SmartNA™ 10G Network Access (SmartNA-X)
User Guide 1.0

CONTENTS
Chapter 1 Overview ............................................................................................................................................................ 1
SmartNA-X features............................................................................................................................. 1
Hardware overview .............................................................................................................................. 2
Managing SmartNA-X ......................................................................................................................... 3
Managing SmartNA-X through the web UI ................................................................................................................................. 3
Managing SmartNA-X through the CLI ...................................................................................................................................... 6
Chapter 2 Introduction to network TAPs .......................................................................................................................... 8
What is a network TAP? ....................................................................................................................... 8
Suitable locations for placing TAPs ..................................................................................................... 9
Placing TAPs on individual servers ............................................................................................................................................. 9
Placing TAPs on multiple servers ...............................................................................................................................................10
Placing TAPs on multiple locations............................................................................................................................................10
Chapter 3 Setting up SmartNA-X .....................................................................................................................................12
Check items included..........................................................................................................................12
Installing the SmartNA-X chassis and TAP modules ..........................................................................13
Powering up the system ......................................................................................................................14
Connecting to the management port ..................................................................................................14
Logging in to SmartNA-X ...................................................................................................................14
Chapter 4 Administering SmartNA-X ..............................................................................................................................19
Logging in ...........................................................................................................................................19
Configuring SmartNA-X for the first time .........................................................................................22
Configuring network settings .............................................................................................................22
Enabling NTP .....................................................................................................................................23
Managing user accounts and authentication ......................................................................................24
Authenticating users...................................................................................................................................................................25
Enabling RADIUS and TACACS+ authentication servers ..........................................................................................................26
Enabling transaction logging..............................................................................................................27
Saving and restoring configurations ...................................................................................................28
Restoring default settings and custom configurations ...............................................................................................................29
Rebooting the system ..........................................................................................................................30
DRAFT
Updating system firmware ..................................................................................................................30
Monitoring system health ...................................................................................................................30
Chapter 5 Using the Web User Interface...........................................................................................................................32
Accessing the web UI ..........................................................................................................................32
Selecting options in the system diagram.............................................................................................33
Port speed indicator............................................................................................................................34
Further information ...................................................................................................................................................................34
Chapter 6 Configuring ports .............................................................................................................................................35
Configuring port communication settings .........................................................................................35
Configuring port failsafe and LFP (TAP mode) .................................................................................36
Testing failsafe............................................................................................................................................................................39
Configuring ports roles ......................................................................................................................39
Configuring port traffic thresholds ....................................................................................................40
Configuring port locking....................................................................................................................41
Saving port settings ............................................................................................................................42
Chapter 7 Creating Port Maps ..........................................................................................................................................44
About port maps .................................................................................................................................44
Creating port maps .............................................................................................................................46
Creating maps in the web UI.......................................................................................................................................................47
Creating port maps in the CLI ....................................................................................................................................................49
Typical map configurations ................................................................................................................49
Breakout TAP .............................................................................................................................................................................49
Aggregation TAPs.......................................................................................................................................................................49
Regeneration TAPs .....................................................................................................................................................................49
Chapter 8 Using Packet Filters ..........................................................................................................................................51
About packet filters ............................................................................................................................51
How packet filters work ..............................................................................................................................................................51
Creating packet filters ........................................................................................................................52
Adding filters to maps ........................................................................................................................53
Chapter 9 Using SNMP .....................................................................................................................................................55
About SNMP and SmartNA-X ............................................................................................................55
About VACM.......................................................................................................................................57
Configuring SNMP .............................................................................................................................58
SNMP default configuration .......................................................................................................................................................58
Enabling SNMP...........................................................................................................................................................................58
SNMP engine ID .........................................................................................................................................................................59
Configuring SNMP notifications ................................................................................................................................................59
Configuring SNMPv1/v2c communities .....................................................................................................................................60
Configuring trap managers (notification hosts) .........................................................................................................................61
Configuring SNMPv3 users with VACM ....................................................................................................................................62
Adding a member or security name to a group...........................................................................................................................63
Configuring views .......................................................................................................................................................................64
Configuring the access control list..............................................................................................................................................65
Appendix A Command Line Interface Reference .............................................................................................................66
Command line notation......................................................................................................................67
Basic commands ............................................................................................................................................ 68
Commands for managing contact and location details ............................................................................... 77
Commands for managing network configuration ....................................................................................... 81
Commands for managing users .................................................................................................................... 92
Commands for managing authentication and accounting .......................................................................... 98
Commands for managing TAP modules .....................................................................................................111
Commands for managing TAP ports ..........................................................................................................112
Commands for managing port maps and packet filters .............................................................................131
Commands for managing SNMP.................................................................................................................150
Appendix B Web User-Interface Reference.....................................................................................................................187
System identity tab ...................................................................................................................................................................187
Mapping tab ..............................................................................................................................................................................188
Filters tab ..................................................................................................................................................................................190
SNMP tab ..................................................................................................................................................................................193
Security tab ...............................................................................................................................................................................197
System Health tab .....................................................................................................................................................................198
TAP module health tab .............................................................................................................................................................200
Port tab .....................................................................................................................................................................................201
Port Traffic tab .........................................................................................................................................................................203
Port Errors tab ..........................................................................................................................................................................203
Port health tab ..........................................................................................................................................................................204
Appendix C Specifications ..............................................................................................................................................206
SmartNA-X chassis ...........................................................................................................................206
10 Gbit/s TAP module SFP+ & SFP...................................................................................................208
1 Gbit/s TAP module (RJ45 & RJ45) .................................................................................................209
1 Gbit/s TAP module (LC & RJ45) ....................................................................................................210
1 Gbit/s TAP module (RJ45 & SFP)...................................................................................................211
1 Gbit/s TAP module LC & SFP ........................................................................................................212
Appendix D Troubleshooting .........................................................................................................................................213
Troubleshooting connections to SmartNA-X....................................................................................213
Connecting with IPv6 ...............................................................................................................................................................213
Troubleshooting the web UI .............................................................................................................214
Resolving web UI issues on Mac OSX .......................................................................................................................................215
Troubleshooting the CLI...................................................................................................................216
Troubleshooting SNMP ....................................................................................................................217
Resetting the system to the default configuration ............................................................................217
Appendix E Glossary .......................................................................................................................................................218
Appendix F Hardware Warranty.....................................................................................................................................221
Appendix G Supported MIBs ..........................................................................................................................................222
Obtaining SmartNA MIB Files .........................................................................................................223
Appendix H IP Protocols ................................................................................................................................................224
Appendix I Technical Support & Contact Details ...........................................................................................................227
Chapter 1 Overview
SmartNA™ 10G Network Access (SmartNA-X) provides a flexible and customizable Test Access Point (TAP)
solution. This chapter covers the following major topics:
• SmartNA-X features, page 1
• Hardware overview, page 2
• Managing SmartNA-X, page 3
SmartNA-X features
SmartNA-X 10G Network Access is a fully configurable filtering 10G TAP device that provides the following
advanced TAP features:
• Fail-safe ports
• Traffic replication and aggregation capabilities
• Flexible port maps
• Advanced packet filtering capabilities, including ability to filter 10G traffic to continue using 1G tools
• Ability to aggregate 1G links to a 10G port
• SSL secured management interfaces
• Easy-to-use web UI with support for click-and-drag port mappings
• SNMP remote status monitoring and alert notifications
• Local or external authentication and authorization via RADIUS and TACACS+
• Hot-swappable TAP modules
• Dual independent power connectors
• Three user access levels: Administrator, Operator and Auditor
Hardware overview
The SmartNA-X chassis (Figure 1-1 and Figure 1-2) supports four independently operating TAP modules that
are hot-swappable, fully configurable and available in various configurations of copper, single mode fiber,
multi-mode fiber, and SFP/SFP+ ports. Slot 1 supports 10 Gbit/s TAP modules (colored red), slots 2, 3 and 4
support 1 Gbit/s TAP modules (colored blue). Four ports on each module are used to TAP live traffic and
direct it to output ports where network tools can be used to capture and monitor your network data. The
management port provides access to the web UI and CLI, from where system and module settings can be
managed.
Figure 1-1 Front view (callouts: 10 Gbit/s ports, 1 Gbit/s ports, management port, console port, 10G/1G TAP module, port status LEDs, 1G TAP modules, power LEDs)
TAP modules – Hot-swappable and fully configurable TAP modules available with Copper, Single mode Fiber,
Multi-mode Fiber, or SFP/SFP+ cage ports.
10G/1G/100M/10M Ports – 10 Gbit/s, 1 Gbit/s, 100 Mbit/s and 10 Mbit/s interfaces to access data flowing
across a computer network and to connect network tools running packet analysis software or a dedicated
capturing appliance. These ports do not have IP or MAC addresses and are transparent to other network
appliances [1]. Copper port pairs support ‘TAP’ mode for integrated failsafe and Link Failure Propagation (LFP)
mode.
Management Port – Provides access to the web UI and CLI. By default, the management port is assigned IP
address 192.168.254.100.
Port status LEDs – Indicates link state and activity.
Power LEDs – Indicate operational power supplies.
Power supply units (PSUs) – Dual independent power sockets (AC 100V–240V or DC -48V). If only one PSU
is to be fitted, it must be fitted in PSU-1, which is on the right-hand side when looking from the rear (see
Figure 1-2).
Figure 1-2 Rear view (callouts: PSU-2, 10 Gbit/s ports, PSU-1)
[1] Flow control and error packets are dropped by the TAP ports.
Managing SmartNA-X
You can manage SmartNA-X from a web browser over HTTPS or a terminal client supporting SSH. SmartNA-X
includes an SNMPv1/v2c/v3 agent for integration with your network management system (NMS). By
default, user authentication is performed locally, but it can be handled by RADIUS or TACACS+ authentication
servers if required. For auditing purposes, RADIUS or TACACS+ accounting servers can be configured to
capture log information relating to SmartNA-X user transactions (local logging is not supported).
Managing SmartNA-X through the web UI
The SmartNA-X web UI provides access to administrator, user and audit level options in a secure web browser
environment. To access the web UI (Figure 1-3), open a Java 1.5+ enabled web browser and enter the IP
address of SmartNA-X. If this is the first time you have logged on from a host, you’ll need to accept the SSL
certificate before you can continue—this will not compromise your network security. Once you are at the login
screen, enter your SmartNA-X username and password to access the web UI.
Figure 1-3 SmartNA-X web UI
The chassis graphic that is displayed when you log in (Figure 1-4) provides an accurate representation of the
SmartNA-X hardware configuration. It shows which slots are populated, the type of ports in each module, port
link up/down status, and the on/off state of the two power supply units. If the hardware changes, for example
when another module is inserted, the web UI reflects the change in real time.
Figure 1-4 SmartNA-X chassis graphic (callouts: packet filters, chassis, port maps, TAP modules, rear ports, ports)
The web UI also provides access to all SmartNA-X configuration and management options. To access these
options, click on the system part you wish to configure. For example, clicking on the chassis (shown in blue in
Figure 1-4) shows options for network, SNMP, contact information, and other system-wide settings. Similarly,
clicking a port lets you access port configuration and information options.
See Appendix B, “Web User-Interface Reference”, page 187 for a description of all web UI options.
You can also use the web UI to create port mappings and add filters. To create a port mapping, you drag a line
from the source port to the destination port, as shown in Figure 1-5.
Figure 1-5 Creating a port map in the web UI
Ports are color-coded according to speed:
• Grey: Port is not UP
• Orange: 10 Mbit/s
• Yellow: 100 Mbit/s
• Green: 1 Gbit/s
• Cyan: 10 Gbit/s
To aggregate packets from multiple ports, create a map and then drag other sources to the line (Figure 1-6).
You can also create an aggregation by selecting all the desired source ports (using the usual SHIFT/CTRL-click)
and then dragging from one of them to the desired destination port.
Figure 1-6 Packet aggregating
To replicate packets to several ports, drag from a map line to other destination ports (Figure 1-7).
Figure 1-7 Replicating packets to several ports
To remove a port from a map, hold ALT (or ALT+CTRL depending on your browser) whilst dragging, or click
on the map and choose the Delete map button that appears. Note that removing the last source or destination
port removes the entire map.
TIP: Hover the pointer over a line to dim the other lines in the map (Figure 1-8).
Figure 1-8 Hover over a map line to dim all other mappings
Managing SmartNA-X through the CLI
The Command Line Interface (CLI) is a network management application operated through a Secure Shell
(SSH) without the use of a Graphical User Interface (GUI) driven software application. The SmartNA-X CLI
provides access to a full set of administrative, user and audit level commands and allows for automated
configuration using a program such as Tcl (“Tool Command Language”) with the Expect [1] package installed.
See Appendix A, “Command Line Interface Reference”, page 66 for a description of all CLI commands.
Accessing the CLI
The SmartNA-X CLI can be accessed through a Secure Shell (SSH) via the device’s network interface address:
example.com ~# ssh admin@192.168.254.100
The first time you connect from a host, you will be asked to verify the authenticity of the SmartNA-X host.
Entering ‘yes’ allows you to continue:
The authenticity of host '192.168.254.100 (192.168.254.100)' can't be established.
RSA key fingerprint is 50:e6:0b:6d:...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.254.100' (RSA) to the list of known hosts.
You’ll then be asked to enter your login credentials to gain access to the CLI (as indicated by the
“CONTROLLER>” prompt):
Enter the account password to login:
admin@192.168.254.100's password: *****
Welcome to the Smart Network Access System
(c) Copyright 2007-2010 Network Critical Solutions Ltd, All Rights Reserved
Last login: Mon May 16 09:50:22 2011 from 192.168.254.111
CONTROLLER>
The CONTROLLER> prompt provides access to system Controller (motherboard) commands, including
commands for managing SNMP communities and groups, user accounts, network interface settings, port maps
and packet filters.
[1] Expect is a tool for automating interactive applications such as ssh, telnet, ftp, passwd, fsck, rlogin, tip, etc.
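The login session above contains two items an operator should check rather than accept blindly: the host key fingerprint in the first-connection prompt (compare it with the value recorded out of band, for example over the console port, before answering ‘yes’) and the “Last login ... from” line (an unexpected source address is worth investigating). The following Python script, added here as an example and not part of this guide or of the SmartNA-X product, parses a constructed session transcript modelled on the one shown above and reports either problem. The full fingerprint, the expected fingerprint and the allowed management hosts are constructed sample values; the fingerprint shown in the guide is truncated.

```python
import re

# Constructed SSH session transcript modelled on the login session in the
# guide. The fingerprint is a made-up sample value, not the real device key.
SAMPLE_SESSION = """\
The authenticity of host '192.168.254.100 (192.168.254.100)' can't be established.
RSA key fingerprint is 50:e6:0b:6d:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.254.100' (RSA) to the list of known hosts.
admin@192.168.254.100's password:
Welcome to the Smart Network Access System
(c) Copyright 2007-2010 Network Critical Solutions Ltd, All Rights Reserved
Last login: Mon May 16 09:50:22 2011 from 192.168.254.111
CONTROLLER>
"""

# Fingerprint recorded out of band (e.g. over the console port) when the unit
# was commissioned. Constructed value; note it may differ in case/punctuation
# from what the ssh client prints, hence the normalisation below.
EXPECTED_FINGERPRINT = "50:E6:0B:6D:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55"

# Hosts that are allowed to log in to the management port. Constructed.
MANAGEMENT_HOSTS = {"192.168.254.111", "192.168.254.112"}

# Matches lines such as "RSA key fingerprint is 50:e6:0b:6d:...." (MD5 colon
# form, with or without a trailing full stop).
FP_RE = re.compile(r"^(?P<alg>\w+) key fingerprint is (?P<fp>[0-9a-fA-F:]+)\.?$", re.M)
# Matches the banner line "Last login: <date> from <host>".
LAST_LOGIN_RE = re.compile(r"^Last login: (?P<when>.+?) from (?P<host>\S+)$", re.M)


def normalise_fingerprint(fp):
    """Lower-case and strip a trailing full stop so values compare reliably."""
    return fp.strip().rstrip(".").lower()


def extract_fingerprint(session):
    """Return (algorithm, normalised fingerprint) or None if no prompt is present."""
    m = FP_RE.search(session)
    return (m.group("alg"), normalise_fingerprint(m.group("fp"))) if m else None


def extract_last_login(session):
    """Return (timestamp text, source host) from the login banner, or None."""
    m = LAST_LOGIN_RE.search(session)
    return (m.group("when"), m.group("host")) if m else None


def check_session(session, expected_fp, allowed_hosts):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    fp = extract_fingerprint(session)
    if fp is None:
        findings.append("no host key fingerprint prompt found in session")
    elif fp[1] != normalise_fingerprint(expected_fp):
        findings.append("host key fingerprint %s does not match the recorded value" % fp[1])
    last = extract_last_login(session)
    if last is not None and last[1] not in allowed_hosts:
        findings.append("previous login came from unexpected host %s" % last[1])
    return findings


if __name__ == "__main__":
    for finding in check_session(SAMPLE_SESSION, EXPECTED_FINGERPRINT, MANAGEMENT_HOSTS) or ["session checks passed"]:
        print(finding)
```

In practice the transcript would come from the Expect log of an automated session; the same two checks apply when logging in by hand.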
To manage module and port settings, you must select the chassis slot that the module is installed in. Slots are
numbered 1–4, left to right; the rear slot is slot 0. For example, to manage a module in the third slot, enter the
following command:
CONTROLLER>select slot 3
SLOT 3>
Command overview
The CLI supports the following set of commands:
• Help – displays help information for the specified set of commands. For example, help set displays help for
set commands, help show displays help for show commands, and help auth displays information on
authorization commands.
• Select – selects a slot or the SmartNA-X system management options, making it the current home location.
For example, select slot 1 selects the first slot, select controller selects SmartNA-X system management
options. Other commands may implicitly use the current location, for example in deciding which port a
show port command refers to.
• Set – writes system parameters. Set commands are limited to SmartNA-X Administrators and have no effect
when entered by users with Operator/user or Audit access.
• Show – reads system parameters and displays them on the screen.
• Create settings – saves the current system parameters to permanent memory.
• Restore – restores a previously saved set of parameters, discarding any unsaved changes in the process.
• Delete – deletes a previously saved set of parameters.
• Clear – clears counters or maps (depending on the clear command entered).
• Commit – commits changes to maps and filters.
• Reboot – reboots TAP modules and system motherboard.
• Exit/Quit – exits the CLI and implements any network changes made to the system.
Commands may be entered in UPPERCASE, lowercase, or a CoMbinAtioN of both.
Logging out
To logout of the CLI, enter exit or quit:
CONTROLLER>exit
Logging out allows other users to access the CLI and web UI (the management interfaces permit single user
access only), and applies changes to network configuration.
Chapter 2 Introduction to network TAPs
This chapter provides a brief introduction to network TAPs, for those users who haven’t used TAPs before. It
covers the following major topics:
• What is a network TAP?, page 8
• Suitable locations for placing TAPs, page 9
What is a network TAP?
At Network Critical we define a network TAP as a “Test Access Point”, or a hardware device inserted at a
specific point in the network where data can be accessed or “sniffed”.
A simple TAP copies traffic from a live network to a monitoring port, where it can be monitored or captured
for later analysis. With more advanced TAPs, such as those from Network Critical and used in SmartNA-X
systems, traffic can be aggregated from several input ports and replicated to one or more output ports. In
addition, you can employ packet filtering to reduce the amount of traffic reaching the network tool, thus
allowing the use of 1G tools on high capacity networks.
TAPs are inserted between two nodes in a network, such as between a switch and firewall. The network cable
between points A and B is replaced with a pair of cables, which are then connected to the TAP (Figure 2-1).
Traffic is actively routed through the TAP, without the network’s knowledge. This allows the TAP to make a
copy of the traffic, which is sent out of the monitoring port to be used by another tool without changing the
network traffic flow.
Figure 2-1 Tapping live network traffic (callouts: ports A, B, C and D; “To Live Network Device A”; “To Live Network Device B”)
Once traffic has entered the SmartNA-X system it can be directed, or mapped, to monitoring ports within the
system. Tools can be attached to the monitoring ports and the traffic analyzed as required, as shown in Figure
2-2.
Figure 2-2 Connecting to network tools (callouts: ports A, B, C and D; “To Network”; “Monitoring Tool”)
Suitable locations for placing TAPs
Where you place a TAP on your network is of critical importance. Place a TAP in the wrong place and you may
take down the whole network, miss vital packets, or cause packets to be dropped on the network and/or
monitoring ports. This section explores the various locations you can place TAPs and the various advantages
and disadvantages associated with each.
Placing TAPs on individual servers
Figure 2-3 shows a configuration where TAPs are placed on the individual servers that are to be monitored. A
fully populated SmartNA-X chassis with four modules inserted will allow up to four servers to be monitored
(more if the C&D ports are used as failsafe TAPs on some types of module). This method allows for greater
control when scheduling network outages, since there is no need to take down all servers when placing TAPs.
This configuration is suitable for environments where servers are in a single location.
Figure 2-3 TAPs placed at server connection
Placing TAPs on multiple servers
If your environment consists of multiple servers and/or multiple server farms, the ideal TAP location is either
before or after the Load Balancer, as shown in Figure 2-4 and Figure 2-5. Placing the TAP at these locations
minimizes the number of TAPs needed to collect the data. A benefit of monitoring the data before the Load
Balancer (Figure 2-4) is that you can observe the individual IP addresses of the requesters and gain a better
understanding of where user traffic originates. However, the Load Balancer's IP address may appear to be the
web server providing the response to the requested information. If you prefer to follow which servers are
responding to users' requests, refer to Figure 2-5.
Figure 2-4 TAP placed before Load Balancer
Placing TAPs on multiple locations
If your environment consists of multiple locations, placing the TAP behind the Load Balancer (Figure 2-5)
allows you to see which servers are responding to the requested information. The limitation here is
understanding who is requesting the information: the Load Balancer typically appears as the user address,
making every requester of data look like a single user.
Another way to recognize a user's location depends on the type of Load Balancer you are using. For example,
if your Load Balancer supports it, you can enable “X-Forwarded-For” so that the user IP is included in the
packet information. Other possibilities include instrumenting requester information into a custom field
embedded in the application. Both methods are common when monitoring user traffic.
Figure 2-5 TAP placed after load balancer
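As an added example that is not part of the SmartNA-X guide, the following Python shows how a monitoring tool fed from a TAP placed after the load balancer (Figure 2-5) can recover the requesting client's address from X-Forwarded-For, while only believing the entry the load balancer itself appended. The load balancer address 10.0.0.5 and the sample requests are constructed assumptions.

```python
import ipaddress

# Assumption (constructed): the address the load balancer uses when it opens
# connections to the web servers, i.e. the source address a tool behind the
# load balancer sees on every request.
LOAD_BALANCER = "10.0.0.5"
TRUSTED_PROXIES = frozenset({LOAD_BALANCER})

# Constructed sample requests as a tool might reassemble them from the TAP:
# (source IP on the wire, raw HTTP request head).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 "X-Forwarded-For: 203.0.113.7\r\n\r\n"),
    # client supplied a bogus leading entry; the load balancer appended the real one
    ("10.0.0.5", "GET /login HTTP/1.1\r\nHost: www.example.com\r\n"
                 "X-Forwarded-For: 198.51.100.23, 203.0.113.7\r\n\r\n"),
    # header absent: the load balancer was not configured to add it
    ("10.0.0.5", "GET /img/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # request that did not pass through our load balancer at all
    ("192.0.2.9", "GET /admin HTTP/1.1\r\nHost: www.example.com\r\n"
                  "X-Forwarded-For: 203.0.113.7\r\n\r\n"),
]


def parse_headers(raw_request: str) -> dict:
    """Lower-cased header name -> value; repeated fields are joined with commas."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def client_ip(src_ip: str, raw_request: str, trusted=TRUSTED_PROXIES) -> str:
    """Recover the address of the client that originated the request.

    X-Forwarded-For is client-supplied text, so it is only trusted when the
    packet came from our own load balancer, and only the entries the load
    balancer itself appended are believed: walk the list from the right and
    return the first address that is not one of our proxies. Falls back to the
    wire source address when the header is missing or unusable.
    """
    if src_ip not in trusted:
        return src_ip
    xff = parse_headers(raw_request).get("x-forwarded-for")
    if not xff:
        return src_ip
    for hop in reversed(xff.split(",")):
        try:
            addr = str(ipaddress.ip_address(hop.strip()))
        except ValueError:
            continue                              # malformed entry, ignore it
        if addr not in trusted:
            return addr
    return src_ip


def client_ips(requests=SAMPLE_REQUESTS) -> list:
    """Effective client address for each captured request, in order."""
    return [client_ip(src, raw) for src, raw in requests]


if __name__ == "__main__":
    for (src, raw), ip in zip(SAMPLE_REQUESTS, client_ips()):
        print(f"{src:>12} -> client {ip:>15}  {raw.splitlines()[0]}")
```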
Chapter 3 Setting up SmartNA-X
This chapter provides instructions on setting up the SmartNA-X hardware and connecting to the Management
Port. If access to the Management port is unavailable, access to the system via the Console port is also
described. The chapter covers the following major topics:
• Check items included, page 12
• Installing the SmartNA-X chassis and TAP modules, page 13
• Powering up the system, page 14
• Connecting to the management port, page 14
• Logging in to SmartNA-X, page 14
Check items included
The following items are included with the SmartNA-X system:
• SmartNA-X chassis
• SmartNA-X TAP modules (Red=10 Gbit/s, Blue=1 Gbit/s)
• 10G optical cables
• Serial Management Cable – DE-9 female to 8P8C (1.5 meters)
• Chassis rack mounting kit (brackets and screws)
• 2 x power leads
Check that all items are included and report any missing or damaged items immediately to Network Critical for
replacement. See Appendix I, “Technical Support & Contact Details”, for contact information.
Installing the SmartNA-X chassis and TAP modules
CAUTION: Electrostatic discharge can damage electrical components. SmartNA-X components are wrapped
in antistatic bags to prevent this damage. Before handling SmartNA-X components, attach an antistatic wrist
strap to a grounded metal surface to prevent electrostatic discharge from damaging your hardware. If you do
not have a wrist strap, just prior to removing the product from ESD packaging and installing or replacing
hardware, touch an unpainted metal surface for a minimum of 5 seconds.
Follow these steps to set up the chassis with your TAP modules and install it into a server rack.
1. Unpack all supplied items and lay them on a workbench.
2. Attach the mounting brackets to either side of the SmartNA-X chassis using the screws provided (Figure 3-1).
Figure 3-1 Attaching mounting brackets to the chassis
3. Install the appliance into a standard 19” rack (the appliance will occupy 1 rack unit).
4. Insert SmartNA-X TAP modules in the chassis slots as follows:
• Red module (max 10 Gbit/s) – insert in left-hand side slot only (as shown in Figure 3-2)
• Blue module (max 1 Gbit/s) – insert in any slot (including left-hand slot if desired)
CAUTION: Blanking plates MUST be fitted to unused slots to ensure correct cooling.
Figure 3-2 Red TAP modules must be inserted in the left-hand slot only, Blue TAP modules can be inserted in any slot.
Powering up the system
The SmartNA-X chassis is factory fitted with dual independent power supply units (PSUs). The PSUs should be
fed from two truly independent supplies to eliminate single points of failure. If only one PSU is fitted, it should
be PSU-1, which is on the right-hand side when viewed from the rear, as indicated in Figure 3-3.
Figure 3-3 Location of PSU-1 and PSU-2 (callouts: PSU-2, PSU-1)
Power on to start the cold-boot sequence, which takes around 2 minutes to complete. You will not be able to
access the system until the cold-boot sequence is complete.
Connecting to the management port
The management port provides access to the web UI and CLI management interfaces. Attach an Ethernet cable
with an RJ45 connector to the management port (location of the port shown in Figure 3-4), and connect the
other end to your Admin network.
If you need to configure SmartNA-X locally (without connecting to a wired LAN), you can connect a PC to the
SmartNA-X Console port using a DE-9 female to 8P8C (RJ45) serial management cable (supplied).
Figure 3-4 SmartNA-X Console port (callout: MANAGEMENT PORT)
Logging in to SmartNA-X
You can log in to the SmartNA-X management system with a web browser or a terminal client. Logging in via a
web browser provides access to the web user interface, where you can use mouse-driven options to configure
ports, maps, SNMP, filters, etc. Logging in via a terminal client provides access to the SmartNA-X command
line interface (CLI), allowing you to configure settings using simple commands. If network access to the system
is not available (perhaps you don't know the IP address), you may log in via the Console port and reset network
settings using the appropriate CLI commands.
To log in, you'll need a username and a password. By default, SmartNA-X is configured with the default
usernames and passwords listed in Table 1 below.
CAUTION: For security, the default usernames and passwords should be changed in the first instance to
prevent unauthorized access to SmartNA-X.
User            Access details
Administrator   Full read-write access.
                Default username: admin
                Default password: admin
Operator        Read-write access to ports and modules only.
                Default username: user
                Default password: user
Audit           Read-only access.
                Default username: audit
                Default password: audit
Table 1 SmartNA-X default user accounts
Logging in to the web UI
To log in to the SmartNA-X web UI (Figure 3-5), you’ll need:
• network access to the SmartNA-X Management port (default IP: 192.168.254.100)
• a SmartNA-X username and password (see Table 1 for the defaults)
• a modern web browser (Internet Explorer 8.0+, Firefox, Chrome, Safari) supporting Java™ 1.5 (or later). If
you have problems logging in to the web UI on Mac OSX, see the “Resolving web UI issues on Mac OSX”
section on page 215 for troubleshooting information.
Start your Java-enabled web browser and enter https://<SmartNA-X_address>. Enter your SmartNA-X
username and password and click Log in. When you have finished working in the web UI, log out to allow
other users access to the system.
Figure 3-5 Logging in to the SmartNA-X web interface
Logging in to the CLI
To log in to the SmartNA-X CLI as Administrator, you’ll need:
• network access to the SmartNA-X Management port (default IP: 192.168.254.100)
• a SmartNA-X admin username and password (see Table 1 for the defaults)
• a terminal client supporting SSH (Secure Shell)
1. Start your terminal client and enter the following command (where admin is the username and
192.168.254.100 is the default IP address):
user@example.com ~# ssh admin@192.168.254.100
2. Enter “yes” to accept the host connection if this is the first time you have connected from this host.
The authenticity of host '192.168.254.100' can't be established.
RSA key fingerprint is 9a:30:7b:95:ec:b4:fe:53:e1:a4:42:69:4f:15:5c:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.254.100' (RSA) to the list of known hosts.
3. Enter your SmartNA-X admin password to login:
admin@192.168.254.100’s password:*****
CONTROLLER>
4. For help in the CLI, you can use the help command. For example, to see a list of authentication and
authorization commands that are available, enter help auth:
CONTROLLER>help auth
The following are associated with authentication and authorization :
set authentication {Local, RADIUS, TACACS} : defines type of authentication
create radius authserver <Address> <Port> <shared secret> : add RADIUS
authentication server. <Port> should normally be 1812 for authentication
servers
delete radius authserver <Address> : remove RADIUS authentication server
create radius accserver <Address> <Port> <shared secret> : add RADIUS
accounting server. <Port> should normally be 1813 for accounting servers
delete radius accserver <Address> : remove a RADIUS accounting server
create tacacs authserver <Address> <shared secret> : add TACACS+
authentication server
delete tacacs authserver <Address> : remove TACACS+ authentication server
create tacacs accserver <Address> <shared secret>:
add TACACS+ accounting server (with logging implicitly enabled)
delete tacacs accserver <Address> : remove an accounting server
show radius : show radius servers
show tacacs : shows TACACS+ servers
set log <text> : creates a log entry with <text> if accounting is enabled.
user@example.com ~#
Logging in to the CLI locally
To log in to SmartNA-X as Administrator locally (without a network connection), you’ll need:
• direct connection from a PC to the Console port using a DE-9 female to 8P8C (RJ45) serial management
cable (supplied)
• a SmartNA-X admin username and password (see Table 1 for the defaults)
• a terminal emulator client
1. Connect the DE-9 female to 8P8C serial management cable from PC to Console port (Figure 3-6).
2. Set up the terminal emulator program as 9600 baud, 8 data bits, No parity, 1 stop bit, Xon/Xoff flow control.
3. Start a session to SmartNA-X and login with your Admin username and password:
Username : admin
Password : ******
Login over serial connection
Command Line Parser
Built on Sep 25 2012 at 15:29:17 from svn revision 263M
Running at Authorisation level 3
User admin logged in from serial-connection
CONTROLLER>
4. Use regular SmartNA-X CLI commands to configure settings. For example, to configure the following
network settings:
IP: 192.168.0.122
subnet mask: 255.255.255.0
gateway: 192.168.0.254
enter the following commands:
CONTROLLER>set ipv4 static 192.168.0.122 255.255.255.0 gateway 192.168.0.254
Network settings will take effect when you exit CLI.
exit to enable new network settings
CONTROLLER>exit
Exiting CLI
exit to enable new network settings
Applying new IPv4 network settings
Addressing Mode : static
Address: 192.168.0.122
Netmask: 255.255.255.0
Gateway: 192.168.0.254
Connection to 192.168.0.122 closed.
admin@example.com:~$
NOTE: If the Console cable is disconnected before the session is terminated, the session over the Console port
will stay active and prevent any login to the Management port via web UI or CLI. If this happens, re-connect to
the system using the Console port and shut down the session properly by logging out.
The system allows only one user to be logged in at a time and will actively prevent another user from gaining
access to the system when attempting to connect via the Ethernet Management port. However, if a user
attempts to log in via the Console port, this will (by design) disconnect any other UI session that is currently
active.
In the event that someone logs in on the Console port while another UI is already performing a
time-consuming operation, such as applying a complicated mapping and filtering configuration, what happens
to that pending operation depends on how far it has progressed. In particular, if it has already passed security
checks and started reconfiguring the system, it will attempt to complete its changes even though the original UI
session has expired.
In this case, the administrator who has logged in on the Console port may see unusual or inconsistent settings
via their CLI until the long-running operation completes, and we recommend against attempting to change
any settings via the Console CLI during this period. If in doubt, we recommend that the administrator wait at
least 10 minutes before attempting to change anything; this will normally be long enough for any previous
operations to complete or time out, leaving the Console CLI with sole control over the system.
Figure 3-6 SmartNA-X Console port (callout: CONSOLE PORT)
Chapter 4 Administering SmartNA-X
This chapter describes SmartNA-X tasks that are normally carried out by Administrators when setting up and
configuring the device. The chapter covers the following major topics:
• Logging in, page 19
• Configuring SmartNA-X for the first time, page 22
• Configuring network settings, page 22
• Enabling NTP, page 23
• Managing user accounts and authentication, page 24
• Saving and restoring configurations, page 28
• Restoring default settings and custom configurations, page 29
• Updating system firmware, page 30
• Monitoring system health, page 30
Logging in
You can log in to SmartNA-X from a web browser or from a command line over a network link to the
Management port. Direct (local) access is also possible via the Console port when network access is not
available.
To log in to the web UI or CLI, you will need:
• network access to the Management port (Figure 4-1) or access to the Console port (Figure 4-2) if connecting
locally
• a SmartNA-X user name and password. Admin credentials are needed to perform administrator tasks. Table
4-2, page 24 shows the default usernames and passwords set on all new SmartNA-X systems.
• a modern web browser (Internet Explorer 8.0+, Firefox, Chrome, Safari)
• Java™ 1.5 (or later) browser plugin
NOTE: The web UI (and CLI) support single user access only. Make sure there are no other users logged in
before attempting to access the web UI/CLI interface.
Figure 4-1 SmartNA-X Management port (callout: MANAGEMENT PORT)
Logging in to the web UI
1. Enter the SmartNA-X network address in a web browser. For example:
https://192.168.254.100
https://[2001:db8:1234::8a2e:370:fe56:dec4] (note the brackets).
We recommend using DNS for resolving IPv6 host names.
2. Enter your SmartNA-X account details and then click Log in.
For information on using the web UI, see Chapter 5,“Using the Web User Interface”.
Logging in to the CLI
To access the command line interface (CLI) use a terminal client which supports Secure Shell (SSH). To log in
to the CLI, follow these steps:
1. SSH to the SmartNA-X CLI:
user@example.com ~# ssh admin@192.168.254.100
2. If prompted, enter “yes” to continue connecting (you won’t need to do this a second time from this host):
The authenticity of host '192.168.254.100' can't be established.
RSA key fingerprint is 9a:30:7b:95:ec:b4:fe:53:e1:a4:42:69:4f:15:5c:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.254.100' (RSA) to the list of known hosts.
3. Enter your SmartNA-X password:
admin@192.168.254.100’s password:*****
CONTROLLER>
4. When you have finished entering commands in the CLI, exit to allow other users access:
CONTROLLER>exit
Exiting CLI
Connection to 192.168.254.100 closed.
user@example.com ~#
Logging in to the CLI locally
If you need to configure SmartNA-X locally (without connecting to a wired LAN), you can connect a PC to the
SmartNA-X Console port using a DE-9 female to 8P8C (RJ45) serial management cable (supplied). To open
the CLI by connecting to the SmartNA-X console port, follow these steps:
1. Connect the supplied DE-9 female to 8P8C serial management cable to the Console port on SmartNA-X
and to the COM port on a computer. Figure 4-2 shows the Console port location.
2. Set up a terminal emulator to communicate with SmartNA-X. Use the following settings for the terminal
emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and Xon/Xoff flow control.
3. Log in to the CLI using your SmartNA-X username and password:
Username : admin
Password : ******
Login over serial connection
Command Line Parser
Built on Sep 25 2012 at 15:29:17 from svn revision 263M
Running at Authorisation level 3
User admin logged in from serial-connection
CONTROLLER>
4. When you have finished entering commands in the CLI, exit to allow other users access:
CONTROLLER>exit
Exiting CLI
Connection to 192.168.254.100 closed.
user@example.com ~#
NOTE: If the Console cable is disconnected before the session is terminated, the session over the Console port
will stay active and prevent any login to the Management port via web UI or CLI. If this happens, re-connect to
the system using the Console port and shut down the session properly by logging out.
Figure 4-2 SmartNA-X Console port (callout: CONSOLE PORT)
Configuring SmartNA-X for the first time
To secure your SmartNA-X against unauthorized access and to prepare it for attaching to your live data
networks, an Administrator may wish to make the following initial configuration changes:
• Restore the system to a known state of configuration, as described in the “Restoring default settings and
custom configurations” section on page 29
• Configure security settings (local, RADIUS or TACACS+ user authentication) and configure user accounts
(you are strongly advised to change the default login accounts), as described in the “Authenticating users”
section on page 25
• Configure network settings, as described in the “Configuring network settings” section on page 22.
• Configure port communication settings to match those of your data networks, as described in the
“Configuring port communication settings” section on page 35
• Synchronize device and network time, as described in the “Enabling NTP” section on page 23
• Configure SNMP and integrate SmartNA-X into your network management system (NMS), as described in
the “Configuring SNMP” section on page 58
Configuring network settings
By default, the SmartNA-X interface is assigned a static network address. You can change the default IP address
manually, or enable DHCP and let your DHCP server assign the IP, gateway and DNS addresses automatically.
Using the web UI to configure network settings
1. Log in to the web UI.
2. Click on the main chassis area to access system management settings.
3. Select the System identity tab.
4. If you want to use DHCP, select the Use DHCP checkbox. You should make a note of the system MAC
address as you may need to query your DHCP server for the new SmartNA-X IP address.
5. If you wish to enter your own static network settings, make sure DHCP is not selected and enter the
required IP address, subnet and gateway values. See Table 4-1 for a description of the fields.
6. Click Review/apply, review the changes you have made, and then click Apply to implement the new
settings. After a short delay, you will be logged out of the web UI while the changes are implemented. You
will then need to use the new network settings to reconnect to the SmartNA-X system.
Field                 Description
System IPv4 address   IPv4 address of the network interface. Default: 192.168.254.100
IPv4 subnet           IPv4 network mask. Default: 255.255.255.0
IPv4 gateway          IPv4 address of the network gateway. Default: 0.0.0.0
DNS server            IPv4 address of your network DNS server. When DHCP is enabled, the DNS setting
                      obtained from the DHCP server is not displayed in the web UI or CLI, although it is
                      used operationally (this also applies when accessing the web UI with an IPv6 address
                      to enable DHCP).
System IPv6 address   IPv6 address of the network interface. Default: None
IPv6 prefix length    IPv6 prefix length. Default: None
IPv6 gateway          IPv6 address of the network gateway. Default: None
Table 4-1 Available network fields in the web UI
Using the CLI to configure network settings
1. To enable DHCP for IPv4 (SmartNA-X does not support DHCP on IPv6), enter the following command
and then skip to Step 3.
CONTROLLER>set ipv4 dhcp
2. If setting up IPv4, enter the following commands to specify a static IP address, netmask, DNS, and gateway
address:
CONTROLLER>set ipv4 static <ip-address> <netmask> gateway <gateway-address>
CONTROLLER>set ipv4 dns <dns-address>
3. If setting up IPv6, enter the following commands (the device can have both IPv4 and IPv6 addresses):
CONTROLLER>set ipv6 static <ip-address> <prefix-length> <gateway-address>
4. Exit from the CLI to implement the new network settings (the system will reboot):
CONTROLLER>exit
For reference information on the network commands, see the “Commands for managing network
configuration” section on page 81.
Enabling NTP
You can synchronize SmartNA-X system time with your network time server by enabling NTP (Network Time
Protocol). You may wish to do this so you can be sure time stamps in system log files are correctly
synchronized with your network time.
Using the web UI to enable NTP
1. Log in to the web UI.
2. Click on the main chassis area to access system settings.
3. Select the Security tab.
4. In the NTP Server field, enter the network address of your NTP server.
5. Click Review/apply, review the changes you have made, and then click Apply to implement the new
settings.
Using the CLI to enable NTP
Enter the following commands to enable NTP:
CONTROLLER>set ntp server <NTP-address>
CONTROLLER>exit
For reference information on the network commands, see the “Managing user accounts and authentication”
section on page 24.
Managing user accounts and authentication
This section covers SmartNA-X user accounts. For security, access to the management system is restricted to
authorized users, who must provide valid user credentials in order to access the management system. Table 4-2
shows the user accounts that are initially enabled on the device. You should change the logon credentials in
the first instance to secure access to the system.
User            Access details
Administrator   Full read-write access to SmartNA-X. Typically assigned to network administrators who
                initially deploy the box into the network and administer users.
                Default username: admin
                Default password: admin
                Access level: admin
Operator        Read-write access to ports and module settings. Read-only access to system settings, such
                as network configuration and user administration. Typically assigned to network security
                administrators who use SmartNA-X to TAP data networks.
                Default username: user
                Default password: user
                Access level: user
Audit           Read-only access. Typically assigned to technical auditors and other users who need access
                to system information only.
                Default username: audit
                Default password: audit
                Access level: audit
Table 4-2 SmartNA-X default user accounts
Authenticating users
Users must be authenticated before they can use the SmartNA-X management interfaces. Authentication can
be performed locally or via a RADIUS/TACACS+ authentication server. To enable RADIUS/TACACS+
authentication, see the “Enabling RADIUS and TACACS+ authentication servers” section on page 26.
Local users can be added by specifying the create user command in the CLI. For example, to add the following
user:
• Username: SNAX-user1
• Password: SNAX-pass1
• Access level: Operator/user
log in to the CLI as Administrator and enter the following command:
CONTROLLER>create user SNAX-user1 SNAX-pass1 user
See page 94 for information on the create user command.
Resetting passwords
Administrators can reset or change passwords with the set user password command. For example, to reset the
password for user SNAX-user1, log in as Administrator and enter this command at the prompt:
CONTROLLER>set user SNAX-user1 password <new-password>
See page 95 for information on the set user password command.
Changing security levels
Locally managed users (user accounts which are not managed via an AAA server) can have their security level
changed by an Administrator, using the set user level command. The system has three security levels:
• Admin – Administrators have full read-write access to all system settings, including the ability to upgrade
firmware and manage user accounts.
• User – Users/Operators have read-write access to ports, modules, maps and filters.
• Audit - Auditors have read-only access to the system.
For example, to give “johnsmith” Admin access to the system, enter this command at the system prompt:
CONTROLLER>set user johnsmith level admin
See page 96 for information on the set user level command.
Removing users
Locally managed users can be removed from the system by an Administrator using the delete user command.
For example, to delete the account for Operator “johnsmith”, enter this command at the system prompt:
CONTROLLER>delete user johnsmith
You can use the show users command to output a list of all system users.
CONTROLLER>show users
See page 93 for information on the show users command.
Enabling RADIUS and TACACS+ authentication servers
The system can be configured to authenticate SmartNA-X accounts against RADIUS or TACACS+ servers, which
validate account credentials and privileges. This section explains how to set up RADIUS and TACACS+
authentication servers in SmartNA-X. Refer to your RADIUS/TACACS+ authentication server documentation
for details of how to add user accounts to the server.
Using the web UI to add authentication servers
1. Log in to the web UI.
2. Click on the main chassis area to access system management settings.
3. Select the Security tab.
4. Select RADIUS or TACACS+ as supported by the authentication server. You may also select RADIUS/
Local or TACACS+/Local to fall back to local authentication if access to an authorization server fails.
5. Click the add/edit button to add or edit a RADIUS or TACACS+ authentication server.
For RADIUS servers, specify the following configuration options:
• Server address: Specifies the network address of the authentication server.
• Server port: Specifies the communication port, usually 1812 for authentication servers.
• Shared secret: Specify the password/shared secret required to access the authentication server. Passwords
are case-sensitive.
For TACACS+ servers, specify the following configuration option:
• Server address: Specify the network address of the authentication server.
To edit an existing server, click the edit button.
6. Click Add server to finish setting up the server.
7. If your network has more than one authentication server running, you can add them as backup/failover
servers and the system will attempt to contact the second server in order to validate a user (the system will
not switch between RADIUS and TACACS+ servers though if both are defined). Note that a RADIUS server
will outright reject a validation request when secrets mismatch and will not attempt to validate the secret on
a second RADIUS server. However, RADIUS will attempt to validate the user on a second server if the user
account is not present on the first server. TACACS+ servers behave differently, and will attempt to contact a
backup server if either the user account is not present or if secrets mismatch.
8. If necessary, use the button provided to move servers into the desired contact order when several backup
servers are being used.
9. Click Review/apply, review the changes you have made, and then click Apply to implement the new
settings.
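The failover behaviour described in step 7, together with the “/Local” option from step 4, modelled in Python as an added example; this is not SmartNA-X code. The server addresses and account names are constructed, and the rule that local fallback applies only when no server could be reached is an assumption about how “/Local” behaves.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AAAServer:
    """Constructed model of one RADIUS or TACACS+ server as SmartNA-X would see it."""
    address: str
    reachable: bool = True
    secret_matches: bool = True       # shared secret on SmartNA-X equals the server's
    users: frozenset = frozenset()    # accounts this server can vouch for


def query(server: AAAServer, username: str) -> str:
    """Outcome of one authentication request sent to a single server."""
    if not server.reachable:
        return "unreachable"
    if not server.secret_matches:
        return "secret_mismatch"
    return "accept" if username in server.users else "unknown_user"


def authenticate(protocol: str, servers, username: str,
                 local_fallback: bool = False, local_users=frozenset()):
    """Walk the servers in contact order, applying the failover rules of step 7.

    RADIUS: a shared-secret mismatch is a hard reject and the backups are never
    consulted; only an unknown user (or an unreachable server) moves on.
    TACACS+: unknown user and secret mismatch both move on to the backup.
    '/Local' (assumption): local accounts are consulted only when no server
    could be reached at all.
    Returns (result, list of server addresses contacted).
    """
    if protocol not in ("radius", "tacacs"):
        raise ValueError("protocol must be 'radius' or 'tacacs'")
    contacted, reached_any = [], False
    for server in servers:
        contacted.append(server.address)
        outcome = query(server, username)
        if outcome != "unreachable":
            reached_any = True
        if outcome == "accept":
            return "accepted", contacted
        if outcome == "secret_mismatch" and protocol == "radius":
            return "rejected:secret_mismatch", contacted
    if local_fallback and not reached_any:
        local = "accepted:local" if username in local_users else "rejected:local"
        return local, contacted
    return "rejected", contacted


# Constructed scenario: the primary server's shared secret was mistyped on
# SmartNA-X, the backup is configured correctly and knows the same account.
PRIMARY = AAAServer("192.0.2.10", secret_matches=False, users=frozenset({"snax_admin"}))
BACKUP = AAAServer("192.0.2.11", users=frozenset({"snax_admin"}))


def scenarios() -> dict:
    """Deployment checks a practitioner would want to run before going live."""
    return {
        # one typo on the primary locks every RADIUS user out, backup or not
        "radius_secret_typo": authenticate("radius", [PRIMARY, BACKUP], "snax_admin"),
        # the same typo is survivable with TACACS+
        "tacacs_secret_typo": authenticate("tacacs", [PRIMARY, BACKUP], "snax_admin"),
        # account exists only on the backup: RADIUS does fail over for unknown users
        "radius_user_on_backup_only": authenticate(
            "radius", [AAAServer("192.0.2.10"), BACKUP], "snax_admin"),
        # every server down: only the '/Local' mode still lets an admin in
        "all_down_local_fallback": authenticate(
            "radius", [AAAServer("192.0.2.10", reachable=False)], "admin",
            local_fallback=True, local_users=frozenset({"admin"})),
    }


if __name__ == "__main__":
    for name, (result, path) in scenarios().items():
        print(f"{name:28} {result:26} via {path}")
```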
Using the CLI to add authentication servers
1. Enable the authentication protocol used by the authentication server. The system supports RADIUS and
TACACS+ authentication servers:
CONTROLLER>set authentication {radius | tacacs}
2. Add a master authentication server and any backups employed by your network.
• To add a RADIUS server:
CONTROLLER>create radius authserver <ip-address> <port-num> <password>
• To add a TACACS+ server:
CONTROLLER>create tacacs authserver <ip-address> <password>
3. Exit to apply your updates:
CONTROLLER>exit
See the Commands for managing authentication and accounting, page 98 for information on the
authentication commands.
Enabling transaction logging
For auditing purposes, all SmartNA-X transactions can be logged to a RADIUS or TACACS+ accounting
server. Local logging is not supported by the system. This section explains how to enable accounting servers
using the web UI and CLI.
Using the web UI to configure accounting servers
1. Log in to the web UI.
2. Click on the main chassis area to access system management settings.
3. Select the Security tab.
4. Click the add/edit button to add or edit a RADIUS or TACACS+ accounting server.
For RADIUS servers, specify the following configuration options:
• Server address: Specifies the network address of the accounting server.
• Server port: Specifies the communication port, usually 1813 for accounting servers.
• Shared secret: Specify the password/shared secret required to access the accounting server. Passwords are
case-sensitive.
For TACACS+ servers, specify the following configuration option:
• Server address: Specify the network address of the accounting server.
To edit an existing server, click the edit button.
5. Click Add server to finish setting up the server.
6. Add any backup servers employed on your network. You can use the button provided to drag servers into
the desired contact order.
7. Click Review/apply, review the changes you have made, and then click Apply to implement the new
settings.
Using the CLI to add accounting servers
1. Enable the protocol used by the accounting server (RADIUS and TACACS+ protocols are supported):
CONTROLLER>set accounting {radius | tacacs}
2. Add a master accounting server and any backups employed by your network.
• To add a RADIUS accounting server:
CONTROLLER>create radius accserver <IP-address> <port-num> <password>
• To add a TACACS+ accounting server:
CONTROLLER>create tacacs accserver <IP-address> <password>
3. Exit the CLI in order to apply your changes:
CONTROLLER>exit
See the Commands for managing authentication and accounting, page 98 for information on the
accounting commands.
Saving and restoring configurations
You can save the current SmartNA-X configuration to non-volatile memory and restore it at a later date. Saving
a configuration saves the current settings for port communication, port mappings, packets filters, and all
SNMP options (user accounts, network settings, system firmware and counter states are not saved/restored).
Using the web UI to save the current configuration
1. Log in to the web UI.
2. Click on the main chassis area to access system management settings.
3. Select the Management tab.
4. Click Saved Configurations. The Saved Configuration window appears.
5. Click Save current configuration and enter a suitable name for the configuration. Names may include
alphanumeric characters and the underscore character “_” only. Spaces and other symbols may not be used.
6. Click Save to finish.
Using the web UI to restore a saved configuration
1. Log in to the web UI.
2. Click on the main chassis area to access system management settings.
3. Select the Management tab.
4. Click Saved Configurations. The Saved Configuration window appears.
5. Click the restore button for the configuration you want to restore, and then click Load to confirm that you
want to overwrite the existing system configuration. You must log in again after restoring a configuration.
Using the CLI to save the current configuration
To save configurations at the command prompt, use the create settings command, together with a name for
the configuration. For example, to save a configuration called “tapconfiguration_net001”, enter the following
command at the prompt:
CONTROLLER>create settings "tapConfiguration_net001"
Using the CLI to restore a saved configuration
To restore a configuration and overwrite the existing settings, use the restore command, together with the
name of a previously saved configuration:
CONTROLLER>restore "tapConfiguration_net001"
Restoring default settings and custom configurations
The SmartNA-X default configuration and any Network Critical custom configurations can also be restored
using the web UI Management options or restore command.
Using the web UI to restore the default configuration
1. Log in to the web UI.
2. Click on the main chassis area to access system management settings.
3. Select the Management tab.
4. Click Saved Configurations. The Saved Configuration window appears.
5. Choose which configuration you want to restore. For example, to restore the default configuration, choose
“factory_defaults”, click the restore button, and then click Load to confirm that you want to overwrite the
existing system settings. You must log in again after restoring a configuration.
Using the CLI to restore the default configuration
Enter the following commands to restore the default configuration using the CLI:
CONTROLLER>restore "factory_defaults"
CONTROLLER>exit
Rebooting the system
You can reboot the system to reset it at any time. Note that rebooting will log you out of the system and prevent
connectivity for several minutes. A TAP mode link on the live network should not be affected more than
momentarily by a reboot, but traffic passing through the link will not be copied to other ports during the
reboot time. Counters will not be updated until the reboot process has completed.
Using the web UI to reboot the system
1. Log in to the web UI.
2. Click on the main chassis area to access system management settings.
3. Select the Management tab.
4. Click Reboot, and then click Reboot again to confirm.
After a short delay, the system will reboot and log you out of the web UI.
Using the CLI to reboot the system
Enter the following command to reboot the system:
CONTROLLER>reboot
Updating system firmware
Network Critical may periodically release new firmware updates to introduce new features and update system
functionality. For the latest firmware updates, contact Network Critical at support@networkcritical.com.
CAUTION: Using the wrong firmware update file can render your hardware inoperable. If in doubt, contact
Network Critical Support before applying an update.
To update system firmware, follow these steps:
1. Log in to the web UI (firmware updating is not supported in the CLI).
2. Click on the main chassis area to access system management settings.
3. Select the Management tab.
4. Click Update and Continue.
5. Enter your SmartNA-X Administrator username and password, and then click Choose file and select the
new firmware file.
6. Click Upload new firmware and wait for the process to finish and the system to automatically reboot (note
the implications of rebooting live TAPs as described in the “Rebooting the system” section on page 30).
Monitoring system health
System health can be monitored for high module temperatures and low/high port traffic levels. You may wish
to set up your SNMP trap manager to receive notifications when threshold levels are exceeded. See the
“Configuring SNMP notifications” section on page 59 for instructions on enabling notifications, and
“Configuring trap managers (notification hosts)” section on page 61 for instructions on setting up the SNMP
notification manager.
The default health threshold settings are 60°C for temperature, and 75% (high threshold) and 50% (low
threshold) of maximum bandwidth capacity for ports. In the majority of cases these default thresholds will
provide adequate warning before packets start to be dropped or the system overheats. A clear notification is
generated as soon as the temperature falls 1°C below the specified threshold, or when traffic falls below the
lower threshold.
Using the web UI to configure health SNMP notification thresholds
1. Log in to the web UI.
2. Click on the module you want to configure, and select the Health tab.
3. Enter a temperature (in degrees Celsius) for the threshold value. The default threshold setting is 60°C.
4. Click on the port you want to configure, and select the Health tab.
5. Enter the required traffic percent thresholds. The default thresholds are 75%/50% of maximum bandwidth
capacity.
6. Click Review/apply, review the changes you have made, and then click Apply to implement the new
settings.
Chapter 5 Using the Web User Interface
This chapter provides information on managing SmartNA-X via the integrated web user-interface (UI). The
web UI supports a full set of administrative, user and audit options and is available to all SmartNA-X users,
although some options may be disabled if you don’t have the required access privileges. It contains the
following sections:
• Accessing the web UI, page 32
• Selecting options in the system diagram, page 33
Accessing the web UI
To access the web UI, you will need:
• the IP address of the SmartNA-X and a connection to the SmartNA-X management port
• a SmartNA-X user, admin or audit account
• Internet Explorer 8.0+, Firefox, Chrome or Safari with the Java™ 1.5 (or later) plugin enabled
NOTE: The web UI (and CLI) support single user access only. Make sure there are no other users logged in
before attempting to access the web UI/CLI interface.
Enter the SmartNA-X IP address (for example 192.168.254.100) in a web browser. If this is the first time you
have logged in, you will need to accept the security certificate (accepting the certificate does not compromise
your network security). Then enter your user credentials to authenticate your account.
Figure 5-1 SmartNA-X web UI with port mappings
Selecting options in the system diagram
The system diagram (Figure 5-2) provides a dynamically updated overview of your SmartNA-X system and
allows you to manage system settings, TAP modules, ports, maps and filters. If you don’t see the diagram, check
you have Java 1.5 or later installed and enabled in your browser. Using CTRL (or SHIFT) lets you select several
ports or modules at the same time and configure them together (handy when setting up multiple ports with the
same settings).
Figure 5-2 Web UI system diagram (the labels show the different clickable parts: packet filters, chassis, port
maps, TAP modules, rear ports, and ports)
Port speed indicator
A color key is used to indicate the maximum speed of the port:
• Orange = maximum 10 Mbit/s
• Yellow = maximum 100 Mbit/s
• Green = maximum 1 Gbit/s
• Cyan = maximum 10 Gbit/s
Further information
For further information on using the web UI, please refer to the following chapters:
• For details about using the web UI to configure network settings and other Administrator options, see
Chapter 4,“Administering SmartNA-X”.
• For details about using the web UI to configure ports, see Chapter 6,“Configuring ports”.
• For details about using the web UI to configure port maps, see Chapter 7,“Creating Port Maps”.
• For details about using the web UI to configure filters, see Chapter 8,“Using Packet Filters”.
For details about using the web UI to configure SNMP, see Chapter 9,“Using SNMP”.
Chapter 6 Configuring Ports
This chapter describes how to configure SmartNA-X settings for port communications, port usage, and port
locking. It covers the following major topics:
• Configuring port communication settings, page 35
• Configuring port failsafe and LFP (TAP mode), page 36
• Configuring port roles, page 39
• Configuring port traffic thresholds, page 40
• Configuring port locking, page 41
• Saving port settings, page 42
Configuring port communication settings
NOTE: You can only configure port communication settings on copper ports (RJ45 connectors). Fiber and SFP/
SFP+ ports do not provide options for setting speed, duplex, etc.
For two devices connected to communicate reliably over copper cabling both ends of the link partnership must
have compatible port communication settings for speed, duplex, MDI/MDI-X, and master/slave roles. By
default, SmartNA-X copper ports are set up to find optimum settings through auto-negotiation. In the majority
of TAP deployments Auto produces the best results. However, you may want to specify static port settings
where auto negotiated settings are proving to be unreliable, or in a network critical deployment where any
delay caused by renegotiation of the link following a port failure (and failover to relay mode) cannot be
tolerated.
Using the web UI to configure port communications
1. Log in to the web UI.
2. Click on the port you want to configure and select the Port Configuration tab.
3. Using the menus, select the port speed, duplex, MDI/MDI-X and mastery (clock master) as required. Auto
is the recommended setting for all but the most critical situations. Setting anything other than Auto limits
the port speed to the value chosen, even if the link partner does not support that speed. Setting Auto also
allows the link to be renegotiated if line conditions change or the link partner is swapped.
4. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Using the CLI to configure port communications
1. Log in to the CLI as Administrator.
2. Select the TAP module you want to configure. Front modules are numbered 1–4 (left to right), and the rear
module is numbered slot 0.
CONTROLLER>select slot 4
3. Specify the port/link speed. Ports are labelled A–D (left to right). Auto is the default setting and is
recommended for all but the most critical TAP deployments (see the “Configuring port failsafe and LFP
(TAP mode)” section on page 36 for advice on configuring ports in critical deployments). Auto also allows
the link partners to renegotiate the connection when line conditions change. Valid options for copper ports
are: Auto, 10M, 100M or 1G.
SLOT4>set port A speed 100M
SLOT4>set port B speed 100M
4. Specify the port crossover mode, either MDI (normal) or MDI-X (crossover). To connect two ports of the
same configuration (MDI to MDI or MDI-X to MDI-X), an Ethernet crossover cable is needed to cross over
the transmit and receive signals in the cable, so that they are matched at the connector level. Otherwise, you
can select Auto and let the ports themselves detect the required cable connection type and configure the
connection appropriately.
SLOT4>set port A mdi mdi-x
SLOT4>set port B mdi mdi-x
5. Specify a port duplex mode that matches the link partner, or leave it at the default auto to auto-negotiate
duplex.
SLOT4>set port A duplex auto
SLOT4>set port B duplex auto
6. Specify port mastery to determine which end of the link is responsible for the synchronization clock. The
link will only work if there is one Master and one Slave. For example, if port pair AB is operating in TAP
mode, you are advised to force the partner of A to have the same settings as B, and vice versa. In the case of
mastery, this is done by setting A to Forcemaster and B to Forceslave (or the opposite). If the same ports are
operating in non-TAP mode, you are advised to set the ports to either Preferslave or Prefermaster, but not to
Forceslave.
SLOT4>set port A mastering forcemaster
SLOT4>set port B mastering forceslave
Configuring port failsafe and LFP (TAP mode)
Copper port pairs (AB and CD) support ‘TAP mode’ for integrated fail-to-safe and Link Failure Propagation
(LFP); TAP mode is supported on the AB and CD port pairs only. TAP mode allows the port to quickly fail over
to an integrated relay switch and maintain link-up status in the event of a port or device failure. LFP allows the
TAP to monitor each live port link: if one of the devices connected to the live port fails, the paired port will
immediately drop (LFP re-establishes the connection as soon as the devices are back up).
TAP mode requires port pairs to be mapped as follows:
AB, BA
or
CD, DC
Note that if power loss occurs, fail-to-safe (failsafe) will result in a small break in the connection before the
connection is re-established.
Tip: You can reduce the failsafe delay by avoiding ‘Auto’ port settings, as Auto may result in re-negotiation of
the link. To prevent re-negotiation, configure each TAP pair and its link partner as follows:
• same speed
• same duplex
• MDI and MDI-X
• Master and Slave (if Master/Slave settings are available on the link partner)
The general advice is to set port A the same as port B’s link partner, and port B the same as port A’s partner, as
shown in Figure 6-1.
Figure 6-1 Port configuration for minimizing failover delay
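The advice above amounts to a small set of consistency rules over four ports (the TAP pair and the two devices cabled to it). The following Python checker, added here as an illustration and not part of the SmartNA-X user guide or vendor software, encodes those rules so a planned configuration can be verified before it is typed into the CLI. Port settings are plain dicts keyed by the guide's CLI setting names (speed, duplex, mdi, mastering); the helper names and the sample settings are this example's own. It also flags Auto and Prefer* values, which the guide says can lead to renegotiation when the relay closes.

```python
# Added example, not part of the SmartNA-X user guide: checks a TAP port pair
# (A/B) and the two devices cabled to it against the "minimise failover delay"
# advice. The helper names and the sample settings are this example's own;
# setting names/values follow the guide's CLI (speed, duplex, mdi, mastering).
from typing import Dict, List

PortSettings = Dict[str, str]

MASTER_ROLES = {"forcemaster", "prefermaster"}
SLAVE_ROLES = {"forceslave", "preferslave"}
CHECKED_KEYS = ("speed", "duplex", "mdi", "mastering")


def _link_findings(name: str, port: PortSettings, partner: PortSettings,
                   crossover_cable: bool) -> List[str]:
    """Check one physical link: a TAP port and the device cabled to it."""
    findings: List[str] = []
    for key in ("speed", "duplex"):
        if port[key] != partner[key]:
            findings.append(f"port {name}: {key} {port[key]} does not match "
                            f"link partner ({partner[key]})")
    # Both ends on the same MDI setting need a crossover cable; on a straight
    # cable the ends must be complementary (MDI <-> MDI-X).
    same_mdi = port["mdi"] == partner["mdi"]
    if same_mdi and not crossover_cable:
        findings.append(f"port {name}: both ends are {port['mdi']} on a straight "
                        "cable; use MDI on one end and MDI-X on the other")
    elif not same_mdi and crossover_cable:
        findings.append(f"port {name}: MDI/MDI-X already complementary, so a "
                        "crossover cable will not link")
    # Clock mastery: the link only works with one master and one slave.
    roles = {port["mastering"], partner["mastering"]}
    if not (roles & MASTER_ROLES and roles & SLAVE_ROLES):
        findings.append(f"port {name}: link needs one master and one slave, got "
                        f"{port['mastering']} / {partner['mastering']}")
    return findings


def check_tap_pair(port_a: PortSettings, port_b: PortSettings,
                   partner_of_a: PortSettings, partner_of_b: PortSettings,
                   crossover_cable: bool = False) -> List[str]:
    """Return findings for a TAP pair; an empty list means the advice is met."""
    findings: List[str] = []
    # Auto and prefer* settings can renegotiate when the relay closes; the
    # guide recommends fixed settings and forcemaster/forceslave in TAP mode.
    for name, port in (("A", port_a), ("B", port_b)):
        for key in CHECKED_KEYS:
            value = port[key].lower()
            if value.startswith("auto") or value.startswith("prefer"):
                findings.append(f"port {name}: {key}={port[key]} may renegotiate "
                                "on failover; use a fixed value")
    findings += _link_findings("A", port_a, partner_of_a, crossover_cable)
    findings += _link_findings("B", port_b, partner_of_b, crossover_cable)
    # General advice: A mirrors B's partner and B mirrors A's partner, so after
    # the relay closes each partner sees the same settings it had before.
    for name, port, mirror in (("A", port_a, partner_of_b),
                               ("B", port_b, partner_of_a)):
        for key in CHECKED_KEYS:
            if port[key] != mirror[key]:
                findings.append(f"port {name}: {key}={port[key]} should equal the "
                                f"other port's link partner ({mirror[key]})")
    return findings


# Constructed sample: 1G full-duplex link, straight cables, A is the clock
# master towards its partner and B the slave towards its partner.
SAMPLE_A = {"speed": "1G", "duplex": "full", "mdi": "mdi-x", "mastering": "forcemaster"}
SAMPLE_PARTNER_OF_A = {"speed": "1G", "duplex": "full", "mdi": "mdi", "mastering": "forceslave"}
SAMPLE_B = {"speed": "1G", "duplex": "full", "mdi": "mdi", "mastering": "forceslave"}
SAMPLE_PARTNER_OF_B = {"speed": "1G", "duplex": "full", "mdi": "mdi-x", "mastering": "forcemaster"}

if __name__ == "__main__":
    for line in check_tap_pair(SAMPLE_A, SAMPLE_B, SAMPLE_PARTNER_OF_A,
                               SAMPLE_PARTNER_OF_B) or ["pair OK"]:
        print(line)
```

An empty result means every link has matching speed and duplex, complementary MDI settings, one master and one slave, and each TAP port carries exactly the settings of the other port's link partner, which is the Figure 6-1 arrangement in words.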
Using the web UI to enable TAP mode
1. Log in to the web UI.
2. Click on the port you want to configure and select the Port Configuration tab.
3. Select the TAP option checkbox (if it is not already selected), as shown in Figure 6-2. TAP mode will
automatically be selected in the pair (AB and CD).
Figure 6-2 Port configuration tab with the TAP option indicated
4. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Using the CLI to enable TAP mode
1. Log in to the CLI as Administrator.
2. Select the TAP module you want to configure.
CONTROLLER>select slot 4
3. Enter the following command to enable TAP mode on port A (port B is automatically enabled as a result):
SLOT4>set port A tap on
SLOT4>show port A
speed     : set 1G
duplex    : set full
mdi       : set mdi-x
mastering : set preferslave
tap       : on
autolock  : off
lock      : off
usage     : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 100
Testing failsafe
You can test failsafe is enabled correctly as follows:
1. Set up failsafe on a port pair, as described in the “Configuring port failsafe and LFP (TAP mode)” section on
page 36.
2. Set up a live network TAP using the configured failsafe port pair (AB or CD). At this point traffic should be
flowing across the live link.
3. Remove the TAP module from the chassis. Relays close, causing the live link to drop briefly before the
connection is re-established. You should also be able to hear a “CLICK” when relays become activated.
4. Reinsert the module. Relays open, causing the live link to drop briefly before the connection is re-
established.
Configuring port roles
When setting up a TAP, you may specify if a port is a ‘Network’ port or a ‘Tool’ port. Choosing either setting
does not have any bearing on the performance of the port, but can be used as an aid to identify the port’s role
within a TAP configuration. Leave the setting as ‘Unknown’ if you don’t care about port role.
Using the web UI to configure port roles
1. Select the SmartNA-X chassis.
2. Select the Port Configuration tab.
3. From the Usage menu, select Tool if the port is an output/network tool port, select Network if the port is an
input/TAP port. Choose Unknown if you don’t know (or don’t care) about the port usage.
4. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Using the CLI to configure port roles
1. Select the slot to configure. For slot-number, specify the chassis slot. Slots are numbered 1-4 from left to
right.
select slot slot-number
2. Specify the port tap mode, either on or off. Generally, you should enable tap mode for ports that are used as
TAP ports (connected to the live network), and disable tap mode when connecting to network tools. Failsafe
is enabled when tap mode is set to on.
3. For port-id use A, B, C, or D, where A is the left-most port. Multiple ports separated by commas can be
specified to set several ports together.
set port port-id tap {on, off}
The following example session enables TAP mode on ports 2A and 2B:
CONTROLLER>select slot 2
SLOT1>select slot 2
SLOT2>set port a tap on
SLOT2>set port b tap on
SLOT2>show port a
speed     : set auto
duplex    : set auto
mdi       : set auto
mastering : set preferslave
tap       : on
autolock  : off
lock      : on
usage     : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 0
traffic threshold high: 100
SLOT2>show port b
speed     : set auto
duplex    : set auto
mdi       : set auto
mastering : set preferslave
tap       : on
autolock  : off
lock      : off
usage     : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 0
traffic threshold high: 100
SLOT2>
Configuring port traffic thresholds
You can configure upper and lower traffic thresholds for a port as a percentage of the overall available channel
capacity. If the amount of data on the channel reaches either of these thresholds, an SNMP traffic trap is sent to
SNMP clients configured to receive these type of traps. See [Configuring SNMP clients]. A clear trap will also
be sent when traffic returns to normal levels [how many % above/below thresholds].
By default, traffic thresholds are set to 75% and 50%. In most cases, these settings will provide adequate
forewarning of ports being overloaded or under utilized, conditions which may indicate network or port issues
requiring administrator attention.
Using the web UI to configure port traffic thresholds
1. Select the port you want to configure.
2. Select the Health tab.
3. Enter the upper and lower traffic thresholds as a percentage of total capacity. The ‘high’ value must be
greater than the ‘low’ value. Setting the high to 100% or the low to 0% will inhibit the respective high/low
traffic trap, preventing it from being sent.
4. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
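The threshold behaviour described in this section and under “Monitoring system health” (default 75%/50% traffic thresholds, a 60°C temperature threshold with its clear sent 1°C below, the high-must-exceed-low rule, and 100%/0% inhibiting the respective trap) is easy to get wrong when tuning an SNMP manager. The following Python model is added here as an illustration; it is not part of the SmartNA-X user guide or firmware, and the class name, event strings and sample readings are this example's own. Two points are assumptions, because the guide leaves the clear margin for traffic unspecified: a high-traffic trap is cleared once utilisation drops back below the high threshold, and a low-traffic trap once it rises above the low threshold.

```python
# Added example, not part of the SmartNA-X user guide: a model of the port
# health notifications so trap/clear behaviour can be reasoned about before
# wiring it to an SNMP manager. Class, event names and samples are this
# example's own; the traffic clear points are assumptions (see lead-in).
from dataclasses import dataclass
from typing import List


@dataclass
class PortHealthMonitor:
    high: int = 75            # % of port capacity; 100 inhibits the high trap
    low: int = 50             # % of port capacity; 0 inhibits the low trap
    temp_threshold: int = 60  # degrees Celsius; clear fires at threshold - 1
    high_active: bool = False
    low_active: bool = False
    temp_active: bool = False

    def __post_init__(self) -> None:
        # The web UI rule: the 'high' value must be greater than the 'low' value.
        if not 0 <= self.low < self.high <= 100:
            raise ValueError("high must be greater than low, both in 0..100")

    def observe_traffic(self, percent: float) -> List[str]:
        """Feed one utilisation sample; return the notifications it produces."""
        events: List[str] = []
        if self.high < 100:                       # 100% inhibits the high trap
            if not self.high_active and percent >= self.high:
                self.high_active = True
                events.append("traffic-high:trap")
            elif self.high_active and percent < self.high:  # assumed clear point
                self.high_active = False
                events.append("traffic-high:clear")
        if self.low > 0:                          # 0% inhibits the low trap
            if not self.low_active and percent <= self.low:
                self.low_active = True
                events.append("traffic-low:trap")
            elif self.low_active and percent > self.low:    # assumed clear point
                self.low_active = False
                events.append("traffic-low:clear")
        return events

    def observe_temperature(self, celsius: float) -> List[str]:
        """Feed one module temperature; the clear fires 1 degree below threshold."""
        if not self.temp_active and celsius >= self.temp_threshold:
            self.temp_active = True
            return ["temperature:trap"]
        if self.temp_active and celsius <= self.temp_threshold - 1:
            self.temp_active = False
            return ["temperature:clear"]
        return []


def replay(monitor: PortHealthMonitor, samples: List[float]) -> List[str]:
    """Run a series of traffic samples and collect every notification in order."""
    events: List[str] = []
    for sample in samples:
        events += monitor.observe_traffic(sample)
    return events


# Constructed sample: a link that saturates, recovers, then goes quiet.
SAMPLE_TRAFFIC = [60, 80, 90, 70, 55, 45, 40, 60]

if __name__ == "__main__":
    print(replay(PortHealthMonitor(), SAMPLE_TRAFFIC))
```

Replaying the sample with the defaults yields one high trap, its clear, one low trap and its clear; the 90% and 40% readings produce nothing because the respective alarm is already active, which is the de-duplication a trap receiver relies on.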
Configuring port locking
For security, TAP module ports can be locked to prevent access to live network data. Ports which have been
locked will NOT pass data in or out of the port. Two port locking modes are available:
• Lock – locks a port immediately.
• Autolock – locks a port when the cable is removed or the link goes down. To unlock an auto-locked port,
clear the Lock checkbox in the web UI, or enter the set port port-id lock off command in the CLI.
CAUTION: Do not lock a port that is connected to a live network, unless you really want to stop traffic on that
network.
Lock and Autolock options are not enabled by default.
Using the web UI to configure port locking
1. Select the port you want to configure.
2. Select the Port Configuration tab.
3. Choose port locking options as required. Choose Lock to immediately lock the port and stop all data from
entering and leaving it. Choose Autolock to lock the port when the link is broken to that port, usually
caused by a cable being disconnected. Clearing these options will unlock the port/turn off auto-locking.
4. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Configure port locking in the CLI
Enter these commands to configure port locking in the CLI:
1. Select the slot to configure. For slot-number, specify the chassis slot. Slots are numbered 1-4 from left to
right:
select slot slot-number
2. Specify lock mode on the port. Use ON to enable lock; OFF to disable lock and unlock the port. For port-id
use A, B, C, or D, where A is the left-most port. When setting multiple ports, a separate command must be
used for each port, for example:
set port a lock on
set port b lock on
3. Specify auto lock mode on the port. Use ON to enable autolock so the port is locked when the port loses the
link connection (such as when the cable is removed); OFF to disable auto lock. Disabling autolock will not
unlock a locked port. For that, use set port port-id lock off:
set port port-id autolock {ON, OFF}
The following example session enables autolock on ports 2A and 2B:
CONTROLLER>select slot 2
SLOT2>set port a autolock on
SLOT2>set port b autolock on
SLOT2>show port a
speed     : set auto
duplex    : set auto
mdi       : set auto
mastering : set preferslave
tap       : off
autolock  : on
lock      : on
usage     : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 0
traffic threshold high: 100
SLOT2>show port b
speed     : set auto
duplex    : set auto
mdi       : set auto
mastering : set preferslave
tap       : off
autolock  : on
lock      : off
usage     : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 0
traffic threshold high: 100
SLOT2>
Saving port settings
Once you have configured your ports, you may want to save your settings so they can be retrieved quickly at a
later date. You can do this through the web UI, by selecting the Management tab and choosing Save current
configuration (see Figure 6-3), or through the CLI with the create settings name command. Saving a
configuration not only saves the port communication settings, but also any port maps and port filters that have
been created, allowing you to configure different TAPs and quickly load them later as you need.
Figure 6-3 The Saved configurations window
Chapter 7 Creating Port Maps
This chapter describes how to create port maps in the web UI and CLI interfaces. Port maps route data between
TAP ports and must be configured for every TAP that you set up. The chapter covers the following major
topics:
• About port maps, page 44
• Creating port maps, page 46
• Typical map configurations, page 49
About port maps
Port maps determine how tapped traffic within the SmartNA-X system flows from source port to destination
port. Maps that originate from the same source port are independent of one another, thus, traffic flowing along
a map is treated entirely separately from other maps originating from the same source. Multiple maps between
the same ports can also be created, although in this case the system only delivers one copy of the packet. Filters
can be applied to maps to screen which packet types reach the destination port(s). See Chapter 8,“Using Packet
Filters” for information on setting up and using filters.
SmartNA-X supports many-to-one maps (aggregation maps) and one-to-many maps (splitting maps).
Many-to-many maps are not explicitly allowed, although the same effect can be achieved by setting up multiple
aggregations and/or multiple replications.
An essential map arrangement when setting a live TAP is to link A and B ports so traffic is allowed to pass
upstream and downstream across the TAP. The map for this arrangement is shown in Figure 7-1 below.
Figure 7-1 TAP map for ports 1A and 1B
Tapped packets can then be replicated via maps to other ports in the system, as shown in Figure 7-2.
Figure 7-2 TAP ports replicated to ports C and D
More complex port maps can also be created using several TAPs. For example, Figure 7-3 shows two TAP pairs
on ports 1AB and 3AB aggregated to ports 1C and 1D.
Figure 7-3 Multiple TAP aggregation map
Creating port maps
Port maps can be created in the web UI or CLI, depending on your working preference. Users may find it easier
to create maps in a browser, as you can simply click and drag between source and destination port(s) to create
maps. On the other hand, creating maps in the CLI allows you to use a series of simple commands that can be
scripted if required.
Creating maps in the web UI
Maps are created in the web UI by clicking in the system diagram on the input port and dragging to the output
port (Figure 7-4). An arbitrarily colored line will connect the two ports, with arrows indicating the direction of
traffic flow, as shown in the lower part of the figure.
Figure 7-4 Creating a port map
The modularity of the SmartNA-X system allows you to connect ports and maps with almost unlimited
flexibility. For instance, you can map the upstream and downstream links to separate output ports for analysis
by separate tools (Figure 7-5).
Figure 7-5 Mapping the upstream/downstream input port to separate output ports
Aggregate input ports into one output stream (Figure 7-6).
Figure 7-6 Aggregating ports to one output port
Direct input ports to one output port so filters can be used on one or both streams (Figure 7-7).
Figure 7-7 Directing input ports to one output port and applying a filter
Replicate a stream to different output ports (Figure 7-8).
Figure 7-8 Replicating a link to two output ports
Adding packet filters
Clicking on a map line opens the map configuration settings, letting you add and define packet filters, and
remove maps that are no longer required. For more information about creating and applying filters, see
Chapter 8,“Using Packet Filters”.
Using map shortcuts in the web UI
Several shortcuts can also be used when setting up maps:
• Select multiple ports (by holding SHIFT or CTRL) and drag from any one of them to another port to create
an aggregation map from all selected ports to the port at the end of the drag.
• Select multiple ports and drag from another port onto any of those selected to create a replication map from
the port at the start of the drag to all selected ports
• Drag between a module/one of multiple selected modules and a port to create an aggregation/replication
(dragging to/from the port) using all ports on the module or modules
TIP: Hover your mouse pointer over a map line to dim all other lines, as shown in Figure 7-9.
Figure 7-9 Hover over a map line to dim all other mappings
Creating port maps in the CLI
To create port maps using the CLI, use the set map command. For example, to create a mapping for the
following ports:
1A -> 1B, 1C
1B -> 1A, 1D
Enter these commands at the prompt:
CONTROLLER>set map 1A to 1B 1C
CONTROLLER>set map 1B to 1A 1D
If you want to add filters to a map, use the following command:
CONTROLLER>set map port-source to port-destination require "filter1" exclude "filter2"
Here, filter1 is applied as a ‘require’ filter and will only allow through traffic which matches its condition. filter2
is applied as an ‘exclude’ filter and will remove all traffic that matches its condition. See page 134 for
information on the set map command.
Typical map configurations
This section describes some commonly deployed map configurations used when setting up network TAPs.
Breakout TAP
A breakout TAP copies packets travelling in one direction (A to B) to an output port (C), and packets travelling
in the other direction (B to A) to another output port (D).
Use breakout maps when:
• 100% guaranteed traffic collection is required.
• The network analyzer has dual ports running at the same speed as the live network.
Aggregation TAPs
An aggregation TAP takes packets from two or more network segments and sends them as a single stream to
one or more output ports. It allows you to use just one monitoring tool to see all of your network traffic.
Use aggregating TAPs when
• 100% guaranteed traffic collection is not required. If the aggregated traffic rate exceeds the inbound network
bandwidth of the network tool, excess packets will be dropped at the monitoring port
• you want to use a single network tool to analyze several network segments
• the network tool has only a single interface.
Regeneration TAPs
A regeneration TAP sends packets from one network segment to two or more output ports. This allows you to
send a single traffic stream to a range of different monitoring tools, each serving a different purpose, whilst
taking traffic from the network only once.
Use regeneration TAPs when you want to monitor the same data set with multiple network tools.
Chapter 8 Using Packet Filters
This chapter describes how to use packet filters to restrict the traffic that reaches the output ports in your TAP
configuration. It covers the following major topics:
• About packet filters, page 51
• Creating packet filters, page 52
• Adding filters to maps, page 53
About packet filters
Packet filters let you selectively duplicate only the traffic of interest to your output ports, thereby enhancing the
utility of existing tools or enabling the creation of entirely new applications. When applied, filters will inspect
every packet at full duplex 10 Gigabits per second, allowing you to selectively duplicate only the traffic of
interest to either 10G or 1G ports.
Filters can be used to gain access to a particular subset of data and thereby reduce the amount of data reaching
the output port and your analysis tool. For example, a 1G tool running packet analysis software can be
connected to a 10G link and a filter applied to duplicate only relevant packets for debug—say ICMP packets
with a particular payload. Instead of receiving the entire 10G link, the tool now only receives the ICMP
packets.
How packet filters work
Filters work by comparing Ethernet packet headers against a set of user-defined filtering conditions based on
the Ethernet frame’s Layer 2 (MAC, VLAN), Layer 3 (IPv4, IPv6, ARP, MPLS), and Layer 4 (TCP, UDP, ICMP)
header information. Depending on how the filter has been applied to the stream, the filter will either:
• silently drop matching packets and let all non-matching packets through, or
• pass matching packets and silently drop all non-matching packets.
Setting up a filter is a two-stage process:
1. Create the filter, specifying all the header conditions you want the filter to match against (see the “Creating
packet filters” section on page 52 for instructions on setting up filters).
2. Apply the filter to a port map by setting it to pass or block matching packets (see the “Adding filters to maps”
section on page 53 for instructions on applying filters).
SmartNA-X allows you to add multiple filters to a map line and specify different pass or block settings for each.
This allows you to easily create complex rules to limit output to a precise subset of data. You can even set up
logical AND/OR rules by using one or more map lines with filters applied, as follows:
• For a logical AND rule, use several filters on a single map line. Packets will pass only if they match the
conditions of every filter on that map line.
• For a logical OR rule, use one (or more) filters on two or more map lines connected to the same destination
port. Packets will pass if they match all of the specified filter conditions for any one of the map lines.
Note: If there are multiple map lines between the same pair of ports, and a packet matches all required filter
conditions for more than one of the maps, this will not result in multiple copies of the packet being delivered to
the destination port.
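As an added illustration (not code from the SmartNA-X product or its documentation), the following Python model evaluates map lines with require/exclude filters the way this section describes: AND within one map line, OR across map lines to the same port, and single delivery when several lines match. The first filter reproduces the conditions of the CLI example later in this chapter; the icmp and to-mgmt filters, the port names beyond 1A/1B/1C, and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Filter:
    """One filter as created with 'set filter'. Every condition that is set
    must match; conditions left unset are simply not tested."""
    name: str
    src_net: Optional[str] = None    # 'address src', e.g. 198.168.10.0/255.255.255.0
    dst_net: Optional[str] = None    # 'address dst'
    protocol: Optional[str] = None   # 'protocol tcp' / 'udp' / 'icmp'

    def matches(self, pkt: dict) -> bool:
        if self.src_net and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        return True


@dataclass
class MapLine:
    """One 'set map <src> to <dst...> require ... exclude ...' line. Filters
    not named on the line are in the default 'ignore' state and play no part."""
    src: str
    dsts: Tuple[str, ...]
    require: Tuple[str, ...] = ()
    exclude: Tuple[str, ...] = ()

    def passes(self, pkt: dict, filters: Dict[str, Filter]) -> bool:
        if pkt["in_port"] != self.src:
            return False
        # AND within a map line: every 'require' filter must match ...
        if not all(filters[n].matches(pkt) for n in self.require):
            return False
        # ... and no 'exclude' filter may match
        return not any(filters[n].matches(pkt) for n in self.exclude)


def deliver(pkt: dict, maps: List[MapLine], filters: Dict[str, Filter]) -> Set[str]:
    """Output ports that receive the packet. A set models the note above: a
    packet matching several map lines to the same port is delivered once."""
    out: Set[str] = set()
    for line in maps:
        if line.passes(pkt, filters):
            out.update(line.dsts)
    return out


# Constructed configuration. The first filter is the one from the CLI example.
FILTERS = {f.name: f for f in [
    Filter("subnet 198.168.10. tcp", src_net="198.168.10.0/255.255.255.0", protocol="tcp"),
    Filter("icmp", protocol="icmp"),
    Filter("to-mgmt", dst_net="10.0.0.0/8"),
]}
MAPS = [
    MapLine("1A", ("1B",), require=("subnet 198.168.10. tcp", "to-mgmt")),  # AND: both on one line
    MapLine("1A", ("1C",), require=("subnet 198.168.10. tcp",)),            # OR: two lines to 1C,
    MapLine("1A", ("1C",), require=("icmp",)),                              #     either one suffices
    MapLine("1A", ("1D",), exclude=("icmp",)),                              # everything but ICMP
]

# Constructed packets: only the header fields the filters look at.
PACKETS = {
    "tcp_to_mgmt":   {"in_port": "1A", "src": "198.168.10.5", "dst": "10.1.1.1",    "proto": "tcp"},
    "tcp_elsewhere": {"in_port": "1A", "src": "198.168.10.5", "dst": "203.0.113.7", "proto": "tcp"},
    "icmp":          {"in_port": "1A", "src": "192.0.2.9",    "dst": "10.1.1.1",    "proto": "icmp"},
    "udp":           {"in_port": "1A", "src": "192.0.2.9",    "dst": "10.1.1.1",    "proto": "udp"},
    "other_port":    {"in_port": "2A", "src": "198.168.10.5", "dst": "10.1.1.1",    "proto": "tcp"},
}


def outputs(name: str) -> Set[str]:
    """Ports that receive the named constructed packet under MAPS/FILTERS."""
    return deliver(PACKETS[name], MAPS, FILTERS)


if __name__ == "__main__":
    for name in PACKETS:
        print(f"{name:14s} -> {sorted(outputs(name))}")
```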
Creating packet filters
You can create filters in the web UI or CLI. We suggest using the SmartNA-X web UI wherever possible as it
provides plenty of assistance when making filter selections and will disable options which are not applicable for
a particular packet type.
Using the web UI to create filters
1. Log in to the web UI.
2. In the browser, click on the main part of the appliance to access the system management settings.
3. From the options, select the Filters tab. Any filters which have already been set up will be listed. You can edit
an existing filter by clicking its edit icon, or you can create a new filter by clicking Add new filter. In both
cases, the filter set-up dialog window appears where you can set up the filtering conditions.
4. Fill in the filtering conditions as required. Every filter must have a name (filter names are case-sensitive), but
all other settings are optional unless required to complete the option selected.
For instance, if you elect to filter on destination address, you must enter a valid IP address before you will be
allowed to save the filter. Fields highlighted in red indicate that field is mandatory or an invalid value has
been entered. Refer to the online information for help with entering filter conditions.
For the IP protocol field, if the required protocol is not listed, you may select Other and enter the numeric
protocol value (see Appendix H, “IP Protocols”, page 224), or a comma-separated list of multiple
values if filtering on several protocols.
5. Click Add filter when you have finished setting up the filter.
6. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Note: By default, all filters are created with ‘ignore’ status, which means the filter ignores packets (does not filter)
unless it is specifically set to ‘require’ or ‘exclude’ status on a selected map line. See the “Adding filters to maps”
section on page 53 for instructions on adding filters.
Using the CLI to create filters
To create packet filters in the CLI, use the appropriate set filter command for the packet type you want to filter
on (IPv4, IPv6, ARP, MPLS, or any IP packets). You can use the show filter command to output details of any
filters which currently exist on the system.
For example, to create a filter with the following conditions:
• Name: “subnet 198.168.10. tcp”
• Packet type: IPv4
• Protocol: TCP
• IP address source: 198.168.10.0/255.255.255.0
enter this command at the prompt:
CONTROLLER>set filter "subnet 198.168.10. tcp" ipv4 address src 198.168.10.0/255.255.255.0 protocol tcp
See page 137 for information on the set filter IPV4 command, and page 140 for the set filter IPv6 command.
Adding filters to maps
Using the web UI to set up filters
1. Log in to the web UI.
2. If necessary, configure port mappings as required.
3. Click on the port map you want to apply a filter to. The Map configuration window appears. If necessary,
create new filters or edit existing filters as required.
4. For all filters, choose the appropriate action to take for a packet match:
• Ignore – Pass all packets regardless of filter settings (default setting).
• Require – Pass matching packets only.
• Exclude – Drop matching packets only.
5. Click Review/apply and review your changes, and then click Apply to configure the system. Figure 8-1
shows example port mappings with filters applied.
Figure 8-1 Example mappings with filters applied
Using the CLI to apply filters
To apply packet filters in the CLI, use the set map command and specify the filter(s) you want to require or
exclude. You can use the show map command to display the current mapping configurations and view any
filters that have been applied.
For example, to create a map for 1A -> 1B, 1C and apply the following filters
• require “filter1” – allow traffic through which matches its conditions
• exclude “filter2” – remove traffic which matches its conditions
enter this command at the prompt:
CONTROLLER>set map 1A to 1B 1C require "filter1" exclude "filter2"
See page 134 for information on the set map command.
Chapter 9 Using SNMP
This chapter describes how to use SNMP (Simple Network Management Protocol) to monitor SmartNA-X
temperature, traffic high/low, power on/off, system restarts, TAP module insertion/removal, and other
conditions requiring administrator attention. The chapter covers the following major topics:
• About SNMP and SmartNA-X, page 55
• Configuring SNMP, page 58
About SNMP and SmartNA-X
SNMP is an interoperable standards-based protocol for network management. SNMP is an application-layer
protocol that provides a message format for communication between SNMP managers and SNMP agents. The
SNMP manager can be part of your existing Network Management System (NMS).
Both agent and management information base (MIB) reside on the device that is being managed, in this case
SmartNA-X. An agent has local knowledge of management information and translates that information to or
from an SNMP specific form. A manager can request a value from the agent or store a value into the agent. The
agent can also respond to a manager’s requests to get or set data.
MIBs describe the structure of the management data of a device subsystem; they use a hierarchical namespace
containing object identifiers (OID).
Unsolicited messages, or notifications, alerting the SNMP manager to a condition on the managed device can
also be sent from the agent to the manager. Notifications can be sent for improper authentication, system
restarts, TAP modules withdrawn or inserted, link status up or down, and other significant events.
Supported versions
The SNMP agent used by SmartNA-X supports SNMP versions v1, v2c and v3. These versions essentially
provide three different security models. Table 9-1 identifies what the combinations of security models and
levels within these different security models mean. By authenticating and encrypting packets,
SNMPv3 is the most secure. SNMPv3 increases security to levels far beyond the simple community string
method used by SNMPv1/v2c by adding:
• packet encryption to prevent snooping by an unauthorized source
• integrity checks to ensure that a packet has not been tampered with in transit
• authentication checks to verify a message is from a valid source
SNMPv3 also adds View-based Access Control Method (VACM), which has the responsibility of checking
whether a specific type of access to a specific managed object is allowed. Access control occurs in the agent
when processing SNMP retrieval or modification request messages from a manager, and also when a
notification message must be sent to the manager. VACM elaborates on the community string concept by
allowing a much stricter and more dynamic access control model that is easy to administer.
Model  Level   Authentication    Encryption  What happens
v1     noAuth  Community secret  No          Uses a community secret match for authentication.
v2c    noAuth  Community secret  No          Uses a community secret match for authentication.
v3     noAuth  Username          No          Uses a community secret match for authentication.
v3     auth    MD5 or SHA        No          Provides authentication based on the MD5 or SHA algorithms.
v3     priv    MD5 or SHA        DES, AES    Provides authentication based on the MD5 or SHA algorithms.
                                             Provides DES and AES encryption in addition to authentication.
Table 9-1 SNMP Security Models and Levels
Agent functions
The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The
agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS. The
SNMP agent changes the value of the MIB variable to the value requested by the NMS.
The SNMP agent also sends unsolicited notification messages to notify an NMS that a significant event has
occurred on the agent. Examples of notification conditions include, but are not limited to, when a port or
module goes up or down, when spanning-tree topology changes occur, and when authentication failures occur.
Manager functions
Table 9-2 lists the functions used by SNMP managers to request information, set values and set up
notifications.
Operation          Description
get-request        Retrieves a value from a specific variable.
get-next-request   Retrieves a value from a variable within a table.
get-bulk-request*  Retrieves large blocks of data that would otherwise require the transmission of many small
                   blocks of data, such as multiple rows in a table.
get-response       Replies to a get-request, get-next-request, and set-request sent by an NMS.
set-request        Stores a value in a specific variable.
trap               An unsolicited message sent by an SNMP agent to an SNMP manager when some event
                   has occurred. Traps are not acknowledged by the receiver, so the sender has no way of
                   knowing if the trap was received or not.
inform             An unsolicited message sent by an SNMP agent to an SNMP manager when some event
                   has occurred. Unlike traps, informs are acknowledged with an SNMP response PDU.
Table 9-2 SNMP manager operations
* SNMPv2 only.
Community strings
An SNMP community string is a text string used to authenticate messages between a management station and
an SNMP v1/v2c engine. Community strings are superseded by SNMPv3 groups, which provide better
security. However, since there are many managers still using SNMPv1/v2c, community strings continue to be
widely used for authenticating access to the agent.
MIB access
The SNMP agent gathers data from the MIB. The agent can send notifications of certain events to the SNMP
manager, which receives and processes the notifications. Notifications are messages alerting the SNMP
manager to a condition on the network such as improper user authentication, restarts, link status (up or down),
TAP module in/out, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP
manager in get-request, get-next-request, and set-request format.
For information on supported MIBs, see Appendix G, “Supported MIBs”, page 222.
About VACM
When connecting with SNMPv1 or SNMPv2c, the only identification mechanism available is community
strings. For clients using SNMPv1/v2c, you can define community strings on SmartNA-X (SNMP >
Traditional access control > Configure communities) and ignore all the VACM options if you wish.
When connecting with SNMPv3, there is an alternative mechanism for identification and access control:
VACM. In this case, you provide a certain user’s credentials instead of a community string. On the SmartNA-X
device, users belong to groups, available settings are collected into views, and the access control list determines
which groups can access which views. This system allows for much more flexibility in both user configuration
and view configuration than is available with the community string mechanism, not to mention robust privacy
and authentication mechanisms, though at the expense of being more complicated to set up.
Where a client wants to connect using an older version of SNMP but the access control on the SmartNA-X
device is configured using VACM, there is an alternative mechanism for defining community strings. To the
client, these appear like any other community string when connecting via SNMPv1 or SNMPv2c. Internally,
however, the community string is mapped onto a “security name” that is then added into groups, just like
native SNMPv3 users. Thus these VACM-style community strings can use all of the flexibility of the SNMPv3
view-based access control system, even though the client has no knowledge of SNMPv3.
Configuring SNMP
This section describes how to enable and configure SNMP in SmartNA-X. It covers the following topics:
• SNMP default configuration, page 58
• Enabling SNMP, page 58
• SNMP engine ID, page 59
• Configuring SNMP notifications, page 59
• Configuring trap managers (notification hosts), page 61
• Configuring SNMPv3 users with VACM, page 62
• Configuring SNMPv1/v2c communities, page 60
• Adding a member or security name to a group, page 63
• Configuring views, page 64
• Configuring the access control list, page 65
SNMP default configuration
Table 9-3 shows the default SNMP configuration.
Feature                     Default Setting
SNMP agent                  Disabled
SNMP community strings      No strings configured
SNMP notification receiver  None configured
SNMP notifications          None enabled
Table 9-3 Default SNMP configuration
Enabling SNMP
For security, the SNMP agent in SmartNA-X is not enabled by default. It must first be enabled before you can
use SNMP functions.
Using the web UI to enable SNMP
1. Select the SNMP tab.
2. Select the SNMP enabled checkbox.
3. Click Review/apply, and then click Apply.
Using the CLI to enable SNMP
Enter the following CLI command to enable SNMP:
CONTROLLER>snmp enable agent
Alternatively, you can use the set snmp on/off command and show snmp to show the current status of SNMP:
CONTROLLER>set snmp on
CONTROLLER>show snmp
SNMP : Enabled
See page 153 for information on the snmp enable agent command.
SNMP engine ID
The SNMP engine ID identifies the agent in the device and is a security feature of SNMPv3. Each SNMP packet
contains two engine IDs. One is used to identify security information (user name, key location). The second
one specifies where the packet payload is coming from and going to. The engine ID is automatically generated
by the system from the IANA-assigned enterprise number of Network Critical and the MAC address
of the SmartNA-X Ethernet interface, so it is not user configurable.
Configuring SNMP notifications
You can enable SNMP notifications for health, SNMP, and system. When health notifications are enabled, traps
or informs, depending on how notifications have been configured, will be sent for the power, fan, and
temperature conditions. When SNMP notifications are enabled, traps or informs will be sent for SNMP cold or
warm starts, and SNMP authentication failures. For system notifications, traps or informs will be sent for link
changes, TAP module in/out, and traffic over or under a specified threshold level.
Using the web UI to configure SNMP notifications
1. Select the SNMP tab. Under “Send notifications”, choose the notifications to send, or clear all notifications
not to send any notifications. The following notifications are available (SNMP notification name in
brackets):
Health
• System temperature over threshold (nctapNotifySysTemperature)
• TAP module temperature over threshold (nctapNotifyTemperature)
• Power on/off (nctapNotifyPower)
• Fan on/off (nctapNotifyFan)
SNMP
• System power up/down (coldStart)
• System restart (warmStart)
• SNMP authentication failure (authenticationFailure)
System
• Link up (linkUp)
• Link down (linkDown)
• Traffic high (nctapNotifyXSTrafficOver)
• Traffic low (nctapNotifyXSTrafficUnder)
• TAP module insertion/removal (nctapNotifyCard)
• CLI/web UI login failure (ncUnauthorisedAccess)
2. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Using the CLI to configure SNMP notifications
In the CLI, use the snmp enable notify command to configure SNMP notifications. For example, to enable all
notifications, enter the following commands:
CONTROLLER>snmp enable notify all
CONTROLLER>snmp apply
To enable health notifications, enter the following commands:
CONTROLLER>snmp enable notify health
CONTROLLER>snmp apply
To disable notifications, use the snmp disable notify command. For example, to disable health notifications,
enter the following commands:
CONTROLLER>snmp disable notify health
CONTROLLER>snmp apply
See page 157 for information on the snmp notify command.
Configuring SNMPv1/v2c communities
An SNMP community defines the relationship between the SNMP manager and agent. Every community must
have a “community string”, which acts like a password to authenticate clients. You can also specify one or more
of these characteristics associated with the community:
• Read and write or read-only permission for the MIB objects accessible to the community
• An access list of IP addresses of the SNMP managers that are permitted to use the community string to gain
access to the agent
• A MIB view, which defines the subset of all MIB objects accessible to the given community
NOTE: SNMP communities are features of SNMPv1/SNMPv2c and therefore provide limited security. For
better security, consider implementing SNMPv3 and VACM instead.
Using the web UI to configure SNMP communities
1. Log in to SmartNA-X as Administrator.
2. Click on the chassis and select the SNMP tab.
3. Under “Traditional access control”, click Configure communities. The “SNMP Communities” settings
window appears.
4. Click Add new community to set up a new community string, or click the edit icon to edit an existing community.
The “Add/Edit Community” window appears.
5. Select community settings from the following fields:
• Community string – Enter a secret/password string for the community to authenticate clients. The
community string is case-sensitive and must contain 1–32 alphanumeric characters (no spaces), and the
first character must be a letter.
• IP version – Specify whether this community allows access via IPv4 or IPv6.
• Source – (Optional) You may restrict access to the community from certain sources, by specifying the
source address, subnet or hostname.
• Type – Specify whether this community allows read-only or read-write access to clients.
• OID – (Optional) You may restrict access to the community to part of the MIB tree by specifying the OID.
6. Click Add community to finish setting up the community.
7. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Using the CLI to configure SNMP communities
In the CLI, use the snmp create community communitySecret command to configure SNMP communities.
For example, to set up a community which is restricted to the subtree OID 1.3.6.1.4.1.31645 and to clients on
subnet 192.168.0.0/16, use the following commands:
CONTROLLER>snmp create community communitysecret oid 1.3.6.1.4.1.31645 source 192.168.0.0/16
CONTROLLER>snmp apply
See page 163 for information on the snmp create community command.
Configuring trap managers (notification hosts)
A trap manager, or notification host, is a management station that receives and processes SNMP notifications.
Notifications are system alerts that the system integrated SNMP agent generates when certain events occur. By
default, no trap manager is defined and no notifications are issued by the system. The maximum number of
notification hosts supported by the system is 255.
Using the web UI to configure notification hosts (trap managers)
1. Under the SNMP tab, select the SNMP enabled checkbox.
2. Click Configure notification hosts. The “SNMP Notification Hosts” settings window appears.
3. Click Add new notification host to set up a new host, or click the edit icon to edit an existing notification host. The
“Add/Edit notification host” window appears.
4. Select notification host settings from the following fields:
• Destination – Specify the location of the notification host. The format should be:
[{protocol}:]{host}[:{port}]
where:
protocol may be udp or udp6
host may be a hostname or an IPv4 or IPv6 address
port is the UDP port on the host
• SNMP version – Specify whether notifications are to be sent using SNMP v1, v2c or v3.
• Notification type – Specify whether notifications may be sent as traps or (where supported) informs.
• Credentials – For SNMP v1 or v2c, this is the community string to send with the notification. For SNMP
v3, this is an existing local user (for traps) or remote user (for informs).
• Engine ID – Specify the corresponding engine ID where a remote user is specified.
5. Click Add host to finish setting up the notification host.
6. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes on the system.
Using the CLI to configure notification hosts (trap managers)
In the CLI, use the snmp create host command to configure SNMP notification hosts. For example, to create
a notification host for 192.168.0.3 for SNMPv3 user1 (user1 must already exist), enter the following commands:
CONTROLLER>snmp create host 192.168.0.3 v3 user1
CONTROLLER>snmp apply
See page 159 for information on the snmp create host command.
Configuring SNMPv3 users with VACM
SmartNA-X uses VACM for identification and access control when connecting with SNMPv3. VACM allows
for much more flexibility in both user configuration and view configuration than is available with the
SNMPv1/2c community string mechanism, not to mention robust privacy and authentication mechanisms.
VACM can also deal with cases where a client wants to connect using an older version of SNMP, but the access
control on the SmartNA-X device is configured using VACM. In this case, the community string is mapped
onto a “security name” that is then added into groups, just like native SNMPv3 users.
Using the web UI to configure SNMPv3 users
1. Log in to SmartNA-X as Administrator.
2. Click on the chassis and select the SNMP tab.
3. Under “View-based access control”, click Configure users. The “SNMP Users” settings window appears.
4. Click Add new user to add a new user, or click  to edit an existing user. The “Add/Edit SNMP Users”
window appears.
5. Select user settings from the following fields:
• User name – Specify a name for the user. Names consist of 1–32 alphanumeric characters, and must begin
with a letter.
• Engine – (Optional) You may define local users (for most uses) and remote users (for use with sending
SNMPv3 informs). If this is a remote user, you must also specify the corresponding remote engine ID. An
engine ID consists of 10–64 hex digits.
• Authentication – (Optional) You may specify whether authentication is to be used, and if so whether to
use MD5 or SHA. If authentication is in use, you must also specify a passphrase. Authentication phrases
must be 8–64 ASCII characters (control characters are allowed) with no spaces. For users already set up
on the device, either enter a new passphrase if you wish to make a change or leave this field blank to keep
the existing passphrase.
• Privacy – (Optional) You may specify whether encryption is to be used, and if so whether to use DES or
AES. If encryption is in use, you must also specify a passphrase. Privacy phrases must be 8–64 ASCII
characters (control characters are allowed) with no spaces. For users already set up on the device, either
enter a new passphrase if you wish to make a change or leave this field blank to keep the existing
passphrase.
6. Click Add user/Save changes to finish setting up the user.
7. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Using the CLI to configure SNMPv3 users
In the CLI, use the snmp create user username command to configure SNMPv3 users. For example, to
configure an SNMPv3 user that has MD5 authentication and DES privacy, enter the following commands:
CONTROLLER>snmp create user user3 md5 myauthphrase des myprivphrase
CONTROLLER>snmp apply
See page 170 for information on the snmp create user command.
Adding a member or security name to a group
SNMPv3 groups allow you to combine users into groups with different authorization and access privileges. Users
belonging to a particular SNMP group inherit all of the attributes defined by the group, including the access
policies for SNMP objects that define which objects can be accessed for reading, writing, and creating, the list
of notifications its users can receive, and the security model and security level for its users.
Using the web UI to add members or security names to a group
1. Log in to SmartNA-X as Administrator.
2. Click on the chassis and select the SNMP tab.
3. Under “View-based access control”, click Configure groups. The “SNMP Groups” window appears.
4. Click Add new group to set up a new group, or click the edit icon to edit an existing group. The “Add/Edit Group
Member” window appears.
5. Select group settings from the following fields:
• Group name – Specify a name for the group. Names consist of 1–32 alphanumeric characters, and must
begin with a letter.
• Member – Specify the member you are adding to the group (you can only add one user at a time to a
group). The member may be an existing local SNMP user, or a security name assigned to an existing
VACM-enabled SNMP community. The membership will apply only when the specified security model is
used for a request. The same member may belong to different groups with different security models.
• Security model – Specify the group security model, either SNMPv1, SNMPv2c, or SNMPv3 USM.
6. Click Add group/Save changes to finish setting up the group.
7. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Using the CLI to add members or security names to a group
In the CLI, use the snmp create sectogroup command to create SNMP groups. For example, the following
command sets up group1 with USM security and maps user1:
CONTROLLER>snmp create sectogroup group1 usm user1
CONTROLLER>snmp apply
See page 185 for information on the snmp create sectogroup command.
Configuring views
A view is a mapping between SNMP objects and the access rights available for those objects. An object can
have different access rights in each view. Access rights indicate whether the object is accessible by either a
community string or a user.
Using the web UI to configure views
1. Select SNMP tab.
2. Under “View-based access control”, click Configure views. The “SNMP Groups” window appears.
3. Click Add new view to set up a new view, or click the edit icon to edit an existing view. The “Add/Edit view member”
window appears.
4. Select view settings from the following fields:
• Name – Specify a name for the view. Names consist of 1–32 alphanumeric characters, and must begin
with a letter.
• View type – Specify whether the view contains the tree below the specified OID or everything else.
• OID – Specify the position in the management tree below which this view applies.
• Mask – (Optional) May be used to specify that only some of the subidentifiers in the OID are to be
matched. The mask can be used to define a view covering a particular row (or rows) in a table, by
matching against the appropriate table index value but skipping the column sub-identifier.
5. Click Add view/Save changes to finish setting up the view.
6. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Using the CLI to configure views
In the CLI, use the snmp create view command to configure views. For example, the following
commands set up a view called None that excludes the entire OID tree. Any group whose access entry maps to this
view will have no read, write or notify access to the MIB:
CONTROLLER>snmp create view None exclude .1
CONTROLLER>snmp apply
See page 177 for information on the snmp create view command.
Configuring the access control list
The access control list maps a group (SNMPv3) or community (SNMPv1, v2c) to a read, write, or notify view,
depending on the request being processed. Get requests are mapped to the read view; set requests are mapped
to the write view; notify requests are mapped to a notify view.
Using the web UI to configure the access control list
1. Log in to SmartNA-X as an Administrator.
2. Click on the chassis and select the SNMP tab.
3. Under “View-based access control”, click Configure access control list. The “SNMP Access Control List”
window appears.
4. Click Add new access to set up a new access entry, or click the edit icon to edit an existing access entry. The “Add/Edit access”
window appears.
5. Select access settings from the following fields:
• Group name – Specify the name of an existing group that will receive this access.
• Security model type – Specify the security model for the view: any security model, SNMPv1,
SNMPv2c, or SNMPv3 USM. Access will only be granted if the security model matches the request.
• Security level – Specify the security level for the view. Access will only be granted if the security of the
request meets the minimum requirement specified here. The order is: None (lowest), Authentication only,
Authentication + Privacy (highest).
• Read view – Specify the names of existing views to which get requests will be mapped. If no access is
required, create a ‘None’ view with no access to any MIB and specify it here.
• Write view – Specify the names of existing views to which set requests will be mapped. If no access is
required, create a ‘None’ view with no access to any MIB and specify it here.
• Notify view – Specify the names of existing views to which notify requests will be mapped. If no access is
required, create a ‘None’ view with no access to any MIB and specify it here.
6. Click Add view/Save changes to finish setting up the access control list.
7. Click Review/apply and review the changes you have made, and then click Apply to implement your
changes.
Using the CLI to configure the access control list
In the CLI, use the snmp create access command to configure an access control list. For example, to create an
access entry for group1 that requires the USM security model with authentication and privacy, maps get and
set requests to the All view (include .1) and maps notify requests to the None view (exclude .1), enter the
following command:
CONTROLLER>snmp create access group1 usm priv All All None
See page 181 for information on the snmp create access command.
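The mapping rules above (get to the read view, set to the write view, notify to the notify view; the security model must match; the request must meet the minimum security level; a “None” view denies everything) can be modelled in a few lines. This is an added Python example, not SmartNA-X code; the view and group names follow the snmp create access example above, the “monitor” community and the SysOnly view are constructed, and the longest-matching-subtree rule for overlapping include/exclude entries is an assumption taken from standard VACM behaviour (RFC 3415).

```python
from dataclasses import dataclass, field

# Security levels in the order the guide gives: None < Authentication only < Authentication + Privacy
LEVEL_RANK = {"noauth": 0, "auth": 1, "priv": 2}


def _norm(oid: str) -> str:
    """Strip the leading dot so '.1' and '1' compare equal."""
    return oid.strip(".")


@dataclass
class View:
    """A named MIB view: an ordered list of (subtree, included) rules."""
    name: str
    rules: list = field(default_factory=list)

    def include(self, subtree: str) -> "View":
        self.rules.append((_norm(subtree), True))
        return self

    def exclude(self, subtree: str) -> "View":
        self.rules.append((_norm(subtree), False))
        return self

    def allows(self, oid: str) -> bool:
        """Longest matching subtree decides (assumed, as in RFC 3415); no match means denied."""
        oid = _norm(oid)
        best = None
        for subtree, included in self.rules:
            if oid == subtree or oid.startswith(subtree + "."):
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]


@dataclass
class Access:
    """One access control list entry: group + security model + minimum level -> views."""
    group: str
    model: str       # "any", "v1", "v2c" or "usm"
    min_level: str   # "noauth", "auth" or "priv"
    read: str
    write: str
    notify: str


OP_TO_VIEW = {"get": "read", "set": "write", "notify": "notify"}


def check_access(acl, views, group, model, level, op, oid) -> bool:
    """Return True if `op` on `oid` is permitted for a request from `group`
    made with security model `model` at security level `level`."""
    for entry in acl:
        if entry.group != group:
            continue
        # The security model must match the request ("any" matches every model)
        if entry.model not in ("any", model):
            continue
        # The request must meet the entry's minimum security level
        if LEVEL_RANK[level] < LEVEL_RANK[entry.min_level]:
            continue
        # get -> read view, set -> write view, notify -> notify view
        return views[getattr(entry, OP_TO_VIEW[op])].allows(oid)
    return False  # no usable entry for this group/model/level


def demo() -> dict:
    """Constructed sample: the views and the group1 entry from the CLI example above,
    plus a read-only SysOnly view that exposes just the system group (1.3.6.1.2.1.1)."""
    views = {
        "All": View("All").include(".1"),
        "None": View("None").exclude(".1"),
        "SysOnly": View("SysOnly").exclude(".1").include(".1.3.6.1.2.1.1"),
    }
    acl = [
        # snmp create access group1 usm priv All All None
        Access("group1", "usm", "priv", read="All", write="All", notify="None"),
        # constructed: a v2c read-only community mapped to the restricted view
        Access("monitor", "v2c", "noauth", read="SysOnly", write="None", notify="None"),
    ]
    sys_name = ".1.3.6.1.2.1.1.5.0"   # sysName.0
    if_table = ".1.3.6.1.2.1.2.2"     # ifTable
    return {
        "group1_get_priv": check_access(acl, views, "group1", "usm", "priv", "get", sys_name),
        "group1_set_priv": check_access(acl, views, "group1", "usm", "priv", "set", sys_name),
        "group1_get_authonly": check_access(acl, views, "group1", "usm", "auth", "get", sys_name),
        "group1_get_v2c": check_access(acl, views, "group1", "v2c", "noauth", "get", sys_name),
        "group1_notify": check_access(acl, views, "group1", "usm", "priv", "notify", sys_name),
        "monitor_get_sysname": check_access(acl, views, "monitor", "v2c", "noauth", "get", sys_name),
        "monitor_get_iftable": check_access(acl, views, "monitor", "v2c", "noauth", "get", if_table),
        "monitor_set_sysname": check_access(acl, views, "monitor", "v2c", "noauth", "set", sys_name),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allowed' if allowed else 'denied'}")
```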
Appendix A
Command Line Interface Reference
This appendix describes the command line interface (CLI) commands that are available for SmartNA-X. It
includes the following sections:
• Command line notation, page 67
• Basic commands, page 68
• Commands for managing contact and location details, page 77
• Commands for managing network configuration, page 81
• Commands for managing users, page 92
• Commands for managing authentication and accounting, page 98
• Commands for managing TAP modules, page 111
• Commands for managing TAP ports, page 112
• Commands for managing port maps and packet filters, page 131
• Commands for managing SNMP, page 150
Command line notation
Table A-1 shows the notation for commands entered at the SmartNA-X command line interface (CLI).
Format – Description
Bold text – Command keywords. Type exactly as shown.
Modifier – Command modifiers. Type exactly as shown.
Italic text – Placeholder for which you must supply a value. Angle brackets “< >” are used to differentiate
placeholders if several appear in sequence.
{text in braces} – Set of required items. You must choose one from the list to complete the command.
[text in brackets] – Optional items, separated by ‘|’ where there are several items to choose from (choose one
item from the list).
argument ... – Argument is repeatable.
[expression] ... – Expression is repeatable.
Vertical bar (|) – Separator for items which cannot be used together; choose one item from the list.
Table A-1 Command line format
Basic commands
The CLI supports the following basic commands:
• HELP, page 69
• SELECT, page 70
• COMMIT, page 71
• CREATE SETTINGS, page 72
• RESTORE, page 73
• DELETE SETTINGS, page 74
• REBOOT, page 75
• EXIT / QUIT, page 76
HELP
Use the help command for information on command usage. Enter help (without any parameters) for general
information on entering commands. Enter help auth for information on remote authorization and
authentication commands, help net for information on networking commands, help filter for information on
packet filtering commands, help map for information on port mapping commands, and help port for
information on the commands that set port parameters.
Command form
help
help auth
help net
help filter
help map
help port
SELECT
Use the select command to select the system Controller (motherboard) or a chassis slot. Selecting a slot will
give you access to the TAP module that is installed in the slot and allow you to view and configure its ports.
Command form
select slot [0-4]
select controller
SlotNumber
Specifies the chassis slot number. Front slots are numbered 1–4 (left to right); rear
ports are slot 0.
Examples
• Select slot 1 (left slot):
CONTROLLER>select slot 1
SLOT1>
• Select slot 0 (rear ports):
CONTROLLER>select slot 0
SLOT0>
• Select Controller:
SLOT1>select controller
CONTROLLER>
COMMIT
Use the commit command to program the system with the maps and filters defined with set map and set filter
commands.
Command form
commit
Example
Commit maps and filters:
CONTROLLER>commit
Committing maps and filters
CREATE SETTINGS
Use the create settings command to save the current settings for ports, port mappings, packet filters and SNMP
(network settings, firmware and counter states are not saved). Use the restore command to restore a profile.
Command form
create settings name-string
name-string
Specifies a name for the settings. Names can include alphanumeric characters and
the underscore character “_” only. Spaces and punctuation characters cannot be
used. name-string is case-sensitive, so config and Config will be saved separately.
Example
Save current system settings to a configuration called config_tap1:
CONTROLLER>create settings config_tap1
Settings saved OK
RESTORE
Use the restore command to restore the default configuration or a user-saved profile. Restoring a profile will
overwrite port settings, filters, port maps and SNMP settings. To see a list of profiles that are available for
restoring, use the restore command without the name-string parameter. Restoring “factory_defaults” will reset
the system to the default configuration.
Command form
restore name-string
name-string
Specifies the name of the settings you want to restore. Using restore without the
name-string parameter outputs a list of the available profiles.
Example
Restore system using saved configuration config_tap1:
CONTROLLER>restore config_tap1
applied settings OK
DELETE SETTINGS
Use the delete settings command to remove saved settings.
Command form
delete settings name-string
name-string
Specifies the settings name to remove.
Example
Delete settings config_tap1:
CONTROLLER>delete settings config_tap1
deleted OK
REBOOT
Use the reboot command to restart the current TAP module or the system motherboard when Controller is
selected. Rebooting the Controller/motherboard will log you out of the system and prevent connectivity for
several minutes. A TAP mode link on the live network should not be affected more than momentarily by a
reboot, but traffic passing through the link will not be copied to other ports during the reboot time. Counters
will not be updated until the reboot process has completed.
Command form
reboot
Examples
• Reboot slot 0 (rear ports):
CONTROLLER>select slot 0
SLOT0>reboot
• Reboot system motherboard:
CONTROLLER>reboot
Rebooted card 0
Rebooted card 1
Rebooted card 2
Rebooted card 3
Rebooted card 4
Rebooted motherboard
CONTROLLER>
Broadcast message from root@SNAE-v2-122 (Sun Aug 5 15:44:00 2012):
The system is going down for reboot NOW!
Connection to 192.168.0.122 closed by remote host.
Connection to 192.168.0.122 closed.
admin@example.com:~$
EXIT / QUIT
Use the exit or quit command to exit from the CLI and log out the current user. If any network configuration
changes are pending, they will be implemented after quitting from the CLI.
Command form
exit or quit
Example
Exit from the CLI:
CONTROLLER>exit
Exiting CLI
Connection to 192.168.0.122 closed.
admin@example.com:~$
Commands for managing contact and location details
The CLI supports the following commands for setting the name, location and contact parameters used by
SNMP:
• SET/SHOW NAME, page 78
• SET/SHOW LOCATION, page 79
• SET/SHOW CONTACT, page 80
SET/SHOW NAME
Use the set name command to set a system name string. Use the show name command to display the system
name string.
Command form
set name name-string
show name
name-string
Specifies the appliance name. Use up to 19 alphanumeric characters (spaces
allowed). If the string includes a comma and you are using a RADIUS server, the
comma will be replaced by an underscore when viewed in server logs. Default value:
“Network Critical”.
Examples
• Set the system name string to SmartNA-X 10G Network Access:
CONTROLLER>set name SmartNA-X 10G Network Access
• Show system name string:
CONTROLLER>show name
SmartNA-X 10G Network Access
SET/SHOW LOCATION
Use the set location command to specify the physical location of this device (for example, ‘Service rack, Boston
datacenter’). Use the show location command to display the current system location string.
Command form
set location location-string
show location
location-string
Specifies the system location string. Use up to 19 alphanumeric characters.
Spaces are allowed. If the string includes a comma and you are using a RADIUS
server, the comma will be replaced by an underscore when viewed in server logs.
Default: “Network Critical”.
Example
Set the system location string to Service rack, Boston datacenter:
CONTROLLER>set location Service rack, Boston datacenter
SET/SHOW CONTACT
Use the set contact command to configure contact information for the SmartNA-X administrator or
designated contact. Use the show contact command to display the current system contact string.
Command form
set contact contact_string
show contact
contact_string
Specifies the contact name string. The string must start with a letter (A-Z, a-z)
and must contain only alphanumeric characters (A-Z, a-z, 0-9), spaces and
underscores (_). If the string includes a comma and you are using a RADIUS
server, the comma will be replaced by an underscore when viewed in server logs.
Default: “Network Critical”.
Example
Set the contact string to SmartNA-X Administrator Tel: 555 123 456:
CONTROLLER>set contact SmartNA-X Administrator Tel: 555 123 456
Commands for managing network configuration
The CLI supports the following commands for configuring network settings:
• CREATE NTP, page 82
• DELETE NTP, page 83
• SHOW IPV4, page 84
• SET IPV4 STATIC, page 85
• SET IPV4 GATEWAY, page 86
• SET IPV4 DNS, page 87
• SET IPV4 DHCP, page 88
• SHOW IPV6, page 89
• SET IPV6 STATIC, page 90
• SET IPV6 GATEWAY, page 91
CREATE NTP
Use the create ntp command to add a time (NTP) server. Only one NTP server is allowed.
Command form
create ntp IP-addr
IP-addr
Specifies the network IP address of the NTP server.
Example
Add NTP server 192.168.10.100:
CONTROLLER>create ntp 192.168.10.100
DELETE NTP
Use the delete ntp command to remove a time (NTP) server.
Command form
delete ntp
Example
Delete NTP server:
CONTROLLER>delete ntp
SHOW IPV4
Use the show IPv4 command to display IPv4 settings for the SmartNA-X network interface.
Command form
show IPv4
Example
Show network interface IPv4 settings:
CONTROLLER>show ipv4
Addressing Mode : static
Address: 192.168.0.122
Netmask: 255.255.255.0
Gateway: 192.168.0.254
DNS Server: 0.0.0.0
SET IPV4 STATIC
Use the set IPv4 static command to configure a static IPv4 network address, network mask, and optionally the
gateway address for SmartNA-X. The new configuration is not implemented until you log out (exit) from the
CLI.
Command form
set IPv4 static <static-addr> <mask> [gateway <IPv4-gateway>]
static-addr
Specifies the network interface IPv4 address, in dotted-decimal format
(a.b.c.d). Default value: 192.168.254.100.
mask
Specifies the routing prefix of the network address, also known as the network
mask (netmask).
gateway <IPv4-gateway>
(Optional) Specifies the network gateway IPv4 address.
Example
Configure static network settings as follows:
Address: 192.168.0.122
Subnet mask: 255.255.255.0
Gateway: 192.168.0.254
CONTROLLER>set ipv4 static 192.168.0.122 255.255.255.0 gateway 192.168.0.254
Network settings will take effect when you exit CLI.
exit to enable new network settings
CONTROLLER>exit
Exiting CLI
exit to enable new network settings
Applying new IPv4 network settings
Addressing Mode : static
Address: 192.168.0.122
Netmask: 255.255.255.0
Gateway: 192.168.0.254
Connection to 192.168.0.122 closed.
admin@example.com:~$
SET IPV4 GATEWAY
Use the set ipv4 gateway command to configure the IPv4 network gateway address. The new configuration is
not implemented until you log out (exit) from the CLI. The CLI will not allow you to set gateway and IPv4
address to an invalid combination. If you are changing both at the same time, you should use the set ipv4 static
command with the gateway option specified, rather than issuing two separate commands to change IPv4
address and gateway.
Command form
set IPv4 gateway IPv4-addr
IPv4-addr
Specifies the network gateway IPv4 address.
Example
Configure gateway address 192.168.0.254:
CONTROLLER>set ipv4 gateway 192.168.0.254
CONTROLLER>show ipv4
Addressing Mode : static
Address: 192.168.0.122
Netmask: 255.255.255.0
Gateway: 192.168.0.254
DNS Server: 192.168.0.5
SET IPV4 DNS
Use the set IPv4 dns command to configure a DNS server. The DNS protocol controls the Domain Name
System (DNS), a distributed database with which you can map host names to IP addresses. When you
configure DNS for SmartNA-X, you can substitute the host name for the IP address with commands that take
an address.
There is no IPv6 equivalent of this command.
Command form
set IPv4 dns IPv4-addr
IPv4-addr
Specifies the network address of the DNS server. Default value: None.
Example
Configure DNS server 192.168.0.5:
CONTROLLER>set ipv4 dns 192.168.0.5
CONTROLLER>show ipv4
Addressing Mode : static
Address: 192.168.0.122
Netmask: 255.255.255.0
Gateway: 192.168.0.254
DNS Server: 192.168.0.5
CONTROLLER>exit
Exiting CLI
Connection to 192.168.0.122 closed.
admin@example.com:~$
SET IPV4 DHCP
Use the set ipv4 dhcp command to enable DHCP and have your DHCP server automatically assign network
settings, including IP address, gateway and DNS, to SmartNA-X. The new configuration is not implemented
until you log out (exit) from the CLI when accessing through the current (static) IPv4 address. The
requirement to exit the CLI does not apply if DHCP is enabled through the Console port or IPv6, and in these
cases the configuration will be implemented instantly.
Command form
set ipv4 dhcp
Example
Enable DHCP and exit to enable new network settings:
CONTROLLER>set ipv4 dhcp
Network settings will take effect when you exit CLI.
exit to enable new network settings
CONTROLLER>exit
SHOW IPV6
Use the show IPv6 command to show all IPv6 settings.
Command form
show IPv6
Example
Show IPv6 settings:
CONTROLLER>show ipv6
Set Global Address : 2001::5
Set Prefix Length : 16
Set Gateway : 2001::4
Link Local Address : fe80::21d:ffff:fe00:91ff
Active Global Address : 2001::5
Active Prefix Length : 16
Active Gateway : 2001::4
exit to enable new network settings
SET IPV6 STATIC
Use the set IPv6 static command to configure a static IPv6 network address, prefix length, and optionally a
gateway address. SmartNA-X has a link-local IPv6 address implicitly set, but you may specify one additional
IPv6 address. The new configuration will not be implemented until you log out (exit) from the CLI.
Command form
set IPv6 static <IPv6-addr> <prefix-length> [gateway <IPv6-gateway>]
IPv6-addr
Specifies the network interface IPv6 address, in standard IPv6 format, such as
2001:db8::52:0:1
prefix-length
Specifies the network prefix length. The value must be in the range 16–124.
gateway <IPv6-gateway>
(Optional) Specifies the network gateway IPv6 address.
Example
Configure the following static IPv6 network settings:
IP address: 2001:db8::52:0:21
Prefix length: 64 bits
Gateway: 2001:db8::52:0:10
CONTROLLER>set ipv6 static 2001:db8::52:0:21 64 gateway 2001:db8::52:0:10
SET IPV6 GATEWAY
Use the set IPv6 gateway command to configure the IPv6 network gateway address. The new configuration is
not implemented until you log out (exit) from the CLI.
Command form
set IPv6 gateway IPv6-addr
IPv6-addr
Specifies the network gateway IPv6 address.
Example
Configure gateway address 2001:db8::52:0:10:
CONTROLLER>set ipv6 gateway 2001:db8::52:0:10
Commands for managing users
The CLI supports the following commands for setting up SmartNA-X users:
• SHOW USERS, page 93
• CREATE USER, page 94
• SET USER PASSWORD, page 95
• SET USER LEVEL, page 96
• DELETE USER, page 97
SHOW USERS
Use the show users command to display the current system users.
Command form
show users
Example
Show SmartNA-X users:
CONTROLLER>show users
user : security level 2
admin : security level 3
audit : security level 1
CREATE USER
Use the create user command to create user accounts locally. User accounts have the following attributes:
• username
• password
• security level
Note that you cannot use this command to create RADIUS or TACACS+ users.
Command form
create user username password {1, 2, 3}
username
Creates a user with the specified username. Usernames are case-sensitive.
password
Sets the user password. Passwords are case-sensitive.
1, 2, 3
Assigns the user the specified security level:
1 - Auditor – read-only access
2 - Standard user – read-only access, limited read-write access
3 - Administrator – full read-write access
Examples
• Create an audit user with the following attributes:
username: audit1
password: audit1pass
security level: 1 (Audit user)
CONTROLLER>create user audit1 audit1pass 1
Creating user audit1
• Create a standard user with the following attributes:
username: user1
password: user1pass
security level: 2 (Standard user)
CONTROLLER>create user user1 user1pass 2
Creating user user1
• Create an admin user with the following attributes:
username: admin1
password: admin1pass
security level: 3 (Administrator)
CONTROLLER>create user admin1 admin1pass 3
Creating user admin1
SET USER PASSWORD
Use the set user password command to change the login password for the specified user when using local
authentication. If your system has been set up to authenticate users via an external authentication server, you
will need to manage user passwords on the external server instead.
Command form
set user username password password
username
Specifies the user account name to change. User names are case-sensitive.
password
Specifies the new password for the specified user. Passwords are case-sensitive.
Example
Change user1 password to user1pass:
CONTROLLER>set user user1 password user1pass
SET USER LEVEL
Use the set user level command to configure the security level when using local authentication. If your system
has been set up to authenticate users via an external server, you will need to manage user accounts on the
external server instead. SmartNA-X provides three security levels, each with varying access to system/TAP
module options:
• Level 1 (Auditors): Allows read-only access to system and module settings. This level should be used by
auditors and other users who require read-only access to the system.
• Level 2 (Operators): Allows limited write access to the system settings. This level should be used by users
who need to set up network TAPs and configure SNMP settings.
• Level 3 (Administrators): Allows full write access to all system and module settings. This level should be
assigned only to SmartNA-X administrators who require access to network settings, upload new system
software, and perform other system-related tasks.
Command form
set user username level {1, 2, 3}
username
Specifies the username of the account whose access level is to be changed. The
username specified must already have been set up on the system.
1, 2, 3
Assigns the specified security level:
1 - read-only access to the system
2 - read-write access to modules, maps, filters and SNMP. No access to network
settings.
3 - admin level – full read-write access to the system, including modules and ports,
SNMP, network settings, and firmware uploads
Example
Change user1 to security level 1 (Auditor):
CONTROLLER>set user user1 level 1
Changing level user user1
DELETE USER
Use the delete user command to remove a locally authenticated account. If external authentication is enabled,
accounts must be deleted on your AAA server instead.
Command form
delete user username
username
Specifies the name of the account to delete.
Example
Remove local user user1:
CONTROLLER>delete user user1
Deleting user user1
Commands for managing authentication and accounting
The CLI supports the following commands for setting up authentication and accounting:
• SHOW RADIUS, page 99
• SHOW TACACS, page 100
• SET AUTHENTICATION, page 101
• CREATE RADIUS AUTHSERVER, page 102
• DELETE RADIUS AUTHSERVER, page 103
• CREATE TACACS AUTHSERVER, page 104
• DELETE TACACS AUTHSERVER, page 105
• CREATE RADIUS ACCSERVER, page 106
• DELETE RADIUS ACCSERVER, page 107
• CREATE TACACS ACCSERVER, page 108
• DELETE TACACS ACCSERVER, page 109
• SET LOG, page 110
SHOW RADIUS
Use the show radius command to display the RADIUS server configuration information.
Command form
show radius
Example
Show RADIUS servers:
CONTROLLER>show radius
Authentication Server 192.168.10.22 port 1812
Accounting Server 192.168.10.23 port 1813
SHOW TACACS
Use the show tacacs command to display the TACACS+ server configuration information.
Command form
show tacacs
Example
Show TACACS+ servers:
CONTROLLER>show tacacs
Authentication server 192.168.10.24
Accounting Server 192.168.10.25
SET AUTHENTICATION
Use the set authentication command to define the authentication method used to verify user login credentials.
By default, user accounts are authenticated locally, but you can use an authentication server to authenticate
users by choosing either RADIUS or TACACS+, as required by your authentication server. User accounts must
be administered on the authentication server, not locally, once RADIUS/TACACS authentication is enabled.
Use the create radius authserver or create tacacs authserver commands to specify the address of your
authentication server.
Command form
set authentication {Local | RADIUS | TACACS | locrad | loctac}
{Local | RADIUS | TACACS | locrad | loctac}
The following authentication methods are supported:
• Local – authenticates users locally (this is the default).
• RADIUS – authenticates users remotely via the configured RADIUS
authentication server.
• TACACS – authenticates users remotely via the configured TACACS+
authentication server.
• locrad – allows both local and RADIUS users to log in. This is intended to be
used while setting up a RADIUS server to ensure that the system administrator
is not locked out. Once RADIUS is working, authentication should be changed
to RADIUS.
• loctac – allows both local and TACACS+ users to log in. This is intended to be
used while setting up a TACACS+ server to ensure that the system
administrator is not locked out. Once TACACS+ is working, authentication
should be changed to TACACS.
Examples
• Enable RADIUS authentication:
CONTROLLER>set authentication radius
Change accepted
• Enable TACACS+ authentication:
CONTROLLER>set authentication tacacs
Change accepted
• Enable local authentication:
CONTROLLER>set authentication local
Change accepted
CREATE RADIUS AUTHSERVER
Use the create radius authserver command to add a RADIUS authentication server. You must also use the set
authentication radius command to enable RADIUS server authentication. If your network has more than one
RADIUS authentication server running, you can add them as backup/failover servers and the system will
attempt to contact the second server in order to validate a user (the system will not, however, switch between
RADIUS and TACACS+ servers if both are defined). Note that a RADIUS server will outright reject a validation
request when the secrets mismatch, and the system will not attempt to validate the secret on a second RADIUS
server. However, the system will attempt to validate the user on a second RADIUS server if the user account is
not present on the first server. TACACS+ servers behave differently: the system will attempt to contact a
backup server if either the user account is not present or the secrets mismatch.
Command form
create radius authserver <IP-addr> <port> <password>
IP-addr
Specifies the network IP address of the RADIUS authentication server.
port
Specifies the RADIUS port, usually 1812 for authentication servers.
password
Specifies the password/shared-secret required to access the authentication server.
Passwords are case-sensitive.
Example
Add a RADIUS authentication server with the following properties:
• IP address: 192.168.10.22
• Port: 1812
• Password: qwaszx
CONTROLLER>create radius authserver 192.168.10.22 1812 qwaszx
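The failover rules described above (RADIUS rejects outright on a secret mismatch but tries the backup server when the account is missing; TACACS+ tries the backup in both cases; the system never switches between RADIUS and TACACS+) and the lockout that locrad/loctac are meant to prevent can be modelled as a small decision function. This is an added Python example, not SmartNA-X code; the server objects, the backup addresses 192.168.10.26/.27 and the user accounts are constructed, and the assumption that locrad/loctac accept a matching local account before consulting the remote servers is mine, not the guide's.

```python
from dataclasses import dataclass


@dataclass
class AuthServer:
    """Constructed stand-in for a RADIUS or TACACS+ server."""
    address: str
    secret: str      # shared secret as configured on the server side
    users: dict      # username -> password the server knows


@dataclass
class Appliance:
    method: str           # local | radius | tacacs | locrad | loctac  (set authentication)
    local_users: dict     # accounts created with `create user`
    radius: list          # ordered (server, secret given to `create radius authserver`)
    tacacs: list          # ordered (server, secret given to `create tacacs authserver`)


def remote_auth(protocol: str, servers: list, user: str, password: str) -> bool:
    """Walk the ordered server list with the failover rules the guide describes."""
    for server, configured_secret in servers:
        if configured_secret != server.secret:
            if protocol == "radius":
                # RADIUS: a secret mismatch is an outright reject; no second server is tried
                return False
            # TACACS+: a secret mismatch falls through to the backup server
            continue
        if user not in server.users:
            # Account not present on this server: both protocols try the next one
            continue
        return server.users[user] == password
    return False  # no server could validate the user


def authenticate(app: Appliance, user: str, password: str) -> bool:
    """Apply the configured `set authentication` method. Assumption: in locrad/loctac
    mode a matching local account is accepted first, otherwise the remote list is used."""
    if app.method in ("local", "locrad", "loctac") and app.local_users.get(user) == password:
        return True
    if app.method in ("radius", "locrad"):
        return remote_auth("radius", app.radius, user, password)
    if app.method in ("tacacs", "loctac"):
        return remote_auth("tacacs", app.tacacs, user, password)
    return False


def demo() -> dict:
    """Constructed scenarios: a typo in the primary server's secret under each method."""
    primary = AuthServer("192.168.10.22", "qwaszx", {"alice": "alicepw"})
    backup = AuthServer("192.168.10.26", "qwaszx", {"bob": "bobpw"})
    tprimary = AuthServer("192.168.10.24", "qwaszx", {"alice": "alicepw"})
    tbackup = AuthServer("192.168.10.27", "qwaszx", {"bob": "bobpw"})
    local = {"admin": "admin1pass"}
    results = {}
    # 1. RADIUS, secrets correct: bob is only on the backup and is found there
    app = Appliance("radius", local, [(primary, "qwaszx"), (backup, "qwaszx")], [])
    results["radius_backup_user"] = authenticate(app, "bob", "bobpw")
    results["radius_wrong_password"] = authenticate(app, "alice", "not-her-password")
    # 2. RADIUS, primary secret mistyped: outright reject, backup never consulted,
    #    and the local admin account is no longer honoured either
    app = Appliance("radius", local, [(primary, "qwasxz"), (backup, "qwaszx")], [])
    results["radius_bad_secret"] = authenticate(app, "bob", "bobpw")
    results["radius_admin_locked_out"] = authenticate(app, "admin", "admin1pass")
    # 3. Same mistake under TACACS+: the backup server still validates bob
    app = Appliance("tacacs", local, [], [(tprimary, "qwasxz"), (tbackup, "qwaszx")])
    results["tacacs_bad_secret"] = authenticate(app, "bob", "bobpw")
    # 4. locrad while RADIUS is still being set up: the local admin can still log in
    app = Appliance("locrad", local, [(primary, "qwasxz")], [])
    results["locrad_admin"] = authenticate(app, "admin", "admin1pass")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'accepted' if ok else 'rejected'}")
```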
DELETE RADIUS AUTHSERVER
Use the delete RADIUS authserver command to remove access to a RADIUS authentication server. Note that
users will not be able to access SmartNA-X unless local authentication is enabled (set authentication local) or
another authentication server is added (create radius authserver).
Command form
delete RADIUS authserver IP-addr
IP-addr
Specifies the network IP address of the RADIUS authentication server.
Example
Delete RADIUS authentication server 192.168.10.22:
CONTROLLER>delete radius authserver 192.168.10.22
removing RADIUS server
CREATE TACACS AUTHSERVER
Use the create tacacs authserver command to add a TACACS+ authentication server. You must also use the
set authentication tacacs command to enable TACACS+ server authentication. If your network has more than
one TACACS+ authentication server running, you can add them as backup/failover servers and the system will
attempt to contact the second server in order to validate a user if the account is not present or the secrets
mismatch on the first server.
Command form
create tacacs authserver <IP-addr> <password>
IP-addr
Specifies the network IP address of the TACACS+ authentication server.
password
Specifies the password/shared-secret required to access the authentication server.
Passwords are case-sensitive.
Example
Add a TACACS+ authentication server with the following properties:
• IP address: 192.168.10.24
• Password: qwaszx
CONTROLLER>create tacacs authserver 192.168.10.24 qwaszx
DELETE TACACS AUTHSERVER
Use the delete tacacs authserver command to remove access to a TACACS+ authentication server. Note that
users will not be able to access SmartNA-X unless local authentication is enabled (set authentication local) or
another authentication server is added (create tacacs authserver).
Command form
delete tacacs authserver IP-addr
IP-addr
Specifies the network address of the TACACS+ authentication server.
Example
Delete TACACS+ authentication server 192.168.10.24:
CONTROLLER>delete tacacs authserver 192.168.10.24
CREATE RADIUS ACCSERVER
Use the create radius accserver command to add a RADIUS accounting server. Adding an accounting server
implicitly enables SmartNA-X logging. Note that local logging is not available on SmartNA-X.
Command form
create radius accserver <IP-addr> <port> <password>
IP-addr
Specifies the network IP address of the RADIUS accounting server.
port
Specifies the RADIUS port, usually 1813 for accounting servers.
password
Specifies the password/shared-secret required to access the accounting server.
Passwords are case-sensitive.
Example
Add a RADIUS accounting server with the following properties:
• IP address: 192.168.10.23
• Port: 1813
• Password: qwaszx
CONTROLLER>create radius accserver 192.168.10.23 1813 qwaszx
DELETE RADIUS ACCSERVER
Use the delete radius accserver command to remove the specified RADIUS accounting server.
Command form
delete radius accserver IP-addr
IP-addr
Specifies the network IP address of the RADIUS accounting server.
Example
Delete RADIUS accounting server 192.168.10.23:
CONTROLLER>delete radius accserver 192.168.10.23
CREATE TACACS ACCSERVER
Use the create tacacs accserver command to add a TACACS+ accounting server and implicitly enable
SmartNA-X audit logging. Note that local audit logging is not available on SmartNA-X.
Command form
create tacacs accserver <IP-addr> <password>
IP-addr
Specifies the network IP address of the TACACS+ accounting server.
password
Specifies the password/shared-secret required to access the accounting server.
Passwords are case-sensitive.
Example
Add a TACACS+ accounting server with the following properties:
• IP address: 192.168.10.25
• Password: qwaszx
CONTROLLER>create tacacs accserver 192.168.10.25 qwaszx
DELETE TACACS ACCSERVER
Use the delete tacacs accserver command to remove the specified TACACS+ accounting server.
Command form
delete tacacs accserver IP-addr
IP-addr
Specifies the network IP address of the TACACS+ accounting server.
Example
Delete TACACS+ accounting server 192.168.10.25:
CONTROLLER>delete tacacs accserver 192.168.10.25
removing TACACS server
SET LOG
Use the set log command to add arbitrary log entries to SmartNA-X logs when using AAA accounting
server(s).
Command form
set log text-string
text-string
Specifies the text to add to the log entry.
Examples
Add the following log entries:
Ticket 243: Change IPV6 network settings <settings changed>:
End of Ticket 243
CONTROLLER>set log Ticket 243: Change IPV6 network settings <settings changed>
CONTROLLER>set log End of Ticket 243
Commands for managing TAP modules
The CLI supports the following commands for managing TAP modules:
• SET/SHOW TEMPERATUREHIGH, page 113
• SHOW STATUS, page 114
• SHOW COUNTERS, page 115
• CLEAR COUNTERS, page 116
• SHOW RATES, page 117
• SHOW ERRORS, page 118
Commands for managing TAP ports
The CLI supports the following commands for managing TAP ports:
• SHOW PORT, page 119
• SET PORT SPEED, page 120
• SET PORT DUPLEX, page 122
• SET PORT MDI, page 123
• SET PORT TAP, page 124
• SET PORT AUTOLOCK, page 125
• SET PORT LOCK, page 126
• SET PORT MASTERING, page 127
• SET PORT TRAFFICLOW, page 129
• SET PORT TRAFFICHIGH, page 130
SET/SHOW TEMPERATUREHIGH
Use the set temperaturehigh command to set the TAP module temperature threshold for SNMP. An SNMP
notification will be sent if SNMP health notification is enabled (with the snmp enable notify health
command) and the temperature exceeds the value set here.
Use the show temperaturehigh command to display the current temperature threshold value.
Command form
set temperaturehigh value
show temperaturehigh
value
Specifies a value for the high temperature threshold. De
Example
Set a high temperature threshold of 80C for the TAP module in slot 4:
SLOT4>set temperaturehigh 80
SLOT4>show status
Card Type: MODULE_RJ_RJ
Model: 5511
Serial Number: 3400270
Firmware Version: r594
Firmware Built: Wed 08 Aug 2012 14:20:28
Hardware Revision: 1.20
Temperature: 42
Up Time: 1 days 3 hours 40 mins 53 secs
Temperature High Threshold: 80
SHOW STATUS
Use the show status command to display selected TAP module and system status information. This
information may be requested when contacting your Network Critical Support Center.
Command form
show status
Example
Show Controller/system status:
CONTROLLER>show status
Power Supply 1: DOWN
Power Supply 2: UP
Fan 1: UP
Fan 2: UP
System Status: error - Contact Network Critical Support
Chassis Type: 1U
Model: 1U 1G/10G
Serial Number: 2200267
Firmware Version: r2508M
Firmware Built: Wed 08 Aug 2012 14:20:57
Hardware Revision: 1.20
Up Time: 0 days 22 hours 51 mins 20 secs
System Temperature High Threshold: 70
SHOW COUNTERS
Use the show counters command to display bytes in/out (since the last reset) for each port in the selected slot.
Command form
show counters
Example
Show counter information for the TAP module in slot 1:
SLOT1>show counters
Port    BytesIn       BytesOut
A       9785952821    0
B       0             0
C       8173431488    8227665280
D       8227665280    8173431488
CLEAR COUNTERS
Use the clear counters command to reset all traffic counters to zero.
Command form
clear counters
Example
Show and reset counters for the TAP module in slot 1:
SLOT1>clear counters
Cleared Counters OK
SLOT1>show counters
Port    BytesIn    BytesOut
A       0          0
B       0          0
C       0          0
D       0          0
SLOT1>
SHOW RATES
Use the show rates command to display traffic rates for the current slot. Input and output rates for each port
are shown as bytes/sec and as percentage of the total capacity available. Press return to stop the command.
Command form
show rates
Example
Show traffic rates for TAP module in slot 1:
CONTROLLER>select slot 1
SLOT1>show rates
Type return to stop.
A: in 0 (0 %) out 0 (0 %)
B: in 0 (0 %) out 0 (0 %)
C: in 0 (0 %) out 0 (0 %)
D: in 0 (0 %) out 0 (0 %)
Type return to stop.
A: in 0 (0 %) out 0 (0 %)
B: in 0 (0 %) out 0 (0 %)
C: in 0 (0 %) out 0 (0 %)
D: in 0 (0 %) out 0 (0 %)
Type return to stop.
A: in 0 (0 %) out 0 (0 %)
B: in 0 (0 %) out 0 (0 %)
C: in 0 (0 %) out 0 (0 %)
D: in 0 (0 %) out 0 (0 %)
Type return to stop.
A: in 0 (0 %) out 0 (0 %)
B: in 0 (0 %) out 0 (0 %)
C: in 0 (0 %) out 0 (0 %)
D: in 0 (0 %) out 0 (0 %)
SHOW ERRORS
Use the show errors command to display packet error details for the selected TAP module. The following
packet error details are returned:
• Undersize
• Fragments
• Oversize
• Jabber
• Receive Error / Rx Error
• FCS (frame check sequence)
Command form
show errors
Example
Show errors for module in slot 4:
SLOT4>show errors
Port  UnderSize  Fragments  OverSize  Jabber  RxError  FCS_Error
A     0          0          0         0       0        0
B     0          0          0         0       0        0
C     0          0          0         0       0        0
D     0          0          0         0       0        0
SHOW PORT
Use the show port command to display port information.
Command form
show port port-id
Example
Show settings for port 4A:
CONTROLLER>select slot 4
SLOT4>show port A
speed : set auto actual 1G
duplex : set auto actual full
mdi : set auto actual mdi-x
mastering : set preferslave actual slave
tap : on
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT UP
traffic threshold low : 0
traffic threshold high: 100
SET PORT SPEED
Use the set port speed command to configure the speed of the specified copper port (A–D) of the selected TAP
module. Setting anything other than Auto fixes the port at the specified setting, even if the link partner is
unable to communicate at that setting or if network transmission conditions deteriorate. Note that SFP/SFP+
and fiber channel ports do not support port speed variance.
Command form
set port port-id speed {Auto | 10M | 100M | 1G | 10G}
port-id
Specifies the port to set. Front ports are labelled A to D, left to right, and rear
ports are labelled A and B. Only one port can be set at a time.
Auto | 10M | 100M | 1G | 10G
Sets the port speed to auto negotiate, 10 Mbit/s, 100 Mbit/s, 1 Gbit/s, or
10 Gbit/s. Use Auto (the default) to let the system auto-negotiate the optimum
port speed and automatically adjust speed if link conditions change. Setting a
fixed speed (10M, 100M, 1G or 10G) will fix the port at that speed, regardless of
line conditions or link partner.
Example
Set port 4C to 1 Gbit/s:
CONTROLLER>select slot 4
SLOT4>set port C speed 1G
SLOT4>show port C
speed : set 1G
duplex : set full
mdi : set mdi-x
mastering : set preferslave
tap : off
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 100
Set slot 4 port D to auto speed:
CONTROLLER>select slot 4
SLOT4>set port D speed auto
SLOT4>show port D
speed : set auto
duplex : set auto
mdi : set auto
mastering : set preferslave
tap : on
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 0
traffic threshold high: 100
SET PORT DUPLEX
Use the set port duplex command to configure duplex of the specified port (A–D) of the currently selected
TAP module. In general, set duplex to match the link partner, or leave it at Auto to auto-negotiate duplex with
the link partner.
Command form
set port port-id duplex {Auto | Full | Half}
port-id
Specifies the port to set. Front ports are labelled A to D, left to right, and rear
ports are labelled A and B. Only one port can be set at a time.
Auto | Full | Half
Sets the port duplex to auto negotiate, full or half duplex. Use Auto (the default) to
let the system auto-negotiate the optimum duplex setting with the link partner.
Examples
• Set port 4C to full duplex:
CONTROLLER>select slot 4
SLOT4>set port C duplex full
SLOT4>show port C
speed : set 1G
duplex : set full
mdi : set mdi-x
mastering : set preferslave
tap : off
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 100
• Set port 4D to half-duplex:
CONTROLLER>select slot 4
SLOT4>set port D duplex half
SLOT4>show port D
speed : set auto
duplex : set half
mdi : set auto
mastering : set preferslave
tap : off
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 0
traffic threshold high: 100
SET PORT MDI
Use the set port mdi command to specify the crossover mode of the port, either MDI (normal) or MDI-X
(crossover). To connect two ports of the same configuration (MDI to MDI or MDI-X to MDI-X), an Ethernet
crossover cable is needed to cross over the transmit and receive signals in the cable, so that they are matched at
the connector level. Otherwise, you can select Auto and let the ports themselves detect the required cable
connection type and configure the connection appropriately. For auto-MDI/MDI-X to operate correctly, the
data rate on the interface and duplex setting must be set to Auto.
Command form
set port port-id mdi {auto | mdi | mdi-x}
port-id
Specifies the port to set. Front ports are labelled A to D, left to right, and rear
ports are labelled A and B. Only one port can be set at a time.
Auto | MDI | MDI-X
Sets the MDI/MDI-X transmission mode. Default setting is Auto.
Examples
• Set port 4C to MDI-X:
CONTROLLER>select slot 4
SLOT4>set port C mdi mdi-x
SLOT4>show port C
speed : set 1G
duplex : set full
mdi : set mdi-x
mastering : set preferslave
tap : off
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 100
• Set port 4D to MDI:
CONTROLLER>select slot 4
SLOT4>set port D mdi mdi
SLOT4>show port D
speed : set auto
duplex : set auto
mdi : set mdi
mastering : set preferslave
tap : off
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 0
traffic threshold high: 100
SET PORT TAP
Use the set port tap command to configure the specified ports as TAP ports of the currently selected TAP
module. TAP ports connect to the live network and as such must provide link-up status at all times. In the
event of a power failure or a module being pulled, a relay switch is instantly closed to maintain the network
connection when TAP is on. TAP off can be used when connecting to network tools, to prevent data being
captured when a module is pulled or when a general port failure has occurred.
Command form
set port port-id tap {on | off}
port-id
Specifies the port to set. Front ports are labelled A to D, left to right, and rear
ports are labelled A and B. Only one port can be set at a time.
on | off
Sets the TAP mode to on or off. Off is the default setting for ports.
Example
Enable TAP mode for port 4C:
CONTROLLER>select slot 4
SLOT4>set port C tap on
SLOT4>show port C
speed : set 1G
duplex : set full
mdi : set mdi-x
mastering : set preferslave
tap : on
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 100
SET PORT AUTOLOCK
Use the set port autolock command to configure auto locking on the specified ports of the currently selected
TAP module. To prevent unauthorized users from accessing ports, you can set autolock so the port becomes
automatically locked if the cable is removed, preventing data transmission to/from the port. Once a port has
become locked, use the port lock off command to unlock it.
Command form
set port port-id autolock {on | off}
port-id
Specifies the port to set. Front ports are labelled A to D, left to right, and rear
ports are labelled A and B. Only one port can be set at a time.
on | off
Sets the port autolock to on or off. Off is the default setting for all ports.
Examples
• Enable autolock for port 4C:
SLOT4>set port C autolock on
SLOT4>show port C
speed : set 1G
duplex : set full
mdi : set mdi-x
mastering : set preferslave
tap : off
autolock : on
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 100
• Disable autolock for port 4D:
SLOT4>set port D autolock off
SLOT4>show port D
speed : set auto
duplex : set auto
mdi : set mdi
mastering : set preferslave
tap : off
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 0
traffic threshold high: 100
SET PORT LOCK
Use the set port lock command to configure port locking of the currently selected TAP module. Locking
a port will prevent access by unauthorized users. This command is also used to unlock a port that has been
auto-locked.
Command form
set port port-id lock {on | off}
port-id
Specifies the port to set. Front ports are labelled A to D, left to right, and rear
ports are labelled A and B. Only one port can be set at a time.
on | off
Sets the port lock to on or off. Off is the default setting for all ports.
Examples
• Enable port lock for port 4C:
SLOT4>set port C lock on
SLOT4>show port C
speed : set 1G
duplex : set full
mdi : set mdi-x
mastering : set preferslave
tap : off
autolock : on
lock : on
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 100
• Disable port lock for port 4D:
SLOT4>set port D lock off
SLOT4>show port D
speed : set auto
duplex : set auto
mdi : set mdi
mastering : set preferslave
tap : off
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 0
traffic threshold high: 100
SET PORT MASTERING
Use the set port mastering command to configure port master/slave settings of the currently selected
TAP module. The command sets the port’s master/slave relationship with the link partner on a 1G RJ/copper
link when in TAP mode. In effect, it determines which end of the link is responsible for the synchronization
clock. The link will only work if there is one master and one slave.
For example, if port pair AB is operating in TAP mode, you are advised to force the partner of A to have
the same settings as B, and vice versa, which (in the case of mastering) is done by setting A to forcemaster and B
to forceslave (or the opposite). If the same ports are operating in non-TAP mode, you are advised to set the
ports to either preferslave or prefermaster, but not to forceslave.
Command form
set port port-id mastering {forcemaster | forceslave | prefermaster | preferslave}
port-id
Specifies the port to set. Front ports are labelled A to D, left to right, and rear
ports are labelled A and B. Only one port can be set at a time.
forcemaster | forceslave | prefermaster | preferslave
Sets the port to the specified master/slave setting.
forcemaster – Force master. Use in TAP mode to set the port as the synch master.
forceslave – Force slave. Use in TAP mode to set the port as the synch slave.
prefermaster – Prefer master. Use in non-TAP mode to favour synch master.
preferslave – Prefer slave. Use in non-TAP mode to favour synch slave.
Examples
• Force master for port 4C:
SLOT4>set port C mastering forcemaster
SLOT4>show port C
speed : set 1G
duplex : set full
mdi : set mdi-x
mastering : set forcemaster
tap : off
autolock : on
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 100
• Prefer slave for port 4D:
SLOT4>set port C mastering preferslave
15250.510 Using default value for authentication type.
SLOT4>show port C
speed : set 1G
duplex : set full
mdi : set mdi-x
mastering : set preferslave
tap : off
autolock : on
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 100
SET PORT TRAFFICLOW
Use the set port trafficlow command to set the low traffic threshold used by SNMP to trigger a health
notification.
Command form
set port port-id trafficlow {0...100}
port-id
Specifies the port to set. Front ports are labelled A to D, left to right, and rear
ports are labelled A and B. Only one port can be set at a time.
Example
Set a traffic low threshold of 10% for port 4C:
SLOT4>set port C trafficlow 10
15390.090 Using default value for authentication type.
SLOT4>show port C
speed : set 1G
duplex : set full
mdi : set mdi-x
mastering : set preferslave
tap : off
autolock : on
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 100
SET PORT TRAFFICHIGH
Use the set port traffichigh command to set the high traffic threshold used by SNMP to trigger a health
notification.
Command form
set port port-id traffichigh {0...100}
port-id
Specifies the port to set. Front ports are labelled A to D, left to right, and rear
ports are labelled A and B. Only one port can be set at a time.
Example
Set a traffic high threshold of 90% for port 4D:
SLOT4>set port D traffichigh 90
15633.450 Using default value for authentication type.
SLOT4>show port D
speed : set auto
duplex : set auto
mdi : set mdi
mastering : set preferslave
tap : off
autolock : off
lock : off
usage : undefined
port type : Registered Jack 45 (RJ45)
PORT DOWN
traffic threshold low : 10
traffic threshold high: 90
Commands for managing port maps and packet filters
The CLI supports the following commands for managing maps and filters:
• SHOW MAPS, page 132
• CLEAR MAPS, page 133
• SET MAP, page 134
• SHOW FILTERS, page 136
• SET FILTER IPV4, page 137
• SET FILTER IPV6, page 140
• SET FILTER ANYIP, page 143
• SET FILTER ARP, page 145
• SET FILTER MPLS LABEL, page 148
• SET FILTER ANY, page 149
NOTE: Maps and filters are not committed/applied to the system until you have entered the commit
command. Until then, they remain pending and will be lost if the system is restarted.
CAUTION: The system does not provide warnings or feedback on the validity of your maps, or any risks to
your network which may be caused by overloaded ports and/or dropped packets. When setting up port
mappings be careful not to create illogical mappings, overload ports, or create maps that may result in packet
injection to a live network.
SHOW MAPS
Use the show maps command to review your mapping configurations before applying them with the commit
command.
Command form
show maps
Examples
Show maps:
CONTROLLER>show maps
maps
1.
destinationPorts
1. : Ch3B
excludedFilters
requiredFilters
sourcePorts
1. : Ch3A
2.
destinationPorts
1. : Ch3A
excludedFilters
requiredFilters
sourcePorts
1. : Ch3B
3.
destinationPorts
1. : Ch3C
excludedFilters
requiredFilters
sourcePorts
1. : Ch3A
4.
destinationPorts
1. : Ch3D
excludedFilters
requiredFilters
sourcePorts
1. : Ch3B
5.
destinationPorts
1. : Ch3A
excludedFilters
requiredFilters
sourcePorts
1. : ChRA
6.
destinationPorts
1. : Ch3B
excludedFilters
requiredFilters
sourcePorts
1. : ChRB
CLEAR MAPS
Use the clear maps command to remove all defined maps and all filters that have been defined.
Command form
clear maps
Example
Clear maps:
CONTROLLER>clear maps
SET MAP
Use the set map command to create port mappings. Packets received on a source port are sent to all of the
destination ports mapped to it. Pre-defined filters can be applied to maps to pass or block packets that match
the filtering conditions. See the “Commands for managing port maps and packet filters” section on page 131
for instructions on managing maps and filters.
A filter following the word ‘require’ will only allow through traffic that matches its condition. A filter
following the word ‘exclude’ will remove all traffic that matches its condition.
You can set up maps between any ports in the system, including between ports on the same module, between
ports on different modules, between ports of different media types and speeds (be careful not to overload the
destination port when aggregating ports or mapping 10G and 1G ports), or between rear and front ports.
Once a map has been defined with the set map command, use the show maps command to review the
mapping configuration, and use the commit command to apply mappings and filters.
Command form
set map in-port … to out-port … [require filter …] [exclude filter …]
in-port
Specifies the packet input port (the source port).
A front port is represented by a number to indicate the TAP module followed by a
letter A–D to specify the port on that module (for example, 1A 1B). Rear ports
are labelled RA and RB.
Where multiple ports are specified, packets will be aggregated and sent to the
specified destination ports, unless removed by a filter. Use spaces to separate
multiple ports.
out-port
Specifies the packet output port (the destination port).
A front port is represented by a number to indicate the TAP module followed by a
letter A–D to specify the port on that module (for example, 1A 1B). Rear ports are
labelled RA and RB.
Where multiple ports are specified, copies of the packets will be sent to each
destination port, unless removed by a filter. Use spaces to separate multiple
ports.
require filter …
(Optional) Use require to add a filter that passes packets which match the filtering
conditions and drops all other packets. For filter, specify the name of a filter to
add (see set filter commands). Where a filter name contains spaces, it must be
contained within quotes.
exclude filter …
(Optional) Use exclude to add a filter that drops packets which match the filtering
conditions and passes all other packets. For filter, specify the name of a filter to
apply (see set filter commands). Where a filter name contains spaces, it must be
contained within quotes.
Examples
Create the following port mappings:
1A > 1B include filter HTTP
2A > 2B
2B > 2A
2C > 2D
2D > 2C
3A > 3B
3A > 3D include HTTP filter
3A > 4C exclude HTTP filter
3B > 3A
4A > 4B
2A > 2B, 2C, 2D, 3A, 3B, 4A, 4B, 1B include SMTP filter
4B > 4A
CONTROLLER>set map 1A to 1B require filter HTTP
CONTROLLER>set map 2A to 2B
CONTROLLER>set map 2B to 2A
CONTROLLER>set map 2C to 2D
CONTROLLER>set map 2D to 2C
CONTROLLER>set map 3A to 3B
CONTROLLER>set map 2D to 3D require filter HTTP
CONTROLLER>set map 3A to 4C exclude filter HTTP
CONTROLLER>set map 3B to 3A
CONTROLLER>set map 4A to 4B
CONTROLLER>set map 2A to 2B, 2C, 2D, 3A, 3B, 4A, 4B, 1B require filter SMTP
CONTROLLER>set map 4B to 4A
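The CAUTION at the start of this chapter notes that the system gives no feedback on illogical maps, overloaded ports or packet injection into the live network. As an added example (not part of this guide or of the SmartNA-X software), the Python script below pre-checks a batch of set map commands offline before commit. The PORTS inventory, its speed and tap fields, and the rule that only a TAP port's A/B or C/D partner may feed it are assumptions standing in for what show port reports.

```python
import re
from collections import defaultdict

# Constructed port inventory (assumed, not read from a device): speed in
# Mbit/s as `show port` reports it, and whether the port is a TAP port
# (set port ... tap on), i.e. connected to the live network.
PORTS = {
    "1A": {"speed": 1000, "tap": True},
    "1B": {"speed": 1000, "tap": True},
    "2A": {"speed": 10000, "tap": False},
    "2B": {"speed": 1000, "tap": False},
    "3A": {"speed": 1000, "tap": True},
    "3B": {"speed": 1000, "tap": True},
    "3C": {"speed": 1000, "tap": False},
    "RA": {"speed": 10000, "tap": False},
}

# set map in-port ... to out-port ... [require filter ...] [exclude filter ...]
MAP_RE = re.compile(
    r"^set map\s+(?P<src>.+?)\s+to\s+(?P<dst>.+?)"
    r"(?:\s+require\s+filter\s+(?P<req>.+?))?"
    r"(?:\s+exclude\s+filter\s+(?P<exc>.+?))?$"
)


def _ports(field):
    # The syntax separates ports with spaces; the guide's own example also
    # uses commas, so both separators are accepted here.
    return [p for p in re.split(r"[,\s]+", field) if p]


def parse_map(line):
    """Split one `set map` command into (sources, destinations, require, exclude)."""
    m = MAP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a set map command: {line!r}")

    def unquote(s):
        return s.strip().strip('"') if s else None

    return _ports(m["src"]), _ports(m["dst"]), unquote(m["req"]), unquote(m["exc"])


def tap_partner(port):
    """A TAP pair is A/B or C/D on the same module (e.g. 3A <-> 3B); assumed."""
    pair = {"A": "B", "B": "A", "C": "D", "D": "C"}
    return port[:-1] + pair.get(port[-1], "")


def check_maps(lines, ports=PORTS):
    """Return (severity, message) findings for a batch of pending maps."""
    findings = []
    feeders = defaultdict(set)  # destination -> source ports aggregated into it
    for line in lines:
        srcs, dsts, _req, _exc = parse_map(line)
        for p in srcs + dsts:
            if p not in ports:
                findings.append(("error", f"unknown port {p}: {line}"))
        for d in dsts:
            if d in srcs:
                findings.append(("error", f"{d} is both source and destination: {line}"))
            # Only the TAP partner may feed a TAP port (the normal A<->B
            # pass-through); anything else would inject into the live network.
            if ports.get(d, {}).get("tap"):
                foreign = [s for s in srcs if s != tap_partner(d)]
                if foreign:
                    findings.append(("error", f"{foreign} mapped into TAP port {d}: "
                                              "packet injection into live network"))
            feeders[d].update(s for s in srcs if s in ports)
    # Aggregation check: total source line rate against the destination's speed.
    for d, srcs in feeders.items():
        if d not in ports:
            continue
        load = sum(ports[s]["speed"] for s in srcs)
        if load > ports[d]["speed"]:
            findings.append(("warning", f"{d} ({ports[d]['speed']} Mbit/s) aggregates "
                                        f"{sorted(srcs)} = {load} Mbit/s: possible "
                                        "overload and dropped packets"))
    return findings


if __name__ == "__main__":
    pending = [  # constructed batch of maps awaiting commit
        "set map 3A to 3B",
        "set map 3B to 3A",
        "set map 3A 3B to 3C",
        "set map 2A to 3A",
    ]
    for sev, msg in check_maps(pending):
        print(f"{sev.upper()}: {msg}")
```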
SHOW FILTERS
Use the show filters command to display information for all filters, including any port maps they are bound to.
To remove filters, use the clear maps command, which will also remove all defined maps.
Command form
show filters
Examples
Show filters:
CONTROLLER> show filters
filters
arp_traffic
ipv4
destination : 192.168.0.1/255.255.255.0
source : 10.10.0.3
packetType : arp
protocol : 6
SET FILTER IPV4
Use the set filter ipv4 command to create a filter for IPv4 packets. If no other conditions are specified, the filter
matches all packets of type IPv4. Additional IPv4 conditions can be specified to further refine the match
conditions. For example, specifying the VLAN number limits matches to those IPv4 packets which have the
specified VLAN header information. Multiple conditions can also be specified, in which case all conditions must be
satisfied before a filter is considered a match. Packets matching an applied filter will either be passed or
dropped, depending on the criteria specified in the set map command.
Command form
set filter name-string ipv4 [ipv4-conditions …]
name-string
Specifies the filter name. The name may contain spaces, but if it does, it must be
contained in quotes “…”; the name itself may not contain the quotes character.
Filter names are case-sensitive.
ipv4-conditions
(Optional) Provides additional filtering conditions for the specified protocol. All
conditions must be satisfied for the filter to match. For IPv4 packets, the following
additional filtering conditions may be specified:
[vlan vl-value] (Optional) Filters on the specified value matching the VLAN
number. For vl-value, the following formats are recognized:
• 100 – A single tag
• 100–110 – A range (inclusive)
• 0/1 – A value/mask pair (here: all even tags)
• 100,150 – Multiple tags. Use commas (no spaces) to separate VLANs.
The following caveats should be noted when filtering by VLAN:
• When a filter is set to permit VID 1, untagged packets will still be forwarded.
• Tagged packets with a VID of 1 will be forwarded untagged.
• Tagged packets with a VID of 0 will be dropped by SmartNA-X.
[mac src mac-value] (Optional) Filters on the specified value matching the source
MAC address. For mac-value, the following formats are recognized:
• 01:23:45:67:89:ab – A single address
• 01:23:45:67:89:ab,01:23:45:67:89:ac – Multiple addresses. Use commas (no
spaces) to separate addresses.
[mac dest mac-value] (Optional) Filters on the specified value matching the
destination MAC address.
[mac either mac-value] (Optional) Filters on the specified value matching either
the source or destination MAC address.
[protocol ptcl-value] (Optional) Filters on the specified value matching the
specified protocol type. ptcl-value may be an Assigned Internet Protocol Number
or one of the following keywords: TCP, UDP, ICMPV4, TCP_UDP.
[dscp dscp-value] (Optional) Filters on the specified value matching the DSCP
number. Use commas if specifying multiple DSCP values.
[port src prt-value] (Optional) Filters on the specified value matching the source
UDP or TCP port number. For prt-value, the following formats are recognized:
• 10 – A single port
• 10-20 – A range (inclusive)
• 10,15 – Multiple ports (multiple ports may each use a range). Use commas (no
spaces) to separate ports.
[port dest prt-value] (Optional) Filters on the specified value matching the
destination UDP or TCP port number.
[port either prt-value] (Optional) Filters on the specified value matching either the
source port number or the destination UDP or TCP port number.
[address src add-value] (Optional) Filters on the specified value matching the IP
source address. For add-value, the following formats are recognized:
• 192.168.0.1 – A single address
• 192.168.0.4-10 – A range (inclusive)
• 192.168.0.* – Wildcard (192.168.0.0-255)
• 10.10.0.0/255.255.255.252 – Mask (10.10.0.0-3)
• 10.10.0.3,10.10.0.5 – Multiple addresses. Use commas (no spaces) to separate
addresses.
Ranges and wildcards may be used in any segment.
Multiple addresses may each use ranges, wildcards, a prefix or a mask.
[address dest add-value] (Optional) Filters on the specified value matching the IP
destination address.
[address either add-value] (Optional) Filters on the specified value matching
either the IP source or destination address.
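As an added example, not from the guide, the following Python code parses the add-value and vl-value formats listed above (the same VLAN formats are listed for set filter ipv6) so that a filter's address and VLAN conditions can be checked against sample addresses and tags before commit. The /N prefix spelling, and treating an untagged packet as VID 1 for matching, are assumptions drawn from the notes in this section.

```python
import ipaddress
import re


def _segment_range(seg):
    """One dotted-quad segment of an add-value: '7', '4-10' or '*' -> (lo, hi)."""
    if seg == "*":
        return 0, 255
    lo, _, hi = seg.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad address segment {seg!r}")
    return lo, hi


def address_predicates(value):
    """Compile an add-value (single address, per-segment range, wildcard, mask,
    or a comma list of those) into predicates over an IPv4Address.
    The guide also mentions a prefix form; it is assumed to be written /N."""
    preds = []
    for item in value.split(","):
        if "/" in item:
            # "10.10.0.0/255.255.255.252" (mask) or "10.10.0.0/30" (assumed prefix)
            net = ipaddress.IPv4Network(item, strict=False)
            preds.append(lambda a, n=net: a in n)
        else:
            segs = item.split(".")
            if len(segs) != 4:
                raise ValueError(f"bad address {item!r}")
            ranges = [_segment_range(s) for s in segs]  # ranges/wildcards in any segment
            preds.append(lambda a, r=ranges: all(lo <= octet <= hi
                                                 for octet, (lo, hi) in zip(a.packed, r)))
    return preds


def address_matches(value, addr):
    """True if the address matches any element of the add-value list."""
    a = ipaddress.IPv4Address(addr)
    return any(p(a) for p in address_predicates(value))


def vlan_matches(value, vid):
    """vid is the 802.1Q VID of the packet, or None for an untagged packet.
    Caveats from the guide: a filter permitting VID 1 still forwards untagged
    packets (so untagged is treated as VID 1 here, an assumption), and tagged
    packets with VID 0 are dropped by SmartNA-X, so they never match."""
    if vid is None:
        vid = 1
    elif vid == 0:
        return False
    for item in value.split(","):
        if "/" in item:  # value/mask pair, e.g. 0/1 = all even tags
            v, m = (int(x) for x in item.split("/", 1))
            if vid & m == v & m:
                return True
        else:  # single tag or inclusive range (the guide prints the range with an en dash)
            parts = re.split(r"[-\u2013]", item, maxsplit=1)
            if int(parts[0]) <= vid <= int(parts[-1]):
                return True
    return False


if __name__ == "__main__":
    # Constructed check of the guide's html_traffic example: source 10.10.0.*
    # to destination 192.168.0.*
    for src, dst in [("10.10.0.9", "192.168.0.200"), ("10.10.1.9", "192.168.0.200")]:
        ok = address_matches("10.10.0.*", src) and address_matches("192.168.0.*", dst)
        print(f"{src} -> {dst}: {'match' if ok else 'no match'}")
```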
Examples
• Set up IPv4 filter for TCP traffic from source address 10.10.0.3 to destinations on subnet 192.168.0.1/255.255.255.0:
CONTROLLER>set filter tcp_traffic ipv4 protocol tcp address src 10.10.0.3 address dest 192.168.0.1/255.255.255.0
CONTROLLER>show filters
Use commit command to configure the switch with these.
filters
tcp_traffic
packetType : ipv4
protocol : 6
ipv4
source : 10.10.0.3
destination : 192.168.0.1/255.255.255.0
CONTROLLER>commit
Committing maps and filters
• Set up IPv4 filter for TCP and UDP packets on port 25 (UDP port 25 is reserved for Simple Mail Transfer
Protocol (SMTP) e-mail routing between mail servers):
CONTROLLER>set filter smtp_traffic ipv4 protocol tcp_udp port src 25
CONTROLLER>show filters
Use commit command to configure the switch with these.
filters
http
packetType : ipv4
smtp
packetType : ipv4
protocol : 6,17
port
source : 25
CONTROLLER>commit
Committing maps and filters
• Set up IPv4 filter for TCP and UDP packets on ports 80 (HTTP), 8080 (HTTP alternative), and 443
(HTTPS) from source addresses 10.10.0.* to destination addresses 192.168.0.*:
CONTROLLER>set filter html_traffic ipv4 protocol tcp_udp port src 80,8080,443 address src 10.10.0.* address dest 192.168.0.*
CONTROLLER>show filters
html_traffic
packetType : ipv4
protocol : 6,17
port
source : 80,8080,443
ipv4
source : 10.10.0.*
destination : 192.168.0.*
CONTROLLER>commit
Committing maps and filters
S ET FILTER IPV 6
Use the set filter ipv6 command to create a filter for IPv6 packets. If no other conditions are specified, the filter
matches all packets of type IPv6. Additional IPv6 conditions can be specified to further refine the match
conditions. For example, specifying the VLAN number limits matches to those IPv6 packets which have the
specified VLAN header information. Multiple conditions can also be specified where all conditions must be
satisfied before a filter is considered a match. Packets matching an applied filter will either be passed or
dropped, depending on the criteria specified in the set map command.
Command form
set filter name-string ipv6 [ipv6-conditions …]
name-string
Specifies the filter name. The name may contain spaces, but if it does, it must be
contained in quotes “…”; the name itself may not contain the quotes character.
Filter names are case-sensitive.
ipv6-conditions
(Optional) Provides additional filtering conditions for the specified protocol. All
conditions must be satisfied for the filter to match. For IPv6 packets, the following
additional filtering conditions may be specified:
[vlan vl-value] (Optional) Filters on the specified value matching the VLAN
number. For vl-value, the following formats are recognized:
• 100 – A single tag
• 100–110 – A range (inclusive)
• 0/1 – A value/mask pair (here: all even tags)
• 100,150 – Multiple tags. Use commas (no spaces) to separate VLANs.
[mac src mac-value] (Optional) Filters on the specified value matching the source
MAC address. For mac-value, the following formats are recognized:
• 01:23:45:67:89:ab – A single address
• 01:23:45:67:89:ab,01:23:45:67:89:ac – Multiple addresses. Use commas (no
spaces) to separate addresses.
[mac dest mac-value] (Optional) Filters on the specified value matching the
destination MAC address.
[mac either mac-value] (Optional) Filters on the specified value matching
either the source or destination MAC address.
[protocol ptcl-value] (Optional) Filters on the specified value matching the
specified protocol type. ptcl-value may be an Assigned Internet Protocol Number
or one of the following keywords: TCP, UDP, TCP_UDP.
Note that no keyword exists to filter packets by ICMPv6, but you can still do so by
specifying the protocol number (58) instead.
[dscp dscp-value] (Optional) Filters on the specified value matching the DSCP
number. Use commas if specifying multiple DSCP values.
[port src prt-value] (Optional) Filters on the specified value matching the source
port number. For prt-value, the following formats are recognized:
• 10 – A single port
• 10-20 – A range (inclusive)
• 10,15 – Multiple ports (multiple ports may each use a range). Use commas (no
spaces) to separate ports.
[port dest prt-value] (Optional) Filters on the specified value matching the
destination port number.
[port either prt-value] (Optional) Filters on the specified value matching either the
source port number or the destination port number.
[address src add-value] (Optional) Filters on the specified value matching the IP
source address. You may give either a single specification, to find packets where
either the source or the destination address matches, or separate specifications for
source and/or destination address. The following formats are recognized in each
case:
• 2000:abcd:0:0:0:0:77:88 – A single address
• 2000:abcd::77:88 – A single address (eliding a single run of zero segments)
• 2000:abcd::77:88-99 – A range (inclusive)
• ::ffff:0:0/96 – Prefix (any address starting 0:0:0:0:0:ffff)
• 2000::1,2000::3 – Multiple addresses. Use commas (no spaces) to separate
addresses.
Ranges may be used in any segment.
Multiple addresses may each use ranges or prefix notation.
[address dest add-value] (Optional) Filters on the specified value matching the IP
destination address.
[address either add-value] (Optional) Filters on the specified value matching
either the IP source or destination address.
Examples
• Set up IPv6 filter for TCP/UDP traffic from source address 2001:db8:85a3::8a2e:370:7334 to destinations
2000:abcd::77:88-99:
CONTROLLER>set filter tcp6_traffic ipv6 protocol tcp_udp address src
2001:db8:85a3::8a2e:370:7334 address dest 2000:abcd::77:88-99
CONTROLLER>show filters
Use commit command to configure the switch with these.
filters
tcp6_traffic
packetType : ipv6
protocol : 6,17
ipv6
source : 2001:db8:85a3::8a2e:370:7334
destination : 2000:abcd::77:88-99
CONTROLLER>commit
Committing maps and filters
• Set up IPv6 filter for TCP and UDP packets on port 25 (UDP port 25 is reserved for Simple Mail Transfer
Protocol (SMTP) e-mail routing between mail servers):
CONTROLLER>set filter smtpv6_traffic ipv6 protocol tcp_udp port src 25
CONTROLLER>show filters
smtpv6_traffic
packetType : ipv6
protocol : 6,17
port
source : 25
CONTROLLER>commit
Committing maps and filters
SET FILTER ANYIP
Use the set filter anyip command to create a filter for IPv4 or IPv6 packets. If no other conditions are specified,
the filter matches all IP packets. Additional conditions can be specified to further refine the match conditions.
For example, specifying the VLAN number limits matches to those IP packets which have the specified VLAN
header information. Multiple conditions can also be specified where all conditions must be satisfied before a
filter is considered a match. Packets matching an applied filter will either be passed or dropped, depending on
the criteria specified in the set map command.
Command form
set filter name-string anyip [anyip-conditions …]
name-string
Specifies the filter name. It may contain spaces, but if it does, it must be contained
in quotes “…”; the name itself may not contain the quotes character.
anyip-conditions
(Optional) Provides additional filtering conditions for the specified protocol. All
conditions must be satisfied for the filter to match. For IP packets, the following
additional filtering conditions may be specified:
[vlan vl-value] (Optional) Filters on the specified value matching the VLAN
number. For vl-value, the following formats are recognized:
• 100 – A single tag
• 100–110 – A range (inclusive)
• 0/1 – A value/mask pair (here: all even tags)
• 100,150 – Multiple tags. Use commas (no spaces) to separate VLANs.
The following caveats should be noted when filtering by VLAN:
• When a filter is set to permit VID 1, untagged packets will still be forwarded.
• Tagged packets with a VID of 1 will be forwarded untagged.
• Tagged packets with a VID of 0 will be dropped by SmartNA-X.
[mac src mac-value] (Optional) Filters on the specified value matching the source
MAC address. For mac-value, the following formats are recognized:
• 01:23:45:67:89:ab – A single address
• 01:23:45:67:89:ab,01:23:45:67:89:ac – Multiple addresses. Use commas (no
spaces) to separate addresses.
[mac dest mac-value] (Optional) Filters on the specified value matching the
destination MAC address.
[mac either mac-value] (Optional) Filters on the specified value matching
either the source or destination MAC address.
[protocol ptcl-value] (Optional) Filters on the specified value matching the
specified protocol type. ptcl-value may be an Assigned Internet Protocol Number
or one of the following keywords: TCP, UDP, ICMPV4, TCP_UDP.
[dscp dscp-value] (Optional) Filters on the specified value matching the DSCP
number. Use commas if specifying multiple DSCP values.
[port src prt-value] (Optional) Filters on the specified value matching the source
port number. For prt-value, the following formats are recognized:
• 10 – A single port
• 10-20 – A range (inclusive)
• 10,15 – Multiple ports (multiple ports may each use a range). Use commas (no
spaces) to separate ports.
[port dest prt-value] (Optional) Filters on the specified value matching the
destination port number.
[port either prt-value] (Optional) Filters on the specified value matching either the
source port number or the destination port number.
Examples
• Set up IPv4/IPv6 filter for TCP/UDP traffic from MAC address 01:23:45:67:89:ab to MAC addresses
01:23:45:67:89:ab or 01:23:45:67:89:ac:
CONTROLLER>set filter tcp6_traffic ipv6 protocol tcp_udp mac src
01:23:45:67:89:ab,01:23:45:67:89:ac mac dest 01:23:45:67:89:ab,01:23:45:67:89:ac
CONTROLLER>show filters
Use commit command to configure the switch with these.
filters
tcp6_traffic
packetType : ipv6
protocol : 6,17
ipv6
source : 2001:db8:85a3::8a2e:370:7334
destination : 2000:abcd::77:88-99
CONTROLLER>commit
Committing maps and filters
SET FILTER ARP
Use the set filter arp command to create a filter for ARP (Address Resolution Protocol) packets. If no other
conditions are specified, the filter matches all ARP packets. Additional conditions can be specified to further
refine the match conditions. For example, specifying the VLAN number limits matches to those ARP packets
which have the specified VLAN header information. Multiple conditions can also be specified where all
conditions must be satisfied before a filter is considered a match. Packets matching an applied filter will either
be passed or dropped, depending on the criteria specified in the set map command.
Command form
set filter name-string arp [arp-conditions …]
name-string
Specifies the filter name. It may contain spaces, but if it does, it must be contained
in quotes “…”; the name itself may not contain the quotes character.
arp-conditions
(Optional) Provides additional filtering conditions for the specified protocol. All
conditions must be satisfied for the filter to match. For ARP packets, the following
additional filtering conditions can be specified:
[vlan vl-value] (Optional) Filters on the specified value matching the VLAN
number. For vl-value, the following formats are recognized:
• 100 – A single tag
• 100–110 – A range (inclusive)
• 0/1 – A value/mask pair (here: all even tags)
• 100,150 – Multiple tags. Use commas (no spaces) to separate VLANs.
[mac src mac-value] (Optional) Filters on the specified value matching the source
MAC address. For mac-value, the following formats are recognized:
• 01:23:45:67:89:ab – A single address
• 01:23:45:67:89:ab,01:23:45:67:89:ac – Multiple addresses. Use commas (no
spaces) to separate addresses.
[mac dest mac-value] (Optional) Filters on the specified value matching the
destination MAC address.
[mac either mac-value] (Optional) Filters on the specified value matching either
the source or destination MAC address.
[address src add-value] (Optional) Filters on the specified value matching the IP
source address. For add-value, the following formats are recognized:
• 192.168.0.1 – A single address
• 192.168.0.4-10 – A range (inclusive)
• 192.168.0.* – Wildcard (192.168.0.0-255)
• 10.10.0.0/255.255.255.252 – Mask (10.10.0.0-3)
• 10.10.0.3,10.10.0.5 – Multiple addresses. Use commas (no spaces) to separate
addresses.
Ranges and wildcards can be used in any segment.
Multiple addresses can each use ranges, wildcards, a prefix or a mask.
[address dest add-value] (Optional) Filters on the specified value matching the IP
destination address.
[address either add-value] (Optional) Filters on the specified value matching
either the IP source or destination address.
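The add-value and vl-value formats listed in this and the earlier set filter sections (IPv4 single / range / wildcard / mask / list, IPv6 single / elided / range / prefix / list, VLAN single / range / value-mask / list) are easy to misread, in particular the per-segment ranges and the "0/1 selects all even tags" mask form. The following Python is an added example, not code from SmartNA-X or Network Critical; it models those documented formats so a filter specification can be checked against sample addresses offline before it is committed. The function names, the (width, base) parameters and the treatment of a "/bits" prefix for IPv4 are the example's own assumptions.

```python
"""Matcher for the add-value and vl-value formats documented above.
Added example, not code from SmartNA-X: it models the IPv4 formats
(single, range, wildcard, mask, list), the IPv6 formats (single, elided,
range, prefix, list) and the VLAN formats (single, range, value/mask, list)
so their semantics can be checked offline before a filter is committed."""
import ipaddress


def _seg_range(seg, width, base):
    """Parse one segment written as 'n', 'n-m' or '*' into (lo, hi)."""
    if seg == "*":
        return 0, (1 << width) - 1
    lo, _, hi = seg.partition("-")
    lo_v = int(lo, base)
    hi_v = int(hi, base) if hi else lo_v
    if not 0 <= lo_v <= hi_v < (1 << width):
        raise ValueError(f"segment out of range: {seg}")
    return lo_v, hi_v


def _ipv4_item(item):
    """Predicate for one IPv4 item: dotted mask / prefix, or four segments."""
    if "/" in item:
        net = ipaddress.IPv4Network(item, strict=False)  # 10.10.0.0/255.255.255.252
        return lambda a: ipaddress.IPv4Address(a) in net
    parts = item.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 spec: {item}")
    ranges = [_seg_range(p, 8, 10) for p in parts]

    def pred(a):
        octets = ipaddress.IPv4Address(a).packed
        return all(lo <= o <= hi for o, (lo, hi) in zip(octets, ranges))
    return pred


def _expand_v6(item):
    """Expand a single '::' into eight textual segments (ranges survive)."""
    if "::" in item:
        left, right = item.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        segs = head + ["0"] * (8 - len(head) - len(tail)) + tail
    else:
        segs = item.split(":")
    if len(segs) != 8:
        raise ValueError(f"bad IPv6 spec: {item}")
    return segs


def _ipv6_item(item):
    """Predicate for one IPv6 item: prefix, or eight hex segments with ranges."""
    if "/" in item:
        net = ipaddress.IPv6Network(item, strict=False)  # ::ffff:0:0/96
        return lambda a: ipaddress.IPv6Address(a) in net
    ranges = [_seg_range(s, 16, 16) for s in _expand_v6(item)]

    def pred(a):
        packed = ipaddress.IPv6Address(a).packed
        words = [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]
        return all(lo <= w <= hi for w, (lo, hi) in zip(words, ranges))
    return pred


def compile_address_spec(spec, family):
    """Compile a comma-separated add-value (family 'ipv4' or 'ipv6') into a
    function that reports whether an address string matches any item."""
    build = _ipv4_item if family == "ipv4" else _ipv6_item
    preds = [build(item) for item in spec.split(",")]
    return lambda addr: any(p(addr) for p in preds)


def vlan_matches(spec, vid):
    """vl-value: '100', '100-110', '0/1' (value/mask pair) or a comma list.
    The guide prints ranges with an en dash; both dash forms are accepted."""
    for item in spec.replace("\u2013", "-").split(","):
        if "/" in item:
            value, mask = (int(x) for x in item.split("/"))
            if vid & mask == value & mask:  # '0/1' selects every even tag
                return True
        else:
            lo, hi = _seg_range(item, 12, 10)
            if lo <= vid <= hi:
                return True
    return False
```

A useful habit before committing a broad "either" or wildcard filter on a production TAP is to run the intended specification through a matcher like this against the addresses you expect to capture and a few you expect to exclude; the mask form in particular (`10.10.0.0/255.255.255.252` covers only `10.10.0.0-3`) is narrower than it looks.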
Examples
• Set up ARP filter for traffic from source address 10.10.0.3 to destinations on subnet 192.168.0.1/
255.255.255.0:
CONTROLLER>set filter arp_traffic address src 10.10.0.3 address dest 192.168.0.1/
255.255.255.0
CONTROLLER>show filters
Use commit command to configure the switch with these.
filters
arp_traffic
packetType : ipv4
protocol : 6
ipv4
source : 10.10.0.3
destination : 192.168.0.1/255.255.255.0
CONTROLLER>commit
Committing maps and filters
• Set up ARP filter for MAC destinations 01:23:45:67:89:ab, 01:23:45:67:89:ac.
CONTROLLER>set filter arp_mac ipv4 mac dest 01:23:45:67:89:ab,01:23:45:67:89:ac
CONTROLLER>show filters
Use commit command to configure the switch with these.
filters
http
packetType : ipv4
smtp
packetType : ipv4
protocol : 6,17
port
source : 25
CONTROLLER>commit
Committing maps and filters
• Set up ARP filter for TCP/UDP traffic from MAC address 01:23:45:67:89:ab to MAC addresses
01:23:45:67:89:ab or 01:23:45:67:89:ac:
CONTROLLER>set filter tcp6_traffic ipv6 protocol tcp_udp mac src
01:23:45:67:89:ab,01:23:45:67:89:ac mac dest 01:23:45:67:89:ab,01:23:45:67:89:ac
CONTROLLER>show filters
Use commit command to configure the switch with these.
filters
tcp6_traffic
packetType : ipv6
protocol : 6,17
ipv6
source : 2001:db8:85a3::8a2e:370:7334
destination : 2000:abcd::77:88-99
CONTROLLER>commit
Committing maps and filters
SET FILTER MPLS LABEL
Use the set filter mpls label command to create a filter for MPLS (Multiprotocol Label Switching) packets with
an ethertype of 0x8847 or 0x8848 (the system does not process MPLS encapsulated in IP). The filter can be
further refined by specifying an MPLS label. Packets matching an applied filter will either be passed or
dropped, depending on the criteria specified in the set map command.
Command form
set filter name-string mpls label value,…
name-string
Specifies the filter name. It may contain spaces, but if it does, it must be contained
in quotes “…”; the name itself may not contain the quotes character.
value
Filter traffic by MPLS label. Where the MPLS header for a packet contains
multiple labels, this will test the top label in the stack. The following formats are
recognized:
• 100 – A single label
• 100-110 – A range (inclusive)
• 100,150 – Multiple labels (may also use ranges). Use commas (no spaces) to
separate labels.
Example
Set up a filter for MPLS label 100:
CONTROLLER>set filter mpls_traffic mpls label 100
SET FILTER ANY
Use the set filter any command to create a filter that matches VLAN, source MAC, destination MAC, or either
MAC address (source or destination) header information for any EtherType. Packets matching an applied filter
will either be passed or dropped, depending on the criteria specified in the set map command.
Command form
set filter name-string any [any-conditions …]
name-string
Specifies the filter name. It may contain spaces, but if it does, it must be contained
in quotes “…”; the name itself may not contain the quotes character.
any-conditions
(Optional) Provides additional filtering conditions for the specified protocol. All
conditions must be satisfied for the filter to match. The following additional
filtering conditions may be specified:
[vlan vl-value] (Optional) Filters on the specified value matching the VLAN
number. For vl-value, the following formats are recognized:
• 100 – A single tag
• 100–110 – A range (inclusive)
• 0/1 – A value/mask pair (here: all even tags)
• 100,150 – Multiple tags. Use commas (no spaces) to separate VLANs.
The following caveats should be noted when filtering by VLAN:
• When a filter is set to permit VID 1, untagged packets will still be forwarded.
• Tagged packets with a VID of 1 will be forwarded untagged.
• Tagged packets with a VID of 0 will be dropped by SmartNA-X.
[mac src mac-value] (Optional) Filters on the specified value matching the source
MAC address. For mac-value, the following formats are recognized:
• 01:23:45:67:89:ab – A single address
• 01:23:45:67:89:ab,01:23:45:67:89:ac – Multiple addresses. Use commas (no
spaces) to separate addresses.
[mac dest mac-value] (Optional) Filters on the specified value matching the
destination MAC address.
[mac either mac-value] (Optional) Filters on the specified value matching either
the source or destination MAC address.
Commands for managing SNMP
This section describes the SNMP commands that are used to view, create and delete SNMP related
configurations. Commands are entered in the SmartNA-X command-line interface and require Administrator
access to run.
For security, the SNMP agent is disabled on SmartNA-X by default. Although you can still configure SNMP
notifications, users, views and groups, you’ll need to enable the agent to expose management data and send
notifications. To enable the SNMP agent, enter the following command:
CONTROLLER>snmp enable agent
To confirm the agent is enabled, use this command:
CONTROLLER>snmp show agent
SNMP : Enabled
If you need to disable the agent, use this command:
CONTROLLER>snmp disable agent
CONTROLLER>snmp show agent
SNMP : Disabled
The CLI supports the following SNMP commands:
• SNMP basic commands, page 151
• SNMP notify commands, page 156
• SNMPv1/v2c commands, page 162
• SNMP View-based Access Control Module (VACM) commands, page 168
SNMP basic commands
• SNMP SHOW ALL, page 152
• SNMP AGENT / SET SNMP / SHOW SNMP, page 153
• SNMP APPLY, page 154
• SNMP SHOW ENGINEID, page 155
SNMP SHOW ALL
Use the snmp show all command to output SNMP configuration information.
SNMP: SNMPv1, SNMPv2c, SNMPv3
Command form
snmp show all
Example
Output all SNMP configuration information:
CONTROLLER>snmp show all
SNMP : Enabled
SNMP
notify : on
system notify : on
health notify : on
Community number 0
IP protocol version : ipv4
comString : public
Community Type : ro
oid :
source :
...
Notify Host number 2
host : 192.168.0.3
Notify type : trap
Version Set : v2c
sec name : public
SNMP AGENT / SET SNMP / SHOW SNMP
Use the snmp agent command to enable and disable the SNMP agent, or to show the agent’s current status.
The agent must be enabled to expose management data and send notifications.
SNMP: SNMPv1, SNMPv2c, SNMPv3
Command form
snmp {show | enable | disable} agent
set snmp {on | off}
show snmp
show | enable | disable
Use show to show the current enabled or disabled state of the SNMP agent. Use
enable to enable the SNMP agent. Use disable to disable the SNMP agent.
{on | off}
Use on to enable SNMP. Use off to disable SNMP.
Examples
• Show status of the SNMP agent:
CONTROLLER>snmp show agent
SNMP : Disabled
• Enable the SNMP agent:
CONTROLLER>snmp enable agent
CONTROLLER>snmp show agent
SNMP : Enabled
SNMP APPLY
Use the snmp apply command to apply all pending SNMP changes. Note, the system does not allow you to
partially implement pending SNMP changes.
SNMP: SNMPv1, SNMPv2c, SNMPv3
Command form
snmp apply
Example
Apply pending SNMP configuration changes:
CONTROLLER>snmp disable agent
CONTROLLER>snmp show agent
SNMP : Disabled
SNMP SHOW ENGINEID
Use the snmp show engineID command to display the SNMP engine identity. The engine identity is
automatically generated from the IANA-assigned enterprise number of Network Critical and the MAC address
of the “eth0” interface.
SNMP: SNMPv3
Command form
snmp show engineId
Example
Display the SNMP engine identity:
CONTROLLER>snmp show engineid
Engine ID : 0x80007b9d03001dff00eef4
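The engine ID shown above follows the SnmpEngineID layout of RFC 3411: four octets carrying the enterprise number (with the top bit set to mark the new format), one format octet, then a format-specific body. The following Python is an added example, not SmartNA-X code; it decodes the value printed by the guide and shows that it carries enterprise number 31645 (the same number that appears in the proprietary MIB OID 1.3.6.1.4.1.31645 used in the snmp create community example) and the eth0 MAC address. The function name and the dictionary keys are the example's own.

```python
"""Decoder for SNMPv3 engine IDs of the form shown above. Added example,
not SmartNA-X code: it applies the SnmpEngineID layout from RFC 3411
(enterprise number, format octet, format-specific body) to the value the
guide prints, and shows that the MAC address of eth0 is readable from it."""

ENTERPRISE_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def decode_engine_id(engine_id):
    """Return a dict describing an engine ID given as '0x...' or bare hex."""
    hexstr = engine_id[2:] if engine_id.lower().startswith("0x") else engine_id
    raw = bytes.fromhex(hexstr)
    if len(raw) < 5 or len(raw) > 32:
        raise ValueError("engine ID must be 5..32 octets")
    if not raw[0] & 0x80:
        # Bit 7 clear: pre-RFC 3411 layout, 12 octets with no format octet.
        return {"layout": "legacy", "enterprise": int.from_bytes(raw[:4], "big")}
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt, body = raw[4], raw[5:]
    info = {"layout": "rfc3411", "enterprise": enterprise, "format": fmt,
            "format_name": ENTERPRISE_FORMATS.get(fmt, "enterprise-specific")}
    if fmt == 1 and len(body) == 4:
        info["address"] = ".".join(str(b) for b in body)
    elif fmt == 2 and len(body) == 16:
        info["address"] = ":".join(body[i:i + 2].hex() for i in range(0, 16, 2))
    elif fmt == 3 and len(body) == 6:
        info["mac"] = ":".join(f"{b:02x}" for b in body)
    elif fmt == 4:
        info["text"] = body.decode("ascii", errors="replace")
    elif fmt >= 128:
        info["vendor_specific"] = body.hex()
    else:
        info["body"] = body.hex()  # format 5 (octets) or a malformed body
    return info


# Value printed by 'snmp show engineid' in the guide.
GUIDE_ENGINE_ID = "0x80007b9d03001dff00eef4"

if __name__ == "__main__":
    print(decode_engine_id(GUIDE_ENGINE_ID))
```

Two practical consequences follow from the layout: the engine ID is the value a manager needs when SNMPv3 informs are configured with snmp create host (the manager's own engine ID is passed there), and because the MAC-based format embeds the eth0 hardware address, anyone able to read the engine ID learns that address, which is one more reason to keep the agent disabled until it is needed and to restrict who can query it.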
SNMP notify commands
• SNMP NOTIFY, page 157
• SNMP SHOW HOST, page 158
• SNMP CREATE HOST, page 159
• SNMP DELETE HOST, page 161
SNMP NOTIFY
Use the snmp notify command to show the current status of notifications, and to enable and disable SNMP
notifications. SNMP notifications can be sent as traps or informs. Traps are unreliable because the receiver
does not acknowledge them, so the sender cannot determine whether they were received. An SNMP entity
that receives an inform request, by contrast, acknowledges it with an SNMP response; if the sender never
receives the response, the inform request can be sent again, so informs are more likely to reach their
intended destination.
SNMP: SNMPv1, SNMPv2c, SNMPv3
Command form
snmp {show | enable | disable} notify {all | snmp | system | health}
{show | enable | disable}
Show, enable or disable notifications.
{all | snmp | system | health}
Choose which notifications the command applies to (notification names shown in
parentheses):
• Use all to select all notification types
• Use snmp for the following notifications: system power up/down (coldStart),
system restart (warmStart), SNMP authentication failure
(authenticationFailure)
• Use system for the following notifications: link status up (linkUp), link status
down (linkDown), traffic over high threshold (nctapNotifyXSTrafficOver),
traffic under low threshold (nctapNotifyXSTrafficUnder), TAP module
insertion/removal (nctapNotifyCard), CLI/web UI login failure
(ncUnauthorisedAccess)
• Use health for the following notifications: system temperature over threshold
(nctapNotifySysTemperature), TAP module temperature over threshold
(nctapNotifyTemperature), power on/off (nctapNotifyPower), fan on/off
(nctapNotifyFan)
Examples
• Show notifications:
CONTROLLER>snmp show notify all
• Enable all SNMP notifications:
CONTROLLER>snmp enable notify all
• Enable health-related notifications:
CONTROLLER>snmp enable notify health
• Disable system-related notifications:
CONTROLLER>snmp disable notify system
SNMP SHOW HOST
Use the snmp show host command to show recipients for SNMP notifications.
SNMP: SNMPv1, SNMPv2c, SNMPv3
Command form
snmp show host
Example
Show SNMP notification recipients:
CONTROLLER>snmp show host
SNMP CREATE HOST
Use the snmp create host command to configure the recipients of SNMP notifications, either traps or informs.
Traps are asynchronous, unacknowledged messages sent from the agent to the SNMP managers listed in the
host receiver table. Informs (available in SNMPv2c and SNMPv3 only) are asynchronous messages sent from
the agent to the manager that require acknowledgement.
Informs consume more system resources, since each has to be held in memory until an acknowledgment is
received (at which point the inform is discarded). The inform will be resent if an acknowledge is not received
within a certain period.
Traps are sent by default if the notification type is unspecified.
SNMP: SNMPv1, SNMPv2c, SNMPv3
Command form
snmp create host HOST [v1 | v2c | v3] communitySecret [trap | {inform engine-id}]
HOST
Specifies details of the host where notifications are to be sent. The host is specified
by its hostname or IP address, and may optionally specify the UDP transport type
and port number to use when sending notifications.
HOST uses the following format:
{[udp: | udp6:]address[:port]}
(Optional) For udp:/udp6:, specify the UDP message type, either UDP or UDPv6,
used by the host/manager. If UDP type is not specified, it is assumed to be UDP.
For address, specify the hostname or address in IPv4 or IPv6 format of the
manager. A UDP port number may optionally be specified. If port is not specified,
it is assumed to be the default UDP port (162).
For example, udp:192.168.0.4:162 sets up host 192.168.0.4 on UDP port 162.
[v1 | v2c | v3]
(Optional) Specifies the host SNMP version used by the host/manager and thus
the format of the notifications sent.
communitySecret
Specify the community secret needed to access the host. The following
restrictions apply to the community secret:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
[trap | {inform engine-id}]
(Optional) Specifies the type of notifications to send, either traps or informs.
For engine-id, specify the engine ID of the manager (this option is required when
used with SNMPv3 informs).
Examples
• Set up SNMPv3 trap notifications for user1 on host 192.168.0.3 (traps and UDP port 162 are implied by the defaults):
CONTROLLER>snmp create host 192.168.0.3 v3 user1
• Set up SNMPv3 inform notifications for remoteUser on host 192.168.0.3 with engine id
0x80007b9d03001dffe67899:
CONTROLLER>snmp create host 192.168.0.3 v3 remoteUser inform 0x80007b9d03001dffe67899
• Set up SNMPv2c trap notifications for community commsecret on host 192.168.0.4:162:
CONTROLLER>snmp create host udp:192.168.0.4:162 v2c commsecret
• Set up SNMPv1 trap notifications for community public on host 192.168.0.5:
CONTROLLER>snmp create host 192.168.0.5 v1 public
SNMP DELETE HOST
Use the snmp delete host command to stop sending SNMP notifications to a manager/host.
SNMP: SNMPv1, SNMPv2c, SNMPv3
Command form
snmp delete host HOST [v1 | v2c | v3] [trap | inform]
HOST
Specifies details of the host to stop sending messages to.
HOST uses the following format:
{[udp: | udp6:]address[:port]}
(Optional) For udp:/udp6:, specify the UDP message type to stop sending, either
UDP or UDPv6. If UDP type is not specified, it is assumed to be UDP.
For address, specify the hostname or address in IPv4 or IPv6 format of the
manager you want to stop sending notifications to. A UDP port number may
optionally be specified. If port is not specified, it is assumed to be the default UDP
port (162).
[v1 | v2c | v3]
(Optional) Specifies the host SNMP version used by the host/manager and thus
the format of the notifications that you want to stop sending. If unspecified, it is
assumed to be SNMPv3.
[trap | inform]
(Optional) Specifies the type of notifications to stop sending, either traps or
informs.
Examples
• Delete inform notifications for SNMPv3 remoteUser on host 192.168.0.3 with engine id
0x80007b9d03001dffe67899:
CONTROLLER>snmp delete host 192.168.0.5 v3 remoteUser inform 0x80007b9d03001dffe67899
• Delete SNMPv2c trap notifications on host 192.168.0.4:162:
CONTROLLER>snmp delete host udp:192.168.0.4:162 v2c
SNMPv1/v2c commands
• SNMP CREATE COMMUNITY, page 163
• SNMP DELETE COMMUNITY, page 165
• SNMP SHOW COMMUNITY, page 166
SNMP CREATE COMMUNITY
Use the snmp create community command to create the community secret used in SNMP v1/v2c get and set
requests. A community secret authenticates messages between a management station and an SNMP v1/v2c
engine. Optionally, you can specify one or more of these characteristics associated with the community secret:
• Read and write or read-only permission for the MIB objects accessible to the community
• A list of object identifiers (OIDs) that are accessible to the community
• An access list of IP addresses of the SNMP managers that are permitted to use the community secret to gain
access to the agent
• The IP version permitted to access the MIB objects accessible to the community
Note that community secrets are exchanged in clear text (unencrypted) and are therefore not secure. For better
security, consider implementing SNMPv3 and VACM instead.
SNMP: SNMPv1, SNMPv2c
Command form
snmp create community communitySecret [ro | rw] [oid OID] [source source] [IP_V4 | IP_V6]
communitySecret
Specifies a community secret that acts like a password and permits access to the
SNMP protocol. The following restrictions apply to the community secret:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
[ro | rw]
(Optional) Specifies read-only or read-write (the default) access for the
community. Use ro if you want the community to be able to retrieve the value of
MIB objects but not be able to change values. Use rw if you want the community
to be able to read and write MIB objects. Default: rw
[oid OID]
(Optional) Restricts access to the subtree rooted at the specified OID(s). If you do
not specify this option, the community will have access to the whole OID tree.
Default: .1
[source source]
(Optional) Restricts access to the specified source address, subnet or
hostname. For source, specify either a hostname or IP address, or a subnet,
represented as IP/MASK (e.g. 10.10.10.0/255.255.255.0), or IP/BITS (e.g.
10.10.10.0/24), or the IPv6 equivalent.
[IP_V4 | IP_V6]
(Optional) Restricts access to sources using IPv4 or IPv6. Default: IP_V4
Examples
• Create a read-write community that accepts requests from all sources on all MIBs:
CONTROLLER>snmp create community mysecret
• Create a read-only community that accepts get requests from all sources on all MIBs:
CONTROLLER>snmp create community mysecret ro
• Create a read-write community with access only to the proprietary Network Critical MIBs from the 192.168 subnet:
CONTROLLER>snmp create community mysecret oid 1.3.6.1.4.1.31645 source 192.168.0.0/16
SNMP DELETE COMMUNITY
Use the snmp delete community command to delete the specified community secret.
SNMP: SNMPv1, SNMPv2c
Command form
snmp delete community communitySecret
communitySecret
Specify the community secret to delete.
Example
Delete community mysecret:
CONTROLLER>snmp delete community mysecret
SNMP SHOW COMMUNITY
Use the snmp show community command to display SNMP community information.
SNMP: SNMPv1, SNMPv2c
Command form
snmp show community
Example
Show community information:
CONTROLLER>snmp show community
Community number 0
IP protocol version : ipv6
comString : priSystem6
Community Type : rw
oid : ncSystemMIB
source : fec0:2:0:1111:0:5efe:836b:8101
Community number 1
IP protocol version : ipv4
comString : priRack
Community Type : rw
oid : .1.3.6.1.4.1.31645.2.2.1
source : 192.168.0.104
Community number 15
IP protocol version : ipv4
comString : privcomm
Community Type : rw
oid :
source :
...
SNMP View-based Access Control Module (VACM) commands
VACM (RFC 2575) is designed for inter-working of multiple versions of SNMP (v1, v2c and v3). The Access
Control subsystem of an SNMP engine has the responsibility for checking whether a specific type of access
(read, write, notify) to a particular object (MIB instance) is allowed.
Elements of the View-based Access Control Module:
• Groups – defines the access rights to objects afforded to all security names which belong to that group. A
group is identified by a group name. The combination of a security model (SNMPv1/v2c or USM) and a
security name maps to at most one group.
• Security levels – identifies the level of security that will be assumed when checking for access rights to an
object. Different access rights for members of a group can be defined for different levels of security, namely
noAuthNoPriv, authNoPriv, and authPriv (see Table 9-1, page 56).
• Security names – defines the principals (users) on whose behalf access is requested.
• Security models – defines the security model under which access is requested (USM, SNMPv1 or
SNMPv2c).
VACM examples
Given a pre-existing user johnsmith (which can be set up using the snmp create user command), we could
configure full read-write access to the whole OID tree using the following commands:
CONTROLLER>snmp create sectogroup RWGroup usm johnsmith
CONTROLLER>snmp create view All include .1
CONTROLLER>snmp create view None exclude .1
CONTROLLER>snmp create access RWGroup usm priv All All None
This creates a new security group named “RWGroup” containing the SNMPv3 user “johnsmith”, a new view “All” containing the full OID tree, and a new view “None” excluding the full OID tree. It then grants users in the group “RWGroup” (i.e. “johnsmith”) both read and write access to the view “All” (i.e. the full OID tree) when using authenticated and encrypted (priv) SNMPv3 requests, and maps their notify access to the view “None” (i.e. no part of the OID tree).
As a second example, we could set up read-only access to a portion of the OID tree (for example .1.3) for an
SNMPv1/2c community using the commands:
CONTROLLER>snmp create comtosec comm2secname VACMCommunity 192.168.254.100 ipv4
CONTROLLER>snmp create sectogroup testgroup usm comm2secname
CONTROLLER>snmp create view mainview include .1.3
CONTROLLER>snmp create access testgroup usm noAuth mainview None None
This maps an existing SNMPv1 community “VACMCommunity” to a security username named
“comm2secname”, and creates a new security group named “testgroup” containing “comm2secname”, a new
view “mainview” containing just the OID tree based on .1.3, and then allows those users in the group
“testgroup” (i.e. “comm2secname”) read-access, but not write- or notify-access to the view “mainview”.
SNMP View-based Access Control Module (VACM) commands
• SNMP SHOW USER, page 169
• SNMP CREATE USER, page 170
• SNMP DELETE USER, page 172
• SNMP SHOW SECTOGROUP, page 173
• SNMP CREATE SECTOGROUP, page 174
• SNMP DELETE SECTOGROUP, page 175
• SNMP SHOW VIEW, page 176
• SNMP CREATE VIEW, page 177
• SNMP DELETE VIEW, page 179
• SNMP SHOW ACCESS, page 180
• SNMP CREATE ACCESS, page 181
• SNMP DELETE ACCESS, page 183
• SNMP SHOW COMTOSEC, page 184
• SNMP CREATE COMTOSEC, page 185
• SNMP DELETE COMTOSEC, page 186
SNMP SHOW USER
Use the snmp show user command to display information on each SNMP username in the user table.
SNMP: SNMPv3
Command form:
snmp show user
Example:
Display SNMP users:
CONTROLLER>snmp show user
User number 0
Engine : local
EngineId :
Name : user8
Auth type : sha
authPhrase : 12345678
priv type : aes
priv phrase : 12345678
User number 1
...
User number 16
Engine : remote
EngineId : 0x80007b9d03001dff004360
Name : user
Auth type : md5
authPhrase : testing123
priv type : priv_none
priv phrase :
User number 17
Engine : remote
EngineId : 0x80007b9d03001dff004360
Name : audit
Auth type : auth_none
authPhrase :
priv type : priv_none
priv phrase :
SNMP CREATE USER
Use the snmp create user command to create USM (user based security model) users with authentication and
privacy options. A remote engine identity is required when an SNMPv3 inform is configured. The engine
identity is used to compute the security digest for authenticating and encrypting packets sent to a user on the
remote host.
To configure a remote user, specify the IP address or port number for the remote SNMP agent of the device
where the user resides. Also, before you configure remote users for a particular agent, configure the SNMP
engine ID, using the command snmp-server engineID with the remote option. The remote agent's SNMP
engine ID is needed when computing the authentication/privacy digests from the password. If the remote
engine ID is not configured first, the configuration command will fail.
SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For informs, the
authoritative SNMP agent is the remote agent. You need to configure the remote agent's SNMP engine ID in
the SNMP database before you can send proxy requests or informs to it.
NOTE: Any users created must be added to the VACM access control tables before they are operative. The username is used as the security name in the snmp create sectogroup command. Privacy options are valid only when authentication is specified.
SNMP: SNMPv3
Command form:
snmp create user username [auth {none | MD5 authphrase | SHA authphrase}] [priv {none | DES passphrase | AES passphrase}] [local | remote engine-id]
username
The username for the new user. The following restrictions apply to the username:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
auth {none | MD5 authphrase | SHA authphrase}
(Optional) Specifies the message authentication method used to authenticate the user. Choose one of the following:
none specifies that messages are not authenticated.
MD5 authphrase specifies that message authentication is provided by the message digest algorithm 5 (MD5). authphrase is the passphrase (8–64 characters) used to authenticate the user.
SHA authphrase specifies that message authentication is provided by the Secure Hash Algorithm (SHA). authphrase is the passphrase (8–64 characters) used to authenticate the user.
priv {none | DES passphrase | AES passphrase}
(Optional) Specifies the method of encryption for all SNMP messages/packets.
none specifies that no SNMP message encryption is used.
DES passphrase specifies that SNMP packets are encrypted using the 56-bit CBC-DES privacy algorithm. passphrase is the passphrase (8–64 characters) from which the privacy key is derived.
AES passphrase specifies that SNMP packets are encrypted using the Advanced Encryption Standard (AES) algorithm. passphrase is the passphrase (8–64 characters) from which the privacy key is derived.
[local | remote engine-id]
(Optional) Specifies the location of the agent that receives SNMPv3 inform messages. Specify local (the default) if the agent is local. Specify remote engine-id if inform messages are to be sent to the specified remote agent. Default: local.
Examples
• Create a local user with no authentication and privacy options:
CONTROLLER>snmp create user user2
• Create a local user with MD5 authentication and DES privacy:
CONTROLLER>snmp create user user3 md5 myauthphrase des myprivphrase
• Create a remote user remoteuser with SHA authentication, AES privacy and the specified engine ID:
CONTROLLER>snmp create user remoteuser sha myauthphrase aes myprivphrase remote 0x80007b9d03001dffe67899
SNMP DELETE USER
Use the snmp delete user command to delete a user. A remote engine identity is required when an SNMPv3
inform is configured.
SNMP: SNMPv3
Command form:
snmp delete user username [local | remote engine-id]
username
Specifies the name of the user to delete.
[local | remote engine-id]
(Optional) Specifies the location of the agent that receives SNMPv3 inform messages. Use local (the default) if the agent is local. Use remote engine-id if inform messages are to be sent to the specified remote agent.
Examples
• Remove local user1:
CONTROLLER>snmp delete user user1
• Remove remote user with specified engine-id:
CONTROLLER>snmp delete user remoteuser remote 0x80007b9d03441dffa67899
SNMP SHOW SECTOGROUP
Use the snmp show sectogroup command to show groups, together with security model, view settings, and storage type details. A group defines the access rights afforded to all securityNames which belong to that group.
SNMP: SNMPv3
Command form:
snmp show sectogroup
Example:
Show group information:
CONTROLLER>snmp show sectogroup
SectoGroup number 0
Security Model : v1
sec name : port3CSec
group name : port3CGrp
SectoGroup number 1
Security Model : v2c
sec name : port3C6Sec
group name : port3CGrp
SectoGroup number 2
Security Model : v1
sec name : port3DSec
group name : port3DGrp
SectoGroup number 3
...
SNMP CREATE SECTOGROUP
Use the snmp create sectogroup command to map security names into a named group. Several group
directives can specify the same group name, allowing a single access setting to apply to several users and/or
community strings.
A group defines the access rights afforded to all securityNames which belong to that group. The combination
of a securityModel and a securityName maps to at most one group. A group is identified by a groupName.
SNMP: SNMPv3
Command form:
snmp create sectogroup groupname {usm | v1 | v2c} securityName
groupname
Specifies the group name to create. The following restrictions apply to the group
name:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
usm, v1, v2c
Specifies the group’s security model, either USM (User Security Model, see RFC 3414) or SNMPv1/v2c. USM is the most secure, with all SNMPv3 packets authenticated, encrypted, and decrypted. SNMPv1 and SNMPv2c are unsecured, with authentication amounting to nothing more than a password (community string) sent in clear text between manager and agent.
securityName
Specifies the security name created with the snmp create user command (SNMPv3), or one of the securityNames created with the snmp create comtosec command (SNMPv1/v2c). The following restrictions apply to the security name:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
Examples
• Map security name user1 into the USM security group group1:
CONTROLLER>snmp create sectogroup group1 usm user1
• Map security name user2 into the USM security group group1:
CONTROLLER>snmp create sectogroup group1 usm user2
• Map security name v1User into the SNMPv1 security group group3:
CONTROLLER>snmp create sectogroup group3 v1 v1User
• Map security name v2User into the SNMPv2c security group group4:
CONTROLLER>snmp create sectogroup group4 v2c v2User
SNMP DELETE SECTOGROUP
Use the snmp delete sectogroup command to delete (unmap) a security name from a group. You can use the
snmp show sectogroup command to output a list of groups and users.
SNMP: SNMPv3
Command form:
snmp delete sectogroup {usm | v1 | v2c} securityname
usm, v1, v2c
Specifies the security model: USM, v1 or v2c.
securityname
Specifies the security name to unmap. The security name must already have been created with the snmp create user command (SNMPv3), or be one of the security names created with the snmp create comtosec command (SNMPv1/v2c).
Example:
Delete SNMPv2c user2:
CONTROLLER>snmp delete sectogroup v2c user2
SNMP SHOW VIEW
Use the snmp show view command to show defined named views (subsets of the OID tree).
SNMP: SNMPv3
Command form:
snmp show view
Example:
Show SNMP views:
CONTROLLER>snmp show view
View number 0
view type : include
mibTree : .1.3.6.1.4.1.31645.2.2.3.3.1.1.1.11
mask : 0xff:fa
name : portconfig3C
View number 1
view type : include
mibTree : NCTAP-MIB::psIndex.11
mask : 0xff:fa
name : portstate3C
View number 2
view type : exclude
mibTree : .iso.org.dod.internet.private.enterprises.networkcritical.products.ncTapMIB.ports.portconfig.pcTable.pcEntry.pcIndex.11
mask : 0xff:fa
name : portconfigNo3C
View number 3
view type : include
mibTree : ports
mask :
name : portconfigNo3C
...
SNMP CREATE VIEW
Use the snmp create view command to create a named subset view of the OID tree. A view is a mapping
between SNMP objects and the access rights available for those objects. An object can have different access
rights in each view. Access rights indicate whether the object is accessible by either a community string or a
user.
Create MIB views to control the OID range that SNMPv3 users can access. For example, create a view that
excludes access to the OID root; any user within such a group will have no read, write or notify access to the
MIB. The system does not create any MIB views by default.
SNMP: SNMPv3
Command form:
snmp create view viewname {include | exclude} {object-identifier [mask]}
viewname
Specifies a name to identify the MIB view. The following restrictions apply to the
view name:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
{include | exclude}
Specifies whether to include or exclude the view subtree or family of subtrees
from the MIB view.
{object-identifier [mask]}
Specifies the OID string of the subtree to include in or exclude from the view. The OID string is up to 256 characters in length. For example, the system subtree is specified by the OID string .1.3.6.1.2.1.1.
(Optional) For mask, specify a list of hex octets (optionally separated by ‘.’ or ‘:’) whose set bits indicate which sub-identifiers of the view OID must match. If not specified, this defaults to matching the OID exactly (all bits set). The OID mask is up to 47 characters in length, in the format xx.xx.xx... or xx:xx:xx..., and is at most 16 octets long. Each octet is 2 hexadecimal characters, separated by either . (period) or : (colon). Only hex characters are accepted in this field. For example, OID mask FA.80 is 11111010.10000000.
A family mask is used to define a family of view subtrees. The family mask indicates which sub-identifiers of the associated family OID string are significant to the family’s definition. A family of view subtrees allows access to be controlled for one row in a table in a more efficient manner.
More usefully, the mask can be used to define a view covering a particular row (or rows) in a table, by matching against the appropriate table index value but skipping the column sub-identifier. For more information, see http://www.net-snmp.org/wiki/index.php/Vacm#VACM_Masks.2C_or_How_to_restrict_access_to_a_particular_index_.28row.29_in_a_Table.
Example
• Create a view named All with access to the OID subtree starting from .1 (the MIB root level). Users in such
a group will have read, write, or notify access to the entire MIB depending on the type of access set by the
snmp create access command for the group.
CONTROLLER>snmp create view All include .1
• Create a view named None with excluded access to the OID subtree starting from .1 (the MIB root level). Effectively, any user in this group will have no read, write or notify access to the MIB.
CONTROLLER>snmp create view None exclude .1
• Create a view named NC with access to the OID subtree starting at .1.3.6.1.4.1.31645 (Network Critical
proprietary MIBs).
CONTROLLER>snmp create view NC include .1.3.6.1.4.1.31645
• Create a view named mgmt that is excluded from the MIB subtree starting at .iso.org.dod.mgmt:
CONTROLLER>snmp create view mgmt exclude .iso.org.dod.mgmt
• Create a view named ifRow4 with access to the OID subtree .1.3.6.1.2.1.2.2.1.0.4, where the mask 0xff:a0 selects which sub-identifiers of the view OID are matched against (the column sub-identifier is skipped):
CONTROLLER>snmp create view ifRow4 include .1.3.6.1.2.1.2.2.1.0.4 0xff:a0
• Below, the first two examples define the same view, covering the whole of the .iso subtree, with the third
example ignoring the subidentifiers not covered by the mask:
CONTROLLER>snmp create view iso1 include .iso 0xf0
CONTROLLER>snmp create view iso2 include .iso
CONTROLLER>snmp create view iso3 include .iso.org.dod.mgmt 0xf0
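The lookup chain that the VACM examples earlier in this section and the view examples above configure (comtosec to security name, sectogroup to group, access to view, view-family matching with masks), as an added example that is not the appliance's own code. It assumes numeric OIDs only, follows RFC 3415 for family matching and row selection, and registers the community-based group under the v2c model rather than the usm model used in the page's second example so that a v2c request resolves through the same chain; every table row below is constructed from the commands shown on this page.

```python
"""Model of the VACM lookup chain the commands in this section configure
(comtosec -> sectogroup -> access -> view).  Added example, not the appliance's
own code; view-mask matching follows RFC 3415 and every table row below is
constructed from the commands shown on this page."""
import ipaddress
from collections import namedtuple

View = namedtuple("View", "name include family mask")
Access = namedtuple("Access", "group model level read write notify")
LEVELS = {"noAuth": 0, "auth": 1, "priv": 2}

def parse_oid(text):
    """'.1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); numeric OIDs only (assumption)."""
    return tuple(int(p) for p in text.strip(".").split(".") if p)

def parse_mask(text, length):
    """'0xff:a0' / 'ff.a0' -> one bool per sub-identifier of the family OID.
    Bits the mask does not cover count as set, so '' means 'match exactly'."""
    hexdigits = text.lower().replace(".", "").replace(":", "")
    if hexdigits.startswith("0x"):
        hexdigits = hexdigits[2:]
    bits = [bool(o & (0x80 >> i)) for o in bytes.fromhex(hexdigits) for i in range(8)]
    return [bits[i] if i < len(bits) else True for i in range(length)]

def view(name, kind, oid, mask=""):
    """One row as 'snmp create view NAME {include|exclude} OID [MASK]' creates it."""
    family = parse_oid(oid)
    return View(name, kind == "include", family, parse_mask(mask, len(family)))

def family_matches(v, oid):
    """The OID is at least as long as the family and agrees on every
    sub-identifier whose mask bit is set (RFC 3415 section 3.5)."""
    return len(oid) >= len(v.family) and all(
        not m or o == f for f, m, o in zip(v.family, v.mask, oid))

def in_view(views, name, oid):
    """Longest matching family wins (ties: the greater family OID); its
    include/exclude flag decides.  No matching family means not in the view."""
    best = None
    for v in views:
        if v.name == name and family_matches(v, oid) and (
                best is None or (len(v.family), v.family) > (len(best.family), best.family)):
            best = v
    return best is not None and best.include

def select_access(accesses, group, model, level):
    """Rows for the group whose model is the request's or 'any' and whose level
    does not exceed the request's; prefer an exact model, then the highest level."""
    rows = [a for a in accesses if a.group == group and a.model in (model, "any")
            and LEVELS[a.level] <= LEVELS[level]]
    return max(rows, key=lambda a: (a.model != "any", LEVELS[a.level]), default=None)

def community_to_secname(comtosec, community, source_ip):
    """First (secname, community, source) directive matching both the community
    and the sender wins; a source of None is the global 'default' mapping."""
    addr = ipaddress.ip_address(source_ip)
    for secname, secret, source in comtosec:
        if secret == community and (source is None or
                                    addr in ipaddress.ip_network(source, strict=False)):
            return secname
    return None

def is_allowed(cfg, model, secname, level, op, oid_text):
    """op is 'read' (get), 'write' (set) or 'notify'.  Unknown security names
    and groups without a usable access row are denied."""
    group = cfg["sectogroup"].get((model, secname))
    acc = group and select_access(cfg["access"], group, model, level)
    return bool(acc) and in_view(cfg["views"], getattr(acc, op), parse_oid(oid_text))

# Constructed configuration mirroring the commands shown in this section.
CFG = {
    "views": [
        view("All", "include", ".1"),
        view("None", "exclude", ".1"),
        view("mainview", "include", ".1.3"),
        # ifTable row 4: mask ff:a0 fixes every sub-identifier except the column
        view("ifRow4", "include", ".1.3.6.1.2.1.2.2.1.0.4", "0xff:a0"),
    ],
    # The page's second example registers the community under usm; v2c is used
    # here so that a v2c request resolves through the same chain (assumption).
    "sectogroup": {("usm", "johnsmith"): "RWGroup",
                   ("v2c", "comm2secname"): "testgroup",
                   ("v2c", "v1user"): "RowGroup"},
    "access": [
        Access("RWGroup", "usm", "priv", "All", "All", "None"),
        Access("testgroup", "any", "noAuth", "mainview", "None", "None"),
        Access("RowGroup", "v2c", "noAuth", "ifRow4", "None", "None"),
    ],
    "comtosec": [("comm2secname", "VACMCommunity", "192.168.254.100"),
                 ("v1user", "netcrit", "192.168.0.0/16"),
                 ("guest", "netcrit", None)],
}

if __name__ == "__main__":
    print("johnsmith set sysName.0:", is_allowed(CFG, "usm", "johnsmith", "priv", "write", ".1.3.6.1.2.1.1.5.0"))
    sec = community_to_secname(CFG["comtosec"], "netcrit", "192.168.10.7")
    print(sec, "get ifDescr.4:", is_allowed(CFG, "v2c", sec, "noAuth", "read", ".1.3.6.1.2.1.2.2.1.2.4"))
```

A request at security level auth from johnsmith is refused because the only access row for RWGroup requires priv, and the ifRow4 view admits ifDescr.4 but not ifDescr.5, which is the row-restriction effect the mask description above aims at.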
SNMP DELETE VIEW
Use the snmp delete view command to delete a named view of the OID tree. A view is created by the snmp
create view command and is a mapping between SNMP objects and the access rights available for those
objects.
SNMP: SNMPv3
Command form:
snmp delete view {viewname} {object-identifier}
viewname
Specifies the view name to delete.
object-identifier
Specifies the OID string of the subtree to delete from the view. The OID string is up to 256 characters in length. For example, the system subtree is specified by the OID string .1.3.6.1.2.1.1.
Examples
• Delete the view named All with OID string .1:
CONTROLLER>snmp delete view All .1
• Delete the view named custom_v with OID string sysUpTime.0:
CONTROLLER>snmp delete view custom_v sysUpTime.0
SNMP SHOW ACCESS
Use the snmp show access command to show how groups of users/communities are mapped to one of three views (read, write or notify), depending on the request being processed.
SNMP: SNMPv3
Command form:
snmp show access
Example:
Show access mappings:
CONTROLLER>snmp show access
Access number 0
Security Model : any
Security Level : noAuth
group name : port3CGrp
context :
context match : exact
read view : portstate3C
write view : portconfig3C
notify view : portstate3C
Access number 1
Security Model : any
Security Level : noAuth
group name : portNo3CGrp
context :
context match : exact
read view : portstateNo3C
write view : portconfigNo3C
notify view : portstateNo3C
SNMP CREATE ACCESS
Use the snmp create access command to map a group to a read, write, or notify view, depending on the request being processed. Get requests are mapped to the read view, set requests are mapped to the write view, and notify requests are mapped to the notify view.
SNMP: SNMPv3
Command form:
snmp create access group-name {any | usm | v1 | v2c} {noAuth | auth | priv} {read-viewname} {write-viewname} {notify-viewname}
group-name
Specifies the group (which contains users and/or community strings) to map.
Groups are created with the snmp create sectogroup command.
any, usm, v1, v2c
Specifies the group’s security model, either USM (User Security Model, see RFC 3414) or SNMPv1/v2c; any matches every model. USM is the most secure, with all SNMPv3 packets authenticated, encrypted, and decrypted. SNMPv1 and SNMPv2c are unsecured, with authentication amounting to nothing more than a password (community string) sent in clear text between manager and agent.
noAuth, auth, priv
Specifies the security level:
noAuth authenticates a packet by a string match of the user name.
auth authenticates a packet by using either the MD5 or SHA algorithms.
priv authenticates a packet by using either the MD5 or SHA algorithms and
encrypts the packet using the DES or AES algorithm.
read-viewname
Specifies the view to which get requests are mapped. This parameter must be
specified. If no access is required, create a view called ‘None’ that excludes access
to the OID root and specify it here. See the examples for the relevant command.
The following restrictions apply to the read view name:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
write-viewname
Specifies the view to which set requests are mapped. If no access is required,
create a view called ‘None’ that excludes access to the OID root and specify it here.
See the examples for the relevant command. The following restrictions apply to
the write view name:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
notify-viewname
Specifies the view to which notify requests are mapped. If no access is required,
create a view called ‘None’ that excludes access to the OID root and specify it here.
See the examples for the relevant command.
The following restrictions apply to the notify view name:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
Examples
• Create access group called group1 with USM security and packet authentication and encryption enabled.
Assign get and set requests to All view (include .1); notify requests to None (exclude .1):
CONTROLLER>snmp create access group1 usm priv All All None
• Create access group called group2 with SNMPv1/v2c and USM security, user name authentication (no
encryption). Assign get and set requests to custom_v view; notify requests to None (exclude .1):
CONTROLLER>snmp create access group2 any noAuth custom_v custom_v None
• Create access group called group3 with SNMPv2c security, user name authentication (no encryption).
Assign get and set requests to NC view; notify requests to None (exclude .1):
CONTROLLER>snmp create access group3 v2c noAuth NC NC None
SNMP DELETE ACCESS
Use the snmp delete access command to delete the specified access group.
SNMP: SNMPv3
Command form:
snmp delete access group-name {any | usm | v1 | v2c} {noAuth | auth | priv} {read-viewname} {write-viewname} {notify-viewname}
group-name
Specifies the name of the group.
{any | usm | v1 | v2c}
Specifies the security model. Since the same group can have multiple access commands defined, each with a different security model, this limits deletion to the entry with the specified security model, or to all models if any is specified.
{noAuth | auth | priv}
Specifies the security level. Since the same group can have multiple access commands defined, each with a different security level, this limits deletion to the entry with the specified security level.
read-viewname
Specifies the view to which get requests are mapped.
write-viewname
Specifies the view to which set requests are mapped.
notify-viewname
Specifies the view to which notify requests are mapped.
Example:
Delete the access entry for group2 with security model any (SNMPv1/v2c and USM) and security level noAuth:
CONTROLLER>snmp delete access group2 any noAuth
SNMP SHOW COMTOSEC
Use the snmp show comtosec command to show SNMPv1 or SNMPv2c community secret to security name
mappings.
SNMP: SNMPv3
Command form:
snmp show comtosec
Example:
Show the current community secret to security name mappings:
CONTROLLER>snmp show comtosec
SNMP CREATE COMTOSEC
Use the snmp create comtosec command to map a security name to an SNMPv1/v2c style community string.
Mapping can be from a particular range of source addresses or globally (“default”). The same community
secret can be specified in several separate directives (with different source tokens), and the first source/
community combination that matches the incoming request will be selected. Various source/community
combinations can also map to the same security name.
SNMP: SNMPv3
Command form:
snmp create comtosec {securityName} {communitySecret} [source SOURCE [ipv4 | ipv6]]
securityName
Specifies the security name to create. The following restrictions apply to the
security name:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
communitySecret
Specifies a community secret that acts like a password and permits access to the
SNMP protocol. Note this communitySecret has no reference to the community
secret defined with the snmp community command. The following restrictions
apply to the community secret:
• maximum of 32 alpha-numeric characters (case sensitive)
• no spaces, punctuation or other special characters
• first character must be a letter
[source SOURCE [ipv4 | ipv6]]
(Optional) A restricted source can either be a specific hostname (or address), or a subnet, represented as IP/mask (such as 10.10.10.0/255.255.255.0) or IP/bits (such as 10.10.10.0/24), or the IPv6 equivalents.
You may optionally specify to which requests (IPv6 or IPv4) this command applies. Default is IPv4.
Examples
• Map v1user (security name) to netcrit (v1/v2c style community secret):
CONTROLLER>snmp create comtosec v1user netcrit
• Map v2Sec to commsecret restricted from sources 192.168.0.0/16:
CONTROLLER>snmp create comtosec v2Sec commsecret source 192.168.0.0/16
SNMP DELETE COMTOSEC
Use the snmp delete comtosec command to remove a community secret to a security name mapping.
SNMP: SNMPv3
Command form:
snmp delete comtosec securityName communitySecret [source SOURCE [ipv4 | ipv6]]
securityName
Specifies the security name of the mapping to delete.
communitySecret
Specifies the community string of the mapping to delete. Note this community
secret has no reference to the community secret defined with the snmp
community command.
[source SOURCE [ipv4 | ipv6]]
A restricted source can either be a specific hostname (or address), or a subnet represented as IP/MASK (e.g. 10.10.10.0/255.255.255.0) or IP/BITS (e.g. 10.10.10.0/24), or the IPv6 equivalents.
You may optionally specify to which requests (IPv6 or IPv4) this command applies. Default is IPv4.
Examples
• Delete mapping v1user (security name) to netcrit (v1/v2c style community string):
CONTROLLER>snmp delete comtosec v1user netcrit
• Delete mapping v2Sec to commsecret restricted from sources 192.168.0.0/16:
CONTROLLER>snmp delete comtosec v2Sec commsecret source 192.168.0.0/16
APPENDIX B WEB USER-INTERFACE REFERENCE
This section provides reference information for the configuration options and system data available via the
SmartNA-X web UI.
System identity tab
The System identity tab (Figure B-1) is available after clicking on the chassis. It provides access to the system
options shown in Table B-1, page 188.
Figure B-1 The System identity tab
Table B-1 System identity tab options
System name: Sets the name of the appliance, as used by SNMP and elsewhere. Default: None. The system’s unique network identifier is displayed in the adjacent System MAC address field, together with the IPv6 link-local address in the System link local-address field.
System location: Sets the location of the appliance, as used by SNMP and elsewhere. Default: None.
System contact: Sets the system contact name, as used by SNMP and elsewhere. Default: None.
Use DHCP: Enables or disables DHCP. Default: Disabled (recommended). The current active status of this setting on the system is displayed in the adjacent Active DHCP setting field.
System IPv4 address: Sets the device network interface IPv4 address. Default: 192.168.254.100. The current active address is shown in the adjacent Active IPv4 address field.
IPv4 subnet: Sets the device IPv4 subnet mask. Default: 255.255.255.0. The current active subnet mask is shown in the adjacent Active IPv4 subnet field.
IPv4 gateway: Sets the IPv4 network gateway address. The current active gateway address is shown in the adjacent Active IPv4 gateway field.
DNS server: Sets the address of the DNS server. Default: None.
System IPv6 address: Sets the device network interface IPv6 address. Default: None. The current active address is shown in the adjacent Active IPv6 address field.
System MAC address: Shows the SmartNA-X MAC address.
System link local address: Shows the IPv6 link local address.
IPv6 prefix length: Sets the IPv6 prefix length. Default: None. The current active prefix length is shown in the adjacent Active IPv6 prefix length field.
IPv6 gateway: Sets the IPv6 network gateway address. The current active gateway address is shown in the adjacent Active IPv6 gateway field.
Mapping tab
The Mapping tab (Figure B-2) is available after clicking on the chassis. It lists port maps and provides options
for adding and removing filters. Maps are created by dragging from the source to destination port. Selecting
the edit icon for a map is the same as clicking on the map on the diagram. If there are too many maps to draw
them all, the extra ones will still appear on, and therefore be accessible from, this list.
Figure B-2 The Mapping tab showing the Map configuration window
Filters tab
The Filters tab (Figure B-3) is available after clicking on the chassis. It shows all available filters and allows you
to edit, add and delete them. The table below shows the options that are available when setting up packet filters.
Figure B-3 The Filters tab showing the Add filter window
Table B-2 Filters tab options
Filter name: All filters must have a unique name. This is used to label any maps where the filter is applied.
Packet type: All filters must specify a packet type. This corresponds approximately to the EtherType in the packet header, and determines which additional layer 2, 3 and 4 filter fields are applicable.
MPLS packets may be further filtered by the top MPLS label in the stack. All non-MPLS packet types can instead be filtered by VLAN tag and MAC address at layer 2.
ARP packets can additionally be filtered by IPv4 address at layer 3 and by DSCP at layer 4.
IP packets can additionally be filtered by IP address, if you specify IPv4 or IPv6, and by IP protocol (TCP, etc.) at layer 3. At layer 4, they can be filtered by DSCP, and if an IP protocol is specified, also by relevant additional fields such as port.
MPLS top of stack label: (Available when MPLS protocol type is selected.) Filter traffic by MPLS label. Where the MPLS header for a packet contains multiple labels, this will test the top label in the stack. The following formats are recognized:
100 – A single label
100-110 – A range (inclusive)
0/1 – A value/mask pair (here: all even labels)
100, 150 – Multiple labels
Multiple labels may each use a range or mask.
VLAN tag: Filter by VLAN tag. The following formats are recognized:
100 – A single tag
100-110 – A range (inclusive)
0/1 – A value/mask pair (here: all even tags)
100, 150 – Multiple tags
Multiple tags may each use a range or mask.
The following caveats should be noted when filtering by VLAN:
• When a filter is set to permit VID 1, untagged packets will still be forwarded.
• Tagged packets with a VID of 1 will be forwarded untagged.
• Tagged packets with a VID of 0 will be dropped by SmartNA-X.
MAC address: Filter any non-MPLS packet type by MAC address. You may give either a single specification, to find packets where either the source or the destination address matches, or separate specifications for source and/or destination address. In each case, the following formats are recognized:
01:23:45:67:89:ab – A single address
01:23:45:67:89:ab, 01:23:45:67:89:ac – Multiple addresses
For ARP packets, use source for the sender address and destination for the target address.
IPv4 address: Filter IPv4 or ARP packets by IP address. You may give either a single specification, to find packets where either the source or the destination address matches, or separate specifications for source and/or destination address. The following formats are recognized in each case:
192.168.0.1 – A single address
192.168.0.4-10 – A range (inclusive)
192.168.0.* – Wildcard (192.168.0.0-255)
10.10.0.0/255.255.255.252 – Mask (10.10.0.0-3)
10.10.0.3, 10.10.0.5 – Multiple addresses
Ranges and wildcards may be used in any segment(s).
Multiple addresses may each use either ranges and wildcards or a mask.
For ARP packets, use source for the sender address and destination for the target address.
IPv6 addressing
Filter IPv6 packets by IP address.
You may give either a single specification, to find packets where either the source or the destination
address matches, or separate specifications for source and/or destination address. The following
formats are recognized in each case:
2000:abcd:0:0:0:0:77:88 – A single address
2000:abcd::77:88 – A single address (eliding a single run of zero segments)
2000:abcd::77:88-99 – A range address (inclusive)
2000::* – A wildcard (here: 2000::0-ffff)
::ffff:0:0/96 – Prefix (any address starting 0:0:0:0:0:ffff)
2000::1, 2000::3 – Multiple addresses
Ranges and wildcards may be used in any segment(s).
Multiple addresses may each use either ranges and wildcards or prefix notation.
Internet protocol
Filter IP traffic by its internet protocol, for example whether it uses a transport protocol such as TCP,
UDP or ICMPv4.
If you specify TCP, UDP or both, you may further filter by the corresponding layer 4 ports.
DSCP
Filter traffic by the DSCP specified in the packet header. Separate multiple DSCP numbers with
commas.
Port
Filter TCP or UDP packets by port number.
You may give either a single specification, to find packets where either the source or the destination
port matches, or separate specifications for source and/or destination port.
The following formats are recognized in each case:
10 – A single port
10-20 – A range (inclusive)
0/1 – A value/mask pair (here: all even ports)
10,15 – Multiple ports
Multiple ports may each use a range.
Common examples for TCP include:
80, 8080, 443 – HTTP/HTTPS
25 – SMTP
20-21, 989-990 – FTP/FTPS
22 – SSH
23 – Telnet
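The filter field formats in Table B-2, as an added example that is not SmartNA-X code: a small Python matcher that parses the documented label/tag/port and IPv4 address syntaxes, applies the VLAN caveats, and evaluates candidate values. The field bounds passed in (4095 for VLAN tags, 65535 for ports, 1048575 for MPLS labels) are assumptions, not values from the guide.

```python
"""Matcher for the filter field syntax of Table B-2 (MPLS label, VLAN tag,
TCP/UDP port and IPv4 address specifications).

Added example, not SmartNA-X code: it parses the documented formats and
evaluates candidate values against them, including the VLAN caveats
(untagged frames count as VID 1; VID 0 is always dropped).
"""
import ipaddress


def _int_item(item: str, upper: int):
    """One comma-separated item: '100', '100-110' (inclusive) or '0/1' (value/mask)."""
    item = item.strip()
    if "/" in item:
        value, mask = (int(p) for p in item.split("/", 1))
        return lambda x: (x & mask) == (value & mask)
    if "-" in item:
        lo, hi = (int(p) for p in item.split("-", 1))
        if not 0 <= lo <= hi <= upper:
            raise ValueError(f"bad range {item!r}")
        return lambda x: lo <= x <= hi
    exact = int(item)
    if not 0 <= exact <= upper:
        raise ValueError(f"value {exact} exceeds {upper}")
    return lambda x: x == exact


def int_field_matcher(spec: str, upper: int):
    """Predicate for a label/tag/port spec; `upper` is an assumed field bound
    (1048575 for MPLS labels, 4095 for VLAN tags, 65535 for ports)."""
    items = [_int_item(p, upper) for p in spec.split(",") if p.strip()]
    if not items:
        raise ValueError("empty specification")
    return lambda x: any(item(x) for item in items)


def vlan_filter_passes(spec: str, vid):
    """Apply a VLAN tag filter to a frame; vid=None means untagged.

    Encodes the caveats in Table B-2: untagged frames pass when VID 1 is
    permitted, and tagged frames with VID 0 are always dropped.
    """
    if vid == 0:
        return False
    return int_field_matcher(spec, 4095)(1 if vid is None else vid)


def _segment(seg: str):
    """One dotted IPv4 segment: '17', '4-10' or '*'."""
    if seg == "*":
        return lambda b: True
    if "-" in seg:
        lo, hi = (int(p) for p in seg.split("-", 1))
        return lambda b: lo <= b <= hi
    exact = int(seg)
    return lambda b: b == exact


def _ipv4_item(item: str):
    """One address item: dotted with ranges/wildcards, or address/dotted-mask."""
    item = item.strip()
    if "/" in item:
        addr, mask = item.split("/", 1)
        a = int(ipaddress.IPv4Address(addr))
        m = int(ipaddress.IPv4Address(mask))
        return lambda ip: (int(ip) & m) == (a & m)
    segs = item.split(".")
    if len(segs) != 4:
        raise ValueError(f"bad IPv4 item {item!r}")
    matchers = [_segment(s) for s in segs]
    return lambda ip: all(m(b) for m, b in zip(matchers, ip.packed))


def ipv4_field_matcher(spec: str):
    """Predicate over an address string for an IPv4 address specification."""
    items = [_ipv4_item(p) for p in spec.split(",") if p.strip()]
    if not items:
        raise ValueError("empty specification")
    return lambda addr: any(item(ipaddress.IPv4Address(addr)) for item in items)


def either_end_matches(match, src, dst) -> bool:
    """A single (not source/destination-specific) spec matches if either end does."""
    return match(src) or match(dst)


if __name__ == "__main__":
    even_labels = int_field_matcher("0/1", 1048575)
    print(even_labels(100), even_labels(101))                        # True False
    print(vlan_filter_passes("1", None), vlan_filter_passes("0/1", 0))  # True False
    subnet = ipv4_field_matcher("10.10.0.0/255.255.255.252")
    print(subnet("10.10.0.3"), subnet("10.10.0.4"))                  # True False
```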
SNMP tab
The SNMP tab (Figure B-4) is available after clicking on the chassis. It provides access to the SNMP options
and client settings shown in the tables below.
Figure B-4 The SNMP tab
Table B-3 SNMP tab options
Option
Description
SNMP enabled
Enables or disables the SNMP agent. Default: Disabled.
Engine ID
The SNMP engine ID identifies the agent in the device and is a security feature of SNMPv3. The
engine ID is automatically generated by the system and is a product of the enterprise number of
Network Critical (by IANA) and the MAC address of the ‘eth0’ interface, thus it is not user
configurable.
Send notifications
Allows notifications to be sent for the following system alerts:
Health – power, fan, TAP module temperature, system temperature
SNMP – cold start, warm start, authentication failure
System – link up/down, module in/out, traffic overload/underload
Configure notification hosts
See Table B-4.
Configure communities
Options for configuring traditional SNMP v1, v2c communities. See Table B-5.
Configure users
Options for configuring view-based users. See Table B-6.
Configure communities (VACM)
Options for configuring view-based access communities (SNMPv3). See Table B-7.
Configure groups
Options for configuring view-based groups. See Table B-8.
Configure views
Options for configuring view-based views. See Table B-9, page 196.
Configure access control
Options for configuring view-based access control. See Table B-10, page 196.
Table B-4 Options for configuring SNMP notification hosts
Option
Description
Destination
Specify the location of the notification host. The format must be:
[protocol:]address[:port]
protocol may be udp or udp6.
address may be a hostname or an IPv4 or IPv6 address.
port is the UDP port on the host.
For example, udp:192.168.0.4:162 sets up host 192.168.0.4 on UDP port 162.
SNMP version
Specifies the host SNMP version used by the host/manager and thus the format of the notifications
sent. If not specified, the version is assumed to be SNMPv3.
Notification type
Notifications may be sent as traps or (where supported) informs.
Credentials
For SNMP v1 or v2c, this is the community string to send with the notification.
For SNMP v3, this is an existing local user (for traps) or remote user (for informs).
Engine ID
Where a remote user is specified, the corresponding engine ID must also be given.
Table B-5 Options for configuring traditional communities (SNMP v1, v2c)
Option
Description
Community string
Specifies a community string for the community. The string must consist of 1–32 alphanumeric
characters, and must begin with a letter.
IP version
Specifies whether this community string allows access via IPv4 or IPv6.
Source
Restrict access to specific hosts by specifying the source for SNMP requests here. The following
formats are recognized:
Hostname – myserver.mycompany.com
IPv4 Address – 192.168.50.1
IPv4 Subnet (address/mask) – 192.168.50.1/255.255.255.0
IPv4 Subnet (address/prefix length) – 192.168.50.1/24
For IPv6 access, use the equivalent formats.
Type
Specify whether read-only or read/write access is permitted for this community.
OID
Limits the SNMP OID tree which can be accessed through the SNMP agent. If set to 0.0, any OID value can
be accessed. If set to a point in the OID tree, only values below that point can be seen. For example, if
set to 1.3.6.1.2.1.2 (the Interface part of the MIB-2 MIB), only the Interface OIDs would be visible to
this entry.
Table B-6 Options for configuring SNMP Users
Option
Description
User name
Specify a name for the user. Names consist of 1–32 alphanumeric characters, and must begin with a
letter.
You may define local users (for most uses) and remote users (for use with sending SNMPv3 informs).
If this is a remote user, you must also specify the corresponding remote engine ID.
Engine
If setting up a remote user, you must specify the engine ID of the remote SNMP agent. Engine IDs
consist of 10–64 hex digits.
Authentication
Specify whether authentication is to be used, and if so whether to use MD5 or SHA authentication.
If authentication is in use, you must also specify a passphrase in the Authentication phrase field that
appears. Authentication phrases must be 8–64 ASCII non-control characters.
For users already set up on the device, either enter a new passphrase if you wish to make a change or
leave this field blank to keep the existing passphrase.
Privacy
Specifies whether encryption is to be used, and if so whether to use DES or AES.
If encryption is in use, you must also specify a passphrase in the Privacy phrase field that appears.
Privacy phrases must be 8–64 ASCII non-control characters.
For users already set up on the device, either enter a new passphrase if you wish to make a change or
leave this field blank to keep the existing passphrase.
Table B-7 Options for configuring view-based communities (SNMP v3)
Option
Description
Community string
Specifies a community string for the community. The string must consist of 1–32 alphanumeric
characters, and must begin with a letter.
IP version
Specifies whether this community string allows access via IPv4 or IPv6.
Source
Restrict access to specific hosts by specifying the source for SNMP requests here. The following
formats are recognized:
Hostname – myserver.mycompany.com
IPv4 Address – 192.168.50.1
IPv4 Subnet (address/mask) – 192.168.50.1/255.255.255.0
IPv4 Subnet (address/prefix length) – 192.168.50.1/24
For IPv6 access, use the equivalent formats.
Security name
Specifies the security name to add to a group as part of the SNMP view-based access control system,
like an SNMPv3 user.
Table B-8 Options for configuring view-based groups (SNMP v3)
Option
Description
Group name
Specifies a name for the SNMP group.
Group names consist of 1–32 alphanumeric characters, and must begin with a letter.
Member details
Specifies details of the member you are adding to the group. This may be one of:
An existing local SNMP user
A security name assigned to an existing VACM-enabled SNMP community
The membership will apply only when the specified security model is used for a request. The same
member may belong to different groups with different security models.
Security model
The security name you specify here may be added to a group as part of the SNMP view-based access
control system, like an SNMPv3 user.
Table B-9 Options for configuring view-based views (SNMP v3)
Option
Description
Name
Specifies a name for the view.
View type
Indicates whether this view contains the tree below the specified OID or everything else.
OID
Specifies the position in the management tree below which this view applies.
Mask
May be used to specify that only some of the subidentifiers in the OID are to be matched.
Table B-10 Options for configuring view-based access control (SNMP v3)
Option
Description
Group name
You must specify the name of an existing group that will receive this access.
Security model
Access will only be granted if the security model matches the request.
Security level
Access will only be granted if the security of the request meets the minimum requirement specified
here.
The order is:
None (lowest)
Auth
Auth+Priv (highest)
Context
Specify the context name to use for requests, and whether it works as a prefix or requires an exact
match. The context string may be up to 32 alphanumeric characters. This setting is optional.
Read view
Specify the name of an existing view, or leave blank if read access is not required.
Write view
Specify the name of an existing view, or leave blank if write access is not required.
Notify view
Specify the name of an existing view, or leave blank if notify access is not required.
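How the view-based tables (B-6 to B-10) combine when a request arrives, as an added example that is neither the product's own code nor its implementation: constructed sample groups, access entries and views, and a check that resolves a request the way VACM does (group, then access entry by security model, level and context, then the view's OID subtree and mask). The security-model names "v1", "v2c" and "usm", the hex mask format and the longest-match rule are assumptions following RFC 3415.

```python
"""Model of the SNMP view-based access control (VACM) set up through
Tables B-6 to B-10: security names join groups per security model, access
entries map a group/model/level/context to read, write and notify views,
and views are OID subtrees with an optional mask.

Added example, not SmartNA-X code; the tables below are constructed sample
data and the matching rules follow RFC 3415 (longest matching entry wins).
"""
from dataclasses import dataclass

LEVELS = {"None": 0, "Auth": 1, "Auth+Priv": 2}   # ordering given in Table B-10


@dataclass
class View:
    name: str
    oid: str                # subtree root, e.g. "1.3.6.1.2.1.2"
    included: bool = True   # View type: the tree below the OID, or "everything else"
    mask: str = ""          # hex digits, one bit per subidentifier; 1 = must match


@dataclass
class Access:
    group: str
    model: str              # "v1", "v2c" or "usm" (SNMPv3 users); assumed names
    min_level: str          # minimum security level of the request
    read: str = ""          # view names; blank = that kind of access is not granted
    write: str = ""
    notify: str = ""
    context: str = ""
    context_prefix: bool = False


def _mask_bits(mask: str, count: int):
    """Expand a hex mask to `count` booleans; subidentifiers past the mask must match."""
    width = len(mask) * 4
    value = int(mask, 16) if mask else 0
    bits = [bool((value >> (width - 1 - i)) & 1) for i in range(width)]
    return [bits[i] if i < width else True for i in range(count)]


def _subtree_matches(view: View, oid: str) -> bool:
    root = [int(x) for x in view.oid.split(".")]
    target = [int(x) for x in oid.split(".")]
    if len(target) < len(root):
        return False
    bits = _mask_bits(view.mask, len(root))
    return all((not bit) or r == t for bit, r, t in zip(bits, root, target))


def oid_in_view(views, name: str, oid: str) -> bool:
    """The longest matching entry of the named view decides; 'everything else' entries exclude."""
    best = None
    for v in views:
        if v.name == name and _subtree_matches(v, oid):
            if best is None or v.oid.count(".") > best.oid.count("."):
                best = v
    return best is not None and best.included


def check_access(groups, access, views, sec_name, model, level, context, op, oid) -> bool:
    """Resolve a request the way the VACM tables do: group -> access entry -> view -> OID."""
    group = groups.get((sec_name, model))        # membership is per security model (Table B-8)
    if group is None:
        return False
    for a in access:
        if a.group != group or a.model != model:
            continue
        if LEVELS[level] < LEVELS[a.min_level]:  # Table B-10: request must meet the minimum
            continue
        if a.context_prefix:
            if not context.startswith(a.context):
                continue
        elif context != a.context:
            continue
        view_name = {"read": a.read, "write": a.write, "notify": a.notify}[op]
        if view_name and oid_in_view(views, view_name, oid):
            return True
    return False


# Constructed sample tables (not from the product).
GROUPS = {("monitor", "usm"): "readers", ("public", "v2c"): "readers"}
VIEWS = [
    View("ifview", "1.3.6.1.2.1.2"),                          # interfaces subtree of MIB-2
    View("ifview", "1.3.6.1.2.1.2.2.1.6", included=False),    # but hide ifPhysAddress
    View("if1only", "1.3.6.1.2.1.2.2.1.0.1", mask="ffa0"),    # any column of ifTable row 1
]
ACCESS = [
    Access("readers", "usm", "Auth", read="ifview"),          # SNMPv3 users must authenticate
    Access("readers", "v2c", "None", read="ifview"),          # community access, read-only
]

if __name__ == "__main__":
    ok = check_access(GROUPS, ACCESS, VIEWS, "monitor", "usm", "Auth+Priv", "",
                      "read", "1.3.6.1.2.1.2.2.1.10.1")
    print(ok)   # True
```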
Security tab
The Security tab (Figure B-5) provides access to settings for adding network authentication and accounting
servers.
Figure B-5 The Security tab showing the Edit RADIUS server window
Table B-11 Security tab options
Option
Description
Authenticate users via
Specifies how users should be authenticated when logging in. The options are:
Local – Users are authenticated locally by the system.
RADIUS – Users are authenticated by a RADIUS server.
RADIUS/Local – Users will be authenticated by a RADIUS server if access to the server is available,
falling back to local authentication if access to a RADIUS server is not available.
TACACS+ – Users are authenticated by a TACACS+ server.
TACACS+/Local – Users will be authenticated by a TACACS+ server if access to the server is
available, falling back to local authentication if access to a TACACS+ server is not available.
NTP Server
Specifies the IP address of a NTP (Network Time Protocol) server. System time will be synchronized
with the NTP server when specified.
RADIUS authentication
Allows you to specify options for configuring authentication via a RADIUS authentication server.
Click Add server to set up a new server, or click the edit options to update an existing server. The
system will attempt to contact the first RADIUS server in the list, and move on to the next server if it is
inaccessible. Servers can be ordered by dragging with the button.
The following options are available when configuring RADIUS authentication servers:
Server address – IPv4 address of the RADIUS server (hostnames not supported). A given server (IP
address) has only a single shared secret. This means, if the same server is listed for both authentication
and accounting, and the user changes the shared secret via one of them, the shared secret for the other
is implicitly changed to match.
Server port – RADIUS UDP request port. RADIUS uses 1812 for Authentication and 1813 for
Accounting, although some older servers use ports 1645 and 1646 (authentication and accounting,
respectively). Check settings on the server to confirm which ports to use.
Shared secret – A text string that serves as a password between SmartNA-X and the RADIUS server.
When creating and using a shared secret for use by SmartNA-X, you must:
• use the same case-sensitive shared secret on both RADIUS server and SmartNA-X device.
• use a different shared secret for each RADIUS server-RADIUS client pair.
• use alphanumeric characters only (no spaces allowed).
TACACS+ authentication
Allows you to specify options for configuring authentication via a TACACS+ authentication server.
Click Add server to set up a new server, or click the edit options to update an existing server. The
system will attempt to contact the first TACACS+ server in the list, and move on to the next server if it
is inaccessible. Servers can be ordered by dragging with the button.
Server address – IPv4 address of the TACACS+ server (hostnames are not supported).
Shared secret – TACACS+ shared secret text string between the SmartNA-X device and the TACACS+
server host. The secret entered here must match that used by the server. When creating and using a
shared secret for use by SmartNA-X, you must:
• use the same case-sensitive shared secret on both TACACS+ server and SmartNA-X device.
• use the same shared secret for each TACACS+ server-TACACS+ client pair.
• use alphanumeric characters only (no spaces allowed).
RADIUS accounting
Allows you to specify options for configuring a RADIUS accounting server. Adding an accounting
server implicitly enables logging. Click Add server to set up a new server, or click the edit options to
update an existing server. The system will attempt to contact the first RADIUS server in the list, and
move on to the next server if it is inaccessible. Servers can be ordered by dragging with the button.
System Health tab
The System Health tab (Figure B-6) is available after clicking on the chassis. It shows the current state
of the system, including the system health information shown in Table B-12.
Figure B-6 The System Health tab
Table B-12 System Health tab options
Status
Description
Fan 1, Fan 2
Shows the state of each fan, either up (working) or down (not working).
Firmware build
Shows the firmware build date.
Firmware revision
Shows the firmware revision. You may be asked to provide this information when contacting Network
Critical Support.
Hardware revision
Shows the hardware version. You may be asked to provide this information when contacting Network
Critical Support.
Model number
Shows the SmartNA-X model number. You may be asked to provide this information when contacting
Network Critical Support.
PSU 1, PSU 2
Shows the state of the power supply units, either up (connected) or down (not connected). For power
outage redundancy, connect to independent power supplies.
Serial number
Show the serial number. You may be asked to provide this information when contacting Network
Critical Support.
System status
Shows the overall health of the system. Under normal circumstances, the system status will always be
‘OK’. If an internal error is detected, the system status will change to ‘Contact Network Critical’. If
configured, an SNMP system health (SH) notification will also be sent should this condition occur. See
the “SNMP tab” section on page 193 for instructions on enabling the SH notification.
System temperature
Shows the temperature of the SmartNA-X chassis. If the temperature rises above a set threshold, an
SNMP notification will be sent to your configured SNMP managers.
System uptime
Shows the length of time in days, hours, minutes and seconds since the last reboot.
TAP module health tab
The TAP module Health tab is available after clicking on a TAP module. It provides access to the module
properties shown in Table B-13.
Figure B-7 TAP module Health tab
Table B-13 TAP module health tab options
Option
Description
Firmware build
Date on which the system firmware was built
Card uptime
Time since last reboot/system startup
Firmware revision
System firmware revision number
Hardware revision
Hardware revision number
Model number
System model number
Serial number
SmartNA-X device serial number
Temperature
Current system temperature
Temperature threshold (ºC)
Sets the upper temperature threshold (in Celsius) for the SNMP system to send over-temperature
notifications to SNMP clients set up to receive temperature notifications. The default threshold is set
at 60ºC.
Port tab
The Port configuration tab (Figure B-8) is available after clicking on a port. It provides access to the port
settings shown in Table B-14.
Figure B-8 The Port configuration tab
Table B-14 Port configuration tab options
Option
Description
Description
Enter a description of the port’s intended purpose.
Usage
Declares the port’s intended usage:
Tool – Port is connected to a network tool, such as a monitoring computer or data analysis equipment
Network – Port is connected to a live network
Unknown – Usage is not known/open
This setting is optional (the port will operate as normal whatever setting is selected).
Type
Shows the port type, either SFP (1G port), SFP+ (10G port) or RJ (1G port).
Speed
Sets the link speed, limiting the port to the selected value (even if the link partner doesn’t support it).
Auto (negotiated speed) can be used for all ports which support this setting, but may introduce a
failsafe delay when operating in ‘TAP’ mode. See the “Configuring port failsafe and LFP (TAP mode)”
section on page 36 for instructions.
Available for copper ports only.
MDI
Specifies the crossover mode of the port, either MDI (normal) or MDI-X (crossover).
To connect two ports of the same configuration (MDI to MDI or MDI-X to MDI-X), an Ethernet
crossover cable is needed to cross over the transmit and receive signals in the cable, so that they are
matched at the connector level. Otherwise, you can select Auto and let the ports themselves detect the
required cable connection type and configure the connection appropriately. For auto-MDI/MDI-X to
operate correctly, the data rate on the interface and duplex setting must be set to Auto.
Available for copper ports only.
Duplex
Sets the data flow mode for the link, and should generally match that of the attached device. Auto can
be used to auto-negotiate the duplex mode but may introduce a small delay during failover. See the
“Configuring port failsafe and LFP (TAP mode)” section on page 36 for instructions.
Available for copper ports only.
Mastery
Sets the port’s master/slave relationship with the link partner on a 1G RJ/copper link when in TAP
mode. In effect, it determines which end of the link is responsible for the synchronization clock. The
link will only work if there is one master and one slave.
The following master/slave settings are available:
Master! – Force Master
Slave! – Force Slave
Master? – Prefer Master
Slave? – Prefer Slave
For example, in TAP mode on port AB, you should force the partner of A to have the same settings as
B, and vice versa, which (in the case of Mastery) is done by setting A to Master! and B to Slave! (or the
opposite).
In non-TAP mode on port AB, you should set ports to either Master? or Slave?, but not to force. It
doesn’t matter which role is preferred.
Available for copper ports only.
TAP
Enables failsafe and LFP (Link Failure Propagation) mode on the TAP pair (AB/CD). TAP pairs will
continue to pass traffic if there is a power or application failure. If one of the devices connected to the
live port fails, the other live port will immediately drop. Once the failed connected device is back online, the other live port will immediately come back on-line. See the “Configuring port failsafe and LFP
(TAP mode)” section on page 36 for instructions.
Available for copper ports only.
Autolock
A security feature that automatically triggers Lock if the link drops, which could indicate the cable has
been disconnected from the port or the link partner end. To unlock the port, remove the Lock
selection. This option is not enabled by default.
Lock
A security feature that locks the port to prevent its usage. Lock can also be auto-triggered if Autolock
is enabled and a cable is removed. This option is not enabled by default.
Port Traffic tab
The port Traffic tab (Figure B-9) provides traffic statistics for the selected port, showing details for the total
number of bytes and packets received and sent since rebooting, byte rate per second, and the overall utilization
of the port.
Figure B-9 The Port traffic tab
Port Errors tab
The port Errors tab (Figure B-10) shows details of any packet errors on the port. A large number of errors may
indicate the port has been misconfigured in relation to the link partner. In general, to avoid errors, the port
settings on the two communicating devices must match.
Figure B-10 The port Errors tab
Port health tab
The port Health tab (Figure B-11) is available after clicking on a port. It provides access to the settings shown
in Table B-16.
Figure B-11 The port Health tab
Table B-16 Port Health tab options
Option
Description
Traffic threshold (high) (%)
Sets the high traffic threshold (entered as a percentage of the port’s total available carrying capacity)
for the SNMP system to send traffic high/low notifications to SNMP clients set up to receive this type
of notification. The default high traffic threshold is 75%.
Traffic threshold (low) (%)
Sets the low traffic threshold (entered as a percentage of the port’s total available carrying capacity) for
the SNMP system to send traffic high/low notifications to SNMP clients set up to receive this type of
notification. The default low traffic threshold is 50%.
Description
Set by choosing the button and entering a summary of the port usage.
Appendix C Specifications
This appendix provides specification details for SmartNA-X chassis and available TAP modules:
• SmartNA-X chassis, page 206
• 10 Gbit/s TAP module SFP+ & SFP, page 208
• 1 Gbit/s TAP module (RJ45 & RJ45), page 209
• 1 Gbit/s TAP module (LC & RJ45), page 210
• 1 Gbit/s TAP module (RJ45 & SFP), page 211
• 1 Gbit/s TAP module LC & SFP, page 212
SmartNA-X chassis
Figure C-1 SmartNA-X chassis
Ports
2 x Management ports 10/100/1000Mb
User definable (copper, single-mode fiber, multi-mode fiber, SFP/SFP+ cage ports available)
Max. 16 x 1Gb
Max. 4 x 10Gb
Slots
1 x 10G/1G module
3 x 1G module
Power
AC: 100V-240V
DC: -42V to -63V
30W (no modules)
Physical
Dimensions: 450mm (w) x 44mm (h) x 450mm (d)
Weight: Kg (including single power supply)
Compliance
Emissions: EN55022 class A
Immunity:
ESD: EN61000-4-2
Radiated: EN61000-4-3
EFT/Burst: EN61000-4-4
Surge: EN61000-4-5
Conducted: EN61000-4-6
Power frequency magnetic field: IEC 61000-4-8
Voltage dips & interruptions: IEC 61000-4-11
Harmonics: EN 61000-3-2
Flicker: EN 61000-3-3
Safety: EN60950-1; UL60950-1
Environment
RoHS compliance
Operating temperature: 0°C to 40°C
Operating relative humidity: 20% to 80% non-condensing
Storage relative humidity: 15% to 85% non-condensing
Storage temperature: -20°C to 70°C
Standards and protocols
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3ab 1000Base-T
IEEE 802.3z 1000BASE-X
IEEE 802.3ae 10GBASE-X
Management
CLI via SSH
Web UI via HTTPS
SNMPv1/v2c/v3
Authentication / authorisation
RADIUS
TACACS+
Latency
10G between chassis slots:
1G between chassis slots:
MTBF
TBD
MTU (Maximum Transmission Unit)
10240 (untagged traffic)
10244 (802.1q tagged traffic)
10 Gbit/s TAP module SFP+ & SFP
Part number
5501
Ports
2 SFP+ 10G Ports A&B
2 SFP 1G Ports C&D
Standards and protocols
Depends upon SFP / SFP+ modules fitted
Latency
10G: Port A to B: (TBD)
1G: Port C to D: (TBD)
Power
11W
MTBF
TBD
MTU (Maximum Transmission Unit)
10240 bytes (untagged and tagged traffic)
1 Gbit/s TAP module (RJ45 & RJ45)
Part number
5511
Ports
4 copper 10/100/1000M Ports A,B,C & D
Standards and protocols
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3ab 1000Base-T
Latency
1G: Port A to B, C to D: (TBD)
Power
6W max
MTBF
TBD
MTU (Maximum Transmission Unit)
10240 bytes (untagged traffic)
10244 bytes (tagged traffic)
1 Gbit/s TAP module (LC & RJ45)
Part number
552x
Ports
2 LC fixed 1G Ports A & B
2 copper 10/100/1000M Ports C & D
Standards and protocols
Depends upon fiber modules fitted Ports A & B only
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3ab 1000Base-T
Latency
1G: Port A to B: (TBD)
1G: Port C to D: (TBD)
Power
6W
MTBF
TBD
MTU (Maximum Transmission Unit)
10240 bytes (untagged traffic)
10244 bytes (tagged traffic)
1 Gbit/s TAP module (RJ45 & SFP)
Part number
5531
Ports
2 copper 10/100/1000M Ports A & B
2 SFP 1G Ports C&D
Standards and protocols
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3ab 1000Base-T
Depends upon SFP modules fitted Ports C & D
Latency
1G: Port A to B: (TBD)
1G: Port C to D: (TBD)
Power
5W
MTBF
TBD
MTU (Maximum Transmission Unit)
10240 bytes (untagged traffic)
10244 bytes (tagged traffic)
1 Gbit/s TAP module LC & SFP
Part number
554x
Ports
2 LC fixed 1G Ports A & B
2 SFP 1G Ports C&D
Standards and protocols
Depends upon fiber modules fitted Ports A & B
Depends upon SFP modules fitted Ports C & D
Latency
1G: Port A to B: (TBD)
1G: Port C to D: (TBD)
Power
3W
MTBF
TBD
MTU (Maximum Transmission Unit)
10240 bytes (untagged traffic)
10244 bytes (tagged traffic)
Appendix D Troubleshooting
Troubleshooting connections to SmartNA-X
A simple ping test can be used to check the SmartNA-X IP address is reachable from the local machine. If
DHCP is enabled, your DHCP server will automatically assign an IP address to SmartNA-X and you should
check the DHCP server active client list for the correct IP to ping. If DHCP is not enabled, you’ll need to know
the static IP that has been assigned to SmartNA-X (the default is 192.168.254.100/255.255.255.0) in order to
ping it.
If you are unable to reach the SmartNA-X device, try connecting a cable directly to the local machine and
setting the computer’s IP to an address on the same subnet. Once you’ve made a connection, you’ll be able to
change the SmartNA-X network address so it is on the correct subnet then reset the computer’s IP back to its
original IP. Direct connections can be made via the Management or Console ports using the appropriate cables
and connection methods. See the “Logging in” section on page 19 for information how to log in to the web UI,
CLI, and locally.
If all else fails, you can try connecting with IPv6 and resetting the IPv4 address after logging in, as described in
the next section.
Connecting with IPv6
If you forget the IPv4 address that allows you to configure SmartNA-X, you may use the fixed link-local IPv6
address to gain access to the system and reset the IPv4 address. Alternatively, you can connect a PC to the
Console port and reset IPv4 access locally. See the “Logging in to the CLI locally” section on page 21 for details
on how to log in via Console.
To find your SmartNA-X IPv6 address, ping the network IPv6 link-local all-nodes address (ff02::1) to return the
link-local address of all connected devices. If you do this with SmartNA-X disconnected and connected you
should be able to easily identify the correct IPv6 address. The relevant commands for Linux and Windows are
shown below:
Linux – ping6 ff02::1%interface
Windows – ping6 ff02::1%interface
where interface is the local Ethernet interface, as specified by the ifconfig command.
~# ping6 ff02::1%eth0 #SmartNA-X disconnected
PING ff02::1%eth0(ff02::1) 56 data bytes
64 bytes from fe80::e269:95ff:fe03:dde7: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from fe80::21d:ffff:fe54:99ee: icmp_seq=1 ttl=64 time=2.63 ms
64 bytes from fe80::21d:ffff:fe9a:de02: icmp_seq=1 ttl=64 time=7.21 ms
64 bytes from fe80::6ef0:49ff:fe97:c836: icmp_seq=1 ttl=64 time=9.18 ms
^C
~# ping6 ff02::1%eth0 #SmartNA-X connected
PING ff02::1%eth0(ff02::1) 56 data bytes
64 bytes from fe80::e269:95ff:fe03:dde7: icmp_seq=1 ttl=64 time=0.024 ms
64 bytes from fe80::21d:ffff:fe54:99ee: icmp_seq=1 ttl=64 time=2.63 ms
64 bytes from fe80::21d:ffff:fe9a:de02: icmp_seq=1 ttl=64 time=6.11 ms
64 bytes from fe80::21d:ffff:fe56:dec4: icmp_seq=1 ttl=64 time=8.36 ms
64 bytes from fe80::6ef0:49ff:fe97:c836: icmp_seq=1 ttl=64 time=9.41 ms
^C
When you have the correct link-local IPv6 address, use it to connect to the management interface and reset the
IPv4 address—suitable commands and example output are provided below:
~# ssh admin@fe80::21d:ffff:fe56:dec4%eth0
...
admin@fe80::21d:ffff:fe56:eec4%eth0’s password:*****
CONTROLLER>set ipv4 static 192.168.0.122 255.255.255.0 gateway 192.168.0.254
Network settings will take effect when you exit CLI.
exit to enable new network settings
CONTROLLER>exit
Exiting CLI
exit to enable new network settings
Applying new IPv4 network settings
Addressing Mode : static
Address: 192.168.0.122
Netmask: 255.255.255.0
Gateway: 192.168.0.254
Connection to 192.168.0.122 closed.
admin@example.com:~#
You will now be able to access SmartNA-X using the reset IPv4 address:
~# ssh admin@192.168.0.122
...
admin@192.168.0.122’s password:*****
CONTROLLER>
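The address-identification step above, as an added example that is not part of the manual: it parses the two ping6 runs shown (disconnected, then connected), keeps the responder that appears only in the second run, builds the scoped ssh target used in the session above, and also recovers the MAC address from an EUI-64 interface identifier so the result can be checked against the label on the unit. It assumes the Linux ping6 output format shown above and that the link-local address is EUI-64 derived (the ff:fe marker in the addresses suggests it, but that is an assumption).

```python
import ipaddress
import re
from typing import Optional, Set

# Constructed sample input: the two ping6 runs shown in the text, first with
# SmartNA-X disconnected and then connected (copied from the example output).
PING_DISCONNECTED = """\
PING ff02::1%eth0(ff02::1) 56 data bytes
64 bytes from fe80::e269:95ff:fe03:dde7: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from fe80::21d:ffff:fe54:99ee: icmp_seq=1 ttl=64 time=2.63 ms
64 bytes from fe80::21d:ffff:fe9a:de02: icmp_seq=1 ttl=64 time=7.21 ms
64 bytes from fe80::6ef0:49ff:fe97:c836: icmp_seq=1 ttl=64 time=9.18 ms
"""
PING_CONNECTED = """\
PING ff02::1%eth0(ff02::1) 56 data bytes
64 bytes from fe80::e269:95ff:fe03:dde7: icmp_seq=1 ttl=64 time=0.024 ms
64 bytes from fe80::21d:ffff:fe54:99ee: icmp_seq=1 ttl=64 time=2.63 ms
64 bytes from fe80::21d:ffff:fe9a:de02: icmp_seq=1 ttl=64 time=6.11 ms
64 bytes from fe80::21d:ffff:fe56:dec4: icmp_seq=1 ttl=64 time=8.36 ms
64 bytes from fe80::6ef0:49ff:fe97:c836: icmp_seq=1 ttl=64 time=9.41 ms
"""

# A reply line names the responder; ff02::1 is the all-nodes multicast group,
# so every host on the link answers from its own link-local (fe80::/10) address.
REPLY_RE = re.compile(r"^\d+ bytes from ([0-9a-f:]+):", re.IGNORECASE)


def responders(ping_output: str) -> Set[str]:
    """Link-local addresses that answered in one ping6 run, in canonical form."""
    found = set()
    for line in ping_output.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            found.add(str(ipaddress.IPv6Address(m.group(1))))
    return found


def new_responders(before: str, after: str) -> Set[str]:
    """Addresses present only when SmartNA-X is connected."""
    return responders(after) - responders(before)


def ssh_target(before: str, after: str, interface: str = "eth0",
               user: str = "admin") -> str:
    """Scoped ssh target, e.g. admin@fe80::...%eth0.  Raises unless the two
    runs isolate exactly one new device: another host joining the link, or a
    dropped reply, would otherwise be mistaken for the TAP."""
    new = new_responders(before, after)
    if len(new) != 1:
        raise ValueError(f"expected one new responder, got {sorted(new)}")
    (addr,) = new
    return f"{user}@{addr}%{interface}"


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC address from a modified-EUI-64 interface identifier
    (assumption: SmartNA-X derives its link-local address this way).  Returns
    None when the ff:fe marker is absent, i.e. the identifier is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # clear the U/L bit
    return ":".join(f"{b:02x}" for b in raw)
```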
Troubleshooting the web UI
The SmartNA-X web UI has been written to comply with W3C recommendations and uses standard Java 1.5
for the applet. In principle the system should run on any platform that supports web standards, including the
latest versions of Internet Explorer, Firefox, Chrome, Opera, and Safari.
Users should note the following browser limitations:
• Internet Explorer 7 (IE7) is not recommended.
• In IE8 some cosmetic details may differ from screenshots of more modern browsers, but no functionality
should be affected.
• The IcedTea Java plugin installed by default on some Linux distributions should not be used; remove it and
install the proprietary Sun/Oracle Java plugin instead.
Resolving web UI issues on Mac OSX
Issues have been found on Mac OSX machines when attempting to log in to the web UI: although the login
screen is displayed, it is not possible to log in.
To fix this issue on Mac OSX 10.6, you should select the option for Enable applet plug-in and Web Start
applications in the General section of the Java Preferences application (found in Applications/Utilities) and
restart the browser. This will cause a “Verify Certificate” window to appear upon connection to the web UI.
Click “Trust” in order to log in to the web UI. On systems running Mac OSX 10.7 and Java 7, you’ll need to use
Oracle’s Java System Preferences panel, which contains similar options for enabling, disabling, and otherwise
configuring the installed Java runtimes.
Troubleshooting the CLI
If you are unable to connect to the SmartNA-X CLI, we suggest running your SSH client in verbose mode in
order to print debug messages:
~$ ssh -v admin@192.168.254.100
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.254.100 [192.168.254.100] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze1
debug1: match: OpenSSH_5.5p1 Debian-6+squeeze1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 52:5a:1d:41:2c:77:de:3f:30:d1:b8:d2:6e:e4:bb:c1
debug1: Host '192.168.254.100' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: Next authentication method: password
admin@192.168.254.100's password:
The SmartNA-X public host key must be in the known hosts list, in this case /home/user/.ssh/known_hosts.
The following error will be displayed when the remote host key changes (after you’ve connected earlier with a
valid remote host key):
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
52:5a:1d:41:2c:77:de:3f:30:d1:b8:d2:6e:e4:bb:c1.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts: 8
Permission denied (publickey,password).
In this case, you must remove the stale key to proceed further. Use the following command to remove the offending
key, replacing the 8 in '8d' with the line number reported in the “Offending key” line of the warning message:
# sed -i '8d' ~/.ssh/known_hosts
After removing the key, try connecting to SmartNA-X again and accept the RSA key.
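An added example, not from the manual, of handling this warning defensively: it extracts the key type, the presented fingerprint and the “Offending key” line number from the warning reproduced above, reproduces what sed -i 'Nd' does on a constructed known_hosts file, and only treats the entry as safe to clear when the new fingerprint matches one obtained out of band (for instance over the Console port). The known_hosts contents and key blobs are constructed placeholders.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the warning text reproduced in the troubleshooting section.
HOST_KEY_WARNING = """\
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
52:5a:1d:41:2c:77:de:3f:30:d1:b8:d2:6e:e4:bb:c1.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts: 8
Permission denied (publickey,password).
"""


def _sample_known_hosts() -> str:
    """Constructed known_hosts with nine entries; line 8 is the stale TAP entry.
    The key blobs are placeholders, not real keys."""
    lines = [f"host{n}.example ssh-rsa PLACEHOLDER_KEY_{n}" for n in range(1, 10)]
    lines[7] = "192.168.254.100 ssh-rsa STALE_KEY_PLACEHOLDER"   # line 8
    return "\n".join(lines) + "\n"


SAMPLE_KNOWN_HOSTS = _sample_known_hosts()


class HostKeyChange(NamedTuple):
    key_type: str      # e.g. "RSA"
    fingerprint: str   # colon-separated MD5 fingerprint, lower case
    known_hosts: str   # path reported by ssh
    line: int          # 1-based line of the stale entry


# The fingerprint sits on the line after "...sent by the remote host is",
# hence \s+ spanning the newline.
FINGERPRINT_RE = re.compile(
    r"fingerprint for the (\w+) key sent by the remote host is\s+([0-9a-fA-F:]+)\.")
OFFENDING_RE = re.compile(r"Offending key in (\S+): (\d+)")


def parse_warning(text: str) -> Optional[HostKeyChange]:
    """Key type, fingerprint, known_hosts path and line; None if not this warning."""
    if "REMOTE HOST IDENTIFICATION HAS CHANGED" not in text:
        return None
    fp, off = FINGERPRINT_RE.search(text), OFFENDING_RE.search(text)
    if not fp or not off:
        return None
    return HostKeyChange(fp.group(1), fp.group(2).lower(), off.group(1), int(off.group(2)))


def removal_command(change: HostKeyChange) -> str:
    """The sed invocation from the text, with the reported line number filled in."""
    return f"sed -i '{change.line}d' {change.known_hosts}"


def remove_line(known_hosts: str, line_no: int) -> str:
    """What sed -i 'Nd' does: drop the N-th (1-based) line, keep everything else."""
    lines = known_hosts.splitlines(keepends=True)
    if not 1 <= line_no <= len(lines):
        raise IndexError(f"known_hosts has {len(lines)} lines, no line {line_no}")
    del lines[line_no - 1]
    return "".join(lines)


def safe_to_remove(change: HostKeyChange, expected_fingerprint: str) -> bool:
    """True only when the presented fingerprint equals one recorded out of band;
    any other value is the eavesdropping case the warning names, and the stale
    entry should stay so that ssh keeps refusing the connection."""
    return change.fingerprint == expected_fingerprint.lower()
```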
Troubleshooting SNMP
Most SNMP issues can be resolved quickly by:
• Verifying that the SmartNA-X SNMP agent has been enabled.
• Verifying that the community string or view-based access control (VACM) settings are properly configured
on the system by using the SNMP web UI configuration windows. By default, no community string or user is
configured on the system.
Cannot receive any notifications from the system
This condition means that the notification destination is not configured correctly on the system. Verify that
you configured the notification destination properly in the “SNMP Notification Hosts” window.
Resetting the system to the default configuration
Resetting the system to the default configuration returns port settings, filters, port maps and SNMP settings to
their factory defaults. Network settings and user accounts are not reset. To reset the system to the default
configuration, open the web UI and select the Management tab, click Saved Configurations and choose
“factory_defaults” from the list of available profiles. You can also do the same using the CLI by entering the
following commands:
CONTROLLER>restore factory_defaults
applied settings OK
APPENDIX E
GLOSSARY
community string
A text string used to authenticate messages between a management station and an SNMP v1/v2c engine.
context
A context name, or “context” for short, identifies a collection of management information accessible by an SNMP
entity. An item of management information may exist in more than one context, and an SNMP entity
potentially has access to many contexts. In other words, if an item of management information has been defined
under a certain context by an SNMPv3 entity, then any management application can access that item
by giving that context name. The “context name” is an octet string identifying a context that holds at least one
item of management information.
engine-id
An engine ID is defined as the administratively unique identifier of an SNMPv3 engine, and is used for
identification. An engine-id is also used to compute the security digest for authentication and encryption.
Please refer to RFC 3411, “An Architecture for Describing Simple Network Management Protocol (SNMP)
Management Frameworks” for more details.
Failsafe/fail-over
Failsafe (or fail-over) maintains full-duplex pass through capability to protect network links from downtime
in the event of a product failure.
Link failure propagation (LFP)
LFP allows attached network devices to detect if link state is lost on the adjacent network device. In effect,
LFP simulates direct connection of the two devices by a cable, in that if one of the connected devices fails the
other device will immediately be taken down.
Management information base (MIB)
SNMP itself does not define which information (which variables) a managed system should offer. Rather,
SNMP uses an extensible design, where the available information is defined by management information
bases (MIBs). MIBs describe the structure of the management data of a device subsystem; they use a
hierarchical namespace containing object identifiers (OID). Each OID identifies a variable that can be read
or set via SNMP. MIBs use the notation defined by ASN.1.
RADIUS
RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary
server and one or two backups) and maintain separate authentication and accounting for each RADIUS
server employed. For authentication, this allows a different password for each user instead of having to rely
on maintaining and distributing switch-specific passwords to all users. For accounting, this can help you
track network resource usage.
security level
A type of security algorithm performed on each SNMP packet. The three levels are: noauth, auth, and priv.
noauth authenticates a packet by a string match of the user name. auth authenticates a packet using
either the MD5 or SHA algorithm. priv authenticates a packet using either the MD5 or SHA algorithm
and encrypts the packet using the DES or AES algorithm. SNMP v1/v2c only offer noauth; with v3 you
can specify both authentication and privacy options.
security model
The security strategy used by the SNMP agent. Currently, three security models are supported by Network
Critical: SNMPv1, SNMPv2c, and USM (User-based Security Model).
security name
A term used in the VACM sectogroup command. It can be either an SNMP user name created using the 'snmp user'
command for SNMPv3, or a security name created using the snmp comtosec command for SNMPv1 and
SNMPv2.
SNMP
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on
IP networks. It is used mostly in network management systems to monitor network-attached devices for
conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as
defined by the Internet Engineering Task Force (IETF). It consists of a set of standards for network
management, including an application layer protocol, a database schema, and a set of data objects.
SNMP exposes management data in the form of variables on the managed systems, which describe the
system configuration. These variables can then be queried and set by managing applications.
SNMP agent
An agent is a network-management software module that resides on a managed device. An agent has local
knowledge of management information and translates that information to or from an SNMP specific form.
SNMP engine
A copy of SNMP that can reside on either the local or a remote device. Each SNMP engine is uniquely
identified by an engineId.
SNMP group
A group is a set of zero or more <securityModel, securityName> tuples on whose behalf SNMP management
objects can be accessed. A group defines the access rights afforded to all securityNames which belong to that
group. The combination of a securityModel and a securityName maps to at most one group. A group is
identified by a groupName. The View-based Access Control Model uses the securityModel and the
securityName as inputs to the Access Control module when called to check for access rights. It determines
the groupName as a function of securityModel and securityName.
SNMP manager
In typical SNMP uses, one or more administrative computers, called managers, have the task of monitoring
or managing (configuring) a group of devices on a network. Each managed system executes, at all times, a
software component called an agent which reports information via SNMP to the manager.
TACACS+
TACACS+ (Terminal Access Controller Access-Control System) provides a centralized database against
which to perform Authentication, Authorization, and Accounting (AAA).
VACM
VACM (View-based Access Control Model) is a mechanism that regulates access to MIB objects by
providing a fine-grained access control mechanism associating users/community strings with MIB views.
APPENDIX F
HARDWARE WARRANTY
Subject to the provisions described below, this NETWORK CRITICAL SOLUTIONS product is protected for
one (1) year from date of purchase against defect in material and workmanship.
Should a product fail to perform as described above within the warranted period, it will be repaired or replaced
with the same or functionally equivalent product by NETWORK CRITICAL SOLUTIONS, at its discretion,
free of charge provided you: (1) return the product to a NETWORK CRITICAL SOLUTIONS designated
repair facility with shipping charge prepaid, and (2) provide NETWORK CRITICAL SOLUTIONS with proof
of the original date of purchase. Repaired or replacement products will be returned to you with shipping
charges prepaid.
Replacement products may be refurbished or contain refurbished materials. If NETWORK CRITICAL
SOLUTIONS, by its sole determination, is unable to repair or replace the defective product, it will refund the
depreciated purchase price of the product.
This warranty does not apply if, in the judgement of NETWORK CRITICAL SOLUTIONS, the product fails
due to damage from shipment, handling, storage, accident, abuse or misuse, or if it has been used or
maintained in a manner not conforming to the product manual instructions, has been modified in any way, or
has had any serial number removed or defaced. Repair by anyone other than NETWORK CRITICAL
SOLUTIONS or an approved agent will void this warranty. The maximum liability of NETWORK CRITICAL
SOLUTIONS under this warranty is limited to the purchase price of the product covered by the warranty.
Prior to returning any defective product, the end customer or the reseller from whom the end customer
originally purchased the product must obtain a Return Materials Authorisation (RMA) number from
NETWORK CRITICAL SOLUTIONS. All defective products should be returned to NETWORK CRITICAL
SOLUTIONS with shipping charges prepaid. NETWORK CRITICAL SOLUTIONS will not accept collect
shipments.
Except as specifically provided in this agreement or as required by law, the warranties and remedies stated
above are exclusive and in lieu of all others, oral or written, express or implied. Any or all other warranties,
including implied warranties of merchantability, fitness for a particular purpose and non-infringement of third
party rights are expressly excluded. NETWORK CRITICAL SOLUTIONS shall not under any circumstances
be liable to any person for any special, incidental, indirect or consequential damages, including without
limitation, damages resulting from use or malfunction of the product, loss of profits or revenues or costs of
replacement goods, even if NETWORK CRITICAL SOLUTIONS is informed in advance of the possibility of
such damages.
APPENDIX G
SUPPORTED MIBS
Table G-1 lists the proprietary SNMP MIBs supported by Network Critical’s SmartNA-X network TAP device:
MIB | Description
NCPRODUCTIDS-MIB | Unique IDs for Network Critical products.
NCSYSTEM-MIB | System information of Network Critical products.
NCTAP-MIB | Information specific to TAPs and proprietary notifications (traps). The 64-bit packet in and out counters (psHCInPackets and psHCOutPackets respectively) in NCTAP-MIB are accessible through SNMPv2 and v3 only. This is a limitation of the SNMPv1 standard.
Table G-1 Proprietary MIBs supported
Table G-2 lists the standard MIBs supported by SmartNA-X:
MIB | Description
IANAifType-MIB | Interface types referenced in IF-MIB.
IF-MIB | Interface information and notifications (linkUp and linkDown).
NOTIFICATION-LOG-MIB | Partial read-only support of objects in this MIB; see the restrictions listed after the table.
SNMP-FRAMEWORK-MIB | Read-only support of objects in this MIB.
SNMP-NOTIFICATION-MIB | Read-only support of objects in this MIB.
SNMP-TARGET-MIB | Read-only support of objects in this MIB.
SNMP-USER-BASED-SM-MIB | Read-only support of objects in this MIB.
SNMP-VIEW-BASED-ACM-MIB | Read-only support of objects in this MIB.
SNMPv2-CONF-MIB | Conformance definitions referenced in SNMPv2-MIB.
SNMPv2-MIB | System information and SNMP notifications (coldStart, warmStart and authenticationFailure).
Table G-2 Standard MIBs supported
The following restrictions apply to objects within the NlmLogVariableTable table of NOTIFICATION-LOG-MIB:
• nlmLogVariableID (supported)
• nlmLogVariableValueType (supported)
• nlmLogVariableTimeTicksVal (supported for 1st entry only)
• nlmLogVariableInteger32Val (not supported)
• nlmLogVariableOctetStringVal (not supported)
• nlmLogVariableOidVal (not supported)
The following restrictions apply to objects within the NlmLogTable table:
• nlmLogTime TimeStamp (supported)
• nlmLogDateAndTime DateAndTime (supported)
• nlmLogEngineID SnmpEngineID (not supported)
• nlmLogEngineTAddress TAddress (not supported)
• nlmLogEngineTDomain TDomain (not supported)
• nlmLogContextEngineID SnmpEngineID (not supported)
• nlmLogContextName SnmpAdminString (not supported)
• nlmLogNotificationID (accessible by column only)
Obtaining SmartNA MIB Files
SmartNA MIB files can be downloaded from Network Critical at the following web address:
http://www.networkcritical.com/Support/SmartNA-Tools
APPENDIX H
IP PROTOCOLS
Table H-1 lists some of the IP protocols that you can filter on the SmartNA-X network tapping device (see the
note following the table). In the table, the ‘Protocol’ column lists the protocol name, the ‘Identifier’ column lists
other names for the same protocol, and the ‘ISO Designator’ column lists the numeric designator for each
protocol. For instructions on using IP protocols with filters, see Chapter 8, “Using Packet Filters”, page 51.
Protocol | Identifier | ISO Designator
IPv6 Hop-by-Hop Option | HOPOPT | 0
Internet Control Message Protocol | ICMP | 1
Internet Group Management Protocol | IGMP | 2
IPv4 (encapsulation) | IPv4 | 4
Internet Stream Protocol | ST | 5
Transmission Control Protocol | TCP | 6
Exterior Gateway Protocol | EGP | 8
Network Voice Protocol | NVP-II | 11
Xerox PUP | PUP | 12
ARGUS | ARGUS | 13
EMCON | EMCON | 14
Cross Net Debugger | XNET | 15
CHAOS | CHAOS | 16
User Datagram Protocol | UDP | 17
Multiplexing | MUX | 18
XNS-IDP | IDP | 22
ISO-TP4 | TP4 | 29
Datagram Congestion Control Protocol | DCCP | 33
Xpress Transport Protocol | XTP | 36
Datagram Delivery Protocol | DDP | 37
Table H-1 IP Protocols
Note: SmartNA-X supports filtering on any of the numeric protocols 0–255.
Protocol | Identifier | ISO Designator
IL Transport Protocol | IL | 40
IPv6 (encapsulation) | IPv6 | 41
Routing Header for IPv6 | IPv6-Route | 43
Fragment Header for IPv6 | IPv6-Frag | 44
Resource Reservation Protocol | RSVP | 46
Generic Routing Encapsulation | GRE | 47
BNA | BNA | 49
Encapsulating Security Payload | ESP | 50
Authentication Header | AH | 51
IP with Encryption (SwIPe) | SWIPE | 53
NBMA Address Resolution Protocol | NARP | 54
Transport Layer Security Protocol (using Kryptonet key management) | TLSP | 56
Simple Key-Management for Internet Protocol | SKIP | 57
ICMP for IPv6 | IPv6-ICMP | 58
No Next Header for IPv6 | IPv6-NoNxt | 59
Destination Options for IPv6 | IPv6-Opts | 60
Versatile Message Transaction Protocol | VMTP | 81
Secure Versatile Message Transaction Protocol | SECURE-VMTP | 82
EIGRP | EIGRP | 88
Open Shortest Path First | OSPF | 89
Ethernet-within-IP Encapsulation | ETHERIP | 97
Encapsulation Header | ENCAP | 98
Protocol Independent Multicast | PIM | 103
IP Payload Compression Protocol | IPComp | 108
Virtual Router Redundancy Protocol | VRRP | 112
Table H-1 IP Protocols (continued)
Protocol | Identifier | ISO Designator
PGM Reliable Transport Protocol | PGM | 113
Layer Two Tunneling Protocol Version 3 | L2TP | 115
IS-IS over IPv4 | — | 124
Stream Control Transmission Protocol | SCTP | 132
Fibre Channel | FC | 133
UDP Lite | — | 136
MPLS-in-IP | — | 137
MANET Protocols | manet | 138
Host Identity Protocol | HIP | 139
Site Multihoming by IPv6 Intermediation | Shim6 | 140
Table H-1 IP Protocols (continued)
APPENDIX I
TECHNICAL SUPPORT & CONTACT DETAILS
For technical support, see our support pages on the web at http://www.networkcritical.com/support/. Your
Network Critical regional Support Center can also provide help:
• North and South America
Tel: +1 (716) 558-7280
Email: support-us@networkcritical.com
• Europe
Tel: +44 (0)118 954 3210
Email: support@networkcritical.com
Please supply the following information when contacting your Support Center:
• Model number
• Hardware revision
• Serial number
• Firmware revision
This information is available from the web UI Health tab or by running the show status command.