Director Xstream
User Guide
Data Monitoring Switch
Doc. 800-0142-001 Rev A
PUBDIRXU 2/10

PLEASE READ THESE LEGAL NOTICES CAREFULLY.

By using a Net Optics Director Xstream device you agree to the terms and conditions of usage set forth by Net Optics, Inc. No licenses, express or implied, are granted with respect to any of the technology described in this manual. Net Optics retains all intellectual property rights associated with the technology described in this manual. This manual is intended to assist with installing Net Optics products into your network.

Trademarks and Copyrights

© 2008-2010 by Net Optics, Inc. Net Optics is a registered trademark of Net Optics, Inc. Director Xstream is a trademark of Net Optics, Inc. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.

Additional Information

Net Optics, Inc. reserves the right to make changes in specifications and other information contained in this document without prior notice. Every effort has been made to ensure that the information in this document is accurate.

Contents

Chapter 1 Introduction
  Key Features
  About this Guide
  Director Xstream Architecture
  Monitoring Links In-line
  Director Xstream Front Panel
  Director Xstream Rear Panel
Chapter 2 Installing Director Xstream
  Plan the Installation
  Installation in a Restricted Access Location in Finland and Norway
  Unpack and Inspect the Director Xstream device
  Install SFP+ and SFP transceiver modules
  Rack Mount the Director Xstream device
  Connect Power to Director Xstream
  Warnings and Symbols
  Connect the local CLI Interface
  Connect the remote CLI Interface
  Use the CLI Help Command
  Configure Director Xstream using the CLI
    Change the Director Xstream Login Password
    Assign a New Director Xstream IP Address, Netmask, and Gateway IP Address
    Disable a Port or Change Port Speed
    Save and Load Director Xstream Configurations
    Use the CLI Command History Buffer
    Understand the Commit Commands
  Connect Span Ports to Director Xstream
  Connect Director Xstream to the Network with In-line Taps
  Connect Monitoring Tools to Director Xstream
  Configure a Matrix Switch connection in Director Xstream
  Check the Installation
Chapter 3 Configuring Filters Using the CLI
  Syntax
  Copy Traffic From Any Network Port to Any Monitor Port
  Aggregate Traffic From Any Set of Network Ports to Any Monitor Port
  Regenerate Traffic to Any Set of Monitor Ports
  Create Filters
  Create Complex Filters
  View Filters
  Understand Filter Interactions
  Exclusive filters
  Understand Pending and Active filters
  User interactions
  Understand Filter Capacity
Appendix A Director Xstream Specifications
Appendix B Command Line Interface
  Director Xstream CLI Quick Reference
  Table of CLI Commands
  Filter qualifiers
Appendix C Protocol Numbers

Chapter 1 Introduction

Net Optics Director Xstream is a key component for building a comprehensive, consolidated 10 Gigabit monitoring infrastructure for both network management and security. It extends the range of visibility for data monitoring across converged data and digital voice networks, while eliminating monitoring port contention and minimizing the number of tools needed to optimally manage the network.

A single Director Xstream device enables you to tap into multiple network links, and direct copies of their traffic to multiple monitoring ports. It includes aggregation and regeneration functions, so the link-to-monitor-port mapping can be one-to-one, one-to-many, many-to-one, or many-to-many. In addition, it provides filtering: each monitor port can be programmed to receive only traffic meeting user-defined filter criteria based on protocol, source and destination addresses, and other criteria. This filtering capability enables specific types of traffic such as voice over IP (VoIP) to be directed to particular monitoring tools.

[Figure 1: Director Xstream in a typical application]

Matrix switching, aggregation, and regeneration
Each Director Xstream chassis supports twenty 10-Gigabit or 1-Gigabit network links using external in-line taps or Span ports. Four ports are provided for attaching monitoring tools. Network and Span ports can be aggregated and regenerated to output ports in almost any combination.
In fact, any port can be used for either a network input or a monitor output—or both at the same time if you split the TX and RX fibers in your cable.

Modular design
Director Xstream is modular to provide configuration flexibility. All 24 ports are SFP+ based, and accommodate either 10-Gigabit SFP+ transceiver modules or 1-Gigabit SFP modules. 10-Gigabit and 1-Gigabit modules can be used in any mix, and Director Xstream will perform any necessary data rate conversions.

Monitor port-based filtering
Director Xstream avoids the confusion of pre-filtering versus post-filtering by strictly tying filtering to the monitor ports. Each monitor port can be configured to have traffic from any number of network or Span ports directed to it, and each monitor port can apply multiple protocol-, address-, and VLAN-based filters to the traffic.

CRC Forwarding
Director Xstream forwards all packets to the monitoring data stream, even if they contain CRC errors, providing full visibility of the network traffic.

Jumbo Packets
Director Xstream can be set to accept or reject jumbo packets, which are packets longer than the Ethernet standard maximum length of 1,518 bytes. This feature can be turned on or off using the system set CLI command.

Director Xstream Management
Director Xstream is configured and managed using a command-line interface (CLI) that will be familiar to most network administrators. The CLI can be accessed locally over an RS232 serial link, or remotely using a secure SSH connection. GUI tools will be available soon.

Dual hot-swap power supplies
Director Xstream is powered by two redundant power supplies, with either universal AC or -48V DC input. Either supply alone can power the device and the power supplies are hot-swappable, so you do not experience any monitoring down time if you should need to replace a power supply.
Key Features

Ease of Use
• 10 Gigabit and 1 Gigabit aggregation, regeneration, matrix switch, and filter functions in a single device
• 19-inch rack frame, 1U high
• Front-mounted connectors for quick and easy installation
• LED indicators show Link and Activity status
• Modular design for configuration flexibility
• RMON statistics; data can be used to assemble XML-based end-user reports, or it can be exported to a third party reporting tool such as a protocol analyzer
• Text-based command-line interface (CLI) available through RS232 serial port
• CLI also available remotely over secure SSH connection
• Field-upgradeable software
• RADIUS and TACACS+ authentication and authorization
• Compatible with all major manufacturers' monitoring devices, including protocol analyzers, probes, data loss prevention, database activity monitoring, Web application firewall, and intrusion detection and prevention systems

Filtering
• More than 1,000 filter elements per chassis
• Exclusive (drop matched packets) and inclusive (pass matched packets) filters
• Filters based on
  • Source and destination MAC addresses, or ranges of addresses
  • Source and destination IP addresses, or ranges of addresses
  • Source and destination ports, or ranges of ports
  • IPv4 and IPv6 addressing
  • VLAN
  • All IP protocols such as ICMP, TCP, UDP, SCTP, and RDP

Passive, Secure Technology
• Passive access at up to 10 Gbps
• In-line links do not interfere with the data stream or introduce a point of failure
• Optimized and tested for 1000Mbps copper and 1 and 10 Gbps fiber networks
• Redundant power to maximize uptime
• FCC, CE, VCCI, and C-Tick certified
• Fully RoHS and WEEE compliant

Unsurpassed Support
• Net Optics offers technical support throughout the lifetime of your purchase. Our technical support team is available from 8:00 to 17:00 Pacific Time, Monday through Friday at +1 (408) 737-7777 and via e-mail at [email protected].
FAQs are also available on Net Optics Web site at www.netoptics.com.

About this Guide

Please read this entire guide before installing Director Xstream. This guide applies to the following part numbers:

Chassis
Part Number     Description
DIR-2400X       Director Xstream Main Chassis with 24 SFP+ ports
DIR-2400X-DC    Director Xstream Main Chassis with 24 SFP+ ports, -48VDC

Director Xstream Architecture

The following diagram shows a schematic view of the internal architecture of the Director Xstream device. It is modelled as a matrix switch with filtering. The black dots indicate aggregating matrix switch connections on the input ports and regenerating matrix switch connections on the output ports.

[Figure 2: Director Xstream internal architecture. Aggregation plane: 4 SFP+ monitor ports and 20 SFP+ network ports, receive side (inputs). 24 filters arranged by priority. Regeneration plane: 4 SFP+ monitor ports and 20 SFP+ network ports, transmit side (outputs). Callouts: "Aggregate the traffic being received at network ports 4, 7, 8"; "Logical-OR filters 5, 6, & 7"; "Regenerate the traffic to monitor ports 2, 4".]

Director Xstream can be viewed as a matrix switch with 24 inputs and 24 outputs. For convenience, four ports are labelled monitor ports on the front bezel and twenty ports are labelled network ports, but all 24 ports are logically equivalent: The input side and the output side of any port can be used in a filter, and they can even be used simultaneously and independently if you split the transmit and receive fibers in your cable.

[Figure 3: Splitting a cable to use transmit and receive sides of a port independently. One fiber carries the network connection from an external Tap or Span port to the Director Xstream port; the other carries the monitor connection to a monitoring device.]

The upper half of the diagram is the aggregation plane.
It enables the traffic from any set of input ports to be aggregated and sent to a filter. For example, the three dots on the second vertical line in the aggregation plane indicate that the traffic being received at network ports 8, 11, and 12 is being aggregated and sent to the filter at priority 2.

The lower half of the diagram is the regeneration plane. It enables the traffic leaving any filter to be replicated to any set of output ports. For example, the two dots on the third vertical line in the regeneration plane indicate that the traffic out of the filter at priority 3 is being regenerated to monitor ports 2 and 4.

The filters between the aggregation and regeneration planes represent the filter qualifiers such as protocol=TCP, IP address=10.20.30.1. Each filter can also have several individual qualifiers logically AND'd together, such as port=80 AND VLAN=140. (A note on terminology: In the CLI, a filter definition includes the specifications of which ports are inputs to and outputs from the filter. The set of filter qualifiers by itself may be referred to as a filter policy.)

In Figure 2, the filters are arranged in priority order from left to right, where the left-most filter at priority 1 is the highest priority, and the priority decreases moving to the right. The effect of the filter priorities is explained in the Regeneration section of the list that follows this paragraph.

A total of 128 IPv4 filters and 128 IPv6 filters can be created simultaneously. Each filter can potentially have 10 or more qualifiers AND'd together, so the total number of filter elements available in Director Xstream exceeds 2,560.

The connections (dots) shown in Figure 2 can be understood as follows:

• Matrix switch. Filter 1, on the first vertical line in the diagram, represents a 1-to-1 matrix switch type connection, with the traffic from network port 2 being copied to monitor port 1.
However, unlike a plain matrix switch, filter qualifiers can also be applied to select particular traffic of interest to send to the monitor port.

• Aggregation. Filter 2 represents a many-to-one type connection, aggregating the traffic from three inputs, network ports 8, 11, and 12, filtering it, and sending the traffic selected by the filter to monitor port 3.

• Regeneration. Filter 3 represents a one-to-many type connection, copying the traffic being received at network port 8, filtering it, and sending copies of the traffic selected by the filter to two output ports, monitor ports 2 and 4. Notice that the traffic from network port 12 is going into two filters, filters 2 and 3. Because filter 2 is higher priority than filter 3, all of the traffic selected by filter 2 goes to its output port, monitor port 3. However, filter 3 only receives the traffic that was not selected by filter 2. The important point is that if traffic from the same input port goes to more than one filter, the filters must be carefully constructed to make sure that each output receives all of the desired traffic, that is, to be sure that higher priority filters do not "consume" traffic that is needed by lower priority filters. This issue is discussed in more detail in Chapter 3.

• Aggregation plus regeneration. Filter 4 represents a many-to-many type connection. Traffic from network ports 9, 10, and 13 is aggregated, filtered, and regenerated to network ports 5, 7, 8, and 9. Notice that ports labelled network on the front bezel are, in this case, being used as monitor outputs. In fact, network port 9 is acting as both an input and an output simultaneously. The input traffic may be coming from an external Port Aggregator Tap, and the output side of the port is connected to a monitoring device.

• Logical OR. It has already been mentioned that multiple filter qualifiers can be logically AND'd within one filter policy.
Figure 2 shows how to create a logical OR condition of different filter qualifiers. Traffic from monitor port 2 (here being used as a network input) is directed to three filters, numbers 9, 10, and 11. The traffic selected by the three filters is sent to network port 12 (here being used as a monitor output). A logical OR of the qualifiers in filters 9, 10, and 11 has been created, because traffic selected by filter 5 OR selected by filter 6 OR selected by filter 7 goes to network port 12. For example, the three filters could select traffic with three different source IP addresses, and any traffic entering monitor port 2 originating from any of the three IP addresses will be sent to network port 12.

• Complex filters. Filters 8 and 9 combine all of the above elements. Traffic from two input ports is aggregated; the aggregated traffic is filtered by a logical OR of two sets of filter qualifiers; and the traffic selected by the filters is regenerated to two output ports.

The CLI syntax for creating filters is explained in detail in Chapter 3. As an introduction, Figure 4 shows the CLI commands that might be used to create the filters represented in Figure 2. Figure 5 shows how the filters would be displayed in the CLI. Arbitrary filter qualifiers are included in the example for illustration purposes.
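The priority rule described above (a higher-priority filter consumes the traffic it selects, so a lower-priority filter on the same input port sees only the remainder) can be checked offline before filters are committed. The following is an added example, not Net Optics code: it parses the filter add commands of Figure 4 and reports which monitoring outputs would miss traffic. It assumes that creation order equals priority and that qualifiers are exact-match only (masks and ranges are not modelled); the function names and sample packets are constructed for illustration.

```python
# Added example: offline model of the filter-priority behaviour described in this guide.
# Assumptions: the first matching filter in creation order consumes the packet;
# qualifiers are compared as exact values (masks and address ranges are not modelled).

# Commands as shown in Figure 4 of this guide, highest priority first.
FIGURE_4 = """\
filter add in_ports=6 action=redir redir_ports=1
filter add in_ports=8,11,12 ip_protocol=17 action=redir redir_ports=3
filter add in_ports=8 vlan=120 action=redir redir_ports=2,4
filter add in_ports=9-10,13 l4_src_port=80 l4_dst_port=80 action=redir redir_ports=5,7-9
filter add in_ports=2 ip4_src=10.20.30.200 action=redir redir_ports=12
filter add in_ports=2 ip4_src=10.20.30.205 action=redir redir_ports=12
filter add in_ports=2 ip4_src=10.20.30.16 action=redir redir_ports=12
filter add in_ports=3,4 ip4_src=10.20.4.0 ip4_dst=192.168.3.2 action=redir redir_ports=13-14
filter add in_ports=3,4 ip4_src=192.168.3.2 ip4_dst=10.20.4.0 action=redir redir_ports=13-14
"""


def expand_ports(spec):
    """Turn a port list such as '5,7-9' into the set {5, 7, 8, 9}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_filters(text):
    """Parse 'filter add' lines into dicts; priority 1 is the highest."""
    filters = []
    for line in text.splitlines():
        words = line.split()
        if words[:2] != ["filter", "add"]:
            continue
        fields = dict(word.split("=", 1) for word in words[2:])
        filters.append({
            "priority": len(filters) + 1,
            "in_ports": expand_ports(fields.pop("in_ports")),
            "redir_ports": expand_ports(fields.pop("redir_ports")),
            "action": fields.pop("action"),
            "qualifiers": fields,  # what remains, e.g. {'vlan': '120'}
        })
    return filters


def route(filters, packet):
    """Return (priority, output ports) of the first filter selecting the packet."""
    for f in filters:
        if packet["in_port"] not in f["in_ports"]:
            continue
        # All qualifiers of one filter are AND'd together.
        if all(str(packet.get(key)) == value for key, value in f["qualifiers"].items()):
            return f["priority"], f["redir_ports"]
    return None, set()  # no filter in the model selected this packet


def shadowed_pairs(filters):
    """Find (higher, lower, shared input ports, starved output ports) where a
    higher-priority filter can consume traffic the lower one also selects."""
    findings = []
    for index, high in enumerate(filters):
        for low in filters[index + 1:]:
            shared = high["in_ports"] & low["in_ports"]
            if not shared:
                continue
            common = high["qualifiers"].keys() & low["qualifiers"].keys()
            # Different values for the same qualifier mean no packet matches both.
            disjoint = any(high["qualifiers"][k] != low["qualifiers"][k] for k in common)
            starved = low["redir_ports"] - high["redir_ports"]
            if not disjoint and starved:
                findings.append((high["priority"], low["priority"],
                                 sorted(shared), sorted(starved)))
    return findings


if __name__ == "__main__":
    filters = parse_filters(FIGURE_4)
    # Constructed packet: UDP (protocol 17) on VLAN 120 arriving at port 8.
    print(route(filters, {"in_port": 8, "ip_protocol": 17, "vlan": 120}))
    for high, low, shared, starved in shadowed_pairs(filters):
        print(f"filter {high} can consume traffic from port(s) {shared} "
              f"that filter {low} would send to port(s) {starved}")
```

For the Figure 4 filters the only finding is filter 2 over filter 3 on input port 8: UDP packets on VLAN 120 go to port 3 only, so tools attached to ports 2 and 4 never see them.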
    Net Optics> filter add in_ports=6 action=redir redir_ports=1
    Net Optics> filter add in_ports=8,11,12 ip_protocol=17 action=redir redir_ports=3
    Net Optics> filter add in_ports=8 vlan=120 action=redir redir_ports=2,4
    Net Optics> filter add in_ports=9-10,13 l4_src_port=80 l4_dst_port=80 action=redir redir_ports=5,7-9
    Net Optics> filter add in_ports=2 ip4_src=10.20.30.200 action=redir redir_ports=12
    Net Optics> filter add in_ports=2 ip4_src=10.20.30.205 action=redir redir_ports=12
    Net Optics> filter add in_ports=2 ip4_src=10.20.30.16 action=redir redir_ports=12
    Net Optics> filter add in_ports=3,4 ip4_src=10.20.4.0 ip4_dst=192.168.3.2 action=redir redir_ports=13-14
    Net Optics> filter add in_ports=3,4 ip4_src=192.168.3.2 ip4_dst=10.20.4.0 action=redir redir_ports=13-14
    Net Optics> commit
    Net Optics>

Figure 4: Creating the filters in Figure 2

    Net Optics> filter running
    Filter #1 in_ports=6
      mac_src=0:0:0:0:0:0/0:0:0:0:0:0 mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
      ip4_src=0.0.0.0/255.255.255.255 ip4_dst=0.0.0.0/255.255.255.255
      ip_protocol=0 l4_src_port=0/0 l4_dst_port=0/0 vlan=0/0,action=redir redir_ports=1
    Filter #2 in_ports=8,11,12
      mac_src=0:0:0:0:0:0/0:0:0:0:0:0 mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
      ip4_src=0.0.0.0/255.255.255.255 ip4_dst=0.0.0.0/255.255.255.255
      ip_protocol=17 l4_src_port=0/0 l4_dst_port=0/0 vlan=0/0,action=redir redir_ports=3
    Filter #3 in_ports=8
      mac_src=0:0:0:0:0:0/0:0:0:0:0:0 mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
      ip4_src=0.0.0.0/255.255.255.255 ip4_dst=0.0.0.0/255.255.255.255
      ip_protocol=0 l4_src_port=0/0 l4_dst_port=0/0 vlan=0120/65535,action=redir redir_ports=2,4
    Filter #4 in_ports=9,10,13
      mac_src=0:0:0:0:0:0/0:0:0:0:0:0 mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
      ip4_src=0.0.0.0/255.255.255.255 ip4_dst=0.0.0.0/255.255.255.255
      ip_protocol=0 l4_src_port=80/65535 l4_dst_port=80/65535 vlan=0/0,action=redir redir_ports=5,7,8,9
    Filter #5 in_ports=2
      mac_src=0:0:0:0:0:0/0:0:0:0:0:0 mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
      ip4_src=10.20.30.200/255.255.255.255 ip4_dst=0.0.0.0/255.255.255.255
      ip_protocol=0 l4_src_port=0/0 l4_dst_port=0/0 vlan=0/0,action=redir redir_ports=12
    Filter #6 in_ports=2
      mac_src=0:0:0:0:0:0/0:0:0:0:0:0 mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
      ip4_src=10.20.30.205/255.255.255.255 ip4_dst=0.0.0.0/255.255.255.255
      ip_protocol=0 l4_src_port=0/0 l4_dst_port=0/0 vlan=0/0,action=redir redir_ports=12
    Filter #7 in_ports=2
      mac_src=0:0:0:0:0:0/0:0:0:0:0:0 mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
      ip4_src=10.20.30.16/255.255.255.255 ip4_dst=0.0.0.0/255.255.255.255
      ip_protocol=0 l4_src_port=0/0 l4_dst_port=0/0 vlan=0/0,action=redir redir_ports=12
    Filter #8 in_ports=3,4
      mac_src=0:0:0:0:0:0/0:0:0:0:0:0 mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
      ip4_src=10.20.4.0/255.255.255.255 ip4_dst=192.168.3.2/255.255.255.255
      ip_protocol=0 l4_src_port=0/0 l4_dst_port=0/0 vlan=0/0,action=redir redir_ports=13,14
    Filter #9 in_ports=3,4
      mac_src=0:0:0:0:0:0/0:0:0:0:0:0 mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
      ip4_src=192.168.3.2/255.255.255.255 ip4_dst=10.20.4.0/255.255.255.255
      ip_protocol=0 l4_src_port=0/0 l4_dst_port=0/0 vlan=0/0,action=redir redir_ports=13,14
    IPv4 filter resource utilization: 7%
    Net Optics>

Figure 5: Viewing the filters created in Figure 4

Monitoring Links In-line

To tap a network link in-line, use an external network Tap. The Net Optics Fiber Tap HD is an ideal companion for Director Xstream. Fiber Tap HD packages eight fiber taps in a full-wide, 1/2-high chassis that does not require any power or cooling.

[Figure 6: Fiber Tap HD provides eight half-duplex breakout in-line taps in a half-height chassis]

Director Xstream Front Panel

The features of the Director Xstream front panel are shown in the following diagram.
[Figure 7: Director Xstream Front Panel. Port numbering 1 through 24, left to right: 4 SFP+ Monitor Ports followed by 20 SFP+ Network Ports.]

SFP+ Ports
The 24 SFP+ slots across the front panel accept either 10 Gbps SFP+ transceiver modules or 1 Gbps SFP transceiver modules. Different speed transceiver modules can be populated in any mix and Director Xstream performs any necessary data rate conversions. Unused ports can remain unpopulated.

All 24 ports are logically and electrically equivalent, and can be used as network inputs, monitor outputs, or both simultaneously (using a split cable). The four ports on the left are labelled as monitor ports and the remaining ports are labelled as network ports to suggest where you might attach equipment. The ports are numbered 1 through 24 from left to right across the front panel.

Link and Activity LEDs
Each port has a Link LED and an Activity LED located above the port. The Link LED illuminates when the port has established a good link. The Activity LED blinks when traffic is passing through the port.

Director Xstream Rear Panel

The features of the Director Xstream rear panel are shown in the following diagram.

[Figure 8: Director Xstream Rear Panel. AC model and DC model, each showing the management port, the console port, and the redundant hot-swappable power supply modules; the DC terminals are marked "For use with -48V Only".]

Near the middle of the rear panel are two RJ45 connectors. The top connector is the management port, a 10/100/1000 network port for the remote management interfaces and software updates. The CLI runs over an SSH connection through this port. For maximum security you can connect the management port to an isolated management VLAN.
The bottom connector is the console port, an RS232 serial port for local access to the CLI.

At the right side of the rear panel are the dual redundant power supply modules. Director Xstream has two models, one with AC power supplies (universal-input 100-240VAC, 47-63Hz) and one with -48V DC power supplies. In both models, the power supply modules are hot-swappable and have integrated cooling fans. Any one power supply module can power the unit independently; dual supplies provide redundancy to maximize uptime.

Chapter 2 Installing Director Xstream

This chapter describes how to install and connect Director Xstream devices. The procedure for installing Director Xstream follows these basic steps:

1. Plan the installation
2. Unpack and inspect the Director Xstream device
3. Install the SFP+ and SFP modules
4. Rack mount the Director Xstream device
5. Connect power to Director Xstream
6. Connect the command line interface (CLI) console port or management port
7. Log into the CLI
8. Use the CLI Help command
9. Configure Director Xstream parameters using the CLI
10. Connect Director Xstream to the network with Span ports and in-line links
11. Connect monitoring tools to Director Xstream
12. Configure a Matrix Switch connection in Director Xstream
13. Check the installation

Plan the Installation

Before you begin the installation of your Director Xstream device, determine the following:

• IP address of the Director Xstream device, or a range of IP addresses if you are deploying multiple Director Xstream devices
• Net Mask and Gateway address for Director Xstream
• Port assignments and filters for the network and monitor port connections

Make sure you have a suitable location to install the Director Xstream device. For power redundancy, use two independent power sources.
Installation in a Restricted Access Location in Finland and Norway

Because of concerns about unreliable earthing in Finland and Norway, this equipment must be installed in a Restricted Access Location (RAL) in these countries. An RAL is defined as an access that can be gained only by trained service personnel who have been instructed about the reasons for the restricted access and any safety precautions that must be taken. In these cases, the use of a tool (such as lock and key) or other means of security is required for access to this equipment.

Unpack and Inspect the Director Xstream device

Carefully unpack the Director Xstream device, power supplies, and all cables that are provided. Director Xstream is delivered with the following:

• (1) Director Xstream device
• (2) Power cords
• (2) Cables, 3 Meter, RJ45, CAT 5e 4-Pair
• (1) DB9-to-RJ45 RS232 adapter for use with the CLI
• Screws and washers for mounting the device
• Director Xstream Quick Install Guide
• (1) CD containing the Director Xstream User Guide (this document) and CLI Command Reference manual
• Extended Warranty if purchased

Check the packing slip against parts received. If any component is missing or damaged, contact Net Optics Customer Service immediately at +1 (408) 737-7777. (Note: SFP+ and SFP modules are ordered and shipped separately.)

Install SFP+ and SFP transceiver modules

SFP+ and SFP transceiver modules are shipped separately. Install them as desired in the SFP+ slots in the front on the chassis. For each module, remove the temporary plug from the SFP+ slot and insert the module until it clicks into place. Unused ports do not need to be populated with transceiver modules.

Note: Net Optics warrants operation with SFP+ and SFP modules sold by Net Optics only.
________________________________________________________________________________________________________ Rack Mount the Director Xstream device Director Xstream is designed for mounting in a 19-inch rack, occupying one rack unit of height. To mount the Director Xstream device, simply slide it into the desired rack location and secure it using the supplied screws and washers at both sides of the front panel. The chassis is not designed for rear mounts. Connect Power to Director Xstream Supply AC power to Director Xstream using the power cords that were included with the unit; for DC power, you must supply your own cables. If you plan to use redundant power, make sure that you connect the power supplies to two separate, independent power sources for maximum protection. 11 Director Xstream Note:___________________________________________________________________________________________________ Each AC or DC power source should be independent of the other in order to have power redundancy. If you do not require power redundancy, the unit can be operated with a single power cord connected to a single AC or DC power source. In this case, either AC or DC power connector on the rear of the unit can be used for the connection. ________________________________________________________________________________________________________ Use the following procedures to safely connect AC or DC power to the unit. Management Port 1 0 1 0 Console Port AC Models Independent Power Sources Figure 9: Connecting redundant AC power supplies - - + + Caution:_ ______________________________________________________________________________________________ Management Port For use with -48V Only For use with -48V Only Use the AC power cords supplied with the product. If you use other AC power cords, they should have a wire gauge of at least 22 and a 230VAC 5A rating. Be sure to use a three-prong cords and connect them to sockets with good earth DC Models grounds. 
To connect AC input power on AC models:

1. Connect one of the AC power cords to one of the AC power connectors on the rear panel.
2. Install a power supply clip over it to keep the AC power cord from accidentally being unplugged from the AC power connector.
3. Plug the other end of the cord into an AC power source.
4. Push the "1" side of the module's power switch to activate power. The switch illuminates to indicate that power is active.
5. Repeat Steps 1 to 4 for the other AC power cord, connecting it to the remaining AC power connector on the rear panel.

Figure 10: Connecting redundant DC power supplies

Caution: DC power cables should have a wire gauge of at least 16 and a 72VDC 4A rating. Always connect the earth grounds first, and keep the earth grounds connected whenever you are working on the device. When disconnecting the device from DC power, remove the earth ground connections last.

To connect DC input power on DC models:

1. If you have not already done so, unpack the Director Xstream and verify that you have appropriate DC power cables. You also need a Phillips screwdriver to complete the installation.
2. If present, remove the protective covers from the DC power terminal blocks.
3. Connect an earth ground lead to the terminal labeled with the ground symbol ( ), which is the left-most terminal, on both DC power terminal blocks on the rear of the chassis.
Use the screwdriver to tighten the connections.
4. Connect one of the DC power cables to one of the DC power terminal blocks on the rear panel. Connect the negative (-48VDC) side of the cable to the terminal labeled with the minus symbol (—) and the positive (0V) side of the cable to the terminal labeled with the plus symbol (+). The minus terminal is in the center and the plus terminal is on the right. Use the screwdriver to tighten the connections.
5. Repeat Step 4 for the other DC power cable, connecting it to the remaining DC power terminal block on the rear panel.
6. Carefully connect the other ends of the DC power cables to two -48VDC power sources. If possible, turn off the power to the power source while you are making these connections. Be sure to connect the positive sides of the cables to the positive sides of the power sources, and the negative sides of the power cables to the negative sides of the power sources.

Warnings and Symbols

Warnings on product

WARNING: Warranty void if removed

Two of the labels illustrated above cover screws on the chassis top cover near the front corners. They prevent you from taking the cover off without voiding your warranty. You should not take the cover off because there are no user-serviceable parts inside, and there is a danger of electrical shock.

Symbols on product

• Indicates WEEE compliance
• Indicates CE compliance
• Indicates RoHS compliance
• Indicates C-Tick compliance
• Indicates VCCI compliance
• Indicates MET compliance (U.S.A. safety)

Connect the local CLI Interface

All configuration options, filters, and status can be accessed using the Director Xstream Command Line Interface (CLI). You can run the CLI locally over the RS232 serial port or remotely over the management port. If you choose to run the CLI locally, connect a cable from the console RJ45 RS232 port on the back of the Director Xstream chassis to your computer.
You can use a standard CAT5 network cable such as the one supplied with the unit; an adapter is provided to connect one end of the cable to a DB9 serial port on your computer. Alternately, you can obtain a USB serial adapter from your local computer store, and use it to connect through a USB port on your computer. The computer needs to have terminal emulation software such as HyperTerminal or minicom to access the Director Xstream CLI.

To connect the CLI for local use over the RS232 serial port:

1. Connect a PC with terminal emulation software such as HyperTerminal (or a Linux workstation running minicom) to Director Xstream using a network cable and a DB9 or USB serial adapter.

Figure 11: Connecting RS232 Cable to Director Xstream

2. Launch terminal emulation software and set the communication parameters to:

• 115200 baud
• 8 data bits
• No parity
• 1 stop bit
• No flow control

The Net Optics CLI banner and login prompt are displayed in the Terminal Emulation software.

    ***********************************************************
    * Net Optics Command Line Interface (CLI)                 *
    * for Director                                            *
    *                                                         *
    * Copyright (c) 2008-2010 by Net Optics, Inc.             *
    *                                                         *
    * Restricted Rights Legend                                *
    *                                                         *
    * Use, duplication, or disclosure by the Government is    *
    * subject to restrictions as set forth in subparagraph    *
    * (c) of the Commercial Computer Software - Restricted    *
    * Rights clause at FAR sec. 52.227-19 and subparagraph    *
    * (c)(1)(ii) of the Rights in Technical Data and Computer *
    * Software clause at DFARS sec. 252.227-7013.             *
    *                                                         *
    * Net Optics, Inc.                                        *
    * 5303 Betsy Ross Drive                                   *
    * Santa Clara, California 95054                           *
    * (408) 737-7777                                          *
    * e-mail: [email protected]                               *
    *                                                         *
    ***********************************************************
    user login:

Figure 12: CLI sign-on banner

3. Enter the user name. (The default user name is admin.) The Enter Password prompt is displayed.
4. Enter the password. (The default password is netoptics.) For security, the password is not displayed as you type it. The Help command is automatically executed and the CLI prompt is displayed.

    login user: admin
    password:
    Net Optics> help

    Director Xstream Main Help Menu

    Command        Description
    -------------  ---------------------------------------------------------
    ![#]           - !number or up/down key for previous command
    commit         - activate pending configuration changes
    del            - delete configuration file <filename>
    filter         - configure filters
    help           - view CLI usage
    history        - display command history list
    image          - show and switch boot image
    list           - list configuration files
    load           - load configuration from <filename>
    logout         - exit current CLI session
    ping           - ping <ipaddr>
    port           - configure ports
    save           - save configuration to <filename>
    show           - show configuration: 'running', 'factory', or <filename>
    stats          - show or clear port statistics
    sysip          - show and set system IP address
    system         - show and set system parameters or restart system
    upgrade        - upgrade alternate boot image file
    user           - manage user accounts
    quit or exit   - exit current CLI session

    Net Optics>

Figure 13: Logging into the CLI

Tip! If you leave the system password at its default value, your system will be vulnerable to unwanted intrusions. Be sure to change it using the procedure Change the Director Xstream Login Password on page 20.

Connect the remote CLI Interface

To run the CLI remotely, connect a network cable from a network switch to the management port on the back of the Director Xstream chassis. Use any computer with an SSH client to access the CLI over the network.
Note: Before connecting to the remote CLI interface for the first time, you must connect to the CLI locally and use the procedure on page 20 to assign Director Xstream an IP address that is available on your network.

Tip! PuTTY is a freeware SSH client for Windows that can be downloaded from many sites on the Internet.

To connect the CLI for remote use over the Management port:

1. Connect the Director Xstream Management port to a network switch using a network cable.
2. Open Director Xstream from an SSH client on the network, using the IP address you assigned using the local CLI. The SSH port is 22. Director Xstream displays the shell login prompt.

Note: Your SSH client might give you a security warning if the RSA key in Director Xstream is not known to the client, or does not match the RSA key known to the client (because you have regenerated the RSA key in Director Xstream). Different SSH clients can require different actions to enable them to accept the new RSA key. For example, in OS X and many Linux/Unix SSH clients, you need to locate the file known_hosts in the hidden directory ~/.ssh/ in your home directory and remove the entry for the Director Xstream IP address, or simply delete the file.

3. Enter director to log into the shell. The shell asks for the password.
    login as: director
    [email protected]'s password:

Figure 14: Shell login

Note: For some SSH clients, Steps 2 and 3 can be combined into a single command ssh [email protected].

4. Enter netoptics as the password. For security, the password is not displayed as you type it. The Director Xstream CLI runs and the CLI sign-on banner and help menu are displayed.

    login as: director
    [email protected]'s password:
    Last login: Thu Sep 4 09:40:31 2008 from 10.30.10.2
    [CLI sign-on banner and Main Help Menu, identical to Figures 12 and 13]
    Net Optics>

Figure 15: Shell login as director (password "netoptics" is not displayed)

Use the CLI Help Command

To view CLI help information:

1. Enter Help (or ?) at the "Net Optics>" prompt. The Director Xstream Main Help Menu is displayed.
2. To view the syntax for changing Director Xstream filter parameters, enter help filter.
3. Repeat Step 2 with the command of interest to view the syntax for any command available in the CLI.

For a complete description of all of the CLI commands, see Appendix B.

Tips! Help for an individual command is also displayed if the command is entered without the proper arguments. The tab key or the space bar can be used to automatically complete words in the CLI. This function works for commands as well as arguments.
For example, typing the letter "i" followed by the tab key results in "image" being entered in the command line. Likewise, "pi<tab>" auto-completes to the "ping" command. However, "p<tab>" does not auto-complete, because it is ambiguous between the "ping" and "port" commands. To display a list of sub-commands and arguments for any command, press the ? key after entering the command. (A space is required between the command and the ?.) For example, type "filter add ?" to display a list of all the arguments that can be used to complete the command.

Configure Director Xstream using the CLI

You should be logged into the Director Xstream CLI. The factory-set default values for Director Xstream are:

• Username: admin
• Password: netoptics
• IP Address: 10.60.4.180 (address for remote CLI, and for Indigo manager software, when available)
• Netmask: 255.0.0.0 (associated with IP Address)
• Manager IP Address: 192.168.1.2 (address for SNMP traps)
• Gateway IP Address: 10.0.0.1 (associated with Manager IP Address)
• All ports enabled, full duplex, maximum speed, and autonegotiation on
• Jumbo packets: Off

A complete list of CLI commands can be viewed by typing Help at the CLI prompt. It is also provided in Appendix B.

You will now use the CLI to:

• Change the login password
• Assign a new IP Address, Netmask, and Gateway IP Addresses
• Disable a port or change port speed
• Save and load Director Xstream configurations
• Use the CLI command history buffer
• Understand the commit commands

Your CLI screen should be displaying the "Net Optics>" prompt as shown here:

    Net Optics>

If you do not see the "Net Optics>" prompt, try typing Help followed by the Enter key. If the prompt is still not displayed, repeat the instructions in the preceding section Connect the local CLI Interface or Connect the remote CLI Interface and log in again.
Change the Director Xstream Login Password

It is strongly recommended that you change the login password from the default to provide security against unauthorized access.

To change the login password:

1. Enter user mod name=admin pw=<new password> priv=1. The password is changed.
2. Record the new password in a secure location.

If you want to change the user name, use the user add command to create a new user account under that name. You can use the user del command to delete a user account. (The admin account cannot be deleted unless another account with admin privileges exists.)

Assign a New Director Xstream IP Address, Netmask, and Gateway IP Address

Using the local RS232 serial interface to access the CLI, you need to configure the IP Address that will be used to access the Director Xstream CLI over SSH, and also to communicate with Indigo management software, when available. If Director Xstream must communicate through a Gateway to reach the network, then set the Gateway IP Address for that Gateway.

If you are running the CLI remotely, you can change the IP Address, but when you do, you will lose your SSH connection since it is talking to the old IP Address. In that case, initiate a new SSH session to the new IP address and you can continue using the CLI remotely.

To assign a new IP Address, Netmask, and Gateway IP Address to Director Xstream:

1. Enter sysip show. The current IP Address, Netmask, and Gateway IP Address are displayed.
2. Enter sysip set ipaddr=<new ip address> mask=<new netmask> gw=<new gateway>. The IP Address, Netmask, and Gateway IP Address are made pending.
3. Enter sysip show. Verify that the displayed "Pending Sysip Info" IP Address, Netmask, and Gateway IP Address are the desired values.
4. Enter sysip commit to activate the new IP Address, Netmask, and Gateway IP Address.
Example:

    sysip set ipaddr=10.60.4.180 mask=255.0.0.0 gw=10.0.0.1
    sysip commit

Note: The sysip set command requires that all three arguments are present. The sysip changes must be committed using the sysip commit command. The simple commit command does not commit sysip changes.

Disable a Port or Change Port Speed

To disable a port, type port set ports=<n> admin=disable, where <n> is the number of the port you want to disable. To enable a port, type port set ports=<n> admin=enable. To view the current status of all of the ports, type port show.

Tip! You can change the modes of multiple ports in a single command by specifying the ports in the portlist. Use a comma to separate items in the list, and use a dash (-) to indicate a range. For example, this portlist includes the first three monitor ports and the first network port: ports=1-3,5

Note: By default, ports are disabled and the speed is 10000 (10G). To bring up all the ports, type port set ports=all admin=enable speed=10000. If you install 1G SFP transceivers in any ports, be sure to set their speed in the CLI to 1G by typing port set ports=<n> speed=1000. 10/100/1000 SFP transceivers and 10 Mbps and 100 Mbps links are not currently supported.
Save and Load Director Xstream Configurations

The entire configuration of Director Xstream, including port configurations and filters, can be saved to and loaded from files stored on Director Xstream's internal disk. When working with these files from within the CLI, specify only a filename (up to 32 characters long) without an extension.

The current configuration is kept in a file named running, which is updated whenever a commit command is executed (but not filter commit; see Understand the Commit Commands on page 22). This file is automatically loaded at power up or when the system is reset, so your configuration is persistent. However, you might want to save copies of various configurations that you use for different purposes. For example, each person that uses the device can maintain a separate configuration.

To save the Director Xstream configuration:
• Enter save <filename> where <filename> is the name for this configuration. The configuration is saved.

To load a Director Xstream configuration:
• Enter load <filename> where <filename> is the name of a saved configuration. The configuration is loaded.

To view a list of all saved Director Xstream configurations:
• Enter list. A list of Director Xstream configurations is displayed.

To view a saved Director Xstream configuration:
• Enter show <filename> where <filename> is the name of a saved configuration. The configuration is displayed.

Use the CLI Command History Buffer

You can save some typing by using the command history buffer maintained by the CLI. The up- and down-arrow keys scroll forward and backward through the history buffer. To execute a command again, simply scroll to that command and press enter. Alternately, you can scroll to a command and then edit it in-line before executing it. You can see a history of all the buffered commands by entering the history command.
Any command in the history buffer can be accessed directly by entering ![#] where [#] is the number of the command in the buffer. Operation of the command history buffer is illustrated in the following example.

    Net Optics> show
    show running - show running-configurations
    show factory - show factory-configurations
    show <filename> - show configurations in the file
    Net Optics> list
    Configuration Files
    ------------------
    test-1
    test-3
    Net Optics> help ping
    ping <ipaddr> - ping specified IP address
    Net Optics> sysip show
    Active System IP Address
    -----------------------
    IP addr: 10.60.4.178
    IP mask: 255.0.0.0
    Gateway: 10.0.0.1
    Net Optics> history
    1: show
    2: list
    3: help ping
    4: sysip show
    Net Optics> !3
    Net Optics> help ping
    ping <ipaddr> - ping specified IP address
    Net Optics>

Figure 16: CLI command history buffer

Understand the Commit Commands

Many operations in Director Xstream follow a two-step process of first creating the changes you want, and then activating them with some form of a commit command. Changes that have not been activated are called pending changes. When changes are committed, they become active in Director Xstream and they become persistent, meaning that the changes stay in effect even if Director Xstream is restarted or power-cycled.

The only exception to this rule is that the filter commit command makes pending filter changes active, but not persistent. filter commit can be used to try out new filters, but the previous set of filters can be recovered by restarting Director Xstream. Filter changes become persistent with a commit command, which can be executed with or without first executing a filter commit command. The commit command is a global commit for all pending changes except for sysip changes.

The following table lists all of the settings that use the pending/commit model, and tells you which commit commands affect them.

    Setting                                  Commit commands                 Persistent?
    ---------------------------------------  ------------------------------  -----------
    filter add, delete, insert               commit                          yes
                                             filter commit                   no
    remote set                               commit                          yes
                                             remote commit                   yes
    server add, del, mod                     commit                          yes
                                             server commit                   yes
    snmp set, user_add, user_del, user_mod   commit                          yes
                                             snmp commit                     yes
    sysip set                                sysip commit (but not commit)   yes
    system set                               commit                          yes

Connect Span Ports to Director Xstream

To connect Director Xstream to the network using Span ports, plug the appropriate cable into a Director Xstream port. Plug the other end of the cable into the Span port of the switch. The Link LED for the port illuminates after a short delay to indicate that a link has been established. If traffic is flowing from the switch Span port to the Director Xstream port, the Activity LED blinks. Repeat for all desired Span port connections.

Figure 17: Span port connections

Connect Director Xstream to the Network with In-line Taps

To connect Director Xstream to the network using an in-line installation, use external taps or port aggregator taps. For example, make an in-line connection using the Fiber Tap HD as shown in figure 18.

Figure 18: Making an in-line network connection using Fiber Tap HD

Note: If you cannot see data on the monitor port of a fiber tap, you might have the TX and RX fibers reversed. Try switching them to fix the problem. If the in-line link is passing data but you cannot see any monitoring data, try reversing the TX and RX fibers on both of the link's network ports. In this case, you must reverse both of the ports together in order to maintain the in-line link traffic.
Tip! When using a half-duplex breakout tap (such as the Fiber Tap HD), the two half-duplex monitor data connectors can be plugged into any of the Director Xstream ports. They do not have to be adjacent ports.

Connect Monitoring Tools to Director Xstream

To connect a monitoring tool to Director Xstream, simply plug the appropriate cable into the desired monitor port and plug the other end into the monitoring tool. The Link LED for the port should illuminate after a short delay to indicate that a link has been established. Repeat for all desired monitoring tool connections.

Configure a Matrix Switch connection in Director Xstream

In order to monitor a network link, Director Xstream must be configured to copy the traffic from a network port to a monitor port. A simple connection is described in this section, operating Director Xstream as a matrix switch. For more complex switching and filtering, see Chapter 3.

To monitor the traffic being received on port 5 with the tool connected to port 2:

1. Enter filter add in_ports=5 action=redir redir_ports=2. The switch connection is pending.
2. Enter filter commit. The switch connection is activated.
3. Verify that traffic present on network port 1 is visible on monitor port 2.

Check the Installation

You have connected Director Xstream to the network, monitoring tools, and power. It should now be functioning correctly. Check the status of the following:

• Check the link status LEDs located on the front panel to verify that the links are connected.
• Verify that traffic present on port 5 is visible on port 2.
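The pending/commit rules from Understand the Commit Commands earlier in this chapter, as an added Python example that is not part of the Net Optics guide or CLI: it shows which changes are still active after a restart. The class and function names are hypothetical, each settings area is treated as a single value, and discarding pending changes on restart is an assumption.

```python
import copy

# Settings areas that use the pending/commit model (table in "Understand the Commit Commands").
AREAS = ("filter", "remote", "server", "snmp", "sysip", "system")
# Areas with their own "<area> commit" command; "system" is committed only by plain "commit".
OWN_COMMIT = ("filter", "remote", "server", "snmp", "sysip")
# Constructed starting configuration; only the sysip value is taken from the guide's defaults.
FACTORY = {"filter": [], "sysip": "10.60.4.180"}


class CommitModel:
    """Tracks pending, active and persistent values for each settings area."""

    def __init__(self, factory):
        # 'persistent' stands in for the 'running' file that is loaded at power up.
        self.persistent = {area: copy.deepcopy(factory.get(area)) for area in AREAS}
        self.active = copy.deepcopy(self.persistent)
        self.pending = {}

    def change(self, area, value):
        """Stands in for 'filter add', 'sysip set' and so on: the change is only pending."""
        if area not in AREAS:
            raise ValueError(f"unknown settings area: {area!r}")
        self.pending[area] = value

    def _activate(self, area):
        if area in self.pending:
            self.active[area] = self.pending.pop(area)

    def _persist(self, area):
        self.persistent[area] = copy.deepcopy(self.active[area])

    def run(self, command):
        """Apply 'commit' or '<area> commit'; return the areas written to 'running'."""
        words = command.split()
        if words == ["commit"]:
            # Global commit: every area except sysip becomes active and persistent.
            written = [area for area in AREAS if area != "sysip"]
            for area in written:
                self._activate(area)
                self._persist(area)
            return written
        if len(words) == 2 and words[1] == "commit" and words[0] in OWN_COMMIT:
            area = words[0]
            self._activate(area)
            if area == "filter":
                return []              # filter commit: active, but not persistent
            self._persist(area)
            return [area]
        raise ValueError(f"not a commit command: {command!r}")

    def restart(self):
        """Restart or power cycle: the persistent configuration becomes active again."""
        self.active = copy.deepcopy(self.persistent)
        self.pending = {}              # assumption: pending changes are discarded


def survives_restart(commands, area, value, factory=FACTORY):
    """True if `value`, made pending in `area`, is still active after the restart."""
    model = CommitModel(factory)
    model.change(area, value)
    for command in commands:
        model.run(command)
    model.restart()
    return model.active[area] == value


if __name__ == "__main__":
    new_filter = ["in_ports=5 action=redir redir_ports=2"]
    print(survives_restart(["filter commit"], "filter", new_filter))
    print(survives_restart(["filter commit", "commit"], "filter", new_filter))
    print(survives_restart(["commit"], "sysip", "10.60.4.181"))
    print(survives_restart(["sysip commit"], "sysip", "10.60.4.181"))
```
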
Chapter 3
Configuring Filters Using the CLI

This chapter describes how to use the CLI to determine which monitoring tools are connected to which network ports. It also explains how to create filters to limit the amount of traffic copied to monitor ports, so the monitoring tools receive only the traffic that is of interest to them. In this chapter, you will learn to:

• Copy traffic from any network port to any monitor port
• Aggregate traffic from any set of network ports to any monitor port
• Regenerate traffic from any aggregated set of network ports to any set of monitor ports
• Create filters
• Create complex filters
• View filters
• Understand filter interactions
• Understand pending and active filters
• Understand filter capacity

For a complete listing of filter commands in the CLI, see Appendix B.

Syntax

In the CLI, Director Xstream ports are numbered 1 through 24 going left to right across the front panel. The front panel is labelled to show port numbers 1 through 4 as monitor ports, and 5 through 24 as network ports, but any port can be included in a filter in_ports or redir_ports portlist. A portlist is a list of ports separated by commas; dashes can be used to specify ranges; for example, 1,2,3 and 1-3 mean the same thing. Space characters are not allowed in portlists (do not put a space after the comma).

When you define a filter, you specify an action to be taken when the filter conditions are met. The action can be either drop or redir (meaning redirect). If the action is drop, then packets which meet the filter criteria are dropped, that is, they are not copied to any monitor port. If the action is redir, then packets which meet the filter criteria are copied to all monitor ports listed in the redir_ports=<portlist> argument.

Copy Traffic From Any Network Port to Any Monitor Port

Director Xstream can be used like a matrix switch to direct traffic from any network port to any monitor port.
To create a simple switch connection, use a filter add command without specifying any filter qualifiers. (Simple switches are still referred to as filters, even if they don't perform any filtering action.) The filter add command creates pending filters (including switch settings); they are not activated until a filter commit command is executed. Any number of filter add commands can be issued prior to executing the filter commit command. Other CLI commands can be executed between the filter add commands as well.

Note: The filter commit command is similar to the commit command. However, filter commit activates the new filters in a dynamic fashion; when Director Xstream is reset, the running configuration file is restored and the new filters are lost. When a commit command is executed, the new filters are activated AND they are stored in the running configuration file, so they survive a Director Xstream restart.

To monitor port 5 traffic on port 2, and port 7 traffic on port 1:

1. Enter filter add in_ports=5 action=redir redir_ports=2. The switch connection is pending.
2. Enter filter add in_ports=7 action=redir redir_ports=1. The switch connection is pending.
3. Enter filter commit. The switch connection is activated.

    filter add in_ports=5 action=redir redir_ports=2
    filter add in_ports=7 action=redir redir_ports=1

Figure 19: Matrix switch connections

Aggregate Traffic From Any Set of Network Ports to Any Monitor Port

Director Xstream can be used like a Port Aggregator or a Link Aggregator, copying traffic from multiple network ports to any monitor port. The filter add command is again used to do this.
The only difference from using the command to connect a single network port to a single monitor port is that a list of network ports is specified.

To copy aggregated traffic from port 5 and port 24 to port 3:

1. Enter filter add in_ports=5,24 action=redir redir_ports=3. The aggregation connection is pending.
2. Enter filter commit. The aggregation connection is activated.

    filter add in_ports=5,24 action=redir redir_ports=3

Figure 20: Traffic aggregation

Regenerate Traffic to Any Set of Monitor Ports

Director Xstream can be used like a Regeneration Tap, copying traffic from a network port (or aggregated group of network ports) to multiple monitor ports. The filter add command is used to do this. The only difference from using the command to connect a single or multiple network ports to a single monitor port is that a list of monitor ports is specified.

To regenerate traffic from port 16 to ports 3, 4, and 5:

1. Enter filter add in_ports=16 action=redir redir_ports=3-5. The regeneration connection is pending.
2. Enter filter commit. The regeneration connection is activated.

    filter add in_ports=16 action=redir redir_ports=3-5

Figure 21: Traffic regeneration

To aggregate traffic from ports 1 and 2 and regenerate the resulting stream to ports 9 and 10:

1. Enter filter add in_ports=1-2 action=redir redir_ports=9,10. The aggregation/regeneration connection is pending.
2. Enter filter commit. The aggregation/regeneration connection is activated.

    filter add in_ports=1-2 action=redir redir_ports=9,10

Figure 22: Combined aggregation and regeneration

Create Filters

Filters process a traffic stream by selecting packets based on criteria in the packet header. A filter is defined using a filter add command, which also specifies the input (network) ports and output (monitor) ports the filter applies to.
The filter add command specifies the following behavior:

• Traffic is aggregated from all the listed input ports
• The aggregated traffic is compared to the filter qualifiers
• Packets which match all of the specified filter qualifiers are copied to all of the listed output ports, assuming the action=redir
• If the action=drop, the matching packets are not copied to any output port; this mechanism is used to create exclusive filters (see Exclusive filters on page 34)

To send port 1 a copy of all traffic received at port 5 from IP addresses 192.168.10.0 to 192.168.10.15:

1. Enter filter add in_ports=5 ip4_src=192.168.10.0 ip4_src_mask=255.255.255.240 action=redir redir_ports=1. A filter has been defined to select all IPv4 packets from port 5 with a source IP address of 192.168.10.0 and the lowest four address bits masked out (ignored); packets matching the filter are copied to port 1.
2. Enter filter commit. The filter is activated.

    filter add in_ports=5 ip4_src=192.168.10.0 ip4_src_mask=255.255.255.240 action=redir redir_ports=1

Figure 23: Simple IP address filter with a mask

To create a filter that selects IPv4 packets by protocol:

1. Enter filter add in_ports=3 ip_protocol=6 action=redir redir_ports=6,8. A filter has been defined to select all IPv4 packets received at network port 3 that use the TCP protocol and copy them to monitor port 6 and monitor port 8. (Protocols are designated by an industry-standard numbering system. See Appendix C for details.)
2. Enter filter commit. The filter is activated.
Figure 24: Simple IPv4 protocol filter (with regeneration)

Available filter qualifiers are listed in Appendix B and include:
• ip_protocol                        IP protocol
• ip4_src, ip4_src_mask              IPv4 source address and mask
• ip4_dst, ip4_dst_mask              IPv4 destination address and mask
• ip6_src, ip6_src_mask              IPv6 source address and mask
• ip6_dst, ip6_dst_mask              IPv6 destination address and mask
• l4_src_port, l4_src_port_mask      Layer 4 source port and mask
• l4_dst_port, l4_dst_port_mask      Layer 4 destination port and mask
• mac_src, mac_src_mask              Source MAC address and mask
• mac_dst, mac_dst_mask              Destination MAC address and mask
• vlan, vlan_mask                    VLAN number

Create Complex Filters

Multiple filter qualifiers can be specified in a single filter add command. Packets must satisfy all of the filter qualifiers to be selected; in other words, the filter qualifiers have a logical AND connection.

To select all TCP traffic arriving from IP address 192.186.10.0:
1. Enter filter add in_ports=5 ip4_src=192.186.10.0 ip_protocol=6 action=redir redir_ports=1. A filter has been defined to select all TCP packets from network port 5 with a source IP address of 192.186.10.0; packets matching the filter are copied to monitor port 1.
2. Enter filter commit. The filter is activated.

Figure 25: Logical AND filter connection

A logical OR connection can be made between filters by specifying multiple filters with the same network and monitor port lists.

To select all packets which are either TCP or UDP protocol:
1. Enter filter add in_ports=5 ip_protocol=6 action=redir redir_ports=1. A filter has been defined to select all TCP packets from port 5 and copy them to port 1.
2. Enter filter add in_ports=5 ip_protocol=17 action=redir redir_ports=1.
Another filter has been defined to select all UDP packets from port 5 and copy them to port 1.
3. Enter filter commit. The filters are activated.

Figure 26: Logical OR filter connection

View Filters

To view a list of all pending filters, enter filter list. To view the active filters, enter filter running.

    Net Optics> filter list
    Filter #1
    in_ports=5
    mac_src=00:00:00:00:00:00/00:00:00:00:00:00
    mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
    ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
    ip_protocol=0006
    l4_src_port=0000/0000,l4_dst_port=0000/0000,vlan=0000/0000,action=redir
    redir_ports=1
    Filter #2
    in_ports=5
    mac_src=00:00:00:00:00:00/00:00:00:00:00:00
    mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
    ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
    ip_protocol=0017
    l4_src_port=0000/0000,l4_dst_port=0000/0000,vlan=0000/0000,action=redir
    redir_ports=1
    IPv4 filter resource utilization: 1%
    Net Optics>

Figure 27: Filter list command

Tip! The ID number (Filter #) shown above each filter in the filter list is the ID that applies for filter del id=<id> and filter ins id=<id> commands, because all three commands act on the pending filter list. Do not use the IDs in a filter running list as the reference for filter del or filter ins commands.

Understand Filter Interactions

It is important to understand that Director Xstream uses Content Addressable Memory (CAM) technology to implement filters. As each filter is defined, it is stored in the next available entry in the CAM.
Each packet header is compared in the CAM, and the CAM returns the index of the first filter that the packet header matches. That filter, and only that filter, controls which monitoring ports receive a copy of the packet. Other filters are not executed for that packet. Therefore, filters are not completely independent; one filter can affect the operation of another.

Let's walk through an example of a filter interaction that might be unexpected. First, we will set up a filter for an IP address:

    filter add in_ports=5 ip4_src=192.186.10.0 action=redir redir_ports=1
    filter commit

    CAM address   Filter
    1             port 5 → ip4_src=192.186.10.0 → port 1

Figure 28: A simple IP address filter, shown with CAM

All traffic from port 5 that comes from IP address 192.186.10.0 matches the first CAM entry and therefore is copied to port 1. Next, suppose we want another monitoring tool to see all the TCP traffic from port 5, so we set up this filter:

    filter add in_ports=5 ip_protocol=6 action=redir redir_ports=2
    filter commit

    CAM address   Filter
    1             port 5 → ip4_src=192.186.10.0 → port 1
    2             port 5 → ip_protocol=TCP → port 2

Figure 29: Incorrect flow diagram of two filters; filter interaction in CAM is neglected (filter interactions are not shown)

Have we achieved our goal of sending all the TCP traffic to port 2? Not quite. When a TCP packet arrives from 192.186.10.0, it should go to both port 1 and port 2. What actually happens is that the packet matches the filter at CAM address 1, so it is copied to port 1. But that is all that happens; it does not go to port 2. The flow is shown correctly in the following diagram.
    CAM address   Filter
    1             port 5 → ip4_src=192.186.10.0 → port 1    (match: copied to monitor port 1 only)
    2             port 5 → ip_protocol=TCP → port 2          (reached only when entry 1 does not match)

Figure 30: Correct flow diagram for two interacting filters

To achieve the desired result of sending all TCP traffic to monitor port 2, insert an additional filter at the top of the CAM that sends traffic meeting both criteria to both monitor ports, by entering:

    filter ins id=1 in_ports=5 ip4_src=192.186.10.0 ip_protocol=6 action=redir redir_ports=1,2
    filter commit

The flow diagram now looks as follows.

    CAM address   Filter
    1             port 5 → ip4_src=192.186.10.0 ip_protocol=TCP → port 1, port 2
    2             port 5 → ip4_src=192.186.10.0 → port 1
    3             port 5 → ip_protocol=TCP → port 2

Figure 31: Correct way to send all TCP traffic to monitor port 2

Now, packets that match both the IP address and protocol conditions are copied to both monitor ports, while packets that match only one of the conditions are directed to the desired monitor port.

Note: Instead of filter add, you can use a filter ins command to define filters. The only difference is that filter ins allows you to specify the filter's ID, which is its position in the pending filter list. (Use filter list to see the IDs of all pending filters.)
When you use a filter ins command, include an argument id=<id> where <id> is a decimal number in the range 1 to 999. For example:
    filter ins id=2 in_ports=1 out_ports=2
defines a filter that sends all the traffic from port 1 to port 2 and places this filter in the second location in the pending filter list.

Tip! The filter del command can be used to delete a filter from the pending filter list. The syntax is filter del id=<id> where <id> is a decimal number in the range 1 to 999 corresponding to the position in the pending filter list. Use the filter list command to see the IDs of all pending filters.

Exclusive filters

Filters can be specified using action=drop in order to create exclusive filters. (An exclusive filter excludes packets rather than including them.) For example, suppose you would like to monitor all traffic on a link except for the UDP traffic. To specify this filter, use the following commands. Note that the drop filter must come first so it is earlier in the CAM.

    filter add in_ports=5 ip_protocol=17 action=drop
    filter add in_ports=5 action=redir redir_ports=1
    filter commit

    CAM address   Filter
    1             port 5 → ip_protocol=UDP action=drop    (match: dropped)
    2             port 5 → port 1                          (all other traffic)

Figure 32: Creating an exclusive filter

Tip! Filters that use exclusive sets of network ports (in other words, each network port is included in only a single filter) do not interact.
For example,
    filter add in_ports=1-5 <filter_parameter_list> <monitor_port_list>
does not interact with
    filter add in_ports=6-10 <filter_parameter_list> <monitor_port_list>

Understand Pending and Active filters

To understand the actions of filter commands such as filter commit, filter discard, and filter delete, it is helpful to visualize the pending filter list and the CAM that holds the active filters.

The previous section explained how the active filters are stored in a CAM, which can be thought of as a list of active filters. These filters, which are actively running in the device, can be referred to as active, running, or committed.

Pending filters, that is, filters that have been defined using filter add and filter ins commands but not yet committed, are kept in a pending filter list that shadows the CAM. These filters can be referred to as pending or uncommitted.

The following table shows which filter commands affect the pending filter list and which affect the CAM.

    Commands apply to
    Pending filter list    CAM
    filter add             commit
    filter del             filter commit
    filter discard         filter running
    filter ins
    filter list
    filter sync

As can be seen from the table, most of the time you work with the contents of the pending filter list. When you have the filters set up the way you want them in the pending filter list, a commit or filter commit command transfers the contents of the pending filter list to the CAM, activating that filter set-up. (Remember that commit also changes Director Xstream's running configuration file—the file that is loaded when the system is reset—but filter commit does not.)

A common workflow for changing the Director Xstream filter configuration might be as follows.
To change the Director Xstream filter configuration:

    Pending filter list: (no entries shown)
    CAM:
      1  port 5 → ip_protocol=UDP action=drop
      2  port 5 → port 1

Figure 33: Starting state

1. Enter filter running to view the currently active filters in the CAM.

    Net Optics> filter running
    Filter #1
    in_ports=5
    mac_src=00:00:00:00:00:00/00:00:00:00:00:00
    mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
    ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
    ip_protocol=0017
    l4_src_port=0000/0000,l4_dst_port=0000/0000,vlan=0000/0000,action=drop
    Filter #2
    in_ports=5
    mac_src=00:00:00:00:00:00/00:00:00:00:00:00
    mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
    ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
    ip_protocol=0000
    l4_src_port=0000/0000,l4_dst_port=0000/0000,vlan=0000/0000,action=redir
    redir_ports=1
    IPv4 filter resource utilization: 0%
    Net Optics>

Figure 34: Filter running command

2. Enter filter sync. The contents of the CAM are copied to the pending filter list.

    Pending filter list:
      1  port 5 → ip_protocol=UDP action=drop
      2  port 5 → port 1
    CAM:
      1  port 5 → ip_protocol=UDP action=drop
      2  port 5 → port 1

Figure 35: After filter sync

3. Use filter add, filter ins, and filter del commands to change filters as desired.

    Pending filter list:
      1  port 5 → ip_protocol=TCP action=drop
      2  port 5 → port 1
      3  port 6 → port 2
    CAM:
      1  port 5 → ip_protocol=UDP action=drop
      2  port 5 → port 1

Figure 36: Filter 1 has been changed and filter 3 has been added

4. Enter filter list to view the pending filter list.
    Net Optics> filter list
    Filter #1
    in_ports=5
    mac_src=00:00:00:00:00:00/00:00:00:00:00:00
    mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
    ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
    ip_protocol=0017
    l4_src_port=0000/0000,l4_dst_port=0000/0000,vlan=0000/0000,action=drop
    Filter #2
    in_ports=5
    mac_src=00:00:00:00:00:00/00:00:00:00:00:00
    mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
    ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
    ip_protocol=0000
    l4_src_port=0000/0000,l4_dst_port=0000/0000,vlan=0000/0000,action=redir
    redir_ports=1
    Filter #3
    in_ports=6
    mac_src=00:00:00:00:00:00/00:00:00:00:00:00
    mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
    ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
    ip_protocol=0000
    l4_src_port=0000/0000,l4_dst_port=0000/0000,vlan=0000/0000,action=redir
    redir_ports=2
    IPv4 filter resource utilization: 2%
    Net Optics>

Figure 37: Filter list command

6. Repeat steps 3 and 4 until the pending filter list is consistent with the desired filter configuration.
7. Enter filter commit. The contents of the pending filter list are copied to the CAM, activating the new filter configuration.
    Pending filter list:
      1  port 5 → ip_protocol=TCP action=drop
      2  port 5 → port 1
      3  port 6 → port 2
    CAM:
      1  port 5 → ip_protocol=TCP action=drop
      2  port 5 → port 1
      3  port 6 → port 2

Figure 38: After filter commit

Be aware of these pairs of similar commands:
• filter list shows the pending filter list, while filter running shows the CAM
• filter commit copies the pending filter list to the CAM, while filter sync copies the CAM to the pending filter list

Figure 39: Pairs of similar filter commands

Tip! To clear the CAM so no filters are actively running, enter filter discard followed by filter commit. (After this command sequence, no data will be seen on any of the monitor ports because filters are required to direct data to them.)

Warning! User interactions

When multiple users are logged into Director Xstream at the same time, each user has a separate pending filter list in which to create filter configurations. However, there is only one CAM, so any time a user executes a commit or filter commit command, the CAM takes on the filter configuration from that user's pending filter list, and those become the active filters on Director Xstream. In order to ensure that filters which you don't touch remain unaffected after you commit, use a filter sync command to get the current contents of the CAM before adding or modifying filters.
Also be aware that, any time the filters are updated, all monitoring in progress can be momentarily disrupted as the new filters are loaded—even if the filters for a particular monitoring port are not affected by the update. Therefore configuration changes should always be coordinated between everyone who is using the system.

Understand Filter Capacity

The capacity of Director Xstream's filtering function is more than 2,000 filter elements per chassis, where a filter element is a port list or a filter parameter. For example,
    filter add in_ports=11-17 ip_protocol=6 vlan=100 action=redir redir_ports=1-3,10
creates a filter with four elements:
1. in_ports=11-17
2. ip_protocol=6
3. vlan=100
4. redir_ports=1-3,10

Counting filter elements is only a rough gauge of filter utilization, and is not recommended. Instead, examine the pending filter list or CAM contents with filter list and filter running commands. The filter resource utilization is displayed after the filter list.

There are actually two separate CAMs, one for IPv4 filters and one for IPv6 filters. Each CAM has 128 locations, so the maximum number of IPv4 filters is 128 and the maximum number of IPv6 filters is 128, where a filter is created by a filter add or filter ins command. In other words, if you create a logical OR condition by adding two filters with the same input ports and output ports, it takes two CAM locations.

Tip! To create a filter in the IPv6 CAM instead of the IPv4 CAM, use the argument ipv6=y in the filter add or filter ins command when you create the filter.
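The first-match behaviour described under Understand Filter Interactions and Exclusive filters can be checked offline before a filter set is committed. The following is an added example, not Net Optics code: a small Python model that parses the guide's filter add and filter ins commands and reports which monitor ports a packet reaches and which ones silently miss it. It models only in_ports, ip4_src, ip4_src_mask, ip_protocol, action and redir_ports, and it assumes that an ip4_src given without a mask is an exact match; the function names and the sample packet are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

KNOWN_ARGS = set("id in_ports ip4_src ip4_src_mask ip_protocol action redir_ports".split())

def parse_portlist(text):
    """'1-3,10' -> {1, 2, 3, 10}: commas and dash ranges, no spaces."""
    ports = set()
    for part in text.split(","):
        low, _, high = part.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def ip_to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

@dataclass
class Filter:
    in_ports: set
    action: str                          # "redir" or "drop"
    redir_ports: set = field(default_factory=set)
    ip4_src: int = 0
    ip4_src_mask: int = 0                # a 1 bit means "compare this bit"
    ip_protocol: Optional[int] = None    # None means any protocol

    def matches(self, pkt):
        """All qualifiers must hold: they are combined with logical AND."""
        if pkt["in_port"] not in self.in_ports:
            return False
        if (ip_to_int(pkt["ip4_src"]) ^ self.ip4_src) & self.ip4_src_mask:
            return False
        return self.ip_protocol in (None, pkt["ip_protocol"])

def parse_filter(command):
    """Return (position, Filter); position is None for filter add (append)."""
    words = command.split()
    if words[:2] not in (["filter", "add"], ["filter", "ins"]):
        raise ValueError("expected filter add or filter ins: " + command)
    args = dict(word.split("=", 1) for word in words[2:])
    if set(args) - KNOWN_ARGS:
        raise ValueError("qualifier not modelled here: " + command)
    flt = Filter(in_ports=parse_portlist(args["in_ports"]), action=args["action"])
    if "redir_ports" in args:
        flt.redir_ports = parse_portlist(args["redir_ports"])
    if "ip4_src" in args:
        flt.ip4_src = ip_to_int(args["ip4_src"])
        # Assumption: no mask given means an exact address match.
        flt.ip4_src_mask = ip_to_int(args.get("ip4_src_mask", "255.255.255.255"))
    if "ip_protocol" in args:
        flt.ip_protocol = int(args["ip_protocol"])
    return (int(args["id"]) if words[1] == "ins" else None), flt

def build_pending(commands):
    """Apply the commands in order; the result is what filter commit loads."""
    pending = []
    for command in commands:
        position, flt = parse_filter(command)
        pending.insert(len(pending) if position is None else position - 1, flt)
    return pending

def monitor_ports(cam, pkt):
    """The first matching CAM entry alone decides where pkt is copied."""
    for flt in cam:
        if flt.matches(pkt):
            return set(flt.redir_ports) if flt.action == "redir" else set()
    return set()

def missed_ports(cam, pkt):
    """Ports whose own filter matches pkt but which get no copy because an
    earlier entry won. A winning drop entry is an intentional exclusion."""
    hits = [flt for flt in cam if flt.matches(pkt)]
    if not hits or hits[0].action == "drop":
        return set()
    wanted = set().union(*(f.redir_ports for f in hits if f.action == "redir"))
    return wanted - hits[0].redir_ports

# Commands taken from the guide (Figures 30, 31 and 32).
TWO_FILTERS = [
    "filter add in_ports=5 ip4_src=192.186.10.0 action=redir redir_ports=1",
    "filter add in_ports=5 ip_protocol=6 action=redir redir_ports=2",
]
FIXED = TWO_FILTERS + [
    "filter ins id=1 in_ports=5 ip4_src=192.186.10.0 ip_protocol=6 "
    "action=redir redir_ports=1,2",
]
EXCLUSIVE = [
    "filter add in_ports=5 ip_protocol=17 action=drop",
    "filter add in_ports=5 action=redir redir_ports=1",
]
# Constructed sample packet: TCP from the filtered host, arriving on port 5.
TCP_FROM_HOST = {"in_port": 5, "ip4_src": "192.186.10.0", "ip_protocol": 6}

if __name__ == "__main__":
    for name, commands in (("two filters", TWO_FILTERS), ("after ins", FIXED)):
        cam = build_pending(commands)
        print(name, sorted(monitor_ports(cam, TCP_FROM_HOST)),
              "missed:", sorted(missed_ports(cam, TCP_FROM_HOST)))
```

A non-empty result from missed_ports for a representative packet means a monitoring tool on that port has a blind spot for that traffic, which is the situation the filter ins entry in Figure 31 corrects.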
Appendix A
Director Xstream Specifications

Specifications

Environmental
Operating Temperature: 0˚C to 40˚C
Storage Temperature: -10˚C to 70˚C
Relative Humidity: 10% min, 95% max, non-condensing

Mechanical
Dimensions: 1.75” high x 17” wide x 17.5” deep
Mounting: Surface or 19” rack mount (1U)
Weight: 8 lbs (3.7 kg)

Connectors
SFP+ slots: 24, with 4 labelled as monitor ports and 20 labelled as network ports
Management Port: (1) RJ45 10/100/1000 Copper Network
Console Port: (1) RJ45 RS232
Power: (2) AC universal or (2) -48V DC depending on model

Electrical Interface
AC Input: 100-240VAC, 4.5A, 47-63Hz (Japan: 100‑125VAC, ~300 VA, 50-60Hz)
DC Input: -48VDC nominal. -36 to -72VDC, 4.0A
DC Receptacle: Terminal peak, 12-14 gauge wire

Indicators
Each port has a Link LED and an Activity LED
The AC power supply modules have power on indicators integrated in the on/off switches

Performance
Hardware throughput: 240 Gbps; no packets dropped as long as monitor traffic does not exceed monitor port bandwidth
Port mapping: Aggregation, any number of ports in; regeneration, any number of ports out; any-to-any, any-to-many, many-to-any, and many-to-many; any port can be used as an input, an output, or both simultaneously—monitor ports can be used as additional network ports, and network ports can be used as additional monitor ports
TapFlow: Filter by IP source address, IP destination address, MAC source address, MAC destination address, source port, destination port, protocol, network port or port group, VLAN, utilization threshold
Static Load Balancing: By IP addresses, MAC addresses, ports, VLANs, or other header field (implement with filters)
RMON statistics: Current utilization, total packets, total bytes, CRC errors
Device management: Remote software upgrades; RADIUS and TACACS+ supported, three servers each

Indigo™ Management Software
CLI—local RS232 and remote SSH, compatible with Director CLI
Net Optics Web Manager—compatible with all major Web browsers (availability TBD)
Net Optics System Manager—compatible with Windows XP, Windows 2000, and Windows 98 (availability TBD)

Certifications
FCC, CE, VCCI, and C-Tick certified
Fully RoHS and WEEE compliant

Available Models

Director Xstream
DIR-2400X       Director Xstream Main Chassis with 24 SFP+ ports
DIR-2400X-DC    Director Xstream Main Chassis with 24 SFP+ ports, -48VDC

SFP+ kits
SFP+KT-SR       Fiber SR SFP+ Transceiver
SFP+KT-LR       Fiber LR SFP+ Transceiver
SFP+KT-50SR     Fiber SR 50um SFP+ Transceiver

SFP kits
SFPKT-SX        GigaBit Fiber SX SFP with cable
SFPKT-50SX      GigaBit Fiber SX SFP with cable 50μm
SFPKT-LX        GigaBit Fiber LX SFP with cable
SFPKT-GCU       GigaBit Copper SFP with cable
SFPKT-CU3       10/100/1000 Copper SFP with cable [not currently supported on Director Xstream]

Appendix B
Command Line Interface

The CLI is not case sensitive; commands can be entered in upper or lower case. However, certain items such as user-defined text strings, user names, and passwords can be entered in upper, lower, or mixed case, and are case-sensitive.

The tab key or the space bar can be used to automatically complete words in the CLI. This function works for commands as well as arguments. For example, typing the letter "i" followed by the tab key results in "image" being entered in the command line. Likewise, "pi<tab>" auto-completes to the "ping" command. However, "p<tab>" does not auto-complete, because it is ambiguous between the "ping" and "port" commands.

To display a list of sub-commands and arguments for any command, press the ? key after entering the command. (A space is required between the command and the ?.) For example, type "filter add ?" to display a list of all the arguments that can be used to complete the command.

Ports are numbered 1 through 24 going left to right across the front panel.
Port numbers 1 through 4 are labelled as monitor ports on the front panel, and 5 through 24 are labelled as network ports. However, the ports are symmetric and any port can be included in a filter in_ports or redir_ports portlist. A portlist is a list of ports separated by commas; dashes can be used to specify ranges; for example, 1,2,3 and 1-3 mean the same thing. Space characters are not allowed in portlists (do not put a space after the comma).

Privilege levels

User accounts are assigned one of three privilege levels:
• admin (level 1) – access to all CLI commands; only the admin level can use the user and port set commands
• user (level 2) – access to all CLI commands except user and port set
• view (level 3) – can access only these CLI read-only commands: help, history, list, ping, show, exit, logout, quit

All accounts are authorized to use the user mod command to change their own passwords.

Table key

The table uses alternate row shading to distinguish commands and subcommands, as indicated in the following example.

    Command    Sub-Command                 Arguments                    Example
    command1   subcommand1 for command1    arguments for subcommand1    an example of how to use command1 subcommand1
    command2   subcommand1 for command2    arguments for subcommand1    an example of how to use command2 subcommand1
               subcommand2 for command2    arguments for subcommand2    an example of how to use command2 subcommand2
               subcommand3 for command2    arguments for subcommand3    an example of how to use command2 subcommand3
    command3   subcommand1 for command3    arguments for subcommand1    an example of how to use command3 subcommand1
               subcommand2 for command3    arguments for subcommand2    an example of how to use command3 subcommand2

Director Xstream CLI Quick Reference

Table of CLI Commands

!
    Arguments: <number>
    Example:   Net Optics> !3
commit
    Example:   Net Optics> commit
del
    Arguments: <filename>
    Example:   Net Optics> del my_config
exit
    Example:   Net Optics> exit
filter add
    Arguments: [ipv6=<y|yes>] in_ports=<network_portlist> [<qual>=<value>] action=<redir|drop> [redir_ports=<monitor_portlist>]
    Example:   Net Optics> filter add in_ports=1-3 ip4_src=10.1.1.1 action=redir redir_ports=3,9
filter commit
    Example:   Net Optics> filter commit
filter del
    Arguments: id=<id> [ipv6=<y|yes>]
    Example:   Net Optics> filter del id=3
filter discard
    Example:   Net Optics> filter discard
filter ins
    Arguments: id=<id> [ipv6=<y|yes>] in_ports=<network_portlist> [<qual>=<value>] action=<redir|drop> [redir_ports=<monitor_portlist>]
    Example:   Net Optics> filter ins id=2 in_ports=1-3 ip4_src=10.1.1.1 action=drop
filter list
    Arguments: [ipv6=<y|yes>]
    Example:   Net Optics> filter list
filter running
    Arguments: [ipv6=<y|yes>]
    Example:   Net Optics> filter running
filter sync
    Example:   Net Optics> filter sync
help
    Arguments: [<command>]
    Example:   Net Optics> help filter
history
    Example:   Net Optics> history
history clear
    Example:   Net Optics> history clear
image
    Arguments: <1|2>
    Example:   Net Optics> image 2
image show
    Example:   Net Optics> image show
list
    Example:   Net Optics> list
load
    Arguments: running|factory|<filename>
    Example:   Net Optics> load my_config
logout
    Example:   Net Optics> logout
ping
    Arguments: <address>
    Example:   Net Optics> ping 10.1.1.4
port set
    Arguments: ports=<all|portlist> [admin=<enable|disable>] [speed=<1000|10000>]
    Example:   Net Optics> port set ports=1-3 admin=disable
port show
    Example:   Net Optics> port show
quit
    Example:   Net Optics> quit
save
    Arguments: <filename>
    Example:   Net Optics> save my_config
show
    Arguments: running|factory|<filename>
    Example:   Net Optics> show my_config
stats clear
    Arguments: [ports=<all|portlist>]
    Example:   Net Optics> stats clear ports=all
stats show
    Arguments: ports=<all|portlist>
    Example:   Net Optics> stats show ports=m.2,n1.4
sysip commit
    Example:   Net Optics> sysip commit
sysip discard
    Example:   Net Optics> sysip discard
sysip set
    Arguments: ipaddr=<address> mask=<netmask> gw=<gateway>
    Example:   Net Optics> sysip set ipaddr=100.6.4.15 mask=255.255.0.0 gw=10.0.0.1
sysip show
    Example:   Net Optics> sysip show
system restart
    Example:   Net Optics> system restart
system set
    Arguments: [jumbo=<on|off>]
    Example:   Net Optics> system set jumbo=on
system show
    Example:   Net Optics> system show
upgrade
    Arguments: srvip=<srvip> user=<username> pw=<password> file=<filename>
    Example:   Net Optics> upgrade srvip=168.192.20.2 user=bob pw=bobpw file=image021108
user add
    Arguments: name=<username> pw=<password> priv=<level>
    Example:   Net Optics> user add name=bob pw=bob-pw priv=3
user del
    Arguments: name=<username>
    Example:   Net Optics> user del name=bill
user mod
    Arguments: name=<username> pw=<password> priv=<level>
    Example:   Net Optics> user mod name=bill pw=netbillpw priv=2
user show
    Example:   Net Optics> user show

Filter qualifiers

Switches and filters are defined using the filter add and filter ins commands. The filter add command syntax is:

    filter ipv6=y add in_ports=<portlist> <filter_qualifier_list> action=<redir|drop> redir_ports=<portlist>

The <filter_qualifier_list> is a sequence of zero or more of the filter qualifiers as listed in the following table.

If the <filter_qualifier_list> is empty, the filter add command specifies an aggregation of the traffic received on all of the in_ports. If the action=redir, the aggregated traffic stream is regenerated to all of the redir_ports.

If the <filter_qualifier_list> contains qualifiers, aggregation and regeneration take place as described in the previous paragraph. However, the filter qualifiers are applied to the aggregated traffic stream before it is copied to the monitor ports. If multiple filter qualifiers are specified, a packet must satisfy all of the filter qualifiers in order to be copied to the monitor ports. In other words, the filter qualifiers are combined with a logical AND condition. A logical OR condition can be created by using multiple filter add commands with identical port lists.

The filter add and filter ins commands define filters but do not activate them. A subsequent filter commit or commit command must be executed to activate the filters. This mechanism enables an interrelated group of filters to be activated simultaneously. It also allows you to double-check your filter definitions before you activate them.
The commit command also rewrites the running Director Xstream configuration file (the configuration file that is loaded when the system is reset), while filter commit does not.

Note that IPv6 and IPv4 filters are maintained separately. It is important to include the argument ipv6=y when dealing with IPv6 filters, and omit it when dealing with IPv4 filters.

It is also important to note that packets are filtered using a Content Addressable Memory or CAM. Each filter is a CAM entry, and the CAM is filled in the order that the filter add commands are entered. filter ins commands create filters in specific locations in the CAM. When a packet is processed, the first filter in the CAM that matches the packet is the only filter that is activated. Each packet can activate exactly zero or one filters. See Understand filter interactions near the end of Chapter 3 for examples.

All supported filter qualifiers are shown in the following table.

Director Xstream Filter Qualifiers

    <qual>            <value>                                  Range  Example                                               Description
    ip_protocol       0 to 255                                 No     ip_protocol=6                                         Layer 4 IP protocol
    ip4_src           d.d.d.d                                  Yes    ip4_src=168.10.4.1                                    IPv4 source address
    ip4_src_mask      d.d.d.d                                  No     ip4_src_mask=255.255.255.0                            Mask for IPv4 source address
    ip4_dst           d.d.d.d                                  Yes    ip4_dst=168.10.4.2                                    IPv4 destination address
    ip4_dst_mask      d.d.d.d                                  No     ip4_dst_mask=255.255.255.0                            Mask for IPv4 destination address
    ip6_src           xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx  No     ip6_src=1234:5678:9abc:def0:1234:5678:9abc:def0       IPv6 source address
    ip6_src_mask      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx  No     ip6_src_mask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe  Mask for IPv6 source address
    ip6_dst           xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx  No     ip6_dst=1234:5678:9abc:def0:1234:5678:9abc:def0       IPv6 destination address
    ip6_dst_mask      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx  No     ip6_dst_mask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffc0  Mask for IPv6 destination address
    l4_src_port       0 to 65535                               Yes    l4_src_port=80                                        Layer 4 source port
    l4_src_port_mask  0 to 65535                               No     l4_src_port_mask=65535                                Mask for Layer 4 source port
    l4_dst_port       0 to 65535                               Yes    l4_dst_port=80                                        Layer 4 destination port
    l4_dst_port_mask  0 to 65535                               No     l4_dst_port_mask=65520                                Mask for Layer 4 destination port
    mac_src           xx:xx:xx:xx:xx:xx                        No     mac_src=01:23:45:67:89:ab                             MAC source address
    mac_src_mask      xx:xx:xx:xx:xx:xx                        No     mac_src_mask=ff:ff:ff:ff:ff:fc                        Mask for MAC source address
    mac_dst           xx:xx:xx:xx:xx:xx                        No     mac_dst=11:22:33:44:55:66                             MAC destination address
    mac_dst_mask      xx:xx:xx:xx:xx:xx                        No     mac_dst_mask=ff:ff:ff:ff:ff:00                        Mask for MAC destination address
    vlan              2 to 4094                                Yes    vlan=3820                                             VLAN number
    vlan_mask         0 to 4095                                No     vlan_mask=4080                                        Mask for VLAN number

Key: x = a hex digit, 0 to f
     d = a decimal number, 0 to 255

For qualifiers that accept Ranges for the <value>, the actual range implemented in the filter is a superset of the requested range; filter list displays the actual filter range as implemented.

* See Appendix C for a complete list of protocol numbers. Some common protocols include:

    Number  Keyword  Protocol
    1       ICMP     Internet Control Message Protocol
    2       IGMP     Internet Group Message Protocol
    6       TCP      Transmission Control Protocol
    17      UDP      User Datagram Protocol
    80      ISO-IP   ISO Internet Protocol
    89      OSPF     Open Shortest Path First
    132     SCTP     Stream Control Transmission Protocol

Appendix C
Protocol Numbers

The official Assigned Internet Protocol Numbers list is maintained by the Internet Assigned Numbers Authority and can be found at http://www.iana.org/assignments/protocol-numbers. The list as of April 18, 2008 is reproduced in the following table (without references).
Num         Keyword         Protocol
0           HOPOPT          IPv6 Hop-by-Hop Option
1           ICMP            Internet Control Message
2           IGMP            Internet Group Management
3           GGP             Gateway-to-Gateway
4           IP              IP in IP (encapsulation)
5           ST              Stream
6           TCP             Transmission Control
7           CBT             CBT
8           EGP             Exterior Gateway Protocol
9           IGP             any private interior gateway (used by Cisco for their IGRP)
10          BBNRCCMON       BBN RCC Monitoring
11          NVP-II          Network Voice Protocol
12          PUP             PUP
13          ARGUS           ARGUS
14          EMCON           EMCON
15          XNET            Cross Net Debugger
16          CHAOS           Chaos
17          UDP             User Datagram
18          MUX             Multiplexing
19          DCNMEAS         DCN Measurement Subsystems
20          HMP             Host Monitoring
21          PRM             Packet Radio Measurement
22          XNS-IDP         XEROX NS IDP
23          TurnK-1         Turnk-1
24          TurnK-2         Turnk-2
25          LEAF-1          Leaf-1
26          LEAF-2          Leaf-2
27          RDP             Reliable Data Protocol
28          IRTP            Internet Reliable Transaction
29          ISO-TP4         ISO Transport Protocol Class 4
30          NETBLT          Bulk Data Transfer Protocol
31          MFE-NSP         MFE Network Services Protocol
32          MERITINP        MERIT Internodal Protocol
33          DCCP            Datagram Congestion Control Protocol
34          3PC             Third Party Connect Protocol
35          IDPR            Inter-Domain Policy Routing Protocol
36          XTP             XTP
37          DDP             Datagram Delivery Protocol
38          IDPRCMTP        IDPR Control Message Transport Proto
39          TP++            TP++ Transport Protocol
40          IL              IL Transport Protocol
41          IPv6            Ipv6
42          SDRP            Source Demand Routing Protocol
43          IPv6Route       Routing Header for IPv6
44          IPv6-Frag       Fragment Header for IPv6
45          IDRP            Inter-Domain Routing Protocol
46          RSVP            Reservation Protocol
47          GRE             General Routing Encapsulation
48          DSR             Dynamic Source Routing Protocol
49          BNA             BNA
50          ESP             Encap Security Payload
51          AH              Authentication Header
52          I-NLSP          Integrated Net Layer Security TUBA
53          SWIPE           IP with Encryption
54          NARP            NBMA Address Resolution Protocol
55          MOBILE          IP Mobility
56          TLSP            Transport Layer Security Protocol using Kryptonet key management
57          SKIP            SKIP
58          IPv6ICMP        ICMP for IPv6
59          IPv6NoNxt       No Next Header for IPv6
60          IPv6-Opts       Destination Options for IPv6
61                          any host internal protocol
62          CFTP            CFTP
63                          any local network
64          SATEXPAK        SATNET and Backroom EXPAK
65          KRYPTOLAN       Kryptolan
66          RVD             MIT Remote Virtual Disk Protocol
67          IPPC            Internet Pluribus Packet Core
68                          any distributed file system
69          SAT-MON         SATNET Monitoring
70          VISA            VISA Protocol
71          IPCV            Internet Packet Core Utility
72          CPNX            Computer Protocol Network Executive
73          CPHB            Computer Protocol Heart Beat
74          WSN             Wang Span Network
75          PVP             Packet Video Protocol
76          BR-SATMON       Backroom SATNET Monitoring
77          SUN-ND          SUN ND PROTOCOL-Temporary
78          WB-MON          WIDEBAND Monitoring
79          WBEXPAK         WIDEBAND EXPAK
80          HTTP            Hypertext Transfer Protocol
81          VMTP            VMTP
82          SECUREVMTP      SECURE-VMTP
83          VINES           VINES
84          TTP             TTP
85          NSFNET-IGP      NSFNETIGP
86          DGP             Dissimilar Gateway Protocol
87          TCF             TCF
88          EIGRP           EIGRP
89          OSPFIGP         OSPFIGP
90          SpriteRPC       Sprite RPC Protocol
91          LARP            Locus Address Resolution Protocol
92          MTP             Multicast Transport Protocol
93          AX.25           AX.25 Frames
94          IPIP            IP-within-IP Encapsulation Protocol
95          MICP            Mobile Internetworking Control Pro.
96          SCC-SP          Semaphore Communications Sec. Pro.
97          ETHERIP         Ethernet-within-IP Encapsulation
98          ENCAP           Encapsulation Header
99                          any private encryption scheme
100         GMTP            GMTP
101         IFMP            Ipsilon Flow Management Protocol
102         PNNI            PNNI over IP
103         PIM             Protocol Independent Multicast
104         ARIS            ARIS
105         SCPS            SCPS
106         QNX             QNX
107         A/N             Active Networks
108         IPComp          IP Payload Compression Protocol
109         SNP             Sitara Networks Protocol
110         CompaqPeer      Compaq Peer Protocol
111         IPX-in-IP       IPX in IP
112         VRRP            Virtual Router Redundancy Protocol
113         PGM             PGM Reliable Transport Protocol
114                         any 0-hop protocol
115         L2TP            Layer Two Tunneling Protocol
116         DDX             D-II Data Exchange (DDX)
117         IATP            Interactive Agent Transfer Protocol
118         STP             Schedule Transfer Protocol
119         SRP             SpectraLink Radio Protocol
120         UTI             UTI
121         SMP             Simple Message Protocol
122         SM              SM
123         PTP             Performance Transparency Protocol
124         ISIS over IPv4
125         FIRE
110         CRTP            Combat Radio Transport Protocol
127         CRUDP           Combat Radio User Datagram
128         SSCOPMCE
129         IPLT
130         SPS             Secure Packet Shield
131         PIPE            Private IP Encapsulation within IP
132         SCTP            Stream Control Transmission Protocol
133         FC              Fibre Channel
134         RSVPE2EIGNORE
135         Mobility Header
136         UDPLite
137         MPLSin-IP
138         manet           MANET Protocols
139         HIP             Host Identity Protocol
140 to 252                  Unassigned
253                         Use for experimentation and testing
254                         Use for experimentation and testing
255         Reserved

Limitations on Warranty and Liability

Net Optics offers a limited warranty for all its products. IN NO EVENT SHALL NET OPTICS, INC. BE LIABLE FOR ANY DAMAGES INCURRED BY THE USE OF THE PRODUCTS (INCLUDING BOTH HARDWARE AND SOFTWARE) DESCRIBED IN THIS MANUAL, OR BY ANY DEFECT OR INACCURACY IN THIS MANUAL ITSELF. THIS INCLUDES BUT IS NOT LIMITED TO LOST PROFITS, LOST SAVINGS, AND ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING FROM THE USE OR INABILITY TO USE THIS PRODUCT, even if Net Optics has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you.

Net Optics, Inc. warrants this Tap to be in good working order for a period of ONE YEAR from the date of purchase from Net Optics or an authorized Net Optics reseller. Should the unit fail anytime during the said ONE YEAR period, Net Optics will, at its discretion, repair or replace the product. This warranty is limited to defects in workmanship and materials and does not cover damage from accident, disaster, misuse, abuse or unauthorized modifications.

If you have a problem and require service, please call the number listed at the end of this section and speak with our technical service personnel. They may provide you with an RMA number, which must accompany any returned product. Return the product in its original shipping container (or equivalent) insured and with proof of purchase.

Additional Information

Net Optics, Inc. reserves the right to make changes in specifications and other information contained in this document without prior notice. Every effort has been made to ensure that the information in this document is accurate. Net Optics is not responsible for typographical errors.

THE WARRANTY AND REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHERS, EXPRESS OR IMPLIED. No Net Optics reseller, agent, or employee is authorized to make any modification, extension, or addition to this warranty.

Net Optics is always open to any comments or suggestions you may have about its products and/or this manual. Send correspondence to:

Net Optics, Inc.
5303 Betsy Ross Drive
Santa Clara, CA 95054 USA
Telephone: +1 (408) 737-7777
Fax: +1 (408) 745-7719
E-mail: info@NetOptics.com
Internet: www.NetOptics.com

All Rights Reserved. Printed in the U.S.A. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form, by any means, without prior written consent of Net Optics, Inc., with the following exceptions: Any person is authorized to store documentation on a single computer for personal use only and that the documentation contains Net Optics’ copyright notice.

www.netoptics.com © 2008-2010 by Net Optics, Inc. All Rights Reserved.