Gigavue 420
User’s Guide
Software Version 4.0
COPYRIGHT
© 2006-2008 Gigamon Systems LLC. All Rights Reserved. No part of this publication may be reproduced,
transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any
means without the written permission of Gigamon Systems, LLC.
TRADEMARK ATTRIBUTIONS
Gigamon, Gigamon Systems, GigaVUE-420, and GigaVUE-MP are registered trademarks or trademarks of
Gigamon Systems, LLC. All other registered and unregistered trademarks herein are the sole property of their
respective owners.
Contents
GigaVUE-MP – Rear View
Differences in Software Features
Differences in Maps and Filters
Differences in Restrictions on Legacy Commands
Differences in Stacking Commands for 10 Gb Ports
Differences in Port-Stat Counters
Differences in Mgmt Port
New Features in GigaVUE-420 v4.0
System Management Features
Filter and Map-Rule Features
Traffic Distribution Features
GigaVUE-420 Specifications
GigaVUE-420 Physical Dimensions and Weight
Power Requirements
Environmental Specifications
GigaTAP-Sx/GigaTAP-Lx/GigaTAP-Zx Modules
GigaTAP-Tx Module
Passive Mode vs. Active Mode
Configuring Tap Connections
GigaLINK Modules (CU and XR)
Using Modules – Best Practices
Traffic Distribution and Replacing Modules
Create the Stack Map
Create the Configuration Plans
Configuring a Box’s Stacking Information
Assigning Box IDs: config system bid
Designating Stacking Ports: config port-type
Specifying Neighbor Boxes: config system x1_bid/x2_bid
Sample Commands
Configuring Cable Lengths (GigaLINK-CU Stacking Ports)
Activating Stacking Ports: config system active_link
Stack Examples: CLI Commands
Example: Two-Box Cross-Box Stack
Example: Cross-Box Stack with Four Systems
Making Physical Connections
Verifying a Cross-Box Stack’s Connectivity
Check the show diag Output
Set Up Cross-Box Connections
Configuring Cross-Box Packet Distribution
Troubleshooting Cross-Box Stacks
Making Changes to an Existing Cross-Box Stack
Adding a Box to the Edge of a Stack
Remove a Box from the Edge of a Stack
Adding a Box to the Middle of a Stack
Disconnect a Box in the Middle of a Stack
Power Loss Considerations for Cross-Box Stacks
Power Loss on Box in the Middle of a Stack
Power Loss and Power Restore to the Entire Stack
Configuring Authentication (AAA)
Authentication Options
Syntax for the config system aaa Command
Examples
Using GigaVUE-420 with an External Authentication Server
Specifying TACACS+ Servers in GigaVUE-420
Specifying RADIUS Servers in GigaVUE-420
Setting up GigaVUE-420 Users in an External Authentication Server
Differences in Commands for External and Local Users
Specifying an External Syslog Server
Packet Format for Syslog Output
Viewing Log Files
Uploading Log Files for Troubleshooting
Example – Saving a Log File to a Spreadsheet
Combining Filters and Filter Logic
Examples of Filter Logic
Working with User-Defined Pattern Match Filters
User-Defined Pattern Match Syntax
User-Defined Pattern Match Rules
User-Defined Pattern Match Examples
Mixing Allow and Deny Filters
Showing Filters
Deleting Filters
Filter Examples
Filtering on RTP Traffic
MAC Address Filter Examples
Example 1 – Deny Filter
Example 2 – Allow Filter
Example 3 – Deny Filter
Example 4 – Denying Odd-Numbered MAC Addresses
Example 5 – Allowing Odd-Numbered MAC Addresses
Using the Pass-All Command
Syntax for config pass-all
Rules for config pass-all
Maximum Number of Pass-All Destinations
Pass-All Matrix
Filters and the config pass-all Command
Examples for config pass-all
Illustration of Pass-Alls in the Show Connect Screen
Syntax for config mapping / config xbmapping
Showing Maps
Changing Maps
Adding Map-Rules to Single-Box/Cross-Box Maps
Deleting a Map-Rule from Single-Box/Cross-Box Maps
Deleting a Single-Box Mapping
Deleting a Single-Box/Cross-Box Map
Combining Pass-All with Maps
Map-Rule Priority and Guidelines
Map Creation Guidelines
Map Examples
Map Example – Selectively Forwarding VLAN Ranges
What this Map Will Do
Commands to Create this Map
Showing the Map in the CLI
Map Illustration
Map Example – Single-Tool vs. Multi-Tool
Single-Tool Map
Multi-Tool Map
config restore command
config save command
config snmp_server commands
config snmp_trap commands
config sntp_server command
config syslog_server
config system commands
config tac_server command
config uda command
config user command
config xbconnect command
config xbmap command
config xbmapping command
config xbport-filter command
delete commands
exit command
help command
history command
install commands
logout command
reset commands
show commands
upload command
Port Statistics Counters
Index
About This Guide
How To Use This Guide
This User’s Guide is divided into several main sections. Each section
corresponds to a different stage of GigaVUE-420 operations, as
summarized below.
Section: Welcome to GigaVUE-420 4.0
These chapters introduce you to the GigaVUE-420 and orient
GigaVUE-MP customers to the new product. They also describe how to
upgrade the system once new versions are available.
• Chapter 1, Introducing GigaVUE-420 4.0
• Chapter 2, Updating the GigaVUE-420
• Chapter 3, Getting Started with GigaVUE-420: A Roadmap
Section: Appendixes
These chapters provide useful reference information. You will likely
return to these chapters as you have specific questions about
GigaVUE-420 features.
• Appendix A, Command Line Reference
• Appendix B, CLI Parameter Limits
• Appendix C, Lock-Level Reference
• Appendix D, Port Statistics Counters
Engineering Product Name    Sales Product Name    Description
GigaLINK-SR    Optional 10 Gb optical Short Range interface for
stacking, network or tool port use.
GigaVUE-420 Models
There are four basic GigaVUE-420 models available:
Contacting Customer Support
Contact Gigamon Systems LLC’s Support department with product
questions using the information in Table i. The Customer Service
department’s hours of operation are from 7:30 AM to 5:30 PM Pacific
Time, Monday through Friday.
E-Mail support@gigamon.com
Web http://www.gigamon.com
Sales info@gigamon.com
Chapter 1
GigaVUE-420 Overview
GigaVUE-420 is an out-of-band data access switch for enterprise
networks. It provides dynamic connectivity for 10 Gb and 1 Gb
Ethernet network monitor, compliance, and archival tools, including:
• Intrusion Detection Systems
• Protocol Analyzers
• VoIP Analyzers
• Application Performance Monitors
• Stream-to-Disk Data Recorders
Filtering and Mapping (Any-to-Any)
Direct traffic from any network port to any tool port. Use filters to
focus on particular traffic types. Use map-rules to send different
types of traffic to different tool ports.
Figure 1-1: GigaVUE-420 Features
Benefit Descriptions
Share SPAN Ports
Connect a SPAN port to a network port on the GigaVUE-420. Then, use
GigaVUE-420’s command-line interface to multicast that traffic to multiple
different tool ports, giving multiple different tools access to the same data.
You can apply different filters to individual tool ports to ensure that each tool
sees the data that best suits its individual strengths.
Aggregate Links
Send the data from multiple different network ports to one or more tool ports,
allowing you to combine traffic from multiple access points into a single
stream for analysis.
Filter Packets
Set both pre-filters and post-filters, allowing or denying traffic that meets
specified criteria, including IP address and port ranges, VLAN IDs, protocols,
and so on.
• Pre-filters are filters applied on a network port.
• Post-filters are filters applied on a tool port.
Fault Tolerant Taps
GigaTAP modules protect production links at all times (for copper, relay
closes if power fails; for fiber, optical link maintains connection).
Modularized Design
Install once and never touch any links again. You can move, add, and
reconfigure tools at will without affecting production networks.
10 Gb Support
• Support for up to four separate 10 Gb ports, allowing for a full tap of both
sides of two full-duplex 10 Gb links.
• Aggregate multiple 1 Gb network ports to 10 Gb tool port.
• Split out 10 Gb network port to multiple 1 Gb tool ports.
• 10 Gb ports in x1/x2 slots can be used for stacking multiple GigaVUE-420
systems.
GigaVUE-420 Chassis
Each GigaVUE-420 unit consists of a 1U, rack-mountable, 19”-wide
chassis. The chassis comes equipped with a 4-port base unit
(GigaMGMT) permanently installed on the front side, available with
either copper or optical ports. Figure 1-2 shows front and rear views
of the GigaVUE-420:
[Figure 1-2: front and rear views of the GigaVUE-420. Callouts: Base Ports – Optical Version; Optional Front Module Slots]
Chassis Front – 10/100/1000 Modules
GigaVUE-420 – Front View
The GV-420’s base module includes four ports (copper or optical)
instead of eight, giving you more slots for different module types.
Both systems accept the same optional module types (GigaPORT and
GigaTAP) and support a maximum of 20 ports on the front side. However,
the GV-420 has four optional module slots instead of three.
Differences in Software Features
GigaVUE-MP users will have no trouble adjusting to the
GigaVUE-420: the new system’s CLI works much the same as the
old system’s. However, there are some key differences, as summarized
in the tables below.
Feature: Maximum Number of Network Port Filters and Single-Tool
Map-Rules Bound per Box
GigaVUE-MP 3.5: 2520 network port-filters; 3600 map-rules
GigaVUE-420 4.0: 2048
Feature: Filtered Tool Port Sharing
GigaVUE-MP 3.5: Filtered tool ports cannot be shared with a map-rule.
GigaVUE-420 4.0: Filtered tool ports can be shared with a connect,
map-rule, xbconnect, or xbmap-rule.
Feature: Applying Filters to Unconnected Tool Ports
GigaVUE-MP 3.5: Filters can only be applied to tool ports with a
connection in place.
GigaVUE-420 4.0: Filters can now be applied to tool ports without a
connection in place. NOTE: You still cannot apply a filter to a
network port without a connection in place.
GigaVUE-MP 3.5: Matches all fragments for all conversations. Intended
to be used in a single map-rule with no other attributes.
GigaVUE-420 4.0: Can be combined with IP Address and Port filters to
focus on fragments associated with specific traffic.
Single-Tool Maps
Plus:
• Support Pattern Match Filters
Minus:
• Fewer Port-Pairs (2 instead of 12)
• Fewer Pass-All Destination Ports for Ports in the Map (4 instead of 23)
Multi-Tool Maps
Plus:
• More Port-Pairs (12 instead of 2)
• More Pass-All Destination Ports for Ports in the Map (23 instead of 4)
Minus:
• No User-Defined Pattern Match Map-Rules
Differences in Stacking Commands for 10 Gb Ports
Many of the arguments for the stacking commands in the
GigaVUE-MP used “front” and “back” designators for the 10 Gb
ports. Because the GigaVUE-420’s 10 Gb ports are all on the back of
the unit now, the arguments for these commands have changed to
use x1 and x2 instead. The table below summarizes the differences.
Specifying Stack Neighbors
These commands inform the local GigaVUE-420 of the boxes reachable
from its stacking ports. These commands are renamed so that they no
longer use the “front” and “back” designators.
GigaVUE-MP:
config system front_bid <1-10>
config system back_bid <1-10>
GigaVUE-420:
config system x1_bid <1-10>
config system x2_bid <1-10>
New Features in GigaVUE-420 v4.0
This section summarizes the major features in GigaVUE-420 v4.0,
including the changes relative to the GigaVUE-MP 3.5 release.
Features are grouped into the following major categories:
• System Management Features on page 37
• Filter and Map-Rule Features on page 39
• Traffic Distribution Features on page 41
Feature Description
Logging
GigaVUE-420 introduces comprehensive logging capabilities to
keep track of events on the unit. Logged events are always written
to the local syslog.log file. In addition, you can optionally specify
an external syslog server as a destination for GigaVUE-420’s
logging output.
First, check the log-level to make sure the events you’re interested
in will be logged (the default log-level is Info, but you can change
it). Then, use the show log command to view available log files and
log file contents. You can filter the show log output by priority, type,
and date range. You can also use the tail argument to show only
the last x entries in the log.
See Configuring Logging on page 185 for information on working
with logging.
Upload Log Files
You can use the upload -log command to upload saved log files to
a TFTP server. This can be useful for troubleshooting issues with
Support staff. If you used the delim option to display the log file in
comma-delimited format, you can easily import the file into a
spreadsheet application.
See Uploading Log Files for Troubleshooting on page 192 for
details.
Save Adds “Next Boot” Flag
The config save command now includes a new nb (“next boot”)
argument, allowing you to specify that a newly saved configuration
file should be loaded at the next system boot. In previous GigaVUE
products, you could only enable the next boot flag for a
configuration file using the config file command.
See Setting a Configuration File to Boot Next on page 182 for
details.
Filter and Map-Rule Features
Feature Description
IPv6 Filters
GigaVUE-420 adds several new filter options for IPv6:
• Allow or deny traffic from specific IPv6 source or destination
addresses.
• Allow or deny IPv6 packets matching a particular IPv6 Flow
Label.
• Allow or deny traffic based on IP version (IPv4 or IPv6).
See Config Filter Syntax on page 225 for details on these options.
Improved Pattern Match Filters
GigaVUE-420 significantly enhances the user-defined pattern
match filters available in the GigaVUE-MP 3.5 product:
• You can now use 16-byte patterns instead of the 4-byte patterns
available in the GigaVUE-MP 3.5.
• Offsets can now be set at 4-byte boundaries from offsets of
2-126 bytes instead of the 0-80 byte range supported in the
GigaVUE-MP 3.5.
• You now set offsets for user-defined pattern matches separately
from the patterns themselves.
See Working with User-Defined Pattern Match Filters on page 237
for details.
Filters for TCP Control Bits
GigaVUE-420 adds built-in filter support for any of the eight
standard control bits (“flags”) in the TCP header (ACK, SYN, FIN,
and so on).
See Config Filter Syntax on page 225 for details.
Filters for TTL/Hop Limit Values
GigaVUE-420 adds the ability to filter on Time To Live (TTL; IPv4)
or Hop Limit (IPv6) values. These fields perform the same function,
specifying the maximum number of hops a packet can cross before
it reaches its destination.
See Config Filter Syntax on page 225 for details.
Traffic Distribution Features
Feature Description
Config Pass-All Enhancements
The GigaVUE-420 relaxes some of the restrictions on the config
pass-all command from the GigaVUE-MP 3.5:
• You can set up pass-alls between any of the ports on each
GigaVUE-420 chassis, including the 10 Gb ports. In contrast, the
GigaVUE-MP requires that pass-alls be established either
between Ports 1-8 (the GigaMGMT base unit) or Ports 9-20 (the
optional module slots).
• You can set up pass-alls to multiple tool port destinations instead
of just a single tool port.
See Using the Pass-All Command on page 250 for details.
Tool Port Sharing
A filtered tool port can now be shared among multiple connection
types (for example, an xbconnect and a map-rule).
Specification Value
Width
• 17.31 inches (without mounting ears)
• 19.0 inches including the front mounting ears
Height
1.75 inches (1U)
Power Requirements
The GigaVUE-420 is powered by dual redundant, load-sharing,
hot-swappable power supplies. The GigaVUE-420 can be ordered
with either dual 100-240V 50-60Hz AC power supplies, or dual -48V
DC power supplies. The table below summarizes the electrical
characteristics of the unit:
Power Supply Type Requirement
AC Power Supplies 100 to 240V AC, 50-60 Hz
Frequency: 50/60 Hz
Environmental Specifications
The following table summarizes the GigaVUE-420’s environmental
specifications:
Specification Value
Operating Temperature 32ºF to 104ºF (0ºC to 40ºC)
Item Description
Updated GigaVUE-420 Image
This is the image file containing the updated v4.0 software (gvb4003).
You can obtain this image by contacting Technical
Support via either e-mail or telephone:
• E-mail: support@gigamon.com
• Telephone: (408) 263-2022
Update Procedure
1. Copy the new GigaVUE-420 installation file to your TFTP server.
2. Log in to the system to be updated as a super user.
NOTE: Normal users do not have the necessary privileges to
update the GigaVUE-420 software.
3. Use the config save command to save your configuration to flash
memory for version migration.
4. Use the following command to install the GigaVUE-420 software:
install image_name TFTP-server-ipaddr
5. The system may warn you that another image file already exists
in the system. Press y to confirm that you want to install the new
image.
The system will erase the existing image and install the new one.
Wait for this process to complete. The system will inform you that
the image was installed successfully.
6. When the system prompt reappears, reset the system with the
reset system command.
7. When the login prompt appears, log in and use the config save
command to save your configuration in the new v4.0 format.
46 Chapter 2
Chapter 3
First Steps – Getting Connected and into the CLI
You’ve received your GigaVUE-420 unit and now you’re ready to get
up and running. Figure 3-1 shows the major steps you need to
perform to get the GigaVUE-420 out of the box, into a rack, plugged
in, and running on your network:
See the sections beginning with Command Line Basics on page 91.
Next Steps
Once you’ve performed the initial setup of the GigaVUE-420 unit
(installing, connecting, and configuring it), you’re ready to
get started mapping traffic between network and tool ports.
Rack-Mounting the GigaVUE-420
This section describes how to unpack and rack-mount the
GigaVUE-420 chassis. The section covers the following major topics:
• Unpacking GigaVUE-420 on page 51
• Rack-Mounting the GigaVUE-420 on page 52
Unpacking GigaVUE-420
Unpack GigaVUE-420 and inspect the box it was shipped in. If the
carton was damaged, please file a claim with the carrier who
delivered it. Next, select a suitable location for the rack unit that will
hold the GigaVUE-420.
Choose a location that is clean, dust free, and well ventilated. You
will need access to a grounded power outlet. Avoid areas where heat,
electrical wire, and electromagnetic fields are generated.
Plan for enough clearance in front of a rack so you can open the front
door completely (approximately 25 inches) and enough clearance in
the back of the rack to allow sufficient airflow and easy access for
servicing the 10 Gb connections.
Rack-Mounting the GigaVUE-420
This section describes how to rack-mount the GigaVUE-420 in a
standard 1U rack space using the hardware provided with the
chassis. You can install the GigaVUE-420 in racks with a minimum
width of 17.75”.
Safety Precautions
There are a wide variety of racks available on the market. Make sure
you consult the instructions provided by your rack vendor for
detailed mounting instructions before installing the GigaVUE-420
chassis.
NOTE: Before rack-mounting the GigaVUE-420, make sure you have
read the following safety precautions:
• The GigaVUE-420 chassis weighs approximately 31 pounds when
fully populated. Make sure you install any stabilizers provided
for the rack before installing the chassis. Unsecured racks can tip
over.
• Make sure you install boxes in the rack from the bottom up with
the heaviest boxes at the bottom.
• Make sure you provide adequate ventilation to the systems
installed in the rack.
52 Chapter 4
Rack Mounting Hardware
Figure 4-1 shows the rack mount hardware included with the
GigaVUE-420. You use this hardware together with the supplied
screws to rack mount the system in either a four-post or two-post
rack.
The slide assemblies make it easy to adjust the mount points to fit
racks of varying widths:
• The unit can slide forward and backward on the slide assembly to
fit the width of the rack.
• There are two attachment points on the side of the GigaVUE-420
for the slide assemblies, making it easy to adjust the width to fit
the rack (Figure 4-2).
To mount the GigaVUE-420 chassis in a four-post rack:
1. Attach the orange rack ears to the front of the unit using the
supplied screws.
2. As shown in Figure 4-1 on page 53, the slide assemblies consist of
two parts – a flat tab with a beveled edge and a sliding bracket
that fits over the tab. Attach the flat tabs to the GigaVUE-420 at
one of the two rear positions (see Figure 4-2). Select the position
that best fits the width of your rack.
3. Attach the bracket portions of the slide assembly to the rear posts
of the rack with the supplied screws.
4. Slide the chassis into the rack space occupied by the brackets,
making sure that the tabs fit into the brackets.
5. Slide the unit in until the orange rack ears are flush with the front
rack posts.
6. Attach the orange rack ears to the front posts of the rack with the
supplied screws.
To center-mount the GigaVUE-420 chassis in a two-post rack:
1. Attach the orange rack ears to the middle of the unit using the
supplied screws.
As shown in Figure 4-3, you can attach the rack ears facing
towards either the front or the rear of the chassis. Select the
orientation that best fits your rack. For example, one position may
provide better clearance for rack doors at the front of the chassis.
2. While one person supports the weight of the unit with the rack
ears flush to the chassis, a second person can attach the ears to the
rack with the supplied screws.
NOTE: See Appendix E, Console Cable Pinouts for details on the
connectors on this cable.
DB9-to-RJ45 Console
Cable (RJ45 End)
2. Connect the DB9 end of the Console cable to a PC’s COM port.
3. Make sure the power supply switches are both in the off position.
Then, plug power cables into each of the GigaVUE-420’s dual
power supplies (Figure 5-2).
NOTE: For information on connecting the optional DC power
supplies, see Connecting -48 V DC Power Supplies on page 62.
4. Plug the other end of the power cables into a power source that
can supply adequate power. For optimal power protection, plug
the power supplies into separate circuits.
For information on GigaVUE-420 power requirements, see Power
Requirements on page 42.
5. Turn on the power switches for each of the dual power supplies
(Figure 5-3).
6. See Establishing a Configuration Session with GigaVUE-420 on
page 79 for information on how to connect to the GigaVUE-420’s
command-line interface.
[Figure labels: Ground terminal, 0V Return Terminal, -48V Terminal]
5. Connect the neutral and negative power cables to the DC power
source:
• Connect the neutral wire to the 0V (RTN) connector on the DC
power source.
• Connect the negative wire to the -48v connector on the DC
power source.
6. Repeat Step 2 through Step 5 for the second DC power supply in
the GigaVUE-420.
7. Once you have connected the DC power connections, switch the
power buttons for each of the power supplies to the ON position.
GigaVUE-420 Modules
This section describes each of the GigaVUE-420 modules. All
GigaVUE-420 systems are shipped with the 4-port GigaMGMT
(page 64) base unit with either copper or optical Ethernet ports. Then,
you can use the following modules in the front and rear slots:
Modules for Front Slots
The four front slots in the GigaVUE-420 chassis can be filled with
any combination of the following optional modules:
• GigaPORT Module (page 65)
• GigaTAP-Sx/Lx/Zx Module (page 67)
• GigaTAP-Tx Module (page 68)
NOTE: The modules listed above are interchangeable between the
GigaVUE-MP and the GigaVUE-420. If you have existing versions
from the GigaVUE-MP, you can use them in the GigaVUE-420.
Modules for Rear Slots
The four rear slots in the GigaVUE-420 chassis can be filled with
any combination of the following optional 10 Gb modules:
• GigaLINK-CU (page 73)
• GigaLINK-XR (page 73)
The table below lists and describes the connectors on the GigaMGMT
base module:
Table 5-1: GigaMGMT Base Module Connectors
Connector: Mgmt
Description: Use the Mgmt port for remote configuration of the
GigaVUE-420 over a 10/100/1000 Ethernet network. See Remote
Connections to the Mgmt Port on page 82 for information on
establishing a Telnet or SSH configuration session with the
GigaVUE-420.
Connector: Console
Description: Use the Console port for local configuration of the
GigaVUE-420 over a serial connection. See Local Connections to the
Console Port using the Console Cable on page 80 for information on
establishing a serial configuration session with the GigaVUE-420 in
a terminal window.
Connector: Tool/Network Ports (1-4)
Description: Ports 1-4 can be used as either network (input) or tool
(output) ports. There are separate copper and optical models
available:
• Copper 10/100/1000 UTP Ethernet ports.
• Fiber-optical Gigabit Ethernet ports.
GigaPORT Module
The GigaPORT module provides flexible connectivity to a total of
four copper and/or fiber-optical Gigabit Ethernet network ports –
there are four ports for each.
GigaTAP-Sx/GigaTAP-Lx/GigaTAP-Zx Modules
GigaTAP-Sx, Lx, and Zx modules provide the ability to tap fiber-optical
Gigabit Ethernet links (1000BASE-Sx, 1000BASE-Lx, or 1000BASE-Zx,
respectively). The GigaTAP-Sx/Lx/Zx modules use a fiber-optic
splitter to tap the signal flowing through the module for distribution
to GigaVUE-420 tool ports. There are two pairs of LC ports for
tapping two different links.
NOTE: GigaTAP-Sx/Lx/Zx ports can only be used as network ports.
They cannot be used as tool ports.
Configuring Tap Connections
There are two main configuration steps when tapping a link with the
GigaTAP-Tx:
• Set up the Port-Pair on page 69
• Verify End Node Status and Open the Relays on page 70
Notes on Port-Pairs
• Port-pairs can be established between any ports on the same
GigaVUE-420.
• Port-pairs support link status propagation – when one port goes
down, the other port goes down (and vice-versa).
• Port-pairs between GigaMGMT or GigaPORT ports can be used
as an electronic tap for RJ45 or fiber-optical links, although
without the fail-over protection provided by the GigaTAP-Tx and
GigaTAP-Sx/Lx/Zx.
• Port-pairs can be established between ports using different
speeds (for example, from a 1 Gb port to a 10 Gb port).
NOTE: Depending on traffic volume, port-pairs between ports
using different speeds can cause packet loss when going from a
faster port to a slower port (for example, from 1 Gb to 100 Mbps,
from 10 Gb to 1 Gb, and so on).
If the link status on the end nodes is not good (LEDs are not green),
check the following:
• Verify that the combined cable length is less than 100 meters.
• Verify that autonegotiation settings match. If autonegotiation is
not enabled on one of the endpoints, you must manually
configure the port-params of the connected tap ports to match,
followed by a config save. See config port-params commands on
page 309 for details.
• Most newer Ethernet interfaces support autosensing (Auto-MDI/
MDI-X; part of the 1000BASE-T standard). However, if your
equipment does not support this feature (or it is disabled), you
may need to use a crossover cable.
8. Open the relays for the ports used to tap the link in the
GigaTAP-Tx using the config port-params <port-id> taptx active
command. Once you have opened the relays, verify that the green
link LEDs for both ports in the port-pair have illuminated.
Example:
For example, consider the tap scenario shown in Figure 5-10:
[Figure 5-10 labels: Switch A, Switch B, GigaTAP-Tx ports 13 14 15 16]
To set up this tap scenario, you would issue the following commands
in the GigaVUE-420 CLI:
Command: config port-pair 13 14 alias switch-tap
Description: This command sets up the port pair between ports 13 and
14 so that traffic received on 13 is repeated out 14 (and
vice-versa). In this example, we’ve given our port-pair the alias
switch-tap.
Command: config port-params 13 taptx active
Description: This command opens the relays on port 13 and the
adjacent port (14).
Once you have set up the tap, it’s always a good idea to do a show
connect in the GigaVUE-420 CLI to review the settings in place.
Figure 5-11 shows the results of a show connect once this example
has been set up.
GigaLINK Modules (CU and XR)
GigaLINK modules provide high-speed connectivity to 10 Gb links
and can be used as network, tool, or stacking ports. GigaLINK
modules can be installed in the x1, x2, x3, and x4 slots at the rear of
the unit. However, only the x1 and x2 slots can be used as stacking
ports.
Module Description
GigaLINK-CU
10 Gb copper module. Accepts 1/5/10/15 meter
CX4 copper cable (InfiniBand).
GigaLINK-XR
10 Gb optical module. Available with the
following XFP optical transceivers:
• SR – 850nm (300 meter)
• LR – 1310nm (2m - 10km)
• ER – 1550 nm (40km)
See the table below for details on each of these
transceivers.
Transceiver: ER XFP
Supports 10 Gb ER 1550nm distance of up to 80 km.
Description:
Ports
• One 10-Gigabit Ethernet port (IEEE 802.3ae Type 10Gbase-ER
1550nm serial optics)
• Duplex: full
• Connectors: LC
Optical characteristics (dBm)
• Tx power: -1 to +2
• Rx sensitivity: -11.3 to -1 (*2)
(*1) OMA (*2) Stressed Rx sensitivity in OMA.
Cabling/Distances:
Cabling
Low metal content, single-mode fiber-optic, complying with ITU-T
G.652 and ISO/IEC 793-2 Type B1
Maximum distance
9/125 μm single-mode cable = 2 m to 40 km; 80 km extra long reach
10 Gb XFP available by special order.
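Connection type: Port-Pair
Remove and Reinsert Same Module Type
• show connect after removal: Connections persist. Missing ports
marked ?.
• show connect after reinsert: Connections restored.
Remove and Insert Different Module Type
• show connect after removal: Connections persist. Missing ports
marked ?.
• show connect after reinsert: Connections on affected ports
deleted; other connections remain.

Connection type: Pass All
Remove and Reinsert Same Module Type
• show connect after removal: Connections persist. Missing ports
marked ?.
• show connect after reinsert: Connections restored.
Remove and Insert Different Module Type
• show connect after removal: Connections persist. Missing ports
marked ?.
• show connect after reinsert: Connections on affected ports
deleted; other connections remain.

Connection type: No Connections or Maps Using Removed Ports
Remove and Reinsert Same Module Type
• show connect after removal: Connections persist. No local ports
missing.
• show connect after reinsert: No changes. No action needed.
Remove and Insert Different Module Type
• show connect after removal: Connections persist. No local ports
missing.
• show connect after reinsert: No changes. No action needed.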
• Locally, via a serial connection to the Console port.
See Local Connections to the Console Port using the Console Cable on
page 80.
• Remotely, via a Telnet or SSH2 connection to the Mgmt port.
See Remote Connections to the Mgmt Port on page 82
NOTE: The same commands are available in the command-line
interface regardless of how you connect.
NOTE: Users with super privileges can change the baud rate
for the Console port.
• Data bits – 8
• Parity – None
• Stop bits – 1
• Flow control – None
Figure 6-1: Setting COM Port Properties for the Console Connection
6. Click OK.
7. The terminal session begins. You may need to press Enter a few
times before you see the login: prompt from GigaVUE-420.
8. Log in to the command-line interface with the following default
user account and password:
User root
Password root123
NOTE: The Mgmt port supports Auto MDI-X. There is no need to use
a crossover cable.
You can also configure the Mgmt port’s physical settings. By default,
the Mgmt port is configured to autonegotiate its configuration with
the connected equipment. If required by the connected equipment,
you can disable this setting and set specific values for speed, duplex,
and MTU. See Mgmt Port Configuration Procedure on page 84 for the
procedure.
NOTE: Per the 802.3 specification, the Mgmt port can only achieve 1
Gb speeds if autonegotiation is enabled. Although autonegotiation is
optional for most Ethernet variants, it is mandatory for Gigabit
copper (1000BASE-T).
About IPv4/IPv6 for the Mgmt Port
IPv4 is always active and available on the GigaVUE-420, regardless of
whether IPv6 is also enabled. You can set up the Mgmt port with
either a static or dynamic IPv4 address.
NOTE: If you configure the Mgmt port to use DHCP, it will obtain a
new IPv4 address from a DHCP4 server each time it reboots. After
each reboot, you will need to learn this address in order to connect
via SSH2/Telnet.
You can also enable IPv6 on the GigaVUE-420 with the following
command, followed by a reboot:
config system ipv6 1
These are the only methods supported for IPv6 address generation.
GigaVUE-420 does not support either static IPv6 addresses or
DHCP6 for IPv6 address assignment. The show system command
will inform you of the unit’s IPv6 address.
[Figure labels: Telnet, TACACS+, RADIUS, TFTP, SNTP, SNMP, DHCP]
NOTE: You can still use DHCP4 for the unit’s IPv4 address when IPv6
is enabled.
config system mgmt_port autoneg <1 | 0>]
Where:
• dhcp specifies whether GigaVUE-420 will obtain an IPv4
address for its Mgmt port from a DHCP4 server (1) or use a
static address (0). If you set dhcp to 1, do not supply values
for ipaddr, subnetmask, or gateway.
NOTE: If you enable DHCP, you can also use the config
system dhcp_timeout <4 | 10 | 30 | 60 | 100> command to
specify the number of seconds GigaVUE-420 will wait for a
response from a DHCP server after querying for an address.
• ipaddr specifies the static IPv4 address to use.
Enabling IPv6 lets you use IPv6 addresses for SSH2, Telnet,
TACACS+, RADIUS, SNTP, and TFTP. See Configuring IPv6
Network Properties on page 83 for more information.
By default, Telnet is enabled. You use the config system ssh2 <1 | 0>
command to specify which remote protocol you would like to use.
For example, to enable SSH2, you would use the following command:
config system ssh2 1
Once SSH2 is enabled, Telnet connections are no longer accepted
(and vice-versa – SSH2 connections are not available when Telnet is
enabled).
TIP: If you generate new public host keys before enabling SSH, you
will save an extra reboot of the unit. See Changing Public Host Keys on
page 89.
Changing Public Host Keys
You can use the config system hostkey command to change the
default host keys provided with GigaVUE-420. The command has the
following syntax:
config system hostkey <dss | rsa> [<768~2048> (bits)]
Acceptable bit values for the host keys are multiples of 8 between 768
- 2048 (for example, 768, 776, 784, and so on). If you do not specify a
key length, GigaVUE-420 defaults to 1024 bits.
Command Line Basics
This section provides a quick orientation to the GigaVUE-420
command-line interface – how to get help, how to enter commands,
and so on.
Command Completion
If you have partially typed a command, you can press Tab and the
CLI will attempt to complete the command for you based on what’s
been entered so far. If it is unable to complete the command, the CLI
will simply redraw the line with the cursor at the end of the line.
When you are typing a command and are not sure how to spell the
word you are working on, type a ? mark immediately following the
partially-typed word. The CLI will show you a list of all possible
words using the word entered so far.
For example, if you typed config x?, the CLI would return the
following possible commands based on what you’ve entered so far:
xbconnect xbmap xbmapping xbport-filter
Command Help
When you are typing a command and have finished a word but are
not sure what the rest of the syntax is, you can type a space after the
word and then a ?. The CLI will list all possible commands using the
words you have entered so far. For example, if you type config
system ?, the CLI will return all possible config system commands.
CLI informs you that the syntax for the name argument is as
follows:
config system [name name-string] [description “string”]
Command Structure
In general, GigaVUE-420 commands are structured as follows:
<verb> <object> <arguments>
You can loosely interpret this as Do this (verb) to this (object) like
this (argument). The following table summarizes this:
This command sets port number 8 to be a tool port. The verb, object,
and argument are as follows:
In general, the commands you will use most frequently are config,
show, and delete.
Command Description
? Display help.
Command Description
upload Upload a configuration or log file to a TFTP server.
There are a few more steps you should perform to complete the initial
configuration before you get to the fun stuff – setting up network
ports, tool ports, and mapping traffic. These tasks include:
• Configure some basic user accounts (optional).
See Initial User Account Configuration (Optional) on page 96.
• Configure the GigaVUE-420 name and date.
See Configuring the GigaVUE-420 Name and Date on page 98.
• Configure the GigaVUE-420 time options.
See Configuring GigaVUE-420 Time Options on page 99.
• Configure a custom login banner.
See Using a Custom Login Banner on page 102.
• Save your changes!
See Saving Changes on page 104.
• Normal users have access to different ports depending on the
lock-level in place. They cannot perform most system
configuration commands.
• Audit users do not have access to any ports. Their access
consists mainly of the ability to use the show command to see
what basic settings are in place on the box.
NOTE: Figure 6-3 shows the port ownership for each of these
account types when system lock-level is set to none.
NOTE: Lock-Level Reference on page 347 provides full details on the
different privileges for each user level depending on the
lock-level in place.
The following config user commands create a new super user,
normal user, and audit user:
Command: config user MySuperUser 1password 1password level super description “New Super User Account”
Comments: Creates a new account named MySuperUser with the password
1password and the description “New Super User Account.”
Command: config user MyNormalUser 2password 2password level normal description “New Normal User Account”
Comments: Creates a new account named MyNormalUser with the password
2password and the description “New Normal User Account.”
Command: config user MyAuditUser 3password 3password level audit description “New Audit User Account”
Comments: Creates a new account named MyAuditUser with the password
3password and the description “New Audit User Account.”
2. Once you have configured these basic user accounts, use the
show user all command to review your settings. Figure 6-3 shows
the results of a show user all after adding the users in the table
above.
NOTE: After entering the name and date, you may want to do a show
system to verify your settings.
Configuring GigaVUE-420 Time Options
GigaVUE-420 includes a variety of features for setting the time,
including:
• Time can be set either manually or using an SNTP server.
• Time can optionally adjust automatically for daylight savings
time start and end.
• Timezone options for adjustment of UTC time received from an
SNTP server.
NOTE: Even if you are using SNTP, it’s a good idea to configure time
manually as well. GigaVUE-420 will automatically fall back to the
manual time setting if it is unable to synchronize with the specified
SNTP server.
NOTE: Start and end dates for Daylight Savings Time change every
year in some countries. If you decide to use automatic adjustments,
make sure you change the onset and offset every year.
Command: config system dst_onset 03-11-02:00
Comments: Specifies that Daylight Savings Time starts on March 11th
at 02:00 AM.
Command: config system dst_offset 11-04-02:00
Comments: Specifies that Daylight Savings Time ends on November 4th
at 02:00 AM.
Command: config system dst 1
Comments: Turns on the use of automatic Daylight Savings Time
adjustments.
The next time you log in to the GigaVUE-420, you will see the
customizable banner (Figure 6-4).
Figure 6-4: Customizable Login Banner
However, it’s a good idea to get into the habit of using the config
save filename.cfg command. Later on, when you start setting up
packet distribution with connections and maps, your changes will
be added to the active configuration right away but won’t be saved
across a system reboot unless you use the config save filename.cfg
command to write your changes to flash.
NOTE: The name of the factory-provided configuration file in v4.0 is
gigavue.cfg. You can see the name of the most recently booted
configuration file by using the show file command and looking for
the file with Last restored set to Yes. In Figure 6-5, you can tell that
GigaVUE-420 is currently operating with the factory-provided
gigavue.cfg configuration file and that this is also the configuration
file that will be booted next (Next boot file = Yes).
Chapter 7
• Troubleshooting Cross-Box Stacks on page 125
• Making Changes to an Existing Cross-Box Stack on page 127
• Power Loss Considerations for Cross-Box Stacks on page 131
You can stack two systems together with only a single 10 Gb module
installed in each unit’s x1 slot. However, to stack three or more
GigaVUE-420 boxes, the middle systems must have an additional 10
Gb module installed in the x2 slot.
Creating Cross-Box Stacks: A Roadmap
Setting up a cross-box stack consists of the major steps shown in
Creating Cross-Box Stacks: Major Steps on page 109.
Step 1 (Plan the Stack): Identify Requirements, Create a Map, and
Write a Per-Box Configuration Plan
Step 3 (Make Physical Connections): Connect the Boxes According to
the Stack Map
See Making Physical Connections on page 122 for details.
Rule Description
Rule 1 All GigaVUE-420 systems in a cross-box stack must run the same
version of software.
Rule 3 Only the x1 and x2 10 Gb ports can be used as stacking ports. The
x3 and x4 10 Gb ports cannot be used as stacking ports.
Rule 5 All commands for cross-box connections and cross-box maps must
be applied to all boxes in the exact same order.
Identifying Requirements
When identifying your requirements, ask the following questions:
• How many boxes will be stacked? Are they all running the same
version of software?
• Will I be connecting copper-to-copper or optical-to-optical
stacking ports?
• Are my optical-to-optical connections using the same XFP type?
• How long will my cable runs be?
• Copper cable runs are limited to a maximum length of 15
meters.
• Fiber cable runs are limited by the XFP type.
SR: 300 meter
LR: 2m - 10km
ER: 40km
See GigaLINK Modules (CU and XR) on page 73 for details on the
cable lengths supported by each GigaLINK-XR XFP type.
• How can I minimize the number of boxes data will need to cross
from input network ports to destination tool ports?
Draw a simple picture showing each of the boxes in the stack along
with their Box IDs and how they will be connected (x1, x2, or both). A
simple diagram will make it much easier to connect the cables and
perform the system configuration commands correctly. For example,
you could draw a simple picture like the one shown in Figure 7-3.
In addition, you may want to label each box so that you can match up
the individual boxes with your diagram. Something as simple as a
post-it with a Box ID and IP address attached to the top of each unit
may save you unnecessary confusion later on.
[Figure 7-3 labels: Box ID 2, 192.168.1.25; x1 CU Stacking Port; x2 CU
Stacking Port; 5 meters cable; 10 meters cable]
Create the Configuration Plans
Once you have drawn your stack map, it’s easy to write up
configuration plans for each box in the stack showing the values for
the configuration commands you will need to issue. For example, the
plans for the stack map in Figure 7-3 could look like this:
port-type x1 stack
active_link x1
x1_bid 2 3
x2_bid n/a

port-type x1 x2 stack
active_link both
x1_bid 1
x2_bid 3

port-type x1 stack
active_link x1
x2_bid n/a
Step 1 (Assign the Unique Box ID): Use the config system bid command
to assign a unique Box ID to the GigaVUE-420.
See Assigning Box IDs: config system bid on page 116 for
information on assigning a Box ID.
Step 3 (Specify the Box ID(s) Connected to the Stacking Port(s)): Use
the config system x1_bid and config system x2_bid commands to specify
Box IDs for all systems accessible through the x1 and x2 stacking
ports, respectively.
See Specifying Neighbor Boxes: config system x1_bid/x2_bid on
page 117 for information on specifying the Box IDs for neighbor boxes.
Step 5 (Activate the Stacking Port(s)): Use the config system
active_link command to activate the stacking ports on the GigaVUE-420.
You can specify x1, x2, or both. You can only enable active_link for x1
and x2 10 Gb modules that are actually installed in the chassis.
See Activating Stacking Ports: config system active_link on page 119 for
information on setting the active_link option.
You can stack as many as 10 boxes in this release. Because of this, you
can select Box ID values from 1-10, inclusive. The default Box ID is 1.
NOTE: You must reboot the system to apply changes made to the Box
ID.
NOTE: The CLI will not let you set port-type to stack for any ports
other than x1 and x2.
Save Changes!
Make sure you perform a config save to save your port-type changes
to flash.
Specifying Neighbor Boxes: config system x1_bid/
x2_bid
You use the config system x1_bid and config system x2_bid
commands to inform the local GigaVUE-420 of the boxes reachable
from its x1 and x2 stacking ports, respectively. GigaVUE-420 uses this
information to distribute traffic up and down the stack correctly.
You must specify the Box IDs of all boxes reachable from the x1 and
x2 stacking ports – not just the immediately adjacent box.
Sample Commands
So, for example, consider our earlier example from Figure 7-3 on
page 112. The first system in this stack (Box ID 1) has only its x1
stacking port connected. Both of the other boxes (2 and 3) are
reachable from this connector. So, the configuration command for
this box is:
config system x1_bid 2 3
Save Changes!
Make sure you perform a config save to save any changes to the cable
length settings.
Activating Stacking Ports: config system active_link
You use the config system active_link command to activate the x1/
x2 stacking ports on a GigaVUE-420 system. You must activate the 10
Gb ports you plan to use as stacking ports.
GigaVUE-420 Box ID 1
config system bid 1
config port-type x1 stack
config system x1_bid 2
config system active_link x1
config save

GigaVUE-420 Box ID 2
config system bid 2
config port-type x1 stack
config system x1_bid 1
config system active_link x1
config save
Example: Cross-Box Stack with Four Systems
Figure 7-6 shows a more complex stack with four GigaVUE-420s
connected in a chain. The endpoints of the stack only have a single 10
Gb module installed in slot x1 – the other slots are unpopulated. The
middle systems, however, have all four 10 Gb slots populated and are
using x1 and x2 as stacking ports.
GigaVUE-420 Box ID 1
config system bid 1
config port-type x1 stack
config system x1_bid 2 3 4
config system active_link x1
config save

GigaVUE-420 Box ID 2
config system bid 2
config port-type x1 x2 stack
config system x1_bid 1
config system x2_bid 3 4
config system active_link both
config save

GigaVUE-420 Box ID 3
config system bid 3
config port-type x1 x2 stack
config system x1_bid 1 2
config system x2_bid 4
config system active_link both
config save

GigaVUE-420 Box ID 4
config system bid 4
config port-type x1 stack
config system x1_bid 1 2 3
config system active_link x1
config save
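The x1_bid and x2_bid lists must name every box reachable through a stacking port, so they can be derived from the stack map instead of written by hand. The following Python sketch is an added example, not Gigamon code: it walks a cable list and emits the per-box command sequence in the order used in the examples above. The cable list for Figure 7-6 is constructed from the command lists shown for that figure, and rejecting looped cabling is an assumption of this example, since the guide only describes chains.

```python
"""Derive GigaVUE-420 stacking commands from a stack map (added example)."""

STACK_PORTS = ("x1", "x2")  # Rule 3: only x1 and x2 can be stacking ports
MAX_BOX_ID = 10             # Box IDs run from 1 to 10 in this release

# Constructed input: the four-box chain of Figure 7-6, with the cabling
# inferred from the x1_bid/x2_bid lists the guide shows for each box.
FIGURE_7_6_CABLES = [
    ((1, "x1"), (2, "x1")),
    ((2, "x2"), (3, "x1")),
    ((3, "x2"), (4, "x1")),
]


def index_cables(cables):
    """Validate the cables and return {(box, port): (peer_box, peer_port)}."""
    peer = {}
    for a, b in cables:
        for box, port in (a, b):
            if port not in STACK_PORTS:
                raise ValueError(f"box {box}: {port} cannot be a stacking port")
            if not 1 <= box <= MAX_BOX_ID:
                raise ValueError(f"Box ID {box} is outside 1-{MAX_BOX_ID}")
            if (box, port) in peer:
                raise ValueError(f"box {box}: {port} is cabled twice")
        if a[0] == b[0]:
            raise ValueError(f"box {a[0]} is cabled to itself")
        peer[a], peer[b] = b, a
    return peer


def reachable_through(peer, box, port):
    """Box IDs reachable by leaving `box` through `port`, walking the chain."""
    ids = []
    hop = peer.get((box, port))
    while hop is not None:
        hop_box, in_port = hop
        if hop_box == box or hop_box in ids:
            # Assumption of this example: the guide only describes chains.
            raise ValueError("stack map contains a loop")
        ids.append(hop_box)
        out_port = "x2" if in_port == "x1" else "x1"
        hop = peer.get((hop_box, out_port))
    return sorted(ids)


def box_commands(peer, box):
    """Command sequence for one box, in the order the guide's examples use."""
    ports = [p for p in STACK_PORTS if (box, p) in peer]
    if not ports:
        raise ValueError(f"box {box} has no stacking cable")
    cmds = [f"config system bid {box}",
            f"config port-type {' '.join(ports)} stack"]
    for port in ports:
        ids = " ".join(map(str, reachable_through(peer, box, port)))
        cmds.append(f"config system {port}_bid {ids}")
    link = "both" if len(ports) == 2 else ports[0]
    cmds.append(f"config system active_link {link}")
    cmds.append("config save")
    return cmds


def stack_plan(cables):
    """Return {box_id: [commands]} and reject maps that split into two stacks."""
    peer = index_cables(cables)
    boxes = sorted({box for box, _ in peer})
    plan = {box: box_commands(peer, box) for box in boxes}
    for box in boxes:
        seen = {b for p in STACK_PORTS for b in reachable_through(peer, box, p)}
        if seen != set(boxes) - {box}:
            raise ValueError(f"box {box} cannot reach every other box")
    return plan


if __name__ == "__main__":
    for box_id, commands in stack_plan(FIGURE_7_6_CABLES).items():
        print(f"GigaVUE-420 Box ID {box_id}")
        print("\n".join(commands), end="\n\n")
```

Comparing the generated lists with what each box actually has configured is a quick way to catch a neighbor list that names only the adjacent box.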
Box 1 HW=2 Active_link=x1
GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)
So, for example, you could issue the following command on each of
the boxes shown in Figure 7-6 on page 121.
config xbconnect 1-2 to 4-2 alias stacktest
Issue the exact same xbconnect command on each box in the stack.
Then, send traffic across this xbconnection to verify connectivity.
NOTE: If data does not appear, see Troubleshooting Cross-Box Stacks on
page 125 for tips on resolving the problem.
NOTE: You may want to set up a second cross-box connection in the
opposite direction to verify connectivity in both directions (for
example, from 4-3 to 1-3).
Configuring Cross-Box Packet Distribution
When configuring cross-box packet distribution, keep in mind that
many of the standard single-box commands have cross-box
equivalents. The table below summarizes these commands.
Do so by creating an xbconnect from 1-1 to 1-4, 2-4, 3-4, 4-4, and
so on until the n-4 in the last box. Continue to send traffic into 1-1
and monitor for packets coming out at 2-4, 3-4, 4-4, and so on.
Record which ports do not have traffic coming out. The link
between the last box with traffic coming out and the one without
traffic coming out is likely where the link is configured
improperly. In addition, Link Status must be 1 for each of the
ports in the xbconnection. You can check the Link Status for a
port by using a show port-params command on its system.
Then, connect the new box's stacking ports to each of its
neighbors according to the updated stack map.
4. Power on the new box and log on as a super user.
5. Check the x1_bid and x2_bid lists for all the other boxes in the
stack and modify them as necessary to include this added box
(using the config system x1_bid and config system x2_bid
commands).
6. Boot the new box and log in as a super user.
7. Delete all existing xbconnect and xbmaps on each system in the
stack.
8. Verify that traffic can flow to the new box using the procedure in
Verifying a Cross-Box Stack’s Connectivity on page 122.
In this case, you remove the box and create two new stacks from the
previous larger stack. For each new stack:
1. Create a new stack map.
2. Reconfigure the x1_bid and x2_bid lists for all the boxes in the
stack.
3. Reconfigure the active_link settings for the boxes that are newly
located at the edge of the stack, if necessary.
4. Delete all existing xbconnect and xbmaps on each system in the
stack.
5. If there were no problems with the cross box traffic flow before,
you probably do not need to perform the stack verification
procedure in Verifying a Cross-Box Stack’s Connectivity on
page 122, unless the stack links between the boxes have been
Power Loss Considerations for Cross-Box Stacks
This section provides some considerations for power loss to boxes in
a cross-box stack:
• Power Loss on Box in the Middle of a Stack on page 131
• Power Loss and Power Restore to the Entire Stack on page 131
Configuring GigaVUE-420
Security Options
This chapter describes how to set GigaVUE-420 options relating to
security – which users can log into the box, how users are
authenticated, who owns which ports, and the security level
currently in place.
About GigaVUE-420 Security
GigaVUE-420 provides an interlocking set of options that let you
create a comprehensive security strategy for the unit. These options
are summarized in the table below:
Port Ownership
GigaVUE-420 can provide selective port access to different users. Super
users can assign port ownership to normal users using the config
port-owner command.
Port privileges change for normal users depending on the overall
lock-level in place on the unit.
See Configuring Lock Levels and Port Ownership on page 139 for details.

Lock-Level
GigaVUE-420 provides three different overall security levels (called
lock-levels) for the unit – none, medium, or high. Privileges for normal
users change depending on the lock-level in place.
Super users can change the lock-level using the config system
lock-level command.
See Configuring Lock Levels and Port Ownership on page 139 for details.

Authentication
GigaVUE-420 can authenticate users against a local user database or
against the database stored on an external TACACS+ or RADIUS server.
Super users can specify different authentication methods for the
Console (serial) port and the Ethernet (SSH2/Telnet) port using the
config system aaa command.
See Configuring Authentication (AAA) on page 143 for details.
NOTE: The serial Console port must always retain local authentication
as a fallback option to prevent unintended lockouts.
Configuring Users and Passwords
You use the config user command to set up local user accounts on the
GigaVUE-420 unit. You can set up different user account levels –
super, normal, and audit – so that each user has rights that are
appropriate for the type of work they will be doing with the
GigaVUE-420.
The table below describes the arguments for the config user
command:
Argument: <name-string>
Description: The name used for this user account. Names must consist
of 5-30 alphanumeric characters.
Argument: description “string”
Description: The description string may contain spaces and other
characters, but must be contained in quotation marks (for example,
“IT User”). The maximum number of characters in a description string
is 125 alphanumeric characters.
Description strings appear in the CLI display when performing a show
user command.
Examples
The following config user commands create a new super user,
normal user, and audit user:
Command: config user MySuperUser 1password 1password level super description “New Super User Account”
Comments: Creates a new account named MySuperUser with the password
1password and the description “New Super User Account.”
Command: config user MyNormalUser 2password 2password level normal description “New Normal User Account”
Comments: Creates a new account named MyNormalUser with the password
2password and the description “New Normal User Account.”
Command: config user MyAuditUser 3password 3password level audit description “New Audit User Account”
Comments: Creates a new account named MyAuditUser with the password
3password and the description “New Audit User Account.”
Changing Passwords
Super users can change passwords for all other users with the config
password command. The syntax for this command is as follows:
config password [user <name-string> <new-password> <new-password-again>]
Configuring Lock Levels and Port Ownership
The config system lock-level and config port-owner commands
work together to specify what rights different accounts have on the
GigaVUE-420 unit.
Syntax for the config system lock-level Command
You use the config system lock-level command to specify the
lock-level in place on the GigaVUE-420 unit. The three levels are
none, medium, and high, as summarized below:
config system lock-level <none | medium | high>
For example, to set the lock-level to high, a super user would use the
following command:
config system lock-level high
The table below describes the arguments for the config port-owner
command:
owner <name-string> The name of the account being granted port ownership.
Examples
The following config port-owner commands illustrate different
ways to assign port ownership:
Command: config port-owner 1..6 owner MyNormalUser
Comments: Grants ownership to ports 1-6 to the user named MyNormalUser.

Command: config port-owner ToolPort owner User2000
Comments: Grants ownership to the port with the alias ToolPort to the user
named User2000.

Command: config port-owner 3 6 12 owner User3000
Comments: Grants ownership to ports 3, 6, and 12 to the user named User3000.
Configuring Authentication (AAA)
You use the config system aaa option to specify whether
GigaVUE-420 logins are authenticated against either a local user
database or the database in an external authentication server
(TACACS+ or RADIUS). You can also use an external authentication
server as your primary authentication method with local
authentication as a fallback (Figure 8-2). The fallback is used when an
authentication server is unreachable.
• You can even use both RADIUS and TACACS+ for the same port
– GigaVUE-420 will try the methods in the same order in which
they are specified. For example:
config system aaa ethernet radius tacacs+ local
authentication server goes down, you can still gain access to the box
through the local Console port.
For example, after issuing the following command, the system would
automatically add local authentication to the Console port. It would
not let you leave the Console port with only TACACS+
authentication.
config system aaa serial tacacs+
The table below describes the arguments for the config system aaa
command:
Argument Description
<serial | ethernet> Specifies which GigaVUE-420 port you are configuring authentication
for:
• serial – Console port.
• ethernet – Mgmt port.
<[tacacs+] [radius] [local]> Specifies which authentication methods should be used for the
specified port and the order in which they should be used.
You can enable all authentication methods for either port. If you
enable more than one method, GigaVUE-420 uses the methods in the
same order in which they are specified, falling back as necessary. If
the first method fails, it will fall back to the secondary method, and so
on.
If you enable radius or tacacs+, you must also:
• Configure the RADIUS or TACACS+ server using the
corresponding config rad_server or config tac_server command.
• Set up GigaVUE-420 users within the RADIUS/TACACS+ server
itself.
These two steps are described in Using GigaVUE-420 with an
External Authentication Server on page 148.
NOTE: GigaVUE-420 always preserves local authentication for the
Console (serial) port to prevent accidental lockouts.
Examples
The following config system aaa commands demonstrate
different ways to set up authentication:
Command: config system aaa ethernet local
Comments: Specifies that SSH2/Telnet logins made over the Mgmt port will be
authenticated solely using the local user database created with the
config user command.

Commands: config system aaa ethernet tacacs+ local
          config system aaa ethernet radius local
Comments: Two examples of external authentication, one using a TACACS+
server and the other using a RADIUS server.
Both commands specify that SSH2/Telnet logins made over the
Mgmt port will be authenticated using the external servers set up
with the config tac_server or config rad_server command.
You can specify as many as five external authentication servers of
each type – if the first server experiences a failure, GigaVUE-420
will try the next until all of the named servers have been tried.
Servers are used in the same order they were specified.
If authentication fails with all of the named external servers, these
commands specify that GigaVUE-420 will then fall back to local
authentication.

Command: config system aaa serial tacacs+
Comments: Specifies that local logins made over the Console port will be
authenticated using the TACACS+ servers set up with the config
tac_server command.
If you use this command, GigaVUE-420 will automatically add local
authentication to prevent you from accidentally locking yourself out
of the box should the TACACS+ servers fail.
Specifying TACACS+ Servers in GigaVUE-420
Super users use the config tac_server command to specify the
TACACS+ servers to be used for authentication. You can specify as
many as five different TACACS+ servers. Servers are used as
fallbacks in the same order they are specified – if the first server fails,
the second is tried, and so on, until all named servers have been used.
NOTE: Once a connection is made to a particular TACACS+ server,
the system will continue to connect to this TACACS+ server first until
the system is rebooted. Because of this, it is important to configure
the primary TACACS+ server as the first server and then configure
the backup TACACS+ servers as the second, third, fourth, or fifth.
The table below describes the arguments for the config tac_server
command:
Argument Description
host <ipaddr> Specifies the IP address of the TACACS+ server.
[port <value>] Specifies the port to be used on the TACACS+ server. If you do not
specify a value, GigaVUE-420 will default to the standard TACACS+
port number of 49.
[single_connection <1 | 0>] Specifies whether GigaVUE-420 should use the same connection for
multiple TACACS+ transactions (authentication, accounting, and so
on), or open a new connection for each transaction:
• 1 – TACACS+ transactions will use the same session with the
server. The socket will remain open after it is first opened.
• 0 – Each TACACS+ transaction opens a new socket. The socket is
closed when the session is done.
The default is disabled (0).
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
These options specify how privilege level checks are performed for
TACACS+ servers.
• priv_lvl_check specifies how GigaVUE-420 should assign user
rights for TACACS+ users.
• If this option is enabled (the default), the three _priv_lvl options
below it are used to map privilege levels for the corresponding
user types (Audit, Normal, and Super).
• If this option is not enabled, all TACACS+ users log in with
Super user rights.
• super_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Super user level when priv_lvl_check
is enabled.
• normal_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Normal user level when priv_lvl_check
is enabled.
• audit_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Audit user level when priv_lvl_check
is enabled.
NOTE: If no values are specified for the three _priv_lvl options and
privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2
(Audit, Normal, and Super, respectively).
NOTE: GigaVUE-420 will not let you enter out-of-order privilege
levels. The value specified for super must be higher than that
specified for normal, and so on.
[alias <alias-string>] Specifies an alphanumeric alias for this TACACS+ server to be used in
show tac_server displays.
Examples
Command: config tac_server host 192.168.1.225 key "gv" priv_lvl_check 1 super_priv_lvl 10 normal_priv_lvl 5 audit_priv_lvl 0 alias TAC1
Comments: Specifies that:
• Users logging in via TACACS+ will be
authenticated against the TACACS+ server at
192.168.1.225.
• Authentication packets will be encrypted using
the string gv.
• Default values will be used for the port,
timeout, and single_connection arguments.
• GigaVUE-420 will map the full 0-15 range of
TACACS+ user levels to its own levels.
TACACS+ users with privilege levels of 10 will
receive Super user privileges, 5 will receive
Normal, and 0 will receive Audit.
• The alias for this TACACS+ server is TAC1.

Command: config tac_server host 192.168.1.12 key “mykey” port 234 alias TAC2
Comments: Specifies that:
• Users logging in via TACACS+ will be
authenticated against the TACACS+ server at
192.168.1.12.
• Authentication packets will be encrypted using
the string mykey.
• The non-standard port 234 will be used instead
of 49.
• Default values will be used for the timeout and
single_connection arguments.
• Standard 0-2 privilege level mappings will be
used.
• The alias for this TACACS+ server is TAC2.
NOTE: If this command was used after the
command in the previous row, this server would
be the backup TACACS+ server for the
previously-specified server.
Syntax for the config rad_server Command
The syntax for the config rad_server command is as follows:
config rad_server host <ipaddr>
key "string"
[authen_port <1~65535>]
[account_port <1~65535>]
[timeout <1~90>] (seconds)
[max_tries <1~10>]
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
[alias <alias-string>]
The table below describes the arguments for the config rad_server
command:
Argument Description
host <ipaddr> Specifies the IP address of the RADIUS server.
[authen_port <1~65535>] Specifies the authentication port to be used on the RADIUS server. If
you do not specify a value, GigaVUE-420 will default to the standard
RADIUS authentication port number of 1812.
[account_port <1~65535>] Specifies the accounting port to be used on the RADIUS server. If you
do not specify a value, GigaVUE-420 will default to the standard
RADIUS accounting port number of 1813.
[timeout <1~90>] (seconds) Specifies how long GigaVUE-420 should wait for a response from the
RADIUS server to an authentication request before declaring a
timeout failure. The default value is three seconds.
[max_tries <1~10>] Specifies the maximum number of times GigaVUE-420 will retry a
failed connection to this RADIUS server before falling back to the next
authentication method specified by the config system aaa command
currently in place. The default value is three tries.
[alias <alias-string>] Specifies an alphanumeric alias for this RADIUS server to be used in
show rad_server displays.
Examples
Command: config rad_server host 192.168.1.72 key "gvmp" priv_lvl_check 1 super_priv_lvl 15 normal_priv_lvl 10 audit_priv_lvl 5 alias RAD1
Comments: Specifies that:
• Users logging in via RADIUS will be
authenticated against the RADIUS server at
192.168.1.72.
• Authentication packets will be encrypted using
the string gvmp.
• Default values will be used for the
authentication port, accounting port,
timeout, and max_tries arguments.
• GigaVUE-420 will map the full 0-15 range of
RADIUS user levels to its own levels. RADIUS
users with privilege levels of 15 will receive
Super user privileges, 10 will receive Normal,
and 5 will receive Audit.
• The alias for this RADIUS server is RAD1.
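The privilege-level options behave the same way for config tac_server and config rad_server, so a saved list of these commands can be checked before it is typed into the box. The following Python sketch is an added example, not part of the GigaVUE-420 software or this guide: it applies the ranges, defaults, and ordering rule stated above and flags any server entry that would log every user in as Super. The function names, finding codes, and the 192.0.2.x sample lines are assumptions made for illustration.

```python
"""Lint privilege-level options on config tac_server / config rad_server lines."""
import shlex

# Ranges, defaults and the ordering rule are the ones stated in this guide.
RANGES = {
    "super_priv_lvl": (2, 15),
    "normal_priv_lvl": (1, 14),
    "audit_priv_lvl": (0, 13),
}
DEFAULTS = {"audit_priv_lvl": 0, "normal_priv_lvl": 1, "super_priv_lvl": 2}
ORDER = ("audit_priv_lvl", "normal_priv_lvl", "super_priv_lvl")

# The guide's two TACACS+ examples, then constructed lines (192.0.2.0/24 is a
# documentation range; those hosts and keys are made up for this example).
PAGE_EXAMPLE_1 = ('config tac_server host 192.168.1.225 key "gv" priv_lvl_check 1 '
                  'super_priv_lvl 10 normal_priv_lvl 5 audit_priv_lvl 0 alias TAC1')
PAGE_EXAMPLE_2 = 'config tac_server host 192.168.1.12 key “mykey” port 234 alias TAC2'
CONSTRUCTED_ALL_SUPER = 'config rad_server host 192.0.2.10 key "example" priv_lvl_check 0'
CONSTRUCTED_BAD_ORDER = ('config tac_server host 192.0.2.11 key "example" '
                         'super_priv_lvl 5 normal_priv_lvl 5 audit_priv_lvl 0')
CONSTRUCTED_BAD_RANGE = ('config rad_server host 192.0.2.12 key "example" '
                         'super_priv_lvl 1 normal_priv_lvl 1 audit_priv_lvl 0')


def parse_server_line(line):
    """Parse one 'config tac_server|rad_server ...' line into an option dict."""
    # Curly quotes survive copy/paste from the PDF; treat them as plain quotes.
    tokens = shlex.split(line.replace("“", '"').replace("”", '"'))
    if len(tokens) < 2 or tokens[0] != "config" or tokens[1] not in ("tac_server", "rad_server"):
        raise ValueError("not a config tac_server/rad_server command")
    args = tokens[2:]
    if len(args) % 2:
        raise ValueError("every option needs a value")
    return dict(zip(args[0::2], args[1::2]))


def lint_server_line(line):
    """Return (findings, levels); levels is None when the check is disabled."""
    opts = parse_server_line(line)
    # priv_lvl_check is enabled by default; 0 gives every user Super rights.
    if opts.get("priv_lvl_check", "1") == "0":
        return [("ALL_SUPER", "priv_lvl_check 0: all users log in as Super")], None
    given = {name: opts[name] for name in RANGES if name in opts}
    if not given:
        return [], dict(DEFAULTS)          # documented 0/1/2 defaults apply
    findings, levels = [], {}
    if len(given) < len(RANGES):
        findings.append(("PARTIAL", "defaults are documented only when no "
                                    "_priv_lvl option is set"))
    for name, text in given.items():
        low, high = RANGES[name]
        if not text.isdigit() or not low <= int(text) <= high:
            findings.append(("OUT_OF_RANGE", f"{name} {text} is outside {low}~{high}"))
        else:
            levels[name] = int(text)
    present = [levels[name] for name in ORDER if name in levels]
    if any(a >= b for a, b in zip(present, present[1:])):
        findings.append(("OUT_OF_ORDER", "need audit < normal < super"))
    return findings, levels


if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE_1, PAGE_EXAMPLE_2, CONSTRUCTED_ALL_SUPER,
                   CONSTRUCTED_BAD_ORDER, CONSTRUCTED_BAD_RANGE):
        print(lint_server_line(sample), "<-", sample)
```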
• If the priv_lvl_check option is disabled, GigaVUE-420 users
will all log in with Super user privileges.
• GigaVUE-420 accounts must have an Access Control List value
specified. You construct the ACL string in the same way
regardless of whether you are using RADIUS or TACACS+.
However, Cisco ACS provides different fields for each security
protocol:
• RADIUS users include the ACL as part of the Class field.
• TACACS+ users include the ACL in the supplied ACL field.
See the following sections for details:
• See Granting Port Ownership with an Access Control List on
page 157 for information on how to construct an ACS string.
• See Configuring RADIUS Users in Cisco Access Control Server on
page 159 for information on where to supply the ACS string
for RADIUS.
• See Configuring TACACS+ Users in Cisco Access Control Server
on page 162 for information on where to supply the ACS
string for TACACS+.
Bits Description
1-20 Ports 1-20 on the GigaVUE-420 system.
0, 25-31 Ignored.
You assign port ownership by filling in hex values for the bits in the
ACL:
• Bits set to true (1) indicate that the user owns this port.
• Bits set to false (0) indicate that the user does not own the port.
NOTE: The values shown in the Binary and Hex rows below would
provide a normal user ownership of ports 1, 3, 8, 13, 20, and x2 (the x2
10 Gb port configured as either a network or tool port) with the ACL
of 0x0050210a.
Bits    31 30 29 28   27 26 25 24   23 22 21 20   19 18 17 16
Binary   0  0  0  0    0  0  0  0    0  1  0  1    0  0  0  0
Hex               0             0             5             0

Bits    15 14 13 12   11 10  9  8    7  6  5  4    3  2  1  0
Ports   15 14 13 12   11 10  9  8    7  6  5  4    3  2  1  n/a
Binary   0  0  1  0    0  0  0  1    0  0  0  0    1  0  1  0
Hex               2             1             0             a
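The same bit arithmetic can be scripted so that an ACL is built from a port list and, in the other direction, an ACL already entered in the authentication server is decoded and compared with the ports a user is meant to own. This Python sketch is an added example, not part of this guide or the GigaVUE-420 software. It uses the bit layout given above; bit 22 for x2 is inferred from the worked value 0x0050210a, the other 10 Gb ports are left out because their bit positions are not given here, and the function names are assumptions.

```python
"""Build and audit GigaVUE-420 port-ownership ACL values (added example)."""

# Bits 1-20 are ports 1-20; bits 0 and 25-31 are ignored (from the table above).
# x2 -> bit 22 is inferred from the guide's worked value 0x0050210a.
PORT_BITS = {str(n): n for n in range(1, 21)}
PORT_BITS["x2"] = 22
IGNORED_MASK = 0x1 | (0x7F << 25)          # bit 0 and bits 25-31
BIT_TO_PORT = {bit: name for name, bit in PORT_BITS.items()}


def build_acl(ports):
    """Return the 32-bit ACL as an 0x-prefixed, 8-digit hex string."""
    value = 0
    for port in ports:
        name = str(port).lower()
        if name not in PORT_BITS:
            raise ValueError(f"no documented ACL bit for port {port!r}")
        value |= 1 << PORT_BITS[name]
    return f"0x{value:08x}"


def decode_acl(acl):
    """Split an ACL into owned ports, ignored bits set, and unmapped bits set."""
    value = int(acl, 16) if isinstance(acl, str) else int(acl)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("ACL must fit in 32 bits")
    owned, ignored, unmapped = [], [], []
    for bit in range(32):
        if not (value >> bit) & 1:
            continue
        if bit in BIT_TO_PORT:
            owned.append(BIT_TO_PORT[bit])
        elif (IGNORED_MASK >> bit) & 1:
            ignored.append(bit)
        else:
            # Bits 21, 23 and 24: positions this example has no port name for.
            unmapped.append(bit)
    return {"owned": owned, "ignored_bits": ignored, "unmapped_bits": unmapped}


def excess_ports(acl, intended):
    """Ports the ACL grants beyond the intended set (a least-privilege check)."""
    intended_names = {str(p).lower() for p in intended}
    return [p for p in decode_acl(acl)["owned"] if p not in intended_names]


if __name__ == "__main__":
    # The guide's worked case: ports 1, 3, 8, 13, 20 and x2.
    print(build_acl([1, 3, 8, 13, 20, "x2"]))
    print(decode_acl("0x0050210a"))
    # Constructed audit case: the ACL owns ports 1-20, the user needs 1-3.
    print(excess_ports("0x001ffffe", [1, 2, 3]))
```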
Examples
The following examples illustrate how to fill out the ACL:
Figure 8-6 shows the ACL field in Cisco ACS for a RADIUS user.
Supply the priv-lvl and
ACL in the Class field.
Figure 8-6: Supplying the ACL in the Class Field for RADIUS
Figure 8-7 shows the ACL field in Cisco ACS for a TACACS+ user.
Supply the ACL in the
corresponding field.
Figure 8-7: Supplying the ACL in the Class Field for TACACS+
Command Description
show user all This command now has a “single world view” and will
return different results depending on whether the user
authenticated locally or using an external server:
• A show user all from a local user will return only the
users defined in the local database,
• A show user all from an externally authenticated user
will return only the users currently logged in through the
external server.
show whoison This command provides a “dual world view.” It will return
all users currently logged in and will display whether each
user has been authenticated locally or through an external
authentication server.
Chapter 9
Using SNMP
Configuring SNMP Traps
GigaVUE-420 can send SNMP v1/v2 traps to up to five destinations
based on a variety of events on the box. Configuring SNMP traps
consists of the following major steps:
Step 1 (Configure Trap Destinations): Use the config snmp_trap host
options to specify the IP addresses of up to five destinations for
SNMP traps. For each destination, you can also specify the community
string, port, trap version, and an alias.
See Enabling GigaVUE-420 Events for SNMP Traps on page 169 for
information on the events available for trapping.
Adding a Destination for SNMP Traps
GigaVUE-420 can forward SNMP traps to up to five destinations.
Specify the destinations for SNMP traps with the config snmp_trap
host command. The config snmp_trap command has the following
syntax when adding hosts:
config snmp_trap
[host <ipaddr>] [community <string>]
[port <value>] [ver <1|2>]
[alias <alias-string>]
ver Version v2
Comments: First, let’s set up our Trap Management station on
192.168.1.101 as a trap destination. This destination accepts all of the
default settings, so we’ll just add it with its IP address and an alias.
Command: config snmp_trap host 192.168.1.101 alias Trap_Mgmt

Comments: Next, we’ll add a secondary management station on
192.168.1.25. This station runs on a non-standard port with a private
community string.
Command: config snmp_trap host 192.168.1.25 community private port 501 ver 1 alias jackstraw
Current trap destinations are listed in the Trap Destinations section in
the middle of the show snmp display, above the Trap List.
Enabling GigaVUE-420 Events for SNMP Traps
The config snmp_trap command includes switches to enable/disable
each of the events available for trapping. The table below lists the
attributes for the config snmp_trap command that are related to
enabling traps.
Parameter Description
[all | none] Use this attribute to toggle all available trap events on or off. For
example, config snmp_trap all turns on all available trap events.
[configsave <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time the config save filename.cfg
command is used.
[fanchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when the speed of either of the system fans
drops below 4,800 RPM.
[firmwarechange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it boots and detects that its firmware has
been updated from the previous boot.
[modulechange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it detects a change in module type from
the last polling interval. This typically happens when a module is pulled
from a slot or inserted in an empty slot.
[powerchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it detects either of the following events:
• One of the two power supplies is powered on or off.
• Power is lost or restored to one of the two power supplies.
[portlinkchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a port’s link status changes from up
to down or vice-versa. This includes ports 1-20 as well as the 10
Gigabit ports (x1 and x2).
NOTE: The portlinkchange trap is not sent when the Management
port’s link status changes.
[pktdrop <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it detects that packets have been
dropped on a data port.
[systemreset <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it starts up, either as a result of
cycling the power or a soft reset initiated by the reset system
command.
[taptxchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a GigaTAP-Tx’s relays switch from
active to passive or passive to active as a result of the config
port-params taptx command.
[userauthfail <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a user login fails.
Example – All Trap Events Enabled
Figure 9-2 shows the results of a config snmp_trap all command
enabling all of the available trap events.
Once you have received a copy of the MIB, you can compile it into
your SNMP Management software to view intelligible descriptions of
the OIDs included in the traps.
ver Version v1
For example, to enable the SNMP server with its default settings, you
would use the following command:
config snmp_server enable 1
To enable the SNMP server with both v1 and v2 support, you would
use the following command:
config snmp_server enable 1 ver 1_2
Figure 9-4 shows the results of a show snmp command after enabling
the SNMP server with both v1 and v2 support.
In the SNMP Server section of the display, the local SNMP server is now
shown as enabled.
Once you have enabled the SNMP server, management stations will
be able to poll the MIB using standard Get and GetNext SNMP
commands. Most management stations have intuitive interfaces for
this.
You can set a particular configuration file to boot next either by using
the config file command’s nb attribute, or by using config save with
the nb attribute. For example:
config file gigavue.cfg nb
config save myconfig.cfg nb
NOTE: Configuration files include the Box ID of the unit saving the
file. You can only restore configuration files to a GigaVUE-420 unit
with the same Box ID.
The settings listed below are saved in a different area of flash and are
not affected by either the config save filename.cfg or the reset system
commands. These include:
• All settings shown by the show system command.
• SNMP server/trap settings.
• TACACS servers.
• RADIUS servers.
• SNTP servers.
You can also use the show file command to see which configuration
file was most recently restored as well as which configuration file is
set to load the next time the unit is rebooted. For example, in
Figure 10-1:
• The factory-provided gigavue.cfg configuration file was restored
last – it has Last restored set to Yes.
• The gigavue.cfg configuration file is also scheduled to load at the
next boot – it has Next boot file set to Yes. You can change the file
scheduled to boot next by using the nb option with either the
config save or config file commands. See Setting a Configuration
File to Boot Next on page 182.
NOTE: When you use the show file command without a filename, you
see the summary information shown in Figure 10-1. You can also use
the command with a filename to see detailed file information, as
described in Viewing the Contents of a Configuration File on page 179.
Viewing the Contents of a Configuration File
Restoring a configuration file to GigaVUE-420 overwrites the existing
connection information in place on the box with the connection
information stored in the configuration file. Because of this, it’s a
good idea to check the contents of the file before you apply it.
You can easily see the details of what’s been saved in a configuration
file by using the show file [filename] command. This will show a
detailed view of the configuration file’s contents, including the
printout of a show connect command for the file. This way, you can
see what’s in the file without having to restore it.
NOTE: The detailed output for the show file [filename.cfg] command
shows the connections (local and cross-box) and maps (local and
cross-box) but does not show the filters, port-filter, xbport-filters and
map-rules contained in the configuration file.
NOTE: Using the install -cfg command does not actually apply the
configuration file – it just downloads it from the TFTP server and
stores it in flash. You still have to apply the configuration file using
one of the methods in Applying Configuration Files on page 180.
See also:
• Restoring Configuration Files in a Cross-Box Stack on page 183
• Module configuration must be identical for source and target
systems.
NOTE: When you restore a new configuration file and also want it to
load the next time the system is booted, use the show file command
to verify that the file has the nb attribute enabled.
You set the nb option with either the config file command or the
config save command. These commands have the following syntax:
config file <filename> [nb] [description “string”]
config save <filename> [nb]
Alternatively, you can save a new configuration file and set it to boot
next with one command:
config save mynewconfigfile.cfg nb
You can see which configuration file is set to boot next with the show
file command. Figure 10-2 shows the results of a show file command
after we set multi-map.cfg to boot next.
Chapter 11
Configuring Logging
Configuring Logging – A Roadmap
Configuring logging consists of the following major steps:
1. Use the config system log-level command to specify which types
of events are logged.
See Specifying Which Events Are Logged, below.
2. Optional: Use the config syslog_server command to specify an
external syslog server as a destination for logged events.
See Specifying an External Syslog Server on page 188 for details.
3. Use the show log [logfile] command to view events in the logfile.
See Viewing Log Files on page 190 for details.
Log-Level Description
Critical The log-level with the least logging. Only Critical
events are written to the log file.
Error Error and Critical events are written to the log file.
About syslog.log
Logged events are recorded in the syslog.log file in non-volatile
memory on the GigaVUE-420. The maximum size of the syslog.log
file is 1 MB. When syslog.log reaches its maximum size, it “rolls
over” into syslog1.log and new events are written to a now empty
syslog.log file.
Argument Description
host The IP address of the external syslog server in
standard dotted-quad format.
Examples
Packet Format for Syslog Output
Syslog packets sent by the GigaVUE-420 to an external syslog server
conform to the format recommended by RFC 3164:
The show log command includes a variety of arguments that let you
filter the display of the log file, focusing on events matching a
specified priority, time/date, or name. The syntax for the show log
command is as follows:
show log [logfile]
[pri <verbose | info | error | critical>]
[type <system | periodic | stack | userif | notif | login>]
[start <mm-dd-yy>] [end <mm-dd-yy>] [delim] [tail <1~255>]
The table below lists and describes the arguments for the show log
commands.
NOTE: As described in Listing Available Log Files on page 187, you can
use the show log command without any additional arguments to see
a list of the log files available on the system.
Argument Description
[logfile] Specifies the name of the log file to be displayed. You
can use the show log command by itself to see a list
of available log files.
The show log [logfile] command with no additional
arguments will display all of the entries in the specified
log file. You can use Ctrl-C to interrupt the output
display of the show log command.
[pri <verbose | info | error | critical>] Filters the log file display by event priority. Only events
greater than or equal to the specified priority will be
displayed.
[type <system | periodic | stack | userif | notif | login>] Filters the display by event type. Only events
matching the specified type will be displayed:
• System – Includes system messages useful for
troubleshooting with Technical Support personnel.
• Periodic – Includes syslog.log rollover events.
• Stack – Stacking related events.
• Userif – User interface messages, including the
command line history.
• Notif – Asynchronous events, including SNMP trap
information, packet drop events, port link status
changes, system resets, configuration saves, and
so on.
• Login – Shows each time a user logged in locally,
via RADIUS, and via TACACS+.
[start <mm-dd-yy>] [end <mm-dd-yy>] Filters the display by date. Only events within the
specified date range will be displayed.
You can use the start and end arguments together or
by themselves. If you use start or end by itself,
GigaVUE implicitly uses the opposite end of the file as
the other end of the date range. For example, if you
use start by itself, matching events from the specified
start date to the end of the file will be displayed.
You can combine the arguments for the show log command to see
exactly the information you want. For example, the following
command shows all Critical messages in syslog.log between October
25th, 2007 and October 27th 2007:
show log syslog.log pri critical start 10-25-07 end 10-27-07
a. Use Tera Term’s File > Log command to specify the
destination file. As shown in Figure 11-2, we’ve specified that
output will be saved to the GV420_delimited text file. Click
Open when you have finished.
5. Once you finish the Import Wizard, Microsoft Excel displays the
log file in standard spreadsheet format. You can sort and search
all fields, in addition to other standard spreadsheet tasks.
Introducing Packet Distribution
This section introduces GigaVUE-420 packet distribution – what it is,
how you set it up, and the differences between connections and
maps. Once you’ve read this section, turn to Chapter 13, Connections,
Filters, and Pass-Alls and Chapter 14, Working with Maps (Single-Box
and Cross-Box) for detailed information on each.
About Packet Distribution
Packet distribution is where GigaVUE-420’s real power is on display
– it’s where you decide how traffic arriving on network ports should
be sent to tool ports. You’ll decide which traffic should be forwarded,
where it should be sent, and how it should be handled once it arrives.
discarded. In addition, a tool port’s link status must be 1 (“up”)
for packets to be sent out of the port. You can check a port’s link
status with the show port-params command.
• Filters applied to tool ports are called post-filters. Post-filters
are useful if you want to send the same traffic to multiple tool
ports and have each one allow or deny different packets based
on specified criteria.
Notice in Figure 12-1 that post-filters are set to focus on different
parts of the data stream – traffic on a single VLAN, a single
subnet, and so on.
Getting Started with Packet Distribution
You manage packet distribution in the GigaVUE-420 command-line
interface. From there, you perform all packet distribution tasks –
designating ports as network or tool ports, setting up filters, mapping
network ports to tool ports, and so on.
Figure 12-2 shows the results of the show connect command for an
out-of-the box GigaVUE-420. At this point, no connections have been
set up and no filters have been defined. Additionally, all of the ports
are set up as network ports – they appear in the Network Port list at
the left of the display.
Ports in parentheses are RJ45 ports. Ports without parentheses are optical
ports (LC or SFP).
The lists at the bottom of the show connect display provide information on
the current configuration of the x1/x2 10 Gb GigaLINK stack ports.
For cross-box configurations, the Connected Box ID list will show the
Box ID(s) of the box(es) connected to x1, x2, or both.
The FID columns show the pre- and post-filters currently in place on each
port. The left FID column shows pre-filters (filters bound to network ports)
and the right FID column shows post-filters (filters bound to tool ports).
Example – Designating and Connecting Tool Ports
In general, GigaVUE-420 ports can be either a network port or a tool
port. Ports 1-20 and x3/x4 are all network ports by default.
However, as you decide which tools to use with the GigaVUE-420,
you will use the config port-type command to set some of the ports
as tool ports.
The table below lists and describes some basic packet distribution
commands. Don’t worry about the command specifics for now – this
is meant simply to provide you with a feeling for how the CLI
represents packet distribution. Following the table, Figure 12-3 shows
the results of a show connect command for the settings made in the
table.
Comments: First, let’s designate Port 2 as a tool port.
Command: config port-type 2 tool

Comments: Next, we’ll connect Port 1 (a network port) to Port 2 (a tool
port). This means that the traffic arriving on Port 1 will be
forwarded to Port 2.
Command: config connect 1 to 2

Comments: Now, we’ll create a filter. Let’s create a filter that accepts all
traffic on VLAN 100. We’ll call it VLAN100.
Command: config filter allow vlan 100 alias VLAN100

Comments: Now that we’ve defined a filter, we can bind it to a port. Let’s
bind it to our tool port so that it will only accept traffic tagged
with VLAN 100.
Note that filters are reusable – we could bind this same
VLAN100 filter to other ports, as we needed it.
Command: config port-filter 2 VLAN100

Comments: Now that we’ve connected the tap, we need to send the
traffic somewhere. Let’s connect the tap ports to the same
tool port we designated in the first step – Port 2.
We’ll be sending traffic from three different sources to the
same destination. However, because we have a post-filter
set up on the tool port, only traffic tagged with VLAN 100 will
be seen by the connected tool.
Command: config connect 13 14 to 2
Connections between network and tool ports are shown with arrows.
Filters in place are shown with their numerical identifier. Use the show
filter command to match a numerical filter identifier with a filter alias.
About Connections
Connections are simple one-to-one flows between a network port
and a tool port. You can set up filters on either end of a connection
(pre-filter or post-filter), set up multiple connections on a single
network port, or simply send all the data arriving on a network port
to a designated tool port.
Connection Examples
Figure 12-4 illustrates some simple connections – an unfiltered
connection between network port 1 and tool port 5 as well as a
network port (3) with connections to two different post-filtered tool
ports (7 and 8).
Command: config port-type 5 7 8 tool
Comments: Sets ports 5, 7, and 8 as Tool Ports.
Command: config port-filter 7 VLAN100
Command: config port-filter 8 VLAN100
Comments: Binds the filter named VLAN100 to Tool Ports 7 and 8.
[Figure 12-4: network ports 1-4 and tool ports 5-8; tool ports 7 and 8
are post-filtered.]
About Maps
Maps provide more robust capabilities for directing traffic than
connections do. Maps consist of one or more map-rules, each
directing traffic to one or more tool ports based on different packet
criteria. Map-rules function internally as pre-filters when used to
distribute traffic. You can combine many different rules in a logical
order to achieve exactly the packet distribution you would like.
don’t interest you. You can set up map-rules that look for packets
matching specific criteria and immediately discard them.
For example, you could set up a map-rule that sends all traffic
from a particular source IP address to the virtual drop port.
• Collector – The collector, on the other hand, is the “Everything
Else” Bucket. It’s where you send packets that don’t match the
criteria specified by any of the other map-rules in a map.
For example, suppose you set up a map called VLAN-Map with
map-rules that send traffic from VLAN 101 to Tool Port 6, and
VLAN 102 to Tool Port 7. Now, you’re still interested in traffic
that doesn’t match either of those particular VLANs, but you
need a place to send it. Enter the collector. You can set up a final
map-rule that sends all packets not matching the other rules to a
designated collector port.
NOTE: If you do not specify a map-rule for the collector, any
traffic not matching the map-rules in a map will be silently
discarded.
Map Example
Figure 12-5 illustrates the map described above. This example shows
the map called VLAN-Map bound to Network Port 1. You bind maps
to network ports using the config mapping command.
[Figure 12-5: VLAN-Map. Map-Rule 1: Drop everything from IP address
192.168.1.25.]
Combining Pass-All with Connections and Maps
In addition to connections and maps, GigaVUE-420 also includes a
special config pass-all packet distribution command. The pass-all
command can be used to send all packets on a network or tool port to
another tool port, irrespective of the connections, xbconnections,
maps, or xbmaps already in place for the ports.
See Using the Pass-All Command on page 250 for details on using the
config pass-all command.
[Figure: network ports 1-4 and tool ports 5-8. Callout: Two connect
commands sharing a network port.]
Chapter 13
Cross-Box Config: Enter Commands on All Boxes
Keep in mind that when you are entering cross-box configuration
commands (for example, the xbconnect and xbport-filter commands
described in this chapter), you must enter all commands in the same
order on each box in the stack. When setting up cross-box packet
distribution, it’s often easiest to create your commands in a text file
and then paste the contents of the text file into the CLI of each box in
the stack.
Connection Syntax
You set up connections with the following command syntax:
Notice that you can connect multiple network ports or tool ports with
a single command:
• The pid-list (port id list) and bid-pid_list (box id-port id)
arguments let you select multiple non-contiguous ports. To enter
port IDs in a list, simply put a space between each port ID in the
list.
• The pid-x..pid-y argument lets you select a series of adjacent
ports (for example, 2..5 selects ports 2, 3, 4, and 5).
For example:
Cross-Box Stack
Command: config xbconnect 1-2 1-3 1-4 to 3-1 alias MyXBConnect
This command connects network ports 1-2, 1-3, and 1-4 to the cross-box
tool port 3-1 and names the connection MyXBConnect.
Showing Connections
Any time you make changes to the packet distribution configuration
in place on the GigaVUE-420, it’s a good idea to do a show connect to
verify your results. Figure 13-1 shows the results of a show connect
command for the config connect command in the previous example.
Deleting Connections
You can delete connections with the following command syntax:
The delete command uses port ID lists in the same way as the config
connect command. So, for example, to delete the entire connection set
up in the previous example, you would use the following command:
delete connect 1 to 2..4
Deleting Cross-Box Connections
When to Use Post-Filters
Post-filters are useful when you are multicasting the same traffic to
multiple different tool ports. You can use post-filters to focus each
tool port on a different portion of the overall data stream.
With the limit of 100 post-filters in mind, however, you can use
post-filters when a network port has connections to more than one
tool port and you want each of the connected tool ports to focus on
different parts of the overall data stream. For example, in Figure 13-2,
Network Port 3 has separate connections to Tool Port 7 and Tool
Port 8. In this case, you would use post-filters to provide different
data to Tool Ports 7 and 8.
In Figure 13-2 Port 1 and Port 2 are both connected to Tool Port 5. In
order to prevent oversubscription of this tool port, both Port 1 and
Port 2 use pre-filters.
[Figure 13-2: pre-filters on network ports 1 and 2, which connect to
tool port 5; post-filters on tool ports 7 and 8.]
IPv4/IPv6 and Filters
GigaVUE-420 provides a variety of filters specific to IPv6 traffic,
including:
In addition to the explicit IPv6 filters listed above, you can use the
ipver argument to change how some of the other attributes are
interpreted.
portdst/portsrc
NOTE: Because of this, if you wanted to match all IPv4 and IPv6 traffic on a
particular destination port (say, 500), you would need to construct two filters – one
for IPv4 and one for IPv6. For example:
config filter allow portdst 500 alias ipv4_500
config filter allow ipver 6 portdst 500 alias ipv6_500
protocol
• When used with the <1-byte-hex> argument, matches against the
protocol field in the standard IPv4 header.
• When used with the <1-byte-hex> argument, matches against the Next
Header field in the standard IPv6 header.
NOTE: These fields perform essentially the same service in both versions,
specifying what the next layer of protocol is. However, they have different names
and are found at different locations in the header. See Protocol Filters and IPv6 on
page 229 for a list of useful values for the <1-byte-hex> field.
Examples
The following examples illustrate the points made in the table above:
Command: config filter allow ipver 6 alias six_only
Description: Creates a filter that accepts all IPv6 traffic.
Command: config filter allow ipver 6 protocol 0x3a alias ICMPv6
Description: Creates a filter that matches the value for ICMP (IPv6)
against the IPv6 Next Header field.
NOTE: See Config Filter Syntax on page 225 for a list of standard
values for the Next Header field in IPv6.
Command: config filter allow ttl 35 alias ttlfilter
Description: Creates a filter that matches values of 35 in the TTL
field of an IPv4 packet.
Config Filter Syntax
The table below lists and describes the arguments for the config filter
command:
Argument: [allow | deny]
Description: Specifies whether the filter should include (allow) or
exclude (deny) traffic meeting the criteria specified by the rest of
the config filter command.
You can mix allow and deny filters on a single port.
Argument: [ipdst <dstaddr>] [ipdstmask <xxx.xxx.xxx.xxx | /nn>]
[ipsrc <srcaddr>] [ipsrcmask <xxx.xxx.xxx.xxx | /nn>]
Description: Creates a filter for either a source or destination
IPv4 address or subnet.
Use subnet masks to match traffic from a range of IP addresses. You
can enter subnet masks using either dotted-quad notation
(<xxx.xxx.xxx.xxx>) or in the bit count format (see Using Bit Count
Subnet Netmasks on page 233).
Argument: [ip6src <srcaddr>] [ip6srcmask <xxxx::xxxx | /nn>]
[ip6dst <dstaddr>] [ip6dstmask <xxxx::xxxx | /nn>]
Description: Creates a filter for either a source or destination
IPv6 address or subnet. Enter IPv6 addresses as eight 16-bit
hexadecimal blocks separated by colons. For example:
2001:0db8:3c4d:0015:0000:0000:abcd:ef12
Use subnet masks to match traffic from a range of IP addresses. You
can enter subnet masks either in 16-bit hexadecimal blocks separated
by colons or in the bit count format (see Using Bit Count Subnet
Netmasks on page 233).
Argument: [ip6fl <3-byte-hex>]
Description: Creates a filter for the 20-bit Flow Label field in an
IPv6 packet. Packets with the same Flow Label, source address, and
destination address are classified as belonging to the same flow. IPv6
networks can implement flow-based QoS using this approach.
Specify the flow label as a 3-byte hexadecimal pattern. Note, however,
that only the last 20 bits are used – the first four bits must be
zeroes (specified as a single hexadecimal zero in the CLI). For
example, to match all packets without flow labels, you could use the
following filter:
config filter allow ip6fl 0x000000 alias no_flow
Alternatively, to match the flow label of 0x12345, you could use the
following:
config filter allow ip6fl 0x012345 alias flow12345
Argument: [macdst <macaddr>] [macdstmask <6-byte-hex>]
[macsrc <macaddr>] [macsrcmask <6-byte-hex>]
Description: Creates a filter pattern for either a source or
destination MAC address.
Use the optional macsrcmask or macdstmask argument to create a range
of MAC addresses that will satisfy the filter pattern.
NOTE: You can enter hexadecimal MAC addresses in either
0xffffffffffff or ffffffffffff format.
See Examples of MAC Address Filters on page 175 for examples of how
to use MAC address masks.
Argument: [protocol <gre|icmp|igmp|ipv4ov4|ipv6ov4|rsvp|tcp|udp|<1-byte-hex>>]
Description: Creates a filter for a particular protocol. In this
release, you can create protocol filters for gre, icmp, igmp, IPv4
over IPv4 (ipv4ov4), IPv6 over IPv4 (ipv6ov4), rsvp, tcp, udp, and
one-byte hex values (<1-byte-hex>).
For example, config filter deny protocol gre will create a filter
that excludes all GRE traffic.
Argument: [ttl <0~255> | <x..y>] (valid range 0..255)
Description: Creates a filter for the Time to Live (TTL – IPv4) or
Hop Limit (IPv6) value in an IP packet.
• If there is no ipver argument included in the filter
(or if it is set to 4), GigaVUE-420 matches the
value against the TTL field in IPv4 packets.
• If ipver is set to 6 in the filter, GigaVUE-420
matches the value against the Hop Limit field in
IPv6 packets.
The TTL and Hop Limit fields perform the same function, specifying
the maximum number of hops a packet can cross before it reaches its
destination.
Argument: [uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
Description: Creates up to two user-defined, 16-byte pattern matches
in a filter. A pattern is a particular sequence of bits at a specific
offset from the start of a frame.
Setting a user-defined pattern match in GigaVUE-420 consists of the
following major steps:
• Specify the two global offsets to be used for
user-defined pattern matches using the config
uda command (uda1_offset and uda2_offset)
• Specify the data pattern and mask using the
config filter command with the
[udax_data][udax_mask] arguments. You use
the mask to specify which bits in the pattern must
match to satisfy the filter.
A single filter can contain up to two user-defined pattern matches.
NOTE: Always use the predefined filter elements instead of
user-defined pattern matches when possible.
See Working with User-Defined Pattern Match Filters on page 237 for
details.
Argument: [vlan <vlan id (1-4094)> | <x..y>] [odd | even]
Description: Creates a filter pattern for a VLAN ID or range of VLAN
IDs. You can also use the odd | even argument to match alternating
VLAN IDs. For example, config filter allow vlan 200..300 even will
match all even VLAN IDs between 200 and 300.
Examples
The following filter matches packets with only the SYN bit set:
config filter allow tcpctl 0x02 tcpctlmask 0x3f alias syns_only
Many packets will have some combination of these bits set rather
than just one. So, for example, the following filter matches all packets
with both the ACK and SYN bits set:
config filter allow tcpctl 0x12 tcpctlmask 0x3f alias syns_acks
Using Bit Count Subnet Netmasks
The table below summarizes the bit count subnet mask value for
standard dotted-quad IPv4 subnet masks. As described in Config
Filter Syntax on page 225, you can enter IP subnet masks in the bit
count format by using the /nn argument.
Bit count subnet masks are easier to visualize for IPv6 addresses,
specifying which portion of the total 128 bits in the address
correspond to the network address. So, for example, a subnet mask of
/64 indicates that the first 64 bits of the address are the network
address and that the remaining 64 bits are the host address. This
corresponds to the following hexadecimal subnet mask:
ffff:ffff:ffff:ffff:0000:0000:0000:0000
255.255.255.254 /31
255.255.255.252 /30
255.255.255.248 /29
255.255.255.240 /28
255.255.255.224 /27
255.255.255.192 /26
255.255.255.128 /25
255.255.255.0 /24
255.255.254.0 /23
255.255.252.0 /22
255.255.248.0 /21
255.255.240.0 /20
255.255.224.0 /19
255.255.192.0 /18
255.255.128.0 /17
255.254.0.0 /15
255.252.0.0 /14
255.248.0.0 /13
255.240.0.0 /12
255.224.0.0 /11
255.192.0.0 /10
255.128.0.0 /9
255.0.0.0 /8
254.0.0.0 /7
252.0.0.0 /6
248.0.0.0 /5
240.0.0.0 /4
224.0.0.0 /3
192.0.0.0 /2
128.0.0.0 /1
0.0.0.0 /0
Combining Filters and Filter Logic
When working with filters, you can easily combine multiple criteria
into a single filter rule by combining them in the CLI command. You
can also bind multiple filters to a single network port. GigaVUE-420
processes filter definitions as follows:
• Within a single filter, filter criteria are joined with a logical AND.
A packet must match each of the specified criteria to satisfy the
filter.
• Multiple filters bound to a single port are joined with a logical
OR. A packet must match at least ONE of the filters to be allowed
or denied.
NOTE: When used in a filter with multiple criteria, the ipver
argument changes the interpretation of some filter arguments. See
IPv4/IPv6 and Filters on page 223 for details.
Command: config filter allow vlan 100 alias vlanfilter
Creates filter called vlanfilter with one criterion – VLAN ID 100.
Command: config filter allow portsrc 23 alias portfilter
Creates filter called portfilter with one criterion – source port 23.
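The AND/OR rule above and the tcpctl masks from the earlier SYN examples, modelled as an added Python example (not GigaVUE code or output). Packets are constructed dictionaries, only allow filters are modelled, tcpctl is assumed to be compared against the TCP flags byte, and the combined filter name vlan_and_port is hypothetical.

```python
# Added model of the documented filter logic; not GigaVUE code.
RANGE_FIELDS = ("vlan", "portsrc", "portdst")


def criterion_matches(name, want, pkt):
    """Evaluate one criterion of a filter against a packet dictionary."""
    if name != "tcpctl" and name not in RANGE_FIELDS:
        raise ValueError(f"criterion not modelled: {name}")
    got = pkt.get(name)
    if got is None:                      # field absent from this packet
        return False
    if name == "tcpctl":                 # (value, mask): compare masked bits only
        value, mask = want
        return (got & mask) == (value & mask)
    lo, hi = want if isinstance(want, tuple) else (want, want)
    return lo <= got <= hi


def filter_matches(flt, pkt):
    """Criteria inside one filter are joined with a logical AND."""
    return all(criterion_matches(k, v, pkt) for k, v in flt.items())


def port_allows(bound_filters, pkt):
    """Filters bound to the same port are joined with a logical OR."""
    return any(filter_matches(f, pkt) for f in bound_filters)


# Filters taken from the guide's commands.
vlanfilter = {"vlan": 100}
portfilter = {"portsrc": 23}
syns_only = {"tcpctl": (0x02, 0x3F)}
syns_acks = {"tcpctl": (0x12, 0x3F)}
# Hypothetical single filter carrying both criteria (the name is an assumption).
vlan_and_port = {"vlan": 100, "portsrc": 23}

PACKETS = [  # constructed samples
    {"id": "a", "vlan": 100, "portsrc": 23,  "tcpctl": 0x02},  # SYN
    {"id": "b", "vlan": 100, "portsrc": 443, "tcpctl": 0x12},  # SYN + ACK
    {"id": "c", "vlan": 200, "portsrc": 23,  "tcpctl": 0x18},  # PSH + ACK
    {"id": "d", "vlan": 200, "portsrc": 443, "tcpctl": 0xC2},  # SYN + ECE + CWR
]


def passed(bound_filters):
    """IDs of the sample packets that a port with these filters lets through."""
    return [p["id"] for p in PACKETS if port_allows(bound_filters, p)]


if __name__ == "__main__":
    print("vlanfilter OR portfilter :", passed([vlanfilter, portfilter]))
    print("vlan AND port, one filter:", passed([vlan_and_port]))
    print("syns_only                :", passed([syns_only]))
    print("syns_acks                :", passed([syns_acks]))
```

Binding vlanfilter and portfilter to one port passes three of the four samples, while a single filter with both criteria passes one. The 0x3f mask leaves the two high flag bits unchecked, so sample d still counts as SYN-only.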
Working with User-Defined Pattern Match Filters
The GigaVUE-420 lets you configure up to two user-defined, 16-byte
pattern matches in a filter or map-rule. A pattern is a particular
sequence of bits at a specific location in a frame.
NOTE: GigaVUE-420’s CLI refers to a pattern as a UDA
(“user-defined attribute”).
You can set the two offsets at 4-byte boundaries from 2-126 bytes.
The offsets cannot overlap. There are only two offsets in place on
the system at any one time (uda1_offset and uda2_offset) – the
same offsets are used by all pattern-based filters and map-rules.
In many cases, you will be looking for patterns that do not start
exactly on a four-byte boundary. To search in these positions, you
would set an offset at the nearest four-byte boundary and adjust the
pattern and mask accordingly.
Default Offsets
The default offsets are listed below. You can always see the current
offset values by using the show uda command.
Specifying Patterns and Masks – config udax_data/udax_mask
The user-defined pattern match syntax is identical for filters and
map-rules:
[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
• Masks specify which bits in the pattern must match. The mask
lets you set certain bits in the pattern as wild cards – any values in
the masked bit positions will be accepted.
• Bits masked with binary 1s must match the specified pattern.
• Bits masked with binary 0s are ignored.
User-Defined Pattern Match Examples
Suppose you want to set up a filter that matches all traffic with a
particular MPLS label (0x00017). To do this, you can use a filter that
combines an ethertype filter for the MPLS ethertype (8847) with a
user-defined pattern match for the label itself.
We’ll put the ethertype argument in the same filter with the
user-defined pattern match to make sure they’re joined with a logical
AND. The following example explains how to construct this filter.
Figure 13-4, below, shows the filter in the GigaVUE-420 CLI.
Description: First, set the offset for the first user-defined pattern
match. We know that MPLS label stacks start at an offset of 14 bytes,
right after the DLC header, so let’s set that up.
Command: config uda uda1_offset 14
Description: Next, set up the filter itself. The filter will have two
parts – the ethertype filter and the user-defined pattern match itself.
• The ethertype for MPLS is 0x8847.
• We’re searching for the MPLS label of
0x00017. Fortunately, the offset of 14 is on a
four-byte boundary when counting from the
start of the valid range (2~110; so, 2, 6, 10, 14).
This makes it easy to supply the pattern – we
can start with the actual MPLS label and then
mask the rest with binary zeroes.
Command: config filter allow ethertype 0x8847 uda1_data 0x00017000-00000000-00000000-00000000 uda1_mask 0xfffff000-00000000-00000000-00000000 alias MPLS_label
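An added Python example, not part of the guide or of GigaVUE's software, that derives the uda offset, data and mask for a field at any byte position and checks them against constructed frames. It assumes offsets count from the first byte of the frame and that valid offsets are 2, 6, 10, 14 and so on up to 110, as the text above describes; all function names are hypothetical.

```python
UDA_WINDOW = 16  # bytes covered by one user-defined pattern
# Assumption taken from the guide's text: valid offsets are 2, 6, 10, 14, ... up to 110.
ALLOWED_OFFSETS = range(2, 111, 4)


def to_cli_hex(buf):
    """Format 16 bytes as 0xXXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX."""
    return "0x" + "-".join(bytes(buf[i:i + 4]).hex() for i in range(0, UDA_WINDOW, 4))


def from_cli_hex(text):
    """Parse the CLI notation back into 16 raw bytes."""
    if not text.lower().startswith("0x"):
        raise ValueError("expected a 0x prefix")
    raw = bytes.fromhex(text[2:].replace("-", ""))
    if len(raw) != UDA_WINDOW:
        raise ValueError("pattern and mask must be exactly 16 bytes")
    return raw


def build_uda(field_offset, value, mask):
    """Return (uda_offset, data, mask) for a field at an absolute frame offset.

    Picks the closest allowed offset at or below the field and places the
    value and mask at the right position inside the 16-byte window; every
    other bit is left as a wildcard.
    """
    if len(value) != len(mask):
        raise ValueError("value and mask must have the same length")
    base = max((o for o in ALLOWED_OFFSETS if o <= field_offset), default=None)
    if base is None:
        raise ValueError("field starts before the first allowed offset")
    shift = field_offset - base
    if shift + len(value) > UDA_WINDOW:
        raise ValueError("field does not fit in one 16-byte window")
    data, bits = bytearray(UDA_WINDOW), bytearray(UDA_WINDOW)
    for i, (v, m) in enumerate(zip(value, mask)):
        data[shift + i] = v & m
        bits[shift + i] = m
    return base, to_cli_hex(data), to_cli_hex(bits)


def uda_match(frame, uda_offset, data_hex, mask_hex):
    """True when every bit selected by the mask equals the pattern."""
    data, mask = from_cli_hex(data_hex), from_cli_hex(mask_hex)
    for i in range(UDA_WINDOW):
        if mask[i] == 0:
            continue  # wildcard byte
        pos = uda_offset + i
        if pos >= len(frame) or (frame[pos] & mask[i]) != (data[i] & mask[i]):
            return False
    return True


def filter_allows(frame, ethertype, uda):
    """Ethertype AND pattern, as when both arguments sit in one filter."""
    return frame[12:14] == ethertype.to_bytes(2, "big") and uda_match(frame, *uda)


def mpls_frame(label, tc=0, ttl=64, vlan=None):
    """Constructed Ethernet frame carrying a single MPLS label stack entry."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan is not None:
        hdr += b"\x81\x00" + vlan.to_bytes(2, "big")    # 802.1Q tag: 4 extra bytes
    entry = (label << 12) | (tc << 9) | (1 << 8) | ttl  # label, TC, bottom-of-stack, TTL
    return hdr + b"\x88\x47" + entry.to_bytes(4, "big") + bytes(20)


# The guide's MPLS example: label 0x00017 in the top 20 bits at offset 14.
LABEL_17 = build_uda(14, (0x00017 << 12).to_bytes(4, "big"), bytes.fromhex("fffff000"))
# A field off the boundary: the IPv4 protocol byte of an untagged frame (offset 23).
PROTO_ICMP = build_uda(23, b"\x01", b"\xff")

if __name__ == "__main__":
    print("label 0x17 :", LABEL_17)
    print("protocol 1 :", PROTO_ICMP)
    print("untagged   :", filter_allows(mpls_frame(0x17, tc=5, ttl=3), 0x8847, LABEL_17))
    print("other label:", filter_allows(mpls_frame(0x18), 0x8847, LABEL_17))
    print("vlan-tagged:", uda_match(mpls_frame(0x17, vlan=100), *LABEL_17))
```

Under the stated offset assumption, a pattern built for offset 14 does not match the same label behind an 802.1Q tag, where the label starts at byte 18.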
Create a filter called deny_icmp with one criterion – protocol icmp.
Command: config filter deny protocol icmp alias deny_icmp
Showing Filters
Any time you make changes to the filters in place on the
GigaVUE-420, it’s a good idea to verify your changes with a show
filter command. The show filter command provides you with the
filter definitions in place, as well as the ports to which they are
bound.
Figure 13-1 shows the results of a show filter command for the
config filter commands in the previous example. In this example,
vlanfilter and portfilter are both bound to Port 3. However,
combofilter is not.
Command: delete port-filter 3 vlanfilter
Comments: This command removes the filter named vlanfilter from Port 3.
Filter Examples
This section provides some examples of filters:
• Filtering on RTP Traffic on page 245
• MAC Address Filter Examples on page 246
Command: config filter deny portsrc 5004 alias deny_src_5004
Constructs a filter named deny_src_5004 to deny traffic with a source
port of 5004.
Command: config filter deny portdst 5004 alias deny_dst_5004
Constructs a filter named deny_dst_5004 to deny traffic with a
destination port of 5004.
Command: config filter deny portsrc 16384..16624 even alias deny_src_cisco_rtp
Constructs a filter named deny_src_cisco_rtp to deny traffic with an
even-numbered source port in the range of 16384..16624. This is a
standard RTP port range used by Cisco equipment.
macsrcmask FF FF FF FF FF FE
Command:
config filter deny macsrc 000000000003 macsrcmask fffffffffffe alias macfilter
Result:
Packets with the following two MAC source addresses are denied:
• 00 00 00 00 00 02
• 00 00 00 00 00 03
Command:
config filter allow macsrc 000000000003 macsrcmask fffffffffffe alias macfilter
Result:
Only packets with the following two MAC source addresses are
accepted:
• 00 00 00 00 00 02
• 00 00 00 00 00 03
Command:
config filter deny macsrc 000000000003 macsrcmask fffffffffff1 alias macfilter
Result:
Packets with the following eight MAC source addresses are denied:
• 00 00 00 00 00 01
• 00 00 00 00 00 03
• 00 00 00 00 00 05
• 00 00 00 00 00 07
• 00 00 00 00 00 09
• 00 00 00 00 00 0b
• 00 00 00 00 00 0d
• 00 00 00 00 00 0f
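The mask arithmetic behind these MAC examples, as an added Python example (not GigaVUE code): it lists the addresses a macsrc/macsrcmask pair selects and counts them when the set is too large to list. Function names are hypothetical.

```python
def parse_mac(text):
    """Accept ffffffffffff, 0xffffffffffff or 'ff ff ff ff ff ff'; return an int."""
    digits = text.lower().replace(" ", "").replace(":", "")
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits (6 bytes), got {len(digits)}")
    return int(digits, 16)


def fmt_mac(value):
    """Render a 48-bit integer as six space-separated hex bytes."""
    return " ".join(f"{(value >> s) & 0xFF:02x}" for s in range(40, -1, -8))


def mac_matches(addr, pattern, mask):
    """Bits set to 1 in the mask must equal the pattern; 0 bits are ignored."""
    m = parse_mac(mask)
    return (parse_mac(addr) & m) == (parse_mac(pattern) & m)


def match_count(mask):
    """Size of the selected set: two choices for every 0 bit in the mask."""
    return 2 ** (48 - bin(parse_mac(mask)).count("1"))


def matching_macs(pattern, mask, limit=1024):
    """List every address selected by pattern/mask when the set is small."""
    p, m = parse_mac(pattern), parse_mac(mask)
    free = [bit for bit in range(48) if not (m >> bit) & 1]
    if 2 ** len(free) > limit:
        raise OverflowError(f"{2 ** len(free)} addresses match; too many to list")
    found = []
    for combo in range(2 ** len(free)):
        addr = p & m                      # fixed bits come from the pattern
        for j, bit in enumerate(free):    # wildcard bits take every combination
            if (combo >> j) & 1:
                addr |= 1 << bit
        found.append(addr)
    return [fmt_mac(a) for a in sorted(found)]


if __name__ == "__main__":
    for mask in ("fffffffffffe", "fffffffffff1"):
        print(mask, "->", matching_macs("000000000003", mask))
    # Only the lowest bit is checked here, so the set is far too large to list.
    print("000000000001 ->", match_count("000000000001"), "addresses")
    print(mac_matches("00 00 00 00 00 05", "000000000003", "000000000001"))
```

A deny filter and an allow filter with the same pattern and mask select the same set of addresses; only the action applied to that set differs.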
macsrcmask 00 00 00 00 00 01
Command:
config filter deny macsrc 000000000003 macsrcmask 000000000001 alias macfilter
Result:
Command:
config filter allow macsrc 000000000003 macsrcmask 000000000001 alias macfilter
Result:
This section includes the following topics for the config pass-all
command:
• Syntax for config pass-all on page 250
• Rules for config pass-all on page 252
• Maximum Number of Pass-All Destinations on page 252
• Pass-All Matrix on page 253
• Filters and the config pass-all Command on page 254
• Examples for config pass-all on page 256
• Illustration of Pass-Alls in the Show Connect Screen on page 260
Notice that you can connect multiple ports with a single command:
• The pid-list (port id list) argument lets you select multiple
non-contiguous ports. To enter port IDs in a list, simply put a
space between each port ID in the list.
• The pid-x..pid-y argument lets you select a series of adjacent
ports (for example, 2..5 selects ports 2, 3, 4, and 5).
For example:
Command: config pass-all 1..4 to 5
Comments: This command sets up pass-alls from 1-4 to tool port 5.
Deleting a Pass-All
You can delete an existing pass-all with the delete pass-all command.
The command has the following syntax:
delete pass-all [all | <port-alias | pid-list | pid-x..pid-y>
to all | <port-alias | pid-list | pid-x..pid-y>]
For example, to delete the pass-all set up by the first command in the
table above, you could use the following command:
delete pass-all 1..4 to 5
You could also delete just a portion of the pass-all. For example, to
delete the pass-all from 3 to 5:
delete pass-all 3 to 5
By contrast, if network port 1 is part of a multi-tool map, you could
set up pass-alls between network port 1 and the other 23 ports on a
fully-populated system (so long as the other 23 were configured as
tool ports).
Pass-All Matrix
The table below summarizes the supported scenarios for sending
data with the config pass-all command.
Multiple Network Ports
Single Tool Port
Single or Multiple Network Ports
Network ports can never be the destination for a pass-all.
[Figures: pass-all diagrams. Labels: Network Ports, Tool Ports, Filter
VLAN 100, pass-all, map, mapping, map-rule, IDS.]
Temporary Troubleshooting Situations
Under certain circumstances, you may want to see all of the traffic on
a particular port without disturbing any of the packet distribution
commands already in place for the port. The pass-all gives you a way
to do this. For example, suppose you have an existing map sending
traffic from Network Port 1 to Tool Ports 5..7 based on different
map-rule criteria (Figure 13-8).
[Figure 13-8: map bound to Network Port 1 by a mapping, with map-rules
sending traffic to Tool Ports 5, 6, and 7. A second diagram shows the
same map with a pass-all to Tool Port 8.]
Sending Unfiltered Traffic to Multiple Destinations
You can also use the config pass-all command to see the same
tool-port-filtered data on multiple tool ports.
[Figure: network ports 1-4 and tool ports 5-8, with three connections
to post-filtered Tool Port 5.]
With this configuration (Figure 13-11), Tool Ports 5-8 all see the same
tool-port-filtered data.
[Figure 13-11: post-filtered Tool Port 5 with config pass-all 5 to 6..8
in place to Tool Ports 6, 7, and 8.]
• Pass-alls from a tool port to a tool port are shown with a pair of
angle brackets linking the two tool ports. For example:
( 6)>> ( 7)
Figure 13-12 shows the show connect display for the pass-all set up
to multiple tool ports in the previous section.
[Figure 13-12 callout: Angle brackets indicate pass-alls in place
between tool ports.]
Cross-Box Config: Enter Commands on All Boxes
Keep in mind that when you are entering cross-box configuration
commands (for example, the xbmap and xbmapping commands
described in this chapter), you must enter all commands in the same
order on each box in the stack. When setting up cross-box packet
distribution, it’s often easiest to create your commands in a text file
and then paste the contents of the text file into the CLI of each box in
the stack.
Figure 14-1 shows the major steps in creating a map. Figure 14-2
provides a conceptual illustration of the map components set up in
Figure 14-1.
Step 1: Create the Map
Use the config map (single-box) or config xbmap (cross-box stacks)
command to create a map. These commands create a map “container” for
the map-rules you define in the next step.
When you create a map, you give it a name (an alias) and specify
whether it is a single-tool or multi-tool map. See Creating Maps:
config map/config xbmap on page 266 for information on creating
the map.
Step 2: Create Map-Rules for the Map
Use the config map-rule command to create map-rules for the map.
Map-rules direct traffic based on different packet criteria – MAC/IP
addresses, port numbers, VLAN IDs, protocols, and so on.
You can set up map-rules that direct packets to different tool ports,
map-rules that delete some packets right away (send them to the
“virtual drop port”), and map-rules that direct all traffic that doesn’t
match any of the other rules in the map to a designated “collector” port.
[Figure 14-2: map bound to network port 1 by a mapping, with map-rules
directing traffic to tool ports 5, 6, and 7.]
When you create the map container, you must supply the following
information:
• Whether the map is a single-tool map or a multi-tool map.
• The name (alias) of the map.
Single-Tool Maps vs. Multi-Tool Maps
There are two types of maps – single-tool and multi-tool. You use the
type [st | mt] argument to specify the map’s type as part of the
config map / config xbmap command (see Syntax for the config map /
config xbmap Commands on page 270 for details).
• Single-tool maps must consist entirely of map-rules that send
matching packets to a single tool port.
• Multi-tool maps can have map-rules that send matching packets
to multiple tool port destinations. However, it is not a
requirement that they have at least one such rule.
For example, the map-rule config map-rule MT-Map rule ipdst
192.168.1.25 tool 4 5 sends all traffic with a destination IP address
of 192.168.1.25 to both tool ports 4 and 5. This rule could only be
part of a multi-tool map (a map with its type set to mt).
Single-Tool Maps
Plus:
• Support Pattern Match Filters
Minus:
• Fewer Port-Pairs (2 instead of 12)
• Fewer Pass-All Destination Ports for Ports in the Map (4 instead of 23)
Multi-Tool Maps
Plus:
• More Port-Pairs (12 instead of 2)
• More Pass-All Destination Ports for Ports in the Map (23 instead of 4)
Minus:
• No User-Defined Pattern Match Map-Rules
Supported Map Maximums
When creating maps on the GigaVUE-420, keep in mind the
following supported maximums:
The table below lists and describes the arguments for these
commands:
Argument: [mt | st]
Description: Specifies whether the map is a multi-tool (mt) or
single-tool (st) map.
See Single-Tool Maps vs. Multi-Tool Maps on page 267 for more
information.
Creating Map-Rules: config map-rule
The config map-rule command creates a map filter that directs
matching traffic to tool ports, cross-box tool ports, or a virtual drop
port. You can set map-rules that direct traffic based on MAC
addresses, IP addresses, application port numbers, ethertypes, VLAN
IDs, protocols, and TOS values.
Binding Maps to Ports:
config mapping / config xbmapping
The config mapping (single-box) and config xbmapping (cross-box
stacks) commands bind a map to one or more network ports (up to 23
network ports for single-box maps; up to 40 network ports for
cross-box maps). You can bind maps to a single port, a list of ports, or
a contiguous series of ports (single-box maps only).
Binding a map to a port is the last step in setting up the map. Once
you have completed the config mapping / config xbmapping
command, the map begins directing traffic on the mapped network
ports to the destinations specified by the map-rules in the map.
The table below lists and describes the arguments for the config
mapping and config xbmapping commands. Both single-box and
cross-box mappings consist of the following components:
• The network ports to which the map is bound. This is specified by
the net argument.
• The name of the map you are binding. This is specified by the
map argument.
Argument: map <map-alias>
Description: Specifies the map to be bound to the named network ports.
If you don’t know the alias for a map, use the show map-rule command
to display all maps currently configured on the box.
Showing Maps
Any time you make changes to the packet distribution configuration
in place on the GigaVUE-420, it’s a good idea to verify your results
with a show command. When working with maps, there are two
helpful show commands:
show connect
This command provides a summary of all the packet distribution
configuration on the box, including a Mapping section that
summarizes the maps currently bound to network ports.
Figure 14-3 shows the results of a show map-rule command for the
VLAN-Map set up with the commands in the table below.
Next, we will create the map-rules for the VLAN-Map using the config
map-rule command. The first rule drops all traffic from the IP address
192.168.1.25.
Command: config map-rule VLAN-Map rule ipsrc 192.168.1.25 ipsrcmask /32 tool drop
We need map-rules that forward different VLAN IDs to different ports.
This map-rule for VLAN-Map sends VLAN 101 to Tool Port 6.
Command: config map-rule VLAN-Map rule vlan 101 tool 6
This map-rule for VLAN-Map sends VLAN 102 to Tool Port 7.
Command: config map-rule VLAN-Map rule vlan 102 tool 7
This map-rule sends all traffic not matching any other rules in the
map to Tool Port 8.
Command: config map-rule VLAN-Map rule collector tool 8
Changing Maps
You make changes to maps differently depending on whether you
are working with a single-box map or a cross-box map:
Cross-Box Map
You can make the following changes at any time, regardless of whether the
xbmap has been bound to a network port using the config xbmapping
command:
• Add or delete map-rules to/from an xbmap regardless of whether it is currently
bound to a network port.
• Delete an xbmap in its entirety, including mappings and map-rules.
You cannot, however, delete a cross-box mapping once the map has been
bound. This is the difference in delete functionality between single-box and
cross-box maps.
NOTE: You must delete the cross-box map on all boxes in the cross-box stack.
Similarly, to use an updated version of the map, you must make the changes on
all boxes in the stack.
Because this map-rule was the only map-rule bound to Tool Port 2,
we could also have deleted it by specifying its tool port, as follows:
delete map-rule VLAN-MAP tool 2
Delete Mapping Syntax
Once the mapping for VLAN-MAP is deleted, you can rebind it using
the config mapping command.
For example, to delete VLAN-MAP in its entirety, you would use the
following command:
delete map VLAN-MAP
See Using the Pass-All Command on page 250 for details on using the
config pass-all command.
Map Creation Guidelines
Keep the following simple guidelines in mind when creating maps:
[Figure: two GigaVUE-420 boxes (Box ID 1 and Box ID 2), each with
network ports 1-4, tool ports 5-8, and stacking port x1.]
Next, we will create the map-rules for the VLAN-Map using the config
map-rule command. We need map-rules that forward different VLAN ranges
to different ports. The first command forwards VLANs 1-99 to Tool
Port 5 on Box ID 1.
Command: config map-rule VLAN-Map rule vlan 1..99 tool 1-5
This map-rule for VLAN-Map sends VLANs 100-199 to Tool Port 6 on Box ID 1.
Command: config map-rule VLAN-Map rule vlan 100..199 tool 1-6
This map-rule for VLAN-Map sends VLANs 200-299 to Tool Port 7 on Box ID 1.
Command: config map-rule VLAN-Map rule vlan 200..299 tool 1-7
This map-rule for VLAN-Map sends VLANs 300-399 to Tool Port 5 on Box ID 2.
Command: config map-rule VLAN-Map rule vlan 300..399 tool 2-5
This map-rule sends all traffic not matching any other rules in the
map to Tool Port 8 on Box ID 1.
Command: config map-rule VLAN-Map rule collector tool 1-8
Finally, bind the map to Network Port 1 on Box ID 1 with the config
xbmapping command.
Command: config xbmapping net 1-1 map VLAN-Map
For the cross-box map created in the table above to work correctly,
you would need to execute all of the commands in the table in the
same order on all boxes in the stack (Box ID 1 and Box ID 2 in this
example).
The easiest way to do this is to create a text file with these commands
and then paste the contents of the text file into the CLI of each box in
the stack.
Showing the Map in the CLI
Once you have created the map using the commands in Commands to
Create this Map on page 284, it’s a good idea to use the show map-rule
command to verify that the map has been set up the way you
expected. Figure 14-5 shows the results of a show map-rule for this
map example.
[Figure 14-5: results of show map-rule for VLAN-Map on GigaVUE-420 Box ID 1]
Map Example – Single-Tool vs. Multi-Tool
As described in Single-Tool Maps vs. Multi-Tool Maps on page 267,
single-tool and multi-tool maps have the following differences:
• Single-tool maps must consist entirely of map-rules that send
matching packets to a single tool port.
• Multi-tool maps can have map-rules that send matching packets
to multiple tool port destinations. However, it is not a
requirement that they have at least one such rule.
Single-Tool Map
In this example, we will create a single-tool map called uda_map and
bind it to Network Port 1. Our starting configuration is as follows:
• Ports 1-4 are set up as network ports.
• Ports 5-8 are set up as tool ports.
Next, we will create the map-rules for uda_map using the config
map-rule command.
    config map-rule uda_map rule portsrc 16384..16624 even tool 5
The next rule uses a user-defined pattern match to match traffic from
a particular MPLS label (0x00017) and send it to Tool Port 6. Because
this is a single-tool map, we can include up to two user-defined
pattern matches in the rules. As shown below, creating a pattern-match
rule consists of two steps – setting the offset and setting the
pattern.
First, set the offset for the user-defined pattern match. We know that
MPLS label stacks start at an offset of 14 bytes, right after the DLC
header, so let’s set that up.
    config uda uda1_offset 14
Next, set up the map-rule itself. The map-rule will have two parts –
an ethertype match for MPLS and the user-defined pattern match itself.
• The ethertype for MPLS is 0x8847.
• We’re searching for the MPLS label of 0x00017. Fortunately, the
offset of 14 is on a four-byte boundary when counting from the start
of the valid range (2~110; so, 2, 6, 10, 14). This makes it easy to
supply the pattern – we can start with the actual MPLS label and then
mask the rest with binary zeroes.
    config map-rule uda_map rule ethertype 0x8847 uda1_data 0x00017000-00000000-00000000-00000000 uda1_mask 0xfffff000-00000000-00000000-00000000 tool 6
This map-rule discards all traffic from the IP address 192.168.1.25.
    config map-rule uda_map rule ipsrc 192.168.1.25 ipsrcmask /32 tool drop
This map-rule sends all traffic not matching any other rules in the
map to Tool Port 8.
    config map-rule uda_map rule collector tool 8
Finally, bind the map to Network Port 1 with the config mapping
command.
    config mapping net 1 map uda_map
[Figure: uda_map bound to Network Port 1. Map-Rule 1: send packets on even source ports to Tool Port 5.]
Multi-Tool Map
In this example, we will create a multi-tool map called mt_map and
bind it to Network Port 1. Our starting configuration is the same as
the single-tool map in the previous section:
• Ports 1-4 are set up as network ports.
• Ports 5-8 are set up as tool ports.
Map Summary
The first map-rule sends all traffic to and from IP address
192.168.1.50 to Tool Ports 5, 6, and 7. A rule like this is useful
when you want multiple tools to focus on traffic from a specific
critical node (for example, a database server).
    config map-rule mt_map rule ipsrc 192.168.1.50 ipsrcmask /32 ipdst 192.168.1.50 ipdstmask /32 tool 5 6 7
The next map-rule sends all IPv6 traffic to Tool Port 7.
    config map-rule mt_map rule ipver 6 tool 7
The final map-rule sends all traffic not matching any other rules in
the map to Tool Port 8.
    config map-rule mt_map rule collector tool 8
Finally, bind the map to Network Port 1 with the config mapping
command.
    config mapping net 1 map mt_map
[Figure: Multi-Tool Map mt_map bound to Network Port 1. Map-Rule 1: send everything from IP address 192.168.1.50 to Tool Ports 5, 6, and 7.]
Appendix A
config commands
Config commands let you configure operating parameters on the
GigaVUE-420 unit.
config connect
You use the config connect command to connect network ports to
tool ports on the same box. All well-formed packets arriving on the
network ports are forwarded to the tool ports, except those removed
by any filters in place.
Notice that you can connect multiple network ports or tool ports with
a single command:
• The pid-list (port id list) and bid-pid_list (box id-port id)
arguments let you select multiple non-contiguous ports. To enter
port IDs in a list, simply put a space between each port ID in the
list.
• The pid-x..pid-y argument lets you select a series of adjacent
ports (for example, 2..5 selects ports 2, 3, 4, and 5).
config file
You use the config file nb command to set a configuration file as the
file to be used the next time the GigaVUE-420 is booted. The syntax is
as follows:
config file <filename> [nb] [description “string”]
Enabling the nb option for a configuration file marks it for loading
the next time the unit is booted. It will continue to be used at each
boot until the nb option is applied to a different configuration file.
There can be only one file with nb enabled at a time.
NOTE: You cannot delete a configuration file with nb enabled. You
must enable nb for another configuration file before you can delete it.
NOTE: GigaVUE-420 will not let you delete all configuration files –
there will always be at least one configuration file with nb enabled.
See Setting a Configuration File to Boot Next on page 182 for details.
The table below lists and describes the arguments for the config filter
command:
Argument Description
[allow | deny] Specifies whether the filter should include (allow) or
exclude (deny) traffic meeting the criteria specified
by the rest of the config filter command.
You can mix allow and deny filters on a single port.
[ipdst <dstaddr>] [ipdstmask <xxx.xxx.xxx.xxx | /nn>]
[ipsrc <srcaddr>] [ipsrcmask <xxx.xxx.xxx.xxx | /nn>]
Creates a filter for either a source or destination IPv4 address or subnet.
Use subnet masks to match traffic from a range of
IP addresses. You can enter subnet masks using
either dotted-quad notation (<xxx.xxx.xxx.xxx>) or
in the bit count format (see Using Bit Count Subnet
Netmasks on page 233).
[ip6src <srcaddr>] [ip6srcmask <xxxx::xxxx | /nn>]
[ip6dst <dstaddr>] [ip6dstmask <xxxx::xxxx | /nn>]
Creates a filter for either a source or destination IPv6 address or subnet. Enter IPv6 addresses as
eight 16-bit hexadecimal blocks separated by
colons. For example:
2001:0db8:3c4d:0015:0000:0000:abcd:ef12
Use subnet masks to match traffic from a range of
IP addresses. You can enter subnet masks either in
16-bit hexadecimal blocks separated by colons or in
the bit count format (see Using Bit Count Subnet
Netmasks on page 233).
[ip6fl <3-byte-hex>] Creates a filter for the 20-bit Flow Label field in an
IPv6 packet. Packets with the same Flow Label,
source address, and destination address are
classified as belonging to the same flow. IPv6
networks can implement flow-based QoS using this
approach.
Specify the flow label as a 3-byte hexadecimal
pattern. Note, however, that only the last 20 bits are
used – the first four bits must be zeroes (specified
as a single hexadecimal zero in the CLI). For
example, to match all packets without flow labels,
you could use the following filter:
config filter allow ip6fl 0x000000 alias no_flow
Alternatively, to match the flow label of 0x12345,
you could use the following:
config filter allow ip6fl 0x012345 alias flow12345
[macdst <macaddr>] [macdstmask <6-byte-hex>]
[macsrc <macaddr>] [macsrcmask <6-byte-hex>]
Creates a filter pattern for either a source or destination MAC address.
Use the optional macsrcmask or macdstmask
argument to create a range of MAC addresses that
will satisfy the filter pattern.
NOTE: You can enter hexadecimal MAC addresses
in either 0xffffffffffff or ffffffffffff format.
See Examples of MAC Address Filters on page 175
for examples of how to use MAC address masks.
[portdst <single-port-number> | <x..y>] [even | odd]
[portsrc <single-port-number> | <x..y>] [even | odd]
Creates a filter for a source or destination application port. You can also specify:
• A range of ports. For example config filter allow
portsrc 5000..5100 will match all source ports
from 5000 to 5100, inclusive.
• Either odd or even port numbers. The even |
odd arguments are useful when setting up filters
for VoIP traffic. Most VoIP implementations send
RTP traffic on even port numbers and RTCP
traffic on odd port numbers.
For example, config filter allow portsrc
5000..5100 odd will match all odd source ports
between 5000 and 5100.
[protocol <gre|icmp|igmp|ipv4ov4|ipv6ov4|rsvp|tcp|udp|<1-byte-hex>>]
Creates a filter for a particular protocol. In this release, you can create protocol filters for gre,
icmp, igmp, IPv4 over IPv4 (ipv4ov4), IPv6 over
IPv4 (ipv6ov4), rsvp, tcp, udp, and one-byte hex
values (<1-byte-hex>).
For example, config filter deny protocol gre will
create a filter that excludes all GRE traffic.
[tosval <1-byte-hex>] Creates a filter pattern for the Type of Service (TOS)
value in an IPv4 header. The TOS value is how
some legacy IPv4 equipment implements quality of
service traffic engineering. The standard values are:
• Minimize-Delay: Hex 0x10 or 10
• Maximize-Throughput: Hex 0x08 or 08
• Maximize-Reliability: Hex 0x04 or 04
• Minimize-Cost: Hex 0x02 or 02
• Normal-Service: Hex 0000 or 00
NOTE: Most network equipment now uses DSCP
to interpret the TOS byte instead of the IP
precedence and TOS value fields.
[ttl <0~255> | <x..y>] (valid range 0..255) Creates a filter for the Time to Live (TTL – IPv4) or
Hop Limit (IPv6) value in an IP packet.
• If there is no ipver argument included in the filter
(or if it is set to 4), GigaVUE-420 matches the
value against the TTL field in IPv4 packets.
• If ipver is set to 6 in the filter, GigaVUE-420
matches the value against the Hop Limit field in
IPv6 packets.
The TTL and Hop Limit fields perform the same
function, specifying the maximum number of hops a
packet can cross before it reaches its destination.
[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
Creates up to two user-defined, 16-byte pattern matches in a filter. A pattern is a particular
sequence of bits at a specific offset from the start of
a frame.
Setting a user-defined pattern match in
GigaVUE-420 consists of the following major steps:
• Specify the two global offsets to be used for
user-defined pattern matches using the config
uda command (uda1_offset and uda2_offset)
• Specify the data pattern and mask using the
config filter command with the
[udax_data][udax_mask] arguments. You use
the mask to specify which bits in the pattern must
match to satisfy the filter.
A single filter can contain up to two user-defined
pattern matches.
NOTE: Always use the predefined filter elements
instead of user-defined pattern matches when
possible.
See Working with User-Defined Pattern Match
Filters on page 237 for details.
[vlan <vlan id (1-4094)> | <x..y>] [odd | even] Creates a filter pattern for a VLAN ID or range of
VLAN IDs. You can also use the odd | even
argument to match alternating VLAN IDs. For
example, config filter allow vlan 200..300 even
will match all even VLAN IDs between 200 and 300.
When you create the map container, you must supply the following
information:
• Whether the map is a single-tool map or a multi-tool map (see
Single-Tool Maps vs. Multi-Tool Maps on page 267 for details).
• The name (alias) of the map
The table below lists and describes the arguments for this command:
Argument Description
type [mt | st] Specifies whether the map is a multi-tool (mt) or
single-tool (st) map.
See Single-Tool Maps vs. Multi-Tool Maps on
page 267 for more information.
config map-rule
The config map-rule command creates a map filter that directs
matching traffic to tool ports, cross-box tool ports, or a virtual drop
port. You can set map-rules that direct traffic based on MAC
addresses, IP addresses, ports, ethertypes, VLAN IDs, protocols, and
TOS values.
The table below lists and describes the arguments for the config
map-rule command. A map-rule consists of the following major
components:
• The name of the map to which the map-rule will belong
(<map-alias>).
The arguments for the map-rule command are exactly the same as
those for the config filter command. See config filter command on
page 297 for a description of each of the arguments.
• The net argument specifies the network ports to which the map is
bound.
• The map argument specifies the name of the map you are
binding.
Pass-alls are only supported within a single GigaVUE-420 box. In
contrast to the GigaVUE-MP, you can now set up pass-alls between
any ports on the GigaVUE-420. See Using the Pass-All Command on
page 250 for detailed information on using the pass-all command.
The table below describes the arguments for the config port-owner
command:
Argument Description
<port-alias | pid-list | pid-x..pid-y> Specifies the ports to which the named user will be granted ownership.
You can grant ownership to a single port (either by alias or number), a
list of ports, or a contiguous series of ports.
owner <name-string> The name of the account being granted port ownership.
Notes on Port-Pairs
• Can be established between any ports on the same GigaVUE-420.
• Can be established between ports using different speeds (for
example, from a 1 Gb port to a 10 Gb port).
NOTE: Depending on traffic volume, port-pairs between ports
using different speeds can cause packet loss when going from a
faster port to a slower port (for example, from 1 Gb to 100 Mbps,
from 10 Gb to 1 Gb, and so on).
• Supports link status propagation – when one port goes down, the
other port goes down (and vice-versa).
[duplex <half | full>] Sets ports to be half or full duplex if autonegotiation is off (10/100 Mbps
operation only).
[forcelinkup <0 | 1>] Forces connection on an optical port (optical ports only). Use this option when
an optical GigaPORT tool port is connected to a legacy optical tool that does
not support autonegotiation.
[medium <electrical | optical>] Specifies whether a GigaPORT module’s port should use the optical or RJ45
port.
[mtu <1518..9600>] Sets the maximum size of packets which are accepted on a port. Factory
default is 9600 bytes.
[speed <10 | 100 | 1000>] Sets the port speed in Mb/s if autonegotiation is off.
[taptx <active | passive>] Specifies whether the relays in the GigaTAP-Tx are open (active mode) or
closed (passive mode).
• In passive mode, the relays in the GigaTAP-Tx module are closed. This
means that traffic received on one port is repeated out the other port in the
pair but is never seen by the GigaVUE-420 – it simply flows between the
two ports.
Passive mode protects production links in case of power failure. The tap
will always revert to passive mode in the event of power loss.
• In active mode, the relays in the GigaTAP-Tx module are open. Traffic
received on one port is still repeated out the other port in the pair, but it
flows through the GigaVUE-420 as well, making it available to tool ports.
[ib_cable_len <1 | 5 | 10 | 15>] (meters) Specifies the length of the InfiniBand copper cable attached to a
GigaLINK-CU port.
config port-type <port-alias | pid-list | pid-x..pid-y> [network | tool | stack]
The table below describes the arguments for the config rad_server
command:
Argument Description
host <ipaddr> Specifies the IP address of the RADIUS server.
[account_port <1~65535>] Specifies the accounting port to be used on the RADIUS server. If you
do not specify a value, GigaVUE-420 will default to the standard
RADIUS accounting port number of 1813.
[timeout <1~90>] (seconds) Specifies how long GigaVUE-420 should wait for a response from the
RADIUS server to an authentication request before declaring a
timeout failure. The default value is three seconds.
[max_tries <1~10>] Specifies the maximum number of times GigaVUE-420 will retry a
failed connection to this RADIUS server before falling back to the next
authentication method specified by the config system aaa command
currently in place. The default value is three tries.
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
These options specify how privilege level checks are performed for
RADIUS servers.
• priv_lvl_check specifies how GigaVUE-420 should assign user
rights for RADIUS users.
• If this option is enabled (the default), the three _priv_lvl options
below it are used to map privilege levels for the corresponding
user types (Audit, Normal, and Super).
• If this option is not enabled, all RADIUS users log in with Super
user rights.
• super_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Super user level when priv_lvl_check
is enabled.
• normal_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Normal user level when priv_lvl_check
is enabled.
• audit_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Audit user level when priv_lvl_check
is enabled.
NOTE: If no values are specified for the three _priv_lvl options and
privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2
(Audit, Normal, and Super, respectively).
NOTE: GigaVUE-420 will not let you enter out-of-order privilege
levels. The value specified for super must be higher than that
specified for normal, and so on.
[alias <alias-string>] Specifies an alphanumeric alias for this RADIUS server to be used in
show rad_server displays.
config restore command
Use the config restore [filename] command to apply a configuration
file stored in flash immediately. For example, to apply gigavue.cfg,
you would use the following command:
config restore gigavue.cfg
NOTE: This will affect connectivity. All connections are deleted before
they are restored.
NOTE: The Box ID stored in the configuration file must match the Box
ID of the target system for a successful restore using a config file. In
addition, the file must have a .cfg extension.
You can include the nb (“next boot”) flag to specify that the saved
configuration file be loaded the next time the GigaVUE-420 unit
reboots. For example, to save a new configuration file named
myconfig.cfg and set it to boot next, you would use the following
command:
config save myconfig.cfg nb
See Using Configuration Files on page 175 for details on working with
configuration files.
ver Version v1
For example, to enable the SNMP server with its default settings, you
would use the following command:
config snmp_server enable 1
snmp_trap [all|none]
[configsave <0|1>] [fanchange <0|1>]
[firmwarechange <0|1>] [modulechange <0|1>]
[portlinkchange <0|1>] [powerchange <0|1>]
[pktdrop <0|1>] [rxtxerror <0|1>]
[systemreset <0|1>] [taptxchange <0|1>]
[userauthfail <0|1>]
[host <ipaddr>] [community <string>]
[port <value>] [ver <1|2>]
[alias <alias-string>]
The table below summarizes the arguments for the config snmp_trap
command. See Using SNMP on page 165 for details on working with
all GigaVUE-420 SNMP options.
Parameter Description
[all | none] Use this attribute to toggle all available trap events on or off. For
example, config snmp_trap all turns on all available trap events.
[configsave <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time the config save filename.cfg
command is used.
[fanchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when the speed of either of the system fans
drops below 4,800 RPM.
[firmwarechange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it boots and detects that its firmware has
been updated from the previous boot.
[modulechange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it detects a change in module type from
the last polling interval. This typically happens when a module is pulled
from a slot or inserted in an empty slot.
[powerchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it detects either of the following events:
• One of the two power supplies is powered on or off.
• Power is lost or restored to one of the two power supplies.
[pktdrop <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it detects that packets have been
dropped on a data port.
[rxtxerror <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it receives one of the following
physical errors on a data port:
• Undersize error
• Fragment
• Jabber
• CRC or Alignment errors
• Unknown errors.
[systemreset <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it starts up, either as a result of
cycling the power or a soft reset initiated by the reset system
command.
[taptxchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a GigaTAP-Tx’s relays switch from
active to passive or passive to active as a result of the config
port-params taptx command.
[userauthfail <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a user login fails.
See Setting Time from an SNTP Server on page 99 for details on setting
up SNTP.
config syslog_server
Use this command to specify an external syslog server as a
destination for GigaVUE-420’s logging output. You can configure a
maximum of one syslog server.
NOTE: If you do not specify a port, the default port of 514 is used.
config system [prompt <string>] Use this command to create individualized prompts
for each GigaVUE-420. This makes it easy to open
CLI sessions with multiple GigaVUE systems and
always know which unit you are configuring.
Maximum of 20 alphanumeric characters. No spaces
allowed.
config system banner [<1 | 0>] Use this command to specify that GigaVUE-420
display a customizable text banner when a user logs
in.
You must have first created and installed the
banner_file.txt file using the install -ban
banner_file.txt [TFTP-server-ipaddr] command.
See Using a Custom Login Banner on page 102 for
details.
config system [date <mm-dd-yy>] Use this command to set the system date.
config system [time <hh:mm:ss>] Use this command to set the system time.
config system timezone <UTC | UTC+hh:mm | UTC-hh:mm> Use this command to set the system’s timezone as
an offset from coordinated universal time (UTC). The
timezone is used to convert the UTC time received
from an SNTP server to local time.
Config System Commands Description
config system dst <1 | 0> Use this command to enable/disable the use of
automatic daylight savings time adjustments.
NOTE: You can only enable this option if you have
specified onset and offset values for Daylight
Savings Time. In addition, the option is only
functional if SNTP is enabled and there is a valid
connection to an SNTP server.
config system [dst_onset <mm-dd-hh:mm>] Specifies the date and time at which Daylight
Savings Time begins.
NOTE: DST starts and ends on a different day every
year – be sure to set this option correspondingly at
the start of every year.
config system [dst_offset <mm-dd-hh:mm>] Specifies the date and time at which Daylight
Savings Time ends.
NOTE: DST starts and ends on a different day every
year – be sure to set this option correspondingly at
the start of every year.
config system [rootdis <1 | 0>] Use this command to disable the root account. This
is handy if you suspect that the root account has
been compromised.
NOTE: This command is disabled if no other super
user other than the root user has been defined.
config system [sntp <1 | 0>] Use this command to enable/disable the use of the
SNTP server specified with the config sntp_server
command for time synchronization.
See Configuring GigaVUE-420 Time Options on
page 99 for details on using an SNTP server.
config system [ssh2 <1 | 0>] Use this command to toggle the supported protocol
for remote connections to the GigaVUE-420’s Mgmt
port between Telnet and SSH2. When SSH2 is
enabled, Telnet is disabled and vice-versa.
See SSH2 vs. Telnet on page 86 for details.
config system [console_baud <9600 | 14400 | 19200 | 38400 | 57600 | 115200>] Use this command to change the baud rate setting of
the Console port. The default is 115200.
config system [console_width <32~1024>] (characters) Use this command to specify the width (in
characters) of the serial port’s CLI display. Use this
together with the width setting for your terminal
software to optimize line wrapping.
config system [mgmt_port <autoneg | duplex | speed | mtu>]
autoneg <1 | 0>
duplex <half | full>
speed <100 | 10>
mtu <320~1518>
Use these commands to configure the GigaVUE-420 Mgmt port’s
autonegotiation, duplex, speed, and MTU settings.
By default, autonegotiation is enabled and MTU is set to 1518 bytes
(the largest standard Ethernet packet size). With autonegotiation
enabled, the Mgmt port will configure its duplex and speed settings to
whatever it is able to negotiate with the connected port.
NOTE: GigaVUE-420’s Mgmt port supports RFC
1191 Path MTU Discovery and can automatically
decrease its MTU if it receives an
ICMP_Needs_Fragmentation packet.
NOTE: Per the 802.3 specification, autonegotiation
is mandatory for 1 Gb speeds over copper
(1000BASE-T).
config system [remote_timeout <x>] Specifies how long GigaVUE-420 will wait before
timing out an inactive SSH2/Telnet session.
Valid values range from 10 to 86400 seconds. The
default is 300 seconds.
config system [dhcp_timeout <x>] Specifies how long GigaVUE-420 will wait for a
response from a DHCP server before timing out the
attempt and reporting a failure.
Valid values are 4, 10, 30, 60, or 100 seconds. The
default is 10.
config system [dhcp <1|0>] [ipaddr <xxx.xxx.xxx.xxx>] [subnetmask <xxx.xxx.xxx.xxx>]
Set up the network properties for the Mgmt port:
• dhcp specifies whether GigaVUE-420 will obtain
an IP address for its Mgmt port from a DHCP
server (1) or use a static address (0). If you set
dhcp to 1, do not supply values for ipaddr,
subnetmask, or gateway.
NOTE: If you enable DHCP, you can also use the
config system dhcp_timeout <4 | 10 | 30 | 60 |
100> command to specify the number of seconds
GigaVUE-420 will wait for a response from a
DHCP server after querying for an address.
• ipaddr specifies the static IP address to use.
• subnetmask specifies the subnet mask to be
used for the IP address.
The system must reboot to apply changes to the
dhcp setting.
config system [ipv6 <1 | 0>] Specifies whether IPv6 is enabled for the
GigaVUE-420 Mgmt port. When IPv6 is enabled,
GigaVUE-420 will operate with support for both IPv4
and IPv6. You can use IPv6 addresses for SSH2,
Telnet, TACACS+, RADIUS, SNTP, and TFTP
applications.
See Configuring IPv6 Network Properties on
page 83.
config system [bid <1~10>] Specifies the local GigaVUE-420’s Box ID. The Box
ID is used when creating cross-box stacks.
config system [x1_bid <bid-list>] Specifies the Box IDs of the GigaVUE-420 systems
accessible from the local box’s x1 port when used as
a stacking port.
config system [x2_bid <bid-list>] Specifies the Box IDs of the GigaVUE-420 systems
accessible from the local box’s x2 port when used as
a stacking port.
config system [active_link <x1 | x2 | both | none>] Activates the x1 and/or x2 stacking ports on a
GigaVUE-420 system. You must activate the 10 Gb
ports you plan to use as stacking ports.
config system [aaa <serial | ethernet> < tacacs+ | local>]
Specifies how users will be authenticated on both the Ethernet
(SSH2/Telnet) and Console (serial) port.
<serial | ethernet>
Specifies which GigaVUE-420 port you are
configuring authentication for:
• serial – Console port.
• ethernet – Mgmt port.
config system [log-level <critical | error | info | verbose>] Specifies the log-level in force on the GigaVUE-420.
The log-level with the least logging is critical – only
critical errors are written to the log file. In contrast,
the log-level with the most logging is verbose – all
events are written to the log file.
See Configuring Logging on page 185 for details on
working with the GigaVUE-420’s logging features.
The table below describes the arguments for the config tac_server
command:
Argument Description
host <ipaddr> Specifies the IP address of the TACACS+ server.
[port <value>] Specifies the port to be used on the TACACS+ server. If you do not
specify a value, GigaVUE-420 will default to the standard TACACS+
port number of 49.
[timeout <1~90>] (seconds) Specifies how long GigaVUE-420 should wait for a response from the
TACACS+ server to an authentication request before declaring a
timeout failure. The default value is three seconds.
[single_connection <1 | 0>] Specifies whether GigaVUE-420 should use the same connection for
multiple TACACS+ transactions (authentication, accounting, and so
on), or open a new connection for each transaction:
• 1 – TACACS+ transactions will use the same session with the
server. The socket will remain open after it is first opened.
• 0 – Each TACACS+ transaction opens a new socket. The socket is
closed when the session is done.
The default is disabled (0).
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
These options specify how privilege level checks are performed for
TACACS+ servers.
• priv_lvl_check specifies how GigaVUE-420 should assign user
rights for TACACS+ users.
• If this option is enabled (the default), the three _priv_lvl options
below it are used to map privilege levels for the corresponding
user types (Audit, Normal, and Super).
• If this option is not enabled, all TACACS+ users log in with
Super user rights.
• super_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Super user level when priv_lvl_check
is enabled.
• normal_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Normal user level when priv_lvl_check
is enabled.
• audit_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Audit user level when priv_lvl_check
is enabled.
NOTE: If no values are specified for the three _priv_lvl options and
privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2
(Audit, Normal, and Super, respectively).
NOTE: GigaVUE-420 will not let you enter out-of-order privilege
levels. The value specified for super must be higher than that
specified for normal, and so on.
[alias <alias-string>] Specifies an alphanumeric alias for this TACACS+ server to be used in
show tac_server displays.
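The privilege-level rules in the RADIUS and TACACS+ tables, and the ssh2 toggle described under config system, can be checked before a command file is pasted into each box. The following Python is an added example, not part of the guide or of GigaVUE software; the sample command lines are constructed from the argument names in the tables, and the keyword/value argument layout is an assumption.

```python
"""Pre-check a pasted CLI script for risky or invalid AAA settings."""

# Ranges as listed in the rad_server / tac_server argument tables.
PRIV_RANGES = {
    "audit_priv_lvl": (0, 13),
    "normal_priv_lvl": (1, 14),
    "super_priv_lvl": (2, 15),
}
ORDER = ["audit_priv_lvl", "normal_priv_lvl", "super_priv_lvl"]


def audit_line(line):
    """Return a list of (code, message) findings for one CLI line."""
    tokens = line.split()
    findings = []
    # With ssh2 set to 0 the Mgmt port accepts Telnet instead of SSH2.
    if tokens[:4] == ["config", "system", "ssh2", "0"]:
        findings.append(("TELNET", "ssh2 0 switches the Mgmt port to Telnet"))
    if tokens[:1] != ["config"] or tokens[1:2] not in (["rad_server"], ["tac_server"]):
        return findings
    # Assumed layout: keyword/value pairs such as host <ip> timeout <n>.
    args = dict(zip(tokens[2::2], tokens[3::2]))
    if args.get("priv_lvl_check") == "0":
        findings.append(("ALL_SUPER",
                         "priv_lvl_check 0: every remote user logs in with Super rights"))
    levels = {}
    for name, (low, high) in PRIV_RANGES.items():
        if name not in args:
            continue
        if not args[name].isdigit() or not low <= int(args[name]) <= high:
            findings.append(("RANGE", f"{name} {args[name]} outside {low}~{high}"))
        else:
            levels[name] = int(args[name])
    # Only the levels present on the line are compared: audit < normal < super.
    present = [name for name in ORDER if name in levels]
    for lower, higher in zip(present, present[1:]):
        if levels[lower] >= levels[higher]:
            findings.append(("ORDER", f"{higher} must be higher than {lower}"))
    return findings


def audit_script(text):
    """Audit each line; return {line_number: findings} for lines with findings."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        found = audit_line(line)
        if found:
            report[number] = found
    return report


# Constructed sample script (addresses are documentation-range placeholders).
SAMPLE = """\
config system ssh2 0
config rad_server host 192.0.2.10 priv_lvl_check 0 alias rad1
config tac_server host 192.0.2.20 super_priv_lvl 10 normal_priv_lvl 12 audit_priv_lvl 1
config tac_server host 192.0.2.21 super_priv_lvl 15 normal_priv_lvl 5 audit_priv_lvl 1
"""

if __name__ == "__main__":
    for number, found in audit_script(SAMPLE).items():
        for code, message in found:
            print(f"line {number}: {code}: {message}")
```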
In many cases, you will be looking for patterns that do not start
exactly on a four-byte boundary. To search in these positions, you
would set an offset at the nearest four-byte boundary and adjust the
pattern and mask accordingly.
See Working with User-Defined Pattern Match Filters on page 237 for
details on how to set up user-defined pattern match
filters/map-rules.
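The MPLS map-rule in the single-tool map example (offset 14, label 0x00017) and the unaligned case described above can both be worked through in code. The Python below is an added example, not Gigamon code: it rounds a field's position down to the nearest valid offset (2, 6, 10, 14, and so on up to 110, as the guide states) and shifts the pattern and mask into the 16-byte window. The function names, the matches software model and the sample frame are constructed for illustration.

```python
"""Derive uda offset/data/mask values for a bit field anywhere in a frame."""

UDA_MIN_OFFSET = 2     # valid offset range quoted in the guide: 2~110
UDA_MAX_OFFSET = 110
UDA_BYTES = 16         # each user-defined pattern covers 16 bytes


def aligned_offset(byte_pos):
    """Largest valid offset (2, 6, 10, 14, ...) at or before byte_pos."""
    if byte_pos < UDA_MIN_OFFSET:
        raise ValueError("bytes 0-1 lie before the first valid offset")
    steps = (byte_pos - UDA_MIN_OFFSET) // 4
    return min(UDA_MIN_OFFSET + 4 * steps, UDA_MAX_OFFSET)


def build_uda(bit_pos, bit_len, value):
    """Return (offset, data, mask) for a field that starts bit_pos bits into
    the frame, is bit_len bits wide and must equal value."""
    if bit_len <= 0 or value < 0 or value >> bit_len:
        raise ValueError("value does not fit in bit_len bits")
    offset = aligned_offset(bit_pos // 8)
    lead = bit_pos - offset * 8              # bits skipped inside the window
    tail = UDA_BYTES * 8 - lead - bit_len    # bits left after the field
    if tail < 0:
        raise ValueError("field does not fit in one 16-byte window")
    data = (value << tail).to_bytes(UDA_BYTES, "big")
    mask = (((1 << bit_len) - 1) << tail).to_bytes(UDA_BYTES, "big")
    return offset, data, mask


def cli_hex(raw):
    """Format 16 bytes as the guide writes them: 0xXXXXXXXX-...-XXXXXXXX."""
    digits = raw.hex()
    return "0x" + "-".join(digits[i:i + 8] for i in range(0, 32, 8))


def matches(frame, offset, data, mask):
    """Software model of the comparison: masked window == masked pattern.
    Frames too short to fill the window are treated as non-matching
    (an assumption of this model, not documented behaviour)."""
    window = frame[offset:offset + UDA_BYTES]
    if len(window) < UDA_BYTES:
        return False
    return all((w & m) == (d & m) for w, d, m in zip(window, data, mask))


def mpls_frame(label, bottom=1, ttl=64):
    """Constructed sample: 12 MAC bytes, ethertype 0x8847, one label entry
    (label:20, TC:3, S:1, TTL:8), then 16 bytes of padding."""
    entry = (label << 12) | (bottom << 8) | ttl
    return bytes(12) + b"\x88\x47" + entry.to_bytes(4, "big") + bytes(16)


if __name__ == "__main__":
    # The guide's case: 20-bit label 0x00017 at byte 14 (already aligned).
    off, data, mask = build_uda(14 * 8, 20, 0x00017)
    print(f"config uda uda1_offset {off}")
    print(f"uda1_data {cli_hex(data)} uda1_mask {cli_hex(mask)}")
    # Unaligned case: the bottom-of-stack bit is bit 23 of the label entry,
    # so it sits in frame byte 16 and the window still starts at offset 14.
    off, data, mask = build_uda(14 * 8 + 23, 1, 1)
    print(off, cli_hex(data), cli_hex(mask))
```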
config user command
Use the config user command to create user accounts. Name strings
have a maximum of 30 alphanumeric characters.
The table below describes the arguments for the config user
command:
Argument Description
<name-string> The name used for this user account. Names must consist of 5-30
alphanumeric characters.
NOTE: You can create a maximum of 40 user accounts on the
GigaVUE-420 box. A maximum of 20 users can be logged into the
GigaVUE-420 unit simultaneously.
description “string” The description string may contain spaces and other characters, but must
be contained in quotation marks (for example, “IT User”). The maximum
number of characters in a description string is 125 alphanumeric
characters.
Description strings appear in the CLI display when performing a show
user command.
config xbmap command
You use the config xbmap command to create a cross-box map
container to hold map-rules that send traffic to cross-box
destinations. You will eventually bind the container to one or more
network ports using the config xbmapping command.
When you create the map container, you must supply the following
information:
• Whether the map is a single-tool map or a multi-tool map (see
Single-Tool Maps vs. Multi-Tool Maps on page 267 for details).
• The name (alias) of the map
The table below lists and describes the arguments for this command:
Argument Description
type [mt | st] Specifies whether the map is a multi-tool (mt) or
single-tool (st) map.
See Single-Tool Maps vs. Multi-Tool Maps on
page 267 for more information.
• The net argument specifies the network ports to which the map is
bound.
• The map argument specifies the name of the map you are
binding.
delete commands
You use delete commands to delete various configured entities on the
GigaVUE-420. Delete commands are always available to super users,
regardless of the lock-level in place. Normal users have varying
access to delete commands depending on the lock-level. See
Appendix C, Lock-Level Reference for details.
delete filter [all | filter-alias | fid-list]
  Deletes the specified filters. You cannot delete filters that are
  currently bound to a port.
delete port-filter [all | <port-alias | pid> [all | filter-alias | fid-list]
  Removes filters from ports. If a filter is bound to more than one
  port, you can remove it selectively from only one of the ports to
  which it is bound.
delete port-owner [all | <port-alias | pid-list | pid-x..pid-y> owner <user-name>]
  Removes a particular owner's port-ownership of one or more ports.
delete map [all | map-alias]
  Deletes one or more maps entirely. You can delete maps that are
  currently bound to network ports.
delete map-rule <map-alias> [tool <port-id-list> | rule <rule-id-list>]
  Deletes a map-rule from a map. Delete one or more rules by tool port
  or rule id.
delete rad_server [all | server-alias | server-id]
  Deletes the specified RADIUS servers.
delete snmp_trap [all | host-alias-list | host-id-list]
  Deletes the specified SNMP trap destination(s).
delete sntp_server [all | server-alias | server-id]
  Deletes the specified SNTP server(s).
delete stack_info
  Resets the values for the bid, x1_bid, back_bid, and active_link
  options to their default values. Note that this will affect all
  existing xbconnections, xbport-filters, and xbmaps. You must restart
  the system after using this command.
delete user [all | user-name-list]
  Deletes a user account. The factory default super user “root” is not
  deletable, but its password (root123) can be changed by a super user
  or the root user.
delete xbmap [all | xbmap-alias-list]
  Deletes a cross-box map on the local box or the cross-box map
  reference to a map on a remote box.
delete xbport-filter [all | <bid-pid> [all | filter-alias | fid-list]]
  Deletes the reference to a filter on a remote box.
exit command
Use this command to exit the current CLI session.
help command
Provides online help. Note that the GigaVUE-420 CLI provides a
variety of different types of online help. See Getting Help in the
Command Line Interface on page 91 for details.
history command
Use the history command to display the last 50 commands you’ve
issued during the current session.
After issuing the history command, you can repeat any of the
commands by typing !<command number>. For example, to repeat
command number 6 in the list, you would type !6 and press Enter.
This makes it easy to reuse a command that you’ve already entered in
the CLI.
install -ban banner_file.txt TFTP-server-ipaddr
  Uploads the banner_file.txt file from the specified TFTP server.
  For example:
    install -ban banner_file.txt 192.168.254.5
  Once banner_file.txt has been uploaded using this command, its
  contents can be displayed as a banner when a user logs in with the
  following command:
    config system banner 1
  See Using a Custom Login Banner on page 102 for details on how to
  set up a custom banner.
install -cfg config_file.cfg TFTP-server-ipaddr
  You can use this option to download a new configuration file for the
  GigaVUE-420 from a TFTP server. GigaVUE-420 can store up to five
  configuration files in flash. If you want to use more than five
  configuration files, you can upload/download the files to/from a
  TFTP server. For example:
    install -cfg gigavue.cfg 192.168.254.5
install command Description
install [-rb] redboot_image_name TFTP-server-ipaddr
  The -rb option is used to install a new redboot image. For example:
    install -rb rbgvs420_1.bin 192.168.254.5
reset commands
Super users can use reset commands to reset either port statistics or
the system configuration. The commands are summarized in the
table below:
reset system [factory-default]
  You can use the reset command without any arguments to reboot the
  system.
  If you use the reset system factory-default command, all settings
  are returned to their factory defaults. Connections, filters, maps,
  map-rules, port-params, port-types, and system settings are all
  erased.
show commands
You use show commands to display the currently configured
parameters of various GigaVUE-420 options.
With the exception of the show diag command, show commands are
available to all users regardless of the lock-level in force on the box.
The show diag command is never available to normal users, but is
always available to audit and super users. See Appendix C, Lock-Level
Reference for details.
The table below lists and describes the available show commands.
show filter [all | filter-alias | fid-list] | [group <apport|dscp|ethertype|ip6fl|ipaddr|ipfrag|mac|multi|uda|protocol|tos|vlan|ttl|tcpctl>]
  Displays configured filters with full descriptions and which ports
  they are applied to, if any. Filters can be displayed as a group of
  filter types using the available arguments.
show hostkeys
  Shows the DSS and RSA Public Keys installed on the GigaVUE-420.
show map-rule [all | map-alias]
  Shows the map rule(s) of a specified map or list of maps.
show port-filter [all | port-alias | pid-list | pid-x..pid-y]
  Shows the active filters by port.
show port-params [all | port-alias | pid-list | pid-x..pid-y]
  Shows the status of the specified port(s), including network or tool
  port-type, link up or down, half or full duplex, speed, MTU size,
  and autonegotiation settings.
  Changes to port parameter values will not appear if the port link
  state is down. However, changes will go into effect once the port
  is up.
show port-stats [all | port-alias | pid-list | pid-x..pid-y | full]
  Shows the MAC layer packet statistics for the specified ports. The
  default is to display a condensed list of statistics. However, an
  optional full list of statistics is available.
  See Appendix D, Port Statistics Counters for a description of the
  port statistics.
show port-owner [all | port-alias | pid-list | pid-x..pid-y] [owner <user-name-list>]
  Displays the port-owners configured by super users. You can display
  all port-owners, the port-owners for a particular set of ports, or
  all ports owned by a specific set of users.
Show Commands Description
show snmp
  Displays the current config snmp_server and config snmp_trap
  settings in place on the unit.
show user [all | audit | normal | super]
  Shows the user accounts at or below your level for this system.
  NOTE: This command works differently for local and TACACS+ users.
  See Differences in Commands for External and Local Users on page 164
  for details.
show whoison
  Shows the users currently logged into the system.
  NOTE: This command works differently for local and TACACS+ users.
  See Differences in Commands for External and Local Users on page 164
  for details.
You can also use the upload command to transfer a log file off the
GigaVUE-420 for use in troubleshooting.
Appendix B
System Parameters
Parameter    Value in GigaVUE-420 v4.0.xx
system name (maximum alphanumeric characters)    30
system prompt (maximum alphanumeric characters)    20
remote_timeout    10 - 86400. Default is 300.
console_width    32 - 1024. Default is 80.
x3    Tool or Network
x4    Tool or Network
User Parameters
Maximum number of users per box    40. Of these 40 user accounts, a maximum of 20 (Telnet) or 10 (SSH2) can be logged into the GigaVUE-420 unit simultaneously.
user name (maximum alphanumeric characters)    30
password (minimum and maximum alphanumeric characters)    6 - 30
Filter Parameters
AND filtering    Parameters in a single filter are joined with a logical AND.
Maximum filters per tool port (1 Gb or 10 Gb)    100 (see the next line; if you have 100 tool port filters on a single port, you cannot have any other ports with tool port filters).
map alias (maximum alphanumeric characters)    30
Maximum collector destinations per map-rule    1 only
xbmap alias (maximum alphanumeric characters)    30
Maximum number of cross-box maps per box    20 (10 single-tool cross-box maps and 10 multi-tool cross-box maps)
Port Parameters
mtu size range    1518 - 9600
port-alias (maximum alphanumeric characters)    30
port-pair alias (maximum alphanumeric characters)    30
SSH2/Telnet Parameters
Maximum number of simultaneous Telnet sessions to one box    20 (in addition to one serial connection)
Maximum number of simultaneous SSH2 sessions to one box    10 (in addition to one serial connection)
Lock-Level Reference
• When lock-level = none, normal users have access to all network
and tool ports.
• When lock-level = medium, normal users have access to all
network ports. However, they can only set up connections, filters,
and maps for tool ports they own.
• When lock-level = high, normal users can only configure
connections, filters, and maps for network and tool ports they
own.
Login Command
The following table lists which account levels can log into
GigaVUE-420 at each supported lock-level.
[Table: login by lock-level and account level. Row: login. Cell note: “Must own at least one port.”]
Show Commands
The following table lists which show commands are available to
different account levels at each supported lock-level.
[Table: show commands by lock-level and account level. Rows: connect, diag, file, filter, hostkeys, log, port-owner, rad_server, snmp, sntp_server, system, symbols, tac_server, uda, user. Cell notes for connect: “Owned TP and all NP.” and “Owned NP/TP only.” Cell notes for port-owner: “Owned TP and all NP.” and “Shows all normal users sharing NP/TP owned by issuer.”]
Delete Commands
The following table lists which delete commands are available to
different account levels at each supported lock-level.
[Table: delete commands by lock-level and account level. Rows: all, file, filter, log, port-owner, rad_server, snmp_trap, sntp_server, stack_info, tac_server, user.]
Config Commands
The following table lists which config commands are available to
different account levels at each supported lock-level.
[Table: config commands by lock-level (None, Medium, High) and account level (Audit User, Normal User, Super User). Rows: connect, file, filter, map, map-rule, mapping, pass-all, port-alias, port-filter, port-params, port-type, rad_server, restore, save, snmp_server, snmp_trap, sntp_server, system, tac_server, uda, user, xbconnect, xbmap, xbmapping, xbport-filter. Cell notes for connect, map, map-rule, mapping, pass-all, port-alias, port-filter, port-params, port-type and xbconnect: “Owned TP and all NP.” and “Owned NP/TP only.” Cell notes for xbmap, xbmapping and xbport-filter: “Owned cross-box TP.”]
Install Command
Only super users can install a new image on the GigaVUE-420,
regardless of the lock-level in place.
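[Table: install command by lock-level and account level. Row: install.]
[Table: reset commands by lock-level and account level. Rows: port-stats, port-stats all, system/factory default. Cell notes for port-stats: “Owned TP and all NP.” and “Owned NP/TP only.”]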
Appendix D
Counter: IfInDiscards
Definition: Total Discarded Packets. Discards are counted in the
following cases:
• Traffic in on a Network port with no logical connection.
• Filters/map-rules applied on a Network port.
• In packets on a Tool port.
• Pause frames.
• Bandwidth exceeded on a Tool port due to oversubscription. See the
GigaVUE-420 and GigaVUE-MP entries below for differences in how
discards are counted due to oversubscription.
GigaVUE-420: Oversubscription/bandwidth exceeded on Tool port in ALL
configurations.
GigaVUE-MP: Oversubscription/bandwidth exceeded only on Tool ports in
a pass-all configuration.
Appendix E
This appendix provides the DB9 and RJ45 pinouts for the serial cable
provided with the GigaVUE-420 unit for connections to the Console
port.
The figures below show the pin numbers for both the DB9 and the
RJ45 ends of the cable. Following the figures, the table shows how the
pins connect on either end of the cable.
RJ45 Pinouts – Figure
The RJ45-RJ45 cable uses straight-through wiring.
2 6 Yellow
3 3 Black
4 2 Orange
6 7 Brown
7 1 Blue
8 8 White
9 No Connection No Connection