Software User Guide
Powered by VSS Monitoring
and TEK are registered trademarks of Tektronix, Inc. The GeoProbe system uses the SmartHeap product for memory management. SmartHeap is a product of Compuware Corporation,
Copyright © All rights reserved. All other trade names referenced are the service marks, trademarks or registered trademarks of their respective companies.
Tektronix Communications
3033 W President George Bush Highway Plano, Texas 75075
+1 469-330-4000 (voice)
www.tekcomms.com (Web site)
[email protected] (Technical Publications email)
Plano, Texas USA - serves North America, South America, Latin America
+1 469-330-4581 (Customer Support voice)
[email protected] (Customer Support USA email)
London, England UK - serves Northern Europe, Middle East, and Africa
+44-1344-767-100 (Customer Support voice)
[email protected] (Customer Support UK email)
Frankfurt, Germany DE - serves Central Europe and Middle East
+49-6196-9519-250 (Customer Support voice)
[email protected] (Customer Support DE email)
Padova, Italy IT - serves Southern Europe and Middle East
+39-049-762-3832 (Customer Support voice)
[email protected] (Customer Support IT email)
Melbourne, Australia - serves Australia
+61 396 330 400 (Customer Support voice)
[email protected] (Customer Support Australia and APAC email)
Singapore - serves Asia and the Pacific Rim
+65 6356 3900 (Customer Support voice)
[email protected] (Customer Support APAC and Australia email)
Tektronix Communications, Inc. Proprietary Information
992-0501-08-001-140228
The products and specifications, configurations, and other technical information regarding the services described or referenced in this document are subject to change without notice. All statements, technical information, and recommendations contained in this document are believed to be accurate and reliable but are presented “as is” without warranty of any kind, express or implied. Users must take full responsibility for their application of any products specified in this document. Tektronix, Inc. makes no implied warranties of merchantability or fitness for a purpose as a result of this document or the information described or referenced within, and all other warranties, express or implied, are excluded.
Except where otherwise indicated, the information contained in this document represents the planned capabilities and intended functionality offered by the product and version number identified on the front of this document. Screen images depicted in this document are representative and intended to serve as example images only. Wherever possible, actual screen images are included.
Table of Contents
What’s New in IPB Software User Guide Version 7.13.2?
Chapter 1 Introduction
Overview
IPB Packet Broker Overview
IPB Features per Model
Accessing IPB System Management Web GUI
Accessing IPB Web GUI From IrisView
Accessing IPB Web GUI from Web Browser
Chapter 2 IPB Port Configuration Guidelines
Overview
IPB220s Connecting to G10 Standalone, G10 Media Probe, or G10 Control Plane Probe
IPB220 INGRESS Port Settings
IPB220 EGRESS Port Settings to a G10
G10 Configuration in Iris Admin (G10s Connected to IPB220s)
IPB420s Connecting to G10 Standalone or G10 Media Probe
IPB420 INGRESS Port Settings
IPB420 EGRESS Port Settings
Configuration in Iris Admin (G10s Connected to IPB420s)
IPB420s Connecting to G10 Control Plane Probe
IPB420 Ingress Port Settings
IPB420 Egress Port Settings
Configuration in Iris Admin (G10 Control Plane Probe Connected to IPB420s)
IPBs Connecting to TD140s or SpIprobes
IPB Ingress Port Settings
IPB Egress Port Settings
TD140 Port Settings
SpIprobe Port Settings
IPB Backhaul Scenario
IPB220 INGRESS Port Settings
IPB420 EGRESS Port Settings to a G10
Configuration in Iris Admin (G10s Connected to IPB420s)
Chapter 3 IPB System Configuration
Overview
System Status Page
Chassis Module Information Page
System Settings Page
Port Settings Page
SNMP Settings Page
Access Control
Authorized Users
Authentication with RADIUS and TACACS+
About IPB Parameters on External AAA Servers
Management Interface Access
Access Override
Save and Load Configurations
Save Settings
Load Settings
Software Upgrading
Add New Option Key
Update Software to New Release
Software Rollback Procedure
Chapter 4 IPB Base Feature Set
Overview
Filtering
Filtering and Latency
Basic Filtering Workflow
About the Filter Library
Creating and Editing Filters
Using the Quick Tab
Using the Detailed Tab
Using the Advanced Tab
Switching Filter Tabs
Special filters: Unfiltered and Nonmatch
Filter Condition Comparison Fields
Offset Filters
Packet Fields
Filter Examples
Creating Port Mappings with Filters
About Filter Service Ports and User-independent Filtering
Session-Based/Flow-Aware Load Balancing
Triggers
Trigger Actions
Trigger Types
Always & Never
Link Up/Down
Link Utilization
Remote vMesh Node Up/Down
System Power & Temperature
vMesh
vMesh Stacking Topologies
About vMesh Over IP
Integrated Management Interface
Configuring vMesh Direct Connect
Configuring Monitor Output
Optimal Path Forwarding
Load Balancing and Load Spreading in a vMesh
Monitor Output Load Balancing
Stacking Load Balancing
Stacking Load Spreading
VLAN Tagging
VLAN Tags in a vMesh
VLAN Tags without vMesh
Chapter 5 IPB Enhanced Port Features
Overview
High Data Burst Buffer
Configuring the High Data Burst Buffer
Capacity Planning Data (vCapacity)
Subsecond Sampling
Per-second data
About vCapacity Data Files
Configuring and Using vCapacity
Bad Packet Forwarding
Overview
Configuration Requirements and Considerations
Encapsulated Filtering
Extended Load Balancing
GTP/MPLS Inner Layer 3/4 Balancing
GTP De-Encapsulation
VLAN and VN Tag Stripping
Port Stamping
Time Stamping
About Time Stamp Synchronization Sources
About Time Stamp Accuracy
Using Port Stamping And Time Stamping Together
vMesh over IP
Overview
Chapter 6 IPB Applications
Overview
Packet Fragment Reassembly
Configuration
MPLS Stripping
MPLS Layer 3 Stripping
MPLS Layer 2 De-encapsulation
Conditional Slicing (vSlice)
Chapter 7 Diagnostic Support
Overview
System Information
System Status Page
System Software Page
System Information Tab
Hardware Capabilities Tab
Authentication
vMesh Direct Connect (vStack+ Connections) Summary
Network Activity Statistics
SNMP MIBs
MIB-2 Objects
RMON Objects
Enterprise Objects
Syslog
Filtering Resources
Per-Filter Filtering Limitations
Per-Filter Notes:
System-Wide Filtering Limitations
Frequently Asked Questions
Feature ID | Description | Refer To:
F-02339 | Support for IPB420/IPB220 Configuration from IrisView: The IPB System Management Web GUI can now be accessed from IrisView. | Accessing IPB Web GUI From IrisView
 | Support for IPB420 40G Interface: The IPB420 supports 40G chassis modules, supporting up to 16 connections per IPB. | IPB Features per Model; IPB Hardware Installation and Maintenance Guide
Introduction
Overview
This document describes the features and functionalities offered by IPB network packet brokers. This guide describes the procedures for configuring an IPB to perform user tasks corresponding to each feature or functionality.
This chapter provides the following sections:
IPB Packet Broker Overview
IPB Features per Model
Accessing IPB System Management Web GUI
Refer to the following chapters for more details:
Chapter 2 - IPB Port Configuration Guidelines
Chapter 3 - IPB System Configuration
Chapter 4 - IPB Base Feature Set
Chapter 5 - IPB Enhanced Port Features
Chapter 6 - IPB Applications
Chapter 7 - Diagnostic Support
IPB Packet Broker Overview
Iris Packet Brokers (IPBs) enable you to more effectively utilize your existing Tektronix Communications monitoring solutions, simplify operational complexity, and realize a higher ROI from additional cost savings and service quality improvements. IPB intelligent stacking technology, vMesh, enables traffic capture devices to be deployed in a redundant, low-latency mesh for total, dynamic, fault-tolerant visibility.
Figure 1.1 - Iris Packet Brokers
With the visionary vMesh approach to architecture, you get the flexibility and modularity to deploy just the appliances you need, when you need them, with the ability to scale link-layer visibility and data access to a system-level architecture with up to 256 ports globally. The business benefits include more flexible capital requirements, high tool utilization and ROI, and lower operating costs.
Designed specifically to address high bandwidth interfaces and data center applications, the NEBS-compliant Iris Packet Broker (IPB) features a scalable, modular architecture that bridges the gap between 1 GigE, 10 GigE, and 40 GigE networks. It also provides all of the intelligent network packet functionality on a large scale. Each model supports a maximum of four SFP+ modules that support different features, port densities, and port speeds up to a maximum line rate throughput of 240 Gbps for the IPB220 series and 640 Gbps for the IPB420. Additionally, ports and features are enabled as they are needed by license key. Any port can be designated as an ingress/input or an egress/output port.
Hardware-based filtering allows traffic to be distinguished according to source and destination MAC/IP address as well as by specific protocols, such as HTTP, VoIP, GTP, and LTE. A custom filter offers more granular specification for filtering within the packet payload. Filters can be ingress, egress, and overlapping.
All IPB models support symmetrical L2 to L4 load balancing. Session-aware load balancing is provided by TD140. Select IPB models have optional features including port stamping, time stamping, and microburst protection. To feed third-party tools, select IPB models have optional features including protocol/tag stripping (GTP, VLAN, MPLS) and conditional packet slicing.
All IPB models support a connection between multiple units, which enables up to 256 ports at a single site. In addition, IPB can be deployed in a redundant, low-latency mesh for total, dynamic fault-tolerant visibility. Select IPB models have an option to support inter-connected IPBs over a LAN or WAN using TCP, which enables backhaul of traffic from remote sites to a central monitoring location. To protect against data attacks during backhaul, secure data encryption (AES) is supported. Redundant hot-swappable power supplies, fans, and air filters allow seamless transitions between power systems and ensure uptime.
IPBs are an add-on to TD140 deployments; they do not replace TD140s.
IPB Features per Model
Tektronix Communications offers the following Iris Packet Broker (IPB) models:
IPB220 Base
IPB220 Advanced
IPB420
Table 1.1 shows the features available for each IPB model.

Table 1.1 - IPB Feature Support per Model
Feature | IPB220 Base | IPB220 Advanced | IPB420
Selective Port Aggregation and/or Replication
Layer 2 to Layer 4 Filtering
Symmetrical L2 to L4 Load Balancing
NTP or PTP timing
vMesh Direct Connect (connected by cable)
Integrated with IrisView Alarms and System Health visibility
Maximum ports | 24 | 24, up to 16 ports have advanced features | 64 1G/10G or 16 40G
Integration with GeoProbe platform family | G10 only
1G or 10G Ethernet port
40G Ethernet port
Time & Port Stamping
Option to disable time and port stamping on egress
Within a GTP tunnel, L3 and L4 Filtering, 10G
Microburst Protection (High Data Burst Buffer)
Protocol/Tag Stripping (GTP, VLAN, MPLS)
vMesh over IP (Interconnect IPB over TCP/IP)

Accessing IPB System Management Web GUI
Refer to one of the following sections for access information:
Accessing IPB Web GUI From IrisView
Accessing IPB Web GUI from Web Browser
Accessing IPB Web GUI From IrisView
Perform the following to access the IPB System Management Web GUI from within IrisView.
Tektronix Communications service personnel must initially set up the IPB to enable IrisView to access its configuration GUI. Contact Tektronix Communications for details.
Step Action
1. Log in to IrisView.
2. Select System Config from the Admin menu. The Probes tab appears.
3. Select an IPB (“I” icon) in the Probe List (Figure 1.1). The right pane displays the IPB’s Ports tab, Details tab, and IPB Configuration tab.
4. Select the IPB Configuration tab to access the IPB System Management Web GUI (Figure 1.2).
Figure 1.2 - IrisView IPB Configuration Tab
Some pages on the IPB System Management Web GUI, such as Access Control and SNMP Settings, are not accessible via IrisView. You can access them only by opening the GUI directly in a Web browser.
The main System Status page appears (Figure 1.2). This page consists of two panes:
Menu Pane, which allows selection of other pages, such as System settings and Port settings.
Port Status pane, which appears on the right (refer to System Status Page for details).
Refer to the remaining chapters in this guide for details about configuring the IPB using this GUI.
Accessing IPB Web GUI from Web Browser
Tektronix Communications recommends the following Web browsers for use with IPB devices:
Apple Safari 5.0 (or later)
Google Chrome 17.0 (or later)
Microsoft Internet Explorer 7.0 (or later)
Mozilla Firefox 3.6 (or later)
With all browsers, ensure Cookies are enabled. If using Internet Explorer, also ensure the Compatibility View is disabled. Adobe Flash Player is also required to be able to view the graphical dials and sliders in the Network Activity screens.
Perform the following to access IPB system management via a Web browser.
Step Action
1. Connect a CAT 3 (or higher) Ethernet cable between the IPB’s management port and a PC or server.
2. Power on the unit. You should see the Link Status LED illuminate on the connected management Ethernet port.
3. Connect to the device by entering the IP address of the device into the Web browser’s URL address box. Depending on your browser, you may need to include “http://” in the IP address.
4. You will see the login security popup appear. Enter your user name and your password.
The main System Status page appears (Figure 1.3). This page consists of two panes:
Menu Pane, which allows selection of other pages, such as System settings, SNMP settings, and Access control settings.
Port Status pane, which appears on the right (refer to System Status Page for details).
Figure 1.3 - System Status Page
IPB Port Configuration Guidelines
Overview
Once the IPB unit is physically installed, the system is configured with the IP address it needs to establish communications to the Iris Server for configuration and maintenance. You must properly configure IPB port settings to ensure correct time stamping.
Port configuration settings differ depending on what monitoring equipment you connect to the IPB. Refer to the following sections for details:
IPB220s Connecting to G10 Standalone, G10 Media Probe, or G10 Control Plane Probe
IPB420s Connecting to G10 Standalone or G10 Media Probe
IPB420s Connecting to G10 Control Plane Probe
IPBs Connecting to TD140s or SpIprobes
IPB Backhaul Scenario
IPB220s Connecting to G10 Standalone, G10 Media Probe, or G10 Control Plane Probe
Figure 2.1 shows IPB220s connecting from the network element to a G10 (Standalone, Media, or Control Plane). These settings apply when connecting to a standalone G10, a Control Plane probe, or a Media probe. This scenario does not require any G10 configuration in Iris Admin; the G10s are not bound to the IPB220 in this scenario.
Figure 2.1 - IPB220 Connecting to G10 Standalone, G10 Media Probe, or G10 Control Plane Probe
IPB220 INGRESS Port Settings
Table 2.1 shows the IPB220 Ingress port settings you configure on the Port Settings Page in the IPB system software.

Table 2.1 - IPB220 INGRESS Port Settings
Port Setting | Set to:
Port Class | Span
Link State | Auto
Monitor Output Timestamping | Disabled
Monitor Output Portstamping | Disabled
GTP Decapsulation (if applicable) | Disabled

IPB220 EGRESS Port Settings to a G10
Table 2.2 shows the IPB220 Egress port settings you configure on the Port Settings Page in the IPB system software.

Table 2.2 - IPB220 EGRESS Port Settings
Port Setting | Set to:
Port Class | Monitor
Link State | Auto
Egress timestamping | N/A
Monitor Port VLAN Tagging | Disabled
TekComms Encapsulation | N/A
Encapsulate using Tektronix-format timestamp/portstamp (appears when TekComms Encapsulation is Enabled) | N/A

G10 Configuration in Iris Admin (G10s Connected to IPB220s)
In Iris Admin, create a physical link for the G10 connecting to the IPB220. G10s are not bound to IPB220s.
IPB420s Connecting to G10 Standalone or G10 Media Probe
Figure 2.2 shows IPB420s connecting from the network element to a standalone G10 or G10 Media Probe. These settings apply when connecting to a standalone G10, a Control Plane probe, or a Media probe. This scenario requires additional configuration for the G10 in Iris Admin.
Figure 2.2 - IPB420 Connecting to G10 Standalone or G10 Media Probe
IPB420 INGRESS Port Settings
Table 2.3 shows the IPB420 Ingress port settings you configure on the Port Settings Page in the IPB System Software.

Table 2.3 - IPB420 INGRESS Port Settings
Port Settings | Set To:
Port Class | Span
Link State | Auto
Monitor Output Timestamping | Enabled
Monitor Output Portstamping | Enabled
GTP Decapsulation | N/A

IPB420 EGRESS Port Settings
Table 2.4 shows the IPB Egress port settings you configure on the Port Settings Page in the IPB System Software.

Table 2.4 - EGRESS Port Settings
Port Settings | Set To:
Port Class | Monitor
Link State | Auto
Egress timestamping | Disabled [1]
Monitor Port VLAN Tagging | Disabled
TekComms Encapsulation | Enable
Encapsulate using Tektronix-format timestamp/portstamp (appears when TekComms Encapsulation is Enabled) | Enable
[1] DO NOT enable this option; this option must be Disabled.

Configuration in Iris Admin (G10s Connected to IPB420s)
In Iris Admin, perform the following to complete configuration of this scenario:
Bind the G10 to the IPB420.
Create a physical link for the IPB420 ingress ports.
Set the following G10 physical device port settings on the Probe Details pane in Iris Admin System Config. Refer to the Iris Admin online help for details.
- Set Enabled column to True for all ports that are physically connected to IPB; set Enabled column to False for all ports not connected to the IPB.
IPB420s Connecting to G10 Control Plane Probe
Figure 2.4 shows IPBs connecting from the network element to a G10 Control Plane Probe. G10 Control Plane probes do not bind to IPB420s.
Figure 2.3 - IPB420 Connecting to G10 Control Plane Probe
IPB420 Ingress Port Settings
Table 2.7 shows the IPB Ingress port settings you configure on the Port Settings Page in the IPB System Software.

Table 2.5 - IPB420 INGRESS Port Settings
Port Settings | Set To:
Port Class | Span
Link State | Auto
Monitor Output Timestamping | Disabled
Monitor Output Portstamping | Disabled
GTP Decapsulation | N/A

IPB420 Egress Port Settings
Table 2.8 shows the IPB Egress port settings you configure on the Port Settings Page in the IPB System Software.

Table 2.6 - IPB420 EGRESS Port Settings
Port Settings | IPB420
Port Class | Monitor
Link State | Auto
Egress timestamping | Disabled [1]
Monitor Port VLAN Tagging | Disabled
TekComms Encapsulation | Enabled
Strip timestamp/portstamp | Enabled
[1] DO NOT enable this option; this option must be Disabled.

Configuration in Iris Admin (G10 Control Plane Probe Connected to IPB420s)
In Iris Admin, perform the following to complete configuration of this scenario:
Create a physical link for the IPB420 ingress ports.
Set the following G10 physical device port settings on the Probe Details pane in Iris Admin System Config. Refer to the Iris Admin online help for details.
- Set Enabled column to True for all ports that are physically connected to IPB; set Enabled column to False for all ports not connected to the IPB.
- Set Op Mode to Negotiate for enabled G10 ports
- The Direction setting (TX, RX, Span) is ignored by the G10 probe when it is connected to an IPB.
IPBs Connecting to TD140s or SpIprobes
Figure 2.4 shows IPBs connecting from the network element to a TD140 or SpIprobe 3U/14U. TD140s and SpIprobes do not bind to IPB420s.
IPB Ingress Port Settings
Table 2.7 shows the IPB Ingress port settings you configure on the Port Settings Page in the IPB System Software.

Table 2.7 - INGRESS Port Settings
Port Settings | IPB420 | IPB220
Port Class | Span | Span
Link State | Auto | Auto
Monitor Output Timestamping | Disabled | Disabled
Monitor Output Portstamping | Disabled | Disabled
GTP Decapsulation | N/A | Disabled

IPB Egress Port Settings
Table 2.8 shows the IPB Egress port settings you configure on the Port Settings Page in the IPB System Software.

Table 2.8 - EGRESS Port Settings
Port Settings | IPB420 | IPB220
Port Class | Monitor | Monitor
Link State | Auto | Auto
Egress timestamping | Disabled [1] | N/A
Monitor Port VLAN Tagging | Disabled | Disabled
TekComms Encapsulation | Enabled | N/A
Strip timestamp/portstamp | Enabled | N/A
[1] DO NOT enable this option; this option must be Disabled.

TD140 Port Settings
Refer to TD140 documentation for details.
SpIprobe Port Settings
Refer to GeoProbe Network Configuration Guide for details about SpIprobe port configuration.
IPB Backhaul Scenario
Traffic from multiple, remote locations can be backhauled to a central monitoring location (Figure 2.5).
Figure 2.5 - Backhaul Scenario with IPB220s and IPB420s
IPB220 INGRESS Port Settings
Table 2.9 shows the IPB220 Ingress port settings you configure on the Port Settings Page in the IPB system software.

Table 2.9 - IPB220 INGRESS Port Settings
Port Setting | Set to:
Port Class | Span
Link State | Auto
Monitor Output Timestamping | Enabled
Monitor Output Portstamping | Enabled
GTP Decapsulation (if applicable) | Disabled

IPB vMesh (vStack+) Port Settings
Table 2.10 shows the IPB220 vMesh (vStack+) port settings you configure on the Port Settings Page in the IPB system software.

Table 2.10 - IPB220 EGRESS Port Settings
Port Setting | Set to:
Port Class | vStack+
Transport Type | vStack+ over TCP or vStack+ over Ethernet
Link State | Auto

IPB420 EGRESS Port Settings to a G10
Table 2.11 shows the IPB420 Egress port settings you configure on the Port Settings Page in the IPB System Software.

Table 2.11 - EGRESS Port Settings
Port Settings | IPB420
Port Class | Monitor
Link State | Auto
Egress timestamping | Disabled [1]
Monitor Port VLAN Tagging | Disabled
TekComms Encapsulation | Enable
Encapsulate using Tektronix-format timestamp/portstamp (appears when TekComms Encapsulation is Enabled) | Enable
[1] DO NOT enable this option; this option must be Disabled.

Configuration in Iris Admin (G10s Connected to IPB420s)
In Iris Admin, perform the following to complete configuration of this scenario:
Bind the G10 to the IPB420.
Create a physical link for the IPB420 ingress ports.
Set the following G10 physical device port settings on the Probe Details pane in Iris Admin System Config. Refer to the Iris Admin online help for details.
- Set Enabled column to True for all ports that are physically connected to IPB; set Enabled column to False for all ports not connected to the IPB.
- Set Op Mode to Negotiate for enabled G10 ports
- The Direction setting (TX, RX, Span) is ignored by the G10 probe when it is connected to an IPB.
IPB System Configuration
Overview
This chapter provides GUI descriptions for the IPB system software. Refer to the following sections for details:
System Status Page
Chassis Module Information Page
System Settings Page
Port Settings Page
SNMP Settings Page
Access Control
Save and Load Configurations
Software Upgrading
System Status Page
Figure 3.1 shows the overall system status page, which displays when you access the IPB using a Web browser.
Figure 3.1 - System Status Page

Table 3.1 - System Status Page Elements
Page Element | Description
System Status area | View the following information:
- Current date and time, as set in the unit’s real-time clock.
- Date/time when last booted, how long the system has been running, and the date/time of the last configuration change.
- System Name (MIB2 SysName), System Location (MIB2 SysLocation), and System Contact (MIB2 SysContact).
- Status of the two internal power supplies and Monitor buffer, and the current internal temperature.
- System warning or error messages, if any.
Port Column | Port designation is [chassis module position]/[port], such as 1/1 (see Figure 3.2).
Name Column | Name for port, if configured. The port name is a convenience that makes it easy to identify the devices or network segments connected to the unit.
Link Column |
- Up - device or network segment is connected to the port and a link has been fully established.
- Down - device is disconnected; a link is not established for this port.
Speed Column, Duplex Column |
- If link is Up:
  - Displays current actual speed and duplex state of the port
- If a link is Down:
  - Port auto-negotiation ON: Speed and Duplex fields are blank
  - Port auto-negotiation OFF: Speed and Duplex fields indicate the forced speed and duplex settings that have been configured for the port.
- For Fiber-only systems, the Duplex column may not be present.
Negotiate Column |
- Auto - auto-negotiation is enabled
- Off (Forced) - auto-negotiation is disabled
- Blank - auto-negotiation is not applicable
MDI Column | This column appears only if copper SFPs are installed.
- Auto - the port is configured for auto-MDIX.
- MDI - auto-MDIX is disabled and the port is set to a fixed MDI mode.
- MDIX - auto-MDIX is disabled and the port is set to a fixed MDIX mode.
Class Column |
- Monitor - egress port
- Tap - IPB does not support this class.
- Span - ingress port
Applications | Displays the installed applications for this port:
- AIA=Aggregation to Inline Applications
- CAP=vCapacity
- DD=Deduplicator
- DF=Defragmenter
- DPI=DPI Finder
- EF=Encapsulation Filtering
- ELB=Extended Load Balancing
- EOF=Email ObjectFinder
- GD=GTP De-encapsulation
- GIMSLB=GTP IMSI Balancing (Not Supported)
- HDB=High DataBurst Buffer
- IOF=IP ObjectFinder
- MOT=Monitor over TCP
- MVS=MPLS/VLAN Stripping
- PO=Packet Optimization (PTS+MVS+GD+SLC)
- PT=Packet Transport
- PTS=Port/Time Stamping
- SLC=vSlice
- SOF=Spool over FTP (not supported)
- SOT=Span over TCP
- VOT=vMesh over TCP/IP
Monitor Column | The currently-configured network-to-monitor port mapping for the port.
- Network port - indicates which monitor ports have been mapped to it.
- Monitor port - indicates which network ports have been mapped to it.
Status Column | Port’s current state.
- OK - link is up
- -- - means it is down
- No module - module is not present for ports that are activated
Optical Power (Tx/Rx) Column | Shows both the transmit (Tx) and receive (Rx) power levels for ports that have supported SFP or SFP+ modules inserted.
- Column does not appear if supported SFP/SFP+ modules are not installed
Setup | Access the Port Settings page for the selected port by clicking the associated Setup button. See Port Settings Page for details.

Chassis Module Information Page
The Chassis Module Information page (Figure 3.2) displays detailed hardware information on both the chassis system and all installed hardware modules and their applications.
Figure 3.2 - Chassis Module (Hardware) Information Page
Available chassis information includes:
Base board type, ID, serial number
Manufacturing part numbers
Number of installed hardware modules
Environment status, including temperature, fan and filter

The ports on which the hardware module is installed
Module type, ID, serial number
Manufacturing part numbers
Applications installed on the hardware module
Hardware module revision number
Installed applications can also be viewed per port on the System Status window and on the individual Port Settings windows.
System Settings Page
Figure 3.3 shows an example System Settings page.
Figure 3.3 - System Settings Page

Table 3.2 - System Settings Page Elements
Page Element | Description
System Settings | View and define:
- System name
- System location
- System contact
Network Settings | View and define:
- IPB IP address (IPv4 or IPv6)
- Net/subnet mask
- Default gateway/router address
- DNS server address
- Syslog server addresses or URL.
  - Info such as port up/down, temperature, and voltage status changes are sent to syslog server addresses if defined.
System (Timestamping) Clock: Local Clock Settings |
- View and define local date and time
- Set the date and time from the local computer’s clock by clicking the down-arrow.
System (Timestamping) Clock: NTP Configuration |
- Define NTP servers to provide a timing reference for the IPB system clock
- Displays status of the connection and synchronization as well as the Deviation of the system clock from the NTP source
System (Timestamping) Clock: GPS Configuration |
- Define the length of the cable from the IPB to the GPS receiver to achieve the expected accuracy.
- View status of GPS signal and number of satellites.
System (Timestamping) Clock: PTP Configuration |
- Enable PTP and/or 1PPS
- Define IP address and subnet mask of PTP server
- Configure the following parameters:
  - DHCP: Enable/disable
  - Transport method: TCP or Ethernet
  - 1PPS source: GPS Port, PTP, 1PPS Connector
  - Port type: TCP or Ethernet
  - Delay mechanism: End-to-end, peer-to-peer
- Information about the PTP sync network is also available via the details button.
- If GPS is used as a sync source, and PTP is enabled, then the PTP port can be used as a Master Clock to synchronize other IPBs.
PTP/1PPS Configuration | Configure PTP/1PPS Settings. Refer to Time Stamping Synchronization for details.
Advanced Settings |
- Timestamp adjustment: Enable Include UTC leap seconds in packet timestamp. Default is disabled.
- Voltage Error indicators: Enable option to ignore errors related to power supplies. This will disable the System Status error message and also any Syslog or SNMP traps for this. This option may only be useful if one power supply is to be used.
- Automatic logoff timeout: Define a timeout value for any login session by a user. If the user has been inactive for the specified timeout, the session will be logged off. A value of 0 disables the time-out.
Monitor Port VLAN Tagging | Define how VLAN tags may be defined (only visible if vMesh [vStack+] ports are defined). Refer to VLAN Tagging section for application:
- TPID (EType) drop-down list for 0x88A8 (default), 0x8100, or 0x9100
- Starting VID value: Specifies the first VLAN ID to be used when numbering VLANs on this IPB; the default value is 1. When using VLAN tags for port stamping, the IPB starts counting at the far left and uppermost hardware port and then proceeds consecutively, top to bottom and left to right. Click the information icon to view a table of port IDs and corresponding VIDs for this IPB.
- Note: On IPBs with one or more vStack+ ports configured, the Starting VID field does not display and cannot be changed from its default value of 1.
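The following Python example is added here and is not part of the guide or the IPB software. It shows how a tool attached to a monitor port could read the VLAN tag used for port stamping, using the three selectable TPID values and the Starting VID setting described in Table 3.2. The one-VID-per-port consecutive mapping, the port_count parameter, and the function names are assumptions of this example, and the sample frames are constructed.

```python
import struct

# TPID (EType) values offered by the Monitor Port VLAN Tagging drop-down.
IPB_TPIDS = (0x88A8, 0x8100, 0x9100)
MAC_HEADER = 12   # destination MAC + source MAC
TAG_LEN = 4       # TPID (2 bytes) + TCI (2 bytes)


def read_port_stamp(frame, tpid=0x88A8, starting_vid=1, port_count=24):
    """Decode the outer VLAN tag of a frame received from a monitor port.

    Returns (port_ordinal, untagged_frame), or None when the outer tag is not
    a port stamp for this configuration. port_ordinal is 1 for the first port
    in the unit's counting order. The consecutive VID-per-port mapping and
    port_count are assumptions of this example.
    """
    if tpid not in IPB_TPIDS:
        raise ValueError("TPID 0x%04X is not one of the selectable values" % tpid)
    if not 1 <= starting_vid <= 4094:
        raise ValueError("starting VID must be in the range 1..4094")
    if len(frame) < MAC_HEADER + 2:
        raise ValueError("frame is shorter than an Ethernet header")

    (outer_type,) = struct.unpack_from("!H", frame, MAC_HEADER)
    if outer_type != tpid:
        return None                      # untagged, or tagged with another TPID
    if len(frame) < MAC_HEADER + TAG_LEN + 2:
        raise ValueError("truncated VLAN tag")

    (tci,) = struct.unpack_from("!H", frame, MAC_HEADER + 2)
    vid = tci & 0x0FFF                   # low 12 bits of the TCI carry the VID
    ordinal = vid - starting_vid + 1
    if not 1 <= ordinal <= port_count:
        # Same TPID but a VID outside the stamp range, for example a customer
        # 802.1Q tag when the TPID is set to 0x8100: leave the frame alone.
        return None
    untagged = frame[:MAC_HEADER] + frame[MAC_HEADER + TAG_LEN:]
    return ordinal, untagged


def build_tagged_frame(tpid, vid, payload=b"\x00" * 46):
    """Constructed sample input: an IPv4-EtherType frame with one outer tag."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    return dst + src + struct.pack("!HH", tpid, vid) + b"\x08\x00" + payload


if __name__ == "__main__":
    stamped = build_tagged_frame(0x88A8, 5)
    print(read_port_stamp(stamped))
    customer = build_tagged_frame(0x8100, 300)
    print(read_port_stamp(customer, tpid=0x8100))
```

With the TPID set to 0x8100, a port stamp can only be told apart from an ordinary 802.1Q tag by its VID range, which is why the range check matters.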
P ORT S ETTINGS P AGE
You can access the Port Settings page from the main menu, or by clicking the Setup button for a desired port on the System Status Page. Figure 3.4 shows examples Port Settings page. The fields on this page vary depending on the selected port class.
Figure 3.4 - Port Settings Pages
Table 3.3 - Port Settings Page Elements
Page Element Description
Class options Select the port class:
Tap: IPB does not support this class.
Span: configure Ingress ports from the monitored network with this setting
Monitor: configure Egress ports to monitoring equipment with this setting (G10 probes, TD140s, and SpIprobes)
Service: configures a port as an intermediate point for providing additional capabilities such as user-independent and ingress/service/egress filter maps. Once set, this port functions as an internal port and will not show any link LED, speed, etc.
vMesh (vStack+): configures the port as a vMesh interconnection link to another IPB.
Port Name field Enter a name to identify the port. The port name makes it easy to identify the devices or network segments connected to the unit. A maximum of 20 characters can be used for each port name.
Type field Lists the physical type of this port, such as “10Base-T/100Base-TX/1000Base-T RJ45” for 10/100/1000 copper ports.
For the SFP, SFP+, and XFP ports, this field will be blank until an SFP/SFP+/XFP module is inserted, at which time this field will show identification information from the module itself, e.g. the manufacturer, model, and network capabilities.
Auto Negotiate This field is only present for copper 10/100/1000 ports.
Enable or disable auto-negotiation:
Enabled: an “Auto Negotiation Advertisements” section appears, allowing you to select any or all speed, duplex and pause settings which will be “advertised” by this port as part of the auto-negotiation protocol.
Disabled: a table appears, allowing you to select forced speed, duplex, timing and MDI/MDIX settings.
Link state Auto: normal operation
Force down/up: force the link to an up or down state.
Force down (copper ports only)
Force up (fiber ports only): can be used to force a monitor port to establish a link, even if nothing is plugged into the port. This option is intended for use with fiber-optic ports, including SFP+ and XFP, which normally will not acknowledge a link unless something is plugged into the Rx side of the transceiver. Forcing the port to link will allow the port to output data from the Tx side of the fiber-optic port, even if nothing is plugged into the Rx side of the port. Currently, this capability is not available on SFP-only ports.
Egress Timestamping This option only appears for Monitor port class (IPB Egress ports) on the IPB420. DO NOT enable this option; it is not used by the IPB.
Monitor Output Timestamping, Monitor Output Portstamping These options only appear for Span port class (IPB Ingress ports). Enabling these options depends on the IPB model and the type of monitoring equipment you are connecting to the IPB. Refer to IPB Port Configuration Guidelines for details.
Refer to Port Stamping and Time Stamping for feature details.
TekComms Encapsulation This setting only appears for the IPB420 for Monitor (Egress) ports. Enabling these options depends on the IPB model and the type of monitoring equipment you are connecting to the IPB. Refer to IPB Port Configuration Guidelines for details.
When you enable this feature, three options appear.
Strip timestamp/portstamp: Egress packets have no timestamp and port tag (egress packets are the same as received at ingress port)
Include VSS timestamp/portstamp: Egress packets have timestamp and/or port tag appended to end of packet
Encapsulate using Tektronix-format timestamp/portstamp: Egress packets have TekComms metadata header containing timestamp, port tag, and other information
SNMP SETTINGS PAGE
Figure 3.5 shows examples of the SNMP Settings page for v1, v2, or v3. You can specify the SNMP version and the IP address of the SNMP client (trap manager), or disable SNMP.
Figure 3.5 - SNMP Settings Pages
Table 3.4 - SNMP Versions
SNMP Version Description
SNMPv1 and v2 SNMP v1 and v2 access is controlled by industry-standard Community Strings, a form of password access control:
Get Community String: used when performing an SNMP GET function (to read an object from the IPB MIB for display on the host SNMP management station).
Set Community String: used when performing an SNMP SET function (to write/change an object from the IPB MIB).
These Community Strings must be configured identically to the corresponding values configured in the host application program. However, the Community String for Get functions needs to be different from the Community String for Set functions; otherwise Set functions will not take effect.
For SNMP v1, you can specify the community strings.
For SNMP v2, in addition to community strings, you can specify whether Event notifications are set to Notify or Inform.
SNMP v3 Specify the following:
Encryption protocol: AES, DES
Authentication protocol: SHA, MD5
Username
Authentication passphrase
Privacy passphrase
ACCESS CONTROL
The Access Control tab provides the following areas to help provide security in the management of the unit.
Authorized Users
Authentication with RADIUS and TACACS+
Management Interface Access
Authorized Users
An administrator can create and delete user accounts, and set passwords and access privileges. Each user has a unique screen view, allowing visibility only to their assigned network and monitor ports with the ability to change settings allowed by their administrator.
A maximum of 10 different user accounts can be created per single IPB.
Figure 3.6 shows the Authorized Users area where you can add, modify, and delete users and configure access permissions and port access for each user.
Figure 3.6 - Access Control Page - Authorized Users
Table 3.5 - Access Control Page Elements
Page Element Description
User Provide a user name or ID for each authorized user. User names can contain spaces.
Click the +Add User button to create a new blank row.
Click the -Delete button to delete a user.
Click the Submit button to submit user updates.
Admin User - Do not rename or delete the admin user account.
Password, Confirm Enter a password in the Password and Confirm fields, typing carefully to ensure they match.
Password changes also affect the SSH/Telnet and serial port console.
Access Permissions Select the areas of the system for the user to have access
Accessible Ports Select the ports the user can access.
Authentication with RADIUS and TACACS+
All IPBs support both RADIUS and TACACS+ centralized authentication, with up to two authentication servers of each type. The order of authentication realms can be specified separately for serial port access and all other access, such as through the IPB Web UI.
To enable RADIUS or TACACS+ authentication in the IPB UI:
1. Select the applicable authentication order from the drop-down list available in the Access Control page:
Local authorized users only.
Local authorized users, then RADIUS.
Local authorized users, then TACACS.
RADIUS, then local authorized users.
RADIUS only (available on all interfaces except serial port).
TACACS only (available on all interfaces except serial port).
2. Click Radius 1, Radius 2, TACACS 1, or TACACS 2 to configure settings for the specified authentication server.
3. For RADIUS servers, enter the server IP address and secret, and click OK.
4. For TACACS+ servers, enter the server IP address, secret, service, and up to five alternate prompts for password entry that can be expected from the access control server, and click OK. The default prompt expected by the IPB is Password.
5. To enable accounting records for authentication to be generated, select On in the Accounting section.
6. Click Submit at the bottom of the page.
Figure 3.7 shows examples of configuring authentication realms.
Figure 3.7 - Access Control Page - Authentication
About IPB Parameters on External AAA Servers
When you configure an IPB to perform authentication on an external RADIUS or TACACS+ server, all of the authentication and authorization information for that user is stored remotely on the authentication, authorization, and accounting (AAA) server, not on the IPB. This means that you cannot use the IPB Web UI to set permissions for these users.
Instead, you must specify authorization and authentication fields in the configuration of the external server. Sometimes this is done in a different graphical user interface specific to that server; other times, you must edit plaintext configuration files that reside on the server.
Regardless of which type of external configuration you need to perform, you must specify a certain set of authorization rules for the IPB.
On a RADIUS server, these authorization rules are usually stored as a Filter ID; on a TACACS+ server, they usually are configured as part of an access control list. The authorization rules have the form:
Ports=portlist;Access=accesslist
where portlist is a comma-separated list of ports to which the user will be granted access, and accesslist is a comma-separated list of functions which the user will be allowed to perform on the NPB. Either list can be replaced by an asterisk to indicate all ports or all permissions.
Table 3.6 lists valid values for accesslist and their corresponding selections in the IPB Web UI:
For example, these are two valid authorization rules:
Ports=*;Access=*
Ports=1/1,1/2,1/3,1/4,1,2;Access=SystemSettings,Filters,FilterMaps
The details of configuring external AAA servers are beyond the scope of this manual. For more information, refer to the documentation for specific servers.
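One way to audit Ports=...;Access=... rules before they are entered on a RADIUS or TACACS+ server, added here as an example and not part of the vendor's software. It assumes case-sensitive field names and keywords, ports written as N or N/N as in the example rule above, and the constructed user names and rules in SAMPLE_RULES.

```python
import re

# accesslist keywords from Table 3.6 of this guide.
VALID_ACCESS = {"FilterMaps", "Filters", "MonitorPorts", "NetworkPorts", "SystemSettings"}

# Assumption: a port is written "N" or "N/N", the two shapes in the guide's example rule.
PORT_RE = re.compile(r"\d+(/\d+)?")


def _split_list(value):
    """Split a comma-separated list, dropping surrounding whitespace and empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_rule(rule):
    """Parse one rule; return (ports, access, findings).

    ports and access are "*" (everything), a list of strings, or None if the
    field is missing. findings lists malformed parts and over-broad grants.
    """
    findings = []
    fields = {}
    for part in rule.split(";"):
        if not part.strip():
            continue  # assumption: a stray or trailing ';' is harmless
        key, sep, value = part.partition("=")
        key = key.strip()
        # Assumption: field names and keywords are case-sensitive, as printed.
        if not sep or key not in ("Ports", "Access"):
            findings.append(f"unrecognized field {part.strip()!r}")
        elif key in fields:
            findings.append(f"duplicate {key} field")
        else:
            fields[key] = value.strip()

    parsed = {}
    for key in ("Ports", "Access"):
        value = fields.get(key)
        if value is None:
            findings.append(f"missing {key} field")
            parsed[key] = None
        elif value == "*":
            findings.append(f"{key}=* grants everything")
            parsed[key] = "*"
        else:
            items = _split_list(value)
            if not items:
                findings.append(f"empty {key} list")
            if key == "Ports":
                bad = [p for p in items if not PORT_RE.fullmatch(p)]
            else:
                bad = [a for a in items if a not in VALID_ACCESS]
            if bad:
                findings.append(f"invalid {key} value(s): {', '.join(bad)}")
            parsed[key] = items
    return parsed["Ports"], parsed["Access"], findings


def audit_inventory(rules_by_user):
    """Return {user: findings} for every user whose rule has at least one finding."""
    report = {}
    for user, rule in rules_by_user.items():
        findings = audit_rule(rule)[2]
        if findings:
            report[user] = findings
    return report


# Constructed sample: rules as they might be listed from an AAA server's user database.
SAMPLE_RULES = {
    "noc-admin": "Ports=*;Access=*",
    "analyst": "Ports=1/1,1/2,1/3,1/4,1,2;Access=SystemSettings,Filters,FilterMaps",
    "contractor": "Ports=1/1;Access=Filter,MonitorPorts",
    "intern": "Ports=1/5",
}

if __name__ == "__main__":
    for user, findings in audit_inventory(SAMPLE_RULES).items():
        print(user, "->", "; ".join(findings))
```

Wildcard rules are reported rather than rejected, so the output doubles as a list of accounts that hold full access to the unit.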
Table 3.6 - accesslist Valid Values
Parameter Corresponding selection in IPB Web UI
FilterMaps Map Settings
Filters Libraries
MonitorPorts Monitor Port Settings
NetworkPorts Network Port Settings
SystemSettings System Settings
Management Interface Access
Each of the unit’s management interfaces may be individually enabled or disabled. You can control the following interfaces (Figure 3.8):
Serial (RS-232) Console
Telnet Console
SSH (secure/encrypted)
Web browser HTTP (non-encrypted)
Web browser HTTPS (secure/encrypted)
For maximum security, configure the IPB to allow only Serial, SSH, HTTPS and LCD/Front Panel interfaces.
Figure 3.8 - Access Control Page - Management Interface Access Settings
Access Override
Because the unit has multiple management interfaces and is multi-user, there is the possibility of multiple users attempting to control the unit at the same time. The device has an access control override feature to facilitate management of the unit in an orderly fashion. This override feature allows you to make temporary changes to the access control settings, either for a fixed time period or indefinitely (until the override is canceled).
The use of access control overrides allows the setting of conservative (very limited) normal access control settings, with more liberal temporary settings whenever greater access is needed. For example, for greater security, it might be desirable to normally limit access to only the serial/RS-232 console, but when remote access is required, a temporary access control override can be set to allow the use of other interfaces (e.g. the web browser).
Override options include:
Temporary Access Override - for an indefinite override
Timed Access Override - for a time-limited override
The override CLI command also provides a temporary access override.
Specified with a numeric parameter, this sets a time-limited override, such as to enable all management interfaces for 60 seconds.
Specified without any numeric parameter, this sets an indefinite override (not time-limited).
To cancel any access control override, use the “override off” command.
SAVE AND LOAD CONFIGURATIONS
Save Settings
Figure 3.9 shows how to save the current applied configuration out to a file on the local PC or a network drive associated with the local PC. The user right-clicks on the IPB’s Configuration hyperlink, and then uses the Save As function to save the configuration to the desired directory and filename. The .vss extension is the default.
Figure 3.9 - Save Configuration Page
Load Settings
Figure 3.10 shows how to upload a previously saved configuration from a file located either on the local PC or a network drive associated with the local PC. The file is accessed by clicking the Browse button, selecting the appropriate file (.vss is the default extension), and then clicking the Load Settings button to upload the configuration.
Figure 3.10 - Load Configuration Page
SOFTWARE UPGRADING
It is recommended to upgrade the IPBs by creating software campaigns in Iris Admin. Refer to the IPB Hardware Installation and Maintenance Guide for details about IPB upgrade campaigns.
However, in case of communication issues between the IrisView server and IPBs, refer to this procedure.
Figure 3.11 shows that the System Software screen provides two ways for upgrading your system software:
Add New Option Key
Update Software to New Release
Figure 3.11 - Add New Option Key and Load New Software Fields
Add New Option Key
Perform the following to add a new option key.
Step Action
1. Locate the MAC address (visible in the top left side of the lower right frame) and the unit’s serial number (located on the back of the unit, if not in the top left side of the lower right frame).
2. Send a request, via phone or email, to Customer Support to obtain a license for the new feature (which should have been purchased already).
3. Once the license key has been received, type or copy & paste the key into the “To add a new option, enter the Option Key” field.
4. Click on the Add Option button. The new software option should now appear on the screen, under “Installed Option.”
Update Software to New Release
Please also consult Customer Support before installing this software update on your product to ensure compatibility.
For the update, please follow these steps:
Step Action
1. Save the xxx_REL-xxxxxxxxxx-x.x.xxx software files to an easily accessible location (such as your Desktop).
2. Log into the web interface of the VSS device that will be receiving the update.
3. Save the current configuration to a local machine, prior to the next step.
4. Click on the System Software link on the left side of the interface.
5. Click on the “Browse…” button under the “Software Update” tab, and locate and double click on the software update file xxx_REL-xxxxxxxxxx-x.x.xxx.
6. Click the Begin Software Upload button. The “Loading…” message will appear while it uploads. It is important that this process is NOT interrupted. Typically it takes less than two minutes to load the software file.
7. Wait until you receive the message “System software version xxx_REL-xxxxxxxxxx-x.x.xx has already been loaded and will be installed on the next system restart”. Only after this message is displayed is it safe to restart the device.
8. Restart the system by clicking the “Restart Now” button at the bottom of the screen.
Confirm the system restart by clicking “OK” on the subsequent popup warning. The software is updated during the restart cycle which takes approximately two minutes to complete. The network is only interrupted at most for a few seconds during this process, while auto-negotiation restarts.
9. Log into the unit and confirm the updated software version number now appears on the left side of the screen under the “System Software” link.
Software Rollback Procedure
For IPB products, software rollback to an earlier version is simply done by loading the desired software version.
IPB Base Feature Set
OVERVIEW
This chapter provides detailed descriptions for the IPB system software features. Refer to the following sections for details:
Filtering
Triggers
vMesh
VLAN Tagging
Refer to IPB Features per Model for a summary of features supported on each IPB model.
FILTERING
The ability to filter traffic before directing it to monitoring and analysis tools is a key feature of IPBs. By providing a way for tools to see multiple network access points simultaneously, aggregation of traffic helps to increase network visibility for monitoring, security, and acceleration tools. However, this benefit can quickly become problematic for IT and security professionals as bandwidth increases on the aggregate pipes. Removing superfluous packets with filtering at the point of access mitigates these issues.
By default, IPBs copy all traffic received on the network input port(s) and forward it to the monitor output port(s) as defined by the user through selective aggregation monitor settings. By adding a filter (or filters) to that traffic, users can define which packets are passed to the monitor port(s) based on packet content.
With filtering disabled (the default) all network port packets are copied to the appropriate monitor and/or service ports. With filtering enabled, only selected packets are copied to the monitor or service ports, based upon user-selected packet filtering conditions. In either case, only the monitor and/or service port output is affected; the data passing from one network port to another (when configured as inline TAP ports) is always unaffected and is passed through completely transparently.
Each of the network ports can be configured with its own set of filters. As a configuration convenience, the IPB can be configured with a single set of filters which applies to all network ports (or to both ports of a Tap pair). Using filtering, it is possible to configure the IPB to select a desired subset of network traffic for monitoring, and to further direct specific packet types to the desired monitor and/or service ports. See Figure 4.1.
Figure 4.1 - Filtering Overview
Each filter is defined as a set of user-specified data values which will be compared to the first 128 bytes of data in each packet.
These comparison values are specified for one or several standard packet fields (e.g. the MAC destination address field). Packets which contain the specified data values in the specified packet fields result in a filter “match” (“true”). Packets which do not contain the specified data values are a “non-match” (“false”).
Each filter can be configured so that only matching packets are copied (in order to monitor only the specified type of packet), or so that all packets except matching packets are copied (in order to monitor all except the specified type of packet). Matching packets can be defined by complex expressions.
Filtering and Latency
Filtering is implemented in hardware, requiring no software or CPU processing. Thus, it operates in real time, introducing virtually no latency from the network inputs to the monitor outputs.
Basic Filtering Workflow
To enable filtering, these general steps must be performed:
Decide how your traffic should be filtered.
Create appropriate filter conditions in the filter library.
Create port mappings that use the filter conditions you created.
Creating a filter library does not by itself cause filtering to occur. Instead, the expressions in the filter library must be applied to one or more monitor port mappings on the Monitor Settings page.
About the Filter Library
User-defined filters are stored within a Filter Library. A collection of many filters can be predefined by the user, and then specific filters called upon as the need arises. Once a filter has been defined in the library, that filter can then be used repeatedly on multiple ports at any time without the need to re-define the entire filter each time.
Filters are identified by user-defined symbolic names. There is currently a limit of 950 characters that can be entered to define a particular filter. This limit is separate from those described for applying filters.
Creating and Editing Filters
The top-left of the Filter Library page displays a list of the currently-defined filters. To view an existing filter, simply click once on the name of the filter.
To add a new filter to the Filter Library, click once on “+ Add new filter”. In the entry box labeled “Filter Name”, type the desired symbolic name for the new filter; enter the new filter specifications in the fields below, then click the “Save Filter” button to add the new filter to the library.
To change an existing filter, first select the filter by clicking once on its name, and then enter the new filter specifications in the fields below; finally click the “Save Filter” button. Note that changing an existing filter will automatically update the filter on all ports to which the filter has already been applied.
To remove an existing filter, first select the filter by clicking once on its name, and then click the “Delete Filter” button. A pop-up dialog box will ask for confirmation before deleting the filter.
Below the filter list is a text input field showing the text of the selected filter conditional expression. You can enter a conditional expression directly into the input field if desired. Alternatively, below the conditional expression are three tabs labeled Quick, Detailed, and Advanced. Each of these represents a different way to configure the filters, although all result in a single conditional expression which becomes a part of the Filter Library.
The Quick tab and the Detailed tab both provide a template framework to create a filter. The Advanced tab lists the command structure that you can use to manually create more complex conditions.
Using the Quick Tab
In most cases, the Quick tab is the easiest way to configure filters, and is recommended and appropriate for most filtering situations. This tab allows easy specification of MAC address, IP address, and/or protocol.
Figure 4.2 - Creating a Filter in the Quick Tab of the Filter Library
Using the Detailed Tab
The Detailed tab allows more advanced configuration of the individual conditions. This tab allows configuration of parameters not available under the Quick tab, including VLAN ID and IP Type of Service (TOS).
The Detailed tab contains input fields to configure all of the possible fields to compare against received packets. To change a setting, simply click within the field and enter the desired value. To remove (disable) a setting (to make it “don’t care” or “any value”), simply click within the field and delete the field value (making it empty or blank). Fields for which settings have been made (non-blank fields) will be highlighted on the screen for emphasis; blank fields are not highlighted.
Using the Advanced Tab
The Advanced tab facilitates direct entry of the text of a conditional expression. Directly entering the conditional expression allows for complex combinations of ANDing and ORing, which would not be available from the other tabs. This tab displays a help screen showing the available packet fields and their associated expression keywords. To directly enter an expression, click in the “Condition” input box and type the desired expression.
Switching Filter Tabs
Be aware that all three of the tabs create a single conditional expression (each is just a different method of creating an expression). Entering something on one tab will create new text (visible in the “Condition” text box) that will overwrite anything that might have been previously entered using a different tab. That is, if you create a filter in the Advanced tab, the filter settings will be overwritten if you then use the Quick tab to modify these settings.
Figure 4.4 - Creating a Filter in the Advanced Tab of the Filter Library
If you go from less advanced to more, you retain the settings. If you go from more to less, you lose the settings.
Special filters: Unfiltered and Nonmatch
Two built-in filters cannot be deleted or modified:
(Unfiltered): Sends traffic completely unfiltered from the selected network input port(s) to the selected monitor output port(s).
(Nonmatch): Sends traffic that does not match the Monitor Settings above it from the selected network input port(s) to the selected monitor output port(s).
As you add rows when applying several filters to the same input ports, you are applying the filtering to traffic that was a “non-match” to the filter in the row above it.
In this manner, you can sequentially apply filters to the same traffic, whittling it down to smaller and smaller amounts of “non-match” traffic. This technique can be used to apply an “is not” filter in that you would apply a filter that has no Monitor output and create the next row with a “non-match” filter condition that is mapped to the desired output port.
Filter Condition Comparison Fields
The following packet fields can be compared within any filter:
Table 4.1 - Filter Condition Comparison Fields
MAC Source Address Ethernet (IEEE 802.3 - layer 2) source address
MAC Destination Address Ethernet (IEEE 802.3 - layer 2) destination address
Etype Ethernet Type
VLAN ID IEEE 802.1q VLAN ID (if a tagged packet)
Priority IEEE 802.1p/q Priority (if a tagged packet)
IP Source Address IP (layer 3) source address (if an IP packet)
IP Destination Address IP (layer 3) destination address (if an IP packet)
IPv4 Type of Service IP Type of Service field (if an IPv4 packet)
IPv6 Traffic Class IP Traffic Class field (if an IPv6 packet)
IPv6 Flow IP Flow field (if an IPv6 packet)
IPv4 Protocol IP Protocol field (if an IPv4 packet)
IPv6 Next Header IP Next Header field (if an IPv6 packet)
TCP/UDP Source Port TCP or UDP Source Port field (if a TCP/UDP packet)
TCP/UDP Destination Port TCP or UDP Destination Port field (if a TCP/UDP packet)
Custom User-specified
A filter condition <expression> is specified with packet field names, and values to be compared against the packet field:
packet field [=] value
Multiple comparisons may be joined using the keywords “and” or “or”. Compound expressions (using “and”/“or”) are evaluated left-to-right, but an explicit evaluation order may be specified using “(” and “)”. For example:
mac source = 00AA00112233
Ethernet source 00AA00112233 or Ethernet destination 00AA00112233
(destination IP address 1.2.3.4 or source IP address 1.2.3.4) and IP port=6
Offset Filters
Offset (custom) filtering allows the user to create a byte filter window, beginning at the MAC, IP, TCP, or UDP header, for comparison with all packets that pass through the filter. Within the “window”, the user specifies an offset from the beginning of the “window” and the desired hexadecimal data pattern to be compared to received packets.
For example, offset 6 (MAC header plus 6 bytes) against the pattern “00dd00112233”.
As another example, IP offset 15 = 02 specifies a comparison of the last byte of the IPv4 Source field (IP header plus 15 bytes) against the single-byte pattern “02”.
Masking
A “mask” command is a qualifier for the data pattern entered in bits. It causes the specified mask value to be “ANDed” with the packet data. The result is compared with the comparison data entered, and if the two are equal, the filter sees a match.
This masking feature allows the user to isolate single bits or groups of bits as desired (for filtering on partial bytes). For example, to filter only packets where the low-order bit of the IPv4 Source address is a 1, specify IP offset 15 = 01 mask 01.
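The offset and mask comparison described above, modelled in Python as an added example (not IPB firmware or vendor code). Assumptions: only the MAC and IP windows are modelled, VLAN tags are skipped to locate the IP header, and a pattern that extends past the 128-byte comparison window is treated as a non-match; the frames are constructed.

```python
import struct

COMPARE_WINDOW = 128                     # filters see only the first 128 bytes of a packet
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}    # TPID values listed in this guide
IP_ETYPES = {0x0800, 0x86DD}             # IPv4, IPv6


def header_base(frame, base):
    """Return the index where the named window starts, or None if the header is absent."""
    if base == "mac":
        return 0
    if base != "ip":
        raise ValueError("only the 'mac' and 'ip' windows are modelled in this example")
    pos = 12  # EtherType position in an untagged frame
    while len(frame) >= pos + 2:
        etype = struct.unpack_from("!H", frame, pos)[0]
        if etype in VLAN_TPIDS:
            pos += 4  # assumption: each VLAN tag is skipped to reach the IP header
            continue
        return pos + 2 if etype in IP_ETYPES else None
    return None


def offset_match(frame, base, offset, pattern_hex, mask_hex=None):
    """Model '<base> offset <offset> = <pattern> [mask <mask>]' against one frame."""
    pattern = bytes.fromhex(pattern_hex)
    mask = bytes.fromhex(mask_hex) if mask_hex else b"\xff" * len(pattern)
    if len(mask) != len(pattern):
        raise ValueError("mask and pattern must have the same length")
    start = header_base(frame, base)
    if start is None:
        return False
    start += offset
    end = start + len(pattern)
    # Assumption: bytes outside the comparison window (or the frame) never match.
    if end > min(len(frame), COMPARE_WINDOW):
        return False
    # The mask is ANDed with the packet data, then compared with the pattern,
    # so a pattern bit that the mask clears can never match.
    return all((d & m) == p for d, m, p in zip(frame[start:end], mask, pattern))


def build_frame(src_ip, vlan_tag=False, pad_to=0):
    """Constructed Ethernet/IPv4 frame (checksum left at zero) for the checks below."""
    dst_mac = bytes.fromhex("00aa00112233")
    src_mac = bytes.fromhex("00dd00112233")
    tag = bytes.fromhex("81000064") if vlan_tag else b""
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0]) + bytes(src_ip) + bytes([10, 0, 0, 2])
    frame = dst_mac + src_mac + tag + b"\x08\x00" + ip
    return frame + bytes(max(0, pad_to - len(frame)))


if __name__ == "__main__":
    odd = build_frame((10, 0, 0, 3))
    print("MAC offset 6 = 00dd00112233:", offset_match(odd, "mac", 6, "00dd00112233"))
    print("IP offset 15 = 01 mask 01:  ", offset_match(odd, "ip", 15, "01", "01"))
    print("IP offset 15 = 03 mask 01:  ", offset_match(odd, "ip", 15, "03", "01"))
```

The last call returns False even though the source address ends in 03: the mask clears bit 1 of the packet byte before the comparison, so the pattern must itself be written as already masked.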
Packet Fields
The following packet field names can be used in a condition <expression>:
Table 4.2 - Filtering Packet Fields
Columns: Packet Fields; Alternate Forms; v2; v3; Comparison Value
mac source
Alternate forms: mac source address, Ethernet source [address], source <mac|ethernet> [address]
Comparison value: 48-bit Ethernet address, entered as 12 hexadecimal digits, with optional embedded space, ‘-’ or ‘:’ characters for readability, e.g.: 00dd00 112233.
mac destination
Alternate forms: <mac|ethernet> dest[ination] [address], dest[ination] <mac|ethernet> [address]
Comparison value: [same as mac source].
etype
Alternate forms: [mac|ethernet] etype
Comparison value: 16-bit hexadecimal value (four hexadecimal digits).