Direrctor Xstream

Transcription

Direrctor Xstream

User Guide
Data Monitoring Switch
Doc. 800-0142-001 Rev A PUBDIRXU 2/10
PLEASE READ THESE LEGAL NOTICES CAREFULLY.
By using a Net Optics Director Xstream device you agree to the terms and conditions of usage set forth by Net Optics, Inc.
No licenses, express or implied, are granted with respect to any of the technology described in this manual. Net Optics retains all intellectual
property rights associated with the technology described in this manual. This manual is intended to assist with installing Net Optics products into
your network.
Trademarks and Copyrights
© 2008-2010 by Net Optics, Inc. Net Optics is a registered trademark of Net Optics, Inc. Director Xstream is a trademark of Net Optics, Inc.
Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.
Additional Information
Net Optics, Inc. reserves the right to make changes in specifications and other information contained in this document without prior notice. Every
effort has been made to ensure that the information in this document is accurate.
Director Xstream
Contents
Chapter 1
Introduction............................................................................................... 1
Key Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
About this Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Director Xstream Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Monitoring Links In-line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Director Xstream Front Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Director Xstream Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 2
Installing Director Xstream..................................................................... 10
Plan the Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Installation in a Restricted Access Location in Finland and Norway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Unpack and Inspect the Director Xstream device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Install SFP+ and SFP transceiver modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Rack Mount the Director Xstream device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Connect Power to Director Xstream. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Warnings and Symbols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Connect the local CLI Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Connect the remote CLI Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Use the CLI Help Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configure Director Xstream using the CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Change the Director Xstream Login Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Assign a New Director Xstream IP Address, Netmask, and Gateway IP Address. . . . . . . . . . . . . . . . . . . 20
Disable a Port or Change Port Speed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Save and Load Director Xstream Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Use the CLI Command History Buffer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Understand the Commit Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Connect Span Ports to Director Xstream . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Connect Director Xstream to the Network with In-line Taps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Connect Monitoring Tools to Director Xstream. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configure a Matrix Switch connection in Director Xstream . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Check the Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Director Xstream
Chapter 3
Configuring Filters Using the CLI............................................................ 26
Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Copy Traffic From Any Network Port to Any Monitor Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Aggregate Traffic From Any Set of Network Ports to Any Monitor Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Regenerate Traffic to Any Set of Monitor Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Create Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Create Complex Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
View Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Understand Filter Interactions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Exclusive filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Understand Pending and Active filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
User interactions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Understand Filter Capacity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Appendix A
Director Xstream Specifications............................................................. 40
Appendix B
Command Line Interface......................................................................... 42
Director Xstream CLI Quick Reference.................................................. 43
Table of CLI Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Filter qualifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Appendix C
Protocol Numbers.................................................................................... 47
Director Xstream
Chapter 1
Introduction
Net Optics Director Xstream is a key component for building a comprehensive, consolidated 10 Gigabit monitoring
infrastructure for both network management and security. It extends the range of visibility for data monitoring across
converged data and digital voice networks, while eliminating monitoring port contention and minimizing the number
of tools needed to optimally manage the network.
A single Director Xstream device enables you to tap into multiple network links, and direct copies of their traffic to
multiple monitoring ports. It includes aggregation and regeneration functions, so the link-to-monitor-port mapping
can be one-to-one, one-to-many, many-to-one, or many-to-many. In addition, it provides filtering: Each monitor port
can be programmed to receive only traffic meeting user-defined filter criteria based on protocol, source and destination addresses, and other criteria. This filtering capability enables specific types of traffic such as voice over IP (VoIP)
to be directed to particular monitoring tools.
10Gbps
IDSRMON
Analyzer 1
Analyzer 2
Forensic
FTP
DHCP
UDP
HTTP
Tap
10Gbps
10Gbps
10Gbps
10Gbps
Management
10Gbps
Figure 1: Director Xstream in a typical application
1
10Gbps
Port
Aggregator
10Gbps
Director Xstream
Matrix switching, aggregation, and regeneration
Each Director Xstream chassis supports twenty 10-Gigabit or 1-Gigabit network links using external in-line taps or Span
ports. Four ports are provided for attaching monitoring tools, .Network and Span ports can be aggregated and regenerated
to output ports in almost any combination. In fact, any port can be used for either a network input or a monitor output—or
both at the same time if you split the TX and RX fibers in your cable.
Modular design
Director Xstream is modular to provide configuration flexibility. All 24 ports are SFP+ based, and accommodate either
10-Gigabit SFP+ transceiver modules or 1-Gigabit SFP modules. 10-Gigabit and 1-Gigabit modules can be used in any
mix, and Director Xstream will perform any necessary data rate conversions.
Monitor port-based filtering
Director Xstream avoids the confusion of pre-filtering versus post-filtering by strictly tying filtering to the monitor
ports. Each monitor port can be configured to have traffic from any number of network or Span ports directed to it, and
each monitor port can apply multiple protocol-, address-, and vlan-based filters to the traffic.
CRC Forwarding
Director Xstream forwards all packets to the monitoring data stream, even if they contain CRC errors, providing full
visibility of the network traffic.
Jumbo Packets
Director Xstream can be set to accept or reject jumbo packets, which are packets longer than the Ethernet standard
maximum length of 1,518 bytes. This feature can be turned on or off using the system set CLI command.
Director Xstream Management
Director Xstream is configured and managed using a command-line interface (CLI) that will be familiar to most
network administrators. The CLI can be accessed locally over and RS232 serial link, or remotely using a secure SSH
connection. GUI tools will be available soon.
Dual hot-swap power supplies
Director Xstream is powered by two redundant power supplies, with either universal AC or -48V DC input. Either
supply alone can power the device and the power supplies are hot-swappable, so you do not experience any monitoring
down time if you should need to replace a power supply.
Key Features
Ease of Use
•
•
•
•
10 Gigabit and 1 Gigabit aggregation, regeneration, matrix switch, and filter functions in a single device
19-inch rack frame, 1U high
Front-mounted connectors for quick and easy installation
LED indicators show Link, and Activity status
2
Director Xstream
• Modular design for configuration flexibility
• RMON statistics; data can be used to assemble XML-based end-user reports, or it can be exported to a third party
reporting tool such as a protocol analyzer
• Text-based command-line interface (CLI) available through RS232 serial port
• CLI also available remotely over secure SSH connection
• Field-upgradeable software
• RADIUS and TACACS+ authentication and authorization
• Compatible with all major manufacturers’ monitoring devices, including protocol analyzers, probes, data loss prevention,
database activity monitoring, Web application firewall, and intrusion detection and prevention systems
Filtering
• More than 1,000 filter elements per a chassis
• Exclusive (drop matched packets) and inclusive (pass matched packets) filters
• Filters based on
• Source and destination MAC addresses, or ranges of addresses
• Source and destination IP addresses, or ranges of addresses
• Source and destination ports, or ranges of ports
• IPv4 and IPv6 addressing
• VLAN
• All IP protocols such as ICMP, TCP, UDP, SCTP, and RDP
Passive, Secure Technology
•
•
•
•
•
•
Passive access at up to 10 Gbps
In-line links do not interfere with the data stream or introduce a point of failure
Optimized and tested for 1000Mbps copper and 1 and 10 Gbps fiber networks
Redundant power to maximize uptime
FCC, CE, VCCI, and C-Tick certified
Fully RoHS and WEEE compliant
Unsurpassed Support
• Net Optics offers technical support throughout the lifetime of your purchase. Our technical support team is available from
8:00 to 17:00 Pacific Time, Monday through Friday at +1 (408) 737-7777 and via e-mail at ts-support@netoptics.com.
FAQs are also available on Net Optics Web site at www.netoptics.com.
About this Guide
Please read this entire guide before installing Director Xstream. This guide applies to the following part numbers:
Chassis Part Number
Description
DIR-2400X
Director Xstream Main Chassis with 24 SFP+ ports
DIR-2400X-DC
Director Xstream Main Chassis with 24 SFP+ ports, -48VDC
3
Director Xstream
Director Xstream Architecture
The following diagram shows a schematic view of the internal architecture of the Director Xstream device. It is
modelled as a matrix switch with filtering. The black dots indicate aggregating matrix switch connections on the input
ports and regenerating matrix switch connections on the output ports.
1
4 SFP+ Monitor ports,
receive side
(inputs)
2
3
4
5
6
7
Aggregation
plane
8
9
20 SFP+ Network ports,
receive side
(inputs)
10
11
12
13
14
...
Aggregate the traffic
being received at
network ports 4, 7, 8
Logical-OR
filters 5, 6, & 7
24
Filters
Priority 1
2
3
4
5
6
7
8
9
10
11
12
13
14
...
1
2
Regenerate the traffic
to monitor ports 2, 4
3
4
4 SFP+ Monitor ports,
transmit side
(outputs)
5
Regeneration
plane
6
7
8
9
10
11
12
13
...
14
24
Figure 2: Director Xstream internal architecture
4
20 SFP+ Network ports,
transmit side
(outputs)
Director Xstream
Director Xstream can be viewed as a matrix switch with 24 inputs and 24 outputs. For convenience, four ports are
labelled monitor ports on the front bezel and twenty ports are labelled network ports, but all 24 ports are logically
equivalent: The input side and the output side of any port can be used in a filter, and they can even be used simultaneously
and independently if you split the transmit and receive fibers in your cable.
to Director Xstream port
Light travels
Light travels
Network connection –
from external Tap
or Span port
Monitor connection –
to monitoring device
Figure 3: Splitting a cable to use transmit and receive sides of a port independently
The upper half of the diagram is the aggregation plane. It enables the traffic from any set of input ports to be aggregated
and sent to a filter. For example, the three dots on the second vertical line in the aggregation plane indicate that the
traffic being received at network ports 8, 11, and 12 is being aggregated and sent to the filter at priority 2.
The lower half of the diagram is the regeneration plane. It enables the traffic leaving any filter to be replicated to any set
of output ports. For example, the two dots on the third vertical line in the regeneration plane indicate that the traffic out
of the filter at priority 3 is being regenerated to monitor ports 2 and 4.
The filters between the aggregation and regeneration planes represent the filter qualifiers such as protocol=TCP, IP
address=10.20.30.1. Each filter can also have several individual qualifiers logically AND'd together, such as port=80
AND VLAN=140. (A note on terminology: In the CLI, a filter definition includes the specifications of which ports
are inputs to and outputs from the filter. The set of filter qualifiers by itself may be referred to as a filter policy.) In
the Figure 2, the filters are arranged in priority order from left to right, where the left-most filter at priority 1 is the
highest priority, and the priority decreases moving to the right. The effect of the filter priorities is explained in the
Regeneration section of the list that follow this paragraph. A total of 128 IPv4 filters and 128 IPv6 filters can be created
simultaneously. Each filter can potentially have 10 or more qualifiers AND'd together, so the total number of filter
elements available in Director Xstream exceeds 2,560.
The connections (dots) shown in Figure 2 can be understood as follows:
• Matrix switch. Filter 1, on the first vertical line in the diagram, represents a 1-to-1 matrix switch type
connection, with the traffic from network port 2 being copied to monitor port 1. However, unlike a plain matrix
switch, filter qualifiers can also be applied to select particular traffic of interest to send to the monitor port.
• Aggregation. Filter 2 represents a many-to-one type connection, aggregating the traffic from three inputs,
network ports 8, 11, and 12, filtering it, and sending the traffic selected by the filter to monitor port 3.
• Regeneration. Filter 3 represents a one-to-many type connection, copying the traffic being received at network
port 8, filtering it, and sending copies of the traffic selected by the filter to two output ports, monitor ports 2 and 4.
Notice that the traffic from network port 12 is going into two filters, filters 2 and 3. Because filter 2 is higher
priority than filter 3, all of the traffic selected by filter 2 goes to its output port, monitor port 3. However, filter 3
only receives the traffic that was not selected by filter 2. The important point is that if traffic from the same input
port goes to more than one filter, the filters must be carefully constructed to make sure that each output receives
all of the desired traffic, that is, to be sure than higher priority filters do not "consume" traffic that is needed by
lower priority filters. This issue is discussed in more detail in Chapter 3.
5
Director Xstream
• Aggregation plus regeneration. Filter 4 represents a many-to-many type connection. Traffic from network
ports 9, 10, and 13 is aggregated, filtered, and regenerated to network ports 5, 7, 8, and 9. Notice that ports
labelled network on the front bezel are, in this case, being used as monitor outputs. In fact, network port 9 is
acting as both an input and an output simultaneously. The input traffic may be coming from an external Port
Aggregator Tap, and the output side of the port is connected to a monitoring device.
• Logical OR. It has already been mentioned that multiple filter qualifiers can be logically AND'd within one
filter policy. Figure 2 shows how to create a logical OR condition of different filter qualifiers. Traffic from
monitor port 2 (here being used as a network input) is directed to three filters, numbers 9, 10, and 11. The traffic
selected by the three filters is sent to network port 12 (here being used as a monitor output). A logical OR of the
qualifiers in filters 9, 10, and 11 has been created, because traffic selected by filter 5 OR selected by filter 6 OR
selected by filter 7 goes to network port 12. For example, the three filters could select traffic with three different
source IP addresses, and any traffic entering monitor port 2 originating from any of the three IP addresses will
be sent to network port 12.
• Complex filters. Filters 8 and 9 combine all of the above elements. Traffic from two input ports is aggregated;
the aggregated traffic is filtered by a logical OR of two sets of filter qualifiers; and the traffic selected by the
filters is regenerated to two output ports.
The CLI syntax for creating filters is explained in detail in Chapter 3. As an introduction, Figure 4 shows the CLI
commands that might be used to create the filters represented in Figure 2. Figure 5 shows how the filters would be
displayed in the CLI. Arbitrary filter qualifiers are included in the example for illustration purposes.
Net
Net
Net
Net
Net
Net
Net
Net
Net
Net
Net
Optics>
Optics>
Optics>
Optics>
Optics>
Optics>
Optics>
Optics>
Optics>
Optics>
Optics>
filter add
filter add
filter add
filter add
filter add
filter add
filter add
filter add
filter add
commit
in_ports=6 action=redir redir_ports=1
in_ports=8,11,12 ip_protocol=17 action=redir redir_ports=3
in_ports=8 vlan=120 action=redir redir_ports=2,4
in_ports=9-10,13 l4_src_port=80 l4_dst_port=80 action=redir redir_ports=5,7-9
in_ports=2 ip4_src=10.20.30.200 action=redir redir_ports=12
in_ports=3,4 ip4_src=10.20.4.0 ip4_dst=192.168.3.2 action=redir redir_ports=13-14
in_ports=3,4 ip4_src=192.168.3.2 ip4_dst=10.20.4.0 action=redir redir_ports=13-14
Figure 4: Creating the filters in Figure 2
6
Director Xstream
Net Optics> filter running
Filter #6
in_ports=2
mac_src=0:0:0:0:0:0/0:0:0:0:0:0
mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
ip4_src=10.20.30.205/255.255.255.255
ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0
l4_src_port=0/0
l4_dst_port=0/0
vlan=0/0,action=redir
redir_ports=12
Filter #1
in_ports=6
mac_src=0:0:0:0:0:0/0:0:0:0:0:0
mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
ip4_src=0.0.0.0/255.255.255.255
ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0
l4_src_port=0/0
l4_dst_port=0/0
redir_ports=1
Filter #7
in_ports=2
mac_src=0:0:0:0:0:0/0:0:0:0:0:0
mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
ip4_src=10.20.30.16/255.255.255.255
ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0
l4_src_port=0/0
l4_dst_port=0/0
redir_ports=12
Filter #2
in_ports=8,11,12
mac_src=0:0:0:0:0:0/0:0:0:0:0:0
mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
ip4_src=0.0.0.0/255.255.255.255
ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=17
l4_src_port=0/0
l4_dst_port=0/0
redir_ports=3
Filter #8
in_ports=3,4
mac_src=0:0:0:0:0:0/0:0:0:0:0:0
mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
ip4_src=10.20.4.0/255.255.255.255
ip4_dst=192.168.3.2/255.255.255.255
ip_protocol=0
l4_src_port=0/0
l4_dst_port=0/0
redir_ports=13,14
Filter #3
in_ports=8
mac_src=0:0:0:0:0:0/0:0:0:0:0:0
mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
ip4_src=0.0.0.0/255.255.255.255
ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0
l4_src_port=0/0
l4_dst_port=0/0
redir_ports=2,4
Filter #9
in_ports=3,4
mac_src=0:0:0:0:0:0/0:0:0:0:0:0
mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
ip4_src=192.168.3.2/255.255.255.255
ip4_dst=10.20.4.0/255.255.255.255
ip_protocol=0
l4_src_port=0/0
l4_dst_port=0/0
redir_ports=13,14
Filter #4
in_ports=9,10,13
mac_src=0:0:0:0:0:0/0:0:0:0:0:0
mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
ip4_src=0.0.0.0/255.255.255.255
ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0
l4_src_port=80/65535
l4_dst_port=80/65535
redir_ports=5,7,8,9
IPv4 filter resource utilization: 7%
Filter #5
in_ports=2
mac_src=0:0:0:0:0:0/0:0:0:0:0:0
mac_dst=0:0:0:0:0:0/0:0:0:0:0:0
ip4_src=10.20.30.200/255.255.255.255
ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0
l4_src_port=0/0
l4_dst_port=0/0
redir_ports=12
Net Optics>
Figure 5: Viewing the filters created in Figure 4
7
Director Xstream
Monitoring Links In-line
To tap a network link in-line, use an external network Tap. The Net Optics Fiber Tap HD is an ideal companion for
Director extreme. Fiber Tap HD packages eight fiber taps in a full-wide, 1/2-high chassis that does not require any
power or cooling.
Fiber Tap HD
1.5 U
Figure 6: Fiber Tap HD provides eight half-duplex breakout in-line taps in a half-height chassis
Director Xstream Front Panel
The features of the Director Xstream front panel are shown in the following diagram.
Port numbering
1
2
3
4
5
6
7
8
9
10
11
12
13
1
2
3
4
5
6
7
8
9
10
11
12
13
4 SFP+ Monitor Ports
14
15
16
17
18
19
20
21
22
14
15
16
17
18
19
20
21
22
23
23
24
24
20 SFP+ Network Ports
Figure 7: Director Xstream Front Panel
SFP+ Ports
The 24 SFP+ slots across the front panel accept either 10 Gbps SFP+ transceiver modules or 1 Gbps SFP transceiver
modules. Different speed transceiver modules can be populated in any mix and Director Xstream performs any
necessary data rate conversions. Unused ports can remain unpopulated.
All 24 ports are logically and electrically equivalent, and can be used as network inputs, monitor outputs, or both
simultaneously (using a split cable). The four ports on the left are labelled as monitor ports and the remaining ports are
labelled as network ports to suggest where you might attach equipment. The ports are numbered 1 through 24 from left
to right across the front panel.
Link and Activity LEDs
Each port has a Link LED and an Activity LED located above the port. The Link LED illuminates when the port has
established a good link. The Activity LED blinks when traffic is passing through the port.
8
Director Xstream
Director Xstream Rear Panel
The features of the Director Xstream rear panel are shown in the following diagram.
Management Port
Management
Port
Power Supply
Module
Power Supply
Module
1
0
1
0
Console
Port
AC Model
Console Port
Redundant Hot-swappable
Power Supplies
Management Port
Power Supply
Module
+
For use with -48V Only
-
-
Management
Port
Power Supply
Module
+
Console
Port
DC Model
Console Port
Redundant Hot-swappable
Power Supplies
Figure 8: Director Xstream Rear Panel
Near the middle of the rear panel are two RJ45 connectors. The top connector is the management port, a 10/100/1000
network port for the remote management interfaces and software updates. The CLI runs over an SSH connection through
this port. For maximum security you can connect the management port to an isolated management VLAN.
The bottom connector is the console port, an RS232 serial port for local access to the CLI.
At the right side of the rear panel are the dual redundant power supply modules. Director Xstream has two models,
one with AC power supplies (universal-input 100-240VAC, 47-63Hz) and one with -48V DC power supplies. In both
models, the power supply modules are hot-swappable and have integrated cooling fans. Any one power supply module
can power the unit independently; dual supplies provide redundancy to maximize uptime.
9
Director Xstream
Chapter 2
Installing Director Xstream
This chapter describes how to install and connect Director Xstream devices. The procedure for installing Director Xstream
follows these basic steps:
1. Plan the installation
2. Unpack and inspect the Director Xstream device
3. Install the SFP+ and SFP modules
4. Rack mount the Director Xstream device
5. Connect power to Director Xstream
6. Connect the command line interface (CLI) console port or management port
7. Log into the CLI
8. Use the CLI Help command
9. Configure Director Xstream parameters using the CLI
10.Connect Director Xstream to the network with Span ports and in-line links
11.Connect monitoring tools to Director Xstream
12.Configure a Matrix Switch connection in Director Xstream
13.Check the installation
Plan the Installation
Before you begin the installation of your Director Xstream device, determine the following:
• IP address of the Director Xstream device, or a range of IP addresses if you are deploying multiple Director
Xstream devices
• Net Mask and Gateway address for Director Xstream
• Port assignments and filters for the network and monitor port connections
Make sure you have a suitable location to install the Director Xstream device. For power redundancy, use two
independent power sources.
10
Director Xstream
Installation in a Restricted Access Location in Finland and Norway
Because of concerns about unreliable earthing in Finland and Norway, this equipment must be installed in a Restricted
Access Location (RAL) in these countries. An RAL is defined as an access that can be gained only by trained service
personnel who have been instructed about the reasons for the restricted access and any safety precautions that must be
taken. In these cases, the use of a tool (such as lock and key) or other means of security is required for access to this
equipment.
Unpack and Inspect the Director Xstream device
Carefully unpack the Director Xstream device, power supplies, and all cables that are provided. Director Xstream is
delivered with the following:
•
•
•
•
•
•
•
•
(1) Director Xstream device
(2) Power cords
(2) Cables, 3 Meter, RJ45, CAT 5e 4-Pair
(1) DB9-to-RJ45 RS232 adapter for use with the CLI
Screws and washers for mounting the device
Director Xstream Quick Install Guide
(1) CD containing the Director Xstream User Guide (this document) and CLI Command Reference manual
Extended Warranty if purchased
Check the packing slip against parts received. If any component is missing or damaged, contact Net Optics Customer
Service immediately at +1 (408) 737-7777. (Note: SFP+ and SFP modules are ordered and shipped separately.)
Install SFP+ and SFP transceiver modules
SFP+ and SFP transceiver modules are shipped separately. Install them as desired in the SFP+ slots in the front on the
chassis. For each module, remove the temporary plug from the SFP+ slot and insert the module until it clicks into place.
Unused ports do not need to be populated with transceiver modules.
Note:___________________________________________________________________________________________________
Net Optics warrants operation with SFP+ and SFP modules sold by Net Optics only.
________________________________________________________________________________________________________
Rack Mount the Director Xstream device
Director Xstream is designed for mounting in a 19-inch rack, occupying one rack unit of height. To mount the Director
Xstream device, simply slide it into the desired rack location and secure it using the supplied screws and washers at both
sides of the front panel. The chassis is not designed for rear mounts.
Connect Power to Director Xstream
Supply AC power to Director Xstream using the power cords that were included with the unit; for DC power, you must
supply your own cables. If you plan to use redundant power, make sure that you connect the power supplies to two
separate, independent power sources for maximum protection.
11
Director Xstream
Note:___________________________________________________________________________________________________
Each AC or DC power source should be independent of the other in order to have power redundancy. If you do not
require power redundancy, the unit can be operated with a single power cord connected to a single AC or DC power
source. In this case, either AC or DC power connector on the rear of the unit can be used for the connection.
________________________________________________________________________________________________________
Use the following procedures to safely connect AC or DC power to the unit.
Management
Port
1
0
1
0
Console
Port
AC Models
Independent Power Sources
Figure 9: Connecting redundant AC power supplies
-
-
+
+
Caution:_ ______________________________________________________________________________________________
Management
Port
Use the AC power cords supplied with the product. If you use other AC power cords, they should have a wire gauge of
at least 22 and a 230VAC 5A rating. Be sure to use a three-prong cords and connect them to sockets with good earth
DC Models
grounds.
Earth
________________________________________________________________________________________________________
Ground
Console
Port
Power Source 1
-48VDC
To connect AC input power on AC models:
Return
Power
Source
2 to one of the AC power connectors on the rear panel.
1. Connect one of the
AC power
cords
-48VDC
Return
2. Install a power supply clip over it to keep the AC power cord from accidently being unplugged from the AC power
connector.
3. Plug the other end of the cord into an AC power source.
4. Push the "1" side of the module's power switch to activate power.
The switch illuminates to indicate that power is active.
5. Repeat Steps 1 to 4 for the other AC power cord, connecting it to the remaining AC power connector on the rear
panel.
12
AC Models
Director Xstream
Independent Power Sources
+
-
-
Management
Port
+
Console
Port
DC Models
Earth
Ground
Power Source 1
Power Source 2
-48VDC
Return
-48VDC
Return
Figure 10: Connecting redundant DC power supplies
Caution:_ ______________________________________________________________________________________________
DC power cables should have a wire gauge of at least 16 and a 72VDC 4A rating.
Always connect the earth grounds first, and keep the earth grounds connected whenever you are working on the device.
When disconnecting the device from DC power, remove the earth ground connections last.
________________________________________________________________________________________________________
To connect DC input power on DC models:
1. If you have not already done so, unpack the Director Xstream and verify that you have appropriate DC power cables.
You also need a Phillips screwdriver to complete the installation.
2. If present, remove the protective covers from the DC power terminal blocks.
3. Connect an earth ground lead to the terminal labeled with the ground symbol ( ), which is the left-most terminal, on
both DC power terminal blocks on the rear of the chassis. Use the screwdriver to tighten the connections.
4. Connect one of the DC power cables to one of the DC power terminal blocks on the rear panel. Connect the
negative (-48VDC) side of the cable to the terminal labeled with the minus symbol (—) and the positive (0V)
side of the cable to the terminal labeled with the plus symbol (+). The minus terminal is in the center and the plus
terminal is on the right. Use the screwdriver to tighten the connections.
5. Repeat Step 4 for the other DC power cable, connecting it to the remaining DC power terminal block on the rear
panel.
6. Carefully connect the other ends of the DC power cables to two -48VDC power sources. If possible, turn off the
power to the power source while you are making these connections. Be sure to connect the positive sides of the
cables to the positive sides of the power sources, and the negative sides of the power cables to the negative sides
of the power sources.
13
Director Xstream
Warnings and Symbols
Warnings on product
WARNING: Warranty void if removed
Two of the labels illustrated above cover screws on the chassis top cover near the front corners. They prevent you
from taking the cover off without voiding your warranty. You should not take the cover off because there are no
user‑serviceable parts inside, and there is a danger of electrical shock.
Symbols on product
Indicates WEEE compliance
Indicates CE compliance
Indicates RoHS compliance
Indicates C-Tick compliance
Indicates VCCI compliance
Indicates MET compliance (U.S.A. safety)
Connect the local CLI Interface
All configuration options, filters, and status can be accessed using the Director Xstream Command Line Interface
(CLI). You can run the CLI locally over the RS232 serial port or remotely over the management port.
If you choose to run the CLI locally, connect a cable from the console RJ45 RS232 port on the back of the Director Xstream
chassis to your computer. You can use a standard CAT5 network cable such as the one supplied with the unit; an adapter
is provided to connect one end of the cable to a DB9 serial port on your computer. Alternately, you can obtain a USB
serial adapter from you local computer store, and use it to connect through a USB port on your computer.
The computer needs to have terminal emulation software such as HyperTerminal or minicom to access the
Director Xstream CLI.
14
Director Xstream
To connect the CLI for local use over the RS232 serial port:
1. Connect a PC with terminal emulation software such as HyperTerminal (or a Linux workstation running minicom)
to Director Xsrtream using a network cable and a DB9 or USB serial adapter.
Management
Port
1
0
1
0
Console
Port
RJ45 to DB9
adapter
Computer with terminal
emulation software
Figure 11: Connecting RS232 Cable to Director Xstream
2. Launch terminal emulation software and set the communication parameters to:
115200 baud
8 data bits
No parity
1 stop bit
No flow control
The Net Optics CLI banner and login prompt are displayed in the Terminal Emulation software.
***********************************************************
*
Net Optics Command Line Interface (CLI)
*
*
for Director
*
*
*
*
Copyright (c) 2008-2010 by Net Optics, Inc.
*
*
*
*
Restricted Rights Legend
*
*
*
* Use, duplication, or disclosure by the Government is *
* subject to restrictions as set forth in subparagraph *
* (c) of the Commercial Computer Software - Restricted *
* Rights clause at FAR sec. 52.227-19 and subparagraph *
* (c)(1)(ii) of the Rights in Technical Data and Computer *
* Software clause at DFARS sec. 252.227-7013.
*
*
*
*
Net Optics, Inc.
*
*
5303 Betsy Ross Drive
*
*
Santa Clara, California 95054
*
*
(408) 737-7777
*
*
e-mail: ts-support@netoptics.com
*
*
*
***********************************************************
user login:
Figure 12: CLI sign-on banner
3. Enter the user name. (The default user name is admin.) The Enter Password prompt is displayed.
15
Director Xstream
4. Enter the password. (The default password is netoptics.) For security, the password is not displayed as you type it.
The Help command is automatically executed and the CLI prompt is displayed.
login user: admin
password:
Net Optics> help
Director Xstream
Command
------------![#]
commit
del
filter
help
history
image
list
load
logout
ping
port
save
show
stats
sysip
system
upgrade
user
quit or exit
Main Help Menu
Description
--------------------------------------------------------- !number or up/down key for previous command
- activate pending configuration changes
- delete configuration file <filename>
- configure filters
- view CLI usage
- display command history list
- show and switch boot image
- list configuration files
- load configuration from <filename>
- exit current CLI session
- ping <ipaddr>
- configure ports
- save configuration to <filename>
- show configuration: ‘running', 'factory', or <filename>
- show or clear port statistics
- show and set system IP address
- show and set system parameters or restart system
- upgrade alternate boot image file
- manage user accounts
Net Optics>
Figure 13: Logging into the CLI
Tip!_ ___________________________________________________________________________________________________
If you leave the system password at its default value, your system will be vulnerable to unwanted intrusions. Be sure to
change it using the procedure Change the Director Xstream Login Password on page 20.
________________________________________________________________________________________________________
16
Director Xstream
Connect the remote CLI Interface
To run the CLI remotely, connect a network cable from a network switch to the management port on the back of the
Director Xstream chassis. Use any computer with an SSH client to access the CLI over the network.
Note:___________________________________________________________________________________________________
Before connecting to the remote CLI interface for the first time, you must connect to the CLI locally and use the
procedure on page 20 to assign Director Xstream an IP address that is available on your network.
________________________________________________________________________________________________________
Tip!_ ___________________________________________________________________________________________________
PuTTY is a freeware SSH client for Windows that can be downloaded from many sites on the Internet.
________________________________________________________________________________________________________
To connect the CLI for remote use over the Management port:
1. Connect the Director Xstream Management port to a network switch using a network cable.
2. Open Director Xstream from an SSH client on the network, using the IP address you assigned using the local CLI.
The SSH port is 22. Director Xstream displays the shell login prompt.
Note:___________________________________________________________________________________________________
Your SSH client might give you a security warning if the RSA key in Director Xstream is not known to the client, or
does not match the RSA key known to the client (because you have regenerated the RSA key in Director Xstream).
Different SSH clients can require different actions to enable them to accept the new RSA key. For example, in OS X
and many Linux/Unix SSH clients, you need to locate the file known_hosts in the hidden directory /.ssh/ and remove
the entry for the Director Xstream IP address, or simply delete the file.
________________________________________________________________________________________________________
3. Enter director to log into the shell. The shell asks for the password.
login as: director
director@10.60.4.180's password:
Figure 14: Shell login
Note: For some SSH clients, Steps 2 and 3 can be combined into a single command ssh director@10.60.1.180.
4. Enter netoptics as the password. For security, the password is not displayed as you type it. The Director Xstream
CLI runs and the CLI sign-on banner and help menu are displayed.
17
Director Xstream
login as: director
director@10.20.40.8's password:
Last login: Thu Sep 4 09:40:31 2008 from 10.30.10.2
***********************************************************
*
Net Optics Command Line Interface (CLI)
*
*
for Director
*
*
*
*
Copyright (c) 2008-2010 by Net Optics, Inc.
*
*
*
*
Restricted Rights Legend
*
*
*
* Use, duplication, or disclosure by the Government is *
* subject to restrictions as set forth in subparagraph *
* (c) of the Commercial Computer Software - Restricted *
* Rights clause at FAR sec. 52.227-19 and subparagraph *
* (c)(1)(ii) of the Rights in Technical Data and Computer *
* Software clause at DFARS sec. 252.227-7013.
*
*
*
*
Net Optics, Inc.
*
*
*
*
Santa Clara, California 95054
*
*
(408) 737-7777
*
*
e-mail: ts-support@netoptics.com
*
*
*
***********************************************************
Director Xstream
Command
------------![#]
commit
del
filter
help
history
image
list
load
logout
ping
port
save
show
stats
sysip
system
upgrade
user
quit or exit
Main Help Menu
Description
--------------------------------------------------------- !number or up/down key for previous command
- activate pending configuration changes
- delete configuration file <filename>
- configure filters
- view CLI usage
- display command history list
- show and switch boot image
- list configuration files
- load configuration from <filename>
- ping <ipaddr>
- configure ports
- save configuration to <filename>
- show configuration: ‘running', 'factory', or <filename>
- show or clear port statistics
- show and set system IP address
- show and set system parameters or restart system
- upgrade alternate boot image file
- manage user accounts
Net Optics>
Figure 15: Shell login as director (password "netoptics" is not displayed)
Use the CLI Help Command
To view CLI help information:
1. Enter Help (or ?) at the "Net Optics>" prompt. The Director Xstream Main Help Menu is displayed.
2. To view the syntax for changing Director Xstream filter parameters, enter help filter.
18
Director Xstream
3. Repeat Step 2 with the command of interest to view the syntax for any command available in the CLI.
For a complete description of all of the CLI commands, see Appendix B.
Tips!___________________________________________________________________________________________________
Help for an individual command is also displayed if the command is entered without the proper arguments.
The tab key or the space bar can be used to automatically complete words in the CLI. This function works for
commands as well as arguments. For example, typing the letter "i" followed by the tab key results in "image" being
entered in the command line. Likewise, "pi<tab>" auto-completes to the "ping" command. However, "p<tab>" does
not auto-complete, because it is ambiguous between the "ping" and "port" commands.
To display a list of sub-commands and arguments for any command, press the ? key after entering the command.
(A space is required between the command and the ?.) For example, type "filter add ?" to display a list of all the
arguments that can be used to complete the command.
________________________________________________________________________________________________________
Configure Director Xstream using the CLI
You should be logged into the Director Xstream CLI. The factory-set default values for Director Xstream are:
•
•
•
•
•
•
•
•
Username: admin
Password: netoptics
IP Address: 10.60.4.180 (address for remote CLI, and for Indigo manager software, when available)
Netmask: 255.0.0.0 (associated with IP Address)
Manager IP Address: 192.168.1.2 (address for SNMP traps)
Gateway IP Address: 10.0.0.1 (associated with Manager IP Address)
All ports enabled, full duplex, maximum speed, and autonegotiation on
Jumbo packets: Off
A complete list of CLI commands can be viewed by typing Help at the CLI prompt. It is also provided in Appendix B.
You will now use the CLI to:
•
•
•
•
•
•
Change the login password
Assign a new IP Address, Netmask, and Gateway IP Addresses
Disable a port or change port speed
Save and load Director Xstream configurations
Use the CLI command history buffer
Understand the commit commands
Your CLI screen should be displaying the "Net Optics>" prompt as shown here:
Net Optics>
If you do not see the "Net Optics>" prompt, try typing Help followed by the Enter key. If the prompt is still not
displayed, repeat the instructions in the preceding section Connect the local CLI Interface or Connect the
remote CLI Interface and log in again.
19
Director Xstream
Change the Director Xstream Login Password
It is strongly recommended that you change the login password from the default to provide security against
unauthorized access.
To change the login password:
1. Enter user mod name=admin pw=<new password> priv=1. The password is changed.
2. Record the new password in a secure location.
If you want to change the user name, use the user add command to create a new user account under that name. You can
use the user del command to delete a user account. (The admin account cannot be deleted unless another account with
admin privileges exists).
Assign a New Director Xstream IP Address, Netmask, and Gateway IP Address
Using the local RS232 serial interface to access the CLI, you need to configure the IP Address that will be used
to access the Director Xstream CLI over SSH, and also to communicate with Indigo management software, when
available. If Director Xstream must communicate through a Gateway to reach the network, then set the Gateway IP
Address for that Gateway.
If you are running the CLI remotely, you can change the IP Address, but when you do, you will lose your SSH
connection since it is talking to the old IP Address. In that case, initiate a new SSH session to the new IP address and
you can continue using the CLI remotely.
To assign a new IP Address, Netmask, and Gateway IP Address to Director Xstream:
1. Enter sysip show. The current IP Address, Netmask, and Gateway IP Address are displayed.
2. Enter sysip set ipaddr=<new ip address> mask=<new netmask> gw=<new gateway>. The IP Address, Netmask,
and Gateway IP Address are made pending.
3. Enter sysip show. Verify that the displayed "Pending Sysip Info" IP Address, Netmask, and Gateway IP Address are
the desired values.
4. Enter sysip commit to activate the new IP Address, Netmask, and Gateway IP Address.
Example:sysip set ipaddr=10.60.4.180 mask=255.0.0.0 gw=10.0.0.1
sysip commit
Note:___________________________________________________________________________________________________
The sysip set command requires that all three arguments are present.
The sysip changes must be committed using the sysip commit command. The simple commit command does not
commit sysip changes.
________________________________________________________________________________________________________
20
Director Xstream
Disable a Port or Change Port Speed
To disable a port, type port set ports=<n> admin=disable, where<n> is the number of the port you want to disable.
To enable a port, type port set ports=<n> admin=enable.
To view the current status of all of the ports, port show.
Tip!_ ___________________________________________________________________________________________________
You can change the modes of multiple ports in a single command by specifying the ports in the portlist. Use a comma
to separate items in the list, and use a dash (-) to indicate a range. For example, this portlist includes the first three
monitor ports and the first network port: ports=1-3,5
________________________________________________________________________________________________________
Note:___________________________________________________________________________________________________
By default, ports are disabled and the speed is 10000 (10G). To bring up all the ports, type port set ports=all
admin=enable speed=10000.
If you install 1G SFP transceivers in any ports, be sure to set their speed in the CLI to 1G by typing port set
ports=<n> speed=1000.
10/100/1000 SFP transceivers and 10 Mbps and 100 Mbps links are not currently supported.
________________________________________________________________________________________________________
Save and Load Director Xstream Configurations
The entire configuration of Director Xstream, including port configurations and filters, can be saved to and loaded
from files stored on Director Xstream's internal disk. When working with these files from within the CLI, specify only
a filename (up to 32 characters long) without an extension. The current configuration is kept in a file named running,
which is updated whenever a commit command is executed (but not filter commit—see Understand the Commit
Commands on page 22 ). This file is automatically loaded at power up or when the system is reset, so your configuration is persistent. However, you might want to save copies of various configurations that you use for different purposes.
For example, each person that uses the device can maintain a separate configuration.
To save the Director Xstream configuration:
• Enter save <filename> where <filename> is the name for this configuration. The configuration is saved.
To load a Director Xstream configuration:
• Enter load <filename> where <filename> is the name of a saved configuration. The configuration is loaded.
To view a list of all saved Director Xstream configurations:
• Enter list. A list of Director Xstream configurations is displayed.
To view a saved Director Xstream configuration:
• Enter show <filename> where <filename> is the name of a saved configuration. The configuration is displayed.
21
Director Xstream
Use the CLI Command History Buffer
You can save some typing by using the command history buffer maintained by the CLI. The up- and down-arrow keys
scroll forward and backward through the history buffer. To execute a command again, simply scroll to that command
and press enter. Alternately, you can scroll to a command and then edit it in-line before executing it. You can see a
history of all the buffered commands by entering the history command. Any command in the history buffer can be
accessed directly by entering ![#] where [#] is the number of the command in the buffer. Operation of the command
history buffer is illustrated in the following example.
Net Optics> show
show running - show running-configurations
show factory - show factory-configurations
show <filename> - show configurations in the file
Net Optics> list
Configuration Files
------------------test-1
test-3
Net Optics> help ping
ping <ipaddr> - ping specified IP address
Net Optics> sysip show
Active System IP Address
-----------------------IP addr: 10.60.4.178
IP mask: 255.0.0.0
Gateway: 10.0.0.1
Net Optics> history
1: show
2: list
3: help ping
4: sysip show
Net Optics> !3
Net Optics> help ping
ping <ipaddr> - ping specified IP address
Net Optics>
Figure 16: CLI command history buffer
Understand the Commit Commands
Many operations in Director Xstream follow a two-step process of first creating the changes you want, and then activating
them with some form of a commit command. Changes that have not been activated are called pending changes.
When changes are committed, they become active in Director Xstream and they become persistent, meaning that the
changes stay in effect even if Director Xstream is restarted or power-cycled. The only exception to this rule is that
the filter commit command makes pending filter changes active, but not persistent. filter commit can be used to try
out new filters, but the previous set of filter can be recovered by restarting Director Xstream. Filter changes become
persistent with a commit command, which can be executed with or without first executing a filter commit command.
The commit command is a global commit for all pending changes except for sysip changes.
22
Director Xstream
The following table lists all of the settings that use the pending/commit model, and tells you which commit commands
effect them.
Setting
Commit commands
filter add, delete, insert
commit
filter commit
Persistent?
yes
no
remote set
commit
remote commit
yes
yes
server add, del, mod
commit
server commit
yes
yes
snmp set, user_add, user_del, user_mod
commit
snmp commit
yes
yes
sysip set
sysip commit
(but not commit)
yes
system set
commit
yes
Connect Span Ports to Director Xstream
To connect Director Xstream to the network using Span ports, plug the appropriate cable into a Director Xstream port.
Plug the other end of the cable into the Span port of the switch. The Link LED for the port illuminates after a short
delay to indicate that a link has been established. If traffic is flowing from the switch Span port to the Director Xstream
port, the Activity LED blinks.
Repeat for all desired Span port connections.
1
2
3
4
5
6
7
8
9
10
11
12
13
Figure 17: Span port connections
23
14
15
16
17
18
19
20
21
22
23
24
Director Xstream
Connect Director Xstream to the Network with In-line Taps
To connect Director Xstream to the network using an in-line installation, use external taps or port aggregator taps. For
example, make an in-line connection using the Fiber Tap HD as shown in figure 18.
Full-duplex traffic
Fiber Tap HD
Half-duplex traffic x 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Figure 18: Making an in-line network connection using Fiber Tap HD
Note:___________________________________________________________________________________________________
If you cannot see data on a the monitor port of a fiber tap, you might have the TX and RX fibers reversed. Try
switching them to fix the problem. If the in-line link is passing data but you cannot see any monitoring data, try
reversing the TX and RX fibers on both of the link's network ports. In this case, you must reverse both of the ports
together in order to maintain the in-line link traffic.
________________________________________________________________________________________________________
Tip!_ ___________________________________________________________________________________________________
When using a half-duplex breakout tap (such as the Fiber Tap HD), the two half-duplex monitor data connectors can be
plugged into any of the Director Xstream ports. They do not have to be adjacent ports.
________________________________________________________________________________________________________
Connect Monitoring Tools to Director Xstream
To connect a monitoring tool to Director Xstream, simply plug the appropriate cable into the desired monitor port and
plug the other end into the monitoring tool. The Link LED for the port should illuminate after a short delay to indicate
that a link has been established. Repeat for all desired monitoring tool connections.
24
Director Xstream
Configure a Matrix Switch connection in Director Xstream
In order to monitor a network link, Director Xstream must be configured to copy the traffic from a network port to a
monitor port. A simple connection is described in this section, operating Director Xstream as a matrix switch. For more
complex switching and filtering, see Chapter 3.
To monitor the traffic being received on port 5 with the tool connected to port 2:
1. Enter filter add in_ports=5 action=redir redir_ports=2. The switch connection is pending.
2. Enter filter commit. The switch connection is activated.
3. Verify that traffic present on network port 1 is visible on monitor port 2.
Check the Installation
You have connected Director Xstream to the network, monitoring tools, and power. It should now be functioning
correctly. Check the status of the following:
• Check the link status LEDs located on the front panel to verify that the links are connected.
• Verify that traffic present on port 5 is visible on port 2.
25
Director Xstream
Chapter 3
Configuring Filters Using the CLI
This chapter describes how to use the CLI to determine which monitoring tools are connected to which network ports.
It also explains how to create filters to limit the amount of traffic copied to monitor ports, so the monitoring tools
receive only the traffic that is of interest to them.
In this chapter, you will learn to:
•
•
•
•
•
•
•
•
•
Copy traffic from any network port to any monitor port
Aggregate traffic from any set of network ports to any monitor port
Regenerate traffic from any aggregated set of network ports to any set of monitor ports
Create filters
Create complex filters
View filters
Understand filter interactions
Understand pending and active filters
Understand filter capacity
For a complete listing of filter commands in the CLI, see Appendix B.
Syntax
In the CLI, Director Xstream ports are numbered 1 through 24 going left to right across the front panel. The front panel
is labelled to show port numbers 1 through 4 as monitor ports, and 5 through 24 as network ports, but any port can be
included in a filter in_ports or redir_ports portlist. A portlist is a list of ports separated by commas; dashes can be used
to specify ranges; for example, 1,2,3 and 1-3 mean the same thing. Space characters are not allowed in portlists (do not
put a space after the comma).
When you define a filter, you specify an action to be taken when the filter conditions are met. The action can be either
drop or redir (meaning redirect). If the action is drop, then packets which meet the filter criteria are dropped, that is,
they are not copied to any monitor port. If the action is redir, then packets which meet the filter criteria are copied to all
monitor ports listed in the redir_ports=<portlist> argument.
Copy Traffic From Any Network Port to Any Monitor Port
Director Xstream can be used like a matrix switch to direct traffic from any network port to any monitor port. To create
a simple switch connection, use a filter add command without specifying any filter qualifiers. (Simple switches are still
referred to as filters, even if they don't perform any filtering action.)
The filter add command creates pending filters (including switch settings); they are not activated until a filter commit
command is executed. Any number of filter add commands can be issued prior to executing the filter commit command.
Other CLI commands can be executed between the filter add commands as well.
26
Director Xstream
Note:___________________________________________________________________________________________________
The filter commit command is similar to the commit command. However, filter commit activates the new filters
in a dynamic fashion; when Director Xstream is reset, the running configuration file is restored and the new filters
are lost. When a commit command is executed, the new filters are activated AND they are stored in the running
configuration file, so they survive a Director Xstream restart.
________________________________________________________________________________________________________
To monitor port 5 traffic on port 2, and port 7 traffic on port 1:
3. Enter filter commit. The switch connection is activated.
Port 5
Port 2
Port 7
Port 1
filter add in_ports=5 action=redir redir_ports=2
Figure 19: Matrix switch connections
Aggregate Traffic From Any Set of Network Ports to Any Monitor Port
Director Xstream can be used like a Port Aggregator or a Link Aggregator, copying traffic from multiple network ports
to any monitor port. The filter add command is again used to do this. The only difference from using the command to
connect a single network port to a single monitor port is that a list of network ports is specified.
To copy aggregated traffic from port 5 and port 24 to port 3:
1. Enter filter add in_ports=5,24 action=redir redir_ports=3. The aggregation connection is pending.
2. Enter filter commit. The aggregation connection activated.
Port 5
+
Port 3
Port 24
filter add in_ports=5,24 action=redir redir_ports=3
Figure 20: Traffic aggregation
27
Director Xstream
Regenerate Traffic to Any Set of Monitor Ports
Director Xstream can be used like a Regeneration Tap, copying traffic from a network port (or aggregated group of
network ports) to multiple monitor ports. The filter add command is used to do this. The only difference from using the
command to connect a single or multiple network ports to a single monitor port is that a list of monitor ports is specified.
To regenerate traffic from port 16 to ports 3, 4, and 5:
1. Enter filter add in_ports=16 action=redir redir_ports=3-5. The regeneration connection is pending.
2. Enter filter commit. The regeneration connection is activated.
Port 3
Port 16
Port 4
Port 5
filter add in_ports=16 action=redir redir_ports=3-5
Figure 21: Traffic regeneration
To aggregate traffic from ports 1 and 2 and regenerate the resulting stream to ports 9 and 10:
1. Enter filter add in_ports=1-2 action=redir redir_ports=9,10. The aggregation/regeneration connection is pending.
2. Enter filter commit. The aggregation/regeneration connection is activated.
Port 9
+
Port 10
Port 9
Port 10
filter add in_ports=1-2 action=redir redir_ports=9,10
Figure 22: Combined aggregation and regeneration
28
Director Xstream
Create Filters
Filters process a traffic stream by selecting packets based on criteria in the packet header. A filter is defined using a
filter add command, which also specifies the input (network) ports and output (monitor) ports the filter applies to.
The filter add command specifies the following behavior:
• Traffic is aggregated from all the listed input ports
• The aggregated traffic is compared to the filter qualifiers
• Packets which match all of the specified filter qualifiers are copied to all of the listed output ports, assuming the
action=redir
• If the action=drop, the matching packets are not copied to any output port; this mechanism is used to create
exclusive filters (see Exclusive filters on page 34)
To send port 1 a copy of all traffic received at port 5 from IP addresses 192.168.10.0 to 192.168.10.15:
1. Enter filter add in_ports=5 ip4_src=192.168.10.0 ip4_src_mask= 255.255.255.240 action=redir redir_ports=1.
A filter has been defined to select all IPv4 packets from port 5 with a source IP addresses of 192.168.10.0 and the
lowest four address bits masked out (ignored); packets matching the filter are copied to port 1.
2. Enter filter commit. The filter is activated.
Port 5
Source IP =
192.168.10.0
through
192.168.10.15
Port 1
filter add in_ports=5 ip4_src=192.168.10.0 ip4_src_mask= 255.255.255.240 action=redir redir_ports=1
Figure 23: Simple IP address filter with a mask
To create a filter that selects IPv4 packets by protocol:
1. Enter filter add in_ports=3 ip_protocol=6 action=redir redir_ports=6,8.
A filter has been defined to select all IPv4 packets received at network port 3 that use the TCP protocol and copy
them to monitor port 6 and monitor port 8. (Protocols are designated by an industry-standard numbering system. See
Appendix C for details.)
Port 3
Protocol =
TCP
Port 6
Port 8
filter add in_ports=3 ip_protocol=6 action=redir redir_ports=6,8
Figure 24: Simple IPv4 protocol filter (with regeneration)
29
Director Xstream
Available filter qualifiers are listed in Appendix B and include:
•
•
•
•
•
•
•
•
•
•
ip_protocol
ip4_src, ip4_src_mask
ip4_dst, ip4_dst_mask
ip6_src, ip6_src_mask
ip6_dst, ip6_dst_mask
l4_src_port, l4_src_port_mask
l4_dst_port, l4_dst_port_mask
mac_src, mac_src_mask
mac_dst, mac_dst_mask
vlan, vlan_mask
IP protocol
IPv4 source address and mask
IPv4 destination address and mask
IPv6 source address and mask
IPv6 destination address and mask
Layer 4 source port and mask
Layer 4 destination port and mask
Source MAC address and mask
Destination MAC address and mask
VLAN number
Create Complex Filters
Multiple filter qualifiers can be specified in a single filter add command. Packets must satisfy all of the filter qualifiers
to be selected; in other words, the filter qualifiers have a logical AND connection.
To select all TCP traffic arriving from IP address 192.186.10.0:
1. Enter filter add in_ports=5 ip4_src=192.186.10.0 ip_protocol=6 action=redir redir_ports=1.
A filter has been defined to select all TCP packets from network port 5 with a source IP address of 192.186.10.0;
packets matching the filter are copied to monitor port 1.
Port 5
Source IP =
192.186.10.0
Protocol =
TCP
Port 1
filter add in_ports=5 ip4_src=192.186.10.0 ip_protocol=6 action=redir redir_ports=1
Figure 25: Logical AND filter connection
A logical OR connection can be made between filters by specifying multiple filters with the same network and monitor
port lists.
To select all packets which are either TCP or UDP protocol:
1. Enter filter add in_ports=5 ip_protocol=6 action=redir redir_ports=1.
A filter has been defined to select all TCP packets from port 5 and copy them to port 1.
2. Enter filter add in_ports=5 ip_protocol=17 action=redir redir_ports=1.
Another filter has been defined to select all UDP packets from port 5 and copy them to port 1.
3. Enter filter commit. The filters are activated.
30
Director Xstream
Protocol =
TCP
Port 5
+
Port 1
Protocol =
UDP
filter add in_ports=5 ip_protocol=6 action=redir redir_ports=1
Figure 26: Logical OR filter connection
View Filters
To view a list of all pending filters, enter filter list. To view the active filters, enter filter running.
Net Optics> filter list
Filter #1
in_ports=5
mac_src=00:00:00:00:00:00/00:00:00:00:00:00
mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0006
l4_src_port=0000/0000,l4_dst_port=0000/0000,vlan=0000/0000,action=redir
redir_ports=1
Filter #2
in_ports=5
mac_src=00:00:00:00:00:00/00:00:00:00:00:00
mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0017
redir_ports=1
IPv4 filter resource utilization:
Net Optics>
1%
Figure 27: Filter list command
Tip!_ ___________________________________________________________________________________________________
The ID number (Filter #) shown above each filter in the filter list is the ID that applies for filter del id=<id> and
filter ins id=<id> commands, because all three commands act on the pending filter list. Do not use the IDs in a
filter running list as the reference for filter del or filter ins commands.
________________________________________________________________________________________________________
31
Director Xstream
Understand Filter Interactions
It is important to understand that Director Xstream uses Content Addressable Memory (CAM) technology to implement
filters. As each filter is defined, it is stored in the next available entry in the CAM. Each packet header is compared
in the CAM, and the CAM returns the index of the first filter that the packet header matches. That filter, and only that
filter, controls which monitoring ports receive a copy of the packet. Other filters are not executed for that packet. Therefore, filters are not completely independent; one filter can affect the operation of another.
Let's walk through an example of a filter interaction that might be unexpected.
First, we will set up a filter for an IP address:
filter add in_ports=5 ip4_src=192.186.10.0 action=redir redir_ports=1
filter commit
CAM
Port 5
Source IP =
192.168.10.0
Address
Port 1
1
Filter
port 5 → ip4_src=192.186.10.0 → port 1
Figure 28: A simple IP address filter, shown with CAM
All traffic from port 5 that comes from IP address 192.186.10.0 matches the first CAM entry and therefore is copied to
port 1.
Next, suppose we want another monitoring tool to see all the TCP traffic from port 5, so we set up this filter:
filter commit
CAM
Source IP =
192.186.10.0
Address
Port 1
Filter interactions
are not shown!
Port 5
Protocol =
TCP
Filter
1
port 5 → ip4_src=192.186.10.0 → port 1
2
port 5 → ip_protocol=TCP → port 2
Port 2
Figure 29: Incorrect flow diagram of two filters; filter interaction in CAM is neglected
Have we achieved our goal of sending all the TCP traffic to port 2? Not quite. When a TCP packet arrives from
192.186.10.0, it should go to both port 1 and port 2. What actually happens is that the packet matches the filter at CAM
address 1, so it is copied to port 1. But that is all that happens; it does not go to port 2. The flow is shown correctly in
the following diagram.
32
Director Xstream
CAM
Source IP =
192.186.10.0
Network Port 5
match
Monitor Port 1
Address
no match
Protocol =
TCP
Filter
1
port 5 → ip4_src=192.186.10.0 → port 1
2
Monitor Port 2
Figure 30: Correct flow diagram for two interacting filters
To achieve the desired result of sending all TCP traffic to monitor port 2, insert an additional filter at the top of the CAM to
sends traffic meeting both criteria to both monitor ports, by entering:
filter ins id=1 in_ports=5 ip4_src=192.186.10.0 ip_protocol=6 action=redir redir_ports=1,2
filter commit
The flow diagram now looks as follows.
CAM
Port 5
Source IP =
192.186.10.0
&
Protocol=
TCP
+
Address
Port 1
1
+
Port 2
no match
Source IP =
192.186.10.0
Filter
port 5 → ip4_src=192.186.10.0
ip_protocol=TCP → port 1, port 2
2
port 5 → ip4_src=192.186.10.0 → port 1
3
match
no match
Protocol =
TCP
filter ins id=1 in_ports=5 ip4_src=192.186.10.0 ip_protocol=6 action=redir redir_ports=1,2
Figure 31: Correct way to send all TCP traffic to monitor port 2
Now, packets that match both the IP address and protocol conditions are copied to both monitor ports, while packets
that match only one of the conditions are directed to the desired monitor port.
33
Director Xstream
Note:___________________________________________________________________________________________________
Instead of filter add, you can use a filter ins command to define filters. The only difference is that filter ins
allows you to specify the filter's ID, which is its position in the pending filter list. (Use filter list so see the IDs of
all pending filters.) When you use a filter ins command, include an argument id=<id> where <id> is a decimal
number in the range 1 to 999. For example: filter ins id=2 in_ports=1 out_ports=2 defines a filter that sends all
the traffic from port 1 to port 2 and places this filter in the second location in the pending filter list.
________________________________________________________________________________________________________
Tip!_ ___________________________________________________________________________________________________
The filter del command can be used to delete a filter from the pending filter list. The syntax is a filter del id=<id>
where <id> is a decimal number in the range 1 to 999 corresponding to the position in the pending filter list. Use
the filter list command so see the IDs of all pending filters.
________________________________________________________________________________________________________
Exclusive filters
Filters can be specified using action=drop in order to create exclusive filters. (An exclusive filter excludes packets rather
an including them.) For example, suppose you would like to monitor all traffic on a link except for the UDP traffic. To
specify this filter, use the following commands. Note that the drop filter must come first so it is earlier in the CAM.
filter add in_ports=5 ip_protocol=17 action=drop
filter commit
CAM
Port 5
Protocol =
UDP
match
Address
(drop)
no match
All
Filter
1
port 5 → ip_protocol=UDP action=drop
2
port 5 → port 1
Port 1
filter add in_ports=5 ip_protocol=17 action=drop
Figure 32: Creating an exclusive filter
Tip!_ ___________________________________________________________________________________________________
Filters that use exclusive sets of network ports (in other words, each network port is included in only a single filter)
do not interact. For example,
filter add in_ports=1-5 <filter_parameter_list> <monitor_port_list>
does not interact with
filter add in_ports=6-10 <filter_parameter_list> <monitor_port_list>
________________________________________________________________________________________________________
34
Director Xstream
Understand Pending and Active filters
To understand the actions of filter commands such as filter commit, filter discard, and filter delete, it is helpful to
visualize the pending filter list and the CAM that holds the active filters.
The previous section explained how the active filters are stored in a CAM, which can be thought of as list of active
filters. These filters, which are actively running in the device, can be referred to as active, running, or committed.
Pending filters, that is, filters that have been defined using filter add and filter ins commands but not yet committed,
are kept in a pending filter list that shadows the CAM. These filters can be referred to as pending or uncommitted. The
following table shows which filter commands affect the pending filter list and which affect the CAM. Commands apply to
Pending filter list
CAM
filter add
filter del
filter discard
filter ins
filter list
filter sync
commit
filter commit
filter running
As can be seen from the table, most of the time you work with the contents of the pending filter list. When you have the
filters set up the way you want them in the pending filter list, a commit or filter commit command transfers the contents
of the pending filter list to the CAM, activating that filter set-up. (Remember that commit also changes Director Xstream's
running configuration file—the file that is loaded when the system is reset—but filter commit does not.)
A common workflow for changing the Director Xstream filter configuration might be as follows.
To change the Director Xstream filter configuration:
CAM
Pending filter list
Address
Filter
Address
2
port 5 → port 1
Figure 33: Starting state
1. Enter filter running to view the currently active filters in the CAM.
35
Filter
1
Director Xstream
Filter #1
in_ports=5
mac_src=00:00:00:00:00:00/00:00:00:00:00:00
mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0017
l4_src_port=0000/0000,l4_dst_port=0000/0000,vlan=0000/0000,action=drop
Filter #2
in_ports=5
mac_src=00:00:00:00:00:00/00:00:00:00:00:00
mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0000
redir_ports=1
Net Optics>
0%
Figure 34: Filter running command
2. Enter filter sync. The contents of the CAM are copied to the pending filter list.
CAM
Pending filter list
Address
Filter
Address
Filter
1
1
2
port 5 → port 1
2
port 5 → port 1
Figure 35: After filter sync
3. Use filter add, filter ins, and filter del commands to change filters as desired.
CAM
Pending filter list
Address
Filter
Address
Filter
1
port 5 → ip_protocol=TCP action=drop
1
2
port 5 → port 1
2
port 5 → port 1
3
port 6 → port 2
Figure 36: Filter 1 has been changed and filter 3 has been added
36
Director Xstream
4. Enter filter list to view the pending filter list.
Filter #1
in_ports=5
mac_src=00:00:00:00:00:00/00:00:00:00:00:00
mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0017
l4_src_port=0000/0000,l4_dst_port=0000/0000,vlan=0000/0000,action=drop
Filter #2
in_ports=5
mac_src=00:00:00:00:00:00/00:00:00:00:00:00
mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0000
redir_ports=1
Filter #3
in_ports=6
mac_src=00:00:00:00:00:00/00:00:00:00:00:00
mac_dst=00:00:00:00:00:00/00:00:00:00:00:00
ip4_src=0.0.0.0/255.255.255.255,ip4_dst=0.0.0.0/255.255.255.255
ip_protocol=0000
redir_ports=2
Net Optics>
2%
Figure 37: Filter list command
6. Repeat steps 3 and 4 until the pending filter list is consistent with the desired filter configuration.
7. Enter filter commit. The contents of the pending filter list are copied to the CAM, activating the new filter
configuration.
CAM
Pending filter list
Address
Filter
Address
Filter
1
1
2
port 5 → port 1
2
port 5 → port 1
3
port 6 → port 2
3
port 6 → port 2
Figure 38: After filter commit
37
Director Xstream
Be aware of these similar pairs of similar commands:
• filter list shows the pending filter list, while filter running shows the CAM
• filter commit copies the pending filter list to the CAM, while filter sync copies the CAM to the pending filter list
CAM
Pending filter list
Address
Filter
1
2
filter commit
→
Address
Filter
1
2
filter sync
←
filter list to view contents
filter running to view contents
Figure 39: Pairs of similar filter commands
Tip!_ ___________________________________________________________________________________________________
To clear the CAM so no filters are actively running, enter filter discard followed by filter commit. (After this command
sequence, no data will be seen on any of the monitor ports because filters are required to direct data to them.)
________________________________________________________________________________________________________
Warning!_______________________________________________________________________________________________
User interactions
When multiple users are logged into Director Xstream at the same time, each user has a separate pending filter list in
which to create filter configurations. However, there is only one CAM, so any time a user executes a commit or filter
commit command, the CAM takes on the filter configuration from that user's pending filter list, and those become the
active filters on Director Xstream. In order to ensure that filters which you don't touch remain unaffected after you
commit, use a filter sync command to get the current contents of the CAM before adding or modifying filters.
Also be aware that, any time the filters are updated, all monitoring in progress can be momentarily disrupted as the
new filters are loaded—even if the filters for a particular monitoring port are not affected by the update. Therefore
configuration changes should always be coordinated between everyone who is using the system.
________________________________________________________________________________________________________
38
Director Xstream
Understand Filter Capacity
The capacity of Director Xstream's filtering function is more than 2,000 filter elements per chassis, where a filter
element is a port list or a filter parameter. For example, filter add in_ports=11-17 ip_protocol=6 vlan=100
action=redir redir_ports=1-3,10 creates a filter with four elements:
1.in_ports=11-17
2.ip_protocol=6
3.vlan=100
4.redir_ports=1-3,10
Counting filter elements is only a rough gauge of filter utilization, and is not recommended. Instead, examine the
pending filter list or CAM contents with filter list and filter running commands. The filter resource utilization is
displayed after the filter list.
There are actually two separate CAMs, one for IPv4 filters and one for IPv6 filters. Each CAM has 128 locations, so the
maximum number of IPv4 filters is 128 and the maximum number of IPv6 filters is 128, where a filter is created by a filter
add or filter ins command. In other words, if you create a logical OR condition by adding two filters with the same input
ports and output ports, it takes two CAM locations.
Tip!_ ___________________________________________________________________________________________________
To create a filter in the IPv6 CAM instead of the IPv4 CAM, use the argument ipv6=y in the filter add or filter ins
command when you create the filter.
__________________________________________________________________________________________________________
39
Director Xstream
Appendix A
Director Xstream Specifications
Specifications
Environmental
Operating Temperature: 0˚C to 40˚C
Storage Temperature: -10˚C to 70˚C
Relative Humidity: 10% min, 95% max, non-condensing
Mechanical
Dimensions: 1.75” high x 17” wide x 17.5” deep
Mounting: Surface or 19” rack mount (1U)
Weight: 8 lbs (3.7 kg)
Connectors
SFP+ slots: 24, with 4 labelled as monitor ports and 20 labelled as network ports
Management Port: (1) RJ45 10/100/1000 Copper Network
Console Port: (1) RJ45 RS232
Power: (2) AC universal or (2) -48V DC depending on model
Electrical Interface
AC Input: 100-240VAC, 4.5A, 47-63Hz (Japan: 100‑125VAC, ~300 VA, 50-60Hz)
DC Input: -48VDC nominal. -36 to -72VDC, 4.0A
DC Receptacle: Terminal peak, 12-14 gauge wire
Indicators
Each port has a Link LED and an Activity LED
The AC power supply modules have power on indicators integrated in the on/off switches
Performance
Hardware throughput: 240 Gbps; no packets dropped as long as monitor traffic does not exceed monitor port
bandwidth
Port mapping: Aggregation, any number of ports in; regeneration, any number of ports out; any-to-any, any-to-many,
many-to-any, and many-to-many; any port can be used as an input, an output, or both simultaneously—monitor ports
can be used as additional network ports, and network ports can be used as additional monitor ports
TapFlow: Filter by IP source address, IP destination address, MAC source address, MAC destination address, source
port, destination port, protocol, network port or port group, VLAN, utilization threshold
Static Load Balancing: By IP addresses, MAC addresses, ports, VLANs, or other header field (implement with filters)
RMON statistics: Current utilization, total packets, total bytes, CRC errors
Device management: Remote software upgrades; RADIUS and TACACS+ supported, three servers each
Indigo™ Management Software
CLI—local RS232 and remote SSH, compatible with Director CLI
Net Optics Web Manager—compatible with all major Web browsers (availability TBD)
Net Optics System Manager—compatible with Windows XP, Windows 2000, and Windows 98 (availability TBD)
Certifications
FCC, CE, VCCI, and C-Tick certified
Fully RoHS and WEEE compliant
40
Director Xstream
Available Models
Director Xstream
DIR-2400X DIR-2400X-DC Director Xstream Main Chassis with 24 SFP+ ports
Director Xstream Main Chassis with 24 SFP+ ports, -48VDC
SFP+ kits
SFP+KT-SR
SFP+KT-LR SFP+KT-50SR Fiber SR SFP+ Transceiver
Fiber LR SFP+ Transceiver
Fiber SR 50um SFP+ Transceiver
SFP kits
SFPKT-SX SFPKT-50SX SFPKT-LX SFPKT-GCU SFPKT-CU3 GigaBit Fiber SX SFP with cable
GigaBit Fiber SX SFP with cable 50μm
GigaBit Fiber LX SFP with cable
GigaBit Copper SFP with cable
10/100/1000 Copper SFP with cable [not currently supported on Director Xstream]
41
Director Xstream
Appendix B
Command Line Interface
The CLI is not case sensitive; commands can be entered in upper or lower case. However, certain items such as user-defined
text strings, user names, and passwords can be entered in upper, lower, or mixed case, and are case-sensitive.
The tab key or the space bar can be used to automatically complete words in the CLI. This function works for
commands as well as arguments. For example, typing the letter "i" followed by the tab key results in "image" being
entered in the command line. Likewise, "pi<tab>" auto-completes to the "ping" command. However, "p<tab>" does
not auto-complete, because it is ambiguous between the "ping" and "port" commands.
To display a list of sub-commands and arguments for any command, press the ? key after entering the command. (A
space is required between the command and the ?.) For example, type "filter add ?" to display a list of all the arguments
that can be used to complete the command.
Ports are numbered 1 through 24 going left to right across the front panel. Port numbers 1 through 4 are labelled as
monitor ports on the front panel, and 5 through 24 are labelled as network ports. However, the ports are symmetric
and any port can be included in a filter in_ports or redir_ports portlist. A portlist is a list of ports separated by commas;
dashes can be used to specify ranges; for example, 1,2,3 and 1-3 mean the same thing. Space characters are not allowed
in portlists (do not put a space after the comma).
Privilege levels
User accounts are assigned one of three privilege levels:
• admin (level 1) – access to all CLI commands; only the admin level can use the user and port set commands
• user (level 2) – access to all CLI commands except user and port set
• view (level 3) – can access only these CLI read-only commands: help, history, list, ping, show, exit, logout, quit
All accounts are authorized to use the user mod command to change their own passwords.
Table key
The table uses alternate row shading to distinguish commands and subcommands, as indicated in the following example.
Command
Arguments
Example
command1 subcommand1
for command1
Sub-Command
arguments for
subcommand1
an example of how to use command1 subcommand1
for command2
arguments for
subcommand1
subcommand2
for command2
arguments for
subcommand2
subcommand3
for command2
arguments for
subcommand3
for command3
arguments for
subcommand1
subcommand2
for command3
arguments for
subcommand2
42
Director Xstream
Director Xstream CLI Quick Reference
Table of CLI Commands
Command
Sub-Command
!
Arguments
Example
<number>
Net Optics> !3
commit
Net Optics> commit
del
<filename>
Net Optics> del my_config
exit
filter
Net Optics> exit
add
[ipv6=<y|yes>]
Net Optics> filter add in_ports=1-3 ip4_src=10.1.1.1
in_ports=<network_portlist> action=redir redir_ports=3,9
[<qual>=<value>]
action=<redir|drop>
[redir_ports=<monitor_portlist>]
commit
del
Net Optics> filter commit
id=<id>
[ipv6=<y|yes>]
Net Optics> filter del id=3
discard
ins
Net Optics> filter discard
Net Optics> filter ins id=2 in_ports=1-3
id=<id>
[ipv6=<y|yes>]
ip4_src=10.1.1.1 action=drop
in_ports=<network_portlist>
[<qual>=<value>]
action=<redir|drop>
[redir_ports=<monitor_portlist>]
list
[ipv6=<y|yes>]
running
[ipv6=<y|yes>]
sync
help
Net Optics> filter sync
[<command>]
Net Optics> help filter
history
Net Optics> history
clear
image
Net Optics> history clear
<1|2>
Net Optics> image 2
show
Net Optics> image show
list
load
Net Optics> list
running|factory|<filename>
logout
ping
Net Optics> load my_config
Net Optics> logout
<address>
Net Optics> ping 10.1.1.4
43
Director Xstream
Command
Sub-Command
Arguments
Example
port
set
ports=<all|portlist>
[admin=<enable|disable>]
[speed=<1000|10000>]
Net Optics> port set ports=1-3 admin=disable
show
Net Optics> port show
quit
Net Optics> quit
save
<filename>
Net Optics> save my_config
show
running|factory|<filename>
Net Optics> show my_config
clear
[ports=<all|portlist>]
Net Optics> stats clear ports=all
show
ports=<all|portlist>
Net Optics> stats show ports=m.2,n1.4
stats
sysip
commit
Net Optics> sysip commit
discard
Net Optics> sysip discard
set
system
ipaddr=<address>
mask=<netmask>
gw=<gateway>
Net Optics> sysip set ipaddr=100.6.4.15
mask=255.255.0.0 gw=10.0.0.1
show
Net Optics> sysip show
restart
Net Optics> system restart
set
[jumbo=<on|off>]
Net Optics> system set jumbo=on
show
upgrade
user
Net Optics> system show
srvip=<srvip>
user=<username>
pw=<password>
file=<filename>
Net Optics> upgrade srvip=168.192.20.2 user=bob
pw=bobpw file=image021108
add
name=<username>
pw=<password>
priv=<level>
Net Optics> user add name=bob pw=bob-pw priv=3
del
name=<username>
Net Optics> user del name=bill
mod
name=<username>
pw=<password>
priv=<level>
Net Optics> user mod name=bill pw=netbillpw priv=2
show
Net Optics> user show
44
Director Xstream
Filter qualifiers
Switches and filters are defined using the filter add and filter ins commands. The filter add command syntax is:
filter ipv6=y add in_ports=<portlist> <filter_qualifier_list> action=<redir|drop> redir_ports=<portlist>
The <filter_qualifier_list> is a sequence of zero or more of the filter qualifiers as listed in the following table.
If the <filter_qualifier_list> is empty, the filter add command specifies an aggregation of the traffic received on all of
the in_ports. If the action=redir, the aggregated traffic stream is regenerated to all of the redir_ports.
If the <filter_qualifier_list> contains qualifiers, aggregation and regeneration take place as described in the previous
paragraph. However, the filter qualifiers are applied to the aggregated traffic stream before it is copied to the monitor
ports. If multiple filter qualifiers are specified, a packet must satisfy all of the filter qualifiers in order to be copied to the
monitor ports. In other words, the filter qualifiers are combined with a logical AND condition. A logical OR condition
can be created by using multiple filter add commands with identical port lists.
The filter add and filter ins commands define filters but do not activate them. A subsequent filter commit or commit
command must be executed to activate the filters. This mechanism enables an interrelated group of filters to be activated
simultaneously. It also allows you to double-check your filter definitions before you activate them. The commit command
also rewrites the running Director Xstream configuration file (the configuration file that is loaded when the system is
reset), while filter commit does not.
Note that IPv6 and IPv4 filters are maintained separately. It is important to include the argument ipv6=y when dealing
with IPv6 filters, and omit it when dealing with IPv4 filters.
It is also important to note that packets are filtered using a Content Addressable Memory or CAM. Each filter is a CAM
entry, and the CAM is filled in the order that the filter add commands are entered. filter ins commands create filters
in specific locations in the CAM. When a packet is processed, the first filter in the CAM that matches the packet is the
only filter that is activated. Each packet can activate exactly zero or one filters. See Understand filter interactions
near the end of Chapter 3 for examples.
All supported filter qualifiers are shown in the following table.
Director Xstream Filter Qualifiers
<qual>
<value>
Range
Example
Description
ip_protocol
0 to 255
No
ip_protocol=6
Layer 4 IP protocol
ip4_src
d.d.d.d
Yes
ip4_src=168.10.4.1
IPv4 source address
ip4_src_mask
d.d.d.d
No
ip4_src_mask=255.255.255.0
Mask for IPv4 source address
ip4_dst
d.d.d.d
Yes
ip4_dst=168.10.4.2
IPv4 destination address
ip4_dst_mask
d.d.d.d
No
ip4_dst_mask=255.255.255.0
Mask for IPv4 destination
address
ip6_src
xxxx:xxxx:xxxx:xxxx:
xxxx:xxxx:xxxx:xxxx
No
ip6_src=1234:5678:9abc:def0
:1234:5678:9abc:def0
IPv6 source address
ip6_src_mask
xxxx:xxxx:xxxx:xxxx
No
ip6_src_mask=
ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe
Mask for IPv6 source address
45
Director Xstream
<qual>
<value>
Range
Example
Description
ip6_dst
xxxx:xxxx:xxxx:xxxx
No
ip6_dst=1234:5678:9abc:def0
:1234:5678:9abc:def0
IPv6 destination address
ip6_dst_mask
xxxx:xxxx:xxxx:xxxx
No
ip6_dst_mask=
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffc0
Mask for IPv6 destination
address
l4_src_port
0 to 65535
Yes
l4_src_port=80
Layer 4 source port
l4_src_port_mask
0 to 65535
No
l4_src_port_mask=65535
Mask for Layer 4 source port
l4_dst_port
0 to 65535
Yes
l4_dst_port=80
Layer 4 destination port
l4_dst_port_mask
0 to 65535
No
l4_dst_port_mask=65520
Mask for Layer 4 destination
port
mac_src
xx:xx:xx:xx:xx:xx
No
mac_src=01:23:45:67:89:ab
MAC source address
mac_src_mask
xx:xx:xx:xx:xx:xx
No
mac_src_mask=ff:ff:ff:ff:ff:fc
Mask for MAC source address
mac_dst
xx:xx:xx:xx:xx:xx
No
mac_dst=11:22:33:44:55:66
MAC destination address
mac_dst_mask
xx:xx:xx:xx:xx:xx
No
mac_dst_mask=ff:ff:ff:ff:ff:00
Mask for MAC destination
address
vlan
2 to 4094
Yes
vlan=3820
VLAN number
vlan_mask
0 to 4095
No
vlan_mask=4080
Mask for VLAN number
Key:x = a hex digit, 0 to f
d = a decimal number, 0 to 255
For qualifiers that accept Ranges for the <value>, the actual range implemented in the filter is a superset of the requested range
filter list displays the actual filter range as implemented.
* See Appendix C for a complete list of protocol numbers. Some common protocols include:
Number
Keyword
Protocol
1
ICMP
Internet Control Message Protocol
2
IGMP
Internet Group Message Protocol
6
TCP
Transmission Control Protocol
17
UDP
User Datagram Protocol
80
ISO-IP
ISO Internet Protocol
89
OSPF
Open Shortest Path First
132
SCTP
Stream Control Transmission Protocol
46
Director Xstream
Appendix C
Protocol Numbers
The official Assigned Internet Protocol Numbers list is maintained by the Internet Assigned Numbers Authority and
can be found at http://www.iana.org/assignments/protocol-numbers. The list as of April 18, 2008 is reproduced in the
following table (without references).
Num
Keyword
Protocol
0
HOPOPT
IPv6 Hop-by-Hop Option
1
ICMP
Internet Control Message
2
IGMP
Internet Group Management
3
GGP
Gateway-to-Gateway
4
IP
IP in IP (encapsulation)
5
ST
Stream
6
TCP
7
Keyword
Protocol
30
NETBLT
Bulk Data Transfer Protocol
31
MFE-NSP
MFE Network Services
Protocol
32
MERITINP
MERIT Internodal Protocol
33
DCCP
Datagram Congestion Control
Protocol
Transmission Control
34
3PC
Third Party Connect Protocol
CBT
CBT
35
IDPR
8
EGP
Exterior Gateway Protocol
Inter-Domain Policy Routing
Protocol
9
IGP
any private interior gateway
(used by Cisco for their
IGRP)
36
XTP
XTP
37
DDP
Datagram Delivery Protocol
38
IDPRCMTP
IDPR Control Message
Transport Proto
39
TP++
TP++ Transport Protocol
40
IL
IL Transport Protocol
41
IPv6
Ipv6
42
SDRP
Source Demand Routing
Protocol
43
IPv6Route
Routing Header for IPv6
10
BBNRCCMON
Num
BBN RCC Monitoring
11
NVP-II
Network Voice Protocol
12
PUP
PUP
13
ARGUS
ARGUS
14
EMCON
EMCON
15
XNET
Cross Net Debugger
16
CHAOS
Chaos
44
IPv6-Frag
Fragment Header for IPv6
17
UDP
User Datagram
45
IDRP
18
MUX
Multiplexing
Inter-Domain Routing Protocol
19
DCNMEAS
DCN Measurement Subsystems
46
RSVP
Reservation Protocol
47
GRE
20
HMP
Host Monitoring
General Routing Encapsulation
21
PRM
Packet Radio Measurement
48
DSR
Dynamic Source Routing
Protocol
49
BNA
BNA
50
ESP
Encap Security Payload
51
AH
Authentication Header
52
I-NLSP
Integrated Net Layer Security
TUBA
22
XNS-IDP
XEROX NS IDP
23
TurnK-1
Turnk-1
24
TurnK-2
Turnk-2
25
LEAF-1
Leaf-1
26
LEAF-2
Leaf-2
27
RDP
Reliable Data Protocol
53
SWIPE
IP with Encryption
28
IRTP
Internet Reliable Transaction
54
NARP
29
ISO-TP4
ISO Transport Protocol Class 4
NBMA Address Resolution
Protocol
47
Director Xstream
Num
Keyword
Protocol
Num
Keyword
Protocol
55
MOBILE
IP Mobility
85
NSFNET-IGP
56
TLSP
Transport Layer Security
Protocol using Kryptonet key
management
NSFNETIGP
86
DGP
Dissimilar Gateway Protocol
87
TCF
TCF
88
EIGRP
EIGRP
89
OSPFIGP
OSPFIGP
90
SpriteRPC
Sprite RPC Protocol
91
LARP
Locus Address Resolution
Protocol
92
MTP
Multicast Transport Protocol
57
SKIP
SKIP
58
IPv6ICMP
ICMP for IPv6
59
IPv6NoNxt
No Next Header for IPv6
60
IPv6-Opts
Destination Options for IPv6
61
62
any host internal protocol
CFTP
63
CFTP
any local network
93
AX.25
AX.25 Frames
94
IPIP
IP-within-IP Encapsulation
Protocol
95
MICP
Mobile Internetworking Control Pro.
96
SCC-SP
Semaphore Communications
Sec. Pro.
97
ETHERIP
Ethernet-within-IP Encapsulation
ENCAP
Encapsulation Header
64
SATEXPAK
SATNET and Backroom
EXPAK
65
KRYPTOLAN
Kryptolan
66
RVD
MIT Remote Virtual Disk
Protocol
67
IPPC
Internet Pluribus Packet Core
any distributed file system
98
69
SAT-MON
SATNET Monitoring
99
68
70
VISA
VISA Protocol
71
IPCV
Internet Packet Core Utility
72
CPNX
Computer Protocol Network
Executive
73
CPHB
Computer Protocol Heart
Beat
74
WSN
Wang Span Network
75
PVP
Packet Video Protocol
any private encryption
scheme
100
GMTP
GMTP
101
IFMP
Ipsilon Flow Management
Protocol
102
PNNI
PNNI over IP
103
PIM
Protocol Independent Multicast
104
ARIS
ARIS
105
SCPS
SCPS
106
QNX
QNX
107
A/N
Active Networks
108
IPComp
IP Payload Compression
Protocol
109
SNP
Sitara Networks Protocol
110
CompaqPeer
Compaq Peer Protocol
76
BR-SATMON
Backroom SATNET Monitoring
77
SUN-ND
SUN ND PROTOCOL-Temporary
78
WB-MON
WIDEBAND Monitoring
79
WBEXPAK
WIDEBAND EXPAK
80
HTTP
Hypertext Tranfer Protocol
81
VMTP
VMTP
111
IPX-in-IP
IPX in IP
82
SECUREVMTP
SECURE-VMTP
112
VRRP
Virtual Router Redundancy
Protocol
83
VINES
VINES
113
PGM
84
TTP
TTP
PGM Reliable Transport
Protocol
114
48
any 0-hop protocol
Director Xstream
Num
Keyword
Protocol
Num
Keyword
115
L2TP
Layer Two Tunneling Protocol
134
116
DDX
D-II Data Exchange (DDX)
117
IATP
Interactive Agent Transfer
Protocol
RSVPE2EIGNORE
135
Mobility
Header
136
UDPLite
137
MPLSin-IP
Protocol
118
STP
Schedule Transfer Protocol
119
SRP
SpectraLink Radio Protocol
120
UTI
UTI
121
SMP
Simple Message Protocol
138
manet
MANET Protocols
122
SM
SM
139
HIP
Host Identity Protocol
123
PTP
Performance Transparency
Protocol
124
ISIS over
IPv4
140
to
252
125
FIRE
110
CRTP
Combat Radio Transport
Protocol
127
CRUDP
Combat Radio User Datagram
128
SSCOPMCE
129
IPLT
130
SPS
Secure Packet Shield
131
PIPE
Private IP Encapsulation
within IP
132
SCTP
Stream Control Transmission
Protocol
133
FC
Fibre Channel
Unassigned
Use for experimentation and
testing
253
254
255
49
Use for experimentation and
testing
Reserved
Director Xstream
Limitations on Warranty and Liability
Net Optics offers a limited warranty for all its products. IN NO EVENT SHALL NET OPTICS, INC. BE LIABLE FOR ANY
DAMAGES INCURRED BY THE USE OF THE PRODUCTS (INCLUDING BOTH HARDWARE AND SOFTWARE) DESCRIBED IN THIS MANUAL, OR BY ANY DEFECT OR INACCURACY IN THIS MANUAL ITSELF. THIS INCLUDES
BUT IS NOT LIMITED TO LOST PROFITS, LOST SAVINGS, AND ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES
ARISING FROM THE USE OR INABILITY TO USE THIS PRODUCT, even if Net Optics has been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential
damages, so the above limitation or exclusion may not apply to you.
Net Optics, Inc. warrants this Tap to be in good working order for a period of ONE YEAR from the date of purchase from Net
Optics or an authorized Net Optics reseller.
Should the unit fail anytime during the said ONE YEAR period, Net Optics will, at its discretion, repair or replace the product. This
warranty is limited to defects in workmanship and materials and does not cover damage from accident, disaster, misuse, abuse or
unauthorized modifications.
If you have a problem and require service, please call the number listed at the end of this section and speak with our technical service personnel. They may provide you with an RMA number, which must accompany any returned product. Return the product in
its original shipping container (or equivalent) insured and with proof of purchase.
Additional Information
Net Optics, Inc. reserves the right to make changes in specifications and other information contained in this document without prior
notice. Every effort has been made to ensure that the information in this document is accurate. Net Optics is not responsible for
typographical errors.
THE WARRANTY AND REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHERS, EXPRESS
OR IMPLIED. No Net Optics reseller, agent, or employee is authorized to make any modification, extension, or addition to this
warranty.
Net Optics is always open to any comments or suggestions you may have about its products and/or this manual.
Send correspondence to
Net Optics, Inc.
Santa Clara, CA 95054 USA
Telephone: +1 (408) 737-7777
Fax: +1 (408) 745-7719
E-mail: info@Net Optics.com / Internet: www.NetOptics.com
All Rights Reserved. Printed in the U.S.A. No part of this publication may be reproduced, transmitted, transcribed, stored in a
retrieval system, or translated into any language or computer language, in any form, by any means, without prior written consent
of Net Optics, Inc., with the following exceptions: Any person is authorized to store documentation on a single computer for
personal use only and that the documentation contains Net Optics’ copyright notice.
50
www.netoptics.com
© 2008-2010 by Net Optics, Inc. All Rights Reserved.

Direrctor Xstream

Transcription

Similar documents

Greater Cincinnati Water Works Filter Distribution

Director xStream Pro - Ixia Visibility Products

570-491 EZflex:Layout 1.qxd

VX550 - Lpc Uk

SEMView – An 8K SEM Image Control System

HYDROCYCLE AQUAPONICS SYSTEMS PRODUCE

#104 300 Klahanie Drive • Port Moody

user manual - Analogue Haven

Kubota Service