
GigaVUE-420

User’s Guide
Software Version 4.0
COPYRIGHT
© 2006-2008 Gigamon Systems LLC. All Rights Reserved. No part of this publication may be reproduced,
transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any
means without the written permission of Gigamon Systems, LLC.

TRADEMARK ATTRIBUTIONS
Gigamon, Gigamon Systems, GigaVUE-420, and GigaVUE-MP are registered trademarks or trademarks of
Gigamon Systems, LLC. All other registered and unregistered trademarks herein are the sole property of their
respective owners.
Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13


Audience of this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
How To Use This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Conventions Used in this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Product Naming Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
GigaVUE-420 Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Other Sources of Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Contacting Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Contacting Sales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 1 Introducing GigaVUE-420 4.0 . . . . . . . . . . . . . . . 21


GigaVUE-420 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
GigaVUE-420 Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
GigaVUE-420 Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
GigaVUE-420 Chassis – Front View (Copper and Optical). . . . . . . . . . . 26
GigaVUE-420 Chassis – Rear View (AC and DC). . . . . . . . . . . . . . . . . . . 26
GigaVUE-420 vs. the GigaVUE-MP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Differences in Hardware Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
GigaVUE-420 – Front View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
GigaVUE-MP – Front View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
GigaVUE-420 – Rear View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

GigaVUE-MP – Rear View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Differences in Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Differences in Maps and Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Differences in Restrictions on Legacy Commands . . . . . . . . . . . . . . . . . . 34
Differences in Stacking Commands for 10 Gb Ports . . . . . . . . . . . . . . . . 35
Differences in Port-Stat Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Differences in Mgmt Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
New Features in GigaVUE-420 v4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
System Management Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Filter and Map-Rule Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Traffic Distribution Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
GigaVUE-420 Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
GigaVUE-420 Physical Dimensions and Weight . . . . . . . . . . . . . . . . . . . . . . . . 42
Power Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Environmental Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Chapter 2 Updating the GigaVUE-420 . . . . . . . . . . . . . . . . . 45

Chapter 3 Getting Started with GigaVUE-420: A Roadmap . 47


First Steps – Getting Connected and into the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Chapter 4 Rack-Mounting the GigaVUE-420 . . . . . . . . . . . . 51


Unpacking GigaVUE-420 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Rack-Mounting the GigaVUE-420 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Safety Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Rack Mounting Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Four-Point Mounting in Four-Post Racks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Center-Mounting in Two-Post Racks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Chapter 5 Connecting the GigaVUE-420 . . . . . . . . . . . . . . . 59


Basic GigaVUE-420 Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Connecting -48 V DC Power Supplies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
GigaVUE-420 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
GigaMGMT Four-Port Base Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
GigaPORT Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
GigaPORT Port Numbering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

GigaTAP-Sx/GigaTAP-Lx/GigaTAP-Zx Modules . . . . . . . . . . . . . . . . . . . . . . 67
GigaTAP-Tx Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Passive Mode vs. Active Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Configuring Tap Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
GigaLINK Modules (CU and XR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Using Modules – Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Traffic Distribution and Replacing Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Chapter 6 Getting Started in the Command Line Interface . . 79


Establishing a Configuration Session with GigaVUE-420 . . . . . . . . . . . . . . . . . . . . . . 79
Local Connections to the Console Port using the Console Cable . . . . . . . . . . 80
Remote Connections to the Mgmt Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Configuring the Mgmt Port’s Network Settings. . . . . . . . . . . . . . . . . . . . 82
SSH2 vs. Telnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Command Line Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
The CLI Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Getting Help in the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Command Line Syntax – Entering Commands . . . . . . . . . . . . . . . . . . . . . . . . . 92
Command Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
The Basic Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Completing the Initial GigaVUE-420 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Initial User Account Configuration (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Configuring the GigaVUE-420 Name and Date . . . . . . . . . . . . . . . . . . . . . . . . . 98
Configuring GigaVUE-420 Time Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Setting Time Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Setting Time from an SNTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Using Automatic Daylight Savings Time Adjustments. . . . . . . . . . . . . 100
Using a Custom Login Banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Saving Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Chapter 7 Stacking GigaVUE-420 Boxes . . . . . . . . . . . . . . 105


About Cross-Box Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
About GigaVUE-420 10 Gb Stacking Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Creating Cross-Box Stacks: A Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Stacking Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Planning the Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Identifying Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Create the Stack Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Create the Configuration Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configuring a Box’s Stacking Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Assigning Box IDs: config system bid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Designating Stacking Ports: config port-type . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Specifying Neighbor Boxes: config system x1_bid/x2_bid . . . . . . . . . . . . . . 117
Sample Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring Cable Lengths (GigaLINK-CU Stacking Ports) . . . . . . . . . . . . . 118
Activating Stacking Ports: config system active_link . . . . . . . . . . . . . . . . . . . 119
Stack Examples: CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Example: Two-Box Cross-Box Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Example: Cross-Box Stack with Four Systems . . . . . . . . . . . . . . . . . . . . 121
Making Physical Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Verifying a Cross-Box Stack’s Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Check the show diag Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Set Up Cross-Box Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Configuring Cross-Box Packet Distribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Troubleshooting Cross-Box Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Making Changes to an Existing Cross-Box Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Adding a Box to the Edge of a Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Remove a Box from the Edge of a Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Adding a Box to the Middle of a Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Disconnect a Box in the Middle of a Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Power Loss Considerations for Cross-Box Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Power Loss on Box in the Middle of a Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Power Loss and Power Restore to the Entire Stack . . . . . . . . . . . . . . . . . . . . . 131

Chapter 8 Configuring GigaVUE-420 Security Options . . . 133


About GigaVUE-420 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Configuring Users and Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Changing Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Maximum Simultaneous Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring Lock Levels and Port Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Syntax for the config system lock-level Command . . . . . . . . . . . . . . . . . . . . . 141
Syntax for the config port-owner Command . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Configuring Authentication (AAA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Authentication Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Syntax for the config system aaa Command . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Using GigaVUE-420 with an External Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . 148
Specifying TACACS+ Servers in GigaVUE-420 . . . . . . . . . . . . . . . . . . . 149
Specifying RADIUS Servers in GigaVUE-420 . . . . . . . . . . . . . . . . . . . . . 152
Setting up GigaVUE-420 Users in an External Authentication Server . . . . . . . . . . . . . . . 156
Differences in Commands for External and Local Users . . . . . . . . . . . . . . . . 164

Chapter 9 Using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . 165


Configuring SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Adding a Destination for SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Example – Adding SNMP Trap Destinations . . . . . . . . . . . . . . . . . . . . . 167
Enabling GigaVUE-420 Events for SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . 169
Example – All Trap Events Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Receiving Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Enabling GigaVUE-420’s SNMP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Chapter 10 Using Configuration Files . . . . . . . . . . . . . . . . 175


What’s Saved In a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Saving a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Viewing the Contents of a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Storing Configuration Files on a TFTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Uploading a Configuration File to a TFTP Server . . . . . . . . . . . . . . . . . . . . . . . 179
Downloading a Configuration File from a TFTP Server . . . . . . . . . . . . . . . . . 180
Applying Configuration Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Applying a Configuration File from Flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Setting a Configuration File to Boot Next . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Restoring Configuration Files in a Cross-Box Stack . . . . . . . . . . . . . . . . . . . . 183

Chapter 11 Configuring Logging . . . . . . . . . . . . . . . . . . . 185


Configuring Logging – A Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Specifying Which Events Are Logged . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
About syslog.log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Specifying an External Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Packet Format for Syslog Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Viewing Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Uploading Log Files for Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Example – Saving a Log File to a Spreadsheet . . . . . . . . . . . . . . . . . . . . . . . . . 192

Chapter 12 Introducing Packet Distribution . . . . . . . . . . . 197


About Packet Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
About Network and Tool Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Designating a Port’s port-type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Packet Distribution Illustrated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
About Single-Box and Cross-Box Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Cross-Box Commands: Enter All Commands on All Boxes . . . . . . . . . . . . . . 202
Getting Started with Packet Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Example – Designating and Connecting Tool Ports . . . . . . . . . . . . . . . . . . . . 205
Connecting vs. Mapping – The Differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
About Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Connection Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
About Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Map Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Combining Pass-All with Connections and Maps . . . . . . . . . . . . . . . . . . . . . . 213
Sharing Network and Tool Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Chapter 13 Connections, Filters, and Pass-Alls . . . . . . . . . 215


Cross-Box Config: Enter Commands on All Boxes . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Connecting Network Ports to Tool Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Connection Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Showing Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Deleting Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Using Filters with Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Using Filters – Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Pre-Filters vs. Post-Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Example: When to Use Pre-Filters and Post-Filters . . . . . . . . . . . . . . . . 220
IPv4/IPv6 and Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Config Filter Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Setting Filters for TCP Control Bits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Using Bit Count Subnet Netmasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Combining Filters and Filter Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Examples of Filter Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Working with User-Defined Pattern Match Filters . . . . . . . . . . . . . . . . . . . . . 237
User-Defined Pattern Match Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
User-Defined Pattern Match Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
User-Defined Pattern Match Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Mixing Allow and Deny Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Showing Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Deleting Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Filter Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Filtering on RTP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
MAC Address Filter Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Example 1 – Deny Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Example 2 – Allow Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Example 3 – Deny Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Example 4 – Denying Odd-Numbered MAC Addresses . . . . . . . . . . . 248
Example 5 – Allowing Odd-Numbered MAC Addresses . . . . . . . . . . . 249
Using the Pass-All Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Syntax for config pass-all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Rules for config pass-all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Maximum Number of Pass-All Destinations . . . . . . . . . . . . . . . . . . . . . 252
Pass-All Matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Filters and the config pass-all Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Examples for config pass-all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Illustration of Pass-Alls in the Show Connect Screen . . . . . . . . . . . . . . 260

Chapter 14 Working with Maps (Single-Box and Cross-Box) . . . 263

Cross-Box Config: Enter Commands on All Boxes . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Mapping Network Ports to Tool Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Creating Maps: config map/config xbmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Single-Tool Maps vs. Multi-Tool Maps . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Syntax for the config map / config xbmap Commands . . . . . . . . . . . . 270
Creating Map-Rules: config map-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
How GigaVUE-420 Processes Map-Rules . . . . . . . . . . . . . . . . . . . . . . . . 271
Syntax for the config map-rule Command . . . . . . . . . . . . . . . . . . . . . . . 271
Binding Maps to Ports: config mapping / config xbmapping . . . . . . . . . . . . . . . . . . . . 273

Syntax for config mapping /config xbmapping . . . . . . . . . . . . . . . . . . . 273
Showing Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Changing Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Adding Map-Rules to Single-Box/Cross-Box Maps . . . . . . . . . . . . . . . 277
Deleting a Map-Rule from Single-Box/Cross-Box Maps . . . . . . . . . . . 278
Deleting a Single-Box Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Deleting a Single-Box/Cross-Box Map . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Combining Pass-All with Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Map-Rule Priority and Guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Map Creation Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Map Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Map Example – Selectively Forwarding VLAN Ranges . . . . . . . . . . . . . . . . . 282
What this Map Will Do. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Commands to Create this Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Showing the Map in the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Map Illustration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Map Example – Single-Tool vs. Multi-Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Single-Tool Map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Multi-Tool Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Command Line Reference . . . . . . . . . . . . . . . . . . . . . . . . . 295


config commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
config connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
config file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
config filter command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
config map command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
config map-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
config mapping command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
config pass-all command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
config password command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
config port-alias command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
config port-filter command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
config port-owner command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
config port-pair command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
config port-pair and GigaTAP-Tx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
config port-params commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
config port-type command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
config rad_server command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

config restore command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
config save command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
config snmp_server commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
config snmp_trap commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
config sntp_server command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
config syslog_server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
config system commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
config tac_server command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
config uda command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
config user command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
config xbconnect command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
config xbmap command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
config xbmapping command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
config xbport-filter command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
delete commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
exit command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
help command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
history command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
install commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
logout command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
reset commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
show commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
upload command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

CLI Parameter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Lock-Level Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347


About Lock-Levels and Port Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Abbreviations in this Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Login Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Delete Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Config Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Install Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Reset Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356

Port Statistics Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

Console Cable Pinouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359


DB9 Pinouts – Figure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
RJ45 Pinouts – Figure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
DB9 to RJ45 Pinouts – Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

About This Guide

This guide describes how to install, connect, configure, and operate
the GigaVUE-420™ data access switch.

Audience of this Guide


This guide assumes that you are familiar with basic networking
concepts and are comfortable configuring network equipment such
as switches and routers in a command-line interface.

How To Use This Guide
This User’s Guide is divided into several main sections. Each section
corresponds to a different stage of GigaVUE-420 operations, as
summarized below.

Welcome to GigaVUE-420 4.0
These chapters introduce you to the GigaVUE-420 and orient
GigaVUE-MP customers to the new product. They also describe how to
upgrade the system once new versions are available.
• Chapter 1, Introducing GigaVUE-420 4.0
• Chapter 2, Updating the GigaVUE-420

Initial Configuration
These chapters describe how to perform the initial system
configuration of the GigaVUE-420 4.0. After working through these
chapters, your unit will be up and running. You will most likely only
need to read these chapters once.
• Chapter 3, Getting Started with GigaVUE-420: A Roadmap
• Chapter 4, Rack-Mounting the GigaVUE-420
• Chapter 5, Connecting the GigaVUE-420
• Chapter 6, Getting Started in the Command Line Interface
• Chapter 7, Stacking GigaVUE-420 Boxes
• Chapter 8, Configuring GigaVUE-420 Security Options
• Chapter 9, Using SNMP
• Chapter 10, Using Configuration Files
• Chapter 11, Configuring Logging

Configuring Packet Distribution
These chapters describe the core features of GigaVUE-420 4.0 – how
to configure the distribution of traffic arriving at network ports to
destination tool ports. You will likely return to these chapters
frequently as you use the product.
• Chapter 12, Introducing Packet Distribution
• Chapter 13, Connections, Filters, and Pass-Alls
• Chapter 14, Working with Maps (Single-Box and Cross-Box)

Appendixes
These chapters provide useful reference information. You will likely
return to these chapters as you have specific questions about
GigaVUE-420 features.
• Appendix A, Command Line Reference
• Appendix B, CLI Parameter Limits
• Appendix C, Lock-Level Reference
• Appendix D, Port Statistics Counters
• Appendix E, Console Cable Pinouts


Conventions Used in this Guide
The following notational conventions are used in this guide.
Bold face: Bold is used for GigaVUE-420 CLI commands within text. For
example:
    Use the config connect command to connect a network port to a
    tool port.

Bold Sans-Serif: Bold, sans-serif font is used for GigaVUE-420 CLI
commands when standing by themselves (for example, where the only text
on a line is a CLI command, or within a table cell).

Italic: Italic font is used in two different ways:
- the first time a new term or concept is introduced,
- in cross references to headings or chapters. For example:
    See About Tool Ports on page 44.

Product Naming Conventions


This guide refers to GigaVUE-420 components by the names used in
the command-line reference. Occasionally, these names may be
slightly different than those used by Gigamon sales literature. The
following table shows how the names used in this manual
correspond to those used by sales literature.

Engineering Product Name | Sales Product Name | Description
GigaLINK-CU | GigaLINK-CU | Optional 10 Gb copper interface for stacking, network or tool port use.
GigaLINK-SR | GigaLINK-XR | Optional 10 Gb optical Short Range interface for stacking, network or tool port use.
GigaLINK-LR | GigaLINK-XR | Optional 10 Gb optical Long Range interface for stacking, network or tool port use.
GigaLINK-ER | GigaLINK-XR | Optional 10 Gb optical Extended Range interface for stacking, network or tool port use.
GigaTAP-Tx | GigaTAP-Tx | Dual Copper Tap Module
GigaTAP-Sx | GigaTAP-Sx | Dual Multi Mode 850 nm Optical Tap Module
GigaTAP-Lx | GigaTAP-Lx | Dual Single Mode 1310 nm Optical Tap Module
GigaTAP-Zx | GigaTAP-Zx | Dual Single Mode 1550 Optical Tap Module
GigaPORT | GigaPORT | 4 port Copper/Optical SFP Expansion Module

GigaVUE-420 Models
There are four basic GigaVUE-420 models available:

Sales Product Name | Description
GVS-421 | Copper GigaMGMT Module, AC Power
GVS-422 | Optical GigaMGMT Module, AC Power
GVS-423 | Copper GigaMGMT Module, DC Power
GVS-424 | Optical GigaMGMT Module, DC Power


Other Sources of Information
GigaVUE-420 provides other sources of information that can help
you get up to speed with the equipment, including an online help
system. There are several ways to use online help:
• Whenever you are working with the command-line interface, you
can type either ? or help to see a basic description of GigaVUE-420
commands.
• Command Completion. If you have partially typed a command,
you can press Tab and the CLI will attempt to complete the
command for you based on what’s been entered so far. If it is
unable to complete the command, the CLI will simply redraw the
line with the cursor at the end of the line.
• Word Help. When you are typing a command and are not sure
how to spell the word you are working on, type a ? mark
immediately following the partially-typed word (for example,
config x?). The CLI will show you a list of all possible words
using the word entered so far.
• Command Help. When you are typing a command and have
finished a word but are not sure what the rest of the syntax is, you
can type a space after the word and then a ?. The CLI will list all
possible commands using the words you have entered so far. For
example, if you type config system ?, the CLI will return all
possible config system commands.

Contacting Customer Support
Contact Gigamon Systems LLC’s Support department with product
questions using the information in Table i. The Customer Service
department’s hours of operation are from 7:30 AM to 5:30 PM Pacific
Time, Monday through Friday.

Table i: Customer Support Contact Information


Telephone: (408) 263-2022
Fax: (408) 263-2023
E-Mail: support@gigamon.com
Web: http://www.gigamon.com
Mail: 736 South Hillview Drive, Milpitas, CA 95035


Contacting Sales
Table ii shows how to reach the Sales Department at Gigamon
Systems.

Table ii: Sales Contact Information


Telephone: (408) 263-2022
Sales: info@gigamon.com
Chapter 1

Introducing GigaVUE-420 4.0

This section introduces the GigaVUE-420 4.0 data access switch,
describes its features and functions, and provides an orientation to
the physical layout of the box. It includes the following major
sections:
• GigaVUE-420 Overview on page 21
• GigaVUE-420 Chassis on page 25
• GigaVUE-420 vs. the GigaVUE-MP on page 28
• New Features in GigaVUE-420 v4.0 on page 37
• GigaVUE-420 Specifications on page 42

GigaVUE-420 Overview
GigaVUE-420 is an out-of-band data access switch for enterprise
networks. It provides dynamic connectivity for 10 Gb and 1 Gb
Ethernet network monitor, compliance, and archival tools, including:
• Intrusion Detection Systems
• Protocol Analyzers
• VoIP Analyzers
• Application Performance Monitors
• Stream-to-Disk Data Recorders

GigaVUE-420 Features and Benefits


GigaVUE-420 unobtrusively acquires and maps relevant traffic from
multiple data sources to multiple tools, including the following
common scenarios:

Filtering and Mapping (Any-to-Any): Direct traffic from any network
port to any tool port. Use filters to focus on particular traffic
types. Use map-rules to send different types of traffic to different
tool ports.

Aggregation (Many-to-Any): Aggregate traffic from multiple links to
deliver a “big pipe” view to any tool. Merge Tx and Rx traffic into a
single tool interface.

Multicasting (Any-to-Many): Multiplex filtered or unfiltered, singular
or aggregated traffic to multiple tools.

Figure 1-1 summarizes these features:

Figure 1-1: GigaVUE-420 Features


The table below lists GigaVUE-420’s major features and benefits.

Share SPAN Ports: Connect a SPAN port to a network port on the
GigaVUE-420. Then, use GigaVUE-420’s command-line interface to
multicast that traffic to multiple different tool ports, giving
multiple different tools access to the same data. You can apply
different filters to individual tool ports to ensure that each tool
sees the data that best suits its individual strengths.

Aggregate Links: Send the data from multiple different network ports
to one or more tool ports, allowing you to combine traffic from
multiple access points into a single stream for analysis.

Filter Packets: Set both pre-filters and post-filters, allowing or
denying traffic that meets specified criteria, including IP address
and port ranges, VLAN IDs, protocols, and so on.
• Pre-filters are filters applied on a network port.
• Post-filters are filters applied on a tool port.

Remote Management: Configure GigaVUE-420’s operations from an
intuitive command-line interface:
• Local access over the serial Console port.
• Remote network access using Telnet or SSH2 over the 10/100/1000
Ethernet Management port.
• Secure access to the CLI, either through local authentication or
optional RADIUS/TACACS+ support.

Fault Tolerant Taps: GigaTAP modules protect production links at all
times (for copper, relay closes if power fails; for fiber, optical
link maintains connection).

Modularized Design: Install once and never touch any links again. You
can move, add, and reconfigure tools at will without affecting
production networks.

10 Gb Support:
• Support for up to four separate 10 Gb ports, allowing for a full tap
of both sides of two full-duplex 10 Gb links.
• Aggregate multiple 1 Gb network ports to a 10 Gb tool port.
• Split out a 10 Gb network port to multiple 1 Gb tool ports.
• 10 Gb ports in x1/x2 slots can be used for stacking multiple
GigaVUE-420 systems.
GigaVUE-420 Chassis
Each GigaVUE-420 unit consists of a 1U, rack-mountable, 19”-wide
chassis. The chassis comes equipped with a 4-port base unit
(GigaMGMT) permanently installed on the front side, available with
either copper or optical ports. Figure 1-2 shows front and rear views
of the GigaVUE-420:

Figure 1-2: The GigaVUE-420 Chassis. Front views (copper and optical
versions) show the base ports and the optional front module slots.
Rear views (AC and DC versions) show the power supplies, the power
supply audible alarm reset button, Fan 1, Fan 2, and the optional rear
10 Gb module slots (populated in the DC view).

Chassis Front – 10/100/1000 Modules

As shown in Figure 1-2, the front of the GigaVUE-420 chassis accepts
up to four hot-swappable, 4-port, 10/100/1000 modules for a total of
20 ports. The following modules are available for the chassis front:
• GigaPORT Module (Four-port UTP or SFP)
• GigaTAP-Sx /GigaTAP-Lx/GigaTAP-Zx Module
• GigaTAP-Tx Module
NOTE: See GigaVUE-420 Modules on page 63 for more information on
the base unit and optional modules.

Chassis Rear – 10 Gb Modules

You can install up to four hot-swappable 10 Gb modules on the rear
side of the chassis. Slots for 10 Gb modules are numbered x1 – x4.
This same terminology is used when working with the 10 Gb ports in
the GigaVUE CLI.

Both copper (GigaLINK-CU) and optical (GigaLINK-XR) 10 Gb
modules are available for the x1 – x4 slots.

Total Available Ports in a Maximally Sized Stack

You can stack up to 10 GigaVUE-420 systems for a total of 222
potential network/tool ports. There would be 240 total ports in such
a stack (24 x 10). Of the total potential 240 ports, eighteen would be
used as stack ports – two apiece for each of the 8 middle systems and
one on each of the stack endpoints.


GigaVUE-420 vs. the GigaVUE-MP
The GigaVUE-420 is the next generation of Gigamon Systems’
award-winning GigaVUE-MP data access switch. This section lists
and describes the major differences between the two products.

Differences in Hardware Features


The GigaVUE-420 takes the power built into the GigaVUE-MP and
increases its 10 Gb support. Users familiar with the GigaVUE-MP will
notice some key differences in the GigaVUE systems shown in
Figure 1-3 and Figure 1-4 right away:
• More 10 Gb Ports – Instead of the two possible 10 Gb ports
provided by the GigaVUE-MP, you can now have up to four
separate 10 Gb ports. In contrast to the GigaVUE-MP’s front and
rear-mounted 10 Gb ports, 10 Gb ports on the GigaVUE-420 are
all rear-mounted in individual module slots (numbered from x1 to
x4). You can use any combination of fiber-optical (GigaLINK-XR)
or copper (GigaLINK-CU) 10 Gb modules.
• More Front Module Slots – You still get a maximum of 20
separate 10/100/1000 ports on the front of the GigaVUE, but now
those ports are distributed across the four ports in the base
GigaMGMT unit (available with copper or optical ports) and four
optional module slots. In contrast, the GigaVUE-MP used an
8-port base module (the GigaMUX) and included three optional
module slots.
The types of optional modules available for the GigaVUE-420 are
still the same as those available with the GigaVUE-MP:
• GigaPORT Module (Four-port UTP or SFP)
• GigaTAP-Sx /GigaTAP-Lx/GigaTAP-Zx Module
• GigaTAP-Tx Module
NOTE: The modules listed above are interchangeable. If you have
existing versions from the GigaVUE-MP, you can use them in the
GigaVUE-420.

Figure 1-3: GigaVUE-420 vs. GigaVUE-MP – The Front Side (front views
of the GigaVUE-420 and the GigaVUE-MP, with the following callouts)
• The GV-420’s base module includes four ports (copper or optical)
instead of eight, giving you more slots for different module types.
• Both systems accept the same optional module types (GigaPORT and
GigaTAP) and support a maximum of 20 ports on the front side. However,
the GV-420 has four optional module slots instead of three.


Figure 1-4: GigaVUE-420 vs. GigaVUE-MP – The Back Side (rear views of
the GigaVUE-420 and the GigaVUE-MP, with the following callouts)
• Both systems use the same power supplies. DC power supplies are also
available.
• The GigaVUE-420 supports up to four separate copper or optical 10 Gb
modules. In contrast, the GigaVUE-MP supported a maximum of two (one in
the front and one in the rear).

Differences in Software Features
GigaVUE-MP users will have no trouble adjusting to the
GigaVUE-420 – the new system’s CLI works much the same as the
old system. However, there are some key differences, as summarized
in the tables below.

Differences in Maps and Filters


Many of the limitations regarding maps and filters have been relaxed
on the GigaVUE-420, as summarized below:

Maximum Number of Localized Cross-Box, Multi-Tool Maps
(A multi-tool cross-box map is considered localized when it is mapped
to at least one network port on the local box.)
  GigaVUE-MP 3.5: 4
  GigaVUE-420 4.0: 10

Maximum Number of Filter Entries in Database
  GigaVUE-MP 3.5: 200
  GigaVUE-420 4.0: 4,000

Maximum Number of Tool Ports with Filters Bound
  GigaVUE-MP 3.5: 4
  GigaVUE-420 4.0: 23

Maximum Number of Filters Bound to Tool Ports per Box (tool port-filters)
  GigaVUE-MP 3.5: 480
  GigaVUE-420 4.0: 100

Maximum Number of Network Port Filters and Single-Tool Map-Rules Bound per Box
  GigaVUE-MP 3.5: 2520 network port-filters; 3600 map-rules
  GigaVUE-420 4.0: 2048

Maximum Number of Multi-Tool Map-Rules Bound per Box
  GigaVUE-MP 3.5: 1680
  GigaVUE-420 4.0: 512



User-Defined Pattern Match Filters
  GigaVUE-MP 3.5:
  • Supports 4-byte patterns.
  • Supports offsets at 4-byte boundaries from 0-80 bytes.
  • Offsets configured within config filter command.
  • Patterns configured using config filter [offsetx <1-byte-hex>]
    [datax <4-byte-hex>] [maskx <4-byte-hex>] command.
  • User-defined pattern match filters available in multi-tool maps and
    tool port filters.
  GigaVUE-420 4.0:
  • Supports 16-byte patterns.
  • Supports offsets at 4-byte boundaries from 2-126 bytes.
  • Offsets configured separately from patterns using the config uda
    command.
  • Patterns configured using config filter [udax_data <16-byte-hex>]
    [udax_mask <16-byte-hex>] command.
  • User-defined pattern match filters not available in multi-tool maps
    and tool port filters. Use single-tool maps or network port-filters
    for user-defined pattern matches.

Filtered Tool Port Sharing
  GigaVUE-MP 3.5: Filtered tool ports cannot be shared with a map-rule.
  GigaVUE-420 4.0: Filtered tool ports can be shared with a connect,
  map-rule, xbconnect, or xbmap-rule.

Applying Filters to Unconnected Tool Ports
  GigaVUE-MP 3.5: Filters can only be applied to tool ports with a
  connection in place.
  GigaVUE-420 4.0: Filters can now be applied to tool ports without a
  connection in place.
  NOTE: You still cannot apply a filter to a network port without a
  connection in place.

Overlapping Map-Rule Ranges
  GigaVUE-MP 3.5: Overlapping ranges in map-rules only allowed when
  other arguments in map-rule are different.
  GigaVUE-420 4.0: Overlapping ranges in map-rules allowed regardless of
  whether other arguments in map-rule are different.

Filters/Map-Rules for IP Fragments
  GigaVUE-MP 3.5:
  • Matches all fragments for all conversations. Intended to be used in
    a single map-rule with no other attributes.
  • Only available in map-rules.
  • Filter either fragments or no fragments.
  GigaVUE-420 4.0:
  • Can be combined with IP Address and Port filters to focus on
    fragments associated with specific traffic.
  • Available in both filters and map-rules.
  • Filter on different types of fragments, including:
      • Unfragmented packets
      • Fragment in IP header
      • Unfragmented or fragment in IP header
      • Fragment but not in IP header
      • All fragments

Choosing Map Types in the GigaVUE-420


As with the GigaVUE-MP, the GigaVUE-420 supports both
single-tool and multi-tool maps. However, when working with the
GigaVUE-420, it’s important to understand the trade-offs that
accompany these map types. In general:

Single-Tool Maps

Use single-tool maps if you want to use user-defined pattern match
filters. The trade-off is that you will have fewer port-pair and pass-all
resources for ports in single-tool maps. Single-tool maps consume
system resources needed to construct pass-alls and port-pairs.

Single-Tool Maps
Plus:
• Support Pattern Match Filters
Minus:
• Fewer Port-Pairs (2 instead of 12)
• Fewer Pass-All Destination Ports for Ports in the Map (4 instead of 23)



Multi-Tool Maps

Multi-tool maps can consist entirely of map-rules that only send
traffic to a single tool port. There is no requirement that a multi-tool
map have at least one multi-tool rule.

This is important to keep in mind when deciding which type of map
to use – you can use a multi-tool map if you want to maximize the
number of pass-alls and port-pairs available for ports in the map. The
trade-off is that you will not be able to use user-defined pattern
matches in multi-tool map-rules.

Multi-Tool Maps
Plus:
• More Port-Pairs (12 instead of 2)
• More Pass-All Destination Ports for Ports in the Map (23 instead of 4)
Minus:
• No User-Defined Pattern Match Map-Rules

Differences in Restrictions on Legacy Commands

Port-Pair
  GigaVUE-MP 3.5:
  • Can only be established between ports in the same module.
  • Can only be established between ports running at the same speed.
  • No support for link status propagation.
  GigaVUE-420 4.0:
  • Can be established between any ports on the same GigaVUE-420.
  • Can be established between ports using different speeds (for
    example, from a 1 Gb port to a 10 Gb port).
  • Supports link status propagation – when one port goes down, the
    other port goes down (and vice-versa).

Pass-All
  GigaVUE-MP 3.5:
  • Can only be established within the GigaMGMT (ports 1-8) or within
    ports 9-20.
  • Can only be established to a single tool port destination.
  GigaVUE-420 4.0:
  • Can be established between any ports on the GigaVUE-420.
  • Can be established to multiple tool port destinations.

Cross-Box Maps
  GigaVUE-MP 3.5: Not allowed over optical stacking ports.
  GigaVUE-420 4.0: Allowed over optical stacking ports.

Differences in Stacking Commands for 10 Gb Ports
Many of the arguments for the stacking commands in the
GigaVUE-MP used “front” and “back” designators for the 10 Gb
ports. Because the GigaVUE-420’s 10 Gb ports are all on the back of
the unit now, the arguments for these commands have changed to
use x1 and x2 instead. The table below summarizes the differences.

config system active_link
Specifies which stacking ports are in use on the GigaVUE-420.
  GigaVUE-MP 3.5: config system active_link <front | back | both | none>
  GigaVUE-420 4.0: config system active_link <x1 | x2 | both | none>

Specifying Stack Neighbors
These commands inform the local GigaVUE-420 of the boxes reachable
from its stacking ports. These commands are renamed so that they no
longer use the “front” and “back” designators.
  GigaVUE-MP 3.5: config system front_bid <1-10>
                  config system back_bid <1-10>
  GigaVUE-420 4.0: config system x1_bid <1-10>
                   config system x2_bid <1-10>

Configuring Cable Lengths
You must specify the cable length for any copper stacking port
connections. These commands are renamed and have moved from config
system to config port-params.
  GigaVUE-MP 3.5: config system front_glink_cable_len
                  config system back_glink_cable_len
                  Changes to cable length settings saved immediately.
  GigaVUE-420 4.0: config port-params <port-id> ib_cable_len
                   Changes to cable length settings must be saved
                   manually using config save.

Differences in Port-Stat Counters


Some of the port statistics shown by the show port-stats command
are counted differently on the GigaVUE-420. See Appendix D, Port
Statistics Counters for a full description of the available port statistics.

IfInOctets
  GigaVUE-MP 3.5: Includes undersize frames.
  GigaVUE-420 4.0: Excludes undersize frames.

IfInUcastPkts
  GigaVUE-MP 3.5: Includes packets with FCS/CRC errors.
  GigaVUE-420 4.0: Excludes packets with FCS/CRC errors.

IfInDiscards
  GigaVUE-MP 3.5: Discards due to oversubscription counted only on Tool
  ports in a pass-all configuration.
  GigaVUE-420 4.0: Discards due to oversubscription counted on Tool port
  in ALL configurations.

IfOutDiscards
  GigaVUE-MP 3.5: Not supported in GigaVUE-MP
  GigaVUE-420 4.0: Supported in GigaVUE-420
  This counter increments when a packet is discarded at a tool port due
  to a tool port filter.

IfInError
  GigaVUE-MP 3.5: Includes oversize packets without FCS/CRC.
  GigaVUE-420 4.0: Excludes oversize packets without FCS/CRC.

Differences in Mgmt Port


You can configure speed and duplex options for the GigaVUE-420’s
Mgmt port:

Mgmt Port Speed
  GigaVUE-MP 3.5: Unconfigurable. Maximum speed of 100 Mbps.
  GigaVUE-420 4.0: Configurable. The maximum configurable speed is
  100 Mbps. However, with autonegotiation enabled, the Mgmt port can
  negotiate a 1 Gb speed.

Mgmt Port Duplex
  GigaVUE-MP 3.5: Unconfigurable.
  GigaVUE-420 4.0: Configurable for 10/100 Mbps. To achieve 1 Gb speed,
  autonegotiation must be enabled.

New Features in GigaVUE-420 v4.0
This section summarizes the major features in GigaVUE-420 v4.0,
including the changes relative to the GigaVUE-MP 3.5 release.
Features are grouped into the following major categories:
• System Management Features on page 37
• Filter and Map-Rule Features on page 39
• Traffic Distribution Features on page 41

System Management Features

Logging: GigaVUE-420 introduces comprehensive logging capabilities to
keep track of events on the unit. Logged events are always written
to the local syslog.log file. In addition, you can optionally specify
an external syslog server as a destination for GigaVUE-420’s
logging output.
First, check the log-level to make sure the events you’re interested
in will be logged (the default log-level is Info, but you can change
it). Then, use the show log command to view available log files and
log file contents. You can filter the show log output by priority, type,
and date range. You can also use the tail argument to show only
the last x entries in the log.
See Configuring Logging on page 185 for information on working
with logging.

Upload Log Files: You can use the upload -log command to upload saved
log files to a TFTP server. This can be useful for troubleshooting
issues with Support staff. If you used the delim option to display the
log file in comma-delimited format, you can easily import the file
into a spreadsheet application.
See Uploading Log Files for Troubleshooting on page 192 for
details.



History: GigaVUE-420 includes a new History command that lets you see
the last 50 commands you’ve issued during the current session.
After issuing the History command, you can repeat any of the
commands by typing !<command number>. For example, to
repeat command number 6 in the list, you would type !6 and press
Enter. This makes it easy to reuse a command that you’ve already
entered in the CLI.
The History command is particularly useful when trying to construct
complex map-rules or filters – long commands with exact syntax.
Occasionally, you may try to construct a complex map-rule before
its destination port is set up as a tool port, causing GigaVUE to
reject the rule. In a case like this, you could configure the
destination port as a tool port and then use the History command
to reuse the previously rejected config map-rule command. With
the destination port properly configured as a tool port, GigaVUE will
no longer reject the rule.
See history command on page 333 for details.

SNMP Traps: GigaVUE-420 adds new powerchange and fanchange SNMP trap
events.
The powerchange trap is generated when:
• One of the two power supplies is powered on or off.
• Power is lost or restored to one of the two power supplies.
The fanchange trap is generated when the speed of one of the two
fans on the GigaVUE-420 drops below 4,800 RPM.
See Enabling GigaVUE-420 Events for SNMP Traps on page 169
for details.
Gigamon’s MIB has been updated to support both the
GigaVUE-420 and the GigaVUE-MP.

Save Adds “Next Boot” Flag: The config save command now includes a new
nb (“next boot”) argument, allowing you to specify that a newly saved
configuration file should be loaded at the next system boot. In
previous GigaVUE products, you could only enable the next boot flag
for a configuration file using the config file command.
See Setting a Configuration File to Boot Next on page 182 for
details.

Filter and Map-Rule Features

IPv6 Filters: GigaVUE-420 adds several new filter options for IPv6:
• Allow or deny traffic from specific IPv6 source or destination
addresses.
• Allow or deny IPv6 packets matching a particular IPv6 Flow
Label.
• Allow or deny traffic based on IP version (IPv4 or IPv6).
See Config Filter Syntax on page 225 for details on these options.

Improved Pattern Match Filters: GigaVUE-420 significantly enhances the
user-defined pattern match filters available in the GigaVUE-MP 3.5
product:
• You can now use 16-byte patterns instead of the 4-byte patterns
available in the GigaVUE-MP 3.5.
• Offsets can now be set at 4-byte boundaries from offsets of
2-126 bytes instead of the 0-80 byte range supported in the
GigaVUE-MP 3.5.
• You now set offsets for user-defined pattern matches separately
from the patterns themselves.
See Working with User-Defined Pattern Match Filters on page 237
for details.

Filters for TCP Control Bits: GigaVUE-420 adds built-in filter support
for any of the eight standard control bits (“flags”) in the TCP header
(ACK, SYN, FIN, and so on).
See Config Filter Syntax on page 225 for details.

Filters for TTL/Hop Limit Values: GigaVUE-420 adds the ability to
filter on Time To Live (TTL; IPv4) or Hop Limit (IPv6) values. These
fields perform the same function, specifying the maximum number of
hops a packet can cross before it reaches its destination.
See Config Filter Syntax on page 225 for details.

Improved IP Fragment Filters: GigaVUE-420 significantly enhances the
IPv4 fragment filters available in the GigaVUE-MP 3.5 product:
• Available in both filters and map-rules (only available in
map-rules on the GigaVUE-MP 3.5).
• Can be used with other filters/map-rules instead of standalone.
Previously intended to be used in a single map-rule with no other
attributes.
• Previous versions only let you match either fragments or no
fragments. This release lets you filter on different types of
fragments, including:
    • Unfragmented packets
    • Fragment in IP header
    • Unfragmented or fragment in IP header
    • Fragment but not in IP header
    • All fragments
See Config Filter Syntax on page 225 for details.

Protocol Filters: GigaVUE-420 adds support for one-byte user-defined
pattern matches in protocol filters. This way, you can specify a
particular pattern to be matched against the Protocol (IPv4) or Next
Header (IPv6) field in the IP header.
See Config Filter Syntax on page 225 for details.
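
The following Python model is an added example, not Gigamon code: it applies a 16-byte pattern and mask at a fixed offset, using the pattern width and the offset range (4-byte boundaries from 2 to 126) given for user-defined pattern match filters above, and shows why a fixed offset must be re-checked when monitored links carry 802.1Q tags. It assumes that offsets count from the first byte of the Ethernet frame and that a mask bit of 1 means "compare this bit"; the function names, frames, and addresses are constructed for the example.

```python
import socket
import struct

PATTERN_LEN = 16                   # pattern/mask width given in the guide
VALID_OFFSETS = range(2, 127, 4)   # assumed reading: 2, 6, 10, ... 126


def parse_hex16(text):
    """Parse a 16-byte hex value such as a udax_data or udax_mask argument."""
    cleaned = text.lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    raw = bytes.fromhex(cleaned)
    if len(raw) != PATTERN_LEN:
        raise ValueError("expected %d bytes, got %d" % (PATTERN_LEN, len(raw)))
    return raw


def masked_match(frame, offset, data, mask):
    """True if the 16 bytes at `offset` equal `data` on every bit set in `mask`.

    Assumption: offset counts from the first byte of the frame and a mask
    bit of 1 means "compare"; the guide excerpt does not spell this out.
    """
    if offset not in VALID_OFFSETS:
        raise ValueError("offset %d is not on a 4-byte boundary in 2-126" % offset)
    window = frame[offset:offset + PATTERN_LEN]
    if len(window) < PATTERN_LEN:
        return False  # frame ends before the pattern window does
    return all((w & m) == (d & m) for w, d, m in zip(window, data, mask))


def build_frame(src_ip, dst_ip, src_port, dst_port, vlan_id=None):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    macs = bytes.fromhex("001122334455" "66778899aabb")
    tag = b"" if vlan_id is None else struct.pack("!HH", 0x8100, vlan_id)
    ethertype = struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return macs + tag + ethertype + ip + tcp


# Window starts at the IPv4 source address of an untagged frame:
# 14-byte Ethernet header + 12 bytes into the IP header = offset 26.
# The 16 bytes cover: src IP | dst IP | src port | dst port | TCP sequence.
SRC_IP_OFFSET = 26
DATA = parse_hex16("00000000" "0a000005" "0000" "01bb" "00000000")  # dst 10.0.0.5, port 443
MASK = parse_hex16("00000000" "ffffffff" "0000" "ffff" "00000000")  # compare dst IP + dst port


def demo():
    """Run the pattern against constructed frames and return the match results."""
    https = build_frame("192.168.1.10", "10.0.0.5", 51000, 443)
    http = build_frame("192.168.1.10", "10.0.0.5", 51000, 80)
    tagged = build_frame("192.168.1.10", "10.0.0.5", 51000, 443, vlan_id=100)
    return {
        "https": masked_match(https, SRC_IP_OFFSET, DATA, MASK),
        "http": masked_match(http, SRC_IP_OFFSET, DATA, MASK),
        # A 4-byte 802.1Q tag shifts every later field, so the same offset misses.
        "tagged_same_offset": masked_match(tagged, SRC_IP_OFFSET, DATA, MASK),
        "tagged_shifted_offset": masked_match(tagged, SRC_IP_OFFSET + 4, DATA, MASK),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In this model the untagged HTTPS frame matches and the HTTP frame does not, while the tagged copy of the same HTTPS flow matches only when the offset is moved by the 4-byte tag length.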

Traffic Distribution Features

Config Pass-All Enhancements: The GigaVUE-420 relaxes some of the
restrictions on the config pass-all command from the GigaVUE-MP 3.5:
• You can set up pass-alls between any of the ports on each
GigaVUE-420 chassis, including the 10 Gb ports. In contrast, the
GigaVUE-MP requires that pass-alls be established either
between Ports 1-8 (the GigaMGMT base unit) or Ports 9-20 (the
optional module slots).
• You can set up pass-alls to multiple tool port destinations instead
of just a single tool port.
See Using the Pass-All Command on page 250 for details.

Tool Port Sharing: A filtered tool port can now be shared among
multiple connection types (for example, an xbconnect and a map-rule).



GigaVUE-420 Specifications
This section provides the physical specifications and power
requirements for the GigaVUE-420 unit.

GigaVUE-420 Physical Dimensions and Weight


The GigaVUE-420 is housed in a 1U high rack-mountable chassis. The
table below summarizes its dimensions:

Width: 17.31 inches (without mounting ears); 19.0 inches including the
front mounting ears
Height: 1.75 inches (1U)
Depth: 23.50 inches
Weight (Fully Populated): 30.8 lbs/14.0 kg (approximately)
Shipping Weight: 45 lbs/20.5 kg (approximately)

Power Requirements
The GigaVUE-420 is powered by dual redundant, load-sharing,
hot-swappable power supplies. The GigaVUE-420 can be ordered
with either dual 100-240V 50-60Hz AC power supplies, or dual -48V
DC power supplies. The table below summarizes the electrical
characteristics of the unit:

Heat/Power Dissipation: For a fully populated system (24 ports) with
all ports at 100% traffic load: nominally 160 Watts/546 BTU/hour

AC Power Supplies:
• 100 to 240V AC, 50-60 Hz
• Nominal current requirement: 1.45A @ 110 VAC
• Frequency: 50/60 Hz

DC Power Supplies:
• -36 to -72V
• Optional external fuse rating: 6A Slow-Blo
• Nominal current requirement: 3.33A @ -48 VDC

NOTE: See Connecting -48 V DC Power Supplies on page 62 for
instructions on how to connect DC power supplies.

Environmental Specifications
The following table summarizes the GigaVUE-420’s environmental
specifications:

Specification                      Value
Operating Temperature              32ºF to 104ºF (0ºC to 40ºC)
Operating Relative Humidity        20% to 80%, non-condensing
Non-Operating Temperature          -4ºF to 158ºF (-20ºC to 70ºC)
Non-Operating Relative Humidity    15% to 85%, non-condensing
Altitude                           Up to 15,000ft. (4.6km)

Chapter 2

Updating the GigaVUE-420

This section describes how to update the GigaVUE-420’s software
with a new release. To update the GigaVUE-420, you will need the
following items:

Item                         Description
Updated GigaVUE-420 Image    This is the image file containing the updated v4.0
                             software (gvb4003).
                             You can obtain this image by contacting Technical
                             Support via either e-mail or telephone:
                             • E-mail: support@gigamon.com
                             • Telephone: (408) 263-2022
TFTP Server                  You will need to copy the GigaVUE-420 4.0
                             software image onto this TFTP server. The
                             GigaVUE-420 unit will need the TFTP server’s IP
                             address so that it can connect to the server and
                             download the image.
                             NOTE: There are freeware TFTP servers
                             available on the Internet for a variety of operating
                             systems.

Update Procedure
1. Copy the new GigaVUE-420 installation file to your TFTP server.
2. Log in to the system to be updated as a super user.
NOTE: Normal users do not have the necessary privileges to
update the GigaVUE-420 software.
3. Use the config save command to save your configuration to flash
memory for version migration.
4. Use the following command to install the GigaVUE-420 software:
install image_name TFTP-server-ipaddr

For example, to install the GigaVUE-420 4.0 installation file
named gv.bin.4.0.xx from a TFTP server running on IP address
192.168.1.102, you would use the following command:
install gv.bin.4.0.xx 192.168.1.102

5. The system may warn you that another image file already exists
in the system. Press y to confirm that you want to install the new
image.
The system will erase the existing image and install the new one.
Wait for this process to complete. The system will inform you that
the image was installed successfully.
6. When the system prompt reappears, reset the system with the
reset system command.
7. When the login prompt appears, log in and use the config save
command to save your configuration in the new v4.0 format.

Chapter 3

Getting Started with GigaVUE-420: A Roadmap
This chapter provides a flow chart of the major steps you need to
perform to get GigaVUE-420 up and running on your network. It also
describes what you should do once you have completed the initial
setup of the unit.
• First Steps – Getting Connected and into the CLI on page 48
• Next Steps on page 49

First Steps – Getting Connected and into the CLI
You’ve received your GigaVUE-420 unit and now you’re ready to get
up and running. Figure 3-1 shows the major steps you need to
perform to get the GigaVUE-420 out of the box, into a rack, plugged
in, and running on your network:

Step 1: Rack-Mount GigaVUE-420
See Rack-Mounting the GigaVUE-420 on page 51.

Step 2: Connect GigaVUE-420
See Connecting the GigaVUE-420 on page 59.

Step 3: Access the Command-Line Interface
See Getting Started in the Command Line Interface on page 79.

Step 4: Configure Essential CLI Options:
• Get familiar with the CLI
• Configure System Options
• Configure Users and Passwords
• Set the Name, Date, and Time
See the sections beginning with Command Line Basics on page 91.

Step 5: Configure Cross-Box Stacks. If you are connecting multiple
GigaVUE-420 systems together in a cross-box stack, this chapter
describes how to make the physical connections and use the correct
configuration commands.
See Stacking GigaVUE-420 Boxes on page 105.

Step 6: Set Security Options.
See Configuring GigaVUE-420 Security Options on page 133.

Figure 3-1: Getting Started Roadmap

Next Steps
Once you’ve performed the initial configuration of the GigaVUE-420
unit (installing, connecting, and configuring the unit), you’re ready to
get started mapping traffic between network and tool ports.

See Introducing Packet Distribution on page 197 for information on
these day-to-day GigaVUE-420 tasks.

Chapter 4

Rack-Mounting the GigaVUE-420
This section describes how to unpack and rack-mount the
GigaVUE-420 chassis. The section covers the following major topics:
• Unpacking GigaVUE-420 on page 51
• Rack-Mounting the GigaVUE-420 on page 52

Unpacking GigaVUE-420
Unpack GigaVUE-420 and inspect the box it was shipped in. If the
carton was damaged, please file a claim with the carrier who
delivered it. Next, select a suitable location for the rack unit that will
hold the GigaVUE-420.

Choose a location that is clean, dust free, and well ventilated. You
will need access to a grounded power outlet. Avoid areas where heat,
electrical wire, and electromagnetic fields are generated.

Plan for enough clearance in front of a rack so you can open the front
door completely (approximately 25 inches) and enough clearance in
the back of the rack to allow sufficient airflow and easy access for
servicing the 10 Gb connections.

Rack-Mounting the GigaVUE-420
This section describes how to rack-mount the GigaVUE-420 in a
standard 1U rack space using the hardware provided with the
chassis. You can install the GigaVUE-420 in racks with a minimum
width of 17.75”.

See the following sections:


• Safety Precautions on page 52
• Rack Mounting Hardware on page 53
• Four-Point Mounting in Four-Post Racks on page 54
• Center-Mounting in Two-Post Racks on page 56

Safety Precautions
There are a wide variety of racks available on the market. Make sure
you consult the instructions provided by your rack vendor for
detailed mounting instructions before installing the GigaVUE-420
chassis.
NOTE: Before rack-mounting the GigaVUE-420, make sure you have
read the following safety precautions:
• The GigaVUE-420 chassis weighs approximately 31 pounds when
fully populated. Make sure you install any stabilizers provided
for the rack before installing the chassis. Unsecured racks can tip
over.
• Make sure you install boxes in the rack from the bottom up with
the heaviest boxes at the bottom.
• Make sure you provide adequate ventilation to the systems
installed in the rack.

Rack Mounting Hardware
Figure 4-1 shows the rack mount hardware included with the
GigaVUE-420. You use this hardware together with the supplied
screws to rack mount the system in either a four-post or two-post
rack.

Slide Assemblies
Use the slide assemblies together with the orange rack ears for
four-point mounting in a four-post rack.

Rack Ears
Use the rack ears either by themselves for center-mounting in a
two-post rack or together with the slide assemblies for four-point
mounting in a four-post rack.

Figure 4-1: Rack Mount Hardware Kit

Four-Point Mounting in Four-Post Racks
To mount the GigaVUE-420 in a four-post rack, you use both the
orange rack ears and the slide assemblies. The rack ears attach at the
front of the unit and the slide assemblies at the rear.

The slide assemblies make it easy to adjust the mount points to fit
racks of varying widths:
• The unit can slide forward and backward on the slide assembly to
fit the width of the rack.
• There are two attachment points on the side of the GigaVUE-420
for the slide assemblies, making it easy to adjust the width to fit
the rack (Figure 4-2).

Slide Assembly Attached in Front Position


In this picture, the slide assembly is attached in the front position.

Slide Assembly Attached in Rear Position


In this picture, the slide assembly is attached in the rear position.

Figure 4-2: Attachment Points for Slide Assemblies

To mount the GigaVUE-420 chassis in a four-post rack:
1. Attach the orange rack ears to the front of the unit using the
supplied screws.
2. As shown in Figure 4-1 on page 53, the slide assemblies consist of
two parts – a flat tab with a beveled edge and a sliding bracket
that fits over the tab. Attach the flat tabs to the GigaVUE-420 at
one of the two rear positions (see Figure 4-2). Select the position
that best fits the width of your rack.
3. Attach the bracket portions of the slide assembly to the rear posts
of the rack with the supplied screws.
4. Slide the chassis into the rack space occupied by the brackets,
making sure that the tabs fit into the brackets.
5. Slide the unit in until the orange rack ears are flush with the front
rack posts.
6. Attach the orange rack ears to the front posts of the rack with the
supplied screws.

Center-Mounting in Two-Post Racks
To center-mount the GigaVUE-420 in a two-post rack, you attach the
orange rack ears to the middle of the unit. As shown in Figure 4-3,
you can attach the rack ears facing either forward or backward to best
fit your rack.

Forward-Facing Rack Ears


In this picture, the rack ears are attached at the center-mount position facing towards the front of the chassis.

Rear-Facing Rack Ears


In this picture, the rack ears are attached at the center-mount position facing towards the rear of the chassis.

Figure 4-3: Attaching Rack Ears for Center-Mounting

To center-mount the GigaVUE-420 chassis in a two-post rack:
1. Attach the orange rack ears to the middle of the unit using the
supplied screws.
As shown in Figure 4-3, you can attach the rack ears facing
towards either the front or the rear of the chassis. Select the
orientation that best fits your rack. For example, one position may
provide better clearance for rack doors at the front of the chassis.
2. While one person supports the weight of the unit with the rack
ears flush to the chassis, a second person can attach the ears to the
rack with the supplied screws.

Chapter 5

Connecting the GigaVUE-420

This section explains how to make the basic GigaVUE-420
connections necessary to get the box powered up and communicating
with a connected PC in the command-line interface. It includes the
following major sections:
• Basic GigaVUE-420 Connections on page 59
• Connecting -48 V DC Power Supplies on page 62
• GigaVUE-420 Modules on page 63
• Using Modules – Best Practices on page 74
• Traffic Distribution and Replacing Modules on page 75

Basic GigaVUE-420 Connections


To make basic GigaVUE-420 connections:
1. Gigamon Systems provides the GigaVUE-420 with a DB9-to-RJ45
serial cable used to connect a PC’s COM port to the Console port
on the GigaVUE-420. This cable is called a Console cable.
Connect the RJ45 end of the Console cable to the GigaVUE-420’s
Console port.

NOTE: See Appendix E, Console Cable Pinouts for details on the
connectors on this cable.

DB9-to-RJ45 Console
Cable (RJ45 End)

Figure 5-1: Connecting the GigaVUE-420’s Console Port

2. Connect the DB9 end of the Console cable to a PC’s COM port.
3. Make sure the power supply switches are both in the off position.
Then, plug power cables into each of the GigaVUE-420’s dual
power supplies (Figure 5-2).
NOTE: For information on connecting the optional DC power
supplies, see Connecting -48 V DC Power Supplies on page 62.

Figure 5-2: Plugging in the Power Supplies

4. Plug the other end of the power cables into a power source that
can supply adequate power. For optimal power protection, plug
the power supplies into separate circuits.
For information on GigaVUE-420 power requirements, see Power
Requirements on page 42.
5. Turn on the power switches for each of the dual power supplies
(Figure 5-3).
6. See Establishing a Configuration Session with GigaVUE-420 on
page 79 for information on how to connect to the GigaVUE-420’s
command-line interface.

Power switches

Power supply alarm cancel button.

Figure 5-3: Turning on the Power Switches

Connecting -48 V DC Power Supplies
The GigaVUE-420 is available with DC power supplies (Figure 5-4)
instead of the standard AC power supplies provided with most
systems. This section provides instructions for connecting a -48 V DC
power source to the DC power supplies.

Ground terminal

0V Return Terminal

-48V Terminal

Figure 5-4: DC Power Supply with Screw Terminals

To connect a -48 V DC input to the screw terminal DC power supply:
1. Remove the safety cover from the power terminals.
2. Connect the power supply ground terminal ( ) to earth ground
(Figure 5-4).
3. Connect the positive and negative power cables to the screw
terminals using a Phillips screwdriver. See Figure 5-4 for the
locations of the terminals:
• The top connector on the DC power supply is the 0V
connector.
• The bottom connector on the DC power supply is the -48V
return connector.
4. Replace the safety cover over the power terminals.

5. Connect the neutral and negative power cables to the DC power
source:
• Connect the neutral wire to the 0V (RTN) connector on the DC
power source.
• Connect the negative wire to the -48V connector on the DC
power source.
6. Repeat Step 2 through Step 5 for the second DC power supply in
the GigaVUE-420.
7. Once you have connected the DC power connections, switch the
power buttons for each of the power supplies to the ON position.

GigaVUE-420 Modules
This section describes each of the GigaVUE-420 modules. All
GigaVUE-420 systems are shipped with the 4-port GigaMGMT
(page 64) base unit with either copper or optical Ethernet ports. Then,
you can use the following modules in the front and rear slots:

Modules for Front Slots
The four front slots in the GigaVUE-420 chassis can be filled with
any combination of the following optional modules:
• GigaPORT Module (page 65)
• GigaTAP-Sx/Lx/Zx Module (page 67)
• GigaTAP-Tx Module (page 68)
NOTE: The modules listed above are interchangeable between the
GigaVUE-MP and the GigaVUE-420. If you have existing versions
from the GigaVUE-MP, you can use them in the GigaVUE-420.

Modules for Rear Slots
The four rear slots in the GigaVUE-420 chassis can be filled with
any combination of the following optional 10 Gb modules:
• GigaLINK-CU (page 73)
• GigaLINK-XR (page 73)

GigaMGMT Four-Port Base Module
All GigaVUE-420 systems include a 4-port GigaMGMT base module
(Figure 5-5) at the far left of the chassis. The GigaMGMT base
includes Mgmt and Console ports for administrative connections, as
well as four network/tool ports. The GigaMGMT is available with
either copper or optical network/tool ports. Both are shown in
Figure 5-5.

GigaMGMT - Copper Ports
• 10/100/1000 Ethernet network/tool ports.
• Link (green) and Activity (yellow) LEDs for Mgmt port. Note that
the LEDs for the Console port are not enabled.
• Mgmt port for 10/100/1000 Ethernet configuration.
• Console port for serial configuration.

GigaMGMT - Optical Ports
• Fiber-optical Gigabit Ethernet network/tool ports.

Figure 5-5: The GigaMGMT Four-Port Base Module

The table below lists and describes the connectors on the GigaMGMT
base module:

Table 5-1: GigaMGMT Base Module Connectors

Connector                   Description
Mgmt                        Use the Mgmt port for remote configuration of the
                            GigaVUE-420 over a 10/100/1000 Ethernet network.
                            See Remote Connections to the Mgmt Port on page 82
                            for information on establishing a Telnet or SSH
                            configuration session with the GigaVUE-420.
Console                     Use the Console port for local configuration of the
                            GigaVUE-420 over a serial connection. See Local
                            Connections to the Console Port using the Console
                            Cable on page 80 for information on establishing a
                            serial configuration session with the GigaVUE-420
                            in a terminal window.
Tool/Network Ports (1-4)    Ports 1-4 can be used as either network (input) or
                            tool (output) ports. There are separate copper and
                            optical models available:
                            • Copper 10/100/1000 UTP Ethernet ports.
                            • Fiber-optical Gigabit Ethernet ports.

GigaPORT Module
The GigaPORT module provides flexible connectivity to a total of
four copper and/or fiber-optical Gigabit Ethernet network ports –
there are four ports for each.

Although there are a total of eight connectors on the GigaPORT, you
can only use four at a time. An easy way to visualize this is to think of
the GigaPORT as having four ports, each with an electrical and an
optical interface. Enabling one interface for a given port disables the
other (for example, if the RJ45 electrical interface is enabled on Port 9,
the optical SFP interface for Port 9 is disabled).

You use the config port-params <port-id> medium <electrical |
optical> command to specify whether the RJ45 10/100/1000 Ethernet
interface or the fiber-optical SFP interface is enabled for a given port.
NOTE: You can always tell whether the copper or optical port is
enabled by typing the show connect command in the GigaVUE-420
CLI. Ports listed in parentheses use an electrical/RJ45 interface. Ports
listed without parentheses use an optical SFP/LC interface.

NOTE: 850 nm multi-mode or 1310 nm single-mode SFP transceivers
are available as standard options. Zx 1550 nm single-mode SFP
transceivers are available as a special order.

Copper UTP 10/100/1000 Ethernet Ports

Fiber-Optical 1 Gb Ports

Figure 5-6: The GigaPORT Module

GigaPORT Port Numbering


Ports on the GigaPORT module are numbered from top to bottom,
left to right. Figure 5-7 illustrates how the ports would be numbered
if this GigaPORT module was installed in the Ports 9-12 slot in the
GigaVUE-420 chassis.

9 11 9 11

10 12 10 12

GigaPORT

Figure 5-7: Sample Port Numbering – GigaPORT Module

GigaTAP-Sx/GigaTAP-Lx/GigaTAP-Zx Modules
GigaTAP-Sx, Lx, and Zx modules provide the ability to tap fiber-optical
Gigabit Ethernet links (1000BASE-Sx, 1000BASE-Lx, or 1000BASE-Zx,
respectively). The GigaTAP-Sx/Lx/Zx modules use a fiber-optic
splitter to tap the signal flowing through the module for distribution
to GigaVUE-420 tool ports. There are two pairs of LC ports for
tapping two different links.
NOTE: GigaTAP-Sx/Lx/Zx ports can only be used as network ports.
They cannot be used as tool ports.

The optical GigaTAP modules protect production links during a
power outage by using an optical switch.

Optical tap
port pair.
Optical tap
port pair.

Figure 5-8: The GigaTAP-Sx Module

GigaTAP-Tx Module
The GigaTAP-Tx module provides the ability to tap a copper Gigabit
Ethernet link, copying traffic to specified tool ports as it flows
through the tap. There are two pairs of RJ45 connectors for tapping
two different links.
NOTE: GigaTAP-Tx ports can be used as either network or tool ports.

RJ45 tap port pair.
RJ45 tap port pair.

Figure 5-9: The GigaTAP-Tx Module

Passive Mode vs. Active Mode


By default, the ports in the GigaTAP-Tx module operate in passive
mode instead of active mode:
• In passive mode, the relays in the GigaTAP-Tx module are
closed. This means that traffic received on one port is repeated
out the other port in the pair but is never seen by the
GigaVUE-420 – it simply flows between the two ports.
Passive mode protects production links in case of power failure.
The tap will always revert to passive mode in the event of power
loss.
• In active mode, the relays in the GigaTAP-Tx module are open.
Traffic received on one port is actively regenerated out the other
port in the port-pair. In addition, it flows through the
GigaVUE-420, making it available to tool ports.

Configuring Tap Connections
There are two main configuration steps when tapping a link with the
GigaTAP-Tx:
• Set up the Port-Pair on page 69
• Verify End Node Status and Open the Relays on page 70

Set up the Port-Pair


A port-pair is a bidirectional connection in which traffic arriving on
one port in the pair is actively regenerated out the other (and
vice-versa) as a passthrough tap. Without a port-pair in place, traffic
arriving on one port will not be regenerated out the other. So, the first
step in tapping a link is to set up the port-pair with the config
port-pair command:
config port-pair <port-alias1|pid1> <port-alias2|pid2> alias <string>

Notes on Port-Pairs
• Port-pairs can be established between any ports on the same
GigaVUE-420.
• Port-pairs support link status propagation – when one port goes
down, the other port goes down (and vice-versa).
• Port-pairs between GigaMGMT or GigaPORT ports can be used
as an electronic tap for RJ45 or fiber-optical links, although
without the fail-over protection provided by the GigaTAP-Tx and
GigaTAP-Sx/Lx/Zx.
• Port-pairs can be established between ports using different
speeds (for example, from a 1 Gb port to a 10 Gb port).
NOTE: Depending on traffic volume, port-pairs between ports
using different speeds can cause packet loss when going from a
faster port to a slower port (for example, from 1 Gb to 100 Mbps,
from 10 Gb to 1 Gb, and so on).

Verify End Node Status and Open the Relays
The next step is to open the relays for the ports used to tap the link.
Before doing so, however, check the link status LEDs on both end
nodes connected to the port-pair ports to verify that they are
operating correctly. The links must be good for failover protection to
function properly.

If the link status on the end nodes is not good (LEDs are not green),
check the following:
• Verify that the combined cable length is less than 100 meters.
• Verify that autonegotiation settings match. If autonegotiation is
not enabled on one of the endpoints, you must manually
configure the port-params of the connected tap ports to match,
followed by a config save. See config port-params commands on
page 309 for details.
• Most newer Ethernet interfaces support autosensing (Auto-MDI/
MDI-X; part of the 1000BASE-T standard). However, if your
equipment does not support this feature (or it is disabled), you
may need to use a crossover cable.
8. Open the relays for the ports used to tap the link in the
GigaTAP-Tx using the config port-params <port-id> taptx active
command. Once you have opened the relays, verify that the green
link LEDs for both ports in the port-pair have illuminated.

Set up Connections/Maps for Both Ports


Once you have set up a port-pair, make sure to logically connect both
ports in the port-pair connection to tool ports. Only the receive traffic
is forwarded through the connections, so it’s important to connect
both sides of the port-pair to tool ports to see both sides of the traffic.

Example:
For example, consider the tap scenario shown in Figure 5-10:

Switch B
Switch A

13 14 15 16

GigaTAP-Tx

Figure 5-10: Example – Tapping a Link with the GigaTAP-Tx

• The GigaTAP-Tx is installed in the Port 13 - 16 slot in the
GigaVUE-420.
• The tap is set up between ports 13 and 14.

To set up this tap scenario, you would issue the following commands
in the GigaVUE-420 CLI:

Command                                    Description
config port-pair 13 14 alias switch-tap    This command sets up the port
                                           pair between ports 13 and 14 so
                                           that traffic received on 13 is
                                           repeated out 14 (and vice-versa).
                                           In this example, we’ve given our
                                           port-pair the alias switch-tap.
config port-params 13 taptx active         This command opens the relays
                                           on port 13 and the adjacent port
                                           (14).

Once you have set up the tap, it’s always a good idea to do a show
connect in the GigaVUE-420 CLI to review the settings in place.
Figure 5-11 shows the results of a show connect once this example
has been set up.

• The show connect command illustrates the tap in place.
• The plus signs (+) in front of 13 and 14 indicate that the relays
are open.
• The port-pair is shown at the end of the ports list with an
illustration of the traffic flow.

Figure 5-11: Setting up a Tap with the GigaTAP-Tx
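
The tap checks described above (port-pair in place, relays opened, both ports of the pair connected to tool ports) can be run against a command list before relying on the tap for monitoring. The following Python audit is an added example, not part of the original guide or Gigamon software. The GigaTAP-Tx port set, the connection map, the dmz-tap and span-pass aliases, tool ports 3 and 4, and the odd/even adjacency rule are assumptions made for the illustration.

```python
"""Audit a GigaVUE-420 tap setup for monitoring blind spots (added example)."""
import re
from dataclasses import dataclass

# Command forms as given in this guide:
#   config port-pair <port-alias1|pid1> <port-alias2|pid2> alias <string>
#   config port-params <port-id> taptx active
PORT_PAIR_RE = re.compile(
    r"^config\s+port-pair\s+(\S+)\s+(\S+)(?:\s+alias\s+(\S+))?$")
TAPTX_ACTIVE_RE = re.compile(
    r"^config\s+port-params\s+(\d+)\s+taptx\s+active$")


@dataclass(frozen=True)
class Finding:
    code: str    # short machine-readable reason
    pair: str    # port-pair alias, or "a-b" when no alias was given
    detail: str  # human-readable explanation


def tap_partner(port):
    """Adjacent port whose relay opens together with `port`.

    ASSUMPTION: tap pairs are (odd, odd + 1), generalised from the guide's
    example where activating port 13 also opens the relay on port 14.
    """
    return port + 1 if port % 2 else port - 1


def parse_commands(lines):
    """Return (port_pairs, ports_with_open_relays) from CLI command lines."""
    pairs, active = [], set()
    for raw in lines:
        line = raw.strip()
        m = PORT_PAIR_RE.match(line)
        if m:
            a, b, alias = m.groups()
            pairs.append((a, b, alias or f"{a}-{b}"))
            continue
        m = TAPTX_ACTIVE_RE.match(line)
        if m:
            port = int(m.group(1))
            active.update({port, tap_partner(port)})
    return pairs, active


def audit(lines, taptx_ports, connections):
    """Check every port-pair for the conditions the guide calls out.

    taptx_ports: ports that sit on a GigaTAP-Tx module (operator supplied).
    connections: {network port: set of tool ports} (operator supplied; a
                 hypothetical record, not parsed from show connect output).
    """
    pairs, active = parse_commands(lines)
    findings = []
    for a, b, alias in pairs:
        if not (a.isdigit() and b.isdigit()):
            findings.append(Finding("UNRESOLVED_ALIAS", alias,
                                    "port aliases must be mapped to port ids first"))
            continue
        ports = (int(a), int(b))
        if all(p in taptx_ports for p in ports):
            closed = [p for p in ports if p not in active]
            if closed:
                # Passive mode: traffic flows between the ports but is
                # never seen by the GigaVUE-420.
                findings.append(Finding("RELAYS_CLOSED", alias,
                                        f"no 'taptx active' for ports {closed}"))
        else:
            # Port-pairs off the GigaTAP-Tx lack its power-failure protection.
            findings.append(Finding("NO_FAILOVER", alias,
                                    "port-pair is not on GigaTAP-Tx ports"))
        unmapped = [p for p in ports if not connections.get(p)]
        if len(unmapped) == 2:
            findings.append(Finding("UNMONITORED", alias,
                                    "neither port is connected to a tool port"))
        elif unmapped:
            # Only receive traffic is forwarded, so one side is invisible.
            findings.append(Finding("ONE_DIRECTION", alias,
                                    f"port {unmapped[0]} has no tool port"))
    return findings


# Constructed sample: the first two commands are the guide's example; the
# other two pairs, the connection map and the tool ports are made up.
SAMPLE_COMMANDS = """\
config port-pair 13 14 alias switch-tap
config port-params 13 taptx active
config port-pair 15 16 alias dmz-tap
config port-pair 1 2 alias span-pass
"""
SAMPLE_TAPTX_PORTS = {13, 14, 15, 16}
SAMPLE_CONNECTIONS = {13: {3}, 14: {3}, 15: {4}, 1: {3}, 2: {3}}

if __name__ == "__main__":
    for f in audit(SAMPLE_COMMANDS.splitlines(),
                   SAMPLE_TAPTX_PORTS, SAMPLE_CONNECTIONS):
        print(f"{f.code:16} {f.pair:12} {f.detail}")
```

In the constructed sample, the guide's switch-tap pair passes cleanly, while dmz-tap is reported twice (relays still closed, and port 16 not connected to a tool port) and span-pass is reported as lacking failover protection.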

GigaLINK Modules (CU and XR)
GigaLINK modules provide high-speed connectivity to 10 Gb links
and can be used as network, tool, or stacking ports. GigaLINK
modules can be installed in the x1, x2, x3, and x4 slots at the rear of
the unit. However, only the x1 and x2 slots can be used as stacking
ports.

GigaLINK modules are available in both copper (GigaLINK-CU) and
optical (GigaLINK-XR) versions, as summarized in the table below:

Module         Description
GigaLINK-CU    10 Gb copper module. Accepts 1/5/10/15 meter
               CX4 copper cable (InfiniBand).
GigaLINK-XR    10 Gb optical module. Available with the
               following XFP optical transceivers:
               • SR – 850nm (300 meter)
               • LR – 1310nm (2m - 10km)
               • ER – 1550 nm (40km)
               See the table below for details on each of these
               transceivers.

Transceiver / Description / Cabling/Distances

SR XFP
Supports 10 Gb SR 850nm fiber standard. Supports standard 50 μ
and 62.5 μ MMF up to 300 meters.
  Description
  Ports
  • One 10-Gigabit Ethernet port (IEEE 802.3ae Type 10Gbase-SR
    850nm serial optics)
  • Duplex: full
  • Connectors: LC
  Optical characteristics (dBm)
  • Tx power: >-4.3 (*1)
  • Rx sensitivity: -7.5 (*2)
  (*1) OMA (*2) Stressed Rx sensitivity in OMA.
  Cabling/Distances
  Maximum distance
  • 62.5 μm multimode cable @ 160 MHz/km = 2-26 meters
  • 62.5 μm multimode cable @ 200 MHz/km = 2-33 meters
  • 50 μm multimode cable @ 400 MHz/km = 2-66 meters
  • 50 μm multimode cable @ 500 MHz/km = 2-82 meters
  • 50 μm multimode cable @ 2000 MHz/km = 2-300 meters
  Notes
  • 62.5 μm (core/cladding) diameter or 50 μm, 850 nm, low metal
    content, multimode fiber-optic, complying with the ITU-T G.652
    and ISO/IEC 793-2 Type B1 standards

LR XFP
Supports 10 Gb LR 1310nm distance of <10 km.
  Description
  Ports
  • One 10-Gigabit Ethernet port (IEEE 802.3ae Type 10Gbase-LR
    1310nm serial optics)
  • Duplex: full
  • Connectors: LC
  Optical characteristics (dBm)
  • Tx power: >-5.2 to +0.5 (*1)
  • Rx sensitivity: -10.3 to +0.5 (*2)
  (*1) OMA (*2) Stressed Rx sensitivity in OMA.
  Cabling/Distances
  Cabling
  • Low metal content, single-mode fiber-optic, complying with
    ITU-T G.652 and ISO/IEC 793-2 Type B1
  Maximum distance
  • 9/125 μm single-mode cable = 2 m-10 km

ER XFP
Supports 10 Gb ER 1550nm distance of up to 80 km.
  Description
  Ports
  • One 10-Gigabit Ethernet port (IEEE 802.3ae Type 10Gbase-ER
    1550nm serial optics)
  • Duplex: full
  • Connectors: LC
  Optical characteristics (dBm)
  • Tx power: -1 to +2
  • Rx sensitivity: -11.3 to -1 (*2)
  (*1) OMA (*2) Stressed Rx sensitivity in OMA.
  Cabling/Distances
  Cabling
  • Low metal content, single-mode fiber-optic, complying with
    ITU-T G.652 and ISO/IEC 793-2 Type B1
  Maximum distance
  • 9/125 μm single-mode cable = 2 m to 40 km; 80 km extra long
    reach 10 Gb XFP available by special order.

Using Modules – Best Practices
When working with GigaVUE-420 modules, it’s generally best to use
each module for its intended purpose:
• Use GigaTAP modules to tap into network links.
• Use GigaMGMT and GigaPORT modules for end station or
SPAN port connections.

For example, although it is possible to create a passthrough tap
between GigaPORT/GigaMGMT ports using the config port-pair
command, you will not have the power failure protection afforded by
the GigaTAP-Tx module (see Passive Mode vs. Active Mode on
page 68).

Traffic Distribution and Replacing Modules


The following table summarizes the effects of removing and
replacing GigaVUE-420 modules on connections, cross-box
connections, maps, cross-box maps, port-pairs, and pass-alls. Two
cases are covered:
• Replacing a GigaVUE-420 module with another module of the
same type.
• Replacing a GigaVUE-420 module with a different type module.

NOTE: You can use GigaVUE’s config save filename.cfg and config
restore commands to create configuration files corresponding to
different physical configurations. This way, you can swap different
types of modules in and out of the system and quickly restore all
settings associated with a particular physical configuration.

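Each entry below lists the show connect results for one connection
type in the two cases: Remove and Reinsert Same Module Type, and
Remove and Insert Different Module Type.

Local Connections
  Remove and Reinsert Same Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: Connections restored.
  Remove and Insert Different Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: Connections to the swapped ports are
    deleted and must be manually recreated. After recreating the
    connections, use the config save filename.cfg command.

Local Maps
  Remove and Reinsert Same Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: Connections restored.
  Remove and Insert Different Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: Connections to the swapped ports are
    deleted and must be manually recreated. After recreating the
    connections, use the config save filename.cfg command.

Cross-Box Connections
  Remove and Reinsert Same Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: Connections restored.
  Remove and Insert Different Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: The xbconnections on affected ports
    are deleted but other xbconnections remain. You must delete and
    reapply the affected xbconnections on all boxes in the stack.
    After recreating the xbconnections, use the config save
    filename.cfg command.

Cross-Box Maps
  Remove and Reinsert Same Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: Connections restored.
  Remove and Insert Different Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: The xbmap connections on affected
    ports are deleted but other xbmaps remain. You must delete and
    reapply the affected xbmaps on all systems in the stack. After
    recreating the xbmaps, use the config save filename.cfg command.

Port-Pair
  Remove and Reinsert Same Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: Connections restored.
  Remove and Insert Different Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: Connections on affected ports
    deleted; other connections remain.

Pass All
  Remove and Reinsert Same Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: Connections restored.
  Remove and Insert Different Module Type
  • show connect after removal: Connections persist. Missing ports
    marked ?.
  • show connect after reinsert: Connections on affected ports
    deleted; other connections remain.

No Connections or Maps Using Removed Ports
  Remove and Reinsert Same Module Type
  • show connect after removal: Connections persist. No local ports
    missing.
  • show connect after reinsert: No changes. No action needed.
  Remove and Insert Different Module Type
  • show connect after removal: Connections persist. No local ports
    missing.
  • show connect after reinsert: No changes. No action needed.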

Chapter 6

Getting Started in the Command Line Interface
This chapter describes how to establish a configuration session with
the GigaVUE-420, provides you with an orientation to the
GigaVUE-420’s command-line management software, and describes
how to set the basic initial configuration options necessary to get you
up and running.

The chapter includes the following sections:


• Establishing a Configuration Session with GigaVUE-420 on page 79
• Command Line Basics on page 91
• The Basic Commands on page 94
• Completing the Initial GigaVUE-420 Setup on page 95

Establishing a Configuration Session with GigaVUE-420


You use GigaVUE-420’s command-line interface to configure the
unit’s operations, including system settings, user accounts, port
configuration, and packet distribution from network ports to tool
ports.

There are two ways to access GigaVUE-420’s command-line interface:

• Locally, via a serial connection to the Console port.
See Local Connections to the Console Port using the Console Cable on
page 80.
• Remotely, via a Telnet or SSH2 connection to the Mgmt port.
See Remote Connections to the Mgmt Port on page 82
NOTE: The same commands are available in the command-line
interface regardless of how you connect.

Local Connections to the Console Port using the Console Cable
This section describes how to access the command-line interface
using a local terminal emulation connection to the Console port.
NOTE: The following procedure explains how to connect to
GigaVUE-420 using the HyperTerminal application provided with
MS-Windows. If you use another terminal emulation application,
consult that application’s documentation for information on
establishing a terminal session. The GigaVUE-420 configuration
commands all work the same once the terminal session is established.

To access the command-line interface over the Console port:


1. Make the basic power and Console cable connections described in
Basic GigaVUE-420 Connections on page 59 and power on
GigaVUE-420.
2. Start HyperTerminal on the PC. Under most circumstances, this
program is located under Start > Programs > Accessories >
Communications.
3. Supply a name for the connection in the Connection Description
dialog box and click OK. For example, GigaVUE Config.
4. Select the COM port connected to the Console cable from the
Connect using dropdown list and click OK. For example, COM1.
5. Configure the port settings for the Console connection as follows
(Figure 6-1):
• Bits per second – 115,200

NOTE: Users with super privileges can change the baud rate
for the Console port.
• Data bits – 8
• Parity – None
• Stop bits – 1
• Flow control – None

Figure 6-1: Setting COM Port Properties for the Console Connection

6. Click OK.
7. The terminal session begins. You may need to press Enter a few
times before you see the login: prompt from GigaVUE-420.
8. Log in to the command-line interface with the following default
user account and password:
User root
Password root123

The GigaVUE> prompt appears, giving you access to the built-in
command-line interface. See Command Line Basics on page 91 for
information on getting started with the CLI.



Remote Connections to the Mgmt Port
This section describes how to access the command-line interface
remotely using either a Telnet or SSH2 connection to the Mgmt port.
The Mgmt port is a standard RJ45 10/100/1000 Ethernet port located
in the upper left corner of the GigaMGMT base module (Figure 6-2).

Mgmt port for 10/100/1000 Ethernet configuration.

Figure 6-2: The GigaMGMT Module

NOTE: The Mgmt port supports Auto MDI-X. There is no need to use
a crossover cable.

Configuring the Mgmt Port’s Network Settings


Before you can connect remotely to the Mgmt port, you must
configure its IP settings.

You can also configure the Mgmt port’s physical settings. By default,
the Mgmt port is configured to autonegotiate its configuration with
the connected equipment. If required by the connected equipment,
you can disable this setting and set specific values for speed, duplex,
and MTU. See Mgmt Port Configuration Procedure on page 84 for the
procedure.
NOTE: Per the 802.3 specification, the Mgmt port can only achieve 1
Gb speeds if autonegotiation is enabled. Although autonegotiation is
optional for most Ethernet variants, it is mandatory for Gigabit
copper (1000BASE-T).

About IPv4/IPv6 for the Mgmt Port
IPv4 is always active and available on the GigaVUE-420, regardless of
whether IPv6 is also enabled. You can set up the Mgmt port with
either a static or dynamic IPv4 address.
NOTE: If you configure the Mgmt port to use DHCP, it will obtain a
new IPv4 address from a DHCP4 server each time it reboots. After
each reboot, you will need to learn this address in order to connect
via SSH2/Telnet.

Configuring IPv6 Network Properties

You can also enable IPv6 on the GigaVUE-420 with the following
command, followed by a reboot:
config system ipv6 1

When IPv6 is enabled, GigaVUE-420 will operate with support for
both IPv4 and IPv6.

GigaVUE-420 obtains an IPv6 address in one of the following ways:


• IPv6 router advertisements. GigaVUE-420 listens for a valid IPv6
header and then uses this to construct its IPv6 address.
• Router-solicited IPv6 address. GigaVUE can send out router
solicitation packets and use the responses to generate an IPv6
address.
• Self-generated IPv6 address using an IPv6 header and the Mgmt
port’s MAC address.

These are the only methods supported for IPv6 address generation.
GigaVUE-420 does not support either static IPv6 addresses or
DHCP6 for IPv6 address assignment. The show system command
will inform you of the unit’s IPv6 address.

The table below summarizes which applications GigaVUE-420
supports over IPv4 and IPv6. Note that IPv6 support is only provided
for listed applications when IPv6 is actually turned on in the CLI
(config system ipv6 1).



Application Supported over IPv4? Supported over IPv6?
SSH2

Telnet

TACACS+

RADIUS

TFTP

SNTP

SNMP

DHCP
NOTE: You can still use
DHCP4 for the unit’s IPv4
address when IPv6 is
enabled.

Mgmt Port Configuration Procedure


Use the following procedure to configure the Mgmt port’s network
settings:

To configure the Mgmt port’s settings:


1. Connect locally to the GigaVUE-420 command-line interface over
the Console port using the instructions in Local Connections to the
Console Port using the Console Cable on page 80 and log in as a
super user (by default, root with the password root123).
2. Use the config system mgmt_port command to configure
autonegotiation, speed, duplex, and MTU settings for the Mgmt
port.
In most cases, the defaults for these settings will work just fine.
However, depending on the type of port to which you are
connecting the Mgmt port, you may need to adjust these settings
(for example, to avoid a duplex mismatch):
• Autonegotiation – By default, autonegotiation is enabled.
You can disable/enable it with the following command:

config system mgmt_port autoneg <1 | 0>

NOTE: Per the 802.3 specification, autonegotiation is
mandatory for 1 Gb speeds over copper (1000BASE-T).
• Speed – By default, speed is set to whatever the
autonegotiation process negotiates. After disabling
autonegotiation, you can change speeds manually with the
following command:
config system mgmt_port speed <100 | 10>

• Duplex – By default, duplex is set to whatever the
autonegotiation process negotiates. After disabling
autonegotiation, you can change duplex settings with the
following command:
config system mgmt_port duplex <half | full>

• MTU – By default, this is set to 1518 bytes, the largest
standard Ethernet packet size. However, you can configure
the size to between 320 and 1518 bytes using the following
command:
config system mgmt_port mtu <320~1518> (bytes)

NOTE: GigaVUE-420’s Mgmt port supports RFC 1191 Path
MTU Discovery and can automatically adjust MTU
downwards if it discovers that the specified MTU is too large.
3. Use the config system command’s dhcp, ipaddr, subnetmask,
and gateway arguments to set up the IPv4 network properties for
the Mgmt port. Use the following syntax:
config system [dhcp <1 | 0> ipaddr <addr> subnetmask <xxx.xxx.xxx.xx>]
config system gateway <xxx.xxx.xxx.xx>

Where:
• dhcp specifies whether GigaVUE-420 will obtain an IPv4
address for its Mgmt port from a DHCP4 server (1) or use a
static address (0). If you set dhcp to 1, do not supply values
for ipaddr, subnetmask, or gateway.
NOTE: If you enable DHCP, you can also use the config
system dhcp_timeout <4 | 10 | 30 | 60 | 100> command to
specify the number of seconds GigaVUE-420 will wait for a
response from a DHCP server after querying for an address.
• ipaddr specifies the static IPv4 address to use.



• subnetmask specifies the subnet mask to be used for the IPv4
address.
• gateway specifies the default gateway to which the Mgmt
port should direct its traffic.
For example, to configure a static IP address of 192.168.1.20 with a
standard Class C subnet mask (255.255.255.0) and a default
gateway of 192.168.1.1, you would type the following command
followed by <Enter>.
config system dhcp 0 ipaddr 192.168.1.20 subnetmask 255.255.255.0 gateway 192.168.1.1

NOTE: This command combines two commands into a single line
in order to minimize reboots. These commands could also be
issued separately, but you would receive two separate reboot
requests if you did it this way:
config system dhcp 0 ipaddr 192.168.1.20 subnetmask 255.255.255.0
config system gateway 192.168.1.1

NOTE: When DHCP is disabled, the system must reboot before
implementing changes to the Mgmt port’s network settings. The
CLI will prompt you to reboot the system if necessary.
4. By default, only IPv4 is enabled on the GigaVUE-420. You can
also enable IPv6 with the following command, followed by a
reboot:
config system ipv6 1

Enabling IPv6 lets you use IPv6 addresses for SSH2, Telnet,
TACACS+, RADIUS, SNTP, and TFTP. See Configuring IPv6
Network Properties on page 83 for more information.
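
Because a static address change forces a reboot and a wrong value leaves the Mgmt port unreachable over the network, it helps to check the values from steps 2 and 3 on the workstation before typing them at the console. The following is an added example, not part of the guide or of Gigamon's software; the function names are hypothetical, and the command strings it produces follow the syntax shown in the steps above.

```python
import ipaddress

MTU_MIN, MTU_MAX = 320, 1518      # MTU range given in the guide
MANUAL_SPEEDS = (10, 100)         # 1 Gb is only reachable through autonegotiation


def static_ipv4_command(ipaddr, subnetmask, gateway):
    """Validate static Mgmt port settings; return (command, problems)."""
    try:
        mask_net = ipaddress.IPv4Network(f"0.0.0.0/{subnetmask}")
        # ipaddress also accepts host masks such as 0.0.0.255; insist on a netmask.
        if str(mask_net.netmask) != subnetmask:
            raise ValueError(f"{subnetmask} is not a contiguous netmask")
        iface = ipaddress.IPv4Interface(f"{ipaddr}/{mask_net.prefixlen}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return None, [f"unparseable value: {exc}"]

    net = iface.network
    problems = []
    if net.prefixlen > 30:
        problems.append(f"{net} leaves no room for a separate gateway address")
    else:
        reserved = (net.network_address, net.broadcast_address)
        if iface.ip in reserved:
            problems.append(f"{iface.ip} is the network or broadcast address of {net}")
        if gw in reserved:
            problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if gw == iface.ip:
        problems.append("gateway equals the unit's own address")

    if problems:
        return None, problems
    # One combined line, as the guide recommends, so the unit reboots only once.
    command = (f"config system dhcp 0 ipaddr {iface.ip} "
               f"subnetmask {subnetmask} gateway {gw}")
    return command, []


def mgmt_port_commands(autoneg=True, speed=None, duplex=None, mtu=None):
    """Return the config system mgmt_port lines for the requested physical settings."""
    if autoneg and (speed is not None or duplex is not None):
        raise ValueError("disable autonegotiation before forcing speed or duplex")
    if speed is not None and speed not in MANUAL_SPEEDS:
        raise ValueError("manual speed must be 10 or 100")
    if duplex is not None and duplex not in ("half", "full"):
        raise ValueError("duplex must be half or full")
    if mtu is not None and not MTU_MIN <= mtu <= MTU_MAX:
        raise ValueError(f"mtu must be between {MTU_MIN} and {MTU_MAX}")

    lines = [f"config system mgmt_port autoneg {1 if autoneg else 0}"]
    if speed is not None:
        lines.append(f"config system mgmt_port speed {speed}")
    if duplex is not None:
        lines.append(f"config system mgmt_port duplex {duplex}")
    if mtu is not None:
        lines.append(f"config system mgmt_port mtu {mtu}")
    return lines


if __name__ == "__main__":
    # Values from the guide's own example, then a constructed bad gateway.
    print(static_ipv4_command("192.168.1.20", "255.255.255.0", "192.168.1.1"))
    print(static_ipv4_command("192.168.1.20", "255.255.255.0", "192.168.2.1"))
    print(mgmt_port_commands(autoneg=False, speed=100, duplex="full"))
```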

SSH2 vs. Telnet


You can use either Telnet or SSH2 for remote connections to
GigaVUE-420’s Mgmt port, but not both.

By default, Telnet is enabled. You use the config system ssh2 <1 | 0>
command to specify which remote protocol you would like to use.
For example, to enable SSH2, you would use the following command:
config system ssh2 1

Once SSH2 is enabled, Telnet connections are no longer accepted
(and vice-versa – SSH2 connections are not available when Telnet is
enabled).

TIP: If you generate new public host keys before enabling SSH, you
will save an extra reboot of the unit. See Changing Public Host Keys on
page 89.



Advantages of SSH2
SSH2 is a more secure choice for remote connections than Telnet,
providing an encrypted channel instead of relying on clear text. It
also provides stronger user authentication capabilities, including the
use of a public host key. Host keys uniquely identify a server, helping
guarantee that the server you’re connecting to is the server you think
it is.

GigaVUE-420 includes default RSA and DSA public host
keys (SSH2 supports both the RSA and DSS host key algorithms). The
first time you connect to GigaVUE-420 with an SSH2 client, the client
will warn you that the host keys are not in your local cache and show
you the actual host key presented by GigaVUE-420. Your client will
most likely give you the option of trusting the key, adding it to your
local cache. Once you’ve trusted the key, your client will alert you
during connection if a different key is presented.

Verifying GigaVUE-420’s Host Key During Connection

To verify that the host key presented during an SSH2 connection is in
fact GigaVUE-420’s, you can connect over the Console port (see Local
Connections to the Console Port using the Console Cable on page 80) and
use the show hostkeys command to see GigaVUE-420’s current
public host keys and fingerprints. Write these down and keep them
nearby when you connect via SSH2 the first time. This way, you’ll be
able to compare the actual host key to what your SSH2 client says is
being presented. Once you’ve verified that they are the same, you can
choose to trust the host key, allowing future connections to take place
seamlessly.

Changing Public Host Keys
You can use the config system hostkey command to change the
default host keys provided with GigaVUE-420. The command has the
following syntax:
config system hostkey <dss | rsa> [<768~2048> (bits)]

Acceptable bit values for the host keys are multiples of 8 between 768
and 2048 (for example, 768, 776, 784, and so on). If you do not specify a
key length, GigaVUE-420 defaults to 1024 bits.

For example, to configure a new RSA host key, you could
use the following command:
config system hostkey rsa 768
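
The comparison described under Verifying GigaVUE-420’s Host Key During Connection, together with a size check on the key that config system hostkey produced, as an added example that is not part of the guide. It assumes the fingerprint noted from show hostkeys is the colon-separated MD5 form that SSH clients of this era display, treats any key below the 2048-bit maximum as worth regenerating (a policy choice of this example), and uses a constructed stand-in blob rather than a real key; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

MAX_BITS = 2048  # largest size "config system hostkey" accepts per the guide


def read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_host_key(blob):
    """Return (key_type, bits) for an ssh-rsa or ssh-dss public key blob."""
    name, offset = read_string(blob, 0)
    key_type = name.decode("ascii", "replace")
    if key_type == "ssh-rsa":        # fields: e, n -> key size is the size of n
        _, offset = read_string(blob, offset)
        size_field, _ = read_string(blob, offset)
    elif key_type == "ssh-dss":      # fields: p, q, g, y -> key size is the size of p
        size_field, _ = read_string(blob, offset)
    else:
        raise ValueError(f"unexpected host key type {key_type!r}")
    return key_type, int.from_bytes(size_field, "big").bit_length()


def fingerprints(blob):
    """Fingerprints of the raw public key blob in the two common display forms."""
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256,
    }


def check_presented_key(presented_blob, recorded_md5):
    """Compare the key the client was shown with the fingerprint noted at the console."""
    key_type, bits = parse_host_key(presented_blob)
    shown = fingerprints(presented_blob)["md5"]
    recorded = recorded_md5.strip().lower()
    trusted = hmac.compare_digest(shown.encode(), recorded.encode())
    findings = []
    if not trusted:
        findings.append("fingerprint mismatch: do not accept the key; recheck over the Console port")
    if bits < MAX_BITS:
        findings.append(f"{key_type} key is {bits} bits; consider regenerating at {MAX_BITS}")
    return {"type": key_type, "bits": bits, "md5": shown,
            "trusted": trusted, "findings": findings}


def mpint(value):
    """Encode a positive integer as an SSH mpint (leading zero keeps it positive)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def make_sample_rsa_blob(bits):
    """Constructed stand-in with a modulus of the requested size; not a usable key."""
    name = b"ssh-rsa"
    modulus = (1 << (bits - 1)) | 1
    return struct.pack(">I", len(name)) + name + mpint(65537) + mpint(modulus)


if __name__ == "__main__":
    sample = make_sample_rsa_blob(768)
    noted = fingerprints(sample)["md5"]   # stands in for the value written down at the console
    print(check_presented_key(sample, noted))
    print(check_presented_key(make_sample_rsa_blob(1024), noted))
```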

Connecting to GigaVUE-420 Using SSH2


When SSH2 is enabled, you can use any compliant SSH2 client to
connect to the command-line interface remotely. For example, to
connect using the popular SSH2 client, PuTTY:
1. Start PuTTY and enter GigaVUE-420’s IP address in the Host
Name field.
2. Click the SSH protocol radio button.
3. Click Open to open a connection.
4. If this is your first connection, PuTTY warns you that the host key
presented by GigaVUE-420 is not in your cache. You can add the
key, connect without adding the key, or cancel the connection.
See Verifying GigaVUE-420’s Host Key During Connection on
page 88 for information on how to verify that the host key shown
is the correct one.
5. Type root in the User name field followed by the root password
(root123 is the default).



Connecting to GigaVUE-420 Using Telnet
When Telnet is enabled, you can use any compliant Telnet client to
connect to the command-line interface remotely. For example, to
connect using the Telnet client provided with Microsoft Windows:
1. Open a command prompt window and type Telnet.
2. Type open <Mgmt Port IP Address>.
3. Log in with acceptable GigaVUE-420 credentials (by default, user
root with the password root123).

Command Line Basics
This section provides a quick orientation to the GigaVUE-420
command-line interface – how to get help, how to enter commands,
and so on.

The CLI Prompt


By default, the GigaVUE-420 command-line interface appears with
the GigaVUE> prompt.
NOTE: If you are working simultaneously with multiple
GigaVUE-420 boxes, you may find it handy to change the prompts on
individual boxes to make it easy to identify separate terminal
sessions. Super users can do this with the config system prompt
<string> command. This is particularly helpful when working with
cross-box configurations where the same command often needs to be
entered on each box in the stack.

Getting Help in the Command Line Interface


When working with the command-line interface, you can always get
help on the available commands by typing either ? or help followed
by <Enter>.
NOTE: Typing ? accesses the help system immediately – you do not
need to press <Enter>.

In addition, there are several other ways to get help – Command
Completion, Word Help, and Command Help:

Command Completion

If you have partially typed a command, you can press Tab and the
CLI will attempt to complete the command for you based on what’s
been entered so far. If it is unable to complete the command, the CLI
will simply redraw the line with the cursor at the end of the line.



Word Help

When you are typing a command and are not sure how to spell the
word you are working on, type a ? immediately following the
partially-typed word. The CLI will show you a list of all possible
words using the word entered so far.

For example, if you typed config x?, the CLI would return the
following possible commands based on what you’ve entered so far:
xbconnect xbmap xbmapping xbport-filter

Command Help

When you are typing a command and have finished a word but are
not sure what the rest of the syntax is, you can type a space after the
word and then a ?. The CLI will list all possible commands using the
words you have entered so far. For example, if you type config
system ?, the CLI will return all possible config system commands.

Command Line Syntax – Entering Commands


You enter all configuration commands for the GigaVUE-420 in the
command-line interface. Enter commands by typing them to the
prompt and pressing <Enter>.

When entering commands, keep in mind the following rules:


• All commands are case-sensitive and entered in lower case.
• Alias strings must consist entirely of alphanumeric characters
with no spaces. The only exceptions are the underscore (_) and
hyphen (-) characters. Those are allowed.
For example, config port-alias 3 My_Alias is legal, but config
port-alias 3 My Alias is not.
• Description strings can contain spaces and non-alphanumeric
characters and are entered between quotation marks.
The CLI will inform you which sort of string you are entering. For
example, when you set up a system name, you can enter both a
name-string without spaces and a description within quotation
marks that can contain spaces. If you type config system ?, the
CLI informs you that the syntax for the name argument is as
follows:
config system [name name-string] [description “string”]

So, for example:
config system name GigaVUE-420 description “My GigaVUE-420 Box”

Command Structure
In general, GigaVUE-420 commands are structured as follows:
<verb> <object> <arguments>

You can loosely interpret this as Do this (verb) to this (object) like
this (argument). The following table summarizes this:

Verb       Do this...      Verbs are commands like config, show, delete, and so on.
Object     ...to this      Objects are items like the system, a filter, a map-rule, a port-type, and so on.
Argument   ...like this.   Arguments can be port numbers, strings, or other values to be set in the GigaVUE-420’s flash memory.

So, for example:


config port-type 8 tool

This command sets port number 8 to be a tool port. The verb, object,
and argument are as follows:

Verb       Object       Argument
config     port-type    8 tool



The Basic Commands
The table below lists each of the top level commands for the
GigaVUE-420 CLI. As described in the table, most of these commands
have multiple supported objects and arguments. You can see the
exact objects and arguments for a command by typing it into the CLI
followed by ?.

In general, the commands you will use most frequently are config,
show, and delete.

Command    Description
?          Display help.
config     Set up system settings, users, filters, maps, connections, port settings, port pairs, port filters, and so on.
delete     Delete defined users, connections, port pairs, port-filter associations, filters and so on.
exit       Exit the current CLI session.
help       Display help.
history    Lists the most recent 50 commands issued during the current session.
install    Install an image, config file, or banner file via TFTP.
logout     Exit the current CLI session or log out another user.
reset      You can use the reset command to:
           • Reboot the system and apply the configuration file with nb (next boot) set (reset system).
           • Reset port statistics (reset port-stats [all | port-alias | pid-list])
           • Reset the system’s configuration file settings to the factory defaults (reset system factory-default).
show       Display users, system, ports, connectivity, filters, and diagnosis information.
upload     Upload a configuration or log file to a TFTP server.

Completing the Initial GigaVUE-420 Setup


At this point, you have logged in to the command-line interface using
the default root super user account, configured the Mgmt port’s
network properties for Telnet or SSH access, and have explored the
command-line interface structure.

There are a few more steps you should perform to complete the initial
configuration before you get to the fun stuff – setting up network
ports, tool ports, and mapping traffic. These tasks include:
• Configure some basic user accounts (optional).
See Initial User Account Configuration (Optional) on page 96.
• Configure the GigaVUE-420 name and date.
See Configuring the GigaVUE-420 Name and Date on page 98.
• Configure the GigaVUE-420 time options.
See Configuring GigaVUE-420 Time Options on page 99.
• Configure a custom login banner.
See Using a Custom Login Banner on page 102.
• Save your changes!
See Saving Changes on page 104.



Initial User Account Configuration (Optional)
Before you start mapping traffic, it’s a good idea to change the factory
password supplied with the default root super user account and add
a few other accounts for use by different level users.

Change the Password for the root Account


1. First, change the password for the default root account. Use the
following command:
config password user root <newpassword> <newpassword>

Acceptable passwords consist of 6-30 alphanumeric
characters. At least one of the characters must be a numeral.
NOTE: The system will not let you delete the root account.
However, as a security measure, you can disable it using the
config system rootdis 1 command. Before doing so, however, you
must have added at least one other active account with super
privileges.

Set Up Some Basic Accounts


1. Next, you will probably want to set a few user accounts with
different access levels.
GigaVUE-420 provides an interlocking set of options that let you
create a comprehensive security strategy for the unit. These
options include the authentication method (local, TACACS+, or
RADIUS), different account access levels (super, normal, and
audit), port ownership (assigning access to different ports to
different users), and the overall security level in place on the box
(referred to as the lock-level).
These options are described in detail in Chapter 8, Configuring
GigaVUE-420 Security Options on page 133. For now, however, it’s
easiest to simply create a few basic user accounts – one of each
level. In general, user privileges are as follows:
• Super users have access to all ports on the box regardless of
the lock-level in place. They can also perform all configuration
commands.

• Normal users have access to different ports depending on the
lock-level in place. They cannot perform most system
configuration commands.
• Audit users do not have access to any ports. Their access
consists mainly of the ability to use the show command to see
what basic settings are in place on the box.
NOTE: Figure 6-3 shows the port ownership for each of these
account types when system lock-level is set to none.
NOTE: Lock-Level Reference on page 347 provides full details on the
different privileges for each user level depending on the
lock-level in place.
The following config user commands create a new super user,
normal user, and audit user:

Command: config user MySuperUser 1password 1password level super description “New Super User Account”
Comments: Creates a new account named MySuperUser with the password 1password and the description “New Super User Account.”

Command: config user MyNormalUser 2password 2password level normal description “New Normal User Account”
Comments: Creates a new account named MyNormalUser with the password 2password and the description “New Normal User Account.”

Command: config user MyAuditUser 3password 3password level audit description “New Audit User Account”
Comments: Creates a new account named MyAuditUser with the password 3password and the description “New Audit User Account.”

2. Once you have configured these basic user accounts, use the
show user all command to review your settings. Figure 6-3 shows
the results of a show user all after adding the users in the table
above.



Note the designated port ownership for each user:

Super users always own all ports, regardless of the system lock-level in place.

Normal users own different ports depending on the lock-level and port ownership assigned by a super user.

Audit users never own any ports.

Figure 6-3: Reviewing the User List

Configuring the GigaVUE-420 Name and Date


It’s generally a good idea to configure the GigaVUE-420’s name,
date, and time as part of your initial configuration. The following
commands show how to set the system name and date. See
Configuring GigaVUE-420 Time Options on page 99 for information on
setting options related to time.

Setting the System Name


1. Use the following command to specify the system name:
config system [name name-string] [description “string”]

So, for example:


config system name GigaVUE-420 description “My GigaVUE-420 Box”

Setting the Date


1. Use the following command to set the system date:
config system [date <mm-dd-yy>]

NOTE: After entering the name and date, you may want to do a show
system to verify your settings.

Configuring GigaVUE-420 Time Options
GigaVUE-420 includes a variety of features for setting the time,
including:
• Time can be set either manually or using an SNTP server.
• Time can optionally adjust automatically for daylight savings
time start and end.
• Timezone options for adjustment of UTC time received from an
SNTP server.

GigaVUE-420’s built-in clock is not subject to noticeable drift and is
sufficiently accurate for the needs of most users. Most of
GigaVUE-420’s features are not particularly time-sensitive and do not
require the accuracy of an SNTP time server. However, if you have
enabled the forwarding of SNMP traps, you may want to use an
SNTP server so that the timestamps shown in the SNMP server are
extremely accurate.

Setting Time Manually


The easiest way to set GigaVUE-420’s time is manually with the
config system time command. For example:
config system time 03:45:12

NOTE: Even if you are using SNTP, it’s a good idea to configure time
manually as well. GigaVUE-420 will automatically fall back to the
manual time setting if it is unable to synchronize with the specified
SNTP server.

A show system will reveal whether SNTP is enabled, as well as the
current GigaVUE-420 time.

Setting Time from an SNTP Server


GigaVUE-420 can optionally use a Simple Network Time Protocol
(SNTP) server for its time setting. Configure GigaVUE-420 to use
an SNTP server as follows:



1. Specify the address of the SNTP server with the config
sntp_server command. For example, if the SNTP server is on
204.123.2.72, you would use the following command:
config sntp_server 204.123.2.72

NOTE: There are many public SNTP servers available on the
Internet.
2. Turn on SNTP with the following command:
config system sntp 1

GigaVUE-420 will inform you that it must reboot to enable the
use of an SNTP server. You will be provided with the option of
saving any provisional configuration changes before the reboot
takes place.
Once the system reboots, it will connect to the specified SNTP
server and synchronize to its time. If connection to the specified
SNTP server is not successful, GigaVUE-420 informs you of the
error and automatically falls back to the manual time setting.
3. SNTP reports times in UTC. Because of this, it’s a good idea to
specify the GigaVUE-420’s timezone so that UTC can be
converted to the local timezone.
You specify the timezone in terms of the offset from UTC (either
plus or minus). For example, to set the timezone for a
GigaVUE-420 in the United States Pacific Standard Timezone,
you would use the following command:
config system timezone UTC-08:00

Using Automatic Daylight Savings Time Adjustments


When using SNTP, you can configure GigaVUE-420 to automatically
adjust its time setting for daylight savings time by specifying both the
start and end dates for daylight savings time. Then, you turn on
automatic adjustments with the config system dst command.
NOTE: Automatic daylight savings time adjustments are only used
when SNTP is enabled and there is a successful connection to a
running SNTP server.

NOTE: Start and end dates for Daylight Savings Time change every
year in some countries. If you decide to use automatic adjustments,
make sure you change the onset and offset every year.

Command: config system dst_onset 03-11-02:00
Comments: Specifies that Daylight Savings Time starts on March 11th at 02:00 AM.

Command: config system dst_offset 11-04-02:00
Comments: Specifies that Daylight Savings Time ends on November 4th at 02:00 AM.

Command: config system dst 1
Comments: Turns on the use of automatic Daylight Savings Time adjustments.
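
The onset and offset values above match the United States dates for 2007, and because they must be re-entered every year, the following added example (not part of the guide) computes the values for a given year and reports which commands are needed to bring a unit up to date. It assumes the United States rule in effect since 2007 (second Sunday in March to first Sunday in November, switching at 02:00 local time); other countries need their own rule, and the function names are hypothetical.

```python
import datetime


def nth_sunday(year, month, n):
    """Return the date of the n-th Sunday of the given month."""
    first = datetime.date(year, month, 1)
    days_to_sunday = (6 - first.weekday()) % 7      # Monday=0 ... Sunday=6
    return first + datetime.timedelta(days=days_to_sunday + 7 * (n - 1))


def us_dst_settings(year):
    """Return (onset, offset) in the guide's mm-dd-hh:mm form for the US rule."""
    onset = nth_sunday(year, 3, 2)                  # second Sunday in March
    end = nth_sunday(year, 11, 1)                   # first Sunday in November
    return f"{onset:%m-%d}-02:00", f"{end:%m-%d}-02:00"


def dst_update_commands(configured_onset, configured_offset, year):
    """Return the commands needed so the configured values match the given year."""
    want_onset, want_offset = us_dst_settings(year)
    commands = []
    if configured_onset != want_onset:
        commands.append(f"config system dst_onset {want_onset}")
    if configured_offset != want_offset:
        commands.append(f"config system dst_offset {want_offset}")
    return commands


if __name__ == "__main__":
    # The values from the table above, checked against 2007 and then 2008.
    print(dst_update_commands("03-11-02:00", "11-04-02:00", 2007))
    print(dst_update_commands("03-11-02:00", "11-04-02:00", 2008))
```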



Using a Custom Login Banner
GigaVUE-420 can display a customizable text banner at system
startup and whenever a user logs in. The text banner displays the
contents of a special banner_file.txt on the GigaVUE-420. This file
must be a text file of no more than 4096 bytes.

Configuring GigaVUE-420 to display a text banner consists of the
following steps:
1. Use a text editor to create the banner_file.txt file. The file must
consist of raw text and be no larger than 4096 bytes.
2. Download banner_file.txt to GigaVUE-420 from a TFTP server.
For example, to install from a TFTP server running on
192.168.1.102, you would use the following command:
install -ban banner_file.txt 192.168.1.102

3. Turn on the display of text banners with the following command:


config system banner 1

The next time you log in to the GigaVUE-420, you will see the
customizable banner (Figure 6-4).

Replacing the Custom Banner

To replace the current custom banner with a different one, create
another banner_file.txt and download it to the GigaVUE-420. The next
time you log in, the new banner will be shown.

Disabling the Banner Display

To disable the custom banner, use the following command:


config system banner 0

Figure 6-4: Customizable Login Banner



Saving Changes
The changes made in this chapter were all config system changes.
These changes are added to the active configuration right away and
automatically saved in a different location than the configuration files
– there is no need to perform a config save filename.cfg to save them.

However, it’s a good idea to get into the habit of using the config
save filename.cfg command. Later on, when you start setting up
packet distribution with connections and maps, your changes will
be added to the active configuration right away but won’t be saved
across a system reboot unless you use the config save filename.cfg
command to write your changes to flash.
NOTE: The name of the factory-provided configuration file in v4.0 is
gigavue.cfg. You can see the name of the most recently booted
configuration file by using the show file command and looking for
the file with Last restored set to Yes. In Figure 6-5, you can tell that
GigaVUE-420 is currently operating with the factory-provided
gigavue.cfg configuration file and that this is also the configuration
file that will be booted next (Next boot file = Yes).

See Using Configuration Files on page 175 for details on using
configuration files.

Figure 6-5: Showing Configuration Files

Chapter 7

Stacking GigaVUE-420 Boxes

This section describes how to connect multiple GigaVUE-420 systems
in a cross-box stack so that data arriving at a network port on one
GigaVUE-420 box can be forwarded to a tool port on another
GigaVUE-420 box.

IMPORTANT: You cannot stack GigaVUE-420 systems with
GigaVUE-MP systems in this release – stacks must consist entirely of
one system type or the other. In a future release, you will be able to
create mixed stacks.

It includes the following major topics:


• About Cross-Box Configurations on page 106
• Creating Cross-Box Stacks: A Roadmap on page 109
• Stacking Rules on page 110
• Planning the Stack on page 110
• Configuring a Box’s Stacking Information on page 114
• Making Physical Connections on page 122
• Verifying a Cross-Box Stack’s Connectivity on page 122
• Configuring Cross-Box Packet Distribution on page 125

• Troubleshooting Cross-Box Stacks on page 125
• Making Changes to an Existing Cross-Box Stack on page 127
• Power Loss Considerations for Cross-Box Stacks on page 131

About Cross-Box Configurations


Cross-box stacks consist of two or more GigaVUE-420 systems
connected via their x1/x2 10 Gb ports. Cross-box stacks can be as
simple as two systems connected via their x1 ports, or as complex as a
chain of ten separate systems. For example, Figure 7-1 shows a
sample cross-box stack of four GigaVUE-420 systems.
NOTE: The x3 and x4 ports cannot be used as stack ports. The CLI
will not let you set their port-type to stack.

Figure 7-1: Stacking Four GigaVUE-420 Boxes

You create cross-box stacks by performing a series of configuration
commands that identify each box in the stack, as well as its upstream
and downstream neighbors. You perform these configuration
commands on each of the boxes in the stack.
NOTE: You must be logged in with super user account privileges to
complete the stack configuration commands in this chapter.



About GigaVUE-420 10 Gb Stacking Ports
Cross-box stacks are set up by connecting multiple systems using the
x1 and/or x2 10 Gb ports on the rear of the GigaVUE-420 and
configuring their port-type as stack.
NOTE: The GigaVUE-420 can have up to four 10 Gb modules installed
in slots x1-x4. However, you can only use the 10 Gb modules installed
in slots x1 and x2 as stacking ports. The CLI will not let you set the x3
or x4 module’s port-type to stack.

You can stack two systems together with only a single 10 Gb module
installed in each unit’s x1 slot. However, to stack three or more
GigaVUE-420 boxes, the middle systems must have an additional 10
Gb module installed in the x2 slot.

There are two main types of 10 Gb modules. Either can be used as a
stacking port in the x1/x2 slots:
• 10 Gb GigaLINK-CU with a copper CX-4 connector.
NOTE: The maximum length of the cable run between
GigaLINK-CU stacking ports is 15 meters. You must specify the
distance of the cable run using the config port-params <port-id>
ib_cable_len command. See Configuring Cable Lengths
(GigaLINK-CU Stacking Ports) on page 118 for details.
• 10 Gb GigaLINK-XR with a fiber-optical XFP connector (SR, LR,
or ER XFPs are all available).
NOTE: You can only connect optical-to-optical stacking ports
using the same XFP type. In addition, make sure the XFP you are
using is supported by the length of your cable run, as follows:
• SR: 300 meter
• LR: 2m - 10km
• ER: 40km
See GigaLINK Modules (CU and XR) on page 73 for details on the
cable lengths supported by each GigaLINK-XR XFP type.

Creating Cross-Box Stacks: A Roadmap
Setting up a cross-box stack consists of the major steps shown in
Creating Cross-Box Stacks: Major Steps on page 109.

Step 1 (Plan the Stack): Identify Requirements, Create a Map, and Write a
Per-Box Configuration Plan

Cross-box stacks can quickly become quite complex. It’s a good
idea to plan your configuration. Start by identifying the number of
boxes in your stack, the stacking port configuration of each box, the
length of each copper cable run, and so on. Then, draw a stack map
that positions each of your boxes in the stack. Finally, create a
per-box configuration plan with the CLI commands to be issued on
each box in the stack. See Planning the Stack on page 110 for
details.

Step 2 (Configure Each Box in the Stack): Configure bid, port-type,
active_link, x1_bid, x2_bid, and Cable Length (copper modules) Settings
for Each Box in the Stack

Use the Configuration Plan you created in Step 1 to configure each box
in the stack. Once you have finished configuring the boxes, save
changes with a config save and then turn them off. See Configuring a
Box’s Stacking Information on page 114 for details.

Step 3 (Make Physical Connections): Connect the Boxes According to the
Stack Map

See Making Physical Connections on page 122 for details.

Step 4 (Power on and Verify Connectivity): Power On Systems and Verify
Connectivity

Turn on all the systems and wait for them to complete booting. Then,
verify the stack path by setting up an end-to-end xbconnection (that is,
an xbconnection that starts at a network port on one end of the stack
and terminates at a tool port on the other end of the stack). Issue the
exact same xbconnect command on each box in the stack. Then, send
traffic across this xbconnection to verify connectivity. See Verifying a
Cross-Box Stack’s Connectivity on page 122 for details.

Step 5 (Configure Cross-Box Packet Distribution): Configure Cross-Box
Packet Distribution

See Configuring Cross-Box Packet Distribution on page 125

Figure 7-2: Creating Cross-Box Stacks: Major Steps



Stacking Rules
Cross-box stacks must adhere to the following rules:

Rule      Description

Rule 1    All GigaVUE-420 systems in a cross-box stack must run the same
          version of software.

Rule 2    GigaVUE-420 systems can NOT be stacked with GigaVUE-MP
          systems.

Rule 3    Only the x1 and x2 10 Gb ports can be used as stacking ports. The
          x3 and x4 10 Gb ports cannot be used as stacking ports.

Rule 4    Each GigaVUE-420 system in a cross-box command must have its
          own unique Box ID (bid).

Rule 5    All commands for cross-box connections and cross-box maps must
          be applied to all boxes in the exact same order.

Rule 6    You can only connect copper-to-copper and optical-to-optical
          stacking ports. In addition, optical-to-optical connections must use
          the same XFP type (SR, LR, or ER).

Planning the Stack


Cross-box stacks larger than two or three boxes can quickly become
quite complex to manage and configure. It’s essential that you
identify your requirements and then create an accurate stack map
reflecting those requirements.

Identifying Requirements
When identifying your requirements, ask the following questions:
• How many boxes will be stacked? Are they all running the same
version of software?
• Will I be connecting copper-to-copper or optical-to-optical
stacking ports?
• Are my optical-to-optical connections using the same XFP type?

• How long will my cable runs be?
• Copper cable runs are limited to a maximum length of 15
meters.
• Fiber cable runs are limited by the XFP type.
SR: 300 meter
LR: 2m - 10km
ER: 40km
See GigaLINK Modules (CU and XR) on page 73 for details on the
cable lengths supported by each GigaLINK-XR XFP type.
• How can I minimize the number of boxes data will need to cross
from input network ports to destination tool ports?

Create the Stack Map


The stack map should identify:
• Each box in the stack along with its stacking port types and Box
ID.
• Stacking link cable routing between the boxes.

Draw a simple picture showing each of the boxes in the stack along
with their Box IDs and how they will be connected (x1, x2, or both). A
simple diagram will make it much easier to connect the cables and
perform the system configuration commands correctly. For example,
you could draw a simple picture like the one shown in Figure 7-3.

In addition, you may want to label each box so that you can match up
the individual boxes with your diagram. Something as simple as a
post-it with a Box ID and IP address attached to the top of each unit
may save you unnecessary confusion later on.



[Diagram: Box ID 1 (192.168.1.1, x1 CU stacking port) connects over a
5 meter cable to the x1 CU stacking port of Box ID 2 (192.168.1.25).
The x2 CU stacking port of Box ID 2 connects over a 10 meter cable to
the x1 CU stacking port of Box ID 3 (192.168.1.50).]

Figure 7-3: Planning a Cross-Box Configuration


Keep in mind the following points as you plan your configuration:
• You will need to specify the cable length in use for any
connections between the copper GigaLINK-CU stacking ports.
This is described in Configuring Cable Lengths (GigaLINK-CU
Stacking Ports) on page 118.
• You cannot mix stacking port types. You can only connect
copper-to-copper or optical-to-optical stacking ports. In addition,
you can only connect optical-to-optical with the same XFP type
(LR, SR, or ER).

Create the Configuration Plans
Once you have drawn your stack map, it’s easy to write up
configuration plans for each box in the stack showing the values for
the configuration commands you will need to issue. For example, the
plans for the stack map in Figure 7-3 could look like this:

Configuration Plan for 192.168.1.1 (Box ID 1)

bid            1
port-type      x1 stack
active_link    x1
x1_bid         2 3
x2_bid         n/a
config port-params x1 ib_cable_len 5

Configuration Plan for 192.168.1.25 (Box ID 2)

bid            2
port-type      x1 x2 stack
active_link    both
x1_bid         1
x2_bid         3
config port-params x1 ib_cable_len 5
config port-params x2 ib_cable_len 10

Configuration Plan for 192.168.1.50 (Box ID 3)

bid            3
port-type      x1 stack
active_link    x1
x1_bid         2 1
x2_bid         n/a
config port-params x1 ib_cable_len 10

Configuring a Box’s Stacking Information


This section describes how to perform the CLI configuration
commands for a cross-box stack. You must set these options for each
of the systems in the stack. You do this before you physically
connect the systems.

GigaVUE-420 distributes traffic through a cross-box stack using Box
IDs. Box IDs uniquely identify each GigaVUE-420 system in a
cross-box stack.

In order for traffic to flow correctly up and down a cross-box stack,
you execute a number of commands on each GigaVUE-420 box in the
stack specifying both the unique Box ID of the local GigaVUE-420 as
well as the Box IDs of each GigaVUE-420 system accessible via the x1
and x2 stacking port(s). Figure 7-4 summarizes this procedure:
NOTE: You must be logged in with super user account privileges to
complete the stack configuration commands in this section.

Step 1 (Assign the Unique Box ID): Use the config system bid command to
assign a unique Box ID to the GigaVUE-420.

Box IDs are used to uniquely identify each system in a cross-box
stack. When you set up packet distribution between systems, you
will use the Box ID to identify a particular port in a cross-box stack.
The format is typically bid-pid (Box ID-Port ID).

See Assigning Box IDs: config system bid on page 116 for
information on assigning a Box ID.

Step 2 (Designate the Stacking Ports): Use the config port-type command
to designate the x1 and/or x2 ports as stacking ports, followed by a
config save to save your changes.

See Designating Stacking Ports: config port-type on page 116 for
information on specifying the Box IDs for neighbor boxes.

Step 3 (Specify the Box ID(s) Connected to the Stacking Port(s)): Use the
config system x1_bid and config system x2_bid commands to specify Box
IDs for all systems accessible through the x1 and x2 stacking ports,
respectively.

See Specifying Neighbor Boxes: config system x1_bid/x2_bid on
page 117 for information on specifying the Box IDs for neighbor boxes.

Step 4 (Specify Copper Cable Lengths): Use the config port-params
<port-id> ib_cable_len command to specify the cable lengths for any
GigaLINK-CU modules used as stacking ports in the x1/x2 slots, followed
by a config save to save your changes.

See Configuring Cable Lengths (GigaLINK-CU Stacking Ports) on
page 118 for information on specifying cable lengths.

Step 5 (Activate the Stacking Port(s)): Use the config system active_link
command to activate the stacking ports on the GigaVUE-420.

You can specify x1, x2, or both. You can only enable active_link for x1
and x2 10 Gb modules that are actually installed in the chassis.

See Activating Stacking Ports: config system active_link on page 119 for
information on setting the active_link option.

Step 6 (Repeat): Repeat the stack configuration commands in Step 1 -
Step 5 for each box in the cross-box stack.

Figure 7-4: CLI Cross-Box Configuration Commands



Assigning Box IDs: config system bid
You use the config system bid command to assign a unique Box ID to
a GigaVUE-420 system. This Box ID is used to distribute traffic across
a cross-box stack.

The syntax for the command is as follows:

config system bid <1~10>

You can stack as many as 10 boxes in this release. Because of this, you
can select Box ID values from 1-10, inclusive. The default Box ID is 1.
NOTE: You must reboot the system to apply changes made to the Box
ID.

Designating Stacking Ports: config port-type


You use the config port-type command to designate the x1 and/or
x2 ports as stacking ports. You must designate the 10 Gb ports you
plan to use as stacking ports.

The config port-type command has the following syntax:


config port-type <port-alias | pid-list | pid-x..pid-y> [network | tool | stack]

For example, when configuring a middle system in a three-box stack,
you could use the following command to designate both the x1 and
x2 ports as stacking ports:
config port-type x1 x2 stack

NOTE: The CLI will not let you set port-type to stack for any ports
other than x1 and x2.

Save Changes!

Make sure you perform a config save to save your port-type changes
to flash.

Specifying Neighbor Boxes: config system x1_bid/x2_bid
You use the config system x1_bid and config system x2_bid
commands to inform the local GigaVUE-420 of the boxes reachable
from its x1 and x2 stacking ports, respectively. GigaVUE-420 uses this
information to distribute traffic up and down the stack correctly.

You must specify the Box IDs of all boxes reachable from the x1 and
x2 stacking ports – not just the immediately adjacent box.

The syntax for these commands is as follows:


config system x1_bid <1-10>

config system x2_bid <1-10>

You can specify multiple Box IDs separated by spaces.

Sample Commands
So, for example, consider our earlier example from Figure 7-3 on
page 112. The first system in this stack (Box ID 1) has only its x1
stacking port connected. Both of the other boxes (2 and 3) are
reachable from this connector. So, the configuration command for
this box is:
config system x1_bid 2 3

However, the second system (Box ID 2) uses both its x1 and x2
connectors. It can access Box ID 1 from its x1 stacking port and Box
ID 3 from its x2 stacking port. So, the configuration commands for
this box are:
config system x1_bid 1
config system x2_bid 3

NOTE: To minimize reboots, you could combine the stack
configuration commands for Box ID 2 into a single command, as
follows:
config system bid 2 x1_bid 1 x2_bid 3 active_link both



Configuring Cable Lengths (GigaLINK-CU Stacking Ports)
For any copper stacking port connections (GigaLINK-CU), you must
use the config port-params <port-id> ib_cable_len command to
specify the length of the InfiniBand cable (in meters).

For example, if the x2 stacking port is connected using a 10 meter
cable, you would use the following command:
config port-params x2 ib_cable_len 10

Similarly, if a GigaLINK-CU was installed in x1 and connected to a 5
meter cable, you would use the following command:
config port-params x1 ib_cable_len 5

You can select 1, 5, 10, or 15 meters for ib_cable_len. The default
value is 5.
NOTE: Five meter cables can be ordered as the standard length. Other
lengths are available as a special order.

Save Changes!

Make sure you perform a config save to save any changes to the cable
length settings.

Activating Stacking Ports: config system active_link
You use the config system active_link command to activate the x1/x2
stacking ports on a GigaVUE-420 system. You must activate the 10
Gb ports you plan to use as stacking ports.

The config system active_link command has the following syntax:


config system active_link <x1 | x2 | both | none>

For example, when configuring a middle system in a three-box stack,
you would use the following command to activate both the x1 and x2
stacking ports:
config system active_link both

Stack Examples: CLI Commands


The following sections provide some sample cross-box
configurations, along with the necessary stack configuration
commands to set them up.
• Example: Two-Box Cross-Box Stack on page 120
• Example: Cross-Box Stack with Four Systems on page 121



Example: Two-Box Cross-Box Stack
Figure 7-5 shows a simple two-box stack. This is the simplest stack
available and requires only a single 10 Gb module on each box in the
stack. Notice in Figure 7-5 that the x2 - x4 slots are unpopulated in
each of the systems – only x1 is populated.

GigaVUE-420 Box ID 1
config system bid 1
config port-type x1 stack
config system x1_bid 2
config system active_link x1
config save

GigaVUE-420 Box ID 2
config system bid 2
config port-type x1 stack
config system x1_bid 1
config system active_link x1
config save

Figure 7-5: Two-Box Stack

Example: Cross-Box Stack with Four Systems
Figure 7-6 shows a more complex stack with four GigaVUE-420’s
connected in a chain. The endpoints of the stack only have a single 10
Gb module installed in slot x1 – the other slots are unpopulated. The
middle systems, however, have all four 10 Gb slots populated and are
using x1 and x2 as stacking ports.

GigaVUE-420 Box ID 1
config system bid 1
config port-type x1 stack
config system x1_bid 2 3 4
config system active_link x1
config save

GigaVUE-420 Box ID 2
config system bid 2
config port-type x1 x2 stack
config system x1_bid 1
config system x2_bid 3 4
config system active_link both
config save

GigaVUE-420 Box ID 3
config system bid 3
config port-type x1 x2 stack
config system x1_bid 1 2
config system x2_bid 4
config system active_link both
config save

GigaVUE-420 Box ID 4
config system bid 4
config port-type x1 stack
config system x1_bid 1 2 3
config system active_link x1
config save

Figure 7-6: Stacking Four GigaVUE-420 Boxes
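
The per-box commands in the examples above follow mechanically from the stack map, including the rule that x1_bid and x2_bid list every reachable box rather than only the adjacent one. The Python sketch below is an added example, not part of the Gigamon guide: the Link type and plan_stack function are hypothetical names, and it assumes the chain cabling used in the guide's figures (the first box uses x1; every later box uses x1 toward the first box and x2 toward the last).

```python
from dataclasses import dataclass

VALID_CU_LENGTHS = (1, 5, 10, 15)   # ib_cable_len values the guide allows
MEDIA = ("CU", "SR", "LR", "ER")    # GigaLINK-CU, or the GigaLINK-XR XFP type
MAX_BOXES = 10                      # Box IDs run from 1 to 10


@dataclass(frozen=True)
class Link:
    """One stacking cable between adjacent boxes (hypothetical helper type).

    A single media value per link enforces the rule that both ends are
    copper, or both ends are optical with the same XFP type.
    """
    media: str = "CU"
    length_m: int = 5               # meters; only used for CU links


def plan_stack(bids, links):
    """Return {bid: [CLI commands]} for boxes chained in the order given.

    links[i] is the cable between bids[i] and bids[i + 1].
    """
    if not 2 <= len(bids) <= MAX_BOXES:
        raise ValueError("a cross-box stack has 2 to 10 boxes")
    if len(set(bids)) != len(bids) or any(not 1 <= b <= MAX_BOXES for b in bids):
        raise ValueError("Box IDs must be unique and between 1 and 10")
    if len(links) != len(bids) - 1:
        raise ValueError("need one link per adjacent pair of boxes")
    for link in links:
        if link.media not in MEDIA:
            raise ValueError(f"unknown stacking media {link.media!r}")
        if link.media == "CU" and link.length_m not in VALID_CU_LENGTHS:
            raise ValueError("ib_cable_len must be 1, 5, 10, or 15 meters")

    plans = {}
    for i, bid in enumerate(bids):
        toward_first, toward_last = bids[:i], bids[i + 1:]
        ports = {}                  # port name -> (reachable Box IDs, cable)
        if i == 0:
            ports["x1"] = (toward_last, links[0])
        else:
            ports["x1"] = (toward_first, links[i - 1])
            if toward_last:         # middle box: needs a second module in x2
                ports["x2"] = (toward_last, links[i])

        cmds = [f"config system bid {bid}",
                f"config port-type {' '.join(ports)} stack"]
        for port, (reachable, _) in ports.items():
            # Every box reachable through the port, not just the neighbor.
            ids = " ".join(str(b) for b in reachable)
            cmds.append(f"config system {port}_bid {ids}")
        for port, (_, link) in ports.items():
            if link.media == "CU":  # cable length applies to copper only
                cmds.append(f"config port-params {port} ib_cable_len {link.length_m}")
        cmds.append(f"config system active_link {'both' if len(ports) == 2 else 'x1'}")
        cmds.append("config save")
        plans[bid] = cmds
    return plans


if __name__ == "__main__":
    # The three-box stack map from Figure 7-3: 5 m and 10 m copper cables.
    for bid, cmds in plan_stack([1, 2, 3], [Link("CU", 5), Link("CU", 10)]).items():
        print(f"--- Box ID {bid} ---")
        print("\n".join(cmds))
```

Running it prints one command list per box; compare each list with the written configuration plan before entering it on that box.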



Making Physical Connections
Once you have finished configuring the cross-box stacking
commands for each of the systems in the stack, turn off all the
systems and make the physical connections shown in your stack map.
Then, power on all the systems and wait for them to complete
booting before verifying the stack’s connectivity.

Verifying a Cross-Box Stack’s Connectivity


You can verify a cross-box stack’s connectivity using the techniques
in this section:
• Check the show diag Output on page 122
• Set Up Cross-Box Connections on page 124

Check the show diag Output


The easiest way to verify end-to-end stack connectivity is to use the
show diag command on the first box in the stack. Then scroll down to
the section listing slot configuration for adjacent boxes. If the system
is able to detect the slot configuration of each of the downstream
boxes in the stack, the stack connectivity is good.

For example, if you issued the show diag command on Box ID 1 in
Figure 7-6 on page 121, the output shown below would indicate that
the stack has been set up correctly. Note the following:
• You can see that slot status has been detected for each of the four
boxes in the stack. Also, the Active_link setting for each is correct,
as well.
• Boxes 5-10 are not present in this stack. Slot status is shown as
Unknown for all slots in each of these boxes.

Box 1 HW=2 Active_link=x1
GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)

Box 2 HW=2 Active_link=both


GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
GigaLINK-CU GigaLINK-CU GigaLINK-CU (slots x2,x3,x4)

Box 3 HW=2 Active_link=both


GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
GigaLINK-CU GigaLINK-CU GigaLINK-CU (slots x2,x3,x4)

Box 4 HW=2 Active_link=x1


GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)

Box 5 HW=0 Active_link=none


Unknown Unknown Unknown (slots 1, 2, 3)
Unknown Unknown Unknown (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)

Box 6 HW=0 Active_link=none


Unknown Unknown Unknown (slots 1, 2, 3)
Unknown Unknown Unknown (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)

Box 7 HW=0 Active_link=none


Unknown Unknown Unknown (slots 1, 2, 3)
Unknown Unknown Unknown (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)

Box 8 HW=0 Active_link=none


Unknown Unknown Unknown (slots 1, 2, 3)
Unknown Unknown Unknown (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)

Stacking GigaVUE-420 Boxes 123


Box 9 HW=0 Active_link=none
Unknown Unknown Unknown (slots 1, 2, 3)
Unknown Unknown Unknown (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)

Box 10 HW=0 Active_link=none


Unknown Unknown Unknown (slots 1, 2, 3)
Unknown Unknown Unknown (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)
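
The check described above can be automated once the show diag text has been captured from a session. The Python below is an added example, not part of the Gigamon guide: it parses the adjacent-box section in the layout printed above and compares it with the planned active_link setting for each box. The function names, the PLAN dictionary and the second capture (marked as constructed) are assumptions, and the parser assumes module names contain no spaces.

```python
import re

HEADER = re.compile(r"^Box\s+(\d+)\s+HW=(\d+)\s+Active_link=(\S+)\s*$")
SLOTS = re.compile(r"^(.*?)\s*\(slots\s+([^)]*)\)\s*$")
STACK_PORTS = {"x1": ("x1",), "x2": ("x2",), "both": ("x1", "x2")}


def parse_show_diag(text):
    """Return {bid: {"hw": int, "active_link": str, "slots": {slot: module}}}."""
    boxes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"hw": int(m.group(2)), "active_link": m.group(3), "slots": {}}
            boxes[int(m.group(1))] = current
            continue
        m = SLOTS.match(line)
        if m and current is not None:
            modules = m.group(1).split()
            names = [s.strip() for s in m.group(2).split(",")]
            if len(modules) != len(names):
                raise ValueError(f"cannot align modules to slots: {line!r}")
            current["slots"].update(zip(names, modules))
    return boxes


def check_stack(boxes, plan):
    """Compare parsed output with plan ({bid: 'x1' | 'x2' | 'both'})."""
    problems = []
    for bid, want in sorted(plan.items()):
        box = boxes.get(bid)
        if box is None or all(m == "Unknown" for m in box["slots"].values()):
            problems.append(f"Box {bid}: slot configuration not detected")
            continue
        if box["active_link"] != want:
            problems.append(f"Box {bid}: Active_link={box['active_link']}, plan says {want}")
        for port in STACK_PORTS[want]:
            module = box["slots"].get(port, "Unknown")
            if not module.startswith("GigaLINK"):
                problems.append(f"Box {bid}: {port} holds {module}, not a GigaLINK module")
    for bid, box in sorted(boxes.items()):
        if bid not in plan and any(m != "Unknown" for m in box["slots"].values()):
            problems.append(f"Box {bid}: detected but not in the stack map")
    return problems


PLAN = {1: "x1", 2: "both", 3: "both", 4: "x1"}   # the four-box stack of Figure 7-6

# Boxes 1-4 as printed in the guide's sample output.
SAMPLE_OK = """\
Box 1 HW=2 Active_link=x1
GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)
Box 2 HW=2 Active_link=both
GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
GigaLINK-CU GigaLINK-CU GigaLINK-CU (slots x2,x3,x4)
Box 3 HW=2 Active_link=both
GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
GigaLINK-CU GigaLINK-CU GigaLINK-CU (slots x2,x3,x4)
Box 4 HW=2 Active_link=x1
GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)
"""

# Constructed capture: Box 2 has only x1 active, so Boxes 3 and 4 are not seen.
SAMPLE_BROKEN = """\
Box 1 HW=2 Active_link=x1
GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)
Box 2 HW=2 Active_link=x1
GigaMgmt-CU GigaPORT GigaPORT (slots 1, 2, 3)
GigaPORT GigaPORT GigaLINK-CU (slots 4, 5,x1)
GigaLINK-CU GigaLINK-CU GigaLINK-CU (slots x2,x3,x4)
Box 3 HW=0 Active_link=none
Unknown Unknown Unknown (slots 1, 2, 3)
Unknown Unknown Unknown (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)
Box 4 HW=0 Active_link=none
Unknown Unknown Unknown (slots 1, 2, 3)
Unknown Unknown Unknown (slots 4, 5,x1)
Unknown Unknown Unknown (slots x2,x3,x4)
"""

if __name__ == "__main__":
    for name, capture in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(name, check_stack(parse_show_diag(capture), PLAN) or "stack matches plan")
```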

Set Up Cross-Box Connections


You can also verify stack connectivity by setting up a simple
cross-box connection between a network port on one end of the stack
and a tool port on the other end of the stack.

So, for example, you could issue the following command on each of
the boxes shown in Figure 7-6 on page 121.
config xbconnect 1-2 to 4-2 alias stacktest

Issue the exact same xbconnect command on each box in the stack.
Then, send traffic across this xbconnection to verify connectivity.
NOTE: If data does not appear, see Troubleshooting Cross-Box Stacks on
page 125 for tips on resolving the problem.
NOTE: You may want to set up a second cross-box connection in the
opposite direction to verify connectivity in both directions (for
example, from 4-3 to 1-3).

Configuring Cross-Box Packet Distribution
When configuring cross-box packet distribution, keep in mind that
many of the standard single-box commands have cross-box
equivalents. The table below summarizes these commands.

Cross-box commands start with the letters “xb” (for “cross-box”). In
contrast to single-box packet distribution commands, cross-box
commands will typically expect port numbers to be specified in the
format bid-pid (Box ID-Port ID) instead of just pid (Port ID).

Both single-box and cross-box packet distribution commands are
discussed in detail in Introducing Packet Distribution on page 197.

Single-Box Command    Cross-Box Equivalent
config port-filter    config xbport-filter
config connect        config xbconnect
config map            config xbmap
config mapping        config xbmapping

Troubleshooting Cross-Box Stacks


If cross-box traffic is not flowing across the stacked boxes as expected,
there are a number of steps you should follow:
1. Use the following commands on each box in the system to verify
all configured stacking information is correct and matches what’s
entered in your stack map.
• Use the show system command to verify that Box_ID,
x1_bid, x2_bid, and active_link settings are configured
correctly for all systems.
• Use the show connect command to verify that port-type is
configured correctly for all stacking ports.



• Use the show port-params command to verify that cable
length is configured correctly for any GigaLINK-CU stacking
ports.
Correct any mistakes and see if this resolves the problem.
2. If you are certain that stacking information has been correctly
entered for each box and traffic is still not flowing correctly,
verify that the active stacking ports on each box have their link
status set to 1, indicating that the link is up. You can do this with
the show port-params x1 and show port-params x2 commands.
The output from these commands gives the link status of the x1
and x2 ports, respectively. Verify that linkstatus = 1 for all active
x1/x2 stacking ports in the stack. If it is not, make sure your
cables are good and that the connectors are securely fastened.
3. If the link status for all active stacking ports in the stack is 1, the
next step is to verify that packets can traverse the stack from one
end to the other. If you have not already done so, create a simple
xbconnect using a network port on the first box of the stack and
send traffic to a tool port on the end box in the stack (see Verifying
a Cross-Box Stack’s Connectivity on page 122 for details on how to
do this).
If the packets now can pass through from one edge of the stack to
the other edge, then the problem was likely in the original flow
configuration commands (for example, xbconnect, xbmap, or
xbmapping) and/or how they were applied to all the boxes.
Check the Stacking Rules on page 110 for any violations.
4. If packets still do not pass through using the simple xbconnect,
then try the show port-params command for x1 and x2 again and
verify that linkstatus = 1 for active x1 and x2 stacking ports as
you did in Step 2. All active stacking ports must show a
linkstatus = 1 to indicate the stack links are up.
If linkstatus = 0 on an active stacking port, disconnect and
reconnect the cable at both ends and check the link status again. If
the links are now up, then resend the traffic across the simple
xbconnect.
5. If packets still don’t pass, check the path from the first box to the
last box and every box in between.

Do so by creating an xbconnect from 1-1 to 1-4, 2-4, 3-4, 4-4, and
so on until the n-4 in the last box. Continue to send traffic into 1-1
and monitor for packets coming out at 2-4, 3-4, 4-4, and so on.
Record which ports do not have traffic coming out. The link
between the last box with traffic coming out and the one without
traffic coming out is likely where the link is configured
improperly. In addition, Link Status must be 1 for each of the
ports in the xbconnection. You can check the Link Status for a
port by using a show port-params command on its system.

Making Changes to an Existing Cross-Box Stack


This section describes how to make changes to an existing cross-box
stack already in place. The following common scenarios are covered:
• Adding a Box to the Edge of a Stack on page 127
• Remove a Box from the Edge of a Stack on page 128
• Adding a Box to the Middle of a Stack on page 128
• Disconnect a Box in the Middle of a Stack on page 129
NOTE: In general, for any changes to a cross-box stack, you should
make a new stack map and completely specify all details before
making any changes.

Adding a Box to the Edge of a Stack


To add a new box to the stack at its edge, do the following:
1. Configure the new box using the steps in Configuring a Box’s
Stacking Information on page 114.
2. Check the x1_bid and x2_bid lists for all the other boxes in the
stack and modify them as necessary to include this added box
(using the config system x1_bid and config system x2_bid
commands).
3. The active_link option on the original edge box of the stack will
need to be changed to both if it was set to only x1 or x2 before.
4. Boot the new box and log in as a super user.



5. Delete all existing xbconnect and xbmaps on each system.
6. Verify that traffic can flow to the new box using the procedure in
Verifying a Cross-Box Stack’s Connectivity on page 122.

Remove a Box from the Edge of a Stack


Whenever you remove a box from a cross-box stack, you should
update your stack map with all the new configuration information
before making any changes.

Use the following procedure to remove a box located at the edge of a
stack:
1. Power off the box to be removed and disconnect its stacking
cable.
2. Use the new stack map to verify and correct the x1_bid and
x2_bid lists for all the other boxes in the stack.
3. Once the new stack is complete and all boxes have been
configured correctly, remove all xbconnects and xbmaps and
apply the new xbconnect and xbmaps to each box in exactly the
same sequence. Since this is only a removal and no new stack
path is added, a stack path verification is not needed if there were
no problems with the path before.

Adding a Box to the Middle of a Stack


Whenever you make a change to a cross-box stack, you should
update your stack map with all the new configuration information
before making any changes.

To add a new box to the middle of the stack, do the following:


1. Configure the new box using the steps in Configuring a Box’s
Stacking Information on page 114.
2. Power off the box.
3. Insert the new box at the desired point in the stack by breaking
the stacking connection between the two boxes located there now.

Then, connect the new box's stacking ports to each of its
neighbors according to the updated stack map.
4. Power on the new box and log on as a super user.
5. Check the x1_bid and x2_bid lists for all the other boxes in the
stack and modify them as necessary to include this added box
(using the config system x1_bid and config system x2_bid
commands).
6. Boot the new box and log in as a super user.
7. Delete all existing xbconnect and xbmaps on each system in the
stack.
8. Verify that traffic can flow to the new box using the procedure in
Verifying a Cross-Box Stack’s Connectivity on page 122.

Disconnect a Box in the Middle of a Stack


There are two ways to disconnect a box in the middle of a cross-box
stack:
• Case 1: Create Two Separate Stacks on page 129
• Case 2: Recreate Stack with One Fewer Box on page 130

Case 1: Create Two Separate Stacks

In this case, you remove the box and create two new stacks from the
previous larger stack. For each new stack:
1. Create a new stack map.
2. Reconfigure the x1_bid and x2_bid lists for all the boxes in the
stack.
3. Reconfigure the active_link settings for the boxes that are newly
located at the edge of the stack, if necessary.
4. Delete all existing xbconnect and xbmaps on each system in the
stack.
5. If there were no problems with the cross box traffic flow before,
you probably do not need to perform the stack verification
procedure in Verifying a Cross-Box Stack’s Connectivity on
page 122, unless the stack links between the boxes have been
rearranged. In that case, a stack path check should be performed
before the new xbconnect and xbmaps are applied to each of the
boxes.

Case 2: Recreate Stack with One Fewer Box


1. Create a new stack map since this is essentially a new stack.
2. Reconfigure the x1_bid and x2_bid lists for all the boxes in the
stack.
3. Delete all existing xbconnect and xbmaps on each system in the
stack.
4. Verify that traffic can flow to the new box using the procedure in
Verifying a Cross-Box Stack’s Connectivity on page 122.

Power Loss Considerations for Cross-Box Stacks
This section provides some considerations for power loss to boxes in
a cross-box stack:
• Power Loss on Box in the Middle of a Stack on page 131
• Power Loss and Power Restore to the Entire Stack on page 131

Power Loss on Box in the Middle of a Stack


If you expect the power outage to be temporary, it’s generally best to
take no action at all – simply wait for the stack to restore itself once
the box is powered up again.

Any changes to the stack (for example, bypassing the non-functional
box) will require a new map configuration. Depending on the
complexity of your maps and your stack, it could take more time to
do this than it would to just wait for power to be restored (plus the
time required to change back to the initial configuration once power
is back).

Power Loss and Power Restore to the Entire Stack


Once power has been restored, the original stack will resume
operation, assuming all the boxes have their configuration saved in
flash. This is a good reason to perform a config save filename.cfg
after setting up cross-box packet distribution.

Chapter 8

Configuring GigaVUE-420 Security Options
This chapter describes how to set GigaVUE-420 options relating to
security – which users can log into the box, how users are
authenticated, who owns which ports, and the security level
currently in place.

Previous chapters provided you with the basic information needed to
get you up and running with user accounts of different levels
authenticating locally to the box. This chapter focuses on security in
the broader context of an overarching security strategy.

The chapter includes the following sections:


• About GigaVUE-420 Security on page 134
• Configuring Users and Passwords on page 135
• Configuring Lock Levels and Port Ownership on page 139
• Configuring Authentication (AAA) on page 143

About GigaVUE-420 Security
GigaVUE-420 provides an interlocking set of options that let you
create a comprehensive security strategy for the unit. These options
are summarized in the table below:

Security Tools and Descriptions

Account Levels
GigaVUE-420 uses three different account levels – super, normal, and audit. Each
account level has a different set of privileges. For normal users, these privileges
change depending on the overall lock-level in place on the unit (none, medium, or
high).
Super users can set up accounts using the config user command. See Configuring
Users and Passwords on page 135 for details.

Port Ownership
GigaVUE-420 can provide selective port access to different users. Super users can
assign port ownership to normal users using the config port-owner command.
Port privileges change for normal users depending on the overall lock-level in place
on the unit.
See Configuring Lock Levels and Port Ownership on page 139 for details.

Lock-Level
GigaVUE-420 provides three different overall security levels (called lock-levels) for
the unit – none, medium, or high. Privileges for normal users change depending on
the lock-level in place.
Super users can change the lock-level using the config system lock-level command.
See Configuring Lock Levels and Port Ownership on page 139 for details.

Authentication
GigaVUE-420 can authenticate users against a local user database or against the
database stored on an external TACACS+ or RADIUS server.
Super users can specify different authentication methods for the Console (serial)
port and the Ethernet (SSH2/Telnet) port using the config system aaa command.
See Configuring Authentication (AAA) on page 143 for details.
NOTE: The serial Console port must always retain local authentication as a fallback
option to prevent unintended lockouts.

134 Chapter 8
Configuring Users and Passwords
You use the config user command to set up local user accounts on the
GigaVUE-420 unit. You can set up different user account levels –
super, normal, and audit – so that each user has rights that are
appropriate for the type of work they will be doing with the
GigaVUE-420.

The config user command has the following syntax:


config user <name-string> <password> <password-again>
[level <audit | normal | super>]
[description "string"]

The table below describes the arguments for the config user
command:

Argument Description
<name-string> The name used for this user account. Names must consist of 5-30
alphanumeric characters.

<password> <password-again> The password for this user account.


Acceptable passwords contain 6-30 alphanumeric characters. At
least one of the characters must be a numeral.

level <audit | normal | super> Specifies the account privileges for this user account. There are three
types of user accounts ranging from the most privileges to the least –
super, normal, and audit.
• Super users have access to all ports on the box regardless of the
lock-level in place. They can also perform all configuration commands.
• Normal users have access to different ports depending on the
lock-level in place. They cannot perform system configuration
commands.
    • When lock-level = none, normal users have access to all network
    and tool ports.
    • When lock-level = medium, normal users have access to all
    network ports. However, they can only set up connections, filters,
    and maps for tool ports they own. Super users can assign port
    ownership to normal users using the config port-owner command.
    • When lock-level = high, normal users can only configure
    connections, filters, and maps for network and tool ports they own.
    NOTE: Appendix C, Lock-Level Reference provides full details on the
    different policies in place at each lock-level.
• Audit users do not have access to any ports. Their access consists
mainly of the ability to use the show command to see what basic
settings are in place on the box.

description “string” The description string may contain spaces and other characters, but must
be contained in quotation marks (for example, “IT User”). The maximum
number of characters in a description string is 125 alphanumeric
characters.
Description strings appear in the CLI display when performing a show
user command.

Examples
The following config user commands create a new super user,
normal user, and audit user:

Command Comments

config user MySuperUser 1password 1password level super description "New Super User Account"
    Creates a new account named MySuperUser with the password
    1password and the description “New Super User Account.”

config user MyNormalUser 2password 2password level normal description "New Normal User Account"
    Creates a new account named MyNormalUser with the password
    2password and the description “New Normal User Account.”

config user MyAuditUser 3password 3password level audit description "New Audit User Account"
    Creates a new account named MyAuditUser with the password
    3password and the description “New Audit User Account.”

Changing Passwords
Super users can change passwords for all other users with the config
password command. The syntax for this command is as follows:
config password [user <name-string> <new-password> <new-password-again>]

So, for example, to change the password of the MyNormalUser
created in the previous example to 25password, a super user would
use the following command:
config password user MyNormalUser 25password 25password



Maximum Simultaneous Sessions
The following table summarizes GigaVUE-420’s support for
simultaneous sessions:

Session Type    Maximum Simultaneous Sessions
Telnet          20 Telnet Sessions, 1 Serial Session
SSH2            10 SSH2 Sessions, 1 Serial Session

Configuring Lock Levels and Port Ownership
The config system lock-level and config port-owner commands
work together to specify what rights different accounts have on the
GigaVUE-420 unit.

The lock-level in force on the GigaVUE-420 can be none, medium, or
high. In general, as the lock-level increases, normal users have fewer
rights on the box, except for those ports to which they have been
assigned ownership using the config port-owner command.
Figure 8-1 summarizes this.
NOTE: The lock-level in place changes more than just port
availability. Complete details on the CLI rights available to each
account level (super, normal, and audit) at each lock-level (none,
medium, or high) are provided in Appendix C, Lock-Level Reference.

[Figure: three panels (Lock-Level = None, Lock-Level = Medium, Lock-Level = High), each showing Network Ports 1-3 and Tool Ports 4-6 for a normal user who owns the Green ports and does not own the Red ports.]

• Lock-Level = None: When lock-level is set to none, normal users have
access to all Network and Tool ports. Port ownership cannot be assigned
when the lock-level is none.
• Lock-Level = Medium: When lock-level = medium, normal users have
access to all Network ports. However, they can only set up connections,
filters, and maps for Tool ports they own.
• Lock-Level = High: When lock-level = high, normal users can only
configure connections, filters, and maps for Network and Tool ports
they own.

Figure 8-1: How lock-level works with port-owner

Syntax for the config system lock-level Command
You use the config system lock-level command to specify the
lock-level in place on the GigaVUE-420 unit. The three levels are
none, medium, and high, as summarized below:
config system lock-level <none | medium | high>

For example, to set the lock-level to high, a super user would use the
following command:
config system lock-level high

Changing lock-level to none


You can only assign port ownership when the lock-level in place on
the GigaVUE-420 is either medium or high. Because of this, when
you change the lock-level from either medium or high to none, all
existing port-ownership assignments will be cleared. The
assignments will not be restored if you change the lock-level back to
medium or high.

Syntax for the config port-owner Command


Super users use the config port-owner command to assign port
ownership to local users.
NOTE: You can only assign port ownership when the lock-level in
place on the GigaVUE-420 is either medium or high. All users have
access to all ports when the lock-level is none.
NOTE: You assign port-ownership to TACACS+/RADIUS users
within the TACACS+/RADIUS server itself using an access control
list. See Setting up GigaVUE-420 Users in an External Authentication
Server on page 156 for details.

The config port-owner command has the following syntax:


config port-owner <port-alias | pid-list | pid-x..pid-y> owner <name-string>

The table below describes the arguments for the config port-owner
command:



Argument Description
<port-alias | pid-list | pid-x..pid-y> Specifies the ports to which the named user will be granted ownership.
You can grant ownership to a single port (either by alias or number), a
list of ports, or a contiguous series of ports.

owner <name-string> The name of the account being granted port ownership.

Examples
The following config port-owner commands illustrate different
ways to assign port ownership:

Command Comments

config port-owner 1..6 owner MyNormalUser
    Grants ownership of ports 1-6 to the user named MyNormalUser.

config port-owner ToolPort owner User2000
    Grants ownership of the port with the alias ToolPort to the user
    named User2000.

config port-owner 3 6 12 owner User3000
    Grants ownership of ports 3, 6, and 12 to the user named User3000.
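
The lock-level and port-owner rules above can be checked with a small model. This is an added illustration, not GigaVUE-420 code: the class and function names are hypothetical, the port layout follows Figure 8-1, and "access" and "configure" are treated as one check.

```python
# Added model of the lock-level / port-owner rules in this chapter.
# Names are hypothetical; this is not GigaVUE-420 code.

NETWORK, TOOL = "network", "tool"
LOCK_LEVELS = ("none", "medium", "high")


class Unit:
    def __init__(self, port_types):
        self.port_types = dict(port_types)  # port number -> NETWORK or TOOL
        self.lock_level = "none"
        self.owners = set()                 # (port, user) ownership pairs

    def set_lock_level(self, level):
        """config system lock-level <none | medium | high>"""
        if level not in LOCK_LEVELS:
            raise ValueError(f"unknown lock-level: {level}")
        if level == "none":
            # Assignments are cleared on the way down and are not restored
            # when the lock-level is raised again.
            self.owners.clear()
        self.lock_level = level

    def assign_owner(self, ports, user):
        """config port-owner <ports> owner <user>"""
        if self.lock_level == "none":
            raise RuntimeError("port ownership needs lock-level medium or high")
        for port in ports:
            if port not in self.port_types:
                raise KeyError(f"no such port: {port}")
            self.owners.add((port, user))

    def can_configure(self, user, level, port):
        """May this account set up connections, filters and maps on port?"""
        if level == "super":
            return True                     # all ports at every lock-level
        if level == "audit":
            return False                    # no port access at all
        owned = (port, user) in self.owners
        if self.lock_level == "none":
            return True
        if self.lock_level == "medium":
            return self.port_types[port] == NETWORK or owned
        return owned                        # high: owned ports only

    def configurable_ports(self, user, level):
        return [p for p in sorted(self.port_types)
                if self.can_configure(user, level, p)]


def lock_level_round_trip():
    """Ports a normal user can configure before, during and after a
    temporary drop to lock-level none (ports as in Figure 8-1)."""
    unit = Unit({1: NETWORK, 2: NETWORK, 3: NETWORK, 4: TOOL, 5: TOOL, 6: TOOL})
    unit.set_lock_level("high")
    unit.assign_owner([1, 4], "MyNormalUser")
    seen = {"high": unit.configurable_ports("MyNormalUser", "normal")}
    unit.set_lock_level("medium")
    seen["medium"] = unit.configurable_ports("MyNormalUser", "normal")
    unit.set_lock_level("none")
    seen["none"] = unit.configurable_ports("MyNormalUser", "normal")
    unit.set_lock_level("high")
    seen["high again"] = unit.configurable_ports("MyNormalUser", "normal")
    return seen


if __name__ == "__main__":
    for state, ports in lock_level_round_trip().items():
        print(f"{state:>10}: {ports}")
```

The round trip shows the operational cost of a temporary drop to none: every normal user gains all ports while it lasts, and every port-owner assignment has to be re-entered afterwards.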

Configuring Authentication (AAA)
You use the config system aaa command to specify whether
GigaVUE-420 logins are authenticated against a local user
database or the database in an external authentication server
(TACACS+ or RADIUS). You can also use an external authentication
server as your primary authentication method with local
authentication as a fallback (Figure 8-2). The fallback is used when an
authentication server is unreachable.

Separate User Databases for Local and External Users

The local and RADIUS/TACACS+ user databases are completely
separate. Users authenticating with RADIUS/TACACS+ do not need
to have duplicate accounts created in the local user database. They
only need to appear in the RADIUS/TACACS+ database. See Using
GigaVUE-420 with an External Authentication Server on page 148 for
details on how to assign rights to GigaVUE-420 users within the
RADIUS or TACACS+ server.

[Figure: Local vs. External Authentication, showing External Users and Local Users.]

• When using external authentication (RADIUS or TACACS+), logins are
verified against accounts stored remotely on the external server.
• When using local authentication, logins are verified against accounts
stored locally on the GigaVUE-420.

Figure 8-2: Local vs. External Authentication



Authentication Options
The config system aaa command provides flexible options for
authentication:
• You can set the config system aaa option differently for logins
made via SSH2/Telnet over the Ethernet port and local logins
made over the Console (serial) port. For example, you could
specify that SSH2/Telnet logins be authenticated using RADIUS
or TACACS+ while local logins could rely on the local user
database.
• You can set fallback options for both the Mgmt port and the
Console port. You do this by enabling both external (either
RADIUS and/or TACACS+) and local authentication. When you
do this, GigaVUE-420 will authenticate users using the methods
in the same order you specify them in the config system aaa
command.
For example, the following command specifies that users logging
in via SSH2/Telnet to the Mgmt port should first be
authenticated using the TACACS+ server(s) specified by the
config tac_server command. If those servers are unavailable,
authentication can then fall back to the local user database.
config system aaa ethernet tacacs+ local

The same command for a RADIUS server set up with config
rad_server would look like this:
config system aaa ethernet radius local

• You can even use both RADIUS and TACACS+ for the same port
– GigaVUE-420 will try the methods in the same order in which
they are specified. For example:
config system aaa ethernet radius tacacs+ local

If the RADIUS servers are down, GigaVUE-420 uses the
TACACS+ servers. If the TACACS+ servers are down,
GigaVUE-420 falls back to local authentication.

Console Port Always Retains Local Authentication!

To prevent accidental lockouts, GigaVUE-420 always preserves local
authentication for the Console (serial) port. This way, if an external
authentication server goes down, you can still gain access to the box
through the local Console port.

For example, after issuing the following command, the system would
automatically add local authentication to the Console port. It would
not let you leave the Console port with only TACACS+
authentication.
config system aaa serial tacacs+



Syntax for the config system aaa Command
Super users use the config system aaa command to specify how users
will be authenticated on both the Ethernet (SSH2/Telnet) and
Console (serial) ports.

The config system aaa command has the following syntax:


config system aaa <serial | ethernet> <[tacacs+] [radius] [local]>

The table below describes the arguments for the config system aaa
command:

Argument Description
<serial | ethernet> Specifies which GigaVUE-420 port you are configuring authentication
for:
• serial – Console port.
• ethernet – Mgmt port.

<[tacacs+] [radius] [local]> Specifies which authentication methods should be used for the
specified port and the order in which they should be used.
You can enable all authentication methods for either port. If you
enable more than one method, GigaVUE-420 uses the methods in the
same order in which they are specified, falling back as necessary. If
the first method fails, it will fall back to the secondary method, and so
on.
If you enable radius or tacacs+, you must also:
• Configure the RADIUS or TACACS+ server using the
corresponding config rad_server or config tac_server command.
• Set up GigaVUE-420 users within the RADIUS/TACACS+ server
itself.
These two steps are described in Using GigaVUE-420 with an
External Authentication Server on page 148.
NOTE: GigaVUE-420 always preserves local authentication for the
Console (serial) port to prevent accidental lockouts.

Examples
The following config system aaa commands demonstrate
different ways to set up authentication:

Command Comments

config system aaa ethernet local
    Specifies that SSH2/Telnet logins made over the Mgmt port will be
    authenticated solely using the local user database created with the
    config user command.

config system aaa ethernet tacacs+ local
config system aaa ethernet radius local
    Two examples of external authentication, one using a TACACS+
    server and the other using a RADIUS server.
    Both commands specify that SSH2/Telnet logins made over the
    Mgmt port will be authenticated using the external servers set up
    with the config tac_server or config rad_server command.
    You can specify as many as five external authentication servers of
    each type – if the first server experiences a failure, GigaVUE-420
    will try the next until all of the named servers have been tried.
    Servers are used in the same order they were specified.
    If authentication fails with all of the named external servers, these
    commands specify that GigaVUE-420 will then fall back to local
    authentication.

config system aaa serial tacacs+
    Specifies that local logins made over the Console port will be
    authenticated using the TACACS+ servers set up with the config
    tac_server command.
    If you use this command, GigaVUE-420 will automatically add local
    authentication to prevent you from accidentally locking yourself out
    of the box should the TACACS+ servers fail.



Using GigaVUE-420 with an External
Authentication Server
If you enable either RADIUS or TACACS+ authentication with the
config system aaa command, you must also perform some additional
configuration tasks, both within GigaVUE-420 and the external server
itself:

Step 1: Configure GigaVUE-420. Once you have enabled RADIUS or TACACS+
authentication using the config system aaa command described in Configuring
Authentication (AAA) on page 143, specify the RADIUS or TACACS+
servers to be used for authentication.
See Specifying TACACS+ Servers in GigaVUE-420 on page 149 and
Specifying RADIUS Servers in GigaVUE-420 on page 152.

Step 2: Configure the Authentication Server. Configure the external
authentication server by creating accounts for GigaVUE-420 users within the
server itself, specifying both the account level and port ownership privileges.
See Setting up GigaVUE-420 Users in an External Authentication Server
on page 156.

Figure 8-3: Steps to Use GigaVUE-420 with a TACACS+ Server

Separate User Databases for Local and RADIUS/TACACS+

The local and RADIUS/TACACS+ databases are completely
separate. Users authenticating with RADIUS or TACACS+ do not
need to have duplicate accounts created in the local user database.
They only need to appear in the RADIUS/TACACS+ database.

When a RADIUS/TACACS+ user logs in successfully, GigaVUE-420
creates user account information dynamically in RAM. When the
session is terminated, GigaVUE-420 removes the account
information.

Specifying TACACS+ Servers in GigaVUE-420
Super users use the config tac_server command to specify the
TACACS+ servers to be used for authentication. You can specify as
many as five different TACACS+ servers. Servers are used as
fallbacks in the same order they are specified – if the first server fails,
the second is tried, and so on, until all named servers have been used.
NOTE: Once a connection is made to a particular TACACS+ server,
the system will continue to connect to this TACACS+ server first until
the system is rebooted. Because of this, it is important to configure
the primary TACACS+ server as the first server and then configure
the backup TACACS+ servers as the second, third, fourth, or fifth.

Syntax for the config tac_server Command


The syntax for the config tac_server command is as follows:
config tac_server host <ipaddr>
key "string"
[port <value>]
[timeout <1~90>] (seconds)
[single_connection <1 | 0>]
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
[alias <alias-string>]

The table below describes the arguments for the config tac_server
command:

Argument Description
host <ipaddr> Specifies the IP address of the TACACS+ server.

key "string" Specifies a string to be used for encryption of authentication packets
sent between GigaVUE-420 and the TACACS+ server.
An empty key string ("") indicates that no key will be used. Without a
key, there will be no encryption of the packets between the TACACS+
server and the GigaVUE-420 system.

[port <value>] Specifies the port to be used on the TACACS+ server. If you do not
specify a value, GigaVUE-420 will default to the standard TACACS+
port number of 49.

[timeout <1~90>] (seconds) Specifies how long GigaVUE-420 should wait for a response from the
TACACS+ server to an authentication request before declaring a
timeout failure. The default value is three seconds.

[single_connection <1 | 0>] Specifies whether GigaVUE-420 should use the same connection for
multiple TACACS+ transactions (authentication, accounting, and so
on), or open a new connection for each transaction:
• 1 – TACACS+ transactions will use the same session with the
server. The socket will remain open after it is first opened.
• 0 – Each TACACS+ transaction opens a new socket. The socket is
closed when the session is done.
The default is disabled (0).

[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
These options specify how privilege level checks are performed for
TACACS+ servers.
• priv_lvl_check specifies how GigaVUE-420 should assign user
rights for TACACS+ users.
    • If this option is enabled (the default), the three _priv_lvl options
    below it are used to map privilege levels for the corresponding
    user types (Audit, Normal, and Super).
    • If this option is not enabled, all TACACS+ users log in with
    Super user rights.
• super_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Super user level when priv_lvl_check
is enabled.
• normal_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Normal user level when priv_lvl_check
is enabled.
• audit_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Audit user level when priv_lvl_check
is enabled.
NOTE: If no values are specified for the three _priv_lvl options and
privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2
(Audit, Normal, and Super, respectively).
NOTE: GigaVUE-420 will not let you enter out-of-order privilege
levels. The value specified for super must be higher than that
specified for normal, and so on.

[alias <alias-string>] Specifies an alphanumeric alias for this TACACS+ server to be used in
show tac_server displays.

Examples

The following config tac_server commands demonstrate different
ways to specify a TACACS+ server:

Command Comments
config tac_server host 192.168.1.225 key "gv" priv_lvl_check 1 super_priv_lvl 10 normal_priv_lvl 5 audit_priv_lvl 0 alias TAC1
Specifies that:
• Users logging in via TACACS+ will be
authenticated against the TACACS+ server at
192.168.1.225.
• Authentication packets will be encrypted using
the string gv.
• Default values will be used for the port,
timeout, and single_connection arguments.
• GigaVUE-420 will map the full 0-15 range of
TACACS+ user levels to its own levels.
TACACS+ users with privilege levels of 10 will
receive Super user privileges, 5 will receive
Normal, and 0 will receive Audit.
• The alias for this TACACS+ server is TAC1.

config tac_server host 192.168.1.12 key "mykey" port 234 alias TAC2
Specifies that:
• Users logging in via TACACS+ will be
authenticated against the TACACS+ server at
192.168.1.12.
• Authentication packets will be encrypted using
the string mykey.
• The non-standard port 234 will be used instead
of 49.
• Default values will be used for the timeout and
single_connection arguments.
• Standard 0-2 privilege level mappings will be
used.
• The alias for this TACACS+ server is TAC2.
NOTE: If this command was used after the
command in the previous row, this server would
be the backup TACACS+ server for the
previously-specified server.



Figure 8-4 shows the results of a show tac_server command for the
servers set up in the previous examples:

Figure 8-4: Results of a show tac_server Command

Specifying RADIUS Servers in GigaVUE-420


Super users use the config rad_server command to specify the
RADIUS servers to be used for authentication. You can specify as
many as five different RADIUS servers. Servers are used as fallbacks
in the same order they are specified – if the first server fails, the
second is tried, and so on, until all named servers have been used.
NOTE: Once a connection is made to a particular RADIUS server, the
system will continue to connect to this RADIUS server first until the
system is rebooted. Because of this, it is important to configure the
primary RADIUS server as the first server and then configure the
backup RADIUS servers as the second, third, fourth, or fifth.

Syntax for the config rad_server Command
The syntax for the config rad_server command is as follows:
config rad_server host <ipaddr>
key "string"
[authen_port <1~65535>]
[account_port <1~65535>]
[timeout <1~90>] (seconds)
[max_tries <1~10>]
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
[alias <alias-string>]

The table below describes the arguments for the config rad_server
command:

Argument Description
host <ipaddr> Specifies the IP address of the RADIUS server.

key "string" Specifies a string to be used for encryption of authentication packets
sent between GigaVUE-420 and the RADIUS server.
An empty key string ("") indicates that no key will be used. Without a
key, there will be no encryption of the packets between the RADIUS
server and the GigaVUE-420 system.

[authen_port <1~65535>] Specifies the authentication port to be used on the RADIUS server. If
you do not specify a value, GigaVUE-420 will default to the standard
RADIUS authentication port number of 1812.

[account_port <1~65535>] Specifies the accounting port to be used on the RADIUS server. If you
do not specify a value, GigaVUE-420 will default to the standard
RADIUS accounting port number of 1813.

[timeout <1~90>] (seconds) Specifies how long GigaVUE-420 should wait for a response from the
RADIUS server to an authentication request before declaring a
timeout failure. The default value is three seconds.

[max_tries <1~10>] Specifies the maximum number of times GigaVUE-420 will retry a
failed connection to this RADIUS server before falling back to the next
authentication method specified by the config system aaa command
currently in place. The default value is three tries.

[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
These options specify how privilege level checks are performed for
RADIUS servers.
• priv_lvl_check specifies how GigaVUE-420 should assign user
rights for RADIUS users.
    • If this option is enabled (the default), the three _priv_lvl options
    below it are used to map privilege levels for the corresponding
    user types (Audit, Normal, and Super).
    • If this option is not enabled, all RADIUS users log in with Super
    user rights.
• super_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Super user level when priv_lvl_check
is enabled.
• normal_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Normal user level when priv_lvl_check
is enabled.
• audit_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Audit user level when priv_lvl_check
is enabled.
NOTE: If no values are specified for the three _priv_lvl options and
privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2
(Audit, Normal, and Super, respectively).
NOTE: GigaVUE-420 will not let you enter out-of-order privilege
levels. The value specified for super must be higher than that
specified for normal, and so on.

[alias <alias-string>] Specifies an alphanumeric alias for this RADIUS server to be used in
show rad_server displays.

Examples

The following config rad_server commands demonstrate different
ways to specify a RADIUS server:

Command Comments
config rad_server host 192.168.1.72 key "gvmp" priv_lvl_check 1 super_priv_lvl 15 normal_priv_lvl 10 audit_priv_lvl 5 alias RAD1
Specifies that:
• Users logging in via RADIUS will be
authenticated against the RADIUS server at
192.168.1.72.
• Authentication packets will be encrypted using
the string gvmp.
• Default values will be used for the
authentication port, accounting port,
timeout, and max_tries arguments.
• GigaVUE-420 will map the full 0-15 range of
RADIUS user levels to its own levels. RADIUS
users with privilege levels of 15 will receive
Super user privileges, 10 will receive Normal,
and 5 will receive Audit.
• The alias for this RADIUS server is RAD1.

config rad_server host 192.168.1.76 key "lowkey" authen_port 2500 account_port 2501 alias RAD2
Specifies that:
• Users logging in via RADIUS will be
authenticated against the RADIUS server at
192.168.1.76.
• Authentication packets will be encrypted using
the string lowkey.
• Non-standard authentication and accounting
ports will be used.
• Default values will be used for the timeout and
max_tries arguments.
• Standard 0-2 privilege level mappings will be
used.
• The alias for this RADIUS server is RAD2.
NOTE: If this command was used after the
command in the previous row, this server would
be the backup RADIUS server for the
previously-specified server.



Figure 8-5 shows the results of a show rad_server command for the
servers set up in the previous examples:

Figure 8-5: Results of a show rad_server Command
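
The config system aaa, config tac_server and config rad_server sections above each describe settings that weaken authentication when set a certain way. The following audit sketch checks a saved list of those commands for them. It is an added example, not Gigamon code: the function names and the sample input are constructed, and the two assumptions it makes are marked in comments.

```python
# Added audit sketch for the AAA commands documented in this chapter.
# Function names and the sample input are constructed; not Gigamon code.
import shlex

PRIV_RANGES = {"super_priv_lvl": (2, 15), "normal_priv_lvl": (1, 14),
               "audit_priv_lvl": (0, 13)}
PRIV_DEFAULTS = {"super_priv_lvl": 2, "normal_priv_lvl": 1, "audit_priv_lvl": 0}
SERVER_CMDS = {"tac_server": "tacacs+", "rad_server": "radius"}


def effective_aaa(tokens):
    """Return (port, method order) for a tokenised 'config system aaa' line."""
    if len(tokens) < 5 or tokens[3] not in ("serial", "ethernet"):
        raise ValueError("expected: config system aaa <serial | ethernet> <methods>")
    port, methods = tokens[3], list(tokens[4:])
    if set(methods) - {"tacacs+", "radius", "local"}:
        raise ValueError(f"unknown authentication method in {methods}")
    if port == "serial" and "local" not in methods:
        # The unit adds local to the Console port by itself. Appending it
        # last is an assumption; the guide does not state the position.
        methods.append("local")
    return port, methods


def server_findings(tokens):
    """Findings for one tokenised config tac_server / rad_server line."""
    kind = SERVER_CMDS[tokens[1]]
    opts = dict(zip(tokens[2::2], tokens[3::2]))   # keyword -> value
    label = f"{kind} server {opts.get('host', '?')}"
    found = []
    if not opts.get("key"):
        found.append(f"{label}: empty key, packets to the server are not encrypted")
    if opts.get("priv_lvl_check", "1") == "0":
        found.append(f"{label}: priv_lvl_check is off, every {kind} user logs in as Super")
        return found
    # Unspecified levels fall back to the documented defaults (0, 1, 2).
    # Applying a default to a partly specified set is an assumption.
    lvl = {name: int(opts.get(name, default)) for name, default in PRIV_DEFAULTS.items()}
    for name, (low, high) in PRIV_RANGES.items():
        if not low <= lvl[name] <= high:
            found.append(f"{label}: {name} {lvl[name]} is outside {low}~{high}")
    if not lvl["super_priv_lvl"] > lvl["normal_priv_lvl"] > lvl["audit_priv_lvl"]:
        found.append(f"{label}: privilege levels are out of order")
    return found


def audit(config_text):
    """Return a list of findings for the AAA-related lines in config_text."""
    findings, enabled, configured = [], set(), set()
    for line in config_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:3] == ["config", "system", "aaa"]:
            port, methods = effective_aaa(tokens)
            enabled.update(m for m in methods if m != "local")
            if port == "ethernet" and "local" not in methods:
                findings.append("ethernet: no local fallback if every server is unreachable")
        elif len(tokens) > 1 and tokens[0] == "config" and tokens[1] in SERVER_CMDS:
            configured.add(SERVER_CMDS[tokens[1]])
            findings.extend(server_findings(tokens))
    for method in sorted(enabled - configured):
        findings.append(f"{method}: enabled in config system aaa but no server is defined")
    return findings


# Constructed sample, reusing the host addresses from the examples above.
SAMPLE = '''\
config system aaa ethernet radius tacacs+
config system aaa serial tacacs+
config tac_server host 192.168.1.225 key "gv" priv_lvl_check 1 super_priv_lvl 10 normal_priv_lvl 5 audit_priv_lvl 0 alias TAC1
config tac_server host 192.168.1.12 key "" priv_lvl_check 0 alias TAC2
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```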

Setting up GigaVUE-420 Users in an
External Authentication Server
Each user logging into the GigaVUE-420 via an external
authentication server (either TACACS+ or RADIUS) must have an
account entry on the server. Accounts in the external server for
GigaVUE-420 users must conform to the following rules:
• GigaVUE-420 accounts must have a password assigned.
• GigaVUE-420 accounts must have the Shell (exec) setting enabled.
• GigaVUE-420 accounts must be assigned a privilege level.
    • If the priv_lvl_check option is enabled (the default),
    GigaVUE-420 users can be assigned any account level from
    0-15. The account levels specified in the TACACS+/RADIUS
    server will be mapped to the GigaVUE-420 levels using the
    settings specified for super_priv_lvl, normal_priv_lvl, and
    audit_priv_lvl.
    • If the priv_lvl_check option is disabled, GigaVUE-420 users
    will all log in with Super user privileges.
• GigaVUE-420 accounts must have an Access Control List value
specified. You construct the ACL string in the same way
regardless of whether you are using RADIUS or TACACS+.
However, Cisco ACS provides different fields for each security
protocol:
    • RADIUS users include the ACL as part of the Class field.
    • TACACS+ users include the ACL in the supplied ACL field.
See the following sections for details:
• See Granting Port Ownership with an Access Control List on
page 157 for information on how to construct an ACL string.
• See Configuring RADIUS Users in Cisco Access Control Server on
page 159 for information on where to supply the ACL string
for RADIUS.
• See Configuring TACACS+ Users in Cisco Access Control Server
on page 162 for information on where to supply the ACL
string for TACACS+.

Granting Port Ownership with an Access Control List


As described in Configuring Lock Levels and Port Ownership on
page 139, the lock-level in force on the GigaVUE-420 specifies what
rights normal accounts have on the GigaVUE-420 unit. As the
lock-level increases to either medium or high, normal users have
fewer rights on the box, except for those ports to which they have
been assigned ownership.

Local users are assigned port ownership using the config
port-owner command. However, to assign port ownership to
externally authenticated users, you must create an access control list
(ACL) for the user and supply it in the appropriate location in the
RADIUS/TACACS+ server (see Configuring RADIUS Users in Cisco
Access Control Server on page 159 and Configuring TACACS+ Users in
Cisco Access Control Server on page 162).
NOTE: Privilege level and ACL values are separate entries in the
external authentication server configuration.



The ACL is a 32-bit word in which each bit represents a GigaVUE-420
port. Setting a bit assigns ownership of the corresponding port to the
user. The bits in the ACL are mapped as follows:

Bits Description
1-20 Ports 1-20 on the GigaVUE-420 system.

21-24 10 Gb ports (x1-x4) when configured as network or tool ports.

0, 25-31 Ignored.

You assign port ownership by filling in hex values for the bits in the
ACL:
• Bits set to true (1) indicate that the user owns this port.
• Bits set to false (0) indicate that the user does not own the port.
NOTE: The values shown in the Binary and Hex rows below would
provide a normal user ownership of ports 1, 3, 8, 13, 20, and x2 (the x2
10 Gb port configured as either a network or tool port) with the ACL
of 0x0050210a.

Bits    31  30  29  28  27  26  25  24  23  22  21  20  19  18  17  16
Ports   n/a n/a n/a n/a n/a n/a n/a x4  x3  x2  x1  20  19  18  17  16
Binary  0   0   0   0   0   0   0   0   0   1   0   1   0   0   0   0
Hex     0               0               5               0

Bits    15  14  13  12  11  10  9   8   7   6   5   4   3   2   1   0
Ports   15  14  13  12  11  10  9   8   7   6   5   4   3   2   1   n/a
Binary  0   0   1   0   0   0   0   1   0   0   0   0   1   0   1   0
Hex     2               1               0               a

Examples
The following examples illustrate how to fill out the ACL:

ACL Value     Meaning

0x005ffffe    Assigns a normal user ownership of all ports on
              the GigaVUE-420.

0x0050210a    Assigns a normal user ownership of ports 1, 3, 8,
              13, 20 and x2 (the x2 10 Gb port configured as
              either a network or tool port)
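
Working out ACL values by hand is error-prone, and an extra set bit silently grants a port. The helper below encodes and decodes the ACL using the bit table above and lists ports an ACL grants beyond an intended set. It is an added example with hypothetical function names, not Gigamon or Cisco ACS code.

```python
# Added helper for the port-ownership ACL described above.
# Function names are hypothetical; this is not Gigamon or Cisco ACS code.

# Bit layout from the ACL table: bits 1-20 are ports 1-20, bits 21-24 are the
# 10 Gb ports x1-x4, bit 0 and bits 25-31 are ignored.
PORT_BITS = {str(n): n for n in range(1, 21)}
PORT_BITS.update({f"x{n}": 20 + n for n in range(1, 5)})
BIT_PORTS = {bit: name for name, bit in PORT_BITS.items()}
IGNORED_MASK = 0xFE000001


def encode_acl(ports):
    """Build the acl=0x... value for an iterable of ports (1-20, 'x1'-'x4')."""
    value = 0
    for port in ports:
        name = str(port).lower()
        if name not in PORT_BITS:
            raise ValueError(f"not a GigaVUE-420 port: {port!r}")
        value |= 1 << PORT_BITS[name]
    return f"0x{value:08x}"


def decode_acl(text):
    """Return (owned ports in bit order, ignored bits that were set)."""
    value = int(text, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("the ACL is a 32-bit word")
    owned = [BIT_PORTS[bit] for bit in range(1, 25) if value >> bit & 1]
    return owned, value & IGNORED_MASK


def excess_ports(acl_text, intended):
    """Ports the ACL grants beyond the intended set (least-privilege check)."""
    wanted = {str(p).lower() for p in intended}
    owned, _ = decode_acl(acl_text)
    return [p for p in owned if p not in wanted]


if __name__ == "__main__":
    print(encode_acl([1, 3, 8, 13, 20, "x2"]))
    print(decode_acl("0x0050210a"))
    print(excess_ports("0x005ffffe", [1, 3, 8, 13, 20, "x2"]))
```

Decoded against the bit table as printed, 0x005ffffe sets bits 1-20 and 22 (ports 1-20 and x2) and leaves the x1, x3 and x4 bits clear, so confirm effective ownership on the unit after applying an ACL.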

Configuring RADIUS Users in Cisco Access Control Server


You can use Cisco’s Secure Access Control Server (ACS) to perform
external authentication of GigaVUE-420 users. Use the following
steps to configure the ACS to perform RADIUS authentication of
GigaVUE-420 users.
1. First, configure a RADIUS AAA client in ACS. Open Network
Configuration and change the AAA server type to RADIUS.
Make sure traffic is set to inbound/outbound.
2. In the Network Configuration panel, set the following options:
• Set Authenticate Using to RADIUS (IETF).
• Check the Log Update/Watchdog Packets from this AAA
Client box.
3. In the System Configuration: Logging panel, set the following
options:
a. Enable Log to CSV RADIUS Accounting.
b. Set the following fields as Logged Attributes:
• NAS-IP-Address
• Calling-Station-Id
• User-Name
• Description
• Account-Status-Type
• Account-Session-Id
• Acct-Terminate-Cause
4. Create a RADIUS user group with no TACACS+ settings.
5. Uncheck every box in the RADIUS settings for the group except
the Class box. For the Class box, use a string that specifies the
privilege level and port ownership for users in the group.
• The priv-lvl=x portion of the string specifies the privilege
level to be used for users in this group.
If the priv_lvl_check option is enabled in the GigaVUE-420
CLI (the default) and you did not specify a custom
normal_priv_lvl, use 1 for normal users. If you did assign a
custom value to normal_priv_lvl, use that value here.
• The acl=0xXXXXXXXX portion of the string is the Access
Control List. As described in Granting Port Ownership with an
Access Control List on page 157, the ACL is a 32-bit word whose
bits represent the GigaVUE-420 ports and assign port ownership
to the user.
So, for example, the following string in the Class box specifies
that normal users have a priv-lvl of 1 and grants them ownership
of all ports:
priv-lvl=1, acl=0x005ffffe

6. Associate users with this RADIUS group.

Figure 8-6 shows the ACL field in Cisco ACS for a RADIUS user.

Supply the priv-lvl and ACL in the Class field.

Figure 8-6: Supplying the ACL in the Class Field for RADIUS
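
The bit layout from Granting Port Ownership with an Access Control List and the Class string from step 5 can be checked offline before a value is entered in ACS. The Python below is an added example, not part of the Gigamon guide or its software; the function names are hypothetical, and the parser assumes the priv-lvl field precedes acl as in the string shown above.

```python
import re

# Bit-to-port mapping taken from the ACL table in this chapter:
# bits 1-20 -> ports 1-20, bits 21-24 -> x1-x4, bit 0 and bits 25-31 ignored.
PORT_BITS = {bit: str(bit) for bit in range(1, 21)}
PORT_BITS.update({21: "x1", 22: "x2", 23: "x3", 24: "x4"})
BIT_FOR_PORT = {name: bit for bit, name in PORT_BITS.items()}
IGNORED_MASK = 0xFE000001  # bit 0 and bits 25-31

# Assumed layout: priv-lvl first, then acl, separated by a comma.
CLASS_RE = re.compile(
    r"^\s*priv-lvl\s*=\s*(\d+)\s*,\s*acl\s*=\s*0x([0-9a-fA-F]{1,8})\s*$"
)


def encode_acl(ports):
    """Build the 32-bit ACL word from port names such as 3, "20" or "x2"."""
    acl = 0
    for port in ports:
        name = str(port).lower()
        if name not in BIT_FOR_PORT:
            raise ValueError(f"unknown port: {port!r}")
        acl |= 1 << BIT_FOR_PORT[name]
    return acl


def decode_acl(acl):
    """Return (owned_ports, ignored_bits_set) for a 32-bit ACL word."""
    if not 0 <= acl <= 0xFFFFFFFF:
        raise ValueError("ACL must fit in 32 bits")
    owned = [PORT_BITS[b] for b in sorted(PORT_BITS) if acl & (1 << b)]
    # Bits the device ignores; a set bit here usually means a typing slip.
    stray = [b for b in range(32) if (IGNORED_MASK >> b) & 1 and (acl >> b) & 1]
    return owned, stray


def parse_class_string(value):
    """Parse a Class string of the form 'priv-lvl=1, acl=0x0050210a'."""
    match = CLASS_RE.match(value)
    if match is None:
        raise ValueError(f"not a priv-lvl/acl Class string: {value!r}")
    owned, stray = decode_acl(int(match.group(2), 16))
    return {
        "priv_lvl": int(match.group(1)),
        "ports": owned,
        "ignored_bits_set": stray,
    }


def format_class_string(priv_lvl, ports):
    """Produce the Class string that grants exactly the listed ports."""
    return f"priv-lvl={priv_lvl}, acl=0x{encode_acl(ports):08x}"


if __name__ == "__main__":
    # Both values below are the ones used in this chapter.
    for text in ("priv-lvl=1, acl=0x0050210a", "priv-lvl=1, acl=0x005ffffe"):
        result = parse_class_string(text)
        print(text, "->", ", ".join(result["ports"]))
    print(format_class_string(1, [1, 3, 8, 13, 20, "x2"]))
```

Decoding a group's Class string before associating users with it shows exactly which ports the group will own.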

Configuring TACACS+ Users in Cisco Access Control Server
You can use Cisco’s Secure Access Control Server (ACS) to perform
external authentication of GigaVUE-420 users. Use the following
steps to configure the ACS to perform TACACS+ authentication of
GigaVUE-420 users.
1. First, configure a TACACS+ AAA client in ACS.
2. Create a TACACS+ user group with no TACACS+ settings.
3. In the TACACS+ Settings page:
a. Check the Shell (exec) option.
b. Check the Access control list box and supply an ACL value in
the adjacent field to grant port ownership to users in this
group. See Granting Port Ownership with an Access Control List
on page 157 for information on how to construct an Access
Control List.
c. Check the Privilege level box and supply a value. This value
specifies the privilege level to be used for users in this group.
If the priv_lvl_check option is enabled on the GigaVUE-420
CLI (the default) and you did not specify a custom
normal_priv_lvl, use 1 for normal users. If you did assign a
custom value to normal_priv_lvl, use that value here.
4. Associate users with this TACACS+ group.

Figure 8-7 shows the ACL field in Cisco ACS for a TACACS+ user.

Supply the ACL in the corresponding field.

Supply the privilege level in the corresponding field.

Figure 8-7: Supplying the ACL in the Class Field for TACACS+

Differences in Commands for External and Local Users
Some common GigaVUE-420 commands work differently depending
on whether a user is logged in using an external authentication server
or the local user database:

Command         Description
show user all   This command now has a “single world view” and will
                return different results depending on whether the user
                authenticated locally or using an external server:
                • A show user all from a local user will return only the
                  users defined in the local database.
                • A show user all from an externally authenticated user
                  will return only the users currently logged in through
                  the external server.

show whoison    This command provides a “dual world view.” It will return
                all users currently logged in and will display whether
                each user has been authenticated locally or through an
                external authentication server.

logout          This command also has a single world view:
                • Local users can only log out other local users.
                • Externally authenticated users can only log out other
                  externally authenticated users of the same type
                  (RADIUS or TACACS+).
                As always, a user must have sufficient account privileges
                to log out another user.

Chapter 9

Using SNMP

This section describes how to use GigaVUE-420’s SNMP features. It
includes the following major sections:
• Configuring SNMP Traps
• Adding a Destination for SNMP Traps
• Enabling GigaVUE-420 Events for SNMP Traps
• Receiving Traps
• Enabling GigaVUE-420’s SNMP Server

Configuring SNMP Traps
GigaVUE-420 can send SNMP v1/v2 traps to up to five destinations
based on a variety of events on the box. Configuring SNMP traps
consists of the following major steps:

Step 1: Configure Trap Destinations
Use the config snmp_trap host options to specify the IP addresses of
up to five destinations for SNMP traps. For each destination, you can
also specify the community string, port, trap version, and an alias.

See Adding a Destination for SNMP Traps on page 167 for information
on setting up trap destinations.

Step 2: Specify Trap Events
The config snmp_trap command includes switches to enable/disable each
of the events available for trapping. You can also use the
[all | none] switch to quickly enable/disable all of the available
events at once.

When GigaVUE-420 detects an enabled event, it forwards the
corresponding trap to each of the defined trap destinations.

See Enabling GigaVUE-420 Events for SNMP Traps on page 169 for
information on the events available for trapping.

Figure 9-1: Configuring SNMP Traps


NOTE: This release does not support SNMP v3.

Adding a Destination for SNMP Traps
GigaVUE-420 can forward SNMP traps to up to five destinations.
Specify the destinations for SNMP traps with the config snmp_trap
host command. The config snmp_trap command has the following
syntax when adding hosts:
config snmp_trap
[host <ipaddr>] [community <string>]
[port <value>] [ver <1|2>]
[alias <alias-string>]

The only required value for an SNMP trap destination is the IP
address. If you configure a trap destination and do not specify values
for the other parameters, they will take the default values shown in
the table below. Naturally, however, you can change each of the
defaults to your own values with the corresponding command-line
setting.

Parameter    Description        Default Value if None Specified
community    Community String   public
port         Port               162 (well-known receiving port for SNMP traps)
ver          Version            v2

Example – Adding SNMP Trap Destinations


This example illustrates how to add several trap destinations, some
using the defaults and others with custom overrides.

First, let’s set up our Trap Management station on 192.168.1.101 as a
trap destination. This destination accepts all of the default settings,
so we’ll just add it with its IP address and an alias.
config snmp_trap host 192.168.1.101 alias Trap_Mgmt

Next, we’ll add a secondary management station on 192.168.1.25. This
station runs on a non-standard port with a private community string.
config snmp_trap host 192.168.1.25 community private port 501 ver 1 alias jackstraw

That’s enough destinations for now. Let’s do a show snmp command to see
what we’ve configured so far. See Figure 9-2 for the results.
show snmp

SNMP Server Status: GigaVUE-420’s SNMP Server is not currently
enabled. We’ll enable it later.

Trap Destinations: Current trap destinations are listed in the middle
of the show snmp display.

Trap List: None of the events available for trapping are currently
enabled. We’ll enable them in the next section.

Figure 9-2: SNMP Trap Destinations Configured

Enabling GigaVUE-420 Events for SNMP Traps
The config snmp_trap command includes switches to enable/disable
each of the events available for trapping. The table below lists the
attributes for the config snmp_trap command that are related to
enabling traps.

Parameter Description
[all | none] Use this attribute to toggle all available trap events on or off. For
example, config snmp_trap all turns on all available trap events.

[configsave <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time the config save filename.cfg
command is used.

[fanchange 0|1] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when the speed of either of the system fans
drops below 4,800 RPM.

[firmwarechange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it boots and detects that its firmware has
been updated from the previous boot.

[modulechange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it detects a change in module type from
the last polling interval. This typically happens when a module is pulled
from a slot or inserted in an empty slot.

[powerchange 0|1] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it detects either of the following events:
• One of the two power supplies is powered on or off.
• Power is lost or restored to one of the two power supplies.

[portlinkchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a port’s link status changes from up
to down or vice-versa. This includes ports 1-20 as well as the 10
Gigabit ports (x1 and x2).
NOTE: The portlinkchange trap is not sent when the Management
port’s link status changes.

[pktdrop <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it detects that packets have been
dropped on a data port.

[rxtxerror <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it receives one of the following
physical errors on a data port:
• Undersize error
• Fragment
• Jabber
• CRC or Alignment errors
• Unknown errors.

[systemreset <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it starts up, either as a result of
cycling the power or a soft reset initiated by the reset system
command.

[taptxchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a GigaTAP-Tx’s relays switch from
active to passive or passive to active as a result of the config
port-params taptx command.

[userauthfail <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a user login fails.

Example – All Trap Events Enabled
Figure 9-3 shows the results of a config snmp_trap all command
enabling all of the available trap events.

Trap List

All of the events available for trapping are now enabled.

Figure 9-3: SNMP Trap Events Configured

Receiving Traps
GigaVUE-420’s MIB is available for download from the company’s
standard FTP site. The MIB supports both the GigaVUE-420 and the
GigaVUE-MP. Contact Customer Support for details.

Once you have received a copy of the MIB, you can compile it into
your SNMP Management software to view intelligible descriptions of
the OIDs included in the traps.

Enabling GigaVUE-420’s SNMP Server


You can enable GigaVUE-420’s SNMP server so that management
stations can poll the GigaVUE-420 remotely using Get and GetNext
commands. GigaVUE-420 supports MIB polling using the MIB-II
System and Interface OIDs for the Mgmt port only.

You enable GigaVUE-420’s SNMP server with the config snmp_server
command. It has the following syntax:
config snmp_server
[enable <0|1>]
[community <string>]
[ver <1 | 1_2>]
[port <value>]

The only required parameter to turn on the SNMP server is enable 1.
If you turn on the SNMP Server and do not specify values for the
other parameters, they will take the default values shown in the table
below. Naturally, however, you can change each of the defaults to
your own values with the corresponding command-line setting.

Parameter    Description        Default Value if None Specified
community    Community String   public
port         Port               162
ver          Version            v1

For example, to enable the SNMP server with its default settings, you
would use the following command:
config snmp_server enable 1

To enable the SNMP server with both v1 and v2 support, you would
use the following command:
config snmp_server enable 1 ver 1_2

Figure 9-4 shows the results of a show snmp command after enabling
the SNMP server with both v1 and v2 support.

SNMP Server: Local SNMP Server is now enabled.

Figure 9-4: SNMP Server Enabled

Once you have enabled the SNMP server, management stations will
be able to poll the MIB using standard Get and GetNext SNMP
commands. Most management stations have intuitive interfaces for
this.
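
Because this release supports only SNMP v1/v2, the community string is the only credential on traps and polls, so trap destinations and a server left on the default community are worth finding. The Python below is an added example, not Gigamon code: it resolves the effective settings of config snmp_trap host and config snmp_server lines using the two default tables in this chapter and reports well-known community strings. The function names, the WELL_KNOWN list and the 192.0.2.10 line are assumptions constructed for illustration.

```python
import shlex

# Defaults from the "Default Value if None Specified" tables in this chapter.
TRAP_DEFAULTS = {"community": "public", "port": "162", "ver": "2"}
SERVER_DEFAULTS = {"community": "public", "port": "162", "ver": "1"}
TRAP_KEYS = {"host", "community", "port", "ver", "alias"}
SERVER_KEYS = {"enable", "community", "ver", "port"}
# Assumption of this example: strings treated as well-known, not a list
# taken from the guide.
WELL_KNOWN = {"public", "private"}


def resolve(line):
    """Return the effective settings of one command line, or None when the
    line is neither a trap-destination nor an snmp_server line (for example
    'config snmp_trap all', which only toggles events)."""
    tokens = shlex.split(line)
    if tokens[:2] == ["config", "snmp_trap"] and "host" in tokens[2:]:
        kind, defaults, keys = "trap", TRAP_DEFAULTS, TRAP_KEYS
    elif tokens[:2] == ["config", "snmp_server"]:
        kind, defaults, keys = "server", SERVER_DEFAULTS, SERVER_KEYS
    else:
        return None
    args = tokens[2:]
    if len(args) % 2:
        raise ValueError(f"expected keyword/value pairs: {line!r}")
    given = dict(zip(args[0::2], args[1::2]))
    unknown = set(given) - keys
    if unknown:
        raise ValueError(f"unknown keyword(s) {sorted(unknown)} in {line!r}")
    settings = {"kind": kind, **defaults, **given}
    # Record which values were never typed and therefore fell back to defaults.
    settings["from_default"] = sorted(set(defaults) - set(given))
    return settings


def audit(lines):
    """Return (target, message) findings for well-known community strings."""
    findings = []
    for line in lines:
        s = resolve(line)
        if s is None:
            continue
        if s["kind"] == "server" and s.get("enable") != "1":
            continue  # this line does not turn the SNMP server on
        if s["community"].lower() in WELL_KNOWN:
            origin = "default" if "community" in s["from_default"] else "configured"
            target = s.get("alias") or s.get("host") or "snmp_server"
            findings.append(
                (target,
                 f"{origin} community '{s['community']}' "
                 f"on port {s['port']}, v{s['ver']}")
            )
    return findings


# The first three lines and the last one appear in this chapter; the
# 192.0.2.10 line is constructed.
SAMPLE = [
    "config snmp_trap host 192.168.1.101 alias Trap_Mgmt",
    "config snmp_trap host 192.168.1.25 community private port 501 ver 1 alias jackstraw",
    "config snmp_trap all",
    "config snmp_trap host 192.0.2.10 community Constructed-Example-String alias NMS_A",
    "config snmp_server enable 1 ver 1_2",
]

if __name__ == "__main__":
    for target, message in audit(SAMPLE):
        print(f"{target}: {message}")
```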

Chapter 10

Using Configuration Files

GigaVUE-420 provides the ability to save and restore different sets of
connection information using configuration files. This section describes
how to use configuration files, including the following major topics:
• What’s Saved In a Configuration File
• Saving a Configuration File
• Viewing the Contents of a Configuration File
• Storing Configuration Files on a TFTP Server
• Applying Configuration Files
• Applying a Configuration File from Flash
• Setting a Configuration File to Boot Next
• Restoring Configuration Files in a Cross-Box Stack

GigaVUE-420 can maintain up to five configuration files stored in
flash memory. You can use the upload command to transfer
additional configuration files to a TFTP server for storage.
Configuration files can be downloaded from the TFTP server to
GigaVUE-420 using the install -cfg command and subsequently
restored using the config restore [filename] command.

You can set a particular configuration file to boot next either by using
the config file command’s nb attribute, or by using config save with
the nb attribute. For example:
config file gigavue.cfg nb
config save myconfig.cfg nb

NOTE: Configuration files include the Box ID of the unit saving the
file. You can only restore configuration files to a GigaVUE-420 unit
with the same Box ID.

What’s Saved In a Configuration File


Configuration files store all of the connection information in place on
the GigaVUE-420 when the file was saved. This includes:
• Filters and port-filter associations (local and cross-box).
• Connections (local and cross-box).
• Map-rules, maps, and mappings (local and cross-box).
• Port parameters (config port-params settings), including duplex,
medium, speed, cable length, taptx, and so on.
• Port-pair settings.
• Pass-all settings.
• Port-type settings.
• Printout of the show connect command at the time the file was
saved.

What’s Saved Separately

The settings listed below are saved in a different area of flash and are
not affected by either the config save filename.cfg or the reset system
commands. These include:
• All settings shown by the show system command.
• SNMP server/trap settings.
• TACACS servers.
• RADIUS servers.
• SNTP servers.

Saving a Configuration File


You use the config save filename.cfg command to save a
configuration file. Configuration files must have a .cfg extension.

Use GigaVUE-420’s command completion feature to see a list of
available configuration files. For example, typing config save ? will
show you a list of the available configuration files.

You can also use the show file command to see which configuration
file was most recently restored as well as which configuration file is
set to load the next time the unit is rebooted. For example, in
Figure 10-1:
• The factory-provided gigavue.cfg configuration file was restored
last – it has Last restored set to Yes.
• The gigavue.cfg configuration file is also scheduled to load at the
next boot – it has Next boot file set to Yes. You can change the file
scheduled to boot next by using the nb option with either the
config save or config file commands. See Setting a Configuration
File to Boot Next on page 182.
NOTE: When you use the show file command without a filename, you
see the summary information shown in Figure 10-1. You can also use
the command with a filename to see detailed file information, as
described in Viewing the Contents of a Configuration File on page 179.

Figure 10-1: Showing Configuration Files

Viewing the Contents of a Configuration File
Restoring a configuration file to GigaVUE-420 overwrites the existing
connection information in place on the box with the connection
information stored in the configuration file. Because of this, it’s a
good idea to check the contents of the file before you apply it.

You can easily see the details of what’s been saved in a configuration
file by using the show file [filename] command. This will show a
detailed view of the configuration file’s contents, including the
printout of a show connect command for the file. This way, you can
see what’s in the file without having to restore it.
NOTE: The detailed output for the show file [filename.cfg] command
shows the connections (local and cross-box) and maps (local and
cross-box) but does not show the filters, port-filter, xbport-filters and
map-rules contained in the configuration file.

For example, to view the detailed contents of the default gigavue.cfg
file, you would use the following command:
show file gigavue.cfg

Storing Configuration Files on a TFTP Server


If you want to keep more than the five configuration files allowed on
the GigaVUE-420 at one time, you can use a TFTP server for storage.
Configuration files can be stored on a TFTP server using the upload
-cfg command. Then, you can download a configuration file from the
TFTP server using the install -cfg command.

Uploading a Configuration File to a TFTP Server


For example, to store the configuration file named multi-map.cfg on
a TFTP server at 192.168.1.102, you would use the following
command:
upload -cfg multi-map.cfg 192.168.1.102

Downloading a Configuration File from a TFTP Server
You can download configuration files from a TFTP server using the
install -cfg command. GigaVUE-420 will download the specified file
and store it in flash. If there are already five configuration files stored
in flash, you will need to use the delete file command to free up a slot
before a new file can be successfully downloaded and stored.

For example, to download multi-map.cfg from a TFTP server at
192.168.1.102, you would use the following command:
install -cfg multi-map.cfg 192.168.1.102

NOTE: Using the install -cfg command does not actually apply the
configuration file – it just downloads it from the TFTP server and
stores it in flash. You still have to apply the configuration file using
one of the methods in Applying Configuration Files on page 180.

Applying Configuration Files


You can apply configuration files to GigaVUE-420 in the following
ways:
• Use the config restore command to apply the file immediately.
See Applying a Configuration File from Flash on page 181
• Enable the nb (next boot) option for a configuration file and
reboot the unit.
See Setting a Configuration File to Boot Next on page 182.

See also:
• Restoring Configuration Files in a Cross-Box Stack on page 183

Sharing Configuration Files with other GigaVUE-420 Systems


In general, it’s not recommended to share configuration files with
other GigaVUE-420 systems. For a configuration file to work on
another unit, all of the following must be true:
• Box ID must be identical for source and target systems.
• Module configuration must be identical for source and target
systems.

If you have purchased multiple systems with the same configuration
and are using them as standalone systems, all of these conditions may
be true. However, be sure to verify these items before restoring a
configuration file on a unit other than the one where it was saved to
prevent a situation where the default configuration is restored
inadvertently.

Caution: Configuration Files and the delete stack_info command

IMPORTANT: Using the delete stack_info command on a GigaVUE-420
unit with a Box ID other than 1 results in a complete reset to factory
defaults of all packet distribution settings.

This happens because the delete stack_info command resets the
unit’s Box ID to 1. When the unit reboots after the delete stack_info
command, it discovers that the Box ID in its configuration file is
different than its new Box ID of 1 and resets all configuration file
settings to factory defaults.

Applying a Configuration File from Flash


You use the config restore [filename] command to apply a
configuration file stored in flash immediately. For example, to apply
multi-map.cfg, you would use the following command:
config restore multi-map.cfg

NOTE: When you restore a new configuration file and also want it to
load the next time the system is booted, use the show file command
to verify that the file has the nb attribute enabled.

Setting a Configuration File to Boot Next
You can specify a configuration file to be used the next time the
GigaVUE-420 is booted by setting its nb option.

Enabling the nb option for a configuration file makes it the active
configuration file the next time the unit is booted. It will continue to
be used at each boot until the nb option is applied to a different
configuration file. There can be only one file with nb enabled at a
time.
NOTE: You cannot delete a configuration file with nb enabled. You
must enable nb for another configuration file before you can delete it.
NOTE: GigaVUE-420 will not let you delete all configuration files –
there will always be at least one configuration file with nb enabled.

Setting the nb Option

You set the nb option with either the config file command or the
config save command. These commands have the following syntax:
config file <filename> [nb] [description “string”]
config save <filename> [nb]

For example, to specify that multi-map.cfg be booted the next time
GigaVUE-420 starts, you could use the following command:
config file multi-map.cfg nb description “all maps enabled”

Alternatively, you can save a new configuration file and set it to boot
next with one command:
config save mynewconfigfile.cfg nb

Verifying the ‘Next Boot’ Configuration File

You can see which configuration file is set to boot next with the show
file command. Figure 10-2 shows the results of a show file command
after we set multi-map.cfg to boot next.

Next Boot File: This configuration file is set to boot next.

Figure 10-2: Configuration File with Boot Next Enabled

Restoring Configuration Files in a Cross-Box Stack


Packet distribution for cross-box stacks requires careful configuration
– it’s a good idea to back up configuration files for each of the boxes
in the stack so that the stack can be restored. Use the following
procedure.

To save and restore configuration files for a cross-box stack:


1. Once your cross-box stack is up and running with successful
cross-box packet distribution commands, save configuration files
for each of the boxes in the stack.
Use filenames that clearly correspond to each of the boxes in the
stack. For example, the following format includes the Box ID:
file_name_A_bid_1.cfg
file_name_A_bid_2.cfg

Once you are finished, you should have a separate configuration
file for each box in the stack.
2. When restoring a stack to a previous configuration, restore each
box’s corresponding configuration file so that the settings for all
boxes in the stack are synchronized to the time when the files
were saved. This way, packet distribution will work the same
way it did when the configuration files were saved.

Chapter 11

Configuring Logging

GigaVUE-420 provides comprehensive logging capabilities to keep
track of system events. Logging is particularly useful for
troubleshooting system issues, as well as maintaining an audit trail.
You can specify what types of events are logged, view logged events
by priority, date, or name, and upload log files to a TFTP server for
troubleshooting.

Events are recorded in a local syslog.log file with date and
timestamps indicating exactly when each event took place and can
optionally be sent to a specified syslog server as well.

The syslog.log file itself is maintained in non-volatile memory on the
GigaVUE-420, allowing access to log files even in the event the
system’s flash memory is reset.

This chapter includes the following major topics:
• Configuring Logging – A Roadmap
• Specifying Which Events Are Logged
• Viewing Log Files
• Uploading Log Files for Troubleshooting

Configuring Logging – A Roadmap
Configuring logging consists of the following major steps:
1. Use the config system log-level command to specify which types
of events are logged.
See Specifying Which Events Are Logged, below.
2. Optional: Use the config syslog_server command to specify an
external syslog server as a destination for logged events.
See Specifying an External Syslog Server on page 188 for details.
3. Use the show log [logfile] command to view events in the logfile.
See Viewing Log Files on page 190 for details.

Specifying Which Events Are Logged


Use the config system log-level command to specify the log-level in
force on the GigaVUE-420. The log-level controls which events are
stored in the log file. Only events greater than or equal to the current
log-level are stored in the log file. The available log-levels are as
follows:

Log-Level   Description
Critical    The log-level with the least logging. Only Critical events are
            written to the log file.
Error       Error and Critical events are written to the log file.
Info        Info, Error, and Critical events are written to the log file.
            This is the default log-level.
Verbose     The log-level with the most logging. All available events are
            written to the log file.

About syslog.log
Logged events are recorded in the syslog.log file in non-volatile
memory on the GigaVUE-420. The maximum size of the syslog.log
file is 1 MB. When syslog.log reaches its maximum size, it “rolls
over” into syslog1.log and new events are written to a now empty
syslog.log file.

In addition to the active syslog.log file, GigaVUE-420 can maintain
up to seven additional syslogx.log files for a total of 8 MB of potential
log file storage space. When the maximum of seven syslogx.log files
is reached, the oldest file is deleted and the newer files roll down in
name (syslog.log becomes syslog1.log, syslog1.log becomes
syslog2.log, and so on).

Listing Available Log Files

When used without any additional arguments, the show log
command lists all the available log files on the unit. For example,
Figure 11-1 shows the log files listed from oldest to newest. When the
current syslog.log reaches its maximum size, it will roll over to
become syslog1.log and each of the existing entries will roll down
one increment. The oldest log file, syslog7.log, will be deleted.

Log files are named sequentially and roll over when the active
syslog.log reaches its maximum size of 1 MB.

Figure 11-1: Listing Available Log Files

Specifying an External Syslog Server
Logged events are always written to the local syslog.log file. In
addition, you can optionally specify an external syslog server as a
destination for GigaVUE-420’s logging output. When an external
syslog server is specified, GigaVUE will send logged events via UDP
to the specified destination.

You can configure a maximum of one external syslog server. To
change the active syslog server, you delete the existing syslog server
and then add a new one.

Use the config syslog_server command to specify an external syslog
server. The command has the following syntax:
config syslog_server
host <ipaddr>
[port <value>]
[alias <alias-string>]

Argument   Description
host       The IP address of the external syslog server in standard
           dotted-quad format.
port       The port number used by the syslog server. If you do not
           specify a port, the default port of 514 is used.
           Note that if you do specify a non-standard port, the syslog
           server must also be configured to listen on the same port.
alias      An alias used to identify the syslog server.

Examples

The following example shows how to specify a syslog server at the IP
address of 192.168.1.75 with an alias of MySyslogServer:
config syslog_server host 192.168.1.75 alias MySyslogServer

This command specifies a syslog server at the IP address of
192.168.1.222 on the non-standard port of 4444:
config syslog_server host 192.168.1.222 port 4444 alias MySyslogServer

Packet Format for Syslog Output
Syslog packets sent by the GigaVUE-420 to an external syslog server
conform to the format recommended by RFC 3164:

Keep in mind the following about this packet format:


• Severity indications in the packet’s PRI field are derived from
corresponding event levels on the GigaVUE-420.
• Timestamps are provided in Mmm dd hh:mm:ss format, where
Mmm is the standard English language abbreviation of the month
(for example, Jan, Feb, Mar, and so on).
• Syslog packets include the system name defined for the
GigaVUE-420 using config system name. If no system name has
been configured, the IP address of the Mgmt port is used (IPv4 or
IPv6).
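
A receiver-side parser for the RFC 3164 packet layout described above, as an added Python example that is not part of the Gigamon guide. The sample packets, the hostname gv420-lab, the local0 facility and the message text are constructed; the year is passed in by the caller because the timestamp format carries none.

```python
import ipaddress
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Severity names for PRI severity values 0-7, as defined by RFC 3164.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE ; single-digit days are space-padded.
PACKET = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)",
    re.DOTALL,
)


def parse_rfc3164(packet, year):
    """Split one syslog datagram into PRI, timestamp, host and message."""
    match = PACKET.fullmatch(packet.decode("utf-8", errors="replace"))
    if match is None:
        raise ValueError("not in <PRI>Mmm dd hh:mm:ss HOST MSG form")
    pri = int(match["pri"])
    if pri > 191 or match["mon"] not in MONTHS:
        raise ValueError("PRI or month out of range")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    when = datetime(
        year, MONTHS.index(match["mon"]) + 1, int(match["day"]),
        int(match["h"]), int(match["m"]), int(match["s"]),
    )
    host = match["host"]
    try:
        # With no system name configured the Mgmt port address is sent instead.
        host_kind = f"ipv{ipaddress.ip_address(host).version}"
    except ValueError:
        host_kind = "name"
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": when,
        "host": host,
        "host_kind": host_kind,
        "message": match["msg"],
    }


def at_least(events, minimum):
    """Keep events at or above a severity; lower numbers are more severe."""
    limit = SEVERITIES.index(minimum)
    return [event for event in events if event["severity"] <= limit]


# Constructed sample datagrams (not captured from a device).
SAMPLE = [
    b"<131>Oct 25 14:03:07 gv420-lab constructed: user login failed",
    b"<134>Oct  5 09:00:00 192.168.1.50 constructed: configuration saved",
    b"<130>Oct 27 23:59:59 2001:db8::1 constructed: fan speed low",
]

if __name__ == "__main__":
    parsed = [parse_rfc3164(packet, 2007) for packet in SAMPLE]
    for event in at_least(parsed, "err"):
        print(event["timestamp"].isoformat(), event["host"],
              event["severity_name"], event["message"])
```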

Viewing Log Files
You use the show log command to view:
• A list of available log files.
• A specified log file’s contents.

The show log command includes a variety of arguments that let you
filter the display of the log file, focusing on events matching a
specified priority, time/date, or name. The syntax for the show log
command is as follows:
show log
[logfile]
[pri <verbose | info | error | critical>]
[type <system | periodic | stack | userif | notif | login>]
[start <mm-dd-yy>] [end <mm-dd-yy>] [delim] [tail <1~255>]

The table below lists and describes the arguments for the show log
commands.
NOTE: As described in Listing Available Log Files on page 187, you can
use the show log command without any additional arguments to see
a list of the log files available on the system.

Argument Description
[logfile] Specifies the name of the log file to be displayed. You
can use the show log command by itself to see a list
of available log files.
The show log [logfile] command with no additional
arguments will display all of the entries in the specified
log file. You can use Ctrl-C to interrupt the output
display of the show log command.

[pri <verbose | info | error | critical>] Filters the log file display by event priority. Only events
greater than or equal to the specified priority will be
displayed.

[type <system | periodic | stack | userif | notif | login>] Filters the display by event type. Only events
matching the specified type will be displayed:
• System – Includes system messages useful for
troubleshooting with Technical Support personnel.
• Periodic – Includes syslog.log rollover events.
• Stack – Stacking related events.
• Userif – User interface messages, including the
command line history.
• Notif – Asynchronous events, including SNMP trap
information, packet drop events, port link status
changes, system resets, configuration saves, and
so on.
• Login – Shows each time a user logged in locally,
via RADIUS, and via TACACS+

[start <mm-dd-yy>] [end <mm-dd-yy>] Filters the display by date. Only events within the
specified date range will be displayed.
You can use the start and end arguments together or
by themselves. If you use start or end by itself,
GigaVUE implicitly uses the opposite end of the file as
the other end of the date range. For example, if you
use start by itself, matching events from the specified
start date to the end of the file will be displayed.

[delim] Displays log file data in semicolon-delimited format,
suitable for importing into a spreadsheet or table.
To get the delimited data into a spreadsheet or table,
you can either cut and paste (many terminal
implementations support cut-and-paste functionality)
or configure the terminal used to access GigaVUE to
save the session to a file.
See Example – Saving a Log File to a Spreadsheet on
page 192 for details.
[tail <1~255>] Shows only the last n lines of the log file. For
example, setting tail to 100 will show the last 100 lines
of the log file.

Example – Displaying Events in the Log File

You can combine the arguments for the show log command to see
exactly the information you want. For example, the following
command shows all Critical messages in syslog.log between October
25th, 2007 and October 27th 2007:
show log syslog.log pri critical start 10-25-07 end 10-27-07

This command shows events in syslog.log with a priority of Error or
higher from the last 200 lines in the log file:
show log syslog.log pri error tail 200

Uploading Log Files for Troubleshooting


You can upload log files to a TFTP server to help in troubleshooting.
Gigamon Technical Support personnel may ask you to do this to
assist in solving problems. You can upload log files using the upload
-log command. The command has the following syntax:
upload -log log_filename TFTP-server-ipaddr

For example, to upload syslog1.log to the TFTP server at 192.168.1.25,
you would use the following command:
upload -log syslog1.log 192.168.1.25

Example – Saving a Log File to a Spreadsheet


In this example, we’ll use the show log command’s delim attribute to
save a log file in semicolon-delimited format and import it into
Microsoft® Excel®.

To save a delimited log file into a spreadsheet:


1. Connect to the GigaVUE-420.
2. Most terminal implementations provide the ability to save a
session to a file. In this example, we’ll use Tera Term™’s Log
feature to save GigaVUE’s show log output to a file.
a. Use Tera Term’s File > Log command to specify the
destination file. As shown in Figure 11-2, we’ve specified that
output will be saved to the GV420_delimited text file. Click
Open when you have finished.

Figure 11-2: Saving Terminal Output to a Text File

b. Use the show log command with the delim attribute to
display the events that interest you in delimited format. In
this example, we’ll display the entire contents of the current
logfile (syslog.log; see Figure 11-3). The command is as
follows:
show log syslog.log delim

Figure 11-3: Using the Show Log Command with delim
c. Logfile entries are displayed on the screen. Depending on the
size of the logfile, this may take a few seconds. Once the
output stops, stop the terminal’s logging feature so that the
saved file only includes the output from the show log
command.
3. In Microsoft Excel, go to File > Open. In the dialog box that
appears, set Files of Type to All Files, navigate to the file saved
by your terminal, and open it.
4. Microsoft Excel displays a series of dialog boxes that let you
decide how to import the text file. The most important thing you
need to specify is the delimiter used in the text file. GigaVUE uses
semicolons to delimit fields; Figure 11-4 shows the import wizard
with semicolons specified as the delimiter.

Figure 11-4: Specifying the Delimiter

5. Once you finish the Import Wizard, Microsoft Excel displays the
log file in standard spreadsheet format. You can sort and search
all fields, in addition to other standard spreadsheet tasks.

Chapter 12

Introducing Packet Distribution
This section introduces GigaVUE-420 packet distribution – what it is,
how you set it up, and the differences between connections and
maps. Once you’ve read this section, turn to Chapter 13, Connections,
Filters, and Pass-Alls and Chapter 14, Working with Maps (Single-Box
and Cross-Box) for detailed information on each.

The section includes the following major topics:


• About Packet Distribution on page 198
• About Single-Box and Cross-Box Distribution on page 201
• Getting Started with Packet Distribution on page 203
• Connecting vs. Mapping – The Differences on page 208
• Sharing Network and Tool Ports on page 214

About Packet Distribution
Packet distribution is where GigaVUE-420’s real power is on display
– it’s where you decide how traffic arriving on network ports should
be sent to tool ports. You’ll decide which traffic should be forwarded,
where it should be sent, and how it should be handled once it arrives.

About Network and Tool Ports


GigaVUE-420 packet distribution starts with network ports and ends
with tool ports:

Network Ports Defined


• Network ports are where you connect data sources for
GigaVUE-420.
For example, you could connect a switch’s SPAN port, tap a link
using a GigaTAP module, connect an external tap, or simply
connect an open port on a hub to an open port on the GigaPORT
module. Regardless, the idea is the same – network ports are
where data arrives at the GigaVUE-420.
NOTE: In their standard configuration, network ports only accept
data input – no data output is allowed. The exception to this is
when a network port is configured as part of a port-pair; for
example as part of an active tap using the GigaTAP-Tx module.
See GigaTAP-Tx Module on page 68 for details on this
configuration.

Tool Ports Defined


• Tool ports are where you connect destinations for the data
arriving on network ports.
For example, you may connect an intrusion detection system on
one tool port, a forensic data recorder on another, and a
traditional protocol analyzer on a third. Regardless, the idea is the
same – tool ports are where you send the data arriving on
network ports.
NOTE: Tool ports only allow data output to a connected tool. Any
data arriving at the tool port from an external source will be
discarded. In addition, a tool port’s link status must be 1 (“up”)
for packets to be sent out of the port. You can check a port’s link
status with the show port-params command.

Designating a Port’s port-type


In general, Ports 1-20 and x1 - x4 on the GigaVUE-420 can all be either
network ports or tool ports. You designate a port’s type using the
config port-type command.
NOTE: The exceptions are GigaTAP-Sx/Lx/Zx ports. These ports can
only be configured as network ports.

In addition, you can use the x1/x2 10 Gb fiber-optical ports as
network, tool, or stack ports. The x1/x2 ports are the only ports on
the GigaVUE-420 that can be used as stack ports.

Packet Distribution Illustrated
Figure 12-1 illustrates the concept of data flows between network
and tool ports. Data arrives from different sources at the network
ports on the left and is forwarded to different tools connected to
the tool ports on the right.

Figure 12-1: GigaVUE-420 Packet Distribution

Concepts Illustrated in Figure 12-1


Figure 12-1 illustrates a number of important points about setting up
packet distribution:
• Traffic arriving at a single network port can be sent to multiple
destination tool ports.
Notice in Figure 12-1 that both Input B and Input C are sent to
three different tool ports.
• Filters can be applied to both network ports and tool ports:
• Filters applied to network ports are called pre-filters. Pre-filters
are useful when you want to filter traffic as it arrives and
before it is sent to tool ports.
• Filters applied to tool ports are called post-filters. Post-filters
are useful if you want to send the same traffic to multiple tool
ports and have each one allow or deny different packets based
on specified criteria.
Notice in Figure 12-1 that post-filters are set to focus on different
parts of the data stream – traffic on a single VLAN, a single
subnet, and so on.

About Single-Box and Cross-Box Distribution


GigaVUE-420 supports both single-box and cross-box configurations:
• In a single-box configuration, only a single GigaVUE-420 system
is used. You can forward traffic from network ports to tool ports
within the system.
• In a cross-box configuration, as many as ten GigaVUE-420
systems are connected to one another using their 10 Gb stacking
ports. You can forward traffic arriving at a network port on one
GigaVUE-420 system to a tool port on another GigaVUE-420
system in the same cross-box stack.
NOTE: Chapter 7, Stacking GigaVUE-420 Boxes describes how to
connect and configure a cross-box stack.

The procedures for setting up packet distribution are conceptually
the same regardless of whether you’re working with a single-box
configuration or a cross-box stack. However, the commands you will
use are slightly different. Chapter 13, Connections, Filters, and Pass-Alls
and Chapter 14, Working with Maps (Single-Box and Cross-Box) provide
details on all packet distribution configuration commands, both
single-box and cross-box.

In general, the standard single-box commands all have cross-box
equivalents starting with the letters “xb” (for “cross-box”), as
summarized in the table below. Additionally, cross-box commands
will typically expect port numbers to be specified in the format
bid-pid (Box ID-Port ID) instead of just pid (Port ID) as they are in
single-box configurations.

Single-Box Command      Cross-Box Equivalent
config port-filter      config xbport-filter
config connect          config xbconnect
config map              config xbmap
config mapping          config xbmapping
config map-rule         config map-rule

Cross-Box Commands: Enter All Commands on All Boxes
When you are entering cross-box configuration commands, you must
enter all commands in the same order on each box in the stack.
When setting up cross-box packet distribution, it’s often easiest to
create your commands in a text file and then paste the contents of the
text file into the CLI of each box in the stack.

Getting Started with Packet Distribution
You manage packet distribution in the GigaVUE-420 command-line
interface. From there, you perform all packet distribution tasks –
designating ports as network or tool ports, setting up filters, mapping
network ports to tool ports, and so on.

As a starting point, it’s a good idea to use the show connect
command to see how the command-line interface visually represents
port configuration, filters, maps, and so on.

Figure 12-2 shows the results of the show connect command for an
out-of-the box GigaVUE-420. At this point, no connections have been
set up and no filters have been defined. Additionally, all of the ports
are set up as network ports – they appear in the Network Port list at
the left of the display.

Callouts in Figure 12-2:
• Tool Port list – Once you change a port’s port-type to tool, it
appears in the Tool Port list.
• Network Port list
• Ports in parentheses are RJ45 ports.
• Ports without parentheses are optical ports (LC or SFP).
• GigaTAP-Tx ports are listed with +/- signs to indicate whether the
relays are currently open (+) or closed (-).
• Stacking Port Information (GigaLINK) – The lists at the bottom of
the show connect display provide information on the current
configuration of the x1/x2 10 Gb GigaLINK stack ports. For cross-box
configurations, the Connected Box ID list will show the Box ID(s) of
the box(es) connected to x1, x2, or both.
• Filter Lists (FID) – The FID columns show the pre- and post-filters
currently in place on each port. The left FID column shows
pre-filters (filters bound to network ports) and the right FID
column shows post-filters (filters bound to tool ports).

Figure 12-2: Viewing Packet Distribution Configuration in the CLI

Example – Designating and Connecting Tool Ports
In general, GigaVUE-420 ports can be either a network port or a tool
port.[1] Ports 1-20 and x3/x4 are all network ports by default.
However, as you decide which tools to use with the GigaVUE-420,
you will use the config port-type command to set some of the ports
as tool ports.

As an example, let’s set up some tool ports, filters, connections, and
maps to see how the command-line interface illustrates the packet
distribution in place on the box.

The table below lists and describes some basic packet distribution
commands. Don’t worry about the command specifics for now – this
is meant simply to provide you with a feeling for how the CLI
represents packet distribution. Following the table, Figure 12-3 shows
the results of a show connect command for the settings made in the
table.

Comments: First, let’s designate Port 2 as a tool port.
Command: config port-type 2 tool

Comments: Next, we’ll connect Port 1 (a network port) to Port 2 (a tool
port). This means that the traffic arriving on Port 1 will be
forwarded to Port 2.
Command: config connect 1 to 2

Comments: Now, we’ll create a filter. Let’s create a filter that accepts
all traffic on VLAN 100. We’ll call it VLAN100.
Command: config filter allow vlan 100 alias VLAN100

Comments: Now that we’ve defined a filter, we can bind it to a port.
Let’s bind it to our tool port so that it will only accept traffic
tagged with VLAN 100.
Note that filters are reusable – we could bind this same VLAN100
filter to other ports, as we needed it.
Command: config port-filter 2 VLAN100

Comments: Next, we’ll set up a tap on the GigaTAP-Sx module (Ports 13 - 16
in our example). Ports in optical tap modules (Sx, Lx, or Zx) are
always set up as taps – there is no additional configuration to
perform.
Command: n/a

Comments: Now that we’ve connected the tap, we need to send the traffic
somewhere. Let’s connect the tap ports to the same tool port we
designated in the first step – Port 2.
We’ll be sending traffic from three different sources to the same
destination. However, because we have a post-filter set up on the
tool port, only traffic tagged with VLAN 100 will be seen by the
connected tool.
Command: config connect 13 14 to 2

[1] The exceptions are GigaTAP ports already configured with a
port-pair and GigaTAP-Sx/Lx/Zx ports. These ports can only be
used as network ports. In addition, only x1 and x2 can be stacking
ports (although they can also be network or tool ports).

Figure 12-3 displays the results of a show connect command after
making the configuration commands in the previous table:

Callouts in Figure 12-3:
• Connections between network and tool ports are shown with arrows.
• Filters in place are shown with their numerical identifier. Use the
show filter command to match a numerical filter identifier with a
filter alias.

Figure 12-3: Sample Packet Distribution Configuration

Connecting vs. Mapping – The Differences
GigaVUE-420 provides two different ways to set up packet
distribution between network ports and tool ports – connections and
maps. Both are described below.

About Connections
Connections are simple one-to-one flows between a network port
and a tool port. You can set up filters on either end of a connection
(pre-filter or post-filter), set up multiple connections on a single
network port, or simply send all the data arriving on a network port
to a designated tool port.

When To Use Connections Instead of Maps

It’s generally best to use a connection when you’re trying to achieve
fairly simple packet distribution. If you find yourself setting up
multiple connections on a single network port with both pre- and
post-filters applied, you’ll usually be able to achieve the same results
more efficiently by using a map.

Connection Examples
Figure 12-4 illustrates some simple connections – an unfiltered
connection between network port 1 and tool port 5 as well as a
network port (3) with connections to two different post-filtered tool
ports (7 and 8).

The sample commands below could create these connections:

Command: config port-type 5 7 8 tool
Comments: Sets ports 5, 7, and 8 as Tool Ports.

Command: config connect 1 to 5
Comments: Connects Network Port 1 to Tool Port 5.

Command: config connect 3 to 7 8
Comments: Connects Network Port 3 to Tool Ports 7 and 8.

Command: config port-filter 7 VLAN100
Command: config port-filter 8 VLAN100
Comments: Binds the filter named VLAN100 to Tool Ports 7 and 8.

[Diagram: Network Ports 1-4 and Tool Ports 5-8, with post-filters on
Tool Ports 7 and 8.]

Figure 12-4: Sample Connections

About Maps
Maps provide more robust capabilities for directing traffic than
connections do. Maps consist of one or more map-rules, each
directing traffic to one or more tool ports based on different packet
criteria. Map-rules function internally as pre-filters when used to
distribute traffic. You can combine many different rules in a logical
order to achieve exactly the packet distribution you would like.

IMPORTANT: Map-rules also have the advantage of not counting
against the limit of 100 tool port filters for the GigaVUE-420. When
possible, try to use maps instead of connections to preserve tool port
filter resources.

When To Use Maps

It’s generally best to use maps when you’re trying to set up a
multi-pronged packet distribution strategy. Maps are great for
distributing traffic to different ports based on different criteria. This is
particularly useful in the following situations:
• Reduce Tool Port Packet Loss without Eliminating Traffic.
Sorting traffic at an input network port and forwarding it to
different tool ports can help reduce packet loss for your analysis
tools. You can reduce the load on each destination tool port and
still ensure that all traffic is seen (as opposed to pre-filters, which
can perform the same task by discarding matching traffic at the
input port).
• Effective Analysis of Asynchronously Routed Environments.
Many networks use asynchronous routing of packets, where
requests and responses follow different routes between a client
and server. This sort of scenario is a challenge for traditional
packet analysis tools. With only a single point of connection to the
network, they can potentially see only one half of a given
conversation.
With GigaVUE-420, you can make physical connections between
multiple network ports on the GigaVUE-420 and SPAN ports for
the possible routes in your network. Then, you can set up a map
with rules that forward matching traffic to a tool port. For
example, you can set up rules that forward all traffic to and from
a particular server on a particular port, all traffic with a particular
range of application ports, and so on. This way, you can see the
packets you want to see, regardless of the path they took.
• More Flexibility than Connections. With maps, you can set up
map-rules that use a combination of the virtual drop port, the
collector, and effective map-rules to meet a variety of traffic
distribution scenarios.

Differences Between Maps and Connections

Maps offer some important concepts that connections do not:


• Virtual Drop Port – The virtual drop port is sort of like the Great
Packet Graveyard in the Sky. It’s where you send packets that
don’t interest you. You can set up map-rules that look for packets
matching specific criteria and immediately discard them.
For example, you could set up a map-rule that sends all traffic
from a particular source IP address to the virtual drop port.
• Collector – The collector, on the other hand, is the “Everything
Else” Bucket. It’s where you send packets that don’t match the
criteria specified by any of the other map-rules in a map.
For example, suppose you set up a map called VLAN-Map with
map-rules that send traffic from VLAN 101 to Tool Port 6, and
VLAN 102 to Tool Port 7. Now, you’re still interested in traffic
that doesn’t match either of those particular VLANs, but you
need a place to send it. Enter the collector. You can set up a final
map-rule that sends all packets not matching the other rules to a
designated collector port.
NOTE: If you do not specify a map-rule for the collector, any
traffic not matching the map-rules in a map will be silently
discarded.

Map Example
Figure 12-5 illustrates the map described above. This example shows
the map called VLAN-Map bound to Network Port 1. You bind maps
to network ports using the config mapping command.

Note that this is a single-tool map – each of the map-rules sends
traffic to only a single destination. See Single-Tool Maps vs. Multi-Tool
Maps on page 267 for a discussion of the differences between these
two map types, along with guidelines for when to use each.

[Diagram: VLAN-Map bound to Network Port 1, with Tool Ports 5-8 at
the right.]
• Map-Rule 1: Drop everything from IP address 192.168.1.25.
• Map-Rule 2: Send VLAN101 to Tool Port 6.
• Map-Rule 3: Send VLAN102 to Tool Port 7.
• Map-Rule 4: Send Everything Else to the Collector on Tool Port 8.

Figure 12-5: Sample Map with Map-Rules
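
The VLAN-Map above, modelled in Python as an added example (not Gigamon code): it shows which packets reach each tool port, which go to the virtual drop port, and which are silently discarded when no collector rule exists. The names Packet, MapRule, distribute and blind_spots are hypothetical, the sample packets are constructed, and evaluating map-rules in listed order with the first match winning is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

DROP = "virtual-drop"        # the map's virtual drop port
DISCARDED = "no-collector"   # unmatched traffic when no collector rule exists

Destination = Union[int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    vlan: Optional[int] = None        # None means untagged


@dataclass(frozen=True)
class MapRule:
    dest: Destination                 # tool port number, or DROP
    src_ip: Optional[str] = None      # criteria left as None act as wildcards
    vlan: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_ip is None or self.src_ip == pkt.src_ip)
                and (self.vlan is None or self.vlan == pkt.vlan))


def distribute(rules: List[MapRule], packets: List[Packet],
               collector: Optional[int] = None) -> Dict[Destination, List[Packet]]:
    """Return {destination: [packets]} for one map bound to one network port.

    Assumption: rules are evaluated in listed order and the first match wins.
    Packets matching no rule go to the collector port if one is configured,
    otherwise they are discarded (the NOTE in the Collector description).
    """
    out: Dict[Destination, List[Packet]] = defaultdict(list)
    for pkt in packets:
        dest = next((r.dest for r in rules if r.matches(pkt)), None)
        if dest is None:
            dest = collector if collector is not None else DISCARDED
        out[dest].append(pkt)
    return dict(out)


def blind_spots(rules: List[MapRule], packets: List[Packet],
                collector: Optional[int] = None) -> Dict[str, List[Packet]]:
    """Packets that no connected tool ever sees: dropped or silently discarded."""
    result = distribute(rules, packets, collector)
    return {key: result.get(key, []) for key in (DROP, DISCARDED)}


# Map-Rules 1-3 of VLAN-Map; Map-Rule 4 is the collector on Tool Port 8.
VLAN_MAP = [
    MapRule(dest=DROP, src_ip="192.168.1.25"),
    MapRule(dest=6, vlan=101),
    MapRule(dest=7, vlan=102),
]
COLLECTOR_PORT = 8

# Constructed sample traffic arriving on Network Port 1.
SAMPLE = [
    Packet("192.168.1.25", 101),   # matches the drop rule before the VLAN rule
    Packet("10.0.0.5", 101),
    Packet("10.0.0.6", 102),
    Packet("10.0.0.7", 200),       # matches no VLAN rule
    Packet("10.0.0.8"),            # untagged, matches no rule
]

if __name__ == "__main__":
    for label, collector in (("with collector", COLLECTOR_PORT), ("no collector", None)):
        print(label)
        for dest, pkts in distribute(VLAN_MAP, SAMPLE, collector).items():
            print(f"  {dest}: {[p.src_ip for p in pkts]}")
```

Running blind_spots against a capture sample before removing a collector rule shows how much traffic an IDS or recorder on the tool ports would stop seeing.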

Combining Pass-All with Connections and Maps
In addition to connections and maps, GigaVUE-420 also includes a
special config pass-all packet distribution command. The pass-all
command can be used to send all packets on a network or tool port to
another tool port, irrespective of the connections, xbconnections,
maps, or xbmaps already in place for the ports.

The pass-all command is particularly useful in the following
situations:
• Redirecting all traffic to IDS monitors regardless of any filters
applied to network ports.
• Temporary troubleshooting situations where you want to see all
traffic on a port without disturbing any of the connections,
cross-box connections, maps, or cross-box maps already in place
for the port.

See Using the Pass-All Command on page 250 for details on using the
config pass-all command.

Sharing Network and Tool Ports
GigaVUE-420 has four essential commands for packet distribution –
connect, xbconnect, map, and xbmap. The rules for port sharing
among these commands are summarized below:

Connect commands can share network ports with other connect
commands regardless of any applied filters.

Network ports cannot be shared by an xbconnect, map, or xbmap.


For example, a single network port could not have both a connect
command and a map bound to it. However, it could have two
connect commands bound, regardless of the filters in place.

This is illustrated in Figure 12-6.

[Diagram: Network Ports 1-4 and Tool Ports 5-8. Callout: Two connect
commands sharing a network port.]

Figure 12-6: Network Port with Shared Connect Commands

Tool ports can be shared, regardless of the filters in place.

In contrast to the GigaVUE-MP, filtered tool ports on the
GigaVUE-420 can be shared with a connect, map-rule, xbconnect, or
xbmap-rule.

Chapter 13

Connections, Filters, and Pass-Alls
This section describes how to set up GigaVUE-420 connections and
filters, as well as how to use pass-alls. The section describes both
single-box and cross-box connections.
NOTE: Be sure to read Chapter 12, Introducing Packet Distribution for
an understanding of the differences between connections and maps
(and when to use each).

The section includes the following major topics:


• Cross-Box Config: Enter Commands on All Boxes on page 216
• Connecting Network Ports to Tool Ports on page 216
• Using Filters with Connections on page 219
• Filter Examples on page 245
• Filtering on RTP Traffic on page 245
• MAC Address Filter Examples on page 246
• Using the Pass-All Command on page 250

Cross-Box Config: Enter Commands on All Boxes
Keep in mind that when you are entering cross-box configuration
commands (for example, the xbconnect and xbport-filter commands
described in this chapter), you must enter all commands in the same
order on each box in the stack. When setting up cross-box packet
distribution, it’s often easiest to create your commands in a text file
and then paste the contents of the text file into the CLI of each box in
the stack.

Connecting Network Ports to Tool Ports


You use the config connect (single-box) or config xbconnect
(cross-box stacks) command to connect network ports to tool ports.
However, before you can connect a network port to a tool port, you
need to make sure you have actually set up the destination port as a
tool port. The basic procedure for connecting ports is as follows:
1. Use the config port-type command to configure the destination
port as a tool port.
2. Use the config connect / config xbconnect command to connect
the network port to the tool port.
3. Optional. Configure filters using the config filter command and
bind them to ports using the config port-filter / config
xbport-filter command.

Connection Syntax
You set up connections with the following command syntax:

Configuration: Single-Box
Command Syntax: config connect <network-port-alias | pid-list | pid-x..pid-y> to
<tool-port-alias | pid-list | pid-x..pid-y>

Configuration: Cross-Box Stack
Command Syntax: config xbconnect <bid-pid_list> to <bid-pid_list> alias <string>

Notice that you can connect multiple network ports or tool ports with
a single command:
• The pid-list (port id list) and bid-pid_list (box id-port id)
arguments let you select multiple non-contiguous ports. To enter
port IDs in a list, simply put a space between each port ID in the
list.
• The pid-x..pid-y argument lets you select a series of adjacent
ports (for example, 2..5 selects ports 2, 3, 4, and 5).

For example:

Configuration: Single-Box
Command: config connect 1 to 2..4
Comments: This command connects network port 1 to tool ports 2, 3, and 4.

Configuration: Cross-Box Stack
Command: config xbconnect 1-2 1-3 1-4 to 3-1 alias MyXBConnect
Comments: This command connects network ports 1-2, 1-3, and 1-4 to the
cross-box tool port 3-1 and names the connection MyXBConnect.

Showing Connections
Any time you make changes to the packet distribution configuration
in place on the GigaVUE-420, it’s a good idea to do a show connect to
verify your results. Figure 13-1 shows the results of a show connect
command for the config connect command in the previous example.

Figure 13-1: Checking Connections with show connect Command

Deleting Connections
You can delete connections with the following command syntax:

Configuration: Single-Box
Command Syntax: delete connect [all | <port-alias | pid-list | pid-x..pid-y> to
<port-alias | pid-list | pid-x..pid-y>]

Configuration: Cross-Box Stack
Command Syntax: delete xbconnect [all | xbconnect-alias-list]

The delete command uses port ID lists in the same way as the config
connect command. So, for example to delete the entire connection set
up in the previous example, you would use the following command:
delete connect 1 to 2..4

Alternatively, you could just delete one of the connections. For
example, to delete just the connection to port 2:
delete connect 1 to 2

Deleting Cross-Box Connections

You delete cross-box connections by specifying their aliases. For
example, to delete the cross-box connection set up in the previous
example, you would use the following command:
delete xbconnect MyXBConnect

NOTE: As with all cross-box commands, you must issue this
command in the CLI of all systems in the cross-box stack.

Using Filters with Connections


You use filters to include or exclude traffic on connections. You can
include or exclude traffic based on DSCP assured forwarding values,
MAC addresses, IPv4/IPv6 addresses, application port numbers,
ethertypes, VLAN IDs, protocols, TOS values, and so on.
GigaVUE-420 filters are hardware-based, performing pattern
matching at predefined offsets.
NOTE: Map-rules are similar to filters. The concept is the same, but
map-rules offer some different configuration options. See Mapping
Network Ports to Tool Ports on page 264 for details.

The section includes the following major topics:


• Using Filters – Procedure on page 220
• Pre-Filters vs. Post-Filters on page 220
• IPv4/IPv6 and Filters on page 223
• Config Filter Syntax on page 225
• Combining Filters and Filter Logic on page 235
• Working with User-Defined Pattern Match Filters on page 237
• Mixing Allow and Deny Filters on page 242
• Showing Filters on page 243
• Deleting Filters on page 244

Using Filters – Procedure
The basic procedure for setting up filters is as follows:
1. Use the config filter command to set up the filter.
2. Use the config port-filter (single-box) or config xbport-filter
(cross-box stacks) command to apply the filter to a port. You can
reuse the same filter with multiple different ports.
NOTE: You can only apply filters to network ports that are part of
a connection. If you try to apply a filter to a network port that is
not part of a connection, you will receive an error message.
However, you can apply filters to tool ports before they are part
of a connection.

Pre-Filters vs. Post-Filters


You can apply filters to both network ports and tool ports:
• Filters applied to a network port are called pre-filters because they
allow or deny traffic before it is forwarded to tool ports.
• Filters applied to a tool port are called post-filters because they
allow or deny traffic after it has been forwarded from a network
port.

Example: When to Use Pre-Filters and Post-Filters


When deciding whether to use a pre-filter or a post-filter, it’s
important to keep in mind that the GigaVUE-420 lets you use more
pre-filters than post-filters. The maximum number of post-filters
allowed on a single GigaVUE-420 box is 100. In contrast, a single
GigaVUE-420 can have 2048 network port-filters and single-tool
map-rules.
NOTE: See CLI Parameter Limits on page 341 for complete information
on the CLI limits related to filters.

When to Use Post-Filters

Post-filters are useful when you are multicasting the same traffic to
multiple different tool ports. You can use post-filters to focus each
tool port on a different portion of the overall data stream.

With the limit of 100 post-filters in mind, however, you can use
post-filters when a network port has connections to more than one
tool port and you want each of the connected tool ports to focus on
different parts of the overall data stream. For example, in Figure 13-2,
Network Port 3 has separate connections to Tool Port 7 and Tool
Port 8. In this case, you would use post-filters to provide different
data to Tool Ports 7 and 8.

When to Use Pre-Filters

Pre-filters are useful for overcoming tool port oversubscription when
aggregating traffic from multiple network ports. For example, if you
have two 1 Gb connections sending traffic to a single 1 Gb tool port,
there are likely to be situations where the tool port would be
oversubscribed and drop packets. You can address this with
pre-filters, removing the parts of the overall data stream that do not
interest you.
NOTE: Because pre-filters use fewer resources than post-filters, you
should try to use them whenever possible.

In Figure 13-2 Port 1 and Port 2 are both connected to Tool Port 5. In
order to prevent oversubscription of this tool port, both Port 1 and
Port 2 use pre-filters.

[Diagram: Network Ports 1-4 and Tool Ports 5-8, with pre-filters on
Network Ports 1 and 2 and post-filters on Tool Ports 7 and 8.]

Figure 13-2: Filter Points

IPv4/IPv6 and Filters
GigaVUE-420 provides a variety of filters specific to IPv6 traffic,
including:

IPv6 Entity                           Argument
IPv6 Source/Destination Addresses     ip6src/ip6dst
IPv6 Flow Labels                      ip6fl
IPv6 Traffic                          ipver 6

In addition to the explicit IPv6 filters listed above, you can use the
ipver argument to change how some of the other attributes are
interpreted.

When ipver is used by itself in a filter, it returns all traffic matching
the specified IP version, 4 or 6. However, when ipver is set to 6,
several of the other arguments are interpreted differently when used
in the same filter, as summarized below:

Argument: portdst/portsrc
ipver set to 4 (or not specified): Matches all IPv4 traffic on the
specified port number.
ipver set to 6: Matches all IPv6 traffic on the specified port number.
NOTE: Because of this, if you wanted to match all IPv4 and IPv6 traffic
on a particular destination port (say, 500), you would need to
construct two filters – one for IPv4 and one for IPv6. For example:
config filter allow portdst 500 alias ipv4_500
config filter allow ipver 6 portdst 500 alias ipv6_500

Argument: protocol
ipver set to 4 (or not specified): When used with the <1-byte-hex>
argument, matches against the protocol field in the standard IPv4
header.
ipver set to 6: When used with the <1-byte-hex> argument, matches
against the Next Header field in the standard IPv6 header.
NOTE: These fields perform essentially the same service in both
versions, specifying what the next layer of protocol is. However, they
have different names and are found at different locations in the
header. See Protocol Filters and IPv6 on page 229 for a list of useful
values for the <1-byte-hex> field.

Argument: ttl
ipver set to 4 (or not specified): Matches against the standard TTL
(time-to-live) field in the IPv4 header.
ipver set to 6: Matches against the standard Hop Limit field in the
IPv6 header.
NOTE: These fields perform essentially the same service in both
versions, specifying how long a datagram can exist.

NOTE: The ipver argument is implicitly set to 4 – if you configure a
filter without ipver specified, GigaVUE-420 assumes that the IP
version is 4.

Examples
The following examples illustrate the points made in the table above:

Command Description
config filter allow ipver 6 alias six_only Creates a filter that accepts all IPv6 traffic.

config filter allow ipver 6 protocol 0x3a alias ICMPv6 Creates a filter that matches the value for
ICMP (IPv6) against the IPv6 Next Header field.
NOTE: See Config Filter Syntax on page 225 for a
list of standard values for the Next Header field in
IPv6.

config filter allow ttl 35 alias ttlfilter Creates a filter that matches values of 35 in the
TTL field of an IPv4 packet.

Config Filter Syntax
The table below lists and describes the arguments for the config filter
command:

Argument Description
[allow | deny] Specifies whether the filter should include (allow) or
exclude (deny) traffic meeting the criteria specified
by the rest of the config filter command.
You can mix allow and deny filters on a single port.

[dscp <assured-forwarding-value>] Creates a filter pattern for a particular decimal
(af11~af13, af21~af23, af31~33, af41~43, ef) DSCP value. You can choose any value within the
four Assured Forwarding class ranges or ef for
Expedited Forwarding (the highest priority in the
DSCP model).
The valid DSCP values by Assured Forwarding
Class are as follows:
• Class 1 – 11, 12, 13
• Class 2 – 21, 22, 23
• Class 3 – 31, 32, 33
• Class 4 – 41, 42, 43
• Expedited Forwarding – ef
For example, config filter allow dscp ef will match
all traffic with expedited forwarding assigned.

[ethertype <2-byte-hex>] Creates a filter pattern for the Ethertype value in a
packet (for example, config filter allow ethertype
0x86DD will match all traffic with an IPv6 Ethertype).
NOTE: To filter for VLANs, use the predefined
VLAN filter element type instead of the 8100
Ethertype.

[ipfrag <0|1|2|3|4>] Creates a filter for different types of IPv4 fragments:
• 0 – Matches unfragmented packets.
• 1 – Matches the first fragment of a packet.
• 2 – Matches unfragmented packets or the first
fragment of a packet.
• 3 – Matches all fragments except the first
fragment in a packet.
• 4 – Matches any fragment.
For example, config filter allow ipfrag 1 alias
headerfrags creates a filter named headerfrags
that matches the first fragment in a packet.
NOTE: The ipfrag argument only matches IPv4
fragments. To create a filter for IPv6 fragments, set
ipver to 6 and use the protocol argument with a
<1-byte-hex> value of 0x2c. This has the same
effect as option number 4 for IPv4 – it matches all
IPv6 fragments. For example:
config filter allow ipver 6 protocol 0x2c alias six_frags

[ipdst <dstaddr>] [ipdstmask <xxx.xxx.xxx.xxx | /nn>] Creates a filter for either a source or destination
[ipsrc <srcaddr>] [ipsrcmask <xxx.xxx.xxx.xxx | /nn>] IPv4 address or subnet.
Use subnet masks to match traffic from a range of
IP addresses. You can enter subnet masks using
either dotted-quad notation (<xxx.xxx.xxx.xxx>) or
in the bit count format (see Using Bit Count Subnet
Netmasks on page 233).

[ip6src <srcaddr>] [ip6srcmask <xxxx::xxxx | /nn>] Creates a filter for either a source or destination
[ip6dst <dstaddr>] [ip6dstmask <xxxx::xxxx | /nn>] IPv6 address or subnet. Enter IPv6 addresses as
eight 16-bit hexadecimal blocks separated by
colons. For example:
2001:0db8:3c4d:0015:0000:0000:abcd:ef12
Use subnet masks to match traffic from a range of
IP addresses. You can enter subnet masks either in
16-bit hexadecimal blocks separated by colons or in
the bit count format (see Using Bit Count Subnet
Netmasks on page 233).

[ip6fl <3-byte-hex>] Creates a filter for the 20-bit Flow Label field in an
IPv6 packet. Packets with the same Flow Label,
source address, and destination address are
classified as belonging to the same flow. IPv6
networks can implement flow-based QoS using this
approach.
Specify the flow label as a 3-byte hexadecimal
pattern. Note, however, that only the last 20 bits are
used – the first four bits must be zeroes (specified
as a single hexadecimal zero in the CLI). For
example, to match all packets without flow labels,
you could use the following filter:
config filter allow ip6fl 0x000000 alias no_flow
Alternatively, to match the flow label of 0x12345,
you could use the following:
config filter allow ip6fl 0x012345 alias flow12345

[ipver <4|6>] When used by itself, the ipver argument creates a
filter to match either all IPv4 or all IPv6 traffic.
You can also set ipver to 6 and use it together with
other arguments to change their meaning. See
IPv4/IPv6 and Filters on page 223 for more
information on ipver.
NOTE: The ipver argument is implicitly set to 4 – if
you configure a filter without ipver specified,
GigaVUE-420 assumes that the IP version is 4.

[macdst <macaddr>] [macdstmask <6-byte-hex>] Creates a filter pattern for either a source or
[macsrc <macaddr>] [macsrcmask <6-byte-hex>] destination MAC address.
Use the optional macsrcmask or macdstmask
argument to create a range of MAC addresses that
will satisfy the filter pattern.
NOTE: You can enter hexadecimal MAC
addresses in either 0xffffffffffff or ffffffffffff format.
See Examples of MAC Address Filters on page 175
for examples of how to use MAC address masks.

[portdst <single-port-number> | <x..y>] [even | odd] Creates a filter for a source or destination
[portsrc <single-port-number> | <x..y>] [even | odd] application port. You can also specify:
• A range of ports. For example config filter allow
portsrc 5000..5100 will match all source ports
from 5000 to 5100, inclusive.
• Either odd or even port numbers. The even |
odd arguments are useful when setting up filters
for VoIP traffic. Most VoIP implementations send
RTP traffic on even port numbers and RTCP
traffic on odd port numbers.
For example, config filter allow portsrc
5000..5100 odd will match all odd source ports
between 5000 and 5100.

[protocol <gre|icmp|igmp|ipv4ov4|ipv6ov4|rsvp|tcp| Creates a filter for a particular protocol. In this
udp|<1-byte-hex>>] release, you can create protocol filters for gre,
icmp, igmp, IPv4 over IPv4 (ipv4ov4), IPv6 over
IPv4 (ipv6ov4), rsvp, tcp, udp, and one-byte hex
values (<1-byte-hex>).
For example, config filter deny protocol gre will
create a filter that excludes all GRE traffic.

Protocol Filters and IPv6


The predefined protocol filters available for IPv4
(GRE, RSVP, and so on) are not allowed when
ipver is set to 6. This is because with the next
header approach used by IPv6, the next layer of
protocol data is not always at a fixed offset as it is in
IPv4.
To address this, GigaVUE-420 provides the
<1-byte-hex> option to match against the standard
hex values for these protocols in the Next Header
field. Here are standard 1-byte-hex values for both
IPv4 and IPv6:
0x00: Hop-By-Hop Option (v6 only)
0x01: ICMP (v4 only)
0x02: IGMP
0x04: IP over IP
0x06: TCP
0x11: UDP
0x29: IPv6 over IPv4
0x2b: Routing Option (v6 only)
0x2c: Fragment (v6 only)
0x2E: RSVP (v4 only)
0x2F: GRE (v4 only)
0x32: Encapsulation Security Payload (ESP)
Header (v6 only)
0x33: Authentication (v6 only)
0x3a: ICMP (v6 only)
0x3b: No Next Header (v6 only)
0x3c: Destination Option (v6 only)

[tcpctl <1-byte-hex>] [tcpctlmask <1-byte-hex>] Creates a one-byte pattern match filter for the
standard TCP control bits (URG, SYN, FIN, ACK,
and so on). You can use the tcpctlmask argument
to specify which bits should be considered when
matching packets.
See Setting Filters for TCP Control Bits on
page 232 for a list of the hexadecimal patterns for
each of the eight TCP flags, along with some
examples.

[tosval <1-byte-hex>] Creates a filter pattern for the Type of Service
(TOS) value in an IPv4 header. The TOS value is
how some legacy IPv4 equipment implements
quality of service traffic engineering. The standard
values are:
• Minimize-Delay: Hex 0x10 or 10
• Maximize-Throughput: Hex 0x08 or 08
• Maximize-Reliability: Hex 0x04 or 04
• Minimize-Cost: Hex 0x02 or 02
• Normal-Service: Hex 0000 or 00
NOTE: Most network equipment now uses DSCP
to interpret the TOS byte instead of the IP
precedence and TOS value fields.

[ttl <0~255> | <x..y>] (valid range 0..255) Creates a filter for the Time to Live (TTL – IPv4) or
Hop Limit (IPv6) value in an IP packet.
• If there is no ipver argument included in the filter
(or if it is set to 4), GigaVUE-420 matches the
value against the TTL field in IPv4 packets.
• If ipver is set to 6 in the filter, GigaVUE-420
matches the value against the Hop Limit field in
IPv6 packets.
The TTL and Hop Limit fields perform the same
function, specifying the maximum number of hops a
packet can cross before it reaches its destination.

[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>] Creates up to two user-defined, 16-byte pattern
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>] matches in a filter. A pattern is a particular
sequence of bits at a specific offset from the start of
a frame.
Setting a user-defined pattern match in
GigaVUE-420 consists of the following major steps:
• Specify the two global offsets to be used for
user-defined pattern matches using the config
uda command (uda1_offset and uda2_offset)
• Specify the data pattern and mask using the
config filter command with the
[udax_data][udax_mask] arguments. You use
the mask to specify which bits in the pattern must
match to satisfy the filter.
A single filter can contain up to two user-defined
pattern matches.
NOTE: Always use the predefined filter elements
instead of user-defined pattern matches when
possible.
See Working with User-Defined Pattern Match
Filters on page 237 for details.

[vlan <vlan id (1-4094)> | <x..y>] [odd | even] Creates a filter pattern for a VLAN ID or range of
VLAN IDs. You can also use the odd | even
argument to match alternating VLAN IDs. For
example, config filter allow vlan 200..300 even
will match all even VLAN IDs between 200 and 300.

[alias <string>] Use the alias argument to associate a textual alias
with a filter.
Aliases are optional. GigaVUE-420 automatically
creates a Filter ID for every filter you configure. You
can manage filters either by the automatically
generated numerical Filter ID or by the optional
alias.
NOTE: The easiest way to discover the
automatically generated Filter ID for a given filter is
to do a show filter command in the CLI. Each filter
will be shown along with its numerical ID.



Setting Filters for TCP Control Bits
As described in the table above, you can use the tcpctl argument to
set one-byte pattern filters for the standard TCP control bits. The
table below summarizes the bit positions of each of the flags, along
with their corresponding hexadecimal patterns.

Flag                         Bit Position    Pattern
Congestion Window Reduced    X... ....       0x80
ECN Echo                     .X.. ....       0x40
Urgent Pointer               ..X. ....       0x20
Acknowledgment               ...X ....       0x10
Push                         .... X...       0x08
Reset                        .... .X..       0x04
SYN                          .... ..X.       0x02
FIN                          .... ...X       0x01

Examples
The following filter matches packets with only the SYN bit set:
config filter allow tcpctl 0x02 tcpctlmask 0x3f alias syns_only

Many packets will have some combination of these bits set rather
than just one. So, for example, the following filter matches all packets
with both the ACK and SYN bits set:
config filter allow tcpctl 0x12 tcpctlmask 0x3f alias syns_acks

Using Bit Count Subnet Netmasks
The table below summarizes the bit count subnet mask value for
standard dotted-quad IPv4 subnet masks. As described in Config
Filter Syntax on page 225, you can enter IP subnet masks in the bit
count format by using the /nn argument.

Bit count subnet masks are easier to visualize for IPv6 addresses,
specifying which portion of the total 128 bits in the address
correspond to the network address. So, for example, a subnet mask of
/64 indicates that the first 64 bits of the address are the network
address and that the remaining 64 bits are the host address. This
corresponds to the following hexadecimal subnet mask:
ffff:ffff:ffff:ffff:0000:0000:0000:0000

Standard Subnet Mask    Bit Count Subnet Mask
255.255.255.255         /32
255.255.255.254         /31
255.255.255.252         /30
255.255.255.248         /29
255.255.255.240         /28
255.255.255.224         /27
255.255.255.192         /26
255.255.255.128         /25
255.255.255.0           /24
255.255.254.0           /23
255.255.252.0           /22
255.255.248.0           /21
255.255.240.0           /20
255.255.224.0           /19
255.255.192.0           /18
255.255.128.0           /17
255.255.0.0             /16
255.254.0.0             /15
255.252.0.0             /14
255.248.0.0             /13
255.240.0.0             /12
255.224.0.0             /11
255.192.0.0             /10
255.128.0.0             /9
255.0.0.0               /8
254.0.0.0               /7
252.0.0.0               /6
248.0.0.0               /5
240.0.0.0               /4
224.0.0.0               /3
192.0.0.0               /2
128.0.0.0               /1
0.0.0.0                 /0

Combining Filters and Filter Logic
When working with filters, you can easily combine multiple criteria
into a single filter rule by combining them in the CLI command. You
can also bind multiple filters to a single network port. GigaVUE-420
processes filter definitions as follows:
• Within a single filter, filter criteria are joined with a logical AND.
A packet must match each of the specified criteria to satisfy the
filter.
• Multiple filters bound to a single port are joined with a logical
OR. A packet must match at least ONE of the filters to be allowed
or denied.
NOTE: When used in a filter with multiple criteria, the ipver
argument changes the interpretation of some filter arguments. See
IPv4/IPv6 and Filters on page 223 for details.

Examples of Filter Logic


For example, the filters shown in the table below are both set up with
filter criteria for vlan 100 and portsrc 23.
• The first example combines the two criteria into a single filter and
binds it to a port. This joins the criteria with a logical AND.
• The second example creates two separate filters – one for each of
the criteria – and binds them both to the same port. This joins the
criteria with a logical OR.

CLI Commands
    Description

Multiple Filter Criteria Joined with AND

config filter allow vlan 100 portsrc 23 alias combofilter
    Creates a single filter called combofilter with two criteria –
    VLAN ID 100 and source port 23.

config port-filter 3 combofilter
    Applies the filter named combofilter to Port 3.

Multiple Filters Joined with OR

config filter allow vlan 100 alias vlanfilter
    Creates a filter called vlanfilter with one criterion – VLAN ID 100.

config filter allow portsrc 23 alias portfilter
    Creates a filter called portfilter with one criterion – source port 23.

config port-filter 3 vlanfilter portfilter
    Applies the filters named vlanfilter and portfilter to Port 3.
    Because vlanfilter and portfilter are separate filters, they will be
    joined with a logical OR. This means that a packet can match either
    vlanfilter or portfilter to be allowed on Port 3.
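
The AND/OR rules above and the implicit ipver 4 described in IPv4/IPv6 and Filters can be checked with a small model. This is an added example, not GigaVUE-420 code: the function names and sample packets are constructed here, only the vlan, portsrc, portdst, ttl and ipver arguments are modeled, and it assumes the implicit ipver 4 applies only to filters that carry an IP-dependent argument.

```python
"""Model of which filters bound to a port a packet satisfies (added example)."""

KNOWN = {"vlan", "portsrc", "portdst", "ttl", "ipver"}
# Arguments the guide describes as interpreted per IP version.
IP_DEPENDENT = {"portsrc", "portdst", "ttl"}


def parse_filter(command):
    """Parse 'config filter allow|deny <arg value>... alias <name>'."""
    tokens = command.split()
    if tokens[:2] != ["config", "filter"] or len(tokens) < 3:
        raise ValueError("not a config filter command")
    action, rest = tokens[2], tokens[3:]
    if action not in ("allow", "deny") or len(rest) % 2:
        raise ValueError("expected allow|deny followed by argument/value pairs")
    criteria, alias = {}, None
    for key, value in zip(rest[0::2], rest[1::2]):
        if key == "alias":
            alias = value
        elif key in KNOWN:
            low, _, high = value.partition("..")      # "23" or "20..66"
            criteria[key] = (int(low), int(high or low))
        else:
            raise ValueError(f"argument not modeled here: {key}")
    return alias, action, criteria


def filter_matches(criteria, packet):
    """All criteria inside one filter must match (logical AND)."""
    wanted = dict(criteria)
    if "ipver" not in wanted and any(k in wanted for k in IP_DEPENDENT):
        wanted["ipver"] = (4, 4)  # the guide: no ipver means IP version 4
    return all(
        key in packet and low <= packet[key] <= high
        for key, (low, high) in wanted.items()
    )


def matching_filters(commands, packet):
    """Aliases of the filters on one port that the packet satisfies (logical OR)."""
    hits = []
    for command in commands:
        alias, _action, criteria = parse_filter(command)
        if filter_matches(criteria, packet):
            hits.append(alias)
    return hits


# Filter sets taken from the commands in this chapter.
AND_PORT = ["config filter allow vlan 100 portsrc 23 alias combofilter"]
OR_PORT = [
    "config filter allow vlan 100 alias vlanfilter",
    "config filter allow portsrc 23 alias portfilter",
]
V4_ONLY = ["config filter allow portdst 500 alias ipv4_500"]
V4_AND_V6 = V4_ONLY + ["config filter allow ipver 6 portdst 500 alias ipv6_500"]

# Constructed sample packets (header fields only).
TELNET_V4 = {"ipver": 4, "vlan": 100, "portsrc": 23, "portdst": 40000}
WEB_V4 = {"ipver": 4, "vlan": 100, "portsrc": 80, "portdst": 40001}
PORT500_V6 = {"ipver": 6, "vlan": 200, "portsrc": 500, "portdst": 500}

if __name__ == "__main__":
    for name, port in (("AND", AND_PORT), ("OR", OR_PORT)):
        print(name, matching_filters(port, TELNET_V4), matching_filters(port, WEB_V4))
    print("v4 only:", matching_filters(V4_ONLY, PORT500_V6))
    print("v4 + v6:", matching_filters(V4_AND_V6, PORT500_V6))
```

The last two lines show the monitoring gap the guide warns about: with only ipv4_500 in place, IPv6 traffic to port 500 satisfies no filter.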

Working with User-Defined Pattern Match Filters
The GigaVUE-420 lets you configure up to two user-defined, 16-byte
pattern matches in a filter or map-rule. A pattern is a particular
sequence of bits at a specific location in a frame.
NOTE: GigaVUE-420’s CLI refers to a pattern as a UDA
(“user-defined attribute”).

The major steps in setting up a user-defined pattern match are as
follows:

Step 1: Configure Global Offsets
Use the config uda command to set up GigaVUE-420’s global offsets for
user-defined pattern matches.

You can set the two offsets at 4-byte boundaries from 2-126 bytes.
The offsets cannot overlap. There are only two offsets in place on
the system at any one time (uda1_offset and uda2_offset) – the
same offsets are used by all pattern-based filters and map-rules.

See Specifying Offsets – config uda on page 238 for details.

Step 2: Configure Patterns and Masks
Use the uda1_data/uda1_mask and uda2_data/uda2_mask arguments for the
config filter and config map-rule commands to set up the actual
patterns and masks.

See Specifying Patterns and Masks – config udax_data/udax_mask on
page 239 for details.

Figure 13-3: Configuring User-Defined Pattern Matches


User-Defined Pattern Match Syntax
This section describes the syntax for the commands used to set up
user-defined pattern match filters and map-rules:
• Specifying Offsets – config uda on page 238
• Specifying Patterns and Masks – config udax_data/udax_mask on
page 239

Specifying Offsets – config uda


You use the config uda command to specify the two global offsets to
be used for user-defined pattern matches. This command has the
following syntax:

config uda [uda1_offset <2~110>] [uda2_offset <2~110>]

GigaVUE-420 accepts offsets at four-byte boundaries ranging from
byte 2 to byte 110. This means that there are 27 valid offset positions
ranging from 0x01 (an offset of 2 bytes) to 0x6d (an offset of 110
bytes). Offsets are always frame-relative, not data-relative.

In many cases, you will be looking for patterns that do not start
exactly on a four-byte boundary. To search in these positions, you
would set an offset at the nearest four-byte boundary and adjust the
pattern and mask accordingly.

Default Offsets

The default offsets are listed below. You can always see the current
offset values by using the show uda command.

Offset Default Value


uda1_offset 14 (decimal); E (hexadecimal)

uda2_offset 30 (decimal); 1E (hexadecimal)

Specifying Patterns and Masks – config udax_data/udax_mask
The user-defined pattern match syntax is identical for filters and
map-rules:
[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]

• Both the udax_data and udax_mask arguments are specified as
sixteen-byte hexadecimal sequences. Specify the pattern in four
four-byte segments separated by hyphens. For example:
0x01234567-89abcdef-01234567-89abcdef

• Masks specify which bits in the pattern must match. The mask
lets you set certain bits in the pattern as wild cards – any values in
the masked bit positions will be accepted.
• Bits masked with binary 1s must match the specified pattern.
• Bits masked with binary 0s are ignored.

User-Defined Pattern Match Rules


Keep in mind the following rules when creating user-defined pattern
matches:
• Offsets are specified in decimal; patterns and masks are specified
in hexadecimal.
• All hexadecimal values must be fully defined, including leading
zeroes. For example, to specify 0xff as a 16-byte value, you must
enter 00000000-00000000-00000000-000000ff.
• You can use user-defined pattern matches as either standalone
filters/map-rules or in tandem with the other available
predefined criteria for filters/map-rules (for example, port
numbers, IP addresses, VLAN IDs, and so on).
• You can use up to two separate user-defined pattern matches in a
single filter or map-rule. When two user-defined pattern matches
appear in the same filter/map-rule, they are joined with a logical
AND. However, note that the two patterns cannot use the same
offset.
• You cannot apply user-defined pattern match filters to a tool
port.
• You can only use user-defined pattern match filters in multi-tool
maps – they are not allowed in single-tool maps. Note, however,
that a multi-tool map can consist entirely of map-rules
forwarding packets to a single tool port.
• User-defined pattern matches are combined in filters using the
same logic described in Combining Filters and Filter Logic on
page 235.
• User-defined pattern matches used in maps are subject to the
same conflict and priority rules described in Map-Rule Priority and
Guidelines on page 280.
• Avoid using user-defined pattern matches to filter for elements
that are available as predefined filters (for example, IP addresses,
MAC addresses, and so on).

User-Defined Pattern Match Examples
Suppose you want to set up a filter that matches all traffic with a
particular MPLS label (0x00017). To do this, you can use a filter that
combines an ethertype filter for the MPLS ethertype (8847) with a
user-defined pattern match for the label itself.

The ethertype filter for MPLS does two things:


• Ensures that the filter matches MPLS traffic.
• Assures us that all traffic accepted by the filter will have an MPLS
label stack starting at an offset of 14 bytes (right after the DLC
header).

We’ll put the ethertype argument in the same filter with the
user-defined pattern match to make sure they’re joined with a logical
AND. The following example explains how to construct this filter.
Figure 13-4, below, shows the filter in the GigaVUE-420 CLI.

Description
    Command

First, set the offset for the first user-defined pattern match.
We know that MPLS label stacks start at an offset of 14 bytes, right
after the DLC header, so let’s set that up.

    config uda uda1_offset 14

Next, set up the filter itself. The filter will have two parts – the
ethertype filter and the user-defined pattern match itself.
• The ethertype for MPLS is 0x8847.
• We’re searching for the MPLS label of 0x00017. Fortunately, the
offset of 14 is on a four-byte boundary when counting from the
start of the valid range (2~110; so, 2, 6, 10, 14). This makes it
easy to supply the pattern – we can start with the actual MPLS
label and then mask the rest with binary zeroes.

    config filter allow ethertype 0x8847 uda1_data
    0x00017000-00000000-00000000-00000000 uda1_mask
    0xfffff000-00000000-00000000-00000000 alias MPLS_label


Figure 13-4: Sample User-Defined Pattern Match Filter
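
The pattern and mask in this example can be derived mechanically, including for a field that does not start on the offset boundary. The following is an added example, not GigaVUE-420 code: the helper names and test frames are constructed here, it accepts the offsets 2, 6, 10 ... 110 from the config uda syntax, and it assumes a frame shorter than the 16-byte window does not match.

```python
"""Build and test 16-byte user-defined pattern matches (added example)."""

VALID_OFFSETS = range(2, 111, 4)   # 2, 6, 10, 14 ... 110 (config uda <2~110>)
WINDOW_BYTES = 16
WINDOW_BITS = WINDOW_BYTES * 8
MPLS_ETHERTYPE = 0x8847


def build_uda(window_offset, field_offset, value, bit_length):
    """Return (data, mask) for a field of bit_length bits that starts at the
    frame-relative byte field_offset, seen through the window at window_offset."""
    if window_offset not in VALID_OFFSETS:
        raise ValueError(f"offset {window_offset} is not on a valid boundary")
    lead_bits = (field_offset - window_offset) * 8
    if lead_bits < 0 or lead_bits + bit_length > WINDOW_BITS:
        raise ValueError("field does not fit inside the 16-byte window")
    if value >> bit_length:
        raise ValueError("value is wider than bit_length")
    shift = WINDOW_BITS - lead_bits - bit_length
    return value << shift, ((1 << bit_length) - 1) << shift


def format_uda(value):
    """Render a 128-bit value as four hyphen-separated 4-byte segments."""
    digits = f"{value:032x}"       # leading zeroes are always written out
    return "0x" + "-".join(digits[i:i + 8] for i in range(0, 32, 8))


def uda_match(frame, window_offset, data, mask):
    """Mask bits set to 1 must equal the pattern; bits set to 0 are ignored."""
    window = frame[window_offset:window_offset + WINDOW_BYTES]
    if len(window) < WINDOW_BYTES:
        return False               # assumption: short frames never match
    return (int.from_bytes(window, "big") & mask) == (data & mask)


def mpls_label_filter(frame, data, mask, window_offset=14):
    """ethertype 0x8847 AND the user-defined pattern, as in MPLS_label."""
    ethertype = int.from_bytes(frame[12:14], "big")
    return ethertype == MPLS_ETHERTYPE and uda_match(frame, window_offset, data, mask)


def make_frame(ethertype, after_header):
    """Constructed frame: zeroed MAC addresses, ethertype, bytes, zero padding."""
    return bytes(12) + ethertype.to_bytes(2, "big") + after_header + bytes(20)


# The guide's case: 20-bit label 0x00017 starting exactly at offset 14.
LABEL_DATA, LABEL_MASK = build_uda(14, 14, 0x00017, 20)
# A field off the boundary: the label entry's TTL byte at frame byte 17,
# still matched through the window that starts at offset 14.
TTL_DATA, TTL_MASK = build_uda(14, 17, 64, 8)

# Label stack entry = label (20 bits), TC (3), bottom-of-stack (1), TTL (8).
FRAME_LABEL_17 = make_frame(0x8847, bytes.fromhex("00017140"))
FRAME_LABEL_18 = make_frame(0x8847, bytes.fromhex("00018140"))
# Same bytes after the header but not MPLS: shows why ethertype is ANDed in.
FRAME_NOT_MPLS = make_frame(0x0800, bytes.fromhex("00017140"))

if __name__ == "__main__":
    print("uda1_data", format_uda(LABEL_DATA))
    print("uda1_mask", format_uda(LABEL_MASK))
    print("ttl data ", format_uda(TTL_DATA), "mask", format_uda(TTL_MASK))
    for name, frame in (("label 0x17", FRAME_LABEL_17),
                        ("label 0x18", FRAME_LABEL_18),
                        ("not MPLS", FRAME_NOT_MPLS)):
        print(name, mpls_label_filter(frame, LABEL_DATA, LABEL_MASK))
```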

Mixing Allow and Deny Filters


GigaVUE-420 lets you mix allow and deny filters on a single port.
Mixing allow and deny filters can be useful in a variety of situations.
The following example shows an allow filter set up to include all
traffic matching a particular source port range combined with a deny
filter configured to exclude ICMP traffic.

Description
    CLI Commands

Create a filter called portfilter with one criterion – a source port range.

    config filter allow portsrc 20..66 alias portfilter

Create a filter called deny_icmp with one criterion – protocol icmp.

    config filter deny protocol icmp alias deny_icmp

Apply the two filters to Port 3.

    config port-filter 3 portfilter deny_icmp

Showing Filters
Any time you make changes to the filters in place on the
GigaVUE-420, it’s a good idea to verify your changes with a show
filter command. The show filter command provides you with the
filter definitions in place, as well as the ports to which they are
bound.

Figure 13-1 shows the results of a show filter command for the
config filter commands in the previous example. In this example,
vlanfilter and portfilter are both bound to Port 3. However,
combofilter is not.

Figure 13-5: Checking Filters with show filter Command



Deleting Filters
Delete filters by using the delete filter command. If the filter you
want to delete is currently applied to a port, you must remove it from
the port first by using the delete port-filter (single-box) or delete
xbport-filter (cross-box stacks) command.
• The delete port-filter command has the following syntax:
delete port-filter [all | <port-alias | pid> [all | filter-alias | fid-list]]

• The delete xbport-filter command has the following syntax:
delete xbport-filter [all | <bid-pid> [all | filter-alias | fid-list]]

• The delete filter command has the following syntax:
delete filter [all | <filter-alias | fid-list>]

For example, to delete the filter named vlanfilter bound to Port 3 in
the previous example, you would use the following commands:

Command                           Comments
delete port-filter 3 vlanfilter   This command removes the filter named vlanfilter from Port 3.
delete filter vlanfilter          This command deletes the filter named vlanfilter.

Filter Examples
This section provides some examples of filters:
• Filtering on RTP Traffic on page 245
• MAC Address Filter Examples on page 246

Filtering on RTP Traffic


You can use GigaVUE-420’s ability to filter on even or odd port
numbers to focus on different aspects of VoIP traffic.

VoIP implementations typically send RTP on even port numbers and
RTCP on the next available odd port number. The following example
constructs several filters designed to block RTP on the
even-numbered ports in its common ranges and binds them to
network ports 7 and 8.

Table 13-1: Blocking RTP Traffic on Common Ports


Command
    Description

config port-type 1 tool
    Sets Port 1 as a tool port.

config connect 7 8 to 1
    Connects Network Ports 7 and 8 to Tool Port 1.

config filter deny portsrc 5004 alias deny_src_5004
    Constructs a filter named deny_src_5004 to deny traffic with a
    source port of 5004.

config filter deny portdst 5004 alias deny_dst_5004
    Constructs a filter named deny_dst_5004 to deny traffic with a
    destination port of 5004.

config filter deny portsrc 16384..16624 even alias deny_src_cisco_rtp
    Constructs a filter named deny_src_cisco_rtp to deny traffic with an
    even-numbered source port in the range of 16384..16624. This is a
    standard RTP port range used by Cisco equipment.

config filter deny portdst 16384..16624 even alias deny_dst_cisco_rtp
    Constructs a filter named deny_dst_cisco_rtp to deny traffic with an
    even-numbered destination port in the range of 16384..16624.

config port-filter 7 deny_src_5004
config port-filter 7 deny_dst_5004
config port-filter 7 deny_src_cisco_rtp
config port-filter 7 deny_dst_cisco_rtp
    These commands bind the four RTP-blocking filters to Network Port 7.

config port-filter 8 deny_src_5004
config port-filter 8 deny_dst_5004
config port-filter 8 deny_src_cisco_rtp
config port-filter 8 deny_dst_cisco_rtp
    These commands bind the four RTP-blocking filters to Network Port 8.

config save gigavue.cfg
    Saves changes to the gigavue.cfg configuration file.

MAC Address Filter Examples


This section provides several examples of how to use MAC address
filters with an address mask.

Example 1 – Deny Filter


In this example, we’ll set up a filter that denies packets with a source
MAC address matching that specified in the filter. The filter will use
the following values for macsrc and macsrcmask:

Field in config filter Command    Value
macsrc                            00 00 00 00 00 03
macsrcmask                        FF FF FF FF FF FE

Command:
config filter deny macsrc 000000000003 macsrcmask fffffffffffe alias macfilter

Result:

Packets with the following two MAC source addresses are denied:
• 00 00 00 00 00 02
• 00 00 00 00 00 03

All other MAC addresses will pass this filter.

Example 2 – Allow Filter


In this example, we will change the filter action we set up in Example
1 – Deny Filter from deny to allow.

Command:
config filter allow macsrc 000000000003 macsrcmask fffffffffffe alias macfilter

Result:

Only packets with the following two MAC source addresses are
accepted:
• 00 00 00 00 00 02
• 00 00 00 00 00 03

All other MAC addresses are denied.

Example 3 – Deny Filter


In this example, we’ll set up a filter that denies packets with a source
MAC address matching that specified in the filter. The filter will use
the following values for macsrc and macsrcmask:

Field in config filter Command    Value
macsrc                            00 00 00 00 00 03
macsrcmask                        FF FF FF FF FF F1

Command:
config filter deny macsrc 000000000003 macsrcmask fffffffffff1 alias macfilter

Result:

Packets with the following eight MAC source addresses are denied:
• 00 00 00 00 00 01
• 00 00 00 00 00 03
• 00 00 00 00 00 05
• 00 00 00 00 00 07
• 00 00 00 00 00 09
• 00 00 00 00 00 0b
• 00 00 00 00 00 0d
• 00 00 00 00 00 0f

All other MAC addresses will pass this filter.

Example 4 – Denying Odd-Numbered MAC Addresses


In this example, we’ll set up a filter that denies packets with a source
MAC address matching that specified in the filter. The filter will use
the following values for macsrc and macsrcmask:

Field in config filter Command    Value
macsrc                            00 00 00 00 00 03
macsrcmask                        00 00 00 00 00 01

Command:
config filter deny macsrc 000000000003 macsrcmask 000000000001 alias macfilter

Result:

All odd-numbered MAC source addresses are denied:


• 00 00 00 00 00 01
• 00 00 00 00 00 03
• ff ff ff ff ff fb
• ff ff ff ff ff fd
• ff ff ff ff ff ff

Only packets from even-numbered MAC source addresses will pass
through this filter. All the odd-numbered MAC source addresses are
denied.

Example 5 – Allowing Odd-Numbered MAC Addresses


In this example, we will change the filter action we set up in Example
4 – Denying Odd-Numbered MAC Addresses from deny to allow.

Command:
config filter allow macsrc 000000000003 macsrcmask 000000000001 alias macfilter

Result:

Only packets from odd-numbered MAC source addresses will pass
through this filter. All the even-numbered MAC source addresses are
denied.
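
The address lists in Examples 1, 3 and 4, and the tcpctl/tcpctlmask filters in Setting Filters for TCP Control Bits, all follow from one masked comparison. This is an added example, not GigaVUE-420 code: the function names are illustrative, and it assumes a mask bit of 1 means the bit is compared and 0 means it is ignored, as the guide states for user-defined patterns.

```python
"""Which values does a pattern/mask pair accept? (added example)"""

# Flag patterns from the table in Setting Filters for TCP Control Bits.
TCP_FLAGS = [
    (0x80, "Congestion Window Reduced"), (0x40, "ECN Echo"),
    (0x20, "Urgent Pointer"), (0x10, "Acknowledgment"),
    (0x08, "Push"), (0x04, "Reset"), (0x02, "SYN"), (0x01, "FIN"),
]


def masked_match(value, pattern, mask):
    """True when value equals pattern in every bit position the mask selects."""
    return (value & mask) == (pattern & mask)


def match_count(mask, width):
    """Number of width-bit values accepted: two per ignored (zero) mask bit."""
    compared = bin(mask & ((1 << width) - 1)).count("1")
    return 1 << (width - compared)


def enumerate_matches(pattern, mask, width, limit=4096):
    """List every accepted value, refusing sets too large to print."""
    free = [bit for bit in range(width) if not (mask >> bit) & 1]
    if (1 << len(free)) > limit:
        raise ValueError(f"{1 << len(free)} values match; use match_count")
    base = pattern & mask
    values = []
    for combo in range(1 << len(free)):
        value = base
        for index, bit in enumerate(free):
            if (combo >> index) & 1:
                value |= 1 << bit
        values.append(value)
    return sorted(values)


def format_mac(value):
    """Render a 48-bit integer the way the examples print MAC addresses."""
    return " ".join(f"{byte:02x}" for byte in value.to_bytes(6, "big"))


def flag_names(flags):
    """Names of the TCP control bits set in a flag byte, high bit first."""
    return [name for bit, name in TCP_FLAGS if flags & bit]


if __name__ == "__main__":
    macsrc = 0x000000000003
    for label, mask in (("Example 1", 0xfffffffffffe), ("Example 3", 0xfffffffffff1)):
        print(label, [format_mac(v) for v in enumerate_matches(macsrc, mask, 48)])
    # Example 4 compares only the lowest bit, so the set is far too large to list.
    print("Example 4 accepts", match_count(0x000000000001, 48), "addresses")
    # syns_only: mask 0x3f leaves the two highest flag bits out of the comparison.
    for flags in enumerate_matches(0x02, 0x3f, 8):
        print(f"syns_only accepts 0x{flags:02x}", flag_names(flags))
```

Under the stated assumption, the syns_only filter also accepts a SYN whose ECN Echo or Congestion Window Reduced bit is set, because mask 0x3f does not compare those two bits.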



Using the Pass-All Command
In addition to connections and maps, GigaVUE-420 also includes a
special config pass-all packet distribution command. The pass-all
command can be used to send all packets on a network or tool port to
another tool port (or multiple tool ports) on the same box,
irrespective of the connections, xbconnections, maps, or xbmaps
already in place for the ports.

This section includes the following topics for the config pass-all
command:
• Syntax for config pass-all on page 250
• Rules for config pass-all on page 252
• Maximum Number of Pass-All Destinations on page 252
• Pass-All Matrix on page 253
• Filters and the config pass-all Command on page 254
• Examples for config pass-all on page 256
• Illustration of Pass-Alls in the Show Connect Screen on page 260

Syntax for config pass-all


The config pass-all command has the following syntax:
config pass-all <network/tool-port-alias | pid-list | pid-x..pid-y>
to <tool-port-alias | pid-list | pid-x..pid-y>

Notice that you can connect multiple ports with a single command:
• The pid-list (port id list) argument lets you select multiple
non-contiguous ports. To enter port IDs in a list, simply put a
space between each port ID in the list.
• The pid-x..pid-y argument lets you select a series of adjacent
ports (for example, 2..5 selects ports 2, 3, 4, and 5).

For example:

Command                      Comments
config pass-all 1..4 to 5    This command sets up pass-alls from 1-4 to tool port 5.
config pass-all 1 to 2..5    This command sets up pass-alls from 1 to 2-5.

Showing the Pass-Alls in Place


Use the standard show connect command to see the pass-alls in place
on the GigaVUE-420. The show connect display uses angle brackets
(>>) to indicate that a pass-all is in place. Figure 13-12 on page 261
shows the show connect display for a set of pass-alls.

Deleting a Pass-All
You can delete an existing pass-all with the delete pass-all command.
The command has the following syntax:
delete pass-all [all | <port-alias | pid-list | pid-x..pid-y>
to all | <port-alias | pid-list | pid-x..pid-y>]

For example, to delete the pass-all set up by the first command in the
table above, you could use the following command:
delete pass-all 1..4 to 5

You could also delete just a portion of the pass-all. For example, to
delete the pass-all from 3 to 5:
delete pass-all 3 to 5

Rules for config pass-all
Keep in mind the following rules for the config pass-all command:
• You can set up a config pass-all from:
  • Network Port(s) to Tool Port(s)
  • Tool Port to Tool Port(s)
  NOTE: The destination for a pass-all must always be a tool port.
• You cannot set up a config pass-all from network port to network
port.
• Pass-alls are only supported within a single GigaVUE-420 box.
Within the box, you can set up pass-alls from any installed port to
any other port, including the rear GigaLINK ports (x1-x4).
• A config pass-all cannot duplicate both endpoints of a connection
or map that’s already in place. For example, if Network Port 1 is
connected to Tool Port 2, you can’t set up a config pass-all 1 to 2,
too.
• A config pass-all cannot be used with a port that is part of a
port-pair.

Maximum Number of Pass-All Destinations


The number of pass-all destinations available for a given source port
depends on whether it’s part of a single-tool map, a multi-tool map,
or no map at all:
• Ports in Single-Tool Maps – Maximum of four destination ports
per system.
• Ports in Multi-Tool Maps/Unmapped Ports – Maximum of 23
destination ports per system.

For example, consider a GigaVUE-420 with a single-tool map on
network ports 1-4. In this case, the total destinations for any pass-alls
from ports 1-4 cannot exceed four. The number of pass-alls available
to the remaining 20 ports in the system (5-20; x1-x4) is limited only by
the number of tool ports defined on the system – it could be as many
as 19 (20 minus a single port to be used as the source for the pass-all).

By contrast, if network port 1 is part of a multi-tool map, you could
set up pass-alls between network port 1 and the other 23 ports on a
fully-populated system (so long as the other 23 were configured as
tool ports).
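
The syntax, rules and destination limits above can be checked before a command is pasted into the CLI. The following Python pre-flight check is an added example, not Gigamon code: the inventory dictionary, the function names and the choice to count the limits as distinct destination ports are assumptions made for illustration, and port aliases are not resolved.

```python
import re

MAX_DESTS_SINGLE_TOOL = 4   # sources in single-tool maps (limit quoted in this section)
MAX_DESTS_OTHER = 23        # sources in multi-tool maps or in no map at all


def expand_ports(spec):
    """Expand a pid, a pid-list ('1 3 7') or a pid-x..pid-y range ('2..5')."""
    ports = []
    for token in spec.split():
        span = re.fullmatch(r"(\d+)\.\.(\d+)", token)
        if span:
            low, high = int(span.group(1)), int(span.group(2))
            if low > high:
                raise ValueError(f"descending range: {token}")
            ports.extend(str(n) for n in range(low, high + 1))
        elif re.fullmatch(r"\d+|x[1-4]", token):
            ports.append(token)
        else:
            # Port aliases are valid on the device but are not resolved here.
            raise ValueError(f"not a port id: {token}")
    return ports


def parse_pass_all(command):
    """Split 'config pass-all <src> to <dst>' into (sources, destinations)."""
    parsed = re.fullmatch(r"config pass-all\s+(.+?)\s+to\s+(.+)", command.strip())
    if not parsed:
        raise ValueError(f"not a config pass-all command: {command!r}")
    return expand_ports(parsed.group(1)), expand_ports(parsed.group(2))


def check_pass_all(command, box, existing=frozenset()):
    """Return the rule violations for one command; an empty list means none found."""
    sources, dests = parse_pass_all(command)
    problems = []
    for dst in dests:
        # Covers both "destination must be a tool port" and "no network to network".
        if box["roles"].get(dst) != "tool":
            problems.append(f"destination {dst} is not a tool port")
    for port in sources + dests:
        if port in box["port_pairs"]:
            problems.append(f"port {port} is part of a port-pair")
    for src in sources:
        for dst in dests:
            if (src, dst) in box["connected"]:
                problems.append(f"{src} to {dst} duplicates a connection or map")
    # Destination limits, counted over pass-alls already in place plus this command.
    planned = set(existing) | {(s, d) for s in sources for d in dests}
    st_dests = {d for s, d in planned if s in box["single_tool_mapped"]}
    other_dests = {d for s, d in planned if s not in box["single_tool_mapped"]}
    if len(st_dests) > MAX_DESTS_SINGLE_TOOL:
        problems.append(f"{len(st_dests)} destinations for single-tool-mapped "
                        f"sources (max {MAX_DESTS_SINGLE_TOOL})")
    if len(other_dests) > MAX_DESTS_OTHER:
        problems.append(f"{len(other_dests)} destinations for other sources "
                        f"(max {MAX_DESTS_OTHER})")
    return problems


# Constructed inventory for illustration: ports 1-4 are network ports, 5-12 tool ports.
SAMPLE_BOX = {
    "roles": {**{str(n): "network" for n in range(1, 5)},
              **{str(n): "tool" for n in range(5, 13)}},
    "connected": {("2", "5")},      # Network Port 2 is connected to Tool Port 5
    "port_pairs": {"3", "4"},       # Network Ports 3 and 4 form a port-pair
    "single_tool_mapped": {"1"},    # Network Port 1 is bound to a single-tool map
}

if __name__ == "__main__":
    for cmd in ("config pass-all 1 to 8", "config pass-all 1 to 2",
                "config pass-all 2 to 5", "config pass-all 3 to 6",
                "config pass-all 1 to 5..9"):
        print(cmd, "->", check_pass_all(cmd, SAMPLE_BOX) or "ok")
```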

Pass-All Matrix
The table below summarizes the supported scenarios for sending
data with the config pass-all command.

Source                         Destination            Supported?   Comments

Single Network Port            Single Tool Port
Multiple Network Ports         Single Tool Port
Single Tool Port               Single Tool Port
Multiple Tool Ports            Single Tool Port
Network Port in a Port-Pair    Single Tool Port

Single Network Port            Multiple Tool Ports
Multiple Network Ports         Multiple Tool Ports
Single Tool Port               Multiple Tool Ports
Multiple Tool Ports            Multiple Tool Ports
Network Port in a Port-Pair    Multiple Tool Ports

Single Network Port            Network Ports                       Single or Multiple Network ports can never be the
Multiple Network Ports         Network Ports                       destination for a pass-all.
Single Tool Port               Network Ports
Multiple Tool Ports            Network Ports

Filters and the config pass-all Command
When you set up a config pass-all, it interacts with filters differently
depending on whether it is passing traffic from a network port or a
tool port:
• When you set up a pass-all from a network port to a tool port, the
traffic is passed to the destination tool port before any network
port filters are applied.
This points out one of the best use-cases for a pass-all – a way to
see all traffic arriving on a network port without taking down any
existing filters or map-rules.
• When you set up a pass-all from a tool port to another tool port,
the traffic is passed to the destination tool port after any tool port
filters are applied. This means that the pass-all will send the
filtered traffic to the destination tool port.

Potential for Duplicate Packets on Destination Port

There are certain situations where using a pass-all to send packets to
the same destination as a connection or map can cause duplicate
packets. For example, consider the following scenario:
• Network Port 1 is connected to Tool Port 7 and Tool Port 8.
• Tool Port 7 has a post-filter set to allow only packets with a VLAN
ID of 100.
• Tool Port 7 has a pass-all to Tool Port 8.

In this situation, all packets with a VLAN ID of 100 will be duplicated
on Tool Port 8:
• One copy will arrive because of the connection from Network
Port 1 to Tool Port 8.
• A second copy will arrive because of the pass-all sending the
filtered VLAN 100 traffic from Tool Port 7 to Tool Port 8.

Figure 13-6 illustrates this.

[Figure 13-6: Potential for Duplicate Packets. Diagram labels: Network Ports, Tool Ports, Filter VLAN 100, pass-all.]
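
The filter ordering and the duplicate-packet scenario above can be reproduced with a small delivery model. This Python sketch is an added example, not Gigamon code; the configuration dictionary and function names are assumptions, and the model covers only connections, tool-port post-filters and one level of pass-all (filters on a pass-all destination and chained pass-alls are not modelled).

```python
from collections import Counter


def copies_per_tool_port(packet, ingress, config):
    """Count the copies of one packet, arriving on network port `ingress`,
    that each tool port receives."""
    allow_all = lambda pkt: True
    # Connections: a copy reaches a connected tool port only if that port's
    # post-filter allows the packet.
    via_connection = Counter()
    for net, tool in config["connections"]:
        if net == ingress and config["tool_filters"].get(tool, allow_all)(packet):
            via_connection[tool] += 1
    copies = Counter(via_connection)
    for src, dst in config["pass_alls"]:
        if src in config["tool_ports"]:
            # Tool-port pass-all: forwards what is left after the source
            # tool port's filters were applied.
            copies[dst] += via_connection[src]
        elif src == ingress:
            # Network-port pass-all: taken before network port filters,
            # so every arriving packet is copied.
            copies[dst] += 1
    return copies


def duplicated_ports(packet, ingress, config):
    """Tool ports that would receive the same packet more than once."""
    copies = copies_per_tool_port(packet, ingress, config)
    return sorted(port for port, count in copies.items() if count > 1)


# The scenario from this section, written out as data.
SCENARIO = {
    "connections": {(1, 7), (1, 8)},                    # Network Port 1 to Tool Ports 7 and 8
    "tool_filters": {7: lambda pkt: pkt["vlan"] == 100},  # post-filter on Tool Port 7
    "pass_alls": {(7, 8)},                              # config pass-all 7 to 8
    "tool_ports": {5, 6, 7, 8},
}

# Constructed sample packets.
VLAN_100 = {"vlan": 100}
VLAN_200 = {"vlan": 200}

if __name__ == "__main__":
    for pkt in (VLAN_100, VLAN_200):
        print(pkt, dict(copies_per_tool_port(pkt, 1, SCENARIO)),
              "duplicates on:", duplicated_ports(pkt, 1, SCENARIO))
```

In this model, removing the direct connection from Network Port 1 to Tool Port 8 removes the duplicate, but Tool Port 8 then receives only the VLAN 100 traffic that passed Tool Port 7's filter.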

Examples for config pass-all
Sending Unfiltered Traffic to an IDS

Intrusion Detection Systems need to see unfiltered traffic to work
effectively. However, you may want to use filters or maps to send
different portions of the same traffic source to different destinations.
This is the perfect place to use a pass-all. Figure 13-7 illustrates this:

[Figure 13-7: Unfiltered Traffic to IDS. Diagram labels: Network Ports, Tool Ports, map, mapping, map-rule, IDS.]

Temporary Troubleshooting Situations

Under certain circumstances, you may want to see all of the traffic on
a particular port without disturbing any of the packet distribution
commands already in place for the port. The pass-all gives you a way
to do this. For example, suppose you have an existing map sending
traffic from Network Port 1 to Tool Ports 5..7 based on different
map-rule criteria (Figure 13-8).

[Figure 13-8: Existing Map on Network Port 1. Diagram labels: Network Ports, Tool Ports, map, mapping, map-rule.]


Complaints of slow response times on the network monitored by
Network Port 1 lead you to want to see all of the traffic rather than
just the portions broken out by your map. Because mapped network
ports can’t be shared, you can’t just connect the port to another tool
port. However, you also don’t want to take down your existing map.
In a situation like this, you could set up a pass-all for the mapped
network port and send the full set of traffic arriving at the network
port to another tool port. For example:
config pass-all 1 to 8

Now, the unfiltered set of traffic arriving on Network Port 1 is both
passed to Tool Port 8 and also distributed to Tool Ports 5-7 based
on the existing map-rules (Figure 13-9).

[Figure 13-9: Adding a Pass-All for Temporary Troubleshooting. Diagram labels: Network Ports, Tool Ports, map, mapping, map-rule, pass-all.]

Sending Unfiltered Traffic to Multiple Destinations

You can also use the config pass-all command to see the same
tool-port-filtered data on multiple tool ports.

Consider the following scenario:
• Network Ports 1-3 are connected to Tool Port 5.
• Tool Port 5 has a port-filter set up to allow only VLAN IDs
100-500.

Figure 13-10 illustrates this scenario.

[Figure 13-10: Adding a Pass-All for Temporary Troubleshooting. Diagram labels: Network Ports, Tool Ports, Post Filter, Three Connections to Post-Filtered Tool Port.]


If you wanted different tools to analyze the same tool-port-filtered
data, you could set up a pass-all to multiple tool ports so that they
could all see the same data. For example:
config pass-all 5 to 6..8

With this configuration (Figure 13-11), Tool Ports 5-8 all see the same
tool-port-filtered data.

[Figure 13-11: Adding Pass-Alls to Multiple Tool Ports. Diagram labels: Network Ports, Tool Ports, Post Filter, config pass-all 5 to 6..8.]

Illustration of Pass-Alls in the Show Connect Screen


When you use the show connect command to display the connections
in place on the GigaVUE-420, the system uses right angle brackets
(>>) to indicate that a pass-all is in place:
• Pass-alls from a network port to a tool port are shown with a
series of angle brackets linking the network port and tool port.
For example:
( 4) >>>>>>>>>>> ( 6)

• Pass-alls from a tool port to a tool port are shown with a pair of
angle brackets linking the two tool ports. For example:
( 6)>> ( 7)

Figure 13-12 shows the show connect display for the pass-all set up
to multiple tool ports in the previous section.

[Figure 13-12: Show Connect with Pass-All to Multiple Tool Ports. Callout: Angle brackets indicate pass-alls in place between tool ports.]

Chapter 14

Working with Maps (Single-Box and Cross-Box)
This section describes how to set up GigaVUE-420 maps. You
configure maps by mapping data from network ports to tool ports.
The chapter describes both single-box and cross-box maps.
NOTE: Be sure to read Chapter 12, Introducing Packet Distribution for
an understanding of the differences between connections and maps
(and when to use each).

The section includes the following major topics:
• Cross-Box Config: Enter Commands on All Boxes on page 264
• Mapping Network Ports to Tool Ports on page 264
• Creating Maps: config map/config xbmap on page 266
• Creating Map-Rules: config map-rule on page 271
• Binding Maps to Ports: config mapping / config xbmapping on
page 273
• Map-Rule Priority and Guidelines on page 280
• Map Examples on page 282

Cross-Box Config: Enter Commands on All Boxes
Keep in mind that when you are entering cross-box configuration
commands (for example, the xbmap and xbmapping commands
described in this chapter), you must enter all commands in the same
order on each box in the stack. When setting up cross-box packet
distribution, it’s often easiest to create your commands in a text file
and then paste the contents of the text file into the CLI of each box in
the stack.

Mapping Network Ports to Tool Ports


You use maps to direct traffic arriving on network ports to tool ports
based on different criteria:
• Single-box maps direct traffic from network ports to tool ports on
the same GigaVUE-420 system.
• Cross-box maps direct traffic from a network port on one
GigaVUE-420 system to tool ports on other GigaVUE-420 systems
connected in a cross-box stack via their stacking ports. See
Stacking GigaVUE-420 Boxes on page 105 for information on how
to connect and configure a cross-box stack.
NOTE: For information on the differences between maps and
connections (and when you should use each), see Connecting vs.
Mapping – The Differences on page 208.

Figure 14-1 shows the major steps in creating a map. Figure 14-2
provides a conceptual illustration of the map components set up in
Figure 14-1.

Step 1: Create the Map
Use the config map (single-box) or config xbmap (cross-box stacks)
command to create a map. These commands create a map “container” for
the map-rules you define in the next step.

When you create a map, you give it a name (an alias) and specify
whether it is a single-tool or multi-tool map. See Creating Maps:
config map/config xbmap on page 266 for information on creating
the map.

Step 2: Create Map-Rules for the Map
Use the config map-rule command to create map-rules for the map.
Map-rules direct traffic based on different packet criteria – MAC/IP
addresses, port numbers, VLAN IDs, protocols, and so on.

You can set up map-rules that direct packets to different tool ports,
map-rules that delete some packets right away (send them to the
“virtual drop port”), and map-rules that direct all traffic that doesn’t
match any of the other rules in the map to a designated “collector” port.

See Creating Map-Rules: config map-rule on page 271 for information
on creating map-rules.

Step 3: Apply the Map to Network Ports
Use the config mapping (single-box) or config xbmapping (cross-box
stacks) command to bind the map to one or more network ports. Binding
the map to a network port applies all of its rules to traffic arriving
on the port. Traffic will be forwarded according to the rules in the
map.

See Binding Maps to Ports: config mapping / config xbmapping on
page 273 for information on binding maps to network ports.

Figure 14-1: Setting up a Map

[Figure 14-2: Map Components. Diagram labels: Network Ports, Tool Ports, map, mapping, map-rule.]

Creating Maps: config map/config xbmap


The first step in setting up a map is using the config map (single-box)
or config xbmap (cross-box stacks) command to create a map
container. This container will hold all of your map-rules. You will
eventually bind the container to one or more network ports using the
config mapping or config xbmapping command.

When you create the map container, you must supply the following
information:
• Whether the map is a single-tool map or a multi-tool map.
• The name (alias) of the map.

Single-Tool Maps vs. Multi-Tool Maps
There are two types of maps – single-tool and multi-tool. You use the
type [st | mt] argument to specify the map’s type as part of the
config map / config xbmap command (see Syntax for the config map /
config xbmap Commands on page 270 for details):
• Single-tool maps must consist entirely of map-rules that send
matching packets to a single tool port.
• Multi-tool maps can have map-rules that send matching packets
to multiple tool port destinations. However, it is not a
requirement that they have at least one such rule.
For example, the map-rule config map-rule MT-Map rule ipdst
192.168.1.25 tool 4 5 sends all traffic with a destination IP address
of 192.168.1.25 to both tool ports 4 and 5. This rule could only be
part of a multi-tool map (a map with its type set to mt).

NOTE: Single-tool maps can still send traffic to multiple destinations –
it’s just that each individual rule within the map can only send traffic
to a single destination. So, a single-tool map could still have one rule
that sends traffic to tool port 4 and another rule that sends traffic to
tool port 5. However, a single-tool map could not have a single rule
that sent traffic to both tool port 4 and 5. Only a multi-tool map can
do that.
NOTE: See Map Example – Single-Tool vs. Multi-Tool on page 287 for
examples of each map type, along with the differences in the
commands used to create them.

Map Types and Other GigaVUE-420 Features
It’s important to understand how the choice between a single-tool
and multi-tool map affects the availability of other GigaVUE-420
features:

Single-Tool Maps

Use single-tool maps if you want to use user-defined pattern match
filters. The trade-off is that you will have fewer port-pair and pass-all
resources for ports in single-tool maps. Single-tool maps consume
system resources needed to construct pass-alls and port-pairs.

Single-Tool Maps
Plus                             Minus
Support Pattern Match Filters    Fewer Port-Pairs (2 instead of 12)
                                 Fewer Pass-All Destination Ports for Ports in the Map (4 instead of 23)

Multi-Tool Maps

Multi-tool maps can consist entirely of map-rules that only send
traffic to a single tool port. There is no requirement that a multi-tool
map have at least one multi-tool rule.

This is important to keep in mind when deciding which type of map
to use – you can use a multi-tool map if you want to maximize the
number of pass-alls and port-pairs available for ports in the map. The
trade-off is that you will not be able to use user-defined pattern
matches in multi-tool map-rules.

Multi-Tool Maps
Plus                                                                      Minus
More Port-Pairs (12 instead of 2)                                         No User-Defined Pattern Match Map-Rules
More Pass-All Destination Ports for Ports in the Map (23 instead of 4)

Supported Map Maximums
When creating maps on the GigaVUE-420, keep in mind the
following supported maximums:

Map Type                                                        Maximum
Local maps (single-tool and multi-tool combined) per system     10
Cross-box single-tool maps per system                           10
Cross-box multi-tool maps per system                            10

Cross-box maps are counted separately for single-tool and multi-tool.
For example, a single GigaVUE-420 box could have:
• 10 single-tool cross-box maps.
• 10 multi-tool cross-box maps.
• 5 local single-tool maps.
• 5 local multi-tool maps.

Syntax for the config map / config xbmap Commands
The config map and config xbmap commands have the same syntax:
config map type [st | mt] alias <string>
config xbmap type [st | mt] alias <string>

The table below lists and describes the arguments for these
commands:

Argument     Description
[mt | st]    Specifies whether the map is a multi-tool (mt) or single-tool (st) map.
             See Single-Tool Maps vs. Multi-Tool Maps on page 267 for more information.
alias        Creates a textual alias for this map. Aliases can consist of a maximum of
             30 alphanumeric characters. You can also use hyphens (-) and the
             underscore (_) character.

Creating Map-Rules: config map-rule
The config map-rule command creates a map filter that directs
matching traffic to tool ports, cross-box tool ports, or a virtual drop
port. You can set map-rules that direct traffic based on MAC
addresses, IP addresses, application port numbers, ethertypes, VLAN
IDs, protocols, and TOS values.

Map-rules must be bound to an existing map. Whenever you set up a
new map-rule, you must specify the map to which it belongs with the
<map-alias> argument.

How GigaVUE-420 Processes Map-Rules

See Map-Rule Priority and Guidelines on page 280 for details on how
GigaVUE-420 processes map-rules in a map.

Syntax for the config map-rule Command


The syntax for the config map-rule command is as follows:
config map-rule <map-alias>
rule [collector]
[dscp <assured-forwarding-value>]
(af11~af13, af21~af23, af31~af33, af41~af43, ef)
[ethertype <2-byte-hex>]
[ipfrag <0|1|2|3|4>] [ipver <4|6>]
(0:no frag, 1:1st frag, 2:no frag or 1st frag, 3:frag but not 1st, 4:all frag)
[ipdst <dstaddr>] [ipdstmask <xxx.xxx.xxx.xxx | /nn>]
[ipsrc <srcaddr>] [ipsrcmask <xxx.xxx.xxx.xxx | /nn>]
[ip6src <srcaddr>] [ip6srcmask <xxxx::xxxx | /nn>]
[ip6dst <dstaddr>] [ip6dstmask <xxxx::xxxx | /nn>]
[ip6fl <3-byte-hex>]
[ipver <4|6>]
[macdst <macaddr>] [macdstmask <6-byte-hex>]
[macsrc <macaddr>] [macsrcmask <6-byte-hex>]
[portdst <single-port-number | <x..y>] [even | odd]
[portsrc <single-port-number | <x..y>] [even | odd]
[protocol <gre|icmp|igmp|ipv4ov4|ipv6ov4|rsvp|tcp|udp|<1-byte-hex>>]
[tcpctl <1-byte-hex>] [tcpctlmask <1-byte-hex>]
[tosval <1-byte-hex>]
[ttl <0~255> | <x..y>] (valid range 0..255)
[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
[vlan <1~4094> | <x..y>] [even | odd]
tool <port-alias | pid | pid_list | bid-pid | bid-pid-list | drop>

A map-rule consists of the following major components:
• The name of the map to which the map-rule will belong
(<map-alias>).
• The criteria for the rule itself. This consists of all the values
specified for the rule argument (MAC/IP addresses, application
ports, VLAN IDs, and so on).
• The destination for traffic matching the rule argument. This
consists of the values specified for the tool argument. You can
send matching traffic to a tool port, a cross-box tool port, or a
virtual drop port.
Note: For local map-rules you specify the destination by its pid.
For cross-box map-rules, you specify the destination by bid-pid
(Box ID-Port ID; for example, 3-2).

Map-Rule Arguments Described


The arguments for the map-rule command are exactly the same as
those for the config filter command. See the following sections
describing filter arguments:
• Using Filters with Connections on page 219
• IPv4/IPv6 and Filters on page 223
• Config Filter Syntax on page 225
• Combining Filters and Filter Logic on page 235
• Working with User-Defined Pattern Match Filters on page 237
• Filter Examples on page 245

Binding Maps to Ports: config mapping / config xbmapping
The config mapping (single-box) and config xbmapping (cross-box
stacks) commands bind a map to one or more network ports (up to 23
network ports for single-box maps; up to 40 network ports for
cross-box maps). You can bind maps to a single port, a list of ports, or
a contiguous series of ports (single-box maps only).

Binding a map to a port is the last step in setting up the map. Once
you have completed the config mapping / config xbmapping
command, the map begins directing traffic on the mapped network
ports to the destinations specified by the map-rules in the map.

Syntax for config mapping / config xbmapping


The syntax for the config mapping command is as follows:
config mapping net <network-port-alias | network-port-id-list |
network-pid-x..network-pid-y>
map <map-alias>

The syntax for the config xbmapping command is as follows:
config xbmapping net <bid-pid_list> map <map-alias>

The table below lists and describes the arguments for the config
mapping and config xbmapping commands. Both single-box and
cross-box mappings consist of the following components:
• The network ports to which the map is bound. This is specified by
the net argument.
• The name of the map you are binding. This is specified by the
map argument.

Argument / Description

net
  Single-Box Maps (config mapping)
  <network-port-alias | network-port-id-list | network-pid-x..network-pid-y>
      Specifies the network ports to which the named map will be
      bound. You can bind maps to a single port, a list of ports, or a
      contiguous series of ports (up to 20 in all).
      For example, config mapping net MyPort map MyMap binds the
      map named MyMap to the port named MyPort. Similarly, config
      mapping net 4..8 map MyMap binds the map with the alias
      MyMap to network ports 4 through 8.

  Cross-Box Maps (config xbmapping)
  <bid-pid_list>
      Specifies the network ports to which the named map will be
      bound. You can bind maps to a single port or a list of ports (up to
      40, in all).
      For example, config xbmapping net 2-3 map MyXBMap binds the
      map named MyXBMap to Port 3 on Box ID 2.

map
  <map-alias>
      Specifies the map to be bound to the named network ports.
      If you don’t know the alias for a map, use the show map-rule
      command to display all maps currently configured on the box.

Showing Maps
Any time you make changes to the packet distribution configuration
in place on the GigaVUE-420, it’s a good idea to verify your results
with a show command. When working with maps, there are two
helpful show commands:

Show Command: show map-rule [all | map-alias]
Description: This command provides a detailed description of the
requested maps, regardless of whether the maps have been bound to a
network port. This command is useful in the following situations:
• When you want to see detailed information on a map’s
map-rules.
• When you want to see information on a map that has not yet
been bound to a network port.

Show Command: show connect
Description: This command provides a summary of all the packet
distribution configuration on the box, including a Mapping section that
summarizes the maps currently bound to network ports.

Figure 14-3 shows the results of a show map-rule command for the
VLAN-Map set up with the commands in the table below.

Description: First, create the VLAN-Map container using the
config map command. Because this map will consist entirely of rules
sending traffic to only a single destination, we will set type to st
(single-tool).
CLI Command: config map type st alias VLAN-Map

Description: Next, we will create the map-rules for the VLAN-Map
using the config map-rule command. The first rule drops all traffic
from the IP address 192.168.1.25.
CLI Command: config map-rule VLAN-Map rule ipsrc 192.168.1.25 ipsrcmask /32 tool drop

Description: We need map-rules that forward different VLAN IDs to
different ports. This map-rule for VLAN-Map sends VLAN 101 to Tool
Port 6.
CLI Command: config map-rule VLAN-Map rule vlan 101 tool 6

Description: This map-rule for VLAN-Map sends VLAN 102 to Tool
Port 7.
CLI Command: config map-rule VLAN-Map rule vlan 102 tool 7

Description: This map-rule sends all traffic not matching any other
rules in the map to Tool Port 8.
CLI Command: config map-rule VLAN-Map rule collector tool 8

Description: Finally, we bind the map to Network Port 1 with the
config mapping command.
CLI Command: config mapping net 1 map VLAN-Map

Figure 14-3: Checking Maps with show map-rule Command

Changing Maps
You make changes to maps differently depending on whether you
are working with a single-box map or a cross-box map:

Map Type: Single-Box Map
Editing/Deleting: You can make the following changes at any time,
regardless of whether the map has been bound to a network port using
the config mapping command:
• Add or delete map-rules to/from a map regardless of whether it is currently
bound to a network port.
• Delete a mapping, removing the map from network port(s).
• Delete a map in its entirety, including mappings and map-rules.

Map Type: Cross-Box Map
Editing/Deleting: You can make the following changes at any time,
regardless of whether the xbmap has been bound to a network port using
the config xbmapping command:
• Add or delete map-rules to/from a xbmap regardless of whether it is currently
bound to a network port.
• Delete an xbmap in its entirety, including mappings and map-rules.
You cannot, however, delete a cross-box mapping once the map has been
bound. This is the difference in delete functionality between single-box and
cross-box maps.
NOTE: You must delete the cross-box map on all boxes in the cross-box stack.
Similarly, to use an updated version of the map, you must make the changes on
all boxes in the stack.

Adding Map-Rules to Single-Box/Cross-Box Maps


You can add a map-rule to a single-box or cross-box map at any time
by using the config map-rule command described in Creating
Map-Rules: config map-rule on page 271.

For example, the following command adds a new destination port
map-rule to the VLAN-MAP example shown in Figure 14-3 on
page 276:
config map-rule VLAN-MAP rule portdst 23 tool 2

Deleting a Map-Rule from Single-Box/Cross-Box Maps
You can delete a map-rule from a single-box or cross-box map at any
time by using the delete map-rule command. You can delete:
• All but one of the map-rules from a map (you must use delete
map to remove the final map-rule along with the map).
• Map-rules sending data to a particular range of tool ports.
• Specific Rule IDs.
NOTE: Use the show map-rule command to see the Rule ID
corresponding to a particular rule.

Delete Map-Rule Syntax

The syntax for the delete map-rule command is as follows:
delete map-rule <map-alias> [tool <port-id-list> | rule <rule-id-list>]

For example, the following command deletes the rule we added to
VLAN-MAP in the previous row by specifying its Rule ID:
delete map-rule VLAN-MAP rule 5

Because this map-rule was the only map-rule bound to Tool Port 2,
we could also have deleted it by specifying its tool port, as follows:
delete map-rule VLAN-MAP tool 2

Deleting a Single-Box Mapping


You can delete a single-box map’s mapping by using the delete
mapping command. You can delete either all mappings on the box or
a specific mapping by specifying the name of the map.

IMPORTANT: You cannot delete mappings with cross-box maps.


NOTE: Deleting a mapping does not delete the map itself. It only
removes it from the network port(s) to which it is bound. Once you
delete a mapping you can reuse the map with other network ports by
using the config mapping command.

Delete Mapping Syntax

The delete mapping command has the following syntax:
delete mapping [all | map-alias]

For example, to delete VLAN-MAP’s mapping, you would use the
following command:
delete mapping VLAN-MAP

Once the mapping for VLAN-MAP is deleted, you can rebind it using
the config mapping command.

Deleting a Single-Box/Cross-Box Map


You can delete a single-box or cross-box map in its entirety by using
the delete map/delete xbmap command. You can delete either all
maps on the box or a specific map by specifying the name of the map.

The delete map command deletes all of the configuration associated
with the specified map(s) on the local GigaVUE-420, including:
• Any mapping in place.
• All map-rules for the map.
• The map container itself.
NOTE: The delete xbmap command must be issued on each
of the boxes in a cross-box stack to completely remove the xbmap.

Delete Map Syntax

The delete map command has the following syntax:
delete map [all | map-alias]

For example, to delete VLAN-MAP in its entirety, you would use the
following command:
delete map VLAN-MAP

Combining Pass-All with Maps
You can use GigaVUE-420’s special config pass-all packet
distribution command in combination with maps and cross-box
maps.

The pass-all command is particularly useful when you want to send
all the traffic from filtered or mapped network ports to a security tool
that needs to see unfiltered traffic. It’s also useful in temporary
troubleshooting situations where you want to see all traffic on a port
without disturbing any of the maps or cross-box maps already in
place for the port.

See Using the Pass-All Command on page 250 for details on using the
config pass-all command.

Map-Rule Priority and Guidelines


GigaVUE-420 assigns priority to map-rules in a map in the same
order in which they are specified, with later matches taking priority
over earlier matches. This means that a packet matching multiple
rules in the same map will be forwarded to the destination specified
by the last map-rule it matches.

If you find that a particular packet is not forwarded to the destination
you expect because it matches multiple map-rules, you can adjust the
order of the map-rules in the map. Start by using the show map-rule
command to see the existing sequence of rules. Then, delete and
re-add the map-rule you want to match the packet. Re-adding the
map-rule adds it as the last rule in the map, thereby giving it the
highest priority.
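
The ordering rule above has a practical consequence for the VLAN-Map shown earlier in this chapter: a packet from 192.168.1.25 on VLAN 101 matches both the drop rule and the VLAN 101 rule, and the later rule wins. The Python model below is an added example, not Gigamon code; it parses only a subset of map-rule criteria, treats a missing address mask as an exact host match, and numbers rules by position rather than by the device's Rule IDs (all assumptions).

```python
import ipaddress

RANGE_KEYS = {"vlan", "portsrc", "portdst"}   # single value or x..y
ADDRESS_KEYS = {"ipsrc", "ipdst"}             # paired with ipsrcmask / ipdstmask


def parse_map_rule(command):
    """Parse 'config map-rule <alias> rule <criteria> tool <dest>' (subset only)."""
    tokens = command.split()
    if (len(tokens) < 7 or tokens[:2] != ["config", "map-rule"]
            or tokens[3] != "rule" or "tool" not in tokens[4:]):
        raise ValueError(f"not a config map-rule command: {command!r}")
    tool_at = tokens.index("tool", 4)
    criteria, dest = tokens[4:tool_at], tokens[tool_at + 1:]
    if not dest:
        raise ValueError("missing tool destination")
    if criteria == ["collector"]:
        return {"collector": True, "criteria": {}, "tool": dest}
    if not criteria or len(criteria) % 2:
        raise ValueError("criteria must be keyword/value pairs")
    return {"collector": False,
            "criteria": dict(zip(criteria[::2], criteria[1::2])),
            "tool": dest}


def matches(rule, packet):
    """True when the packet satisfies every criterion of the rule."""
    criteria = rule["criteria"]
    for key, want in criteria.items():
        if key.endswith("mask"):
            continue  # consumed together with its address below
        if key not in RANGE_KEYS | ADDRESS_KEYS:
            raise ValueError(f"criterion not modelled in this sketch: {key}")
        if key not in packet:
            return False
        if key in RANGE_KEYS:
            low, _, high = want.partition("..")
            if not int(low) <= packet[key] <= int(high or low):
                return False
        else:
            mask = criteria.get(key + "mask", "/32")  # assumption: no mask = one host
            network = ipaddress.ip_network(want + "/" + mask.lstrip("/"), strict=False)
            if ipaddress.ip_address(packet[key]) not in network:
                return False
    return True


def destination(rules, packet):
    """Return (position, tool) of the LAST matching rule; the collector applies
    only when no other rule matches. Returns None if nothing applies."""
    hit = collector = None
    for position, rule in enumerate(rules, start=1):
        if rule["collector"]:
            collector = (position, rule["tool"])
        elif matches(rule, packet):
            hit = (position, rule["tool"])
    return hit or collector


def delete_and_readd(rules, position):
    """Model deleting a map-rule and entering it again: it becomes the last rule."""
    reordered = list(rules)
    reordered.append(reordered.pop(position - 1))
    return reordered


# The VLAN-Map rules from this chapter, in the order they were entered.
VLAN_MAP = [parse_map_rule(c) for c in (
    "config map-rule VLAN-Map rule ipsrc 192.168.1.25 ipsrcmask /32 tool drop",
    "config map-rule VLAN-Map rule vlan 101 tool 6",
    "config map-rule VLAN-Map rule vlan 102 tool 7",
    "config map-rule VLAN-Map rule collector tool 8",
)]
PACKET = {"ipsrc": "192.168.1.25", "vlan": 101}   # constructed sample packet

if __name__ == "__main__":
    print("as entered:", destination(VLAN_MAP, PACKET))
    moved = delete_and_readd(VLAN_MAP, 1)      # re-add the drop rule
    moved = delete_and_readd(moved, 3)         # re-add the collector so it stays last
    print("after re-adding drop rule:", destination(moved, PACKET))
```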

Map Creation Guidelines
Keep the following simple guidelines in mind when creating maps:

Apply Complicated Filters/Map-Rules First

Always apply the more complicated filters/map-rules first.
Complicated filters/map-rules include:
• Filters/Map-Rules with value ranges (for example, a range of
port-numbers).
• Filters/Map-Rules with multiple attributes.
• User-Defined Pattern Matches.

Apply Collector Map-Rules Last

If your map includes a collector map-rule, it should always be the
last map-rule in the map. You can see examples of this in Map
Examples on page 282.

Resolving “No Resource for Operation” Errors

If you receive a No resource for operation error message when
adding map-rules or filters, do a config save followed by a config
restore and then try applying the map-rules or filters again.

Map Examples
This section provides some sample maps along with the commands
used to create them.
• Map Example – Selectively Forwarding VLAN Ranges on
page 282
• Map Example – Single-Tool vs. Multi-Tool on page 287

Map Example – Selectively Forwarding VLAN Ranges


In this example, we will create a map that forwards different ranges
of VLAN IDs to different tool ports, including one cross-box
destination. Figure 14-4 illustrates our starting configuration:
• The GigaVUE-420 with the Box ID of 1 has ports 1-4 set up as
network ports and ports 5-8 set up as tool ports.
• The GigaVUE-420 with the Box ID of 2 also has ports 1-4 set up as
network ports and ports 5-8 set up as tool ports.
• Box 1 and Box 2 are connected back-to-back in a cross-box stack
using the x1 stacking ports.

[Figure: two GigaVUE-420 units, Box ID 1 and Box ID 2, each with Network
Ports 1-4 and Tool Ports 5-8, joined through their x1 stacking ports.]

Figure 14-4: Starting Configuration: Back-to-Back Cross-Box Connection

What this Map Will Do


We want to create a map called VLAN-Map and bind it to Network
Port 1 on GigaVUE-420 Box ID 1. This map will do the following:
• Send traffic with VLAN IDs 1-99 to local Tool Port 5.
• Send traffic with VLAN IDs 100-199 to local Tool Port 6.
• Send traffic with VLAN IDs 200-299 to local Tool Port 7.
• Send traffic with VLAN IDs 300-399 to the cross-box destination
of Tool Port 5 on GigaVUE-420 Box ID 2.
• Send all other traffic to local Tool Port 8 using the collector rule.

Commands to Create this Map
The table below lists and describes the commands used to create this
map.

Description
    CLI Command

First, create the VLAN-Map container using the config xbmap command.
Because this map will consist entirely of rules sending traffic to only a
single destination, we will set type to st (single-tool).
    config xbmap type st alias VLAN-Map

Next, we will create the map-rules for the VLAN-Map using the config
map-rule command. We need map-rules that forward different VLAN ranges to
different ports. The first command forwards VLANs 1-99 to Tool Port 5 on
Box ID 1.
    config map-rule VLAN-Map rule vlan 1..99 tool 1-5

This map-rule for VLAN-Map sends VLANs 100-199 to Tool Port 6 on Box ID 1.
    config map-rule VLAN-Map rule vlan 100..199 tool 1-6

This map-rule for VLAN-Map sends VLANs 200-299 to Tool Port 7 on Box ID 1.
    config map-rule VLAN-Map rule vlan 200..299 tool 1-7

This map-rule for VLAN-Map sends VLANs 300-399 to Tool Port 5 on Box ID 2.
    config map-rule VLAN-Map rule vlan 300..399 tool 2-5

This map-rule sends all traffic not matching any other rules in the map to
Tool Port 8 on Box ID 1.
    config map-rule VLAN-Map rule collector tool 1-8

Finally, bind the map to Network Port 1 on Box ID 1 with the config
xbmapping command.
    config xbmapping net 1-1 map VLAN-Map

Execute Cross-Box Commands on All Boxes in Stack!

For the cross-box map created in the table above to work correctly,
you would need to execute all of the commands in the table in the
same order on all boxes in the stack (Box ID 1 and Box ID 2 in this
example).

The easiest way to do this is to create a text file with these commands
and then paste the contents of the text file into the CLI of each box in
the stack.
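
A check for such a command file before it is pasted into each box, as an added example (it is not part of the Gigamon guide). It parses the vlan and collector map-rules in the form shown in the table above, resolves a VLAN ID with the last-match behavior described earlier in this chapter, and reports overlapping ranges and a collector rule that is not last. The function names are hypothetical, only these two rule forms are modelled, and treating the collector as a fallback wherever it appears is an assumption.

```python
import re
from typing import List, NamedTuple, Optional

# Only the two rule forms used in the VLAN-Map table are modelled here:
#   config map-rule <alias> rule vlan <id | x..y> tool <destination>
#   config map-rule <alias> rule collector tool <destination>
RULE_RE = re.compile(
    r"^config map-rule (?P<alias>\S+) rule "
    r"(?:vlan (?P<low>\d+)(?:\.\.(?P<high>\d+))?|(?P<collector>collector)) "
    r"tool (?P<tool>\S+)$"
)


class Rule(NamedTuple):
    line_no: int
    collector: bool
    low: int
    high: int
    tool: str


def parse_rules(text: str, alias: str) -> List[Rule]:
    """Return the map-rules for one map, in the order they would be entered."""
    rules = []
    prefix = f"config map-rule {alias} "
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = " ".join(raw.split())  # normalise whitespace
        if not line.startswith(prefix):
            continue  # config xbmap, config xbmapping, other maps, blank lines
        m = RULE_RE.match(line)
        if m is None:
            # Refuse to guess at rule forms this model does not cover.
            raise ValueError(f"line {line_no}: rule form not modelled: {line}")
        if m["collector"]:
            rules.append(Rule(line_no, True, 0, 0, m["tool"]))
            continue
        low = int(m["low"])
        high = int(m["high"] or m["low"])
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"line {line_no}: bad VLAN range {low}..{high}")
        rules.append(Rule(line_no, False, low, high, m["tool"]))
    return rules


def resolve(rules: List[Rule], vlan: int) -> Optional[str]:
    """Destination for a VLAN ID: the last matching rule wins, else the collector."""
    destination = None
    collector = None
    for rule in rules:
        if rule.collector:
            collector = rule.tool  # assumption: fallback regardless of position
        elif rule.low <= vlan <= rule.high:
            destination = rule.tool  # a later match overrides an earlier one
    return destination if destination is not None else collector


def lint(rules: List[Rule]) -> List[str]:
    """Report a misplaced collector rule and VLAN ranges claimed by two rules."""
    findings = []
    for index, rule in enumerate(rules):
        if rule.collector and index != len(rules) - 1:
            findings.append(f"line {rule.line_no}: collector is not the last map-rule")
    vlan_rules = [r for r in rules if not r.collector]
    for index, early in enumerate(vlan_rules):
        for late in vlan_rules[index + 1:]:
            low, high = max(early.low, late.low), min(early.high, late.high)
            if low <= high and early.tool != late.tool:
                findings.append(
                    f"VLANs {low}..{high}: line {late.line_no} (tool {late.tool}) "
                    f"overrides line {early.line_no} (tool {early.tool})"
                )
    return findings


# The commands from the table above.
VLAN_MAP_COMMANDS = """\
config xbmap type st alias VLAN-Map
config map-rule VLAN-Map rule vlan 1..99 tool 1-5
config map-rule VLAN-Map rule vlan 100..199 tool 1-6
config map-rule VLAN-Map rule vlan 200..299 tool 1-7
config map-rule VLAN-Map rule vlan 300..399 tool 2-5
config map-rule VLAN-Map rule collector tool 1-8
config xbmapping net 1-1 map VLAN-Map
"""

# Constructed variant with an overlapping range and a misplaced collector.
CONSTRUCTED_OVERLAP = """\
config xbmap type st alias VLAN-Map
config map-rule VLAN-Map rule vlan 100..199 tool 1-6
config map-rule VLAN-Map rule collector tool 1-8
config map-rule VLAN-Map rule vlan 150..160 tool 1-7
config xbmapping net 1-1 map VLAN-Map
"""

if __name__ == "__main__":
    for name, text in (("table", VLAN_MAP_COMMANDS), ("constructed", CONSTRUCTED_OVERLAP)):
        parsed = parse_rules(text, "VLAN-Map")
        print(name, "VLAN 155 ->", resolve(parsed, 155), lint(parsed))
```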

Showing the Map in the CLI
Once you have created the map using the commands in Commands to
Create this Map on page 284, it’s a good idea to use the show map-rule
command to verify that the map has been set up the way you
expected. Figure 14-5 shows the results of a show map-rule for this
map example.

[Figure callouts: one part of the output shows that this is a cross-box
(Stacking), single-tool map with the name VLAN-Map, and that the map has
been applied to Network Port 1-1. Another part shows the rules (1-5)
configured for this map.]

Figure 14-5: Results of a show map-rule for VLAN-Map

Map Illustration
Figure 14-6 shows conceptually how VLAN-Map is implemented.

[Figure: VLAN-Map shown on GigaVUE-420 Box ID 1 (Network Ports 1-1 to 1-4,
Tool Ports 1-5 to 1-8) and on GigaVUE-420 Box ID 2 (Network Ports 2-1 to
2-4, Tool Ports 2-5 to 2-8). Both boxes hold the same five map-rules:
• Map-Rule 1: Send VLANs 1-99 to Tool Port 1-5.
• Map-Rule 2: Send VLANs 100-199 to Tool Port 1-6.
• Map-Rule 3: Send VLANs 200-299 to Tool Port 1-7.
• Map-Rule 4: Send VLANs 300-399 to cross-box Tool Port 2-5.
• Map-Rule 5: Send Everything Else to the Collector on Tool Port 1-8.
Notice that the same config xbmap, config map-rule, and config xbmapping
commands are executed on both boxes in the stack. However, the map is
only bound to Network Port 1-1.]

Figure 14-6: VLAN-Map as Implemented

Map Example – Single-Tool vs. Multi-Tool
As described in Single-Tool Maps vs. Multi-Tool Maps on page 267,
single-tool and multi-tool maps have the following differences:
• Single-tool maps must consist entirely of map-rules that send
matching packets to a single tool port.
• Multi-tool maps can have map-rules that send matching packets
to multiple tool port destinations. However, it is not a
requirement that they have at least one such rule.

This section contrasts a single-tool map with a multi-tool map so you
can see the differences in how they are constructed.

Single-Tool Map
In this example, we will create a single-tool map called uda_map and
bind it to Network Port 1. Our starting configuration is as follows:
• Ports 1-4 are set up as network ports.
• Ports 5-8 are set up as tool ports.

Because this is a single-tool map, we will use a user-defined pattern
match (uda) as one of the map-rules. Recall from Map Types and Other
GigaVUE-420 Features on page 268 that multi-tool maps cannot use
user-defined pattern match map-rules.

This map will do the following:


• Send packets on even source ports to local Tool Port 5.
• Send packets matching a user-defined pattern match for a
particular MPLS label to local Tool Port 6.
• Discard all traffic from the IP address 192.168.1.25.
• Send all other traffic to local Tool Port 8 using the collector rule.

Commands to Create this Map
The table below lists and describes the commands used to create this
map. Note the order in which the commands are specified in this map
– the more complicated rules (those including large attribute ranges
or UDAs) are specified first. In addition, the collector rule is specified
last, as it always should be. See Map Creation Guidelines on page 281
for a discussion of map creation guidelines.

Description
    CLI Command

First, create the uda_map container using the config map command. Because
this map will consist entirely of rules sending traffic to only a single
destination, we will set type to st (single-tool).
    config map type st alias uda_map

Next, we will create the map-rules for uda_map using the config map-rule
command.
The first map-rule sends all traffic on even source ports in the standard
Cisco RTP range to Tool Port 5 (VoIP implementations typically send RTP on
even port numbers and RTCP on the next available odd port number).
    config map-rule uda_map rule portsrc 16384..16624 even tool 5

The next rule uses a user-defined pattern match to match traffic from a
particular MPLS label (0x00017) and send it to Tool Port 6. Because this is
a single-tool map, we can include up to two user-defined pattern matches in
the rules. As shown below, creating a pattern-match rule consists of two
steps – setting the offset and setting the pattern.

First, set the offset for the user-defined pattern match. We know that MPLS
label stacks start at an offset of 14 bytes, right after the DLC header, so
let’s set that up.
    config uda uda1_offset 14

Next, set up the map-rule itself. The map-rule will have two parts – an
ethertype match for MPLS and the user-defined pattern match itself.
• The ethertype for MPLS is 0x8847.
• We’re searching for the MPLS label of 0x00017. Fortunately, the offset of
  14 is on a four-byte boundary when counting from the start of the valid
  range (2~110; so, 2, 6, 10, 14). This makes it easy to supply the
  pattern – we can start with the actual MPLS label and then mask the rest
  with binary zeroes.
    config map-rule uda_map rule ethertype 0x8847 uda1_data 0x00017000-00000000-00000000-00000000 uda1_mask 0xfffff000-00000000-00000000-00000000 tool 6

This map-rule discards all traffic from the IP address 192.168.1.25.
    config map-rule uda_map rule ipsrc 192.168.1.25 ipsrcmask /32 tool drop

This map-rule sends all traffic not matching any other rules in the map to
Tool Port 8.
    config map-rule uda_map rule collector tool 8

Finally, bind the map to Network Port 1 with the config mapping command.
    config mapping net 1 map uda_map
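
How the uda1_offset, uda1_data and uda1_mask values from the table select the MPLS label, as an added example that is not part of the Gigamon guide. It models the comparison in software on constructed, untagged Ethernet frames; the function names are hypothetical, and treating a frame shorter than the 16-byte window as a non-match is an assumption.

```python
import struct

UDA_WINDOW = 16            # a user-defined pattern is 16 bytes long
MPLS_ETHERTYPE = 0x8847    # ethertype used by the map-rule in the table

# Values taken from the commands in the table above.
UDA1_OFFSET = 14
UDA1_DATA = "0x00017000-00000000-00000000-00000000"
UDA1_MASK = "0xfffff000-00000000-00000000-00000000"


def parse_uda_hex(value: str) -> bytes:
    """Convert the CLI form 0xXXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX to 16 bytes."""
    digits = value.lower().replace("-", "")
    if digits.startswith("0x"):
        digits = digits[2:]
    raw = bytes.fromhex(digits)
    if len(raw) != UDA_WINDOW:
        raise ValueError(f"expected {UDA_WINDOW} bytes, got {len(raw)}")
    return raw


def uda_matches(frame: bytes, offset: int, data: bytes, mask: bytes) -> bool:
    """Compare the 16 bytes at offset with data, on the bits set in mask only."""
    if not 2 <= offset <= 110:
        raise ValueError("offset outside the valid range 2~110")
    window = frame[offset:offset + UDA_WINDOW]
    if len(window) < UDA_WINDOW:
        return False  # assumption: a frame too short for the window never matches
    return all((w & m) == (d & m) for w, d, m in zip(window, data, mask))


def rule_matches(frame: bytes, offset: int, data: bytes, mask: bytes) -> bool:
    """Both parts of the map-rule: ethertype 0x8847 AND the pattern match."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    return ethertype == MPLS_ETHERTYPE and uda_matches(frame, offset, data, mask)


def mpls_frame(label: int, tc: int = 0, bottom: int = 1, ttl: int = 64,
               ethertype: int = MPLS_ETHERTYPE) -> bytes:
    """Constructed untagged Ethernet frame carrying one MPLS label stack entry.

    The entry is 32 bits: 20-bit label, 3-bit traffic class, 1-bit
    bottom-of-stack flag, 8-bit TTL. The label therefore occupies the top
    20 bits, which is exactly what the mask 0xfffff000 keeps.
    """
    entry = (label << 12) | (tc << 9) | (bottom << 8) | ttl
    macs = bytes.fromhex("020000000002" "020000000001")  # constructed addresses
    frame = macs + struct.pack("!H", ethertype) + struct.pack("!I", entry)
    return frame.ljust(60, b"\x00")  # pad to the minimum Ethernet frame size


if __name__ == "__main__":
    data, mask = parse_uda_hex(UDA1_DATA), parse_uda_hex(UDA1_MASK)
    for label in (0x00017, 0x00018):
        frame = mpls_frame(label, tc=5, ttl=64)
        print(hex(label), frame[14:18].hex(),
              rule_matches(frame, UDA1_OFFSET, data, mask))
```

With the label bits masked in and the traffic class, bottom-of-stack and TTL bits masked out, the rule matches label 0x00017 whatever those other fields contain; a mask of 0xffffffff on the first four bytes would match only when they are all zero.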

Figure 14-7 shows conceptually how uda_map is implemented.

[Figure: Single-Tool Map with User-Defined Pattern Match. uda_map is bound
to Network Port 1, with Tool Ports 5-8 as destinations:
• Map-Rule 1: Send packets on even source ports to Tool Port 5.
• Map-Rule 2: Send packets matching user-defined pattern match to Tool
  Port 6.
• Map-Rule 3: Drop everything from IP address 192.168.1.25.
• Map-Rule 4: Send everything else to the Collector on Tool Port 8.]

Figure 14-7: Single-Tool Map with User-Defined Pattern Match (UDA)

Once you have created the map, it’s a good idea to use the show
map-rule command to verify that the map is set up the way you
expected. Figure 14-8 shows the results of a show map-rule for this
map example.

[Figure callouts: one part of the output shows that this is a single-tool
map with the name uda_map, and that the map has been applied to Network
Port 1. Another part shows the rules (1-4) configured for this map.]

Figure 14-8: Results of a show map-rule for uda_map

Multi-Tool Map
In this example, we will create a multi-tool map called mt_map and
bind it to Network Port 1. Our starting configuration is the same as
the single-tool map in the previous section:
• Ports 1-4 are set up as network ports.
• Ports 5-8 are set up as tool ports.

Multi-Tool vs. Single-Tool Maps

In contrast to single-tool maps, multi-tool maps can include
map-rules that send matching traffic to multiple tool ports. The
tradeoff is that multi-tool maps cannot include user-defined pattern
matches in map-rules.
NOTE: See Map Types and Other GigaVUE-420 Features on page 268 for
a summary of the tradeoffs when deciding between single-tool and
multi-tool maps. In general, unless you need user-defined pattern
matches, it’s a good idea to use multi-tool maps to make the best use
of the GigaVUE-420’s resources.

Map Summary

This map will do the following:


• Send all traffic from IP address 192.168.1.50 to Tool Ports 5, 6, and
7. This is a multi-tool map-rule – it sends matching traffic to
multiple tool ports.
• Send all IPv6 traffic to local Tool Port 7.
• Send all other traffic to local Tool Port 8 using the collector rule.

Commands to Create this Map
The table below lists and describes the commands used to create this
map.

Description
    CLI Command

First, create the mt_map container using the config map command. Because
this map includes a multi-tool map-rule, we will set type to mt
(multi-tool). Recall from Single-Tool Maps vs. Multi-Tool Maps on page 267
that multi-tool maps can have map-rules that send matching packets to
multiple tool port destinations. However, it is not a requirement that they
have at least one such rule.
    config map type mt alias mt_map

The first map-rule sends all traffic to and from IP address 192.168.1.50 to
Tool Ports 5, 6, and 7. A rule like this is useful when you want multiple
tools to focus on traffic from a specific critical node (for example, a
database server).
    config map-rule mt_map rule ipsrc 192.168.1.50 ipsrcmask /32 ipdst 192.168.1.50 ipdstmask /32 tool 5 6 7

The next map-rule sends all IPv6 traffic to Tool Port 7.
    config map-rule mt_map rule ipver 6 tool 7

The final map-rule sends all traffic not matching any other rules in the
map to Tool Port 8.
    config map-rule mt_map rule collector tool 8

Finally, bind the map to Network Port 1 with the config mapping command.
    config mapping net 1 map mt_map

Figure 14-9 shows conceptually how mt_map is implemented.

[Figure: Multi-Tool Map. mt_map is bound to Network Port 1, with Tool
Ports 5-8 as destinations:
• Map-Rule 1: Send everything from IP address 192.168.1.50 to Tool Ports
  5, 6, and 7.
• Map-Rule 2: Send all IPv6 traffic to Tool Port 7.
• Map-Rule 3: Send everything else to the Collector on Tool Port 8.]

Figure 14-9: Multi-Tool Map Example

Figure 14-10 shows this map in the show map-rule output.

[Figure callouts: one part of the output shows that this is a multi-tool
map with the name mt_map, and that the map has been applied to Network
Port 1. Another part shows the rules (1-3) configured for this map.]

Figure 14-10: Results of a show map-rule for mt_map

Appendix A

Command Line Reference

This section describes all GigaVUE-420 commands. Commands are
organized in the same order in which they are found in the CLI itself.
See the sections for top-level commands as follows:
• config commands on page 296
• delete commands on page 331
• exit command on page 332
• help command on page 333
• history command on page 333
• install commands on page 334
• logout command on page 336
• reset commands on page 336
• show commands on page 337
• upload command on page 340

config commands
Config commands let you configure operating parameters on the
GigaVUE-420 unit.

Config commands are always available to super users and never
available to audit users. Normal users have varying access to config
commands depending on the lock-level in place on the box – see
Appendix C, Lock-Level Reference for details.

config connect
You use the config connect command to connect network ports to
tool ports on the same box. All well-formed packets arriving on the
network ports are forwarded to the tool ports, except those removed
by any filters in place.

You set up connections with the following command syntax:


config connect <network-port-alias | pid-list | pid-x..pid-y> to
<tool-port-alias | pid-list | pid-x..pid-y>

Notice that you can connect multiple network ports or tool ports with
a single command:
• The pid-list (port id list) and bid-pid_list (box id-port id)
arguments let you select multiple non-contiguous ports. To enter
port IDs in a list, simply put a space between each port ID in the
list.
• The pid-x..pid-y argument lets you select a series of adjacent
ports (for example, 2..5 selects ports 2, 3, 4, and 5).

config file
You use the config file nb command to set a configuration file as the
file to be used the next time the GigaVUE-420 is booted. The syntax is
as follows:
config file <filename> [nb] [description “string”]

Enabling the nb option for a configuration file marks it for loading
the next time the unit is booted. It will continue to be used at each
boot until the nb option is applied to a different configuration file.
There can be only one file with nb enabled at a time.
NOTE: You cannot delete a configuration file with nb enabled. You
must enable nb for another configuration file before you can delete it.
NOTE: GigaVUE-420 will not let you delete all configuration files –
there will always be at least one configuration file with nb enabled.

See Setting a Configuration File to Boot Next on page 182 for details.

config filter command


Use this command to define filter rules. Once defined, you can apply
filters to a port with the config port-filter command.

GigaVUE-420 filters are hardware-based, performing pattern
matching at predefined offsets. You can specify one argument per
filter rule or combine multiple arguments. Multiple arguments in a
single filter are joined with a logical and. Multiple filters bound to a
port are processed with a logical or.
NOTE: Filters are for use with connections only. Maps use map-rules
instead of filters. The concept is the same, but map-rules offer some
different configuration options. See Mapping Network Ports to Tool
Ports on page 264 for details.

The table below lists and describes the arguments for the config filter
command:

Argument
    Description

[allow | deny]
    Specifies whether the filter should include (allow) or exclude (deny)
    traffic meeting the criteria specified by the rest of the config filter
    command.
    You can mix allow and deny filters on a single port.

[dscp <assured-forwarding-value>]
(af11~af13, af21~af23, af31~af33, af41~af43, ef)
    Creates a filter pattern for a particular decimal DSCP value. You can
    choose any value within the four Assured Forwarding class ranges or ef
    for Expedited Forwarding (the highest priority in the DSCP model).
    The valid DSCP values by Assured Forwarding Class are as follows:
    • Class 1 – 11, 12, 13
    • Class 2 – 21, 22, 23
    • Class 3 – 31, 32, 33
    • Class 4 – 41, 42, 43
    • Expedited Forwarding – ef
    For example, config filter allow dscp ef will match all traffic with
    expedited forwarding assigned.

[ethertype <2-byte-hex>]
    Creates a filter pattern for the Ethertype value in a packet (for
    example, config filter allow ethertype 0x86DD will match all traffic
    with an IPv6 Ethertype).
    NOTE: To filter for VLANs use the predefined VLAN filter element type
    instead of the 8100 Ethertype.

[ipfrag <0|1|2|3|4>]
    Creates a filter for different types of IPv4 fragments:
    • 0 – Matches unfragmented packets.
    • 1 – Matches the first fragment of a packet.
    • 2 – Matches unfragmented packets or the first fragment of a packet.
    • 3 – Matches all fragments except the first fragment in a packet.
    • 4 – Matches any fragment.
    For example, config filter allow ipfrag 1 alias headerfrags creates a
    filter named headerfrags that matches the first fragment in a packet.
    NOTE: The ipfrag argument only matches IPv4 fragments. To create a
    filter for IPv6 fragments, set ipver to 6 and use the protocol argument
    with a <1-byte-hex> value of 0x2c. This has the same effect as option
    number 4 for IPv4 – it matches all IPv6 fragments. For example:
    config filter allow ipver 6 protocol 0x2c alias six_frags

[ipdst <dstaddr>] [ipdstmask <xxx.xxx.xxx.xxx | /nn>]
[ipsrc <srcaddr>] [ipsrcmask <xxx.xxx.xxx.xxx | /nn>]
    Creates a filter for either a source or destination IPv4 address or
    subnet.
    Use subnet masks to match traffic from a range of IP addresses. You can
    enter subnet masks using either dotted-quad notation
    (<xxx.xxx.xxx.xxx>) or in the bit count format (see Using Bit Count
    Subnet Netmasks on page 233).

[ip6src <srcaddr>] [ip6srcmask <xxxx::xxxx | /nn>]
[ip6dst <dstaddr>] [ip6dstmask <xxxx::xxxx | /nn>]
    Creates a filter for either a source or destination IPv6 address or
    subnet. Enter IPv6 addresses as eight 16-bit hexadecimal blocks
    separated by colons. For example:
    2001:0db8:3c4d:0015:0000:0000:abcd:ef12
    Use subnet masks to match traffic from a range of IP addresses. You can
    enter subnet masks either in 16-bit hexadecimal blocks separated by
    colons or in the bit count format (see Using Bit Count Subnet Netmasks
    on page 233).

[ip6fl <3-byte-hex>]
    Creates a filter for the 20-bit Flow Label field in an IPv6 packet.
    Packets with the same Flow Label, source address, and destination
    address are classified as belonging to the same flow. IPv6 networks can
    implement flow-based QoS using this approach.
    Specify the flow label as a 3-byte hexadecimal pattern. Note, however,
    that only the last 20 bits are used – the first four bits must be
    zeroes (specified as a single hexadecimal zero in the CLI). For
    example, to match all packets without flow labels, you could use the
    following filter:
    config filter allow ip6fl 0x000000 alias no_flow
    Alternatively, to match the flow label of 0x12345, you could use the
    following:
    config filter allow ip6fl 0x012345 alias flow12345

[ipver <4|6>]
    When used by itself, the ipver argument creates a filter to match
    either all IPv4 or all IPv6 traffic.
    You can also set ipver to 6 and use it together with other arguments to
    change their meaning. See IPv4/IPv6 and Filters on page 223 for more
    information on ipver.
    NOTE: The ipver argument is implicitly set to 4 – if you configure a
    filter without ipver specified, GigaVUE-420 assumes that the IP version
    is 4.

[macdst <macaddr>] [macdstmask <6-byte-hex>]
[macsrc <macaddr>] [macsrcmask <6-byte-hex>]
    Creates a filter pattern for either a source or destination MAC
    address.
    Use the optional macsrcmask or macdstmask argument to create a range of
    MAC addresses that will satisfy the filter pattern.
    NOTE: You can enter hexadecimal MAC addresses in either 0xffffffffffff
    or ffffffffffff format.
    See Examples of MAC Address Filters on page 175 for examples of how to
    use MAC address masks.

[portdst <single-port-number> | <x..y>] [even | odd]
[portsrc <single-port-number> | <x..y>] [even | odd]
    Creates a filter for a source or destination application port. You can
    also specify:
    • A range of ports. For example config filter allow portsrc 5000..5100
      will match all source ports from 5000 to 5100, inclusive.
    • Either odd or even port numbers. The even | odd arguments are useful
      when setting up filters for VoIP traffic. Most VoIP implementations
      send RTP traffic on even port numbers and RTCP traffic on odd port
      numbers.
      For example, config filter allow portsrc 5000..5100 odd will match
      all odd source ports between 5000 and 5100.

[protocol <gre|icmp|igmp|ipv4ov4|ipv6ov4|rsvp|tcp|udp|<1-byte-hex>>]
    Creates a filter for a particular protocol. In this release, you can
    create protocol filters for gre, icmp, igmp, IPv4 over IPv4 (ipv4ov4),
    IPv6 over IPv4 (ipv6ov4), rsvp, tcp, udp, and one-byte hex values
    (<1-byte-hex>).
    For example, config filter deny protocol gre will create a filter that
    excludes all GRE traffic.

    Protocol Filters and IPv6

    The predefined protocol filters available for IPv4 (GRE, RSVP, and so
    on) are not allowed when ipver is set to 6. This is because with the
    next header approach used by IPv6, the next layer of protocol data is
    not always at a fixed offset as it is in IPv4.
    To address this, GigaVUE-420 provides the <1-byte-hex> option to match
    against the standard hex values for these protocols in the Next Header
    field. Here are standard 1-byte-hex values for both IPv4 and IPv6:
    0x00: Hop-By-Hop Option (v6 only)
    0x01: ICMP (v4 only)
    0x02: IGMP
    0x04: IP over IP
    0x06: TCP
    0x11: UDP
    0x29: IPv6 over IPv4
    0x2b: Routing Option (v6 only)
    0x2c: Fragment (v6 only)
    0x2E: RSVP (v4 only)
    0x2F: GRE (v4 only)
    0x32: Encapsulation Security Payload (ESP) Header (v6 only)
    0x33: Authentication (v6 only)
    0x3a: ICMP (v6 only)
    0x3b: No Next Header (v6 only)
    0x3c: Destination Option (v6 only)

[tcpctl <1-byte-hex>] [tcpctlmask <1-byte-hex>]
    Creates a one-byte pattern match filter for the standard TCP control
    bits (URG, SYN, FIN, ACK, and so on). You can use the tcpctlmask
    argument to specify which bits should be considered when matching
    packets.
    See Setting Filters for TCP Control Bits on page 232 for a list of the
    hexadecimal patterns for each of the eight TCP flags, along with some
    examples.

[tosval <1-byte-hex>]
    Creates a filter pattern for the Type of Service (TOS) value in an IPv4
    header. The TOS value is how some legacy IPv4 equipment implements
    quality of service traffic engineering. The standard values are:
    • Minimize-Delay: Hex 0x10 or 10
    • Maximize-Throughput: Hex 0x08 or 08
    • Maximize-Reliability: Hex 0x04 or 04
    • Minimize-Cost: Hex 0x02 or 02
    • Normal-Service: Hex 0x00 or 00
    NOTE: Most network equipment now uses DSCP to interpret the TOS byte
    instead of the IP precedence and TOS value fields.

[ttl <0~255> | <x..y>] (valid range 0..255)
    Creates a filter for the Time to Live (TTL – IPv4) or Hop Limit (IPv6)
    value in an IP packet.
    • If there is no ipver argument included in the filter (or if it is set
      to 4), GigaVUE-420 matches the value against the TTL field in IPv4
      packets.
    • If ipver is set to 6 in the filter, GigaVUE-420 matches the value
      against the Hop Limit field in IPv6 packets.
    The TTL and Hop Limit fields perform the same function, specifying the
    maximum number of hops a packet can cross before it reaches its
    destination.

[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
    Creates up to two user-defined, 16-byte pattern matches in a filter. A
    pattern is a particular sequence of bits at a specific offset from the
    start of a frame.
    Setting a user-defined pattern match in GigaVUE-420 consists of the
    following major steps:
    • Specify the two global offsets to be used for user-defined pattern
      matches using the config uda command (uda1_offset and uda2_offset)
    • Specify the data pattern and mask using the config filter command
      with the [udax_data][udax_mask] arguments. You use the mask to
      specify which bits in the pattern must match to satisfy the filter.
    A single filter can contain up to two user-defined pattern matches.
    NOTE: Always use the predefined filter elements instead of user-defined
    pattern matches when possible.
    See Working with User-Defined Pattern Match Filters on page 237 for
    details.

[vlan <vlan id (1-4094)> | <x..y>] [odd | even]
    Creates a filter pattern for a VLAN ID or range of VLAN IDs. You can
    also use the odd | even argument to match alternating VLAN IDs. For
    example, config filter allow vlan 200..300 even will match all even
    VLAN IDs between 200 and 300.

[alias <string>]
    Use the alias argument to associate a textual alias with a filter.
    Aliases are optional. GigaVUE-420 automatically creates a Filter ID for
    every filter you configure. You can manage filters either by the
    automatically generated numerical Filter ID or by the optional alias.
    NOTE: The easiest way to discover the automatically generated Filter ID
    for a given filter is to do a show filter command in the CLI. Each
    filter will be shown along with its numerical ID.
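
The ipfrag options in the table above, mapped onto the IPv4 header bits they correspond to, as an added example that is not part of the Gigamon guide. It is useful for building test packets to confirm that a fragment filter sends traffic where you expect; the function names and the constructed headers are hypothetical, and the IPv6 check looks only at the Next Header field of the fixed IPv6 header, which is an assumption about where the protocol argument is compared.

```python
import struct

MORE_FRAGMENTS = 0x2000   # MF flag in the 16-bit flags/fragment-offset field
OFFSET_MASK = 0x1FFF      # 13-bit fragment offset, in units of 8 bytes
IPV6_FRAGMENT = 0x2C      # Next Header value for the IPv6 Fragment header


def ipfrag_options(ipv4_header: bytes) -> set:
    """Return the ipfrag values (0-4) whose description fits this IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    field = struct.unpack_from("!H", ipv4_header, 6)[0]
    more = bool(field & MORE_FRAGMENTS)
    offset = field & OFFSET_MASK
    if not more and offset == 0:
        return {0, 2}        # unfragmented packet
    if offset == 0:
        return {1, 2, 4}     # first fragment: MF set, offset zero
    return {3, 4}            # later fragment, including the last one (MF clear)


def ipv6_protocol_0x2c_matches(ipv6_header: bytes) -> bool:
    """Model of 'ipver 6 protocol 0x2c' against the fixed header's Next Header."""
    if len(ipv6_header) < 40 or ipv6_header[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    return ipv6_header[6] == IPV6_FRAGMENT


def ipv4_header(more_fragments: int, offset: int) -> bytes:
    """Constructed 20-byte IPv4 header (UDP, checksum left at zero)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 1, (more_fragments << 13) | offset, 64, 17, 0,
        bytes([192, 168, 1, 25]), bytes([192, 168, 1, 50]),
    )


def ipv6_header(next_header: int) -> bytes:
    """Constructed 40-byte IPv6 fixed header with zeroed addresses."""
    return struct.pack("!IHBB16s16s", 6 << 28, 8, next_header, 64,
                       bytes(16), bytes(16))


if __name__ == "__main__":
    for name, header in (
        ("unfragmented", ipv4_header(0, 0)),
        ("first fragment", ipv4_header(1, 0)),
        ("middle fragment", ipv4_header(1, 185)),
        ("last fragment", ipv4_header(0, 370)),
    ):
        print(f"{name}: ipfrag {sorted(ipfrag_options(header))}")
```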

config map command
You use the config map command to create a map container to hold
your map-rules. You will eventually bind the container to one or
more network ports using the config mapping command.

When you create the map container, you must supply the following
information:
• Whether the map is a single-tool map or a multi-tool map (see
Single-Tool Maps vs. Multi-Tool Maps on page 267 for details).
• The name (alias) of the map

The config map command has the following syntax:


config map type [st | mt] alias <string>

The table below lists and describes the arguments for this command:

Argument
    Description

type [mt | st]
    Specifies whether the map is a multi-tool (mt) or single-tool (st) map.
    See Single-Tool Maps vs. Multi-Tool Maps on page 267 for more
    information.

alias
    Creates a textual alias for this map. Aliases can consist of a maximum
    of 30 alphanumeric characters. You can also use hyphens (-) and the
    underscore (_) character.

config map-rule
The config map-rule command creates a map filter that directs
matching traffic to tool ports, cross-box tool ports, or a virtual drop
port. You can set map-rules that direct traffic based on MAC
addresses, IP addresses, ports, ethertypes, VLAN IDs, protocols, and
TOS values.

Map-rules must be bound to an existing map. Whenever you set up a
new map-rule, you must specify the map to which it belongs with the
<map-alias> argument.

The syntax for the config map-rule command is as follows:


config map-rule <map-alias>
rule [collector]
[dscp <assured-forwarding-value>]
(af11~af13, af21~af23, af31~af33, af41~af43, ef)
[ethertype <2-byte-hex>]
[ipfrag <0|1|2|3|4>] [ipver <4|6>]
(0:no frag, 1:1st frag, 2:no frag or 1st frag, 3:frag but not 1st, 4:all frag)
[ipdst <dstaddr>] [ipdstmask <xxx.xxx.xxx.xxx | /nn>]
[ipsrc <srcaddr>] [ipsrcmask <xxx.xxx.xxx.xxx | /nn>]
[ip6src <srcaddr>] [ip6srcmask <xxxx::xxxx | /nn>]
[ip6dst <dstaddr>] [ip6dstmask <xxxx::xxxx | /nn>]
[ip6fl <3-byte-hex>]
[ipver <4|6>]
[macdst <macaddr>] [macdstmask <6-byte-hex>]
[macsrc <macaddr>] [macsrcmask <6-byte-hex>]
[portdst <single-port-number> | <x..y>] [even | odd]
[portsrc <single-port-number> | <x..y>] [even | odd]
[protocol <gre|icmp|igmp|ipv4ov4|ipv6ov4|rsvp|tcp|udp|<1-byte-hex>>]
[tcpctl <1-byte-hex>] [tcpctlmask <1-byte-hex>]
[tosval <1-byte-hex>]
[ttl <0~255> | <x..y>] (valid range 0..255)
[uda1_data <16-byte-hex>] [uda1_mask <16-byte-hex>]
[uda2_data <16-byte-hex>] [uda2_mask <16-byte-hex>]
[vlan <1~4094> | <x..y>] [even | odd]
tool <port-alias | pid | pid_list | bid-pid | bid-pid-list | drop>

The table below lists and describes the arguments for the config
map-rule command. A map-rule consists of the following major
components:
• The name of the map to which the map-rule will belong
(<map-alias>).

• The criteria for the rule itself. This consists of all the values
specified for the rule argument (MAC/IP addresses, application
ports, VLAN IDs, and so on).
• The destination for traffic matching the rule argument. This
consists of the values specified for the tool argument. You can
send matching traffic to a tool port, a cross-box tool port, or a
virtual drop port.

Map-Rule Arguments Described

The arguments for the map-rule command are exactly the same as
those for the config filter command. See config filter command on
page 297 for a description of each of the arguments.

config mapping command


The config mapping command binds a single-box map to one or
more network ports (up to 20 network ports). You can bind
single-box maps to a single port, a list of ports, or a contiguous series
of ports (single-box maps only).
config mapping net <network-port-alias | network-port-id-list |
network-pid-x..network-pid-y> map <map-alias>

• The net argument specifies the network ports to which the map is
bound.
• The map argument specifies the name of the map you are
binding.

config pass-all command


The config pass-all command can be used to send all packets on a
network or tool port to one or more tool ports, irrespective of the
connections, xbconnections, maps, or xbmaps already in place for the
ports.

The config pass-all command has the following syntax:


pass-all <network/tool-port-alias | pid-list | pid-x..pid-y>
to <tool-port-alias | pid-list | pid-x..pid-y>

Pass-alls are only supported within a single GigaVUE-420 box. In
contrast to the GigaVUE-MP, you can now set up pass-alls between
any ports on the GigaVUE-420. See Using the Pass-All Command on
page 250 for detailed information on using the pass-all command.

config password command


Super users can change passwords for all other users with the config
password command. The syntax for this command is as follows:
config password [user <name-string> <new-password> <new-password-again>]

If no user is specified, this command changes the password of the
user issuing the command.

Acceptable passwords consist of 6 to 30 alphanumeric characters.
At least one of the characters must be a numeral.

config port-alias command


Use this command to give a convenient alias to a port. Port aliases
are limited to a maximum of 30 alphanumeric characters and must
include at least one alphabetical character to avoid confusion with
port numbers.
config port-alias [<port-id> <alias-string>]

config port-filter command


Use this command to apply specified filter(s) to a port. The syntax is
as follows:
config port-filter <port-id | port-alias> <filter-alias | fid-list>

config port-owner command


Super users use the config port-owner command to assign port
ownership to local users.

NOTE: You can only assign port ownership when the lock-level in
place on the GigaVUE-420 is either medium or high. All users have
access to all ports when the lock-level is none.
NOTE: You assign port-ownership to TACACS+ users within the
TACACS+ server itself using an access control list. See Setting up
GigaVUE-420 Users in an External Authentication Server on page 156 for
details.

The config port-owner command has the following syntax:


config port-owner <port-alias | pid-list | pid-x..pid-y> owner <name-string>

The table below describes the arguments for the config port-owner
command:

Argument Description
<port-alias | pid-list | pid-x..pid-y> Specifies the ports to which the named user will be granted ownership.
You can grant ownership to a single port (either by alias or number), a
list of ports, or a contiguous series of ports.

owner <name-string> The name of the account being granted port ownership.

config port-pair command


Use this command to set up a port-pair on a pair of network ports
within the same GigaVUE-420 module. A port-pair is a bidirectional
connection in which traffic arriving on one port in the pair is
transmitted out the other (and vice-versa) as a passthrough tap.

A port-pair between ports of a GigaPORT module can be used as an
electronic tap for RJ45 or fiber-optical links, although without the
fail-over protection provided by GigaTAP-Sx/Lx/Zx and
GigaTAP-Tx. Ports in the GigaMGMT can be paired to form an
electronic tap for RJ45 links (again, without the GigaTAP-Tx’s
fail-over protection).

You must supply an alias for a port-pair. This alias is limited to 30
alphanumeric characters and must include at least one alphabetical
character to avoid confusion with port numbers.

Notes on Port-Pairs
• Can be established between any ports on the same GigaVUE-420.
• Can be established between ports using different speeds (for
example, from a 1 Gb port to a 10 Gb port).
NOTE: Depending on traffic volume, port-pairs between ports
using different speeds can cause packet loss when going from a
faster port to a slower port (for example, from 1 Gb to 100 Mbps,
from 10 Gb to 1 Gb, and so on).
• Supports link status propagation – when one port goes down, the
other port goes down (and vice-versa).

config port-pair and GigaTAP-Tx


See Configuring Tap Connections on page 69 for information on using
the config port-pair command with a GigaTAP-Tx module.

config port-params commands


You use config port-params commands to specify the low-level
operating characteristics of GigaVUE-420 ports. The syntax is as
follows:
port-params <port-id>
[autoneg <0 | 1>]
[duplex <half | full>]
[forcelinkup <0 | 1>]
[medium <electrical | optical>]
[mtu <1518..9600>]
[speed <10 | 100 | 1000>]
[taptx <active | passive>]
[ib_cable_len <1 | 5 | 10 | 15>] (meters)

The following table summarizes these options:

[autoneg <0|1>] Enables and disables autonegotiation for a port. When autonegotiation is
enabled, duplex and speed settings are ignored (they are set via
autonegotiation).
The default is on, except for GigaTAP-Sx/Lx/Zx modules. For GigaTAP-Sx/Lx/
Zx modules, autonegotiation is always off and speed is always set to 1000.
NOTE: For 1 Gb speeds over copper, autonegotiation must be enabled, per
the IEEE 802.3 specification.

[duplex <half | full>] Sets ports to be half or full duplex if autonegotiation is off (10/100 Mbps
operation only).

[forcelinkup <0 | 1>] Forces connection on an optical port (optical ports only). Use this option when
an optical GigaPORT tool port is connected to a legacy optical tool that does
not support autonegotiation.

[medium <electrical | optical>] Specifies whether a GigaPORT module’s port should use the optical or RJ45
port.

[mtu <1518..9600>] Sets the maximum size of packets which are accepted on a port. Factory
default is 9600 bytes.

[speed <10 | 100 | 1000>] Sets the port speed in Mb/s if autonegotiation is off.

[taptx <active | passive>] Specifies whether the relays in the GigaTAP-Tx are open (active mode) or
closed (passive mode).
• In passive mode, the relays in the GigaTAP-Tx module are closed. This
means that traffic received on one port is repeated out the other port in the
pair but is never seen by the GigaVUE-420 – it simply flows between the
two ports.
Passive mode protects production links in case of power failure. The tap
will always revert to passive mode in the event of power loss.
• In active mode, the relays in the GigaTAP-Tx module are open. Traffic
received on one port is still repeated out the other port in the pair, but it
flows through the GigaVUE-420 as well, making it available to tool ports.

[ib_cable_len <1 | 5 | 10 | 15>] (meters) Specifies the length of the InfiniBand copper cable attached to a
GigaLINK-CU port.

config port-type command


Use this command to designate a port’s type – network, tool, or
stack. The syntax is as follows:

config port-type <port-alias | pid-list | pid-x..pid-y> [network | tool | stack]

In general, Ports 1-20 on the GigaVUE-420 can all be either network
ports or tool ports. The exceptions are GigaTAP-Sx/Lx/Zx ports.
These ports can only be configured as network ports.

The x1 - x4 10 Gb ports on the GigaVUE-420 can all be used as either
network or tool ports. However, only the x1 and x2 10 Gb ports can
be used as stack ports.

config rad_server command


Use the config rad_server command to identify RADIUS servers
used for authentication. The arguments are described below. See
Using GigaVUE-420 with an External Authentication Server on page 148
for details on using GigaVUE-420 with a RADIUS server.

The syntax for the config rad_server command is as follows:


config rad_server host <ipaddr>
key "string"
[authen_port <1~65535>]
[account_port <1~65535>]
[timeout <1~90>] (seconds)
[max_tries <1~10>]
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
[alias <alias-string>]

The table below describes the arguments for the config rad_server
command:

Argument Description
host <ipaddr> Specifies the IP address of the RADIUS server.

key "string" Specifies a string to be used for encryption of authentication packets
sent between GigaVUE-420 and the RADIUS server.
An empty key string (“”) indicates that no key will be used. Without a
key, there will be no encryption of the packets between the RADIUS
server and the GigaVUE-420 system.

[authen_port <1~65535>] Specifies the authentication port to be used on the RADIUS server. If
you do not specify a value, GigaVUE-420 will default to the standard
RADIUS authentication port number of 1812.

[account_port <1~65535>] Specifies the accounting port to be used on the RADIUS server. If you
do not specify a value, GigaVUE-420 will default to the standard
RADIUS accounting port number of 1813.

[timeout <1~90>] (seconds) Specifies how long GigaVUE-420 should wait for a response from the
RADIUS server to an authentication request before declaring a
timeout failure. The default value is three seconds.

[max_tries <1~10>] Specifies the maximum number of times GigaVUE-420 will retry a
failed connection to this RADIUS server before falling back to the next
authentication method specified by the config system aaa command
currently in place. The default value is three tries.

[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
These options specify how privilege level checks are performed for
RADIUS servers.
• priv_lvl_check specifies how GigaVUE-420 should assign user
rights for RADIUS users.
• If this option is enabled (the default), the three _priv_lvl options
below it are used to map privilege levels for the corresponding
user types (Audit, Normal, and Super).
• If this option is not enabled, all RADIUS users log in with Super
user rights.
• super_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Super user level when priv_lvl_check
is enabled.
• normal_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Normal user level when priv_lvl_check
is enabled.
• audit_priv_lvl specifies the RADIUS privilege level that will be
mapped to GigaVUE-420’s Audit user level when priv_lvl_check
is enabled.
NOTE: If no values are specified for the three _priv_lvl options and
privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2
(Audit, Normal, and Super, respectively).
NOTE: GigaVUE-420 will not let you enter out-of-order privilege
levels. The value specified for super must be higher than that
specified for normal, and so on.

[alias <alias-string>] Specifies an alphanumeric alias for this RADIUS server to be used in
show rad_server displays.

config restore command
Use the config restore [filename] command to apply a configuration
file stored in flash immediately. For example, to apply gigavue.cfg,
you would use the following command:
config restore gigavue.cfg

NOTE: This will affect connectivity. All connections are deleted before
they are restored.
NOTE: The Box ID stored in the configuration file must match the Box
ID of the target system for a successful restore using a config file. In
addition, the file must have a .cfg extension.

config save command


Use the config save filename.cfg command to save the currently
configured GigaVUE-420 packet distribution settings to a
configuration file. Configuration files must have a .cfg extension.

You can include the nb (“next boot”) flag to specify that the saved
configuration file be loaded the next time the GigaVUE-420 unit
reboots. For example, to save a new configuration file named
myconfig.cfg and set it to boot next, you would use the following
command:
config save myconfig.cfg nb

Use GigaVUE-420’s command completion feature to see a list of
available configuration files. For example, typing config save ? will
show you a list of the available configuration files.
NOTE: System settings are automatically saved in a separate area of
flash when they are made. They are not part of the configuration file.

See Using Configuration Files on page 175 for details on working with
configuration files.

config snmp_server commands
Use the config snmp_server command to enable and configure
GigaVUE-420’s SNMP server so that management stations can poll
the GigaVUE-420 MIB using Get and GetNext commands.
GigaVUE-420 supports MIB polling using the MIB-II System and
Interface OIDs for the Mgmt port only.

The config snmp_server command has the following syntax:


config snmp_server
[enable <0|1>]
[community <string>]
[ver <1 | 1_2>]
[port <value>]

The only required parameter to turn on the SNMP server is enable 1.
If you turn on the SNMP server and do not specify values for the
other parameters, they take the default values shown in the table
below. You can change each default to your own value with the
corresponding command-line setting.

Parameter    Description         Default Value if None Specified
community    Community String    public
port         Port                162
ver          Version             v1

For example, to enable the SNMP server with its default settings, you
would use the following command:
config snmp_server enable 1

config snmp_trap commands


GigaVUE-420 can forward SNMP traps to up to five destinations.
Specify trap events and destinations with the config snmp_trap host
command. The config snmp_trap command has the following
syntax:

snmp_trap [all|none]
[configsave <0|1>] [fanchange <0|1>]
[firmwarechange <0|1>] [modulechange <0|1>]
[portlinkchange <0|1>] [powerchange <0|1>]
[pktdrop <0|1>] [rxtxerror <0|1>]
[systemreset <0|1>] [taptxchange <0|1>]
[userauthfail <0|1>]
[host <ipaddr>] [community <string>]
[port <value>] [ver <1|2>]
[alias <alias-string>]

The table below summarizes the arguments for the config snmp_trap
command. See Using SNMP on page 165 for details on working with
all GigaVUE-420 SNMP options.

Parameter Description
[all | none] Use this attribute to toggle all available trap events on or off. For
example, config snmp_trap all turns on all available trap events.

[configsave <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time the config save filename.cfg
command is used.

[fanchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when the speed of either of the system fans
drops below 4,800 RPM.

[firmwarechange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it boots and detects that its firmware has
been updated from the previous boot.

[modulechange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it detects a change in module type from
the last polling interval. This typically happens when a module is pulled
from a slot or inserted in an empty slot.

[powerchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations when it detects either of the following events:
• One of the two power supplies is powered on or off.
• Power is lost or restored to one of the two power supplies.

[portlinkchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a port’s link status changes from up
to down or vice-versa. This includes ports 1-20 as well as the 10
Gigabit ports (x1 and x2).
NOTE: The portlinkchange trap is not sent when the Management
port’s link status changes.

[pktdrop <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it detects that packets have been
dropped on a data port.

[rxtxerror <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it receives one of the following
physical errors on a data port:
• Undersize error
• Fragment
• Jabber
• CRC or Alignment errors
• Unknown errors.

[systemreset <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time it starts up, either as a result of
cycling the power or a soft reset initiated by the reset system
command.

[taptxchange <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a GigaTAP-Tx’s relays switch from
active to passive or passive to active as a result of the config
port-params taptx command.

[userauthfail <0|1>] When this option is enabled, GigaVUE-420 sends a trap to all
configured destinations each time a user login fails.

config sntp_server command


Use this command to specify the IP address of an SNTP server to be
used for time synchronization. Once you have specified the IP
address of the SNTP server, you enable the use of SNTP with the
config system sntp 1 command.

See Setting Time from an SNTP Server on page 99 for details on setting
up SNTP.

config syslog_server
Use this command to specify an external syslog server as a
destination for GigaVUE-420’s logging output. You can configure a
maximum of one syslog server.

Specifying a syslog server is optional. Logged events are written to
the local syslog.log file regardless of whether an external syslog
server is specified.

The config syslog_server command has the following syntax:


config syslog_server
host <ipaddr>
[port <value>]
[alias <alias-string>]

NOTE: If you do not specify a port, the default port of 514 is used.

The following example shows how to specify a syslog server at the IP
address of 192.168.1.75 with an alias of MySyslogServer:
config syslog_server host 192.168.1.75 alias MySyslogServer

config system commands
Config system commands are only available to super users,
regardless of the lock level in place on the box. The following table
summarizes the available config system commands and their syntax.

Config System Commands Description


config system [name name-string] [description “string”] Use this command to supply a system name and
description for identification purposes.
• Names are limited to 30 alphanumeric characters
with no spaces.
• Descriptions must use quotation marks. They are
limited to 125 alphanumeric characters. Spaces
are allowed.

config system [prompt <string>] Use this command to create individualized prompts
for each GigaVUE-420. This makes it easy to open
CLI sessions with multiple GigaVUE systems and
always know which unit you are configuring.
Maximum of 20 alphanumeric characters. No spaces
allowed.

config system banner [<1 | 0>] Use this command to specify that GigaVUE-420
display a customizable text banner when a user logs
in.
You must have first created and installed the
banner_file.txt file using the install -ban
banner_file.txt [TFTP-server-ipaddr] command.
See Using a Custom Login Banner on page 102 for
details.

config system [date <mm-dd-yy>] Use this command to set the system date.

config system [time <hh:mm:ss>] Use this command to set the system time.

config system timezone <UTC | UTC+hh:mm | UTC-hh:mm> Use this command to set the system’s timezone as
an offset from coordinated universal time (UTC). The
timezone is used to convert the UTC time received
from an SNTP server to local time.

config system dst <1 | 0> Use this command to enable/disable the use of
automatic daylight savings time adjustments.
NOTE: You can only enable this option if you have
specified onset and offset values for Daylight
Savings Time. In addition, the option is only
functional if SNTP is enabled and there is a valid
connection to an SNTP server.

config system [dst_onset <mm-dd-hh:mm>] Specifies the date and time at which Daylight
Savings Time begins.
NOTE: DST starts and ends on a different day every
year – be sure to set this option correspondingly at
the start of every year.

config system [dst_offset <mm-dd-hh:mm>] Specifies the date and time at which Daylight
Savings Time ends.
NOTE: DST starts and ends on a different day every
year – be sure to set this option correspondingly at
the start of every year.

config system [rootdis <1 | 0>] Use this command to disable the root account. This
is handy if you suspect that the root account has
been compromised.
NOTE: This command is disabled if no super user other
than the root user has been defined.

config system [sntp <1 | 0>] Use this command to enable/disable the use of the
SNTP server specified with the config sntp_server
command for time synchronization.
See Configuring GigaVUE-420 Time Options on
page 99 for details on using an SNTP server.

config system [ssh2 <1 | 0>] Use this command to toggle the supported protocol
for remote connections to the GigaVUE-420’s Mgmt
port between Telnet and SSH2. When SSH2 is
enabled, Telnet is disabled and vice-versa.
See SSH2 vs. Telnet on page 86 for details.

config system hostkey <dss | rsa> [<768~2048> (bits)] Use this command to change the default host keys
provided with GigaVUE-420. Acceptable bit values
for the host keys are multiples of 8 between 768 -
2048 (for example, 768, 776, 784, and so on). If you
do not specify a key length, GigaVUE-420 defaults
to 1024 bits.
See Changing Public Host Keys on page 89 for
details.

config system [console_baud <9600 | 14400 | 19200 | 38400 | 57600 | 115200>] Use this command to change the baud rate setting of
the Console port. The default is 115200.

config system [console_width <32~1024>] (characters) Use this command to specify the width (in
characters) of the serial port’s CLI display. Use this
together with the width setting for your terminal
software to optimize line wrapping.

config system [mgmt_port <autoneg | duplex | speed | mtu>]
autoneg <1 | 0>
duplex <half | full>
speed <100 | 10>
mtu <320~1518>
Use these commands to configure the GigaVUE-420 Mgmt port’s
autonegotiation, duplex, speed, and MTU settings.
By default, autonegotiation is enabled and MTU is set to 1518 bytes
(the largest standard Ethernet packet size). With autonegotiation
enabled, the Mgmt port will configure its duplex and speed settings
to whatever it is able to negotiate with the connected port.
NOTE: GigaVUE-420’s Mgmt port supports RFC
1191 Path MTU Discovery and can automatically
decrease its MTU if it receives an
ICMP_Needs_Fragmentation packet.
NOTE: Per the 802.3 specification, autonegotiation
is mandatory for 1 Gb speeds over copper
(1000BASE-T).

config system [remote_timeout <x>] Specifies how long GigaVUE-420 will wait before
timing out an inactive SSH2/Telnet session.
Valid values range from 10 to 86400 seconds. The
default is 300 seconds.

config system [dhcp_timeout <x>] Specifies how long GigaVUE-420 will wait for a
response from a DHCP server before timing out the
attempt and reporting a failure.
Valid values are 4, 10, 30, 60, or 100 seconds. The
default is 10.

config system [dhcp <1|0>] [ipaddr <xxx.xxx.xxx.xxx>] [subnetmask <xxx.xxx.xxx.xxx>]
Set up the network properties for the Mgmt port:
• dhcp specifies whether GigaVUE-420 will obtain
an IP address for its Mgmt port from a DHCP
server (1) or use a static address (0). If you set
dhcp to 1, do not supply values for ipaddr,
subnetmask, or gateway.
NOTE: If you enable DHCP, you can also use the
config system dhcp_timeout <4 | 10 | 30 | 60 |
100> command to specify the number of seconds
GigaVUE-420 will wait for a response from a
DHCP server after querying for an address.
• ipaddr specifies the static IP address to use.
• subnetmask specifies the subnet mask to be
used for the IP address.
The system must reboot to apply changes to the
dhcp setting.

config system [ipv6 <1 | 0>] Specifies whether IPv6 is enabled for the
GigaVUE-420 Mgmt port. When IPv6 is enabled,
GigaVUE-420 will operate with support for both IPv4
and IPv6. You can use IPv6 addresses for SSH2,
Telnet, TACACS+, RADIUS, SNTP, and TFTP
applications.
See Configuring IPv6 Network Properties on
page 83.

config system [gateway <xxx.xxx.xxx.xxx>] Specifies the default gateway to which
GigaVUE-420’s Mgmt port should direct its traffic. It
is not required.

config system [bid <1~10>] Specifies the local GigaVUE-420’s Box ID. The Box
ID is used when creating cross-box stacks.

config system [x1_bid <bid-list>] Specifies the Box IDs of the GigaVUE-420 systems
accessible from the local box’s x1 port when used as
a stacking port.

config system [x2_bid <bid-list>] Specifies the Box IDs of the GigaVUE-420 systems
accessible from the local box’s x2 port when used as
a stacking port.

config system [active_link <x1 | x2 | both | none>] Activates the x1 and/or x2 stacking ports on a
GigaVUE-420 system. You must activate the 10 Gb
ports you plan to use as stacking ports.

config system [lock-level <none | medium | high >] Sets the lock-level in force on the GigaVUE-420 to
none, medium, or high. In general, as the lock-level
increases, normal users have fewer rights on the
box, except for those ports to which they have been
assigned ownership using the config port-owner
command.
• When lock-level = none, normal users have
access to all network and tool ports.
• When lock-level = medium, normal users have
access to all network ports. However, they can
only set up connections, filters, and maps for tool
ports they own. Super users can assign port
ownership to normal users using the config
port-owner command.
• When lock-level = high, normal users can only
configure connections, filters, and maps for
network and tool ports they own.
NOTE: Appendix C, Lock-Level Reference provides
full details on the different policies in place at each
lock-level.

config system [aaa <serial | ethernet> < tacacs+ | local>] Specifies how users will be authenticated on both
the Ethernet (SSH2/Telnet) and Console (serial)
port.

<serial | ethernet>
Specifies which GigaVUE-420 port you are
configuring authentication for:
• serial – Console port.
• ethernet – Mgmt port.

<tacacs+ | radius | local>
Specifies which authentication methods should be
used for the specified port and the order in which
they should be used.
You can enable all authentication methods for either
port. If you enable more than one method,
GigaVUE-420 uses the methods in the same order
in which they are specified, falling back as
necessary. If the first method fails, it will fall back to
the secondary method, and so on.
If you enable radius or tacacs+, you must also:
• Configure the RADIUS or TACACS+ server using
the corresponding config rad_server or config
tac_server command.
• Set up GigaVUE-420 users within the RADIUS/
TACACS+ server itself.
These two steps are described in Using
GigaVUE-420 with an External Authentication
Server on page 148.
NOTE: GigaVUE-420 always preserves local
authentication for the Console (serial) port to prevent
accidental lockouts.

config system [log-level <critical | error | info | Specifies the log-level in force on the GigaVUE-420.
verbose>] The log-level with the least logging is critical – only
critical errors are written to the log file. In contrast,
the log-level with the most logging is verbose – all
events are written to the log file.
See Configuring Logging on page 185 for details on
working with the GigaVUE-420’s logging features.

config tac_server command
Use the config tac_server command to identify TACACS+ servers
used for authentication. The arguments are described below. See
Using GigaVUE-420 with an External Authentication Server on page 148
for details on using GigaVUE-420 with a TACACS+ server.

The syntax for the config tac_server command is as follows:


config tac_server host <ipaddr>
key "string"
[port <value>]
[timeout <1~90>] (seconds)
[single_connection <1 | 0>]
[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
[alias <alias-string>]

The table below describes the arguments for the config tac_server
command:

Argument Description
host <ipaddr> Specifies the IP address of the TACACS+ server.

key "string" Specifies a string to be used for encryption of authentication packets
sent between GigaVUE-420 and the TACACS+ server.
An empty key string (“”) indicates that no key will be used. Without a
key, there will be no encryption of the packets between the TACACS+
server and the GigaVUE-420 system.

[port <value>] Specifies the port to be used on the TACACS+ server. If you do not
specify a value, GigaVUE-420 will default to the standard TACACS+
port number of 49.

[timeout <1~90>] (seconds) Specifies how long GigaVUE-420 should wait for a response from the
TACACS+ server to an authentication request before declaring a
timeout failure. The default value is three seconds.

[single_connection <1 | 0>] Specifies whether GigaVUE-420 should use the same connection for
multiple TACACS+ transactions (authentication, accounting, and so
on), or open a new connection for each transaction:
• 1 – TACACS+ transactions will use the same session with the
server. The socket will remain open after it is first opened.
• 0 – Each TACACS+ transaction opens a new socket. The socket is
closed when the session is done.
The default is disabled (0).

[priv_lvl_check <1 | 0>]
[super_priv_lvl <2~15>]
[normal_priv_lvl <1~14>]
[audit_priv_lvl <0~13>]
These options specify how privilege level checks are performed for
TACACS+ servers.
• priv_lvl_check specifies how GigaVUE-420 should assign user
rights for TACACS+ users.
• If this option is enabled (the default), the three _priv_lvl options
below it are used to map privilege levels for the corresponding
user types (Audit, Normal, and Super).
• If this option is not enabled, all TACACS+ users log in with
Super user rights.
• super_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Super user level when priv_lvl_check
is enabled.
• normal_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Normal user level when priv_lvl_check
is enabled.
• audit_priv_lvl specifies the TACACS+ privilege level that will be
mapped to GigaVUE-420’s Audit user level when priv_lvl_check
is enabled.
NOTE: If no values are specified for the three _priv_lvl options and
privilege level checks are enabled, GigaVUE-420 uses 0, 1, and 2
(Audit, Normal, and Super, respectively).
NOTE: GigaVUE-420 will not let you enter out-of-order privilege
levels. The value specified for super must be higher than that
specified for normal, and so on.

[alias <alias-string>] Specifies an alphanumeric alias for this TACACS+ server to be used in
show tac_server displays.
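
The config rad_server and config tac_server arguments described above can be checked before a change is applied. The following is an added example, not part of the GigaVUE-420 guide or its software: it parses command lines written in the documented syntax and reports the conditions the tables call out (empty key, priv_lvl_check disabled, out-of-range values, out-of-order privilege levels). The function names and sample lines are constructed, and it assumes that a _priv_lvl option left out keeps its default of 0, 1, or 2.

```python
import shlex

# Arguments, ranges and defaults taken from the two argument tables above.
COMMON = {"host", "key", "timeout", "priv_lvl_check", "super_priv_lvl",
          "normal_priv_lvl", "audit_priv_lvl", "alias"}
ALLOWED = {
    "rad_server": COMMON | {"authen_port", "account_port", "max_tries"},
    "tac_server": COMMON | {"port", "single_connection"},
}
DEFAULTS = {
    "rad_server": {"authen_port": 1812, "account_port": 1813, "timeout": 3,
                   "max_tries": 3, "priv_lvl_check": 1},
    "tac_server": {"port": 49, "timeout": 3, "single_connection": 0,
                   "priv_lvl_check": 1},
}
RANGES = {
    "authen_port": (1, 65535), "account_port": (1, 65535), "timeout": (1, 90),
    "max_tries": (1, 10), "priv_lvl_check": (0, 1), "single_connection": (0, 1),
    "super_priv_lvl": (2, 15), "normal_priv_lvl": (1, 14),
    "audit_priv_lvl": (0, 13),
}
# Levels used when priv_lvl_check is on and no _priv_lvl option is given.
PRIV_DEFAULTS = {"audit_priv_lvl": 0, "normal_priv_lvl": 1, "super_priv_lvl": 2}
TEXT_ARGS = {"host", "key", "alias"}


def parse_server_command(line):
    """Split one 'config rad_server|tac_server ...' line into (kind, args)."""
    tokens = shlex.split(line)  # keeps key "" as an empty string
    if len(tokens) < 2 or tokens[0] != "config" or tokens[1] not in ALLOWED:
        raise ValueError("not a rad_server/tac_server command: %r" % line)
    rest = tokens[2:]
    if len(rest) % 2:
        raise ValueError("argument without a value in: %r" % line)
    return tokens[1], dict(zip(rest[0::2], rest[1::2]))


def audit_server_command(line):
    """Return (effective_settings, findings) for one command line."""
    kind, given = parse_server_command(line)
    findings = []
    effective = dict(DEFAULTS[kind])
    for name in sorted(set(given) - ALLOWED[kind]):
        findings.append("unknown argument for %s: %s" % (kind, name))
    for name in ("host", "key"):
        if name not in given:
            findings.append("missing required argument: " + name)
    for name, value in given.items():
        if name not in ALLOWED[kind]:
            continue
        if name in TEXT_ARGS:
            effective[name] = value
            continue
        if not value.isdigit():
            findings.append("%s must be a number, got %r" % (name, value))
            continue
        effective[name] = int(value)
        low, high = RANGES.get(name, (None, None))
        if low is not None and not low <= int(value) <= high:
            findings.append("%s=%s outside %d~%d" % (name, value, low, high))
    if given.get("key") == "":
        findings.append("empty key: packets to this server are not encrypted")
    if effective["priv_lvl_check"] == 0:
        findings.append("priv_lvl_check off: every user from this server "
                        "logs in with Super user rights")
    else:
        # Assumption: an option left out keeps its default (0, 1 or 2).
        for name, default in PRIV_DEFAULTS.items():
            effective.setdefault(name, default)
        if not (effective["audit_priv_lvl"] < effective["normal_priv_lvl"]
                < effective["super_priv_lvl"]):
            findings.append("privilege levels out of order: need "
                            "audit < normal < super")
    return effective, findings


# Constructed sample lines (documentation addresses, placeholder keys).
SAMPLE_LINES = [
    'config rad_server host 192.0.2.10 key "" priv_lvl_check 0',
    'config tac_server host 192.0.2.20 key "EXAMPLE-KEY" super_priv_lvl 10 '
    'normal_priv_lvl 12 audit_priv_lvl 3',
    'config rad_server host 192.0.2.11 key "EXAMPLE-KEY" timeout 120',
    'config tac_server host 192.0.2.21 key "EXAMPLE-KEY" super_priv_lvl 15 '
    'normal_priv_lvl 7 audit_priv_lvl 1 alias tac1',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        settings, problems = audit_server_command(sample)
        print(sample)
        for problem in problems or ["ok"]:
            print("   -", problem)
```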

config uda command
You use the config uda command to specify the two global offsets to
be used for user-defined pattern matches. This command has the
following syntax:

config uda [uda1_offset <2~110>] [uda2_offset <2~110>]

GigaVUE-420 accepts offsets at four-byte boundaries ranging from
byte 2 to byte 110. This means that there are 27 valid offset positions
ranging from 0x01 (an offset of 2 bytes) to 0x6d (an offset of 110
bytes). Offsets are always frame-relative, not data-relative.

In many cases, you will be looking for patterns that do not start
exactly on a four-byte boundary. To search in these positions, you
would set an offset at the nearest four-byte boundary and adjust the
pattern and mask accordingly.

See Working with User-Defined Pattern Match Filters on page 237 for
details on how to set up user-defined pattern match filters/
map-rules.
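
The boundary adjustment described above, worked through for a TCP destination port at frame byte 36, which does not fall on one of the accepted offsets. This is an added example, not code from the GigaVUE-420 guide. It assumes offsets count bytes from the start of the frame beginning at 0, that one pattern compares 16 bytes, and that only bits set in the mask are compared; the function names and the sample frame are constructed.

```python
UDA_MIN, UDA_MAX, UDA_STEP = 2, 110, 4  # offset range and spacing from the text
WINDOW = 16  # assumption: number of bytes one user-defined pattern compares


def align_pattern(field_offset, field_bytes, window=WINDOW):
    """Place a field that starts at any frame-relative byte offset into a
    pattern/mask pair anchored at an accepted four-byte-boundary offset."""
    if field_offset < UDA_MIN:
        raise ValueError("bytes before offset %d cannot be matched" % UDA_MIN)
    # Nearest accepted boundary at or before the field, capped at the last one.
    boundary = min(field_offset - (field_offset - UDA_MIN) % UDA_STEP, UDA_MAX)
    shift = field_offset - boundary
    tail = window - shift - len(field_bytes)
    if tail < 0:
        raise ValueError("field does not fit in a %d-byte window at offset %d"
                         % (window, boundary))
    # Bytes before and after the field are "don't care": zero pattern, zero mask.
    pattern = bytes(shift) + bytes(field_bytes) + bytes(tail)
    mask = bytes(shift) + b"\xff" * len(field_bytes) + bytes(tail)
    return boundary, pattern, mask


def matches(frame, offset, pattern, mask):
    """Software model of the comparison (assumed): only mask bits are checked."""
    window = frame[offset:offset + len(pattern)]
    if len(window) < len(pattern):
        return False
    return all((f & m) == (p & m) for f, p, m in zip(window, pattern, mask))


def uda_command(boundary, slot=1):
    """Render the config uda line from the syntax above for offset 1 or 2."""
    return "config uda uda%d_offset %d" % (slot, boundary)


def build_frame(dst_port):
    """Constructed untagged Ethernet/IPv4/TCP frame (headers only)."""
    ethernet = bytes(12) + b"\x08\x00"
    ipv4 = bytes.fromhex("450000280000400040060000c0000201c0000202")
    tcp = b"\xc0\x00" + dst_port.to_bytes(2, "big") + bytes(16)
    return ethernet + ipv4 + tcp


TCP_DST_PORT_OFFSET = 14 + 20 + 2  # byte 36: between boundaries 34 and 38

if __name__ == "__main__":
    offset, pattern, mask = align_pattern(TCP_DST_PORT_OFFSET, b"\x01\xbb")
    print(uda_command(offset))
    print("pattern", pattern.hex(), "mask", mask.hex())
    print("port 443:", matches(build_frame(443), offset, pattern, mask))
    print("port 80: ", matches(build_frame(80), offset, pattern, mask))
```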

config user command
Use the config user command to create user accounts. Name strings
have a maximum of 30 alphanumeric characters.

The config user command has the following syntax:


config user <name-string> <password> <password-again>
[level <audit | normal | super>]
[description "string"]

The table below describes the arguments for the config user
command:

Argument Description
<name-string> The name used for this user account. Names must consist of 5-30
alphanumeric characters.
NOTE: You can create a maximum of 40 user accounts on the
GigaVUE-420 box. A maximum of 20 users can be logged into the
GigaVUE-420 unit simultaneously.

<password> <password-again> The password for this user account.
Acceptable passwords contain between 6 and 30 alphanumeric characters. At
least one of the characters must be a numeral.

level <audit | normal | super> Specifies the account privileges for this user account. There are three
types of user accounts ranging from the most privileges to the least –
super, normal, and audit.
• Super users have access to all ports on the box regardless of the
lock-level in place. They can also perform all configuration commands.
• Normal users have access to different ports depending on the
lock-level in place. They cannot perform system configuration
commands.
• When lock-level = none, normal users have access to all network
and tool ports.
• When lock-level = medium, normal users have access to all
network ports. However, they can only set up connections, filters,
and maps for tool ports they own. Super users can assign port
ownership to normal users using the config port-owner command.
• When lock-level = high, normal users can only configure
connections, filters, and maps for network and tool ports they own.
NOTE: Appendix C, Lock-Level Reference provides full details on the
different policies in place at each lock-level.
• Audit users do not have access to any ports. Their access consists
mainly of the ability to use the show command to see what basic
settings are in place on the box.

description “string” The description string may contain spaces and other characters, but must
be contained in quotation marks (for example, “IT User”). A description
string can contain a maximum of 125 alphanumeric characters.
Description strings appear in the CLI display when performing a show
user command.

config xbconnect command


Use this command to create cross-box connections between network
and tool ports on different boxes. All well-formed packets (subject to
filtering) appearing on the network port(s) will be forwarded to the
tool port(s).
config xbconnect <bid-pid_list> to <bid-pid_list> alias <string>

A unique alias is required for each instance of this command. All
xbconnect commands must be applied in exactly the same way on all
stacked systems.

config xbmap command
You use the config xbmap command to create a cross-box map
container to hold map-rules that send traffic to cross-box
destinations. You will eventually bind the container to one or more
network ports using the config xbmapping command.

When you create the map container, you must supply the following
information:
• Whether the map is a single-tool map or a multi-tool map (see
Single-Tool Maps vs. Multi-Tool Maps on page 267 for details).
• The name (alias) of the map

The config xbmap command has the following syntax:


config xbmap type [st | mt] alias <string>

The table below lists and describes the arguments for this command:

Argument Description

type [mt | st]
  Specifies whether the map is a multi-tool (mt) or single-tool (st) map.
  See Single-Tool Maps vs. Multi-Tool Maps on page 267 for more
  information.

alias
  Creates a textual alias for this map. Aliases can consist of a maximum
  of 30 alphanumeric characters. You can also use hyphens (-) and the
  underscore (_) character.

config xbmapping command
The config xbmapping command binds a cross-box map to one or
more network ports (up to 40 network ports). You can bind cross-box
maps to a single port or a list of ports. The syntax is as follows:
config xbmapping net <bid-pid_list> map <map-alias>

• The net argument specifies the network ports to which the map is
bound.
• The map argument specifies the name of the map you are
binding.

config xbport-filter command


Use this command to apply specified filter(s) to a cross-box port. The
syntax is as follows:
config xbport-filter <bid-pid> <filter-alias | fid-list>

delete commands
You use delete commands to delete various configured entities on the
GigaVUE-420. Delete commands are always available to super users,
regardless of the lock-level in place. Normal users have varying
access to delete commands depending on the lock-level. See
Appendix C, Lock-Level Reference for details.

The table below summarizes the items you can delete:

Delete Commands Description

delete all
  This command erases all configured values for connections, maps,
  filters, and port-types. However, it retains system and user account
  definitions. Also, port-alias and prompt settings are NOT deleted. A
  confirmation prompt will appear when you use this command.

delete connect [all | <port-alias | pid-list | pid-x..pid-y> to <port-alias | pid-list | pid-x..pid-y>]
  Deletes the specified connections.

delete file [filename]
  Deletes the specified configuration file(s).

delete filter [all | filter-alias | fid-list]
  Deletes the specified filters. You cannot delete filters that are
  currently bound to a port.

delete log [filename]
  Deletes the specified log file.

delete pass-all [all | <port-alias | pid-list | pid-x..pid-y> to all | <port-alias | pid-list | pid-x..pid-y>]
  Deletes the specified pass-alls.

delete port-alias [all | port-alias | pid-list]
  Deletes a port’s alias.

delete port-pair [all | port-pair-alias]
  Deletes a port-pairing, disabling packet repeating between the ports.

delete port-filter [all | <port-alias | pid> [all | filter-alias | fid-list]
  Removes filters from ports. If a filter is bound to more than one port,
  you can remove it selectively from only one of the ports to which it is
  bound.

delete port-owner [all | <port-alias | pid-list | pid-x..pid-y> owner <user-name>]
  Removes a particular owner's port-ownership of one or more ports.

delete map [all | map-alias]
  Deletes one or more maps entirely. You can delete maps that are
  currently bound to network ports.

delete mapping [all | map-alias]
  Deletes a mapping between a map and network ports.

delete map-rule <map-alias> [tool <port-id-list> | rule <rule-id-list>]
  Deletes a map-rule from a map. Delete one or more rules by tool port or
  rule id.

delete rad_server [all | server-alias | server-id]
  Deletes the specified RADIUS servers.

delete snmp_trap [all | host-alias-list | host-id-list]
  Deletes the specified SNMP trap destination(s).

delete sntp_server [all | server-alias | server-id]
  Deletes the specified SNTP server(s).

delete stack_info
  Resets the values for the bid, x1_bid, back_bid, and active_link options
  to their default values. Note that this will affect all existing
  xbconnections, xbport-filters, and xbmaps. You must restart the system
  after using this command.

delete syslog_server
  Deletes the active syslog server. The GigaVUE-420 allows a maximum of
  one syslog server. You must delete the existing syslog server before you
  can add a new one using the config syslog_server command.

delete tac_server [all | server-alias | server-id]
  Deletes a configured TACACS+ server.

delete user [all | user-name-list]
  Deletes a user account. The factory default super user “root” is not
  deletable, but its password (root123) can be changed by a super user or
  the root user.

delete xbconnect [all | xbconnect-alias-list]
  Deletes the specified cross-box connections.

delete xbmap [all | xbmap-alias-list]
  Deletes a cross-box map on the local box or the cross-box map reference
  to a map on a remote box.

delete xbport-filter [all | <bid-pid> [all | filter-alias | fid-list]]
  Deletes the reference to a filter on a remote box.

exit command
Use this command to exit the current CLI session.

help command
Provides online help. Note that the GigaVUE-420 CLI provides a
variety of different types of online help. See Getting Help in the
Command Line Interface on page 91 for details.

history command
Use the history command to display the last 50 commands you’ve
issued during the current session.

After issuing the history command, you can repeat any of the
commands by typing !<command number>. For example, to repeat
command number 6 in the list, you would type !6 and press Enter.
This makes it easy to reuse a command that you’ve already entered in
the CLI.

The history command is particularly useful when trying to construct
complex map-rules or filters (long commands with exact syntax).
Occasionally, you may try to construct a complex map-rule before its
destination port is set up as a tool port, causing GigaVUE to reject the
rule. In a case like this, you could configure the destination port as a
tool port and then use the history command to reuse the previously
rejected config map-rule command. With the destination port
properly configured as a tool port, GigaVUE will no longer reject the
rule.

install commands
Super users can use the install command to install new GigaVUE or
redboot images, new config files, and a customizable text banner file.
The commands are summarized in the table below:

install command Description

install image_name TFTP-server-ipaddr
  Installs a new GigaVUE-420 software image. For example, to install the
  GigaVUE-420 4.0 installation file named gv.bin.4.0.xx from a TFTP server
  running on IP address 192.168.1.102, you would use the following
  command:
    install gv.bin.4.0.xx 192.168.1.102
  The system will erase the existing image and install the new one. Wait
  for this process to complete. The system will inform you that the image
  was installed successfully. When the system prompt reappears, reset the
  system with the reset system command.

install -ban banner_file.txt TFTP-server-ipaddr
  Uploads the banner_file.txt file from the specified TFTP server. For
  example:
    install -ban banner_file.txt 192.168.254.5
  Once banner_file.txt has been uploaded using this command, its contents
  can be displayed as a banner when a user logs in with the following
  command:
    config system banner 1
  See Using a Custom Login Banner on page 102 for details on how to set up
  a custom banner.

install -cfg config_file.cfg TFTP-server-ipaddr
  You can use this option to download a new configuration file for the
  GigaVUE-420 from a TFTP server. GigaVUE-420 can store up to five
  configuration files in flash. If you want to use more than five
  configuration files, you can upload/download the files to/from a TFTP
  server. For example:
    install -cfg gigavue.cfg 192.168.254.5

install [-rb] redboot_image_name TFTP-server-ipaddr
  The -rb option is used to install a new redboot image. For example:
    install -rb rbgvs420_1.bin 192.168.254.5

See Chapter 2, Updating the GigaVUE-420 for details on using the
install command to update the GigaVUE-420.

logout command
All users can use this command to log out from the current CLI
session. Super users can also use this command to log out a lower
level user. The syntax is as follows:
logout [user <name-string>]

This command works differently for local and RADIUS/TACACS+
users:
• Local users can only log out other local users.
• RADIUS/TACACS+ users can only log out other RADIUS/TACACS+ users.

As always, a user must have sufficient account privileges to log out
another user.

reset commands
Super users can use reset commands to reset either port statistics or
the system configuration. The commands are summarized in the
table below:

Reset Command Description

reset port-stats [all | port-alias | pid-list]
  Resets MAC layer packet statistics for the specified ports to zero.

reset system [factory-default]
  You can use the reset command without any arguments to reboot the
  system.
  If you use the reset system factory-default command, all settings are
  returned to their factory defaults. Connections, filters, maps,
  map-rules, port-params, port-types, and system settings are all erased.

show commands
You use show commands to display the currently configured
parameters of various GigaVUE-420 options.

With the exception of the show diag command, show commands are
available to all users regardless of the lock-level in force on the box.
The show diag command is never available to normal users, but is
always available to audit and super users. See Appendix C, Lock-Level
Reference for details.

The table below lists and describes the available show commands.

Show Commands Description

show connect [network | tool]
  Displays connection circuits sorted by network or tool ports, whichever
  is specified. Shows port-type and alias for all ports, filter
  assignments by port, port-pairs and port-pair aliases.

show diag
  Displays all system configuration information for the GigaVUE-420. You
  can save this information to a file to ease field data collection for
  troubleshooting.

show file [filename]
  Displays information on configuration files currently stored on the
  GigaVUE-420:
  • If you use the command without a filename, GigaVUE-420 returns a
    summary of all configuration files stored on the unit, including the
    status of nb flags, last restored, and so on.
  • If you use the command with a filename, GigaVUE-420 returns a detailed
    printout of the configuration information stored in the specified
    file.

show filter [all | filter-alias | fid-list] | [group <apport|dscp|ethertype|ip6fl|ipaddr|ipfrag|mac|multi|uda|protocol|tos|vlan|ttl|tcpctl>]
  Displays configured filters with full descriptions and which ports they
  are applied to, if any. Filters can be displayed as a group of filter
  types using the available arguments.

show hostkeys
  Shows the DSS and RSA Public Keys installed on the GigaVUE-420.

show log [logfile] [pri <verbose | info | error | fatal>] [type <system | periodic | stack | userif | notif | login>] [start <mm-dd-yy>] [end <mm-dd-yy>] [delim] [tail <1..255>]
  You use the show log command to view:
  • A list of available log files (when used with no logfile specified).
  • A specified log file’s contents (when used with a specified logfile).
  Use the type, start/end, and tail arguments to specify which logfile
  events are displayed.
  Use the delim argument if you would like events displayed in comma
  delimited format for export to a spreadsheet.
  See Viewing Log Files on page 190 for details on these arguments.

show map-rule [all | map-alias]
  Shows the map rule(s) of a specified map or list of maps.

show port-filter [all | port-alias | pid-list | pid-x..pid-y]
  Shows the active filters by port.

show port-params [all | port-alias | pid-list | pid-x..pid-y]
  Shows the status of the specified port(s), including network or tool
  port-type, link up or down, half or full duplex, speed, MTU size, and
  autonegotiation settings.
  Changes to port parameter values will not appear if the port link state
  is down. However, changes will go into effect once the port is up.

show port-stats [all | port-alias | pid-list | pid-x..pid-y | full]
  Shows the MAC layer packet statistics for the specified ports. The
  default is to display a condensed list of statistics. However, an
  optional full list of statistics is available.
  See Appendix D, Port Statistics Counters for a description of the port
  statistics.

show port-owner [all | port-alias | pid-list | pid-x..pid-y] [owner <user-name-list>]
  Displays the port-owners configured by super users. You can display all
  port-owners, the port-owners for a particular set of ports, or all ports
  owned by a specific set of users.

show rad_server
  Shows the settings for all currently configured RADIUS servers, in the
  order they were configured. RADIUS servers are used in the same order
  they are specified in case fallback authentication is needed. You can
  specify as many as five.

show snmp
  Displays the current config snmp_server and config snmp_trap settings in
  place on the unit.

show sntp_server
  Displays the current config sntp_server settings in place on the unit.

show syslog_server
  Displays the current config syslog_server settings in place on the unit.

show system
  Shows the current config system settings in place on the box, including
  name, description, version, date, time, and DHCP/IP address settings.

show symbols
  Provides a description of the symbols used in the GigaVUE-420 CLI. Use
  this information to interpret the CLI displays.

show tac_server
  Shows the settings for all currently configured TACACS+ servers, in the
  order they were configured. TACACS+ servers are used in the same order
  they are specified in case fallback authentication is needed. You can
  specify as many as five.

show uda
  Shows the two global offsets currently configured for UDA user-defined
  pattern match filters/map-rules.
  See Working with User-Defined Pattern Match Filters on page 237 for
  details.

show user [all | audit | normal | super]
  Shows the user accounts at or below your level for this system.
  NOTE: This command works differently for local and TACACS+ users. See
  Differences in Commands for External and Local Users on page 164 for
  details.

show whoison
  Shows the users currently logged into the system.
  NOTE: This command works differently for local and TACACS+ users. See
  Differences in Commands for External and Local Users on page 164 for
  details.

upload command
Use the upload command to transfer a configuration file or log file to
a TFTP server.

GigaVUE-420 can store up to five configuration files in flash. You can
use the upload and install commands to move configuration files on
and off a TFTP server for additional storage.

You can also use the upload command to transfer a log file off the
GigaVUE-420 for use in troubleshooting.

The upload command has the following syntax:


upload [-cfg] config_filename TFTP-server-ipaddr
upload [-log] log_filename TFTP-server-ipaddr

Appendix B

CLI Parameter Limits

This section provides information on supported configurations for
GigaVUE-420, including:
• Supported ranges and default values for each of the parameters in
the GigaVUE-420 command line interface.
• Supported stacking configurations
• Supported configurations for 10 Gb ports

Details are provided in the table below.


NOTE: Default values are indicated in bold in the table below.

Parameter: Value in GigaVUE-420 v4.0.xx

Maximum Characters per line in CLI: 1024

System Parameters

system name (maximum alphanumeric characters): 30

system description (maximum alphanumeric characters): 125

system prompt (maximum alphanumeric characters): 20

remote_timeout: 10 - 86400. Default is 300.

dhcp timeout: 4 10 30 60 100

dhcp ipaddr subnetmask: x.x.x.x format

console_baud: 9600 11400 19200 38400 57600 115200

console_width: 32 - 1024. Default is 80.

lock-levels: none med high

Maximum number of TACACS+ Servers per GigaVUE-420 Unit: 5

Maximum number of RADIUS Servers per GigaVUE-420 Unit: 5

Maximum number of SNMP Trap Destinations per GigaVUE-420 Unit: 5

Maximum number of SNTP Servers per GigaVUE-420 Unit: 3

Supported Configurations for 10 Gb Ports (Stack, Network, Tool)

x1: Stack, Tool, or Network

x2: Stack, Tool, or Network

x3: Tool or Network

x4: Tool or Network

active_link: x1, x2, both, or none

Supported Configurations for Cross-Box Stacks

Maximum number of boxes in a cross-box stack: 10

Maximum number of neighbors in a cross-box stack: 9

Maximum number of ports per owner in a cross-box stack: 222

User Parameters

Maximum number of users per box: 40. Of these 40 user accounts, a maximum
of 20 (Telnet) or 10 (SSH2) can be logged into the GigaVUE-420 unit
simultaneously.

user name (maximum alphanumeric characters): 30

password (minimum and maximum alphanumeric characters): 6 - 30

user levels: audit (au), normal (nu), super (su)

user description (maximum alphanumeric characters): 60

Filter Parameters

AND filtering: Parameters in a single filter are joined with a logical AND.

OR filtering: Multiple filters are joined with a logical OR.

Maximum parameters per filter entry: 7

Maximum filters per network port (1 Gb or 10 Gb): 120

Maximum filters per tool port (1 Gb or 10 Gb): 100 (see the next line; if
you have 100 tool port filters on a single port, you cannot have any other
ports with tool port filters).

Maximum filters bound to tool ports per box (tool port-filters): 100

Maximum tool ports with filters bound: 23

Maximum number of filter entries in database: 4,000

Maximum network port filters and single-tool map-rules bound per box: 2048

vlan filter range: 1 - 4094. Can also specify odd or even.

port filter range: 0 - 65,535. Can also specify odd or even.

Maximum Connections – Single-Box Configurations

Maximum number of connections per 1 Gb port: 23

Maximum number of connections per 10 Gb port: 23

Maximums for xbconnections

Maximum number of cross-box connections per 1 Gb port: 20

Maximum number of cross-box connections per 10 Gb port: 20

Maximum number of network ports per cross-box command: 40

Maximum number of tool ports per cross-box command: 40

Map Parameters – Single-Box Maps

Maximum number of parameter ranges per map-rule: 1

map alias (maximum alphanumeric characters): 30

Maximum number of local maps per box (single-tool and multi-tool combined): 10

Maximum map-rules per map: 120

Maximum parameters per map-rule: 7

Maximum network ports per mapping: 20

Maximum tool ports per map-rule: 10

Maximum tool ports per map: 23

Maximum multi-tool map-rules bound per box: 512

Maximum network port filters and single-tool map-rules bound per box: 2048

Minimum/Maximum tool ports per multi-tool map rule: 1 (minimum), 10 (maximum)

Maximum collector destinations per map-rule: 1 only

Map Parameters – Cross-Box Maps

Maximum number of parameter ranges per map-rule: 1

xbmap alias (maximum alphanumeric characters): 30

Maximum number of cross-box maps per box: 20 (10 single-tool cross-box maps
and 10 multi-tool cross-box maps)

Maximum map-rules per cross-box map: 120

Maximum parameters per map-rule: 7

Maximum network ports per cross-box mapping: 40

Maximum tool ports per cross-box map: 221

Minimum/Maximum tool ports per multi-tool map-rule: 1, 10

Maximum collector destinations per map-rule: 1 only

Port Parameters

mtu size range: 1518 - 9600

port-alias (maximum alphanumeric characters): 30

port-pair alias (maximum alphanumeric characters): 30

Maximum port-owners per box: 40

Maximum number of ports a normal user can own: 24

SSH2/Telnet Parameters

Maximum number of simultaneous Telnet sessions to one box: 20 (in addition
to one serial connection)

Maximum number of simultaneous SSH2 sessions to one box: 10 (in addition to
one serial connection)

Appendix C

Lock-Level Reference

This chapter summarizes the various options available to different
user account types depending on the current lock-level in place on
the GigaVUE-420 box. Commands are listed in the following sections:
• About Lock-Levels and Port Ownership
• Abbreviations in this Section
• Login Command
• Show Commands
• Delete Commands
• Config Commands
• Install Command
• Reset Commands

About Lock-Levels and Port Ownership


The lock-level in force on the GigaVUE-420 can be none, medium, or
high. In general, as the lock-level increases, audit and normal users
have fewer rights on the box, except for those ports to which they
have been assigned ownership:

• When lock-level = none, normal users have access to all network
and tool ports.
• When lock-level = medium, normal users have access to all
network ports. However, they can only set up connections, filters,
and maps for tool ports they own.
• When lock-level = high, normal users can only configure
connections, filters, and maps for network and tool ports they
own.

Chapter 8, Configuring GigaVUE-420 Security Options describes how
to set up lock-levels and port ownership. This chapter provides the
details on who can do what at each of the supported lock-levels.
NOTE: This chapter doesn’t provide details on how to use CLI
commands. For that information, see Appendix A, Command Line
Reference or the corresponding sections in the rest of this document.
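
The lock-level rules above reduce to a small decision function. The following Python model is an added example, not Gigamon code and not part of the original guide: it encodes only the rules stated in this section, and the Box structure, user names, port ids and ownership entries are constructed for illustration. It also reports which ports each normal user would lose if the lock-level were raised, and which ports would be left configurable by super users only.

```python
"""Lock-level and port-ownership rules from this guide, as a decision model.

Added example: every user name, port id and ownership entry is constructed.
"""
from dataclasses import dataclass, field

LOCK_LEVELS = ("none", "medium", "high")
NETWORK, TOOL = "network", "tool"


@dataclass
class Box:
    lock_level: str                             # one of LOCK_LEVELS
    users: dict                                 # user name -> "super" | "normal" | "audit"
    ports: dict                                 # port id -> NETWORK | TOOL
    owners: dict = field(default_factory=dict)  # port id -> set of owner names

    def owns(self, user, pid):
        return user in self.owners.get(pid, set())


def can_configure(box, user, pid, lock_level=None):
    """True if `user` may set up connections, filters and maps on port `pid`.

    `lock_level` overrides the box's current lock-level for what-if checks.
    """
    lock = box.lock_level if lock_level is None else lock_level
    if lock not in LOCK_LEVELS:
        raise ValueError(f"unknown lock-level: {lock!r}")
    level, kind = box.users[user], box.ports[pid]
    if level == "super":
        return True                  # all ports, regardless of lock-level
    if level == "audit":
        return False                 # audit users have no access to any port
    if level != "normal":
        raise ValueError(f"unknown user level: {level!r}")
    if lock == "none":
        return True                  # all network and tool ports
    if lock == "medium":
        # All network ports, but only the tool ports the user owns.
        return kind == NETWORK or box.owns(user, pid)
    return box.owns(user, pid)       # high: owned network and tool ports only


def can_connect(box, user, net_pid, tool_pid, lock_level=None):
    """A connection touches a network port and a tool port; both must be allowed."""
    if box.ports[net_pid] != NETWORK or box.ports[tool_pid] != TOOL:
        raise ValueError("a connection runs from a network port to a tool port")
    return (can_configure(box, user, net_pid, lock_level)
            and can_configure(box, user, tool_pid, lock_level))


def lost_access(box, new_lock_level):
    """Ports each normal user can configure now but not at `new_lock_level`."""
    lost = {}
    for user, level in box.users.items():
        if level != "normal":
            continue
        ports = sorted(pid for pid in box.ports
                       if can_configure(box, user, pid)
                       and not can_configure(box, user, pid, new_lock_level))
        if ports:
            lost[user] = ports
    return lost


def super_only_ports(box, lock_level):
    """Ports that no normal user could configure at `lock_level`."""
    normal = [u for u, lvl in box.users.items() if lvl == "normal"]
    return sorted(pid for pid in box.ports
                  if not any(can_configure(box, u, pid, lock_level) for u in normal))


# Constructed sample box: two network ports, two tool ports, lock-level none.
SAMPLE_BOX = Box(
    lock_level="none",
    users={"root": "super", "alice": "normal", "bob": "normal", "carol": "audit"},
    ports={"1": NETWORK, "2": NETWORK, "5": TOOL, "6": TOOL},
    owners={"1": {"alice"}, "5": {"alice"}, "6": {"bob"}},
)

if __name__ == "__main__":
    for target in ("medium", "high"):
        print(target, "lost:", lost_access(SAMPLE_BOX, target),
              "super-only:", super_only_ports(SAMPLE_BOX, target))
```

Running the same comparison against a real port-owner list before raising the lock-level shows which ports need an owner assigned first.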

Abbreviations in this Section


The tables in this section use the following abbreviations:
• au = Audit User
• nu = Normal User
• su = Super User
• NP = Network Port(s)
• TP = Tool Port(s)
• = The corresponding account level has full rights for this
command at the indicated lock-level.
• = The corresponding account level does not have rights for
this command at the indicated lock-level.

Login Command
The following table lists which account levels can log into
GigaVUE-420 at each supported lock-level.

Lock/User Level: None (Audit User, Normal User, Super User), Medium (Audit User, Normal User, Super User), High (Audit User, Normal User, Super User)

login: Must own at least one port.

Show Commands
The following table lists which show commands are available to
different account levels at each supported lock-level.

Lock/User Level: None (Audit User, Normal User, Super User), Medium (Audit User, Normal User, Super User), High (Audit User, Normal User, Super User)

show

connect: Owned TP and all NP. | Owned NP/TP only.

diag

file

filter

hostkeys

log

map-rule: Owned TP and all NP. | Owned NP/TP only.

port-filter: Owned TP and all NP. | Owned NP/TP only.

port-params: Owned TP and all NP. | Owned NP/TP only.

port-stats: Owned TP and all NP. | Owned NP/TP only.

port-owner: Owned TP and all NP. | Shows all normal users sharing NP/TP owned by issuer.

rad_server

snmp

sntp_server

system

symbols

tac_server

uda

user

whoison: Shows all logged in normal users only. | Show all logged in normal users only.

Delete Commands
The following table lists which delete commands are available to
different account levels at each supported lock-level.

Lock/User Level: None (Audit User, Normal User, Super User), Medium (Audit User, Normal User, Super User), High (Audit User, Normal User, Super User)

delete

all

connect: Owned TP and all NP. | Owned NP/TP only.

file

filter

log

pass-all: Owned TP and all NP. | Owned NP/TP only.

port-pair: All NP (TP: n/a) | Owned NP/TP only.

port-alias: Owned TP and all NP. | Owned NP/TP only.

port-filter: Owned TP and all NP. | Owned NP/TP only.

port-owner

map: Owned TP and all NP. | Owned NP/TP only.

mapping: Owned TP and all NP. | Owned NP/TP only.

map-rule: Owned TP and all NP. | Owned NP/TP only.

rad_server

snmp_trap

sntp_server

stack_info

tac_server

user

xbconnect: Owned TP and all NP. | Owned NP/TP only.

xbmap: Owned TP and all NP. | Owned NP/TP only.

xbport-filter: Owned TP and all NP. | Owned NP/TP only.

Config Commands
The following table lists which config commands are available to
different account levels at each supported lock-level.

Lock/User Level: None (Audit User, Normal User, Super User), Medium (Audit User, Normal User, Super User), High (Audit User, Normal User, Super User)

config

connect: Owned TP and all NP. | Owned NP/TP only.

file

filter

map: Owned TP and all NP. | Owned NP/TP only.

map-rule: Owned TP and all NP. | Owned NP/TP only.

mapping: Owned TP and all NP. | Owned NP/TP only.

pass-all: Owned TP and all NP. | Owned NP/TP only.

password: Own account only. | Own account only. | Own account only.

port-alias: Owned TP and all NP. | Owned NP/TP only.

port-filter: Owned TP and all NP. | Owned NP/TP only.

port-owner: [1]

port-pair: All NP. | Owned NP/TP only.

port-params: Owned TP and all NP. | Owned NP/TP only.

port-type: Owned TP and all NP. | Owned NP/TP only.

rad_server

restore

save

snmp_server

snmp_trap

sntp_server

system

tac_server

uda

user

xbconnect: Owned TP and all NP. | Owned NP/TP only.

xbmap [2]: [4] | [4] | [4] | Owned cross-box TP. [4] | Owned cross-box TP.

xbmapping [3]: [4] | [4] | [4] | Owned cross-box TP. [4] | Owned cross-box TP.

xbport-filter [4]: [4] | [4] | [4] | Owned cross-box TP. [4] | Owned cross-box TP.

1. Command does not apply at this lock-level.
2. Cross-box tool ports only. Cannot be applied to local tool ports.
3. Cross-box tool ports only. Cannot be applied to local tool ports.
4. Cross-box tool ports only. Cannot be applied to local tool ports.

Install Command
Only super users can install a new image on the GigaVUE-420,
regardless of the lock-level in place.

Lock/User Level: None (Audit User, Normal User, Super User), Medium (Audit User, Normal User, Super User), High (Audit User, Normal User, Super User)

install

Reset Commands
The following table lists which reset commands are available to
different account levels at each supported lock-level.

Lock/User Level: None (Audit User, Normal User, Super User), Medium (Audit User, Normal User, Super User), High (Audit User, Normal User, Super User)

reset

port-stats: Owned TP and all NP. | Owned NP/TP only.

port-stats all

system/factory default

Appendix D

Port Statistics Counters

This appendix describes the counters displayed by the show
port-params command. It also describes the differences in how the
counters are tabulated between the GigaVUE-420 and the
GigaVUE-MP:

IfInOctets
  Definition: Total Received Bytes. Includes all valid and error frames
  with the exceptions noted in the adjacent columns.
  GigaVUE-420: Excludes undersize frames.
  GigaVUE-MP: Includes undersize frames.

IfInUcastPkts
  Definition: Total Received Packets. Excludes multicast packets,
  broadcast packets, packets with FCS/CRC errors, MTU exceeded errors,
  oversize packets, and pause packets.
  GigaVUE-420: Excludes packets with FCS/CRC errors.
  GigaVUE-MP: Includes packets with FCS/CRC errors.

IfInNUcastPkts
  Definition: Total Received Broadcast and Multicast packets

IfInDiscards
  Definition: Total Discarded Packets. Discards are counted in the
  following cases:
  • Traffic in on a Network port with no logical connection
  • Filters/map-rules applied on a Network port.
  • In packets on a Tool port.
  • Pause frames.
  • Bandwidth exceeded on a Tool port due to oversubscription. See the
    adjacent columns for differences in how discards are counted due to
    oversubscription.
  GigaVUE-420: Oversubscription/bandwidth exceeded on Tool port in ALL
  configurations.
  GigaVUE-MP: Oversubscription/bandwidth exceeded only on Tool ports in a
  pass-all configuration.

IfInErrors
  Definition: Total Received Error Packets. Error packets include
  undersize, FCS/CRC, MTU exceeded, and oversize packets.
  GigaVUE-420: Excludes oversize packets without FCS/CRC.
  GigaVUE-MP: Includes oversize packets without FCS/CRC.

IfOutOctets
  Definition: Total Transmitted Bytes. Error packets are not transmitted,
  so they are not counted here.

IfOutUcastPkts
  Definition: Total Transmitted Packets. Error packets are not
  transmitted, so they are not counted here. In addition, multicast and
  broadcast packets are not counted here.

IfOutNUcastPkts
  Definition: Total Transmitted Broadcast and Multicast Packets

IfOutDiscards
  Definition: Transmitted Packets Discarded. This counter increments when
  a packet is discarded at a tool port due to a tool port filter.
  GigaVUE-420: Supported in GigaVUE-420
  GigaVUE-MP: Not supported in GigaVUE-MP

IfOutErrors
  Definition: Error packets seen on GigaVUE input port are not transmitted
  to a Tool port.

Appendix E

Console Cable Pinouts

This appendix provides the DB9 and RJ45 pinouts for the serial cable
provided with the GigaVUE-420 unit for connections to the Console
port.

The figures below show the pin numbers for both the DB9 and the
RJ45 ends of the cable. Following the figures, the table shows how the
pins connect on either end of the cable.

DB9 Pinouts – Figure

Figure 5-1: Console Cable: DB9 Pinouts

RJ45 Pinouts – Figure
The RJ45-RJ45 cable uses straight-through wiring.

Figure 5-2: Console Cable: RJ45 Pinouts

DB9 to RJ45 Pinouts – Table

Pin Number on DB9   Pin Number on RJ45   Cable Color
1                   No Connection        No Connection
2                   6                    Yellow
3                   3                    Black
4                   2                    Orange
5                   4,5                  Red and Green (Ground)
6                   7                    Brown
7                   1                    Blue
8                   8                    White
9                   No Connection        No Connection

360 Appendix E
Index

Numerics allowing odd MAC addresses


10GbE example 249
stacking port options 108 audience 13
-48 V DC authentication
power supplies 62 and console port 144
-48V power supplies 62 configuring 143
authentication (aaa) 144
autonegotiation
A
and 1 Gb speeds 82
aaa
configuring 143
access control list B
and port ownership 157 back_bid
accounts config system 321
configuring 135 back-to-back cross-box stack
active example 120
vs. passive 68 banner
active_link config system 318
config system 321 custom display 102
configuring 119 bit count subnet masks 233
alarm cancel button 61 box IDs
allow config system bid 116, 321
mixing with deny 242
allow filter 247

361
C map-rule 305
cable lengths mgmt_port_mtu 85
configuring 118 mtu 310
chassis pass-all 306
GigaVUE-420 25 password 307
CLI port-alias 307
basics 91 port-filter 307
default password 81 port-owner 307
getting started 79 port-pair 308
parameter limits 341 port-params 309, 310
reference 295 port-params (autoneg) 310
starting session 79 port-params duplex 310
structure of commands 93 port-params speed 310
syntax 92 port-params taptx 310
combining filters 235 port-type 310
command completion 91 restore 313
command help 92 save 313
command line snmp_server 314
basics 91 sntp 319
connecting 79 sntp_server 316
getting started 79 ssh2 319
reference 295 syslog_server 317
syntax 92 system 318, 323
commands system active_link 321
external vs. local 164 system back_bid 321
config system banner 318
box IDs 116, 321 system description 318
connect 296 system dhcp 321
console_baud 320 system dhcp_timeout 320
console_width 320 system gateway 321
date 318 system lock-level 322
dst 319 system log-level 323
dst_offset 319 system prompt 318
dst_onset 319 system rootdis 319
file 296 system x1_bid 321
filter 297 tac_server 324
filter syntax 225 uda 326
hostkey 320 user 327
map type 304 xbconnect 328
mapping 306 xbmap type 329

xbmapping 330 connecting systems (cross-box) 109
xbport-filter 330 connections 59, 208
config map command 270 deleting 218
config mapping 273 deleting cross-box 219
config mapping command 273 differences with maps 210
config map-rule command 271 examples 208
config port-owner command 141 GigaVUE-420 59
config rad_server command 153 introduced 208
config system showing 217
ipv6 321 syntax 216
config system aaa command 146 using filters with 219
config system lock-level command 141 connections and filters
config tac_server command 149 using 215
config user command 327 console cable
config xbmap command 270 pinouts 359
config xbmapping 273 Console port
config xbmapping command 273 connections 80
configuration console port
planning 110 and local authentication 144
configuration files console port settings 80
and delete stack_info 181 console_baud
and the ‘nb’ option 182 config 320
applying 180 console_width
applying from flash 181 config 320
contents 179 contacting sales 20
from TFTP Server 180 contacting support 19
restoring in cross-box stack 183 conventions
saved items 176 documentation 16
saving 177 conventions, notational 16
sharing 180
creating
storing on TFTP server 179
cross-box maps 266
map-rules 271
uploading to TFTP server 179
maps 266
using 175, 185
cross box commands
connect
delete 331 executing on all systems 202, 216, 264
cross-box
connecting
to GigaVUE-420 CLI 79 configuring 125
cross-box commands
via telnet 90
executing on all systems 284
vs. mapping 208
cross-box configurations
connecting ports 216
introduced 106

cross-box connections port-owner 331
deleting 219 port-pair 331
cross-box distribution rad_server 332
compared to single-box 201 snmp_trap 332
cross-box maps sntp_server 332
creating 266 tac_server 332
cross-box stack user 332
configuring 114 xbconnect 332
connecting systems 109 xbmap 332
planning 110 xbport-filter 332
restoring config files 183 delete all command 331
cross-box stack (4 systems) delete commands 331
example 121 and lock-level 351
cross-box stacks
delete map
troubleshooting 125 syntax 279
customer support
delete mapping
contacting 19 syntax 279
delete map-rule
D syntax 278
date delete stack_info
config 318 and config files 181
configuring 98 stack_info
daylight savings time deleting 332
automatic adjustments 100 delete syslog_server 332
DB9 pinouts 359 deleting
DC power supplies 62 connections 218
DC powered GigaVUE-420 62 filters 244
default password 81 deny
default user 81 mixing with allow 242
delete deny filter 247
connect 331 denying odd MAC addresses
file 331 example 248
filter 331 description
log 331 config system 318
map 331
designating and connecting tool ports
mapping 332
example 205
dhcp
map-rule 332
config system 321
pass-all 331
dhcp_timeout
port-alias 331
config system 320
port-filter 331
dimensions

GigaVUE-420 42 procedure for using 220
documentation syntax 225
conventions 16 using with connection 219
using 14 filter logic 235
DSS host keys 89 examples 235
DST filters
automatic adjustment 100 combining 235
dst deleting 244
config 319 mixing allow and deny 242
dst_offset post-filters defined 201
config 319 pre vs. post 220
dst_onset pre-filters defined 200
config 319 showing 243
duplex firmwarechange
config port-params 310 SNMP trap 169, 315
fragments
E IPv6 226, 298
example
allow filter 247 G
allowing odd MAC addresses 249 gateway
back-to-back cross-box stack 120 config system 321
cross-box stack (4 systems) 121 Getting Started with Packet
deny filter 247 Distribution 203
denying odd MAC addresses 248 GigaLINK-ER
designating and connecting tool and GigaLINK-XR 17
ports 205 GigaLINK-LR
filter logic 235 and GigaLINK-FO 17
MAC address filters 246 GigaLINK-SR
exit command 332 and GigaLINK-FO 17
GigaMUX module (base unit) 29, 30, 64
F GigaPORT module 65
fanchange port numbering 66
SNMP trap 169, 315 GigaTAP-Lx
file network ports only 199, 311
delete 331 GigaTAP-SX
filter network ports only 199, 311
delete 331 GigaTAP-SX/GigaTAP-LX modules 67
example of allow 247 GigaTAP-TX module 68
example of deny 247 GigaVUE-420 59
logic 235 10GbE stacking ports 108

and TACACS+/Radius 148 and IPv4 83
chassis 25 configuring 83
connections 59 enabling 83
features and benefits 22 fragments 226, 298
getting started 47 supported applications 83
initial setup 95 ipv6
modules 63 config system 321
overview 21
physical dimensions and weight 42 L
product naming conventions 16 link status propagation
rack-mounting 52 and port-pair 69, 309
replacing modules 75 local
security 133, 134 separate from TACACS+/Radius 148
specifications 42 local users
stacking 105 command differences vs. external 164
guide lock-level
how to use 14 changing 141
config system 322
H reference 347, 357, 359
help 91 lock-levels
command 92
and port ownership 347
configuring 139
command completion 91
log
word 92
history
delete 331
login command
command 333
host keys
and lock-level 349
log-level
configuring 89
hostkey
config system 323
logout command 336
config 320
hostkeys
show 337 M
MAC address filters
I examples 246
map
ib_cable_len 310
config type 304
IDS
delete 331
and config pass-all 256
install command 334
deleting single-box 279
IPv4 examples 211, 280
and IPv6 83 illustrations 286
IPv6 mapping 198

config 306 multi-tool maps
delete 332 vs. single-tool 267
deleting single-box 278
vs. connecting 208 N
map-rule name
config 305 configuring 98
delete 332 names
deleting from single-box map 278 modules 16
map-rules nb option 182
adding to maps (single-box) 277 setting 182
creating 271 network ports
how processed 271 connecting to tool ports 216
priority with a map 271 defined 198
maps introduced 198
adding map-rules (single-box) 277 sharing 214
binding to ports 273 notational conventions 16
creating 266
differences with connections 210
O
introduced 209
offsets
modifying 277
default 238
showing 275
online help 91
single-tool vs. multi-tool 267
overview
vs. connections 208
GigaVUE-420 21
maximums
CLI settings 341
Mgmt Port P
configuring network settings 82 packet distribution
mgmt_port_mtu described 197
config 85 getting started 203
modulechange pass-all
SNMP trap 169, 315 and filters 254
modules config 306
effects of replacing 75 delete 331
GigaVUE-420 63 deleting 251
replacing 75 in show connect screen 260
special considerations 74 matrix 253
MTU rules 252
automatic adjustment 85 showing 251
for Mgmt port 85 using 250
mtu with connections and maps 213
config 310 passive

vs. active 68 ports
password and maps 273
config 307 sharing 214
default 81, 96 port-stats
root account 96 reset 336
passwords port-type
changing 137 config 310
configuring 135 setting 199
pattern matches post-filters
examples 241 defined 201
rules 239 vs. pre-filters 220
syntax 238 when to use 221
pinouts power
console cable 359 DC 62
pktdrop power requirements 42
SNMP trap 169, 316 power supplies
planning configuration 110 DC 62
port numbering power supply
GigaPORT module 66 alarm cancel button 61
port ownership powerchange
and lock-levels 347 SNMP trap 169, 315
configuring 139 preface 13
port-alias pre-filters
config 307 defined 200
delete 331 vs. post-filters 220
port-filter when to use 221
config 307 product names 16
delete 331 prompt
portlinkchange config system 318
SNMP trap 169, 316
port-owner R
config 307 rack-mounting
delete 331 GigaVUE-420 52
port-pair rad_server
and link status propagation 69, 309 delete 332
config 308 syntax 153
delete 331 RADIUS
port-params adding server to GigaVUE-420 152
config 309, 310 configuring users in ACS 159
port-params (autoneg) Radius
configuring 310 configuring servers in GigaVUE-420 152

separate from local 148 sharing
radius network ports 214
command differences vs. local 164 tool ports 214
replacing modules 75 show
reset hostkeys 337
port-stats 336 show command 337
system 336 and lock-level 349
reset command 336 show connect 337
and lock-level 356 show diag 337
restore show file 337
config 313 show filter 337
RJ45 pinouts 359 show log 338
root account show map-rule 338
password 96 show port-filter 338
rootdis show port-owner 338
config system 319 show port-params 338
RSA host keys 89 show port-stats 338
RTP show rad_server 338
filter example 245 show snmp 339
rxtxerror show sntp_server 339
SNMP trap 170, 316 show symbols 339
show syslog_server 339
S show system 339
safety 52 show tac_server 339
Sales show uda 339
contacting 20 show user 339
sales show whoison 339
contacting 20 showing
save connections 217
config 313 filters 243
saving maps 275
config files 177 simultaneous sessions 138
saving changes 104 single-box distribution
security compared to cross-box 201
configuring 133 single-tool maps
GigaVUE-420 134 vs. multi-tool 267
serial settings 80 SNMP
sessions adding trap destinations 167
simultaneous 138 configuring traps 166
setup enabling GigaVUE-420’s server 172
initial 95

receiving traps 172 and cable length 118
trap events 169 specifying 119
using 165 stacks
SNMP trap troubleshooting 125
fanchange 169, 315 startup
firmwarechange 169, 315 custom banner 102
modulechange 169, 315 subnet masks
pktdrop 169, 316 bit count 233
portlinkchange 169, 316 support
powerchange 169, 315 contacting 19
rxtxerror 170, 316 syntax
systemreset 170, 316 CLI 92
taptxchange 170, 316
syslog_server
config 317
userauthfail 170, 316
snmp_server deleting 332
config 314 system
snmp_trap config 318, 323
delete 332 reset 336
SNTP systemreset
using for time 99 SNMP trap 170, 316
sntp
config 319 T
sntp_server tac_server
config 316 config 324
delete 332 delete 332
software TACACS+
updating 45 adding server to GigaVUE-420 149
specifications configuring port ownership for users 157
GigaVUE-420 42 configuring servers in GigaVUE-420 149
speed configuring users 156
config port-params 310 configuring users in ACS 162
SSH2 138 separate from local 148
advantages 88 tacacs+
and host keys 89 command differences vs. local 164
enabling 86 TACACS+ server settings 156
vs. Telnet 86 tap connections
ssh2 configuring 69
config 319 taptx
stacking config port-params 310
examples 119 taptxchange
stacking ports SNMP trap 170, 316

technical support configuring 135
contacting 19 separate for local vs. external 148
telnet using documentation 14
establishing connection 90
simultaneous sessions 138 V
TFTP
VLANs
storing config files 179
selectively forwarding 282
uploading config files 179
vs. maps 208
time
configuring 98
tool ports W
connecting to network ports 216 weight
defined 198 GigaVUE-420 42
introduced 198 word help 92
sharing 214 working with maps 263
traffic mapping 198
traps X
adding destinations 167 x1_bid
configuring 166 config system 321
GigaVUE-420 events 169 setting 117
receiving 172 x2_bid
troubleshooting setting 117
cross-box stacks 125 xbconnect
config 328
U delete 332
uda xbmap
config 326 config type 329
default offsets 238 delete 332
unpacking GigaVUE-420 51 xbmapping
updating GigaVUE-420 45 config 330
upload 340 xbox
uploading configuring 125
configuration files 179 xbox stack
user configuring 114
config 327
xbport-filter
default 81
config 330
delete 332
userauthfail
SNMP trap 170, 316
users
