (for example, an xbconnect and a map-rule).
GigaVUE-420 Specifications
This section provides the physical specifications and power
requirements for the GigaVUE-420 unit.

GigaVUE-420 Physical Dimensions and Weight
The GigaVUE-420 is housed in a 1U high rack-mountable chassis. The
table below summarizes its dimensions:

Specification | Value
Width | 17.31 inches (without mounting ears); 19.0 inches including the front mounting ears
Height | 1.75 inches (1U)
Depth | 23.50 inches
Weight (Fully Populated) | 30.8 lbs / 14.0 kg (approximately)
Shipping Weight | 45 lbs / 20.5 kg (approximately)

Power Requirements
The GigaVUE-420 is powered by dual redundant, load-sharing,
hot-swappable power supplies. The GigaVUE-420 can be ordered
with either dual 100-240V 50-60Hz AC power supplies, or dual -48V
DC power supplies. The table below summarizes the electrical
characteristics of the unit:

Power Supply Type | Requirement
Heat/Power Dissipation | For a fully populated system (24 ports) with all ports at 100% traffic load: nominally 160 Watts / 546 BTU/hour
AC Power Supplies | 100 to 240V AC, 50-60 Hz; nominal current requirement: 1.45A @ 110 VAC
DC Power Supplies | -36 to -72V DC; optional external fuse rating: 6A Slow-Blo; nominal current requirement: 3.33A @ -48 VDC

NOTE: See Connecting -48 V DC Power Supplies on page 62 for
instructions on how to connect DC power supplies.

Environmental Specifications
The following table summarizes the GigaVUE-420’s environmental
specifications:

Specification | Value
Operating Temperature | 32°F to 104°F (0°C to 40°C)
Operating Relative Humidity | 20% to 80%, non-condensing
Non-Operating Temperature | -4°F to 158°F (-20°C to 70°C)
Non-Operating Relative Humidity | 15% to 85%, non-condensing
Altitude | Up to 15,000 ft (4.6 km)
Chapter 2
Updating the GigaVUE-420
This section describes how to update the GigaVUE-420’s software
with a new release. To update the GigaVUE-420, you will need the
following items:
Updated GigaVUE-420 Image: This is the image file containing the updated v4.0 software (gvb4003). You can obtain this image by contacting Technical Support via either e-mail or telephone:
• E-mail: support@gigamon.com
• Telephone: (408) 263-2022
TFTP Server: You will need to copy the GigaVUE-420 4.0 software image onto this TFTP server. The GigaVUE-420 unit will need the TFTP server’s IP address so that it can connect to the server and download the image.
NOTE: There are freeware TFTP servers available on the Internet for a variety of operating systems.
Update Procedure
1. Copy the new GigaVUE-420 installation file to your TFTP server.
2. Log in to the system to be updated as a super user.
NOTE: Normal users do not have the necessary privileges to
update the GigaVUE-420 software.
3. Use the config save command to save your configuration to flash
memory for version migration.
4. Use the following command to install the GigaVUE-420 software:
install image_name TFTP-server-ipaddr
For example, to install the GigaVUE-420 4.0 installation file
named gv.bin.4.0.xx from a TFTP server running on IP address
192.168.1.102, you would use the following command:
install gv.bin.4.0.xx 192.168.1.102
5. The system may warn you that another image file already exists
in the system. Press y to confirm that you want to install the new
image.
The system will erase the existing image and install the new one.
Wait for this process to complete. The system will inform you that
the image was installed successfully.
6. When the system prompt reappears, reset the system with the
reset system command.
7. When the login prompt appears, log in and use the config save
command to save your configuration in the new v4.0 format.
Chapter 3
Getting Started with GigaVUE-420: A Roadmap
This chapter provides a flow chart of the major steps you need to
perform to get GigaVUE-420 up and running on your network. It also
describes what you should do once you have completed the initial
setup of the unit.
• First Steps – Getting Connected and into the CLI on page 48
• Next Steps on page 49
First Steps – Getting Connected and into the CLI
You’ve received your GigaVUE-420 unit and now you’re ready to get
up and running. Figure 3-1 shows the major steps you need to
perform to get the GigaVUE-420 out of the box, into a rack, plugged
in, and running on your network:
Step 1: Rack-Mount GigaVUE-420
See Rack-Mounting the GigaVUE-420 on page 51.
Step 2: Connect GigaVUE-420
See Connecting the GigaVUE-420 on page 59.
Step 3: Access the Command-Line Interface
See Getting Started in the Command Line Interface on page 79.
Step 4: Configure Essential CLI Options:
• Get familiar with the CLI
• Configure System Options
• Configure Users and Passwords
• Set the Name, Date, and Time
See the sections beginning with Command Line Basics on page 91.
Step 5: Configure Cross-Box Stacks. If you are connecting multiple GigaVUE-420 systems together in a cross-box stack, this chapter describes how to make the physical connections and use the correct configuration commands.
See Stacking GigaVUE-420 Boxes on page 105.
Step 6: Set Security Options.
See Configuring GigaVUE-420 Security Options on page 133.
Figure 3-1: Getting Started Roadmap (flow chart of the six steps: 1 Rack-Mount GigaVUE-420; 2 Make GigaVUE-420 Connections; 3 Access the Command Line Interface; 4 Configure Basic CLI Options; 5 Configure Cross-Box Stacks; 6 Set Security Options)
Next Steps
Once you’ve performed the initial configuration of the GigaVUE-420
unit (installing, connecting, and configuring it), you’re ready to
get started mapping traffic between network and tool ports.
See Introducing Packet Distribution on page 197 for information on
these day-to-day GigaVUE-420 tasks.
Chapter 4
Rack-Mounting the GigaVUE-420
This section describes how to unpack and rack-mount the
GigaVUE-420 chassis. The section covers the following major topics:
• Unpacking GigaVUE-420 on page 51
• Rack-Mounting the GigaVUE-420 on page 52
Unpacking GigaVUE-420
Unpack GigaVUE-420 and inspect the box it was shipped in. If the
carton was damaged, please file a claim with the carrier who
delivered it. Next, select a suitable location for the rack unit that will
hold the GigaVUE-420.
Choose a location that is clean, dust free, and well ventilated. You
will need access to a grounded power outlet. Avoid areas where heat,
electrical wire, and electromagnetic fields are generated.
Plan for enough clearance in front of a rack so you can open the front
door completely (approximately 25 inches) and enough clearance in
the back of the rack to allow sufficient airflow and easy access for
servicing the 10 Gb connections.
Rack-Mounting the GigaVUE-420
This section describes how to rack-mount the GigaVUE-420 in a
standard 1U rack space using the hardware provided with the
chassis. You can install the GigaVUE-420 in racks with a minimum
width of 17.75”.
See the following sections:
• Safety Precautions on page 52
• Rack Mounting Hardware on page 53
• Four-Point Mounting in Four-Post Racks on page 54
• Center-Mounting in Two-Post Racks on page 56
Safety Precautions
There are a wide variety of racks available on the market. Make sure
you consult the instructions provided by your rack vendor for
detailed mounting instructions before installing the GigaVUE-420
chassis.
NOTE: Before rack-mounting the GigaVUE-420, make sure you have
read the following safety precautions:
• The GigaVUE-420 chassis weighs approximately 31 pounds when fully populated. Make sure you install any stabilizers provided for the rack before installing the chassis. Unsecured racks can tip over.
• Make sure you install boxes in the rack from the bottom up with the heaviest boxes at the bottom.
• Make sure you provide adequate ventilation to the systems installed in the rack.
Rack Mounting Hardware
Figure 4-1 shows the rack mount hardware included with the
GigaVUE-420. You use this hardware together with the supplied
screws to rack mount the system in either a four-post or two-post
rack.
Slide Assemblies: Use the slide assemblies together with the orange rack ears for four-point mounting in a four-post rack.
Rack Ears: Use the rack ears either by themselves for center-mounting in a two-post rack or together with the slide assemblies for four-point mounting in a four-post rack.
Figure 4-1: Rack Mount Hardware Kit
Four-Point Mounting in Four-Post Racks
To mount the GigaVUE-420 in a four-post rack, you use both the
orange rack ears and the slide assemblies. The rack ears attach at the
front of the unit and the slide assemblies at the rear.
The slide assemblies make it easy to adjust the mount points to fit
racks of varying widths:
• The unit can slide forward and backward on the slide assembly to fit the width of the rack.
• There are two attachment points on the side of the GigaVUE-420 for the slide assemblies, making it easy to adjust the width to fit the rack (Figure 4-2).
Figure 4-2: Attachment Points for Slide Assemblies (two pictures: one with the slide assembly attached in the front position, one with it attached in the rear position)
To mount the GigaVUE-420 chassis in a four-post rack:
1. Attach the orange rack ears to the front of the unit using the
supplied screws.
2. As shown in Figure 4-1 on page 53, the slide assemblies consist of
two parts – a flat tab with a beveled edge and a sliding bracket
that fits over the tab. Attach the flat tabs to the GigaVUE-420 at
one of the two rear positions (see Figure 4-2). Select the position
that best fits the width of your rack.
3. Attach the bracket portions of the slide assembly to the rear posts
of the rack with the supplied screws.
4. Slide the chassis into the rack space occupied by the brackets,
making sure that the tabs fit into the brackets.
5. Slide the unit in until the orange rack ears are flush with the front
rack posts.
6. Attach the orange rack ears to the front posts of the rack with the
supplied screws.
Center-Mounting in Two-Post Racks
To center-mount the GigaVUE-420 in a two-post rack, you attach the
orange rack ears to the middle of the unit. As shown in Figure 4-3,
you can attach the rack ears facing either forward or backward to best
fit your rack.
Figure 4-3: Attaching Rack Ears for Center-Mounting (two pictures: rack ears attached at the center-mount position facing towards the front of the chassis, and rack ears attached at the center-mount position facing towards the rear of the chassis)
To center-mount the GigaVUE-420 chassis in a two-post rack:
1. Attach the orange rack ears to the middle of the unit using the
supplied screws.
As shown in Figure 4-3, you can attach the rack ears facing
towards either the front or the rear of the chassis. Select the
orientation that best fits your rack. For example, one position may
provide better clearance for rack doors at the front of the chassis.
2. While one person supports the weight of the unit with the rack
ears flush to the chassis, a second person can attach the ears to the
rack with the supplied screws.
Chapter 5
Connecting the GigaVUE-420
This section explains how to make the basic GigaVUE-420
connections necessary to get the box powered up and communicating
with a connected PC in the command-line interface. It includes the
following major sections:
• Basic GigaVUE-420 Connections on page 59
• Connecting -48 V DC Power Supplies on page 62
• GigaVUE-420 Modules on page 63
• Using Modules – Best Practices on page 74
• Traffic Distribution and Replacing Modules on page 75
Basic GigaVUE-420 Connections
To make basic GigaVUE-420 connections:
1. Gigamon Systems provides the GigaVUE-420 with a DB9-to-RJ45
serial cable used to connect a PC’s COM port to the Console port
on the GigaVUE-420. This cable is called a Console cable.
Connect the RJ45 end of the Console cable to the GigaVUE-420’s
Console port.
NOTE: See Appendix E, Console Cable Pinouts for details on the
connectors on this cable.
Figure 5-1: Connecting the GigaVUE-420’s Console Port (shows the RJ45 end of the DB9-to-RJ45 Console cable)
2. Connect the DB9 end of the Console cable to a PC’s COM port.
3. Make sure the power supply switches are both in the off position.
Then, plug power cables into each of the GigaVUE-420’s dual
power supplies (Figure 5-2).
NOTE: For information on connecting the optional DC power
supplies, see Connecting -48 V DC Power Supplies on page 62.
Figure 5-2: Plugging in the Power Supplies
4. Plug the other end of the power cables into a power source that
can supply adequate power. For optimal power protection, plug
the power supplies into separate circuits.
For information on GigaVUE-420 power requirements, see Power
Requirements on page 42.
5. Turn on the power switches for each of the dual power supplies
(Figure 5-3).
6. See Establishing a Configuration Session with GigaVUE-420 on
page 79 for information on how to connect to the GigaVUE-420’s
command-line interface.
Figure 5-3: Turning on the Power Switches (callouts: power switches; power supply alarm cancel button)
Connecting -48 V DC Power Supplies
The GigaVUE-420 is available with DC power supplies (Figure 5-4)
instead of the standard AC power supplies provided with most
systems. This section provides instructions for connecting a -48 V DC
power source to the DC power supplies.
Figure 5-4: DC Power Supply with Screw Terminals (callouts: ground terminal; 0V return terminal; -48V terminal)
To connect a -48 V DC input to the screw terminal DC power
supply:
1. Remove the safety cover from the power terminals.
2. Connect the power supply ground terminal to earth ground (Figure 5-4).
3. Connect the positive and negative power cables to the screw terminals using a Phillips screwdriver. See Figure 5-4 for the locations of the terminals:
• The top connector on the DC power supply is the 0V connector.
• The bottom connector on the DC power supply is the -48V return connector.
4. Replace the safety cover over the power terminals.
5. Connect the neutral and negative power cables to the DC power
source:
• Connect the neutral wire to the 0V (RTN) connector on the DC power source.
• Connect the negative wire to the -48V connector on the DC power source.
6. Repeat Step 2 through Step 5 for the second DC power supply in
the GigaVUE-420.
7. Once you have connected the DC power connections, switch the
power buttons for each of the power supplies to the ON position.
GigaVUE-420 Modules
This section describes each of the GigaVUE-420 modules. All
GigaVUE-420 systems are shipped with the 4-port GigaMGMT
(page 64) base unit with either copper or optical Ethernet ports. Then,
you can use the following modules in the front and rear slots:
Modules for Front Slots
The four front slots in the GigaVUE-420 chassis can be filled with
any combination of the following optional modules:
• GigaPORT Module (page 65)
• GigaTAP-Sx/Lx/Zx Module (page 67)
• GigaTAP-Tx Module (page 68)
NOTE: The modules listed above are interchangeable between the
GigaVUE-MP and the GigaVUE-420. If you have existing versions
from the GigaVUE-MP, you can use them in the GigaVUE-420.
Modules for Rear Slots
The four rear slots in the GigaVUE-420 chassis can be filled with
any combination of the following optional 10 Gb modules:
• GigaLINK-CU (page 73)
• GigaLINK-XR (page 73)
GigaMGMT Four-Port Base Module
All GigaVUE-420 systems include a 4-port GigaMGMT base module
(Figure 5-5) at the far left of the chassis. The GigaMGMT base
includes Mgmt and Console ports for administrative connections, as
well as four network/tool ports. The GigaMGMT is available with
either copper or optical network/tool ports. Both are shown in
Figure 5-5.
Figure 5-5: The GigaMGMT Four-Port Base Module (callouts: GigaMGMT with copper ports has 10/100/1000 Ethernet network/tool ports; GigaMGMT with optical ports has fiber-optical Gigabit Ethernet network/tool ports; the Mgmt port is for 10/100/1000 Ethernet configuration and has Link (green) and Activity (yellow) LEDs; the Console port is for serial configuration. Note that the LEDs for the Console port are not enabled.)
The table below lists and describes the connectors on the GigaMGMT
base module:
Table 5-1: GigaMGMT Base Module Connectors
Mgmt: Use the Mgmt port for remote configuration of the GigaVUE-420 over a 10/100/1000 Ethernet network. See Remote Connections to the Mgmt Port on page 82 for information on establishing a Telnet or SSH configuration session with the GigaVUE-420.
Console: Use the Console port for local configuration of the GigaVUE-420 over a serial connection. See Local Connections to the Console Port using the Console Cable on page 80 for information on establishing a serial configuration session with the GigaVUE-420 in a terminal window.
Tool/Network Ports (1-4): Ports 1-4 can be used as either network (input) or tool (output) ports. There are separate copper and optical models available:
• Copper 10/100/1000 UTP Ethernet ports.
• Fiber-optical Gigabit Ethernet ports.
GigaPORT Module
The GigaPORT module provides flexible connectivity to a total of
four copper and/or fiber-optical Gigabit Ethernet network ports –
there are four ports for each.
Although there are a total of eight connectors on the GigaPORT, you
can only use four at a time. An easy way to visualize this is to think of
the GigaPORT as having four ports, each with an electrical and an
optical interface. Enabling one interface for a given port disables the
other (for example, if the RJ45 electrical interface is enabled on Port 9,
the optical SFP interface for Port 9 is disabled).
You use the config port-params <port-id> medium <electrical |
optical> command to specify whether the RJ45 10/100/1000 Ethernet
interface or the fiber-optical SFP interface is enabled for a given port.
NOTE: You can always tell whether the copper or optical port is
enabled by typing the show connect command in the GigaVUE-420
CLI. Ports listed in parentheses use an electrical/RJ45 interface. Ports
listed without parentheses use an optical SFP/LC interface.
NOTE: 850 nm multi-mode or 1310 nm single-mode SFP transceivers
are available as standard options. Zx 1550 nm single-mode SFP
transceivers are available as a special order.
Figure 5-6: The GigaPORT Module (callouts: copper UTP 10/100/1000 Ethernet ports; fiber-optical 1 Gb ports)
GigaPORT Port Numbering
Ports on the GigaPORT module are numbered from top to bottom,
left to right. Figure 5-7 illustrates how the ports would be numbered
if this GigaPORT module was installed in the Ports 9-12 slot in the
GigaVUE-420 chassis.
Figure 5-7: Sample Port Numbering – GigaPORT Module (the copper and the optical connector groups are each numbered 9 and 11 in the top row and 10 and 12 in the bottom row)
GigaTAP-Sx/GigaTAP-Lx/GigaTAP-Zx Modules
GigaTAP-Sx, Lx, and Zx modules provide the ability to tap fiber-optical
Gigabit Ethernet links (1000BASE-Sx, 1000BASE-Lx, or 1000BASE-Zx,
respectively). The GigaTAP-Sx/Lx/Zx modules use a fiber-optic
splitter to tap the signal flowing through the module for distribution
to GigaVUE-420 tool ports. There are two pairs of LC ports for
tapping two different links.
NOTE: GigaTAP-Sx/Lx/Zx ports can only be used as network ports.
They cannot be used as tool ports.
The optical GigaTAP modules protect production links during a
power outage by using an optical switch.
Figure 5-8: The GigaTAP-Sx Module (callouts: two optical tap port pairs)
GigaTAP-Tx Module
The GigaTAP-Tx module provides the ability to tap a copper Gigabit
Ethernet link, copying traffic to specified tool ports as it flows
through the tap. There are two pairs of RJ45 connectors for tapping
two different links.
NOTE: GigaTAP-Tx ports can be used as either network or tool ports.
Figure 5-9: The GigaTAP-Tx Module (callouts: two RJ45 tap port pairs)
Passive Mode vs. Active Mode
By default, the ports in the GigaTAP-Tx module operate in passive
mode instead of active mode:
• In passive mode, the relays in the GigaTAP-Tx module are closed. This means that traffic received on one port is repeated out the other port in the pair but is never seen by the GigaVUE-420 – it simply flows between the two ports. Passive mode protects production links in case of power failure. The tap will always revert to passive mode in the event of power loss.
• In active mode, the relays in the GigaTAP-Tx module are open. Traffic received on one port is actively regenerated out the other port in the port-pair. In addition, it flows through the GigaVUE-420, making it available to tool ports.
Configuring Tap Connections
There are two main configuration steps when tapping a link with the
GigaTAP-Tx:
• Set up the Port-Pair on page 69
• Verify End Node Status and Open the Relays on page 70
Set up the Port-Pair
A port-pair is a bidirectional connection in which traffic arriving on
one port in the pair is actively regenerated out the other (and
vice-versa) as a passthrough tap. Without a port-pair in place, traffic
arriving on one port will not be regenerated out the other. So, the first
step in tapping a link is to set up the port-pair with the config
port-pair command:
config port-pair <port-alias1|pid1> <port-alias2|pid2> alias <string>
Notes on Port-Pairs
• Port-pairs can be established between any ports on the same GigaVUE-420.
• Port-pairs support link status propagation – when one port goes down, the other port goes down (and vice-versa).
• Port-pairs between GigaMGMT or GigaPORT ports can be used as an electronic tap for RJ45 or fiber-optical links, although without the fail-over protection provided by the GigaTAP-Tx and GigaTAP-Sx/Lx/Zx.
• Port-pairs can be established between ports using different speeds (for example, from a 1 Gb port to a 10 Gb port).
NOTE: Depending on traffic volume, port-pairs between ports using different speeds can cause packet loss when going from a faster port to a slower port (for example, from 1 Gb to 100 Mbps, from 10 Gb to 1 Gb, and so on).
Verify End Node Status and Open the Relays
The next step is to open the relays for the ports used to tap the link.
Before doing so, however, check the link status LEDs on both end
nodes connected to the port-pair ports to verify that they are
operating correctly. The links must be good for failover protection to
function properly.
If the link status on the end nodes is not good (LEDs are not green),
check the following:
• Verify that the combined cable length is less than 100 meters.
• Verify that autonegotiation settings match. If autonegotiation is not enabled on one of the endpoints, you must manually configure the port-params of the connected tap ports to match, followed by a config save. See config port-params commands on page 309 for details.
• Most newer Ethernet interfaces support autosensing (Auto-MDI/MDI-X; part of the 1000BASE-T standard). However, if your equipment does not support this feature (or it is disabled), you may need to use a crossover cable.
Then open the relays for the ports used to tap the link in the GigaTAP-Tx using the config port-params <port-id> taptx active command. Once you have opened the relays, verify that the green link LEDs for both ports in the port-pair have illuminated.
Set up Connections/Maps for Both Ports
Once you have set up a port-pair, make sure to logically connect both
ports in the port-pair connection to tool ports. Only the receive traffic
is forwarded through the connections, so it’s important to connect
both sides of the port-pair to tool ports to see both sides of the traffic.
Example: consider the tap scenario shown in Figure 5-10:
Figure 5-10: Example – Tapping a Link with the GigaTAP-Tx (Switch A and Switch B connected through ports 13 and 14 of a GigaTAP-Tx occupying ports 13-16)
• The GigaTAP-Tx is installed in the Port 13 - 16 slot in the GigaVUE-420.
• The tap is set up between ports 13 and 14.
To set up this tap scenario, you would issue the following commands
in the GigaVUE-420 CLI:
config port-pair 13 14 alias switch-tap
    This command sets up the port pair between ports 13 and 14 so that traffic received on 13 is repeated out 14 (and vice-versa). In this example, we’ve given our port-pair the alias switch-tap.
config port-params 13 taptx active
    This command opens the relays on port 13 and the adjacent port (14).
Once you have set up the tap, it’s always a good idea to do a show
connect in the GigaVUE-420 CLI to review the settings in place.
Figure 5-11 shows the results of a show connect once this example
has been set up.
Figure 5-11: Setting up a Tap with the GigaTAP-Tx (the show connect output illustrates the tap in place: the plus signs (+) in front of 13 and 14 indicate that the relays are open, and the port-pair is shown at the end of the ports list with an illustration of the traffic flow)
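The port-pair and relay behaviour described above (passive vs. active mode, fallback to passive on power loss, link status propagation, and the need to connect both sides of the pair to tool ports), replayed in a small Python model. This is an added example, not Gigamon code; the tool port numbers 15 and 16, the frame contents and the method names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:                      # constructed sample frame; only fields the model needs
    src: str
    dst: str
    payload: str


class GigaTapTxModel:
    """Behavioural model of one GigaTAP-Tx port-pair and the tool ports it feeds.
    Added teaching model, not Gigamon code; port IDs follow the guide's example."""

    def __init__(self, tap_ports, tool_ports):
        self.tap_ports = set(tap_ports)
        self.tool_ports = set(tool_ports)
        self.partner = {}                       # port -> other port in its pair
        self.pair_alias = {}                    # port -> port-pair alias
        self.relays_open = set()                # ports currently in active mode
        self.link_up = {p: True for p in tap_ports}
        self.connections = {}                   # network port -> {tool ports}
        self.tool_seen = {t: [] for t in tool_ports}

    # ---- configuration commands named in the guide ----
    def config_port_pair(self, p1, p2, alias):
        """config port-pair <pid1> <pid2> alias <string>"""
        if p1 == p2 or not {p1, p2} <= self.tap_ports:
            raise ValueError("a port-pair needs two distinct ports on this tap")
        self.partner[p1], self.partner[p2] = p2, p1
        self.pair_alias[p1] = self.pair_alias[p2] = alias

    def config_port_params_taptx(self, port, mode):
        """config port-params <port-id> taptx <active|passive>; acts on the port
        and its adjacent pair member (the guide's 'taptx active' on 13 opens 14 too)."""
        if port not in self.partner:
            raise ValueError("set up the port-pair before opening the relays")
        pair = {port, self.partner[port]}
        if mode == "active":
            self.relays_open |= pair
        elif mode == "passive":
            self.relays_open -= pair
        else:
            raise ValueError("mode must be 'active' or 'passive'")

    def connect(self, network_port, tool_port):
        """Logically connect a network port's receive traffic to a tool port."""
        if tool_port not in self.tool_ports:
            raise ValueError("unknown tool port")
        self.connections.setdefault(network_port, set()).add(tool_port)

    # ---- events ----
    def power_loss(self):
        """Power loss always drops the tap back to passive mode (relays closed)."""
        self.relays_open.clear()

    def set_link(self, port, up):
        """Link status propagation: when one port of a pair goes down, so does the other."""
        self.link_up[port] = up
        if port in self.partner:
            self.link_up[self.partner[port]] = up

    def receive(self, port, frame):
        """Deliver one frame arriving on a tap port; returns [(egress port, frame), ...].
        Passive: repeated out the partner port only, never seen by the GigaVUE-420.
        Active: also copied to tool ports connected to the *receiving* port, because
        only receive traffic is forwarded through a connection."""
        if port not in self.partner or not self.link_up[port]:
            return []                           # no pair or link down: nothing regenerated
        out = [(self.partner[port], frame)]
        if port in self.relays_open:
            for tool in sorted(self.connections.get(port, ())):
                self.tool_seen[tool].append(frame)
                out.append((tool, frame))
        return out


def run_guide_example(connect_both_sides=True):
    """Replays Figure 5-10: Switch A on port 13, Switch B on port 14, tool ports
    15 and 16 (assumed). Returns the configured model after one frame each way."""
    tap = GigaTapTxModel(tap_ports=[13, 14], tool_ports=[15, 16])
    tap.config_port_pair(13, 14, alias="switch-tap")
    tap.connect(13, 15)                         # A->B direction to tool port 15
    if connect_both_sides:
        tap.connect(14, 16)                     # B->A direction to tool port 16
    tap.config_port_params_taptx(13, "active")  # opens relays on 13 and 14
    tap.receive(13, Frame("switch-a", "switch-b", "request"))
    tap.receive(14, Frame("switch-b", "switch-a", "reply"))
    return tap


def directions_seen(tap):
    """(src, dst) pairs that reached any tool port."""
    return {(f.src, f.dst) for frames in tap.tool_seen.values() for f in frames}


if __name__ == "__main__":
    print("both sides connected:", sorted(directions_seen(run_guide_example())))
    print("only port 13 connected:", sorted(directions_seen(run_guide_example(False))))
```

Running it shows that with only port 13 connected to a tool port the monitoring tool sees the Switch A to Switch B direction only, which is the situation the section above warns against.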
GigaLINK Modules (CU and XR)
GigaLINK modules provide high-speed connectivity to 10 Gb links
and can be used as network, tool, or stacking ports. GigaLINK
modules can be installed in the x1, x2, x3, and x4 slots at the rear of
the unit. However, only the x1 and x2 slots can be used as stacking
ports.
GigaLINK modules are available in both copper (GigaLINK-CU) and
optical (GigaLINK-XR) versions, as summarized in the table below:
GigaLINK-CU: 10 Gb copper module. Accepts 1/5/10/15 meter CX4 copper cable (InfiniBand).
GigaLINK-XR: 10 Gb optical module. Available with the following XFP optical transceivers:
• SR – 850nm (300 meter)
• LR – 1310nm (2m - 10km)
• ER – 1550 nm (40km)
See the table below for details on each of these transceivers.
SR XFP
Description: Supports 10 Gb SR 850nm fiber standard. Supports standard 50 μ and 62.5 μ MMF up to 300 meters.
Ports: One 10-Gigabit Ethernet port (IEEE 802.3ae Type 10Gbase-SR 850nm serial optics). Duplex: full. Connectors: LC.
Optical characteristics (dBm): Tx power: >-4.3 (*1). Rx sensitivity: -7.5 (*2). (*1) OMA (*2) Stressed Rx sensitivity in OMA.
Maximum distance:
• 62.5 μm multimode cable @ 160 MHz/km = 2-26 meters
• 62.5 μm multimode cable @ 200 MHz/km = 2-33 meters
• 50 μm multimode cable @ 400 MHz/km = 2-66 meters
• 50 μm multimode cable @ 500 MHz/km = 2-82 meters
• 50 μm multimode cable @ 2000 MHz/km = 2-300 meters
Notes: 62.5 μm (core/cladding) diameter or 50 μm, 850 nm, low metal content, multimode fiber-optic, complying with the ITU-T G.652 and ISO/IEC 793-2 Type B1 standards.
LR XFP
Description: Supports 10 Gb LR 1310nm distance of <10 km.
Ports: One 10-Gigabit Ethernet port (IEEE 802.3ae Type 10Gbase-LR 1310nm serial optics). Duplex: full. Connectors: LC.
Cabling: Low metal content, single-mode fiber-optic, complying with ITU-T G.652 and ISO/IEC 793-2 Type B1.
Maximum distance: 9/125 μm single-mode cable = 2 m-10 km.
Optical characteristics (dBm): Tx power: >-5.2 to +0.5 (*1). Rx sensitivity: -10.3 to +0.5 (*2). (*1) OMA (*2) Stressed Rx sensitivity in OMA.
ER XFP
Description: Supports 10 Gb ER 1550nm distance of up to 80 km.
Ports: One 10-Gigabit Ethernet port (IEEE 802.3ae Type 10Gbase-ER 1550nm serial optics). Duplex: full. Connectors: LC.
Cabling: Low metal content, single-mode fiber-optic, complying with ITU-T G.652 and ISO/IEC 793-2 Type B1.
Maximum distance: 9/125 μm single-mode cable = 2 m to 40 km; 80 km extra long reach 10 Gb XFP available by special order.
Optical characteristics (dBm): Tx power: -1 to +2. Rx sensitivity: -11.3 to -1 (*2). (*1) OMA (*2) Stressed Rx sensitivity in OMA.
Using Modules – Best Practices
When working with GigaVUE-420 modules, it’s generally best to use
each module for its intended purpose:
• Use GigaTAP modules to tap into network links.
• Use GigaMGMT and GigaPORT modules for end station or SPAN port connections.
For example, although it is possible to create a passthrough tap
between GigaPORT/GigaMGMT ports using the config port-pair
command, you will not have the power failure protection afforded by
the GigaTAP-Tx module (see Passive Mode vs. Active Mode on
page 68).
Traffic Distribution and Replacing Modules
The following table summarizes the effects of removing and
replacing GigaVUE-420 modules on connections, cross-box
connections, maps, cross-box maps, port-pairs, and pass-alls. Two
cases are covered:
• Replacing a GigaVUE-420 module with another module of the same type.
• Replacing a GigaVUE-420 module with a different type module.
NOTE: You can use GigaVUE’s config save filename.cfg and config
restore commands to create configuration files corresponding to
different physical configurations. This way, you can swap different
types of modules in and out of the system and quickly restore all
settings associated with a particular physical configuration.
Local Connections
• Remove and reinsert same module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – connections restored.
• Remove and insert different module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – connections to the swapped ports are deleted and must be manually recreated. After recreating the connections, use the config save filename.cfg command.
Local Maps
• Remove and reinsert same module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – connections restored.
• Remove and insert different module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – connections to the swapped ports are deleted and must be manually recreated. After recreating the connections, use the config save filename.cfg command.
Cross-Box Connections
• Remove and reinsert same module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – connections restored.
• Remove and insert different module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – the xbconnections on affected ports are deleted but other xbconnections remain. You must delete and reapply the affected xbconnections on all boxes in the stack. After recreating the xbconnections, use the config save filename.cfg command.
Cross-Box Maps
• Remove and reinsert same module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – connections restored.
• Remove and insert different module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – the xbmap connections on affected ports are deleted but other xbmaps remain. You must delete and reapply the affected xbmaps on all systems in the stack. After recreating the xbmaps, use the config save filename.cfg command.
Port-Pair
• Remove and reinsert same module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – connections restored.
• Remove and insert different module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – connections on affected ports deleted; other connections remain.
• No connections or maps using removed ports: connections persist, no local ports missing. No changes, no action needed.
Pass All
• Remove and reinsert same module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – connections restored.
• Remove and insert different module type: show connect after removal – connections persist, missing ports marked ?. After reinsert – connections on affected ports deleted; other connections remain.
• No connections or maps using removed ports: connections persist, no local ports missing. No changes, no action needed.
Chapter 6
Getting Started in the Command Line Interface
This chapter describes how to establish a configuration session with
the GigaVUE-420, provides you with an orientation to the
GigaVUE-420’s command-line management software, and describes
how to set the basic initial configuration options necessary to get you
up and running.
The chapter includes the following sections:
• Establishing a Configuration Session with GigaVUE-420 on page 79
• Command Line Basics on page 91
• The Basic Commands on page 94
• Completing the Initial GigaVUE-420 Setup on page 95
Establishing a Configuration Session with GigaVUE-420
You use GigaVUE-420’s command-line interface to configure the
unit’s operations, including system settings, user accounts, port
configuration, and packet distribution from network ports to tool
ports.
There are two ways to access GigaVUE-420’s command-line interface:
• Locally, via a serial connection to the Console port. See Local Connections to the Console Port using the Console Cable on page 80.
• Remotely, via a Telnet or SSH2 connection to the Mgmt port. See Remote Connections to the Mgmt Port on page 82.
NOTE: The same commands are available in the command-line
interface regardless of how you connect.
Local Connections to the Console Port using the Console Cable
This section describes how to access the command-line interface
using a local terminal emulation connection to the Console port.
NOTE: The following procedure explains how to connect to
GigaVUE-420 using the HyperTerminal application provided with
MS-Windows. If you use another terminal emulation application,
consult that application’s documentation for information on
establishing a terminal session. The GigaVUE-420 configuration
commands all work the same once the terminal session is established.
To access the command-line interface over the Console port:
1. Make the basic power and Console cable connections described in
Basic GigaVUE-420 Connections on page 59 and power on
GigaVUE-420.
2. Start HyperTerminal on the PC. Under most circumstances, this
program is located under Start > Programs > Accessories >
Communications.
3. Supply a name for the connection in the Connection Description
dialog box and click OK. For example, GigaVUE Config.
4. Select the COM port connected to the Console cable from the
Connect using dropdown list and click OK. For example, COM1.
5. Configure the port settings for the Console connection as follows
(Figure 6-1):
• Bits per second – 115,200
NOTE: Users with super privileges can change the baud rate for the Console port.
• Data bits – 8
• Parity – None
• Stop bits – 1
• Flow control – None
Figure 6-1: Setting COM Port Properties for the Console Connection
6. Click OK.
7. The terminal session begins. You may need to press Enter a few
times before you see the login: prompt from GigaVUE-420.
8. Log in to the command-line interface with the following default
user account and password:
User       root
Password   root123
The GigaVUE> prompt appears, giving you access to the built-in
command-line interface. See Command Line Basics on page 91 for
information on getting started with the CLI.
Getting Started in the Command Line Interface
Remote Connections to the Mgmt Port
This section describes how to access the command-line interface
remotely using either a Telnet or SSH2 connection to the Mgmt port.
The Mgmt port is a standard RJ45 10/100/1000 Ethernet port located
in the upper left corner of the GigaMGMT base module (Figure 6-2).
Figure 6-2: The GigaMGMT Module (callout: Mgmt port for 10/100/1000 Ethernet configuration)
NOTE: The Mgmt port supports Auto MDI-X. There is no need to use
a crossover cable.
Configuring the Mgmt Port’s Network Settings
Before you can connect remotely to the Mgmt port, you must
configure its IP settings.
You can also configure the Mgmt port’s physical settings. By default,
the Mgmt port is configured to autonegotiate its configuration with
the connected equipment. If required by the connected equipment,
you can disable this setting and set specific values for speed, duplex,
and MTU. See Mgmt Port Configuration Procedure on page 84 for the
procedure.
NOTE: Per the 802.3 specification, the Mgmt port can only achieve 1
Gb speeds if autonegotiation is enabled. Although autonegotiation is
optional for most Ethernet variants, it is mandatory for Gigabit
copper (1000BASE-T).
About IPv4/IPv6 for the Mgmt Port
IPv4 is always active and available on the GigaVUE-420, regardless of
whether IPv6 is also enabled. You can set up the Mgmt port with
either a static or dynamic IPv4 address.
NOTE: If you configure the Mgmt port to use DHCP, it will obtain a
new IPv4 address from a DHCP4 server each time it reboots. After
each reboot, you will need to learn this address in order to connect
via SSH2/Telnet.
Configuring IPv6 Network Properties
You can also enable IPv6 on the GigaVUE-420 with the following
command, followed by a reboot:
config system ipv6 1
When IPv6 is enabled, GigaVUE-420 will operate with support for
both IPv4 and IPv6.
GigaVUE-420 obtains an IPv6 address in one of the following ways:
• IPv6 router advertisements. GigaVUE-420 listens for a valid IPv6 header and then uses this to construct its IPv6 address.
• Router-solicited IPv6 address. GigaVUE can send out router solicitation packets and use the responses to generate an IPv6 address.
• Self-generated IPv6 address using an IPv6 header and the Mgmt port’s MAC address.
These are the only methods supported for IPv6 address generation.
GigaVUE-420 does not support either static IPv6 addresses or
DHCP6 for IPv6 address assignment. The show system command
will inform you of the unit’s IPv6 address.
The table below summarizes which applications GigaVUE-420
supports over IPv4 and IPv6. Note that IPv6 support is only provided
for listed applications when IPv6 is actually turned on in the CLI
(config system ipv6 1).
Application   Supported over IPv4?   Supported over IPv6?
SSH2          Yes                    Yes
Telnet        Yes                    Yes
TACACS+       Yes                    Yes
RADIUS        Yes                    Yes
TFTP          Yes                    Yes
SNTP          Yes                    Yes
SNMP          Yes
DHCP          Yes (DHCP4)            No. NOTE: You can still use DHCP4 for the unit’s IPv4 address when IPv6 is enabled.
Mgmt Port Configuration Procedure
Use the following procedure to configure the Mgmt port’s network
settings:
To configure the Mgmt port’s settings:
1. Connect locally to the GigaVUE-420 command-line interface over
the Console port using the instructions in Local Connections to the
Console Port using the Console Cable on page 80 and log in as a
super user (by default, root with the password root123).
2. Use the config system mgmt_port command to configure
autonegotiation, speed, duplex, and MTU settings for the Mgmt
port.
In most cases, the defaults for these settings will work just fine.
However, depending on the type of port to which you are
connecting the Mgmt port, you may need to adjust these settings
(for example, to avoid a duplex mismatch):
• Autonegotiation – By default, autonegotiation is enabled. You can disable/enable it with the following command:
config system mgmt_port autoneg <1 | 0>
NOTE: Per the 802.3 specification, autonegotiation is mandatory for 1 Gb speeds over copper (1000BASE-T).
• Speed – By default, speed is set to whatever the autonegotiation process negotiates. After disabling autonegotiation, you can change speeds manually with the following command:
config system mgmt_port speed <100 | 10>
• Duplex – By default, duplex is set to whatever the autonegotiation process negotiates. After disabling autonegotiation, you can change duplex settings with the following command:
config system mgmt_port duplex <half | full>
• MTU – By default, this is set to 1518 bytes, the largest standard Ethernet packet size. However, you can configure the size to between 320 and 1518 bytes using the following command:
config system mgmt_port mtu <320~1518> (bytes)
NOTE: GigaVUE-420’s Mgmt port supports RFC 1191 Path MTU Discovery and can automatically adjust MTU downwards if it discovers that the specified MTU is too large.
3. Use the config system command’s dhcp, ipaddr, subnetmask,
and gateway arguments to set up the IPv4 network properties for
the Mgmt port. Use the following syntax:
config system [dhcp <1 | 0> ipaddr <addr> subnetmask <xxx.xxx.xxx.xx>]
config system gateway <xxx.xxx.xxx.xx>
Where:
•
dhcp specifies whether GigaVUE-420 will obtain an IPv4
address for its Mgmt port from a DHCP4 server (1) or use a
static address (0). If you set dhcp to 1, do not supply values
for ipaddr, subnetmask, or gateway.
NOTE: If you enable DHCP, you can also use the config
system dhcp_timeout <4 | 10 | 30 | 60 | 100> command to
specify the number of seconds GigaVUE-420 will wait for a
response from a DHCP server after querying for an address.
•
ipaddr specifies the static IPv4 address to use.
•
subnetmask specifies the subnet mask to be used for the IPv4
address.
•
gateway specifies the default gateway to which the Mgmt
port should direct its traffic.
For example, to configure a static IP address of 192.168.1.20 with a
standard Class C subnet mask (255.255.255.0) and a default
gateway of 192.168.1.1, you would type the following command
followed by <Enter>.
config system dhcp 0 ipaddr 192.168.1.20 subnetmask 255.255.255.0 gateway 192.168.1.1
NOTE: This command combines two commands into a single line
in order to minimize reboots. These commands could also be
issued separately, but you would receive two separate reboot
requests if you did it this way:
config system dhcp 0 ipaddr 192.168.1.20 subnetmask 255.255.255.0
config system gateway 192.168.1.1
NOTE: When DHCP is disabled, the system must reboot before
implementing changes to the Mgmt port’s network settings. The
CLI will prompt you to reboot the system if necessary.
4. By default, only IPv4 is enabled on the GigaVUE-420. You can
also enable IPv6 with the following command, followed by a
reboot:
config system ipv6 1
Enabling IPv6 lets you use IPv6 addresses for SSH2, Telnet,
TACACS+, RADIUS, SNTP, and TFTP. See Configuring IPv6
Network Properties on page 83 for more information.
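The following Python helper is an added example, not part of Gigamon's documentation or software. It assembles the single-line config system command from step 3 above and applies the checks a practitioner would want before typing it at the console: dhcp 1 takes no static arguments, dhcp 0 needs all three, the mask must be a real netmask, and the gateway must be a host address inside the configured subnet. The address checks are an addition; the guide does not say the CLI performs them.

```python
"""Build the GigaVUE-420 'config system' IPv4 line for the Mgmt port.

Added example, not Gigamon code. Rules taken from the procedure above:
  * dhcp 1: do not supply ipaddr, subnetmask or gateway
  * dhcp 0: supply all three, on ONE line so the CLI asks for one reboot
Address sanity checks (real netmask, host address, gateway in subnet) are
an addition: the guide does not say the CLI performs them.
"""
import ipaddress
from typing import Optional


def build_mgmt_ipv4_command(dhcp: bool,
                            ipaddr: Optional[str] = None,
                            subnetmask: Optional[str] = None,
                            gateway: Optional[str] = None) -> str:
    """Return one 'config system ...' line, or raise ValueError."""
    if dhcp:
        if any(v is not None for v in (ipaddr, subnetmask, gateway)):
            raise ValueError("dhcp 1 takes no ipaddr/subnetmask/gateway")
        return "config system dhcp 1"

    if ipaddr is None or subnetmask is None or gateway is None:
        raise ValueError("dhcp 0 requires ipaddr, subnetmask and gateway")

    try:
        # IPv4Interface validates the address and rejects a non-contiguous
        # mask such as 255.0.255.0 (NetmaskValueError is a ValueError).
        iface = ipaddress.IPv4Interface(f"{ipaddr}/{subnetmask}")
        mask = ipaddress.IPv4Address(subnetmask)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        raise ValueError(f"bad IPv4 value: {exc}") from exc

    net = iface.network
    if mask != net.netmask:
        # ipaddress also accepts host masks such as 0.0.0.255; the CLI
        # syntax wants a netmask, so insist on the netmask form.
        raise ValueError("subnetmask must be a netmask such as 255.255.255.0")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError("ipaddr must be a host address, not network/broadcast")
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        raise ValueError(f"gateway {gw} is not a host address inside {net}")
    if gw == iface.ip:
        raise ValueError("gateway must differ from ipaddr")

    # Both the address settings and the gateway go on one line so the CLI
    # prompts for a single reboot rather than two.
    return (f"config system dhcp 0 ipaddr {iface.ip} "
            f"subnetmask {net.netmask} gateway {gw}")


if __name__ == "__main__":
    # The guide's own example: static 192.168.1.20/24 with gateway .1
    print(build_mgmt_ipv4_command(False, "192.168.1.20",
                                  "255.255.255.0", "192.168.1.1"))
```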
SSH2 vs. Telnet
You can use either Telnet or SSH2 for remote connections to
GigaVUE-420’s Mgmt port, but not both.
By default, Telnet is enabled. You use the config system ssh2 <1 | 0>
command to specify which remote protocol you would like to use.
For example, to enable SSH2, you would use the following command:
config system ssh2 1
Once SSH2 is enabled, Telnet connections are no longer accepted
(and vice-versa – SSH2 connections are not available when Telnet is
enabled).
TIP: If you generate new public host keys before enabling SSH, you
will save an extra reboot of the unit. See Changing Public Host Keys on
page 89.
Advantages of SSH2
SSH2 is a more secure choice for remote connections than Telnet,
providing an encrypted channel instead of relying on clear text. It
also provides stronger user authentication capabilities, including the
use of a public host key. Host keys uniquely identify a server, helping
guarantee that the server you’re connecting to is the server you think
it is.
GigaVUE-420 includes default RSA and DSA public host keys (SSH2
supports both the RSA and DSS host key algorithms). The
first time you connect to GigaVUE-420 with an SSH2 client, the client
will warn you that the host keys are not in your local cache and show
you the actual host key presented by GigaVUE-420. Your client will
most likely give you the option of trusting the key, adding it to your
local cache. Once you’ve trusted the key, your client will alert you
during connection if a different key is presented.
Verifying GigaVUE-420’s Host Key During Connection
To verify that the host key presented during an SSH2 connection is in
fact GigaVUE-420’s, you can connect over the Console port (see Local
Connections to the Console Port using the Console Cable on page 80) and
use the show hostkeys command to see GigaVUE-420’s current
public host keys and fingerprints. Write these down and keep them
nearby when you connect via SSH2 the first time. This way, you’ll be
able to compare the actual host key to what your SSH2 client says is
being presented. Once you’ve verified that they are the same, you can
choose to trust the host key, allowing future connections to take place
seamlessly.
Changing Public Host Keys
You can use the config system hostkey command to change the
default host keys provided with GigaVUE-420. The command has the
following syntax:
config system hostkey <dss | rsa> [<768~2048> (bits)]
Acceptable bit values for the host keys are multiples of 8 between 768
and 2048 (for example, 768, 776, 784, and so on). If you do not specify a
key length, GigaVUE-420 defaults to 1024 bits.
For example, to configure a new 768-bit RSA host key, you could use
the following command:
config system hostkey rsa 768
Connecting to GigaVUE-420 Using SSH2
When SSH2 is enabled, you can use any compliant SSH2 client to
connect to the command-line interface remotely. For example, to
connect using the popular SSH2 client, PuTTY:
1. Start PuTTY and enter GigaVUE-420’s IP address in the Host
Name field.
2. Click the SSH protocol radio button.
3. Click Open to open a connection.
4. If this is your first connection, PuTTY warns you that the host key
presented by GigaVUE-420 is not in your cache. You can add the
key, connect without adding the key, or cancel the connection.
See Verifying GigaVUE-420’s Host Key During Connection on
page 88 for information on how to verify that the host key shown
is the correct one.
5. Type root in the User name field followed by the root password
(root123 is the default).
Connecting to GigaVUE-420 Using Telnet
When Telnet is enabled, you can use any compliant Telnet client to
connect to the command-line interface remotely. For example, to
connect using the Telnet client provided with Microsoft Windows:
1. Open a command prompt window and type Telnet.
2. Type open <Mgmt Port IP Address>.
3. Log in with acceptable GigaVUE-420 credentials (by default, user
root with the password root123).
Command Line Basics
This section provides a quick orientation to the GigaVUE-420
command-line interface – how to get help, how to enter commands,
and so on.
The CLI Prompt
By default, the GigaVUE-420 command-line interface appears with
the GigaVUE> prompt.
NOTE: If you are working simultaneously with multiple
GigaVUE-420 boxes, you may find it handy to change the prompts on
individual boxes to make it easy to identify separate terminal
sessions. Super users can do this with the config system prompt
<string> command. This is particularly helpful when working with
cross-box configurations where the same command often needs to be
entered on each box in the stack.
Getting Help in the Command Line Interface
When working with the command-line interface, you can always get
help on the available commands by typing either ? or help followed
by <Enter>.
NOTE: Typing ? accesses the help system immediately – you do not
need to press <Enter>.
In addition, there are several other ways to get help – Command
Completion, Word Help, and Command Help:
Command Completion
If you have partially typed a command, you can press Tab and the
CLI will attempt to complete the command for you based on what’s
been entered so far. If it is unable to complete the command, the CLI
will simply redraw the line with the cursor at the end of the line.
Word Help
When you are typing a command and are not sure how to spell the
word you are working on, type a ? mark immediately following the
partially-typed word. The CLI will show you a list of all possible
words using the word entered so far.
For example, if you typed config x?, the CLI would return the
following possible commands based on what you’ve entered so far:
xbconnect
xbmap
xbmapping
xbport-filter
Command Help
When you are typing a command and have finished a word but are
not sure what the rest of the syntax is, you can type a space after the
word and then a ?. The CLI will list all possible commands using the
words you have entered so far. For example, if you type config
system ?, the CLI will return all possible config system commands.
Command Line Syntax – Entering Commands
You enter all configuration commands for the GigaVUE-420 in the
command-line interface. Enter commands by typing them to the
prompt and pressing <Enter>.
When entering commands, keep in mind the following rules:
• All commands are case-sensitive and entered in lower case.
• Alias strings must consist entirely of alphanumeric characters with no spaces. The only exceptions are the underscore (_) and hyphen (-) characters. Those are allowed. For example, config port-alias 3 My_Alias is legal, but config port-alias 3 My Alias is not.
• Description strings can contain spaces and non-alphanumeric characters and are entered between quotation marks.
The CLI will inform you which sort of string you are entering. For
example, when you set up a system name, you can enter both a
name-string without spaces and a description within quotation
marks that can contain spaces. If you type config system ?, the
92
Chapter 6
CLI informs you that the syntax for the name argument is as
follows:
config system [name name-string] [description “string”]
So, for example:
config system name GigaVUE-420 description “My GigaVUE-420 Box”
Command Structure
In general, GigaVUE-420 commands are structured as follows:
<verb> <object> <arguments>
You can loosely interpret this as Do this (verb) to this (object) like
this (argument). The following table summarizes this:
Verb       Do this...      Verbs are commands like config, show, delete, and so on.
Object     ...to this      Objects are items like the system, a filter, a map-rule, a port-type, and so on.
Argument   ...like this.   Arguments can be port numbers, strings, or other values to be set in the GigaVUE-420’s flash memory.
So, for example:
config port-type 8 tool
This command sets port number 8 to be a tool port. The verb, object,
and argument are as follows:
Verb     Object        Argument
config   port-type 8   tool
The Basic Commands
The table below lists each of the top level commands for the
GigaVUE-420 CLI. As described in the table, most of these commands
have multiple supported objects and arguments. You can see the
exact objects and arguments for a command by typing it into the CLI
followed by ?.
In general, the commands you will use most frequently are config,
show, and delete.
Command   Description
?         Display help.
config    Set up system settings, users, filters, maps, connections, port settings, port pairs, port filters, and so on.
delete    Delete defined users, connections, port pairs, port-filter associations, filters and so on.
exit      Exit the current CLI session.
help      Display help.
history   Lists the most recent 50 commands issued during the current session.
install   Install an image, config file, or banner file via TFTP.
logout    Exit the current CLI session or log out another user.
reset     You can use the reset command to:
          • Reboot the system and apply the configuration file with nb (next boot) set (reset system).
          • Reset port statistics (reset port-stats [all | port-alias | pid-list]).
          • Reset the system’s configuration file settings to the factory defaults (reset system factory-default).
show      Display users, system, ports, connectivity, filters, and diagnosis information.
upload    Upload a configuration or log file to a TFTP server.
Completing the Initial GigaVUE-420 Setup
At this point, you have logged in to the command-line interface using
the default root super user account, configured the Mgmt port’s
network properties for Telnet or SSH access, and have explored the
command-line interface structure.
There are a few more steps you should perform to complete the initial
configuration before you get to the fun stuff – setting up network
ports, tool ports, and mapping traffic. These tasks include:
• Configure some basic user accounts (optional). See Initial User Account Configuration (Optional) on page 96.
• Configure the GigaVUE-420 name and date. See Configuring the GigaVUE-420 Name and Date on page 98.
• Configure the GigaVUE-420 time options. See Configuring GigaVUE-420 Time Options on page 99.
• Configure a custom login banner. See Using a Custom Login Banner on page 102.
• Save your changes! See Saving Changes on page 104.
Initial User Account Configuration (Optional)
Before you start mapping traffic, it’s a good idea to change the factory
password supplied with the default root super user account and add
a few other accounts for use by different level users.
Change the Password for the root Account
1. First, change the password for the default root account. Use the
following command:
config password user root <newpassword> <newpassword>
Acceptable passwords contain between 6 and 30 alphanumeric
characters. At least one of the characters must be a numeral.
NOTE: The system will not let you delete the root account.
However, as a security measure, you can disable it using the
config system rootdis 1 command. Before doing so, however, you
must have added at least one other active account with super
privileges.
Set Up Some Basic Accounts
1. Next, you will probably want to set a few user accounts with
different access levels.
GigaVUE-420 provides an interlocking set of options that let you
create a comprehensive security strategy for the unit. These
options include the authentication method (local, TACACS+, or
RADIUS), different account access levels (super, normal, and
audit), port ownership (assigning access to different ports to
different users), and the overall security level in place on the box
(referred to as the lock-level).
These options are described in detail in Chapter 8, Configuring
GigaVUE-420 Security Options on page 133. For now, however, it’s
easiest to simply create a few basic user accounts – one of each
level. In general, user privileges are as follows:
• Super users have access to all ports on the box regardless of the lock-level in place. They can also perform all configuration commands.
• Normal users have access to different ports depending on the lock-level in place. They cannot perform most system configuration commands.
• Audit users do not have access to any ports. Their access consists mainly of the ability to use the show command to see what basic settings are in place on the box.
NOTE: Figure 6-3 shows the port ownership for each of these
account types when system lock-level is set to none.
NOTE: Lock-Level Reference on page 347 provides full details on the
different privileges for each user level depending on the
lock-level in place.
The following config user commands create a new super user,
normal user, and audit user:
Command                                                                                          Comments
config user MySuperUser 1password 1password level super description “New Super User Account”     Creates a new account named MySuperUser with the password 1password and the description “New Super User Account.”
config user MyNormalUser 2password 2password level normal description “New Normal User Account”  Creates a new account named MyNormalUser with the password 2password and the description “New Normal User Account.”
config user MyAuditUser 3password 3password level audit description “New Audit User Account”     Creates a new account named MyAuditUser with the password 3password and the description “New Audit User Account.”
2. Once you have configured these basic user accounts, use the
show user all command to review your settings. Figure 6-3 shows
the results of a show user all after adding the users in the table
above.
Figure 6-3: Reviewing the User List. Note the designated port ownership for each user: super users always own all ports, regardless of the system lock-level in place; normal users own different ports depending on the lock-level and port ownership assigned by a super user; audit users never own any ports.
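A Python helper, added here as an example and not Gigamon code, that generates the root password change and the config user commands shown in the table above while enforcing the rules this chapter states: name-strings as described under Command Line Syntax, passwords of 6 to 30 alphanumeric characters with at least one numeral, quoted description strings, and no config system rootdis 1 until another super user exists. Rejecting a double quote inside a description is an assumption; the guide does not say how one would be escaped.

```python
"""Generate and check the initial user-account commands from this chapter.

Added example, not Gigamon code. Rules modelled, all stated in the guide:
  * name-strings: alphanumeric plus '_' and '-', no spaces
  * passwords: 6 to 30 alphanumeric characters, at least one numeral
  * description strings are entered between quotation marks
  * 'config system rootdis 1' only once another active super user exists
Assumption: a double quote inside a description is rejected, because the
guide does not describe an escape for it.
"""
import re
from dataclasses import dataclass
from typing import List

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
PASSWORD_RE = re.compile(r"^[A-Za-z0-9]{6,30}$")
LEVELS = ("super", "normal", "audit")


@dataclass(frozen=True)
class UserPlan:
    name: str
    password: str
    level: str          # super, normal or audit
    description: str


def check_name(name: str) -> str:
    """Alias/name-string rule from 'Command Line Syntax'."""
    if not NAME_RE.match(name):
        raise ValueError(f"name-string {name!r}: letters, digits, '_' and '-' "
                         "only, no spaces")
    return name


def check_password(pw: str) -> str:
    """6 to 30 alphanumeric characters with at least one numeral."""
    if not PASSWORD_RE.match(pw):
        raise ValueError("password must be 6 to 30 alphanumeric characters")
    if not any(c.isdigit() for c in pw):
        raise ValueError("password must contain at least one numeral")
    return pw


def quote_description(text: str) -> str:
    """Descriptions may hold spaces and punctuation and go in quotes."""
    if '"' in text:
        raise ValueError("description may not contain a double quote (assumption)")
    return f'"{text}"'


def config_user_command(u: UserPlan) -> str:
    """One 'config user' line; the password is typed twice, as in the guide."""
    if u.level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}")
    pw = check_password(u.password)
    return (f"config user {check_name(u.name)} {pw} {pw} level {u.level} "
            f"description {quote_description(u.description)}")


def initial_account_commands(new_root_password: str,
                             users: List[UserPlan],
                             disable_root: bool = False) -> List[str]:
    """Step 1: new root password. Step 2: add accounts. Optionally disable
    root, which the guide allows only after another super user exists."""
    pw = check_password(new_root_password)
    cmds = [f"config password user root {pw} {pw}"]
    cmds.extend(config_user_command(u) for u in users)
    if disable_root:
        if not any(u.level == "super" for u in users):
            raise ValueError("add another super user before config system rootdis 1")
        cmds.append("config system rootdis 1")
    return cmds


if __name__ == "__main__":
    # The three accounts from the table above; the new root password
    # "Adm1nPass" is a constructed placeholder.
    plan = [
        UserPlan("MySuperUser", "1password", "super", "New Super User Account"),
        UserPlan("MyNormalUser", "2password", "normal", "New Normal User Account"),
        UserPlan("MyAuditUser", "3password", "audit", "New Audit User Account"),
    ]
    for line in initial_account_commands("Adm1nPass", plan, disable_root=True):
        print(line)
```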
Configuring the GigaVUE-420 Name and Date
It’s generally a good idea to configure the GigaVUE-420’s name,
date, and time as part of your initial configuration. The following
commands show how to set the system name and date. See
Configuring GigaVUE-420 Time Options on page 99 for information on
setting options related to time.
Setting the System Name
1. Use the following command to specify the system name:
config system [name name-string] [description “string”]
So, for example:
config system name GigaVUE-420 description “My GigaVUE-420 Box”
Setting the Date
1. Use the following command to set the system date:
config system [date <mm-dd-yy>]
NOTE: After entering the name and date, you may want to do a show
system to verify your settings.
Configuring GigaVUE-420 Time Options
GigaVUE-420 includes a variety of features for setting the time,
including:
• Time can be set either manually or using an SNTP server.
• Time can optionally adjust automatically for daylight savings time start and end.
• Timezone options for adjustment of UTC time received from an SNTP server.
GigaVUE-420’s built-in clock is not subject to noticeable drift and is
sufficiently accurate for the needs of most users. Most of
GigaVUE-420’s features are not particularly time-sensitive and do not
require the accuracy of an SNTP time server. However, if you have
enabled the forwarding of SNMP traps, you may want to use an
SNTP server so that the timestamps shown on the SNMP server are
extremely accurate.
Setting Time Manually
The easiest way to set GigaVUE-420’s time is manually with the
config system time command. For example:
config system time 03:45:12
NOTE: Even if you are using SNTP, it’s a good idea to configure time
manually as well. GigaVUE-420 will automatically fall back to the
manual time setting if it is unable to synchronize with the specified
SNTP server.
A show system will reveal whether SNTP is enabled, as well as the
current GigaVUE-420 time.
Setting Time from an SNTP Server
GigaVUE-420 can optionally use a Simple Network Time Protocol
(SNTP) server for its time setting. Configure GigaVUE-420 to use
an SNTP server as follows:
1. Specify the address of the SNTP server with the config
sntp_server command. For example, if the SNTP server is on
204.123.2.72, you would use the following command:
config sntp_server 204.123.2.72
NOTE: There are many public SNTP servers available on the
Internet.
2. Turn on SNTP with the following command:
config system sntp 1
GigaVUE-420 will inform you that it must reboot to enable the
use of an SNTP server. You will be provided with the option of
saving any provisional configuration changes before the reboot
takes place.
Once the system reboots, it will connect to the specified SNTP
server and synchronize to its time. If connection to the specified
SNTP server is not successful, GigaVUE-420 informs you of the
error and automatically falls back to the manual time setting.
3. SNTP reports times in UTC. Because of this, it’s a good idea to
specify the GigaVUE-420’s timezone so that UTC can be
converted to the local timezone.
You specify the timezone in terms of the offset from UTC (either
plus or minus). For example, to set the timezone for a
GigaVUE-420 in the United States Pacific Standard Timezone,
you would use the following command:
config system timezone UTC-08:00
Using Automatic Daylight Savings Time Adjustments
When using SNTP, you can configure GigaVUE-420 to automatically
adjust its time setting for daylight savings time by specifying both the
start and end dates for daylight savings time. Then, you turn on
automatic adjustments with the config system dst command.
NOTE: Automatic daylight savings time adjustments are only used
when SNTP is enabled and there is a successful connection to a
running SNTP server.
NOTE: Start and end dates for Daylight Savings Time change every
year in some countries. If you decide to use automatic adjustments,
make sure you change the onset and offset every year.
Command                               Comments
config system dst_onset 03-11-02:00   Specifies that Daylight Savings Time starts on March 11th at 02:00 AM.
config system dst_offset 11-04-02:00  Specifies that Daylight Savings Time ends on November 4th at 02:00 AM.
config system dst 1                   Turns on the use of automatic Daylight Savings Time adjustments.
Using a Custom Login Banner
GigaVUE-420 can display a customizable text banner at system
startup and whenever a user logs in. The text banner displays the
contents of a special banner_file.txt on the GigaVUE-420. This file
must be a text file of no more than 4096 bytes.
Configuring GigaVUE-420 to display a text banner consists of the
following steps:
1. Use a text editor to create the banner_file.txt file. The file must
consist of raw text and be no larger than 4096 bytes.
2. Download banner_file.txt to GigaVUE-420 from a TFTP server.
For example, to install from a TFTP server running on
192.168.1.102, you would use the following command:
install -ban banner_file.txt 192.168.1.102
3. Turn on the display of text banners with the following command:
config system banner 1
The next time you log in to the GigaVUE-420, you will see the
customizable banner (Figure 6-4).
Replacing the Custom Banner
To replace the current custom banner with a different one, create
another banner_file.txt and download to the GigaVUE-420. The next
time you log in, the new banner will be shown.
Disabling the Banner Display
To disable the custom banner, use the following command:
config system banner 0
Figure 6-4: Customizable Login Banner
Saving Changes
The changes made in this chapter were all config system changes.
These changes are added to the active configuration right away and
automatically saved in a different location than the configuration files
– there is no need to perform a config save filename.cfg to save them.
However, it’s a good idea to get into the habit of using the config
save filename.cfg command. Later on, when you start setting up
packet distribution with connections and maps, your changes will be
added to the active configuration right away but won’t be saved
across a system reboot unless you use the config save filename.cfg
command to write your changes to flash.
NOTE: The name of the factory-provided configuration file in v4.0 is
gigavue.cfg. You can see the name of the most recently booted
configuration file by using the show file command and looking for
the file with Last restored set to Yes. In Figure 6-5, you can tell that
GigaVUE-420 is currently operating with the factory-provided
gigavue.cfg configuration file and that this is also the configuration
file that will be booted next (Next boot file = Yes).
See Using Configuration Files on page 175 for details on using
configuration files.
Figure 6-5: Showing Configuration Files
Chapter 7
Stacking GigaVUE-420 Boxes
This section describes how to connect multiple GigaVUE-420 systems
in a cross-box stack so that data arriving at a network port on one
GigaVUE-420 box can be forwarded to a tool port on another
GigaVUE-420 box.
IMPORTANT: You cannot stack GigaVUE-420 systems with
GigaVUE-MP systems in this release – stacks must consist entirely of
one system type or the other. In a future release, you will be able to
create mixed stacks.
It includes the following major topics:
• About Cross-Box Configurations on page 106
• Creating Cross-Box Stacks: A Roadmap on page 109
• Stacking Rules on page 110
• Planning the Stack on page 110
• Configuring a Box’s Stacking Information on page 114
• Making Physical Connections on page 122
• Verifying a Cross-Box Stack’s Connectivity on page 122
• Configuring Cross-Box Packet Distribution on page 125
• Troubleshooting Cross-Box Stacks on page 125
• Making Changes to an Existing Cross-Box Stack on page 127
• Power Loss Considerations for Cross-Box Stacks on page 131
About Cross-Box Configurations
Cross-box stacks consist of two or more GigaVUE-420 systems
connected via their x1/x2 10 Gb ports. Cross-box stacks can be as
simple as two systems connected via their x1 ports, or as complex as a
chain of ten separate systems. For example, Figure 7-1 shows a
sample cross-box stack of four GigaVUE-420 systems.
NOTE: The x3 and x4 ports can not be used as stack ports. The CLI
will not let you set their port-type to stack.
Figure 7-1: Stacking Four GigaVUE-420 Boxes (the x1 and x2 stacking ports of each box are labeled)
You create cross-box stacks by performing a series of configuration
commands that identify each box in the stack, as well as its upstream
and downstream neighbors. You perform these configuration
commands on each of the boxes in the stack.
NOTE: You must be logged in with super user account privileges to
complete the stack configuration commands in this chapter.
About GigaVUE-420 10 Gb Stacking Ports
Cross-box stacks are set up by connecting multiple systems using the
x1 and/or x2 10 Gb ports on the rear of the GigaVUE-420 and
configuring their port-type as stack.
NOTE: The GigaVUE-420 can have up to four 10 Gb modules installed
in slots x1-x4. However, you can only use the 10 Gb modules installed
in slots x1 and x2 as stacking ports. The CLI will not let you set the x3
or x4 module’s port-type to stack.
You can stack two systems together with only a single 10 Gb module
installed in each unit’s x1 slot. However, to stack three or more
GigaVUE-420 boxes, the middle systems must have an additional 10
Gb module installed in the x2 slot.
There are two main types of 10 Gb modules. Either can be used as a
stacking port in the x1/x2 slots:
• 10 Gb GigaLINK-CU with a copper CX-4 connector.
NOTE: The maximum length of the cable run between GigaLINK-CU stacking ports is 15 meters. You must specify the distance of the cable run using the config port-params <port-id> ib_cable_len command. See Configuring Cable Lengths (GigaLINK-CU Stacking Ports) on page 118 for details.
• 10 Gb GigaLINK-XR with a fiber-optical XFP connector (SR, LR, or ER XFPs are all available).
NOTE: You can only connect optical-to-optical stacking ports using the same XFP type. In addition, make sure the XFP you are using is supported by the length of your cable run, as follows:
  • SR: 300 meters
  • LR: 2 m - 10 km
  • ER: 40 km
See GigaLINK Modules (CU and XR) on page 73 for details on the cable lengths supported by each GigaLINK-XR XFP type.
Creating Cross-Box Stacks: A Roadmap
Setting up a cross-box stack consists of the major steps shown in
Creating Cross-Box Stacks: Major Steps on page 109.
Step 1: Plan the Stack. Identify Requirements, Create a Map, and Write a
Per-Box Configuration Plan.
Cross-box stacks can quickly become quite complex. It’s a good idea to
plan your configuration. Start by identifying the number of boxes in
your stack, the stacking port configuration of each box, the length of
each copper cable run, and so on. Then, draw a stack map that positions
each of your boxes in the stack. Finally, create a per-box configuration
plan with the CLI commands to be issued on each box in the stack. See
Planning the Stack on page 110 for details.
Step 2: Configure Each Box in the Stack. Configure bid, port-type,
active_link, x1_bid, x2_bid, and Cable Length (copper modules) Settings
for Each Box in the Stack.
Use the Configuration Plan you created in Step 1 to configure each box in
the stack. Once you have finished configuring the boxes, save changes
with a config save and then turn them off. See Configuring a Box’s
Stacking Information on page 114 for details.
Step 3: Make Physical Connections. Connect the Boxes According to the
Stack Map.
See Making Physical Connections on page 122 for details.
Step 4: Power On Systems and Verify Connectivity.
Turn on all the systems and wait for them to complete booting. Then,
verify the stack path by setting up an end-to-end xbconnection (that is,
an xbconnection that starts at a network port on one end of the stack and
terminates at a tool port on the other end of the stack). Issue the exact
same xbconnect command on each box in the stack. Then, send traffic
across this xbconnection to verify connectivity. See Verifying a
Cross-Box Stack’s Connectivity on page 122 for details.
Step 5: Configure Cross-Box Packet Distribution.
See Configuring Cross-Box Packet Distribution on page 125.
Figure 7-2: Creating Cross-Box Stacks: Major Steps
Stacking Rules
Cross-box stacks must adhere to the following rules:
Rule 1  All GigaVUE-420 systems in a cross-box stack must run the same
        version of software.
Rule 2  GigaVUE-420 systems can NOT be stacked with GigaVUE-MP systems.
Rule 3  Only the x1 and x2 10 Gb ports can be used as stacking ports. The
        x3 and x4 10 Gb ports cannot be used as stacking ports.
Rule 4  Each GigaVUE-420 system in a cross-box stack must have its own
        unique Box ID (bid).
Rule 5  All commands for cross-box connections and cross-box maps must be
        applied to all boxes in exactly the same order.
Rule 6  You can only connect copper-to-copper and optical-to-optical
        stacking ports. In addition, optical-to-optical connections must
        use the same XFP type (SR, LR, or ER).
Planning the Stack
Cross-box stacks larger than two or three boxes can quickly become
quite complex to manage and configure. It’s essential that you
identify your requirements and then create an accurate stack map
reflecting those requirements.
Identifying Requirements
When identifying your requirements, ask the following questions:
• How many boxes will be stacked? Are they all running the same version
  of software?
• Will I be connecting copper-to-copper or optical-to-optical stacking
  ports?
• Are my optical-to-optical connections using the same XFP type?
• How long will my cable runs be?
  • Copper cable runs are limited to a maximum length of 15 meters.
  • Fiber cable runs are limited by the XFP type:
    SR: 300 meters
    LR: 2 m - 10 km
    ER: 40 km
    See GigaLINK Modules (CU and XR) on page 73 for details on the
    cable lengths supported by each GigaLINK-XR XFP type.
• How can I minimize the number of boxes data will need to cross from
  input network ports to destination tool ports?
Create the Stack Map
The stack map should identify:
• Each box in the stack along with its stacking port types and Box ID.
• Stacking link cable routing between the boxes.
Draw a simple picture showing each of the boxes in the stack along
with their Box IDs and how they will be connected (x1, x2, or both). A
simple diagram will make it much easier to connect the cables and
perform the system configuration commands correctly. For example,
you could draw a simple picture like the one shown in Figure 7-3.
In addition, you may want to label each box so that you can match up
the individual boxes with your diagram. Something as simple as a
post-it with a Box ID and IP address attached to the top of each unit
may save you unnecessary confusion later on.
Figure 7-3 shows three boxes in a chain: Box ID 1 (192.168.1.1) with an
x1 CU stacking port, joined by a 5 meter cable to the x1 CU stacking port
of Box ID 2 (192.168.1.25), whose x2 CU stacking port is joined by a
10 meter cable to the x1 CU stacking port of Box ID 3 (192.168.1.50).
Figure 7-3: Planning a Cross-Box Configuration
Keep in mind the following points as you plan your configuration:
• You will need to specify the cable length in use for any connections
  between the copper GigaLINK-CU stacking ports. This is described in
  Configuring Cable Lengths (GigaLINK-CU Stacking Ports) on page 118.
• You cannot mix stacking port types. You can only connect
  copper-to-copper or optical-to-optical stacking ports. In addition,
  you can only connect optical-to-optical with the same XFP type (LR,
  SR, or ER).
Create the Configuration Plans
Once you have drawn your stack map, it’s easy to write up
configuration plans for each box in the stack showing the values for
the configuration commands you will need to issue. For example, the
plans for the stack map in Figure 7-3 could look like this:
Configuration Plan for 192.168.1.1 (Box ID 1)
  bid                                   1
  port-type x1                          stack
  active_link                           x1
  x1_bid                                2 3
  x2_bid                                n/a
  config port-params x1 ib_cable_len    5
Configuration Plan for 192.168.1.25 (Box ID 2)
  bid                                   2
  port-type x1 x2                       stack
  active_link                           both
  x1_bid                                1
  x2_bid                                3
  config port-params x1 ib_cable_len    5
  config port-params x2 ib_cable_len    10
Configuration Plan for 192.168.1.50 (Box ID 3)
  bid                                   3
  port-type x1                          stack
  active_link                           x1
  x1_bid                                2 1
  x2_bid                                n/a
  config port-params x1 ib_cable_len    10
Configuring a Box’s Stacking Information
This section describes how to perform the CLI configuration
commands for a cross-box stack. You must set these options for each
of the systems in the stack. You do this before you physically
connect the systems.
GigaVUE-420 distributes traffic through a cross-box stack using Box
IDs. Box IDs uniquely identify each GigaVUE-420 system in a cross-box
stack.
In order for traffic to flow correctly up and down a cross-box stack,
you execute a number of commands on each GigaVUE-420 box in the
stack specifying both the unique Box ID of the local GigaVUE-420 as
well as the Box IDs of each GigaVUE-420 system accessible via the x1
and x2 stacking port(s). Figure 7-4 summarizes this procedure:
NOTE: You must be logged in with super user account privileges to
complete the stack configuration commands in this section.
Step 1: Assign the Unique Box ID. Use the config system bid command to
assign a unique Box ID to the GigaVUE-420.
Box IDs are used to uniquely identify each system in a cross-box stack.
When you set up packet distribution between systems, you will use the
Box ID to identify a particular port in a cross-box stack. The format is
typically bid-pid (Box ID-Port ID).
See Assigning Box IDs: config system bid on page 116 for information on
assigning a Box ID.
Step 2: Designate the Stacking Ports. Use the config port-type command
to designate the x1 and/or x2 ports as stacking ports, followed by a
config save to save your changes.
See Designating Stacking Ports: config port-type on page 116 for
information on designating stacking ports.
Step 3: Specify the Box ID(s) Connected to the Stacking Port(s). Use the
config system x1_bid and config system x2_bid commands to specify Box
IDs for all systems accessible through the x1 and x2 stacking ports,
respectively.
See Specifying Neighbor Boxes: config system x1_bid/x2_bid on page 117
for information on specifying the Box IDs for neighbor boxes.
Step 4: Specify Copper Cable Lengths. Use the config port-params
<port-id> ib_cable_len command to specify the cable lengths for any
GigaLINK-CU modules used as stacking ports in the x1/x2 slots, followed
by a config save to save your changes.
See Configuring Cable Lengths (GigaLINK-CU Stacking Ports) on page 118
for information on specifying cable lengths.
Step 5: Activate the Stacking Port(s). Use the config system active_link
command to activate the stacking ports on the GigaVUE-420.
You can specify x1, x2, or both. You can only enable active_link for x1
and x2 10 Gb modules that are actually installed in the chassis.
See Activating Stacking Ports: config system active_link on page 119 for
information on setting the active_link option.
Step 6: Repeat. Repeat the stack configuration commands in Step 1 -
Step 5 for each box in the cross-box stack.
Figure 7-4: CLI Cross-Box Configuration Commands
Assigning Box IDs: config system bid
You use the config system bid command to assign a unique Box ID to
a GigaVUE-420 system. This Box ID is used to distribute traffic across
a cross-box stack.
The syntax for the command is as follows:
config system bid <1~10>
You can stack as many as 10 boxes in this release. Because of this, you
can select Box ID values from 1-10, inclusive. The default Box ID is 1.
NOTE: You must reboot the system to apply changes made to the Box
ID.
Designating Stacking Ports: config port-type
You use the config port-type command to designate the x1 and/or x2
ports as stacking ports. You must designate the 10 Gb ports you plan to
use as stacking ports.
The config port-type command has the following syntax:
config port-type <port-alias | pid-list | pid-x..pid-y> [network | tool | stack]
For example, when configuring a middle system in a three-box stack,
you could use the following command to designate both the x1 and
x2 ports as stacking ports:
config port-type x1 x2 stack
NOTE: The CLI will not let you set port-type to stack for any ports
other than x1 and x2.
Save Changes!
Make sure you perform a config save to save your port-type changes
to flash.
Specifying Neighbor Boxes: config system x1_bid/x2_bid
You use the config system x1_bid and config system x2_bid
commands to inform the local GigaVUE-420 of the boxes reachable
from its x1 and x2 stacking ports, respectively. GigaVUE-420 uses this
information to distribute traffic up and down the stack correctly.
You must specify the Box IDs of all boxes reachable from the x1 and
x2 stacking ports – not just the immediately adjacent box.
The syntax for these commands is as follows:
config system x1_bid <1-10>
config system x2_bid <1-10>
You can specify multiple Box IDs separated by spaces.
Sample Commands
So, for example, consider our earlier example from Figure 7-3 on
page 112. The first system in this stack (Box ID 1) has only its x1
stacking port connected. Both of the other boxes (2 and 3) are
reachable from this connector. So, the configuration command for
this box is:
config system x1_bid 2 3
However, the second system (Box ID 2) uses both its x1 and x2
connectors. It can access Box ID 1 from its x1 stacking port and Box
ID 3 from its x2 stacking port. So, the configuration commands for
this box are:
config system x1_bid 1
config system x2_bid 3
NOTE: To minimize reboots, you could combine the stack
configuration commands for Box ID 2 into a single command, as
follows:
config system bid 2 x1_bid 1 x2_bid 3 active_link both
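Putting the stack map, the per-box configuration plans and the x1_bid/x2_bid reachability rule together as an added example (Python; not Gigamon code): it checks a planned map against the Stacking Rules and generates each box's CLI plan, deriving the full list of boxes behind each stacking port rather than just the neighbor. The Module, Box and Link structures are constructed for the example; the sample data is the three-box copper stack of Figure 7-3.

```python
"""Stack-map checker and per-box configuration-plan generator (added example,
not Gigamon code). Checks a planned stack against the Stacking Rules, derives
the complete x1_bid/x2_bid lists for a chain and emits each box's CLI plan."""
from collections import deque
from typing import Dict, List, NamedTuple, Optional, Tuple

COPPER_LENGTHS = (1, 5, 10, 15)                          # legal ib_cable_len values (m)
FIBER_REACH_M = {"SR": 300, "LR": 10_000, "ER": 40_000}  # XFP reach quoted in the guide
STACK_SLOTS = ("x1", "x2")                               # only slots allowed as stack ports


class Module(NamedTuple):
    kind: str                   # "CU" (GigaLINK-CU, copper) or "XR" (GigaLINK-XR, fiber)
    xfp: Optional[str] = None   # "SR" | "LR" | "ER" for XR modules


class Box(NamedTuple):
    bid: int
    ip: str
    slots: Dict[str, Module]    # installed 10 Gb modules keyed by slot ("x1".."x4")


class Link(NamedTuple):         # one stacking cable: (a_bid, a_port) <-> (b_bid, b_port)
    a_bid: int
    a_port: str
    b_bid: int
    b_port: str
    cable_m: int


def check_stack(boxes: List[Box], links: List[Link]) -> List[str]:
    """Return the rule violations found in a stack map (empty list = consistent)."""
    errors: List[str] = []
    by_bid = {b.bid: b for b in boxes}
    if len(by_bid) != len(boxes) or any(not 1 <= b.bid <= 10 for b in boxes):
        errors.append("Rule 4: Box IDs must be unique and in the range 1-10")
    for ln in links:
        ends = ((ln.a_bid, ln.a_port), (ln.b_bid, ln.b_port))
        mods: List[Optional[Module]] = []
        for bid, port in ends:
            if port not in STACK_SLOTS:
                errors.append(f"Rule 3: box {bid} port {port} cannot be a stacking port")
            mod = by_bid[bid].slots.get(port) if bid in by_bid else None
            if mod is None:
                errors.append(f"box {bid}: no 10 Gb module installed in slot {port}")
            mods.append(mod)
        a, b = mods
        if a is None or b is None:
            continue
        if a.kind != b.kind or (a.kind == "XR" and a.xfp != b.xfp):
            errors.append(f"Rule 6: link {ends} mixes port types or XFP types")
        elif a.kind == "CU" and ln.cable_m not in COPPER_LENGTHS:
            errors.append(f"copper link {ends}: {ln.cable_m} m is not a valid ib_cable_len")
        elif a.kind == "XR" and ln.cable_m > FIBER_REACH_M.get(a.xfp, 0):
            errors.append(f"fiber link {ends}: {ln.cable_m} m exceeds {a.xfp} XFP reach")
    return errors


def _neighbors(links: List[Link]) -> Dict[Tuple[int, str], Tuple[int, str]]:
    nb: Dict[Tuple[int, str], Tuple[int, str]] = {}   # (bid, port) -> far end of its cable
    for ln in links:
        nb[(ln.a_bid, ln.a_port)] = (ln.b_bid, ln.b_port)
        nb[(ln.b_bid, ln.b_port)] = (ln.a_bid, ln.a_port)
    return nb


def reachable_bids(bid: int, port: str, links: List[Link]) -> List[int]:
    """All Box IDs reachable through `port` of box `bid` (what x1_bid/x2_bid must list)."""
    nb = _neighbors(links)
    first = nb.get((bid, port))
    if first is None:
        return []
    order, queue = [first[0]], deque([first[0]])
    while queue:                          # walk away from the local box only
        cur = queue.popleft()
        for p in STACK_SLOTS:
            nxt = nb.get((cur, p))
            if nxt and nxt[0] != bid and nxt[0] not in order:
                order.append(nxt[0])
                queue.append(nxt[0])
    return order


def config_plan(box: Box, links: List[Link]) -> List[str]:
    """CLI commands for one box in the Step 1-5 order of Figure 7-4, then config save."""
    nb = _neighbors(links)
    stack_ports = [p for p in STACK_SLOTS if (box.bid, p) in nb]
    cmds = [f"config system bid {box.bid}"]
    if stack_ports:
        cmds.append(f"config port-type {' '.join(stack_ports)} stack")
    for p in stack_ports:
        bids = " ".join(str(b) for b in reachable_bids(box.bid, p, links))
        cmds.append(f"config system {p}_bid {bids}")
    for ln in links:                      # Step 4 applies to copper (CU) modules only
        for bid, port in ((ln.a_bid, ln.a_port), (ln.b_bid, ln.b_port)):
            if bid == box.bid and box.slots[port].kind == "CU":
                cmds.append(f"config port-params {port} ib_cable_len {ln.cable_m}")
    active = "both" if len(stack_ports) == 2 else (stack_ports[0] if stack_ports else "none")
    return cmds + [f"config system active_link {active}", "config save"]


# Constructed sample: the three-box copper stack of Figure 7-3.
CU = Module("CU")
FIG_7_3_BOXES = [Box(1, "192.168.1.1", {"x1": CU}),
                 Box(2, "192.168.1.25", {"x1": CU, "x2": CU}),
                 Box(3, "192.168.1.50", {"x1": CU})]
FIG_7_3_LINKS = [Link(1, "x1", 2, "x1", 5), Link(2, "x2", 3, "x1", 10)]
```

check_stack(FIG_7_3_BOXES, FIG_7_3_LINKS) returns an empty list for this map, and config_plan(box, FIG_7_3_LINKS) for each box reproduces the three configuration plans written out earlier in this section.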
Configuring Cable Lengths (GigaLINK-CU Stacking Ports)
For any copper stacking port connections (GigaLINK-CU), you must
use the config port-params <port-id> ib_cable_len command to
specify the length of the InfiniBand cable (in meters).
For example, if the x2 stacking port is connected using a 10 meter
cable, you would use the following command:
config port-params x2 ib_cable_len 10
Similarly, if a GigaLINK-CU was installed in x1 and connected to a 5
meter cable, you would use the following command:
config port-params x1 ib_cable_len 5
You can select 1, 5, 10, or 15 meters for ib_cable_len. The default
value is 5.
NOTE: Five meter cables can be ordered as the standard length. Other
lengths are available as a special order.
Save Changes!
Make sure you perform a config save to save any changes to the cable
length settings.
Activating Stacking Ports: config system active_link
You use the config system active_link command to activate the x1/
x2 stacking ports on a GigaVUE-420 system. You must activate the 10
Gb ports you plan to use as stacking ports.
The config system active_link command has the following syntax:
config system active_link <x1 | x2 | both | none>
For example, when configuring a middle system in a three-box stack,
you would use the following command to activate both the x1 and x2
stacking ports:
config system active_link both
Stack Examples: CLI Commands
The following sections provide some sample cross-box
configurations, along with the necessary stack configuration
commands to set them up.
• Example: Two-Box Cross-Box Stack on page 120
• Example: Cross-Box Stack with Four Systems on page 121
Example: Two-Box Cross-Box Stack
Figure 7-5 shows a simple two-box stack. This is the simplest stack
available and requires only a single 10 Gb module on each box in the
stack. Notice in Figure 7-5 that the x2 - x4 slots are unpopulated in
each of the systems – only x1 is populated.
GigaVUE-420 Box ID 1 (stacking port x1):
config system bid 1
config port-type x1 stack
config system x1_bid 2
config system active_link x1
config save
GigaVUE-420 Box ID 2 (stacking port x1):
config system bid 2
config port-type x1 stack
config system x1_bid 1
config system active_link x1
config save
Figure 7-5: Two-Box Stack
Example: Cross-Box Stack with Four Systems
Figure 7-6 shows a more complex stack with four GigaVUE-420 systems
connected in a chain. The endpoints of the stack only have a single 10
Gb module installed in slot x1 – the other slots are unpopulated. The
middle systems, however, have all four 10 Gb slots populated and are
using x1 and x2 as stacking ports.
GigaVUE-420 Box ID 1 (stacking port x1):
config system bid 1
config port-type x1 stack
config system x1_bid 2 3 4
config system active_link x1
config save
GigaVUE-420 Box ID 2 (stacking ports x1 and x2):
config system bid 2
config port-type x1 x2 stack
config system x1_bid 1
config system x2_bid 3 4
config system active_link both
config save
GigaVUE-420 Box ID 3 (stacking ports x1 and x2):
config system bid 3
config port-type x1 x2 stack
config system x1_bid 1 2
config system x2_bid 4
config system active_link both
config save
GigaVUE-420 Box ID 4 (stacking port x1):
config system bid 4
config port-type x1 stack
config system x1_bid 1 2 3
config system active_link x1
config save
Figure 7-6: Stacking Four GigaVUE-420 Boxes
Making Physical Connections
Once you have finished configuring the cross-box stacking
commands for each of the systems in the stack, turn off all the
systems and make the physical connections shown in your stack map.
Then, power on all the systems and wait for them to complete
booting before verifying the stack’s connectivity.
Verifying a Cross-Box Stack’s Connectivity
You can verify a cross-box stack’s connectivity using the techniques
in this section:
• Check the show diag Output on page 122
• Set Up Cross-Box Connections on page 124
Check the show diag Output
The easiest way to verify end-to-end stack connectivity is to use the
show diag command on the first box in the stack. Then scroll down to
the section listing slot configuration for adjacent boxes. If the system
is able to detect the slot configuration of each of the downstream
boxes in the stack, the stack connectivity is good.
For example, if you issued the show diag command on Box ID 1 in
Figure 7-6 on page 121, the output shown below would indicate that
the stack has been set up correctly. Note the following:
• You can see that slot status has been detected for each of the four
  boxes in the stack. The Active_link setting for each is correct as
  well.
• Boxes 5-10 are not present in this stack. Slot status is shown as
  Unknown for all slots in each of these boxes.
Box 1    HW=2   Active_link=x1
  (slots 1, 2, 3)    GigaMgmt-CU   GigaPORT      GigaPORT
  (slots 4, 5,x1)    GigaPORT      GigaPORT      GigaLINK-CU
  (slots x2,x3,x4)   Unknown       Unknown       Unknown
Box 2    HW=2   Active_link=both
  (slots 1, 2, 3)    GigaMgmt-CU   GigaPORT      GigaPORT
  (slots 4, 5,x1)    GigaPORT      GigaPORT      GigaLINK-CU
  (slots x2,x3,x4)   GigaLINK-CU   GigaLINK-CU   GigaLINK-CU
Box 3    HW=2   Active_link=both
  (slots 1, 2, 3)    GigaMgmt-CU   GigaPORT      GigaPORT
  (slots 4, 5,x1)    GigaPORT      GigaPORT      GigaLINK-CU
  (slots x2,x3,x4)   GigaLINK-CU   GigaLINK-CU   GigaLINK-CU
Box 4    HW=2   Active_link=x1
  (slots 1, 2, 3)    GigaMgmt-CU   GigaPORT      GigaPORT
  (slots 4, 5,x1)    GigaPORT      GigaPORT      GigaLINK-CU
  (slots x2,x3,x4)   Unknown       Unknown       Unknown
Box 5    HW=0   Active_link=none
  (slots 1, 2, 3)    Unknown       Unknown       Unknown
  (slots 4, 5,x1)    Unknown       Unknown       Unknown
  (slots x2,x3,x4)   Unknown       Unknown       Unknown
Box 6    HW=0   Active_link=none
  (slots 1, 2, 3)    Unknown       Unknown       Unknown
  (slots 4, 5,x1)    Unknown       Unknown       Unknown
  (slots x2,x3,x4)   Unknown       Unknown       Unknown
Box 7    HW=0   Active_link=none
  (slots 1, 2, 3)    Unknown       Unknown       Unknown
  (slots 4, 5,x1)    Unknown       Unknown       Unknown
  (slots x2,x3,x4)   Unknown       Unknown       Unknown
Box 8    HW=0   Active_link=none
  (slots 1, 2, 3)    Unknown       Unknown       Unknown
  (slots 4, 5,x1)    Unknown       Unknown       Unknown
  (slots x2,x3,x4)   Unknown       Unknown       Unknown
Box 9    HW=0   Active_link=none
  (slots 1, 2, 3)    Unknown       Unknown       Unknown
  (slots 4, 5,x1)    Unknown       Unknown       Unknown
  (slots x2,x3,x4)   Unknown       Unknown       Unknown
Box 10   HW=0   Active_link=none
  (slots 1, 2, 3)    Unknown       Unknown       Unknown
  (slots 4, 5,x1)    Unknown       Unknown       Unknown
  (slots x2,x3,x4)   Unknown       Unknown       Unknown
Set Up Cross-Box Connections
You can also verify stack connectivity by setting up a simple
cross-box connection between a network port on one end of the stack
and a tool port on the other end of the stack.
So, for example, you could issue the following command on each of
the boxes shown in Figure 7-6 on page 121.
config xbconnect 1-2 to 4-2 alias stacktest
Issue the exact same xbconnect command on each box in the stack.
Then, send traffic across this xbconnection to verify connectivity.
NOTE: If data does not appear, see Troubleshooting Cross-Box Stacks on
page 125 for tips on resolving the problem.
NOTE: You may want to set up a second cross-box connection in the
opposite direction to verify connectivity in both directions (for
example, from 4-3 to 1-3).
Configuring Cross-Box Packet Distribution
When configuring cross-box packet distribution, keep in mind that
many of the standard single-box commands have cross-box
equivalents. The table below summarizes these commands.
Cross-box commands start with the letters “xb” (for “cross-box”). In
contrast to single-box packet distribution commands, cross-box
commands will typically expect port numbers to be specified in the
format bid-pid (Box ID-Port ID) instead of just pid (Port ID).
Both single-box and cross-box packet distribution commands are
discussed in detail in Introducing Packet Distribution on page 197.
Single-Box Command      Cross-Box Equivalent
config port-filter      config xbport-filter
config connect          config xbconnect
config map              config xbmap
config mapping          config xbmapping
Troubleshooting Cross-Box Stacks
If cross-box traffic is not flowing across the stacked boxes as expected,
there are a number of steps you should follow:
1. Use the following commands on each box in the system to verify
all configured stacking information is correct and matches what’s
entered in your stack map.
• Use the show system command to verify that Box_ID, x1_bid, x2_bid,
  and active_link settings are configured correctly for all systems.
• Use the show connect command to verify that port-type is configured
  correctly for all stacking ports.
• Use the show port-params command to verify that cable length is
  configured correctly for any GigaLINK-CU stacking ports.
Correct any mistakes and see if this resolves the problem.
2. If you are certain that stacking information has been correctly
entered for each box and traffic is still not flowing correctly,
verify that the active stacking ports on each box have their link
status set to 1, indicating that the link is up. You can do this with
the show port-params x1 and show port-params x2 commands.
The output from these commands gives the link status of the x1
and x2 ports, respectively. Verify that linkstatus = 1 for all active
x1/x2 stacking ports in the stack. If it is not, make sure your
cables are good and that the connectors are securely fastened.
3. If the link status for all active stacking ports in the stack is 1, the
next step is to verify that packets can traverse the stack from one
end to the other. If you have not already done so, create a simple
xbconnect using a network port on the first box of the stack and
send traffic to a tool port on the end box in the stack (see Verifying
a Cross-Box Stack’s Connectivity on page 122 for details on how to
do this).
If the packets now can pass through from one edge of the stack to
the other edge, then the problem was likely in the original flow
configuration commands (for example, xbconnect, xbmap, or
xbmapping) and/or how they were applied to all the boxes.
Check the Stacking Rules on page 110 for any violations.
4. If packets still do not pass through using the simple xbconnect,
then try the show port-params command for x1 and x2 again and
verify that linkstatus = 1 for active x1 and x2 stacking ports as
you did in Step 2. All active stacking ports must show a
linkstatus = 1 to indicate the stack links are up.
If linkstatus = 0 on an active stacking port, disconnect and
reconnect the cable at both ends and check the link status again. If
the links are now up then resend the traffic across the simple
xbconnect.
5. If packets still don’t pass, check the path from the first box to the
last box and every box in between.
Do so by creating an xbconnect from 1-1 to 1-4, 2-4, 3-4, 4-4, and
so on until the n-4 in the last box. Continue to send traffic into 1-1
and monitor for packets coming out at 2-4, 3-4, 4-4, and so on.
Record which ports do not have traffic coming out. The link
between the last box with traffic coming out and the one without
traffic coming out is likely where the link is configured
improperly. In addition, Link Status must be 1 for each of the
ports in the xbconnection. You can check the Link Status for a
port by using a show port-params command on its system.
Making Changes to an Existing Cross-Box Stack
This section describes how to make changes to an existing cross-box
stack already in place. The following common scenarios are covered:
• Adding a Box to the Edge of a Stack on page 127
• Remove a Box from the Edge of a Stack on page 128
• Adding a Box to the Middle of a Stack on page 128
• Disconnect a Box in the Middle of a Stack on page 129
NOTE: In general, for any changes to a cross-box stack, you should
make a new stack map and completely specify all details before
making any changes.
Adding a Box to the Edge of a Stack
To add a new box to the stack at its edge, do the following:
1. Configure the new box using the steps in Configuring a Box’s
Stacking Information on page 114.
2. Check the x1_bid and x2_bid lists for all the other boxes in the
stack and modify them as necessary to include this added box
(using the config system x1_bid and config system x2_bid
commands).
3. The active_link option on the original edge box of the stack will
need to be changed to both if it was set to only x1 or x2 before.
4. Boot the new box and log in as a super user.
5. Delete all existing xbconnect and xbmaps on each system.
6. Verify that traffic can flow to the new box using the procedure in
Verifying a Cross-Box Stack’s Connectivity on page 122.
Remove a Box from the Edge of a Stack
Whenever you remove a box from a cross-box stack, you should
update your stack map with all the new configuration information
before making any changes.
Use the following procedure to remove a box located at the edge of a
stack:
1. Power off the box to be removed and disconnect its stacking
cable.
2. Use the new stack map to verify and correct the x1_bid and
x2_bid lists for all the other boxes in the stack.
3. Once the new stack is complete and all boxes have been
configured correctly, remove all xbconnects and xbmaps and
apply the new xbconnect and xbmaps to each box in exactly the
same sequence. Since this is only a removal and no new stack
path is added, a stack path verification is not needed if there were
no problems with the path before.
Adding a Box to the Middle of a Stack
Whenever you make a change to a cross-box stack, you should
update your stack map with all the new configuration information
before making any changes.
To add a new box to the middle of the stack, do the following:
1. Configure the new box using the steps in Configuring a Box’s
Stacking Information on page 114.
2. Power off the box.
3. Insert the new box at the desired point in the stack by breaking
the stacking connection between the two boxes located there now.
Then, connect the new box's stacking ports to each of its
neighbors according to the updated stack map.
4. Power on the new box and log on as a super user.
5. Check the x1_bid and x2_bid lists for all the other boxes in the
stack and modify them as necessary to include this added box
(using the config system x1_bid and config system x2_bid
commands).
6. Boot the new box and log in as a super user.
7. Delete all existing xbconnect and xbmaps on each system in the
stack.
8. Verify that traffic can flow to the new box using the procedure in
Verifying a Cross-Box Stack’s Connectivity on page 122.
Disconnect a Box in the Middle of a Stack
There are two ways to disconnect a box in the middle of a cross-box
stack:
• Case 1: Create Two Separate Stacks on page 129
• Case 2: Recreate Stack with One Fewer Box on page 130
Case 1: Create Two Separate Stacks
In this case, you remove the box and create two new stacks from the
previous larger stack. For each new stack:
1. Create a new stack map.
2. Reconfigure the x1_bid and x2_bid lists for all the boxes in the
stack.
3. Reconfigure the active_link settings for the boxes that are newly
located at the edge of the stack, if necessary.
4. Delete all existing xbconnect and xbmaps on each system in the
stack.
5. If there were no problems with the cross box traffic flow before,
you probably do not need to perform the stack verification
procedure in Verifying a Cross-Box Stack’s Connectivity on
page 122, unless the stack links between the boxes have been
rearranged. In that case, a stack path check should be performed
before the new xbconnect and xbmaps are applied to each of the
boxes.
Case 2: Recreate Stack with One Fewer Box
1. Create a new stack map since this is essentially a new stack.
2. Reconfigure the x1_bid and x2_bid lists for all the boxes in the
stack.
3. Delete all existing xbconnect and xbmaps on each system in the
stack.
4. Verify that traffic can flow to the new box using the procedure in
Verifying a Cross-Box Stack’s Connectivity on page 122.
Power Loss Considerations for Cross-Box Stacks
This section provides some considerations for power loss to boxes in
a cross-box stack:
• Power Loss on Box in the Middle of a Stack on page 131
• Power Loss and Power Restore to the Entire Stack on page 131
Power Loss on Box in the Middle of a Stack
If you expect the power outage to be temporary, it’s generally best to
take no action at all – simply wait for the stack to restore itself once
the box is powered up again.
Any changes to the stack (for example, bypassing the non-functional
box) will require a new map configuration. Depending on the
complexity of your maps and your stack, it could take more time to
do this than it would to just wait for power to be restored (plus the
time required to change back to the initial configuration once power
is back).
Power Loss and Power Restore to the Entire Stack
Once power has been restored, the original stack will resume
operation, assuming all the boxes have their configuration saved in
flash. This is a good reason to perform a config save filename.cfg
after setting up cross-box packet distribution.
Chapter 8
Configuring GigaVUE-420 Security Options
This chapter describes how to set GigaVUE-420 options relating to
security – which users can log into the box, how users are
authenticated, who owns which ports, and the security level
currently in place.
Previous chapters provided you with the basic information needed to
get you up and running with user accounts of different levels
authenticating locally to the box. This chapter focuses on security in
the broader context of an overarching security strategy.
The chapter includes the following sections:
• About GigaVUE-420 Security on page 134
• Configuring Users and Passwords on page 135
• Configuring Lock Levels and Port Ownership on page 139
• Configuring Authentication (AAA) on page 143
About GigaVUE-420 Security
GigaVUE-420 provides an interlocking set of options that let you
create a comprehensive security strategy for the unit. These options
are summarized in the table below:
Security Tools          Description
Account Levels
    GigaVUE-420 uses three different account levels – super, normal, and
    audit. Each account level has a different set of privileges. For
    normal users, these privileges change depending on the overall
    lock-level in place on the unit (none, medium, or high).
    Super users can set up accounts using the config user command. See
    Configuring Users and Passwords on page 135 for details.
Port Ownership
    GigaVUE-420 can provide selective port access to different users.
    Super users can assign port ownership to normal users using the
    config port-owner command. Port privileges change for normal users
    depending on the overall lock-level in place on the unit.
    See Configuring Lock Levels and Port Ownership on page 139 for
    details.
Lock-Level
    GigaVUE-420 provides three different overall security levels (called
    lock-levels) for the unit – none, medium, or high. Privileges for
    normal users change depending on the lock-level in place.
    Super users can change the lock-level using the config system
    lock-level command. See Configuring Lock Levels and Port Ownership
    on page 139 for details.
Authentication
    GigaVUE-420 can authenticate users against a local user database or
    against the database stored on an external TACACS+ or RADIUS server.
    Super users can specify different authentication methods for the
    Console (serial) port and the Ethernet (SSH2/Telnet) port using the
    config system aaa command. See Configuring Authentication (AAA) on
    page 143 for details.
    NOTE: The serial Console port must always retain local
    authentication as a fallback option to prevent unintended lockouts.
Configuring Users and Passwords
You use the config user command to set up local user accounts on the
GigaVUE-420 unit. You can set up different user account levels –
super, normal, and audit – so that each user has rights that are
appropriate for the type of work they will be doing with the
GigaVUE-420.
The config user command has the following syntax:
config user <name-string> <password> <password-again>
[level <audit | normal | super>]
[description "string"]
The table below describes the arguments for the config user
command:
Argument                Description
<name-string>
    The name used for this user account. Names must consist of 5-30
    alphanumeric characters.
<password> <password-again>
    The password for this user account. Acceptable passwords include
    between 6-30 alphanumeric characters. At least one of the characters
    must be a numeral.
level <audit | normal | super>
    Specifies the account privileges for this user account. There are
    three types of user accounts ranging from the most privileges to the
    least – super, normal, and audit.
    • Super users have access to all ports on the box regardless of the
      lock-level in place. They can also perform all configuration
      commands.
    • Normal users have access to different ports depending on the
      lock-level in place. They cannot perform system configuration
      commands.
      • When lock-level = none, normal users have access to all network
        and tool ports.
      • When lock-level = medium, normal users have access to all
        network ports. However, they can only set up connections,
        filters, and maps for tool ports they own. Super users can
        assign port ownership to normal users using the config
        port-owner command.
      • When lock-level = high, normal users can only configure
        connections, filters, and maps for network and tool ports they
        own.
      NOTE: Appendix C, Lock-Level Reference provides full details on
      the different policies in place at each lock-level.
    • Audit users do not have access to any ports. Their access consists
      mainly of the ability to use the show command to see what basic
      settings are in place on the box.
description “string”
    The description string may contain spaces and other characters, but
    must be contained in quotation marks (for example, “IT User”). The
    maximum number of characters in a description string is 125
    alphanumeric characters.
    Description strings appear in the CLI display when performing a show
    user command.
Examples
The following config user commands create a new super user, normal user, and audit user:

config user MySuperUser 1password 1password level super description "New Super User Account"
    Creates a new account named MySuperUser with the password 1password and the description "New Super User Account."

config user MyNormalUser 2password 2password level normal description "New Normal User Account"
    Creates a new account named MyNormalUser with the password 2password and the description "New Normal User Account."

config user MyAuditUser 3password 3password level audit description "New Audit User Account"
    Creates a new account named MyAuditUser with the password 3password and the description "New Audit User Account."
Changing Passwords
Super users can change passwords for all other users with the config
password command. The syntax for this command is as follows:
config password [user <name-string> <new-password> <new-password-again>]
So, for example, to change the password of the MyNormalUser
created in the previous example to 25password, a super user would
use the following command:
config password user MyNormalUser 25password 25password
Maximum Simultaneous Sessions
The following table summarizes GigaVUE-420’s support for
simultaneous sessions:
Session Type   Maximum Simultaneous Sessions
Telnet         20 Telnet sessions, plus 1 serial session
SSH2           10 SSH2 sessions, plus 1 serial session
Configuring Lock Levels and Port Ownership
The config system lock-level and config port-owner commands
work together to specify what rights different accounts have on the
GigaVUE-420 unit.
The lock-level in force on the GigaVUE-420 can be none, medium, or
high. In general, as the lock-level increases, normal users have fewer
rights on the box, except for those ports to which they have been
assigned ownership using the config port-owner command.
Figure 8-1 summarizes this.
NOTE: The lock-level in place changes more than just port
availability. Complete details on the CLI rights available to each
account level (super, normal, and audit) at each lock-level (none,
medium, or high) are provided in Appendix C, Lock-Level Reference.
Figure 8-1 (image not reproduced): each panel shows a normal user who owns the green ports and does not own the red ports, with network ports 1-3 and tool ports 4-6 drawn for each lock-level.

Lock-Level = None
    When lock-level is set to none, normal users have access to all Network and Tool ports. Port ownership cannot be assigned when the lock-level is none.

Lock-Level = Medium
    When lock-level = medium, normal users have access to all Network ports. However, they can only set up connections, filters, and maps for Tool ports they own.

Lock-Level = High
    When lock-level = high, normal users can only configure connections, filters, and maps for Network and Tool ports they own.

Figure 8-1: How lock-level works with port-owner
Syntax for the config system lock-level Command
You use the config system lock-level command to specify the
lock-level in place on the GigaVUE-420 unit. The three levels are
none, medium, and high, as summarized below:
config system lock-level <none | medium | high>
For example, to set the lock-level to high, a super user would use the
following command:
config system lock-level high
Changing lock-level to none
You can only assign port ownership when the lock-level in place on
the GigaVUE-420 is either medium or high. Because of this, when
you change the lock-level from either medium or high to none, all
existing port-ownership assignments will be cleared. The
assignments will not be restored if you change the lock-level back to
medium or high.
Syntax for the config port-owner Command
Super users use the config port-owner command to assign port
ownership to local users.
NOTE: You can only assign port ownership when the lock-level in
place on the GigaVUE-420 is either medium or high. All users have
access to all ports when the lock-level is none.
NOTE: You assign port-ownership to TACACS+/RADIUS users
within the TACACS+/RADIUS server itself using an access control
list. See Setting up GigaVUE-420 Users in an External Authentication
Server on page 156 for details.
The config port-owner command has the following syntax:
config port-owner <port-alias | pid-list | pid-x..pid-y> owner <name-string>
The table below describes the arguments for the config port-owner
command:
<port-alias | pid-list | pid-x..pid-y>
    Specifies the ports to which the named user will be granted ownership. You can grant ownership to a single port (either by alias or number), a list of ports, or a contiguous series of ports.

owner <name-string>
    The name of the account being granted port ownership.
Examples
The following config port-owner commands illustrate different ways to assign port ownership:

config port-owner 1..6 owner MyNormalUser
    Grants ownership of ports 1-6 to the user named MyNormalUser.

config port-owner ToolPort owner User2000
    Grants ownership of the port with the alias ToolPort to the user named User2000.

config port-owner 3 6 12 owner User3000
    Grants ownership of ports 3, 6, and 12 to the user named User3000.
Configuring Authentication (AAA)
You use the config system aaa option to specify whether GigaVUE-420 logins are authenticated against a local user database or against the database in an external authentication server (TACACS+ or RADIUS). You can also use an external authentication server as your primary authentication method with local authentication as a fallback (Figure 8-2). The fallback is used when an authentication server is unreachable.
Separate User Databases for Local and External Users
The local and RADIUS/TACACS+ user databases are completely
separate. Users authenticating with RADIUS/TACACS+ do not need
to have duplicate accounts created in the local user database. They
only need to appear in the RADIUS/TACACS+ database. See Using
GigaVUE-420 with an External Authentication Server on page 148 for
details on how to assign rights to GigaVUE-420 users within the
RADIUS or TACACS+ server.
Local vs. External Authentication
When using external authentication (RADIUS or TACACS+), logins are verified against accounts stored remotely on the external server. When using local authentication, logins are verified against accounts stored locally on the GigaVUE-420.
Figure 8-2: Local vs. External Authentication
Authentication Options
The config system aaa command provides flexible options for
authentication:
• You can set the config system aaa option differently for logins made via SSH2/Telnet over the Ethernet port and local logins made over the Console (serial) port. For example, you could specify that SSH2/Telnet logins be authenticated using RADIUS or TACACS+ while local logins could rely on the local user database.
• You can set fallback options for both the Mgmt port and the Console port. You do this by enabling both external (RADIUS and/or TACACS+) and local authentication. When you do this, GigaVUE-420 authenticates users using the methods in the same order you specify them in the config system aaa command.
  For example, the following command specifies that users logging in via SSH2/Telnet to the Mgmt port should first be authenticated using the TACACS+ server(s) specified by the config tac_server command. If those servers are unavailable, authentication can then fall back to the local user database.
      config system aaa ethernet tacacs+ local
  The same command for a RADIUS server set up with config rad_server would look like this:
      config system aaa ethernet radius local
• You can even use both RADIUS and TACACS+ for the same port; GigaVUE-420 tries the methods in the same order in which they are specified. For example:
      config system aaa ethernet radius tacacs+ local
  If the RADIUS servers are down, GigaVUE-420 uses the TACACS+ servers. If the TACACS+ servers are down, GigaVUE-420 falls back to local authentication.
Console Port Always Retains Local Authentication!
To prevent accidental lockouts, GigaVUE-420 always preserves local
authentication for the Console (serial) port. This way, if an external
authentication server goes down, you can still gain access to the box
through the local Console port.
For example, after issuing the following command, the system would
automatically add local authentication to the Console port. It would
not let you leave the Console port with only TACACS+
authentication.
config system aaa serial tacacs+
Syntax for the config system aaa Command
Super users use the config system aaa command to specify how users
will be authenticated on both the Ethernet (SSH2/Telnet) and
Console (serial) port.
The config system aaa command has the following syntax:
config system aaa <serial | ethernet> <[tacacs+] [radius] [local]>
The table below describes the arguments for the config system aaa
command:
<serial | ethernet>
    Specifies which GigaVUE-420 port you are configuring authentication for:
    • serial – Console port.
    • ethernet – Mgmt port.

<[tacacs+] [radius] [local]>
    Specifies which authentication methods should be used for the specified port and the order in which they should be used.
    You can enable all authentication methods for either port. If you enable more than one method, GigaVUE-420 uses the methods in the same order in which they are specified, falling back as necessary. If the first method fails, it will fall back to the secondary method, and so on.
    If you enable radius or tacacs+, you must also:
    • Configure the RADIUS or TACACS+ server using the corresponding config rad_server or config tac_server command.
    • Set up GigaVUE-420 users within the RADIUS/TACACS+ server itself.
    These two steps are described in Using GigaVUE-420 with an External Authentication Server on page 148.
    NOTE: GigaVUE-420 always preserves local authentication for the Console (serial) port to prevent accidental lockouts.
Examples
The following config system aaa commands demonstrate
different ways to set up authentication:
config system aaa ethernet local
    Specifies that SSH2/Telnet logins made over the Mgmt port will be authenticated solely using the local user database created with the config user command.

config system aaa ethernet tacacs+ local
config system aaa ethernet radius local
    Two examples of external authentication, one using a TACACS+ server and the other using a RADIUS server.
    Both commands specify that SSH2/Telnet logins made over the Mgmt port will be authenticated using the external servers set up with the config tac_server or config rad_server command.
    You can specify as many as five external authentication servers of each type; if the first server experiences a failure, GigaVUE-420 will try the next until all of the named servers have been tried. Servers are used in the same order they were specified.
    If authentication fails with all of the named external servers, these commands specify that GigaVUE-420 will then fall back to local authentication.

config system aaa serial tacacs+
    Specifies that local logins made over the Console port will be authenticated using the TACACS+ servers set up with the config tac_server command.
    If you use this command, GigaVUE-420 will automatically add local authentication to prevent you from accidentally locking yourself out of the box should the TACACS+ servers fail.
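The fallback order described above is easy to get wrong when several methods and servers are stacked on one line, so it helps to model it. The following Python is an added example written against this guide's text; it is not Gigamon code and the unit's real behaviour is only what the guide states. It applies the documented rules: methods are tried in the order given on the config system aaa line, each method tries up to five servers in order, an unreachable server is skipped for the next, and the serial port always keeps local authentication. The guide describes fallback in terms of servers being unreachable; whether a reachable server's explicit reject also falls through to the next method is not stated, so the model treats a reject as final (an assumption to verify on your own unit). RADIUS max_tries retries are not modelled. Server aliases, users and passwords are constructed sample data.

```python
METHODS = ("tacacs+", "radius", "local")
MAX_SERVERS = 5          # the guide allows up to five servers of each type


def effective_methods(port, methods):
    """Method order the unit applies for: config system aaa <port> <methods>.

    Methods are tried in the order given. The serial (Console) port always
    keeps local authentication, so "local" is appended there if it is missing.
    """
    if port not in ("serial", "ethernet"):
        raise ValueError("port must be 'serial' or 'ethernet'")
    chain = []
    for method in methods:
        if method not in METHODS:
            raise ValueError(f"unknown method {method!r}")
        if method not in chain:
            chain.append(method)
    if not chain:
        raise ValueError("at least one authentication method is required")
    if port == "serial" and "local" not in chain:
        chain.append("local")
    return chain


def authenticate(chain, servers, local_users, username, password):
    """Walk one login through the fallback chain; returns (accepted, trace).

    servers maps "tacacs+" / "radius" to an ordered list of server records
    ({"alias", "reachable", "users"}). An unreachable server is skipped for
    the next one; when every server of a method is down, the next method is
    tried. Assumption (not stated in the guide): a reject from a reachable
    server ends the attempt instead of falling through to the next method.
    """
    trace = []
    for method in chain:
        if method == "local":
            accepted = local_users.get(username) == password
            trace.append(("local", "accept" if accepted else "reject"))
            return accepted, trace
        for server in servers.get(method, [])[:MAX_SERVERS]:
            if not server["reachable"]:
                trace.append((server["alias"], "unreachable"))
                continue
            accepted = server["users"].get(username) == password
            trace.append((server["alias"], "accept" if accepted else "reject"))
            return accepted, trace
    # No method produced an answer: this is the lockout case for the Mgmt
    # port when "local" was left off the line and all servers are down.
    return False, trace


# Constructed sample data (not from the guide): TAC1 and RAD1 are down.
SERVERS = {
    "tacacs+": [
        {"alias": "TAC1", "reachable": False, "users": {"alice": "1password"}},
        {"alias": "TAC2", "reachable": True, "users": {"alice": "1password"}},
    ],
    "radius": [
        {"alias": "RAD1", "reachable": False, "users": {"alice": "1password"}},
    ],
}
LOCAL_USERS = {"MySuperUser": "1password"}

if __name__ == "__main__":
    print(effective_methods("serial", ["tacacs+"]))
    print(effective_methods("ethernet", ["radius", "tacacs+", "local"]))
    print(authenticate(effective_methods("ethernet", ["tacacs+", "local"]),
                       SERVERS, LOCAL_USERS, "alice", "1password"))
    print(authenticate(["radius"], SERVERS, LOCAL_USERS, "MySuperUser", "1password"))
```

The last call in the demonstration is the case worth checking before you commit a config: an ethernet line with no local method and every external server down yields no accept path at all, which on the real unit means SSH2/Telnet access is lost until a server comes back or someone reaches the Console port.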
Using GigaVUE-420 with an External
Authentication Server
If you enable either RADIUS or TACACS+ authentication with the
config system aaa command, you must also perform some additional
configuration tasks, both within GigaVUE-420 and the external server
itself:
Step 1: Configure GigaVUE-420. Once you have enabled RADIUS or TACACS+ authentication using the config system aaa command described in Configuring Authentication (AAA) on page 143, specify the RADIUS or TACACS+ servers to be used for authentication. See Specifying TACACS+ Servers in GigaVUE-420 on page 149 and Specifying RADIUS Servers in GigaVUE-420 on page 152.

Step 2: Configure the Authentication Server. Configure the external authentication server by creating accounts for GigaVUE-420 users within the server itself, specifying both the account level and port ownership privileges. See Setting up GigaVUE-420 Users in an External Authentication Server on page 156.

Figure 8-3: Steps to Use GigaVUE-420 with a TACACS+ Server
Separate User Databases for Local and RADIUS/TACACS+
The local and RADIUS/TACACS+ databases are completely
separate. Users authenticating with RADIUS or TACACS+ do not
need to have duplicate accounts created in the local user database.
They only need to appear in the RADIUS/TACACS+ database.
When a RADIUS/TACACS+ user logs in successfully, GigaVUE-420
creates user account information dynamically in RAM. When the
session is terminated, GigaVUE-420 removes the account
information.
Specifying TACACS+ Servers in GigaVUE-420
Super users use the config tac_server command to specify the
TACACS+ servers to be used for authentication. You can specify as
many as five different TACACS+ servers. Servers are used as
fallbacks in the same order they are specified – if the first server fails,
the second is tried, and so on, until all named servers have been used.
NOTE: Once a connection is made to a particular TACACS+ server,
the system will continue to connect to this TACACS+ server first until
the system is rebooted. Because of this, it is important to configure
the primary TACACS+ server as the first server and then configure
the backup TACACS+ servers as the second, third, fourth, or fifth.
Syntax for the config tac_server Command
The syntax for the config tac_server command is as follows:
config tac_server host <ipaddr>
key "string"
[port <value>]
[timeout <1~90>] (seconds)
[single_connection <1 | 0>]
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
[alias <alias-string>]
The table below describes the arguments for the config tac_server
command:
host <ipaddr>
    Specifies the IP address of the TACACS+ server.

key "string"
    Specifies the shared key used to encrypt the authentication packets sent between GigaVUE-420 and the TACACS+ server. (TACACS+ obfuscates the packet body with a keystream derived from this key, so the key is the only protection the exchange has; choose it accordingly.)
    An empty key string ("") indicates that no key will be used. Without a key, there will be no encryption of the packets between the TACACS+ server and the GigaVUE-420 system.

[port <value>]
    Specifies the port to be used on the TACACS+ server. If you do not specify a value, GigaVUE-420 will default to the standard TACACS+ port number of 49.

[timeout <1~90>] (seconds)
    Specifies how long GigaVUE-420 should wait for a response from the TACACS+ server to an authentication request before declaring a timeout failure. The default value is three seconds.

[single_connection <1 | 0>]
    Specifies whether GigaVUE-420 should use the same connection for multiple TACACS+ transactions (authentication, accounting, and so on), or open a new connection for each transaction:
    • 1 – TACACS+ transactions will use the same session with the server. The socket will remain open after it is first opened.
    • 0 – Each TACACS+ transaction opens a new socket. The socket is closed when the session is done.
    The default is disabled (0).

[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
    These options specify how privilege level checks are performed for TACACS+ servers.
    • priv_lvl_check specifies how GigaVUE-420 should assign user rights for TACACS+ users.
      • If this option is enabled (the default), the three _priv_lvl options below it are used to map privilege levels for the corresponding user types (Audit, Normal, and Super).
      • If this option is not enabled, all TACACS+ users log in with Super user rights.
    • super_priv_lvl specifies the TACACS+ privilege level that will be mapped to GigaVUE-420's Super user level when priv_lvl_check is enabled.
    • normal_priv_lvl specifies the TACACS+ privilege level that will be mapped to GigaVUE-420's Normal user level when priv_lvl_check is enabled.
    • audit_priv_lvl specifies the TACACS+ privilege level that will be mapped to GigaVUE-420's Audit user level when priv_lvl_check is enabled.
    NOTE: If no values are specified for the three _priv_lvl options and privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2 (Audit, Normal, and Super, respectively).
    NOTE: GigaVUE-420 will not let you enter out-of-order privilege levels. The value specified for super must be higher than that specified for normal, and so on.

[alias <alias-string>]
    Specifies an alphanumeric alias for this TACACS+ server to be used in show tac_server displays.
Examples
The following config tac_server commands demonstrate different
ways to specify a TACACS+ server:
config tac_server host 192.168.1.225 key "gv" priv_lvl_check 1 super_priv_lvl 10 normal_priv_lvl 5 audit_priv_lvl 0 alias TAC1
    Specifies that:
    • Users logging in via TACACS+ will be authenticated against the TACACS+ server at 192.168.1.225.
    • Authentication packets will be encrypted using the string gv.
    • Default values will be used for the port, timeout, and single_connection arguments.
    • GigaVUE-420 will map TACACS+ privilege levels to its own account levels: TACACS+ users with privilege level 10 will receive Super user privileges, 5 will receive Normal, and 0 will receive Audit.
    • The alias for this TACACS+ server is TAC1.

config tac_server host 192.168.1.12 key "mykey" port 234 alias TAC2
    Specifies that:
    • Users logging in via TACACS+ will be authenticated against the TACACS+ server at 192.168.1.12.
    • Authentication packets will be encrypted using the string mykey.
    • The non-standard port 234 will be used instead of 49.
    • Default values will be used for the timeout and single_connection arguments.
    • The default 2/1/0 privilege level mappings (Super/Normal/Audit) will be used.
    • The alias for this TACACS+ server is TAC2.
    NOTE: If this command was used after the command in the previous row, this server would be the backup TACACS+ server for the previously-specified server.
Figure 8-4 shows the results of a show tac_server command for the
servers set up in the previous examples:
Figure 8-4: Results of a show tac_server Command
Specifying RADIUS Servers in GigaVUE-420
Super users use the config rad_server command to specify the
RADIUS servers to be used for authentication. You can specify as
many as five different RADIUS servers. Servers are used as fallbacks
in the same order they are specified – if the first server fails, the
second is tried, and so on, until all named servers have been used.
NOTE: Once a connection is made to a particular RADIUS server, the
system will continue to connect to this RADIUS server first until the
system is rebooted. Because of this, it is important to configure the
primary RADIUS server as the first server and then configure the
backup RADIUS servers as the second, third, fourth, or fifth.
Syntax for the config rad_server Command
The syntax for the config rad_server command is as follows:
config rad_server host <ipaddr>
key "string"
[authen_port <1~65535>]
[account_port <1~65535>]
[timeout <1~90>] (seconds)
[max_tries <1~10>]
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
[alias <alias-string>]
The table below describes the arguments for the config rad_server
command:
host <ipaddr>
    Specifies the IP address of the RADIUS server.

key "string"
    Specifies the shared secret used to protect the authentication packets sent between GigaVUE-420 and the RADIUS server. (RADIUS uses the shared secret to obfuscate the User-Password attribute and to authenticate packets; the remaining attributes travel in the clear, so keep the path to the server on a trusted management network.)
    An empty key string ("") indicates that no key will be used. Without a key, there will be no encryption of the packets between the RADIUS server and the GigaVUE-420 system.

[authen_port <1~65535>]
    Specifies the authentication port to be used on the RADIUS server. If you do not specify a value, GigaVUE-420 will default to the standard RADIUS authentication port number of 1812.

[account_port <1~65535>]
    Specifies the accounting port to be used on the RADIUS server. If you do not specify a value, GigaVUE-420 will default to the standard RADIUS accounting port number of 1813.

[timeout <1~90>] (seconds)
    Specifies how long GigaVUE-420 should wait for a response from the RADIUS server to an authentication request before declaring a timeout failure. The default value is three seconds.

[max_tries <1~10>]
    Specifies the maximum number of times GigaVUE-420 will retry a failed connection to this RADIUS server before falling back to the next authentication method specified by the config system aaa command currently in place. The default value is three tries.

[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
    These options specify how privilege level checks are performed for RADIUS servers.
    • priv_lvl_check specifies how GigaVUE-420 should assign user rights for RADIUS users.
      • If this option is enabled (the default), the three _priv_lvl options below it are used to map privilege levels for the corresponding user types (Audit, Normal, and Super).
      • If this option is not enabled, all RADIUS users log in with Super user rights.
    • super_priv_lvl specifies the RADIUS privilege level that will be mapped to GigaVUE-420's Super user level when priv_lvl_check is enabled.
    • normal_priv_lvl specifies the RADIUS privilege level that will be mapped to GigaVUE-420's Normal user level when priv_lvl_check is enabled.
    • audit_priv_lvl specifies the RADIUS privilege level that will be mapped to GigaVUE-420's Audit user level when priv_lvl_check is enabled.
    NOTE: If no values are specified for the three _priv_lvl options and privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2 (Audit, Normal, and Super, respectively).
    NOTE: GigaVUE-420 will not let you enter out-of-order privilege levels. The value specified for super must be higher than that specified for normal, and so on.

[alias <alias-string>]
    Specifies an alphanumeric alias for this RADIUS server to be used in show rad_server displays.
Examples
The following config rad_server commands demonstrate different
ways to specify a RADIUS server:
config rad_server host 192.168.1.72 key "gvmp" priv_lvl_check 1 super_priv_lvl 15 normal_priv_lvl 10 audit_priv_lvl 5 alias RAD1
    Specifies that:
    • Users logging in via RADIUS will be authenticated against the RADIUS server at 192.168.1.72.
    • Authentication packets will be encrypted using the string gvmp.
    • Default values will be used for the authentication port, accounting port, timeout, and max_tries arguments.
    • GigaVUE-420 will map RADIUS privilege levels to its own account levels: RADIUS users with privilege level 15 will receive Super user privileges, 10 will receive Normal, and 5 will receive Audit.
    • The alias for this RADIUS server is RAD1.

config rad_server host 192.168.1.76 key "lowkey" authen_port 2500 account_port 2501 alias RAD2
    Specifies that:
    • Users logging in via RADIUS will be authenticated against the RADIUS server at 192.168.1.76.
    • Authentication packets will be encrypted using the string lowkey.
    • Non-standard authentication and accounting ports (2500 and 2501) will be used.
    • Default values will be used for the timeout and max_tries arguments.
    • The default 2/1/0 privilege level mappings (Super/Normal/Audit) will be used.
    • The alias for this RADIUS server is RAD2.
    NOTE: If this command was used after the command in the previous row, this server would be the backup RADIUS server for the previously-specified server.
Figure 8-5 shows the results of a show rad_server command for the
servers set up in the previous examples:
Figure 8-5: Results of a show rad_server Command
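The privilege-level options and their constraints are the same for config tac_server (page 149) and config rad_server (above), and they decide what an externally authenticated user becomes once the server says yes. The following Python is an added example, not part of this guide or of Gigamon's software: it enforces the documented value ranges (2~15, 1~14, 0~13), the super > normal > audit ordering the unit refuses to violate, the 2/1/0 defaults, and flags the two settings that silently weaken a server entry (an empty key, and priv_lvl_check 0, which makes every external user a super user). How the unit treats a server-supplied level that matches none of the three configured values is not stated in the guide; the example assumes only exact matches are accepted and returns None otherwise.

```python
from dataclasses import dataclass

# Value ranges the CLI accepts for the three _priv_lvl options.
RANGES = {"super": (2, 15), "normal": (1, 14), "audit": (0, 13)}


@dataclass(frozen=True)
class PrivLevels:
    """The super/normal/audit mapping of one tac_server or rad_server entry.
    Defaults are the ones the guide lists: 2, 1 and 0."""
    super_priv_lvl: int = 2
    normal_priv_lvl: int = 1
    audit_priv_lvl: int = 0

    def __post_init__(self):
        values = {"super": self.super_priv_lvl,
                  "normal": self.normal_priv_lvl,
                  "audit": self.audit_priv_lvl}
        for name, value in values.items():
            lo, hi = RANGES[name]
            if not lo <= value <= hi:
                raise ValueError(f"{name}_priv_lvl {value} is outside {lo}~{hi}")
        # The unit refuses out-of-order levels: super > normal > audit.
        if not values["super"] > values["normal"] > values["audit"]:
            raise ValueError("privilege levels must satisfy super > normal > audit")

    def account_level(self, server_priv_lvl, priv_lvl_check=True):
        """Account level for a user whose server returned server_priv_lvl.

        With priv_lvl_check disabled every external user becomes a super
        user. Assumption (the guide does not say): only an exact match with
        one of the three configured values counts; anything else returns
        None so the caller can refuse the login.
        """
        if not priv_lvl_check:
            return "super"
        mapping = {self.super_priv_lvl: "super",
                   self.normal_priv_lvl: "normal",
                   self.audit_priv_lvl: "audit"}
        return mapping.get(server_priv_lvl)


def is_valid(super_lvl, normal_lvl, audit_lvl):
    """True if the CLI would accept this combination of _priv_lvl values."""
    try:
        PrivLevels(super_lvl, normal_lvl, audit_lvl)
    except ValueError:
        return False
    return True


def server_warnings(key, priv_lvl_check=True):
    """The two settings the guide describes that silently weaken a server entry."""
    warnings = []
    if key == "":
        warnings.append("empty key: packets to the server are not encrypted")
    if not priv_lvl_check:
        warnings.append("priv_lvl_check 0: every external user logs in as super")
    return warnings


if __name__ == "__main__":
    tac1 = PrivLevels(10, 5, 0)          # the TAC1 example on page 151
    for lvl in (10, 5, 0, 7):
        print(lvl, "->", tac1.account_level(lvl))
    print(is_valid(5, 10, 0), is_valid(16, 1, 0))
    print(server_warnings(key="", priv_lvl_check=False))
```

Run it against the values you intend to type into config tac_server or config rad_server; if is_valid() rejects them the unit will too, and if server_warnings() is non-empty, the entry grants more than you probably meant.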
Setting up GigaVUE-420 Users in an
External Authentication Server
Each user logging into the GigaVUE-420 via an external
authentication server (either TACACS+ or RADIUS) must have an
account entry on the server. Accounts in the external server for
GigaVUE-420 users must conform to the following rules:
• GigaVUE-420 accounts must have a password assigned.
• GigaVUE-420 accounts must have the Shell (exec) setting enabled.
• GigaVUE-420 accounts must be assigned a privilege level.
  • If the priv_lvl_check option is enabled (the default), GigaVUE-420 users can be assigned any account level from 0-15. The account levels specified in the TACACS+/RADIUS server will be mapped to the GigaVUE-420 levels using the settings specified for super_priv_lvl, normal_priv_lvl, and audit_priv_lvl.
  • If the priv_lvl_check option is disabled, GigaVUE-420 users will all log in with Super user privileges.
• GigaVUE-420 accounts must have an Access Control List value specified. You construct the ACL string in the same way regardless of whether you are using RADIUS or TACACS+. However, Cisco ACS provides different fields for each security protocol:
  • RADIUS users include the ACL as part of the Class field.
  • TACACS+ users include the ACL in the supplied ACL field.
  See the following sections for details:
  • See Granting Port Ownership with an Access Control List on page 157 for information on how to construct an ACL string.
  • See Configuring RADIUS Users in Cisco Access Control Server on page 159 for information on where to supply the ACL string for RADIUS.
  • See Configuring TACACS+ Users in Cisco Access Control Server on page 162 for information on where to supply the ACL string for TACACS+.
Granting Port Ownership with an Access Control List
As described in Configuring Lock Levels and Port Ownership on
page 139, the lock-level in force on the GigaVUE-420 specifies what
rights normal accounts have on the GigaVUE-420 unit. As the
lock-level increases to either medium or high, normal users have
fewer rights on the box, except for those ports to which they have
been assigned ownership.
Local users are designated port ownership using the config
port-owner command. However, to assign port ownership to
externally authenticated users, you must create an access control list
(ACL) for the user and supply it in the appropriate location in the
RADIUS/TACACS+ server (see Configuring RADIUS Users in Cisco
Access Control Server on page 159 and Configuring TACACS+ Users in
Cisco Access Control Server on page 162).
NOTE: Privilege level and ACL values are separate entries in the
external authentication server configuration.
The ACL is a 32-bit word representing the GigaVUE-420 ports that
assigns port ownership to the user. The bits in the ACL are mapped
as follows:
Bits       Description
1-20       Ports 1-20 on the GigaVUE-420 system.
21-24      10 Gb ports (x1-x4) when configured as network or tool ports.
0, 25-31   Ignored.
You assign port ownership by filling in hex values for the bits in the
ACL:
• Bits set to true (1) indicate that the user owns this port.
• Bits set to false (0) indicate that the user does not own the port.
NOTE: The values shown in the Binary and Hex rows below would
provide a normal user ownership of ports 1, 3, 8, 13, 20, and x2 (the x2
10 Gb port configured as either a network or tool port) with the ACL
of 0x0050210a.
Bit     31  30  29  28  27  26  25  24  23  22  21  20  19  18  17  16
Port    n/a n/a n/a n/a n/a n/a n/a x4  x3  x2  x1  20  19  18  17  16
Binary  0   0   0   0   0   0   0   0   0   1   0   1   0   0   0   0
Hex     0               0               5               0

Bit     15  14  13  12  11  10  9   8   7   6   5   4   3   2   1   0
Port    15  14  13  12  11  10  9   8   7   6   5   4   3   2   1   n/a
Binary  0   0   1   0   0   0   0   1   0   0   0   0   1   0   1   0
Hex     2               1               0               a
Examples
The following examples illustrate how to fill out the ACL:
ACL Value    Meaning
0x005ffffe   Sets bits 1-20 and 22, assigning a normal user ownership of ports 1-20 and x2. Bits 21, 23 and 24 (x1, x3 and x4) are not set by this value; to cover every port in the bit map above, set bits 1-24, which is 0x01fffffe.
0x0050210a   Assigns a normal user ownership of ports 1, 3, 8, 13, 20 and x2 (the x2 10 Gb port configured as either a network or tool port).
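Hand-counting bits in a 32-bit word is how a user ends up owning the wrong port, so it is worth building and checking ACL values in code. The following Python is an added example (not from this guide or from Gigamon); it encodes the bit map above (bits 1-20 = ports 1-20, bits 21-24 = x1-x4, bit 0 and bits 25-31 ignored) from a list of port names, decodes a value back to port names, and flags any set bits the unit ignores, which usually means the mask was counted from the wrong end. The value it produces is what goes into the Class field (RADIUS) or the Access control list field (TACACS+) in Cisco ACS, described in the next two sections. Decoding 0x005ffffe with this map gives ports 1-20 and x2; every bit from 1 to 24 set is 0x01fffffe.

```python
import re

# Bit map from the guide: bits 1-20 are ports 1-20, bits 21-24 are the 10 Gb
# ports x1-x4 (when configured as network or tool ports), bit 0 and bits
# 25-31 are ignored by the unit.
PORT_BITS = {**{str(n): n for n in range(1, 21)},
             **{f"x{n}": 20 + n for n in range(1, 5)}}
BIT_PORTS = {bit: port for port, bit in PORT_BITS.items()}
VALID_MASK = sum(1 << b for b in range(1, 25))      # 0x01fffffe
IGNORED_MASK = 0xFFFFFFFF & ~VALID_MASK             # bit 0 and bits 25-31


def acl_from_ports(ports):
    """Build the 32-bit ACL word from port names such as 1, "13" or "x2"."""
    acl = 0
    for name in ports:
        bit = PORT_BITS.get(str(name))
        if bit is None:
            raise ValueError(f"unknown port {name!r}; expected 1-20 or x1-x4")
        acl |= 1 << bit
    return acl


def ports_from_acl(acl):
    """Decode an ACL word into the owned ports, skipping the ignored bits."""
    if not 0 <= acl <= 0xFFFFFFFF:
        raise ValueError("ACL must fit in 32 bits")
    return [BIT_PORTS[b] for b in range(1, 25) if acl >> b & 1]


def ignored_bits(acl):
    """Set bits that carry no meaning. A non-empty list usually means the
    mask was counted from bit 0 instead of bit 1, or is wider than 24 ports."""
    return [b for b in range(32) if (acl & IGNORED_MASK) >> b & 1]


def format_acl(acl):
    """Render as the 0xXXXXXXXX form used in the ACS Class / ACL fields."""
    return f"0x{acl:08x}"


def parse_acl(text):
    """Parse "0x0050210a" or "0050210a" as it would be typed into ACS."""
    m = re.fullmatch(r"(?:0x)?([0-9a-fA-F]{1,8})", text.strip())
    if not m:
        raise ValueError(f"not an ACL value: {text!r}")
    return int(m.group(1), 16)


if __name__ == "__main__":
    print(format_acl(acl_from_ports([1, 3, 8, 13, 20, "x2"])))   # 0x0050210a
    for value in ("0x0050210a", "0x005ffffe", "0x01fffffe"):
        acl = parse_acl(value)
        print(value, "->", ", ".join(ports_from_acl(acl)),
              "ignored bits:", ignored_bits(acl))
```

Before pasting a value into ACS, run it through parse_acl() and ports_from_acl() and compare the port list against what the user is supposed to own at the current lock-level; an off-by-one in the mask silently grants a neighbouring port.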
Configuring RADIUS Users in Cisco Access Control Server
You can use Cisco’s Secure Access Control Server (ACS) to perform
external authentication of GigaVUE-420 users. Use the following
steps to configure the ACS to perform RADIUS authentication of
GigaVUE-420 users.
1. First, configure a RADIUS AAA client in ACS. Open Network
Configuration and change the AAA server type to RADIUS.
Make sure traffic is set to inbound/outbound.
2. In the Network Configuration panel, set the following options:
   • Set Authenticate Using to RADIUS (IETF).
   • Check the Log Update/Watchdog Packets from this AAA Client box.
3. In the System Configuration: Logging panel, set the following options:
   a. Enable Log to CSV RADIUS Accounting.
   b. Set the following fields as Logged Attributes:
      • NAS-IP-Address
      • Calling-Station-Id
      • User-Name
      • Description
      • Acct-Status-Type
      • Acct-Session-Id
      • Acct-Terminate-Cause
4. Create a RADIUS user group with no TACACS+ settings.
5. Uncheck every box in the RADIUS settings for the group except the Class box. For the Class box, use a string that specifies the privilege level and port ownership for users in the group.
   • The priv-lvl=x portion of the string specifies the privilege level to be used for users in this group. If the priv_lvl_check option is enabled in the GigaVUE-420 CLI (the default) and you did not specify a custom normal_priv_lvl, use 1 for normal users. If you did assign a custom value to normal_priv_lvl, use that value here.
   • The acl=0xXXXXXXXX portion of the string is the Access Control List. As described in Granting Port Ownership with an Access Control List on page 157, the ACL is a 32-bit word representing the GigaVUE-420 ports that assigns port ownership to the user.
   So, for example, the following string in the Class box specifies that users in this group log in as normal users (priv-lvl 1) and own the ports set in ACL 0x005ffffe:
       priv-lvl=1, acl=0x005ffffe
6. Associate users with this RADIUS group.
Figure 8-6 shows the ACL field in Cisco ACS for a RADIUS user.
(Figure 8-6 callout: Supply the priv-lvl and ACL in the Class field.)
Figure 8-6: Supplying the ACL in the Class Field for RADIUS
Configuring GigaVUE-420 Security Options
161
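To sanity-check the Class strings pasted into ACS groups, here is an added Python helper (not Gigamon's or Cisco's code) that composes and parses the priv-lvl=<n>, acl=0x<word> string, lists the bits set in the 32-bit ACL word, and applies the rule above: with priv_lvl_check enabled, a normal user's group must carry exactly normal_priv_lvl. Which ACL bit maps to which port is defined on page 157 and is not reproduced here, so the helper reports raw bit positions only; the guide's own example value 0x005ffffe sets bits 1 through 20 and bit 22.

```python
"""Compose and check the Class attribute GigaVUE-420 reads from a RADIUS
reply: "priv-lvl=<n>, acl=0x<8 hex digits>".  Added example, not Gigamon's
or Cisco's code.  The ACL bit-to-port mapping (page 157 of the guide) is
NOT reproduced here; this helper works with raw bit positions only."""
import re

ACL_BITS = 32                                   # the ACL is a 32-bit word
CLASS_RE = re.compile(
    r"^\s*priv-lvl\s*=\s*(?P<priv>\d+)\s*,\s*acl\s*=\s*0x(?P<acl>[0-9a-fA-F]{1,8})\s*$")


def acl_from_bits(bits):
    """Build the 32-bit ACL word from an iterable of bit positions (0..31)."""
    word = 0
    for b in bits:
        if not 0 <= b < ACL_BITS:
            raise ValueError("ACL bit out of range: %d" % b)
        word |= 1 << b
    return word


def bits_from_acl(word):
    """Return the bit positions set in an ACL word, lowest first."""
    return [b for b in range(ACL_BITS) if word >> b & 1]


def compose_class(priv_lvl, acl_word):
    """Produce the exact string to paste into the ACS Class box."""
    if not 0 <= acl_word < 1 << ACL_BITS:
        raise ValueError("ACL must fit in 32 bits")
    return "priv-lvl=%d, acl=0x%08x" % (priv_lvl, acl_word)


def parse_class(text):
    """Parse a Class string; raise ValueError if it is not in the expected form."""
    m = CLASS_RE.match(text)
    if not m:
        raise ValueError("malformed Class attribute: %r" % text)
    return {"priv_lvl": int(m.group("priv")), "acl": int(m.group("acl"), 16)}


def check_normal_user(text, normal_priv_lvl=1, priv_lvl_check=True):
    """Mirror the guide's rule: with priv_lvl_check on (the device default), a
    normal user's group must carry exactly normal_priv_lvl (default 1).
    An all-zero ACL is flagged because it grants ownership of no ports."""
    try:
        c = parse_class(text)
    except ValueError as exc:
        return False, str(exc)
    if priv_lvl_check and c["priv_lvl"] != normal_priv_lvl:
        return False, "priv-lvl %d does not match normal_priv_lvl %d" % (
            c["priv_lvl"], normal_priv_lvl)
    if c["acl"] == 0:
        return False, "acl grants ownership of no ports"
    return True, "ok"


if __name__ == "__main__":
    example = "priv-lvl=1, acl=0x005ffffe"       # the guide's own example value
    parsed = parse_class(example)
    print(parsed, "bits set:", bits_from_acl(parsed["acl"]))
    print(check_normal_user("priv-lvl=2, acl=0x005ffffe"))   # wrong level for a normal user
```

Run it against every group's Class box after an ACS change; a mismatch between the priv-lvl in the group and the device's normal_priv_lvl is exactly the configuration error the text above warns about.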
Configuring TACACS+ Users in Cisco Access Control Server
You can use Cisco’s Secure Access Control Server (ACS) to perform
external authentication of GigaVUE-420 users. Use the following
steps to configure the ACS to perform TACACS+ authentication of
GigaVUE-420 users.
1. First, configure a TACACS+ AAA client in ACS.
2. Create a TACACS+ user group with no TACACS+ settings.
3. In the TACACS+ Settings page:
a. Check the Shell (exec) option.
b. Check the Access control list box and supply an ACL value in
the adjacent field to grant port ownership to users in this
group. See Granting Port Ownership with an Access Control List
on page 157 for information on how to construct an Access
Control List.
c. Check the Privilege level box and supply a value. This value
specifies the privilege level to be used for users in this group.
If the priv_lvl_check option is enabled on the GigaVUE-420
CLI (the default) and you did not specify a custom
normal_priv_lvl, use 1 for normal users. If you did assign a
custom value to normal_priv_lvl, use that value here.
4. Associate users with this TACACS+ group.
Figure 8-7 shows the ACL and privilege level fields in Cisco ACS for a TACACS+ user.
Figure 8-7: Supplying the ACL and Privilege Level for TACACS+ (callouts: supply the ACL in the Access control list field and the privilege level in the Privilege level field)
Differences in Commands for External and Local Users
Some common GigaVUE-420 commands work differently depending
on whether a user is logged in using an external authentication server
or the local user database:
Command         Description

show user all   This command has a “single world view” and returns different results depending on whether the user authenticated locally or using an external server:
                • A show user all from a local user returns only the users defined in the local database.
                • A show user all from an externally authenticated user returns only the users currently logged in through the external server.

show whoison    This command provides a “dual world view.” It returns all users currently logged in and displays whether each user was authenticated locally or through an external authentication server.

logout          This command also has a single world view:
                • Local users can only log out other local users.
                • Externally authenticated users can only log out other externally authenticated users of the same type (RADIUS or TACACS+).
                As always, a user must have sufficient account privileges to log out another user.
Chapter 9
Using SNMP
This section describes how to use GigaVUE-420’s SNMP features. It includes the following major sections:
• Configuring SNMP Traps on page 166
• Adding a Destination for SNMP Traps on page 167
• Enabling GigaVUE-420 Events for SNMP Traps on page 169
• Receiving Traps on page 172
• Enabling GigaVUE-420’s SNMP Server on page 172
Configuring SNMP Traps
GigaVUE-420 can send SNMP v1/v2 traps to up to five destinations
based on a variety of events on the box. Configuring SNMP traps
consists of the following major steps:
Step 1: Configure Trap Destinations. Use the config snmp_trap host options to specify the IP addresses of up to five destinations for SNMP traps. For each destination, you can also specify the community string, port, trap version, and an alias. See Adding a Destination for SNMP Traps on page 167 for information on setting up trap destinations.
Step 2: Specify Trap Events. The config snmp_trap command includes switches to enable/disable each of the events available for trapping. You can also use the [all | none] switch to quickly enable/disable all of the available events at once. When GigaVUE-420 detects an enabled event, it forwards the corresponding trap to each of the defined trap destinations. See Enabling GigaVUE-420 Events for SNMP Traps on page 169 for information on the events available for trapping.
Figure 9-1: Configuring SNMP Traps
NOTE: This release does not support SNMP v3. SNMP v1 and v2c traps are unauthenticated and carry the community string in cleartext, so keep trap traffic on a management network and do not rely on the default community string of public.
Adding a Destination for SNMP Traps
GigaVUE-420 can forward SNMP traps to up to five destinations.
Specify the destinations for SNMP traps with the config snmp_trap
host command. The config snmp_trap command has the following
syntax when adding hosts:
config snmp_trap
[host <ipaddr>] [community <string>]
[port <value>] [ver <1|2>]
[alias <alias-string>]
The only required value for an SNMP trap destination is the IP
address. If you configure a trap destination and do not specify values
for the other parameters, they will take the default values shown in
the table below. Naturally, however, you can change each of the
defaults to your own values with the corresponding command-line
setting.
Parameter   Description        Default Value if None Specified
community   Community String   public
port        Port               162 (well-known receiving port for SNMP traps)
ver         Version            v2
Example – Adding SNMP Trap Destinations
This example illustrates how to add several trap destinations, some
using the defaults and others with custom overrides.
First, let’s set up our Trap Management station on 192.168.1.101 as a trap destination. This destination accepts all of the default settings, so we’ll just add it with its IP address and an alias:
    config snmp_trap host 192.168.1.101 alias Trap_Mgmt

Next, we’ll add a secondary management station on 192.168.1.25. This station runs on a non-standard port with a private community string:
    config snmp_trap host 192.168.1.25 community private port 501 ver 1 alias jackstraw

That’s enough destinations for now. Let’s do a show snmp command to see what we’ve configured so far. See Figure 9-2 for the results:
    show snmp

Figure 9-2: SNMP Trap Destinations Configured (callouts: SNMP Server Status, GigaVUE-420’s SNMP server is not currently enabled and we’ll enable it later; Trap Destinations, the current trap destinations are listed in the middle of the show snmp display; Trap List, none of the events available for trapping are currently enabled and we’ll enable them in the next section)
Enabling GigaVUE-420 Events for SNMP Traps
The config snmp_trap command includes switches to enable/disable
each of the events available for trapping. The table below lists the
attributes for the config snmp_trap command that are related to
enabling traps.
Parameter: [all | none]
    Use this attribute to toggle all available trap events on or off. For example, config snmp_trap all turns on all available trap events.
Parameter: [configsave <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations each time the config save filename.cfg command is used.
Parameter: [fanchange <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations when the speed of either of the system fans drops below 4,800 RPM.
Parameter: [firmwarechange <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations when it boots and detects that its firmware has been updated from the previous boot.
Parameter: [modulechange <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations when it detects a change in module type from the last polling interval. This typically happens when a module is pulled from a slot or inserted in an empty slot.
Parameter: [powerchange <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations when it detects either of the following events:
    • One of the two power supplies is powered on or off.
    • Power is lost or restored to one of the two power supplies.
Parameter: [portlinkchange <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations each time a port’s link status changes from up to down or vice-versa. This includes ports 1-20 as well as the 10 Gigabit ports (x1 and x2).
    NOTE: The portlinkchange trap is not sent when the Management port’s link status changes.
Parameter: [pktdrop <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations each time it detects that packets have been dropped on a data port.
Parameter: [rxtxerror <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations each time it receives one of the following physical errors on a data port:
    • Undersize error
    • Fragment
    • Jabber
    • CRC or Alignment errors
    • Unknown errors
Parameter: [systemreset <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations each time it starts up, either as a result of cycling the power or a soft reset initiated by the reset system command.
Parameter: [taptxchange <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations each time a GigaTAP-Tx’s relays switch from active to passive or passive to active as a result of the config port-params taptx command.
Parameter: [userauthfail <0|1>]
    When this option is enabled, GigaVUE-420 sends a trap to all configured destinations each time a user login fails.
Example – All Trap Events Enabled
Figure 9-3 shows the results of a config snmp_trap all command enabling all of the available trap events.
Figure 9-3: SNMP Trap Events Configured (callout: Trap List, all of the events available for trapping are now enabled)
Receiving Traps
GigaVUE-420’s MIB is available for download from the company’s
standard FTP site. The MIB supports both the GigaVUE-420 and the
GigaVUE-MP. Contact Customer Support for details.
Once you have received a copy of the MIB, you can compile it into
your SNMP Management software to view intelligible descriptions of
the OIDs included in the traps.
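The receiving side, as an added example that is not part of the guide or of Gigamon's MIB: a Python decoder for the SNMPv1/v2c messages a trap destination receives on UDP 162. It hand-encodes a constructed SNMPv2c trap so it runs offline, decodes the BER message into version, community and varbinds, and drops traps whose community string differs from the one configured with config snmp_trap host ... community (the only authenticity check v1/v2c offer, and a weak one, since the string travels in cleartext). The OIDs used are the standard SNMPv2-MIB sysUpTime, snmpTrapOID and sysName objects; the linkDown trap OID and the host name gv420-lab in the sample are constructed, and no GigaVUE-420 MIB objects are assumed.

```python
"""SNMPv1/v2c trap receiver logic (added example; not Gigamon's code or MIB).
Encodes a constructed v2c trap so it runs offline, decodes the BER message,
and rejects traps whose community string is not the configured one."""
import socket
INTEGER, OCTET_STRING, OID, SEQUENCE, TIMETICKS, TRAP_V2 = 0x02, 0x04, 0x06, 0x30, 0x43, 0xA7
SYSUPTIME, SNMPTRAPOID = "1.3.6.1.2.1.1.3.0", "1.3.6.1.6.3.1.1.4.1.0"  # SNMPv2-MIB

def _tlv(tag, payload):
    """BER tag-length-value; short form or 1/2-byte long-form length."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def _int(value, tag=INTEGER):                   # non-negative, minimal two's complement
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def _oid(dotted):                               # first two arcs packed, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return _tlv(OID, bytes(out))

def build_v2c_trap(community, uptime_ticks, trap_oid, extra=()):
    """Constructed test input: what a 'ver 2' destination receives on the wire."""
    varbinds = [_tlv(SEQUENCE, _oid(SYSUPTIME) + _int(uptime_ticks, TIMETICKS)),
                _tlv(SEQUENCE, _oid(SNMPTRAPOID) + _oid(trap_oid))]
    varbinds += [_tlv(SEQUENCE, _oid(o) + _tlv(OCTET_STRING, v.encode())) for o, v in extra]
    pdu = _tlv(TRAP_V2, _int(1) + _int(0) + _int(0) + _tlv(SEQUENCE, b"".join(varbinds)))
    return _tlv(SEQUENCE, _int(1) + _tlv(OCTET_STRING, community.encode()) + pdu)  # version 1 = v2c

def _read(buf, pos):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _decode_value(tag, raw):
    if tag in (INTEGER, TIMETICKS):
        return int.from_bytes(raw, "big", signed=(tag == INTEGER))
    if tag == OCTET_STRING:
        return raw.decode("latin-1")
    return _decode_oid(raw) if tag == OID else raw.hex()   # unknown types stay opaque

def parse_trap(packet):
    """Return version (0 = v1, 1 = v2c), community, PDU tag and, for v2c, the varbinds."""
    tag, msg, _ = _read(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read(msg, 0)
    _, community, pos = _read(msg, pos)
    pdu_tag, pdu, _ = _read(msg, pos)
    out = {"version": int.from_bytes(ver, "big", signed=True),
           "community": community.decode("latin-1"), "pdu_tag": pdu_tag, "varbinds": []}
    if pdu_tag == TRAP_V2:                      # a v1 Trap PDU (0xA4) has a different body
        pos = 0
        for _ in range(3):                      # skip request-id, error-status, error-index
            _, _, pos = _read(pdu, pos)
        _, vbl, _ = _read(pdu, pos)
        pos = 0
        while pos < len(vbl):
            _, vb, pos = _read(vbl, pos)
            _, name, p = _read(vb, 0)
            vtag, raw, _ = _read(vb, p)
            out["varbinds"].append((_decode_oid(name), _decode_value(vtag, raw)))
    return out

def accept_trap(packet, expected_community):
    """The check a receiver should make: drop traps whose community does not match."""
    trap = parse_trap(packet)
    return trap if trap["community"] == expected_community else None

def serve(port=162, expected_community="public"):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))                # port 162 needs root; real traps land here
    while True:
        data, (src, _) = sock.recvfrom(65535)
        trap = accept_trap(data, expected_community)
        print(src, "rejected" if trap is None else trap["varbinds"])

if __name__ == "__main__":
    sample = build_v2c_trap("public", 4242, "1.3.6.1.6.3.1.1.5.3",     # linkDown; constructed
                            [("1.3.6.1.2.1.1.5.0", "gv420-lab")])       # sysName.0; constructed
    print(accept_trap(sample, "public"))
    print(accept_trap(sample, "private"))
```

Once the Gigamon MIB is compiled in, the varbind OIDs the decoder prints can be mapped to the event names in the table above; until then the second varbind (snmpTrapOID.0) is the field to key on.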
Enabling GigaVUE-420’s SNMP Server
You can enable GigaVUE-420’s SNMP server so that management
stations can poll the GigaVUE-420 remotely using Get and GetNext
commands. GigaVUE-420 supports MIB polling using the MIB-II
System and Interface OIDs for the Mgmt port only.
You enable GigaVUE-420’s SNMP server with the config
snmp_server command. It has the following syntax:
config snmp_server
[enable <0|1>]
[community <string>]
[ver <1 | 1_2>]
[port <value>]
The only required parameter to turn on the SNMP server is enable 1.
If you turn on the SNMP Server and do not specify values for the
other parameters, they will take the default values shown in the table
below. Naturally, however, you can change each of the defaults to
your own values with the corresponding command-line setting.
Parameter   Description        Default Value if None Specified
community   Community String   public
port        Port               162
ver         Version            v1
For example, to enable the SNMP server with its default settings, you
would use the following command:
config snmp_server enable 1
To enable the SNMP server with both v1 and v2 support, you would
use the following command:
config snmp_server enable 1 ver 1_2
Figure 9-4 shows the results of a show snmp command after enabling
the SNMP server with both v1 and v2 support.
Figure 9-4: SNMP Server Enabled (callout: SNMP Server, the local SNMP server is now enabled)
Once you have enabled the SNMP server, management stations will
be able to poll the MIB using standard Get and GetNext SNMP
commands. Most management stations have intuitive interfaces for
this.
Chapter 10
Using Configuration Files
GigaVUE-420 provides the ability to save and restore different sets of
connection information using configuration files. This section describes
how to use configuration files, including the following major topics:
• What’s Saved In a Configuration File on page 176
• Saving a Configuration File on page 177
• Viewing the Contents of a Configuration File on page 179
• Storing Configuration Files on a TFTP Server on page 179
• Applying Configuration Files on page 180
• Applying a Configuration File from Flash on page 181
• Setting a Configuration File to Boot Next on page 182
• Restoring Configuration Files in a Cross-Box Stack on page 183
GigaVUE-420 can maintain up to five configuration files stored in
flash memory. You can use the upload command to transfer
additional configuration files to a TFTP server for storage.
Configuration files can be downloaded from the TFTP server to
GigaVUE-420 using the install -cfg command and subsequently
restored using the config restore [filename] command.
You can set a particular configuration file to boot next either by using
the config file command’s nb attribute, or by using config save with
the nb attribute. For example:
config file gigavue.cfg nb
config save myconfig.cfg nb
NOTE: Configuration files include the Box ID of the unit saving the
file. You can only restore configuration files to a GigaVUE-420 unit
with the same Box ID.
What’s Saved In a Configuration File
Configuration files store all of the connection information in place on
the GigaVUE-420 when the file was saved. This includes:
• Filters and port-filter associations (local and cross-box).
• Connections (local and cross-box).
• Map-rules, maps, and mappings (local and cross-box).
• Port parameters (config port-params settings), including duplex, medium, speed, cable length, taptx, and so on.
• Port-pair settings.
• Pass-all settings.
• Port-type settings.
• Printout of the show connect command at the time the file was saved.
What’s Saved Separately
The settings listed below are saved in a different area of flash and are not affected by either the config save filename.cfg or the reset system commands. These include:
• All settings shown by the show system command.
• SNMP server/trap settings.
• TACACS servers.
• RADIUS servers.
• SNTP servers.
Saving a Configuration File
You use the config save filename.cfg command to save a
configuration file. Configuration files must have a .cfg extension.
Use GigaVUE-420’s command completion feature to see a list of
available configuration files. For example, typing config save ? will
show you a list of the available configuration files.
You can also use the show file command to see which configuration
file was most recently restored as well as which configuration file is
set to load the next time the unit is rebooted. For example, in
Figure 10-1:
• The factory-provided gigavue.cfg configuration file was restored last – it has Last restored set to Yes.
• The gigavue.cfg configuration file is also scheduled to load at the next boot – it has Next boot file set to Yes. You can change the file scheduled to boot next by using the nb option with either the config save or config file commands. See Setting a Configuration File to Boot Next on page 182.
NOTE: When you use the show file command without a filename, you
see the summary information shown in Figure 10-1. You can also use
the command with a filename to see detailed file information, as
described in Viewing the Contents of a Configuration File on page 179.
Figure 10-1: Showing Configuration Files
Viewing the Contents of a Configuration File
Restoring a configuration file to GigaVUE-420 overwrites the existing
connection information in place on the box with the connection
information stored in the configuration file. Because of this, it’s a
good idea to check the contents of the file before you apply it.
You can easily see the details of what’s been saved in a configuration
file by using the show file [filename] command. This will show a
detailed view of the configuration file’s contents, including the
printout of a show connect command for the file. This way, you can
see what’s in the file without having to restore it.
NOTE: The detailed output for the show file [filename.cfg] command
shows the connections (local and cross-box) and maps (local and
cross-box) but does not show the filters, port-filter, xbport-filters and
map-rules contained in the configuration file.
For example, to view the detailed contents of the default gigavue.cfg
file, you would use the following command:
show file gigavue.cfg
Storing Configuration Files on a TFTP Server
If you want to keep more than the five configuration files allowed on the GigaVUE-420 at one time, you can use a TFTP server for storage. Configuration files can be stored on a TFTP server using the upload -cfg command. Then, you can download a configuration file from the TFTP server using the install -cfg command.
Keep in mind that TFTP has no authentication and no encryption: anyone who can reach the server can read or replace the stored files, and a replaced file is applied as-is when you later restore it. Place the TFTP server on the management network, restrict who can write to it, and review a downloaded file with show file filename.cfg before applying it.
Uploading a Configuration File to a TFTP Server
For example, to store the configuration file named multi-map.cfg on a TFTP server at 192.168.1.102, you would use the following command:
upload -cfg multi-map.cfg 192.168.1.102
Downloading a Configuration File from a TFTP Server
You can download configuration files from a TFTP server using the
install -cfg command. GigaVUE-420 will download the specified file
and store it in flash. If there are already five configuration files stored
in flash, you will need to use the delete file command to free up a slot
before a new file can be successfully downloaded and stored.
For example, to download multi-map.cfg from a TFTP server at
192.168.1.102, you would use the following command:
install -cfg multi-map.cfg 192.168.1.102
NOTE: Using the install -cfg command does not actually apply the
configuration file – it just downloads it from the TFTP server and
stores it in flash. You still have to apply the configuration file using
one of the methods in Applying Configuration Files on page 180.
Applying Configuration Files
You can apply configuration files to GigaVUE-420 in the following
ways:
• Use the config restore command to apply the file immediately. See Applying a Configuration File from Flash on page 181.
• Enable the nb (next boot) option for a configuration file and reboot the unit. See Setting a Configuration File to Boot Next on page 182.
See also:
• Restoring Configuration Files in a Cross-Box Stack on page 183
Sharing Configuration Files with other GigaVUE-420 Systems
In general, it’s not recommended to share configuration files with
other GigaVUE-420 systems. For a configuration file to work on
another unit, all of the following must be true:
• Box ID must be identical for source and target systems.
• Module configuration must be identical for source and target systems.
If you have purchased multiple systems with the same configuration
and are using them as standalone systems, all of these conditions may
be true. However, be sure to verify these items before restoring a
configuration file on a unit other than the one where it was saved to
prevent a situation where the default configuration is restored
inadvertently.
Caution: Configuration Files and the delete stack_info command
IMPORTANT: Using the delete stack_info command on a GigaVUE-420
unit with a Box ID other than 1 results in a complete reset to factory
defaults of all packet distribution settings.
This happens because the delete stack_info command resets the
unit’s Box ID to 1. When the unit reboots after the delete stack_info
command, it discovers that the Box ID in its configuration file is
different than its new Box ID of 1 and resets all configuration file
settings to factory defaults.
Applying a Configuration File from Flash
You use the config restore [filename] command to apply a
configuration file stored in flash immediately. For example, to apply
multi-map.cfg, you would use the following command:
config restore multi-map.cfg
NOTE: When you restore a new configuration file and also want it to
load the next time the system is booted, use the show file command
to verify that the file has the nb attribute enabled.
Setting a Configuration File to Boot Next
You can specify a configuration file to be used the next time the
GigaVUE-420 is booted by setting its nb option.
Enabling the nb option for a configuration file makes it the active
configuration file the next time the unit is booted. It will continue to
be used at each boot until the nb option is applied to a different
configuration file. There can be only one file with nb enabled at a
time.
NOTE: You cannot delete a configuration file with nb enabled. You
must enable nb for another configuration file before you can delete it.
NOTE: GigaVUE-420 will not let you delete all configuration files –
there will always be at least one configuration file with nb enabled.
Setting the nb Option
You set the nb option with either the config file command or the
config save command. These commands have the following syntax:
config file <filename> [nb] [description “string”]
config save <filename> [nb]
For example, to specify that multi-map.cfg be booted the next time
GigaVUE-420 starts, you could use the following command:
config file multi-map.cfg nb description “all maps enabled”
Alternatively, you can save a new configuration file and set it to boot
next with one command:
config save mynewconfigfile.cfg nb
Verifying the ‘Next Boot’ Configuration File
You can see which configuration file is set to boot next with the show
file command. Figure 10-2 shows the results of a show file command
after we set multi-map.cfg to boot next.
Figure 10-2: Configuration File with Boot Next Enabled (callout: Next Boot File, this configuration file is set to boot next)
Restoring Configuration Files in a Cross-Box Stack
Packet distribution for cross-box stacks requires careful configuration, so it’s a good idea to back up configuration files for each of the boxes in the stack so that the stack can be restored. Use the following procedure.
To save and restore configuration files for a cross-box stack:
1. Once your cross-box stack is up and running with successful
cross-box packet distribution commands, save configuration files
for each of the boxes in the stack.
Use filenames that clearly correspond to each of the boxes in the
stack. For example, the following format includes the Box ID:
file_name_A_bid_1.cfg
file_name_A_bid_2.cfg
Once you are finished, you should have a separate configuration
file for each box in the stack.
2. When restoring a stack to a previous configuration, restore each box’s corresponding configuration file so that the settings for all boxes in the stack are synchronized to the time when the files were saved. This way, packet distribution will work the same way it did when the configuration files were saved.
Chapter 11
Configuring Logging
GigaVUE-420 provides comprehensive logging capabilities to keep
track of system events. Logging is particularly useful for
troubleshooting system issues, as well as maintaining an audit trail.
You can specify what types of events are logged, view logged events
by priority, date, or name, and upload log files to a TFTP server for
troubleshooting.
Events are recorded in a local syslog.log file with date and
timestamps indicating exactly when each event took place and can
optionally be sent to a specified syslog server as well.
The syslog.log file itself is maintained in non-volatile memory on the
GigaVUE-420, allowing access to log files even in the event the
system’s flash memory is reset.
This chapter includes the following major topics:
• Configuring Logging – A Roadmap on page 186
• Specifying Which Events Are Logged on page 186
• Viewing Log Files on page 190
• Uploading Log Files for Troubleshooting on page 192
Configuring Logging – A Roadmap
Configuring logging consists of the following major steps:
1. Use the config system log-level command to specify which types
of events are logged.
See Specifying Which Events Are Logged, below.
2. Optional: Use the config syslog_server command to specify an
external syslog server as a destination for logged events.
See Specifying an External Syslog Server on page 188 for details.
3. Use the show log [logfile] command to view events in the logfile.
See Viewing Log Files on page 190 for details.
Specifying Which Events Are Logged
Use the config system log-level command to specify the log-level in
force on the GigaVUE-420. The log-level controls which events are
stored in the log file. Only events greater than or equal to the current
log-level are stored in the log file. The available log-levels are as
follows:
Log-Level   Description
Critical    The log-level with the least logging. Only Critical events are written to the log file.
Error       Error and Critical events are written to the log file.
Info        Info, Error, and Critical events are written to the log file. This is the default log-level.
Verbose     The log-level with the most logging. All available events are written to the log file.
About syslog.log
Logged events are recorded in the syslog.log file in non-volatile
memory on the GigaVUE-420. The maximum size of the syslog.log
file is 1 MB. When syslog.log reaches its maximum size, it “rolls
over” into syslog1.log and new events are written to a now empty
syslog.log file.
In addition to the active syslog.log file, GigaVUE-420 can maintain
up to seven additional syslogx.log files for a total of 8MB of potential
log file storage space. When the maximum of seven syslogx.log files
is reached, the oldest file is deleted and the newer files roll down in
name (syslog.log becomes syslog1.log, syslog1.log becomes
syslog2.log, and so on).
Listing Available Log Files
When used without any additional arguments, the show log
command lists all the available log files on the unit. For example,
Figure 11-1 shows the log files listed from oldest to newest. When the
current syslog.log reaches its maximum size, it will roll over to
become syslog1.log and each of the existing entries will roll down
one increment. The oldest log file, syslog7.log, will be deleted.
Figure 11-1: Listing Available Log Files (callout: log files are named sequentially and roll over when the active syslog.log reaches its maximum size of 1MB)
Specifying an External Syslog Server
Logged events are always written to the local syslog.log file. In addition, you can optionally specify an external syslog server as a destination for GigaVUE-420’s logging output. When an external syslog server is specified, GigaVUE-420 sends logged events via UDP to the specified destination. Because UDP syslog is unacknowledged and unencrypted, events lost in transit are not retransmitted and their contents can be read on the wire; keep the syslog server on the management network and treat the local syslog.log as the authoritative copy.
You can configure a maximum of one external syslog server. To change the active syslog server, delete the existing syslog server and then add a new one.
Use the config syslog_server command to specify an external syslog
server. The command has the following syntax:
config syslog_server
host <ipaddr>
[port <value>]
[alias <alias-string>]
Argument   Description
host       The IP address of the external syslog server in standard dotted-quad format.
port       The port number used by the syslog server. If you do not specify a port, the default port of 514 is used. Note that if you do specify a non-standard port, the syslog server must also be configured to listen on the same port.
alias      An alias used to identify the syslog server.
Examples
The following example shows how to specify a syslog server at the IP
address of 192.168.1.75 with an alias of MySyslogServer:
config syslog_server host 192.168.1.75 alias MySyslogServer
This command specifies a syslog server at the IP address of
192.168.1.222 on the non-standard port of 4444:
config syslog_server host 192.168.1.222 port 4444 alias MySyslogServer
Packet Format for Syslog Output
Syslog packets sent by the GigaVUE-420 to an external syslog server conform to the format recommended by RFC 3164.
Keep in mind the following about this packet format:
• Severity indications in the packet’s PRI field are derived from corresponding event levels on the GigaVUE-420.
• Timestamps are provided in Mmm dd hh:mm:ss format, where Mmm is the standard English language abbreviation of the month (for example, Jan, Feb, Mar, and so on).
• Syslog packets include the system name defined for the GigaVUE-420 using config system name. If no system name has been configured, the IP address of the Mgmt port is used (IPv4 or IPv6).
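As an added example (not Gigamon's code), the following Python parser handles datagrams in the format just described: it splits the PRI into facility and severity, captures the Mmm dd hh:mm:ss timestamp and the host field (system name or Mgmt-port IP), and filters by severity so a collector can, for instance, keep only error-level or worse events. The sample datagrams are constructed; their facility value and message text are invented placeholders rather than actual GigaVUE-420 log output, and the exact event-level-to-PRI mapping the device uses is not stated on the page.

```python
"""Parser for the RFC 3164-style datagrams GigaVUE-420 sends to a syslog
server (added example, not Gigamon's code).  Splits PRI into facility and
severity, keeps the Mmm dd hh:mm:ss timestamp and the host field (system
name or Mgmt-port IP), and filters by severity."""
import re
import socket

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# RFC 3164: "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG"; the day of month is space-padded.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.DOTALL)


def parse_syslog(line):
    """Split one datagram into facility, severity, timestamp, host and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:                                 # 24 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": pri >> 3,                 # PRI = facility * 8 + severity
            "severity": SEVERITIES[pri & 7],
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "message": m.group("msg")}


def is_at_least(record, level):
    """True when the record is at `level` or more urgent (lower severity number)."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(level)


def filter_lines(lines, level="err", host=None):
    """Return (kept records, unparseable lines).  Bad lines are reported rather
    than silently dropped so a collector can alarm on garbage from a sender."""
    kept, rejected = [], []
    for line in lines:
        try:
            rec = parse_syslog(line)
        except ValueError:
            rejected.append(line)
            continue
        if is_at_least(rec, level) and (host is None or rec["host"] == host):
            kept.append(rec)
    return kept, rejected


def serve(port=514):
    """Receive real datagrams on the default syslog port (binding it needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src, _) = sock.recvfrom(8192)
        try:
            print(src, parse_syslog(data.decode("latin-1")))
        except ValueError as exc:
            print(src, "dropped:", exc)


# Constructed sample datagrams.  PRI 11 = facility 1 (user) / severity 3 (err),
# PRI 14 = user / info.  Facility choice and message text are invented, not
# actual GigaVUE-420 output; the sender at 192.168.1.50 has no system name,
# so its Mgmt-port IP appears in the host field.
SAMPLE = [
    "<11>Oct 25 14:02:07 gv420-core1 user login failed for admin",
    "<14>Oct 25 14:02:09 gv420-core1 configuration saved to multi-map.cfg",
    "<11>Oct  3 08:15:00 192.168.1.50 port 7 link down",
    "garbage line without a PRI",
]

if __name__ == "__main__":
    kept, rejected = filter_lines(SAMPLE, level="err")
    for r in kept:
        print(r["host"], r["severity"], r["message"])
    print("rejected:", rejected)
```

Because the host field falls back to the Mgmt-port address when no system name is set, give each unit a name with config system name before pointing it at a shared collector; otherwise the records from different boxes are only distinguishable by IP.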
Viewing Log Files
You use the show log command to view:
•
A list of available log files.
•
A specified log file’s contents.
The show log command includes a variety of arguments that let you
filter the display of the log file, focusing on events matching a
specified priority, time/date, or name. The syntax for the show log
command is as follows:
show log [logfile]
    [pri <verbose | info | error | critical>]
    [type <system | periodic | stack | userif | notif | login>]
    [start <mm-dd-yy>] [end <mm-dd-yy>] [delim] [tail <1~255>]
The table below lists and describes the arguments for the show log command.
NOTE: As described in Listing Available Log Files on page 187, you can
use the show log command without any additional arguments to see
a list of the log files available on the system.
Argument: [logfile]
    Specifies the name of the log file to be displayed. You can use the show log command by itself to see a list of available log files.
    The show log [logfile] command with no additional arguments will display all of the entries in the specified log file. You can use Ctrl-C to interrupt the output display of the show log command.
Argument: [pri <verbose | info | error | critical>]
    Filters the log file display by event priority. Only events greater than or equal to the specified priority will be displayed.
Argument: [type <system | periodic | stack | userif | notif | login>]
    Filters the display by event type. Only events matching the specified type will be displayed:
    • System – Includes system messages useful for troubleshooting with Technical Support personnel.
    • Periodic – Includes syslog.log rollover events.
    • Stack – Stacking related events.
    • Userif – User interface messages, including the command line history.
    • Notif – Asynchronous events, including SNMP trap information, packet drop events, port link status changes, system resets, configuration saves, and so on.
    • Login – Shows each time a user logged in locally, via RADIUS, and via TACACS+.
Argument: [start <mm-dd-yy>] [end <mm-dd-yy>]
    Filters the display by date. Only events within the specified date range will be displayed.
    You can use the start and end arguments together or by themselves. If you use start or end by itself, GigaVUE implicitly uses the opposite end of the file as the other end of the date range. For example, if you use start by itself, matching events from the specified start date to the end of the file will be displayed.
Argument: [delim]
    Displays log file data in semicolon-delimited format, suitable for importing into a spreadsheet or table.
    To get the delimited data into a spreadsheet or table, you can either cut and paste (many terminal implementations support cut-and-paste functionality) or configure the terminal used to access GigaVUE to save the session to a file.
    See Example – Saving a Log File to a Spreadsheet on page 192 for details.
Argument: [tail <1~255>]
    Shows only the last n lines of the log file. For example, setting tail to 100 will show the last 100 lines of the log file.
Example – Displaying Events in the Log File
You can combine the arguments for the show log command to see
exactly the information you want. For example, the following
command shows all Critical messages in syslog.log between October
25th, 2007 and October 27th 2007:
show log syslog.log pri critical start 10-25-07 end 10-27-07
This command shows events in syslog.log with a priority of Error or
higher from the last 200 lines in the log file:
show log syslog.log pri error tail 200
Uploading Log Files for Troubleshooting
You can upload log files to a TFTP server to help in troubleshooting.
Gigamon Technical Support personnel may ask you to do this to
assist in solving problems. You can upload log files using the upload
-log command. The command has the following syntax:
upload -log log_filename TFTP-server-ipaddr
For example, to upload syslog1.log to the TFTP server at 192.168.1.25,
you would use the following command:
upload -log syslog1.log 192.168.1.25
Example – Saving a Log File to a Spreadsheet
In this example, we’ll use the show log command’s delim attribute to save a log file in semicolon-delimited format and import it into Microsoft® Excel®.
To save a delimited log file into a spreadsheet:
1. Connect to the GigaVUE-420.
2. Most terminal implementations provide the ability to save a
session to a file. In this example, we’ll use Tera Term’s Log
feature to save GigaVUE’s show log output to a file.
a. Use Tera Term’s File > Log command to specify the
destination file. As shown in Figure 11-2, we’ve specified that
output will be saved to the GV420_delimited text file. Click
Open when you have finished.
Figure 11-2: Saving Terminal Output to a Text File
b. Use the show log command with the delim attribute to
display the events that interest you in delimited format. In
this example, we’ll display the entire contents of the current
logfile (syslog.log; see Figure 11-3). The command is as
follows:
show log syslog.log delim
Figure 11-3: Using the Show Log Command with delim
c. Logfile entries are displayed on the screen. Depending on the
size of the logfile, this may take a few seconds. Once the
output stops, stop the terminal’s logging feature so that the
saved file only includes the output from the show log
command.
3. In Microsoft Excel, go to File > Open. In the dialog box that
appears, set Files of Type to All Files, navigate to the file saved
by your terminal, and open it.
4. Microsoft Excel displays a series of dialog boxes that let you
decide how to import the text file. The most important thing you
need to specify is the delimiter used in the text file. GigaVUE uses
semicolons to delimit fields; Figure 11-4 shows the import wizard
with semicolons specified as the delimiter.
Figure 11-4: Specifying the Delimiter
5. Once you finish the Import Wizard, Microsoft Excel displays the
log file in standard spreadsheet format. You can sort and search
all fields, in addition to other standard spreadsheet tasks.
Chapter 12 Introducing Packet Distribution
This section introduces GigaVUE-420 packet distribution – what it is,
how you set it up, and the differences between connections and
maps. Once you’ve read this section, turn to Chapter 13, Connections,
Filters, and Pass-Alls and Chapter 14, Working with Maps (Single-Box
and Cross-Box) for detailed information on each.
The section includes the following major topics:
• About Packet Distribution on page 198
• About Single-Box and Cross-Box Distribution on page 201
• Getting Started with Packet Distribution on page 203
• Connecting vs. Mapping – The Differences on page 208
• Sharing Network and Tool Ports on page 214
About Packet Distribution
Packet distribution is where GigaVUE-420’s real power is on display
– it’s where you decide how traffic arriving on network ports should
be sent to tool ports. You’ll decide which traffic should be forwarded,
where it should be sent, and how it should be handled once it arrives.
About Network and Tool Ports
GigaVUE-420 packet distribution starts with network ports and ends
with tool ports:
Network Ports Defined
• Network ports are where you connect data sources for
GigaVUE-420.
For example, you could connect a switch’s SPAN port, tap a link
using a GigaTAP module, connect an external tap, or simply
connect an open port on a hub to an open port on the GigaPORT
module. Regardless, the idea is the same – network ports are
where data arrives at the GigaVUE-420.
NOTE: In their standard configuration, network ports only accept
data input – no data output is allowed. The exception to this is
when a network port is configured as part of a port-pair; for
example as part of an active tap using the GigaTAP-Tx module.
See GigaTAP-Tx Module on page 68 for details on this
configuration.
Tool Ports Defined
• Tool ports are where you connect destinations for the data
arriving on network ports.
For example, you may connect an intrusion detection system on
one tool port, a forensic data recorder on another, and a
traditional protocol analyzer on a third. Regardless, the idea is the
same – tool ports are where you send the data arriving on
network ports.
NOTE: Tool ports only allow data output to a connected tool. Any
data arriving at the tool port from an external source will be
discarded. In addition, a tool port’s link status must be 1 (“up”)
for packets to be sent out of the port. You can check a port’s link
status with the show port-params command.
Designating a Port’s port-type
In general, Ports 1-20 and x1 - x4 on the GigaVUE-420 can all be either
network ports or tool ports. You designate a port’s type using the
config port-type command.
NOTE: The exceptions are GigaTAP-Sx/Lx/Zx ports. These ports can
only be configured as network ports.
In addition, you can use the x1/x2 10 Gb fiber-optical ports as
network, tool, or stack ports. The x1/x2 ports are the only ports on
the GigaVUE-420 that can be used as stack ports.
Packet Distribution Illustrated
Figure 12-1 illustrates the concept of data flows between network
and tool ports. Data arrives from different sources at the network
ports on the left and is forwarded to different tools connected to
the tool ports on the right.
Figure 12-1: GigaVUE-420 Packet Distribution
Concepts Illustrated in Figure 12-1
Figure 12-1 illustrates a number of important points about setting up
packet distribution:
• Traffic arriving at a single network port can be sent to multiple
destination tool ports.
Notice in Figure 12-1 that both Input B and Input C are sent to
three different tool ports.
• Filters can be applied to both network ports and tool ports:
  • Filters applied to network ports are called pre-filters. Pre-filters
  are useful when you want to filter traffic as it arrives and
  before it is sent to tool ports.
  • Filters applied to tool ports are called post-filters. Post-filters
  are useful if you want to send the same traffic to multiple tool
  ports and have each one allow or deny different packets based
  on specified criteria.
Notice in Figure 12-1 that post-filters are set to focus on different
parts of the data stream – traffic on a single VLAN, a single
subnet, and so on.
About Single-Box and Cross-Box Distribution
GigaVUE-420 supports both single-box and cross-box configurations:
• In a single-box configuration, only a single GigaVUE-420 system
is used. You can forward traffic from network ports to tool ports
within the system.
• In a cross-box configuration, as many as ten GigaVUE-420
systems are connected to one another using their 10 Gb stacking
ports. You can forward traffic arriving at a network port on one
GigaVUE-420 system to a tool port on another GigaVUE-420
system in the same cross-box stack.
NOTE: Chapter 7, Stacking GigaVUE-420 Boxes describes how to
connect and configure a cross-box stack.
The procedures for setting up packet distribution are conceptually
the same regardless of whether you’re working with a single-box
configuration or a cross-box stack. However, the commands you will
use are slightly different. Chapter 13, Connections, Filters, and Pass-Alls
and Chapter 14, Working with Maps (Single-Box and Cross-Box) provide
details on all packet distribution configuration commands, both
single-box and cross-box.
In general, the standard single-box commands all have cross-box
equivalents starting with the letters “xb” (for “cross-box”), as
summarized in the table below. Additionally, cross-box commands
will typically expect port numbers to be specified in the format
bid-pid (Box ID-Port ID) instead of just pid (Port ID) as they are in
single-box configurations.
Single-Box Command      Cross-Box Equivalent
config port-filter      config xbport-filter
config connect          config xbconnect
config map              config xbmap
config mapping          config xbmapping
config map-rule         config map-rule
Cross-Box Commands: Enter All Commands on All Boxes
When you are entering cross-box configuration commands, you must
enter all commands in the same order on each box in the stack.
When setting up cross-box packet distribution, it’s often easiest to
create your commands in a text file and then paste the contents of the
text file into the CLI of each box in the stack.
Getting Started with Packet Distribution
You manage packet distribution in the GigaVUE-420 command-line
interface. From there, you perform all packet distribution tasks –
designating ports as network or tool ports, setting up filters, mapping
network ports to tool ports, and so on.
As a starting point, it’s a good idea to use the show connect
command to see how the command-line interface visually represents
port configuration, filters, maps, and so on.
Figure 12-2 shows the results of the show connect command for an
out-of-the box GigaVUE-420. At this point, no connections have been
set up and no filters have been defined. Additionally, all of the ports
are set up as network ports – they appear in the Network Port list at
the left of the display.
Figure 12-2: Viewing Packet Distribution Configuration in the CLI
The callouts in Figure 12-2 point out the following parts of the
show connect display:
• Network Port list – Ports in parentheses are RJ45 ports. Ports
without parentheses are optical ports (LC or SFP). GigaTAP-Tx
ports are listed with +/- signs to indicate whether the relays are
currently open (+) or closed (-).
• Tool Port list – Once you change a port’s port-type to tool, it
appears in the Tool Port list.
• Filter Lists (FID) – The FID columns show the pre- and post-filters
currently in place on each port. The left FID column shows
pre-filters (filters bound to network ports) and the right FID
column shows post-filters (filters bound to tool ports).
• Stacking Port Information (GigaLINK) – The lists at the bottom of
the show connect display provide information on the current
configuration of the x1/x2 10 Gb GigaLINK stack ports. For
cross-box configurations, the Connected Box ID list will show the
Box ID(s) of the box(es) connected to x1, x2, or both.
Example – Designating and Connecting Tool Ports
In general, GigaVUE-420 ports can be either a network port or a tool
port.[1] Ports 1-20 and x3/x4 are all network ports by default.
However, as you decide which tools to use with the GigaVUE-420,
you will use the config port-type command to set some of the ports
as tool ports.
As an example, let’s set up some tool ports, filters, connections, and
maps to see how the command-line interface illustrates the packet
distribution in place on the box.
The table below lists and describes some basic packet distribution
commands. Don’t worry about the command specifics for now – this
is meant simply to provide you with a feeling for how the CLI
represents packet distribution. Following the table, Figure 12-3 shows
the results of a show connect command for the settings made in the
table.
1. First, let’s designate Port 2 as a tool port:
   config port-type 2 tool
2. Next, we’ll connect Port 1 (a network port) to Port 2 (a tool
   port). This means that the traffic arriving on Port 1 will be
   forwarded to Port 2:
   config connect 1 to 2
3. Now, we’ll create a filter. Let’s create a filter that accepts all
   traffic on VLAN 100. We’ll call it VLAN100:
   config filter allow vlan 100 alias VLAN100
4. Now that we’ve defined a filter, we can bind it to a port. Let’s
   bind it to our tool port so that it will only accept traffic tagged
   with VLAN 100:
   config port-filter 2 VLAN100
   Note that filters are reusable – we could bind this same
   VLAN100 filter to other ports, as we needed it.
5. Next, we’ll set up a tap on the GigaTAP-Sx module (Ports 13
   - 16 in our example). Ports in optical tap modules (Sx, Lx, or
   Zx) are always set up as taps – there is no additional
   configuration to perform, so no command is needed for this step.
6. Now that we’ve connected the tap, we need to send the
   traffic somewhere. Let’s connect the tap ports to the same
   tool port we designated in the first step – Port 2:
   config connect 13 14 to 2
   We’ll be sending traffic from three different sources to the
   same destination. However, because we have a post-filter
   set up on the tool port, only traffic tagged with VLAN 100 will
   be seen by the connected tool.

[1] The exceptions are GigaTAP ports already configured with a
port-pair and GigaTAP-Sx/Lx/Zx ports. These ports can only be
used as network ports. In addition, only x1 and x2 can be stacking
ports (although they can also be network or tool ports).
Figure 12-3 displays the results of a show connect command after
entering the configuration commands in the previous table:
Figure 12-3: Sample Packet Distribution Configuration
In Figure 12-3, connections between network and tool ports are
shown with arrows. Filters in place are shown with their numerical
identifier. Use the show filter command to match a numerical filter
identifier with a filter alias.
Connecting vs. Mapping – The Differences
GigaVUE-420 provides two different ways to set up packet
distribution between network ports and tool ports – connections and
maps. Both are described below.
About Connections
Connections are simple one-to-one flows between a network port
and a tool port. You can set up filters on either end of a connection
(pre-filter or post-filter), set up multiple connections on a single
network port, or simply send all the data arriving on a network port
to a designated tool port.
When To Use Connections Instead of Maps
It’s generally best to use a connection when you’re trying to achieve
fairly simple packet distribution. If you find yourself setting up
multiple connections on a single network port with both pre- and
post-filters applied, you’ll usually be able to achieve the same results
more efficiently by using a map.
Connection Examples
Figure 12-4 illustrates some simple connections – an unfiltered
connection between network port 1 and tool port 5 as well as a
network port (3) with connections to two different post-filtered tool
ports (7 and 8).
The sample commands below could create these connections:
1. Set ports 5, 7, and 8 as Tool Ports:
   config port-type 5 7 8 tool
2. Connect Network Port 1 to Tool Port 5:
   config connect 1 to 5
3. Connect Network Port 3 to Tool Ports 7 and 8:
   config connect 3 to 7 8
4. Bind the filter named VLAN100 to Tool Ports 7 and 8:
   config port-filter 7 VLAN100
   config port-filter 8 VLAN100
Figure 12-4: Sample Connections (Network Ports 1-4 on the left,
Tool Ports 5-8 on the right, with post-filters on Tool Ports 7 and 8)
About Maps
Maps provide more robust capabilities for directing traffic than
connections do. Maps consist of one or more map-rules, each
directing traffic to one or more tool ports based on different packet
criteria. Map-rules function internally as pre-filters when used to
distribute traffic. You can combine many different rules in a logical
order to achieve exactly the packet distribution you would like.
IMPORTANT: Map-rules also have the advantage of not counting
against the limit of 100 tool port filters for the GigaVUE-420. When
possible, try to use maps instead of connections to preserve tool port
filter resources.
When To Use Maps
It’s generally best to use maps when you’re trying to set up a
multi-pronged packet distribution strategy. Maps are great for
distributing traffic to different ports based on different criteria. This is
particularly useful in the following situations:
• Reduce Tool Port Packet Loss without Eliminating Traffic.
Sorting traffic at an input network port and forwarding it to
different tool ports can help reduce packet loss for your analysis
tools. You can reduce the load on each destination tool port and
still ensure that all traffic is seen (as opposed to pre-filters, which
can perform the same task by discarding matching traffic at the
input port).
• Effective Analysis of Asynchronously Routed Environments.
Many networks use asynchronous routing of packets, where
requests and responses follow different routes between a client
and server. This sort of scenario is a challenge for traditional
packet analysis tools. With only a single point of connection to the
network, they can potentially see only one half of a given
conversation.
With GigaVUE-420, you can make physical connections between
multiple network ports on the GigaVUE-420 and SPAN ports for
the possible routes in your network. Then, you can set up a map
with rules that forward matching traffic to a tool port. For
example, you can set up rules that forward all traffic to and from
a particular server on a particular port, all traffic with a particular
range of application ports, and so on. This way, you can see the
packets you want to see, regardless of the path they took.
• More Flexibility than Connections. With maps, you can set up
map-rules that use a combination of the virtual drop port, the
collector, and effective map-rules to meet a variety of traffic
distribution scenarios.
Differences Between Maps and Connections
Maps offer some important concepts that connections do not:
• Virtual Drop Port – The virtual drop port is sort of like the Great
Packet Graveyard in the Sky. It’s where you send packets that
don’t interest you. You can set up map-rules that look for packets
matching specific criteria and immediately discard them.
For example, you could set up a map-rule that sends all traffic
from a particular source IP address to the virtual drop port.
• Collector – The collector, on the other hand, is the “Everything
Else” Bucket. It’s where you send packets that don’t match the
criteria specified by any of the other map-rules in a map.
For example, suppose you set up a map called VLAN-Map with
map-rules that send traffic from VLAN 101 to Tool Port 6, and
VLAN 102 to Tool Port 7. Now, you’re still interested in traffic
that doesn’t match either of those particular VLANs, but you
need a place to send it. Enter the collector. You can set up a final
map-rule that sends all packets not matching the other rules to a
designated collector port.
NOTE: If you do not specify a map-rule for the collector, any
traffic not matching the map-rules in a map will be silently
discarded.
Map Example
Figure 12-5 illustrates the map described above. This example shows
the map called VLAN-Map bound to Network Port 1. You bind maps
to network ports using the config mapping command.
Note that this is a single-tool map – each of the map-rules sends
traffic to only a single destination. See Single-Tool Maps vs. Multi-Tool
Maps on page 267 for a discussion of the differences between these
two map types, along with guidelines for when to use each.
Figure 12-5: Sample Map with Map-Rules. VLAN-Map is bound to
Network Port 1 and contains the following map-rules:
Map-Rule 1: Drop everything from IP address 192.168.1.25.
Map-Rule 2: Send VLAN101 to Tool Port 6.
Map-Rule 3: Send VLAN102 to Tool Port 7.
Map-Rule 4: Send Everything Else to the Collector on Tool Port 8.
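As an added illustration of the virtual drop port and collector concepts (not GigaVUE code), the Python below evaluates the four map-rules of VLAN-Map from Figure 12-5 against constructed sample packets. Packets are plain dictionaries, rules are assumed to be evaluated top to bottom with the first match deciding, and the collector is modelled as a final catch-all rule, so leaving it out reproduces the silent discard the NOTE above warns about.

```python
"""Map-rule evaluation for the VLAN-Map of Figure 12-5.

Added illustration, not GigaVUE code. Packets are plain dicts, rules are
evaluated top to bottom with the first match deciding (an assumption about
rule ordering), and the collector is modelled as a final catch-all rule.
"""

DROP = "virtual-drop-port"

# Rule set mirroring the four map-rules bound to Network Port 1.
VLAN_MAP = [
    {"match": {"ipsrc": "192.168.1.25"}, "to": DROP},  # Map-Rule 1: drop this source
    {"match": {"vlan": 101}, "to": 6},                 # Map-Rule 2: VLAN 101 -> Tool Port 6
    {"match": {"vlan": 102}, "to": 7},                 # Map-Rule 3: VLAN 102 -> Tool Port 7
    {"match": {}, "to": 8},                            # Map-Rule 4: collector -> Tool Port 8
]


def rule_matches(match, pkt):
    """A rule matches when every criterion it names equals the packet's value."""
    return all(pkt.get(key) == value for key, value in match.items())


def distribute(pkt, rules):
    """Return the tool port a packet is sent to, or DROP."""
    for rule in rules:
        if rule_matches(rule["match"], pkt):
            return rule["to"]
    # No rule matched and no collector rule exists: silently discarded.
    return DROP


def audit_map(pkts, rules):
    """Count packets per destination; a quick check of what a map really does."""
    counts = {}
    for pkt in pkts:
        dest = distribute(pkt, rules)
        counts[dest] = counts.get(dest, 0) + 1
    return counts


# Constructed sample traffic arriving on Network Port 1.
SAMPLE_PACKETS = [
    {"ipsrc": "192.168.1.25", "vlan": 101},  # dropped by rule 1 even though it is VLAN 101
    {"ipsrc": "10.0.0.7", "vlan": 101},      # Tool Port 6
    {"ipsrc": "10.0.0.8", "vlan": 102},      # Tool Port 7
    {"ipsrc": "10.0.0.9", "vlan": 300},      # everything else -> collector on Tool Port 8
]

if __name__ == "__main__":
    print(audit_map(SAMPLE_PACKETS, VLAN_MAP))        # with the collector rule
    print(audit_map(SAMPLE_PACKETS, VLAN_MAP[:3]))    # without it: VLAN 300 is discarded
```

Because the drop rule sits first, the packet from 192.168.1.25 is discarded even though it is on VLAN 101; reordering the rules would change that, which is why the order of map-rules matters.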
Combining Pass-All with Connections and Maps
In addition to connections and maps, GigaVUE-420 also includes a
special config pass-all packet distribution command. The pass-all
command can be used to send all packets on a network or tool port to
another tool port, irrespective of the connections, xbconnections,
maps, or xbmaps already in place for the ports.
The pass-all command is particularly useful in the following
situations:
• Redirecting all traffic to IDS monitors regardless of any filters
applied to network ports.
• Temporary troubleshooting situations where you want to see all
traffic on a port without disturbing any of the connections,
cross-box connections, maps, or cross-box maps already in place
for the port.
See Using the Pass-All Command on page 250 for details on using the
config pass-all command.
Sharing Network and Tool Ports
GigaVUE-420 has four essential commands for packet distribution –
connect, xbconnect, map, and xbmap. The rules for port sharing
among these commands are summarized below:
Connect commands can share network ports with other connect
commands regardless of any applied filters.
Network ports cannot be shared by an xbconnect, map, or xbmap.
For example, a single network port could not have both a connect
command and a map bound to it. However, it could have two
connect commands bound, regardless of the filters in place.
This is illustrated in Figure 12-6.
Figure 12-6: Network Port with Shared Connect Commands (two
connect commands sharing a single network port)
Tool ports can be shared, regardless of the filters in place.
In contrast to the GigaVUE-MP, filtered tool ports on the
GigaVUE-420 can be shared with a connect, map-rule, xbconnect, or
xbmap-rule.
Chapter 13 Connections, Filters, and Pass-Alls
This section describes how to set up GigaVUE-420 connections and
filters, as well as how to use pass-alls. The section describes both
single-box and cross-box connections.
NOTE: Be sure to read Chapter 12, Introducing Packet Distribution for
an understanding of the differences between connections and maps
(and when to use each).
The section includes the following major topics:
• Cross-Box Config: Enter Commands on All Boxes on page 216
• Connecting Network Ports to Tool Ports on page 216
• Using Filters with Connections on page 219
• Filter Examples on page 245
  • Filtering on RTP Traffic on page 245
  • MAC Address Filter Examples on page 246
• Using the Pass-All Command on page 250
Cross-Box Config: Enter Commands on All Boxes
Keep in mind that when you are entering cross-box configuration
commands (for example, the xbconnect and xbport-filter commands
described in this chapter), you must enter all commands in the same
order on each box in the stack. When setting up cross-box packet
distribution, it’s often easiest to create your commands in a text file
and then paste the contents of the text file into the CLI of each box in
the stack.
Connecting Network Ports to Tool Ports
You use the config connect (single-box) or config xbconnect
(cross-box stacks) command to connect network ports to tool ports.
However, before you can connect a network port to a tool port, you
need to make sure you have actually set up the destination port as a
tool port. The basic procedure for connecting ports is as follows:
1. Use the config port-type command to configure the destination
port as a tool port.
2. Use the config connect / config xbconnect command to connect
the network port to the tool port.
3. Optional. Configure filters using the config filter command and
bind them to ports using the config port-filter / config
xbport-filter command.
Connection Syntax
You set up connections with the following command syntax:
Single-Box:
config connect <network-port-alias | pid-list | pid-x..pid-y> to
<tool-port-alias | pid-list | pid-x..pid-y>
Cross-Box Stack:
config xbconnect <bid-pid_list> to <bid-pid_list> alias <string>
Notice that you can connect multiple network ports or tool ports with
a single command:
• The pid-list (port id list) and bid-pid_list (box id-port id)
arguments let you select multiple non-contiguous ports. To enter
port IDs in a list, simply put a space between each port ID in the
list.
• The pid-x..pid-y argument lets you select a series of adjacent
ports (for example, 2..5 selects ports 2, 3, 4, and 5).
For example:
Single-Box:
config connect 1 to 2..4
This command connects network port 1 to tool ports 2, 3, and 4.
Cross-Box Stack:
config xbconnect 1-2 1-3 1-4 to 3-1 alias MyXBConnect
This command connects network ports 1-2, 1-3, and 1-4 to the
cross-box tool port 3-1 and names the connection MyXBConnect.
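The Python below is an added illustration, not GigaVUE code. It expands the pid-list, pid-x..pid-y and bid-pid port forms from the connection syntax above, and then applies the port-sharing rules from Sharing Network and Tool Ports in Chapter 12 to a set of bindings before they are pasted into the CLI. The connect strings follow the syntax shown here; map, xbmap and xbconnect bindings are passed as (kind, network ports) tuples because their binding syntax is not shown in this section, and the reading that only connect commands may share a network port is taken from that chapter.

```python
"""Expanding config connect / config xbconnect port lists and checking the
port-sharing rules from Chapter 12 (Sharing Network and Tool Ports).

Added illustration, not GigaVUE code. Connect command strings follow the
syntax shown in this chapter; bindings made by map, xbmap and xbconnect
can also be supplied directly as (kind, network-ports) tuples because their
full syntax is not shown here. Only connect commands may share a network
port; tool ports are never flagged because they may always be shared.
"""
import re

RANGE_RE = re.compile(r"(\d+)\.\.(\d+)")        # pid-x..pid-y
PORT_RE = re.compile(r"\d+(-\d+)?")             # pid or bid-pid


def expand_ports(tokens):
    """Turn ['1', '2..4', '3-1'] into ['1', '2', '3', '4', '3-1']."""
    ports = []
    for tok in tokens:
        rng = RANGE_RE.fullmatch(tok)
        if rng:
            lo, hi = int(rng.group(1)), int(rng.group(2))
            if lo > hi:
                raise ValueError(f"reversed range {tok!r}")
            ports.extend(str(p) for p in range(lo, hi + 1))
        elif PORT_RE.fullmatch(tok):
            ports.append(tok)
        else:
            raise ValueError(f"unrecognised port token {tok!r}")
    return ports


def parse_connect(line):
    """Return (kind, network_ports, tool_ports, alias) for a connect command."""
    words = line.split()
    if len(words) < 4 or words[0] != "config" or words[1] not in ("connect", "xbconnect"):
        raise ValueError(f"not a connect command: {line!r}")
    alias = None
    if "alias" in words:
        i = words.index("alias")
        alias = words[i + 1]
        words = words[:i]
    to = words.index("to")
    return words[1], expand_ports(words[2:to]), expand_ports(words[to + 1:]), alias


def check_sharing(bindings):
    """Return {network_port: [kinds]} for ports bound in a disallowed way.

    bindings: iterable of (kind, [network ports]) where kind is one of
    'connect', 'xbconnect', 'map', 'xbmap'.
    """
    per_port = {}
    for kind, nets in bindings:
        for port in nets:
            per_port.setdefault(port, []).append(kind)
    conflicts = {}
    for port, kinds in per_port.items():
        # Several connects on one network port are fine; anything else
        # (connect+map, two maps, xbconnect+connect, ...) is not.
        if len(kinds) > 1 and any(k != "connect" for k in kinds):
            conflicts[port] = kinds
    return conflicts


if __name__ == "__main__":
    cmds = ["config connect 1 to 5", "config connect 3 to 7 8",
            "config connect 1 to 2..4"]
    bindings = [(kind, nets) for kind, nets, _, _ in map(parse_connect, cmds)]
    bindings.append(("map", ["1"]))    # a map also bound to Network Port 1
    print(check_sharing(bindings))     # {'1': ['connect', 'connect', 'map']}
```

Running the check over a prepared command file before pasting it into every box of a stack catches a network port that is bound by both a connect and a map, which the CLI would otherwise reject part-way through the paste.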
Showing Connections
Any time you make changes to the packet distribution configuration
in place on the GigaVUE-420, it’s a good idea to do a show connect to
verify your results. Figure 13-1 shows the results of a show connect
command for the config connect command in the previous example.
Figure 13-1: Checking Connections with show connect Command
Deleting Connections
You can delete connections with the following command syntax:
Single-Box:
delete connect [all | <port-alias | pid-list | pid-x..pid-y> to
<port-alias | pid-list | pid-x..pid-y>]
Cross-Box Stack:
delete xbconnect [all | xbconnect-alias-list]
The delete command uses port ID lists in the same way as the config
connect command. So, for example to delete the entire connection set
up in the previous example, you would use the following command:
delete connect 1 to 2..4
Alternatively, you could just delete one of the connections. For
example, to delete just the connection to port 2:
delete connect 1 to 2
Deleting Cross-Box Connections
You delete cross-box connections by specifying their aliases. For
example, to delete the cross-box connection set up in the previous
example, you would use the following command:
delete xbconnect MyXBConnect
NOTE: As with all cross-box commands, you must issue this
command in the CLI of all systems in the cross-box stack.
Using Filters with Connections
You use filters to include or exclude traffic on connections. You can
include or exclude traffic based on DSCP assured forwarding values,
MAC addresses, IPv4/IPv6 addresses, application port numbers,
ethertypes, VLAN IDs, protocols, TOS values, and so on.
GigaVUE-420 filters are hardware-based, performing pattern
matching at predefined offsets.
NOTE: Map-rules are similar to filters. The concept is the same, but
map-rules offer some different configuration options. See Mapping
Network Ports to Tool Ports on page 264 for details.
The section includes the following major topics:
• Using Filters – Procedure on page 220
• Pre-Filters vs. Post-Filters on page 220
• IPv4/IPv6 and Filters on page 223
• Config Filter Syntax on page 225
• Combining Filters and Filter Logic on page 235
• Working with User-Defined Pattern Match Filters on page 237
• Mixing Allow and Deny Filters on page 242
• Showing Filters on page 243
• Deleting Filters on page 244
Using Filters – Procedure
The basic procedure for setting up filters is as follows:
1. Use the config filter command to set up the filter.
2. Use the config port-filter (single-box) or config xbport-filter
(cross-box stacks) command to apply the filter to a port. You can
reuse the same filter with multiple different ports.
NOTE: You can only apply filters to network ports that are part of
a connection. If you try to apply a filter to a network port that is
not part of a connection, you will receive an error message.
However, you can apply filters to tool ports before they are part
of a connection.
Pre-Filters vs. Post-Filters
You can apply filters to both network ports and tool ports:
• Filters applied to a network port are called pre-filters because they
allow or deny traffic before it is forwarded to tool ports.
• Filters applied to a tool port are called post-filters because they
allow or deny traffic after it has been forwarded from a network
port.
Example: When to Use Pre-Filters and Post-Filters
When deciding whether to use a pre-filter or a post-filter, it’s
important to keep in mind that the GigaVUE-420 lets you use more
pre-filters than post-filters. The maximum number of post-filters
allowed on a single GigaVUE-420 box is 100. In contrast, a single
GigaVUE-420 can have 2048 network port-filters and single-tool
map-rules.
NOTE: See CLI Parameter Limits on page 341 for complete information
on the CLI limits related to filters.
When to Use Post-Filters
Post-filters are useful when you are multicasting the same traffic to
multiple different tool ports. You can use post-filters to focus each
tool port on a different portion of the overall data stream.
With the limit of 100 post-filters in mind, however, you can use
post-filters when a network port has connections to more than one
tool port and you want each of the connected tool ports to focus on
different parts of the overall data stream. For example, in Figure 13-2,
Network Port 3 has separate connections to Tool Port 7 and Tool
Port 8. In this case, you would use post-filters to provide different
data to Tool Ports 7 and 8.
When to Use Pre-Filters
Pre-filters are useful for overcoming tool port oversubscription when
aggregating traffic from multiple network ports. For example, if you
have two 1 Gb connections sending traffic to a single 1 Gb tool port,
there are likely to be situations where the tool port would be
oversubscribed and drop packets. You can address this with
pre-filters, removing the parts of the overall data stream that do not
interest you.
NOTE: Because pre-filters use fewer resources than post-filters, you
should try to use them whenever possible.
In Figure 13-2 Port 1 and Port 2 are both connected to Tool Port 5. In
order to prevent oversubscription of this tool port, both Port 1 and
Port 2 use pre-filters.
Figure 13-2: Filter Points (pre-filters on Network Ports 1 and 2,
which both feed Tool Port 5; post-filters on Tool Ports 7 and 8,
which are both fed by Network Port 3)
IPv4/IPv6 and Filters
GigaVUE-420 provides a variety of filters specific to IPv6 traffic,
including:
IPv6 Entity                          Argument
IPv6 Source/Destination Addresses    ip6src/ip6dst
IPv6 Flow Labels                     ip6fl
IPv6 Traffic                         ipver 6
In addition to the explicit IPv6 filters listed above, you can use the
ipver argument to change how some of the other attributes are
interpreted.
When ipver is used by itself in a filter, it returns all traffic matching
the specified IP version, 4 or 6. However, when ipver is set to 6,
several of the other arguments are interpreted differently when used
in the same filter, as summarized below:
portdst/portsrc
  ipver set to 4 (or not specified): Matches all IPv4 traffic on the
  specified port number.
  ipver set to 6: Matches all IPv6 traffic on the specified port
  number.
  NOTE: Because of this, if you wanted to match all IPv4 and IPv6
  traffic on a particular destination port (say, 500), you would need
  to construct two filters – one for IPv4 and one for IPv6. For
  example:
  config filter allow portdst 500 alias ipv4_500
  config filter allow ipver 6 portdst 500 alias ipv6_500
protocol
  ipver set to 4 (or not specified): When used with the <1-byte-hex>
  argument, matches against the protocol field in the standard IPv4
  header.
  ipver set to 6: When used with the <1-byte-hex> argument, matches
  against the Next Header field in the standard IPv6 header.
  NOTE: These fields perform essentially the same service in both
  versions, specifying what the next layer of protocol is. However,
  they have different names and are found at different locations in
  the header. See Protocol Filters and IPv6 on page 229 for a list of
  useful values for the <1-byte-hex> field.
ttl
  ipver set to 4 (or not specified): Matches against the standard TTL
  (time-to-live) field in the IPv4 header.
  ipver set to 6: Matches against the standard Hop Limit field in the
  IPv6 header.
  NOTE: These fields perform essentially the same service in both
  versions, specifying how long a datagram can exist.
NOTE: The ipver argument is implicitly set to 4 – if you configure a
filter without ipver specified, GigaVUE-420 assumes that the IP
version is 4.
Examples
The following examples illustrate the points made in the table above:
config filter allow ipver 6 alias six_only
Creates a filter that accepts all IPv6 traffic.
config filter allow ipver 6 protocol 0x3a alias ICMPv6
Creates a filter that matches the value for ICMP (IPv6) against the
IPv6 Next Header field.
NOTE: See Config Filter Syntax on page 225 for a list of standard
values for the Next Header field in IPv6.
config filter allow ttl 35 alias ttlfilter
Creates a filter that matches values of 35 in the TTL field of an
IPv4 packet.
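To make the ipver table concrete, the Python below is an added model (not GigaVUE code) of how a config filter is evaluated: ipver defaults to 4, portdst/portsrc are version-specific, protocol reads the protocol field or the Next Header field, ttl reads TTL or Hop Limit, and the ipfrag options 0 to 4 described under Config Filter Syntax below are evaluated on the IPv4 More Fragments flag and fragment offset. The packet dictionary layout, the constructed packets, and the rule that ipfrag never matches under ipver 6 are assumptions.

```python
"""Model of how config filter arguments are interpreted, covering the
ipver table above (portdst/portsrc, protocol, ttl) and the ipfrag options
described under Config Filter Syntax below.

Added illustration, not GigaVUE code. Packets are dicts with an assumed
layout (version, dst_port, src_port, protocol or next_header, ttl or
hop_limit, more_fragments, frag_offset); filter arguments use the names
from this chapter and ipver defaults to 4 as the NOTE above states.
"""

IPV6_FRAGMENT_HEADER = 0x2c


def make_filter(**args):
    """Build a filter; ipver is implicitly 4 when not given."""
    args.setdefault("ipver", 4)
    return args


def ipfrag_matches(option, pkt):
    """ipfrag <0|1|2|3|4>, evaluated on the IPv4 MF flag and fragment offset."""
    more, offset = pkt.get("more_fragments", False), pkt.get("frag_offset", 0)
    unfragmented = not more and offset == 0
    first = more and offset == 0
    later = offset > 0                       # every fragment after the first
    return {0: unfragmented, 1: first, 2: unfragmented or first,
            3: later, 4: first or later}[option]


def filter_matches(filt, pkt):
    """Evaluate one config filter against one packet."""
    if pkt["version"] != filt["ipver"]:
        return False                         # ipver pins the IP version
    v6 = filt["ipver"] == 6
    # Under ipver 6, 'protocol' reads Next Header and 'ttl' reads Hop Limit.
    fields = {"portdst": "dst_port", "portsrc": "src_port",
              "protocol": "next_header" if v6 else "protocol",
              "ttl": "hop_limit" if v6 else "ttl"}
    for arg, field in fields.items():
        if arg in filt and pkt.get(field) != filt[arg]:
            return False
    if "ipfrag" in filt:
        if v6:
            return False                     # assumed: ipfrag only matches IPv4
        if not ipfrag_matches(filt["ipfrag"], pkt):
            return False
    return True


def allowed_by_any(filters, pkt):
    """True when at least one allow filter admits the packet."""
    return any(filter_matches(f, pkt) for f in filters)


# Constructed packets: UDP to port 500 over IPv4 and IPv6, ICMPv6, and fragments.
V4_500 = {"version": 4, "protocol": 0x11, "ttl": 35, "dst_port": 500}
V6_500 = {"version": 6, "next_header": 0x11, "hop_limit": 35, "dst_port": 500}
V6_ICMP = {"version": 6, "next_header": 0x3a, "hop_limit": 64}
V4_FIRST_FRAG = {"version": 4, "protocol": 0x11, "ttl": 64, "dst_port": 500,
                 "more_fragments": True, "frag_offset": 0}
V4_LATER_FRAG = {"version": 4, "protocol": 0x11, "ttl": 64,   # no L4 header
                 "more_fragments": False, "frag_offset": 185}
V6_FRAG = {"version": 6, "next_header": IPV6_FRAGMENT_HEADER, "hop_limit": 64}

# The filters from this chapter's examples, expressed in this model.
IPV4_500 = make_filter(portdst=500)                  # alias ipv4_500
IPV6_500 = make_filter(ipver=6, portdst=500)         # alias ipv6_500
ICMPV6 = make_filter(ipver=6, protocol=0x3a)         # alias ICMPv6
TTLFILTER = make_filter(ttl=35)                      # alias ttlfilter
HEADERFRAGS = make_filter(ipfrag=1)                  # alias headerfrags
SIX_FRAGS = make_filter(ipver=6, protocol=0x2c)      # alias six_frags

if __name__ == "__main__":
    print(filter_matches(IPV4_500, V6_500))               # False: needs ipv6_500 too
    print(allowed_by_any([IPV4_500, IPV6_500], V6_500))   # True
    print([o for o in range(5) if ipfrag_matches(o, V4_LATER_FRAG)])   # [3, 4]
```

Running it with the constructed packets shows the point of the NOTE: ipv4_500 alone never admits the IPv6 datagram to port 500, and the later IPv4 fragment carries no port at all, so only the ipfrag options 3 and 4 see it.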
Config Filter Syntax
The table below lists and describes the arguments for the config filter
command:

[allow | deny]
    Specifies whether the filter should include (allow) or exclude (deny) traffic
    meeting the criteria specified by the rest of the config filter command.
    You can mix allow and deny filters on a single port.

[dscp <assured-forwarding-value>]
(af11~af13, af21~af23, af31~af33, af41~af43, ef)
    Creates a filter pattern for a particular decimal DSCP value. You can choose any
    value within the four Assured Forwarding class ranges or ef for Expedited
    Forwarding (the highest priority in the DSCP model).
    The valid DSCP values by Assured Forwarding Class are as follows:
    • Class 1 – 11, 12, 13
    • Class 2 – 21, 22, 23
    • Class 3 – 31, 32, 33
    • Class 4 – 41, 42, 43
    • Expedited Forwarding – ef
    For example, config filter allow dscp ef will match all traffic with expedited
    forwarding assigned.

[ethertype <2-byte-hex>]
    Creates a filter pattern for the Ethertype value in a packet. For example, config
    filter allow ethertype 0x86DD will match all traffic with an IPv6 Ethertype.
    NOTE: To filter for VLANs, use the predefined vlan filter element type instead of
    the 8100 Ethertype.
[ipfrag <0|1|2|3|4>]
    Creates a filter for different types of IPv4 fragments:
    • 0 – Matches unfragmented packets.
    • 1 – Matches the first fragment of a packet.
    • 2 – Matches unfragmented packets or the first fragment of a packet.
    • 3 – Matches all fragments except the first fragment in a packet.
    • 4 – Matches any fragment.
    For example, config filter allow ipfrag 1 alias headerfrags creates a filter named
    headerfrags that matches the first fragment in a packet.
    NOTE: The ipfrag argument only matches IPv4 fragments. To create a filter for
    IPv6 fragments, set ipver to 6 and use the protocol argument with a <1-byte-hex>
    value of 0x2c. This has the same effect as option number 4 for IPv4 – it matches
    all IPv6 fragments. For example:
        config filter allow ipver 6 protocol 0x2c alias six_frags

[ipdst <dstaddr>] [ipdstmask <xxx.xxx.xxx.xxx | /nn>]
[ipsrc <srcaddr>] [ipsrcmask <xxx.xxx.xxx.xxx | /nn>]
    Creates a filter for either a source or destination IPv4 address or subnet.
    Use subnet masks to match traffic from a range of IP addresses. You can enter
    subnet masks using either dotted-quad notation (<xxx.xxx.xxx.xxx>) or the bit
    count format (see Using Bit Count Subnet Netmasks on page 233).

[ip6src <srcaddr>] [ip6srcmask <xxxx::xxxx | /nn>]
[ip6dst <dstaddr>] [ip6dstmask <xxxx::xxxx | /nn>]
    Creates a filter for either a source or destination IPv6 address or subnet. Enter
    IPv6 addresses as eight 16-bit hexadecimal blocks separated by colons. For example:
        2001:0db8:3c4d:0015:0000:0000:abcd:ef12
    Use subnet masks to match traffic from a range of IP addresses. You can enter
    subnet masks either as 16-bit hexadecimal blocks separated by colons or in the bit
    count format (see Using Bit Count Subnet Netmasks on page 233).
[ip6fl <3-byte-hex>]
    Creates a filter for the 20-bit Flow Label field in an IPv6 packet. Packets with
    the same Flow Label, source address, and destination address are classified as
    belonging to the same flow. IPv6 networks can implement flow-based QoS using
    this approach.
    Specify the flow label as a 3-byte hexadecimal pattern. Note, however, that only
    the last 20 bits are used – the first four bits must be zeroes (specified as a
    single hexadecimal zero in the CLI). For example, to match all packets without
    flow labels, you could use the following filter:
        config filter allow ip6fl 0x000000 alias no_flow
    Alternatively, to match the flow label of 0x12345, you could use the following:
        config filter allow ip6fl 0x012345 alias flow12345

[ipver <4|6>]
    When used by itself, the ipver argument creates a filter to match either all IPv4
    or all IPv6 traffic.
    You can also set ipver to 6 and use it together with other arguments to change
    their meaning. See IPv4/IPv6 and Filters on page 223 for more information on ipver.
    NOTE: The ipver argument is implicitly set to 4 – if you configure a filter
    without ipver specified, GigaVUE-420 assumes that the IP version is 4.

[macdst <macaddr>] [macdstmask <6-byte-hex>]
[macsrc <macaddr>] [macsrcmask <6-byte-hex>]
    Creates a filter pattern for either a source or destination MAC address.
    Use the optional macsrcmask or macdstmask argument to create a range of MAC
    addresses that will satisfy the filter pattern.
    NOTE: You can enter hexadecimal MAC addresses in either 0xffffffffffff or
    ffffffffffff format. See Examples of MAC Address Filters on page 175 for examples
    of how to use MAC address masks.
[portdst <single-port-number> | <x..y>] [even | odd]
[portsrc <single-port-number> | <x..y>] [even | odd]
    Creates a filter for a source or destination application port. You can also specify:
    • A range of ports. For example, config filter allow portsrc 5000..5100 will match
      all source ports from 5000 to 5100, inclusive.
    • Either odd or even port numbers. The even | odd arguments are useful when
      setting up filters for VoIP traffic. Most VoIP implementations send RTP traffic
      on even port numbers and RTCP traffic on odd port numbers.
      For example, config filter allow portsrc 5000..5100 odd will match all odd source
      ports between 5000 and 5100.
[protocol <gre|icmp|igmp|ipv4ov4|ipv6ov4|rsvp|tcp|udp|<1-byte-hex>>]
    Creates a filter for a particular protocol. In this release, you can create
    protocol filters for gre, icmp, igmp, IPv4 over IPv4 (ipv4ov4), IPv6 over IPv4
    (ipv6ov4), rsvp, tcp, udp, and one-byte hex values (<1-byte-hex>).
    For example, config filter deny protocol gre will create a filter that excludes
    all GRE traffic.

    Protocol Filters and IPv6
    The predefined protocol filters available for IPv4 (GRE, RSVP, and so on) are not
    allowed when ipver is set to 6. This is because with the next header approach used
    by IPv6, the next layer of protocol data is not always at a fixed offset as it is
    in IPv4.
    To address this, GigaVUE-420 provides the <1-byte-hex> option to match against the
    standard hex values for these protocols in the Next Header field. Here are standard
    1-byte-hex values for both IPv4 and IPv6:
    0x00: Hop-By-Hop Option (v6 only)
    0x01: ICMP (v4 only)
    0x02: IGMP
    0x04: IP over IP
    0x06: TCP
    0x11: UDP
    0x29: IPv6 over IPv4
    0x2b: Routing Option (v6 only)
    0x2c: Fragment (v6 only)
    0x2e: RSVP (v4 only)
    0x2f: GRE (v4 only)
    0x32: Encapsulating Security Payload (ESP) Header (v6 only)
    0x33: Authentication Header (v6 only)
    0x3a: ICMP (v6 only)
    0x3b: No Next Header (v6 only)
    0x3c: Destination Option (v6 only)
[tcpctl <1-byte-hex>] [tcpctlmask <1-byte-hex>]
    Creates a one-byte pattern match filter for the standard TCP control bits (URG,
    SYN, FIN, ACK, and so on). You can use the tcpctlmask argument to specify which
    bits should be considered when matching packets.
    See Setting Filters for TCP Control Bits on page 232 for a list of the hexadecimal
    patterns for each of the eight TCP flags, along with some examples.

[tosval <1-byte-hex>]
    Creates a filter pattern for the Type of Service (TOS) value in an IPv4 header.
    The TOS value is how some legacy IPv4 equipment implements quality of service
    traffic engineering. The standard values are:
    • Minimize-Delay: Hex 0x10 or 10
    • Maximize-Throughput: Hex 0x08 or 08
    • Maximize-Reliability: Hex 0x04 or 04
    • Minimize-Cost: Hex 0x02 or 02
    • Normal-Service: Hex 0x00 or 00
    NOTE: Most network equipment now uses DSCP to interpret the TOS byte instead of
    the IP precedence and TOS value fields.

[ttl <0~255> | <x..y>] (valid range 0..255)
    Creates a filter for the Time to Live (TTL – IPv4) or Hop Limit (IPv6) value in an
    IP packet.
    • If there is no ipver argument included in the filter (or if it is set to 4),
      GigaVUE-420 matches the value against the TTL field in IPv4 packets.
    • If ipver is set to 6 in the filter, GigaVUE-420 matches the value against the Hop
      Limit field in IPv6 packets.
    The TTL and Hop Limit fields perform the same function, specifying the maximum
    number of hops a packet can cross before it reaches its destination.
[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
    Creates up to two user-defined, 16-byte pattern matches in a filter. A pattern is
    a particular sequence of bits at a specific offset from the start of a frame.
    Setting a user-defined pattern match in GigaVUE-420 consists of the following
    major steps:
    • Specify the two global offsets to be used for user-defined pattern matches using
      the config uda command (uda1_offset and uda2_offset).
    • Specify the data pattern and mask using the config filter command with the
      [udax_data][udax_mask] arguments. You use the mask to specify which bits in the
      pattern must match to satisfy the filter.
    A single filter can contain up to two user-defined pattern matches.
    NOTE: Always use the predefined filter elements instead of user-defined pattern
    matches when possible.
    See Working with User-Defined Pattern Match Filters on page 237 for details.

[vlan <vlan id (1-4094)> | <x..y>] [odd | even]
    Creates a filter pattern for a VLAN ID or range of VLAN IDs. You can also use the
    odd | even argument to match alternating VLAN IDs. For example, config filter
    allow vlan 200..300 even will match all even VLAN IDs between 200 and 300.

[alias <string>]
    Use the alias argument to associate a textual alias with a filter.
    Aliases are optional. GigaVUE-420 automatically creates a Filter ID for every
    filter you configure. You can manage filters either by the automatically generated
    numerical Filter ID or by the optional alias.
    NOTE: The easiest way to discover the automatically generated Filter ID for a given
    filter is to do a show filter command in the CLI. Each filter will be shown along
    with its numerical ID.
Setting Filters for TCP Control Bits
As described in the table above, you can use the tcpctl argument to
set one-byte pattern filters for the standard TCP control bits. The
table below summarizes the bit positions of each of the flags, along
with their corresponding hexadecimal patterns.

Flag                         Bit Position   Pattern
Congestion Window Reduced    X... ....      0x80
ECN Echo                     .X.. ....      0x40
Urgent Pointer               ..X. ....      0x20
Acknowledgment               ...X ....      0x10
Push                         .... X...      0x08
Reset                        .... .X..      0x04
SYN                          .... ..X.      0x02
FIN                          .... ...X      0x01

Examples
The following filter matches packets with only the SYN bit set:
config filter allow tcpctl 0x02 tcpctlmask 0x3f alias syns_only
Many packets will have some combination of these bits set rather
than just one. So, for example, the following filter matches all packets
with both the ACK and SYN bits set:
config filter allow tcpctl 0x12 tcpctlmask 0x3f alias syns_acks
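The tcpctl/tcpctlmask comparison, as an added example that is not part of the original guide: it decodes the control byte using the bit positions in the table above and runs the two filters from the Examples over constructed flag combinations. The function names and sample packets are the example's own.

```python
# Added example (not from the GigaVUE-420 guide): models the tcpctl/tcpctlmask
# one-byte match described above and checks the two filters from the Examples.
# Function names and the sample control bytes are constructed for illustration.
from typing import Dict, List

# Bit positions from the table above (TCP control byte, most significant bit first).
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}


def flags_from_names(*names: str) -> int:
    """Build a TCP control byte from flag names, e.g. ('SYN', 'ACK') -> 0x12."""
    byte = 0
    for name in names:
        byte |= TCP_FLAGS[name]
    return byte


def flag_names(byte: int) -> List[str]:
    """Decode a control byte into the flag names that are set (table order)."""
    return [name for name, bit in TCP_FLAGS.items() if byte & bit]


def tcpctl_matches(control_byte: int, tcpctl: int, tcpctlmask: int = 0xFF) -> bool:
    """One-byte pattern match: only the bits set in tcpctlmask are compared.

    This is the semantics the guide gives for tcpctl/tcpctlmask: the mask selects
    which control bits are considered, and those bits must equal the pattern.
    Bits outside the mask are wild cards.
    """
    return (control_byte & tcpctlmask) == (tcpctl & tcpctlmask)


def evaluate_examples() -> Dict[str, Dict[str, bool]]:
    """Run the guide's syns_only and syns_acks filters over constructed packets."""
    # alias -> (tcpctl, tcpctlmask), exactly as in the two CLI examples above.
    filters = {
        "syns_only": (0x02, 0x3F),
        "syns_acks": (0x12, 0x3F),
    }
    # Constructed control bytes from a normal handshake plus an ECN-setup SYN.
    packets = {
        "SYN": flags_from_names("SYN"),
        "SYN+ACK": flags_from_names("SYN", "ACK"),
        "ACK": flags_from_names("ACK"),
        "SYN+ECE+CWR": flags_from_names("SYN", "ECE", "CWR"),
    }
    return {
        alias: {pkt: tcpctl_matches(byte, pat, mask) for pkt, byte in packets.items()}
        for alias, (pat, mask) in filters.items()
    }
```

Because tcpctlmask 0x3f leaves the CWR and ECE bits out of the comparison, an ECN-setup SYN (control byte 0xc2) also satisfies syns_only; a mask of 0xff is needed if those two bits must be clear as well.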
Using Bit Count Subnet Netmasks
The table below summarizes the bit count subnet mask value for
standard dotted-quad IPv4 subnet masks. As described in Config
Filter Syntax on page 225, you can enter IP subnet masks in the bit
count format by using the /nn argument.
Bit count subnet masks are easier to visualize for IPv6 addresses,
specifying which portion of the total 128 bits in the address
correspond to the network address. So, for example, a subnet mask of
/64 indicates that the first 64 bits of the address are the network
address and that the remaining 64 bits are the host address. This
corresponds to the following hexadecimal subnet mask:
ffff:ffff:ffff:ffff:0000:0000:0000:0000

Standard Subnet Mask    Bit Count Subnet Mask
255.255.255.255         /32
255.255.255.254         /31
255.255.255.252         /30
255.255.255.248         /29
255.255.255.240         /28
255.255.255.224         /27
255.255.255.192         /26
255.255.255.128         /25
255.255.255.0           /24
255.255.254.0           /23
255.255.252.0           /22
255.255.248.0           /21
255.255.240.0           /20
255.255.224.0           /19
255.255.192.0           /18
255.255.128.0           /17
255.255.0.0             /16
255.254.0.0             /15
255.252.0.0             /14
255.248.0.0             /13
255.240.0.0             /12
255.224.0.0             /11
255.192.0.0             /10
255.128.0.0             /9
255.0.0.0               /8
254.0.0.0               /7
252.0.0.0               /6
248.0.0.0               /5
240.0.0.0               /4
224.0.0.0               /3
192.0.0.0               /2
128.0.0.0               /1
0.0.0.0                 /0
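Converting between the two mask forms in the table above, as an added example that is not part of the original guide: it maps dotted-quad masks to the /nn form (rejecting masks that the /nn form cannot express), back again, and builds the colon-separated IPv6 mask for a /nn prefix. The helper names are the example's own.

```python
# Added example (not from the GigaVUE-420 guide): converts between the dotted-quad
# and bit-count (/nn) subnet mask forms in the table above, and builds the
# colon-separated IPv6 mask for a /nn prefix as described for ip6srcmask/ip6dstmask.
from typing import List, Tuple


def dotted_quad_to_bitcount(mask: str) -> int:
    """255.255.255.0 -> 24. Rejects masks that are not a contiguous run of 1 bits,
    because the /nn form can only express contiguous masks."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask}")
    value = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    bits = bin(value)[2:].zfill(32)
    ones = bits.count("1")
    # A contiguous mask is n ones followed by (32 - n) zeroes and nothing else.
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous mask cannot be written as /nn: {mask}")
    return ones


def bitcount_to_dotted_quad(prefix: int) -> str:
    """24 -> 255.255.255.0 (valid range /0../32)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"IPv4 prefix out of range: /{prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def bitcount_to_ipv6_mask(prefix: int) -> str:
    """64 -> ffff:ffff:ffff:ffff:0000:0000:0000:0000 (eight 16-bit hex blocks)."""
    if not 0 <= prefix <= 128:
        raise ValueError(f"IPv6 prefix out of range: /{prefix}")
    value = ((1 << 128) - 1) ^ ((1 << (128 - prefix)) - 1)
    return ":".join(f"{(value >> shift) & 0xFFFF:04x}" for shift in range(112, -1, -16))


def subnet_mask_table() -> List[Tuple[str, str]]:
    """Regenerate the standard-mask / bit-count table above, from /32 down to /0."""
    return [(bitcount_to_dotted_quad(n), f"/{n}") for n in range(32, -1, -1)]
```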
Combining Filters and Filter Logic
When working with filters, you can easily combine multiple criteria
into a single filter rule by combining them in the CLI command. You
can also bind multiple filters to a single network port. GigaVUE-420
processes filter definitions as follows:
• Within a single filter, filter criteria are joined with a logical AND. A packet
  must match each of the specified criteria to satisfy the filter.
• Multiple filters bound to a single port are joined with a logical OR. A packet
  must match at least ONE of the filters to be allowed or denied.
NOTE: When used in a filter with multiple criteria, the ipver
argument changes the interpretation of some filter arguments. See
IPv4/IPv6 and Filters on page 223 for details.
Examples of Filter Logic
For example, the filters shown in the table below are both set up with
filter criteria for vlan 100 and portsrc 23.
• The first example combines the two criteria into a single filter and binds it to a
  port. This joins the criteria with a logical AND.
• The second example creates two separate filters – one for each of the criteria –
  and binds them both to the same port. This joins the criteria with a logical OR.

Multiple Filter Criteria Joined with AND
config filter allow vlan 100 portsrc 23 alias combofilter
    Creates a single filter called combofilter with two criteria – VLAN ID 100 and
    source port 23.
config port-filter 3 combofilter
    Applies the filter named combofilter to Port 3.

Multiple Filters Joined with OR
config filter allow vlan 100 alias vlanfilter
    Creates a filter called vlanfilter with one criterion – VLAN ID 100.
config filter allow portsrc 23 alias portfilter
    Creates a filter called portfilter with one criterion – source port 23.
config port-filter 3 vlanfilter portfilter
    Applies the filters named vlanfilter and portfilter to Port 3.
    Because vlanfilter and portfilter are separate filters, they will be joined with a
    logical OR. This means that a packet can match either vlanfilter or portfilter to
    be allowed on Port 3.
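The AND-within-a-filter, OR-across-filters logic described above, as an added example that is not part of the original guide: a small parser for the config filter arguments used on this page (vlan, portsrc, portdst with x..y ranges and even|odd, alias) and an evaluator that runs combofilter and vlanfilter + portfilter over constructed packets. The class and function names are the example's own, and packets are plain dicts keyed by the argument names.

```python
# Added example (not from the GigaVUE-420 guide): a model of the filter logic
# described above. Criteria inside one filter are ANDed; filters bound to one port
# are ORed. The parser handles only the arguments these examples use (vlan, portsrc,
# portdst, with x..y ranges and even|odd, plus alias); packets are plain dicts keyed
# by the same argument names. Everything here is the example's own construction.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Filter:
    action: str                                   # "allow" or "deny"
    criteria: Dict[str, Callable[[dict], bool]] = field(default_factory=dict)
    alias: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        """Logical AND: every criterion in the filter must be satisfied."""
        return all(check(pkt) for check in self.criteria.values())


def _range_criterion(spec: str, parity: Optional[str]) -> Callable[[int], bool]:
    """Build a check for '23', '5000..5100', or '5000..5100 odd' (inclusive range)."""
    lo, _, hi = spec.partition("..")
    low, high = int(lo), int(hi or lo)

    def check(value: int) -> bool:
        if not low <= value <= high:
            return False
        if parity == "even":
            return value % 2 == 0
        if parity == "odd":
            return value % 2 == 1
        return True

    return check


def parse_config_filter(command: str) -> Filter:
    """Parse e.g. 'config filter allow vlan 100 portsrc 23 alias combofilter'."""
    tokens = command.split()
    if tokens[:2] != ["config", "filter"] or tokens[2] not in ("allow", "deny"):
        raise ValueError(f"not a config filter command: {command}")
    flt = Filter(action=tokens[2])
    i = 3
    while i < len(tokens):
        key = tokens[i]
        if key == "alias":
            flt.alias = tokens[i + 1]
            i += 2
        elif key in ("vlan", "portsrc", "portdst"):
            spec = tokens[i + 1]
            parity = None
            i += 2
            if i < len(tokens) and tokens[i] in ("even", "odd"):
                parity = tokens[i]
                i += 1
            in_range = _range_criterion(spec, parity)
            # Default args bind key/in_range now, so each criterion keeps its own values.
            flt.criteria[key] = lambda pkt, k=key, ok=in_range: k in pkt and ok(pkt[k])
        else:
            raise ValueError(f"argument not handled by this example: {key}")
    return flt


def port_filter_matches(filters: List[Filter], pkt: dict) -> List[str]:
    """Logical OR across the filters bound to one port: the aliases that match."""
    return [f.alias for f in filters if f.matches(pkt)]


def run_guide_example() -> Dict[str, List[str]]:
    """Evaluate combofilter (AND) against vlanfilter + portfilter (OR) on sample packets."""
    combo = parse_config_filter("config filter allow vlan 100 portsrc 23 alias combofilter")
    vlan_f = parse_config_filter("config filter allow vlan 100 alias vlanfilter")
    port_f = parse_config_filter("config filter allow portsrc 23 alias portfilter")
    packets = {  # constructed packets: only the first satisfies both criteria
        "vlan100_src23": {"vlan": 100, "portsrc": 23},
        "vlan100_src80": {"vlan": 100, "portsrc": 80},
        "vlan200_src23": {"vlan": 200, "portsrc": 23},
        "vlan200_src80": {"vlan": 200, "portsrc": 80},
    }
    return {
        name: port_filter_matches([combo], pkt) + port_filter_matches([vlan_f, port_f], pkt)
        for name, pkt in packets.items()
    }
```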
Working with User-Defined Pattern Match Filters
The GigaVUE-420 lets you configure up to two user-defined, 16-byte
pattern matches in a filter or map-rule. A pattern is a particular
sequence of bits at a specific location in a frame.
NOTE: GigaVUE-420’s CLI refers to a pattern as a UDA
(“user-defined attribute”).
The major steps in setting up a user-defined pattern match are as
follows:
Step 1 (Configure Global Offsets): Use the config uda command to set up
GigaVUE-420’s global offsets for user-defined pattern matches.
You can set the two offsets at 4-byte boundaries from 2-126 bytes.
The offsets can not overlap. There are only two offsets in place on
the system at any one time (uda1_offset and uda2_offset) – the
same offsets are used by all pattern-based filters and map-rules.
See Specifying Offsets – config uda on page 238 for details.
Step 2 (Configure Patterns and Masks): Use the uda1_data/uda1_mask and
uda2_data/uda2_mask arguments for the config filter and config map-rule
commands to set up the actual patterns and masks.
See Specifying Patterns and Masks – config udax_data/udax_mask on
page 239 for details.
Figure 13-3: Configuring User-Defined Pattern Matches
User-Defined Pattern Match Syntax
This section describes the syntax for the commands used to set up
user-defined pattern match filters and map-rules:
• Specifying Offsets – config uda on page 238
• Specifying Patterns and Masks – config udax_data/udax_mask on page 239
Specifying Offsets – config uda
You use the config uda command to specify the two global offsets to
be used for user-defined pattern matches. This command has the
following syntax:
config uda [uda1_offset <2~110>] [uda2_offset <2~110>]
GigaVUE-420 accepts offsets at four-byte boundaries ranging from
byte 2 to byte 110. This means that there are 27 valid offset positions
ranging from 0x01 (an offset of 2 bytes) to 0x6d (an offset of 110
bytes). Offsets are always frame-relative, not data-relative.
In many cases, you will be looking for patterns that do not start
exactly on a four-byte boundary. To search in these positions, you
would set an offset at the nearest four-byte boundary and adjust the
pattern and mask accordingly.
Default Offsets
The default offsets are listed below. You can always see the current
offset values by using the show uda command.

Offset         Default Value
uda1_offset    14 (decimal); E (hexadecimal)
uda2_offset    30 (decimal); 1E (hexadecimal)
Specifying Patterns and Masks – config udax_data/udax_mask
The user-defined pattern match syntax is identical for filters and
map-rules:
[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
• Both the udax_data and udax_mask arguments are specified as sixteen-byte
  hexadecimal sequences. Specify the pattern in four four-byte segments separated
  by hyphens. For example:
  0x01234567-89abcdef-01234567-89abcdef
• Masks specify which bits in the pattern must match. The mask lets you set
  certain bits in the pattern as wild cards – any values in the masked bit positions
  will be accepted.
  • Bits masked with binary 1s must match the specified pattern.
  • Bits masked with binary 0s are ignored.
User-Defined Pattern Match Rules
Keep in mind the following rules when creating user-defined pattern
matches:
• Offsets are specified in decimal; patterns and masks are specified in hexadecimal.
• All hexadecimal values must be fully defined, including leading zeroes. For example,
  to specify 0xff as a 16-byte value, you must enter
  00000000-00000000-00000000-000000ff.
• You can use user-defined pattern matches as either standalone filters/map-rules or
  in tandem with the other available predefined criteria for filters/map-rules (for
  example, port numbers, IP addresses, VLAN IDs, and so on).
• You can use up to two separate user-defined pattern matches in a single filter or
  map-rule. When two user-defined pattern matches appear in the same filter/map-rule,
  they are joined with a logical AND. However, note that the two patterns cannot use
  the same offset.
• You can not apply user-defined pattern match filters to a tool port.
• You can only use user-defined pattern match filters in multi-tool maps – they are
  not allowed in single-tool maps. Note, however, that a multi-tool map can consist
  entirely of map-rules forwarding packets to a single tool port.
• User-defined pattern matches are combined in filters using the same logic described
  in Combining Filters and Filter Logic on page 235.
• User-defined pattern matches used in maps are subject to the same conflict and
  priority rules described in Map-Rule Priority and Guidelines on page 280.
• Avoid using user-defined pattern matches to filter for elements that are available
  as predefined filters (for example, IP addresses, MAC addresses, and so on).
User-Defined Pattern Match Examples
Suppose you want to set up a filter that matches all traffic with a
particular MPLS label (0x00017). To do this, you can use a filter that
combines an ethertype filter for the MPLS ethertype (8847) with a
user-defined pattern match for the label itself.
The ethertype filter for MPLS does two things:
• Ensures that the filter matches MPLS traffic.
• Assures us that all traffic accepted by the filter will have an MPLS label stack
  starting at an offset of 14 bytes (right after the DLC header).
We’ll put the ethertype argument in the same filter with the
user-defined pattern match to make sure they’re joined with a logical
AND. The following example explains how to construct this filter.
Figure 13-4, below, shows the filter in the GigaVUE-420 CLI.

First, set the offset for the first user-defined pattern match. We know that MPLS
label stacks start at an offset of 14 bytes, right after the DLC header, so let’s set
that up.
    config uda uda1_offset 14

Next, set up the filter itself. The filter will have two parts – the ethertype filter
and the user-defined pattern match itself.
• The ethertype for MPLS is 0x8847.
• We’re searching for the MPLS label of 0x00017. Fortunately, the offset of 14 is on a
  four-byte boundary when counting from the start of the valid range (2~110; so, 2, 6,
  10, 14). This makes it easy to supply the pattern – we can start with the actual
  MPLS label and then mask the rest with binary zeroes.
    config filter allow ethertype 0x8847 uda1_data 0x00017000-00000000-00000000-00000000 uda1_mask 0xfffff000-00000000-00000000-00000000 alias MPLS_label
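The MPLS_label filter above worked through on the wire, as an added example that is not part of the original guide: it parses the hyphenated 16-byte pattern and mask notation, applies the offset rule from Specifying Offsets (four-byte boundaries from byte 2 to byte 110), and runs the ethertype AND uda1 match against constructed Ethernet/MPLS frames. The MAC addresses, payload and function names are the example's own.

```python
# Added example (not from the GigaVUE-420 guide): models the user-defined pattern
# match (UDA) described above: a 16-byte pattern and mask compared against the frame
# at a fixed, frame-relative offset. The MPLS frame bytes are constructed for
# illustration; the 0x....-....-....-.... notation and the offset rule (four-byte
# boundaries from byte 2 to byte 110) follow the text above.
import struct

UDA_OFFSETS = range(2, 111, 4)  # 2, 6, 10, ..., 110: valid uda1/uda2 offsets


def parse_uda_hex(text: str) -> bytes:
    """Parse '0x00017000-00000000-00000000-00000000' into 16 bytes.
    Every digit must be present (leading zeroes included), as the rules require."""
    digits = text.lower().replace("-", "")
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) != 32:
        raise ValueError(f"UDA value must be exactly 16 bytes of hex: {text}")
    return bytes.fromhex(digits)


def set_uda_offset(offset: int) -> int:
    """Mirror the config uda range check: 2..110 on four-byte boundaries."""
    if offset not in UDA_OFFSETS:
        raise ValueError(f"offset {offset} is not a valid UDA offset (2, 6, ..., 110)")
    return offset


def uda_matches(frame: bytes, offset: int, data: bytes, mask: bytes) -> bool:
    """Masked 16-byte compare at the offset: bits masked 1 must equal the pattern,
    bits masked 0 are wild cards. A frame too short to cover the window cannot match."""
    window = frame[offset:offset + 16]
    if len(window) < 16:
        return False
    return all((w & m) == (d & m) for w, d, m in zip(window, data, mask))


def build_mpls_frame(label: int, ethertype: int = 0x8847) -> bytes:
    """Constructed Ethernet frame: 14-byte DLC header, then one MPLS label stack
    entry (20-bit label, TC=0, bottom-of-stack S=1, TTL=64) and a 20-byte payload."""
    dst = bytes.fromhex("001122334455")  # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    entry = (label << 12) | (1 << 8) | 64
    payload = b"\x45" + b"\x00" * 19
    return dst + src + struct.pack("!H", ethertype) + struct.pack("!I", entry) + payload


def mpls_label_filter(frame: bytes) -> bool:
    """The filter from the example: ethertype 0x8847 AND the uda1 match at offset 14."""
    offset = set_uda_offset(14)
    data = parse_uda_hex("0x00017000-00000000-00000000-00000000")
    mask = parse_uda_hex("0xfffff000-00000000-00000000-00000000")
    ethertype_ok = frame[12:14] == b"\x88\x47"
    return ethertype_ok and uda_matches(frame, offset, data, mask)
```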
Figure 13-4: Sample User-Defined Pattern Match Filter
Mixing Allow and Deny Filters
GigaVUE-420 lets you mix allow and deny filters on a single port.
Mixing allow and deny filters can be useful in a variety of situations.
The following example shows an allow filter set up to include all
traffic matching a particular source port range combined with a deny
filter configured to exclude ICMP traffic.

config filter allow portsrc 20..66 alias portfilter
    Create a filter called portfilter with one criterion – a source port range.
config filter deny protocol icmp alias deny_icmp
    Create a filter called deny_icmp with one criterion – protocol icmp.
config port-filter 3 portfilter deny_icmp
    Apply the two filters to Port 3.
Showing Filters
Any time you make changes to the filters in place on the
GigaVUE-420, it’s a good idea to verify your changes with a show
filter command. The show filter command provides you with the
filter definitions in place, as well as the ports to which they are
bound.
Figure 13-5 shows the results of a show filter command for the
config filter commands in the previous example. In this example,
vlanfilter and portfilter are both bound to Port 3. However,
combofilter is not.
Figure 13-5: Checking Filters with show filter Command
Deleting Filters
Delete filters by using the delete filter command. If the filter you
want to delete is currently applied to a port, you must remove it from
the port first by using the delete port-filter (single-box) or delete
xbport-filter (cross-box stacks) command.
• The delete port-filter command has the following syntax:
  delete port-filter [all | <port-alias | pid> [all | <filter-alias | fid-list>]]
• The delete xbport-filter command has the following syntax:
  delete xbport-filter [all | <bid-pid> [all | <filter-alias | fid-list>]]
• The delete filter command has the following syntax:
  delete filter [all | <filter-alias | fid-list>]
For example, to delete the filter named vlanfilter bound to Port 3 in
the previous example, you would use the following commands:

delete port-filter 3 vlanfilter
    This command removes the filter named vlanfilter from Port 3.
delete filter vlanfilter
    This command deletes the filter named vlanfilter.
Filter Examples
This section provides some examples of filters:
• Filtering on RTP Traffic on page 245
• MAC Address Filter Examples on page 246
Filtering on RTP Traffic
You can use GigaVUE-420’s ability to filter on even or odd port
numbers to focus on different aspects of VoIP traffic.
VoIP implementations typically send RTP on even port numbers and
RTCP on the next available odd port number. The following example
constructs several filters designed to block RTP on the
even-numbered ports in its common ranges and binds them to
network ports 7 and 8.
Table 13-1: Blocking RTP Traffic on Common Ports

config port-type 1 tool
    Sets Port 1 as a tool port.
config connect 7 8 to 1
    Connects Network Ports 7 and 8 to Tool Port 1.
config filter deny portsrc 5004 alias deny_src_5004
    Constructs a filter named deny_src_5004 to deny traffic with a source port of 5004.
config filter deny portdst 5004 alias deny_dst_5004
    Constructs a filter named deny_dst_5004 to deny traffic with a destination port
    of 5004.
config filter deny portsrc 16384..16624 even alias deny_src_cisco_rtp
    Constructs a filter named deny_src_cisco_rtp to deny traffic with an even-numbered
    source port in the range of 16384..16624. This is a standard RTP port range used by
    Cisco equipment.
config filter deny portdst 16384..16624 even alias deny_dst_cisco_rtp
    Constructs a filter named deny_dst_cisco_rtp to deny traffic with an even-numbered
    destination port in the range of 16384..16624.
config port-filter 7 deny_src_5004
config port-filter 7 deny_dst_5004
config port-filter 7 deny_src_cisco_rtp
config port-filter 7 deny_dst_cisco_rtp
    These commands bind the four RTP-blocking filters to Network Port 7.
config port-filter 8 deny_src_5004
config port-filter 8 deny_dst_5004
config port-filter 8 deny_src_cisco_rtp
config port-filter 8 deny_dst_cisco_rtp
    These commands bind the four RTP-blocking filters to Network Port 8.
config save gigavue.cfg
    Saves changes to the gigavue.cfg configuration file.
MAC Address Filter Examples
This section provides several examples of how to use MAC address
filters with an address mask.
Example 1 – Deny Filter
In this example, we’ll set up a filter that denies packets with a source
MAC address matching that specified in the filter. The filter will use
the following values for macsrc and macsrcmask:

Field in config filter Command    Value
macsrc                            00 00 00 00 00 03
macsrcmask                        FF FF FF FF FF FE

Command:
config filter deny macsrc 000000000003 macsrcmask fffffffffffe alias macfilter
Result:
Packets with the following two MAC source addresses are denied:
• 00 00 00 00 00 02
• 00 00 00 00 00 03
All other MAC addresses will pass this filter.
Example 2 – Allow Filter
In this example, we will change the filter action we set up in Example
1 – Deny Filter from deny to allow.
Command:
config filter allow macsrc 000000000003 macsrcmask fffffffffffe alias macfilter
Result:
Only packets with the following two MAC source addresses are
accepted:
• 00 00 00 00 00 02
• 00 00 00 00 00 03
All other MAC addresses are denied.
Example 3 – Deny Filter
In this example, we’ll set up a filter that denies packets with a source
MAC address matching that specified in the filter. The filter will use
the following values for macsrc and macsrcmask:

Field in config filter Command    Value
macsrc                            00 00 00 00 00 03
macsrcmask                        FF FF FF FF FF F1

Command:
config filter deny macsrc 000000000003 macsrcmask fffffffffff1 alias macfilter
Result:
Packets with the following eight MAC source addresses are denied:
• 00 00 00 00 00 01
• 00 00 00 00 00 03
• 00 00 00 00 00 05
• 00 00 00 00 00 07
• 00 00 00 00 00 09
• 00 00 00 00 00 0b
• 00 00 00 00 00 0d
• 00 00 00 00 00 0f
All other MAC addresses will pass this filter.
Example 4 – Denying Odd-Numbered MAC Addresses
In this example, we’ll set up a filter that denies packets with a source
MAC address matching that specified in the filter. The filter will use
the following values for macsrc and macsrcmask:

Field in config filter Command    Value
macsrc                            00 00 00 00 00 03
macsrcmask                        00 00 00 00 00 01

Command:
config filter deny macsrc 000000000003 macsrcmask 000000000001 alias macfilter
Result:
All odd-numbered MAC source addresses are denied:
• 00 00 00 00 00 01
• 00 00 00 00 00 03
• ff ff ff ff ff fb
• ff ff ff ff ff fd
• ff ff ff ff ff ff
Only packets from even-numbered MAC source addresses will pass
through this filter. All the odd-numbered MAC source addresses are
denied.
Example 5 – Allowing Odd-Numbered MAC Addresses
In this example, we will change the filter action we set up in Example
4 – Denying Odd-Numbered MAC Addresses from deny to allow.
Command:
config filter allow macsrc 000000000003 macsrcmask 000000000001 alias macfilter
Result:
Only packets from odd-numbered MAC source addresses will pass
through this filter. All the even-numbered MAC source addresses are
denied.
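How a macsrc/macsrcmask pair selects a set of addresses, as an added example that is not part of the original guide: a mask bit of 1 means that bit of the address must equal the pattern and a 0 bit is a wild card, so the enumerator below lists every address a pair accepts and reproduces the results of Examples 1 through 5. The helper names are the example's own.

```python
# Added example (not from the GigaVUE-420 guide): shows how macsrc/macsrcmask select
# a set of addresses. A mask bit of 1 means that bit of the address must equal the
# pattern; a 0 bit is a wild card. The enumerator lists every address a pattern/mask
# pair accepts (capped, since a mask with many zero bits selects a huge set), and
# guide_examples() reproduces Examples 1 to 5 above.
from typing import Dict, List


def parse_mac(text: str) -> int:
    """Accept '0xffffffffffff', 'ffffffffffff', or the spaced 'ff ff ff ff ff fe' form."""
    digits = text.lower().replace(" ", "").replace(":", "")
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) != 12:
        raise ValueError(f"MAC address/mask must be 6 bytes (12 hex digits): {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render as the guide's spaced form, e.g. '00 00 00 00 00 03'."""
    return " ".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_matches(addr: int, macsrc: int, macsrcmask: int) -> bool:
    """The filter test: compare only the bits selected by the mask."""
    return (addr & macsrcmask) == (macsrc & macsrcmask)


def matched_address_count(macsrcmask: int) -> int:
    """Each zero bit in the mask doubles the number of addresses that satisfy it."""
    wildcard_bits = 48 - bin(macsrcmask).count("1")
    return 1 << wildcard_bits


def enumerate_matches(macsrc: int, macsrcmask: int, limit: int = 256) -> List[str]:
    """List the addresses accepted by the pattern/mask, smallest first.
    Refuses sets larger than `limit` rather than iterating up to 2^48 values."""
    if matched_address_count(macsrcmask) > limit:
        raise ValueError("mask selects too many addresses to list")
    wildcard_positions = [b for b in range(48) if not (macsrcmask >> b) & 1]
    base = macsrc & macsrcmask
    results = []
    for combo in range(1 << len(wildcard_positions)):
        value = base
        for i, bit in enumerate(wildcard_positions):
            if (combo >> i) & 1:
                value |= 1 << bit
        results.append(value)
    return [format_mac(v) for v in sorted(results)]


def guide_examples() -> Dict[str, object]:
    """Examples 1/2 (mask ...fe), 3 (mask ...f1) and 4/5 (mask ...01) from the text."""
    src = parse_mac("000000000003")
    odd_mask = parse_mac("000000000001")
    # Constructed sample addresses: three odd, one even, plus the top of the range.
    samples = (0x1, 0x2, 0x3, 0xFFFFFFFFFFFB, 0xFFFFFFFFFFFE, 0xFFFFFFFFFFFF)
    return {
        "fffffffffffe": enumerate_matches(src, parse_mac("fffffffffffe")),
        "fffffffffff1": enumerate_matches(src, parse_mac("fffffffffff1")),
        "000000000001_count": matched_address_count(odd_mask),
        "000000000001_odd_only": all(
            mac_matches(a, src, odd_mask) == (a % 2 == 1) for a in samples
        ),
    }
```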
Using the Pass-All Command
In addition to connections and maps, GigaVUE-420 also includes a
special config pass-all packet distribution command. The pass-all
command can be used to send all packets on a network or tool port to
another tool port (or multiple tool ports) on the same box,
irrespective of the connections, xbconnections, maps, or xbmaps
already in place for the ports.
This section includes the following topics for the config pass-all
command:
• Syntax for config pass-all on page 250
• Rules for config pass-all on page 252
• Maximum Number of Pass-All Destinations on page 252
• Pass-All Matrix on page 253
• Filters and the config pass-all Command on page 254
• Examples for config pass-all on page 256
• Illustration of Pass-Alls in the Show Connect Screen on page 260
Syntax for config pass-all
The config pass-all command has the following syntax:
config pass-all <network/tool-port-alias | pid-list | pid-x..pid-y>
to <tool-port-alias | pid-list | pid-x..pid-y>
Notice that you can connect multiple ports with a single command:
• The pid-list (port id list) argument lets you select multiple non-contiguous
  ports. To enter port IDs in a list, simply put a space between each port ID in
  the list.
• The pid-x..pid-y argument lets you select a series of adjacent ports (for
  example, 2..5 selects ports 2, 3, 4, and 5).
For example:

config pass-all 1..4 to 5
    This command sets up pass-alls from ports 1-4 to tool port 5.
config pass-all 1 to 2..5
    This command sets up pass-alls from port 1 to ports 2-5.

Showing the Pass-Alls in Place
Use the standard show connect command to see the pass-alls in place
on the GigaVUE-420. The show connect display uses angle brackets
(>>) to indicate that a pass-all is in place. Figure 13-12 on page 261
shows the show connect display for a set of pass-alls.
Deleting a Pass-All
You can delete an existing pass-all with the delete pass-all command.
The command has the following syntax:
delete pass-all [all | <port-alias | pid-list | pid-x..pid-y>
to all | <port-alias | pid-list | pid-x..pid-y>]
For example, to delete the pass-all set up by the first command in the
table above, you could use the following command:
delete pass-all 1..4 to 5
You could also delete just a portion of the pass-all. For example, to
delete the pass-all from 3 to 5:
delete pass-all 3 to 5
Rules for config pass-all
Keep in mind the following rules for the config pass-all command:
• You can set up a config pass-all from:
  • Network Port(s) to Tool Port(s)
  • Tool Port to Tool Port(s)
  NOTE: The destination for a pass-all must always be a tool port.
• You cannot set up a config pass-all from network port to network port.
• Pass-alls are only supported within a single GigaVUE-420 box. Within the box, you
  can set up pass-alls from any installed port to any other port, including the rear
  GigaLINK ports (x1-x4).
• A config pass-all cannot duplicate both endpoints of a connection or map that’s
  already in place. For example, if Network Port 1 is connected to Tool Port 2, you
  can’t set up a config pass-all 1 to 2, too.
• A config pass-all cannot be used with a port that is part of a port-pair.
Maximum Number of Pass-All Destinations
The number of pass-all destinations available for a given source port
depends on whether it’s part of a single-tool map, a multi-tool map,
or no map at all:
• Ports in Single-Tool Maps – Maximum of four destination ports per system.
• Ports in Multi-Tool Maps/Unmapped Ports – Maximum of 23 destination ports per
  system.
For example, consider a GigaVUE-420 with a single-tool map on
network ports 1-4. In this case, the total destinations for any pass-alls
from ports 1-4 cannot exceed four. The number of pass-alls available
to the remaining 20 ports in the system (5-20; x1-x4) is limited only by
the number of tool ports defined on the system – it could be as many
as 19 (20 minus a single port to be used as the source for the pass-all).
By contrast, if network port 1 is part of a multi-tool map, you could
set up pass-alls between network port 1 and the other 23 ports on a
fully-populated system (so long as the other 23 were configured as
tool ports).
Pass-All Matrix
The table below summarizes the supported scenarios for sending
data with the config pass-all command.
Columns: Source, Destination, Supported?, Comments.
Sources listed: Single Network Port, Multiple Network Ports, Single Tool Port, Multiple Tool Ports, Network Port in a Port-Pair, and Single or Multiple Network Ports.
Destinations listed: Single Tool Port, Multiple Tool Ports, and Network Ports.
Comments: Network ports can never be the destination for a pass-all.
Filters and the config pass-all Command
When you set up a config pass-all, it interacts with filters differently
depending on whether it is passing traffic from a network port or a
tool port:
• When you set up a pass-all from a network port to a tool port, the traffic is passed to the destination tool port before any network port filters are applied. This points out one of the best use-cases for a pass-all – a way to see all traffic arriving on a network port without taking down any existing filters or map-rules.
• When you set up a pass-all from a tool port to another tool port, the traffic is passed to the destination tool port after any tool port filters are applied. This means that the pass-all will send the filtered traffic to the destination tool port.
Potential for Duplicate Packets on Destination Port
There are certain situations where using a pass-all to send packets to
the same destination as a connection or map can cause duplicate
packets. For example, consider the following scenario:
• Network Port 1 is connected to Tool Port 7 and Tool Port 8.
• Tool Port 7 has a post-filter set to allow only packets with a VLAN ID of 100.
• Tool Port 7 has a pass-all to Tool Port 8.
In this situation, all packets with a VLAN ID of 100 will be duplicated on Tool Port 8:
• One copy will arrive because of the connection from Network Port 1 to Tool Port 8.
• A second copy will arrive because of the pass-all sending the filtered VLAN 100 traffic from Tool Port 7 to Tool Port 8.
Figure 13-6 illustrates this.
Figure 13-6: Potential for Duplicate Packets (Network Port 1 connected to Tool Ports 7 and 8; VLAN 100 filter on Tool Port 7; pass-all from Tool Port 7 to Tool Port 8)
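To make the filter interaction and the duplicate-packet scenario above concrete, here is an added Python model (not Gigamon code) of how copies of a packet reach each tool port; CONNECTIONS, PASS_ALLS, NETWORK_FILTERS and POST_FILTERS are the constructed configuration from the scenario, and deliver and duplicated_ports are hypothetical helper names.

```python
"""Where a packet ends up when pass-alls are combined with connections and
tool-port post-filters on a GigaVUE-420, following the guide: a
network->tool pass-all delivers traffic before any network-port filter,
while a tool->tool pass-all forwards the post-filtered output of the
source tool port.  Added illustration, not Gigamon code."""
from collections import defaultdict

# Constructed configuration: the duplicate-packet scenario from the text.
# Connections are (network_port, tool_port); pass-alls are
# (source_port, destination_tool_port); filters map a port to a predicate
# that returns True when a packet is allowed through.
CONNECTIONS = [(1, 7), (1, 8)]
PASS_ALLS = [(7, 8)]
NETWORK_FILTERS = {}                                    # no filter on port 1
POST_FILTERS = {7: lambda pkt: pkt.get("vlan") == 100}  # post-filter on tool port 7


def deliver(pkt, ingress_port, connections=CONNECTIONS, pass_alls=PASS_ALLS,
            network_filters=NETWORK_FILTERS, post_filters=POST_FILTERS):
    """Return {tool_port: copies} for one packet arriving on a network port."""

    def allowed(filters, port):
        return filters.get(port, lambda p: True)(pkt)

    copies = defaultdict(int)
    # 1. Network->tool pass-alls: the copy arrives regardless of any
    #    network-port filter.
    for src, dst in pass_alls:
        if src == ingress_port:
            copies[dst] += 1
    # 2. Connections: the network-port filter applies first, then the
    #    destination tool port's post-filter.
    if allowed(network_filters, ingress_port):
        for net, tool in connections:
            if net == ingress_port and allowed(post_filters, tool):
                copies[tool] += 1
    # 3. Tool->tool pass-alls replicate what the source tool port already
    #    emits, i.e. only the post-filtered traffic.
    for src, dst in pass_alls:
        if src != ingress_port and copies.get(src, 0):
            copies[dst] += copies[src]
    return dict(copies)


def duplicated_ports(pkt, ingress_port, **config):
    """Tool ports that would receive more than one copy of pkt."""
    return sorted(port for port, n in deliver(pkt, ingress_port, **config).items()
                  if n > 1)


if __name__ == "__main__":
    for vlan in (100, 200):
        pkt = {"vlan": vlan}
        print(vlan, deliver(pkt, 1), "duplicates on", duplicated_ports(pkt, 1))
```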
Examples for config pass-all
Sending Unfiltered Traffic to an IDS
Intrusion Detection Systems need to see unfiltered traffic to work
effectively. However, you may want to use filters or maps to send
different portions of the same traffic source to different destinations.
This is the perfect place to use a pass-all. Figure 13-7 illustrates this:
Figure 13-7: Unfiltered Traffic to IDS (map on Network Port 1 with map-rules to Tool Ports 5, 6, and 7; IDS on Tool Port 8)
Temporary Troubleshooting Situations
Under certain circumstances, you may want to see all of the traffic on
a particular port without disturbing any of the packet distribution
commands already in place for the port. The pass-all gives you a way
to do this. For example, suppose you have an existing map sending
traffic from Network Port 1 to Tool Ports 5..7 based on different
map-rule criteria (Figure 13-8).
Figure 13-8: Existing Map on Network Port 1 (map-rules from Network Port 1 to Tool Ports 5, 6, and 7)
Complaints of slow response times on the network monitored by
Network Port 1 lead you to want to see all of the traffic rather than
just the portions broken out by your map. Because mapped network
ports can’t be shared, you can’t just connect the port to another tool
port. However, you also don’t want to take down your existing map.
In a situation like this, you could set up a pass-all for the mapped
network port and send the full set of traffic arriving at the network
port to another tool port. For example:
config pass-all 1 to 8
Now, the unfiltered set of traffic arriving on Network Port 1 is both
passed to Tool Port 8 and also distributed to Tool Ports 5-7 based
on the existing map-rules (Figure 13-9).
Figure 13-9: Adding a Pass-All for Temporary Troubleshooting (map-rules from Network Port 1 to Tool Ports 5, 6, and 7; pass-all from Network Port 1 to Tool Port 8)
Sending Unfiltered Traffic to Multiple Destinations
You can also use the config pass-all command to see the same
tool-port-filtered data on multiple tool ports.
Consider the following scenario:
• Network Ports 1-3 are connected to Tool Port 5.
• Tool Port 5 has a port-filter set up to allow only VLAN IDs 100-500.
Figure 13-10 illustrates this scenario.
Figure 13-10: Adding a Pass-All for Temporary Troubleshooting (three connections from Network Ports 1, 2, and 3 to post-filtered Tool Port 5)
If you wanted different tools to analyze the same tool-port-filtered
data, you could set up a pass-all to multiple tool ports so that they
could all see the same data. For example:
config pass-all 5 to 6..8
With this configuration (Figure 13-11), Tool Ports 5-8 all see the same
tool-port-filtered data.
Figure 13-11: Adding Pass-Alls to Multiple Tool Ports (Network Ports 1-3 connected to post-filtered Tool Port 5; config pass-all 5 to 6..8)
Illustration of Pass-Alls in the Show Connect Screen
When you use the show connect command to display the connections
in place on the GigaVUE-420, the system uses right angle brackets
(>>) to indicate that a pass-all is in place:
• Pass-alls from a network port to a tool port are shown with a series of angle brackets linking the network port and tool port. For example:
( 4) >>>>>>>>>>> ( 6)
• Pass-alls from a tool port to a tool port are shown with a pair of angle brackets linking the two tool ports. For example:
( 6)>> ( 7)
Figure 13-12 shows the show connect display for the pass-all set up
to multiple tool ports in the previous section.
Figure 13-12: Show Connect with Pass-All to Multiple Tool Ports (angle brackets indicate pass-alls in place between tool ports)
Chapter 14
Working with Maps
(Single-Box and Cross-Box)
This section describes how to set up GigaVUE-420 maps. You
configure maps by mapping data from network ports to tool ports.
The chapter describes both single-box and cross-box maps.
NOTE: Be sure to read Chapter 12, Introducing Packet Distribution for
an understanding of the differences between connections and maps
(and when to use each).
The section includes the following major topics:
• Cross-Box Config: Enter Commands on All Boxes on page 264
• Mapping Network Ports to Tool Ports on page 264
• Creating Maps: config map/config xbmap on page 266
• Creating Map-Rules: config map-rule on page 271
• Binding Maps to Ports: config mapping / config xbmapping on page 273
• Map-Rule Priority and Guidelines on page 280
• Map Examples on page 282
Cross-Box Config: Enter Commands on All Boxes
Keep in mind that when you are entering cross-box configuration
commands (for example, the xbmap and xbmapping commands
described in this chapter), you must enter all commands in the same
order on each box in the stack. When setting up cross-box packet
distribution, it’s often easiest to create your commands in a text file
and then paste the contents of the text file into the CLI of each box in
the stack.
Mapping Network Ports to Tool Ports
You use maps to direct traffic arriving on network ports to tool ports
based on different criteria:
• Single-box maps direct traffic from network ports to tool ports on the same GigaVUE-420 system.
• Cross-box maps direct traffic from a network port on one GigaVUE-420 system to tool ports on other GigaVUE-420 systems connected in a cross-box stack via their stacking ports. See Stacking GigaVUE-420 Boxes on page 105 for information on how to connect and configure a cross-box stack.
NOTE: For information on the differences between maps and
connections (and when you should use each), see Connecting vs.
Mapping – The Differences on page 208.
Figure 14-1 shows the major steps in creating a map. Figure 14-2
provides a conceptual illustration of the map components set up in
Figure 14-1.
264
Chapter 14
Step 1 – Create the Map: Use the config map (single-box) or config xbmap (cross-box stacks) command to create a map. These commands create a map “container” for the map-rules you define in the next step. When you create a map, you give it a name (an alias) and specify whether it is a single-tool or multi-tool map. See Creating Maps: config map/config xbmap on page 266 for information on creating the map.
Step 2 – Create Map-Rules for the Map: Use the config map-rule command to create map-rules for the map. Map-rules direct traffic based on different packet criteria – MAC/IP addresses, port numbers, VLAN IDs, protocols, and so on. You can set up map-rules that direct packets to different tool ports, map-rules that delete some packets right away (send them to the “virtual drop port”), and map-rules that direct all traffic that doesn’t match any of the other rules in the map to a designated “collector” port. See Creating Map-Rules: config map-rule on page 271 for information on creating map-rules.
Step 3 – Apply the Map to Network Ports: Use the config mapping (single-box) or config xbmapping (cross-box stacks) command to bind the map to one or more network ports. Binding the map to a network port applies all of its rules to traffic arriving on the port. Traffic will be forwarded according to the rules in the map. See Binding Maps to Ports: config mapping / config xbmapping on page 273 for information on binding maps to network ports.
Figure 14-1: Setting up a Map
Working with Maps (Single-Box and Cross-Box)
265
Figure 14-2: Map Components (a mapping binds the map to Network Port 1; its map-rules send traffic to Tool Ports 5, 6, and 7)
Creating Maps: config map/config xbmap
The first step in setting up a map is using the config map (single-box)
or config xbmap (cross-box stacks) command to create a map
container. This container will hold all of your map-rules. You will
eventually bind the container to one or more network ports using the
config mapping or config xbmapping command.
When you create the map container, you must supply the following
information:
• Whether the map is a single-tool map or a multi-tool map.
• The name (alias) of the map.
Single-Tool Maps vs. Multi-Tool Maps
There are two types of maps – single-tool and multi-tool. You use the type [st | mt] argument to specify the map’s type as part of the config map / config xbmap command (see Syntax for the config map / config xbmap Commands on page 270 for details).
• Single-tool maps must consist entirely of map-rules that send matching packets to a single tool port.
• Multi-tool maps can have map-rules that send matching packets to multiple tool port destinations. However, it is not a requirement that they have at least one such rule.
For example, the map-rule config map-rule MT-Map rule ipdst
192.168.1.25 tool 4 5 sends all traffic with a destination IP address
of 192.168.1.25 to both tool ports 4 and 5. This rule could only be
part of a multi-tool map (a map with its type set to mt).
NOTE: Single-tool maps can still send traffic to multiple destinations –
it’s just that each individual rule within the map can only send traffic
to a single destination. So, a single-tool map could still have one rule
that sends traffic to tool port 4 and another rule that sends traffic to
tool port 5. However, a single-tool map could not have a single rule
that sent traffic to both tool port 4 and 5. Only a multi-tool map can
do that.
NOTE: See Map Example – Single-Tool vs. Multi-Tool on page 287 for
examples of each map type, along with the differences in the
commands used to create them.
Map Types and Other GigaVUE-420 Features
It’s important to understand how the choice between a single-tool
and multi-tool map affects the availability of other GigaVUE-420
features:
Single-Tool Maps
Use single-tool maps if you want to use user-defined pattern match
filters. The trade-off is that you will have fewer port-pair and pass-all
resources for ports in single-tool maps. Single-tool maps consume
system resources needed to construct pass-alls and port-pairs.
Single-Tool Maps
  Plus: Support Pattern Match Filters
  Minus: Fewer Port-Pairs (2 instead of 12); Fewer Pass-All Destination Ports for Ports in the Map (4 instead of 23)
Multi-Tool Maps
Multi-tool maps can consist entirely of map-rules that only send
traffic to a single tool port. There is no requirement that a multi-tool
map have at least one multi-tool rule.
This is important to keep in mind when deciding which type of map
to use – you can use a multi-tool map if you want to maximize the
number of pass-alls and port-pairs available for ports in the map. The
trade-off is that you will not be able to use user-defined pattern
matches in multi-tool map-rules.
Multi-Tool Maps
  Plus: More Port-Pairs (12 instead of 2); More Pass-All Destination Ports for Ports in the Map (23 instead of 4)
  Minus: No User-Defined Pattern Match Map-Rules
Supported Map Maximums
When creating maps on the GigaVUE-420, keep in mind the
following supported maximums:
Map Type – Maximum
Local maps (single-tool and multi-tool combined) per system – 10
Cross-box single-tool maps per system – 10
Cross-box multi-tool maps per system – 10
Cross-box maps are counted separately for single-tool and multi-tool.
For example, a single GigaVUE-420 box could have:
• 10 single-tool cross-box maps.
• 10 multi-tool cross-box maps.
• 5 local single-tool maps.
• 5 local multi-tool maps.
Syntax for the config map / config xbmap Commands
The config map and config xbmap commands have the same syntax:
config map type [st | mt] alias <string>
config xbmap type [st | mt] alias <string>
The table below lists and describes the arguments for these
commands:
Argument: [mt | st]
Description: Specifies whether the map is a multi-tool (mt) or single-tool (st) map. See Single-Tool Maps vs. Multi-Tool Maps on page 267 for more information.
Argument: alias
Description: Creates a textual alias for this map. Aliases can consist of a maximum of 30 alphanumeric characters. You can also use hyphens (-) and the underscore (_) character.
Creating Map-Rules: config map-rule
The config map-rule command creates a map filter that directs
matching traffic to tool ports, cross-box tool ports, or a virtual drop
port. You can set map-rules that direct traffic based on MAC
addresses, IP addresses, application port numbers, ethertypes, VLAN
IDs, protocols, and TOS values.
Map-rules must be bound to an existing map. Whenever you set up a
new map-rule, you must specify the map to which it belongs with the
<map-alias> argument.
How GigaVUE-420 Processes Map-Rules
See Map-Rule Priority and Guidelines on page 280 for details on how
GigaVUE-420 processes map-rules in a map.
Syntax for the config map-rule Command
The syntax for the config map-rule command is as follows:
config map-rule <map-alias>
rule
[collector]
[dscp <assured-forwarding-value>]
(af11~af13, af21~af23, af31~af33, af41~af43, ef)
[ethertype <2-byte-hex>]
[ipfrag <0|1|2|3|4>] [ipver <4|6>]
(0:no frag, 1:1st frag, 2:no frag or 1st frag, 3:frag but not 1st, 4:all frag)
[ipdst <dstaddr>] [ipdstmask <xxx.xxx.xxx.xxx | /nn>]
[ipsrc <srcaddr>] [ipsrcmask <xxx.xxx.xxx.xxx | /nn>]
[ip6src <srcaddr>] [ip6srcmask <xxxx::xxxx | /nn>]
[ip6dst <dstaddr>] [ip6dstmask <xxxx::xxxx | /nn>]
[ip6fl <3-byte-hex>]
[macdst <macaddr>] [macdstmask <6-byte-hex>]
[macsrc <macaddr>] [macsrcmask <6-byte-hex>]
[portdst <single-port-number | <x..y>] [even | odd]
[portsrc <single-port-number | <x..y>] [even | odd]
[protocol <gre|icmp|igmp|ipv4ov4|ipv6ov4|rsvp|tcp|udp|<1-byte-hex>>]
[tcpctl <1-byte-hex>] [tcpctlmask <1-byte-hex>]
[tosval <1-byte-hex>]
[ttl <0~255> | <x..y>] (valid range 0..255)
[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
[vlan <1~4094> | <x..y>] [even | odd]
tool <port-alias | pid | pid_list | bid-pid | bid-pid-list | drop>
A map-rule consists of the following major components:
• The name of the map to which the map-rule will belong (<map-alias>).
• The criteria for the rule itself. This consists of all the values specified for the rule argument (MAC/IP addresses, application ports, VLAN IDs, and so on).
• The destination for traffic matching the rule argument. This consists of the values specified for the tool argument. You can send matching traffic to a tool port, a cross-box tool port, or a virtual drop port.
NOTE: For local map-rules you specify the destination by its pid. For cross-box map-rules, you specify the destination by bid-pid (Box ID-Port ID; for example, 3-2).
Map-Rule Arguments Described
The arguments for the map-rule command are exactly the same as
those for the config filter command. See the following sections
describing filter arguments:
• Using Filters with Connections on page 219
• IPv4/IPv6 and Filters on page 223
• Config Filter Syntax on page 225
• Combining Filters and Filter Logic on page 235
• Working with User-Defined Pattern Match Filters on page 237
• Filter Examples on page 245
Binding Maps to Ports:
config mapping / config xbmapping
The config mapping (single-box) and config xbmapping (cross-box
stacks) commands bind a map to one or more network ports (up to 23
network ports for single-box maps; up to 40 network ports for
cross-box maps). You can bind maps to a single port, a list of ports, or
a contiguous series of ports (single-box maps only).
Binding a map to a port is the last step in setting up the map. Once
you have completed the config mapping / config xbmapping
command, the map begins directing traffic on the mapped network
ports to the destinations specified by the map-rules in the map.
Syntax for config mapping / config xbmapping
The syntax for the config mapping command is as follows:
config mapping net <network-port-alias | network-port-id-list |
network-pid-x..network-pid-y>
map <map-alias>
The syntax for the config xbmapping command is as follows:
config xbmapping net <bid-pid_list> map <map-alias>
The table below lists and describes the arguments for the config
mapping and config xbmapping commands. Both single-box and
cross-box mappings consist of the following components:
• The network ports to which the map is bound. This is specified by the net argument.
• The name of the map you are binding. This is specified by the map argument.
Argument: net
  Single-Box Maps (config mapping): <network-port-alias | network-port-id-list | network-pid-x..network-pid-y>
  Specifies the network ports to which the named map will be bound. You can bind maps to a single port, a list of ports, or a contiguous series of ports (up to 20 in all).
  For example, config mapping net MyPort map MyMap binds the map named MyMap to the port named MyPort. Similarly, config mapping net 4..8 map MyMap binds the map with the alias MyMap to network ports 4 through 8.
  Cross-Box Maps (config xbmapping): <bid-pid_list>
  Specifies the network ports to which the named map will be bound. You can bind maps to a single port or a list of ports (up to 40, in all).
  For example, config xbmapping net 2-3 map MyXBMap binds the map named MyXBMap to Port 3 on Box ID 2.
Argument: map
  <map-alias>
  Specifies the map to be bound to the named network ports.
  If you don’t know the alias for a map, use the show map-rule command to display all maps currently configured on the box.
Showing Maps
Any time you make changes to the packet distribution configuration
in place on the GigaVUE-420, it’s a good idea to verify your results
with a show command. When working with maps, there are two
helpful show commands:
show map-rule [all | map-alias]
  This command provides a detailed description of the requested maps, regardless of whether the maps have been bound to a network port. This command is useful in the following situations:
  • When you want to see detailed information on a map’s map-rules.
  • When you want to see information on a map that has not yet been bound to a network port.
show connect
  This command provides a summary of all the packet distribution configuration on the box, including a Mapping section that summarizes the maps currently bound to network ports.
Figure 14-3 shows the results of a show map-rule command for the
VLAN-Map set up with the commands in the table below.
1. First, create the VLAN-Map container using the config map command. Because this map will consist entirely of rules sending traffic to only a single destination, we will set type to st (single-tool).
   config map type st alias VLAN-Map
2. Next, we will create the map-rules for the VLAN-Map using the config map-rule command. The first rule drops all traffic from the IP address 192.168.1.25.
   config map-rule VLAN-Map rule ipsrc 192.168.1.25 ipsrcmask /32 tool drop
3. We need map-rules that forward different VLAN IDs to different ports. This map-rule for VLAN-Map sends VLAN 101 to Tool Port 6.
   config map-rule VLAN-Map rule vlan 101 tool 6
4. This map-rule for VLAN-Map sends VLAN 102 to Tool Port 7.
   config map-rule VLAN-Map rule vlan 102 tool 7
5. This map-rule sends all traffic not matching any other rules in the map to Tool Port 8.
   config map-rule VLAN-Map rule collector tool 8
6. Finally, we bind the map to Network Port 1 with the config mapping command.
   config mapping net 1 map VLAN-Map
Figure 14-3: Checking Maps with show map-rule Command
Changing Maps
You make changes to maps differently depending on whether you
are working with a single-box map or a cross-box map:
Single-Box Map – Editing/Deleting
You can make the following changes at any time, regardless of whether the map has been bound to a network port using the config mapping command:
• Add or delete map-rules to/from a map regardless of whether it is currently bound to a network port.
• Delete a mapping, removing the map from network port(s).
• Delete a map in its entirety, including mappings and map-rules.
Cross-Box Map – Editing/Deleting
You can make the following changes at any time, regardless of whether the xbmap has been bound to a network port using the config xbmapping command:
• Add or delete map-rules to/from an xbmap regardless of whether it is currently bound to a network port.
• Delete an xbmap in its entirety, including mappings and map-rules.
You cannot, however, delete a cross-box mapping once the map has been bound. This is the difference in delete functionality between single-box and cross-box maps.
NOTE: You must delete the cross-box map on all boxes in the cross-box stack. Similarly, to use an updated version of the map, you must make the changes on all boxes in the stack.
Adding Map-Rules to Single-Box/Cross-Box Maps
You can add a map-rule to a single-box or cross-box map at any time
by using the config map-rule command described in Creating
Map-Rules: config map-rule on page 271.
For example, the following command adds a new destination port
map-rule to the VLAN-MAP example shown in Figure 14-3 on
page 276:
config map-rule VLAN-MAP rule portdst 23 tool 2
Deleting a Map-Rule from Single-Box/Cross-Box Maps
You can delete a map-rule from a single-box or cross-box map at any
time by using the delete map-rule command. You can delete:
• All but one of the map-rules from a map (you must use delete map to remove the final map-rule along with the map).
• Map-rules sending data to a particular range of tool ports.
• Specific Rule IDs.
NOTE: Use the show map-rule command to see the Rule ID corresponding to a particular rule.
Delete Map-Rule Syntax
The syntax for the delete map-rule command is as follows:
delete map-rule <map-alias> [tool <port-id-list> | rule <rule-id-list>]
For example, the following command deletes the rule we added to
VLAN-MAP in the previous row by specifying its Rule ID:
delete map-rule VLAN-MAP rule 5
Because this map-rule was the only map-rule bound to Tool Port 2,
we could also have deleted it by specifying its tool port, as follows:
delete map-rule VLAN-MAP tool 2
Deleting a Single-Box Mapping
You can delete a single-box map’s mapping by using the delete
mapping command. You can delete either all mappings on the box or
a specific mapping by specifying the name of the map.
IMPORTANT: You cannot delete mappings with cross-box maps.
NOTE: Deleting a mapping does not delete the map itself. It only
removes it from the network port(s) to which it is bound. Once you
delete a mapping you can reuse the map with other network ports by
using the config mapping command.
Delete Mapping Syntax
The delete mapping command has the following syntax:
delete mapping [all | map-alias]
For example, to delete VLAN-MAP’s mapping, you would use the
following command:
delete mapping VLAN-MAP
Once the mapping for VLAN-MAP is deleted, you can rebind it using
the config mapping command.
Deleting a Single-Box/Cross-Box Map
You can delete a single-box or cross-box map in its entirety by using
the delete map/delete xbmap command. You can delete either all
maps on the box or a specific map by specifying the name of the map.
The delete map command deletes all of the configuration associated
with the specified map(s) on the local GigaVUE-420, including:
• Any mapping in place.
• All map-rules for the map.
• The map container itself.
NOTE: The delete xbmap command must be issued on each of the boxes in a cross-box stack to completely remove the xbmap.
Delete Map Syntax
The delete map command has the following syntax:
delete map [all | map-alias]
For example, to delete VLAN-MAP in its entirety, you would use the
following command:
delete map VLAN-MAP
Combining Pass-All with Maps
You can use GigaVUE-420’s special config pass-all packet
distribution command in combination with maps and cross-box
maps.
The pass-all command is particularly useful when you want to send
all the traffic from filtered or mapped network ports to a security tool
that needs to see unfiltered traffic. It’s also useful in temporary
troubleshooting situations where you want to see all traffic on a port
without disturbing any of the maps or cross-box maps already in
place for the port.
See Using the Pass-All Command on page 250 for details on using the
config pass-all command.
Map-Rule Priority and Guidelines
GigaVUE-420 assigns priority to map-rules in a map in the same
order in which they are specified, with later matches taking priority
over earlier matches. This means that a packet matching multiple
rules in the same map will be forwarded to the destination specified
by the last map-rule it matches.
If you find that a particular packet is not forwarded to the destination
you expect because it matches multiple map-rules, you can adjust the
order of the map-rules in the map. Start by using the show map-rule
command to see the existing sequence of rules. Then, delete and
re-add the map-rule you want to match the packet. Re-adding the
map-rule adds it as the last rule in the map, thereby giving it the
highest priority.
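The priority rule above, together with the single-tool/multi-tool distinction from Single-Tool Maps vs. Multi-Tool Maps, as an added Python model (not Gigamon code): MapRule and Map are hypothetical classes, and vlan_map builds the VLAN-Map from the Figure 14-3 table to show a drop rule being overridden by a later VLAN rule and regaining priority after it is deleted and re-added.

```python
"""Model of GigaVUE-420 map-rule evaluation as the guide describes it:
non-collector rules are evaluated with later matches winning, a collector
rule only receives traffic no other rule matched, and a single-tool (st)
map rejects any rule with more than one tool destination.  Added
illustration, not Gigamon code; VLAN-Map follows the Figure 14-3 table."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class MapRule:
    # criteria keys mirror config map-rule arguments: "vlan" (int or range),
    # "ipsrc"/"ipdst" (address with optional /nn mask).  tools is a tuple of
    # tool-port ids, or ("drop",) for the virtual drop port.
    criteria: dict
    tools: tuple
    collector: bool = False

    def matches(self, pkt):
        for key, want in self.criteria.items():
            have = pkt.get(key)
            if key in ("ipsrc", "ipdst"):
                if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif isinstance(want, range):
                if have not in want:
                    return False
            elif have != want:
                return False
        return True

    def cli(self, alias):
        """Render the rule as the config map-rule command that creates it."""
        if self.collector:
            crit = "collector"
        else:
            parts = []
            for key, want in self.criteria.items():
                if key in ("ipsrc", "ipdst"):
                    addr, _, mask = want.partition("/")
                    parts.append(f"{key} {addr}" + (f" {key}mask /{mask}" if mask else ""))
                elif isinstance(want, range):
                    parts.append(f"{key} {want.start}..{want.stop - 1}")
                else:
                    parts.append(f"{key} {want}")
            crit = " ".join(parts)
        return f"config map-rule {alias} rule {crit} tool {' '.join(map(str, self.tools))}"


@dataclass
class Map:
    alias: str
    map_type: str                      # "st" (single-tool) or "mt" (multi-tool)
    rules: list = field(default_factory=list)
    cross_box: bool = False            # True: config xbmap / config xbmapping

    def add_rule(self, rule):
        # A single-tool map may only hold rules with a single destination.
        if self.map_type == "st" and len(rule.tools) > 1:
            raise ValueError(f"{self.alias} is single-tool; one rule cannot target {rule.tools}")
        self.rules.append(rule)
        return self

    def readd_rule(self, index):
        # Deleting and re-adding a rule moves it to the end of the map,
        # which gives it the highest priority (the reorder procedure above).
        self.rules.append(self.rules.pop(index))
        return self

    def destination(self, pkt):
        # The last non-collector match wins; the collector only sees packets
        # that matched nothing else.  None means no rule matched at all.
        chosen = None
        for rule in self.rules:
            if not rule.collector and rule.matches(pkt):
                chosen = rule
        if chosen is None:
            chosen = next((r for r in self.rules if r.collector), None)
        return None if chosen is None else chosen.tools

    def cli(self, net_ports):
        """The full command sequence: create the map, its rules, then bind it."""
        create = "xbmap" if self.cross_box else "map"
        bind = "xbmapping" if self.cross_box else "mapping"
        lines = [f"config {create} type {self.map_type} alias {self.alias}"]
        lines += [r.cli(self.alias) for r in self.rules]
        lines.append(f"config {bind} net {net_ports} map {self.alias}")
        return lines


def vlan_map():
    # Same rules, in the same order, as the VLAN-Map table in the guide.
    return (Map("VLAN-Map", "st")
            .add_rule(MapRule({"ipsrc": "192.168.1.25/32"}, ("drop",)))
            .add_rule(MapRule({"vlan": 101}, (6,)))
            .add_rule(MapRule({"vlan": 102}, (7,)))
            .add_rule(MapRule({}, (8,), collector=True)))


if __name__ == "__main__":
    m = vlan_map()
    print("\n".join(m.cli(1)))
    pkt = {"ipsrc": "192.168.1.25", "vlan": 101}
    print("before reorder:", m.destination(pkt))   # (6,): the later VLAN rule beats the drop
    m.readd_rule(0)
    print("after reorder: ", m.destination(pkt))   # ('drop',)
```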
Map Creation Guidelines
Keep the following simple guidelines in mind when creating maps:
Apply Complicated Filters/Map-Rules First
Always apply the more complicated filters/map-rules first.
Complicated filters/map-rules include:
• Filters/Map-Rules with value ranges (for example, a range of port-numbers).
• Filters/Map-Rules with multiple attributes.
• User-Defined Pattern Matches.
Apply Collector Map-Rules Last
If your map includes a collector map-rule, it should always be the
last map-rule in the map. You can see examples of this in Map
Examples on page 282.
Resolving “No Resource for Operation” Errors
If you receive a No resource for operation error message when
adding map-rules or filters, do a config save followed by a config
restore and then try applying the map-rules or filters again.
Map Examples
This section provides some sample maps along with the commands
used to create them.
• Map Example – Selectively Forwarding VLAN Ranges on page 282
• Map Example – Single-Tool vs. Multi-Tool on page 287
Map Example – Selectively Forwarding VLAN Ranges
In this example, we will create a map that forwards different ranges
of VLAN IDs to different tool ports, including one cross-box
destination. Figure 14-4 illustrates our starting configuration:
• The GigaVUE-420 with the Box ID of 1 has ports 1-4 set up as network ports and ports 5-8 set up as tool ports.
• The GigaVUE-420 with the Box ID of 2 also has ports 1-4 set up as network ports and ports 5-8 set up as tool ports.
• Box 1 and Box 2 are connected back-to-back in a cross-box stack using the x1 stacking ports.
Figure 14-4: Starting Configuration: Back-to-Back Cross-Box Connection (GigaVUE-420 Box ID 1 and Box ID 2, each with Network Ports 1-4 and Tool Ports 5-8, joined through their x1 stacking ports)
What this Map Will Do
We want to create a map called VLAN-Map and bind it to Network
Port 1 on GigaVUE-420 Box ID 1. This map will do the following:
• Send traffic with VLAN IDs 1-99 to local Tool Port 5.
• Send traffic with VLAN IDs 100-199 to local Tool Port 6.
• Send traffic with VLAN IDs 200-299 to local Tool Port 7.
• Send traffic with VLAN IDs 300-399 to the cross-box destination of Tool Port 5 on GigaVUE-420 Box ID 2.
• Send all other traffic to local Tool Port 8 using the collector rule.
Commands to Create this Map
The table below lists and describes the commands used to create this
map.
1. First, create the VLAN-Map container using the config xbmap command. Because this map will consist entirely of rules sending traffic to only a single destination, we will set type to st (single-tool).
   config xbmap type st alias VLAN-Map
2. Next, we will create the map-rules for the VLAN-Map using the config map-rule command. We need map-rules that forward different VLAN ranges to different ports. The first command forwards VLANs 1-99 to Tool Port 5 on Box ID 1.
   config map-rule VLAN-Map rule vlan 1..99 tool 1-5
3. This map-rule for VLAN-Map sends VLANs 100-199 to Tool Port 6 on Box ID 1.
   config map-rule VLAN-Map rule vlan 100..199 tool 1-6
4. This map-rule for VLAN-Map sends VLANs 200-299 to Tool Port 7 on Box ID 1.
   config map-rule VLAN-Map rule vlan 200..299 tool 1-7
5. This map-rule for VLAN-Map sends VLANs 300-399 to Tool Port 5 on Box ID 2.
   config map-rule VLAN-Map rule vlan 300..399 tool 2-5
6. This map-rule sends all traffic not matching any other rules in the map to Tool Port 8 on Box ID 1.
   config map-rule VLAN-Map rule collector tool 1-8
7. Finally, bind the map to Network Port 1 on Box ID 1 with the config xbmapping command.
   config xbmapping net 1-1 map VLAN-Map
Execute Cross-Box Commands on All Boxes in Stack!
For the cross-box map created in the table above to work correctly,
you would need to execute all of the commands in the table in the
same order on all boxes in the stack (Box ID 1 and Box ID 2 in this
example).
The easiest way to do this is to create a text file with these commands
and then paste the contents of the text file into the CLI of each box in
the stack.
Showing the Map in the CLI
Once you have created the map using the commands in Commands to
Create this Map on page 284, it’s a good idea to use the show map-rule
command to verify that the map has been set up the way you
expected. Figure 14-5 shows the results of a show map-rule for this
map example.
[Figure callouts: "This section shows that this is a cross-box (Stacking), single-tool map with the name VLAN-Map. It also shows that the map has been applied to Network Port 1-1." and "This section shows the rules (1-5) configured for this map."]
Figure 14-5: Results of a show map-rule for VLAN-Map
Map Illustration
Figure 14-6 shows conceptually how VLAN-Map is implemented.
[Figure 14-6 residue: GigaVUE-420 Box ID 1 (Network Ports 1-1 to 1-4, Tool Ports 1-5 to 1-8) and GigaVUE-420 Box ID 2 (Network Ports 2-1 to 2-4, Tool Ports 2-5 to 2-8), each holding VLAN-Map with Map-Rule 1: Send VLANs 1-99 to Tool Port 1-5; Map-Rule 2: Send VLANs 100-199 to Tool Port 1-6; Map-Rule 3: Send VLANs 200-299 to Tool Port 1-7; Map-Rule 4: Send VLANs 300-399 to cross-box Tool Port 2-5; Map-Rule 5: Send Everything Else to the Collector on Tool Port 1-8. Callout: Notice that the same config xbmap, config map-rule, and config xbmapping commands are executed on both boxes in the stack. However, the map is only bound to Network Port 1-1.]
Figure 14-6: VLAN-Map as Implemented
Map Example – Single-Tool vs. Multi-Tool
As described in Single-Tool Maps vs. Multi-Tool Maps on page 267,
single-tool and multi-tool maps have the following differences:
• Single-tool maps must consist entirely of map-rules that send matching packets to a single tool port.
• Multi-tool maps can have map-rules that send matching packets to multiple tool port destinations. However, it is not a requirement that they have at least one such rule.
This section contrasts a single-tool map with a multi-tool map so you
can see the differences in how they are constructed.
Single-Tool Map
In this example, we will create a single-tool map called uda_map and
bind it to Network Port 1. Our starting configuration is as follows:
• Ports 1-4 are set up as network ports.
• Ports 5-8 are set up as tool ports.
Because this is a single-tool map, we will use a user-defined pattern
match (uda) as one of the map-rules. Recall from Map Types and Other
GigaVUE-420 Features on page 268 that multi-tool maps cannot use
user-defined pattern match map-rules.
This map will do the following:
• Send packets on even source ports to local Tool Port 5.
• Send packets matching a user-defined pattern match for a particular MPLS label to local Tool Port 6.
• Discard all traffic from the IP address 192.168.1.25.
• Send all other traffic to local Tool Port 8 using the collector rule.
Commands to Create this Map
The table below lists and describes the commands used to create this map. Note the order in which the commands are specified in this map – the more complicated rules (those including large attribute ranges or UDAs) are specified first. In addition, the collector rule is specified last, as it always should be. See Map Creation Guidelines on page 281 for a discussion of map creation guidelines.

First, create the uda_map container using the config map command. Because this map will consist entirely of rules sending traffic to only a single destination, we will set type to st (single-tool).
    config map type st alias uda_map

Next, we will create the map-rules for uda_map using the config map-rule command. The first map-rule sends all traffic on even source ports in the standard Cisco RTP range to Tool Port 5 (VoIP implementations typically send RTP on even port numbers and RTCP on the next available odd port number).
    config map-rule uda_map rule portsrc 16384..16624 even tool 5

The next rule uses a user-defined pattern match to match traffic from a particular MPLS label (0x00017) and send it to Tool Port 6. Because this is a single-tool map, we can include up to two user-defined pattern matches in the rules. As shown below, creating a pattern-match rule consists of two steps – setting the offset and setting the pattern.

First, set the offset for the user-defined pattern match. We know that MPLS label stacks start at an offset of 14 bytes, right after the DLC header, so let’s set that up.
    config uda uda1_offset 14

Next, set up the map-rule itself. The map-rule will have two parts – an ethertype match for MPLS and the user-defined pattern match itself.
    config map-rule uda_map rule ethertype 0x8847 uda1_data 0x00017000-00000000-00000000-00000000 uda1_mask 0xfffff000-00000000-00000000-00000000 tool 6
• The ethertype for MPLS is 0x8847.
• We’re searching for the MPLS label of 0x00017. Fortunately, the offset of 14 is on a four-byte boundary when counting from the start of the valid range (2~110; so, 2, 6, 10, 14). This makes it easy to supply the pattern – we can start with the actual MPLS label and then mask the rest with binary zeroes.

This map-rule discards all traffic from the IP address 192.168.1.25.
    config map-rule uda_map rule ipsrc 192.168.1.25 ipsrcmask /32 tool drop

This map-rule sends all traffic not matching any other rules in the map to Tool Port 8.
    config map-rule uda_map rule collector tool 8

Finally, bind the map to Network Port 1 with the config mapping command.
    config mapping net 1 map uda_map
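As an added example (not code from the guide), the Python below derives the uda1_data and uda1_mask values used in the MPLS rule above from the 20-bit label, and checks them against a constructed Ethernet/MPLS frame the way a masked 16-byte comparison at uda1_offset 14 would behave. The sample frame bytes and the function names (mpls_label_pattern, rule_matches, make_mpls_frame) are this example's own; the offset rule (2 to 110 in four-byte steps) is taken from the explanation above.

```python
import struct

UDA_LEN = 16                # a user-defined pattern is always 16 bytes
ETHERTYPE_MPLS = 0x8847     # ethertype used in the config map-rule above


def check_uda_offset(offset):
    """Valid offsets run from 2 to 110 on four-byte steps (2, 6, 10, 14, ...)."""
    if not (2 <= offset <= 110 and (offset - 2) % 4 == 0):
        raise ValueError(f"uda offset {offset} is not on a valid boundary")
    return offset


def format_uda(value):
    """Render 16 bytes in the CLI's 0xAAAAAAAA-BBBBBBBB-CCCCCCCC-DDDDDDDD form."""
    hexstr = value.hex()
    return "0x" + "-".join(hexstr[i:i + 8] for i in range(0, 32, 8))


def parse_uda(text):
    """Inverse of format_uda: CLI string back to 16 raw bytes."""
    raw = bytes.fromhex(text[2:].replace("-", ""))
    if len(raw) != UDA_LEN:
        raise ValueError("UDA patterns are exactly 16 bytes")
    return raw


def mpls_label_pattern(label):
    """Data and mask that match a 20-bit MPLS label in the first stack entry.
    The label occupies the top 20 bits of the 32-bit entry, so it is shifted
    left by 12; the remaining 12 bits (TC, S, TTL) and the other 12 bytes of
    the pattern are masked out with zeroes."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    data = struct.pack("!I", label << 12) + bytes(UDA_LEN - 4)
    mask = struct.pack("!I", 0xFFFFF000) + bytes(UDA_LEN - 4)
    return format_uda(data), format_uda(mask)


def uda_matches(frame, offset, data_text, mask_text):
    """Compare the 16 frame bytes at offset against data, bit by bit under mask."""
    data, mask = parse_uda(data_text), parse_uda(mask_text)
    window = frame[offset:offset + UDA_LEN]
    if len(window) < UDA_LEN:
        return False        # frame too short to hold the whole pattern
    return all((w & m) == (d & m) for w, d, m in zip(window, data, mask))


def rule_matches(frame, offset, data_text, mask_text):
    """The map-rule above combines ethertype 0x8847 with the UDA pattern;
    multiple arguments in one rule must all match (logical and)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ethertype == ETHERTYPE_MPLS and uda_matches(frame, offset, data_text, mask_text)


def make_mpls_frame(label, tc=0, bottom=1, ttl=64):
    """Constructed sample frame: 14-byte Ethernet header, one MPLS label
    stack entry, and a 20-byte zero placeholder payload (not captured traffic)."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_MPLS)
    entry = struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)
    return eth + entry + bytes(20)


if __name__ == "__main__":
    offset = check_uda_offset(14)
    data, mask = mpls_label_pattern(0x00017)
    print("uda1_data", data)    # 0x00017000-00000000-00000000-00000000
    print("uda1_mask", mask)    # 0xfffff000-00000000-00000000-00000000
    for lbl in (0x17, 0x18):
        print(hex(lbl), rule_matches(make_mpls_frame(lbl), offset, data, mask))
```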
Figure 14-7 shows conceptually how uda_map is implemented.
[Figure 14-7 residue: Network Port 1 feeds uda_map; Tool Ports 5-8. Map-Rule 1: Send packets on even source ports to Tool Port 5. Map-Rule 2: Send packets matching user-defined pattern match to Tool Port 6. Map-Rule 3: Drop everything from IP address 192.168.1.25. Map-Rule 4: Send everything else to the Collector on Tool Port 8.]
Figure 14-7: Single-Tool Map with User-Defined Pattern Match (UDA)
Once you have created the map, it’s a good idea to use the show
map-rule command to verify that the map is set up the way you
expected. Figure 14-5 shows the results of a show map-rule for this
map example.
[Figure callouts: "This section shows that this is a single-tool map with the name uda_map. It also shows that the map has been applied to Network Port 1." and "This section shows the rules (1-4) configured for this map."]
Figure 14-8: Results of a show map-rule for uda_map
Multi-Tool Map
In this example, we will create a multi-tool map called mt_map and
bind it to Network Port 1. Our starting configuration is the same as
the single-tool map in the previous section:
• Ports 1-4 are set up as network ports.
• Ports 5-8 are set up as tool ports.
Multi-Tool vs. Single-Tool Maps
In contrast to single-tool maps, multi-tool maps can include
map-rules that send matching traffic to multiple tool ports. The
tradeoff is that multi-tool maps cannot include user-defined pattern
matches in map-rules.
NOTE: See Map Types and Other GigaVUE-420 Features on page 268 for
a summary of the tradeoffs when deciding between single-tool and
multi-tool maps. In general, unless you need user-defined pattern
matches, it’s a good idea to use multi-tool maps to make the best use
of the GigaVUE-420’s resources.
Map Summary
This map will do the following:
• Send all traffic from IP address 192.168.1.50 to Tool Ports 5, 6, and 7. This is a multi-tool map-rule – it sends matching traffic to multiple tool ports.
• Send all IPv6 traffic to local Tool Port 7.
• Send all other traffic to local Tool Port 8 using the collector rule.
Commands to Create this Map
The table below lists and describes the commands used to create this map.

First, create the mt_map container using the config map command. Because this map includes a multi-tool map-rule, we will set type to mt (multi-tool).
    config map type mt alias mt_map

Recall from Single-Tool Maps vs. Multi-Tool Maps on page 267 that multi-tool maps can have map-rules that send matching packets to multiple tool port destinations. However, it is not a requirement that they have at least one such rule.
The first map-rule sends all traffic to and from IP address 192.168.1.50 to Tool Ports 5, 6, and 7. A rule like this is useful when you want multiple tools to focus on traffic from a specific critical node (for example, a database server).
    config map-rule mt_map rule ipsrc 192.168.1.50 ipsrcmask /32 ipdst 192.168.1.50 ipdstmask /32 tool 5 6 7

The next map-rule sends all IPv6 traffic to Tool Port 7.
    config map-rule mt_map rule ipver 6 tool 7

The final map-rule sends all traffic not matching any other rules in the map to Tool Port 8.
    config map-rule mt_map rule collector tool 8

Finally, bind the map to Network Port 1 with the config mapping command.
    config mapping net 1 map mt_map
Figure 14-9 shows conceptually how mt_map is implemented.
[Figure 14-9 residue: Network Port 1 feeds mt_map; Tool Ports 5-8. Map-Rule 1: Send everything from IP address 192.168.1.50 to Tool Ports 5, 6, and 7. Map-Rule 2: Send all IPv6 traffic to Tool Port 7. Map-Rule 3: Send everything else to the Collector on Tool Port 8.]
Figure 14-9: Multi-Tool Map Example
Figure 14-5 shows this map in the show map-rule output.
[Figure callouts: "This section shows that this is a single-tool map with the name mt_map. It also shows that the map has been applied to Network Port 1." and "This section shows the rules (1-3) configured for this map."]
Figure 14-10: Results of a show map-rule for mt_map
Appendix A
Command Line Reference
This section describes all GigaVUE-420 commands. Commands are
organized in the same order in which they are found in the CLI itself.
See the sections for top-level commands as follows:
• config commands on page 296
• delete commands on page 331
• exit command on page 332
• help command on page 333
• history command on page 333
• install commands on page 334
• logout command on page 336
• reset commands on page 336
• show commands on page 337
• upload command on page 340
config commands
Config commands let you configure operating parameters on the
GigaVUE-420 unit.
Config commands are always available to super users and never available to audit users. Normal users have varying access to config commands depending on the lock-level in place on the box – see Appendix C, Lock-Level Reference for details.
config connect
You use the config connect command to connect network ports to
tool ports on the same box. All well-formed packets arriving on the
network ports are forwarded to the tool ports, except those removed
by any filters in place.
You set up connections with the following command syntax:
config connect <network-port-alias | pid-list | pid-x..pid-y> to <tool-port-alias | pid-list | pid-x..pid-y>
Notice that you can connect multiple network ports or tool ports with
a single command:
• The pid-list (port id list) and bid-pid_list (box id-port id) arguments let you select multiple non-contiguous ports. To enter port IDs in a list, simply put a space between each port ID in the list.
• The pid-x..pid-y argument lets you select a series of adjacent ports (for example, 2..5 selects ports 2, 3, 4, and 5).
config file
You use the config file nb command to set a configuration file as the
file to be used the next time the GigaVUE-420 is booted. The syntax is
as follows:
config file <filename> [nb] [description “string”]
Enabling the nb option for a configuration file marks it for loading
the next time the unit is booted. It will continue to be used at each
boot until the nb option is applied to a different configuration file.
There can be only one file with nb enabled at a time.
NOTE: You cannot delete a configuration file with nb enabled. You
must enable nb for another configuration file before you can delete it.
NOTE: GigaVUE-420 will not let you delete all configuration files –
there will always be at least one configuration file with nb enabled.
See Setting a Configuration File to Boot Next on page 182 for details.
config filter command
Use this command to define filter rules. Once defined, you can apply
filters to a port with the config port-filter command.
GigaVUE-420 filters are hardware-based, performing pattern
matching at predefined offsets. You can specify one argument per
filter rule or combine multiple arguments. Multiple arguments in a
single filter are joined with a logical and. Multiple filters bound to a
port are processed with a logical or.
NOTE: Filters are for use with connections only. Maps use map-rules
instead of filters. The concept is the same, but map-rules offer some
different configuration options. See Mapping Network Ports to Tool
Ports on page 264 for details.
The table below lists and describes the arguments for the config filter command:

[allow | deny]
    Specifies whether the filter should include (allow) or exclude (deny) traffic meeting the criteria specified by the rest of the config filter command. You can mix allow and deny filters on a single port.
[dscp <assured-forwarding-value>] (af11~af13, af21~af23, af31~af33, af41~af43, ef)
    Creates a filter pattern for a particular decimal DSCP value. You can choose any value within the four Assured Forwarding class ranges or ef for Expedited Forwarding (the highest priority in the DSCP model).
    The valid DSCP values by Assured Forwarding Class are as follows:
    • Class 1 – 11, 12, 13
    • Class 2 – 21, 22, 23
    • Class 3 – 31, 32, 33
    • Class 4 – 41, 42, 43
    • Expedited Forwarding – ef
    For example, config filter allow dscp ef will match all traffic with expedited forwarding assigned.

[ethertype <2-byte-hex>]
    Creates a filter pattern for the Ethertype value in a packet (for example, config filter allow ethertype 0x86DD will match all traffic with an IPv6 Ethertype).
    NOTE: To filter for VLANs use the predefined VLAN filter element type instead of the 8100 Ethertype.

[ipfrag <0|1|2|3|4>]
    Creates a filter for different types of IPv4 fragments:
    • 0 – Matches unfragmented packets.
    • 1 – Matches the first fragment of a packet.
    • 2 – Matches unfragmented packets or the first fragment of a packet.
    • 3 – Matches all fragments except the first fragment in a packet.
    • 4 – Matches any fragment.
    For example, config filter allow ipfrag 1 alias headerfrags creates a filter named headerfrags that matches the first fragment in a packet.
    NOTE: The ipfrag argument only matches IPv4 fragments. To create a filter for IPv6 fragments, set ipver to 6 and use the protocol argument with a <1-byte-hex> value of 0x2c. This has the same effect as option number 4 for IPv4 – it matches all IPv6 fragments. For example:
    config filter allow ipver 6 protocol 0x2c alias six_frags
[ipdst <dstaddr>] [ipdstmask <xxx.xxx.xxx.xxx | /nn>]
[ipsrc <srcaddr>] [ipsrcmask <xxx.xxx.xxx.xxx | /nn>]
    Creates a filter for either a source or destination IPv4 address or subnet. Use subnet masks to match traffic from a range of IP addresses. You can enter subnet masks using either dotted-quad notation (<xxx.xxx.xxx.xxx>) or in the bit count format (see Using Bit Count Subnet Netmasks on page 233).

[ip6src <srcaddr>] [ip6srcmask <xxxx::xxxx | /nn>]
[ip6dst <dstaddr>] [ip6dstmask <xxxx::xxxx | /nn>]
    Creates a filter for either a source or destination IPv6 address or subnet. Enter IPv6 addresses as eight 16-bit hexadecimal blocks separated by colons. For example: 2001:0db8:3c4d:0015:0000:0000:abcd:ef12
    Use subnet masks to match traffic from a range of IP addresses. You can enter subnet masks either in 16-bit hexadecimal blocks separated by colons or in the bit count format (see Using Bit Count Subnet Netmasks on page 233).

[ip6fl <3-byte-hex>]
    Creates a filter for the 20-bit Flow Label field in an IPv6 packet. Packets with the same Flow Label, source address, and destination address are classified as belonging to the same flow. IPv6 networks can implement flow-based QoS using this approach.
    Specify the flow label as a 3-byte hexadecimal pattern. Note, however, that only the last 20 bits are used – the first four bits must be zeroes (specified as a single hexadecimal zero in the CLI). For example, to match all packets without flow labels, you could use the following filter:
    config filter allow ip6fl 0x000000 alias no_flow
    Alternatively, to match the flow label of 0x12345, you could use the following:
    config filter allow ip6fl 0x012345 alias flow12345
[ipver <4|6>]
    When used by itself, the ipver argument creates a filter to match either all IPv4 or all IPv6 traffic. You can also set ipver to 6 and use it together with other arguments to change their meaning. See IPv4/IPv6 and Filters on page 223 for more information on ipver.
    NOTE: The ipver argument is implicitly set to 4 – if you configure a filter without ipver specified, GigaVUE-420 assumes that the IP version is 4.

[macdst <macaddr>] [macdstmask <6-byte-hex>]
[macsrc <macaddr>] [macsrcmask <6-byte-hex>]
    Creates a filter pattern for either a source or destination MAC address. Use the optional macsrcmask or macdstmask argument to create a range of MAC addresses that will satisfy the filter pattern.
    NOTE: You can enter hexadecimal MAC addresses in either 0xffffffffffff or ffffffffffff format.
    See Examples of MAC Address Filters on page 175 for examples of how to use MAC address masks.

[portdst <single-port-number> | <x..y>] [even | odd]
[portsrc <single-port-number> | <x..y>] [even | odd]
    Creates a filter for a source or destination application port. You can also specify:
    • A range of ports. For example config filter allow portsrc 5000..5100 will match all source ports from 5000 to 5100, inclusive.
    • Either odd or even port numbers. The even | odd arguments are useful when setting up filters for VoIP traffic. Most VoIP implementations send RTP traffic on even port numbers and RTCP traffic on odd port numbers. For example, config filter allow portsrc 5000..5100 odd will match all odd source ports between 5000 and 5100.
[protocol <gre|icmp|igmp|ipv4ov4|ipv6ov4|rsvp|tcp|udp|<1-byte-hex>>]
    Creates a filter for a particular protocol. In this release, you can create protocol filters for gre, icmp, igmp, IPv4 over IPv4 (ipv4ov4), IPv6 over IPv4 (ipv6ov4), rsvp, tcp, udp, and one-byte hex values (<1-byte-hex>).
    For example, config filter deny protocol gre will create a filter that excludes all GRE traffic.
    Protocol Filters and IPv6
    The predefined protocol filters available for IPv4 (GRE, RSVP, and so on) are not allowed when ipver is set to 6. This is because with the next header approach used by IPv6, the next layer of protocol data is not always at a fixed offset as it is in IPv4.
    To address this, GigaVUE-420 provides the <1-byte-hex> option to match against the standard hex values for these protocols in the Next Header field. Here are standard 1-byte-hex values for both IPv4 and IPv6:
    0x00: Hop-By-Hop Option (v6 only)
    0x01: ICMP (v4 only)
    0x02: IGMP
    0x04: IP over IP
    0x06: TCP
    0x11: UDP
    0x29: IPv6 over IPv4
    0x2b: Routing Option (v6 only)
    0x2c: Fragment (v6 only)
    0x2E: RSVP (v4 only)
    0x2F: GRE (v4 only)
    0x32: Encapsulation Security Payload (ESP) Header (v6 only)
    0x33: Authentication (v6 only)
    0x3a: ICMP (v6 only)
    0x3b: No Next Header (v6 only)
    0x3c: Destination Option (v6 only)
[tcpctl <1-byte-hex>] [tcpctlmask <1-byte-hex>]
    Creates a one-byte pattern match filter for the standard TCP control bits (URG, SYN, FIN, ACK, and so on). You can use the tcpctlmask argument to specify which bits should be considered when matching packets.
    See Setting Filters for TCP Control Bits on page 232 for a list of the hexadecimal patterns for each of the eight TCP flags, along with some examples.

[tosval <1-byte-hex>]
    Creates a filter pattern for the Type of Service (TOS) value in an IPv4 header. The TOS value is how some legacy IPv4 equipment implements quality of service traffic engineering. The standard values are:
    • Minimize-Delay: Hex 0x10 or 10
    • Maximize-Throughput: Hex 0x08 or 08
    • Maximize-Reliability: Hex 0x04 or 04
    • Minimize-Cost: Hex 0x02 or 02
    • Normal-Service: Hex 0x00 or 00
    NOTE: Most network equipment now uses DSCP to interpret the TOS byte instead of the IP precedence and TOS value fields.

[ttl <0~255> | <x..y>] (valid range 0..255)
    Creates a filter for the Time to Live (TTL – IPv4) or Hop Limit (IPv6) value in an IP packet.
    • If there is no ipver argument included in the filter (or if it is set to 4), GigaVUE-420 matches the value against the TTL field in IPv4 packets.
    • If ipver is set to 6 in the filter, GigaVUE-420 matches the value against the Hop Limit field in IPv6 packets.
    The TTL and Hop Limit fields perform the same function, specifying the maximum number of hops a packet can cross before it reaches its destination.
[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
    Creates up to two user-defined, 16-byte pattern matches in a filter. A pattern is a particular sequence of bits at a specific offset from the start of a frame.
    Setting a user-defined pattern match in GigaVUE-420 consists of the following major steps:
    • Specify the two global offsets to be used for user-defined pattern matches using the config uda command (uda1_offset and uda2_offset)
    • Specify the data pattern and mask using the config filter command with the [udax_data][udax_mask] arguments. You use the mask to specify which bits in the pattern must match to satisfy the filter.
    A single filter can contain up to two user-defined pattern matches.
    NOTE: Always use the predefined filter elements instead of user-defined pattern matches when possible.
    See Working with User-Defined Pattern Match Filters on page 237 for details.

[vlan <vlan id (1-4094)> | <x..y>] [odd | even]
    Creates a filter pattern for a VLAN ID or range of VLAN IDs. You can also use the odd | even argument to match alternating VLAN IDs. For example, config filter allow vlan 200..300 even will match all even VLAN IDs between 200 and 300.

[alias <string>]
    Use the alias argument to associate a textual alias with a filter.
    Aliases are optional. GigaVUE-420 automatically creates a Filter ID for every filter you configure. You can manage filters either by the automatically generated numerical Filter ID or by the optional alias.
    NOTE: The easiest way to discover the automatically generated Filter ID for a given filter is to do a show filter command in the CLI. Each filter will be shown along with its numerical ID.
config map command
You use the config map command to create a map container to hold
your map-rules. You will eventually bind the container to one or
more network ports using the config mapping command.
When you create the map container, you must supply the following information:
• Whether the map is a single-tool map or a multi-tool map (see Single-Tool Maps vs. Multi-Tool Maps on page 267 for details).
• The name (alias) of the map
The config map command has the following syntax:
config map type [st | mt] alias <string>
The table below lists and describes the arguments for this command:

type [mt | st]
    Specifies whether the map is a multi-tool (mt) or single-tool (st) map. See Single-Tool Maps vs. Multi-Tool Maps on page 267 for more information.

alias
    Creates a textual alias for this map. Aliases can consist of a maximum of 30 alphanumeric characters. You can also use hyphens (-) and the underscore (_) character.
config map-rule
The config map-rule command creates a map filter that directs
matching traffic to tool ports, cross-box tool ports, or a virtual drop
port. You can set map-rules that direct traffic based on MAC
addresses, IP addresses, ports, ethertypes, VLAN IDs, protocols, and
TOS values.
Map-rules must be bound to an existing map. Whenever you set up a
new map-rule, you must specify the map to which it belongs with the
<map-alias> argument.
The syntax for the config map-rule command is as follows:
config map-rule <map-alias>
rule
[collector]
[dscp <assured-forwarding-value>]
(af11~af13, af21~af23, af31~af33, af41~af43, ef)
[ethertype <2-byte-hex>]
[ipfrag <0|1|2|3|4>] [ipver <4|6>]
(0:no frag, 1:1st frag, 2:no frag or 1st frag, 3:frag but not 1st, 4:all frag)
[ipdst <dstaddr>] [ipdstmask <xxx.xxx.xxx.xxx | /nn>]
[ipsrc <srcaddr>] [ipsrcmask <xxx.xxx.xxx.xxx | /nn>]
[ip6src <srcaddr>] [ip6srcmask <xxxx::xxxx | /nn>]
[ip6dst <dstaddr>] [ip6dstmask <xxxx::xxxx | /nn>]
[ip6fl <3-byte-hex>]
[ipver <4|6>]
[macdst <macaddr>] [macdstmask <6-byte-hex>]
[macsrc <macaddr>] [macsrcmask <6-byte-hex>]
[portdst <single-port-number> | <x..y>] [even | odd]
[portsrc <single-port-number> | <x..y>] [even | odd]
[protocol <gre|icmp|igmp|ipv4ov4|ipv6ov4|rsvp|tcp|udp|<1-byte-hex>>]
[tcpctl <1-byte-hex>] [tcpctlmask <1-byte-hex>]
[tosval <1-byte-hex>]
[ttl <0~255> | <x..y>] (valid range 0..255)
[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
[vlan <1~4094> | <x..y>] [even | odd]
tool <port-alias | pid | pid_list | bid-pid | bid-pid-list | drop>
The table below lists and describes the arguments for the config map-rule command. A map-rule consists of the following major components:
• The name of the map to which the map-rule will belong (<map-alias>).
• The criteria for the rule itself. This consists of all the values specified for the rule argument (MAC/IP addresses, application ports, VLAN IDs, and so on).
• The destination for traffic matching the rule argument. This consists of the values specified for the tool argument. You can send matching traffic to a tool port, a cross-box tool port, or a virtual drop port.
Map-Rule Arguments Described
The arguments for the map-rule command are exactly the same as
those for the config filter command. See config filter command on
page 297 for a description of each of the arguments.
config mapping command
The config mapping command binds a single-box map to one or
more network ports (up to 20 network ports). You can bind
single-box maps to a single port, a list of ports, or a contiguous series
of ports (single-box maps only).
config mapping net <network-port-alias | network-port-id-list |
network-pid-x..network-pid-y> map <map-alias>
• The net argument specifies the network ports to which the map is bound.
• The map argument specifies the name of the map you are binding.
config pass-all command
The config pass-all command can be used to send all packets on a
network or tool port to one or more tool ports, irrespective of the
connections, xbconnections, maps, or xbmaps already in place for the
ports.
The config pass-all command has the following syntax:
pass-all <network/tool-port-alias | pid-list | pid-x..pid-y>
to <tool-port-alias | pid-list | pid-x..pid-y>
Pass-alls are only supported within a single GigaVUE-420 box. In
contrast to the GigaVUE-MP, you can now set up pass-alls between
any ports on the GigaVUE-420. See Using the Pass-All Command on
page 250 for detailed information on using the pass-all command.
config password command
Super users can change passwords for all other users with the config
password command. The syntax for this command is as follows:
config password [user <name-string> <new-password> <new-password-again>]
If no user is specified, this command changes the password of the
user issuing the command.
Acceptable passwords include between 6-30 alphanumeric
characters. At least one of the characters must be a numeral.
config port-alias command
Use this command to give a convenient alias to a port. Port aliases
are limited to a maximum of 30 alphanumeric characters and must
include at least one alphabetical character to avoid confusion with
port numbers.
config port-alias [<port-id> <alias-string>]
config port-filter command
Use this command to apply specified filter(s) to a port. The syntax is
as follows:
config port-filter <port-id | port-alias> <filter-alias | fid-list>
config port-owner command
Super users use the config port-owner command to assign port
ownership to local users.
NOTE: You can only assign port ownership when the lock-level in
place on the GigaVUE-420 is either medium or high. All users have
access to all ports when the lock-level is none.
NOTE: You assign port-ownership to TACACS+ users within the
TACACS+ server itself using an access control list. See Setting up
GigaVUE-420 Users in an External Authentication Server on page 156 for
details.
The config port-owner command has the following syntax:
config port-owner <port-alias | pid-list | pid-x..pid-y> owner <name-string>
The table below describes the arguments for the config port-owner command:

<port-alias | pid-list | pid-x..pid-y>
    Specifies the ports to which the named user will be granted ownership. You can grant ownership to a single port (either by alias or number), a list of ports, or a contiguous series of ports.

owner <name-string>
    The name of the account being granted port ownership.
config port-pair command
Use this command to set up a port-pair on a pair of network ports
within the same GigaVUE-420 module. A port-pair is a bidirectional
connection in which traffic arriving on one port in the pair is
transmitted out the other (and vice-versa) as a passthrough tap.
A port-pair between ports of a GigaPORT module can be used as an
electronic tap for RJ45 or fiber-optical links, although without the
fail-over protection provided by GigaTAP-Sx/Lx/Zx and
GigaTAP-Tx. Ports in the GigaMGMT can be paired to form an
electronic tap for RJ45 links (again, without the GigaTAP-Tx’s
fail-over protection).
You must supply an alias for a port-pair. This alias is limited to 30
alphanumeric characters and must include at least one alphabetical
character to avoid confusion with port numbers.
Notes on Port-Pairs
• Can be established between any ports on the same GigaVUE-420.
• Can be established between ports using different speeds (for example, from a 1 Gb port to a 10 Gb port).
  NOTE: Depending on traffic volume, port-pairs between ports using different speeds can cause packet loss when going from a faster port to a slower port (for example, from 1 Gb to 100 Mbps, from 10 Gb to 1 Gb, and so on).
• Supports link status propagation – when one port goes down, the other port goes down (and vice-versa).
config port-pair and GigaTAP-Tx
See Configuring Tap Connections on page 69 for information on using
the config port-pair command with a GigaTAP-Tx module.
config port-params commands
You use config port-params commands to specify the low-level
operating characteristics of GigaVUE-420 ports. The syntax is as
follows:
port-params <port-id>
[autoneg <0 | 1>]
[duplex <half | full>]
[forcelinkup <0 | 1>]
[medium <electrical | optical>]
[mtu <1518..9600>]
[speed 10 | 100 | 1000]
[taptx <active | passive>]
[ib_cable_len <1 | 5 | 10 | 15>] (meters)
The following table summarizes these options:
[autoneg <0|1>]
Enables and disables autonegotiation for a port. When autonegotiation is
enabled, duplex and speed settings are ignored (they are set via
autonegotiation).
The default is on, except for GigaTAP-Sx/Lx/Zx modules. For GigaTAP-Sx/Lx/
Zx modules, autonegotiation is always off and speed is always set to 1000.
NOTE: For 1 Gb speeds over copper, autonegotiation must be enabled, per
the IEEE 802.3 specification.
[duplex <half | full>]
Sets ports to be half or full duplex if autonegotiation is off (10/100 Mbps
operation only).
[forcelinkup <0 | 1>
Forces connection on an optical port (optical ports only). Use this option when
an optical GigaPORT tool port is connected to a legacy optical tool that does
not support autonegotiation.
[medium <electrical | optical>]
Specifies whether a GigaPORT module’s port should use the optical or RJ45
port.
[mtu <1518..9600>]
Sets the maximum size of packets which are accepted on a port. Factory
default is 9600 bytes.
[speed <10 | 100 | 1000>]
Sets the port speed in Mb/s if autonegotiation is off.
[taptx <active | passive>]
Specifies whether the relays in the GigaTAP-Tx are open (active mode) or
closed (passive mode).
• In passive mode, the relays in the GigaTAP-Tx module are closed. This
means that traffic received on one port is repeated out the other port in the
pair but is never seen by the GigaVUE-420 – it simply flows between the
two ports.
Passive mode protects production links in case of power failure. The tap
will always revert to passive mode in the event of power loss.
• In active mode, the relays in the GigaTAP-Tx module are open. Traffic
received on one port is still repeated out the other port in the pair, but it
flows through the GigaVUE-420 as well, making it available to tool ports.
[ib_cable_len <1 | 5 | 10 | 15>] (meters)
Specifies the length of the InfiniBand copper cable attached to a
GigaLINK-CU port.
config port-type command
Use this command to designate a port’s type – network, tool, or
stack. The syntax is as follows:
config port-type <port-alias | pid-list | pid-x..pid-y> [network | tool | stack]
In general, Ports 1-20 on the GigaVUE-420 can all be either network
ports or tool ports. The exceptions are GigaTAP-Sx/Lx/Zx ports.
These ports can only be configured as network ports.
The x1 - x4 10 Gb ports on the GigaVUE-420 can all be used as either
network or tool ports. However, only the x1 and x2 10 Gb ports can
be used as stack ports.
config rad_server command
Use the config rad_server command to identify RADIUS servers
used for authentication. The arguments are described below. See
Using GigaVUE-420 with an External Authentication Server on page 148
for details on using GigaVUE-420 with a RADIUS server.
The syntax for the config rad_server command is as follows:
config rad_server host <ipaddr>
key "string"
[authen_port <1~65535>]
[account_port <1~65535>]
[timeout <1~90>] (seconds)
[max_tries <1~10>]
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
[alias <alias-string>]
The table below describes the arguments for the config rad_server
command:
Argument
Description
host <ipaddr>
Specifies the IP address of the RADIUS server.
key "string"
Specifies a string to be used for encryption of authentication packets
sent between GigaVUE-420 and the RADIUS server.
An empty key string (“”) indicates that no key will be used. Without a
key, there will be no encryption of the packets between the RADIUS
server and the GigaVUE-420 system.
[authen_port <1~65535>]
Specifies the authentication port to be used on the RADIUS server. If
you do not specify a value, GigaVUE-420 will default to the standard
RADIUS authentication port number of 1812.
[account_port <1~65535>]
Specifies the accounting port to be used on the RADIUS server. If you
do not specify a value, GigaVUE-420 will default to the standard
RADIUS accounting port number of 1813.
[timeout <1~90>] (seconds)
Specifies how long GigaVUE-420 should wait for a response from the
RADIUS server to an authentication request before declaring a
timeout failure. The default value is three seconds.
[max_tries <1~10>]
Specifies the maximum number of times GigaVUE-420 will retry a
failed connection to this RADIUS server before falling back to the next
authentication method specified by the config system aaa command
currently in place. The default value is three tries.
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
These options specify how privilege level checks are performed for
RADIUS servers.
• priv_lvl_check specifies how GigaVUE-420 should assign user
rights for RADIUS users.
• If this option is enabled (the default), the three _priv_lvl options
below it are used to map privilege levels for the corresponding
user types (Audit, Normal, and Super).
• If this option is not enabled, all RADIUS users log in with Super
user rights.
• super_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Super user level when priv_lvl_check
is enabled.
• normal_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Normal user level when priv_lvl_check
is enabled.
• audit_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Audit user level when priv_lvl_check
is enabled.
NOTE: If no values are specified for the three _priv_lvl options and
privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2
(Audit, Normal, and Super, respectively).
NOTE: GigaVUE-420 will not let you enter out-of-order privilege
levels. The value specified for super must be higher than that
specified for normal, and so on.
[alias <alias-string>]
Specifies an alphanumeric alias for this RADIUS server to be used in
show rad_server displays.
config restore command
Use the config restore [filename] command to apply a configuration
file stored in flash immediately. For example, to apply gigavue.cfg,
you would use the following command:
config restore gigavue.cfg
NOTE: This will affect connectivity. All connections are deleted before
they are restored.
NOTE: The Box ID stored in the configuration file must match the Box
ID of the target system for a successful restore using a config file. In
addition, the file must have a .cfg extension.
config save command
Use the config save filename.cfg command to save the currently
configured GigaVUE-420 packet distribution settings to a
configuration file. Configuration files must have a .cfg extension.
You can include the nb (“next boot”) flag to specify that the saved
configuration file be loaded the next time the GigaVUE-420 unit
reboots. For example, to save a new configuration file named
myconfig.cfg and set it to boot next, you would use the following
command:
config save myconfig.cfg nb
Use GigaVUE-420’s command completion feature to see a list of
available configuration files. For example, typing config save ? will
show you a list of the available configuration files.
NOTE: System settings are automatically saved in a separate area of
flash when they are made. They are not part of the configuration file.
See Using Configuration Files on page 175 for details on working with
configuration files.
config snmp_server commands
Use the config snmp_server command to enable and configure
GigaVUE-420’s SNMP server so that management stations can poll
the GigaVUE-420 MIB using Get and GetNext commands.
GigaVUE-420 supports MIB polling using the MIB-II System and
Interface OIDs for the Mgmt port only.
The config snmp_server command has the following syntax:
config snmp_server
[enable <0|1>]
[community <string>]
[ver <1 | 1_2>]
[port <value>]
The only required parameter to turn on the SNMP server is enable 1.
If you turn on the SNMP Server and do not specify values for the
other parameters, they will take the default values shown in the table
below. Naturally, however, you can change each of the defaults to
your own values with the corresponding command-line setting.
Parameter
Description
Default Value if None Specified
community
Community String
public
port
Port
162
ver
Version
v1
For example, to enable the SNMP server with its default settings, you
would use the following command:
config snmp_server enable 1
config snmp_trap commands
GigaVUE-420 can forward SNMP traps to up to five destinations.
Specify trap events and destinations with the config snmp_trap host
command. The config snmp_trap command has the following
syntax:
snmp_trap [all|none]
[configsave <0|1>]
[firmwarechange <0|1>]
[portlinkchange <0|1>]
[pktdrop <0|1>]
[systemreset <0|1>]
[userauthfail <0|1>]
[host <ipaddr>]
[port <value>]
[alias <alias-string>]
[fanchange <0|1>]
[modulechange <0|1>]
[powerchange <0|1>]
[rxtxerror <0|1>]
[taptxchange <0|1>]
[community <string>]
[ver <1|2>]
The table below summarizes the arguments for the config snmp_trap
command. See Using SNMP on page 165 for details on working with
all GigaVUE-420 SNMP options.
Parameter
Description
[all | none]
Use this attribute to toggle all available trap events on or off. For
example, config snmp_trap all turns on all available trap events.
[configsave <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time the config save filename.cfg
command is used.
[fanchange <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when the speed of either of the system fans
drops below 4,800 RPM.
[firmwarechange <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it boots and detects that its firmware has
been updated from the previous boot.
[modulechange <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it detects a change in module type from
the last polling interval. This typically happens when a module is pulled
from a slot or inserted in an empty slot.
[powerchange <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it detects either of the following events:
• One of the two power supplies is powered on or off.
• Power is lost or restored to one of the two power supplies.
[portlinkchange <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a port’s link status changes from up
to down or vice-versa. This includes ports 1-20 as well as the 10
Gigabit ports (x1 and x2).
NOTE: The portlinkchange trap is not sent when the Management
port’s link status changes.
[pktdrop <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it detects that packets have been
dropped on a data port.
[rxtxerror <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it receives one of the following
physical errors on a data port:
• Undersize error
• Fragment
• Jabber
• CRC or Alignment errors
• Unknown errors.
[systemreset <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it starts up, either as a result of
cycling the power or a soft reset initiated by the reset system
command.
[taptxchange <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a GigaTAP-Tx’s relays switch from
active to passive or passive to active as a result of the config
port-params taptx command.
[userauthfail <0|1>]
When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a user login fails.
config sntp_server command
Use this command to specify the IP address of an SNTP server to be
used for time synchronization. Once you have specified the IP
address of the SNTP server, you enable the use of SNTP with the
config system sntp 1 command.
See Setting Time from an SNTP Server on page 99 for details on setting
up SNTP.
config syslog_server
Use this command to specify an external syslog server as a
destination for GigaVUE-420’s logging output. You can configure a
maximum of one syslog server.
Specifying a syslog server is optional. Logged events are written to
the local syslog.log file regardless of whether an external syslog
server is specified.
The config syslog_server command has the following syntax:
config syslog_server
host <ipaddr>
[port <value>]
[alias <alias-string>]
NOTE: If you do not specify a port, the default port of 514 is used.
The following example shows how to specify a syslog server at the IP
address of 192.168.1.75 with an alias of MySyslogServer:
config syslog_server host 192.168.1.75 alias MySyslogServer
config system commands
Config system commands are only available to super users,
regardless of the lock level in place on the box. The following table
summarizes the available config system commands and their syntax.
Config System Commands
Description
config system [name name-string] [description “string”]
Use this command to supply a system name and
description for identification purposes.
• Names are limited to 30 alphanumeric characters
with no spaces.
• Descriptions must use quotation marks. They are
limited to 125 alphanumeric characters. Spaces
are allowed.
config system [prompt <string>]
Use this command to create individualized prompts
for each GigaVUE-420. This makes it easy to open
CLI sessions with multiple GigaVUE systems and
always know which unit you are configuring.
Maximum of 20 alphanumeric characters. No spaces
allowed.
config system banner [<1 | 0>]
Use this command to specify that GigaVUE-420
display a customizable text banner when a user logs
in.
You must have first created and installed the
banner_file.txt file using the install -ban
banner_file.txt [TFTP-server-ipaddr] command.
See Using a Custom Login Banner on page 102 for
details.
config system [date <mm-dd-yy>]
Use this command to set the system date.
config system [time <hh:mm:ss>]
Use this command to set the system time.
config system timezone <UTC | UTC+hh:mm | UTC-hh:mm>
Use this command to set the system’s timezone as
an offset from coordinated universal time (UTC). The
timezone is used to convert the UTC time received
from an SNTP server to local time.
config system dst <1 | 0>
Use this command to enable/disable the use of
automatic daylight savings time adjustments.
NOTE: You can only enable this option if you have
specified onset and offset values for Daylight
Savings Time. In addition, the option is only
functional if SNTP is enabled and there is a valid
connection to an SNTP server.
config system [dst_onset <mm-dd-hh:mm>]
Specifies the date and time at which Daylight
Savings Time begins.
NOTE: DST starts and ends on a different day every
year – be sure to set this option correspondingly at
the start of every year.
config system [dst_offset <mm-dd-hh:mm>]
Specifies the date and time at which Daylight
Savings Time ends.
NOTE: DST starts and ends on a different day every
year – be sure to set this option correspondingly at
the start of every year.
config system [rootdis <1 | 0>]
Use this command to disable the root account. This
is handy if you suspect that the root account has
been compromised.
NOTE: This command is disabled if no other super
user other than the root user has been defined.
config system [sntp <1 | 0>]
Use this command to enable/disable the use of the
SNTP server specified with the config sntp_server
command for time synchronization.
See Configuring GigaVUE-420 Time Options on
page 99 for details on using an SNTP server.
config system [ssh2 <1 | 0>]
Use this command to toggle the supported protocol
for remote connections to the GigaVUE-420’s Mgmt
port between Telnet and SSH2. When SSH2 is
enabled, Telnet is disabled and vice-versa.
See SSH2 vs. Telnet on page 86 for details.
config system hostkey <dss | rsa> [<768~2048> (bits)]
Use this command to change the default host keys
provided with GigaVUE-420. Acceptable bit values
for the host keys are multiples of 8 between 768 and 2048 (for
example, 768, 776, 784, and so on). If you do not specify a key
length, GigaVUE-420 defaults to 1024 bits.
See Changing Public Host Keys on page 89 for
details.
config system [console_baud <9600 | 14400 | 19200 | 38400 | 57600 | 115200>]
Use this command to change the baud rate setting of
the Console port. The default is 115200.
config system [console_width <32~1024>] (characters)
Use this command to specify the width (in
characters) of the serial port’s CLI display. Use this
together with the width setting for your terminal
software to optimize line wrapping.
config system [mgmt_port <autoneg | duplex | speed | mtu>]
Use these commands to configure the GigaVUE-420
Mgmt port’s autonegotiation, duplex, speed, and
MTU settings.
autoneg <1 | 0>
duplex <half | full>
speed <100 | 10>
mtu <320~1518>
By default, autonegotiation is enabled and MTU is
set to 1518 bytes (the largest standard Ethernet
packet size). With autonegotiation enabled, the
Mgmt port will configure its duplex and speed
settings to whatever it is able to negotiate with the
connected port.
NOTE: GigaVUE-420’s Mgmt port supports RFC
1191 Path MTU Discovery and can automatically
decrease its MTU if it receives an
ICMP_Needs_Fragmentation packet.
NOTE: Per the 802.3 specification, autonegotiation
is mandatory for 1 Gb speeds over copper
(1000BASE-T).
config system [remote_timeout <x>]
Specifies how long GigaVUE-420 will wait before
timing out an inactive SSH2/Telnet session.
Valid values range from 10 to 86400 seconds. The
default is 300 seconds.
config system [dhcp_timeout <x>]
Specifies how long GigaVUE-420 will wait for a
response from a DHCP server before timing out the
attempt and reporting a failure.
Valid values are 4, 10, 30, 60, or 100 seconds. The
default is 10.
config system [dhcp <1|0>] [ipaddr <xxx.xxx.xxx.xxx>] [subnetmask <xxx.xxx.xxx.xxx>]
Set up the network properties for the Mgmt port:
• dhcp specifies whether GigaVUE-420 will obtain
an IP address for its Mgmt port from a DHCP
server (1) or use a static address (0). If you set
dhcp to 1, do not supply values for ipaddr,
subnetmask, or gateway.
NOTE: If you enable DHCP, you can also use the
config system dhcp_timeout <4 | 10 | 30 | 60 |
100> command to specify the number of seconds
GigaVUE-420 will wait for a response from a
DHCP server after querying for an address.
• ipaddr specifies the static IP address to use.
• subnetmask specifies the subnet mask to be
used for the IP address.
The system must reboot to apply changes to the
dhcp setting.
config system [ipv6 <1 | 0>]
Specifies whether IPv6 is enabled for the
GigaVUE-420 Mgmt port. When IPv6 is enabled,
GigaVUE-420 will operate with support for both IPv4
and IPv6. You can use IPv6 addresses for SSH2,
Telnet, TACACS+, RADIUS, SNTP, and TFTP
applications.
See Configuring IPv6 Network Properties on
page 83.
config system [gateway <xxx.xxx.xxx.xxx>]
Specifies the default gateway to which
GigaVUE-420’s Mgmt port should direct its traffic. It
is not required.
config system [bid <1~10>]
Specifies the local GigaVUE-420’s Box ID. The Box
ID is used when creating cross-box stacks.
config system [x1_bid <bid-list>]
Specifies the Box IDs of the GigaVUE-420 systems
accessible from the local box’s x1 port when used as
a stacking port.
config system [x2_bid <bid-list>]
Specifies the Box IDs of the GigaVUE-420 systems
accessible from the local box’s x2 port when used as
a stacking port.
config system [active_link <x1 | x2 | both | none>]
Activates the x1 and/or x2 stacking ports on a
GigaVUE-420 system. You must activate the 10 Gb
ports you plan to use as stacking ports.
config system [lock-level <none | medium | high >]
Sets the lock-level in force on the GigaVUE-420 to
none, medium, or high. In general, as the lock-level
increases, normal users have fewer rights on the
box, except for those ports to which they have been
assigned ownership using the config port-owner
command.
• When lock-level = none, normal users have
access to all network and tool ports.
• When lock-level = medium, normal users have
access to all network ports. However, they can
only set up connections, filters, and maps for tool
ports they own. Super users can assign port
ownership to normal users using the config
port-owner command.
• When lock-level = high, normal users can only
configure connections, filters, and maps for
network and tool ports they own.
NOTE: Appendix C, Lock-Level Reference provides
full details on the different policies in place at each
lock-level.
config system [aaa <serial | ethernet> <tacacs+ | radius | local>]
Specifies how users will be authenticated on both
the Ethernet (SSH2/Telnet) and Console (serial)
port.
<serial | ethernet>
Specifies which GigaVUE-420 port you are
configuring authentication for:
• serial – Console port.
• ethernet – Mgmt port.
<tacacs+ | radius | local>
Specifies which authentication methods should be
used for the specified port and the order in which
they should be used.
You can enable all authentication methods for either
port. If you enable more than one method,
GigaVUE-420 uses the methods in the same order
in which they are specified, falling back as
necessary. If the first method fails, it will fall back to
the secondary method, and so on.
If you enable radius or tacacs+, you must also:
• Configure the RADIUS or TACACS+ server using
the corresponding config rad_server or config
tac_server command.
• Set up GigaVUE-420 users within the RADIUS/
TACACS+ server itself.
These two steps are described in Using
GigaVUE-420 with an External Authentication
Server on page 148.
NOTE: GigaVUE-420 always preserves local
authentication for the Console (serial) port to prevent
accidental lockouts.
config system [log-level <critical | error | info | verbose>]
Specifies the log-level in force on the GigaVUE-420.
The log-level with the least logging is critical – only
critical errors are written to the log file. In contrast,
the log-level with the most logging is verbose – all
events are written to the log file.
See Configuring Logging on page 185 for details on
working with the GigaVUE-420’s logging features.
config tac_server command
Use the config tac_server command to identify TACACS+ servers
used for authentication. The arguments are described below. See
Using GigaVUE-420 with an External Authentication Server on page 148
for details on using GigaVUE-420 with a TACACS+ server.
The syntax for the config tac_server command is as follows:
config tac_server host <ipaddr>
key "string"
[port <value>]
[timeout <1~90>] (seconds)
[single_connection <1 | 0>]
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
[alias <alias-string>]
The table below describes the arguments for the config tac_server
command:
Argument
Description
host <ipaddr>
Specifies the IP address of the TACACS+ server.
key "string"
Specifies a string to be used for encryption of authentication packets
sent between GigaVUE-420 and the TACACS+ server.
An empty key string (“”) indicates that no key will be used. Without a
key, there will be no encryption of the packets between the TACACS+
server and the GigaVUE-420 system.
[port <value>]
Specifies the port to be used on the TACACS+ server. If you do not
specify a value, GigaVUE-420 will default to the standard TACACS+
port number of 49.
[timeout <1~90>] (seconds)
Specifies how long GigaVUE-420 should wait for a response from the
TACACS+ server to an authentication request before declaring a
timeout failure. The default value is three seconds.
[single_connection <1 | 0>]
Specifies whether GigaVUE-420 should use the same connection for
multiple TACACS+ transactions (authentication, accounting, and so
on), or open a new connection for each transaction:
• 1 – TACACS+ transactions will use the same session with the
server. The socket will remain open after it is first opened.
• 0 – Each TACACS+ transaction opens a new socket. The socket is
closed when the session is done.
The default is disabled (0).
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
These options specify how privilege level checks are performed for
TACACS+ servers.
• priv_lvl_check specifies how GigaVUE-420 should assign user
rights for TACACS+ users.
• If this option is enabled (the default), the three _priv_lvl options
below it are used to map privilege levels for the corresponding
user types (Audit, Normal, and Super).
• If this option is not enabled, all TACACS+ users log in with
Super user rights.
• super_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Super user level when priv_lvl_check
is enabled.
• normal_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Normal user level when priv_lvl_check
is enabled.
• audit_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Audit user level when priv_lvl_check
is enabled.
NOTE: If no values are specified for the three _priv_lvl options and
privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2
(Audit, Normal, and Super, respectively).
NOTE: GigaVUE-420 will not let you enter out-of-order privilege
levels. The value specified for super must be higher than that
specified for normal, and so on.
[alias <alias-string>]
Specifies an alphanumeric alias for this TACACS+ server to be used in
show tac_server displays.
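Added example (not Gigamon code) showing how the priv_lvl_check and _priv_lvl options described for config rad_server and config tac_server fit together: it parses either command line, applies the range and ordering checks stated above, maps a privilege level returned by the server to a GigaVUE-420 user type, and flags an empty key. The exact-match mapping and the fail-closed handling of a level that matches none of the three values are assumptions; the page does not say what the box does in that case.

```python
"""Privilege-level mapping for RADIUS/TACACS+ servers (added example, not Gigamon code)."""
import shlex
from dataclasses import dataclass
from typing import Dict, Optional

# Ranges taken from the config rad_server / config tac_server syntax.
PRIV_RANGES = {"audit_priv_lvl": (0, 13), "normal_priv_lvl": (1, 14), "super_priv_lvl": (2, 15)}
# Levels used when priv_lvl_check is on and no _priv_lvl values are given.
PRIV_DEFAULTS = {"audit_priv_lvl": 0, "normal_priv_lvl": 1, "super_priv_lvl": 2}


@dataclass(frozen=True)
class AuthServer:
    kind: str                 # "rad_server" or "tac_server"
    host: str
    key: str
    priv_lvl_check: bool
    levels: Dict[str, int]    # option name -> server privilege level

    def user_level(self, server_priv_lvl: int) -> Optional[str]:
        """Map the privilege level returned by the server to a user type.

        With priv_lvl_check off, every RADIUS/TACACS+ user logs in as Super.
        With it on, the level must equal one of the three configured values.
        Assumption: an unmatched level yields None (no access); the page does
        not describe that case, so this fails closed.
        """
        if not self.priv_lvl_check:
            return "super"
        for name, level in self.levels.items():
            if level == server_priv_lvl:
                return name.split("_", 1)[0]      # "super_priv_lvl" -> "super"
        return None

    def weak_key(self) -> bool:
        """True when key is "", i.e. packets to the server are not encrypted."""
        return self.key == ""


def parse_auth_server(cmdline: str) -> AuthServer:
    """Parse a 'config rad_server ...' or 'config tac_server ...' line.

    Only the options common to both commands are interpreted; ports, timeout,
    alias and the like are accepted but ignored. Raises ValueError on input the
    box also rejects (missing host/key, out-of-range or out-of-order levels).
    """
    tokens = shlex.split(cmdline)          # honours the quoted key "string"
    if len(tokens) < 2 or tokens[0] != "config" or tokens[1] not in ("rad_server", "tac_server"):
        raise ValueError('expected: config rad_server|tac_server host <ipaddr> key "string" ...')
    rest = tokens[2:]
    if len(rest) % 2:
        raise ValueError("every option needs a value")
    opts: Dict[str, str] = dict(zip(rest[::2], rest[1::2]))
    if "host" not in opts or "key" not in opts:
        raise ValueError('host <ipaddr> and key "string" are required')
    check = opts.get("priv_lvl_check", "1") == "1"    # enabled by default
    levels: Dict[str, int] = {}
    for name, (lo, hi) in PRIV_RANGES.items():
        value = int(opts.get(name, PRIV_DEFAULTS[name]))
        if not lo <= value <= hi:
            raise ValueError(f"{name} must be in {lo}~{hi}")
        levels[name] = value
    # The box refuses out-of-order levels: super above normal, normal above audit.
    if not levels["audit_priv_lvl"] < levels["normal_priv_lvl"] < levels["super_priv_lvl"]:
        raise ValueError("out-of-order privilege levels")
    return AuthServer(tokens[1], opts["host"], opts["key"], check, levels)


def rejects(cmdline: str) -> bool:
    """True when parse_auth_server refuses the line."""
    try:
        parse_auth_server(cmdline)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample lines; 192.0.2.0/24 is the documentation address range.
    srv = parse_auth_server(
        'config tac_server host 192.0.2.10 key "s3cret" '
        "super_priv_lvl 15 normal_priv_lvl 7 audit_priv_lvl 1"
    )
    for lvl in (15, 7, 1, 9):
        print(f"server level {lvl} -> {srv.user_level(lvl)}")
    print("empty key:", parse_auth_server('config rad_server host 192.0.2.11 key ""').weak_key())
```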
config uda command
You use the config uda command to specify the two global offsets to
be used for user-defined pattern matches. This command has the
following syntax:
config uda [uda1_offset <2~110>] [uda2_offset <2~110>]
GigaVUE-420 accepts offsets at four-byte boundaries ranging from
byte 2 to byte 110. This means that there are 27 valid offset positions
ranging from 0x01 (an offset of 2 bytes) to 0x6d (an offset of 110
bytes). Offsets are always frame-relative, not data-relative.
In many cases, you will be looking for patterns that do not start
exactly on a four-byte boundary. To search in these positions, you
would set an offset at the nearest four-byte boundary and adjust the
pattern and mask accordingly.
See Working with User-Defined Pattern Match Filters on page 237 for
details on how to set up user-defined pattern match filters/map-rules.
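Added example (not part of the guide) of the adjustment just described: a match wanted at a frame byte that is not a four-byte boundary is moved to the nearest boundary at or below it, with the pattern and mask padded so the original bytes still line up. It assumes the boundaries are byte 2 and every fourth byte after it, and that a mask bit of 1 means the bit must match; the frame is constructed.

```python
"""Aligning a user-defined pattern match to a config uda offset (added example, not Gigamon code)."""
from typing import List, Tuple

UDA_MIN, UDA_MAX, UDA_STEP = 2, 110, 4   # offset range accepted by config uda


def valid_uda_offsets() -> List[int]:
    """Frame-relative offsets at which a UDA pattern may start.

    Assumption: the four-byte boundaries are byte 2 and every fourth byte
    after it; the page gives the range but not the boundary positions.
    """
    return list(range(UDA_MIN, UDA_MAX + 1, UDA_STEP))


def align_uda(offset: int, pattern: bytes, mask: bytes) -> Tuple[int, bytes, bytes]:
    """Move a match wanted at frame byte `offset` to the nearest boundary at or below it.

    Pattern and mask are left-padded with zero bytes: the bytes between the
    boundary and the original offset get mask 0 (ignored) and the original
    pattern bytes keep their frame position. Mask bit 1 = must match (assumption).
    """
    if len(pattern) != len(mask):
        raise ValueError("pattern and mask must have the same length")
    if offset < UDA_MIN:
        raise ValueError(f"offset must be at least {UDA_MIN}")
    aligned = offset - (offset - UDA_MIN) % UDA_STEP
    if aligned > UDA_MAX:
        raise ValueError(f"no UDA offset at or below {offset} within {UDA_MIN}..{UDA_MAX}")
    pad = offset - aligned
    return aligned, bytes(pad) + pattern, bytes(pad) + mask


def uda_matches(frame: bytes, offset: int, pattern: bytes, mask: bytes) -> bool:
    """Does `frame` carry `pattern` (under `mask`) starting at frame byte `offset`?"""
    window = frame[offset:offset + len(pattern)]
    if len(window) < len(pattern):
        return False
    return all((f & m) == (p & m) for f, p, m in zip(window, pattern, mask))


def rejected_offset(offset: int) -> bool:
    """True when align_uda refuses `offset` for a one-byte pattern."""
    try:
        align_uda(offset, b"\x00", b"\xff")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed frame: 14-byte Ethernet header, then an IPv4 header. The IPv4
    # protocol byte (0x06 = TCP) is frame byte 23, which is not a boundary.
    frame = (bytes.fromhex("ffffffffffff0011223344550800")
             + bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a80002"))
    aligned, pat, msk = align_uda(23, b"\x06", b"\xff")
    print(f"offset 23 -> offset {aligned}, pattern {pat.hex()}, mask {msk.hex()}")
    print("match at 23:", uda_matches(frame, 23, b"\x06", b"\xff"))
    print("match at boundary:", uda_matches(frame, aligned, pat, msk))
```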
config user command
Use the config user command to create user accounts. Name strings
have a maximum of 30 alphanumeric characters.
The config user command has the following syntax:
config user <name-string> <password> <password-again>
[level <audit | normal | super>]
[description "string"]
The table below describes the arguments for the config user
command:
Argument
Description
<name-string>
The name used for this user account. Names must consist of 5-30
alphanumeric characters.
NOTE: You can create a maximum of 40 user accounts on the
GigaVUE-420 box. A maximum of 20 users can be logged into the
GigaVUE-420 unit simultaneously.
<password> <password-again>
The password for this user account.
Acceptable passwords include between 6-30 alphanumeric characters. At
least one of the characters must be a numeral.
level <audit | normal | super>
Specifies the account privileges for this user account. There are three
types of user accounts ranging from the most privileges to the least –
super, normal, and audit.
• Super users have access to all ports on the box regardless of the
lock-level in place. They can also perform all configuration commands.
• Normal users have access to different ports depending on the
lock-level in place. They cannot perform system configuration
commands.
• When lock-level = none, normal users have access to all network
and tool ports.
• When lock-level = medium, normal users have access to all
network ports. However, they can only set up connections, filters,
and maps for tool ports they own. Super users can assign port
ownership to normal users using the config port-owner command.
• When lock-level = high, normal users can only configure
connections, filters, and maps for network and tool ports they own.
NOTE: Appendix C, Lock-Level Reference provides full details on the
different policies in place at each lock-level.
• Audit users do not have access to any ports. Their access consists
mainly of the ability to use the show command to see what basic
settings are in place on the box.
description “string”
The description string may contain spaces and other characters, but must
be contained in quotation marks (for example, “IT User”). The maximum
number of characters in a description string is 125 alphanumeric
characters.
Description strings appear in the CLI display when performing a show
user command.
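Added example (not Gigamon code) of the lock-level policy described under config system lock-level above and in the user-level table just shown: a small model of a box that decides whether a user may configure a given port at each lock-level, with ownership assigned the way config port-owner does. Treating stack ports as off limits to normal users is an assumption; the page only describes network and tool ports.

```python
"""Lock-level access model for normal, super and audit users (added example, not Gigamon code)."""
from dataclasses import dataclass, field
from typing import Dict, Set

LOCK_LEVELS = ("none", "medium", "high")
USER_LEVELS = ("audit", "normal", "super")


@dataclass
class Box:
    lock_level: str = "none"
    port_types: Dict[str, str] = field(default_factory=dict)    # port id -> network | tool | stack
    users: Dict[str, str] = field(default_factory=dict)         # user name -> audit | normal | super
    owners: Dict[str, Set[str]] = field(default_factory=dict)   # port id -> users given ownership

    def set_lock_level(self, actor: str, level: str) -> None:
        """config system lock-level: a config system command, so super users only."""
        if self.users.get(actor) != "super":
            raise PermissionError("config system commands are only available to super users")
        if level not in LOCK_LEVELS:
            raise ValueError(f"lock-level must be one of {LOCK_LEVELS}")
        self.lock_level = level

    def set_port_owner(self, actor: str, port: str, owner: str) -> None:
        """config port-owner: super users assign port ownership to normal users."""
        if self.users.get(actor) != "super":
            raise PermissionError("only super users can assign port ownership")
        if self.users.get(owner) != "normal":
            raise ValueError("ownership is assigned to normal users")
        if port not in self.port_types:
            raise ValueError(f"unknown port {port}")
        self.owners.setdefault(port, set()).add(owner)

    def may_configure(self, user: str, port: str) -> bool:
        """Can `user` set up connections, filters or maps that involve `port`?"""
        level = self.users.get(user)
        ptype = self.port_types.get(port)
        if level is None or ptype is None:
            return False
        if level == "super":          # all ports, regardless of lock-level
            return True
        if level == "audit":          # no port access at all
            return False
        # Normal user: depends on the lock-level and on ownership.
        # Assumption: stack ports are never configurable by normal users.
        if ptype not in ("network", "tool"):
            return False
        owned = user in self.owners.get(port, set())
        if self.lock_level == "none":
            return True               # all network and tool ports
        if self.lock_level == "medium":
            return ptype == "network" or owned   # any network port, owned tool ports
        return owned                  # high: only owned network and tool ports

    def may_connect(self, user: str, network_port: str, tool_port: str) -> bool:
        """A network-to-tool connection needs rights on both ends."""
        return (self.port_types.get(network_port) == "network"
                and self.port_types.get(tool_port) == "tool"
                and self.may_configure(user, network_port)
                and self.may_configure(user, tool_port))


def denied(fn, *args) -> bool:
    """True when the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed box: two network ports, two tool ports, one stack port.
    box = Box(port_types={"1": "network", "2": "network", "11": "tool", "12": "tool", "x1": "stack"},
              users={"root": "super", "alice": "normal", "bob": "normal", "carol": "audit"})
    box.set_port_owner("root", "11", "alice")
    for level in LOCK_LEVELS:
        box.set_lock_level("root", level)
        print(f"lock-level {level:6}: alice 2->11 {box.may_connect('alice', '2', '11')}, "
              f"bob 2->12 {box.may_connect('bob', '2', '12')}")
```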
config xbconnect command
Use this command to create cross-box connections between network
and tool ports on different boxes. All well-formed packets (subject to
filtering) appearing on the network port(s) will be forwarded to the
tool port(s).
config xbconnect <bid-pid_list> to <bid-pid_list> alias <string>
A unique alias is required for each instance of this command. All
xbconnect commands must be applied in exactly the same way on all
stacked systems.
config xbmap command
You use the config xbmap command to create a cross-box map
container to hold map-rules that send traffic to cross-box
destinations. You will eventually bind the container to one or more
network ports using the config xbmapping command.
When you create the map container, you must supply the following
information:
• Whether the map is a single-tool map or a multi-tool map (see
Single-Tool Maps vs. Multi-Tool Maps on page 267 for details).
• The name (alias) of the map.
The config xbmap command has the following syntax:
config xbmap type [st | mt] alias <string>
The table below lists and describes the arguments for this command:
Argument
Description
type [mt | st]
Specifies whether the map is a multi-tool (mt) or
single-tool (st) map.
See Single-Tool Maps vs. Multi-Tool Maps on
page 267 for more information.
alias
Creates a textual alias for this map. Aliases can
consist of a maximum of 30 alphanumeric characters.
You can also use hyphens (-) and the underscore (_)
character.
config xbmapping command
The config xbmapping command binds a cross-box map to one or
more network ports (up to 40 network ports). You can bind cross-box
maps to a single port or a list of ports. The syntax is as follows:
config xbmapping net <bid-pid_list> map <map-alias>
• The net argument specifies the network ports to which the map is
bound.
• The map argument specifies the name of the map you are
binding.
config xbport-filter command
Use this command to apply specified filter(s) to a cross-box port. The
syntax is as follows:
config xbport-filter <bid-pid> <filter-alias| fid-list>
delete commands
You use delete commands to delete various configured entities on the
GigaVUE-420. Delete commands are always available to super users,
regardless of the lock-level in place. Normal users have varying
access to delete commands depending on the lock-level. See
Appendix C, Lock-Level Reference for details.
The table below summarizes the items you can delete:
Delete Commands
Description
delete all
This command erases all configured values for
connections, maps, filters, and port-types. However, it
retains system and user account definitions. Also
port-alias and prompt settings are NOT deleted. A
confirmation prompt will appear when you use this
command.
delete connect [all | <port-alias | pid-list | pid-x..pid-y> to <port-alias | pid-list | pid-x..pid-y>]
Deletes the specified connections.
delete file [filename]
Deletes the specified configuration file(s).
delete filter [all | filter-alias | fid-list]
Deletes the specified filters. You cannot delete filters
that are currently bound to a port.
delete log [filename]
Deletes the specified log file.
delete pass-all [all | <port-alias | pid-list | pid-x..pid-y> to all | <port-alias | pid-list | pid-x..pid-y>]
Deletes the specified pass-alls.
delete port-alias [all | port-alias | pid-list]
Deletes a port’s alias.
delete port-pair [all | port-pair-alias]
Deletes a port-pairing, disabling packet repeating
between the ports.
delete port-filter [all | <port-alias | pid> [all |
filter-alias | fid-list]
Removes filters from ports. If a filter is bound to more
than one port, you can remove it selectively from only
one of the ports to which it is bound.
delete port-owner [all | <port-alias | pid-list |
pid-x..pid-y> owner <user-name>]
Removes port-ownership from a particular owner to
one or more ports.
delete map [all | map-alias]
Deletes one or more maps entirely. You can delete
maps that are currently bound to network ports.
delete mapping [all | map-alias]
Deletes a mapping between a map and network ports.
delete map-rule <map-alias> [tool <port-id-list> | rule
<rule-id-list>]
Deletes a map-rule from a map. Delete one or more
rules by tool port or rule id.
delete rad_server [all | server-alias | server-id]
Deletes the specified RADIUS servers.
delete snmp_trap [all | host-alias-list | host-id-list]
Deletes the specified SNMP trap destination(s)
delete sntp_server [all | server-alias | server-id]
Deletes the specified SNTP server(s).
delete stack_info
Resets the values for the bid, x1_bid, back_bid, and
active_link options to their default values. Note that
this will affect all existing xbconnections, xbport-filters,
and xbmaps. You must restart the system after using
this command.
delete syslog_server
Deletes the active syslog server. The GigaVUE-420
allows a maximum of one syslog server. You must
delete the existing syslog server before you can add a
new one using the config syslog_server command.
delete tac_server [all | server-alias | server-id]
Deletes a configured TACACS+ server.
delete user [all | user-name-list]
Deletes a user account. The factory default super user
"root" cannot be deleted, but its password (factory default
root123) can be changed by a super user or by root. Change this
default password before the unit is put into service, since it is
printed in this guide.
delete xbconnect [all | xbconnect-alias-list]
Deletes the specified cross-box connections.
delete xbmap [all | xbmap-alias-list]
Deletes a cross-box map on the local box or the
cross-box map reference to a map on a remote box.
delete xbport-filter [all | <bid-pid> [all | filter-alias |
fid-list]]
Deletes the reference to a filter on a remote box.
exit command
Use this command to exit the current CLI session.
help command
Provides online help. Note that the GigaVUE-420 CLI provides a
variety of different types of online help. See Getting Help in the
Command Line Interface on page 91 for details.
history command
Use the history command to display the last 50 commands you have
issued during the current session.
After issuing the history command, you can repeat any of the listed
commands by typing !<command number>. For example, to repeat
command number 6 in the list, type !6 and press Enter. This makes it
easy to reuse a command that you have already entered in the CLI.
The history command is particularly useful when constructing complex
map-rules or filters, which are long commands with exact syntax.
Occasionally, you may construct a complex map-rule before its
destination port has been set up as a tool port, causing GigaVUE to
reject the rule. In that case, configure the destination port as a
tool port and then use the history command to reissue the previously
rejected config map-rule command. With the destination port properly
configured as a tool port, GigaVUE will no longer reject the rule.
install commands
Super users can use the install command to install new GigaVUE or
redboot images, new config files, and a customizable text banner file.
All of these transfers use TFTP, which provides no authentication and
no encryption of the files in transit, so run the TFTP server on a
trusted management network and remove the files from it once the
install has completed.
The commands are summarized in the table below:
install command
Description
install image_name TFTP-server-ipaddr
Installs a new GigaVUE-420 software image.
For example, to install the GigaVUE-420 4.0
installation file named gv.bin.4.0.xx from a
TFTP server running on IP address
192.168.1.102, you would use the following
command:
install gv.bin.4.0.xx 192.168.1.102
The system will erase the existing image and
install the new one. Wait for this process to
complete. The system will inform you that the
image was installed successfully. When the
system prompt reappears, reset the system with
the reset system command.
install -ban banner_file.txt TFTP-server-ipaddr
Uploads the banner_file.txt file from the
specified TFTP server. For example:
install -ban banner_file.txt 192.168.254.5
Once banner_file.txt has been uploaded using
this command, its contents can be displayed as
a banner when a user logs in with the following
command:
config system banner 1
See Using a Custom Login Banner on page 102
for details on how to set up a custom banner.
install -cfg config_file.cfg TFTP-server-ipaddr
You can use this option to download a new
configuration file for the GigaVUE-420 from a
TFTP server. GigaVUE-420 can store up to five
configuration files in flash. If you want to use
more than five configuration files, you can
upload/download the files to/from a TFTP
server. For example:
install -cfg gigavue.cfg 192.168.254.5
install [-rb] redboot_image_name TFTP-server-ipaddr
The -rb option is used to install a new redboot
image. For example:
install -rb rbgvs420_1.bin 192.168.254.5
See Chapter 2, Updating the GigaVUE-420 for details on using the
install command to update the GigaVUE-420.
logout command
All users can use this command to log out from the current CLI
session. Super users can also use this command to log out a lower
level user. The syntax is as follows:
logout [user <name-string>]
This command works differently for local and RADIUS/TACACS+
users:
• Local users can only log out other local users.
• RADIUS/TACACS+ users can only log out other RADIUS/TACACS+ users.
As always, a user must have sufficient account privileges to log out
another user.
reset commands
Super users can use reset commands to reset either port statistics or
the system configuration. The commands are summarized in the
table below:
Reset Command
Description
reset port-stats [all | port-alias | pid-list]
Resets MAC layer packet statistics for the specified ports to zero.
reset system [factory-default]
Use reset system without the factory-default argument to reboot
the system.
If you use the reset system factory-default command, all settings
are returned to their factory defaults. Connections, filters, maps,
map-rules, port-params, port-types, and system settings are all
erased.
show commands
You use show commands to display the currently configured
parameters of various GigaVUE-420 options.
With the exception of the show diag command, show commands are
available to all users regardless of the lock-level in force on the box.
The show diag command is never available to normal users, but is
always available to audit and super users. See Appendix C, Lock-Level
Reference for details.
The table below lists and describes the available show commands.
Show Commands
Description
show connect [network | tool]
Displays connection circuits sorted by network or
tool ports, whichever is specified. Shows port-type
and alias for all ports, filter assignments by port,
port-pairs and port-pair aliases.
show diag
Displays all system configuration information for
the GigaVUE-420. You can save this information
to a file to ease field data collection for
troubleshooting.
show file [filename]
Displays information on configuration files
currently stored on the GigaVUE-420:
• If you use the command without a filename,
GigaVUE-420 returns a summary of all
configuration files stored on the unit, including
the status of nb flags, last restored, and so on.
• If you use the command with a filename,
GigaVUE-420 returns a detailed printout of the
configuration information stored in the
specified file.
show filter [all | filter-alias | fid-list] |
[group <apport|dscp|ethertype|ip6fl|ipaddr|ipfrag|
mac|multi|uda|protocol|tos|vlan|ttl|tcpctl>]
Displays configured filters with full descriptions
and which ports they are applied to, if any. Filters
can be displayed as a group of filter types using
the available arguments.
show hostkeys
Shows the DSS and RSA Public Keys installed on
the GigaVUE-420.
show log [logfile]
[pri <verbose | info | error | fatal>]
[type <system | periodic | stack | userif | notif | login>]
[start <mm-dd-yy>] [end <mm-dd-yy>] [delim] [tail
<1..255>]
You use the show log command to view:
• A list of available log files (when used with no
logfile specified).
• A specified log file’s contents (when used with
a specified logfile).
Use the type, start/end, and tail arguments to
specify which logfile events are displayed.
Use the delim argument if you would like events
displayed in comma delimited format for export to
a spreadsheet.
See Viewing Log Files on page 190 for details on
these arguments.
show map-rule [all | map-alias]
Shows the map rule(s) of a specified map or list of
maps.
show port-filter [all | port-alias | pid-list | pid-x..pid-y]
Shows the active filters by port.
show port-params [all | port-alias | pid-list | pid-x..pid-y]
Shows the status of the specified port(s),
including network or tool port-type, link up or
down, half or full duplex, speed, MTU size, and
autonegotiation settings.
Changes to port parameter values will not appear
if the port link state is down. However, changes
will go into effect once the port is up.
show port-stats [all | port-alias | pid-list | pid-x..pid-y | full]
Shows the MAC layer packet statistics for the
specified ports. The default is to display a
condensed list of statistics. However, an optional
full list of statistics is available.
See Appendix D, Port Statistics Counters for
description of the port statistics.
show port-owner [all | port-alias | pid-list | pid-x..pid-y]
[owner <user-name-list>]
Displays the port-owners configured by super
users. You can display all port-owners, the
port-owners for a particular set of ports, or all
ports owned by a specific set of users.
show rad_server
Shows the settings for all currently configured
RADIUS servers, in the order they were
configured. RADIUS servers are used in the same
order they are specified in case fallback
authentication is needed. You can specify as
many as five.
show snmp
Displays the current config snmp_server and
config snmp_trap settings in place on the unit.
show sntp_server
Displays the current config sntp_server settings
in place on the unit.
show syslog_server
Displays the current config syslog_server
settings in place on the unit.
show system
Shows the current config system settings in
place on the box, including name, description,
version, date, time, and DHCP/IP address
settings.
show symbols
Provides description of symbols used in
GigaVUE-420 CLI. Use this information to
interpret the CLI displays.
show tac_server
Shows the settings for all currently configured
TACACS+ servers, in the order they were
configured. TACACS+ servers are used in the
same order they are specified in case fallback
authentication is needed. You can specify as
many as five.
show uda
Shows the two global offsets currently configured
for UDA user-defined pattern match filters/
map-rules.
See Working with User-Defined Pattern Match
Filters on page 237 for details.
show user [all | audit | normal | super]
Shows the user accounts at or below your level
for this system.
NOTE: This command works differently for local
and TACACS+ users. See Differences in
Commands for External and Local Users on
page 164 for details.
show whoison
Shows the users currently logged into the system.
NOTE: This command works differently for local
and TACACS+ users. See Differences in
Commands for External and Local Users on
page 164 for details.
upload command
Use the upload command to transfer a configuration file or log file to
a TFTP server.
GigaVUE-420 can store up to five configuration files in flash. You can
use the upload and install commands to move configuration files on
and off a TFTP server for additional storage.
You can also use the upload command to transfer a log file off the
GigaVUE-420 for use in troubleshooting.
The upload command has the following syntax:
upload [-cfg] config_filename TFTP-server-ipaddr
upload [-log] log_filename TFTP-server-ipaddr
Appendix B
CLI Parameter Limits
This section provides information on supported configurations for
GigaVUE-420, including:
• Supported ranges and default values for each of the parameters in
the GigaVUE-420 command line interface.
• Supported stacking configurations
• Supported configurations for 10 Gb ports
Details are provided in the table below.
NOTE: Default values are indicated in bold in the table below.
Parameter: Value in GigaVUE-420 v4.0.xx
Maximum Characters per line in CLI:
1024
System Parameters
system name
(maximum alphanumeric characters)
30
system description
(maximum alphanumeric characters)
125
system prompt
(maximum alphanumeric characters)
20
remote_timeout
10 - 86400
Default is 300.
dhcp timeout
4 10 30 60 100
dhcp ipaddr
subnetmask format
x.x.x.x
console_baud
9600 11400 19200 38400 57600 115200
console_width
32 - 1024
Default is 80.
lock-levels
none med high
Maximum number of TACACS+ Servers per GigaVUE-420
Unit
5
Maximum number of RADIUS Servers per GigaVUE-420
Unit
5
Maximum number of SNMP Trap Destinations per
GigaVUE-420 Unit
5
Maximum number of SNTP Servers per GigaVUE-420 Unit
3
Supported Configurations for 10 Gb Ports (Stack, Network, Tool)
x1
Stack, Tool, or Network
x2
Stack, Tool, or Network
x3
Tool or Network
x4
Tool or Network
active_link
x1, x2, both, or none
Supported Configurations for Cross-Box Stacks
Maximum number of boxes in a cross-box stack
10
Maximum number of neighbors in a cross-box stack
9
Maximum number of ports per owner
in a cross-box stack
222
User Parameters
Maximum number of users per box
40.
Of these 40 user accounts, a maximum of
20 (Telnet) or 10 (SSH2) can be logged
into the GigaVUE-420 unit simultaneously.
user name
(maximum alphanumeric characters)
30
password
(minimum and maximum alphanumeric characters)
6 - 30
user levels
• audit (au)
• normal (nu)
• super (su)
user description
(maximum alphanumeric characters)
60
Filter Parameters
AND filtering
Parameters in a single filter are joined with
a logical AND.
OR filtering
Multiple filters are joined with a logical OR.
Maximum parameters per filter entry
7
Maximum filters per network port (1 Gb or 10 Gb)
120
Maximum filters per tool port (1 Gb or 10 Gb)
100 (see the next line; if you have 100 tool
port filters on a single port, you cannot
have any other ports with tool port filters).
Maximum filters bound to tool ports per box
(tool port-filters)
100
Maximum tool ports with filters bound
23
Maximum number of filter entries in database
4,000
Maximum network port filters and single-tool map-rules
bound per box
2048
vlan filter range
1 - 4094.
Can also specify odd or even.
port filter range
0 - 65,535
Can also specify odd or even.
Maximum Connections – Single-Box Configurations
Maximum number of connections per 1 Gb port
23
Maximum number of connections per 10 Gb port
23
Maximums for xbconnections
Maximum number of cross-box connections
per 1 Gb port
20
Maximum number of cross-box connections
per 10 Gb port
20
Maximum number of network ports
per cross-box command
40
Maximum number of tool ports per cross-box command
40
Map Parameters – Single-Box Maps
Maximum number of parameter ranges per map-rule
1
map alias
(maximum alphanumeric characters)
30
Maximum number of local maps per box
(single-tool and multi-tool combined)
10
Maximum map-rules per map
120
Maximum parameters per map-rule
7
Maximum network ports per mapping
20
Maximum tool ports per map-rule
10
Maximum tool ports per map
23
Maximum multi-tool map-rules bound per box
512
Maximum network port filters and single-tool map-rules
bound per box
2048
Minimum/Maximum tool ports per multi-tool map rule
1 (minimum)
10 (maximum)
Maximum collector destinations per map-rule
1 only
Map Parameters – Cross-Box Maps
Maximum number of parameter ranges per map-rule
1
xbmap alias
(maximum alphanumeric characters)
30
Maximum number of cross-box maps per box
20 (10 single-tool cross-box maps and 10
multi-tool cross-box maps)
Maximum map-rules per cross-box map
120
Maximum parameters per map-rule
7
Maximum network ports per cross-box mapping
40
Maximum tool ports per cross-box map
221
Minimum/Maximum tool ports per multi-tool map-rule
1, 10
Maximum collector destinations per map-rule
1 only
Port Parameters
mtu size range
1518 - 9600
port-alias
(maximum alphanumeric characters)
30
port-pair alias
(maximum alphanumeric characters)
30
Maximum port-owners per box
40
Maximum number of ports a normal user can own
24
SSH2/Telnet Parameters
Maximum number of simultaneous Telnet sessions to
one box
20 (in addition to one serial connection)
Maximum number of simultaneous SSH2 sessions to one
box
10 (in addition to one serial connection)
Appendix C
Lock-Level Reference
This chapter summarizes the various options available to different
user account types depending on the current lock-level in place on
the GigaVUE-420 box. Commands are listed in the following sections:
• About Lock-Levels and Port Ownership on page 347
• Abbreviations in this Section on page 348
• Login Command on page 349
• Show Commands on page 349
• Delete Commands on page 351
• Config Commands on page 353
• Install Command on page 355
• Reset Commands on page 356
About Lock-Levels and Port Ownership
The lock-level in force on the GigaVUE-420 can be none, medium, or
high. In general, as the lock-level increases, audit and normal users
have fewer rights on the box, except for those ports to which they
have been assigned ownership:
• When lock-level = none, normal users have access to all network
and tool ports.
• When lock-level = medium, normal users have access to all
network ports. However, they can only set up connections, filters,
and maps for tool ports they own.
• When lock-level = high, normal users can only configure
connections, filters, and maps for network and tool ports they
own.
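The three rules above are the whole of the port-ownership policy, so they can be checked before a change is typed into the CLI. The following is an added example, not code from the GigaVUE-420 guide: it encodes the rules for normal users (super users are unrestricted; audit users are left out because the guide does not state their configuration rights here) and applies them to a proposed config connect from a network port to a tool port. The port ids, user names and ownership assignments are constructed sample data.

```python
"""Lock-level and port-ownership rules of the GigaVUE-420, as a checker.

Added example, not part of the GigaVUE-420 guide. It encodes only the
three rules stated under "About Lock-Levels and Port Ownership" and
applies them to a proposed 'config connect <NP> to <TP>'. Port ids,
user names and ownership below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List


class LockLevel(Enum):
    NONE = "none"
    MEDIUM = "medium"
    HIGH = "high"


class UserLevel(Enum):
    NORMAL = "nu"
    SUPER = "su"


class PortType(Enum):
    NETWORK = "NP"
    TOOL = "TP"


@dataclass(frozen=True)
class Port:
    pid: str                 # port id (hypothetical, e.g. "np1")
    ptype: PortType
    owners: FrozenSet[str]   # users a super user has made owners of the port


def normal_user_may_configure(lock: LockLevel, user: str, port: Port) -> bool:
    """Rules for a normal user at each lock-level:
    none   - all network and tool ports
    medium - all network ports, but only tool ports the user owns
    high   - only network and tool ports the user owns
    """
    owned = user in port.owners
    if lock is LockLevel.NONE:
        return True
    if lock is LockLevel.MEDIUM:
        return port.ptype is PortType.NETWORK or owned
    return owned  # LockLevel.HIGH


def connect_denials(lock: LockLevel, level: UserLevel, user: str,
                    net: Port, tool: Port) -> List[str]:
    """Return the ids of the ports that block 'config connect <net> to <tool>'
    for this user; an empty list means the command is allowed.
    Super users are unrestricted at every lock-level."""
    if net.ptype is not PortType.NETWORK or tool.ptype is not PortType.TOOL:
        raise ValueError("connect goes from a network port to a tool port")
    if level is UserLevel.SUPER:
        return []
    return [p.pid for p in (net, tool)
            if not normal_user_may_configure(lock, user, p)]


# Constructed sample data: alice owns np1 and tp1, bob owns tp2.
NP1 = Port("np1", PortType.NETWORK, frozenset({"alice"}))
NP2 = Port("np2", PortType.NETWORK, frozenset())
TP1 = Port("tp1", PortType.TOOL, frozenset({"alice"}))
TP2 = Port("tp2", PortType.TOOL, frozenset({"bob"}))


if __name__ == "__main__":
    # Walk the same three connections through every lock-level as alice.
    for lock in LockLevel:
        for net, tool in ((NP2, TP1), (NP2, TP2), (NP1, TP1)):
            denied = connect_denials(lock, UserLevel.NORMAL, "alice", net, tool)
            verdict = "allowed" if not denied else "denied on " + ", ".join(denied)
            print(f"lock={lock.value:6} connect {net.pid} to {tool.pid}: {verdict}")
```

Running the script shows the lock-level medium case that most often surprises operators: alice may connect the unowned network port np2 to her own tool port tp1, but not to bob's tp2, and at lock-level high the same np2 is refused as well because she does not own it.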
Chapter 8, Configuring GigaVUE-420 Security Options describes how
to set up lock-levels and port ownership. This chapter provides the
details on who can do what at each of the supported lock-levels.
NOTE: This chapter doesn’t provide details on how to use CLI
commands. For that information, see Appendix A, Command Line
Reference or the corresponding sections in the rest of this document.
Abbreviations in this Section
The tables in this section use the following abbreviations:
• au = Audit User
• nu = Normal User
• su = Super User
• NP = Network Port(s)
• TP = Tool Port(s)
• A marked cell means the corresponding account level has full
rights for the command at the indicated lock-level.
• An unmarked cell means the corresponding account level does not
have rights for the command at the indicated lock-level.
Login Command
The following table lists which account levels can log into
GigaVUE-420 at each supported lock-level.
(Table: availability of the login command to Audit, Normal and Super
users at lock-levels none, medium and high; the per-cell marks are not
reproduced here.)
One cell of the login row carries the note "Must own at least one
port."; from its position in the table it belongs to the Normal User
column at lock-level high, which matches the ownership rules above.
Show Commands
The following table lists which show commands are available to
different account levels at each supported lock-level.
(Table: availability of each show command to Audit, Normal and Super
users at lock-levels none, medium and high; the per-cell marks are not
reproduced here.)
Rows: show connect, diag, file, filter, hostkeys, log, map-rule,
port-filter, port-params, port-stats, port-owner, rad_server, snmp,
sntp_server, system, symbols, tac_server, uda, user, whoison.
Notes in the Normal User column:
• show connect, map-rule, port-filter, port-params and port-stats:
"Owned TP and all NP." at lock-level medium; "Owned NP/TP only." at
lock-level high.
• show port-owner and whoison: the notes on these rows read "Owned TP
and all NP.", "Shows all normal users sharing NP/TP owned by
issuer." and, in two cells, "Shows all logged in normal users only."
• show diag is never available to normal users and is always
available to audit and super users (see the show commands section of
Appendix A).
Delete Commands
The following table lists which delete commands are available to
different account levels at each supported lock-level.
(Table: availability of each delete command to Audit, Normal and Super
users at lock-levels none, medium and high; the per-cell marks are not
reproduced here.)
Rows: delete all, pass-all, port-pair, port-alias, port-filter, map,
mapping, map-rule, connect, file, filter, log, port-owner, rad_server,
snmp_trap, sntp_server, stack_info, tac_server, user, xbconnect,
xbmap, xbport-filter.
Notes in the Normal User column:
• delete all, pass-all, port-alias, port-filter, map, mapping,
map-rule, xbconnect, xbmap and xbport-filter: "Owned TP and all NP."
at lock-level medium; "Owned NP/TP only." at lock-level high.
• delete port-pair: "All NP (TP: n/a)" at lock-level medium; "Owned
NP/TP only." at lock-level high.
• The other rows carry no note.
Config Commands
The following table lists which config commands are available to
different account levels at each supported lock-level.
(Table: availability of each config command to Audit, Normal and Super
users at lock-levels none, medium and high; the per-cell marks are not
reproduced here.)
Rows: config connect, file, filter, password, port-alias, port-filter,
map, map-rule, mapping, pass-all, port-owner, port-params, port-type,
port-pair, rad_server, restore, save, snmp_server, snmp_trap,
sntp_server, system, tac_server, uda, user, xbconnect, xbmap,
xbmapping, xbport-filter.
Notes in the Normal User column:
• config connect, map, map-rule, mapping, pass-all, port-alias,
port-filter, port-params, port-type and port-pair: "Owned TP and all
NP." at lock-level medium; "Owned NP/TP only." at lock-level high.
• config password: "Own account only." (three cells).
• config port-owner: one cell carries footnote 1; the other notes on
this row read "All NP." and "Owned NP/TP only.".
• config xbmap, xbmapping and xbport-filter: "Owned cross-box TP." at
lock-levels medium and high, with footnote 4.
Footnotes:
1. Command does not apply at this lock-level.
2. Cross-box tool ports only. Cannot be applied to local tool ports.
3. Cross-box tool ports only. Cannot be applied to local tool ports.
4. Cross-box tool ports only. Cannot be applied to local tool ports.
Install Command
Only super users can install a new image on the GigaVUE-420,
regardless of the lock-level in place. The install row of the table is
marked for the Super User column only, at every lock-level.
Reset Commands
The following table lists which reset commands are available to
different account levels at each supported lock-level.
(Table: availability of reset port-stats, reset port-stats all and
reset system / factory-default to Audit, Normal and Super users at
lock-levels none, medium and high; the per-cell marks are not
reproduced here.)
In the Normal User column, reset port-stats reads "Owned TP and all
NP." at lock-level medium and "Owned NP/TP only." at lock-level high.
The reset port-stats all and reset system / factory-default rows carry
no note; see the Reset Commands section of Appendix A, which describes
them as super-user commands.
Appendix D
Port Statistics Counters
This appendix describes the counters displayed by the show
port-stats command. It also describes the differences in how the
counters are tabulated between the GigaVUE-420 and the
GigaVUE-MP. Each entry gives the counter, its definition, and the
platform-specific differences where they exist.

IfInOctets
Definition: Total Received Bytes. Includes all valid and error frames
with the exceptions noted for each platform.
GigaVUE-420: Excludes undersize frames. Excludes packets with FCS/CRC
errors.
GigaVUE-MP: Includes undersize frames. Includes packets with FCS/CRC
errors.

IfInUcastPkts
Definition: Total Received Packets. Excludes multicast packets,
broadcast packets, packets with FCS/CRC errors, MTU exceeded errors,
oversize packets, and pause packets.

IfInNUcastPkts
Definition: Total Received Broadcast and Multicast packets.

IfInDiscards
Definition: Total Discarded Packets. Discards are counted in the
following cases:
• Traffic in on a Network port with no logical connection.
• Filters/map-rules applied on a Network port.
• In packets on a Tool port.
• Pause frames.
• Bandwidth exceeded on a Tool port due to oversubscription. See the
platform notes for differences in how discards are counted due to
oversubscription.
GigaVUE-420: Oversubscription/bandwidth exceeded on Tool port in ALL
configurations. Excludes oversize packets without FCS/CRC. Supported
in GigaVUE-420.
GigaVUE-MP: Oversubscription/bandwidth exceeded only on Tool ports in a
pass-all configuration. Includes oversize packets without FCS/CRC. Not
supported in GigaVUE-MP.

IfInErrors
Definition: Total Received Error Packets. Error packets include
undersize, FCS/CRC, MTU exceeded, and oversize packets.

IfOutOctets
Definition: Total Transmitted Bytes. Error packets are not
transmitted, so they are not counted here.

IfOutUcastPkts
Definition: Total Transmitted Packets. Error packets are not
transmitted, so they are not counted here. In addition, multicast and
broadcast packets are not counted here.

IfOutNUcastPkts
Definition: Total Transmitted Broadcast and Multicast Packets.

IfOutDiscards
Definition: Transmitted Packets Discarded. This counter increments
when a packet is discarded at a tool port due to a tool port filter.

IfOutErrors
Error packets seen on the GigaVUE input port are not transmitted to a
Tool port.
Appendix E
Console Cable Pinouts
This appendix provides the DB9 and RJ45 pinouts for the serial cable
provided with the GigaVUE-420 unit for connections to the Console
port.
The figures below show the pin numbers for both the DB9 and the
RJ45 ends of the cable. Following the figures, the table shows how the
pins connect on either end of the cable.
DB9 Pinouts – Figure
[Figure 5-1: Console Cable: DB9 Pinouts]
RJ45 Pinouts – Figure
The RJ45-RJ45 cable uses straight-through wiring.
[Figure 5-2: Console Cable: RJ45 Pinouts]
DB9 to RJ45 Pinouts – Table
Pin Number on DB9   Pin Number on RJ45   Cable Color
1                   No Connection        No Connection
2                   6                    Yellow
3                   3                    Black
4                   2                    Orange
5                   4,5                  Red and Green (Ground)
6                   7                    Brown
7                   1                    Blue
8                   8                    White
9                   No Connection        No Connection
Index
Numerics
allowing odd MAC addresses
example
10GbE
stacking port options
-48 V DC
power supplies
108
A
aaa
143
configuring
and port ownership
vs. passive
active_link
157
82
back_bid
config system
example
config system 321
configuring 119
alarm cancel button 61
allow
allow filter 247
and 1 Gb speeds
authentication (aaa) 144
autonegotiation
banner
68
mixing with deny
144
321
back-to-back cross-box stack
135
configuring
active
and console port
configuring 143
B
access control list
accounts
audience 13
authentication
62
-48V power supplies 62
249
120
config system 318
custom display 102
bit count subnet masks 233
box IDs
config system bid
116, 321
242
361
C
cable lengths
configuring
chassis
CLI
118
GigaVUE-420
25
basics 91
default password 81
getting started 79
parameter limits 341
reference 295
starting session 79
structure of commands
syntax 92
combining filters 235
command completion 91
command help 92
command line
basics 91
connecting 79
getting started
reference 295
syntax 92
commands
79
external vs. local
config
164
box IDs 116, 321
connect 296
console_baud 320
console_width 320
date 318
dst 319
dst_offset 319
dst_onset 319
file 296
filter 297
filter syntax 225
hostkey 320
map type 304
mapping 306
362
93
map-rule 305
mgmt_port_mtu 85
mtu 310
pass-all 306
password 307
port-alias 307
port-filter 307
port-owner 307
port-pair 308
port-params 309, 310
port-params (autoneg) 310
port-params duplex 310
port-params speed 310
port-params taptx 310
port-type 310
restore 313
save 313
snmp_server 314
sntp 319
sntp_server 316
ssh2 319
syslog_server 317
system 318, 323
system active_link 321
system back_bid 321
system banner 318
system description 318
system dhcp 321
system dhcp_timeout 320
system gateway 321
system lock-level 322
system log-level 323
system prompt 318
system rootdis 319
system x1_bid 321
tac_server 324
uda 326
user 327
xbconnect 328
xbmap type 329
xbmapping 330
xbport-filter 330
config
config
config
config
config
config
config
map command 270
mapping 273
mapping command 273
map-rule command 271
port-owner command 141
rad_server command 153
system
ipv6
321
config system aaa command 146
config system lock-level command 141
config tac_server command 149
config user command 327
config xbmap command 270
config xbmapping 273
config xbmapping command 273
configuration
planning
110
configuration files
and delete stack_info 181
and the ‘nb’ option 182
applying 180
applying from flash 181
contents 179
from TFTP Server 180
restoring in cross-box stack 183
saved items 176
saving 177
sharing 180
storing on TFTP server 179
uploading to TFTP server 179
using 175, 185
connect
delete
to GigaVUE-420 CLI
via telnet 90
vs. mapping 208
connecting ports 216
deleting 218
deleting cross-box 219
differences with maps 210
examples 208
GigaVUE-420 59
introduced 208
showing 217
syntax 216
using filters with 219
connections and filters
using
215
console cable
pinouts
359
Console port
connections
console port
80
and local authentication
console port settings 80
console_baud
config
320
config
320
contacting sales 20
contacting support 19
conventions
documentation
16
conventions, notational 16
creating
cross-box maps
map-rules 271
maps 266
266
cross box commands
cross-box
79
144
console_width
executing on all systems
331
connecting
connecting systems (cross-box) 109
connections 59, 208
configuring
125
cross-box commands
executing on all systems
cross-box configurations
introduced
202, 216, 264
284
106
363
cross-box connections
deleting
219
cross-box distribution
compared to single-box
cross-box maps
creating
201
266
cross-box stack
configuring 114
connecting systems 109
planning 110
restoring config files 183
cross-box stack (4 systems)
example
121
cross-box stacks
troubleshooting
customer support
contacting
port-owner 331
port-pair 331
rad_server 332
snmp_trap 332
sntp_server 332
tac_server 332
user 332
xbconnect 332
xbmap 332
xbport-filter 332
delete all command 331
delete commands 331
and lock-level
delete map
125
syntax
279
syntax
279
syntax
278
351
delete mapping
19
delete map-rule
D
date
config 318
configuring
delete stack_info
and config files
stack_info
98
daylight savings time
automatic adjustments
deleting 332
100
DB9 pinouts 359
DC power supplies 62
DC powered GigaVUE-420 62
default password 81
default user 81
delete
connect 331
file 331
filter 331
log 331
map 331
mapping 332
map-rule 332
pass-all 331
port-alias 331
port-filter 331
364
181
delete syslog_server 332
deleting
connections
filters 244
218
deny
mixing with allow
242
deny filter 247
denying odd MAC addresses
example
description
248
config system
318
designating and connecting tool ports
example
dhcp
205
config system
321
config system
320
dhcp_timeout
dimensions
GigaVUE-420
documentation
conventions
using 14
42
procedure for using 220
syntax 225
using with connection 219
16
filter logic 235
DSS host keys 89
DST
dst
examples
automatic adjustment
config
319
config
319
config
319
dst_offset
dst_onset
duplex
config port-params
100
310
firmwarechange
SNMP trap
IPv6
example
allow filter 247
allowing odd MAC addresses 249
back-to-back cross-box stack 120
cross-box stack (4 systems) 121
deny filter 247
denying odd MAC addresses 248
designating and connecting tool ports 205
filter logic 235
MAC address filters 246
exit command 332
SNMP trap
delete
filter
169, 315
226, 298
G
gateway
config system 321
Getting Started with Packet Distribution 203
GigaLINK-ER
and GigaLINK-XR 17
and GigaLINK-FO 17
and GigaLINK-FO 17
GigaLINK-LR
GigaLINK-SR
GigaMUX module (base unit) 29, 30, 64
GigaPORT module 65
F
fanchange
235
combining 235
deleting 244
mixing allow and deny 242
post-filters defined 201
pre vs. post 220
pre-filters defined 200
showing 243
fragments
E
file
filters
port numbering
169, 315
247
247
66
network ports only
199, 311
network ports only
199, 311
GigaTAP-SX
331
delete 331
example of allow
example of deny
logic 235
GigaTAP-LX
GigaTAP-SX/GigaTAP-LX modules 67
GigaTAP-TX module 68
GigaVUE-420 59
10GbE stacking ports
108
and TACACS+/Radius 148
chassis 25
connections 59
features and benefits 22
getting started 47
initial setup 95
modules 63
overview 21
physical dimensions and weight
product naming conventions 16
rack-mounting 52
replacing modules 75
security 133, 134
specifications 42
stacking 105
guide
how to use 14
command 92
command completion
word 92
history
command
host keys
config
91
42
and port-pair
local
separate from TACACS+/Radius
local users
320
log
and port ownership
configuring 139
delete
ib_cable_len 310
IDS
and config pass-all
install command 334
IPv4
and IPv6
83
359
347
331
and lock-level
349
config system
323
M
337
MAC address filters
map
256
148
command differences vs. external
lock-level
examples
69, 309
logout command 336
I
IPv6
321
link status propagation
log-level
89
83
L
login command 333
configuring
show
config system
lock-levels
help 91
hostkeys
ipv6
changing 141
config system 322
reference 347, 357,
H
hostkey
and IPv4 83
configuring 83
enabling 83
fragments 226, 298
supported applications
246
config type 304
delete 331
deleting single-box
examples 211, 280
illustrations 286
mapping 198
279
164
config 306
delete 332
deleting single-box
vs. connecting 208
multi-tool maps
278
N
map-rule
config 305
delete 332
deleting from single-box map
map-rules
adding to maps (single-box)
creating 271
how processed 271
priority with a map 271
name
configuring
278
277
names
modules
CLI settings
341
setting
configuring network settings
85
connecting to tool ports
defined 198
introduced 198
sharing 214
modules
169, 315
effects of replacing 75
GigaVUE-420 63
replacing 75
special considerations 74
MTU
automatic adjustment
for Mgmt port 85
mtu
config
310
216
notational conventions 16
O
offsets
default
238
online help 91
overview
GigaVUE-420
82
21
packet distribution
described 197
getting started
pass-all
modulechange
SNMP trap
182
P
mgmt_port_mtu
config
16
network ports
adding map-rules (single-box) 277
binding to ports 273
creating 266
differences with connections 210
introduced 209
modifying 277
showing 275
single-tool vs. multi-tool 267
vs. connections 208
Mgmt Port
98
nb option 182
maps
maximums
267
vs. single-tool
85
203
and filters 254
config 306
delete 331
deleting 251
in show connect screen 260
matrix 253
rules 252
showing 251
using 250
with connections and maps 213
passive
vs. active
password
ports
68
and maps 273
sharing 214
config 307
default 81, 96
root account 96
port-stats
reset
336
passwords
port-type
pattern matches
post-filters
config 310
setting 199
changing 137
configuring 135
defined 201
vs. pre-filters 220
when to use 221
examples 241
rules 239
syntax 238
pinouts
console cable
pktdrop
SNMP trap
power
359
169, 316
planning configuration 110
port numbering
GigaPORT module
port ownership
config
delete
307
331
config
delete
307
331
port-filter
port-owner
config
delete
port-pair
powerchange
SNMP trap
preface 13
pre-filters
61
169, 315
product names 16
prompt
config system
169, 316
rack-mounting
GigaVUE-420
309, 310
port-params (autoneg)
configuring
310
318
R
307
331
port-params
62
defined 200
vs. post-filters 220
when to use 221
and link status propagation
config 308
delete 331
config
DC
alarm cancel button
66
portlinkchange
SNMP trap
62
power supply
and lock-levels 347
configuring 139
port-alias
DC
power requirements 42
power supplies
69, 309
rad_server
52
delete 332
syntax 153
RADIUS
adding server to GigaVUE-420
configuring users in ACS 159
Radius
152
configuring servers in GigaVUE-420
152
separate from local
radius
command differences vs. local
replacing modules 75
reset
port-stats 336
system 336
reset command 336
356
and lock-level
restore
config 313
RJ45 pinouts 359
root account
password
rootdis
96
config system
319
filter example
245
RSA host keys 89
RTP
rxtxerror
SNMP trap
170, 316
S
safety 52
Sales
contacting 20
contacting 20
sales
save
config 313
saving
config files 177
saving changes 104
security
configuring 133
GigaVUE-420 134
serial settings 80
sessions
simultaneous
setup
initial 95
138
sharing
148
164
network ports 214
tool ports 214
show
hostkeys 337
show command 337
349
and lock-level
show connect 337
show diag 337
show file 337
show filter 337
show log 338
show map-rule 338
show port-filter 338
show port-owner 338
show port-params 338
show port-stats 338
show rad_server 338
show snmp 339
show sntp_server 339
show symbols 339
show syslog_server 339
show system 339
show tac_server 339
show uda 339
show user 339
show whoison 339
showing
connections
filters 243
maps 275
217
simultaneous sessions 138
single-box distribution
compared to cross-box
single-tool maps
vs. multi-tool
SNMP
201
267
adding trap destinations 167
configuring traps 166
enabling GigaVUE-420’s server 172
receiving traps 172
trap events 169
using 165
fanchange 169, 315
firmwarechange 169, 315
modulechange 169, 315
pktdrop 169, 316
portlinkchange 169, 316
powerchange 169, 315
rxtxerror 170, 316
systemreset 170, 316
taptxchange 170, 316
userauthfail 170, 316
snmp_server
314
delete 332
using for time
sntp
config
319
config 316
delete 332
updating
custom banner
subnet masks
bit count
support
GigaVUE-420
speed
CLI
config 317
deleting 332
SNMP trap
99
config
stacking
319
examples
119
stacking ports
323
170, 316
T
tac_server
config
delete
TACACS+
42
advantages 88
and host keys 89
enabling 86
vs. Telnet 86
ssh2
92
syslog_server
systemreset
config port-params
SSH2 138
19
contacting
syntax
102
233
config 318,
reset 336
45
specifications
125
system
sntp_server
software
troubleshooting
startup
snmp_trap
SNTP
118
stacks
SNMP trap
config
and cable length
specifying 119
310
324
332
adding server to GigaVUE-420 149
configuring port ownership for users 157
configuring servers in GigaVUE-420 149
configuring users 156
configuring users in ACS 162
separate from local 148
tacacs+
command differences vs. local
TACACS+ server settings 156
tap connections
configuring
taptx
69
config port-params
taptxchange
SNMP trap 170, 316
310
164
technical support
contacting
telnet
configuring 135
separate for local vs. external
19
using documentation 14
establishing connection 90
simultaneous sessions 138
V
TFTP
VLANs
storing config files 179
uploading config files 179
time
configuring
tool ports
traffic mapping 198
traps
adding destinations 167
configuring 166
GigaVUE-420 events 169
receiving 172
troubleshooting
cross-box stacks 125
vs. maps 208
216
weight
GigaVUE-420
X
x1_bid
config system
setting 117
x2_bid
setting
xbconnect
238
configuration files
user
179
userauthfail
SNMP trap
users
328
332
329
xbmapping
config
xbox
330
configuring
125
configuring
114
xbox stack
xbport-filter
config 327
default 81
delete 332
321
117
config type
delete 332
unpacking GigaVUE-420 51
updating GigaVUE-420 45
upload 340
uploading
42
word help 92
working with maps 263
xbmap
config 326
default offsets
282
W
config
delete
U
uda
selectively forwarding
98
connecting to network ports
defined 198
introduced 198
sharing 214
148
config
330
170, 316