Net Optics Director User's Manual
Contents
1. [Figure 8: Installing Director Network Modules] Install SFP and XFP Monitor port Modules: SFP and XFP modules are shipped separately. Install them as desired in the SFP and XFP slots in the front on the chassis and the two XFP slots in the rear. For each module, remove the temporary plug from the SFP or XFP slot and insert the module until it clicks into place. The photograph on the cover of this Guide shows properly installed SFP and XFP modules. Rack Mount the Director device: Director is designed for rack mounting in a 19-inch rack panel. The panel occupies one rack unit. To rack mount the Director device, simply slide it into the desired rack location and secure it using the four supplied screws. Connect Power to Director: For power fault protection, Director is equipped with redundant power connections. If one power source becomes unavailable due to an interruption in AC power or failure of the power brick, the other power source keeps Director operating normally. If both power sources become unavailable, Director passively keeps all in-line network links open, passing all traffic between the network ports. When power is not available, no data is seen at the Monitor ports. [Figure 9: Connecting redundant power supplies] Supply power to Director using the
2. following table without references e iiieencaesusto 7 IGP Exterior Gateway Protocol any private interior gateway used by Cisco for their IGRP BBN BBN RCC Monitoring RCC MON C up usero mux wumewo DCN DCN Measurement Subsys MEAS tems wwe rosi vonon pw Packet Raa a N N PUP UDP MUX HMP Rop Reiabe Daa Protocol IRTP Internet Reliable Transaction ISO TP4 ISO Transport Protocol Class 4 Lm a 2 Lm a EN x EEN 11 13 14 15 16 19 20 21 22 23 24 25 26 27 28 29 Du Keyword Pro NETBLT Bulk Data Transfer Protocol 31 MFE NSP MFE Network Services Protocol 32 MERIT MERIT Internodal Protocol INP 33 DCCP Datagram Congestion Control Protocol Bla sad Protocol s boe DatsuramDelvery Protocol 38 IDPR IDPR Control Message CMTP Transport Proto TP Transport Protocol 42 SDRP Source Demand Routing Protocol 43 IPv6 Routing Header for IPv6 Route IPv6 Frag Fragment Header for IPv6 45 Inter Domain Routing Pro tocol RSVP Reservation Protocol 47 GRE General Routing Encapsula tion 48 DSR Dynamic Source Routing Protocol Encap Security Payload Authentication Header I NLSP Integrated Net Layer Security TUBA SWIPE IP with Encryption NARP NBMA Address Resolution Protocol i 3dOptics MOBILE IP Mobility TLSP Transport Layer Security Protocol using K
3. Be aware of these similar pairs of commands: filter discard clears the pending filter list, while filter clear clears the CAM; filter list shows the pending filter list, while filter running shows the CAM; filter commit copies the pending filter list to the CAM, while filter sync copies the CAM to the pending filter list. [Figure 45: Pairs of similar filter commands] Filter capacity: The capacity of Director's filtering function is roughly 1,000 filter elements per chassis, where a filter element is a port list or a filter parameter. For example, "filter add in_ports n1 1 n1 7 ip_proto 6 vlan 100 action redir redir_ports m 1 m 5 m 10" has four filter elements: (1) in_ports n1 1 n1 7, (2) ip_proto 6, (3) vlan 100, (4) redir_ports m 1 m 5 m 10. Counting filter elements is only a rough gauge of filter utilization and is not recommended. Instead, examine the pending filter list or CAM contents with the filter list and filter running commands. The filter resource utilization is displayed after the filter list. Warning: User interactions. When multiple users are logged into Director at the same time, each user has a separate pending filter list in which to create filter configurations. However, there is only one CAM, so any time a user execut
4. port show: Displays the current port status and settings.
   Shows a list of filenames of saved Director device configurations (see save command).
   load <filename>. Example: load my_configuration 1. Arguments: <filename> is the name of the file to load (a string; do not include an extension). Loads a previously saved Director configuration (see save command).
   logout: Exits the CLI shell (same as exit and quit). Note: To maintain system security, control is not returned to the command shell.
   passwd: Interactively changes the password of the SSH user account.
   module show: Lists information about Director hardware modules, including system serial number, DNM types, and XFPs.
   reset: Reboots the Director device (also called warm boot; similar to power cycling the device); reloads the default configuration.
   quit: Exits the CLI shell (same as exit and logout). Note: To maintain system security, control is not returned to the command shell.
   save <filename>. Example: save my_configuration 1. Arguments: <filename> is the name of the file where the configuration is saved (a string; do not include an extension). Saves the Director device configuration to a file; saved information includes port set-up and filters.
   show running, show factory, show <filename>. Example: show my_configuration 1. Arguments: running to show the configuration that is currently operating; factory to show the configuration set at the factory; <filename> is
5. User Guide: DIRECTOR Data Monitoring Switch. PLEASE READ THESE LEGAL NOTICES CAREFULLY. By using a Net Optics Director device, you agree to the terms and conditions of usage set forth by Net Optics, Inc. No licenses, express or implied, are granted with respect to any of the technology described in this manual. Net Optics retains all intellectual property rights associated with the technology described in this manual. This manual is intended to assist with installing Net Optics products into your network. Trademarks and Copyrights: 2008 by Net Optics, Inc. Net Optics is a registered trademark of Net Optics, Inc. Director is a trademark of Net Optics, Inc. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged. Additional Information: Net Optics, Inc. reserves the right to make changes in specifications and other information contained in this document without prior notice. Every effort has been made to ensure that the information in this document is accurate. Contents: Chapter 1 Introduction; Key Features; About this Guide; Director Architecture; USB port
6. port. n2 1, n2 2 are an in-line link pair; so are n2 3, n2 4, and so on. m 1, m 2, m 3, ... m 10: Monitor ports. t1 1, t1 2: Configurable 10 Gigabit ports on the front panel. t2 1, t2 2: Configurable 10 Gigabit ports on the rear panel. Most commands accept lists of ports. In port lists, port names are separated by commas, and a dash designates a range. Do not include any space characters in the list; do not put a space after the comma. For example, n1 1 n1 2 n1 3 n1 4 n1 5 n1 10 is a list that includes Network Ports 1 through 10 on DNM 1. When you define a filter, you specify an action to be taken when the filter conditions are met. The action can be either drop or redir (meaning redirect). If the action is drop, then packets which meet the filter criteria are dropped; that is, they are not copied to any Monitor port. If the action is redir, then packets which meet the filter criteria are copied to all Monitor ports listed in the redir_ports <portlist> argument. Copy Traffic From Any Network Port to Any Monitor Port: Director can be used like a Matrix Switch to direct traffic from any Network port to any Monitor port. To create a simple switch connection, use a filter add command without specifying any filters. The filter add command creates pending filters, including switch settings; they are not activated until a filter commit command is executed. Any number of filter add commands may be
7. power supplies and all cables that are provided. Director is delivered with the following: 1 Director device; 2 power cords; Director Quick Install Guide (one sheet); 1 CD containing the Director User Guide (this document); Network and monitor cables; RS-232 DB9 cable for use with the CLI; Extended Warranty, if purchased. Check the packing slip against parts received. If any component is missing or damaged, contact Net Optics Customer Service immediately at 1 408 737 7777. Note: XFP modules are ordered and shipped separately. Install Director Network Modules: If the Director Network Modules (DNMs) are not already installed when you receive the unit, install them by sliding them into the DNM slots in the front panel. If there is a plate covering the DNM slot, remove it by unscrewing two thumb screws and then install the DNM module. The DNM circuit boards ride in the rails provided in the slots. Push in the DNM firmly until you feel the connectors mate and the bezel is flush with the front panel, but do not force them. If you encounter resistance, withdraw the module and try again, making sure to align the circuit board in the rails and slide the module straight in. When the DNM is fully seated, fasten it to the front panel with the two captured thumbscrews. If you are only using a single DNM, it should be installed in the left slot (Slot 1).
8. 1 associated with Manager IP Address. All ports enabled. A complete list of CLI commands can be viewed by typing Help at the CLI prompt. It is also provided in Appendix B. You will now use the CLI to: change the login password; assign a new IP Address, Netmask, and Gateway IP Addresses; assign a new remote manager IP Address; change port modes; set the date and time; save and load Director configurations. Try out the CLI Help command: Your CLI screen should be displaying the Net Optics prompt as shown here: Net Optics>. If you do not see the Net Optics> prompt, try typing Help followed by the Enter key. If the prompt is still not displayed, repeat the instructions in the preceding section (Connect the local CLI Interface or Connect the remote CLI Interface) and log in again. Change Director Password: It is strongly recommended that you change the login password from the default to provide security against unauthorized access. To change the login password: 1. Enter "user mod name admin pw <new password> priv 1". The password is changed. 2. Record the new password in a secure location. If you wish to change the user name, use the user add command to create a new user account under that name. You can use the user del command to delete the admin account if you wish. Assign a New Director IP Address, Netmask, and Gateway IP Address: If you are using the local RS-232 serial
9. 3. Enter "filter commit". The filters are activated. [Figure 32: Configurable 10 Gigabit XFP ports used as Monitor ports with aggregation] To use one XFP port as a Span port and the other XFP port as a Monitor port: 1. Enter "filter add in_ports t1 1 ip_proto 6 action redir redir_ports m 1". A filter has been defined to select all IPv4 TCP packets from 10 Gigabit Port 1 1 and copy them to Monitor Port 1. 10 Gigabit XFP Port 1 1 is configured as a Span port. 2. Enter "filter add in_ports n1 11 action redir redir_ports t1 2". A filter has been defined to copy all the traffic from 1 Gigabit Network Port 11 to 10 Gigabit Port 1 2. 10 Gigabit XFP Port 1 2 is configured as a Monitor port. 3. Enter "filter commit". The filters are activated. [Figure 33: Configurable 10 Gigabit XFP ports used as one Span port and one Monitor port] Understand filter interactions: It is important to understan
10. [Figure 35: Incorrect flow diagram of two filters; filter interaction in CAM is neglected. Commands shown: "filter add in_ports n1 5 ip_src 192.186.10.0 action redir redir_ports m 1" and "filter add in_ports n1 5 ip_proto 6 action redir redir_ports m 2"] Have we achieved our goal of sending all the TCP traffic to Monitor Port 2? Not quite. What happens when a TCP packet arrives from 192.186.10.0? It matches the filter at CAM address 1, so it is copied to Monitor Port 1. But that is all that happens; it does not go to Monitor Port 2. The flow is correctly shown in the following diagram. [Figure 36: Correct flow diagram for two interacting filters] To achieve the desired result of sending all TCP traffic to Monitor Port 2, clear the existing filters (filter discard command) and create three new filters by entering: "filter add in_ports n1 5 ip_src 192.186.10.0 ip_proto 6 action redir redir_ports m 1 m 2"; "filter add in_ports n1 5 ip_src 192.186.10.0 action redir redir_ports m 1"; filter add in_
11. Number / Description:
   DNM 100: 6 Port 10/100/1000 Copper In-Line Module
   DNM 110: 12 Port 10/100/1000 Copper Span Module
   DNM 200: 6 Port Gigabit SX Fiber 62.5um In-Line Module
   DNM 210: 12 Port Gigabit SX Fiber 62.5um Span Module
   DNM 220: 6 Port Gigabit SX Fiber 50um In-Line Module
   DNM 230: 12 Port Gigabit SX Fiber 50um Span Module
   DNM 300: 6 Port Gigabit LX Fiber In-Line Module
   DNM 310: 12 Port Gigabit LX Fiber Span Module
   DNM 320: 6 Port Gigabit ZX Fiber In-Line Module
   DNM 330: 12 Port Gigabit ZX Fiber Span Module
   Director Architecture: The following diagram shows a schematic view of the architecture of the Director device, shown as a Matrix Switch with filtering. The black dots indicate aggregating Matrix Switch connections between Network Ports and Monitor Ports. [Figure 1: Director internal architecture. Labels: DNM with 6 in-line network ports; DNM with 12 Span or out-of-band network ports; four configurable 10GbE XFP ports; 10 SFP monitor ports; filters. Key: Network or Span port; Monitor Port; aggregating switch connection; alternate configurations for 10 GbE XFP ports] Director can be viewed as a matrix switch with up to 28 inputs or Network por
12. TBA. Change Port Modes: To change the port mode: 1. Enter "port set ports <portlist> autoneg <on|off> speed <10|100|1000> duplex <full|half>" to set the mode of a 10/100/1000 Copper port. Example: Enter "port set ports n1 5 autoneg off speed 100" to set Network Port 5 in DNM 1 to 100Mbps fixed speed. Duplex mode is left in its default state of full duplex. 2. Repeat Step 1 as desired for ports n1 2 to n1 12, n2 1 to n2 12, m 1 to m 12, and t1 1 to t2 2; this procedure only affects 10/100/1000 Copper ports. You can change the modes of multiple ports in a single command by specifying the ports in the portlist. Use a comma to separate items in the list, and use a dash to indicate a range. For example, this portlist includes the first three ports in DNM 1 and the first port in DNM 2: ports n1 1 n1 3 n2 1. Set the Current Date and Time: Director maintains a time-of-day clock which is used to record the time of traffic peak utilization events. Time is based on the 24-hour clock. The clock must be initialized using the CLI or another management tool. To change the current date and time: 1. Enter time hh mm ss, where hh is hour, mm is minutes, and ss is seconds. 2. Enter date mm dd yyyy, where mm is month, dd is day of the month, and yyyy is year. Example: time 12 20 00, date 06 24 2008. Save and Load Director Configurations: The entire configuration of Director, includi
13. command must be executed to activate the filters. This mechanism enables an interrelated group of filters to be activated simultaneously. It also allows you to double-check your filter definitions before you activate them. The commit command also rewrites the default Director configuration (the defaultcfg file), while filter commit does not. Note that IPv6 and IPv4 filters are maintained separately. It is important to include the ipv6zy argument when dealing with IPv6 filters and omit it when dealing with IPv4 filters. It is also important to note that packets are filtered using a Content Addressable Memory, or CAM. Each filter is a CAM entry, and the CAM is filled in the order that the filter add commands are entered. Filter ins commands create filters in specific locations in the CAM. When a packet is processed, the first filter in the CAM that matches the packet is the only filter that is activated. Each packet can activate exactly zero or one filters. See Understand filter interactions near the end of Chapter 3 for examples. All supported filter qualifiers are shown in the table on the following page.
   Filter Parameters (parameter, value, example, description):
   ip_dst_mask: IPv4 address mask; example ip_dst_mask 255.255.255.0; Mask for IPv4 destination address
   ip6_src: IPv6 address; example ip6_src 1234:5678:9abc:def0:1234:5678:9abc:def0; IPv6 source address
   ip6_src_mask: IPv6 address mask; example ip6_src_mask; Mask for IPv6
14. issued prior to executing the filter commit command. Other CLI commands may be executed between the filter add commands as well. Note: The filter commit command is similar to the commit command. However, filter commit activates the new filter in a dynamic fashion; when Director is reset, the default filters are restored and the new filter is lost. When a commit command is executed, the new filter is activated AND it is stored as the new default configuration, so it survives a Director reset. To monitor Network Port 1 on Monitor Port 2 and Network Port 3 on Monitor Port 1: 1. Enter "filter add in_ports n1 1 action redir redir_ports m 2". The switch connection is pending. 2. Enter "filter add in_ports n1 3 action redir redir_ports m 1". The switch connection is pending. 3. Enter "filter commit". The switch connection is activated. [Figure 22: Matrix switch connections] Aggregate Traffic From Any Set of Network Ports to Any Monitor Port: Director can be used like a Port Aggregator or a Link Aggregator, copying traffic from multiple Network ports to any Monitor port. The filter add command is again used to do this. The only difference from using the command to connect a single Network port to a single Monitor port is that a list of Network ports is specif
15. ports: 1. Enter "filter add in_ports t1 1 ip_proto 6 action redir redir_ports m 1". A filter has been defined to select all IPv4 TCP packets from 10 Gigabit Port 1 1 and copy them to Monitor Port 1. 2. Enter "filter add in_ports t1 1 ip_proto 17 action redir redir_ports m 2". A filter has been defined to select all IPv4 UDP packets from 10 Gigabit Port 1 1 and copy them to Monitor Port 2. 3. Enter "filter add in_ports t1 2 action redir redir_ports m 3". A filter has been defined to copy all traffic from 10 Gigabit Port 1 2 to Monitor Port 3. 4. Enter "filter commit". The filters are activated. [Figure 31: Configurable 10 Gigabit XFP ports used as Network ports] To use both front panel XFP ports as Monitor ports: 1. Enter "filter add in_ports n1 1 n1 4 action redir redir_ports t1 1". A filter has been defined to aggregate the traffic from the first four 1 Gigabit Network Ports and copy the aggregated traffic to 10 Gigabit Port 1 1. 2. Enter "filter add in_ports n1 11 action redir redir_ports t1 2". A filter has been defined to copy all the traffic from 1 Gigabit Network Port 11 to 10 Gigabit Port 1 2.
16. power cords that were included with the unit. If you plan to use redundant power, make sure that you connect the power supplies to two separate, independent power sources for maximum protection. One or both Front Panel Power LEDs are illuminated, depending on whether you used one power supply or two. Connect the local CLI Interface: All configuration options, filters, and status can be accessed using the Director Command Line Interface (CLI). You can run the CLI locally over the RS-232 serial port or remotely over the Management port. If you choose to run the CLI locally, connect a DB9 cable from the RS-232 port on the back of the Director chassis to your computer; the computer needs to have terminal emulation software such as HyperTerminal to access the Director CLI. To connect the CLI for local use over the RS-232 serial port: 1. Connect a PC with terminal emulation software such as HyperTerminal, or a Linux workstation running minicom, to Director using the RS-232 DB9 cable supplied with Director. [Figure 10: Connecting RS-232 Cable to Director] 2. Launch terminal emulation software and set communication parameters to: 115200 baud, 8 data bits, No parity, 1 stop bit, No flow control. The Net Op
17. redir redir_ports m 3 m 5. The regeneration connection is pending. 2. Enter "filter commit". The regeneration connection is activated. [Figure 24: Traffic regeneration, Network Port 1 to Monitor Ports 3, 4, and 5] To aggregate traffic from Network Port 10 and Network Port 11 and regenerate the resulting stream to Monitor Ports 9 and 10: 1. Enter "filter add in_ports n1 10 n1 11 action redir redir_ports m 9 m 10". The aggregation regeneration connection is pending. 2. Enter "filter commit". The aggregation regeneration connection is activated. [Figure 25: Combined aggregation and regeneration] Create Filters: Filters process a traffic stream by selecting packets based on criteria in the packet header. A filter is defined using a filter add command, which also specifies the Network ports and Monitor ports the filters apply to. The filter add command specifies the following behavior: Traffic is aggregated from all the listed Network ports. Then the filter parameters are applied. Packets which match all of the specified filter parameters are copied to all of the listed Monitor ports (assuming the action redir). If the action drop, the matching packets are not copi
18. source address
   ip6_dst: IPv6 address; example ip6_dst 1234 5678 9abc; IPv6 destination address
   ip6_dst_mask: IPv6 address mask; example ip6_dst_mask; Mask for IPv6 destination address
   l4_src_port: example l4_src_port 80; Layer 4 source port
   l4_src_port_mask: Port mask; example l4_src_port_mask ffff; Mask for Layer 4 source port
   l4_dst_port: example l4_dst_port 80; Layer 4 destination port
   l4_dst_port_mask: Port mask; example l4_dst_port_mask fff0; Mask for Layer 4 destination port
   mac_src: MAC address; example mac_src 01 23 45 67 89 ab; MAC source address
   mac_src_mask: MAC address mask; example mac_src_mask ff ff ff ff ff ff; Mask for MAC source address
   mac_dst: MAC address; example mac_dst 11 22 33 44 55 66; MAC destination address
   mac_dst_mask: MAC address mask; example mac_dst_mask ff ff ff ff ff 00; Mask for MAC destination address
   vlan: VLAN number; example vlan 128; VLAN
   See Appendix C for a complete list of protocol numbers. Some common protocols include (Number, Keyword, Protocol):
   1 ICMP Internet Control Message Protocol
   2 IGMP Internet Group Message Protocol
   6 TCP Transmission Control Protocol
   17 UDP User Datagram Protocol
   89 OSPF Open Shortest Path First
   132 SCTP Stream Control Transmission Protocol
   Appendix C: Protocol Numbers. The official Assigned Internet Protocol Numbers list is maintained by the Internet Assigned Numbers Authority and can be found at http://www.iana.org/assignments/protocol-numbers. The list as of April 18, 2008 is reproduced in the
19. the name of a saved configuration file to display (a string; do not include an extension). Displays the contents of the specified configuration or saved configuration file (see save command).
   Sub-Command, Arguments, Example and description:
   stats clear ports all|<portlist>. Example: stats clear ports all. Clears RMON statistics for the designated ports.
   stats show ports all|<portlist>. Example: stats show ports m 2 n1 4. Displays RMON statistics for the designated ports.
   sysip commit. Example: sysip commit. Activates pending changes defined with sysip set.
   sysip discard. Example: sysip discard. Clears any pending changes defined with sysip set.
   sysip set ipaddr <address> mask <netmask> gw <gateway>. Example: sysip set ipaddr 192.168.1.2 mask 255.255.0.0. Arguments: <address> is the IP address (default 192.168.1.2); <mask> is the netmask (default 255.0.0.0); <gateway> is the gateway IP address (default 192.168.1.1). Note: All three arguments are required. Sets the Director IP address, netmask, and gateway IP address; requires a sysip commit command to activate the new settings.
   sysip show. Example: sysip show. Displays the current Director IP address information as well as any pending IP address information that was set with a sysip set command.
   upgrade, user: This command is only available at root level. srvip <svrip> user <username> pw <passwd> file <filename> No
20. Director Management; Typical Applications; In-line Monitoring of 10 Gigabit Links; Director Front Panel; Director Rear Panel. Chapter 2 Installing Director: Plan the Installation; Unpack and Inspect the Director device; Install Director Network Modules; Install SFP and XFP Monitor port Modules; Rack Mount the Director device; Connect Power to Director; Connect the local CLI Interface; Connect the remote CLI Interface; Log into the CLI; Configure Director using the CLI; Using the CLI Command History Buffer; Connect Span Ports to Director
21. 0 Copper Network.
   Configuration (CLI) Port: (1) RS-232 DB9. USB Port: (1) Reserved for future functionality. Power: (2) AC universal.
   Electrical Interface: Power 100-240VAC, 2A, 47-63Hz; Japan 100-125VAC, 120 VA, 50-60Hz; 48VDC available.
   Indicators: All ports: Link LEDs with speed indication on Copper ports. All ports: Activity LEDs. (1) Alarm LED. (2) Power LEDs.
   Performance: Hardware throughput: 74Gbps. TapFlow Smart filtering: More than 1,000 filter elements per chassis; filter by IP source address, IP destination address, MAC source address, MAC destination address, source port, destination port, protocol, network port or port group, VLAN. RMON statistics for each Network and Monitor port: Current utilization, peak utilization, peak time, total packets, total bytes, CRC errors, collision packets. Internal disk drive: 2.5 inch SATA, 30 Gigabyte, 5400 RPM.
   Software: Net Optics Web Manager, compatible with all major Web browsers. Net Optics System Manager, compatible with Windows XP, Windows 2000, and Windows 98. SNMP v3 support.
   Director Specifications: DNM. Copper Interface: (12) RJ45 Network Ports, 10/100/1000Mbps; 6 In-line links or 12 Span ports, depending on model; 22-24 AWG unshielded twisted pair cable, CAT5e or better recommended. Fiber Optic Interface: (12) Gigabit SX, LX, or ZX Network Ports, LC type; 6 In-line links or 12 Span ports, depending on model. Fiber Types: Corning Multimod
22. 0000 l4 src port 0000 l4 dst port 0000 vLan 0000 action redir in ports t1 02 redir ports t1 01
   Filter 3: src mac 00 00 00 00 00 00 dst mac 00 00 00 00 00 00 src ip 0 0 0 0 255 255 255 255 dst ip 0 0 0 0 255 255 255 255 ip proto 0000 l4 src port 0000 l4 dst port 0000 vLan 0000 action redir in ports n1 01 n1 02 n1 03 n1 04 redir_ports m 01 m 10
   IPv4 filter resource utilization 2
   Net Optics>
   [Figure 30: Filter list command] The ID number (Filter) shown above each filter in the filter list is the ID that applies for filter del id <id> and filter ins id <id> commands, because all three commands act on the pending filter list. Do not use the IDs in a filter running list as the reference for filter del or filter ins commands. Work with configurable 10 Gigabit ports: The two configurable 10 Gigabit XFP ports on the front panel are designated t1 1 on the left and t1 2 on the right, and the two on the rear panel are t2 1 on the left and t2 2 on the right. They can be used in Network port lists and Monitor port lists. The 10 Gigabit ports are configured for Network or Monitor as required by the filter add commands you enter. Some examples follow. If separate filter add commands require different configurations for the same XFP port, the port is configured as required for the command that was entered last. To use both front panel XFP ports as Network
23. In-line DNM models support 6 in-line links, while Span DNM models support 12 Span ports. The diagram shows one in-line and one Span DNM. Both in-line and Span DNMs are available with either Copper or SX, LX, or ZX Fiber interfaces. Different DNM types can be mixed in the same chassis; for example, one in-line Copper DNM and one Span Fiber DNM. The modules are hot-pluggable for easy serviceability. One or both DNM slots can be populated. The DNM slots are numbered 1 for the slot on the left and 2 for the slot on the right. If only one slot is populated, it should be slot 1. The four configurable 10 Gigabit XFP ports are shown in the first four columns and last four rows of the diagram. The four dark black rows indicate that all four ports are configured as Span inputs. The four dimmed columns indicate that the ports can alternately be configured as Monitor ports. The four ports may be configured as: Both Span; Both Monitor; One Span and one Monitor. In addition, the two 10 Gigabit ports on the back of the chassis (t2 1, t2 2) can be used as uplink ports to daisy-chain chassis for expansion. USB port: A USB port located on the back is reserved for future functionality. Director Management: Director can be configured and managed using a command line interface (CLI) that will be familiar to most network administrators. The CLI runs locally over an RS-232 serial port or remotely over a secure SSH connection. Net Optics GUI-based Indigo managemen
24. In-line Monitoring of 10 Gigabit Links: To create an in-line link on a 10 Gigabit network segment, use an external network Tap. Figure 4 shows an LC Fiber Tap being used to send two half-duplex data streams to two 10 Gigabit Director ports. This configuration creates a fully passive, secure in-line Tap for the 10 Gigabit network link. It is capable of transferring up to 20 Gbps of total traffic from the full-duplex link to Director. [Figure 4: 10 Gigabit in-line network connection using a network Tap] Figure 5 shows a 10 GigaBit Port Aggregator Tap being used to combine the traffic moving in both directions on a full-duplex 10 Gigabit link and send the resulting traffic stream to a single 10 Gigabit Director port. This Tap is also fully passive and secure. The aggregated traffic from both directions on the link should be less than 10 Gbps; otherwise it will exceed the capacity of the Port Aggregator's monitor port and packets may be dropped. However, this should not be a problem in most cases, because network links typically operate at 30 percent or less capacity to prevent congestion. [Figure 5: 10 Gigabit in-line network connection using a Port Aggregator Tap] Director Front Panel: The features of the Director front panel are shown in the following diagram.
25. Figure 6: Director Front Panel

Monitor Port LEDs

Each Monitor port has two light emitting diode (LED) indicators. The Link LED is illuminated when a link is established. The Activity LED blinks when traffic is passing through the port. They are located in the middle, between the two rows of SFPs.

DNM Network Port LEDs

Each 10/100/1000 Network or Span port has two LEDs. The Link LED is illuminated when a link is established. The Activity LED blinks when traffic is passing through the port. The Link LED also indicates the link speed: amber for 10Mbps, yellow for 100Mbps, and green for 1000Mbps (1 Gbps). They are integrated in the RJ-45 connectors, Link on the left and Activity on the right.

Each 1 Gigabit Fiber Network or Span port has a single LED. It illuminates solid when a link is established, and it flashes when traffic is passing through the port. These Link LEDs are located below the LC fiber connectors.

10 Gigabit Port LEDs

Each configurable 10 Gigabit port has a single LED. It illuminates solid when a link is established, and it flashes when traffic is passing through the port. These Link LEDs are located to the left of
26. MAGES INCURRED BY THE USE OF THE PRODUCTS (INCLUDING BOTH HARDWARE AND SOFTWARE) DESCRIBED IN THIS MANUAL, OR BY ANY DEFECT OR INACCURACY IN THIS MANUAL ITSELF. THIS INCLUDES BUT IS NOT LIMITED TO LOST PROFITS, LOST SAVINGS, AND ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING FROM THE USE OR INABILITY TO USE THIS PRODUCT, even if Net Optics has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you.

Net Optics, Inc. warrants this Tap to be in good working order for a period of ONE YEAR from the date of purchase from Net Optics or an authorized Net Optics reseller. Should the unit fail anytime during the said ONE YEAR period, Net Optics will, at its discretion, repair or replace the product. This warranty is limited to defects in workmanship and materials and does not cover damage from accident, disaster, misuse, abuse, or unauthorized modifications.

If you have a problem and require service, please call the number listed at the end of this section and speak with our technical service personnel. They may provide you with an RMA number, which must accompany any returned product. Return the product in its original shipping container (or equivalent), insured and with proof of purchase.

Additional Information

Net Optics, Inc. reserves the right to make changes in specification
27. Network Port 1 to Monitor Port 1 and places this filter in the second location in the pending filter list.

The filter del command can be used to delete a filter from the pending filter list. The syntax is:

    filter del id=<id>

where id is a decimal number in the range 1 to 999 corresponding to the position in the pending filter list. Use the filter list command to see the IDs of all pending filters.

Exclusive filters

Filters can be specified using action=drop in order to create exclusive filters. An exclusive filter excludes packets rather than including them. For example, suppose you would like to monitor all traffic on a link except for the UDP traffic. To specify this filter, use the following commands. Note that the drop filter must come first, so it is earlier in the CAM.

    filter add in_ports=n1.1 ip_proto=17 action=drop
    filter add in_ports=n1.1 action=redir redir_ports=m.1
    filter commit

Figure 38: Creating an exclusive filter

If you only define switch connections with no filtering, the CAM is not involved and the switches do not interact. Filters that use exclusive sets of Network ports (each Network port is included in only a single filter) do not interact. For example fil
28. Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013. Net Optics, Inc., 5303 Betsy Ross Drive, Santa Clara, California 95054 USA, 1 408 737 7777

Figure 14: Shell login as customer (password netoptics is not displayed)

Log into the CLI

Each Director maintains a list of accounts for users authorized for access to that particular Director. The default account for new systems is User Name: admin and Password: netoptics.

To log into the CLI:
1. Enter the user name. The default user name is admin. The Enter Password prompt is displayed.
2. Enter the password. The default password is netoptics. For security, the password is not displayed as you type it. The CLI prompt is displayed.

Figure 15: Logging into the CLI

Configure Director using the CLI

You should be logged into the Director CLI. The factory-set default values for Director are:

Username: admin
Password: netoptics
IP Address: 10.60.4.180 (address for remote CLI and for Indigo manager software when available)
Netmask: 255.0.0.0 (associated with IP Address)
Manager IP Address: 192.168.1.2 (address for SNMP traps)
Gateway IP Address: 10.0.0
29. any CLI command Displays information about the specified CLI command if command is omitted displays a list of all CLI commands history Displays a numbered list of previously executed CLI commands any command can be executed directly by entering the command number preceded by an exclamation point up and down arrow keys can be used to scroll through the command history buffer see command 45 A MAiOptics Sub Command Arguments Example and description Sub Command image lt 1 2 gt image 2 Arguments Valid values are 1 and 2 Chooses which system image to boot from see upgrade command show image show Lists the names of both system images and indicates which one is running and which one is selected to boot from arrow next to image name LU list i passwd This command is only available at root level i lt address gt ping 10 1 1 4 Arguments lt address gt is an IP address Pings the specified IP address to check for connectivity port set ports lt portlist gt port set n1 1 n1 3 autoneg on duplex full autoneg lt on off gt Arguments duplex lt full half gt lt portllist gt is a portlist speed lt 10 100 1000 gt For other arguments select a value from the listed choices For 10 100 100 Copper interface Network and Moni tor ports enables or disables autonegotiation selects the duplex mode and sets the fixed speed 10Mbps 100Mbps or 1000Mbps if autonegotiation is off
30. ation: Each Director chassis supports up to 12 in-line network links or 28 Span ports. For monitoring, up to 14 ports are provided. Network and Span ports can be aggregated and regenerated to output ports in almost any combination.

Modular design: Director is modular to provide configuration flexibility. Director Network Modules (DNMs) support SX (multi-mode) and LX (single-mode) fiber links and 10/100/1000 Copper links. Each DNM provides either 6 in-line network links or 12 Span ports. The Director Chassis includes two DNM slots; they can be populated with the same or different DNM types. Ten 1 Gigabit Monitor ports are SFP-based, accepting any mix of Copper, SX, and LX interface modules. Four 10 Gigabit ports are XFP-based, accepting SR, LR, and ER interface modules.

Flexible 10 Gigabit support: Four 10 Gigabit ports can be configured as Network, Span, or Monitor ports. They can be configured for the same or different functions. Traffic from multiple 1 Gigabit Network or Span ports can be aggregated to a 10 Gigabit Monitor port. Conversely, traffic from a 10 Gigabit Network or Span port can be disaggregated to multiple 1 Gigabit Monitor ports through appropriate filtering. For example, traffic from different IP address ranges could be directed to separate Monitor ports.

Expandable: Two 10 Gigabit ports on the rear of the unit enable daisy-chaining up to ten Director chassis to expand the number of available ports, for a total of 380
31. ction

A logical OR connection can be made between filters by specifying multiple filters with the same network and monitor port lists.

To select all packets which are either TCP or UDP protocol:
1. Enter filter add in_ports=n1.5 ip_proto=6 action=redir redir_ports=m.1
   A filter has been defined to select all IPv4 TCP packets from Network Port 5 and copy them to Monitor Port 1.
2. Enter filter add in_ports=n1.5 ip_proto=17 action=redir redir_ports=m.1
   Another filter has been defined to select all IPv4 UDP packets from Network Port 5 and copy them to Monitor Port 1.
3. Enter filter commit
   The filters are activated.

Figure 29: Logical OR filter connection

View filters

To view a list of all pending filters, enter filter list. To view the active filters, enter filter running.

    Net Optics> filter list
    Filter 1
      src_mac 00:00:00:00:00:00  dst_mac 00:00:00:00:00:00
      src_ip 0.0.0.0 255.255.255.255  dst_ip 0.0.0.0 255.255.255.255
      ip_proto 0000  l4_src_port 0000  l4_dst_port 0000  vlan 0000
      action redir  in_ports t1.01  redir_ports t1.02
    Filter 2
      src_mac 00:00:00:00:00:00  dst_mac 00:00:00:00:00:00
      src_ip 0.0.0.0 255.255.255.255  dst_ip 0.0.0.0 255.255.255.255
      ip_proto
32. d that Director uses Content Addressable Memory (CAM) technology to implement filters. As each filter is defined, it is stored in the next available entry in the CAM. Each packet header is compared in the CAM, and the CAM returns the index of the first filter that the packet header matched. That filter, and only that filter, controls which monitoring ports receive a copy of the packet. Other filters are not executed for that packet. Therefore, filters are not completely independent; one filter can affect the operation of another.

Let's walk through an example of a filter interaction that may be unexpected. First, we will set up a filter for an IP address:

    filter add in_ports=n1.5 ip_src=192.186.10.0 action=redir redir_ports=m.1
    filter commit

Figure 34: A simple IP address filter (shown with CAM)

All traffic from Network Port 5 that comes from IP address 192.186.10.0 matches the first CAM entry and therefore is copied to Monitor Port 1. Next, suppose we want another monitoring tool to see all the TCP traffic from Network Port 5, so we set up this filter:

    filter add in_ports=n1.5 ip_proto=6 action=redir redir_ports=m.2
    filter commit
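The first-match behaviour described above, and the reason the manual's exclusive-filter section puts the drop filter first, can be checked with a small model. This is an added example, not Net Optics code: the `Filter` class, `lookup`, `shadowed_entries` and the sample packets are constructed for illustration, and treating an `ip_src` given without a mask as an exact match is an assumption.

```python
"""Model of first-match CAM filtering (illustrative; not Director firmware)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

TCP, UDP = 6, 17  # IP protocol numbers used in the manual's examples


def _ip(addr: str) -> int:
    return int(IPv4Address(addr))


@dataclass(frozen=True)
class Filter:
    in_ports: frozenset
    action: str                               # "redir" or "drop"
    redir_ports: frozenset = frozenset()
    ip_proto: Optional[int] = None            # None = qualifier not given
    ip_src: Optional[str] = None
    ip_src_mask: str = "255.255.255.255"      # assumption: no mask = exact match

    def matches(self, pkt: dict) -> bool:
        """Every qualifier that is present must match (logical AND)."""
        if pkt["in_port"] not in self.in_ports:
            return False
        if self.ip_proto is not None and pkt["ip_proto"] != self.ip_proto:
            return False
        if self.ip_src is not None:
            mask = _ip(self.ip_src_mask)      # 0 bits in the mask are ignored
            if _ip(pkt["ip_src"]) & mask != _ip(self.ip_src) & mask:
                return False
        return True


def lookup(cam: list, pkt: dict):
    """Return (1-based index of the first matching entry, ports that get a copy)."""
    for index, flt in enumerate(cam, start=1):
        if flt.matches(pkt):
            ports = flt.redir_ports if flt.action == "redir" else frozenset()
            return index, ports
    return None, frozenset()


def shadowed_entries(cam: list, pkt: dict) -> list:
    """Indices of later entries that also match pkt but never act on it."""
    winner, _ = lookup(cam, pkt)
    if winner is None:
        return []
    return [i for i, flt in enumerate(cam, start=1)
            if i > winner and flt.matches(pkt)]


N1, N5 = frozenset({"n1.1"}), frozenset({"n1.5"})

# The two filters from the interaction walkthrough, in CAM order.
INTERACTION_CAM = [
    Filter(N5, "redir", frozenset({"m.1"}), ip_src="192.186.10.0"),
    Filter(N5, "redir", frozenset({"m.2"}), ip_proto=TCP),
]
# The exclusive filter: drop UDP first, then copy everything else to m.1.
EXCLUSIVE_CAM = [
    Filter(N1, "drop", ip_proto=UDP),
    Filter(N1, "redir", frozenset({"m.1"})),
]
REVERSED_CAM = list(reversed(EXCLUSIVE_CAM))  # the ordering the manual warns against

# Constructed sample packets (header fields only).
TCP_FROM_HOST = {"in_port": "n1.5", "ip_src": "192.186.10.0", "ip_proto": TCP}
TCP_OTHER = {"in_port": "n1.5", "ip_src": "10.9.8.7", "ip_proto": TCP}
UDP_ON_N1 = {"in_port": "n1.1", "ip_src": "10.9.8.7", "ip_proto": UDP}

if __name__ == "__main__":
    cases = [("interaction", INTERACTION_CAM, TCP_FROM_HOST),
             ("interaction", INTERACTION_CAM, TCP_OTHER),
             ("drop first", EXCLUSIVE_CAM, UDP_ON_N1),
             ("drop last", REVERSED_CAM, UDP_ON_N1)]
    for name, cam, pkt in cases:
        index, ports = lookup(cam, pkt)
        print(f"{name}: entry {index} wins, copies to {sorted(ports)}, "
              f"shadowed entries {shadowed_entries(cam, pkt)}")
```

In this model the tool on m.2 never sees TCP packets sourced from 192.186.10.0, because entry 1 claims them; running `shadowed_entries` over representative packets is one way to find such monitoring gaps before a filter set is committed.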
33. e
Filter parameters
Appendix C: Protocol Numbers
Limitations on Warranty and Liability

Chapter 1: Introduction

Net Optics Director is a key component for building a comprehensive, consolidated monitoring infrastructure for both network management and security. It extends the range of visibility for data monitoring across converged data and digital voice networks, while eliminating monitoring port contention and minimizing the number of tools needed to optimally manage the network.

A single Director device enables you to tap into multiple network links and direct their traffic to multiple monitoring ports. It includes aggregation and regeneration functions, so the link-to-monitor-port mapping can be one-to-one, one-to-many, many-to-one, or many-to-many. In addition, it provides filtering. Each Monitor port can be programmed to receive only traffic meeting user-defined filter criteria based on protocol, source and destination addresses, and other criteria. This filtering capability enables specific types of traffic, such as voice over IP (VoIP), to be directed to particular monitoring tools.

Matrix switching, aggregation, and regener
34. e 62.5/125um, Corning Multimode 50/125um, Corning Singlemode 8.5/125um

Transceiver:
SX GigaBit: 850nm VCSEL (supports 62.5/125um)
SX GigaBit: 850nm VCSEL (supports 50/125um)
LX GigaBit: 1310nm laser (supports 8.5/125um)
ZX GigaBit: 1550nm laser (supports 8.5/125um)

Safety: Class 1 eye-safe laser emitter type; conforms to the applicable requirements per US 21 CFR (J) and EN 60825-1, also UL 1950 applications.

Environmental
Operating Temperature: 0 C to 55 C
Storage Temperature: 10 C to 70 C
Relative Humidity: 10% min, 95% max, non-condensing

Certifications
FCC, CE, FCC, VCCI, C-Tick, and WEEE certified. Fully RoHS compliant.

Available Models

Main Chassis
DIR 3400: Director Main Chassis with 10 SFP monitor ports
DIR 7400: Director Main Chassis with 10 SFP monitor ports, 2 XFP 10GbE ports, 2 XFP uplink ports

DNMs
DNM 100: 6 Port 10/100/1000 Copper In-Line Module
DNM 110: 12 Port 10/100/1000 Copper Span Module
DNM 200: 6 Port Gigabit SX Fiber 62.5um In-Line Module
DNM 210: 12 Port Gigabit SX Fiber 62.5um Span Module
DNM 220: 6 Port Gigabit SX Fiber 50um In-Line Module
DNM 230: 12 Port Gigabit SX Fiber 50um Span Module
DNM 300: 6 Port Gigabit LX Fiber In-Line Module
DNM 310: 12 Port Gigabit LX Fiber Span Module
DNM 320: 6 Port Gigabit ZX Fiber In-Line Module
DNM 330: 12 Port Gigabit ZX Fiber Span Module

Appendix B: Command Line Interface

The command line i
35. Connect Director With In-line Network Links
Connect Monitoring Tools to Director
Configure a Matrix Switch connection in Director
Check the Installation

Chapter 3: Configuring Filters Using the CLI
Copy Traffic From Any Network Port to Any Monitor Port
Aggregate Traffic From Any Set of Network Ports to Any Monitor Port
Regenerate Traffic to Any Set of Monitor Ports
Create Filters
Create Complex Filters
View filters
Work with configurable 10 Gigabit ports
Understand filter interactions
Understand pending and active filters

Chapter 4: Daisy-chaining Multiple Director Chassis

Appendix A: Director Specifications

Appendix B: Command Line Interfac
36. ed to any Monitor port; this mechanism is used to create exclusive filters.

To send Monitor Port 1 all traffic received at Network Port 5 from IP addresses 192.168.10.0 to 192.168.10.15:
1. Enter filter add in_ports=n1.5 ip_src=192.168.10.0 ip_src_mask=255.255.255.240 action=redir redir_ports=m.1
   A filter has been defined to select all IPv4 packets from Network Port 5 with a source IP address of 192.168.10.0 and the lowest four address bits masked out (ignored); packets matching the filter are copied to Monitor Port 1.
2. Enter filter commit
   The filter is activated.

Figure 26: Simple IP address filter

To create a filter that selects IPv4 packets by protocol:
1. Enter filter add in_ports=n1.3 ip4_prot=3 action=redir redir_ports=m.6,m.8
   A filter has been defined to select all IPv4 packets that use the TCP protocol received at Network Port 3 and copy them to Monitor Port 6 and Monitor Port 8. Protocols are designated by an industry standard numbering system. See Appendix C for details.
2. Enter filter commit
   The filter is activated.

Figure 27: Simple IPv4 protocol filter with reg
37. eneration

Available filter parameters are listed in Appendix B and include:
- ip_proto: IP protocol
- ip_src, ip_src_mask: IPv4 source address and mask
- ip_dst, ip_dst_mask: IPv4 destination address and mask
- ip6_src, ip6_src_mask: IPv6 source address and mask
- ip6_dst, ip6_dst_mask: IPv6 destination address and mask
- l4_src_port, l4_src_port_mask: Layer 4 source port and mask
- l4_dst_port, l4_dst_port_mask: Layer 4 destination port and mask
- mac_src, mac_src_mask: MAC source address and mask
- mac_dst, mac_dst_mask: MAC destination address and mask
- vlan: VLAN number

Create Complex Filters

Multiple filter parameters can be specified in a single filter add command. Packets must satisfy all of the filter parameters to be selected; in other words, the filter parameters have a logical AND connection.

To select all TCP traffic arriving from IP address 192.186.10.0:
1. Enter filter add in_ports=n1.5 ip_src=192.186.10.0 ip_proto=6 action=redir redir_ports=m.1
   A filter has been defined to select all IPv4 TCP packets from Network Port 5 with a source IP address of 192.186.10.0; packets matching the filter are copied to Monitor Port 1.
2. Enter filter commit
   The filter is activated.

Figure 28: Logical AND filter conne
38. es a commit or filter commit command, the CAM takes on the filter configuration from that user's pending filter list, and those become the active filters on Director. For this reason, it is a good idea to use a filter sync command to get the current contents of the CAM before adding or modifying filters; that way, the filters that you don't touch remain unaffected after you commit.

Chapter 4: Daisy-chaining Multiple Director Chassis

This chapter describes how to expand the capacity of Director by daisy-chaining multiple Director chassis. The complete set of chassis becomes a single logical system with up to 380 total ports. By using long-reach ER links, chassis can be physically separated by as much as 25 miles (40 kilometers), enabling monitoring of entire campuses or multiple campuses with a single Director system.

Daisy-chaining chassis is not supported in the initial release of Director. This chapter will be expanded when daisy-chain functionality becomes available.

Appendix A: Director Specifications

Specifications (chassis)

Mechanical
Dimensions: 1.6 high x 15.65 deep x 17 wide
Mounting: Surface or 19 rack mount (1U)
Weight: TBA

Connectors
Network Port Slots: (2) Director Network Module (DNM)
Monitor Ports: (10) SFP
Configurable 10 Gigabit Ports: (4) XFP; 2 can be used for uplinks to daisy-chain chassis
Management Port: (1) RJ45 10/100/100
39. f the monitoring tools can be used to observe any of the connected network links, and the connections can be switched easily using the Director CLI without ever moving a cable or touching the tools. A set of possible data flows is indicated by the colored circles on the links in the diagram.

One of the network monitoring tools is capable of handling more than 1 Gbps, so it is attached to a 10 Gigabit XFP port. Through this port, the tool can be sent aggregated traffic up to 10 Gbps. For example, the colored circles in the diagram indicate that traffic from four links is being aggregated and sent to this port.

Four streams of traffic are also being aggregated to the red monitoring tool on the upper left. Since this is a 1 Gbps Monitor port, aggregated data up to 1 Gbps can be sent to the red tool. If the aggregated traffic exceeds 1 Gbps, packets will be dropped. To avoid dropping packets, filters should be configured to reduce the aggregated traffic load to 1 Gbps or less.

The two green RMON monitoring tools at the bottom are the same type of tool. Two identical tools provide the capability of monitoring a greater amount of data than a single tool can handle. Another reason to use identical monitoring tools is to provide redundancy in case one of the tools fails. In addition, Director can be configured to send different types of traffic to each tool, for example all the TCP traffic to one tool and the UDP traffic to the other.
40. Figure 42: Filter 1 has been changed and filter 3 has been added

4. Enter filter list to view the pending filter list.

    Net Optics> filter list
    Filter 1
      src_mac 00:00:00:00:00:00  dst_mac 00:00:00:00:00:00
      src_ip 0.0.0.0 255.255.255.255  dst_ip 0.0.0.0 255.255.255.255
      ip_proto 0006  l4_src_port 0000  l4_dst_port 0000  vlan 0000
      action drop  in_ports
    Filter 2
      src_mac 00:00:00:00:00:00  dst_mac 00:00:00:00:00:00
      src_ip 0.0.0.0 255.255.255.255  dst_ip 0.0.0.0 255.255.255.255
      ip_proto 0000  l4_src_port 0000  l4_dst_port 0000  vlan 0000
      action redir  in_ports n1.1  redir_ports m.1
    Filter 3
      src_mac 00:00:00:00:00:00  dst_mac 00:00:00:00:00:00
      src_ip 0.0.0.0 255.255.255.255  dst_ip 0.0.0.0 255.255.255.255
      ip_proto 0000  l4_src_port 0000  l4_dst_port 0000  vlan 0000
      action redir  in_ports n1.2  redir_ports m.2
    IPv4 filter resource utilization 2
    Net Optics>

Figure 43: Filter list command

6. Repeat steps 3 and 4 until the pending filter list is consistent with the desired filter configuration.
7. Enter filter commit
   The contents of the pending filter list are copied to the CAM, activating the new filter configuration.

Figure 44: After filter commit
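The manual's advice to run filter sync before editing follows from each user having a separate pending filter list that replaces the whole CAM on commit. The model below is an added example, not Net Optics code: `DirectorModel`, `lost_on_commit`, the user names and the two extra filters are constructed for illustration, and filters are held as plain strings.

```python
"""Model of per-user pending filter lists and the shared CAM (illustrative only)."""


class DirectorModel:
    def __init__(self, active):
        self.cam = list(active)      # active filters, in CAM order
        self.pending = {}            # user -> that user's pending filter list

    def _pending(self, user):
        return self.pending.setdefault(user, [])

    def filter_running(self):
        return list(self.cam)

    def filter_list(self, user):
        return list(self._pending(user))

    def filter_sync(self, user):
        """Load the user's pending list with a copy of the active filters."""
        self.pending[user] = list(self.cam)

    def filter_add(self, user, flt):
        self._pending(user).append(flt)

    def filter_del(self, user, filter_id):
        del self._pending(user)[filter_id - 1]   # IDs are 1-based positions

    def filter_commit(self, user):
        """The CAM takes on this user's pending list, replacing what was active."""
        self.cam = list(self._pending(user))

    def lost_on_commit(self, user):
        """Active filters that would disappear if this user committed now."""
        pending = self._pending(user)
        return [flt for flt in self.cam if flt not in pending]


# Starting state taken from the manual's workflow figures.
STARTING_CAM = [
    "in_ports=n1.1 ip_proto=17 action=drop",
    "in_ports=n1.1 action=redir redir_ports=m.1",
]
# Constructed filters added by two hypothetical users, "secmon" and "ops".
SECMON_FEED = "in_ports=n1.2 action=redir redir_ports=m.2"
OPS_FEED = "in_ports=n1.3 action=redir redir_ports=m.3"


def run(ops_syncs_before_editing: bool):
    """Both users start in sync; secmon commits first, then ops edits and commits."""
    director = DirectorModel(STARTING_CAM)
    director.filter_sync("ops")
    director.filter_sync("secmon")
    director.filter_add("secmon", SECMON_FEED)
    director.filter_commit("secmon")             # ops' pending list is now stale
    if ops_syncs_before_editing:
        director.filter_sync("ops")
    director.filter_add("ops", OPS_FEED)
    lost = director.lost_on_commit("ops")        # pre-commit check
    director.filter_commit("ops")
    return lost, director.filter_running()


if __name__ == "__main__":
    for synced in (False, True):
        lost, running = run(synced)
        print(f"sync before editing: {synced}")
        print(f"  filters removed by the commit: {lost}")
        print(f"  active filters afterwards:     {running}")
```

Without the second sync, the commit by "ops" silently removes the feed that "secmon" activated, so the tool on m.2 stops receiving traffic; comparing filter running against filter list before committing catches this.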
41. ied.

To copy aggregated traffic from Network Port 1 and Network Port 2 to Monitor Port 3:
1. Enter filter add in_ports=n1.1,n1.2 action=redir redir_ports=m.3
   The aggregation connection is pending.
2. Enter filter commit
   The aggregation connection is activated.

Note that in this example, Network Port 1 and Network Port 2 may be Span ports, or they can be a paired in-line network link. The Network port list in the filter add command always applies to the traffic received at the port, not the traffic transmitted out the port. Therefore, if Network Port 1 and Network Port 2 are an in-line link, then Director has been configured to act as a Port Aggregator, combining the traffic from both directions on the in-line link and copying it to the Monitor port.

Figure 23: Traffic aggregation

Regenerate Traffic to Any Set of Monitor Ports

Director can be used like a Regeneration Tap, copying traffic from a Network port or aggregated group of Network ports to multiple Monitor ports. The filter add command is used to do this. The only difference from using the command to connect a single or multiple Network ports to a single Monitor port is that a list of Monitor ports is specified.

To regenerate traffic from Network Port 1 to Monitor Ports 3, 4, and 5:
1. Enter filter add in_ports=n1.1 action
42. illuminated.
- Check the link status LEDs, located on the front panel, to verify that the links are connected.
- Verify that traffic is flowing through in-line connections to attached network devices.
- Verify that traffic present on Network port 1 is visible on Monitor Port 2.

Chapter 3: Configuring Filters Using the CLI

This chapter describes how to use the CLI to determine which monitoring tools are connected to which Network ports. It also explains how to create filters to limit the amount of traffic copied to Monitor ports, so the monitoring tools receive only the traffic that is of interest to them.

In this chapter, you will learn to:
- Copy traffic from any Network port to any Monitor port
- Aggregate traffic from any set of Network ports to any Monitor port
- Regenerate traffic from any aggregated set of Network ports to any set of Monitor ports
- Create filters
- Create complex filters
- View filters
- Work with configurable 10 Gigabit ports
- Understand filter interactions

For a complete listing of filter commands in the CLI, see Appendix B.

Syntax

In the CLI, Director ports are specified by alpha-numeric names as follows:
- n1.1, n1.2, n1.3 ... n1.12: Network ports in the first DNM (the slot on the left); for in-line DNM models, ports n1.1, n1.2 are an in-line link pair, so are n1.3, n1.4, and so on
- n2.1, n2.2, n2.3 ... n2.12: Network ports in the second DNM (the slot on the right); for in-line DNM models
43. ined using filter commands AND saves the changes as the new default configuration date 06 24 2008 Arguments date is mm dd yyyy Sets the system calendar date if date is omitted the current date is displayed del my configuration 1 Arguments filename is the name of the file to delete a string do not include an extension Deletes a previously saved Director configuration file see save command exit Exits the CLI shell same as ogout and quit Note To maintain system security control is not returned to the command shell filter add in ports n1 1 n1 3 ip src 10 1 1 1 action drop Arguments ipv6 y for IPv6 addressing omit for IPv4 network portlist traffic from the network ports specified in this portlist is aggregated before being sent to the filter qual and value are filter qualifiers and values as listed in the table that follows this table any number of lt qual gt lt value gt pairs may be included Specify redir or drop as the filter action if redir packets matching all of the qual are copied to all of the Monitor ports specified in the portlist monitor portlist if drop packets matching all of the qual are dropped Defines a filter including the network and monitor ports involved in the filter filter is pending inactive until activated by a filter commit or commit command Note If the filter command does not include any qual it defines aggregation regeneration and
44. interface to access the CLI, then you need to configure the IP Address that Indigo management software (when available) will use to communicate with Director. If Director must communicate through a Gateway to reach the network, then set the Gateway IP Address for that Gateway.

If you are running the CLI remotely, you can change the IP Address, but when you do, you will lose your SSH connection, since it is talking to the old IP Address. In that case, initiate a new SSH session to the new IP address and you can continue using the CLI remotely.

To assign a new IP Address, Netmask, and Gateway IP Address to Director:
1. Enter sysip show
   The current IP Address, Netmask, and Gateway IP Address are displayed.
2. Enter sysip set ipaddr=<new ip address> mask=<new netmask> gw=<new gateway>
   The IP Address, Netmask, and Gateway IP Address are made pending.
3. Enter sysip show
   Verify that the displayed Pending Sysip Info IP Address, Netmask, and Gateway IP Address are the desired values.
4. Enter sysip commit to activate the new IP Address, Netmask, and Gateway IP Address.

Example:

    sysip set ipaddr=10.60.4.180 mask=255.0.0.0 gw=10.0.0.1
    sysip commit

The sysip set command requires that all three arguments are present.

Assign a New Manager IP Address

Configure the Manager IP Address to the IP Address of the remote management server, for example an IBM Tivoli or HP OpenView server.

To assign a new Manager IP address to Director
45. line Network connections

Connect Monitoring Tools to Director

To connect a monitoring tool to Director, simply plug the appropriate cable into the desired 1 Gigabit or 10 Gigabit Monitor port and plug the other end into the monitoring tool. The Link LED for the port should illuminate after a short delay to indicate that a link has been established. Repeat for all desired monitoring tool connections.

Note: In the CLI, the Monitor ports are designated using the letter m, followed by a dot, and then the port number. For example, the Monitor port on the upper left is m.1 and the Monitor port on the lower right is m.10.

Configure a Matrix Switch connection in Director

In order to monitor a network link, Director must be configured to copy the traffic from a Network or Span port to a Monitor port. A simple connection is described in this section, operating Director as a Matrix Switch. For more complex switching and filtering, see Chapter 3.

To monitor Network Port 1 in DNM 1 on Monitor Port 2:
1. Enter filter add in_ports=n1.1 action=redir redir_ports=m.2
   The switch connection is pending.
2. Enter filter commit
   The switch connection is activated.
3. Verify that traffic present on Network Port 1 is visible on Monitor Port 2.

Check the Installation

You have connected Director to the network, monitoring tools, and power. It should now be functioning correctly. Check the status of the following:
- Check that at least one power LED is
46. matrix switching functions without filtering filter clear Clears all active filters A MAiOptics Sub Command Example and description filter commit filter commit continued Activates pending filters previously defined using filter add and filter ins commands but does NOT save the changes as the new default configuration ipv6 y filter del id 3 id lt id gt Arguments ipv6 y for IPv6 addressing omit for IPv4 id is a decimal number from 1 to 999 that identifies which filter is to be deleted Deletes a pending filter discard filter discard Clears all pending filters ins id lt id gt filter ins id myfilter 1 in_ports n1 1 n1 3 ip_ ipv6 y src 10 1 1 1 action drop in_ports lt network_portlist gt Arguments lt qual gt lt value gt lt id gt is a decimal number from 1 to 999 that action lt redir drop gt specifies the priority of this filter the address for redir_ports lt monitor_portlist gt the filter in the filter CAM The rest of the filter parameters are as defined for the filter add command Defines and prioritizes a filter list ipv6 y filter list Arguments ipv6 y for IPv6 addressing omit for IPv4 Displays all pending filters with filter IDs running ipv6 y filter running Arguments ipv6 y for IPv6 addressing omit for IPv4 Displays all active filters filter sync Loads the pending filter list with a copy of the currently active filters command help filter Arguments command is
47. ng filter list to the CAM, activating that filter set-up. Remember that commit also changes Director's default configuration, but filter commit does not.

A common workflow for changing the Director filter configuration might be as follows.

To change the Director filter configuration:

Figure 39: Starting state

1. Enter filter running to view the currently active filters in the CAM.

    Net Optics> filter running
    Filter 1
      src_mac 00:00:00:00:00:00  dst_mac 00:00:00:00:00:00
      src_ip 0.0.0.0 255.255.255.255  dst_ip 0.0.0.0 255.255.255.255
      ip_proto 0017  l4_src_port 0000  l4_dst_port 0000  vlan 0000
      action drop  in_ports
    Filter 2
      src_mac 00:00:00:00:00:00  dst_mac 00:00:00:00:00:00
      src_ip 0.0.0.0 255.255.255.255  dst_ip 0.0.0.0 255.255.255.255
      ip_proto 0000  l4_src_port 0000  l4_dst_port 0000  vlan 0000
      action redir  in_ports n1.1  redir_ports m.1
    IPv4 filter resource utilization 2
    Net Optics>

Figure 40: Filter running command

2. Enter filter sync
   The contents of the CAM are copied to the pending filter list.

Figure 41: After filter sync

3. Use filter add, filter ins, and filter del commands to change filters as desired.
48. ng port configurations and filters can be saved to and loaded from files stored on Director's internal disk drive. When working with these files from within the CLI, specify only a filename up to 32 characters long, without an extension.

The current configuration is automatically kept in a file named defaultcfg. This file is automatically loaded at power-up or when the system is reset, so your configuration is persistent. However, you may wish to save copies of various configurations that you use for different purposes. For example, each person that uses the device can maintain a separate configuration.

To save the Director configuration:
- Enter save filename, where filename is the name for this configuration. The configuration is saved.

To load a Director configuration:
- Enter load filename, where filename is the name of a saved configuration. The configuration is loaded.

To view a list of all saved Director configurations:
- Enter list. A list of Director configurations is displayed.

To view a saved Director configuration:
- Enter show filename, where filename is the name of a saved configuration. The configuration is displayed.

Using the CLI Help Command

To view CLI help information:
1. Enter Help at the Net Optics prompt. The list of help topics is displayed.

    commit date del filter help history image list load Logout module passwd ping port reset save show stats sysi
49. not applicable; 1 root, 2 admin, 3 user. Modifies a user account. show: user show. Lists all the currently defined user accounts.
   Filter parameters
   Switches and filters are defined using the filter add and filter ins commands. The filter add command syntax is:
      filter ipv6 y add in_ports <portlist> <filter_parameter_list> action <redir drop> redir_ports <portlist>
   The <filter_parameter_list> is a sequence of zero or more of the filter qualifiers as listed in the following table. If the <filter_parameter_list> is empty, the filter add command specifies an aggregation of the traffic received on all of the in_ports. If the action is redir, the aggregated traffic stream is regenerated to all of the redir_ports.
   If the <filter_parameter_list> contains filters, aggregation and regeneration take place as described in the previous paragraph. However, the filters are applied to the aggregated traffic stream before it is copied to the monitor ports. If multiple filter qualifiers are specified, a packet must satisfy all of the filter qualifiers in order to be copied to the monitor ports. In other words, the filter qualifiers are combined with a logical AND condition. A logical OR condition can be created by using multiple filter add commands with identical port lists.
   The filter add and filter ins commands define filters but do not activate them. A subsequent filter commit or commit
50. nterface CLI is case sensitive; commands must be entered in lower case. However, certain items such as user-defined text strings, user names, and passwords may be entered in upper, lower, or mixed case, and are case sensitive also.
   The tab key can be used to automatically complete words in the CLI. This function works for commands as well as arguments. For example, typing the letter t followed by the tab key results in time being entered in the command line. Likewise, da<tab> auto-completes to the date command. However, d<tab> does not auto-complete because it is ambiguous between the date and del commands.
   To display a list of sub-commands and arguments for any command, press the tab key twice after entering the command. A space is required between the command and the <tab><tab>. For example, type filter add <tab><tab> to display a list of all the arguments that can be used to complete the command.
   Port numbering
   Network ports are numbered ns.p, where s is the DNM module (1 or 2; 1 is on the left, 2 is on the right) and p is the port number within the DNM (1 through 12); for example, n2.1 and n2.12 are the lowest and highest port numbers in the second DNM. Monitor ports are numbered m.1 through m.10. Configurable 10 Gigabit ports are numbered t1.1 and t1.2 (front panel) and t2.1 and t2.2 (rear panel). A portlist is a list of ports separated by commas; dashes may be used to
51. o complete because it is ambiguous between the date and del commands.
   Tip: To display a list of sub-commands and arguments for any command, press the tab key twice after entering the command. A space is required between the command and the tab tab. For example, type filter add tab tab to display a list of all the arguments that can be used to complete the command.
   Using the CLI Command History Buffer
   You can save a lot of typing by using the command history buffer maintained by the CLI. The up and down arrow keys scroll forward and backward through the history buffer. To execute a command again, simply scroll to that command and press enter. Alternately, you can scroll to a command and then edit it in-line before executing it. You can see a history of all the buffered commands by entering the history command. Any command in the history buffer can be accessed directly by entering where is the number of the command in the buffer. Operation of the command history buffer is illustrated in the following example.
      Net Optics> show
      show name show running factory default or file name
      Net Optics list
      Current config file s test 1 test 7
      Net Optics> help ping
      ping ipaddr ping ipaddr
      Net Optics> sysip show
      Current Sysip Info IP addr 10.60.4.178 IP mask 255.0.0.0 Gateway 10.0.0.1
      Net Optics> history
      1 show 2 Lis
52. o many critical links pass in-line through Director, it's good to know that they are completely passive connections. Director does not slow down or interfere with the in-line traffic, and the links stay open to pass traffic even if both of the Director power supplies are removed. When power is removed, 10/100/1000 Copper in-line links may be dropped for a short period of time (less than 1 second) while relays switch to open the link. Subsequently, the network re-establishes the links and traffic resumes flowing.
   [Figure 3: Detail of in-line Taps shown in Figure 2. Purple line indicates an in-line Tap.]
   In the middle of Figure 2, three other departmental switches are monitored through their Span ports. One of the switches handles 10GbE traffic, so its Span port goes to one of the Director 10GbE XFP ports. One of the other switches' 1GbE Span ports carries three distinct types of traffic (e-mail, VoIP, and Web pages), as indicated by the three colored circles on the Span link.
   In this installation, Director has ten additional Span ports and one in-line link that are available for expansion when more links need to be monitored.
   Monitoring Tools
   Still referring to Figure 2, six monitoring tools are connected to Director. They include protocol and performance analyzers, RMON probes, and an intrusion detection system (IDS). Any o
53. p time upgrade user quit or exit
      Net Optics>
      Net Optics> help
      save local config to hardware
      set system date
      delete file name
      set for filter command
      view cli usage
      display command history
      list switch image
      list xml file
      load file name
      logout from cm server
      show installed modules in the system
      change password for ssh user s account
      ping ipaddr
      set port command
      reset the whole system
      save file name
      show running factory default or file name
      show clear ports statistics
      show and set system network IP address
      set system time
      upgrade image file
      manage user account
      exit current cli session
   [Figure 16: Director CLI Help command]
   2. To view the syntax for changing Director filter parameters, enter help filter.
   3. Repeat Step 2 with the command of interest to view the syntax for any command available in the CLI.
   For a complete description of all of the CLI commands, see Appendix B.
   Tip: Help for an individual command is also displayed if the command is entered without the proper arguments.
   Tip: The tab key can be used to automatically complete words in the CLI. This function works for commands as well as arguments. For example, typing the letter t followed by the tab key results in time being entered in the command line. Likewise, da<tab> auto-completes to the date command. However, d<tab> does not aut
54. ports in a fully expanded system when available Monitor port based filtering Director avoids the confusion of pre filtering versus post filtering by strictly tying filtering to the Monitor ports Each Monitor port can be configured to have traffic from any number of Network or Span ports directed to it and each Monitor port applies up to 30 protocol address and utilization based filters to the traffic A h 3dOptics Director Key Features Ease of Use Tap aggregation regeneration matrix switch and filter functions in a single device e 19 inch rack frame 1U high Front mounted connectors for quick and easy installation LED indicators show Power Link and Activity status Modular design for configuration flexibility RMON statistics including network utilization filtering data can be used to assemble XML based end user reports or it may be exported to a third party reporting tool such as a protocol analyzer Text based command line interface CLI available through RS 232 serial port e CLI also available remotely over secure SSH connection Field upgradeable software Compatible with all major manufacturers monitoring devices including protocol analyzers probes and intrusion detection and prevention systems Monitor port Filtering 1 000 filter elements per a chassis Exclusive drop matched packets and inclusive pass matched packets filters Filters based on IP protocol IP addres
55. ports n1 5 ip_proto 6 action redir redir_ports m 2
      filter commit
   The flow diagram now looks as follows.
   [Figure 37: Correct way to send all TCP traffic to Monitor Port 2. Commands shown in the figure:
      filter add in_ports n1 5 ip_src 192 186 10 0 ip_proto 6 action redir redir_ports m 1 m 2
      filter add in_ports n1 5 ip_src 192 186 10 0 action redir redir_ports m 1
      filter add in_ports n1 5 ip_proto 6 action redir redir_ports m 2]
   Now packets that match both the IP address and protocol conditions are copied to both monitor ports, while packets that match only one of the conditions are directed to the desired monitor port.
   Note: Instead of filter add, you can use a filter ins command to define filters. The only difference is that filter ins allows you to specify the filter's ID, which is its position in the pending filter list. Use filter list to see the IDs of all pending filters. When you use a filter ins command, the first argument must be id <id>, where <id> is a decimal number in the range 1 to 999. For example, filter ins id 2 in_ports n1 1 out_ports m 1 defines a filter that sends all the traffic from
56. r follows these basic steps:
   1. Plan the installation
   2. Unpack and inspect the Director device
   3. Install the DNM modules
   4. Install the SFP and XFP modules
   5. Rack mount the Director device
   6. Connect power to Director
   7. Connect the command line interface (CLI) RS-232 DB9 port or the Management port
   8. Log into the CLI
   9. Configure Director parameters using the CLI
   10. Connect Director to the network with Span ports and in-line links
   11. Connect the monitoring tools to Director
   12. Configure a Matrix Switch connection in Director
   13. Check the installation
   This chapter pertains to installing a single Director. Chapter 4 addresses daisy-chaining up to 10 Director chassis into a single logical system.
   Plan the Installation
   Before you begin the installation of your Director device, determine the following:
   - IP address of the Director device, or a range of IP addresses if you are deploying multiple Director devices
   - Net Mask for Director
   - IP address of the remote management console, if deployed over a WAN (this address is used for SNMP traps)
   - Gateway to the remote management console, if deployed over a WAN
   - Port assignments and filters for the Network and Monitor port connections
   Make sure you have a suitable location to install the Director device. For power redundancy, use two independent power sources.
   Unpack and Inspect the Director device
   Carefully unpack the Director device
57. ryptonet key management SKIP SKIP IPv6 ICMP for IPv6 ICMP IPv6 No Next Header for IPv6 NoNxt 64 SAT SATNET and Backroom EXPAK EXPAK 65 KRYPTO Kryptolan RV MIT Remote Virtual Disk Protocol IPPC Internet Pluribus Packet Core 55 56 57 58 o o Zz any distributed file system SAT MON SATNET Monitoring 70 71 72 VISA VISA Protocol IPCV Internet Packet Core Utility CPNX Computer Protocol Network Executive CPHB Computer Protocol Heart Beat D SN Wang Span Network PVP Packet Video Protocol BR SAT Backroom SATNET Monitor MON ing SUN ND SUN ND PROTOCOL Tem porary WB MON WIDEBAND Monitoring WB WIDEBAND EXPAK EXPAK ISO IP ISO Internet Protocol VMTP VMTP SECURE SECURE VMTP VMTP VINES VINES TTP TTP oa li 78 79 81 82 83 co A ETE bil ES M ECE EE EN EA ECE EE El a di ECE Ed lt a ECE Keyword Protocol NSFNET NSFNET IGP IGP T DG Dissimilar Gateway Protocol T o Oo eo 88 EIGRP EIGRP OSPFIGP OSPFIGP C Sprite Sprite RPC Protocol LARP Locus Address Resolution Protocol M Multicast Transport Protocol AX AX 25 Frames IP within IP Encapsulation Protocol A U O P 25 MICP Mobile Internetworking Con trol Pro SCC SP Semaphore Communications Sec Pro ETHERIP Ethernet within IP Encapsu lation ENCAP Encapsulation Header any private encryption scheme GMTP GMTP IFMP Ipsilon Flo
58. s and other information contained in this document without prior notice Every effort has been made to ensure that the information in this document is accurate Net Optics is not responsible for typographical errors THE WARRANTY AND REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHERS EXPRESS OR IMPLIED No Net Optics reseller agent or employee is authorized to make any modification extension or addition to this warranty Net Optics is always open to any comments or suggestions you may have about its products and or this manual Send correspondence to Net Optics Inc 5303 Betsy Ross Drive Santa Clara CA 95054 USA Telephone 1 408 737 7777 Fax 1 408 745 7719 Email info Net Optics com Internet www Net Optics com All Rights Reserved Printed in the U S A No part of this publication may be reproduced transmitted transcribed stored in a retrieval system or translated into any language or computer language in any form by any means without prior written consent of Net Optics Inc with the following exceptions Any person is authorized to store documentation on a single computer for personal use only and that the documentation contains Net Optics copyright notice 54 www netoptics com 2008 by Net Optics Inc All Rights Reserved
59. ses layer 4 ports MAC addresses and VLANs Source and destination MAC addresses or ranges of addresses Source and destination IP addresses or ranges of addresses Source and destination ports or ranges of ports Supports IPv4 and IPv6 protocols VLAN Protocols all IP protocols such as ICMP TCP UDP and RDP Passive Secure Technology Passive access at up to 10 Gbps n line links do not interfere with the data stream or introduce a point of failure Optimized and tested for 10 100 and 1000Mbps copper and 1 and 10 Gpbs fiber networks Redundant power to maximize uptime n line links default to open under a complete power fail condition ensuring network availability FCC CE VCCI C Tick and WEEE certified Fully RoHS compliant Unsurpassed Support Net Optics offers technical support throughout the lifetime of your purchase Our technical support team is available from 8 00 to 17 00 Pacific Time Monday through Friday at 1 408 737 7777 and via e mail at ts support netoptics com FAQs are also available on Net Optics Web site at www netoptics com A bAOptics Director About this Guide Please read this entire guide before installing Director This guide applies to the following part numbers Chassis Part Number Description DIR 3400 Director Main Chassis with 10 SFP monitor ports DIR 7400 Director Main Chassis with 10 SFP monitor ports 2 XFP 10GbE ports 2 XFP uplink ports DNM Part
60. specify ranges for example n1 1 n1 2 n1 3 and n1 1 n1 3 mean the same thing NOTE Do not include any space characters in the list do not put a space after the comma A string is a string of characters up to 32 characters in length not case sensitive valid characters are A Z a z 1 9 Privilege levels User accounts are assigned at one of three privilege levels root level 1 access to all CLI commands only the root level can use the user and passwd commands admin level 2 access to all CLI commands except user and passwd user level 3 can access only these CLI read only commands help history list ping show exit logout quit The CLI commands are specified in the following table 43 9 i 3dOptics Sub Command Arguments commit 7 a number date filename ipv6 y lt qual gt lt value gt action lt redir drop gt Notes argument is required If action redir then argument is required filter clear in_ports lt network_portlist gt redir_ports lt monitor_portlist gt The command may include any number of lt qual gt up to the limit of Director s filter resources approximately 1 000 lt qual gt per chassis The action lt redir drop gt redir_ports lt monitor_portlist gt Example and description I3 Executes a command from the CLI command history buffer see history command commit Activates pending changes previously def
61. t 3 help ping 4 sysip show
      Net Optics> 3
      Net Optics> help ping
      ping ipaddr ping ipaddr
      Net Optics>
   [Figure 17: CLI command history buffer]
   Connect Span Ports to Director
   To connect Director to the network using Span ports, be sure that at least one of your DNMs is a Span model. Use ports in that DNM to connect to the network. Span port numbering is shown in the following diagram. It is the same for Span DNMs and in-line DNMs.
   [Figure 18: Port numbering for Span DNM models. Port numbers in purple.]
   Note: DNM 1 is on the left and DNM 2 is on the right. In the CLI, the Network ports are designated using the letter n followed by the DNM number, a dot, and then the port number. For example, the Network port on the upper left is n1.1 and the Network port on the lower right is n2.12.
   To connect a Span port:
   1. Plug the appropriate cable into a Director Span port.
   2. Plug the other end of the cable into the Span port of the switch. The Link LED for the port illuminates after a short delay to indicate that a link has been established. If the traffic is flowing from the Span port, two Link LEDs blink.
   Repeat for all desired Span port connections.
   [Figure 19: Span port connections]
   Connect Director With In-line Ne
62. t tools, which will be available soon, include:
   - Web Manager: A Web browser-based tool to manage a single Director at a time from anywhere in the world
   - System Manager: An SNMP platform-based tool to manage all the Director and other Net Optics iTap-enabled devices on your network
   Typical Application
   The following diagram shows a typical application using Director to implement a comprehensive, consolidated monitoring infrastructure.
   [Figure 2: Director-centric network monitoring infrastructure]
   In this example, eight network links are monitored by six monitoring devices. The company's external access is protected by a firewall, shown in the upper left of the diagram. The link runs through a router, then in-line through Director, and then to a switch that distributes traffic throughout a department.
   Network Links
   The rest of the department's switches are shown, but only the connections to Director are illustrated. The four department switches shown in the lower right are cross-connected for fault tolerance. All four of the cross-connected links are passed in-line through Director, as indicated by the slanting purple lines, so they can be thoroughly monitored for performance tuning, security, and troubleshooting. Because s
63. te All four arguments are required name lt username gt pw lt password gt priv lt level gt Note All three arguments are required name lt username gt name lt username gt pw lt password gt priv lt level gt Note All three arguments are required time 13 02 00 Arguments time is hh mm ss Sets the system time of day if lt time gt is omitted the current time is displayed upgrade srvip 168 192 20 2 user bob pw bobpw file image021108 Arguments lt svrip gt is the IP address of the server that the new image file is on lt username gt is the user name needed for FTP access to the server lt passwd gt is the password needed for FTP access to the server lt filename gt is the name of the image file Replaces the backup system boot image the one that is not the current image with the image in the specified file see image command user add name bob pw bob pw priv 3 Arguments username is the username a string password is the password a string level is 1 2 or 3 other values not applicable 1 root 2 admin 3 user Creates a new user account user del name bill Arguments username is the user name of the account you wish to delete Deletes a user account user mod name bill pw billpw priv 2 Arguments username is the user name of the account you want to change a string password is the new password for the account to a string level is 1 2 or 3 other values
64. ter add in_ports n1 1 n1 5 filter parameter list monitor port list does not interact with filter add in ports n1 6 n1 10 filter parameter list monitor port list
   Understand pending and active filters
   To understand the actions of filter commands such as filter commit, filter discard, and filter delete, it is helpful to visualize the pending filter list and the CAM that holds the active filters. The previous section explained how the active filters are stored in a CAM, which can be thought of as a list of active filters. These filters, which are actively running in the device, may be referred to as active, running, or committed. Pending filters, that is, filters that have been defined using filter add and filter ins commands but not yet committed, are kept in a pending filter list that shadows the CAM. These filters may be referred to as pending or uncommitted. The following table shows which filter commands affect the pending filter list and which affect the CAM.
   Commands apply to:
   - Pending filter list: filter add, filter del, filter discard, filter ins, filter list
   - CAM: commit, filter clear, filter commit, filter running, filter sync
   As can be seen from the table, most of the time you work with the contents of the pending filter list. When you have the filters set up the way you want them in the pending filter list, a commit or filter commit command transfers the contents of the pendi
65. that can be downloaded from many sites on the Internet.
   To connect the CLI for remote use over the Management port:
   1. Connect the Director Management port to a network switch using a network cable.
   2. Open Director from an SSH client on the network using the IP address you assigned using the local CLI. The SSH port is 22. Director displays the shell login prompt.
      login as:
   [Figure 12: Shell login prompt]
   3. Enter customer to log into the shell. The shell asks for the password.
      login as: customer
      customer@10.60.4.18's password:
   [Figure 13: Shell login]
   4. Enter netoptics as the password. For security, the password is not displayed as you type it. The Director CLI runs, and the CLI sign-on banner and login prompt are displayed.
      login as: customer
      customer@10.60.4.8's password:
      Last login: Thu Sep 4 09:40:31 2008 from 10.30.1.62
      Net Optics Command Line Interface (CLI)
      Copyright (c) 2008 by Net Optics, Inc.
      Restricted Rights Legend
      Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c)(1)(ii) of the
66. the XFP fiber connectors
   - Power LEDs: Two LED indicators for power, one for each of the redundant power supplies
   Director Rear Panel
   The features of the Director rear panel are shown in the following diagram.
   [Figure 7: Director Rear Panel]
   Major features of the rear panel include:
   - USB Port: Reserved for future functionality
   - RS-232 Port: DB9 serial port for the CLI
   - Management Port: A 10/100/1000 network port for the remote management interfaces and software updates; the CLI runs over an SSH connection through this port; Indigo management tools, when available, will connect through this port
   - XFP Daisy-chain 10GbE Ports: Accepts SR, LR, and ER XFP transceiver modules for daisy-chaining up to 10 chassis
   - Power Supply Modules: Universal-input (100-240VAC, 0.5Amp, 47-63Hz) hot-swappable power supplies with integrated cooling fans; each supply can power the unit independently; dual supplies provide redundancy to maximize uptime; 48VDC models are also available
   Chapter 2: Installing Director
   This chapter describes how to install and connect Director devices. The procedure for installing Directo
67. tics CLI banner and login prompt are displayed in the Terminal Emulation software.
      Net Optics Command Line Interface (CLI)
      Copyright (c) 2008 by Net Optics, Inc.
      Restricted Rights Legend
      Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
      Net Optics, Inc. 5303 Betsy Ross Drive, Santa Clara, California 95054 USA 1 408 737 7777
      login user
   [Figure 11: CLI sign-on banner]
   Connect the remote CLI Interface
   If you choose to run the CLI remotely, connect a network cable from a switch to the Management port on the back of the Director chassis. Use any computer with an SSH client to access the CLI over the network.
   Note: Before connecting to the remote CLI interface for the first time, you must connect to the CLI locally and use the procedure on page 18 to assign Director an IP address that is available on your network.
   PuTTY is a freeware SSH client for Windows
68. ts and 14 outputs, or Monitor ports. Any number of inputs can be directed to each of the outputs. Director aggregates the traffic from those Network ports and sends them to the Monitor ports. For example, the diagram shows:
   - Traffic from the first in-line Network link (n1.1, n1.2) is being directed to the first SFP Monitor port (m.1)
   - Traffic from two in-line Network links (n1.3, n1.4 and n1.7, n1.8) plus three Span Network ports (n2.3, n2.7, and n2.11) is being aggregated and directed to the second SFP Monitor port (m.2)
   - Traffic from one in-line Network link (n1.11, n1.12) is being regenerated to two SFP Monitor ports (m.9 and m.10)
   The traffic from the in-line Network links to the Monitor ports may include the traffic being received at the odd-numbered Network port (at the left side of the diagram), at the even-numbered Network port (at the right side of the diagram), or both; the diagram doesn't include this level of detail.
   In addition, filters (shown at the bottom of the diagram) are configured independently for each Monitor port (one or more filters per port) and applied on the aggregated traffic for that port. For example, the second SFP Monitor port could have two filters, where one filter selects the TCP traffic from the two in-line Network links and the second filter selects the UDP traffic from the three Span Network ports.
   The inputs are divided into three groups: two DNMs plus the 10GbE ports
69. twork Links
   To connect Director to the network using an in-line installation, be sure that at least one of your DNMs is an in-line model. Tap port pairs for each link are located side by side, with three links across the top row and three links across the bottom row. This is true for both Fiber and 10/100/1000 DNMs.
   [Figure 20: Port and link numbering for in-line DNM models. Port numbers in purple; in-line link numbers in green.]
   To connect an in-line network link:
   1. Plug the appropriate cable into an odd-numbered Network port (Port m o).
   2. Plug the other end of the cable into the source switch or router. The Link LED for the port illuminates after a short delay to indicate that a link has been established.
   3. Plug another cable into the connector immediately to the right of Port m o. It will be numbered 1 higher, or Port m o 1.
   4. Plug the other end of the cable into the destination switch or router. The Link LED for the port illuminates after a short delay to indicate that a link has been established. If present, traffic passes between the source and destination switches or routers, and the two Link LEDs blink.
   Repeat for all desired in-line network connections.
   Figure 21 In
70. w Management Protocol PNNI PNNI over IP P Protocol Independent Mul ticast ARIS ARIS 97 100 101 102 104 105 106 107 108 SCPS SCPS a S N Al Active Networks IPComp IP Payload Compression Protocol N Sitara Networks Protocol Compaq Compaq Peer Protocol Peer IPX in IP IPX in IP VRRP Virtual Router Redundancy Protocol PGM Reliable Transport Protocol F TP M x N 109 P 110 111 112 113 PGM 114 any O hop protocol NISOptics 115 L2TP Layer Two Tunneling Protocol 116 DDX D II Data Exchange DDX 117 IATP Interactive Agent Transfer Protocol 118 119 120 121 122 123 IGNORE i 4 Mobility Header STP Schedule Transfer Protocol UDPLite si SRP SpectraLink Radio Protocol 137 MPLS SMP Simple Message Protocol MANET Protocols S SM Host Identity Protocol M SM PTP Performance Transparency Unassigned Protocol Use for experimentation and testing 124 ISIS over 125 FIRE o 4 EE Use for experimentation and 110 CRTP Combat Radio Transport testing 127 CRUDP Combat Radio User Data gram 128 SSCOP MCE 130 SPS Secure Packet Shield 131 PIPE Private IP Encapsulation within IP 132 SCTP Stream Control Transmission Protocol 133 FC Fibre Channel 53 A i 3dOptics Director Limitations on Warranty and Liability Net Optics offers a limited warranty for all its products INNO EVENT SHALL NET OPTICS INC BE LIABLE FOR ANY DA