Professional Documents
Culture Documents
Administrators Guide
Riverbed Technology
199 Fremont Street
San Francisco, CA 94105 USA
hwi-FM-2
Document Copyright
Riverbed and any Riverbed product or service name or logo used herein are
trademarks of Riverbed Technology. All other trademarks used herein belong to
their respective owners. The trademarks and logos displayed herein may not be
used without the prior written consent of Riverbed Technology or their
respective owners.
PATENTS
Riverbed Technology.
199 Fremont St.,
San Francisco CA 94105,
USA
General
Telephone: 415.247.8800
E-mail: info@riverbed.com
Web: http://www.riverbed.com
Technical Support
Telephone: 240.497.1200
Fax: 240.497.1064
E-mail: support@riverbed.com
This Documentation and Riverbed
This document and the accompanying product documentation describes the functions of the Riverbed
software product(s) (SOFTWARE) identified above (this document and the product documentation are
collectively referred to as DOCUMENTATION). Riverbed Technology, 199 Fremont St., San Francisco,
California 94105 is the sole owner of all rights, title, and interest to the DOCUMENTATION and SOFTWARE.
Nothing herein shall grant or imply a license to the DOCUMENTATION or SOFTWARE. The right to use the
DOCUMENTATION and SOFTWARE shall result only from entering into a Master Software License
Agreement and a Software Usage Agreement, and paying the applicable license fees.
hwi-FM-3
Confidential Information
The User agrees that the DOCUMENTATION, including this document, are the proprietary property of
Riverbed and constitutes a trade secret of Riverbed. The User agrees that access to and use of this document
does not grant any title or rights of ownership. The User shall not copy or reproduce, in whole or in part,
disclose or permit third parties access to this document without the prior written consent of Riverbed. This
document may not be stored, in whole or in part, in any media without the prior written consent of Riverbed.
Any unauthorized use of this document will be subject to legal action that may result in criminal and/or civil
penalties against the User.
hwi-FM-4
THE USER UNDERSTANDS AND ACCEPTS THAT RIVERBED SHALL NOT BE LIABLE FOR DAMAGES
WHICH ARE: (i) INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR CONSEQUENTIAL, OR (ii) THE
RESULT FROM LOSS OF USE, DATA, OR PROFITS, OR (iii) FROM THE USE OF THE SOFTWARE AND
DOCUMENTATION, WHETHER BROUGHT IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE,
EVEN IF Riverbed WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Export Controls
Any User of the DOCUMENTATION including this document shall comply with the laws of the United States,
including the provisions of the U.S. Department of Commerce, Bureau of Industry Security (BIS), Export
Administration Regulations (EAR), the U.S. Department of State, International Traffic in Arms Regulations,
and the U.S. Treasure Department, Office of Foreign Assets Control, regarding the export, re-export and
disclosure of the DOCUMENTATION or the SOFTWARE. Any export, re-export or disclosure of the
DOCUMENTATION or the SOFTWARE shall be subject to the prior written consent of Riverbed. Users shall
not remove any Destination Control Notices provided by Riverbed from the DOCUMENTATION or the
SOFTWARE.
hwi-FM-5
hwi-FM-6
Contents
Contents
Copyright and Contacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
adm-1-13
Audit Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Appliance Information Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Accessing the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Administration > System Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Accessing the Administration > System Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User Accounts in the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Managing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Account Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RADIUS Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Local Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Global Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Order of Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User Admin Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Account Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Important Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Create/Edit a Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Assign Roles to a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Network Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Outgoing Email Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Customizing Sender Names of Outgoing Emails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring an Appliance to Send Emails Using an SMTP Relay . . . . . . . . . . . . . . . . . . . . . . .
Running Diagnostics and Viewing Error Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Checking the Factory Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Halting or Rebooting the Appliance from the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Up Private-Address to AS-Number Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring SYSLOG Alert Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Traceroute Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Automated and Manual Traceroutes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Traceroute Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Traceroute Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Diagnostics in the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Bundles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hardware Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Software Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
AppResponse Xpert/Release 9.0
15
18
19
19
21
22
22
24
24
24
25
25
25
26
27
28
28
29
30
31
32
32
34
35
36
37
38
39
41
41
42
42
43
43
45
45
47
47
48
49
50
51
53
adm-FM-7
Contents
Log Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Halting or Rebooting the Appliance from the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Traffic Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Network Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Managing Software Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Licensing a New Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Adding a License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Activating an Extended Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Moving Licenses from One Appliance/Director to Another . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Diagnostics Bundles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Creating a Diagnostics Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deleting a Diagnostics Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Downloading a Diagnostics Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Removing Residual Data from Appliance Disk Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Rollback Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Diskwipe Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Important Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Rollback and Diskwipe Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Running DiskWipe in Stand-Alone Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ResetData Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Application Stream Analysis (ASA) Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ASA Boost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Calculation of Round Trip Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VXLAN Decoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ignore Wire Length When Calculating Sizes for Pre-Sliced Packets . . . . . . . . . . . . . . . . . . . . .
Password Complexity Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enable / Configure Password Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Change a Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Lock a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
adm-2-77
Pre-installation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
AppResponse Xpert Appliance Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
AppResponse Xpert Appliance Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Physical Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Internal Address List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Single Span Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Dual Span Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Copper/Fiber Tap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Placement Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Span Port Physical Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Traffic Volume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Traffic Symmetry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Modified Frame Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Encryption, Tunneling and Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
adm-FM-8
53
55
56
58
59
59
60
60
61
63
63
63
63
64
64
64
65
65
66
67
68
68
70
71
71
72
72
74
75
78
78
79
80
81
84
84
85
85
85
85
86
86
86
87
87
87
87
Contents
adm-3-135
adm-FM-9
Contents
IPv6 Support
adm-4-141
148
151
152
156
161
163
164
166
168
168
168
169
170
171
172
172
172
175
177
177
ADM-A-179
adm-FM-10
142
142
142
144
145
adm-5-147
App A
138
138
138
138
139
139
139
139
139
140
179
180
180
181
181
181
Contents
App B
adm-B-183
App C
adm-C-187
Tcpdump Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tcpdump Primitives and Qualifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Allowable Primitives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Combining Primitives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
App D
adm-D-193
Rollback Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Diskwipe Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Important Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Rollback and Diskwipe Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Running DiskWipe in Stand-Alone Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ResetData Utility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
App E
193
193
194
194
195
196
adm-E-197
Index
187
187
188
190
197
198
198
199
206
207
207
209
209
209
209
211
adm-IX-213
adm-FM-11
Contents
adm-FM-12
NoteThis manual was last updated on June 13, 2014. Because release notes
and other documentation is sometimes updated after the product
documentation is distributed, it is good practice to visit the Riverbed website to
check for the latest version of the Release Notes and this and other manuals.
Go to https://support.riverbed.com, then navigate to the AppResponse Xpert
Appliance page.
For more information, see:
Audit Log
Appliance Information Window
Using the Command Line Interface
Administration > System Web Interface
Managing User Accounts
Configuring Network Parameters
Configuring Outgoing Email Parameters
Running Diagnostics and Viewing Error Logs
Checking the Factory Settings
Halting or Rebooting the Appliance from the CLI
Setting Up Private-Address to AS-Number Maps
Configuring SYSLOG Alert Destinations
Traceroute Parameters
SNMP Traps
Diagnostics in the Web Interface
Halting or Rebooting the Appliance from the Web Interface
Configuring Traffic Filters
AppResponse Xpert/Release 9.0
adm-1-13
adm-1-14
Audit Log
The Audit Log (View > Log > Audit Log) maintains a list of significant events that
have occurred on the system. The Audit Log of a Domain Director maintains a
list of events related to configuration distribution (see Distributing Configuration
Information on page dir-2-29 of the AppResponse Xpert Director User Guide).
The following events are recorded in the Audit Log:
New, changed or deleted configuration items - An audit log entry is generated
any time a configuration item is created, modified or deleted within a
Manager inside the Desktop Console. The audit log entry includes the name
of configuration item affected, the relevant Manager, the nature of the
configuration change and the user account that made the change. The audit
log on the director includes entries for all global configuration items. The
audit log on an appliance only includes entries for local configuration items.
User Logins - An audit log entry is generated any time a user connects or
disconnects to an AppResponse Xpert Appliance.
You can export the contents of an audit log to a CSV file: while the Audit Log
window is active, choose File > Export (entire log) or File > Export Selection
(selected rows only).
A typical Audit Log is shown in the following figure.
Figure 1-1 Audit Log
adm-1-15
By default, the Audit Log displays the last 500 entries. The number of entries
displayed can be changed; simply type in the number and press the Enter key.
Figure 1-2 Audit log - Show Selector
Alternatively, the Audit Log can be configured to display only entries that were
generated during the current time selection by choosing Project Time Interval.
For more information, see Time Selection on page ug-2-33.
The following fields can be displayed for event records in the Audit Log:
DateThe date and time that the entry was generated.
Manager/InterfaceThe name of the Manager that generated the audit
event.
ParameterThe name of the configuration item.
DescriptionA description of the event. e.g., GROUP CREATED, ALERT
DELETED, USER CONNECT.
Original ValueThe original value of a configuration item that has been
changed.
New ValueThe new value of a configuration item that has been changed.
ResultSpecifies whether the event causing the audit log entry was
successful.
NameThe user account that made the configuration change.
AddressThe IP address from which the user is connecting to the
AppResponse Xpert Appliance.
By default, the Name and Address fields are not displayed. However, you can
customize the fields to display.
adm-1-16
Related Topics
Administration and Maintenance
adm-1-17
The buttons on the Appliance Information window can be used in the following
ways:
RefreshDisplays up-to-the minute status information.
EmailSends a copy of the status (by email) to an intended recipient.
CopyCopies to a clipboard.
CancelCloses the window.
?Displays the AppResponse Xpert User Manual.
Related Topics
Administration and Maintenance
adm-1-18
adm-1-19
The CLI prompts for a valid username and password before granting access.
After logging in, type help and press Enter to see a list of valid commands.
Figure 1-6 Command Line Interface - Help
adm-1-20
adm-1-21
adm-1-22
Only one administrative user can be logged into the web interface at a time. If
an administrative user is already logged in and a second administrative user
attempts to access the web interface, the second user is granted access in
read-only mode. Only the special admin user is granted read-write access while
another administrative user is logged in.
Always use the logout link to exit the web interface. If you leave the appliance
web interface without clicking the logout link, it takes 20 minutes for your session
to expire. If you were granted administrative access, other users are not granted
read-write access (except admin) until the session expires.
Related Topics
Administration and Maintenance
adm-1-23
Account Types
Prior to version 4.0, each appliance maintained a database of local users
accounts which could be used to access that appliances.
With the introduction of version 4.0, the AppResponse Xpert Appliance can also
authenticate users against an external RADIUS server. For appliances that
belong to a domain, a user account can be granted global access to the domain.
Global access allows that account to log into any appliances within the domain.
RADIUS Accounts
adm-1-24
Order of Authentication
When a user logs in, the AppResponse Xpert Appliance attempts to
authenticate the account against RADIUS first, followed by accounts listed in
the User Admin Manager. Therefore, if there is an account in RADIUS with the
same name as an account in the Desktop Console User Admin Manager, the
one in RADIUS takes precedence. If authentication against RADIUS fails for
any reason (e.g., incorrect password, incorrect vendor-specific attribute in
RADIUS), the AppResponse Xpert Appliance attempts to authenticate against
the local or global users listed in the User Admin Manager.
adm-1-25
NoteThe password for the admin account cannot be changed using the User
Admin Manager. The CLI command passwd must be used instead.
Figure 1-8 User Admin Manager
The user admin manager is only available to user accounts with administrative
privileges.
To create a new user account, click the New button and supply the name,
description, password and privilege level (see also Account Privileges on
page adm-1-27).
Accounts created on a regular appliance are local to that appliance. Whereas,
accounts created on the Domain Director are global and can log into any
appliance within the domain. However, if a local account exists on an appliance
with the same name as a new global account, the appliance rejects the new
global account when the account configuration information is distributed by the
director. An error appears in the Director Update Log.
adm-1-26
Account Privileges
Each account is assigned a specific privilege which controls the operations that
the account is allowed to perform. The following table lists the account
privileges.
.
VSA String
Description
Basic
npinsight
Restricted
npread
Standard
npuser
Administrative
npadmin
adm-1-27
The user account associated with the current project is displayed at the top right
of the Desktop Console screen. Hover the mouse pointer over the user name to
see the privilege level of the user.
Figure 1-9 Current User Privilege Level
Related Topics
adm-1-28
adm-1-29
For the following tabs, move the items that a user can view/publish into the
Assigned column, or check Access All (if this option is available).
Insight Accessibility
Report Accessibility
Custom View (Web UI) Accessibility
Special Features
4 Click Apply or OK to save your changes.
End of Procedure 1-3
adm-1-30
adm-1-31
Noterootmasq is an advanced command; if you do not see it in the list, you can
enter expert to turn on expert mode.
adm-1-32
adm-1-33
Description
mta_relay
mta_relay_port
This parameter specifies the TCP port number used by the SMTP
relay. This parameter does not need to be configured. By default,
the appliance attempts to communicate with the mta_relay host
using TCP port 25.
[optional]
mta_masq_domain
[optional]
Related Topics
Administration and Maintenance
adm-1-34
adm-1-35
adm-1-36
adm-1-37
adm-1-38
emerg
alert
crit
err
warning
notice
info
debug
adm-1-39
SYSLOG priority
critical
major
minor
normal
adm-1-40
Traceroute Parameters
Traceroute is an important source of data for the AppResponse Xpert
Appliance. All topology information displayed in the IP topology tool is collected
through traceroute. In addition, all traceroute metrics are based on data
collected through traceroute.
adm-1-41
Traceroute Types
The AppResponse Xpert Appliance supports both standard ICMP traceroute
and TCP-based traceroute. Conventionally, traceroutes are performed by
sending out either UDP datagrams or ICMP echo request messages and
waiting for ICMP errors. The AppResponse Xpert Appliance can send out either
TCP SYN request or UDP datagrams and detects both ICMP errors and TCP
RST segments. Due to different traffic filtering, one form of traceroute may
provide more accurate results than the other for any given destination.
adm-1-42
SNMP Traps
In addition to user-configurable static and adaptive alerts (described in Alerting
and the Dashboard on page ug-11-357 of the AppResponse Xpert User Guide),
the AppResponse Xpert Appliance can be configured to generate alerts of two
other types:
Appliance alertsAppliance alerts are SNMP traps that are automatically
generated when the AppResponse Xpert Appliance experiences abnormal
environmental conditions or excessive resource consumption.
Heartbeat alertsHeartbeat alerts are SNMP traps sent periodically by the
AppResponse Xpert Appliance to indicate that the AppResponse Xpert
Appliance is functioning correctly. This includes an cold-start trap each time
the SNMP agent on the appliance is restarted. These cold-start traps occur
whenever the appliance is rebooted, or when changes are made to SNMP
settings through the web interface.
Configuring SNMP
SNMP must be configured through the web interface in order for the
AppResponse Xpert Appliance to generate SNMP traps. To configure SNMP,
begin by logging into the web interface. On the System menu, click snmp. The
following SNMP parameters can be set:
SNMP AgentEnable or disable the SNMP agent on the
AppResponse Xpert Appliance. If disabled, the SNMP agent does not
respond to SNMP queries.
CommunitySet the community string for the SNMP agent on the
AppResponse Xpert Appliance.
TrapsEnable or disable SNMP traps generated by the AppResponse Xpert
Appliance. This includes static alerts, appliance alerts and heartbeat alerts.
Trap DestinationThe AppResponse Xpert Appliance forwards traps to the
destination specified as a trap destination. The destination IP address, port
number and community string must be defined. The appliance can forward
traps to up to two destinations simultaneously.
Send Heartbeat TrapsEnable or disable heartbeat traps. The INTERVAL
parameter controls the frequency of heartbeat traps.
Snmp VersionSNMP version 1, 2c, or 3.
You can specify the SNMP version for the primary and secondary trap
destination. Version 3 has encryption and privacy features that are
unavailable in versions 1 and 2. The following options are available only
when SNMP v3 is selected:
Sec LevelSelect the security level:
NoAuthNoPriv (no authentication or privacy requested)
AuthNoPriv (authentication but no privacy requested)
AppResponse Xpert/Release 9.0
adm-1-43
The AppResponse Xpert SNMP MIB can be browsed using any MIB browser.
By default, the SNMP agent runs on UDP port 161. This port can be changed
through the web interface (see Configuring Network Ports on page adm-1-58).
Related Topics
Administration and Maintenance
adm-1-44
Bundles
Bundles are reports that can be generated on demand. The diagnostic bundles
contain information used for technical support troubleshooting. In general, this
informationwhich includes system configuration, serial numbers, software
versions, process status, and error logsis for Riverbed technical support to
assess the health of your AppResponse Xpert Appliance and can be used to
assist in troubleshooting. There are two types of bundles that can be created:
log bundles
core bundles
Log bundles are diagnostic bundles of all the logs and are used to help
troubleshoot possible issues with the AppResponse Xpert Appliance. Log
bundles created here are the same as using the CLI commands
diag-bundle-create and diag-bundle-delete. (See Diagnostics Bundles on
page adm-1-63.)
adm-1-45
Core files are created when the entire AppResponse Xpert OS kernel crashes
(resulting in a system reboot). Core bundles are one or more core files
packaged together. They are useful when working with support to troubleshoot
problems. Core bundles can be packaged up for delivery to Riverbed technical
support via FTP, after they are created in the CLI or the System > Administration
web UI. Follow instructions from Riverbed Technical Support.
Figure 1-12 Diagnostics TabBundle
Bundles are created as a gzip-ed .tar file (.gz). Assembling the bundles can take
a few minutes. Once complete you can download the file directly from the
Diagnostic tab.
To delete a bundle, click the red delete X to the left of the completed bundle.
adm-1-46
Subscription
The Diagnostic > Subscription page has four tabs:
Reports
Hardware Alerts
Software Alerts
Other alerts
Reports
The Reports sub-tab is used to send reports to selected recipients. Reports are
created according to a schedule that you set.
Figure 1-13 Diagnostics TabSubscriptionReports
adm-1-47
By default, the periodic automatic email report is sent to Riverbed to provide you
with the best support. You can generate manual reports at any time, but these
are usually generated at the request of a Riverbed technical support
representative.
You may view and manually email the report by clicking the status link on the
Diagnostic tab.
Alerts
The hardware alerts, software alerts, and other alerts sub-tabs are used to
configure to whom and when alerts are sent. Alerts are sent in real-time. Alert
types to be sent are selected in Settings.
Please note that at this time there are no other alerts available.
Figure 1-14 DiagnosticsSubscriptionAlerts
adm-1-48
4 Click Apply.
End of Procedure 1-9
Settings
The Settings link allows you to choose which alerts are to be sent and to set the
deduplication period. (See Alerts for information on to whom the alerts are sent.)
Alerts are sent in real-time.
Deduplication is when additional alerts are suppressed for the deduplication
interval after the end of the previous alert. For example, if the appliance
temperature is out of range, the CPUTEMP alert is sent. The alert continues to
be active until an acceptable temperature is restored. Alternatively, if the
temperature fluctuates above and below its temperature threshold,
deduplication suppresses additional alerts within the time period. By selected
Deduplication Period, the alert is only sent once at the time interval entered.
Figure 1-15
By default, all alerts are enabled except NICPKTRT (see table for explanation).
Procedure 1-10 Modifying Alerts
1 Select the + next the Hardware alerts. This expands the Hardware alert list.
2 Select Enable all to select all alerts, or select the check box next to specific alerts.
3 Enter the length of the deduplication period in minutes.
4 Repeat steps 1-3 for the Software alerts.
adm-1-49
5 Click Apply.
End of Procedure 1-10
Description
Severity Level
Critical
Critical
CPUTEMPMARG
Critical
Major
Minor
An alert generated when there is a hard drive or disk I/O failure. If this
error occurs, contact technical support.
Critical
Major
HSCBADPKT
Minor
Minor
Major
Critical
adm-1-50
Critical
Description
Severity Level
Major
Critical
Critical
Major
Software Alerts
Description
Severity Level
Major
Critical
Critical
DMCNAPPL: Connection to a
leaf node is broken.
Critical
Critical
DMCNSYNC: Cluster
connectivity error.
Major
Major
Minor
adm-1-51
Description
Severity Level
This alert is generated when the limit on the number of recorded IPs
per minute has been reached. When this happens, the topping
algorithm cannot guarantee that the top IPs by throughput are
retained.
Major
Major
Major
Critical
Minor
minor
Minor
Major
Major
SQLPROC:SQL connections
limit reached.
Major
Major
adm-1-52
Description
Severity Level
Critical
Minor
Major
Major
Status
The status link shows you the last report that was generated (for information
about how and to whom reports are sent, see Reports on page adm-1-47).
Figure 1-16 Diagnostics TabStatus
The report shown in the status Diagnostic Status window is the last report
generated. To manually send this report:
1) Enter the recipient email in the Send report to dialog box. Multiple
addresses are comma-separated.
2) Click Apply.
Log Viewer
The log utility is useful when working with Riverbed technical support to
troubleshoot problems.
adm-1-53
Related Topics
Administration and Maintenance
adm-1-54
adm-1-55
The following traffic filters can be configured through the web interface:
Network utilization metrics for IP addresses
TCP metrics for server IP addresses
TCP metrics for client IP addresses
All metrics for Business Groups
adm-1-56
adm-1-57
adm-1-58
When you purchase a new appliance, an upgrade, or a new feature, you receive
an Activation Key from Riverbed. This Key is needed to create the License Key
that loads the level of features appropriate for your appliance. For more
information, see:
adm-1-59
Adding a License
To activate a license on an appliance, you must enter the license key in the
License Manager (Desktop Console > Tools > License Manager).
Procedure 1-11 Adding a License
1 Open an instance of the Desktop Console and connect to the appliance.
The following steps describe how to do this:
1.1 Open the web UI: open a web browser and navigate to the following URL:
http://[appliance-ip-address]:8080
1.2 Click the Console link on the login page.
1.3 Connect to the appliance as a user with Administrator privileges.
2 Choose Tools > License Manager.
If the appliance does not have a product license installed, this window appears
automatically when you connect.
Figure 1-20 License Manager
adm-1-60
2 If the appliance has connectivity to the Internet, it automatically connects you to the
AppResponse Xpert Product Registration web page, which is already populated
with the serial number of the appliance. Fill out the remainder of the form with the
requested information and click Submit to generate your license key, which is
emailed to the email address you entered in the form.
3 If the appliance does not have connectivity to the Internet, go to the URL listed in
the License Manager to access the AppResponse Xpert Product Registration web
page. Enter the serial number of the appliance (listed in the License Manager), and
fill out the remainder of the form with the requested information. Click Submit to
generate your license key, which is emailed to the email address you entered in the
form.
4 Enter the license key in the text area labelled Enter License Key.
5 Click the Submit button.
End of Procedure 1-12
adm-1-61
Related Topics
Administration and Maintenance
adm-1-62
Diagnostics Bundles
Diagnostics bundles contain information required to diagnose
AppResponse Xpert Appliance internals. If you contact Riverbed Support to
submit an issue, you may be asked to generate and send a diagnostics bundle.
Bundles are created through the CLI and downloaded through the web
interface.
NoteDiagnostics bundles can only be created if AppResponse Xpert
Appliance disk utilization is below 90%.
For information about creating a diagnostic bundle from the web interface, see
Bundles on page adm-1-45.
Use zero as a begin and end date to delete all existing diagnostics bundles (e.g.,
diag-bundle-delete 0 0).
A list of existing diagnostics bundle can be seen through the web interface.
adm-1-63
Rollback Utility
The Rollback utility restores an AppResponse Xpert appliance to its default
factory settings. This means that all customer-specific data is removed from the
appliance, including:
configuration settings
data from database tables
logs
reports and report definitions
Diskwipe Utility
The DiskWipe utility overwrites all unused disk space on the specified disk
drives. More specifically, in one pass, the DiskWipe utility writes zeros to all
blocks on the disk drive(s) that have no data. (The DiskWipe Utility is similar to
the dd unix command.)
NoteBecause it writes to blocks that have no data, the DiskWipe utility should
be run only after the Rollback Utility.
adm-1-64
Important Notes
Note the following:
A rollback operation can take 10 to 20 minutes to complete, depending on
the hardware model.
The Rollback utility does not remove AppResponse Xpert software patches.
Therefore, you do not need to re-install software patches after Rollback.
adm-1-65
adm-1-66
ResetData Utility
The resetData CLI command deletes all traffic data stored on the appliance,
while retaining all user-specified configurations. Situations in which this
command can be useful include:
The appliance was configured incorrectly, resulting in inaccurate data, so
you correct the configuration and delete the data collected using the previous
configuration.
You want to move the appliance to a new location that requires only minor
changes to the appliance configuration, so you reconfigure the appliance and
delete all traffic data collected at the old location.
When you run the resetData command from the CLI, the following data is
deleted:
Metric data derived from monitored traffic, such as Application Stream
Analysis, Web Transaction Analysis, NetFlow Monitoring, and VoIP/Video
Monitoring
All packet capture data
All generated reports
The following data is retained:
All custom settings in the web UI
All custom settings in the Desktop Console: Business Group Manager,
Defined Application Manager, Preferred IP Manager, and so on
All certificate and private key information stored on the appliance (for
example, in the Web UI > System > Administration > Pages)
Note the following:
The resetData command is case-sensitive: all lowercase except for the
uppercase 'D'.
You must be logged in to the CLI as a user with Administrator privileges to
run this command.
adm-1-67
ASA Boost
Application Stream Analysis Boost (ASA Boost) mode that is useful for
monitoring traffic in high-throughput environments such as server farms or data
centers.
Note the following:
This mode is available on certain high-end appliance models only; maximum
processing speeds can vary based on the appliance model and conditions in
the production environment.
You can run ASA Boost at the same time as any of the following features:
RPM Integration
Web Transaction Analysis
NetFlow Data Collection
Database Performance
Module for VoIP Performance
Running ASA Boost together with one or more of these features will add
more load to the appliance and might reduce performance. For example: If
you enable ASA Boost at the same time as either Web Transaction Analysis
or Database Performance Monitoring, the peak packet processing rate on
the appliance will be reduced by up to 20%.
If you want to enable ASA Boost with any of these features, it is good practice
to check consumption on the appliance using the Performance Health Check
Insight. You should do this before you enable ASA Boost and periodically
while ASA Boost is enabled.
WARNINGIt is important to check consumption in the Performance Health
Check insight because, if the appliance gets overloaded, you could lose data.
To install or update the Performance Health Check insight on your appliance,
go to the Update Center (Desktop Console > Insights > Update Center) and
then navigate to the following section:
support.opnet.com/ace_live/insights/support > Tools
adm-1-68
You cannot run ASA Boost and CX-Tracer for AppResponse Xpert at the
same time.
The packet size limit is the maximum number of bytes per captured packet
that an appliance saves to disk. To optimize packet processing at the highest
traffic rates, you might need to set the packet size limit to 128 manually. To
change this setting, go to the Web Console > Administration > System >
Capture page.
adm-1-69
ASAmode default
6 After you have enabled ASA Boost, monitor the health of the appliance by running
the Appliance Health Check insight periodically to make sure that no issues have
resulted from enabling ASA Boost. You should check the networks health at the
following times after you enable ASA Boost:
A peak hour in a business day
The busiest day in a week
A typical business week
If these checks detect no performance issues, the appliance can safely run ASA
Boost with the current appliance configuration. If performance issues are detected,
you should do one or more of the following:
Disable ASA Boost
Disable one or more of the following processes if they are running at the same
time as ASA Boost (as described in step 2 on page 69):
Web Transaction Analysis
NetFlow Monitoring Module
Database Performance Monitoring
VoIP Monitoring Module
RPM Integration (Microflow Indexing)
Reduce traffic loads so that performance is no longer impacted.
End of Procedure 1-1
adm-1-70
To switch back to the new method later, enter the following command in the
CLI:
setNgfestats COUNT_ONLY_IMMEDIATE_RTT=1
VXLAN Decoding
This release supports decoding of encapsulated Virtual eXtensible LAN
(VXLAN) traffic. To enable VXLAN decoding, log in to the CLI as Administrator
and enter the following command:
setNgfestats DECODE_VXLAN_ENCAPSULATION=1
To disable VXLAN decoding, enter:
setNgfestats Ngfestats -d DECODE_VXLAN_ENCAPSULATION
adm-1-71
adm-1-72
pwverify Commands
Command
Description
enable
disable
edit
review
Displays the current configuration so that you can view the value of
each parameter.
commit
exit
Closes the editor. Note that changes are not automatically saved on
exit, to save changes, use the commit command.
The following table lists the parameters that you can configure to specify the
requirements for new passwords.
Table 1-2
pwverify Parameters
Parameter
Default Value
Description
ENABLED
no
OBSCURE_CHECKS_ENAB
yes
PASS_CHANGE_TRIES
When choosing a new password, the user only has this number
of attempts to choose a valid password. If the user does not
specify an valid password within the specified number of
attempts, the session terminates and the user will have to start
the password change operation again.
PASS_MIN_DAYS
-1
adm-1-73
Table 1-2
pwverify Parameters
Parameter
Default Value
Description
PASS_MAX_DAYS
-1
PASS_MAX_LEN
16
PASS_MIN_LEN
PASS_WARN_DAYS
-1
PASS_HISTORY
-1
PASS_LOCK_LIMIT
-1
yes
When this feature is turned on, the user is always notified about
the upcoming password expiration date.
PASS_ALWAYS_WARN
Change a Password
An administrator can change a user password using the alpasswd command.
Procedure 1-2 To Change a Password
1 Open the command line interface.
2 At the prompt, enter:
alpasswd username current-password new-password
adm-1-74
adm-1-75
adm-1-76
NoteThis manual was last updated on June 13, 2014. Because release notes
and other documentation is sometimes updated after the product
documentation is distributed, it is good practice to visit the Riverbed website to
check for the latest version of the Release Notes and this and other manuals.
Go to https://support.riverbed.com, then navigate to the AppResponse Xpert
Appliance page.
adm-2-77
Pre-installation Information
The following sections provide information that should be reviewed prior to
installing the AppResponse Xpert appliance.
adm-2-78
adm-2-79
NoteSFPs and XFPs are hot-swappable, so you do not need to power down
the appliance before you add or switch an SFP or XFP.
Instead of referring to specific models numbers, the rest of this manual only
uses the term AppResponse Xpert appliance to refer to all models except where
explicitly noted.
Physical Configurations
The AppResponse Xpert appliance can be connected to the network using
either a span port or a copper/fiber tap. The manner in which the appliance is
connected to the network is referred to as the physical configuration.
In many network configurations, the AppResponse Xpert appliance is attached
to a span port on a layer 3 switch. The AppResponse Xpert appliance has two
monitoring interfaces and can be attached to one or two span ports. During the
installation process, the user must configure the number of span ports
connected to the AppResponse Xpert appliance (see Step 4: Completing Setup
using the Administration > System Web Interface on page adm-2-126). The
span port is normally configured to send both inbound and outbound packets to
the AppResponse Xpert appliance so that both directions of network
communication are monitored.
A copper/fiber tap can be used to connect the AppResponse Xpert appliance if
a span port is not available at the desired location in the network. Copper/fiber
taps are installed inline directly within the target network. As a result, the
physical connectivity of the target link must be temporarily interrupted while the
tap is installed. The AppResponse Xpert appliance attaches directly to the tap.
Unlike a span port, the tap does not require reconfiguration of a switch.
adm-2-80
For most groups, an appliance can rely on packet data to determine the
direction of traffic flows (Inbound / Outbound) and the roles played by specific
IPs and groups (Client, Server, TCP Client, TCP Server). For some group types,
however, you must specify the range of Internal IPs for the appliance to
determine flow directions and IP roles.
By default, the Internal Address List includes all private IPs that are visible to the
appliance (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). To view or
edit this list, go to Administration > System > Setup > Internal Addresses.
Best Practice: Include All Server IPs in the Internal Address List
It is best practice to verify that all server IPs for all Defined Applications are
included in the Internal Address list. This is necessary to ensure that the
directions and roles of all metrics are interpreted correctly. If a server IP is not
included in this list, the directions and roles for some metrics might be the
opposite of what you expect.
This section discusses the following:
Groups Affected by the Internal Address List
How to Set the Internal Address List
Example: What Can Happen when a Server IP is not in the Internal Address
List
Groups Affected by
the Internal Address
List
An appliance uses the Internal Address list when it calculates metrics for the
following groups:
Application
Total Traffic
VLAN
Mon Interface Group
(if Administration > System > Interface Groups > [group] > Traffic relative to
option is set to Internal Addresses)
adm-2-81
3) Starting at the top of the Applications table, copy/paste all of the Server IPs
into a text file. Press the Down key to iterate through all entries. (Defined
applications of type Standard do not have a Server IPs field.)
4) Go to Administration > System > Setup > Internal Addresses.
5) Iterate through your list of Server IPs and verify that each server IP is
included in the Internal Address list. If a server IP is not included in an
address range or subnet, redefine or add a range to include this server IP.
WARNINGKeep the number of comma-separated items in the Internal
Address List as small as possible
When the appliance calculates metrics in real time, it checks monitored
packets against each comma-separated item (IP or IP range) in the Internal
Address list. A long or complex list can increase computation loads and affect
monitoring performance on the appliance.
To keep the Internal Address List as simple as possible, it is good practice to
Include no more than 15 comma-separated entries in the list.
Specify IP address ranges, rather than individual IPs, whenever possible.
Example: What Can
Happen when a
Server IP is not in
the Internal Address
List
An appliance monitors the application MyExtApp. The clients for MyExtApp are
included in the Internal Address list, but not the servers (Figure 2-2). If you open
an Applications table, you will see that the metrics for MyExtApp appear in the
reverse role from what is expected.
The Internal and External IPs are reversed: the MyExtApp servers are
External IPs, the clients are Internal IPs, and the metrics are shown in
relation to the clients.
An in-depth application analysis usually starts from the perspective of the
servers and then moves outward to the clients.
The role of clients and servers are reversed: MyExtApp metrics appear as
"[metric] (Clients)" rather than "[metric] (Servers)".
The throughput directions are reversed: for example,
"Throughput (Inbound)" measures traffic to the MyExtApp clients, not
the servers.
adm-2-82
Figure 2-2
adm-2-83
By editing the Internal Address list to include the servers for MyExtApp, you
ensure that the MyExtMap metrics identify the roles (Clients, Servers) and
directions (Inbound, Outbound) correctly.
Figure 2-3
If the AppResponse Xpert appliance is attached to only one span port, the user
must select the single span port physical configuration during system
configuration as described in Step 4: Completing Setup using the Administration
> System Web Interface on page adm-2-126.
Dual Span Port
NoteIn dual span port mode, the monitoring interfaces used must be of the
same type (copper or fiber).
adm-2-84
If the AppResponse Xpert appliance is attached to two span ports, the user
must select the dual span port physical configuration during system
configuration as described in Step 4: Completing Setup using the Administration
> System Web Interface on page adm-2-126.
Copper/Fiber Tap
With a copper or fiber tap, the user must select the copper or fiber tap Monitoring
Interface(s) Speed/Duplex Setting during system configuration as described in
Step 4: Completing Setup using the Administration > System Web Interface on
page adm-2-126. In this configuration, traffic direction is not ambiguous since
the AppResponse Xpert appliance receives outbound and inbound packets
through different monitoring interfaces. As a result, the internal address list does
not need to be specified.
The following taps, supplied by Netoptics, have been qualified for use with
AppResponse Xpert equipment. Other equivalent devices should work as well:
NETOPTICS P/N: 96042-G-30: SX Gigabit Splitter Module, Multimode
62.5/125um, 70:30 split (for optical Ethernet)
NETOPTICS P/N NET-96135-RM: 100BaseT TX Tap (for copper Ethernet)
The location of the AppResponse Xpert appliance dictates the traffic the
appliance is able to monitor. In general, the appliance is placed at a location of
network aggregation to maximize the monitored traffic. This often means that
the appliance is installed near a border/edge router. Select a network location
that allows the AppResponse Xpert appliance to monitor complete network
sessions, or install the appliance in a dual span port mode and monitor both
network paths.
Span Port Physical Configuration
If using the span port physical configuration, the appliance must be attached
directly to a device, typically a switch, supporting this feature. Each network
equipment vendor implements the span port feature differently, resulting in
different capabilities and limitations. However, all major vendors support basic
span port functionality.
adm-2-85
Traffic Volume
Select a network location that does not exceed the maximum traffic rate
supported by the AppResponse Xpert appliance. If this level is exceeded, a
fraction of the packets are dropped by the appliance. This reduces the accuracy
of collected metrics, but does not affect the network.
Traffic Symmetry
Asymmetric traffic occurs when traffic can take a different route between
endpoints in the incoming and outgoing directions. This condition often exists
within networks with redundant paths. However, the AppResponse Xpert
appliance cannot monitor traffic accurately if it is unable to monitor complete
network sessions. Under asymmetric conditions a number of traffic metrics
collected by the appliance are not measured accurately. Select a network
location that allows the AppResponse Xpert appliance to monitor complete
network sessions.
Modified Frame Formats
adm-2-86
The AppResponse Xpert appliance identifies the source and destination for
each packet based on the addresses in the IP header. Network address
translation, a procedure common in firewalls, load balancers and proxies,
replaces the original address with the IP address of an intermediary device. As
a result, all network sessions appear to originate from the network address
translation device rather than the actual originating device. If this is a concern,
select a network location before network address translation occurs.
Security
Additional Information
The following sections provides addition background information on
AppResponse Xpert appliance configuration and behavior.
AppResponse Xpert/Release 9.0
adm-2-87
adm-2-88
The following table lists the external services and the authorization controls
used to restrict access to these ports.
Table 2-1 External Services and Authorization Controls
External
Service
Transport
and Port
SNMP
HTTP
Authorization
Description
UDP 161
TCP 8080
Open.
HTTPS
TCP 8443
Password required.
BGP
TCP 179
Password required
and access restricted
to the IP address of
the BGP peer
configured in the web
interface. This port
shows up on scans,
but connections from
IP addresses other
than the BGP peer
are rejected by the
BGP application.z
adm-2-89
Transport
and Port
BGP-VTY (not
applicable to the
Domain Director)
SSH
Authorization
Description
TCP 3605
Password required
and access restricted
to the IP address of
the BGP peer
configured in the
Administration > web
interface. This port
shows up on scans,
but connections from
IP addresses other
than the BGP peer
are rejected by the
BGP-VTY
application.
TCP 22
Password required.
UDP 123
Open.
Netflow
UDP 9996
(inbound)
Open.
AppTransaction Xpert
Capture Manager
TCP 27401
Open
NTP
adm-2-90
Internal services are ports used by the AppResponse Xpert appliance for
interprocess communication. The following table lists the internal services and
the authorization controls used to restrict access to these ports.
Table 2-2 Internal Services and Authorization Controls
Internal
Service
Transport
and Port
NPlog
MySQL
Authorization
Description
TCP 4999
TCP 3306
adm-2-91
adm-2-92
adm-2-93
serial port
serial port
video port
adm-2-94
adm-2-95
serial port
serial port
video port
adm-2-96
adm-2-97
adm-2-98
mouse
high-speed network
interfaces
keyboard
serial port B
management port
USB ports
VGA port
power supply
units
serial port A
adm-2-99
The following figure shows the back panel of an AppResponse Xpert-3200 and
AppResponse Xpert-3700 appliance. For more information, see Back Panel
Ports on page adm-2-114.
Figure 2-10 Back Panel of AppResponse Xpert-3200
port #4
port #3
port #2
port #1
serial port
management port
VGA port
monitoring ports
power
USB ports
adm-2-100
port #4
port #3
port #2
port #1
management
port
VGA port
serial port
adm-2-101
The following figure shows the back panel of an AppResponse Xpert-3200 and
AppResponse Xpert-3700 appliance. For more information, see Back Panel
Ports on page adm-2-114.
Figure 2-12 Back Panel of AppResponse Xpert-3700
port #4
port #3
port #2
port #1
serial port
management port
monitoring ports
power
VGA port
USB ports
adm-2-102
port #4
port #3
port #2
port #1
management
port
VGA port
serial port
adm-2-103
The following figure shows the back panel of an AppResponse Xpert-4100 (1G)
appliance. For more information, see Back Panel Ports on page adm-2-114.
Figure 2-14 Back Panel of AppResponse Xpert-4100 (1G)
port #1
port #2
port #3
port #4
Monitoring interfaces:
four (4) 1-Gigabit
Ethernet ports
adm-2-104
port #1
port #2
Monitoring interfaces:
two (2) 10-Gigabit
Ethernet ports
adm-2-105
power
serial port
VGA
port
management port
adm-2-106
USB
ports
port #1
port #2
port #3
monitoring
ports
port #4
power
expansion
chassis port
serial port
VGA port
management port
port #1
port #2
port #3
monitoring
ports
port #4
adm-2-107
power
serial
port
VGA
port
management port
adm-2-108
port #1
port #2
USB ports
Monitoring interfaces:
two (2) 10-Gigabit Ethernet ports
power
port #1
serial port
port #2
VGA port
management port
expansion
chassis port
Monitoring interfaces:
two (2) 10-Gigabit Ethernet ports
adm-2-109
monitoring interfaces:
two (2) 10-Gigabit SFP+ ports
port #1
port #2
Serial port
VGA port
USB port
adm-2-110
adm-2-111
The following figure shows the back panel of an AppResponse Xpert Expansion
Chassis 200. For more information, see Procedure E-1 Connecting the
Appliance to One or More Expansion Chassis on page adm-E-199.
Figure 2-22 AppResponse Xpert Expansion Chassis 200 Back Panel
adm-2-112
The following figure shows the back panel of an AppResponse Xpert Expansion
Chassis 300. For more information, see Procedure E-1 Connecting the
Appliance to One or More Expansion Chassis on page adm-E-199.
Figure 2-23 AppResponse Xpert Expansion Chassis 300 Back Panel
adm-2-113
The AppResponse Xpert appliance back panel includes the following ports:
AC powerFor more information, see the specifications sheet for your
specific appliance.
Serial portRJ45 or DB-9
Management InterfaceRJ45 1Gb Ethernet
1 Monitoring interfaceRJ45 (copper) 10/100/1000 Mbps Ethernet (included
for 2200)
2 Monitoring interfacesRJ45 (copper) Gigabit Ethernet (included for 2100,
3100 and 3150)
2 Monitoring interfacesLC (fiber) Gigabit Ethernet (included for 2100 and
3100)
2 Monitoring interfacesLC (fiber) 10Gigabit Ethernet (included for 3150)
3 Monitoring interfacesSFP modules allowing copper or fiber 1Gigabit
Ethernet (included for 2200)
4 Monitoring interfacesSFP modules allowing copper or fiber 1Gigabit
Ethernet (included for 3170, 3200, 3300, 3700, 3800, 4100-1G, 4200, and
4300)
2 Monitoring interfacesXFP modules allowing SR or LR 10Gigabit Ethernet
(included for 4100-10G and 5000)
2 Monitoring interfacesSFP+ modules allowing SR or LR 10Gigabit
Ethernet (included for 5100 and 6000)
SVGA video port (to optionally connect a monitor)
Keyboard port to optionally connect a keyboard. Included on older appliance
models only. (For newer appliances, connect to the appliance using the CLI,
as described in Using the Command Line Interface on page adm-1-19).
adm-2-114
The following diagrams show the buttons and LEDs on the AppResponse Xpert
appliance front panel:
Figure 2-24 AppResponse Xpert Appliance Front Panel
The AppResponse Xpert appliance front panel includes the following ports:
A: RJ45 NIC activity LED (see B on back panel)
B: RJ45 NIC activity LED (see H on back panel)
C: Power/sleep button
D: Power/sleep LED
E: Hard drive status LED
F: System status LED
G: ID LED
H: ID button
I: Reset button
J: USB connector
K: Nonmaskable Interrupt (NMI) button
L: SVGA video port (to optionally connect a monitor)
adm-2-115
Power Switch
HDD Tray Activity LED
Failure LED
Power LED
Alarm Mute Button
Power switch
Power LED
USB 2.0 Port
System HDD
LAN 2 (top)
LAN 1 (bottom)
Alarm Mute Button
System Reset Button
adm-2-116
Additional Items
adm-2-117
adm-2-118
adm-2-119
Nothing appears on the monitor or serial port console until the appliance is
powered on and is booted up, which occurs in the next procedure Step 3: Initial
Setup using the CLI on page adm-2-123.
4 If you are not using the static IP for setup, connect an RJ45 CAT 5 Ethernet patch
cable between the AppResponse Xpert appliance Management interface and a
switch or router.
5 With the rackmount and wiring complete, proceed to one of the following
procedures, depending on your physical configuration.
Procedure 2-2 Wiring for Span Port Physical Configuration on page adm-2-120
Procedure 2-3 Wiring for Copper/Fiber Tap Physical Configuration on
page adm-2-121
End of Procedure 2-1
1 Configure a span port (or two span ports if both monitoring interfaces are used) on
the appropriate switch.
Consider spanning traffic in both directions so that the AppResponse Xpert
appliance can monitor all network traffic.
2 Connect the span port(s) to the AppResponse Xpert appliance:
NoteThe span port configuration and wiring of the monitoring interfaces can be
deferred until the remaining system configuration is complete. Keep in mind that
the appliance does not collect traffic until the span port is configured.
2.1 Connect the first span port to the AppResponse Xpert appliances first
monitoring interface:
For copper networks, use a standard RJ45 CAT 5E ethernet patch cable to
connect the span port to the RJ45 monitoring interface labeled 1.
For fiber networks, connect the span port to the monitoring interface labeled
1 using a fiber patch cable with an LC connector on the
AppResponse Xpert appliance side. In the event that an LC fiber patch
cable is not available, the AppResponse Xpert appliance includes an
LC/SC fiber patch cable and SC/SC female adapter.
2.2 (Optional) Connect the second span port to the AppResponse Xpert
appliances second monitoring interface. NOTEthe second monitoring
interface must be of the same type (e.g., copper) as the first monitoring
interface.
For copper networks, use a standard RJ45 CAT 5E ethernet patch cable to
connect the span port to the RJ45 monitoring interface labeled 2.
adm-2-120
For fiber networks, connect the second span port to the monitoring interface
labeled 2 using a fiber patch cable with an LC connector on the
AppResponse Xpert appliance side. In the event that an LC fiber patch
cable is not available, the AppResponse Xpert appliance includes an
LC/SC fiber patch cable and SC/SC female adapter.
3 With the span port configured and the wiring of the monitoring interfaces complete,
proceed to Step 3 of the installation procedure (Step 3: Initial Setup using the CLI
on page adm-2-123).
End of Procedure 2-2
1 Install the copper or fiber tap into the network segment carrying the traffic to be
monitored.
Refer to the installation instructions provided with the tap.
2 Connect the tap port facing the internal network to the first monitoring interface.
NoteConsider installing the copper or fiber tap before installing the
AppResponse Xpert appliance when it has the least detrimental effect on traffic.
adm-2-121
NoteA number of free SSH clients, such as Teraterm and putty, are available
for Windows.
After youve set the basic network parameters using the CLI, you can then
access the CLI over the network by using SSH to login to the appliance. You
can also access the Administration > System web interface to complete the
system configuration (as described in Step 4: Completing Setup using the
Administration > System Web Interface on page adm-2-126).
In general, the CLI should only be used to configure network parameters at
install time. All subsequent changes to network parameters should be
performed using the web interface.
adm-2-122
Installation Procedure
Overview:
The initial CLI login is admin with either a null password or an initial password of
npadmin.The admin login has administrative privileges and can be used to create
additional CLI logins as well as web interface logins.
While using the CLI, you can view the list of available commands by typing:
commands
Step 2 - Physical
Configuration
Step 3 - Initial Setup
3 At the password prompt, press Enter. If this does not work, enter npadmin and
press Enter.
NoteIf you are able to log in without a password, you must specify a password
now.
adm-2-123
CautionIP Address, Netmask, and Gateway changes may affect the visibility of
this system on the network.
Table 2-4 Required Parameters for the Setup Appliance
Parameter
Value Description
Hostname
Type the host name for the system. Enter the hostname only, do not
include the domain name. The hostname must be under 63 characters
long, contain only letters, digits, or dashes, and start with a letter and end
with either a letter or digit.
IP Address
Netmask
Default Gateway
Domain
Type the default, fully qualified domain name for the system used during
DNS resolution. Do not include the hostname. Each portion of the
domain name must be under 63 characters long, contain only letters,
digits, or dashes, and start with a letter and end with either a letter or
digit.
CAUTIONThe CLI should only be used to set the network parameters at install
time. All subsequent changes should be performed using the Administration >
System web interface.
7 Verify your new settings: At the setup prompt, type showall and then press
Enter.
8 To save the changes if the settings are correct, at the setup prompt type commit
and then press Enter.
9 Because these changes require a restart to take effect, when you are asked if you
want to restart the system, at the setup prompt type yes and then press Enter.
If the login prompt appears approximately two to three minutes after you reboot
the system, the reboot process is complete.
To quit the CLI without rebooting, type no at the reboot prompt, and then type quit
and press Enter.
10 With the initial setup of the appliance finished, proceed to Step 4a of the installation
procedure (Step 4: Completing Setup using the Administration > System Web
Interface on page adm-2-126).
NoteIf this is a first time installation, be sure to read the next section for
information on how to access the web interface (Accessing the Administration >
System Web Interface).
End of Procedure 2-4
adm-2-124
If you have never accessed the web interface before, follow these steps.
Key ConceptTo successfully connect to the web interface you must be able
to access the AppResponse Xpert appliance from your desktop machine via
TCP ports 8080 and 8443.
adm-2-125
Step 4: Completing Setup using the Administration > System Web Interface
2 Under Network Configuration Settings, verify the network parameters that were set
during the initial CLI configuration (as described in Step 3: Initial Setup using the
CLI on page adm-2-123):
Host Name
adm-2-126
Netmask
Domain
Gateway
IP Address
CAUTIONIP Address, Netmask, and Gateway changes may affect the visibility
of this system on the network.
3 From the Management Interface Speed/Duplex Settings drop-down list, select the
management network interface cards mode of operation (or media type) used for
communication. Note the following:
If the switch port to which the management port is connected is forced to a
specific speed or duplex setting, the management interface media type must be
configured to the same settings; otherwise, select autoselect.
The Administration > System > Setup web page displays the speed/duplex
settings and current status of the management and monitoring interfaces. The
management interface speed/duplex is set to autoselect by default. However, the
speed/duplex settings should be configured to the same value set on the
router/switch port.
Changes to the Management Interface settings may greatly affect the
responsiveness of the system.
4 (Optional) Configure the duplicate packet filter.
Under Physical Configuration, by default, the duplicate packet filter is enabled. The
appliance may receive multiple copies of the same packet.
In certain network configurations, the AppResponse Xpert appliance may receive
duplicate frames. For instance, if a span port is configured to mirror both inbound
and outbound traffic flow, packets between machines being spanned is sent to the
appliance twice. The appliance can be configured to detect and ignore these
packets using the duplicate packet filter.
Riverbed strongly recommends that the AppResponse Xpert appliance is deployed
in a manner such that duplicate packets are minimized or avoided altogether. Even
though the AppResponse Xpert appliance is capable of filtering duplicate packets,
the increased number of packets received and processed by the
AppResponse Xpert appliance can be very detrimental to overall system
performance.
NoteThe appliance must be rebooted before changes to the duplicate packet
filter take effect.
5 Under Domain Name Servers, type the DNS Server IP addresses used by the
AppResponse Xpert appliance to perform network IP address resolution (one
server address per line). Configure this option to see a fully qualified domain name
in the Console (instead of IP addresses).
adm-2-127
6 (Optional) Under Border Gateway Protocol Settings, enter the following settings to
give the AppResponse Xpert appliance access to BGP information required to map
IP addresses to AS numbers:
NoteYou can set the BGP Mode to Inactive if you do not have access to a BGP
router or you do not want to enter this information at this time.
Set the BGP Mode to Active to enable the AppResponse Xpert appliance to
exchange routing information with a border router -or- Inactive to terminate the
AppResponse Xpert appliances exchange of routing information with a border
router.
Enter the hostname of the router under Peer Router Name.
Enter the IP address of the router under Peer Router IP Address.
Under Appliance AS, type the autonomous system number (from 1 to 65535) of
the network in which the AppResponse Xpert appliance is located.
Under Peer Router AS, type the autonomous system number (from 1 to 65535)
of the network in which the border router is located.
Under Last Internal AS, type the autonomous system number of the router at the
border of your network. All AS numbers before this are not displayed in the traffic
report. As a result, the ISP AS number is identified as the 1st Hop after the Last
Internal AS.
The border router must also be configured to allow BGP peering with the
AppResponse Xpert appliance.
7 Under Internal addresses, enter the internal address list. This is a list of IP
addresses within the local network. The AppResponse Xpert appliance uses this
list to determine the direction of traffic flow (inbound or outbound) for the Total
Traffic group. Inbound and Outbound for all other groups are relative to the group
(as described in Physical Configurations on page adm-2-80).
NoteTo ensure accurate results, you must include all server IPs for all Server
Applications and Web Applications in the Internal Addresses list (Administration >
System > Setup page). This ensures that the Applications Table shows the IPs for
that application correctly (Internal IPs ==> [clients] and External IPs ==> [servers]).
The default setting for the Internal Address List is all private address ranges:
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
8 Under Time Settings, enter the following:
Local Time Zone in which the AppResponse Xpert appliance is used.
Network Time Protocol (NTP) Servers used by the AppResponse Xpert
appliance to synchronize its clock (entered as one server address per line).
9 Set up hardware and software alerts on the appliance. For more information, see
Alerts on page adm-1-48 of AppResponse Xpert Administrators Guide.
NoteTo improve uptime, Riverbed strongly recommends that you set up
hardware and software alerts on all your AppResponse Xpert appliances.
End of Procedure 2-6
adm-2-128
NTP Servers
To prevent clock drift and to ensure that AppResponse Xpert appliance time
matches the time on other systems, it is strongly recommended that the
AppResponse Xpert appliance clock be synchronized with a known time source
using the NTP protocol. Public NTP servers are available if your organization
does not have internal servers. The IP address of the NTP server should always
be used rather than its hostname. Refer to the Public NTP Server List on
http://www.ntp.org/ for a complete list of public NTP servers and access
policies.
With the web interface running, click logout at the top of the page (see
Accessing the Administration > System Web Interface on page adm-2-125).
Installation and Configuration Complete
Now that the AppResponse Xpert appliance has been rackmounted and
configured, the AppResponse Xpert Console can be installed on a desktop
machine. Please refer to Installing the Desktop Console on page ug-2-28 of the
AppResponse Xpert User Guide.
NoteYou can log in again at any time (as described in Accessing the
Administration > System Web Interface on page adm-2-125).
If you close the browser window without clicking logout, the web interface does
not allow that user account to make administrative changes for 30 minutes. The
admin user is exempt from this rule.
adm-2-129
Safety Warnings
Heed Safety
Instructions
System Power
On/Off
Before working with your AppResponse Xpert appliance, whether you are using
this guide or any other resource as a reference, pay close attention to the safety
instructions. You must adhere to the assembly instructions in this guide to
ensure and maintain compliance with existing product certifications and
approvals.
WarningDisconnect all power before servicing.
AttentionDbrancher toute alimentation lectrique avant manipulation.
The power button DOES NOT turn off the system AC power.
To remove power from system, you must remove all AC power cords from the
wall outlet.
Battery
The lithium battery on the server board powers the real time clock (RTC) for up
to 10 years in the absence of power. When the battery starts to weaken, it loses
voltage, and the server settings stored in CMOS RAM in the RTC (for example,
the date and time) may be wrong. If you believe this situation is occurring,
contact your customer service representative. The battery is not user
serviceable. The RAID Controller Cards might contain a battery that is not
serviceable.
WARNINGRISK OF EXPLOSION IF BATTERY IS REPLACED BY AN
INCORRECT TYPE.
WARNINGDISPOSE OF USED BATTERIES ACCORDING TO THE
INSTRUCTIONS.
adm-2-131
Transmit Receptacle
Receive Receptacle #1
Transmit Receptacle
Receive Receptacle #2
Figure 2-29 shows fiber port allocations on the 4100-4S01X, 4200, and 4300
appliance models.
Figure 2-29 Fiber Port Allocations on 4100-4S01X (4x1GbE) and 4200 Appliances
Transmit Receptacle
Receive Receptacle #1
Transmit Receptacle
Receive Receptacle #2
adm-2-132
Transmit Receptacle #1
Transmit Receptacle #2
adm-2-133
NoteWe recommend that you print out a copy of this page and then post the
hardcopy in a prominent location near the appliance.
adm-2-134
adm-3-135
host
ping
alertdir
hostname
quit
core-bundle-create
ifconfig
reboot
core-bundle-delete
iostat
release-current
date
ipas-add-private-ips
release-list
df
ipas-display-private-ips
release-update
diag-bundle-create
ipas-undo-private-ips
setup
diag-bundle-delete
mailmgr
stty
dmq
man
sync
exit
netstat
traceroute
fset
nslookup
uptime
halt
ntpq
viewlog
help
passwd
adm-3-136
To see the time difference between the AppResponse Xpert Appliance and a
Unix system with an NTP time source, at the prompt type ntpdate -q
<server name>, and then press Enter. The offset should be less than 2
seconds. If more than 2 seconds, reboot the appliance to synchronize time with
your NTP server.
adm-3-137
Desktop Console
Download and set up the Desktop Console, and then either create or open a
project (see Installing the Desktop Console on page ug-2-28 of the
AppResponse Xpert User Guide).
adm-3-139
adm-3-140
4IPv6 Support
IPv6 Support
AppResponse Xpert now supports monitoring and analysis in IPv6
environments. This section describes how to configure an AppResponse Xpert
appliance to monitor IPv6 networks and how to verify that the IPv6 feature is
functioning correctly.
Topics Covered:
How to Set Up IPv6 on an Appliance on page adm-4-142
Verify Appliance Performance on page adm-4-142
Enable IPv6 on the Appliance on page adm-4-142
Verify Appliance Health with IPv6 Enabled on page adm-4-144
What You Need to Know About IPv6 Support in AppResponse Xpert on
page adm-4-145
adm-4-141
adm-4-142
6 Enable DNS support for IPv6. This step is optional, but highly recommended. If
DNS is not enabled or does not support IPv6, you will see only IPv6 addresses in
the output tables and charts. If you enable DNS, the information column in the
output tables and charts will instead show the hostnames, which are much more
readable and easier to work with.
6.1 Return to the System > Advanced > Advanced Data Collection Options.
6.2 Click on the System Configuration link.
6.3 Under DNS Configuration, specify the name of a DNS server that supports
IPv6.
6.4 Click Apply to save changes.
Figure 4-2 Enabling DNS Support for IPv6
Specify a DNS server that supports
IPv6 here.
adm-4-143
adm-4-144
adm-4-145
adm-4-146
Recovery
Backup Server
Appliance B
(target)
Fast Recovery
Use this method to quickly add or replace an appliance by transferring data
directly from one appliance to another.
Fast-Recovery
Appliance A
(source)
Appliance B
(target)
Backup Server
(not needed)
adm-5-147
adm-5-148
About Backups
NoteFor the most reliable disaster recovery plan, it is best to schedule regular
backups. On-demand backups are best when performed just before and/or just
after a major change to an appliance, such as a software upgrade.
Note the Global vs. Local statement before procedures for a description of
the difference between the two types of backups.
adm-5-149
Accessing the
Backup and
Recovery
Operations
The Administration > System > Backup navigation menu has five choices:
serversConfigures backup servers.
(See Defining Backup Servers.)
backup nowPerforms an on-demand backup.
(See Performing an On-Demand Backup.)
scheduleSchedules backups.
(See Scheduling a Backup.)
recoveryRestores configuration and/or other data from a backup.
(See Performing a Recovery.)
historyLists available backups and the status of in-progress backups.
(See Viewing a List of Backups.)
General Workflow
for Backup and
Recovery
adm-5-150
adm-5-151
adm-5-152
adm-5-153
Description
Name
Host
Protocol
Path
Specifies the path where backup files are stored on the backup
server. Each backup goes into its own directory under this path. (If
using SSH protocol, this is the same path used in a secure copy
(scp) command.)
User
Specifies the user name for logging into the backup server. If no user
name is specified, then the same user name that is used to login to
the AppResponse Xpert appliance is used.
Password/RSA Key
For FTP protocol, specify the password for logging into the backup
server.
For SSH protocol, specify the RSA key used in authentication
procedure. Either click Generate to generate a key or paste an
existing key.
Note the following:
The RSA Key must be generated and stored on the backup server
before the backup procedure can execute. This is accomplished
by adding the key to the $HOME/.ssh/authorized_keys file for the
appropriate user account on the backup server. For more
information, contact your system administrator or consult the ssh
manual pages.
When you select and copy the key from the RSA key field to paste
it in the authorized_keys file, be sure to select all characters in the
string. It is good practice to compare the string in the RSA field
and the authorized_keys file carefully to verify that the entire
string is copied.
If defining a global backup server (e.g., defining a backup server
on a AppResponse Xpert Director) using an RSA key, note that
the same RSA key will be used to connect to the backup server by
all AppResponse Xpert appliances in the domain.
adm-5-154
adm-5-155
Scheduling a Backup
For the most reliable disaster recovery plan, it is best to schedule regular
backups.
Global vs. LocalBackup schedules can be defined on local appliances or
for an entire domain. Global schedules must use global backup servers, but
local schedules can use local or global backup servers.
Backup schedules defined on a Director are automatically pushed to all
appliances in the domain. Whether a scheduled backup is defined globally or
locally is designated in the fourth column of the List of Backup Schedules
page. Global is defined with a blue globe; local is defined with a greyed-out
globe.
When a global backup schedule is pushed to the appliances in the domain,
the schedules are inactive by default. To activate the schedule, you must edit
the schedule on each appliance and change the status from inactive to active.
Additionally, it is best to change the start date and/or time to avoid having all
the appliances in a domain attempting backups to the same server at the
same time.
ImportantWhen editing a global schedule on an AppResponse Xpert
appliance (not a Director), you can only change Status (active/inactive),
Start date, and Start time.
Before scheduling backups, see Best Practices and Guidelines for Backup and
Recovery.
adm-5-156
adm-5-157
Description
Schedule name
Start date
Start time
Server name
Prefix
Compressed
adm-5-158
Indicates whether the backup files are compressed, using the gzip
algorithm. (Files are compressed when a check appears in the
checkbox.)
Description
Include
Frequency
Retry attempts
Minutes between
retry attempts
adm-5-159
adm-5-160
adm-5-161
The Backup estimation page refreshes every 10 seconds while the estimation is
in progress. When complete, the page lists the size of the backup files. Click Back
to return to the Backup Server Information page.
4 Click Backup.
The Backup progress page appears.
adm-5-162
adm-5-163
Performing a Recovery
Perform a recovery to restore the system configuration, traffic data, and reports,
to an appliance or Director from a selected backup.
Before performing a recovery, see Best Practices and Guidelines for Backup
and Recovery.
For information about restoring a backup to a different backup server, see
Restoring a Backup to a Different Appliance.
NoteBefore performing a recovery on an AppResponse Xpert appliance
that is connected to an expansion chassis, do the following:
Verify that the expansion chassis is connected and operational.
Backup the expansion chassis before performing the appliance recovery.
Additionally, when rebooting the AppResponse Xpert appliance, wait
30 seconds to 1 minute for the expansion chassis to reconnect with
appliance.
adm-5-164
Select the most recent checkbox to restore with the most recent backup. Or,
uncheck the checkbox and click Find backup archives to display a list of available
backups. You can then select a backup from the list.
8 Select the data to restore:
Click the Clock icon located to the left of the backup that you want to restore and
select the types of data to restore. Uncheck the ones you do not want to restore at
this time: opened (current tables), closed (archive tables), reports, and packet
capture (on appliances without High Speed Capture). Configuration data is always
restored.
NoteAll selected data is restored. You cannot choose specific files from a
backup to restore. However, you can restore data from a backup one set at a time,
called a partial recovery. For example: restore configuration files and later restore
traffic data, reports, and/or capture data.
9 Click Recover to start the process.
A recovery progress screen displays.
10 When the recovery process completes, click Reboot to reboot the appliance and to
activate the restored configuration files.
11 If the recovery is partial (you want to restore additional data (i.e., traffic data,
reports) from the selected backup):
11.1 Select the checkboxes for the data to restore.
11.2 Click Continue Recover.
adm-5-165
You can restore a backup to a different appliance from which the backup data
originated, by renaming the backup directory with the AppResponse Xpert
appliance to which the backup will be restored.
For example, suppose you have a backup on the backup server under the
following directory name:
ARX2_8.5.5_119908473000
where:
ARX2 = the hostname of the AppResponse Xpert appliance
8.5.5 = the AppResponse Xpert version
119908473000 = the UNIX or POSIX time (number of seconds since
January 1,1970)
Now suppose that you want to restore this backup to a different
AppResponse Xpert appliance: ARX5.
To restore the ARX5 appliance with the ARX2 backup, do the following:
1) Rename the backup directory by changing the appliance name from ARX2
to ARX5.
2) On ARX5 appliance:
a) Add the backup server.
(See Procedure 5-1 Defining Backup Servers.)
b) Perform a recovery.
(See Procedure 5-5 Recovering Data on an Appliance.)
Be sure to unselect the most recent checkbox and click
Find backup archives to find and select the backup that you want to
restore.
Important Notes
adm-5-166
The target device must have at least as much available disk space as the
source device.
You can verify the amount of disk space in the Desktop Console > View >
Appliance Info window. Scroll to the bottom and note the second-to-last line:
Disk Usage.
If you are recovering data that requires a specific license, you will need to
have that license installed on the target device to view that data.
If you are recovering data that requires a specific license, you will need to
have that license installed on the destination appliance to view that data.
If you have only one set of licenses, and need to transfer these licenses from
the source to the target, do the following:
a) Back up the data on the source device.
b) Recover the data to the target device.
c) Deregister the licenses on the source device:
i) Open the License Manager (Desktop Console > Tools > License
Manager).
ii) Copy or write down the serial number of the appliance.
iii) Go to www.riverbed.com/support and open a support case. Include
the serial number of the appliance in the initial request.
d) When Support notifies you that the licenses are available, add them on
the destination device.
After you generate a license key, you can add it to the device from the
Desktop Console > Tools > License Manager.
To verify and compare licenses, access the License Manager on each
appliance. Open the Desktop Console (Administration > Desktop Console)
and choose Tools > License Manager Note the list of licenses in the
License Manager.
adm-5-167
If you have an SSH server, Riverbed recommends that you back up and restore
over SSH. SSH is more reliable than FTP, especially for large backup/restore
operations.
Estimating Backup/Recovery Times
adm-5-168
Recovery Guidelines
adm-5-169
Description
FTP or SSH
Confirm
Connectivity
Verify the following and contact your network administrator if either of the following items fail:
From the backup server, try to ping the AppResponse Xpert appliance.
If there is a firewall between the backup server and the appliance, make sure that the
appropriate ports (FTP or SSH) are open for backup/restore.
Confirm the
Backup Directory
Path
Verify that the path to the backup directory is correctly defined in AppResponse Xpert.
Check
Permissions
Verify that the user performing the backup has read, write, delete, and execute permissions to
the backup directory on the backup server.
Check Logs
Obtain the exact error message in the br.log file. This file can be accessed through the
System > Administration web UI: Diagnostic > log viewer.
Related Topics
Fast Recovery
adm-5-170
Fast Recovery
Fast Recovery allows you to recover data directly from one AppResponse Xpert
device to another directly, without the step of transferring data via an
intermediate backup server. Fast Recovery offers the following advantages over
a standard Backup and Recovery:
Fast Recovery is significantly faster
Fast Recovery always recovers the most recent data from the appliance or
director (instead of archived data from a backup server).
Figure 5-1 Fast Recovery: No Backup Server Needed
Appliance A
(source device)
Appliance B
(target device)
Backup Server
(not needed)
NoteFast Recovery does not replace a standard Backup and Recovery and
is not always recommended. Fast Recovery is typically used to add or replace
an appliance when both source and target are running, available, and visible to
each other. You cannot use Fast Recovery to recover data on the same
appliance, or to recover data from a source device that has already been
decommissioned.
NoteFast Recovery is usually faster than an equivalent Backup and Recover
in part because Fast Recovery transfers uncompressed data while Backup and
Recovery compresses, transfers, and uncompresses the data. This eliminates
the compression/uncompression processing time, but also results in more data
being transferred across your network. The actual Fast Recovery time depends
on latency, bandwidth, utilization, and other conditions in your network. You
might want to start the Fast Recovery when network usage is minimallate at
night, for example, or during the weekend--especially if the amount of data
being transferred is very large.
This section discusses the following:
About the Data Restored in a Fast Recovery
Important Notes on page adm-5-172
Performing a Fast Recovery on page adm-5-175
Troubleshooting Fast Recoveries on page adm-5-177
adm-5-171
General Workflow
The Fast-Recovery process is performed using CLI commands and includes the
following steps:
1) Establish a public/private key authentication between the source and target
appliances.
2) Initiate and run the Fast-Recovery process.
Important Notes
Before you do a Fast Recovery, note the following:
Recovering downward to an older or lower-end device is not
recommended. Not all appliance/director models can used as the target
device for a specific source device. If the target device does not support the
source data, the Fast Recovery will exit with a warning message.
If the original appliance is part of a director domain, you must
Remove the original appliance from the domain,
Do the Fast Recovery, and
Add the new appliance to the domain.
If you are doing Fast Recovery between two directors, and the original
director has appliances in its domain, you must
Remove all appliances from the original directors domain,
Do the Fast Recovery, and
Add all appliances to the new directors domain.
adm-5-172
The target device must have the same or higher software release installed
as the source device. You can restore to a newer release, but not to an older
release.
You can verify the installed release in the System > Administration web UI >
System > Setup page (top-left corner).
If the source device is running a pre-8.5.5 software release, you must install
the following patch before you do a Fast Recovery:
Desktop Console >
Insights >
Update Center >
support.opnet.com/insights/support >
patches >
patchAV-all-xx00-R807_853-Backup-101
The target device must have at least as much available disk space as the
source device.
You can verify the amount of disk space in the Desktop Console > View >
Appliance Info window. Scroll to the bottom and note the second-to-last line:
Disk Usage.
NoteDuring the Fast-Recovery process, a warning message displays if
there is not enough space on the target device.
Depending on the hardware model and the data specified for recovery, the
recovery process can take several hours. For more information, see
Estimating Backup/Recovery Times on page adm-5-168.
While a Fast Recovery is in progress, all traffic monitoring is suspended on
the source device. For this reason, you should perform a Fast Recovery only
when you do not need to use the device for critical work.
If you are recovering data that requires a specific license, you will need to
have that license installed on the target device to view that data.
If you have only one set of licenses, and need to transfer these licenses from
the source to the target, do the following:
a) Fast-Recover the source device to the target device (as described in
Procedure 5-6 on page adm-5-175).
b) Deregister the licenses on the source device:
i) Open the License Manager (Desktop Console> Tools > License
Manager).
ii) Copy or write down the serial number of the appliance.
iii) Go to www.riverbed.com/support and open a support case. Include
the serial number of the appliance in the initial request.
When Support notifies you that the licenses are available, add them on
the destination device.
adm-5-173
After you obtain a license key, you can add it to the device from the
Desktop Console > Tools > License Manager.
adm-5-174
adm-5-175
adm-5-176
Related Topics
.Backup and Recovery
This command trims the 1-minute tables first; if the target percentage is not
reached, it trims some of the 5-minute tables.
Riverbed has the following guidelines for trimming databases for a Fast
Recovery:
When transferring data from lower- to a higher-model appliance, or between
two same-model appliances, you can trim the source database to 75%
(dbcleanup -f %75) in most cases.
When transferring data from a higher- to a lower-model appliance, you need
to trim the database by 50% (dbcleanup -f %50) in most cases.
When transferring data from a 4100, 4200, 5000, or 5100 to a 6000
appliance, you should trim the database by 50%. Although the 6000 has
more total disk space than these source models, it has less space allocated
for metric data (the extra space is dedicated to storing captured packets).
adm-5-177
If you're not interested in retaining the most recent data, you can discard
1-minute tables using the -x command-line argument. This effectively
reduces the database size by 50% while retaining all of the 5-minute, 1-hour,
and 1-day data:
fast-recover -s [hostname] -x 1
If you want to calculate a more precise percentage, you can also run the
following command to see disk usage and availability on the source and target:
df -H
Mounted on
/u1
My-target-appliance.mycompany.com> df -H
Filesystem
Size
Used
Avail Capacity
/dev/da0s4d
1.2T
0.3T
900G
25%
Mounted on
/u1
The key values here are Used on the source and Size on the target:
Size-on-target = 1.2T
Disk space on target available for Fast Recovery = 1.2T * 0.75 = 0.9T
Used-on-source = 1.5T
In this case, the source has much more data (1.5T) than it can transfer to the
target. You would need to trim the database by 50% (dbcleanup -f %50) to
bring the source database down to 0.75T. This is within the maximum threshold
on the target (0.9T) and would allow the Fast Recovery to proceed.
adm-5-178
179
NoteYou can copy the Update to a desktop or notebook computer and follow
the directions shown in Updating from a Local Host on page ADM-A-180.
180
Once the operation begins, you can use the Status box to see the status. During
the download and verify stages, you may stop the process by clicking the Stop
icon. However, if you do this, you lose what you have already
downloaded/verified and must start at the beginning.
WARNINGYou must not stop the process during the staging and installing
stages.
181
When you install a new release, the old release stays on the system but is not
installed. Once the you have verified that the new release is running smoothly,
select the delete release link to remove the old release.
Figure A-5 System Tab - Update - Delete
182
App B
Important Notes
Note the following:
You cannot downgrade any appliance or director to a previous release.
The CLI method is primarily intended for updating appliances that currently
have 8.5.5 or earlier installed. Riverbed recommends that you use the
System > Administration web UI to update or upgrade from 8.6.2 or higher.
The CLI method requires a local FTP or HTTP server that is visible to the
appliance you want to update.
If you do not have a local FTP or HTTP server, you can use the System >
Administration web UI to update the appliance.
release-update Commands
To download and install a new software release access the CLI, type
release-update and press Enter. The CLI displays the update menu which
provides the following commands:
download
Download a software release from a local web server. If the check
command was run previously, download provides a list of available software
releases. If the check command has not been run, you must provide the
complete URL to a software JAR. The download command supports URLs
with an embedded username and password. This can be useful for
transferring files from FTP servers requiring authentication.
ftp://username:password@host/path
http://username:password@host/path
This command transfers the software release to the appliance but does not
install it.
install
Install a software release that has been downloaded to the appliance. This
command provides a list of software JARs that are currently stored on the
appliance.
delete
183
Delete a software release that has been downloaded to the appliance. The
delete command provides a list of releases that are currently on the
appliance.
NoteBefore you start using the CLI to update an appliance, it is good
practice to delete any old JARs that are still stored on the appliance. This
frees up disk space that might be needed to store new JARs.
In this context, an old JAR corresponds to
Any release that is not the currently installed release (for appliances)
Any release that is neither the current release nor a release that needs
to be installed on any connected appliance. (for directors)
Suppose you want to install 9.0.3 on an 8.6.8 director. The director and all
connected appliances have been updated to 8.6.8, but the director still has
several older release JARs in its storage area. Therefore, you should delete
all JARS for all releases up to but not including 8.6.8.
To remove old JARs from an appliance or director, do the following steps:
a) Log in to the director as a user with Administrator privileges, using an
SSH-enabled program such as putty.
b) Enter the following command: release-update
The CLI displays the AppResponse Xpert Software Update menu.
c) Enter the following command: releases
The CLI displays all releases that are currently stored on the director.
d) For all old JARs (neither the current release nor a release needed to
update the director or a connected appliance), run the following
commands:
delete <release_number>
unpublish <release_number>
All JAR files for <release_number> are removed from the director.
e) For the release currently installed on the Director, run the following
command:
unpublish <release_number>
You must perform this step for the currently installed release if it was
installed on the director using the CLI rather than the System >
Administration web UI.
log
Examine a software installation log. A new log file is created each time a
software release is installed. The log command provides a list of available
software logs.
proxy
184
release-current Command
The release-current CLI command displays the current software release
running on the appliance. This command does not take arguments.
185
186
App C
Tcpdump Expressions
The expression consists of one or more primitives.
adm-C-187
Additionally, there are special primitive keywords that don't follow the pattern:
gateway, broadcast, less, greater and arithmetic expressions. For a list of the
allowable tcpdump primitives, see Table C-1 on page adm-C-188.
More complex filter expressions are built up by using the words and, or and
not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or
ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data
or tcp dst port domain'.
Allowable Primitives
The following table lists the allowable tcpdump primitives.
Table C-1 tcpdump Primitives
Primitive
Description
True if the IPv4/v6 destination field of the packet is host, which may be either an address or
a name.
host host
True if either the IPv4/v6 source or destination of the packet is host. Any of the above host
expressions can be prepended with the keywords, ip, arp, rarp, or ip6 as in: ip host host which
is equivalent to: ether proto \ip and host host If host is a name with multiple IP addresses,
each address is checked for a match.
True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers
or a number (see ethers(3N) for numeric format).
gateway host
True if the packet used host as a gateway, i.e., the ethernet source or destination address
was host but neither the IP source nor the IP destination was host. Host must be a name and
must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is ether host
ehost and not host host which can be used with either names or numbers for host / ehost.)
This syntax does not work in IPv6-enabled configuration at this moment.
True if the IPv4/v6 destination address of the packet has a network number of net. Net may
be either a name from /etc/networks or a network number (see networks(4) for details).
True if the IPv4/v6 source address of the packet has a network number of net. net net True
if either the IPv4/v6 source or destination address of the packet has a network number of net.
True if the IP address matches net with the specific netmask. May be qualified with src or dst.
Note that this syntax is not valid for IPv6 net.
net net/len
True if the IPv4/v6 address matches net a netmask len bits wide. May be qualified with src
or dst.
adm-C-188
Description
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port.
The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a
name is used, both the port number and protocol are checked. If a number or ambiguous
name is used, only the port number is checked (e.g., dst port 513 prints both tcp/login traffic
and udp/who traffic, and port domain prints both tcp/domain and udp/domain traffic).
port port
True if either the source or destination port of the packet is port. Any of the above port
expressions can be prepended with the keywords, tcp or udp, as in: tcp src port port which
matches only tcp packets whose source port is port.
less length
True if the packet has a length less than or equal to length. This is equivalent to: len <=
length.
greater length
True if the packet has a length greater than or equal to length. This is equivalent to: len >=
length.
ip proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a
number or one of the names icmp, igrp, udp, nd, or tcp. Note that the identifiers tcp, udp, and
icmp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell. Note
that this primitive does not chase protocol header chain.
True if the packet is an IPv6 packet of protocol type protocol. Note that this primitive does not
chase protocol header chain.
True if the packet is IPv6 packet, and contains protocol header with type protocol in its
protocol header chain. For example, ip6 protochain 6 matches any IPv6 packet with TCP
protocol header in the protocol header chain. The packet may contain, for example,
authentication header, routing header, or hop-by-hop option header, between IPv6 header
and TCP header. The BPF code emitted by this primitive is complex and cannot be optimized
by BPF optimizer code in tcpdump, so this can be somewhat slow.
ip protochain protocol
ether broadcast
True if the packet is an ethernet broadcast packet. The ether keyword is optional.
ip broadcast
True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones
broadcast conventions, and looks up the local subnet mask.
ether multicast
True if the packet is an ethernet multicast packet. The ether keyword is optional. This is
shorthand for `ether[0] & 1!= 0'.
ip multicast
ip6 multicast
True if the packet is of ether type protocol. Protocol can be a number or a name like ip, ip6,
arp, or rarp. Note these identifiers are also keywords and must be escaped via backslash (\).
[In the case of FDDI (e.g., `fddi protocol arp'), the protocol identification comes from the 802.2
Logical Link Control (LLC) header, which is usually layered on top of the FDDI header.
Tcpdump assumes, when filtering on the protocol identifier, that all FDDI packets include an
LLC header, and that the LLC header is in so-called SNAP format.]
adm-C-189
Description
Abbreviations for: ether proto p where p is one of the above protocols. Note that tcpdump
does not currently know how to parse these protocols.
vlan [vlan_id]
True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id] is specified, only encountered
in expression changes the decoding offsets for the remainder of expression on the
assumption that the packet is a VLAN packet.
Abbreviations for: ip proto p or ip6 proto p where p is one of the above protocols.
True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic
expression composed of integer constants (expressed in standard C syntax), the normal
binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To
access data inside the packet, use the following syntax: proto [expr: size] Proto is one of
ether, fddi, ip, arp, rarp, tcp, udp, icmp or ip6, and indicates the protocol layer for the index
operation. Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6
(this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given
by expr. Size is optional and indicates the number of bytes in the field of interest; it can be
either one, two, or four, and defaults to one. The length operator, indicated by the keyword
len, gives the length of the packet.
For example, `ether[0] & 1 != 0' catches all multicast traffic. The expression `ip[0]
& 0xf != 5' catches all IP packets with options. The expression `ip[6:2] & 0x1fff
= 0' catches only unfragmented datagrams and frag zero of fragmented
datagrams. This check is implicitly applied to the tcp and udp index operations.
For instance, tcp[0] always means the first byte of the TCP header, and never
means the first byte of an intervening fragment.
Combining Primitives
Primitives may be combined using:
A parenthesized group of primitives and operators (parentheses are special
to the Shell and must be escaped).
Negation (`!' or `not')
Concatenation (`&&' or `and')
Alternation (`||' or `or')
Negation has highest precedence. Alternation and concatenation have equal
precedence and associate left to right. Note that explicit and tokens, not
juxtaposition, are now required for concatenation.
adm-C-190
adm-C-191
adm-C-192
Rollback Utility
The Rollback utility restores an AppResponse Xpert appliance to its default
factory settings. This means that all customer-specific data is removed from the
appliance, including:
configuration settings
data from database tables
logs
reports and report definitions
Diskwipe Utility
The DiskWipe utility overwrites all unused disk space on the specified disk
drives. More specifically, in one pass, the DiskWipe utility writes zeros to all
blocks on the disk drive(s) that have no data. (The DiskWipe Utility is similar to
the dd unix command.)
NoteBecause it writes to blocks that have no data, the DiskWipe utility should
be run only after the Rollback Utility.
adm-D-193
Important Notes
Note the following:
A rollback operation can take 10 to 20 minutes to complete, depending on
the hardware model.
The Rollback utility does not remove AppResponse Xpert software patches.
Therefore, you do not need to re-install software patches after Rollback.
adm-D-195
ResetData Utility
The resetData CLI command deletes all traffic data stored on the appliance,
while retaining all user-specified configurations. Situations in which this
command can be useful include:
The appliance was configured incorrectly, resulting in inaccurate data, so
you correct the configuration and delete the data collected using the previous
configuration.
You want to move the appliance to a new location that requires only minor
changes to the appliance configuration, so you reconfigure the appliance and
delete all traffic data collected at the old location.
When you run the resetData command from the CLI, the following data is
deleted:
Metric data derived from monitored traffic, such as Application Stream
Analysis, Web Transaction Analysis, NetFlow Monitoring, and VoIP/Video
Monitoring
All packet capture data
All generated reports
The following data is retained:
All custom settings in the web UI
All custom settings in the Desktop Console: Business Group Manager,
Defined Application Manager, Preferred IP Manager, and so on
All certificate and private key information stored on the appliance (for
example, in the Web UI > System > Administration > Pages)
Note the following:
The resetData command is case-sensitive: all lowercase except for the
uppercase 'D'.
You must be logged in to the CLI as a user with Administrator privileges to
run this command.
adm-D-196
App E
adm-E-197
EXP-200
AL-4100
(expansion card required)
ARX-4200
(expansion card required)
EXP-300
ARX-4300
ARX-5000
(expansion card required)
X
X
ARX-5100
ARX-6000
(includes two controllers)
adm-E-198
1 Install the new Expansion Chassis in the equipment rack close to the appliance
(the supplied SAS cable is 1 meter in length).
2 Using the supplied AC power cords, connect the power supplies in each Expansion
Chassis to a conditioned power source.
3 Connect the appliance to the expansion chassis using SFF-8080 cables, based on
your appliance and Expansion Chassis model:
4100, 4200, and 5000 Appliance Connectivity with S-16 Expansion Chassis on
page adm-E-200
4100, 4200, and 5000 Appliance Connectivity with EXP-200 Expansion Chassis
on page adm-E-201
4300 and 5100 Appliance Connectivity with EXP-300 Expansion Chassis on
page adm-E-202
6000 Appliance Connectivity with EXP-300 Expansion Chassis on
page adm-E-204
4 Proceed to Step 2: Set Up the Expansion Chassis Disks on page adm-E-206.
End of Procedure E-1
adm-E-199
Device (Port)
Device (Port)
Figure E-1 4100 / 4200 / 5000 Appliance Connectivity with S16 Expansion
Chassis
Appliance
(expansion card, slot 5)
Expansion Chassis #1
Expansion Chassis #2
Expansion Chassis #3
adm-E-200
Device (Port)
Device (Port)
Figure E-2 4100 / 4200 / 5000 Appliance Connectivity with EXP-200 Expansion
Chassis
adm-E-201
adm-E-202
Device (Port)
Device (Port)
appliance (SAS-OUT)
Figure E-3 Port Connectivity between 4300 / 5100 Appliance and 300 Expansion Chassis
SAS-OUT port on
4300 / 5100 appliance
SAS-OUT
expansion chassis #1
A2-IN
A2-OUT
A1-IN
A1-OUT
expansion chassis #2
A2-IN
A2-OUT
A1-IN
A1-OUT
A2-OUT
A1-OUT
adm-E-203
6000 Appliance
Connectivity with
EXP-300 Expansion
Chassis
adm-E-204
Device (Port)
Device (Port)
ARX-6000 appliance
A2-OUT
A1-OUT
expansion chassis #1
A2-IN
A2-OUT
A1-IN
A1-OUT
expansion chassis #2
A2-IN
A2-OUT
A1-IN
A1-OUT
expansion chassis #3
A2-OUT
A1-IN
A1-OUT
A2-IN
A2-OUT
A1-IN
A1-OUT
adm-E-205
adm-E-206
Mounted on
UNENROLLED
Disk
mfid2p1
mfid3p1
Mounted on
/ex/1/0
/ex/2/0
raid Utility
raid is a command-line program that is useful for viewing high-level array and
device information for both internal and external RAID controllers. To view
high-level information about all RAID controllers, arrays, and devices, do the
following:
1) Open a CLI window and log in to the appliance as admin.
2) Run the command:
raid
3) From the RAID menu, run the command:
status
Figure E-5 shows an example of RAID status command output from an
appliance with one EXP-300 expansion chassis.
Figure E-5 raid status Output (Example)
RAID menu: status
ARX6000-000000 (rev. 2013-08)
mfi0/0 status as of 2013/08/13-01:10:42 GMT: ONLINE
AppResponse Xpert/Release 9.0
adm-E-207
VD
0
0
0
0
Name
0:252:00
0:252:01
0:252:02
0:252:03
Model
Number
ST480FN0021
ST480FN0021
ST480FN0021
ST480FN0021
Serial
Number
P3Y010AE
P3Y010FB
P3Y0114E
P3Y01140
SMART
Status
OK
OK
OK
OK
Port
Status
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Up
Up
Up
Up
Volume
Volume
Status
Optimal
Disk
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
VD
0
0
0
0
0
0
0
0
0
0
0
0
1
1
1
1
1
1
1
1
1
1
1
Name
1:245:00
1:245:01
1:245:02
1:245:03
1:245:04
1:245:05
1:245:06
1:245:07
1:245:08
1:245:09
1:245:10
1:245:11
1:058:00
1:058:01
1:058:02
1:058:03
1:058:04
1:058:05
1:058:06
1:058:07
1:058:08
1:058:09
1:058:10
Model
Number
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
Volumes:
Volume Volume RAID Volume
ID
Name
Level Size
VD1/0 ARX6000GSB 6
18TB
VD1/1 E3B
6
18TB
Serial
Number
Z1Y02D05
Z1Y02D06
Z1Y02D07
Z1Y02D08
Z1Y02D09
Z1Y02D10
Z1Y02D11
Z1Y02D12
Z1Y02D13
Z1Y02D14
Z1Y02D15
Z1Y02D16
Z1Y02D17
Z1Y02D18
Z1Y02D19
Z1Y02D20
Z1Y02D21
Z1Y02D22
Z1Y02D23
Z1Y02D24
Z1Y02D25
Z1Y02D26
Z1Y02D27
SMART
Status
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
Port
Status
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Volume
Status
Optimal
Optimal
VD
0
0
0
0
0
0
0
0
0
0
0
0
1
1
1
1
1
Name
2:245:00
2:245:01
2:245:02
2:245:03
2:245:04
2:245:05
2:245:06
2:245:07
2:245:08
2:245:09
2:245:10
2:245:11
2:045:00
2:045:01
2:045:02
2:045:03
2:045:04
Number
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
Number
Z1Y02D43
Z1Y02D44
Z1Y02D45
Z1Y02D46
Z1Y02D47
Z1Y02D48
Z1Y02D49
Z1Y02D50
Z1Y02D51
Z1Y02D52
Z1Y02D53
Z1Y02D54
Z1Y02D55
Z1Y02D57
Z1Y02D58
Z1Y02D59
Z1Y02D60
Status
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
OK
Status
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Online, Spun
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
Up
1
1
1
1
1
1
2:045:05
2:045:06
2:045:07
2:045:08
2:045:09
2:045:10
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
ST3000NM0033-9ZM178
Volumes:
Volume Volume
RAID Volume
ID
Name
Level Size
VD2/0 ARX6000GST 6
18TB
VD2/1 E3T
6
18TB
Z1Y02D61
Z1Y02D62
Z1Y02D63
Z1Y02D64
Z1Y02D65
Z1Y02D66
OK
OK
OK
OK
OK
OK
Online,
Online,
Online,
Online,
Online,
Online,
Spun
Spun
Spun
Spun
Spun
Spun
Up
Up
Up
Up
Up
Up
Volume
Status
Optimal
Optimal
where n is the controller number. For example, for the status of Controller 0,
enter:
tw_cli /c0 show
Disk
Mounted On
/ex/1/0
/ex/2/0
If the file system does not appear, repeat the steps in Installing and Configuring
an Expansion Chassis on page adm-E-198 to ensure that the file system is
configured and mounted correctly.
If this does not resolve the issue, contact Riverbed Technical Support.
adm-E-209
The Administration > System > Capture web page includes storage
configuration options for every Expansion Chassis that is connected to the
appliance. The following steps outline the general workflow:
1) Specify the percentage of total disk space reserved for Rolling Packet
Storage.
The Remaining Storage label updates automatically based on the new
percentage.
2) Specify the percentage of remaining disk space reserved for alert
snapshots and individual page views.
The Snapshot Storage and Individual Pages Storage fields update
automatically based on the new percentage.
3) Repeat this process for each Expansion Chassis that is connected to the
appliance.
4) Scroll to the bottom of the page and click Apply.
NoteThe configuration options for each expansion chassis are stored on the
chassis itself, not on the appliance to which it is attached. This ensures that the
chassis configuration is persistent even if you move the chassis to a different
appliance.
adm-E-210
adm-E-211
adm-E-212
Index
Index
A
activate an extended feature, adm-1-34, adm-1-60
alerts
appliance, adm-1-43
descriptions, adm-1-50 to adm-1-51
hardware, adm-1-48
heartbeat, adm-1-43
other, adm-1-48
settings, adm-1-49
software, adm-1-48
syslog, adm-1-39
appliance
available models, adm-2-79
BGP, adm-2-88
installation, adm-2-77
physical configuration, adm-2-80
appliance information window, adm-1-18
appliance overview, adm-2-78
ARX-1200
back panel, adm-2-94, adm-2-96
ARX-2100
back panel, adm-2-95
overview, adm-2-80
ARX-3100
back panel, adm-2-97
overview, adm-2-80
ARX-3150
back panel, adm-2-98
overview, adm-2-79
ARX-3170
back panel, adm-2-99, adm-2-101, adm-2-103
overview, adm-2-79
ARX-3200
back panel, adm-2-100
overview, adm-2-79
ARX-3300
overview, adm-2-79
ARX-3700
back panel, adm-2-102
overview, adm-2-79
ARX-4100
front panel, adm-2-116
ARX-4100 (10G)
back panel, adm-2-105
overview, adm-2-79
ARX-4100 (1G)
back panel, adm-2-104
overview, adm-2-79
ARX-4100-S16
back panel, adm-2-111
ARX-4200
AppResponse Xpert/Release 9.0
B
backup and recovery
backup
global vs. local, adm-5-149
on-demand, adm-5-161
pre-configurations and verifications, adm-5-151
schedule, adm-5-156
servers, adm-5-152
view list of, adm-5-163
best practices and guidelines, adm-5-168
error logs, adm-5-170
estimate backup/recovery time, adm-5-168
general workflow, adm-5-150
introduction, adm-5-148
recovery
different appliance, adm-5-166
guidelines, adm-5-169
partial, adm-5-165
same appliance, adm-5-164
SSH vs. FTP protocol, adm-5-168
troubleshoot, adm-5-170
BGP and the appliance, adm-2-88
BGP settings, adm-2-128
bundles
core, adm-1-45
log, adm-1-45
web interface, adm-1-45
C
CLI
software updates, adm-B-183
cli
installation, adm-2-122
configure number of span ports during installation, adm-2-127
configuring
using the cli, adm-2-123
copper tap, adm-2-85
core bundles, adm-1-45
adm-IX-213
D
COREFILE (software alert), adm-1-51
CPUCNT (hardware alert), adm-1-50
CPUTEMP (hardware alert), adm-1-50
CPUTEMPMARG (hardware alert), adm-1-50
D
DAQERR (software alert), adm-1-51
deduplication, adm-1-49
DIAGINT (software alert), adm-1-51
diagnostic reports
automatic, adm-1-45
email, adm-1-47
manual, adm-1-45
status, adm-1-53
web interface, adm-1-47, adm-1-53
diagnostics, adm-1-45
alert descriptions, adm-1-50 to adm-1-51
alert setttings, adm-1-49
alerts, adm-1-48
bundle, adm-1-45
log viewer, adm-1-53
reports, adm-1-47
status, adm-1-53
director
software update, ADM-A-181
DISKIO (hardware alert), adm-1-50
DMCNAPPL (software alert), adm-1-51
DMCNDIR (software alert), adm-1-51
DMCNSYNC (software alert), adm-1-51
dmq, adm-1-35
dns, adm-2-127
domain, adm-2-124, adm-2-127
dual span port, adm-2-84
H
halt, adm-1-37
hardware alerts
web interface, adm-1-48
host name, adm-2-126
HSCBADPKT (hardware alert), adm-1-50
I
installation
ACE Live appliance, adm-2-77
additional information, adm-2-87
appliance installation procedure, adm-2-118
cli, adm-2-122
inventory, adm-2-93
network coverage, adm-2-85
network placement considerations, adm-2-85
preparation sheet, adm-2-92
rackmount, adm-2-119
span port, adm-2-127
web interface, adm-2-125
wiring the appliance using a span port, adm-2-120
wiring the appliance using a tap, adm-2-121
internal address list, adm-2-81, adm-2-85, adm-2-128
internal services, adm-2-91
ip address, adm-2-127
IPDROP (software alert), adm-1-52
email
diagnostic reports, adm-1-47
encapsulation, adm-2-87
encryption, adm-2-87
external services, adm-2-88
mailmgr, adm-1-34
management console
troubleshooting, adm-3-139
management interface, adm-2-127
management nic, adm-2-127
manager
user admiin, adm-1-26
MIPMAPCHK (software alert), adm-1-52
modified frame formats, adm-2-86
mta_masq_domain, adm-1-34
mta_relay, adm-1-34
mta_relay_port, adm-1-34
G
gateway, adm-2-124, adm-2-127
adm-IX-214
N
NETFLOWDRP (hardware alert), adm-1-50
NETGW (software alert), adm-1-52
netmask, adm-2-127
network address translation, adm-2-87
network configuration settings, adm-2-126
network placement, adm-2-85
802.1q, adm-2-86
asymmetric traffic, adm-2-86
encapsulation, adm-2-87
encryption, adm-2-87
header obscurity, adm-2-87
isl, adm-2-86
jumbo frames, adm-2-86
maximum traffic rate, adm-2-86
modified frame formats, adm-2-86
network address translation, adm-2-87
network coverage, adm-2-85
security considerations, adm-2-87
span port, adm-2-85
tunneling, adm-2-87
NICCNT (hardware alert), adm-1-50
NICDOWN (hardware alert), adm-1-51
NICPKLIM (software alert), adm-1-52
NICPKTLSS (hardware alert), adm-1-51
NOTIFCHK (software alert), adm-1-52
NOTIFCON (software alert), adm-1-52
np appliance
troubleshooting, adm-3-135 to adm-3-136
verifying operations, adm-3-135
NTP public server, adm-2-129
NTPCON (software alert), adm-1-52
ntps, adm-2-128
O
other alerts
web interface, adm-1-48
P
physical configuration, adm-2-80
copper/fiber tap, adm-2-85
dual span port, adm-2-84
single span port, adm-2-84
physical configurations, adm-2-80
port
dual span, adm-2-84
single span, adm-2-84
ports
used for network communications, adm-2-88
preparation sheet, adm-2-92
privileges, adm-1-27
R
rackmount and wire the appliance, adm-2-119
AppResponse Xpert/Release 9.0
N
radius, adm-1-24
reboot, adm-1-37
recovery. See backup and recovery
release-current, adm-B-185
release-list, adm-B-185
release-update command, adm-B-183
restore. See backup and recovery
S
services
internal and external, adm-2-88
set the internal address list, adm-2-128
setup, adm-1-31
single span port, adm-2-84
snmp
agent port, adm-1-44
community string, adm-1-43
enable/disable snmp agent, adm-1-43
trap destination, adm-1-43
software alerts
web interface, adm-1-48
software update
appliance, ADM-A-179
deleting old releases, ADM-A-181
director, ADM-A-181
web ui, ADM-A-179
software updates in CLI, adm-B-183
span port
installation, adm-2-127
physical configuration, adm-2-85
SQLCHK (software alert), adm-1-52
SQLCON (software alert), adm-1-52
SQLPROC (software alert), adm-1-52
SQLRST (software alert), adm-1-52
SYSCRASH (software alert), adm-1-53
syslog alerts, adm-1-39
SYSPWR (hardware alert), adm-1-51
SYSREBOOT (software alert), adm-1-53
system requirements
web interface, adm-2-125
SYSTEMP (hardware alert), adm-1-51
T
tcp dump
expression format, adm-C-187
time zone, adm-2-128
traceroute
firewall configuration, adm-2-91
traceroutes
automated, adm-1-41
selection algorithm, adm-1-41
types, adm-1-42
traffic filters, adm-1-56
traffic symmetry, adm-2-86
traffic volume, adm-2-86
adm-IX-215
U
troubleshooting, adm-3-135
management console, adm-3-139
np appliance, adm-3-136
web interface, adm-3-138
U
Updating
software in CLI, adm-B-183
user admin manager, adm-1-26
V
verifying operations, adm-3-135
viewlog, adm-1-35
W
web interface, adm-2-125
adm-IX-216