100% found this document useful (3 votes)

3K views

Ixia Vision E40 E100 User Guide v5.0.0

Uploaded by

pham hai van

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (3 votes)

3K views

Ixia Vision E40 E100 User Guide v5.0.0

Uploaded by

pham hai van

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 526

Ixia Vision Edge 40/100

VOS

User Guide

Release 5.0.0

913-2398-01 Rev A
acquires commercial computer software
Notices under the same terms by which the
software is customarily provided to the
Copyright Notice public. Accordingly, Keysight provides the
© Keysight Technologies 2017–2018 Software to U.S. government customers
under its standard commercial license,
No part of this document may be
which is embodied in its End User License
reproduced in any form or by any means
Agreement (EULA), a copy of which can
(including electronic storage and retrieval
be found at
or translation into a foreign language)
http://www.keysight.com/find/sweula or
without prior agreement and written
https://support.ixiacom.com/support-
consent from Keysight Technologies, Inc.
services/warranty-license-agreements.
as governed by United States and
The license set forth in the EULA
international copyright laws.
represents the exclusive authority by
which the U.S. government may use,
Warranty modify, distribute, or disclose the
The material contained in this document Software. The EULA and the license set
is provided “as is,” and is subject to being forth therein, does not require or permit,
changed, without notice, in future among other things, that Keysight: (1)
editions. Further, to the maximum extent Furnish technical information related to
permitted by applicable law, Keysight commercial computer software or
disclaims all warranties, either express or commercial computer software
implied, with regard to this manual and documentation that is not customarily
any information contained herein, provided to the public; or (2) Relinquish
including but not limited to the implied to, or otherwise provide, the government
warranties of merchantability and fitness rights in excess of these rights
for a particular purpose. Keysight shall not customarily provided to the public to use,
be liable for errors or for incidental or modify, reproduce, release, perform,
consequential damages in connection display, or disclose commercial computer
with the furnishing, use, or performance software or commercial computer
of this document or of any information software documentation. No additional
contained herein. Should Keysight and the government requirements beyond those
user have a separate written agreement set forth in the EULA shall apply, except to
with warranty terms covering the the extent that those terms, rights, or
material in this document that conflict licenses are explicitly required from all
with these terms, the warranty terms in providers of commercial computer
the separate agreement shall control. software pursuant to the FAR and the
DFARS and are set forth specifically in
Technology Licenses writing elsewhere in the EULA. Keysight
The hardware and/or software described shall be under no obligation to update,
in this document are furnished under a revise or otherwise modify the Software.
license and may be used or copied only in With respect to any technical data as
accordance with the terms of such defined by FAR 2.101, pursuant to FAR
license. 12.211 and 27.404.2 and DFARS 227.7102,
the U.S. government acquires no greater
U.S. Government Rights than Limited Rights as defined in FAR
27.401 or DFAR 227.7103-5 (c), as
The Software is "commercial computer
applicable in any technical data. 52.227-
software," as defined by Federal
14 (June 1987) or DFAR 252.227-7015 (b)
Acquisition Regulation ("FAR") 2.101.
(2) (November 1995), as applicable in any
Pursuant to FAR 12.212 and 27.405-3 and
technical data.
Department of Defense FAR Supplement
("DFARS") 227.7202, the U.S. government

– ii – 913-2398-01 Rev A
Contact Us
Ixia headquarters
26601 West Agoura Road
Calabasas, California 91302
+1 877 367 4942 – Toll-free North America
+1 818 871 1800 – Outside North America
+1.818.871.1805 – Fax
www.ixiacom.com/contact/info

Support

Global Support +1 818 595 2599 [email protected]

APAC Support +91 80 4939 6410 [email protected]

EMEA Support +40 21 301 5699 [email protected]

Greater China Region +400 898 0598 [email protected]

India Office +91 80 4939 6410 [email protected]

Japan Head Office +81 3 5326 1980 [email protected]

Korea Office +82 2 3461 0095 [email protected]

Singapore Office +656 494 8910 [email protected]

– iii – 913-2398-01 Rev A

About this Document i

Audience i

Document Conventions ii
CONTENTS

Typographic ii

Additional Documentation iv

Technical Support v

System and Browser Requirements vi

Chapter 1 Vision Edge Overview 1

Interacting with the Vision Edge System 2

Filter Overview 3

Filter Criteria Options 5

Supported Packet Sizes 7

Chapter 2 Connecting via the Craft Port Interface 8

Power Up the System 9

Craft Port Connection 10

Craft Port Main Menu 11

Reboot System 12

IP Configuration 13

Management Port Configuration 14

Reset Administrator Password 15

Run POST Tests 16

– iv – 913-2398-01 Rev A
Get POST Results 17

Chapter 3 Configuring the Management Port IP Address 18

Configuring the Management Port IP Address 18

Chapter 4 Navigating the Web Console 21

Introduction 21

Diagram View 21

Navigator View 22

Objects Menu 23

Statistics Menu Views 30

System Menu Views 36

Quick Access Pane 38

Help Menu 38

Features Common to All Views 39

Right-click Menu 40

Modify Access Control List Dialog 42

Chapter 5 Exporting and Importing a Configuration 44

Export Types 45

Import Behavior and Characteristics 46

Exporting a Configuration 48

Importing a Configuration 50

Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram
View 53

Diagram View 53

Network Ports 53

Dynamic Filters 53

Tool Ports 54

Introduction to Creating Objects 54

913-2398-01 Rev A –v–

Configuring Ports 54

Port Mode Compatibility Guidelines 54

Configuring Network and Tool Ports 55

Creating Simplex Ports 60

Bidirectional Ports 62

Loopback Ports 63

Convert 10G or 40G Ports 64

Creating Port Groups 65

Interconnect Port Groups 65

Create Bidirectional Interconnect Port Group 71

Simplex Port Group Restrictions 71

Load Balance Port Groups 72

Adding and Removing Ports to/from Connected Port Groups 75

Creating and Configuring Dynamic Filters 75

Dynamic Filter - General Tab 75

Dynamic Filter - Filter Criteria Tab 75

Dynamic Filter - Connections Tab 76

Dynamic Filter - Access Control Tab 76

Creating Catch-All Dynamic Filters 76

Copying Configurations for Ports and Dynamic Filters 79

Linking Ports, Port Groups, and Dynamic Filters 81

Further Actions 82

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters 84

Intersection versus Priority Filtering 85

Port Filters - Network and Tool 85

Dynamic Filters - Intersection and Priority Modes 86

Filter Mode Section 88

– vi – 913-2398-01 Rev A
Intersection Filter Build Mode 88

Priority Filter Build Mode 89

Available Fields Section 90

Criteria Fields Descriptions 91

Selected Fields Section 116

SNMP Tag Section 118

Library Section 119

Port, Port Group, and Dynamic Filter Symbols and Indicators 120

Filter Indicators 121

Filter Criteria Indicators 123

Packet Drop Indicator 124

Link Down Indicator 125

Chapter 8 Priority Filtering 126

Prioritize Dynamic Filters connected to Network Ports 126

Prioritize Service Chains connected to Bypass Port Pairs 127

Use Cases 128

Change to Priority Filtering Mode 131

Available Filter Criteria for Priority Mode 132

IPv4 Filter Criteria Options 133

IPv6 Filter Criteria Option 133

Priority "P" Indicator on Ports and Port Groups 134

Optionally Show/Hide Priority Numbers 134

New Priority Filtering Modes 136

Connecting Out-Of-Band Egress Ports and Port Groups in Priority Mode 137

PacketStack Resources , Fan-Out, and Fan-In Supported in Priority Mode 138

Priority Filtering Restrictions 138

913-2398-01 Rev A – vii –

Priority Filter Memory Allocation Considerations 140

Inline and HA Inline 141

IPv6, Custom Fields, and MAC 141

Priority Filter Memory Meters 142

Statistics for Priority Filtering 144

View Priority Filtering Statistics in the Web Console 144

Get Priority Filtering Statistics with the Web API 144

Chapter 9 Filter Memory Allocation 146

Changing Filter Memory Allocation 148

Network Port Filters 149

Dynamic Filters Tab 150

Tool Port Filters Tab 152

Chapter 10 Custom Dynamic Filtering 153

Introduction 153

Field Sets 154

Raw Custom Fields 154

Workflow for Defining Custom Fields 155

Allocating Memory for Field Sets 157

Configuring Custom Offset Fields 160

Considerations for GTP-U and MPLS Field Types 160

Configuring MPLS Custom Offset Fields 161

Configuring GTP Custom Offset Fields 163

Configuring VxLAN Custom Offset Fields 165

Configuring Raw Custom Offset Fields 166

Quick Example: GTP-U Custom Filtering Field 167

Using Custom Fields in Dynamic Filters 172

Custom Dynamic Filters Compatibility Criteria 173

– viii – 913-2398-01 Rev A

Single Dynamic Match All (AND) Filter 173

Single Dynamic Match Any (OR) Filter 174

Multiple Dynamic Filters 175

Custom Filter Portion of Available Filter Memory 177

Chapter 11 Navigator View 178

Navigator View Information 180

Modifying Object Properties in the Navigator View 181

Chapter 12 Displaying Object Information - Objects View 183

Ports View 184

Modifying Port Details from the Ports View 184

Searching for a Port or Port Detail in the Ports View 185

Port Groups View 186

Modifying Port Group Details from the Port Groups View 186

Searching for a Port Group or Port Group Detail in the Port Groups View 187

Dynamic Filters View 188

Modifying Dynamic Filter Details from the Dynamic Filters View 188

Searching for a Dynamic Filter or Dynamic Filter Detail in the Dynamic Filters View 188

Users View 189

Modifying Users Details from the Users View 189

Searching for a User or User Detail in the Users View 190

User Groups View 191

Modifying User Groups Details from the User Groups View 191

Searching for a User Group or User Group Detail in the User Groups View 191

Monitors View 192

Modifying Monitor Details from the Monitors View 192

Searching for a Monitor or Monitor Detail in the Monitors View 192

Chapter 13 Use IFC Cluster to Manage Multiple Systems 193

913-2398-01 Rev A – ix –
IFC Cluster Member Limit 193

Security Fabric 194

Clustering View 195

Create an IFC Cluster 197

Create an IFC Cluster Interconnect Port Group 201

System States and Possible State Transitions 203

Remove Member from Cluster 208

Disband Cluster 209

Diagram View 210

View Statistics for IFC Cluster Objects 211

Cluster Import, Export, and Clear Configuration Actions 212

IFC Cluster Limitations 214

Clustering License 215

Authentication and Authorization in an IFC Cluster 216

Users and User Groups in an IFC Cluster 217

Upgrading Systems in an IFC Cluster 219

Chapter 14 Link Layer Discovery Protocol Overview 221

Configuring LLDP 222

Enable LLDP Receive and Transmit 224

Limitations 226

Chapter 15 Using the System with Inline Tools 227

System Support for Inline Tools - Concepts 228

Inline Diagram View 231

Configure a Service Chain 233

Define the Bypass Port Pair 234

Add an Inline Tool Resource 237

Adding Heartbeats 240

–x– 913-2398-01 Rev A

Build the Service Chain 243

Bypass and Inline Tool Ports in Diagram View 254

Dynamic Filters Created for Service Chains 256

Traffic Balancing for a Group of Inline Tools 257

Service Chain Tool Sharing Limitations 258

Inline High Availability Mode Overview 259

Configure a System in the Inline HA Mode 261

SNMP Inline-Specific Traps 264

Chapter 16 Viewing and Changing System Settings 265

Viewing System Status 266

Viewing and Modifying System Settings 268

General Section 269

Filter Memory Allocation Settings 276

Remote Services Settings 277

Tool Port Group Load Balance Settings 279

Viewing and Managing System Licenses 281

System Software Version View 283

Viewing System Hardware Information 284

Chapter 17 Settings > User Options (Settings) 285

View Settings 286

Refresh Settings 287

Confirmation Settings 288

Time Settings 289

Search Settings 289

Chapter 18 Viewing System Statistics 291

Statistics Menu Views 292

Reset Statistics 292

913-2398-01 Rev A – xi –
Viewing Statistics Panels 294

Invalid Packets Passed/Dropped 295

Network Port Panel Statistics - Standard Tab 298

Tool Port Statistics - Standard Tab 301

Counts 301

Drops 301

Rates/Percentages 302

Refresh 302

Reset 303

Dynamic Filter Panel Statistics - Standard Tab 304

Packet Processing Statistics 306

All Statistics Panels - Graph Tab 307

Enabling and Viewing Tool Management View 308

Features Common to All Statistics Pages 309

Refresh 309

Reset 309

Chapter 19 Managing Users 310

Users View 311

Modifying Users Details from the Users View 311

Searching for a User or User Detail in the Users View 312

Add Users 313

User Groups View 314

Modifying User Groups Details from the User Groups View 314

Searching for a User Group or User Group Detail in the User Groups View 314

Add User Groups 315

Chapter 20 Defining Access Control Policies 316

Access Control Settings for Ports 317

– xii – 913-2398-01 Rev A

Defining Access Control Settings for Ports 317

Access Control Settings for Port Groups 319

Defining Access Control Settings for Port Groups 322

Access Control for Dynamic Filters 324

Defining Access Control for Dynamic Filters 324

Access Control Settings for Inline Tools 325

Defining Access Control Settings for Bypass Port Pairs 327

Defining Access Control Settings for Inline Tool Resources 328

Defining Access Control Settings for Service Chains 330

Chapter 21 Authentication, Authorization, and Accounting (AAA) 332

Comparing Authentication Modes 333

Configuring Remote Authentication 336

Effects of Authentication Mode Changes on Users and Groups 337

Configuring TACACS+ 338

Custom Authorization Settings 340

TACACS+ Access Control Group Settings 342

TACACS+ Servers 343

Adding a TACACS+ Server 345

Configuring TACACS+ Accounting 347

TACACS+ Configuration Examples 349

Configuring RADIUS 359

RADIUS Custom Authorization Settings 360

RADIUS Servers 362

Adding a RADIUS Server 363

RADIUS Accounting 365

Configuring the Microsoft Network Policy Server 366

Chapter 22 Monitors View 374

913-2398-01 Rev A – xiii –

Modifying Monitor Details from the Monitors View 374

Searching for a Monitor or Monitor Detail in the Monitors View 374

Operational Concepts and Actions 376

Managing Event Monitors 378

Enabling Per-Port Link Up/Down Traps 382

Sample Monitor Configuration 384

Create an Event Monitor 385

Chapter 23 Object Selection Window 388

Chapter 24 SNMP 390

SNMP 391

Supporting MIBs 392

Configuring SNMP 393

Configuring SNMP IPv6 396

Testing SNMP Traps 399

Enabling Per-Port Link Up/Down Traps 401

Chapter 25 About Local Syslog Viewer 403

Local Syslog Viewer Window 404

Chapter 26 Syslog Support 411

Adding or Modifying External Syslog Servers 413

Confirming Connections to External Syslog Servers 418

Chapter 27 CLI Command Line Interface Introduction 419

CLI Architecture 421

Communication with the Stack 422

Communication with the Client 423

CLI Client Context 424

CLI Navigation 424

CLI Commands 430

– xiv – 913-2398-01 Rev A

CLI Limitations 459

Appendix A Packet Processing Features 1

Port Tagging 2

VLAN Stripping 5

The VLAN Tag Protocol Identifier (TPID) 6

Appendix B Customizing the Diagram View 7

Displaying or Hiding Objects 8

Setting View Filters 11

Appendix C Software Upgrade/Downgrade and Cold Spare Upgrade Procedures 13

Upgrade Procedures 14

Cold Spare Upgrade 15

Software Upgrade 16

Software Downgrade 18

Downgrade Using the Web GUI 19

How to Clear the Java Cache 20

Appendix D Safety Guidelines 22

English 23

SAFETY: General Safety 23

SAFETY: Battery Disposal 24

SAFETY: Risk of Electrical Shock 25

SAFETY: Equipment with Laser Devices 25

Protecting Against Electrostatic Discharge 25

French 27

SÉCURITÉ : Sécurité générale 27

SÉCURITÉ : Élimination des piles 29

SÉCURITÉ : Risque de choc électrique 29

SÉCURITÉ : Équipement doté de dispositifs laser 29

913-2398-01 Rev A – xv –
Protection contre les décharges électrostatiques 30

Appendix E Firewall Ports to Open 31

Appendix F Syslog Messages 33

Syslog Message Format 34

– xvi – 913-2398-01 Rev A

About this Document
This document provides detailed information about the Ixia Vision Edge series E40 and E100, as well
as the procedures necessary to use the Vision E40 and E100 to manage your network. For information
about installing the Ixia Vision E40 or E100, refer to the model-specific Installation Guide for your
system.

Audience
This document is intended for Ixia customers who use the Ixia Vision Edge systems to manage a
network. Readers should be familiar with networking concepts.

–i– 913-2398-01 Rev A

About this Document

Document Conventions
Typographic
The following table describes the typographic conventions used in this document.

Convention Description Example

ABCdef Identifies book titles, emphasized You must log in as root. C:\>cd
words or words that appear in the directory_name
glossary, and command variables.
ABCdef Identifies commands and Click the OK button.
graphical user interface items with
which you interact.
ABCdef Identifies a hyperlink or URL. https://www.ixiacom.com/
ABCdef Identifies computer-generated package require anuento
output, API elements, and code
samples.
?? Indicates optional parameters ?login_id?
within a syntax description. This
convention applies to scripting
documentation only.
| Separates items in a list of
choices; used with braces (??) in a
syntax description. This
convention applies to scripting
documentation only.

Notational

The following table describes the notational conventions used in this document.

Type Icon Description

Tip Provides information that might
help you use the product more
efficiently.
Note Note: Provides information that
emphasizes the main text.
CAUTION Provides information of critical
importance that is required to
ensure your own personal safety
and to help protect your
equipment and working
environment from potential
damage.

913-2398-01 Rev A – ii –
About this Document

Type Icon Description

Indicates an electrical/laser light
hazard. This convention applies to
hardware-related material only.
Indicates that the material should
not be discarded with ordinary
waste. This convention applies to
hardware-related material only.
Indicates a dual power supply.
This convention applies to
hardware-related material only.

– iii – 913-2398-01 Rev A

About this Document

Additional Documentation
The following table lists additional documentation associated with the Vision Edge systems.

Resource Description
Ixia Vision E40/E100 Installation Guide Provides instructions for installing Ixia Vision E40 and E100
systems.
Ixia Vision E40 Web API User Guide Provide detailed information about the Ixia Vision E40 and
and Ixia Vision E100 Web API User E100 Automation Scripting capabilities through the Web API
Guide interface.

913-2398-01 Rev A – iv –
About this Document

Technical Support
For technical support, contact Ixia Network Visibility Solutions.

Email: [email protected]

– Phone:

l Direct: (512) 600-7200

l Toll Free (US & Canada only)
1-877-268-3269 (Select option 2 from the phone menu.)
l Asia
+852 2824 8850
l EMEA (Europe, Middle East, Africa)
+44 (0) 1189 076 204

The Ixia Customer Support Portal (https://support.ixiacom.com/) is also available. The customer
support portal allows customers to open support tickets, search for solutions and download
documentation. All customers with a current support contract have an employee that has been
designated as their Customer Administrator. Contact your Customer Administrator for details on how to
request an Ixia Customer Support Portal password and login account.

Optional service and maintenance contracts are available for each of Ixia’s products and may be
purchased separately. Contact Ixia at [email protected] for details.

–v– 913-2398-01 Rev A

System and Browser Requirements
Web Console System Requirements
Windows 7 (32-bit and 64-bit) and Windows 8 (32-bit and 64-bit) have been tested and are
recommended.

Web Console Browser Requirements

On Windows, Chrome version 57.x and higher is the recommended browser. Firefox v54.0.1 and
higher is supported. Internet Explorer (any version) is unsupported.

Browser Support Summary

l Chrome v57.x or higher is the recommended browser.
l Firefox v54.0.1 and higher is supported.
l Internet Explorer (IE) is unsupported.
English Language Browser Support
The Web Console only supports English (US) as the language for the browser.

Closing Persistent Tooltips

In your browser, if a tooltip does not go away during cursor movement, click on the tooltip itself to
make it disappear.

Enabling Access to Web API Documentation in Chrome

To enable access to Web API Documentation in Chrome:

1. Enable regedit, Windows Key enter "regedit.exe".

2. Navigate to HKEY_CURRENT_USER/Software/Policies/Google/Chrome.
3. Edit "AuthSchemes" to be "basic,digest,ntlm,negotiate".
4. Restart Chrome.

Deleting Text in Firefox - Backspace Key

In the Firefox browser, the Backspace key on the keyboard does not delete text.

To delete text in Firefox:

1. Select the text you wish to delete.

2. Press the Delete key on your keyboard.

– vi – 913-2398-01 Rev A
System and Browser Requirements

Firefox Settings to Support Touchscreen Laptops

Using Web Console on a laptop with a touchscreen requires a change from the default Firefox settings.
With default Firefox settings, none of the Web Console’s top navigation works, which means none of
the click events work on the top menu button (Diagram, Navigator, etc.).

To work around this issue: In your browser address field, type about:config, accept the risk on the
window that appears, search for dom.w3c_touch_events.enabled, and change the value to 0 if it is
not. This is supposed to be 0 on your desktop. The Web Console top menu bar should start working.

913-2398-01 Rev A – vii –

CHAPTER 1 Vision Edge Overview
Ixia’s Vision Edge systems are standalone, small form factor network packet brokers. Two Vision Edge
systems are available, the Edge 40 (E40) and the Edge 100 (E100), with a different number of ports
and speeds.

The E40 systems have 48, 1G/10G SFP+ data ports and six (6) 40G QSFP+ data ports. With breakout
cables, each of the 40G ports can be broken out into four (4) 1G/10G SFP+ ports, making a total of 72,
1G/10G SFP+ ports available.

The E100 systems have 32 QSFP28 data ports with the following speed options:

l 100G x 1 port
l 40G x 1 port
l 10G x 4 ports (with breakout cables)

–1– 913-2398-01 Rev A

Chapter 1 Vision Edge Overview

Interacting with the Vision Edge System

To configure and use a Vision Edge system, you can interact with it in any of the following ways:

l An HTML-based graphical user interface (GUI), the Web Console, that enables you to configure
ports, filters, and port groups. The GUI shows the port mappings visually, in an easy-to-grasp and
intuitive mode.
l A RESTful API (Web API)
l A direct connection to the Console (craft) port on the front right of the chassis, an RJ45 connector.
l A Command Line Interface (CLI) which enables the user to quickly issue simple commands so as
to get information about a Vision Edge system.

913-2398-01 Rev A –2–

Chapter 1 Vision Edge Overview

Filter Overview
This section provides an overview of the filter types that are available on the Vision Edge system.

Note: Several technical notes on advanced filtering subjects can also be downloaded from the
Ixia Customer Portal – https://support.ixiacom.com/. See Technical Support for information on
how to access the Ixia Customer Portal.

Dynamic Filters
Dynamic filters are the primary method used to filter traffic on the Vision Edge system. These are the
filters that appear in the middle of the Vision Edge system's Diagram view. They are optimized for
topologies that require both aggregating traffic from multiple network ports to a single tool, as well as
sharing traffic from a network port with multiple tools. Dynamic filters are recommended as the default
filtering approach because nearly all users have both of these topology requirements.

The following dynamic filter types are supported:

l Pass All
l Pass by Criteria (PBC)
l Deny All
l Deny by Criteria (DBC)
l PBC Unmatched
l DBC Matched

In addition to the dynamic filters, two other filter types are available: ingress filters (located in the
Network Ports column in the Diagram view) and egress filters (located in the Tool Ports column). All of
the filter types can be used in combination with each other.

Ingress Filters
Ingress filters are configured at the network port. Ingress filtering occurs immediately upon traffic
entering a network port, upstream from other filter types. One ingress filter can be applied to each
network port. Any traffic that is filtered out (that is, removed) at ingress is no longer available to any
downstream filters or tools; therefore, care should be used when applying ingress filters.

Ingress filters are typically used in conjunction with dynamic filters to remove traffic that is not needed
by the tools that are connected, or plan to be connected to a network port.

By filtering at ingress, traffic that is not needed is removed from the beginning and the overall filtering
capacity of the system is improved.

The following filter types are supported by ingress filters:

l Pass All
l Pass by Criteria (PBC)
l Deny All
l Deny by Criteria (DBC)

–3– 913-2398-01 Rev A

Chapter 1 Vision Edge Overview

Egress Filters
Egress filters are configured at the tool port. Egress filtering occurs downstream from ingress and
Dynamic filters. This filter type is typically used to optimize filtering in combination with the Dynamic
filters. Using a Deny-type filter to remove traffic that is not required by tools can also improve tool
performance.

The following filter types are supported by egress filters:

l Pass All
l Pass by Criteria (PBC)
l Deny All
l Deny by Criteria (DBC)

913-2398-01 Rev A –4–

Chapter 1 Vision Edge Overview

Filter Criteria Options

Filter Criteria Options Dynamic filters, Network ports (ingress filters) and Tool ports (egress filters) all
have filter criteria settings that enable you to define the type of traffic that passes through a filter, or
that is dropped (denied from passing) through a filter.

l Dynamic filters (which display in the center of the Diagram area) allow traffic to pass through or
to be dropped based on the defined criteria. The filters can also be configured to Pass All or Deny
All traffic.
l Two special catch-all Dynamic Filter types, PBC Unmatched and DBC Matched , support the
creation of powerful filter criteria with reduced configuration effort. Both of these filter types
complement and are intended to be used only conjointly with other filters, the PBC Unmatched
with one or more Pass By Criteria filters, and the DBC Matched with one or more Deny By Criteria
filters. These catch-all dynamic filters allow you to accumulate the traffic that would have been
filtered out and to route it to network analysis tools in order to be analyzed.
l Network ports and Tool ports can pass or deny traffic from passing through based on the defined
criteria. The port filters can also be configured to Pass All or Deny All traffic.

The following filter criteria options are available. Note that the available filter criteria options may vary
based on the object type (port or dynamic filter) and/or filter mode (Pass All or Deny All), and the Filter
Memory Allocation settings from the Diagram view > Settings > Filter Memory Allocation page.

Layer 2
l MAC Address
l Ethertype
l VLAN Tags

Layer 3 IPv4/IPv6
For Layer 3 filtering, the available options differ depending on the following filter memory allocation
settings:

IPv4 only Allocated

l DSCP/ECN
l IP Protocol
l IPv4 Address

IPv6 only Allocated

l Traffic Class
l Next Header
l IPv6 Address

IPv4 and IPv6 Allocated

l DSCP/Traffic Class
l L4 Protocol

–5– 913-2398-01 Rev A

Chapter 1 Vision Edge Overview

l IPv4 Address
l IPv6 Address

Layers3 & 4
l IPv4 Session (with IPv4 only or IPv4 and IPv6 allocated)
l IPv6 Session (with IPv6 only or IPv4 and IPv6 allocated)

Layer 4
l L4 Port (TCP/UDP Port)
l TCP Control

VxLAN
Several criteria options can be selected per filter and can be aggregated using AND or OR logical
operators. In addition to the predefined Layer 2, Layer 3, and Layer 4 fields, using the Custom
Dynamic Filtering (CDF) functionality you can also define non-IP fields such as MPLS, VxLAN, GTP-C,
and GTP-U as filter criteria.

913-2398-01 Rev A –6–

Chapter 1 Vision Edge Overview

Supported Packet Sizes

The Vision Edge systems support packet sizes from 64 bytes to 16K bytes (jumbo packets) at all line
rates.

The following information provides details about how different packets sizes are defined and handled
by the Vision Edge systems:

l Runt packets: Runt packets are packets that are less than 64 bytes. Runt packets are dropped
at the ingress of the system.
l Standard packets: Packets that are between 64 and 1,518 bytes (1522 with VLAN) are
considered standard packets. Standard packets are supported.
l Jumbo packets: Packets that are between 1,519 and 16360 bytes are considered jumbo
packets. Jumbo packets are supported on the system.

–7– 913-2398-01 Rev A

CHAPTER 2 Connecting via the Craft Port
Interface
This chapter describes the IP configuration using the craft/serial port interface, which is the preferred
initial IP configuration method. After the initial IP config, system administrators can change the IP
config through the Control Panel GUI, using the first management port (the active port).

–8– 913-2398-01 Rev A

Chapter 2 Connecting via the Craft Port Interface

Power Up the System

The Vision E40/E100 automatically powers up and installs the software the first time that power is
supplied to the chassis after the power cord is connected.

For installation instructions, see the Ixia Vision E40/E100 Installation Guide.

After the initial power up, it is best to use the graphical user interface (GUI) to power down or restart
the system. For example, if a restart is required, it is best to do it from the GUI (Actions > Restart).
Second best is to use the craft port interface Reboot System command.

Note: Although the E100 has a power button, it does nothing. The E40 has no power button.

913-2398-01 Rev A –9–

Chapter 2 Connecting via the Craft Port Interface

Craft Port Connection

You can use the craft port to configure an initial IP address with the procedure in the this section. Once
configured, use the system's Ethernet management port (MGMT) to log in to the Control Panel GUI,
install the license, and begin operating the system.

To set the initial IP address using the RJ45 CRAFT port located on the back of the unit:

1. Connect the included RS-232 (DB9) serial cable between the craft port and the serial port of a
computer running a terminal utility (on the serial port). If necessary, connect the RS-232 serial
cable and the supplied RJ45-to-DB9 adapter between the craft port and an Ethernet port of a
computer running a terminal utility (on the Ethernet port).
2. The settings of the COM port terminal utility must be set to 115200 baud, 8 data bits, 1 stop bit,
and no parity.

You can configure the system for IPv4 and IPv6.

– 10 – 913-2398-01 Rev A
Chapter 2 Connecting via the Craft Port Interface

Craft Port Main Menu

After connecting to the unit craft port, the following unit status information is displayed at the top of
the menu.

l The system IP address is displayed.

l The System Name is displayed if this feature is configured.
l System Type displays the model number.
l The System Status displays the alarm state of the system. When the System Status is “Not
ready”, the System Type will not be shown and only the Reboot System menu option will be
available.

The main Menu options are displayed below the system status information.

Main Menu options are displayed below the system status information.

Welcome to Ixia
<IP Address (IPv4 and IPv6 if it is also enabled.)>
<System Name>
<System Type: System Status>
Hit Enter to refresh status
Main Menu:
1. Reboot System
2. Shutdown System
3. IPv4 Config
4. IPv6 Config
5. Management Port Config
6. Reset Admin Password
7. Run POST tests
8. Get POST results
9. Reset Authentication Mode
Enter command number:
Tip: If 1. Reboot System is the only system menu item displayed, then Java has not finished
loading. Press the <Enter/Return> key on your PC keyboard to get Java to finish loading.

Note: Option 9. Reset Authentication Mode – resets the authentication mode to the default,
local authentication.

913-2398-01 Rev A – 11 –
Chapter 2 Connecting via the Craft Port Interface

Reboot System
From the Main menu type 1 to reboot the system and then press the Enter key on the keyboard.

A reboot verification message will be received. Type “yes” to begin the system reboot.

– 12 – 913-2398-01 Rev A
Chapter 2 Connecting via the Craft Port Interface

IP Configuration
1. From the Main menu, type 2 and then press the Enter key on the keyboard.
The following menu displays. Notice that the current settings are displayed next to each menu
item.
IP Config:
1. Set IP Address (192.168.41.99)
2. Set Netmask (255.255.255.0)
3. Set Gateway Address (192.168.41.1)
4. Commit changes
5. Cancel/Return to Main Menu
2. Enter the command number for the IP setting you wish to change (1, 2, or 3).
For this example, we select menu option 1 (Set IP Address).
The following prompt displays.
Enter new IP Address:
3. Type 192.168.162.12, and then press the Enter key on the keyboard.
A confirmation message displays.
Value entered: 192.168.162.12
Correct? Enter Y or N
4. Type y or Y, and then press the Enter key on the keyboard.
5. The IP Config menu displays the modified IP address along with the other settings and options.
Note that the modification will not take effect on the system until the changes have been
committed—menu option 4 Commit changes.
IP Config:
1. Set IP Address (192.168.162.12)
2. Set Netmask (255.255.255.0)
3. Set Gateway Address (192.168.162.1)
4. Commit changes
5. Cancel/Return to Main Menu
Select option 1, 2 or 3 to continue modifying the current IP settings using the procedure described
above.

Select option 4 to commit changes (there is another verification prompt before changes are
actually applied).
Select option 5 to cancel all changes that have not been committed.
Note: The System Status displayed on the main menu may indicate “Not ready” until the
management port configuration changes have been completed. Once the configuration changes
have completed, the full main menu displays.

913-2398-01 Rev A – 13 –
Chapter 2 Connecting via the Craft Port Interface

Management Port Configuration

The duplex mode of the Ethernet management port is set to Auto-negotiate by default.

The example below shows how to configure the Ethernet management port.

1. From the Main Menu, type 3 and then press the Enter key on the keyboard.
The following menu displays. Note that “(current)” is displayed next to the currently configured
duplex mode.
Management Port Config
1. Auto (current)
2. 1G Full
3. Return to Main Menu
2. Type a command number to select the speed/duplex mode for the management port, or type 7 if
you wish to return to main menu.
For this example, we type 2 (1G Full), and then press the Enter key on the keyboard.
A confirmation message displays.
Changing management port to 1G Full.
Type “yes” to accept, anything else to cancel:
3. To accept the change, type yes and then press the Enter key on the keyboard.
To cancel the changes, type any key on the keyboard and then press the Enter key.

– 14 – 913-2398-01 Rev A
Chapter 2 Connecting via the Craft Port Interface

Reset Administrator Password

From the Main Menu, type 4, the Reset Admin Password menu will display.

Enter the last 8 digits of the unit serial number. For example, serial number 5288- 00000003 will be
entered as “00000003.” The unit serial number is located on a pull-out tab on the front of the unit.

Welcome to Ixia
<IP Address (IPv4 and IPv6 if it is also enabled.)>
<System Name>
<System Type: System Status>
Hit Enter to refresh status
Main Menu:
1. Reboot System
2. IPv4 Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results
Enter command number:
4
Enter the key to reset the admin pasword:
00000003
Value entered: 00000003
Type "yes" to accept, anything else to cancel:
yes
The password has been reset to default.

913-2398-01 Rev A – 15 –
Chapter 2 Connecting via the Craft Port Interface

Run POST Tests

From the Main menu, type 5 to initiate the Power-On diagnostic Self-Test (POST). This will cause the
system to restart. Note that running POST adds several minutes to system startup.

The system continues to run POST every time you restart it until you disable it in the Control Panel
GUI, on the System > Settings tab, to the right of the Power-on self-test (POST) field. Disable POST
and confirm the change to stop automatically running the power-on self-test (POST) when the system
is restarted.

Welcome to Ixia
IP address: 192.168.162.33
Anue 5288: Status: Normal
Hit Enter to refresh status
Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results
7. Install Software on a Line Card or Secondary Supervisor
Enter command number:
5
Run Power On Self Tests
Type "yes" to accept, anything else to cancel:
yes
The NPB is being restarted. The power-on self-test will run during restart.

– 16 – 913-2398-01 Rev A
Chapter 2 Connecting via the Craft Port Interface

Get POST Results

From the Main menu, type 6 to retrieve the results of the last POST run. This command cannot be run
while the system is restarting.

Important! If the POST fails, contact Ixia Technical Support for assistance.

Welcome to Ixia
IP address: 192.168.162.33
Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results
7. Install Software on a Line Card or Secondary Supervisor
Enter command number:
6
Get Power On Self Tests results
Type "yes" to accept, anything else to cancel:
yes
Results: Passed

913-2398-01 Rev A – 17 –
CHAPTER 3 Configuring the Management Port
IP Address
This chapter describes the basic setup procedure and other related information required to quickly get
an Ixia Vision Edge system up and running.

Connect and Configure Ethernet Management Ports

This section covers information about connecting and configuring a Vision Edge system's Ethernet
Management Ports. Topics include:

l Port Locations and Labels

l Rules and Practices

Port Location and Label

Vision Edge 40 has one Ethernet management port and one RJ-45 serial craft port located on the front
of the chassis.

Vision Edge 100 has one Ethernet management port and one RJ-45 serial craft port located on the front
of the chassis.

Note: In the event of management port failover, the system will issue gratuitous self ARPs to
cause the remote nodes to update their ARP tables. As a consequence, you should verify that
the routers in your network have gratuitous ARPs enabled. If gratuitous ARPS are not enabled on
remote nodes, management port switchover may take longer to complete.

Configuring the Management Port IP Address

This procedure describes how to configure the management port IP address using the GUI.

For information on how to configure the management port IP address using the craft (serial) port, see
Craft Port Connection.

Important! Changing the IPv4 address, subnet mask, default gateway, IPv6 address, or
network prefix settings will restart the system and force all users off the system. The user
performing the IP address change will lose connection to the system from the Control Panel GUI
after saving the modification. To regain access to the system, log in using the new IP address. If
the newly assigned IP address values are not correct, users will not be able to access the
system remotely.

– 18 – 913-2398-01 Rev A
Chapter 3 Configuring the Management Port IP Address

1. Log in to the Web GUI using an account that has system administrator privileges.
2. Click System > Settings. The information on this tab differs depending on your system's model.

3. Click the hyperlink to the right of either IPxx configuration: field.

4. Configure the desired IP address, subnet mask and gateway in the Set IP Configuration window.
Click OK to save the changes.

913-2398-01 Rev A – 19 –
Chapter 3 Configuring the Management Port IP Address

The system supports dual stack IPv4/IPv6 management. IPv4 is always enabled and available for
static assignment. IPv6 can optionally be enabled for dual stack operation and a static IPv6
management address can be assigned. IPv6 addresses may be entered using preferred format
(for example 2001:0:0:0:0:80:21AF:3DAB) or compressed format (for example
2001::80:21AF:3DAB where ‘::’ collapses consecutive groups of zeros.
The default gateway for the system’s IPv6 management interface is automatically determined by
periodic router advertisements received on the interface.

– 20 – 913-2398-01 Rev A
CHAPTER 4 Navigating the Web Console
This section explains how to navigate the Vision Edge Web console.

Introduction
The Vision Edge GUI comprises of the following main views:

l Diagram view: This view displays the ports, port groups, and dynamic filters laid out graphically.
l Navigator view: This is a table format view of all objects—ports, dynamic filters, port groups,
resources, and so on—defined on the system. For each object a summary of properties is
displayed. In this view you can both visualize and edit an object's properties.
l Objects menu views: This is a detailed table format view of all objects defined on the system. For
each object all object properties are displayed. In this view you can both visualize and edit an
object's properties.
l Statistics views: This are detailed table views for port, port group, and Dynamic Filter statistics.
Double-clicking an object entry opens the configuration dialog for that object.
l System views: These are detailed views that display system status information, license
information, hardware information, and provide access to the system configuration parameters.

Diagram View
The Diagram view displays the ports, port groups, and dynamic filters laid out graphically. This view
shows the packets flow through the Vision Edge system, from ingress through the Network ports on the
left, traversing the Dynamic Filters shown in the middle of the view, up to egress through the Tool ports
on the right that are connected to network tools.

Network Ports
Ports designated through software as Network Ports are used to connect network taps and SPAN ports
to the system.

Dynamic Filters
Dynamic Filters are the primary method used to filter traffic on the Vision Edge system. They are
optimized for topologies that require either aggregating traffic from multiple network ports to a single
tool, or sharing traffic from a Network port with multiple tools. Dynamic Filters are recommended as the
default filtering approach because nearly all users have one or both of these topology requirements.

– 21 – 913-2398-01 Rev A
Chapter 4 Navigating the Web Console

Tool Ports
Ports designated through software as Tool Ports are used to connect tools such as data recorders,
Intrusion Protection Systems (IPS) and VoIP monitors to the system.

Navigator View
The Navigator view is a hierarchical view of all objects configured on the system, in table format:

l Ports
l Port Groups
l Dynamic Filters
l Custom Icons
l Accounts (Users and Groups)
l Templates (Filters)

From within the Navigator view, you can view and perform actions on multiple objects at once. For
example, you can open the Ports drop-list, Ctrl + click several ports to select them, right-click
and create a Port Group, as shown in the figure below.

l Access for Connecting Disconnecting

l Std Port Tagging
l Std VLAN Stripping
l Modified
l Modified By

Modifying Port Details from the Ports View

Port details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding '...' button

l By right-clicking the respective detail

You can also modify the way the table presents the port data by selecting an option from the Detail
Mode.

Note: This is available in the Ports View, Port Groups View and Dynamic Filters view.

Note: DetailMode is applicable only to the Filter Criteria of Objects and is available only in
the Objects View for Ports, Port Groups and Dynamic Filters.

To access Detail Mode, go to View -> Detail Mode:

l Compact mode displays the filter criteria in a compressed view.

l Regular mode is the Default display of the filter criteria using the short hand format.
l Verbose mode displays the filter criteria in the long hand format and makes the column very wide
if the criteria contains a lot of information.

913-2398-01 Rev A – 24 –
Chapter 4 Navigating the Web Console

Note: You can mouse over the filter criteria cell to see the details as a tool-tip.

Note: The selected mode is kept until you change to any of the remaining two modes.

Searching for a Port or Port Detail in the Ports View

To search for a particular port or port detail in the Ports view, enter the concerned port or port detail in
the search field at the top of the view.

As you type the text, the valid matches are highlighted in the view.

Port Groups View

This view displays all port groups defined on the system in table format, providing details about them,
such as port group type, defined filters and filter criteria, ports within the group, media type, link
settings and status, port group to which they belong, access permissions, port tagging, VLAN stripping,
time and date the port groups were created and name of user who created them, time and date when
they were modified and name of user who modified them.

l Port Group Name

l Port Group Type
l Port Group Mode
l Port Group Status
l Filter Mode
l Filter Criteria
l Ports
l Link Status
l Keywords
l Description
l Media Type
l Transmit Light Status
l Force Link Up
l Pause Frames Status
l Dropped Packet Status
l Fail Over Mode
l Source Filters
l Destination Filters
l Access right for Modifying, Connecting/Disconnecting
l Std Port Tagging
l Std VLAN Stripping
l Created
l Created By
l Last Modified
l Modified By

– 25 – 913-2398-01 Rev A
Chapter 4 Navigating the Web Console

Modifying Port Group Details from the Port Groups View

Port group details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding '...' button

l By right-clicking the respective detail

Searching for a Port Group or Port Group Detail in the Port Groups View
To search for a particular port group or port group detail in the Port Groups view enter the concerned
port group name or port group detail in the search field at the top of the view.

As you type the text, the valid matches are highlighted in the view.

Dynamic Filters View

This view displays all dynamic filters defined on the system in table format, providing details about
them such as filter mode and criteria, network and tool port and port groups to which they are
connected, access permissions, time and date they were created and name of user who created them,
time and date they were modified and the name of the user who modified them.

The following details are available for each dynamic filter listed in the Dynamic Filters view:

l Name
l Filter Mode
l Filter Criteria
l Keywords
l Description
l Network Ports
l Network Port Groups
l Tool Ports
l Tool Port Groups
l Modification Access
l Network Port Access
l Tool Port Access
l Created
l Created By
l Last Modified
l Modified By

Modifying Dynamic Filter Details from the Dynamic Filters View

Dynamic filter details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding '...' button

913-2398-01 Rev A – 26 –
Chapter 4 Navigating the Web Console

l By right-clicking the respective detail

Searching for a Dynamic Filter or Dynamic Filter Detail in the Dynamic Filters
View
To search for a particular dynamic filter or detail in the Dynamic Filters view:

l In the search field at the top of the view, enter the concerned dynamic filter or detail.
As you type the text, the valid matches are highlighted in the view.

Users View
This view displays all users defined on the system in table format, providing details about them such
as login id, user role, full name, email address, telephone number, group ownership and membership,
time and date they were modified and name of user who modified them.

The following details are available for each user listed in the Users view:

l User Login Id—the ID assigned to a user

l Is System Admin—has system administrator privileges and capabilities, indicated by a check
mark (√)
l Full Name—the user's full name, first and last names
l Locked Status—indicates whether a user can log in; unlocked means they can, locked means
they cannot
l Session Count Details—indicates how many sessions the user has open, through the Java or
Web Console
l Email Address—lists the email address of the user
l Phone Number—lists the phone number of the user
l Owner of Groups—lists the groups where the user is an owner; right-click to add or remove
from as group owner
l Member of Groups—lists the groups where the user is a member; right-click to add or remove
from groups
l Last Modified Time—shows the date and time of the latest modifications
l Last Modified By—shows who modified information and privileges of the user
l Created Time—shows the date and time the user was created
l Created By—shows who created the user

For more information please see Add Users and Managing Users.

Modifying Users Details from the Users View

User details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding "..." button

l By right-clicking the respective detail

The right-click menu and "..." button options are:

– 27 – 913-2398-01 Rev A
Chapter 4 Navigating the Web Console

l Add to Group
l Remove from Group
l Delete
l Properties

Searching for a User or User Detail in the Users View

To search for a particular user or user detail in the Users view:

l In the search field at the top of the view, enter the concerned user or user detail.
As you type the text, the valid matches are highlighted in the view.

User Groups View

This view displays all user groups defined on the system in table format, providing details about them
such as log in id, user role, full name, email address, telephone number, group ownership and
membership, time and date they were modified and name of user who modified them.

The following details are available for each user group listed in the User Groups view:

l Group Name—the name given to the group by its creator

l Group ID—the number assigned to the group by the system
l Description—information entered into the description field for the group
l Group Members—lists the names of the members in the group
l Group Owners—lists the names of the owners of the group
l Used in Ports—indicates the ports where a group has been granted access by an administrator
l Created By—shows who (which administrator) or what (internal) created the group
l Created Time—shows the date and time the group was created
l Modified By—shows who last modified the group
l Modified Date—shows the date and time of the last modification

For more information please see Add User Groups and Managing Users.

Modifying User Groups Details from the User Groups View

User group details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding "..." button

l By right-clicking the respective detail

The right-click menu and "..." button options are:

l Add User(s)
l Remove User(s)
l Delete
l Properties

913-2398-01 Rev A – 28 –
Chapter 4 Navigating the Web Console

Searching for a User Group or User Group Detail in the User Groups View
To search for a particular user group or user group detail in the User Groups view:

l In the search field at the top of the view, enter the concerned user group or detail.
As you type the text, the valid matches are highlighted in the view.

Monitors View
Event monitors allow you to send SNMP traps or syslog messages when certain conditions or events
occur—for example, when invalid packets are received, utilization thresholds are exceeded, or packets
are dropped.

You can configure the event monitors in a flexible way such as to receive only a reasonable amount of
alert information, and you can also configure them to ignore transient events that would otherwise
generate a flood of messages.

This view displays all monitors defined on the system in table-like format, providing details about
them such as monitor name, description, trigger statistics, conditions and ports, SNMP traps actions,
syslog actions, time and date the monitors were created and name of user who created them, time and
date when they were modified and name of user who modified them.

l Monitor Name
l Description
l Trigger Statistics
l Trigger Condition
l Trigger Ports
l SNMP Trap Action
l Syslog Action
l Created By
l Created Time
l Modified By
l Modified Date

Modifying Monitor Details from the Monitors View

Monitors details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding '...' button

l By right-clicking the respective detail

Searching for a Monitor or Monitor Detail in the Monitors View

To search for a particular monitor or monitor detail in the Monitors view:

l In the search field at the top of the view, enter the concerned monitor name or detail.
As you type the text, the valid matches are highlighted in the view.

– 29 – 913-2398-01 Rev A
Chapter 4 Navigating the Web Console

Statistics Menu Views

This menu provides access to the following views:

l Port Stats
l Port Groups Stats
l Dynamic Filter Stats

Each of these views provides a tabular view of the statistics available for the specific object type. In
any of these views, you can double-click an object to display its Properties window which provides
access to all the object's configurations settings.

Port Stats
This view lists the statistics for all port types, in table format, providing details such as port name, port
mode, and the corresponding statistics.

Depending on the port type, the corresponding statistics columns are filled with actual values, while
statistics pertaining to other port types appear as 'n/a'. For example, for a network port, the statistics
characteristic of tool ports appear as 'n/a'.

In general, the following information is listed:

Stat Object: This field lists the object type.

Object Name: This field lists the name of the object. The field will list the default name if a unique
name has not been assigned to the port.

Ellipses (Button): Click this button to access the same options that are available when you right-
click a port. For example, port mode, disable, clear criteria, connect to, etc.

The terms below are used to describe the port statistics.

l Utilization: The percentage of available port bandwidth being used to transmit or receive traffic.
l Peak: A display of the largest value recorded in any single second since statistics were last reset
for the port. Please note that since statistics are sampled once per second, peaks that occur
between samples may be missed, and may be larger than what is actually reported.
l Since peak: The amount measured since the peak value was recorded.
l (Curr): Current -The rate measured within the last second.
l Passed: A count of the bits/bytes/packets that were passed by a filter.
l Inspected: A rate of inspected bits/bytes/packets. Inspected bits/bytes/packets reached a port
but may not have passed through the port due to filtering.
l (***/Sec): Per Second.
l (Avg): Average.

Specifically, the following statistics are available in the Ports Stats view:

l Rx/Tx Utilization (curr%)

l Rx/Tx Utilization (avg%)

913-2398-01 Rev A – 30 –
Chapter 4 Navigating the Web Console

l Rx/Tx Utilization (peak%)

l Rx/Tx Utilization (since peak)
l Passed Bytes (curr %)
l Passed Bytes (avg %)
l Passed Bytes (peak %)
l Passed Bytes (since peak)
l Passed Packets (curr %)
l Passed Packets (avg%)
l Passed Packets (peak%)
l Passed Packets (since peak)
l Inspected Bits/Sec (curr)
l Inspected Bits/Sec (avg)
l Inspected Bits/Sec (peak)
l Inspected Bits/Sec (since peak)
l Inspected Bytes
l Inspected Pkts
l Inspected Pkts/Sec (curr)
l Inspected Pkts/Sec (avg)
l Inspected Pkts/Sec (peak)
l Inspected Pkts/Sec (since peak)
l Passed Bytes (count)
l Passed Bits/Sec (curr)
l Passed Bits/Sec (avg)
l Passed Bits/Sec (peak)
l Passed Bits/Sec (since peak)
l Passed Packets (count)
l Passed Pkts/Sec (curr)
l Passed Pkts/Sec (avg)
l Passed Pkts/Sec (peak)
l Passed Pkts/Sec (since peak)
l Time Since Stats Reset
Modifying Statistic Details from the Port Stats View
Any of these statistics details can be modified using the right-click menu, which can be brought up
either:

l By clicking the corresponding '...' button

– 31 – 913-2398-01 Rev A
Chapter 4 Navigating the Web Console

l By right-clicking the respective statistic or statistic detail

Searching for a Statistic or Statistic Detail in the Port Stats View

To search for a particular statistic or statistic detail in the Port Stats view:

l In the search field at the top of the view, enter the concerned statistic name or detail.
As you type the text, the valid matches are highlighted in the view.

Combined Object Views

This section describes how to view objects (such as tool ports) based on object type. You can also view
different object types in the same table view using the following method:

1. On the Diagram panel, select objects that are of a different type (for example a network port, a
dynamic filter, and a tool port). The Diagram panel menu will display the number of objects
selected in the 'Selected #' format.
2. Click Selected # > Statistics > Statistics Grid.
Alternatively right-click one of the selected objects and click Statistics > Statistics Grid.
If you select Statistics Panel instead of Statistics Grid, the statistics for each object will
display in separate windows.

Port Groups Stats View

This view lists the statistics for all port group types, in table format, providing details such as object
name, port mode, and the corresponding statistics.

Depending on the port and port group type, the corresponding statistics columns are filled with actual
values, while statistics pertaining to other port and port group types appear as 'n/a'. For example, for a
network port group, the statistics characteristic of tool port groups appear as 'n/a'.

In general, the available Tool interconnect port group (ICPG) statistics are the same as the statistics
provided for tool ports except that the counts and rates/percentages values reported are for the
combined traffic of all ports within the port group and that Load Balance Distribution statistics are
provided. See also Port Stats.

Specifically, the following statistics are available in the Ports Groups Stats view:

l Rx/Tx Utilization (curr%)

l Rx/Tx Utilization (avg%)
l Rx/Tx Utilization (peak%)
l Rx/Tx Utilization (since peak)
l Passed Bytes (curr %)
l Passed Bytes (avg %)
l Passed Bytes (peak %)
l Passed Bytes (since peak)
l Passed Packets (curr %)
l Passed Packets (avg%)
l Passed Packets (peak%)

913-2398-01 Rev A – 32 –
Chapter 4 Navigating the Web Console

l Passed Packets (since peak)

l Inspected Bits/Sec (curr)
l Inspected Bits/Sec (avg)
l Inspected Bits/Sec (peak)
l Inspected Bits/Sec (since peak)
l Inspected Bytes
l Inspected Pkts
l Inspected Pkts/Sec (curr)
l Inspected Pkts/Sec (avg)
l Inspected Pkts/Sec (peak)
l Inspected Pkts/Sec (since peak)
l Passed Bytes (count)
l Passed Bits/Sec (curr)
l Passed Bits/Sec (avg)
l Passed Bits/Sec (peak)
l Passed Bits/Sec (since peak)
l Passed Packets (count)
l Passed Pkts/Sec (curr)
l Passed Pkts/Sec (avg)
l Passed Pkts/Sec (peak)
l Passed Pkts/Sec (since peak)
l Time Since Stats Reset
Modifying Statistic Details from the Port Groups Stats View
Any of these statistics details can be modified using the right-click menu, which can be brought up
either:

l By clicking the corresponding '...' button

l By right-clicking the respective statistic or statistic detail

Searching for a Statistic or Statistic Detail in the Port Groups Stats View
To search for a particular statistic or statistic detail in the Port Groups Stats view:

l In the search field at the top of the view, enter the statistic name or detail.
As you type the text, the valid matches are highlighted in the view.

Dynamic Filter Statistics View

This view lists the statistics for all dynamic filters defined on the system, in table format, providing
details such as object name, filter mode, and the corresponding statistics.

– 33 – 913-2398-01 Rev A
Chapter 4 Navigating the Web Console

The following information is listed:

Stat Object: This field lists the object type.

Object Name: This field lists the name of the object. The field will list the default name if a unique
name has not been assigned to the filter.

Ellipses (Button): Click this button to access the same options that are available when you right-
click a dynamic filter.

The terms below are used to describe the port statistics.

l Utilization: The percentage of available port bandwidth being used to transmit or receive traffic.
l Peak: A display of the largest value recorded in any single second since statistics were last reset
for the port. Please note that since statistics are sampled once per second, peaks that occur
between samples may be missed, and may be larger than what is actually reported.
l Since peak: The amount measured since the peak value was recorded.
l (Curr): The current rate is the rate measured within the last second.
l Passed: A count of the bits/bytes/packets that were passed by a filter.
l Denied: A count of the bits/bytes/packets that were blocked or denied by a filter.
l Inspected: A rate inspected bits/bytes/packets. Inspected packets reached a port but may not
have passed through the port due to filtering.
l (***/Sec): Per Second.
l (Avg): Average.

Specifically, the following statistics are available in the Dynamic Filter Stats view:

l Passed Bytes (curr %)

l Passed Bytes (avg %)
l Passed Bytes (peak %)
l Passed Bytes (since peak)
l Passed Packets (curr %)
l Passed Packets (avg%)
l Passed Packets (peak%)
l Passed Packets (since peak)
l Denied Bits/Sec (curr)
l Denied Bits/Sec (avg)
l Denied Bits/Sec (peak)
l Denied Bits/Sec (since peak)
l Denied Bytes
l Denied Bytes (curr%)
l Denied Bytes (avg%)
l Denied Bytes (peak%)
l Denied Bytes (since peak)

913-2398-01 Rev A – 34 –
Chapter 4 Navigating the Web Console

l Denied Packets (curr%)

l Denied Packets (avg%)
l Denied Packets (peak%)
l Denied Packets (since peak)
l Denied Packets (count)
l Denied Pkts/Sec (curr)
l Denied Pkts/Sec (avg)
l Denied Pkts/Sec (peak)
l Denied Pkts/Sec (since peak)
l Inspected Bits/Sec (curr)
l Inspected Bits/Sec (avg)
l Inspected Bits/Sec (peak)
l Inspected Bits/Sec (since peak)
l Inspected Bytes
l Inspected Pkts
l Inspected Pkts/Sec (curr)
l Inspected Pkts/Sec (avg)
l Inspected Pkts/Sec (peak)
l Inspected Pkts/Sec (since peak)
l Passed Bytes (count)
l Passed Bits/Sec (curr)
l Passed Bits/Sec (avg)
l Passed Bits/Sec (peak)
l Passed Bits/Sec (since peak)
l Passed Packets (count)
l Passed Pkts/Sec (curr)
l Passed Pkts/Sec (avg)
l Passed Pkts/Sec (peak)
l Passed Pkts/Sec (since peak)
l Time Since Stats Reset
Modifying Statistic Details from the Dynamic Filter Stats View
Any of these statistics details can be modified using the right-click menu, which can be brought up
either:

l By clicking the corresponding '...' button

l By right-clicking the respective statistic or statistic detail

– 35 – 913-2398-01 Rev A
Chapter 4 Navigating the Web Console

Searching for a Statistic or Statistic Detail in the Dynamic Filter Stats View
To search for a particular statistic or statistic detail in the Dynamic Filter Stats view:

l In the search field at the top of the view, enter the concerned statistic name or detail.
As you type the text, the valid matches are highlighted in the view.

System Menu Views

The System menu provides access to the following views:

l System Status
l System Settings
l System License
l System Hardware Information

System Status View

This view displays overall status of the system and its components, information such as uptime,
component temperatures, and event history. This information is organized into the following sections:

l System Time Status

l General
l System History
l Power Supplies
l Fan Modules
l Port Modules

See Viewing System Status.

System Settings View

Displays the current values of the system-wide configuration settings, and for system administrators,
provides a means to change the settings. Non-administrators can view the settings but cannot change
them.

System settings are organized into the following areas:

l General
l Remote Services
l Filter Memory Allocation
l Tool Port Group Load Balance Settings

System License View

Displays the current licenses installed in the system, organized into the following sections:

l Feature summary
l Port license assignments

913-2398-01 Rev A – 36 –
Chapter 4 Navigating the Web Console

l Unused floating port licenses

l System software

See Viewing and Managing Licenses.

System Hardware View

Provides hardware information about the System, System Components, and Modules. Part numbers,
serial numbers and other hardware information is provided.

– 37 – 913-2398-01 Rev A
Chapter 4 Navigating the Web Console

Quick Access Pane

The Quick Access pane lists the system resources available for you to attach to ports and filters.

From the Quick Access pane, you can assign a resource to a port or filter using drag and drop.

You can also select the Object Type Visibilities option.

Selected object types are displayed in the Quick Access panel, if you deselect an object type and
click -Done- the deselected object type disappears from the Quick Access panel.

Note: All object visibilities are reset to the default values after leaving the Diagram view.

Note: The above image is just an example and some Object types and elements may not show
exactly as above, depending on the product.

Help Menu
Access the following items:

913-2398-01 Rev A – 38 –
Chapter 4 Navigating the Web Console

l Context Help
l API Documentation
l Download Logs (from system)
l About (the Web Console)

Features Common to All Views

At the top of the browser window are features common to all views. These features are visible
regardless of the currently selected view.

Welcome: The user ID of the user currently logged in to the Web Console.

to: The location of the Web Console host where the current user is logged on.

Sessions: The number of sessions currently logged in to this location of the Web Console.

Version: The software version running on the Web Console.

Filters: The current filter memory allocation and percentage for the different object types.

To change how filter memory is allocated, see Filter Memory Allocation.

Alarms: The current status of hardware components that can show alarms.

– 39 – 913-2398-01 Rev A
Chapter 4 Navigating the Web Console

Last update: The latest Web Console update and refresh statistics.

Logout: The button for logging out of the current Web Console session.

Right-click Menu
Right-clicking an object in a Diagram view, Navigator view, or Objects view opens a drop-down list
with the following options:

Port Mode: Sets the highlighted port to one of the available port modes (Network, Tool,
Bidirectional, Loopback, or Simplex).

Port Mode: Sets the highlighted port to one of the available port modes (Network, Tool,
Bidirectional, or Loopback).

Disable: Disables the highlighted port.

Filter Mode: Sets the highlighted filter to one of the available filter modes.

Clear Criteria: Clears currently applied filter criteria.

Connect To: Allows you to select ports, port groups, and dynamic filters to which to connect a
particular object. The choices vary with the object type.

l Dynamic Filter(s)...
l Tool Port(s)...
l Tool Port Group(s)...

Permissions: Allows you to grant or take away privileges to view ports, port groups, or dynamic
filters, change port or filter configuration settings or either connect or disconnect various objects.

l Access Control List: Opens the Modify Access Control List Dialog on page 42, where you can
grant or take away privileges to view the selected object or change its configuration settings.

913-2398-01 Rev A – 40 –
Chapter 4 Navigating the Web Console

l For Viewing:
n Allow All : Allows all user types to view the selected object.
n Inherit (only for Dynamic Filters): View access settings are inherited from the port(s) to
which the filter is connected.
n Require Group Member: Only users who are part of specified user group(s) can view the
selected object.
n Require Admin: Only users with administrative privileges can view the selected object.
l For Modifying:
n Allow All : Allows all user types to make modifications to the selected object.
n Inherit (only for Dynamic Filters): Modify access settings are inherited from the port(s) to
which the filter is connected.
n Require Group Member: Allows only members of specified user group(s) to make
modifications to the selected object.
n Require Admin: Allows only users with administrative privileges to make modifications to
the selected object.
l For Out Connections (only for network ports):
n Allow All : Allows all user types to connect or disconnect various objects.
n Require Group Member: Allows only members of specified user group(s) to connect or
disconnect various objects.
n Require Admin: Allows only users with administrative privileges to connect or disconnect
various objects.
l For In Connections (only for tool ports):
n Allow All : Allows all user types to connect or disconnect various objects.
n Require Group Member : Allows only members of specified user group(s) to connect or
disconnect various objects.
n Require Admin: Allows only members of specified user group(s) to connect or disconnect
various objects.

Flag/Unflag: Once flagged, a particular object appears as such also when switching from the
current view (where it was flagged) to other views. It acts like a global selection. For example, if you
flag port PA04 in the Ports view, when switching to the Navigator view or the Diagram view, it
appears flagged in these views as well.

Create Interconnect Port Group: Allows you to create an interconnect port group using the
selected object.

l Network
l Bidirectional

Add to Interconnect Port Group: Allows you to add to an existing interconnect port group the
selected object.

Keywords...: Allows you to view the keywords applied to the selected object and add new ones to it.

Statistics: Allows you to perform various operations related to statistics.

– 41 – 913-2398-01 Rev A
Chapter 4 Navigating the Web Console

l View Statistics: Opens the Statistics view for the selected object.
l Reset Statistics: Resets the statistics for the selected object.
l View Statistics Graph...: Opens the Graph tab of the selected object's Statistics view.

Properties: The selected object's properties. For port properties, see Port Properties. For port
group properties, see Interconnect Port Group - Properties Tab. For dynamic filter properties, see
Dynamic Filter - Properties Tab.

Modify Access Control List Dialog

In the Modify Access Control List dialog you can grant or take away privileges to view or modify the
selected object (be it a port, port group, or dynamic filter).

The following settings are available in this dialog:

l My Access: Lists the current access setting for the current user. It depends on the access option
set in the New Setting column.
l Access Type: Lists the current access type for the current user (access for viewing or
modifying).
l Current Setting: Lists the currently applied access setting details. Options include:
n Allow All : Depending on the access type (view or modify), all user types can view and/or
modify the selected object.
n Inherit (for dynamic ports only): The access type is inherited from the port(s) to which the
filter is connected. See Access Control for Dynamic Filters on page 324 for details on access
policies for dynamic filters.
n Require Admin: Only users with administrative privileges can view and/or modify the
selected object.
n Require Group Member: Only members of specified user group(s) can view and/or modify
the selected object.
For example, for a dynamic filter ("F4"), for the 'View' access type, the following access details
are provided:
' Members of EVEN and ODD
Inherited from network and tool ports
n P05,P07: Require Group Member: EVEN
n P47: Require Group Member: ODD'
This means:
n Users u1, u3, u-all (making up ODD group) and u2, u4, u-all (making up EVEN group) are
already existing
n For example, dynamic filter F4 with 'Inherit' privileges is connected to network ports P05,
P07 (Require Group Member: EVEN)
n F4 is also connected to tool port P47 (Require Group Member: ODD)
n As u-all is the only user common to both EVEN and ODD groups, u-all can view P05, P07,
P47, and F4
l New Setting: Provides a drop-down box with options to modify the currently applied access
setting. For example, if the current access setting for viewing for the selected element ("P05") is

913-2398-01 Rev A – 42 –
Chapter 4 Navigating the Web Console

'Require Group Member' (only members of the EVEN user group can view it), you can set it, for
example, to Allow All so that all user types can view it.

– 43 – 913-2398-01 Rev A
CHAPTER 5 Exporting and Importing a
Configuration
The configuration can be exported and imported. There are options that allow pre-defined subsets of
the configuration to be exported/imported as well as options that allow for the customization of
exported/imported data.

Note that the configuration database (stored on the system server) is automatically backed up as
necessary on the unit itself. Importing and exporting can be used to perform manual backups, to save
and restore specific configurations, or to copy settings between units.

Note: Export/import issues may arise as the filter memory nears 100% in use (full).

The available filter memory is displayed at the top of the Web Console.

Click it to see how much filter memory is available.

Note: Both export and import operations can be performed only by a user having an admin role.

The export and import features allow the user to accomplish four (4) essential tasks:

l Make a full backup of the system configuration. This feature can be used to restore a unit to a
base configuration in the case of accidental data loss.
l Make identical copies of a “master” unit. The master configuration could be used as a starter
template when there is a need to deploy several units.
l Allow users to share partial information between units.
l Allow for easily changing the traffic configuration of a unit.

While importing a configuration, the progress of the import file upload and contents return is shown.
While applying it, all other operations are blocked and the status of the import is shown.

Likewise, while exporting a configuration, progress of the configuration processing and file download is
shown.

– 44 – 913-2398-01 Rev A
Chapter 5 Exporting and Importing a Configuration

Export Types
There are three (3) export types allowable for a system:

l Full Backup – This export is a copy of the entire configuration:

n All ports, port groups, dynamic filters, and custom port icons
n All system settings, including system load balance settings that port groups depend on
n All configuration settings
n Libraries
n Port licenses and allocations
l Traffic Configuration – This export saves the following configuration information:
n All ports, port groups, dynamic filters, and custom port icons
n System load balance settings that port groups depend on
n Port licenses and allocations
n System settings related to ports, port groups and filters, including filter memory allocation
settings, port group load balance settings (if applicable), etc.
l Custom – This export gives you the option to select the objects that will be saved to the
configuration file, including:
n The specific Library items you select to export – for example, filter templates and custom
icons
n The specific system settings you select to export
n Unlike 3.x, the current version of the software does NOT allow custom export of ports, port
groups, and dynamic filters
Note: Regardless of the export type, the default administrator account and the system IP
address settings (IP, Subnet Mask, Default Gateway) are never exported/imported.

Important! On export, all access control settings for bypass port pairs, inline tool resources,
and service chains are exported.

913-2398-01 Rev A – 45 –
Chapter 5 Exporting and Importing a Configuration

Import Behavior and Characteristics

When importing a configuration, the options and items available for import vary depending on the type
of the export file and depending on the unit into which the configuration is being imported. Some of the
factors affecting the items available for import are shown below:

l On systems, you can import only a configuration file that was exported from another system of
the same type.
l Users cannot be shared between units and can be imported only into the same unit from which
they were exported.
l If you import an older configuration that has a mix of multicast and non-multicast addresses,
those filter criteria are removed from the filter and the filter is set to Disable. The same thing
happens if you have a mix of multicast and non-multicast addresses and upgrade from an older
version to release 4.3 or higher.
l You cannot import filter criteria templates that include custom fields unless the import also
includes the custom dynamic filtering property. During import when custom dynamic filtering is
not included, filter criteria templates that contain custom fields will be removed from the import
and you will be informed of this.
l On import, access control settings are impacted as follows:
n User groups are preserved on the destination system
n Access control settings from the inline resources in the import file are used
n If access control policies for the imported BPPs, ITRs, and SCs involve non-existing groups,
new, empty groups with the same names are created on the destination system and the
importing user is provided with a list of these and the affected BPPs, ITRs, and SCs

These factors result in several different options being available during an import.

For example, when importing a full backup configuration into the same unit that it was exported
from, the user will be given the following import options:

l Full Import (from Backup)

l Traffic Configuration
l Custom

When importing a full backup configuration into a different unit, the user will given the following
import options:

l Full Copy (without users)

l Traffic Configuration
l Custom
n Supports Library, system, users (if configured), and groups (if configured)
n Does NOT support ports, port groups, and dynamic filters

When importing a traffic configuration into the same or a different unit, the full import options
will not be available, and the user will be given the following import options:

– 46 – 913-2398-01 Rev A
Chapter 5 Exporting and Importing a Configuration

l Traffic Configuration
l Custom

When importing a custom configuration, the full import and traffic configuration options will not
be available. Only the custom option will be available.

Note:
l In the current version of the Vision NPB software ports, port groups, and dynamic filters
cannot be imported using a Custom import.
l The user will be alerted if any of the requested items could not be imported.
l Importing a configuration that changes management port settings will result in the system
restarting.
l Importing a configuration that changes the authentication mode or the TACACS+ or RADIUS
configuration settings will result in all users being logged out of the system.

913-2398-01 Rev A – 47 –
Chapter 5 Exporting and Importing a Configuration

Exporting a Configuration
To export a configuration:

1. From the View Control Bar, select Actions > Export Config.
The Export Configuration window appears.

2. As an option, you can enter a description of the export configuration in the Description field to
describe the contents and purpose of the export file. The description will be visible later when
importing this file.

– 48 – 913-2398-01 Rev A
Chapter 5 Exporting and Importing a Configuration

3. Open the Export Type drop-list and select the type of export – Full Backup, Traffic
Configuration, or Custom.
The components of the configuration change depending on the type of export selected.
Note that only the Custom export allows you to select check boxes for components to include in
the export or clear check boxes for components to exclude from the export.
Hover the mouse over a component to show more information about that component displaying
as a pop-up tool tip. To view an example tool tip, see the previous figure.
4. Click the Export button.
The Confirm - Export Configuration dialog appears.
5. Click Yes to confirm the configuration export.
The Save As dialog appears.
6. Navigate to an existing directory or create a directory for the export file.
Note: Once you export a configuration, future exports default to the same directory.
7. Accept the default name for the file or enter a new name in the File name field.
Note: By default the NPB configuration files have an “.ata” file extension. The default file
name is ModelNumber_YYYYMMDD_ExportType.ata, where the export type can be FULL,
TRAFFIC, or CUSTOM.
8. Click Save.
The configuration file saves to the directory you selected or created.

913-2398-01 Rev A – 49 –
Chapter 5 Exporting and Importing a Configuration

Importing a Configuration
To import a configuration:

1. From the View Control Bar, select Actions > Import Config.
The Select Import Configuration File dialog appears.

2. Navigate to the directory where you saved the config file(s).

Note that the NPB configuration files have an “.ata” file extension by default.
3. Select the relevant configuration file and click Open.
The selected configuration file name appears in the Config File field.
4. Click OK.
The Import Configuration window appears.

– 50 – 913-2398-01 Rev A
Chapter 5 Exporting and Importing a Configuration

5. Open the Import Type drop-list and select the type of import – Full Restore, Full Restore
(No Users), Traffic Configuration, or Custom.
The components of the configuration change depending on the type of export selected.
Note that only the Custom import allows you to select check boxes for components to include in
the import or clear check boxes for components to exclude from the import.
Hover the mouse over a component to show more information about that component to display as
a pop-up tool tip.
6. Click the Import button.
The Import Configuration confirmation dialog appears.

913-2398-01 Rev A – 51 –
Chapter 5 Exporting and Importing a Configuration

7. Click Yes.
After importing the configuration, a Logout confirmation dialog appears.

8. Click OK.
The system shows a logout in progress indicator.

– 52 – 913-2398-01 Rev A
CHAPTER 6 Configuring Ports, Port Groups,
and Dynamic Filters in the Diagram View
This section provides information on creating, configuring, and linking ports, port groups, and dynamic
filters in the Diagram view of the Web Console application.

Generally, defining a packet flow that traverses the system and is then sent to network tools, such as
IDS, analyzers, and so on, entails the following operations:

l Creating and configuring a Network port for the ingress live traffic. Similar to a Dynamic Filter, a
Network port can also apply traffic filtering.
l Creating and configuring a Tool port for the egress traffic. Similar to a Dynamic Filter, a Tool port
can also apply traffic filtering.
l Connecting the ports using a Dynamic Filter that performs additional filtering using either static or
dynamic fields. .

Using a more advanced scenario, you can choose to receive the ingress traffic via an ingress Network
Interconnect Port Group that is connected to multiple Dynamic Filters. In a configuration where each
Dynamic Filter is connected to a different Tool port, you can define a number of non-overlapping
filtering criteria such that each connected Tool port receives different traffic flows.

Network Ports
Ports designated through software as Network Ports are used to connect network taps and SPAN ports
to the system.

– 53 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Tool Ports
Ports designated through software as Tool Ports are used to connect tools such as data recorders,
Intrusion Protection Systems (IPS) and VoIP monitors to the system.

Introduction to Creating Objects

Generally, defining a packet flow that traverses the system and is then sent to network tools, such as
IDS, analyzers, and so on, entails the following operations:

Configuring Ports
Before you configure traffic filtering on a Vision Edge E100Edge E40 system, you must decide how you
want the traffic to flow through it. You typically decide which are the Network (ingress) ports, which
dynamic filters these are connected to, and which Tool (egress) ports the filters are linked to.

As a reminder, Network ports are connected to network devices such as switches, routers, SPANs, and
taps, while Tool ports are used to connect the system to network tools such as protocol analyzers and
intrusion protection systems.

Based on this assessment, you can assign to each port a port mode that works best for the desired
traffic flow, as long as the port mode is available on that port type. Depending on the port type, the
following port modes are available on a Vision Edge E100Edge E40 system:

l Network
l Tool
l Bidirectional
l Simplex
l Loopback

To determine which port types support the port modes above on your system, see the Port Mode
Compatibility Guidelines.

Port Mode Compatibility Guidelines

All NPB ports support the following port modes:

913-2398-01 Rev A – 54 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

l Network
l Tool

Most NPB ports support the following port modes:

l Bidirectional (Bidi)
l Loopback

The following table shows which port types support and which do not support Bidi, Loopback, and
Simplex port modes on the Vision E40.

Port
Ports Type Bidi Loopback Simplex

48 SFP/SFP+ 1G/10G SFP/SFP+ √ √ √

6 QSFP+ 40G QSFP+ √ √ x

6 QSFP+ 40G with breakout cables converting a QSFP+ SFP+ √ √ x

port to 4 SFP+ ports

The following table shows which port types support and which do not support Bidi, Loopback, and
Simplex port modes on the Vision E100.

Ports Port Type Bidi Loopback Simplex

32 QSFP28 QSFP28 √ x x
100G

QSFP28 SFP+ √ x x
100G port
with
breakout
cables
converting
QSFP28 to
SFP+ ports

Configuring Network and Tool Ports

Any port can be configured as a Network or a Tool port. The configuration options for Network and Tool
ports are the same except where noted.

Port Properties
The Port Properties dialog has the following tabs which group the various configuration settings:

l General – Used to define a port name, port description and to configure link settings. For more
information, see General Tab.

– 55 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

l Filter Criteria– Used to specify the filtering criteria applied by the port. For more information,
see Filter Criteria Tab.
l Connections – Used to configure the port's connection(s) to Dynamic Filters. For more
information, see Connections Tab.
l Access Control – Used by system administrators to define the access policies for the port. For
more information, see Access Control Tab.
l Packet Processing – Used to select the standard Packet Processing functionality that is applied
by the port. For more information, see Packet Processing Tab.

To configure a port, click a port's icon or double-click the port icon.

General Tab
The General Tab options are the following:

l Name: This field allows a name to be assigned to the port. A default name, such as , will be used
if none is specified.
l Description: The description field provides a means to document detailed information about the
port. This information will display in the tooltip help of the port icon and in the Navigator and the
Objects > Ports view.
l Keywords: Enables you to assign keywords to the port. You can then search on these keywords
to find the port in the Diagram view and other views.
l Port Settings: This area contains media-related settings, such as media type, port mode, port
status, and so on. See Port Settings.
l Port Status: Displays the connectivity status of the port, one of the following:
n Link Up
n Link Down

A link down icon ( ) appears on the port icon when a port is enabled and link down.
Note: When Force Link Up is enabled on a Tool port, the Link Status field appears
as not applicable (N/A).

Port Settings

Port Icon: Enables you to assign the port an image that used to render the port in the Diagram view.

Media Type: The media type for the port connection. Possible values depend on licensing. If a port is
a 1G SFP/10G SFP+ port, you can license it for 1G only or for 1G/10G. When ports are licensed for
1G/10G, you can select which media type you want to use (1G SFP or 10G SFP+) for each port.

The E40 port media types can be one of the following:

l 1G SFP
l 10G SFP+
l 40G QSFP+ [There are six (6) of these ports on the E40.]

913-2398-01 Rev A – 56 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

l 10Gx4 (using 40G QSFP+ ports)

n The system creates four (4) 10G ports when you use breakout cables and change the QSFP
mode to 10G SFP+.
n After connecting breakout cables, right-click the 40G QSFP+ port and select Speed
configuration > 10G SFP+ .
n For more details, see Convert 10G or 40G Ports.

The E100 QSFP28 ports can be one of the following:

l 100G QSFP28 (the default speed)

l 40G QSFP+
l 10Gx4
n The system creates four (4) 10G ports when you use breakout cables and change the QSFP
mode to 10G SFP+.
n After connecting breakout cables, right-click the QSFP28 port and select Speed
Configuration > 10G SFP+ .

Port Mode: You can select the following modes:

l Network: Network ports are used to connect SPAN ports or taps to the NPB. Network ports
appear on the left side in the Diagram view.
l Tool : Tool ports are used to connect devices such as intrusion detection systems, VoIP
analyzers, and data storage devices to the NPB. Tool Ports will display on the right side of the
Diagram area.
l Bidirectional : Bidirectional mode ports are ports that have both a Network side (ingress) and a
Tool side (egress), both being shown in the Diagram view and other views. See Bidirectional
Ports.
l Loopback (E40 only): Loopback mode ports are another type of Bidirectional port that can
send egress traffic back around to the ingress side of the port, enabling the traffic to be processed
twice, on egress and on ingress. See Loopback Ports.
l Simplex (E40 only): A port in Simplex mode is a port whose Tx and Rx flows are independent
of each other and can be connected to different equipment. See Simplex Ports.
Note: E100 does not support Loopback and Simplex.

Pause Frames (Tool Ports Only): Enables you to accept or ignore the sending of pause frames. By
default, this port setting is set to Ignore.

A pause frame is a flow control mechanism defined by IEEE 802.3x that uses MAC Control frames to
carry pause commands. Pause commands are generated when a sending device is transmitting data
faster than a receiving device can receive it. The receiving device generates a pause frame that
indicates the amount of time it wants the sending device to "pause" sending traffic.

When the NPB accepts pause frames it will stop the transmission of data until Ethernet flow control
indicates that the device that sent the pause frame is ready to receive additional traffic.

When the NPB ignores pause frames it will continue to forward traffic to the connected device
regardless of the Ethernet flow control state of the device.

– 57 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Note: When accepting pause frames, the NPB will buffer a very small amount of data before
dropping packets. Configuring the NPB to ignore pause frames will prevent packets from being
dropped by the NPB, but the port of the connected device may drop packets due to
oversubscription.

Enabled State: Allows you to select either Enabled or Disabled. A port must be enabled in order to
pass traffic. Disabled ports appear as dimmed in the Diagram view and in the other views.

Link Settings: The available link settings depend on the port media type.

l For 10G SFP+ ports, the only supported link setting is 10G Full Duplex.
l For 1G SFP copper, the only supported link setting is Auto-Negotiate.
Note: Auto-negotiation should be used whenever an RJ-45 copper SFP is in use to have the link
state reported properly.

For 100G QSFP28 ports, you can select:

l 100G Full Duplex

l Auto-Negotiate

Link Up/Down Trap: When enabled, this setting allows you to send SNMP traps for both link up or
down conditions separately for each port.

1000Base-T Link Polling: This option is not available for the following NPB models:

l Vision E40
l Vision Edge OS 5812
l Vision E100 (It does not support 1G.)
l Vision Edge OS 7712 (It does not support 1G.)

Transmit Light (Network ports only): In order to minimize cabling mistakes, you can turn off the
transmit side of a Network port so that no light is sent. This applies only to fiber cables, not copper
cables, which do not transmit light.

IMPORTANT: When connecting standard bi-di (not Rx-only) transceivers to a bi-di tap, it is important
to set the transmit light to Off.

Force Link Up (1G/10G Tool ports/port groups only): When enabled, this setting allows a 1G or 10G
Tool port/port group (load balance or tool interconnect port group) to transmit data regardless of
whether the transceiver’s receive (Rx) is connected. This allows you to transmit to a unidirectional port
that can only receive data. For example, in video streaming, most traffic is sent as unacknowledged
unidirectional video broadcast streams. The Force Link Up setting is not supported on 40G Tool ports.

Note: For the SFP/SFP+ Tool ports/port groups, when the Force Link Up setting is enabled,
SNMP input statistics will increase.

Filtering Option (Network ports only): The Optimize IP Addresses check box appears in the Port
Settings section only if, on the Filter Memory Allocation window, you select the check box for Support
up to 8184 dynamic filter source IP addresses in the Mode section of the Network Port Filters
tab. See Increasing the IP Address Filtering Capacity in Dynamic Filters. The system reboots and

913-2398-01 Rev A – 58 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

adds the Optimize IP Addresses check box. It is selected by default so that the system creates the
smallest number of rules for all connected Dynamic Filters. It can be labor intensive if connected filters
have a large number of IP addresses. You can deselect this filtering option.

Filter Criteria Tab

Filter criteria are used to define the type of traffic that will be allowed to pass through an object or the
type of traffic that will be prevented from passing through an object.

See Filter Criteria for Ports, Port Groups, and Dynamic Filters for detailed information on the
supported criteria.

Connections Tab
For a Network port, the Connections tab displays the Dynamic Filters to which traffic is sent. For a Tool
port, this tab displays the Dynamic Filters from which traffic is received.

For both Network and Tool ports, this tab allows you to connect or disconnect a port to or from Dynamic
Filters.

To add a connection to a Dynamic Filter:

1. Click Add Dynamic Filter....

The Select Dynamic Filters window opens.
2. Select one or more Dynamic Filters to connect to the port. Use the SHIFT and CTRL keys to select
multiple filters.
For more information on dynamic filters, see Creating Dynamic Filters.
Note: Dynamic Filter additions and removals occur immediately after clicking OK and
connection modifications cannot be canceled using the Cancel button in the Port Properties
dialog.

Access Control Tab

The Access Control tab enables users with administrator privileges to specify which users or user
groups can view which port(s), modify the port settings, and connect the port(s) to Dynamic Filters.

For details about the access control settings, see Access Control Settings for Ports.

Packet Processing Tab

This tab enables you to select the standard and advanced packet processing features that are applied
by a Network or a Tool port.

For detailed descriptions of the packet processing features see Packet Processing Features.

Tunneling Tab (Network Ports Only)

This tab allows you to terminate L2GRE/NVGRE or ERSPAN tunnels on a system's Network port.

– 59 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

L2GRE/NVGRE tunnel termination consists in receiving L2GRE/NVGRE tunneled packets, stripping off
the L2GRE/NVGRE header, and passing on the L2 payload to the system switch.

ERSPAN tunnel termination consists in receiving GRE tunneled packets, stripping off the GRE headers,
and passing on the L2 payload to the system switch. Tunnel termination necessarily involves the
sending of gratuitous ARP messages by the Network port, in order to let other network hosts know
where to send the IP packets.

In addition to L2GRE/NVGRE and ERSPAN tunnel termination, ports and Dynamic Filters that have a
PacketStack resource attached to them also support the stripping of L2GRE/NVGRE or ERSPAN
headers. In the case of header stripping, the Network port, however, does not send gratuitous ARP
messages. For details on L2GRE/NVGRE and ERSPAN stripping, see Advanced Packet Processing
Features.

Each Network port that is selected for L2GRE/NVGRE or ERSPAN tunnel termination needs to be
assigned an IP address. The IP address can be interpreted as the destination tunnel IP, or simply the
gateway IP that leads to the final destination if the tunnel source and destination are on a different
subnet. An internally allocated MAC address is automatically filled into the adjoining field, and
gratuitous ARP will advertise the MAC to its connecting neighbor.

When you enable ERSPAN tunnel termination, an additional option, Assume ERSPAN header is 0
length, is displayed. Check this option whenever you have determined that your ingress traffic uses a
non-standard ERSPAN implementation with a zero ERSPAN header length, meaning that L2 frames are
encapsulated directly into the GRE payload.

The statistics computed by a system for the L2GRE/NVGRE or ERSPAN Tunnel Termination feature are
explained in the Tunnel Termination Statistics section.

Note: Tunnel termination cannot be configured on Port Groups or on ports that are part of Port
Groups.

Tunnel termination is mutually exclusive with the L2GRE/NVGRE, ERSPAN, VXLAN, MPLS, and GTP
stripping functionality.

Creating Simplex Ports

A port in Simplex mode is an SFP+ port whose Tx and Rx flows are independent of each other and can
be connected to different equipment. The resulting port has both a Network and a Tool side, both of
which are shown in the Diagram view and other table views of an Edge system.

Note: Simplex ports are similar to Bidirectional ports, in that the port shows up in the console
as both a Network and a Tool port.

The Simplex port mode is supported only on SFP+ 1G/10G ports.

A possible use case for Simplex operation is represented by companies which have regulatory
requirements, demanding that they prove that no traffic exits the Edge system and gets back into the
network. The easiest way to implement this requirement is to cable up only the system's Rx side and
have no Tx link at all.

913-2398-01 Rev A – 60 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Once a port is configured in Simplex mode, the two sides of the port work mostly independently, as
follows:

l Traffic filtering can be performed on both port sides.

l Connections to Dynamic Filters can be defined differently for each port side.
l Access control rights can be set differently for each port side.

However, the port properties which are tied directly to the hardware, such as the media type and the
link settings, must be the same on both sides of the port.

Simplex Statistics
Statistics for Simplex ports are displayed in different windows for the Network side and the Tool side.
For each side—ingress and egress—the Statistics window displays two tabs, Standard and Packet
Processing. The computed statistics are explained in Network Port Statistics, Tool Port Statistics, and
TBD Packet Processing Statistics.

Create a Simplex Mode Port

1. Right-click an SFP+port.
2. Select the Properties command from the port's context menu.
3. In the General tab change the Port Mode to Simplex.
Following this change, the port name will display as SSFP or SSFP+ , which stands for Simplex
SFP+. As the two port sides are created, the Network side retains the initial name (for example
PC15), while the other one is named using a "_t" suffix (for example PC15_t).
Note: Since Simplex ports do not support pause frames, the Pause Frames setting in the
General page is not available.
4. In the Filter Criteria tab, choose the specific traffic filtering settings for the Network side or the
Tool side. Note that Network and Tool sides can have different filter criteria, each based on the
filter memory allocation for that side.
Note: The current filtering criteria are removed when the filter traffic direction is changed.
5. In the Connections tab define the relevant connections for the side being edited, as follows:
l On the Network side you can add connections to destination Dynamic Filters.
l On the Tool side you can add connections to source Dynamic Filters.
6. In the Access Control tab define the users who can change port settings and connections to
Dynamic Filters. Access control rights can be configured individually for each side, as follows:
l On the Network side you can set connect or disconnect rights for the output (destination
filter).
l On the Tool side you can set connect or disconnect rights for the input (source filter).
When modify rights are set on one or both sides of a Simplex mode port, you must have access
rights to both sides, in order to modify any shared properties.
For example, let us assume that for a Simplex mode port, modification is restricted to system
administrators on the Tool side (PC01_t), while the Network side (PC01) has no restrictions. In
this case, the GUI would show the following:

– 61 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

l An administrator would see a dimmed lock icon on the Tool side.

l A non-administrator would see a lock icon on the Tool side (meaning he has no modify
access rights) and a partial lock icon on the Network side (since he cannot modify any
shared properties on the Network side).
7. In the Packet Processing tab choose the packet processing features to be applied. Note that,
while packet processing is available on both sides, VLAN stripping is available on both the
Network and the Tool side, while port tagging can be configured only on the Network side.

Bidirectional Ports
A port in Bidirectional mode has both a Network side (ingress) and a Tool side (egress), both being
shown in the Diagram view and in other views of the application. The following figure shows the two
sides of the Bidirectional port P37 linked by a Dynamic Filter.

Note: This functionality is very similar to that of ports in Bidirectional Port Groups. However,
while those ports exist only in port groups, a Bidirectional port can exist outside of Port Groups.

Note: If required, Bidirectional ports can be added to a Bidirectional Port Group.

Statistics for Bidirectional ports are displayed separately for the Network side and the Tool side. For
each side—ingress and egress—one tab (Standard) or two tabs (Standard and Packet Processing) are
displayed. The computed statistics are explained in Network Port Statistics, Tool Port Statistics, and
Packet Processing Statistics.

Create a Bidirectional Port

1. Click a port's button, or right-click the port.
2. Select the Properties command from the port's context menu.
3. In the General tab set the Port Mode to Bidirectional .
Ports will display a BSFP or BSFP+ label, which stands for Bidirectional SFP+.
4. In the Filter Criteria tab, choose if the traffic filtering is done on the Network side or the Tool side.
Although both filtering and packet processing can be done only on one side of a Bidirectional
port, its two sides share basic properties, such as name, icon, and keywords, similar to ports of a
bidirectional port group.
5. In the Packet Processing tab choose the standard and advanced processing features that are
applied for each port side, Network and Tool.
Note: Advanced packet processing features are available only if a PacketStack resource
was assigned to the port.

913-2398-01 Rev A – 62 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Loopback Ports
A port in Loopback mode sends egress traffic back around to the ingress side to flow again through the
port. This enables you to create a loopback without using external cables or an external loopback plug
or transceivers, effectively recirculating the traffic from the egress to the ingress side. It will be up to
the user to set the proper filter rules to process the looped back packets appropriately.

A port in Loopback mode has two sides, a Network and a Tool side, that are shown in the Diagram view
and other table views of the application, as illustrated in the following figure.

Loopback mode is supported by any SFP+ port which can be made bidirectional and which is not part of
a port group, as long as the loopback functionality is supported by the hardware. This allows the
egress traffic to circulate back to the ingress side.

For example, the E40 supports Loopback mode on QSFP+ 40G ports when they are in 4x10G SFP+
breakout mode. Each of the resulting 10G SFP+ ports can be put into Loopback mode independently of
the other ports.

Note: Note that ports in loopback mode can perform standard and advanced packet processing
on one side of the port only. The only exception is VLAN stripping, which can be done on both
the Network and the Tool side.

In Loopback mode, by default the packets will also be sent onto the wire in addition to looping back,
which may cause problems if the port is cabled to a span port or to a tap. If traffic should not egress
from the system, when configuring loopback via the console, make sure to either disconnect the cable
or to configure Transmit Light to Off before placing the port in Loopback mode.

Note: Loopback mode ports cannot be added to Port Groups.

Statistics for Loopback mode ports are displayed separately for the Network side and the Tool side. For
each side—ingress and egress—one tab (Standard) or two tabs (Standard and Packet Processing) are
displayed. The computed statistics are explained in Network Port Statistics, Tool Port Statistics, and
Packet Processing Statistics.

Create a Loopback Port

1. Click a port's button, or right-click the port.
2. Select the Properties command from the port's menu.
3. In the General tab configure the Port Mode to Loopback.
The Loopback port icon will display LSFP or LSFP+ , which stands for Loopback SFP+.
4. In the Packet Processing tab choose the standard and advanced processing features that are
applied for each port side, Network and Tool.

– 63 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Note: The advanced packet processing features are available only if a

PacketStack resource was assigned to the port.
Since a Loopback mode port continues to send traffic out the port, in addition to looping it back,
make sure to either disconnect the cable or to configure the Transmit Light setting as Off, if
traffic is not supposed to exit the port.

Convert 10G or 40G Ports

The Speed Configuration command can do two things:

l Convert 10G Ports to 40G Ports—Aggregate four (4) 10G SFP+ ports into one (1) 40G QSFP+
port
l Convert 40G Ports to 10G Ports—Breakout one (1) 40G QSFP+ port into four (4) 10G
SFP+ ports

Convert 10G Ports to 40G Ports

Using the Speed Configuration command from a port's right-click context menu, you can convert a
range of four (4) adjacent 10G ports into one (1) 40G port. The starting port range for aggregation is
the P01-P04 range, and all subsequent four ports (P05-P08, P09-P12, and so on) can be aggregated
into a higher speed port. Following aggregation, the four ports are named after the first port in the
range.

For example, if you right-click any port in the P05- P08 range and choose to aggregate the ports, the
ports are aggregated as P05, and the P06, P07, and P08 port denominations no longer appear in the
Diagram view.

To convert four (4) 10G ports to one (1) 40G port:

l Right-click one (1) 10G port and select Speed Configuration > 40G QSFP+ .

To use a 40G aggregated port, all four corresponding 10G ports that make it up must be licensed.

In the Settings > License page, the aggregated 40G port will be displayed as a 40G licensed port,
while the corresponding 10G ports will no longer be displayed. When aggregation is undone, the
reverse operation occurs, meaning that the 10G ports are displayed again, while the 40G port is
removed.

Convert 40G Ports to 10G Ports

Also using the Speed Configuration command from a port's right-click context menu, you can convert
one (1) 40G QSFP+ port into four (4) 10G SFP+ ports.

To convert one (1) 40G port to four (4) 10G ports:

1. On the hardware system, attach a breakout cable to the 40G port that has four 10G ports on the
other end.
2. In the software console, right-click the port and select Speed configuration > 10G SFP+ .
The port numbering changes. For example, P53 becomes P53-1, P53-2, P53-3, and P53-4.

913-2398-01 Rev A – 64 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Creating Port Groups

Port groups provide the ability to aggregate ports into higher bandwidth trunks for load balancing tool
traffic or for interconnecting Network Packet Broker (NPB) systems. Port groups also provide other
management features that are described later in this section.

Note: You can add up to the maximum number of ports available on a single card or chases.
Currently, load balancing across cards/chassis is unsupported.

supports the following types of port groups:

l Interconnect Port Groups: These are used for connecting systems on the Network or the Tool
side. In the Diagram view, this port group type is displayed by default using the

icon.
l Bidirectional Port Groups: This is a special type of Interconnect Port Group that can receive
and transmit traffic. As a consequence, this type has both a Network and a Tool side. In the
Diagram view, this port group type is displayed by default using the

icon.
l Load Balance Port Groups: These are used to load balance the traffic across multiple Tool
ports. In the Diagram view, this port group type is displayed by default using the

icon.
l Loopback Port Group: These aggregate several Loopback ports, which use an internal
connection to send the egress Tx data back to the ingress Rx side of the port. Similar to a
Bidirectional Port Group, a Loopback Port Group has two sides, a Network and a Tool side. In the
Diagram view, a Loopback Port Group is displayed on both sides of the Diagram area, using the

icon.

Interconnect Port Groups

Interconnect port groups (ICPG) support connections between system.

Physical cable connections must be made between the systems that share an interconnect port group.
Port connections must follow the standard rules related to port speed and duplex modes to ensure a
port “link up” status.

The information below describes the settings that are required to configure an Interconnect Port Group.

– 65 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

The following figure illustrates how port groups can be deployed in order to share tools between
different NPBs, as described in detail later in this section. The notation “4x10 G” indicates that an
interconnect port group (ICPG) contains four 10G ports.

Note that in all ICPG scenarios, it is required that an ICPG be created on both of the systems that share
the interconnect:

l NPB #1 has local tools. The ICPG connection to NPB #4 is unidirectional. The tools that are
directly connected to NPB #1 can only be shared by the SPAN and taps that are directly
connected to NPB #1. Those same SPANs and taps can access the tools on NPB #4 by way of the
interconnect port group.
l NPBs #2 and #3 can share their local tools with each other because of the bidirectional ICPG
between them. Both NPB #2 and NPB #3 have an unidirectional ICPG to NPB#4. SPANs and taps
that are directly connected to NPB #2 and NPB #3 can access the tools on NPB #4.
l NPB #4 has unidirectional network-side interconnects with NPBs #1, #2, and #3. The tools
connected to NPB #4 can be shared by all of the NPBs deployed at the site. NPB #4 has no
access to tools on the other NPBs.

913-2398-01 Rev A – 66 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Note: Although ports within an interconnect port group can be a combination of 1G and 10G
ports, caution should be taken when mixing port speeds within tool interconnect port groups. If
one of the ports within a tool interconnect port group goes down, its traffic will automatically be
diverted to the other ports in the group. Failover to in-service ports occurs regardless of port
speed. Failover from a 10G port to a 1G port could lead to traffic congestion and dropped
packets. Also, traffic will not balance well between the 10G and 1G ports, resulting in drops on
the 1G ports and/or under-use of the 10G ports. Because the load balancing algorithm cannot
weight the the ports load , the 10G ports would get 10 times the load of the 1G ports.

The tool side of an ICPG is always set to a Rebalance failover mode. In Rebalance mode, a port failure
will cause the port to be disabled and removed from the load balancing algorithm. Traffic that was
destined for the failed port will be transmitted out by an in-service port within the group. Once the
port's link status returns to link up, the port is re-added into the load balance algorithm.

Create Interconnect Port Groups

To create an Interconnect Port Group:

1. Select ports in the Diagram area.

2. Right-click one of the selected ports, or click a port's icon.
3. Select Create Interconnect Port Group -> Network, Tool , or Bidirectional from the menu.
The New Interconnect Port Group window appears.

You can also create an Interconnect Port Group by clicking Add > Port Group > Network, Tool , or
Bidirectional .

Interconnect Port Group - Properties Tab

This tab enables you to configure general port group properties, such as name, description, associated
keywords for search purposes, and so on.

Name: A name for the Interconnect Port Group.

Interconnected with: This is an optional setting that allows you to access and manage the remote
interconnected Network Packet Broker (NPB) system. See Specify Far-End System.

Description: You can enter a description of the Interconnect Port Group in this field, such that you
can tell at a glance the nature of this specific interconnect port group that you created and configured.

Keywords: You can enter one or more keywords to use with the Focus on feature in the Diagram view.
This feature allows you to reduce the objects displayed in the Diagram view for better visibility.

Interconnect Port Group Settings

Port Group Icon: Enables you to select an icon that is used to identify the Port Group in the Diagram
view.

Port Mode: The displayed port mode can be Network, Tool, or Bidirectional.

– 67 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Interconnect Port Group Status

Enabled Status: This field displays the number of enabled ports within the port group, followed by the
total number of ports in the port group.

Transmit Light Status (Network port only): In order to minimize cabling mistakes, you can turn off
the transmit side of a Network port so that no light is sent. This only applies to fiber cables, not copper
cables, which do not transmit light.

Enabled Port Status

Combined Speed: This field displays the combined speed of all the enabled ports within the port
group.

The word partial after the speed value indicates that 1 or more of the enabled ports within the port
group have a link down status. The reported combined speed does not include the port speed settings
of link-down ports.

Link Status: This field indicates the number of enabled ports within the port group that have a link up
status.

Select Far-End System

When you click the link next to the Interconnected with label in the Interconnect Port Group's
Properties tab, the following window appears, enabling you to specify a remote system.

The following options can be configured in this dialog box:

l Address: The IP Address or the DNS name of the far-end system. Click the History button to
select a far-end system from a list of NPB units that have been accessed during earlier sessions.
To use the Manage Other End feature and configure the Interconnected with setting, the
systems that share an Interconnect Port Group must be running the same software version.

913-2398-01 Rev A – 68 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

After selecting the address of the far-end system, a login prompt will be launched for that system.
You need to have a login account on the far-end system to complete the interconnection
operation.
l Interconnect Port Group: Displays the remote or far-end interconnect port group. Click the
Select button to choose an interconnect port group from the remote system.
l Clear: Click the Clear button to remove the current Far-End Interconnect Port Group settings.

Interconnect Port Group - Ports Tab

To add ports to an Interconnect Port Group:

1. Click Add Port.

2. Select the ports that you wish to add.

Ports may not be added or removed while the Port Group is connected to a Dynamic Filter. Ports that
are currently connected to Dynamic Filters cannot be added to a port group, but must first be
disconnected from all filters before being added.

To remove ports from an Interconnect Port Group:

1. In the Ports section, select the ports to be deleted.

2. Click the Remove button.

The following are the effects of adding additional ports to an Interconnect Port Group:

l When a port is added to a Port Group, its representation is no longer displayed in the Diagram
view. As a consequence, the port properties can then only be accessed from the Ports tab within
the Port Group.
l A port added to a Port Group maintains its media settings.
l A port added to a Port group inherits the filter criteria settings of the Port Group.
l Port Groups adopt the access control settings of the ports within the group that have the most
restrictive access control settings. For details, see Access Control for Port Groups.

Interconnect Port Group - Filter Criteria Tab

Filter criteria are used to define the type of traffic packets that are allowed to pass through a Port
Group. The filter criteria applied for the Port Group is used for all ports contained within the group.

See Filter Criteria for Ports, Port Groups, and Dynamic Filters for detailed information on the available
filter criteria.

Interconnect Port Group - Connections Tab

This tab enables you to connect a Port Group to the following objects:

l Destination Dynamic Filters for Network Port Groups.

l Source Dynamic Filters for Tool Port Groups.
l Both Source and Destination Dynamic Filters for Bidirectional Port Groups.

– 69 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Note: Adding and removing connections to filters are immediate operations, they are not
controlled by the OK or Cancel buttons at the bottom of the Edit Port Group window. If the
Dynamic Filters to be connected are configured to inherit their access control settings from their
connected ports, you might receive a warning message that a new connection to a filter might
cause some system users to lose access to that filter, if the new connections come with higher
access restrictions. In that case, you will be prompted to confirm a loss of access before the
connection is completed.

Interconnect Port Group - Access Control Tab

The Access Control tab displays information about the users who can modify the property and
connection settings of the Port Group. As a general rule, the access policies for a port group are
inherited from the contained ports.

Operation: Modify this Port Group: This section displays the access policy that is in effect and the
users which have modify rights.

Operation: Network Side Connect/Disconnect Filters to/From this Port Group: This section
displays the current access policy for connecting Dynamic Filters to the Network side of the Port Group
and the users which have access to this operation.

Operation: Tool Side Connect/Disconnect Filters to/From this Port Group: This section
displays the current access policy for connecting Dynamic Filters to the Tool side of the Port Group and
the users which have access to this operation.

Note: For a Tool or Network Interconnect Port Group a single category (Network or Tool side
connect/interconnect) is displayed, while for Bidirectional Interconnect Port Groups both
categories are displayed.

The Details buttons displays a window that provides detailed information about the specific users with
access rights and the mode in which the access settings were determined.

The Access Details Window

The Users section displays the users that can perform modify operations on the property settings of
the Port Group. Note that system administrators can always modify the property settings of a Port
Group.

The Ports sections displays a table that shows the ports that determine the Port Group's access rights
for modifying connections. A user must meet the access requirements for every port shown in order to
modify the Port Group connections.

Note: Systems administrators can modify a port's access control settings from the Ports tab by
clicking its icon.

Interconnect Port Group - Packet Processing Tab

This tab enables you to select the standard packet processing features that are applied by the Port
Group.

913-2398-01 Rev A – 70 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Note: Since you cannot attach a PacketStack resource to Port Groups, advanced (PacketStack)
packet processing functionality is not available for Port Groups.

For a detailed description of the standard packet processing features that are available for Port Groups
see Packet Processing Features.

Create Bidirectional Interconnect Port Group

A Bidirectional Interconnect Port Group is a special type of Interconnect Port Groups that can both
receive and send traffic. Similar to a Bidirectional Port Group, it has two sides, a Network and a Tool
side.

The icon for a Bidirectional Interconnect Port Group is displayed on both sides of the Diagram area, as
shown in the figure below. Notice that both sides have the same name, PG2 in the example below,
regardless of whether it is assigned automatically or user-defined.

Simplex Port Group Restrictions

The following restrictions apply to simplex ports used in port groups:

l Regular ports and ports licensed for PacketStack cannot be mixed within ports groups.
l Simplex ports are a special case when licensed for PacketStack. Because PacketStack only
applies to one side, the regular side can be in port groups with other regular ports, and the
PacketStack side can be in port groups with ports licensed for PacketStack.
n The PacketStack side is configurable (Network is the default).
n PacketStack must be configured to the appropriate side (Network or Tool) before adding it to
the port group.
n To change the PacketStack side, neither side can be in a port group.
n Simplex ports cannot be placed in a bidirectional port group.
l When a PacketStack license is applied to the system, if any of the affected ports are in regular
port groups, they will be automatically removed because they are no longer compatible.

Simplex Pipeline Details

l Defaults to Network
l Pipeline must be configured to the appropriate side prior to adding to PG
l To change pipeline direction, neither side can be in a PG

Changing Simplex SFP+/PacketStack License

For ports on an PacketStack module that are not licensed as PacketStack and exist in PGs, when you
apply the PacketStack license to the ports, they are automatically removed from the non-PacketStack
PGs. This also applies to release version 4.4 simplex with SFP+ license.

– 71 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Load Balance Port Groups

Load Balance Port Groups allow traffic to be dynamically distributed across multiple Tool ports while
keeping network conversations intact, so that each load-balanced tool sees a complete session (all
packets from a session are sent out of the same port). Load balancing can be used in conjunction with
all Tool port filtering capabilities.

Load balance port groups can be configured to use one of two different failover modes: Rebalance or
None.

In Rebalance mode, a port failure will cause the port to be removed from the port group. Traffic that
was destined for the failed port will be transmitted out via one or more of the other in-service ports
within the group.

In the None failover mode, a port failure will cause packets destined for the port to be dropped. When
the failed port returns to service, packets will resume transmission out the same port.

Although the ports within a Load Balance Port Group can be a combination of 1G and 10G ports, caution
should be taken when mixing port speeds within Load Balance Port Groups. If one of the ports within a
load balance port group goes down, its traffic can automatically be diverted to the other ports in the
group. Failover to in-service ports occurs regardless of port speed. Failover from a 10G to a 1G port
could lead to traffic congestion and dropped packets. To prevent that, you can disable the load balance
port group failover feature.

Also, traffic will not balance well between the 10G and 1G ports, resulting in drops on the 1G ports
and/or under-use of the 10G ports. The load balancing algorithm cannot weigh the ports such that the
10G ports would get 10 times the load of the 1G ports.

Create Load Balance Port Groups

To create a Load Balance Port Group:

1. Select one or more Tool ports in the Diagram area.

2. Right-click one of the selected ports or click a port's icon.
3. Choose Create Load Balance Group from the context menu.

You can also create a Load Balance Port Group by clicking Add > Port Group > Load Balance Port
Group.

Load Balance Port Group - General Tab

The following parameters can be configured:

Name: Enter a name for the Load Balance Port Group.

Description: Use this field to describe the purpose and use of this Port Group.

Load Balance Port Group Settings

Port Group Icon: Enables you to assign an icon that is used to identify a Load Balance Port Group in
the Diagram view.

913-2398-01 Rev A – 72 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Port Mode: This field displays the port mode which will always be “Tool.”

Port Pause Frames: This setting is always set to Ignore pause frames for Load Balance Port Groups.
The setting is applied to all contained ports.

When the system ignores pause frames, it will continue to forward traffic to the connected device
regardless of the Ethernet flow control state of the device.

Failover: In the event of port failure, the Rebalance option redistributes traffic amongst in-service
ports within the port group. Rebalance is the default setting. The None option disables the failover
feature.

Load Balance Status

Enabled Status: This field displays the number of ports within the port group and the number of ports
within the group that are enabled.

Enabled Port Status - Section

Combined Speed: This field displays the combined speed of all the enabled ports within the port
group.

The reported combined speed does not include the port speed settings of enabled link-down ports.

Link Status: This field indicates the number of enabled ports within the port group that have a link up
status.

Load Balance Port Group - Ports Tab

To add ports to the port group, click the Add button. Select the ports that are to be contained within
the port group. You can combine up to eight ports (1G and 10G) into a load balance port group.

Ports can be removed by selecting them in the port section and clicking the Remove button.

Although ports may be added or removed while the Port Group is connected to a Dynamic Filter, this
operation has some limitations, as described in Adding and Removing Ports to/from Connected Port
Groups.

The Effect of Adding Ports to a Load Balance Port Group

l When a port is added to a port group, its icon is removed from the Diagram Area. The individual
port properties can then only be accessed from the Ports tab within the port group.
l A port added to a port group maintains its media settings.
l A port added to a port group inherits the filter criteria settings of the port group.
l Port groups inherit the access control settings of the port within the group that has the most
restrictive access control settings.
l The load balance group will be assigned a “LBG-#” (load balance group number) label. The
number displayed indicates the number of ports in the load balance port group.

– 73 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Load Balance Port Group - Filter Criteria Tab

Filter criteria are used to define the type of traffic that will be allowed to pass through an object or will
be prevented from passing through an object.

See Filter Criteria for Ports, Port Groups, and Dynamic Filters for detailed information on the available
criteria.

Load Balance Port Group - Connections Tab

Click Add dynamic filter to add connections to a port group. Source Dynamic Filters can be
configured for load balance port groups.

Adding or removing filter connections are immediate operations, not controlled by clicking the OK or
Cancel buttons on the Connections tab.

Because Dynamic Filter access control may be determined by the connections, you will receive a
warning message before a connection to a Dynamic Filter is complete if the access control settings of
the port group will adversely affect users that can currently access the Dynamic Filter. You will be
prompted to confirm a loss of access before the connection is completed.

Load Balance Port Group - Access Control Tab

The Access Control tab displays information about the users who can modify the property settings and
the connection settings of the port group. The access policies for a port group are inherited from the
contained ports.

Operation: Modify this Port Group: This section displays the access policy that is in effect and the
users with access.

In order to modify the properties of a port group, a user must have Modify access on all ports within the
port group.

In order to add/remove ports to/from a port group, a user must have Connect access on the port group
(which requires Connect access on all the ports within the port group).

Operation: Connect/Disconnect Filters to/from this Port Group: This section displays the
access policy that is in effect and the users with access.

In order to connect/disconnect to/from a Port Group, a user must have Connect/Disconnect access on
all ports within the port group.

The Details buttons provide detailed information about the specific users with access rights and how
the access settings were determined.

Load Balance Port Group - Packet Processing Tab

This tab enables you to select the standard packet processing features that are applied by the Load
Balance Port Group.

Note: Advanced (PacketStack) packet processing functionality is not available for Port Groups.

For detailed descriptions of the packet processing features see Packet Processing Features.

913-2398-01 Rev A – 74 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Adding and Removing Ports to/from Connected Port Groups

You can add or remove ports to/from Port Groups while the Port Group is connected to a Dynamic Filter,
but with the following limitations:

l Adding and removing ports is allowed only for Network Port Groups, Tool Port Groups, and Load
Balance Interconnect Port Groups.
l When adding or removing ports to/from a Port Group connected to a Dynamic filter, the Port
Group cannot be transitioned to or from the empty state.
l When adding a port to a connected Port Group, the newly added port inherits the Filter Criteria of
the containing Port Group.
l Adding and removing ports is not allowed while simultaneously changing the Filter Criteria of the
Port Group.
l In the case of Tool Port Groups and Load Balance Port Groups, adding or removing ports to/from a
Port Group that is connected to a Dynamic Filter is allowed only if the configured Filter Criteria of
the Port Group is Pass All.

Creating and Configuring Dynamic Filters

The Dynamic Filter dialog has the following tabs that group the different categories of configuration
settings:

l General – Used to define a filter name and description.

l Filter Criteria – Used to specify the traffic filtering behavior.
l Connections – Used to add, remove, and view the current connections to Network and Tool ports.
l Access Control – Used by system administrators to define access policies for the filter.
l Packet Processing: Used to select the packet processing operations applied to the traffic that
passes through the filter.

Dynamic Filter - General Tab

The General Tab options are the following:

l Name: The name field allows a name to be assigned to the filter.

l Description: The description field provides an area to document detailed information about the
filter. Text entered in this field will display in the tooltip help of the Dynamic Filter icon and in
various table views that display dynamic filters.
l Keywords: This fields enables you to associate one or more keywords with a filter. In the
Diagram view you can search based on these keywords, in order to find specific filters.

Dynamic Filter - Filter Criteria Tab

Filter criteria are used to define the types of traffic packets that will be allowed to pass through a filter.
In addition to the Pass All, Deny All, Pass by Criteria, and Deny by Criteria filter types that are
supported by all object types, a Dynamic Filter also supports two special filters, the catch-all PBC
(Pass by Criteria) Unmatched and DBC (Deny by Criteria) Matched filters.

– 75 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

For detailed information on the criteria that are available for all six filter types see Filter Criteria for
Ports, Port Groups, and Dynamic Filters.

Dynamic Filter - Connections Tab

The Connections tab displays the Network and Tool ports that are connected to the Dynamic Filter.
Dynamic Filters receive traffic from Network ports and send traffic to Tool ports.

Using the functionality of this tab, you can add and remove connections to Network and Tool ports.

Dynamic Filter - Access Control Tab

The Access Control tab provides features that allow administrators to configure security policies that
specify which users or user groups can view which filters, modify the Dynamic Filter settings, and add
or remove connections to Network and Tool ports. For details on this, see Modify Access Control List
Dialog on page 42.

For a Dynamic Filter, you can configure access permissions for the following actions:

l View Filter: This setting defines which users can view the selected filter.
n Allow All : Allows all user types to view the selected filter.
Inherit (only for Dynamic Filters): View access settings are inherited from the port(s) to
which the filter is connected.
Require Group Member: Only users who are part of specified user group(s) can view the
selected filter.
n Require Admin: Only users with administrative privileges can view the selected filter.
l Modify Filter: This setting defines which users can edit filter properties. You can configure it
using any of the following options:
n Allow All : Any user can edit the filter settings.
n Inherit: Access permissions for editing filter settings are inherited from the ports to which
the filter is connected. Access Control for port operations is described in detail in the
Defining Access Control Policies on page 316 chapter.
n Require Admin: Only a user with an administrator role can edit the filter settings.
n Require Group Member: Allows only members of specified user group(s) to make
modifications to the selected filter.
l Connect/Disconnect Network Ports to/from this Filter: This setting defines which users
can connect the filter to Network ports. The available options are the same as those for modifying
a filter.
l Connect/Disconnect Tool Ports to/from this Filter: This setting defines which users can
connect the filter output to Tool ports. The available options are the same as those for modifying
a filter.

Creating Catch-All Dynamic Filters

In addition to the Pass All, Deny All, Pass by Criteria, and Deny By Criteria, you can use two special
catch-all Dynamic Filter types, PBC (Pass by Criteria) Unmatched and DBC (Deny by Criteria)

913-2398-01 Rev A – 76 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Matched, for easily creating powerful filter criteria with reduced configuration effort.

Both of these filter types complement and are intended to be used conjointly with other filters, the
PBD Unmatched with one or more Pass By Criteria filters, and the DBC Matched with one or more Deny
By Criteria filters. These catch-all dynamic filters allow you to accumulate the traffic that would have
been otherwise filtered out and to route it to analysis tools.

DBC Matched Dynamic Filters

A DBC (Deny by Criteria) Matched dynamic filter is a special type of filter that accumulates the traffic
that is denied by all the Deny By Criteria filters connected to the same Network port. This 'matched'
traffic is sent to its connected Tool port(s). Since a DBC Matched is paired with Deny By Criteria filters,
its purpose is to catch the traffic that does not pass any of its associated Deny By Criteria filters. It is
independent of all other dynamic filter modes, Pass All, Deny All, and Pass By Criteria.

In the Diagram view, a DBC Matched filter is displayed as shown in the following image.

If a DBC Matched dynamic filter is connected to a Network port with no Deny By Criteria filters
attached, the DBC Matched filter does not pass any traffic.

A Network port may only have a single DBC Matched filter connected to it.

A PBC Unmatched and a DBC Matched filter can be connected to the same Network port. Similar to
PBC Unmatched filters which have meaning only when associated with other Pass By Criteria filters,
DBC Matched filters only make sense when associated with Deny By Criteria filters.

The two filter types do not impact one another, in the sense that PBC Unmatched filters receive only
the traffic not passed by any associated Pass By Criteria filters, while DBC Matched filters receive only
the traffic denied by all associated Deny By Criteria filters.

The filtering result of a sample configuration containing two Deny By Criteria filters and an associated
DBC Matched filter is shown in the following image:

– 77 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

PBC Unmatched Dynamic Filters

PBC (Pass by Criteria) Unmatched dynamic filters catch (accumulate) all the traffic that does not
match any of the Pass By Criteria filters connected to the same Network ports. This 'unmatched' traffic
is sent to its connected Tool port(s). Since a single PBC Unmatched dynamic filter is used conjointly
with one or more Pass By Criteria filters, its purpose is collecting the traffic that did not match other
filters and sending it to a Tool port where the traffic can be analyzed.

PBC Unmatched filters can only be paired with Pass By Criteria and are independent of all other
dynamic filter modes—Pass All, Deny All, and Deny By Criteria— meaning that adding other filter types
to the same Network port does not impact what is sent to a PBC Unmatched filter.

A Network port can have a single PBC Unmatched filter connected to it.

The filtering effect of a sample configuration containing two Pass By Criteria filters and an associated
PBC Unmatched filter is shown in the following image:

913-2398-01 Rev A – 78 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Note: If a PBC Unmatched dynamic filter is connected to a Network port with no Pass By Criteria
filters attached, the PBC Unmatched filter will pass all traffic (equivalent to a Pass All filter).

Copying Configurations for Ports and Dynamic Filters

You can use the Copy & Paste functionality from several different menus:

l Object context menu - displayed when right-clicking on an object.

l On the Diagram View control bar, in the Edit, Selected or Flagged menus.

To copy and paste the configuration of an object to object(s) of the same type, either Ports or Dynamic
Filters:

1. Select the source object containing the configuration which you want to copy.
2. From the selected object menu, click Copy.
3. Select the target object(s) on which you want to copy the configuration from step 1.
4. From the selected object menu, click Paste.
The Properties Selector window opens and displays all the properties supported by the copied
object type.

– 79 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

5. From the list of properties, select those you want to apply to the target object.
You can use the to select all the properties, the to deselect all the properties, or the to
reverse the selection of the properties.
6. Click OK.
The Copy Object Data Result window opens. If the copy completes successfully, the window
displays the following confirmation message: The following items successfully received copied
data: <Object name>.
If the copy is not completed, the system returns messages that define the properties that are not
available or configurable on the target object.
Note: Because the copy fails to complete, none of the other properties are copied.
The following are some examples of potential error messages displayed:

913-2398-01 Rev A – 80 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

l Error copying data for <Object name>: <parameter> is a read-only property and cannot
be modified.
l Error copying data for <Object name>: is an unknown property or its value is invalid.
To solve this issue, select the Paste option again and make sure that on the Properties
Selector window, you deselect those properties that are not applicable on the target object.

Linking Ports, Port Groups, and Dynamic Filters

In the Diagram view you can define object connections in any of the following modes:

l One-to-One: In this configuration, the ingress traffic from a Network port is filtered by a Dynamic
Filter and is then sent out to an egress Tool port.
l One-to-Many: In this configuration, the ingress traffic from a Network port is filtered by a
Dynamic Filter and is then replicated across multiple egress Tool port. If instead of linking to
multiple Tool ports you link to a Load Balance Port Group, the traffic is load balanced across the
group's Tool ports.
l Many-to-One: In this configuration, the ingress traffic from multiple Network ports is aggregated,
filtered by a Dynamic Filter, and then sent out an egress Tool port.
l Many-to-Many: In this configuration, the ingress traffic from multiple Network ports is
aggregated, filtered by a Dynamic Filter, and then replicated across multiple Tool ports. If instead
of linking to multiple Tool ports you link to a Load Balance Port Group, the traffic is load balanced
across the group's Tool ports.

A sample configuration is shown in the following figure. In this case, the ingress traffic received by
three Network ports is fed into a Dynamic Filter and is then load balanced across the Tool ports of a
Load Balance Port Group. For each object, note the connector endpoints (blue circles on each side)
that represent a possible connection anchor to/from an object.

Link Objects from the Diagram View

To create a connection:

1. Click an object's connector endpoint.

2. While keeping the mouse button pressed, drag it to the connector endpoint of the object you want
to connect to.

– 81 – 913-2398-01 Rev A
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

Using this approach you can connect the following object types:

l Ports/Port Groups to Dynamic Filters

l Ports/Port Groups to ports/port groups: In this case, a Dynamic Filter is automatically inserted
between the Network side and the Tool side ports or port groups.

Link Objects from an Object's Properties Window

You can also link objects using the functionality provided by the object's Connection window.

For example, to link a Network port to a Dynamic Filter follow these steps:

1. Double-click the Network port.

2. In the Properties window click Add Dynamic Filter.
The standard object selection window appears.
3. Select the destination Dynamic Filter and click OK.
4. Click OK to close the Properties window.

Unlink Objects from the Diagram View

To delete a connection:

1. Select the connection between to objects.

2. Right-click the connection and click Delete.

Further Actions
The Diagram view can be customized in many ways so as to display additional information, enhance
the visibility of objects, or limit the displayed objects to a subset of all objects.

Display Memory Meters

In a Vision Edge system, filter memory is required to store filter criteria. Network ports, tool ports, and
dynamic filters have pools of memory allocated to store their filter criteria. The number of filter criteria
that can be defined is restricted by the amount of memory available in the system. The memory meters
displayed below the Diagram area indicate the approximate percentage of filter memory that is
currently used by Network ports, Tool ports, and Dynamic Filters.

You can show or hide the Available Filter Memory pane by clicking Action > Show Memory Meters
or pressing the F10 function key.

The current system memory allocation is displayed in a pane such as the following:

913-2398-01 Rev A – 82 –
Chapter 6 Configuring Ports, Port Groups, and Dynamic Filters in the Diagram View

The window displays the available filter criteria memory for Network ports, Tool ports, and Dynamic
Filters. For Dynamic Filters, information is displayed for both IP and non-IP (any criteria not related to
IP filtering) memory.

A memory meter value of “100%” indicates that approximately 100 percent of the filter criteria memory
is available to filters or ports. Note that all memory meter values are approximate.

For each item—Network port, Tool port, or Dynamic Filter—memory meters use colors to indicate the
following memory allocation status:

l Green: An amount of 81% to 100% of the configured memory is available

l Yellow: An amount of 80% of the configured memory has been used (<20% is available)
l Red: An amount of 95% of the configured memory has been used (<5% is available)

Modify the Object Display Size

To facilitate working in the Diagram view you have the option of displaying a larger or a smaller
number of objects by varying the object display size. You can adjust the display size by clicking Add
> Set Node Size.

The available values are:

l Small – Decreases the size of elements on the Diagram view to fit the smallest, yet easily visible
version of them. As a result, more items can appear on the Diagram view at a time.
l Medium – Sets the size of the elements on the Diagram view to an optimal one.
l Large – Increases the size of elements on the Diagram view to fit their largest most
accommodating version. As a result, fewer items can appear on the Diagram view at a time.
As a shortcut for this option, you can press the F9 function key. For example, if the view elements
are shown as small icons, pressing F9 changes them to medium-sized icons. Pressing F9 again
changes the size to Large, and so on.

– 83 – 913-2398-01 Rev A
CHAPTER 7 Filter Criteria for Ports, Port
Groups, and Dynamic Filters
Dynamic filters, network ports, tool ports, and port groups all have filter criteria settings, which are
used to define the types of traffic packets that will be allowed to pass through a filter or that will be
prevented from passing through a filter.

For a filter to be built, it must have a source and a destination.

Additional information that can help you take full advantage of Vision Edge filtering capabilities is
provided in the technical note 5200 - Advanced Filtering Concepts and Options. This document can be
downloaded from the Ixia Customer Portal. See Technical Support for information on how to access the
Ixia Customer Portal.

– 84 – 913-2398-01 Rev A
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Intersection versus Priority Filtering

Beginning in release 4.7.5, the Filter Modes you can select depend on whether you set the Filter
Memory Allocation to use Intersection or Priority filter build mode. Intersection is the default.

For a description of these two filter build modes and details about the Priority filter build mode, see:

l Priority Filtering
l Filter Memory Allocation
n Dynamic Filter Tab

Port Filters - Network and Tool

Network and Tool ports use the same Filter Modes, which are also the same for Intersection and
Priority filtering, shown in the following example.

Network Port Filters

913-2398-01 Rev A – 85 –
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Dynamic Filters - Intersection and Priority Modes

Dynamic Filters use different Filter Modes than Network and Tool ports, and they differ in Intersection
and Priority filter build modes, shown in the following two examples.

Intersection Dynamic Filters

– 86 – 913-2398-01 Rev A
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Priority Dynamic Filters

913-2398-01 Rev A – 87 –
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Filter Mode Section

The Filter Modes you can select depend on whether you set the Filter Memory Allocation to use
Intersection or Priority filter build mode.

Intersection Filter Build Mode

In Intersection filter build mode, Dynamic Filters can be placed in one of the following six Filter Modes:

l Pass All
l Disable
l Pass by Criteria (PBC)
l Deny by Criteria (DBC)
l PBC Unmatched
l DBC Matched
Note: Filters in Network and Tool ports do not support all six modes. And Dynamic Filters
include the Filter Mode Exclude by Criteria. Whereas, Network and Tool Ports include the
Filter Mode Deny by Criteria.

Pass All : This setting allows all traffic to pass through the filter.

Disable: This setting prevents all traffic from passing through the filter.

Pass by Criteria (PBC): This setting allows you to describe the characteristics of the packets that
should be allowed to pass through the filter.

Deny by Criteria (DBC): This setting allows you to describe the characteristics of the packets that
should be prevented from passing through the filter.

PBC Unmatched : This setting allows traffic NOT MATCHING all Pass By Criteria (PBC) filters
attached to a Network port to pass. In other words, traffic not passed by any pass-by-criteria filter
attached to a Network port will pass this filter. This filter type is available only on Dynamic Filters. For
detailed information see PBC Unmatched Dynamic Filters.

DBC Matched : This setting allows traffic MATCHING all Deny By Criteria (DBC) filters attached to a
Network port to pass. In other words, traffic denied by all of the Deny By Criteria filters attached to a
Network port will pass this filter. This filter type is available only on Dynamic Filters. For detailed
information see DBC Matched Dynamic Filters.

Intersection Filter Mode Options

System objects have different filter mode options. The following table displays the filter mode options
for each object type.

– 88 – 913-2398-01 Rev A
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

PBC DBC
Filter Type Pass All Pass By Criteria Deny All Deny By Criteria Unmatched Matched
Network √ √ √ √ - -
Port/Network
ICPG/Bidirectional
ICPG
Dynamic Filter √ √ √ √ √ √
Tool Port/Tool √ √ √ √ - -
ICPG/Load
Balance Port
Group

Priority Filter Build Mode

In Priority filter build mode, Dynamic Filters can be placed in one of the following four Filter Modes:

l Pass All
l Disable
l Pass by Criteria
l Exclude by Criteria
Note: Dynamic Filters include the Filter Mode Exclude by Criteria. Whereas, Network and
Tool Ports include the Filter Mode Deny by Criteria.

Pass All : This setting allows all traffic to pass through the filter.

Disable: This setting prevents all traffic from passing through the filter.

Pass by Criteria: This setting allows you to describe the characteristics of the packets that should
be allowed to pass through the filter.

Exclude by Criteria: This setting allows you to describe the characteristics of the packets that
should be prevented from passing through the filter.

913-2398-01 Rev A – 89 –
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Available Fields Section

When determining whether packets should be passed or dropped, the system has the ability to inspect
the Layer 2 Ethernet headers *or* the Layer 3 and Layer 4 headers of each packet. You may specify
which header fields to look at within each layer.

The following figure shows the available header fields for each layer.

You can add more available fields by changing the Filter Memory Allocation and adding Custom
Dynamic Filtering. If you add VxLAN fields, they appear below Layer 4 in the Available Fields for a
Dynamic Filter.

See Criteria Fields Descriptions for a detailed description of the criteria for each available field.

Note: The selection of available fields depends on the current configuration of the Filter
Memory Allocation functionality.

– 90 – 913-2398-01 Rev A
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Criteria Fields Descriptions

When you click an Available Fields criterion button, a criterion-specific dialog displays where you can
enter specific values for the header fields related to that criterion type. For example, when you select
the VLAN button, the Edit VLAN Filter Criterion dialog appears.

Note: For each dialog instructions are displayed that describe how to enter values or value
ranges. All criterion dialogs have similar instructions and/or tooltip help.

Although configuring filter criteria is intuitive and on-screen and tooltip help is provided, some features
that may need further description are described in the subsequent topics.

913-2398-01 Rev A – 91 –
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

VLAN - Available Fields

The system supports filtering on either outer VLAN (802.1Q) or inner VLAN tags (802.1 Q-in-Q double-
tagged packets) at the Network port, Dynamic filter, and Tool port.

Note: Traffic with an outer VLAN tag will match on packets with an outer Tag Protocol Identifier
(TPID) value of 0x8100. The TPID is a 16-bit field at the beginning of a VLAN tag that is used to
distinguish the VLAN tag from an Ethertype field.

Packets will be recognized as double-tagged only if the inner TPID value is 0x8100. Therefore,
an inner VLAN Id and priority will match only packets that have an inner TPID value of 0x8100.

When you click the VLAN button, the following dialog appears.

For both outer and inner VLAN tags you can specify a VLAN Id and a priority value to filter on.

Note: If you enter a Priority of 0, then you must also enter either a VLAN ID or a VLAN range to
avoid false matches. If you do not, then you receive an error message to remind you to do so.

When connecting trunk port taps or SPANs to system ports, trunk links are required to pass VLAN
information. System ports are configured for 802.1Q (dot1q) encapsulation by default, and
automatically belong to VLANs 1-4094. Packets with 802.1Q tags for VLANs 1- 4094 can be filtered
using the system's filter criteria. See Filtering on 802.1Q VLAN Tags for detailed information and an
example router configuration.

– 92 – 913-2398-01 Rev A
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Filtering on 802.1Q VLAN Tags

While network administrators can assign VLANs to a network switch, the assignment of these VLANs
effectively remains transparent to the end devices, such as servers, storage devices and end-user
stations who are generally assigned to access ports. 802.1Q VLAN tags are not delivered in the
datagrams sent to the devices connected to access ports. Only devices connected to trunk ports on
switches responsible for routing, bridging or channeling traffic between networking devices will have
visibility to VLAN tags in order for the devices to direct traffic on each end of the link.

Filtering on VLAN Id is one of the options for pass filters and tool port drop filters where users may
direct traffic based on 802.1Q VLAN headers. To use VLAN IDs as criteria for filtering, users must
ensure specific conditions are met to enable visibility of VLAN 802.1Q headers.

In summary, note the following points related to 802.1Q VLAN filtering:

l The system can filter on 802.1Q VLANs.

l For the system to filter on VLANs, the 802.1Q tags must be present. You must ensure that tapped
trunk connections are configured to send 802.1Q tags to the system.
l If connected via a SPAN/mirrored port, users must ensure the SPAN port is also set as a trunk
port. Most switches support this capability, but this should be confirmed by checking the switch
manufacturer’s documentation.

Providing VLAN information to the System

There are two ways to direct traffic to an incoming network port on a system:

l Mirrored ports (SPANs) - Port mirroring is used on a network switch to send a copy of all network
packets seen on one switch port (or an entire VLAN) to a network monitoring connection on
another switch port. This is commonly used for network tools that require a copy of what is
happening on a VLAN such as protocol analyzers or intrusion-detection system. Port mirroring on
a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN) but other
vendors may have other names for it, such as Roving Analysis Port (RAP) on 3Com switches.
Mirrored ports by default will be defined as access ports on switches.
l Trunk port taps - A tap (Test Access Point) is a passive splitting mechanism installed inline on a
trunk connection between switches or other network devices where the trunk link is terminated.
Taps transmit both the send and receive data streams simultaneously on separate dedicated
channels, ensuring all data arrives at the monitoring device in real time.

It is important to remember that when using taps, two network port connections are necessary for each
tap because their TX and RX traffic is sent on dedicated paths to the system. For a configuration
example, refer to the Installation Guide for your model. Taps will normally be connected to trunk ports
but can also be connected to access ports.

System ports are configured for 802.1Q (dot1q) encapsulation, and automatically belong to VLANs 1-
4094. Packets with 802.1Q tags for VLANs 1-4094 may be filtered using the system. Because mirrored
(SPAN) ports are configured as access ports by default, they will not receive, nor pass any 802.1Q
header information in the traffic coming from that interface. This means you may not create any Pass or
Deny filters on the system that use VLAN ID as a pass or drop criteria if the ingress network port
providing traffic to the filter is coming from a SPAN port configured as an access port.

913-2398-01 Rev A – 93 –
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Once taps or SPAN ports have been properly installed and configured to pass desired traffic to the
system, pass filters or tool port deny filters can then be created on any L2 or L3 criteria including VLAN
ID.

An example of a SPAN port configuration providing 802.1Q headers from a Cisco 4506 switch is
provided below.

SPAN Port Configuration Providing 802.1Q headers

The following configuration example displays the commands necessary to create a SPAN port on a
Cisco 4506 Catalyst Switch that will deliver traffic including 802.1Q VLAN header information to the
system network port:

DDCPHRCE1#

monitor session 1 source vlan 1 - 4094

monitor session 1 destination interface Gi4/13 encapsulation dot1q
interface GigabitEthernet4/13
description DDC-SPN-DSW1 G7
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
no cdp enable
Note:
l Not all switches support this function
l Check with manufacturers’ instructions to enable this feature
l The sequence commands are entered in may be important
l Specifying the 802.1Q encapsulation method may be necessary

– 94 – 913-2398-01 Rev A
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

MAC Address - Available Fields

A MAC filter criterion can match on either MAC Source, MAC Destination, and MAC Source or
Destination, Unidirectional Flows, or Bidirectional Flows.

This functionality is available for Network ports, Tool ports, and Dynamic Filters.

Important! For MAC criteria, a broadcast addresses cannot appear in the source. A source is
defined as a MAC source criterion, a MAC source-or-destination criterion, the “source” side of a
MAC unidirectional flow set, and either side (the “A” or “B” side) of a MAC bidirectional flow set.
This limitation applies to dynamic filters and port filters.

MAC Source, MAC Destination, and MAC Source or Destination

When matching a MAC address, users may choose to look for a value in the source address, a value in
the destination address, a value in the source *or* destination address, or a value in the source
address in combination with another value in the destination address. These are described in more
detail in the following sections.

The figure below shows the MAC Filter Criterion dialog when matching on the source address field.

The address may be specified as one or more actual addresses, with optional "don't care" parts, or by
the administration type. When more than one address is specified (using the "+" button), the filter will
match on address 1 *or* address 2, and so on. Multiple addresses here are always combined with an
"or", regardless of whether the containing filter is set to "Match All" (AND) or "Match Any" (OR).

The Administration options are:

913-2398-01 Rev A – 95 –
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

l Universal (Globally Unique)

l Local

A universally administered MAC address (globally unique) is assigned to a device by its manufacturer.

A locally administered MAC address is assigned to a device by a network administrator.

The figure below shows the MAC Filter Criterion dialog when matching on the destination address
header field.

Destination addresses are specified in the same manner as source addresses. Destination addresses,
however, support different attributes which can be matched as an alternative to the addresses.

The Administration drop-list options are:

l Don’t Care: The address can be Local or Universal (Globally Unique).

Note: Dynamic Filters can use the "Don’t Care" option in the middle of the MAC values.

l Universal (Globally Unique)

l Local

The Destination Address drop-list options are:

l Don’t Care: The address can be Individual (Unicast) or Group (Multicast/Broadcast).

Note: Dynamic Filters can use the "Don’t Care" option in the middle of the MAC values.

– 96 – 913-2398-01 Rev A
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

l Individual (Unicast)
l Group (Multicast/Broadcast)
Note: Both the Destination Address and Administration attributes cannot be set to "Don’t Care."
One of the options must be configured to a value other than "Don’t Care."

Unidirectional Flows
When you choose the Unidirectional Flow criterion type, a packet matches the filtering criteria if both
its source *and* destination MAC address match any of the specified address values.

For this criterion type, you can add multiple address sets, each possibly containing multiple source and
destination addresses. Whenever you define multiple address sets, the source/destinations are only
paired with the source/destinations in their set.

You can add or remove a MAC address set by clicking the "+" or "-" buttons on the far right of the filter
criterion window. Within a set's Source or Destination category, you can add or remove a MAC address
by clicking its adjacent "+" or "-" buttons respectively.

You can duplicate an existing address set if you hold the CTRL key pressed while clicking the "+"
button.

Note that for the Unidirectional Flow criterion type multiple MAC address sets are allowed. Whenever
multiple sets are used, in order to match the filtering criteria, a packet can match any of the defined
sets. For detailed information see Matching Criteria Example for Undirectional Flows.

Bidirectional Flows
When you choose the Bidirectional Flow criterion type, a packet matches the filtering criteria if its
source and destination address are either A *and* B, or B *and* A.

913-2398-01 Rev A – 97 –
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

More specifically, a packet matches if either of the following conditions is true:

l Source equals any address A and destination equals any address B in the same set.
l Source equals any address B and destination equals any address A in the same set.

For this criterion type, you can add multiple address sets, each possibly containing multiple addresses
in the A and B categories. Whenever you define multiple address sets, any A/B addresses from one set
are only paired with addresses in that set.

Note: You can add or remove an address set by clicking the "+" or "-" buttons on the far right of
the filter criterion window. Within a set's A or B category, you can add or remove an address by
clicking its adjacent "+" or "-" buttons respectively.

Note: You can duplicate an existing address set if you hold the CTRL key pressed while clicking
the "+" button.

Note: For the Bidirectional Flow criterion type, multiple MAC address sets are allowed.
Whenever multiple sets are used, in order to match the filtering criteria, a packet can match any
of the defined sets. For detailed information, see Matching Criteria Example for Bidirectional
Flows.

– 98 – 913-2398-01 Rev A
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

IPv4/IPv6 Address Filtering - Available Fields

Similar to the filtering by MAC addresses, you can filter on IP Source Address, IP Destination Address,
IP Source or Destination Address, Unidirectional Flow, or Bidirectional Flow.

This functionality is available for Network ports, Tool ports, and Dynamic Filters.

Note: Although this topic describes IPv4 address filtering and uses IPv4 examples, the
functionality is the same for IPv6 address filter criteria.

Session filtering supports multicast IPv4 addresses as source addresses, destination addresses, and as
part of flow definitions. The allowed IPv4 multicast range is 224.0.0.0 to 239.255.255.255 (inclusive).

However, if you import an older configuration that has a mix of multicast and non-multicast addresses,
those filter criteria are removed from the filter and the filter is set to Deny All . The same thing
happens if you have a mix of multicast and non-multicast addresses and you upgrade from an older
version to release 4.3 or higher.

Important! In the case of Dynamic Filters, multicast and non-multicast addresses cannot be
mixed in the destination. A destination is defined as an IPv4/IPv6 destination address, an
IPv4/IPv6 source-or-destination address, the "destination" side of an IPv4/IPv6 unidirectional
flow, and either side (the "A" or "B" side) of an IPv4/IPv6 bidirectional flow. Only multicast
addresses or only non-multicast addresses can be used, but addresses from both categories
cannot be used.

IP Source Address, IP Destination Address, IP Source or Destination Address

It is also sometimes useful to look for a particular value in either the source address *or* the
destination address. The IPv4 address dialog below shows the selection of Source or Destination as
the criterion type:

913-2398-01 Rev A – 99 –
Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

When the Source or Destination criterion type is configured, a packet matches if either the Source
or Destination matches any of the defined addresses. Note the instructions below the Mask type
section of the window explaining how to duplicate an address row (+) and the mask values range.

Unidirectional Flow
When you choose the Unidirectional Flow criterion type, a packet matches the filtering criteria if
both its source *and* destination IPv4 address match any of the specified address values.

For this criterion type, you can add multiple address sets, each possibly containing multiple source and
destination addresses. Whenever you define multiple address sets, the source/destination addresses
from one set are only paired with source/destinations in that set.

Note: You can add or remove an address set by clicking the "+" or "-" buttons on the far right of
the filter criterion window. Within a set's Source or Destination category, you can add or remove
an address by clicking its adjacent "+" or "-" buttons respectively.

Tip: You can duplicate an existing address if you hold the CTRL key pressed while clicking the
"+" button.

Important! For the Unidirectional Flow criterion type, multiple address sets are allowed.
Whenever multiple sets are used, in order to match the filtering criteria, a packet can match any
of the defined sets. For detailed information see Matching Criteria Example for Undirectional
.

– 100 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Bidirectional Flow
When you choose the Bidirectional Flow criterion type, a packet matches the filtering criteria if its
source and destination IPv4 address are either A *and* B, or B *and* A.

More specifically, a packet matches if either of the following conditions is true:

l Source equals any address A and destination equals any address B in the same address set.
l Source equals any address B and destination equals any address A in the same address set.

For this criterion type, you can add multiple address sets, each possibly containing multiple A and B
addresses. Whenever you define multiple address sets, any A/B addresses from one set are only
paired with addresses in that set.

Tip: You can duplicate an existing address set if you hold the CTRL key pressed while clicking
the "+" button.

Note: For the Bidirectional Flow criterion type multiple address sets are allowed. Whenever
multiple sets are used, in order to match the filtering criteria, a packet can match any of the
defined sets. For detailed information see Matching Criteria Example for Bidirectional Flows.

913-2398-01 Rev A – 101 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

IPv4/IPv6 Session Filtering - Available Fields

Session filtering enables you to filter the traffic by sessions, which in the system context represent an
IPv4/IPv6 address and a port. Session filters can be constructed by specifying either single source and
destination sessions, or session sets (source and destination).

Additionally, a system extends the session filtering capability to flows—which are pairs of sessions—
that can be either Unidirectional Flows (involve a source session and a destination session) or
Bidirectional Flows (any session is both a source and a destination session).

This functionality is available for Network ports, Tool ports, and Dynamic Filters.

Note: Although this topic describes IPv4 session filtering and uses IPv4 examples, the
functionality is the same for IPv6 filter criteria.

Session filtering supports multicast IPv4 addresses as part of source sessions, destination sessions,
and flows. The allowed IPv4 multicast range is 224.0.0.0 to 239.255.255.255 (inclusive).

Note, however, that if you import an older configuration that has a mix of multicast and non-multicast
addresses, those filter criteria are removed from the filter and the filter is set to Deny All . The same
thing happens if you have a mix of multicast and non-multicast addresses and upgrade from an older
version to release 4.3 or higher.

Important! For Dynamic Filters, multicast and non-multicast addresses cannot be mixed in
the destination. A destination is defined as an IPv4/IPv6 destination session, an IPv4/IPv6
source-or-destination session, the "destination" side of an IPv4/IPv6 unidirectional flow set, and
either side (the "A" or "B" side) of an IPv4/IPv6 bidirectional flow set. Note that you can use
either multicast addresses or non-multicast addresses, but not addresses from both of these two
groups.

Source
When you choose this criterion type, a packet matches the filtering criteria if its source IP address and
L4 port match the specified values.

You can specify the IP filter criteria using an IP address, an IP address and a netmask, or an IP value in
CIDR notation.

You can specify the L4 port filter criteria using a single value, an interval, or a combination of both.

Note: For Source, Destination, and Source or Destination criterion types, a single session
set is allowed.

Destination
When you choose this criterion type, a packet matches the filtering criteria if its destination IP address
and L4 port match the specified values.

– 102 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

You can specify the IP filter criteria using an IP address, an IP address and a netmask, or an IP value in
CIDR notation.

You can specify the L4 port filter criteria using a single value, an interval, or a combination of both.

Note: For Source, Destination, and Source or Destination criterion types, a single session
set is allowed.

Source or Destination
When you choose this criterion type, a packet matches the filtering criteria if either the source *or* the
destination session match the specified values.

Note: For Source, Destination, and Source or Destination criterion types, a single session
set is allowed.

Unidirectional Flow
When you choose this criterion type, a packet matches the filtering criteria if both the source *and*
the destination session match the specified values.

913-2398-01 Rev A – 103 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Note: You can add or remove a session set by clicking the "+" or "-" buttons on the far right of
the filter criterion window. Within a set's Source or Destination category, you can add or remove
a session by clicking its adjacent "+" or "-" buttons respectively.

Tip: You can duplicate an existing set if you hold the CTRL key pressed while clicking the "+"
button.

Note: Multiple session sets are allowed for the Unidirectional Flow criterion type. Whenever
multiple session sets are used, a packet can match any of the defined sets to match the filtering
criteria. For detailed information, see Matching Criteria Example for Undirectional Flows.

Bidirectional Flow
When you choose this criterion type, a packet matches the filtering criteria if its source and destination
sessions—IP address and port—are either A and B, or B and A.

This condition is equivalent to filtering by unidirectional flows, (source A & destination B) or (source B
& destination A), where any matching packet would match one of the unidirectional flows.

– 104 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Note: You can add or remove a session set by clicking the "+" or "-" buttons on the far right of
the filter criterion window. Within a set's A or B category, you can add or remove an sessions by
clicking its adjacent "+" or "-" buttons respectively.

Tip: You can duplicate an existing set if you hold the CTRL key pressed while clicking the "+"
button.

Note: For the Bidirectional Flow criterion type, multiple session sets are allowed. Whenever
multiple session sets are used, in order to match the filtering criteria, a packet can match any of
the defined sets. For detailed information, see Matching Criteria Example for Bidirectional
Flows.

Using Wildcards (Don't Care)

By using wildcards, you can create one filter to do the work of many filters. Using wildcards in sessions
and flows makes filters much more customizable, which saves you time creating them and saves you
the trouble of figuring out how to use multiple filters together to get the result you want. Instead, you
can create one filter that does it all. In this onestop shopping approach, wildcards also reduce the
number of rules and save memory. For example, you can wildcard the IP address or the port number in

913-2398-01 Rev A – 105 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

a session definition to set up a session filter from IP address 192.168.100.3 and any source session
port number to Amazon’s IP address on port 80.

For IP session filtering criteria, the IP address and L4 port filtering fields support a wildcard ("don't
care") functionality, where any address or port value matches the filter criteria defined using a specific
syntax of zeros or blanks. The following syntax is supported to specify a wildcard field:

l For IP addresses, use a zero CIDR value or an all-zero Netmask.

l For ports, use a blank L4 port value. (The L4 Port field comes after the colon in the address).
Supported values for a port are 1 to 65535 (inclusive).

Depending on the criterion type, the following syntax rules apply:

l For Source, Destination, and Source or Destination type criteria, either the CIDR/netmask
value may be zero, or the port may be blank, but not both. For example, (10.10.0.0/0: port 22)
and (10.10.0.0/0.0.0.0: port 22) are valid criteria, while (10.10.0.0/0: blank port value) is not a
valid criterion.
l For Unidirectional or Bidirectional Flow criteria, each session set may contain a single
source or destination session specified using both a zero CIDR/netmask value and a blank port
value ("filter none"). For example, a session set containing a criterion defined as
(10.10.0.0/0:blank port value) is valid. If multiple sets are configured, each set may contain one
"filter none" session, as shown in the red boxes in the following image:

– 106 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Passing L4 Port Traffic with Wildcard IPv4 and IPv6 Addresses

For Source, Destination, and Source or Destination, when you filter on an L4 port and make the
IP address a wildcard (zero CIDR or all zeros for Netmask), then the filter passes any traffic flowing
through the port, both IPv4 and IPv6. In the example below, the filter passes any traffic that traverses
port 60, regardless of the IP address, both IPv4 and IPv6, even if you filter only on IPv4 sessions.

913-2398-01 Rev A – 107 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

For Unidirectional Flow and Bidirectional Flow, when you filter on an L4 port and make the IP
address a wildcard (zero CIDR or all zeros for Netmask), the filter passes any traffic flowing through the
port, both IPv4 and IPv6. In the example below, the filter passes any traffic that is destined for Source
port 60 and Destination port 40, regardless of the IP address, both IPv4 and IPv6, even if you filter only
on IPv4 sessions.

– 108 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

L4 Port Filtering - Available Fields

Port filtering enables you to filter the traffic by L4 source port, destination port, and source *or*
destination ports.

Additionally, a system extends the port filtering capability to port flows, which can be either
unidirectional (this flow involves a source port and a destination port) or bidirectional (any port is both
a source and a destination port).

This functionality is available for Network ports, Tool ports, and Dynamic Filters.

Source
When you choose this criterion type, a packet matches the filtering criteria if its source L4 port match
the specified values. You can specify the L4 port filter criteria using a single value, an interval, or a
combination of both.

Destination
When you choose this criterion type, a packet matches the filtering criteria if its destination L4 port
matches the specified values.

You can specify the L4 port filter criteria using a single value, an interval, or a combination of both.

Unidirectional Flow
When you configure the Unidirectional Flow criterion type, a packet matches the filtering criteria if
both its source *and* destination L4 port match any of the specified port values.

913-2398-01 Rev A – 109 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

For an unidirectional flow criterion, you can add multiple port sets, containing a source and a
destination port. Whenever you have multiple port sets defined, a set's source/destinations are paired
only with the source/destinations in that set.

Note: You can add or remove a port set by clicking the "+" or "-" buttons on the far right of the
filter criterion window. Within a set's Source or Destination category, you can add or remove a
port by clicking its adjacent "+" or "-" buttons respectively.

Tip: You can duplicate an existing set if you hold the CTRL key pressed while clicking the "+"
button.

Note: Note that for the Unidirectional Flow criterion type, multiple port sets are allowed.
Whenever multiple port sets are used, to match the filtering criteria, a packet can match any of
the defined sets. For detailed information, see Matching Criteria Example for Undirectional
Flows.

Bidirectional Flow
When you configure the Bidirectional Flow criterion type, a packet matches the filtering criteria if its
source and destination address are either A *and* B, or B *and* A.

– 110 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

More specifically, a packet matches if either of the following conditions is true:

l Source equals port A and destination equals port B in the same set.
l Source equals port B and destination equals port A in the same set.

For a bidirectional flow criterion, you can add multiple port sets containing A/B ports.

Whenever you have multiple port sets defined, a set's A/B entries are paired only with the A/B entries
in their set.

Note: You can add or remove a port set by clicking the "+" or "-" buttons on the far right of the
filter criterion window.

Tip: You can duplicate an existing set if you hold the CTRL key pressed while clicking the "+"
button.

Note: Note that for the Bidirectional Flow criterion type, multiple port sets are allowed.
Whenever multiple sets are used, in order to match the filtering criteria, a packet can match any
of the defined sets. For detailed information, see Matching Criteria Example for Bidirectional
Flows.

913-2398-01 Rev A – 111 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Matching Criteria Example for Unidirectional Flows

When you choose the Unirectional Flow criterion type, a packet matches the filtering criteria if both
the source *and* the destination elements—MAC addresses, IPv4 addresses, IPv6 addresses, L4 ports,
or sessions (IP address and L4 port)— match the specified values.

Note that for the Unirectional Flow criterion type, you can define multiple sets, as shown as an
example in the following image for the case of address sets.

As an example illustrating the matching filtering conditions in the case of multiple sets, let us consider
the following unidirectional flow configuration that contains two sets, each having source addresses
named A and destination addresses named B, as shown in the following image. In this case, the
matching filter conditions are listed on the right of the image.

– 112 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

913-2398-01 Rev A – 113 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Matching Criteria Example for Bidirectional Flows

When you choose the Bidirectional Flow criterion type, a packet matches the filtering criteria if its
source and destination entities—MAC addresses, IPv4 addresses, IPv6 addresses, L4 ports, or sessions
(IP address and L4 port)—are either A and B, or B and A.

Note that for the Bidirectional Flow criterion type you can define multiple sets, as shown as an
example in the following image for the case of address sets.

Whenever multiple sets are used, in order to match the filtering criteria, a packet can match any of the
defined sets.

As an example illustrating the matching filtering conditions in the case of multiple sets, let us consider
the following bidirectional flow filter criteria that contains two sets, each one having address pairs
named A and B, as shown in the following image. In this case, the matching filter conditions—rendered
using different colors for each direction—are listed on the right of the image.

– 114 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

913-2398-01 Rev A – 115 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Selected Fields Section

Multiple criteria may be combined to create more complex filters by using the options shown in the
following figure.

Criteria may be combined as Match All (AND) or Match Any (OR). When using a Match All option,
each criterion may be used only once in a single filter. When using Match Any, each criterion may be
used more than once in the same filter. In a Match All filter, therefore, once a criterion is used, that
button appears grayed out to indicate that the criterion cannot be used again in that filter.

Filter criteria can also be retrieved from the filter template library.

The following are examples and additional options for working with the Selected Fields section.

Tool Port/Tool ICPG/Load Balance Port Group Options

AND: Deny packets that match ALL of the specified criteria.

OR: Deny packets that match ANY of the specified criteria.

The chosen filter criteria are displayed under the Field and Values columns.

To modify a criterion, choose either of the following methods:

l Highlight the criterion and click Modify.

l Double-click the criterion.

To remove a criterion, chose either of the following methods:

l Highlight the criterion and click Remove.

l Highlight the criterion and press the Delete key on the keyboard.

Select several criteria for deletion by holding down the Shift or Ctrl key while clicking.

Criteria can be augmented and replaced with filter criteria templates from the dedicated library. To do
this, highlight the existing criteria and then choose Replace or Merge.

– 116 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

The Replace option removes the current filter criteria from the destination filter and replaces them
with the filter criteria template you select from the Filter Template Collection.

The Merge option maintains the current filter criteria of the destination filter and adds the filter criteria
template you select from the Filter Template Collection.

913-2398-01 Rev A – 117 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

SNMP Tag Section

The SNMP tag field is a free-form text field that you may optionally configure for each filter. A user can
configure one or more keywords using comma, space, or colon as separators. An SNMP management
application can use the specified keywords to facilitate customized search, sort, and aggregation of
Anue MIB filter information.

SNMP tag: The filter is tagged with the defined text. The maximum length of this field is 255
characters.

– 118 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Library Section
Replace: Filter criteria can be changed by replacing the current filter criteria with criteria selected
from the Filter Template Collection.

Merge: Filter criteria can be augmented by merging the current filter criteria with criteria selected
from the Filter Template Library. This option maintains the currently defined criteria and adds criteria
from the Filter Template Library.

Save: Selected filter criteria can be saved to the Filter Template Library.

913-2398-01 Rev A – 119 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Port, Port Group, and Dynamic Filter Symbols and

Indicators
Ports and filters display several symbols that indicate their status and configuration.

A port number is preceded by the letter "P" followed by the port number. A filter number is preceded by
the letter "F" followed by the filter number. If a port or filter has been given a label by a user, the port
or filter number is displayed in parenthesis.

– 120 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Filter Indicators
Various symbols along the left side of the icon are used to summarize the filter settings.

Four green arrows passing through a gray panel indicate that a filter is configured to pass all
packets.

Three green arrows touching a black panel indicates that a filter is configured to deny all packets.

When a filter is set to Pass by Criteria or Deny by Criteria, several additional indicators are
displayed: "&" and "or", preceded by either "-> " or "->|" indicating the filter type (Pass or Deny):

The "->&" symbol indicates that the filter mode is Pass by Criteria and the defined filter criteria are
logically AND’d to allow traffic that matches all of the criteria. An "->or" symbol indicates that the
filter mode is Pass by Criteria and the defined filter criteria are logically OR’d to allow traffic that
matches any of the criteria.

The "->|&" symbol indicates that the filter mode is Deny by Criteria and the defined filter criteria
are logically AND’d to deny traffic that matches all of the criteria. The "->|or" symbol indicates that
the filter mode is Deny by Criteria and the defined filter criteria are logically OR’d to deny traffic that
matches any of the criteria.

913-2398-01 Rev A – 121 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

The text next to the symbols provides a quick overview of the configured filter criteria. For example,
"IP" indicates that an IP protocol filter criterion has been defined and "L4SPT" indicates that a Layer 4
source port filter criterion has been defined.

The text in the lower right corner describes the speed of the port, either of the following:

"SFP" displays when port speed is set to 1G

"SFP+ " displays when port speed is set to 10G

"QSFP+ " displays when port speed is set to 40G

"QSFP28" displays when port speed is set to 100G

The text adjacent to the port image indicates the link status. If the link is up, the text will indicate the
link speed. For example, the text "1G" indicates that port has successfully connected to a device at

1Gbps. If the link is down, the symbol is displayed.

– 122 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Filter Criteria Indicators

The following table provides a partial list of the filter indicators and a description of the corresponding
filter criteria.

Filter Indicator Filter Criteria

MACSA MAC Source Address
MACDA MAC Destination Address
VLAN VLAN ID
VLANID VLAN ID (packet must contain an IPv4 header)
ETYPE Ethertype
IP4DA IPv4 Destination Address
IP4SA IPv4 Source Address
PROTO More than one IP protocol is defined (when a single IP protocol is
defined, the indicator will represent that specific protocol)
DSCP DSCP/ECN
L4SPT Layer 4 Source Port
L4DPT Layer 4 Destination Port
TCP-C TCP Control

913-2398-01 Rev A – 123 –

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Packet Drop Indicator

When the incoming packet rate exceeds the configured rate of a tool port, packets may be dropped.
When that occurs, the symbol will be displayed on the tool port icon.

Cause: The most common cause for this condition is that several network ports have been aggregated
to the tool port (for example, three 1G network ports were aggregated to one 1G tool port). Traffic
burstiness may also be a factor with many-to-one connections.

Troubleshooting tips:

l In the tool port's Tool Management View look up which network port is sending the most traffic
and contributing the greatest amount of packets to the overflow condition. Re-configure as
necessary to prevent the alarm condition.
l Apply filter criteria to the filter to prevent unnecessary traffic from flowing to the tool port.
l Be aware that in some scenarios, overlapping filter criteria can cause packets to drop.
l Microbursts of traffic can occur that may also cause traffic to drop. Bursts of traffic with durations
shorter than 1 second are typically referred to as microbursts. Additional information about
microbursts can be found in the Understanding Traffic Burstiness technical note that can be
downloaded from the Ixia Customer Portal.

See Technical Support for information on how to access the Ixia Customer Portal.

– 124 – 913-2398-01 Rev A

Chapter 7 Filter Criteria for Ports, Port Groups, and Dynamic Filters

Link Down Indicator

Ports display the symbol to indicate that the link is down.

Port Groups display the same symbol if all ports in the group are link down.

Cause: The network or tool port could not negotiate speed and duplex (half, full) with the connected
device.

Troubleshooting tips:

l Verify the connectivity between the device and the system port (re-seat the cables and SFP/XFP
if applicable).
l Verify that the connectivity elements are chosen correctly and match,meaning multi-mode fiber
and 850 nm multi-mode SFP. For information about supported SFPs/XFPs, refer to the Installation
Guide for your system model.
l Check the port LED status. For more information, refer to the Installation Guide for your system
model.
l Change the system port speed to match the connection speed and duplex mode of the connected
device.

913-2398-01 Rev A – 125 –

CHAPTER 8 Priority Filtering
Beginning in release 4.7.5, you can choose one of the following filter build modes:

l Intersection – filtering mode for all network ports that ensures that all packets get to all
expected destinations. This is most useful for monitoring out-of-band traffic.
l Priority – filtering mode where higher priority filters take packets from lower priority filters.
Once a packet matches a filter, it is not seen by filters with lower priority. If all packets need to
get to all destinations, it is up to users to build the filters appropriately. If all packets need to be
sent somewhere, a low priority Pass All rule can be added to make sure no packets drop. This is
most useful for monitoring in-band traffic in your live network. Priority filtering avoids sending
duplicate packets into your live network.

By default, the system uses intersection filtering for:

l Network ports
l Dynamic filters
l Tools ports

You can set the system to use priority filtering to:

l Prioritize Dynamic Filters connected to Network ports

l Prioritize Service Chains connected to Bypass Port Pairs (for Inline packet processing of your live
network traffic)

Prioritize Dynamic Filters connected to Network Ports

To prioritize the Dynamic Filters connected to Network Ports, do either of the following:

l Drag-and-drop the entries in the priority list

l Click the Up and Down buttons

– 126 – 913-2398-01 Rev A

Chapter 8 Priority Filtering

Priorities shown in Diagram view connection lines:

Prioritize Service Chains connected to Bypass Port

Pairs
To prioritize the Service Chains connected to Bypass Port Pairs, do either of the following:

l Drag-and-drop the entries in the priority list

l Click the Up and Down buttons

913-2398-01 Rev A – 127 –

Chapter 8 Priority Filtering

Priorities shown in Inline view connection lines:

Use Cases
The following use cases indicate how priority filtering can be helpful.

– 128 – 913-2398-01 Rev A

Chapter 8 Priority Filtering

Use Case 1: Inline Tool Deployment

Traffic volume is very high, but the inline security tool is of limited processing power. You want to
perform strong filtering so all known traffic with no or minimum harm will bypass the inline tool, saving
precious bandwidth to process traffic of potentially high risk.

For example, you want to bypass traffic specified in the following criteria list:

l All UDP traffic

l All ICMP traffic
l All TCP Port 443 traffic
l All internal traffic with known IP addresses (113.200.0.0/15 and 123.138.0.0/15)
l All traffic to or from subnet 113.200.90.0/24
l All traffic to or from subnet 113.200.96.0/24
l All traffic to or from subnet 113.200.12.128/27
l All multicast and broadcast traffic

Use Case 2: Out-Of-Band Tool Deployment

You want to use Ixia to replace an existing switch that performs strong deny criteria to reject traffic.
Only traffic that has passed all deny statements will go to the security tool.

Use Case 3: Intersection vs. Priority for Three Tools

Priority Based Filtering (PBF) offers ACL-like logic to process traffic based on rule priority. Similar to
the logic of Access Control Lists (ACLs), PBF traffic that matches the first rule (VLAN=100-200) goes to
the first tool, the remaining traffic that matches the second rule (TCP L4=80) goes to the second tool,
the remaining traffic that matches the third rule (SSL) goes to the third tool, and so on in the
sequence, strictly based on rule priority.

The example below compares the traffic sent to each of three tools when configured with Intersection
Based Filtering vs. Priority Based Filtering.

913-2398-01 Rev A – 129 –

Chapter 8 Priority Filtering

– 130 – 913-2398-01 Rev A

Chapter 8 Priority Filtering

Change to Priority Filtering Mode

To change to priority filtering mode:

1. In any view except Inline or Clustering, open the Settings menu and select Filter Memory
Allocation > Dynamic Filters.
2. On the Network Port Filters tab, in the Criteria Types section, to the right of the Dynamic
IP address filter criteria types field, select only one of the following:
l IPv4 L3/4
l IPv6 L3 (If selected, then you cannot use Custom Offset fields nor MAC addresses for filtering
criteria.)
3. Click the Dynamic Filters tab.

913-2398-01 Rev A – 131 –

Chapter 8 Priority Filtering

4. In the Types section, specify the amount of custom offset fields sets that you want to use:
l None (no custom offset fields are used)
l 1 Field Set (unavailable for IPv6 L3)
5. In the Mixtures section, to the right of the Dynamic filter criteria field, open the drop-list
and select one of the following options:
l 100% L2/L3/L4 including MAC
l 4% L2/L3/L4 + 96% L2/L3/L4 excluding MAC (unavailable for IPv6 L3)
6. To the right of the Filter build mode field, open the drop-list and select Priority.
7. Click Apply or OK.

For more configuration details, see:

l Available Filter Criteria for Priority Mode

l Priority Filtering Restrictions

To more fully understand all the priority filtering features, restrictions, and considerations see the
chapter Priority Filtering.

Available Filter Criteria for Priority Mode

Priority mode supports filter criteria for:

– 132 – 913-2398-01 Rev A

Chapter 8 Priority Filtering

l IPv4 – two options

l IPv6 – one option

IPv4 Filter Criteria Options

You have two (2) filter memory options for IPv4:

l No custom offset field set (None), with the following available filter criteria:
n Src MAC
n Dest MAC
n Outer VLAN
n Inner VLAN
n Ethertype
n IpProtocol
n DSCP
n Src IPv4 Address
n Dest IPv4 Address
n Tcp Control
n L4 Src Port
n L4 Dest Port
l One (1) custom offset field set, with the following available filter criteria:
n Outer VLAN
n Inner VLAN
n Ethertype
n IpProtocol
n DSCP
n Src IPv4 Address
n Dest IPv4 Address
n Tcp Control
n L4 Src Port
n L4 Dest Port
n Custom Offset Field Set 1 (16 bytes)

IPv6 Filter Criteria Option

You have one (1) filter memory option for IPv6, with no Mac addresses and no custom offset field sets,
with the following filter criteria:

l Outer VLAN
l Inner VLAN
l Ethertype
l IpProtocol
l DSCP
l Src IPv6 Address

913-2398-01 Rev A – 133 –

Chapter 8 Priority Filtering

l Dest IPv6 Address

l Tcp Control
l L4 Src Port
l L4 Dest Port

Priority "P" Indicator on Ports and Port Groups

A green "P" on ports and port groups indicates they are in priority mode.

Optionally Show/Hide Priority Numbers

You can change the settings to show or hide priority numbers:

l Globally: In any view except Inline, select Settings > User Settings > View Settings,
open the Default Priority Numbering drop-list and select either Show Priority or Hide
Priority.

This removes the priority numbers from the connection lines between Network ports and Dynamic
Filters in the Diagram and Inline views.
l Per Port/Port Group: Right-click a Network Port or Network Port Group and select Hide
Priority in Connections.
The default is to show them.

– 134 – 913-2398-01 Rev A

Chapter 8 Priority Filtering

l Per Inline Bypass Port Pair (BPP): In the Inline view, right-click a BPP and select Hide
Priority in Connections.
The default is to show them.

913-2398-01 Rev A – 135 –

Chapter 8 Priority Filtering

New Priority Filtering Modes

Priority filtering adds the following filtering modes:

l Exclude by Criteria – similar to Deny by Criteria (DBC), except that no data is passed to
destinations. For this mode, if the specified criteria is matched, the matching packets are
dropped. This allows users to filter out some data from lower priority filters.
Even though no traffic is passed, Network ports still have to terminate at Tool ports for the
Dynamic Filters to build. You can use the terminating Tool port for other filters that pass traffic to
tools.
l Disable – similar to Deny All, allows a user to disable a priority filter without having to delete it
or remove the criteria. This allows users to temporarily disable a filter and then re-enable it in the
future without losing the information.

– 136 – 913-2398-01 Rev A

Chapter 8 Priority Filtering

Connecting Out-Of-Band Egress Ports and Port Groups in

Priority Mode
When the ingress ports from a BPP or ITR are in priority mode, sending traffic to the out-of-band (OOB)
filters is not possible because all data is handled by the inline filters, which leaves nothing for the OOB
filter.

In priority mode, the new approach is to connect the Inline filters to multiple OOB destinations. If the
filter criteria from the service chain is changed and there is an OOB connection between an Inline DF
related to that SC and an OOB destination, this connection will be maintained. There are a few
situations when connections to OOB destinations are deleted:

l If there is a connection between an Inline DF related to an ITR and an OOB destination, if that ITR
is deleted then the connection to that OOB destination will also be deleted.
l If there is a BPP connected to a service chain and we have a connection between an Inline DF
related to that SC and an OOB destination, if the BPP or the service chain is deleted then the
connection to that OOB destination will also be deleted.
l When Tool sharing or VSET is enabled/disabled on a service chain, if there is a connection
between an Inline DF related to that SC and an OOB destination, this connection will also be
deleted.
l When having two devices in HA manual sync mode, if a push/pull configuration is performed and
there is a connection between an Inline related DF and an OOB destination, this connection will
be deleted. This happens only for the peer which is receiving the configuration file.

PacketStack Resources , Fan-Out, and Fan-In Supported in Priority Mode

Priority filtering mode supports:

l PacketStack Resources: When a PacketStack Resource is attached to a Network port, the

internal PacketStack ports inherit the filter building mode of the Network port, Intersection or
Priority. If the filter building mode is changed, the PacketStack internal ports are updated.
l Fan-out: When entering fan-out mode, one port is removed and four new ports are created. The
new ports inherit the filter build mode setting of the port being replaced. When exiting fan-out
mode, the filter build mode of the first port is assigned to the newly created single port.
l Fan-in: When entering fan-in mode, four ports are removed and replaced by one newly created
port. The newly created port inherits the filter build mode of the first port in the group being
replaced. When exiting fan-in mode, all four newly created ports are assigned the filter build
mode of the port being replaced.

Connecting Out-Of-Band Egress Ports and Port Groups

in Priority Mode
When the ingress ports from a BPP or ITR are in priority mode, sending traffic to the out-of-band (OOB)
filters is not possible because all data is handled by the inline filters, which leaves nothing for the OOB
filter.

913-2398-01 Rev A – 137 –

Chapter 8 Priority Filtering

related to that SC and an OOB destination, this connection will be maintained. There are a few
situations when connections to OOB destinations are deleted:

PacketStack Resources , Fan-Out, and Fan-In

Supported in Priority Mode
Priority filtering mode supports:

l PacketStack Resources: When a PacketStack Resource is attached to a Network port, the

Priority Filtering Restrictions

Priority filtering has the following restrictions:

– 138 – 913-2398-01 Rev A

Chapter 8 Priority Filtering

l You can select either IPv4 or IPv6, but not both.

Note: In priority filtering mode, E100 only supports IPv4, not IPv6.
l None or one (1) custom field set, but not two (2).

l The following mix and amount of filter criteria options with IPv4:
n 100% L2/L3/L4 including MAC
n 100% L2/L3/L4 including MAC/Custom Fields
n 4% L2/L3/L4 + 96% L2/L3/L4 excluding MAC
l The following mix and amount of filter criteria options with IPv6:
n 100% L2/L3/L4 including MAC
l The following filtering modes are not available for priority filtering:
n Deny by Criteria (DBC) – replaced with Exclude by Criteria, the implementation of a
Deny by Criteria filter has been to deny the specified packets and pass all other packets to
the filter destinations. This will not work in the context of priority filtering because it would
leave no data for lower priority filters.
n Pass Unmatched PBC (Pass by Criteria) – passing all data not matched by the Pass by
Criteria filter to a destination, this mode is unnecessary with Priority filtering because using
a Pass All filter as the lowest priority filter will accomplish this. There is no need for a
specific filter mode to accomplish this.

913-2398-01 Rev A – 139 –

Chapter 8 Priority Filtering

n Pass Matched DBC – passes all data that matched (and would be dropped) by Deny by
Criteria filters. Because there are no priority Deny by Criteria filters, there is no purpose for
this mode. If a user wants to send the data from a new Exclude By Criteria filter to a
destination, they could just convert the filter into a Pass by Criteria and send traffic to the
destination.
n Deny All – replaced with Disable, Deny All passes no data (but takes nothing from other
filters). This allows a filter to be disabled without losing the set criteria. Deny All is not a
good concept for priority filtering because it would block all data to lower priority filters.
l Issues when Tool Sharing is NOT enabled - see description and screenshots below.

If more than one Service Chain (SC) uses the same Inline Tool Resource (ITR) and Tool Sharing is NOT
enabled in the SCs for the Bypass Port Pairs (BPPs) that use that ITR, then data will not transmit as
desired. The screenshot below shows a simple setup with the issue:

In the above case, BPP1 and BPP2 will send data to ITR2. When the data returns from ITR2, there is no
way to differentiate the packets from BPP1 from the packets from BPP2. In the Diagram view, the return
from the ITR looks like this:

The above filters will send all data to BPP2, and nothing to BPP1.

With priority filtering, these SCs are not prioritized relative to each other since they are attached to
different BPPs. SC2 ended up higher priority than SC1 on return from the tool, but this is not
configurable.

Solutions to this issue:

l Enable Tool Sharing, which will identify packets from each BPP.
l If the filters are mutually exclusive (not matching on the same packets), this will keep the data
separate.

Priority Filter Memory Allocation Considerations

Priority-Based Filtering affects filter memory allocation in ways you need to consider when you
configure your filters, including:

– 140 – 913-2398-01 Rev A

Chapter 8 Priority Filtering

l Inline and HA Inline

l IPv6, Custom Fields, and MAC

Inline and HA Inline

When heartbeat filters are required for Inline configurations (including HA), the dynamic filter memory
allocation should not be set to “4% L2/L3/L4 + 96% L2/L3/L4 excluding MAC” because MAC address
will not be available for heartbeat filters.

IPv6, Custom Fields, and MAC

There are special considerations when IPv6 and/or Custom Fields are needed.

IPv6
Dynamic Filter Memory Available Custom Fields
Allocation Web API Allocation Available

100% L2/L3/L4 including L2L3L4_100 Yes No

MAC

100% L2/L3/L4 including L2L3L4_100 (with one custom field No Yes

MAC/Custom fields configured – two not allowed)

4% L2/L3/L4 + 96% L2L3L4_04_L2L3L4_NOMAC_96 No No

L2/L3/L4 excluding MAC

When memory is configured to support IPv6 criteria or Custom Fields, it cannot also hold MAC criteria
in priority filtering mode. To ensure that inline heartbeat filters are supported, a small block of the
highest priority memory (heartbeats are always highest priority) is reserved by the system and
configured to support MAC criteria (heartbeats require MAC criteria). This memory can also support
most other criteria types, like IPv4 and VLAN, but it cannot support IPv6 criteria or custom fields. A
section of this block is available for use with heartbeats exclusively (whether Inline is configured or
not), but the remainder is available for use by dynamic filters.

Consider the following points, therefore, when configuring IPv6 or Custom Field support:

l Only a small amount of this specially configured memory is reserved. Once the part available to
dynamic filters has been used, any attempt to add more filters with MAC criteria will return an out
of memory error, even when memory meters report memory is available.
l Other criteria can also be placed in this reserved area. So even if no MAC criteria have been used
in the highest priority filters, if there are not IPv6 or Custom Fields used in those filters, their
criteria will use the reserved memory first. Once all the reserved memory has been exhausted, no
MAC criteria can be added.
l Once a dynamic filter is configured with criteria that cannot be placed in the reserved memory
(i.e., uses IPv6 or Custom Field criteria), no lower priority filters can add MAC criteria. This is
because the IPv6/Custom Field criteria need to be higher than the MAC criteria, but the MAC
criteria can only be placed in the reserved highest priority memory, which would give them a
priority higher than the IPv6/Custom Field criteria. In such cases an error is returned that the MAC
criteria could not be placed in existing memory at the requested priority.

913-2398-01 Rev A – 141 –

Chapter 8 Priority Filtering

Priority Filter Memory Meters

When in priority filtering mode, the system displays Filter Memory Availability similar to what is
shown below:

Dynamic Filter Forwarding Rules show the filter mode is set to Priority, with 100% IPv4, currently
using 5% of available memory, with 95% more memory available.

Network Port Filters memory allocation is set as follows:

l Dynamic IP address filter criteria types: IPv4 L3/4

l 100% IPv4 address

– 142 – 913-2398-01 Rev A

Chapter 8 Priority Filtering

In the case shown above, filter memory is allocated to Dynamic Filters with the following settings:

l Dynamic filter criteria: 100% L2/L3/L4 including MAC

l Filter build mode: Priority

913-2398-01 Rev A – 143 –

Chapter 8 Priority Filtering

Statistics for Priority Filtering

You can see priority filtering statistics in two ways:

l View Priority Filtering Statistics in the Web Console

l Get Priority Filtering Statistics with the Web API

View Priority Filtering Statistics in the Web Console

No data structures were changed when querying the Web API for statistics on priority filters. For
Exclude By Criteria filters (priority filters only), a packet that passes a filter’s criteria is excluded
(dropped). So all “passed” related statistics are actually “excluded’ statistics. To avoid confusion on
the Web Console, new columns were added to the statistics view for dynamic filters that include
“Excluded” in their title (for example, “Excluded Bytes”), and the columns with “Passed” in their title
display “N/A".

Get Priority Filtering Statistics with the Web API

For priority filters, a filter build mode of DISABLE forwards all traffic on the next highest priority filter,
so only the inspected statistics are displayed on the Web Console. When querying the Web API

– 144 – 913-2398-01 Rev A

Chapter 8 Priority Filtering

directly, the value of all other statistics should be ignored even if they are not zero.

913-2398-01 Rev A – 145 –

CHAPTER 9 Filter Memory Allocation
This feature allows system administrators to customize the Vision Edge system filter memory in a
manner that is specific to their needs. For example, if users need to filter traffic only based on L3/4
(layer 3 and layer 4) criteria, a system administrator can configure the settings to support L3/L4 filter
criteria to 100%, thus maximizing the filter capability.

An important use for Filter Memory Allocation is to enable the use of Custom Dynamic Filtering. You
must first enable Custom Dynamic Filtering through the Filter Memory Allocation settings. See
Changing Filter Memory Allocation, specifically the Dynamic Filters Tab.

Another common use for this feature is modifying memory allocation settings such as to be able to
complete a filter configuration despite a low filter memory state. For example, a system user attempts
to create an L3 filter and receives a notification message indicating that there is not enough available
L3 memory to create the filter. To resolve the problem, the system administrator can reduce the
amount of L2 memory—which results in the increase of the available L3 memory—and thus allow the
user to complete the task of creating the filter.

Note: Only users having an admin role are able to configure the filter memory allocation.

Important! Modifying the filter memory allocation settings may momentarily disrupt traffic
flow.

The following figure shows the five fields used to configure the filter memory allocation:

Click any of the five links to open the Set Filter Memory Allocation dialog, shown in the following
figure. The first three links open the Network Port Filters tab, where you can adjust the settings shown
for those links. The fourth link opens the Dynamic Filters tab. The fifth link opens the Tool Port Filters
tab.

– 146 – 913-2398-01 Rev A

Chapter 9 Filter Memory Allocation

On the Network Port Filters and Tool Port Filters tabs, you select the criteria that you want to filter on
and then choose the percentage of filter memory assigned to the selected criteria. The Dynamic Filters
tab is different in that you need to select its filter criteria on the Network Port Filters tab and then
configure the associated memory amounts on the Dynamic Filters tab.

See Changing Filter Memory Allocation.

913-2398-01 Rev A – 147 –

Chapter 9 Filter Memory Allocation

Changing Filter Memory Allocation

To change the filter memory allocation settings:

l Open the Settings menu and select Filter Memory Allocation.

The Filter Memory Allocation dialog appears with the following tabs:
n Network Port Filters
n Dynamic Filters
n Tool Port Filters

– 148 – 913-2398-01 Rev A

Chapter 9 Filter Memory Allocation

Network Port Filters

The Network Port Filters tab allows system administrators to set the filter memory mix for the following
fields under the Filter Memory Allocation section of the System Settings page.

You can allocate memory for network port filters and provide capacity for dynamic filter source IP
criteria as follows:

l Network port / Dynamic source IP address mix

l Dynamic source IP address filter mix (IPv4 / IPv6)
l Network port filter mix (L2 only/L2+IPv4/L2+IPv4+IPv6/L2+IPv6/IPv4/ IPv6/IPv4+IPv6)

To set the filter memory allocation for network port filters and provide capacity for dynamic filter
source IP criteria:

1. Select the combination of check boxes for the criteria types needed to filter traffic at network
ports – L2, IPv4 L3/4, and/or IPv6 L3/4.
Note: As you select and clear check boxes, the Mixture chart will update and provide a
preview of the configuration.
2. Select the combination of check boxes for the criteria types needed to filter traffic by source IP
address at dynamic filters – IPv4 L3, and/or IPv6 L3.
3. Specify the mixture of network port and dynamic source IP address filters by opening the drop-
down list and selecting one of the options.
Note: The check boxes you select or clear at the top of this tab determine the available
choices for the drop-down lists.
4. Specify the mixture of dynamic source IP address filter criteria by opening the drop-list and
selecting one of the options.
5. Specify the mixture of network port filter criteria by opening the drop-list and selecting one of the
options.
6. Click OK or Apply to apply the changes.

Increasing the IP Address Filtering Capacity in Dynamic Filters

When you select the Support up to 8184 dynamic filter source IP addresses, the IPv4 filter
criteria capacity for Dynamic Filters is increased to 8k source or destination addresses respectively.

In Dynamic Filters, this mode does not support filtering on IPv6 criteria and matching on IPv4 source
addresses in multi-cast packets.

Before you select or deselect this option, all ports and filters must be cleared. After you select or
deselect the option, the system is rebooted.

Note: After you export a configuration that has this option selected, you can import it only to
the system that has the same option selected, and conversely. Mismatches between the
configured setting and the imported setting are not supported.

913-2398-01 Rev A – 149 –

Chapter 9 Filter Memory Allocation

Dynamic Filters Tab

The Dynamic Filters tab allows you to do the following:

l Create one or two custom field sets and configure them

l Determine the mixture and amount of filtering available for the following packet headers:
n MAC address
n L2/L3/L4 header
l Set the filter build mode:
n Intersection filtering – mode for all network ports that ensures that all packets get to all
expected destinations. This is most useful for monitoring out of band traffic.
n Priority filtering – mode where higher priority filters take packets from lower priority
filters. Once a packet matches a filter, it is not seen by filters with lower priority. If all
packets need to get to all destinations, it is up to users to build the filters appropriately. If
all packets need to be sent somewhere, a low priority Pass All rule can be added to make
sure no packets drop. This is most useful for monitoring in-band traffic in your live network.
Priority filtering avoids sending duplicate packets into your live network.

To specify the mix and amount of filter criteria and set the optional custom field sets and filter build
mode:

1. Specify the amount of custom offset fields sets that you want to use: None (no custom offset
fields are used), 1 Custom Field Set, 2 Custom Field Sets.
Note: The Custom Offset Fields (COF)/Custom Dynamic Filtering (CDF) functionality relies
on user-created custom fields within Dynamic Filters, enabling you to match on portions of
the packet headers and of the payload that are not accessible otherwise. For detailed
information see Custom Dynamic Filtering.

2. Open the Filter build mode drop-list and select one of the following options:
l Intersection
l Priority
3. For Priority, open the Mixtures drop-down list and select one of the following options:
l 100% L2/L3/L4 including MAC
l 4% L2/L3/L4 + 96% L2/L3/L4 excluding MAC
4. For Intersection, open the Mixtures drop-down list and select one of the following options:
l 100% L2/L3/L4 including MAC
l 100% L2/L3/L4 excluding MAC
l 4% L2/L3/L4 + 96% L2/L3/L4 excluding MAC
l 11% L2/L3/L4 + 89% L2/L3/L4 excluding MAC
l 30% L2/L3/L4 + 70% L2/L3/L4 excluding MAC
l 58% L2/L3/L4 + 42% L2/L3/L4 excluding MAC
l 100% L2/L3/L4 including MAC/Custom fields
l 4% L2/L3/L4 including MAC/Custom fields + 96% L2/L3/L4 excluding MAC/Custom fields
l 11% L2/L3/L4 including MAC/Custom fields + 89% L2/L3/L4 excluding MAC/Custom fields

– 150 – 913-2398-01 Rev A

Chapter 9 Filter Memory Allocation

l 30% L2/L3/L4 including MAC/Custom fields + 70% L2/L3/L4 excluding MAC/Custom fields
l 58% L2/L3/L4 including MAC/Custom fields + 42% L2/L3/L4 excluding MAC/Custom fields
l 100% L2/L3/L4 including Custom fields
l 4% L2/L3/L4 including Custom fields + 96% L2/L3/L4 excluding Custom fields
l 11% L2/L3/L4 including Custom fields + 89% L2/L3/L4 excluding Custom fields
l 30% L2/L3/L4 including Custom fields + 70% L2/L3/L4 excluding Custom fields
l 58% L2/L3/L4 including Custom fields + 42% L2/L3/L4 excluding Custom fields
When you select an option from the drop-down list, the system shows you a preview of the effects
of that option in the Mixture Chart.
5. Click OK or Apply to apply the changes.
6. Click Configure Fields to configure the custom offset fields.
7. Click OK or Apply to apply the changes.

913-2398-01 Rev A – 151 –

Chapter 9 Filter Memory Allocation

Tool Port Filters Tab

Tool port filters allow you to filter out unwanted traffic to network devices that are attached to tool
ports. The tool port memory allocation is independent of network port and dynamic filter memory
allocation settings from the Network Port Filter and Dynamic Filters tabs.

Since L2 filtering is always available for tool port filters and cannot be de-activated, on the Tool Ports
tab you can configure the following filter memory options:

l The filter criteria types available on tool port filters:

n IPv4 L3/4
and/or
n IPv6 L3/4
l The percentage of memory (or mixture) available for each criteria type.

When you select or clear the check boxes for filter criteria types, the options change in the mixture
drop-down list.

To set the filter memory allocation for tool port filters:

1. Select the combination of check boxes for the criteria types needed to filter traffic at tool ports –
IPv4 L3/4 and/or IPv6 L3/4.
Note: As you select and clear check boxes, the Available Criteria and Unavailable Criteria
appear in the list at the bottom of this tab. These show the effect of your selections before
you commit them by clicking OK at the bottom of the Set Filter Memory Allocation dialog.
Before committing the changes by clicking OK, you can also make your selections on the
other two tabs, Dynamic Filters and Network Port Filters.
2. Specify the mixture of tool port filter criteria by opening the drop-list and selecting one of the
options.
3. Click OK to apply the changes.

– 152 – 913-2398-01 Rev A

CHAPTER 10 Custom Dynamic Filtering
This section provides detailed information about allocating, configuring, and filtering traffic with
Custom Offset Filters (COF). Since you can use Custom Offset Filters only in Dynamic Filters, they are
also known as Custom Dynamic Filters (CDF).

To use Custom Dynamic Filtering, you must first enable it through the Filter Memory Allocation
settings. See Changing Filter Memory Allocation, specifically the Dynamic Filters Tab.

Introduction
The system comes with several predefined fields for filtering traffic. Using those fields, you can specify
the types of network packets that are allowed or not allowed to pass through a filter. The predefined
filtering fields are available for Network ports, Tool ports, and Dynamic Filters. For a detailed
explanation of how to use the predefined fields, see Filter Criteria for Ports, Port Groups, and Dynamic
Filters.

Additionally, the custom dynamic filtering (CDF) functionality that uses custom fields within Dynamic
Filters enables you to match on portions of the packet headers and the payload that are not accessible
using the predefined fields.

l The system has built-in support for MPLS, GTP, VxLAN, and MAC (only in field set 2) custom
fields, providing access to specific named fields within those protocols, avoiding the need to
calculate the exact packet positions of the fields.
l In addition to the MPLS, GTP, VxLAN, and MAC custom fields, you can also define "Raw Custom
Fields on the next pagecustom fields, or "Custom" fields as they are referred to in the GUI. These
more generic fields allow you to specify the size of the field and its offset, starting from a location
in the packet, to the beginning of the field. Custom fields allow you to match on up to 16 fields,
each 2-bytes long, with 2-byte boundaries and sizes that are even multiples of 2, at up to 16
different offsets, up to 128 bytes deep into Ethernet packets.
By defining your own custom fields, you can filter on specific bit patterns and values that occur at
selected locations in a packet. This allows access to header and payload fields in a large number
of protocols, such as MPLS, GTP, VxLAN, GRE, HTTP, FCoE, FIP, iSCSI, L2TP, VoIP, RTP, and
more.
Important! Unlike the predefined fields, which you can use on Network ports and Tool ports,
you can use custom fields only in the Dynamic Filters that connect Network ports to Tool ports.

– 153 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

Field Sets
In the system, custom fields—both MPLS/GTP/VxLAN/MAC and Raw—are allocated using one or two
"field sets." Once these field sets are allocated and defined, they are available for use in all Dynamic
Filters.

Field sets require two steps before any fields in the sets can be used in a filter:

l Memory must be allocated for use by the field sets. Each field set is allocated 16 bytes of
memory, meaning that the byte cost of all the fields in a set must not exceed 16 bytes.
l Fields must be created within the allocated field set(s).

Allocating one field set can use up to 16 bytes of dynamic filter memory, while allocating two field sets
can use up to 32 bytes, depending on the number of created fields. As you chose the composition of
your custom fields, your choices use up memory in 2-byte increments.

However, not all fields in a field set use up memory, some are "free," meaning that they do not count
against the total memory used by a field set. These fields are generally fields located in the outer
headers of tunneled packets and server confirmation purposes. Whether a field is "free" or not depends
on which layers and protocols you select to filter.

Note: Confirmation fields are necessary to ensure that filtering based on a particular field is
applied only to packets containing the protocol the field is intended to filter. For example, if you
add a GTP-U tunneled IPv4 source address field to a field set, you are given the option to confirm
that the outer transport protocol is UDP, the outer UDP destination port is 2152, and the inner IP
version is IPv4. If you do not verify these confirmation fields, you might erroneously match
packets that are not GTP-U packets, but happen to have an IPv4 address (or even some
matching bits only) at the same location.

For example, MPLS is a Layer 2 tunneling protocol which is identified by a specific Ethertype value in
the L2 header. When you add a custom field of the MPLS type—for example a tunneled IPv4 source
address field—the Ethertype field is provided as a free outer header field and can be used for
confirmation.

As another example, GTP is a Layer 3 tunneling protocol which is identified by a specific UDP
destination port. When you add a GTP field—for example a tunneled IP L4 port field—the outer IP
protocol and outer L4 destination port are provided as free outer headers to be used for confirmation.

Raw Custom Fields

If none of the GTP, MPLS, VxLAN, or MAC custom fields suit your needs, you can define Raw custom
fields by specifying your own offsets and field sizes within a packet. You must specify a byte offset
relative to the start of the packet, which can be :

1) the start of the packet,

2) the end of the outer Layer 2 header,

913-2398-01 Rev A – 154 –

Chapter 10 Custom Dynamic Filtering

3) the start of the inner Layer 3 header (when two L3 headers are present) or the start of the Layer 4
header (when only one Layer 3 header is present).

In addition to the offset in the packet, you have to specify a byte length (or size), whereby both the
offset and length must be multiples of 2. By selecting the end of the Layer 2 header, you can avoid
having to account for any VLANs or variations in Ethernet frame formats (for example, Ethernet II,
802.2, LLC/SNAP, and so on).

Important! When you define a custom field, be sure to account for any optional headers
beyond the relative starting position.

Important! When you use the "Raw" custom fields, be aware that by looking for a byte match
at a certain offset, you can unintentionally match on random data at that offset. To avoid this,
you need to verify some other field, such as the IP protocol or TCP destination port, to confirm
that the packet is of the correct type. When you use the built-in MPLS, GTP, and/or VxLAN
protocols, the system automatically provides these confirmation fields for you.

You must also specify a field name, which is limited to 32 characters and which must be unique across
all custom fields. The specified name appear in the Dynamic Filter window, enabling you to use the
Raw custom field as a filter criterion.

Workflow for Defining Custom Fields

To use custom fields, you need to perform the following operations, explained in detail in the following
sections:

1. Allocate memory for one or two field sets.

2. Add pre-defined GTP-C, GTP-U, MPLS, VxLAN, or MAC custom fields or Raw custom fields and
their associated confirmation fields to the field sets.
3. Use the specified fields in the field sets in one or more Dynamic Filters, specifying the values to
be matched on these fields.

Once you allocate memory for one or two field sets, you can start adding custom fields to the set.
Although there is no limit to the number of fields in a field set, there is a limit to the amount of memory
that can be used by the fields. Each field set allocates 16 bytes of memory for use by the contained
fields. When you add a field, you are prompted for additional information, and you are also presented
with options about which confirmation fields to add, the number of optional header words, and so on.

Note: When editing fields in field sets, an existing field may be removed as long as it is not
either (a) in use in a Dynamic Filter or (b) saved in a filter template. If you want to remove it and
one of these conditions exists, an error message appears, detailing the problem. In such cases,
first remove the field from all Dynamic Filters and filter templates, then remove the field from the
field set.

In many cases, the protocols provide for optional fields in the headers. For example, IPv4, IPv6, TCP,
and GTP headers all include optional fields which may or may not be present in a particular packet. In
tunneled packets, the IP and TCP headers can appear both outside and inside the tunnel. In order to
filter on Raw custom fields, the system must know the exact offset from either 1) the start of the
packet, 2) the end of the outer Layer 2 header, or 3) the start of the inner Layer 3 header (when two L3

– 155 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

headers are present) or the start of the Layer 4 header (when only one Layer 3 header is present).
Therefore, if a custom field is located deeper in the packet than one of the headers with optional fields,
you must specify the size of those optional fields.

For example, assuming you want to add the pre-defined Tunneled IPv4 L4 Source Port field in a GTP-U
packet, you must specify the number of 32-bit words in the optional fields in the GTP-U header, plus
the number of 32-bit words in the optional fields in the inner IPv4 header. If you need to filter on
packets with different numbers of optional fields, you must add the pre-defined field multiple times,
once for each different size of the optional fields.

As another example, to filter on fields inside MPLS tunnels, you must specify the number of MPLS
labels you expect in the packets, the service type (L2 VPN or L3 VPN), whether the pseudowire code
word is present, and the number of VLAN tags in the tunneled frame.

Note: A network protocol analyzer tool such as Wireshark can help you determine the
information you need for creating relevant custom filters. Using a tool such as Wireshark, you
can examine some sample traffic to determine the following type of information for each
category:
l MPLS — How many MPLS labels are present
l VLAN — How many VLAN tags are present in the inner L2 header
l GTP-U — How many words are in the optional fields in your GTP-U headers
l Raw (Custom) — The byte size, that is the number of words in an optional field, such as, for
example, the values of the IPv4 header options

913-2398-01 Rev A – 156 –

Chapter 10 Custom Dynamic Filtering

Allocating Memory for Field Sets

To allocate memory for custom offset field sets:

1. In the System Settings view, in the Filter Memory Allocation section, click the link to the
right of the Dynamic filter mix field– for example, click 11/89/1 Field Set (16 Bytes), as
shown in the following figure.

Note: Once you change the memory allocation for either Dynamic Filters or Custom offset
fields, the link text changes to describe the new configuration.
The Filter Memory Allocation dialog appears with the Dynamic Filters tab selected, as
shown in the following figure.

– 157 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

2. Select either 1 Field Set (16 Bytes) or 2 Field Sets (32 Bytes).
The list of dynamic filter criteria change based on your selection.
When the custom memory allocation changes, the values in the Mixture Chart may change
automatically, depending on the original selection.

913-2398-01 Rev A – 158 –

Chapter 10 Custom Dynamic Filtering

3. Click Configure Fields to configure the custom offset fields, as shown in the following image.

For specific instructions for configuring MPLS, GTP, VxLAN, or Raw custom fields, see:

l Configuring MPLS Custom Fields

l Configuring GTP Custom Fields
l Configuring VxLAN Custom Fields
l Configuring Raw Custom Fields

– 159 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

Configuring Custom Offset Fields

This section provides details on the configuration of each custom offset field type.

Considerations for GTP-U and MPLS Field Types

When adding GTP-U or MPLS fields, some field types represent a combination of other field types:

l Tunneled IPv4 Address represents Tunneled IPv4 Src Address and Tunneled IPv4 Dst Address
l Tunneled IPv4 L4 Port represents Tunneled IPv4 L4 Src Port and Tunneled IPv4 L4 Dst Port
l Tunneled IPv6 Subnet represents Tunneled IPv6 Src Address and Tunneled IPv6 Dst Address
l Tunneled IPv6 L4 Port represents Tunneled IPv6 L4 Src Port and Tunneled IPv6 L4 Dst Port

In most cases it is best to select a combination field type, since it allows more options when adding
criteria to a filter. For example, if an IPv6 Subnet field is added to field set 1, then a Dynamic Filter
would be able to use an IPv6 address criterion type of source, destination, source or destination, or
address pair. By contrast, if an IPv6 Src Address field had been added to field set 1, then the only
available filter criterion based on the IPv6 custom field would be the field type of source. In conclusion,
use the individual field types only when it is known precisely what type will be needed.

913-2398-01 Rev A – 160 –

Chapter 10 Custom Dynamic Filtering

Configuring MPLS Custom Offset Fields

There are many options available for MPLS field types. Each type selected determines additional
options.

Note: The procedure below is an example based on selecting MPLS and Tunneled IPv4 L4
Src Port.

To configure MPLS custom fields:

1. In the Configure Custom Offset Fields dialog, in the Field Set 1section, click Add and
select MPLS.
A list of available options appears.
2. Select for example Tunneled IPv4 L4 Src Port.
A dialog appears based on your selection, in this case, the Add MPLS - Tunneled IPv4 L4 Src
Port Field dialog.
3. In the Outer L2 section, you can select Confirm outer Ethertype and select an Ethertype - for
example, Either unicast or multicast.
4. In the MPLS section, enter Number of labels present? - for example, 1.
Note: You can use a tool such as Wireshark to examine some sample traffic in order to
determine how many MPLS labels are present.
5. In the MPLS section, select What is the service type from the list – for example, L2 VPN
with pseudowire control words.
6. In the MPLS section, select VLAN tags in L2 header – for example, 1.
Note: You can use a tool such as Wireshark to examine some sample traffic to determine
how many VLAN tags are present in the inner L2 header.
7. In the Inner L3 section, select the confirmations you prefer – for example, Confirm IP version
and Confirm IP protocol , which, if you select, also implies selecting the protocol - for
example, TCP.
Note: Each of the IP protocol confirmations use 2 bytes from the total 16 bytes available.
8. In the Inner L3 section, enter How many 32-bit words are present in the inner IPv4
options - for example, 1.
9. In the Inner L4 section, either accept the default field name or change it.
The specified field name then appears as a new button on the Filter Criteria tab of the Edit
Dynamic Filter dialog after you finish defining this custom filter field.
10. Click OK.
The selections you made appear in the Field Set 1 section of the Configure Custom Offset
Fields dialog.
11. Click OK.
A confirmation dialog appears informing you that changing the custom dynamic filtering settings
will momentarily disrupt traffic flow to all Dynamic Filters that include custom fields.
12. Click OK.

– 161 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

The system applies the changes, closes the Configure Custom Offset Fields dialog, and
returns you to the Dynamic Filters tab of the Filter Memory Allocation dialog.
13. Click OK.
The allocated field set(s) appear as part of the link to the right of the Dynamic filter mix field
in the Filter Memory Allocation section of the System Settings view - for example, 1 Field
Set (16 Bytes).
Note: If you create a custom MPLS field of the Label type, the MPLS Label field value in the
in a Dynamic Filter can be a decimal input between 0 and 1,048,575 (220 - 1).

For information on using MPLS custom fields as filter criteria, see Using Custom Fields in Dynamic
Filters.

913-2398-01 Rev A – 162 –

Chapter 10 Custom Dynamic Filtering

Configuring GTP Custom Offset Fields

There are many options available for GTP field types. Each type selected determines additional
options.

Note: The procedure below is an example based on selecting GTP-U and Tunneled IPv4 Src
Address.

To configure GTP custom fields:

1. In the Configure Custom Offset Fields dialog, in the Field Set 1 section, click Add and
select GTP-U.
A list of available options appears.
2. Select for example Tunneled IPv4 Src Address.
A dialog appears based on your selection, in this case, the Add GTP-U - Tunneled IPv4 Src
Address Field dialog. Outer L3 and Outer L4 confirmations are automatically selected because
they do not consume any additional bytes.
3. In the GTP-U section, enter a value in the How many 32-bit words are present in the
optional fields in the GTP-U headers field- for example, 2.
Note: You can use a tool such as Wireshark to examine some sample optional fields in
your GTP-U headers in order to determine how many words you need to include in the
custom field.
4. In the Inner L3 section, if desired, select Confirm IP version.
This confirmation uses 4 of the total 16 bytes available for this custom field set.
5. For the field name, either accept the default field name or change it.
Note: The specified field name (in this example, Tunneled IPv4 Src Address) appears as a
new button on the Filter Criteria tab of the Dynamic Filter dialog.

6. Click OK.
The selections you made appear in the Field Set 1 section of the Configure Custom Offset
Fields dialog.
7. Click OK.
A confirmation dialog appears informing you that changing the custom dynamic filtering settings
will momentarily disrupt traffic flow to all Dynamic Filters that include custom fields.
8. Click OK.
The system applies the changes, closes the Configure Custom Offset Fields dialog, and
returns you to the Dynamic Filters tab of the Filter Memory Allocation dialog.
9. Click OK.
The allocated field set(s) appear as part of the link to the right of the Dynamic filter mix field
in the Filter Memory Allocation section of the System Settings view - for example, 1 Field
Set (16 Bytes).
Note: If you create a custom GTP-U field of the TEID type, the GTP TEID field value in a
Dynamic Filter can be a decimal input between 0 and 4,294,967,295 (232 - 1).

– 163 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

For information on using GTP custom fields as filter criteria, see Using Custom Fields in Dynamic
Filters.

913-2398-01 Rev A – 164 –

Chapter 10 Custom Dynamic Filtering

Configuring VxLAN Custom Offset Fields

There are many options available for VxLAN field types. Each type selected determines additional
options.

Note: The procedure below is an example based on selecting VxLAN and Tunneled IPv4 L4
Src Port.

To configure VxLAN custom fields:

1. In the Configure Custom Offset Fields dialog, in the Field Set 1section, click Add and
select VxLAN.
A list of available options appears.
2. Select, for example, Tunneled IPv4 L4 Src Port.
A dialog appears based on your selection, in this case, the Add VxLAN - Tunneled IPv4 L4
Src Port Field dialog.
3. In the Outer L4 section, select the outer L4 Vxlan destination port value - for example,
Standard VxLAN 4789.
4. In the Inner L3 section, select the confirmations you prefer – for example, Confirm IP version
and Confirm IP protocol , which, if you select, also implies selecting the protocol - for
example, TCP.
Note: Each of the IP protocol confirmations use 2 bytes from the total 16 bytes available.
5. Click OK.
The selections you made appear in the Field Set 1 section of the Configure Custom Offset
Fields dialog.
6. Click OK.
A confirmation dialog appears informing you that changing the custom dynamic filtering settings
will momentarily disrupt traffic flow to all Dynamic Filters that include custom fields.
7. Click OK.
The system applies the changes, closes the Configure Custom Offset Fields dialog, and
returns you to the Dynamic Filters tab of the Filter Memory Allocation dialog.
8. Click OK.
The allocated field set(s) appear as part of the link to the right of the Dynamic filter mix field
in the Filter Memory Allocation section of the System Settings view - for example, 1 Field
Set (16 Bytes).

For information on using VxLAN custom fields as filter criteria, see Using Custom Fields in Dynamic
Filters.

– 165 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

Configuring Raw Custom Offset Fields

To configure raw custom fields:

1. In the Configure Custom Offset Fields dialog, click Add and select Custom.
The Add Custom - Custom Field dialog appears.
2. In the Offset field, enter the number of bytes to offset and select the point where to begin the
offset - for example, 20 bytes offset from the end of Layer 2 (remember, even multiples of 2 are
required). You can determine the offset to start at either of the following packet locations:
l start of the packet
l start of L4 or inner L3
l end of Layer 2
Note: The offset byte value needs to be a multiple of 2. From the end of Layer 2, the
offsets are 0, 2, 4, and so on. From the start of the packet, offsets are 0, 2, 6, 10, 14, and
so on.
3. In the Size field, enter the number of bytes you want to match on for this custom filter field - for
example, 4.
Note: You can use a tool such as Wireshark to determine the size of bytes, that is, the
number of words in an optional field, such as, for example, the values of IPv4 header
options.
4. Enter a field name, in this example, IPv4 Header Options. This name appears as a new button
for the raw custom field on the Filter Criteria tab of the Edit Dynamic Filter dialog.
5. Click OK.
The selections you made appear in the Field Set 1 section of the Configure Custom Offset
Fields dialog.
6. Click OK.
A confirmation dialog appears informing you that changing the custom dynamic filtering settings
will momentarily disrupt traffic flow to all Dynamic Filters that include custom fields.
7. Click OK.
The system applies the changes, closes the Configure Custom Offset Fields dialog, and
returns you to the Dynamic Filters tab of the Set Filter Memory Allocation dialog.
8. Click OK.
The allocated field set(s) appear as part of the link to the right of the Dynamic filter mix field
in the Filter Memory Allocation section of the System Settings view - for example, 1 Field
Set (16 Bytes).

For information on using raw custom fields as filter criteria, see Using Custom Fields in Dynamic
Filters.

913-2398-01 Rev A – 166 –

Chapter 10 Custom Dynamic Filtering

Quick Example: GTP-U Custom Filtering Field

The following is a quick example of creating and using a custom filtering field, showing screenshots of
the process from start to finish. This example is for filtering on the Tunneled IPv4 source address
inside a GTP-U packet.

1. In the System Settings view, in the Filter Memory Allocation section, to the right of the
Dynamic filter mix field, click the hyperlink.

The Filter Memory Allocation dialog appears with the Dynamic Filters tab selected.

– 167 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

2. Select either 1 Field Set (16 Bytes) or 2 Field Sets (32 Bytes).
Notice that the list of Dynamic filter criteria may change based on your selection.
3. Click Configure Fields to configure the custom offset fields.
The Configure Custom Offset Fields dialog appears.

913-2398-01 Rev A – 168 –

Chapter 10 Custom Dynamic Filtering

4. Click Add.
A list of available options appears.
5. Select GTP-U from the list, then Tunneled IPv4 Dst Address.
The Add GTP-U - Tunneled IPv4 Dst Address Field dialog appears.

– 169 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

6. In the field for How many 32-bit words are present in the optional fields in the GTP-U
headers, type 2 (assuming that’s how many optional words your incoming packets will have).
Note: You can use a tool like Wireshark to examine some sample optional fields in your
GTP-U traffic to determine how many words you want to include in this custom dynamic
filtering field.

Note: When you are done configuring this custom offset field set, the Field Name text
"Tunneled IPv4 Dst Address" is the text for the button to appear on the Filter Criteria tab
of the Dynamic Filters dialog next to the GTP-U field. In this Add Tunneled IPv4 Dst
Address Field dialog, you can change the button text that will appear on the Filter
Criteria tab.
7. Click OK.
The selections you made in this dialog appear in the Field Set 1 section of the Configure
Custom Offset Fields dialog.

8. Click OK.
9. The system applies the changes, closes the Configure Custom Offset Fields dialog, and
returns you to the Dynamic Filters tab of the Filter Memory Allocation dialog.
10. Click OK.
11. The field set(s) you allocated appear as part of the link to the right of the Dynamic filter mix
field in the Filter Memory Allocation section of the System Settings view - for example, 1
Field Set (16 Bytes).

913-2398-01 Rev A – 170 –

Chapter 10 Custom Dynamic Filtering

12. Click the Diagram view tab.

13. Right-click a Dynamic Filter icon if one already exists or create a new Dynamic Filter (see
Creating and Configuring Dynamic Filters for details on this), select Properties.
The Edit Dynamic Filter dialog appears.
14. Click the Filter Criteria tab.
15. Select Pass by Criteria and click the button to the right of the GTP-U field. Unless you
changed it, the button text is Tunneled IPv4 Dst Address Field
The New Tunneled IPv4 Dst Address Filter Criterion dialog appears.

16. Enter a valid source address or range of addresses and click OK.
The IPv4 filter criterion appears in the Selected Fields section of the Filter Criteria tab.
17. Click OK.
A Confirm dialog appears.
18. Click OK.
The Confirm dialog closes, the Edit Dynamic Filter dialog closes, the Diagram view appears
your custom filter begins filtering traffic, and a dynamic filter badge indicates the kind of custom
field used to filter – GTP-U AND TIP4SA.

– 171 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

Using Custom Fields in Dynamic Filters

After you have allocated memory for custom MPLS, GTP, VxLAN, or Raw fields, you can use them as
filter criteria in all Dynamic Filters created in the Diagram view.

To use custom fields in Dynamic Filters:

1. In the Diagram view, right-click a Dynamic Filter icon, select Properties, and click the Filter
Criteria tab.
2. Select Pass by Criteria.
3. Click a custom field's associated button.
An Edit Custom Filter Criterion dialog appears.
4. Enter a value to match on by the filter criterion.
Note: If you created a custom MPLS field of Label type, the MPLS Label field value can be a
decimal input between 0 and 1,048,575 (220 - 1).
If you created a custom GTP-U field of TEID type, the GTP TEID field value can be a decimal
input between 0 and 4,294,967,295 (232 - 1).
5. Click OK.
The filter criterion appears in the Selected Fields section of the Filter Criteria tab.
6. Select either Match All (AND) or Match Any (OR).
Continue selecting and filling in filtering criteria until you have added all desired filtering criteria
in this Dynamic Filter.
7. Click OK.
A Confirm dialog appears, informing you that the changes you have made will cause the
statistics to be reset.
8. Click OK.
The Confirm dialog closes, the Edit Dynamic Filter dialog closes, the Diagram view appears,
and your custom filter begins filtering traffic. A badge displays on the Dynamic Filter, identifying
it as a Custom filter and its type – for example, Raw, as shown in the following figure.

913-2398-01 Rev A – 172 –

Chapter 10 Custom Dynamic Filtering

Custom Dynamic Filters Compatibility Criteria

The system software prevents mutually exclusive criteria from occurring, but these restrictions do not
prevent you from constructing a filter that can never pass traffic. This section explains the mutually
exclusive limitations, as well as the limitations you must keep in mind when creating "Raw" custom
filters, so that they do not overlap. This section indicates the fields allowed when connecting Custom
Dynamic Filters to Network ports and Tool ports:

l Single Match All (AND) Dynamic Filter

l Single Match Any (OR) Dynamic Filter
l Multiple Dynamic Filters

Single Dynamic Match All (AND) Filter

The following table shows which criteria can be used in a Match All Dynamic Filter when it is the only
filter connected to a Network port. For each row, if the square is:

l Green (Y) - The criterion can be included in the same Match All Dynamic Filter without limitations.
l Yellow (Same Var Cfg) - The criterion can be included in the same Match All Dynamic Filter as
long as the same variable configuration is used. For GTP-U, this includes optional GTP headers
and other inner optional headers/padding. For MPLS, this means that the same number of labels,
service type, and inner optional headers/padding must be specified.
l Orange (No RAW Overlap) - The criterion can be included in the same Match All Dynamic Filter as
long as the RAW custom fields do not overlap (custom field range is from base+offset to
base+offset+length). For instance, RawEL2 offset 16 length 4 would overlap with RawEL2 offset
18 length 4.
l Blank - The criterion in the column cannot be added in the same Match All Dynamic Filter.

– 173 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

Note: IPv4 and IPv6 address fields may not be used in the same Match All filter because they
are mutually exclusive. Note that the other L3 fields—DSCP/Traffic Class and L4 Protocol—will
match on either IPv4 or IPv6 packets. When an IPv4 address field is used, then the IPv6 address
button will be dimmed, and vice versa.

Single Dynamic Match Any (OR) Filter

The following table shows which criteria can be used in a Match Any Dynamic Filter when it is the only
filter connected to a network port. For each row, if the square color is:

l Green (Y) - The criterion can be included in the same Match Any Dynamic Filter without
limitations.

913-2398-01 Rev A – 174 –

Chapter 10 Custom Dynamic Filtering

l Yellow (Same Var Cfg) - The criterion can be included in the same Match Any Dynamic Filter as
long as the same variable configuration is used. For GTP-U, this includes optional GTP headers
and other inner optional headers/padding. For MPLS, this means that the same number of labels,
service type, and inner optional headers/padding must be specified.
l Orange (No RAW Overlap) - The criterion can be included in the same Match Any Dynamic Filter
as long as the RAW custom fields don't overlap (custom field range is from base+offset to
base+offset+length). For example, RawEL2 offset 16 length 4 overlaps with RawEL2 offset 18
length 4.
l Blank - The criterion in the column cannot be added in the same Match Any Dynamic Filter.

Multiple Dynamic Filters

When more than one Dynamic Filter is connected to the same Network Port, intersections are
calculated, and certain restrictions must be placed on how Custom Fields interact with both "standard"
outer fields and Custom Fields.

For each criteria, the following table shows the which criteria can be used across all Match All Dynamic
Filters connected to a Network port. This is in addition to the restrictions placed on a single Dynamic
Filter connected to a Network port. These restrictions are verified both when a connected filter is
modified and when a filter is connected/disconnected from a Network port.

For each row, if the square color is:

– 175 – 913-2398-01 Rev A

Chapter 10 Custom Dynamic Filtering

l Green (Y) - The criterion can be included in the same Match All Dynamic Filter without limitations.
l Yellow (Same Var Cfg) - The criterion can be included in the same Match All Dynamic Filter as
long as the same variable configuration is used. For GTP-U, this includes optional GTP headers
and other inner optional headers/padding. For MPLS, this means that the same number of labels,
service type, and inner optional headers/padding must be specified.
l Orange (No RAW Overlap) - The criterion can be included in the same Match All Dynamic Filter as
long as the RAW custom fields do not overlap (custom field range is from base+offset to
base+offset+length). For example, RawEL2 offset 16 length 4 overlaps with RawEL2 offset 18
length 4.
l Blank - The criterion in the column cannot be added in the same Match All Dynamic Filter.

913-2398-01 Rev A – 176 –

Chapter 10 Custom Dynamic Filtering

Custom Filter Portion of Available Filter Memory

Custom Dynamic Filters use up some of the available filter memory for Dynamic Filters. The percentage
they use is reflected in the Dynamic Filters IP portion of the Available Filter Memory meters that appear
in the top-right portion of the web-based interface when clicking the green Filters bar.

Note: You might have to use custom fields in Dynamic Filters connected to several Network and
Tool ports before the display registers an available percentage less than 100%.

– 177 – 913-2398-01 Rev A

CHAPTER 11 Navigator View
The Navigator view is a hierarchical view of all objects configured on the system, in table format:

l Ports
l Port Groups
l Dynamic Filters
l Custom Icons
l Accounts (Users and Groups)
l Templates (Filters)

– 178 – 913-2398-01 Rev A

Chapter 11 Navigator View

913-2398-01 Rev A – 179 –

Chapter 11 Navigator View

Navigator View Information

The following details are available for each object:

l Object Name: Name of port, port group, dynamic filter, user group, etc.
l Type
l Configuration: Details related to whatever is configured on the object.
l Status: Enabled or not, with or without link, etc.
l Description: Any additional details entered in the Description field when object was defined.
l Modifications: Date and time when the latest modifications to the object were operated.

When you hover the mouse over each of these columns, more detailed information displays.

For example, for the following port group, this information is available in the Navigator view:

'PGT1, Port Group, Tool, Pass All, Enabled-Link Down, 2016-01-18 1:55PM GTBST'

For example, on hovering, for example, over the Configuration column, reading 'Tool, Pass All', the
following details become available:

Name: PGT1

Mode: Tool

Internal Id: 47

Duplex: N/A

Speed: N/A

Ignore Pause Frame:

Failover Mode:

Filter Mode: Pass All

– 180 – 913-2398-01 Rev A

Chapter 11 Navigator View

Modifying Object Properties in the Navigator View

You can edit object details by using the right-click menu. To access the right-click menu, do either of
the following:

l Click the corresponding "..." button

l Right-click the respective property

913-2398-01 Rev A – 181 –

– 182 – 913-2398-01 Rev A
Chapter 12 Displaying Object Information - Objects View

CHAPTER 12 Displaying Object Information -

Objects View
The Objects view provides detailed information for all categories of system objects—ports, filters, port
groups, users, users groups, and monitors—in table format.

From this view you can both view and edit an object's properties.

913-2398-01 Rev A – 183 –

Chapter 12 Displaying Object Information - Objects View

The following details are available for each port listed in the Ports view:

Modifying Port Details from the Ports View

Port details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding '...' button

l By right-clicking the respective detail

You can also modify the way the table presents the port data by selecting an option from the Detail
Mode.

– 184 – 913-2398-01 Rev A

Chapter 12 Displaying Object Information - Objects View

Note: This is available in the Ports View, Port Groups View and Dynamic Filters view.

Note: DetailMode is applicable only to the Filter Criteria of Objects and is available only in
the Objects View for Ports, Port Groups and Dynamic Filters.

To access Detail Mode, go to View -> Detail Mode:

l Compact mode displays the filter criteria in a compressed view.

Note: The selected mode is kept until you change to any of the remaining two modes.

Searching for a Port or Port Detail in the Ports View

To search for a particular port or port detail in the Ports view, enter the concerned port or port detail in
the search field at the top of the view.

As you type the text, the valid matches are highlighted in the view.

913-2398-01 Rev A – 185 –

Chapter 12 Displaying Object Information - Objects View

Port Groups View

l Port Group Name

Modifying Port Group Details from the Port Groups View

Port group details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding '...' button

l By right-clicking the respective detail

– 186 – 913-2398-01 Rev A

Chapter 12 Displaying Object Information - Objects View

Searching for a Port Group or Port Group Detail in the Port

Groups View
To search for a particular port group or port group detail in the Port Groups view enter the concerned
port group name or port group detail in the search field at the top of the view.

As you type the text, the valid matches are highlighted in the view.

913-2398-01 Rev A – 187 –

Chapter 12 Displaying Object Information - Objects View

Dynamic Filters View

The following details are available for each dynamic filter listed in the Dynamic Filters view:

Modifying Dynamic Filter Details from the Dynamic Filters View

Dynamic filter details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding '...' button

l By right-clicking the respective detail

Searching for a Dynamic Filter or Dynamic Filter Detail in the

Dynamic Filters View
To search for a particular dynamic filter or detail in the Dynamic Filters view:

l In the search field at the top of the view, enter the concerned dynamic filter or detail.
As you type the text, the valid matches are highlighted in the view.

– 188 – 913-2398-01 Rev A

Chapter 12 Displaying Object Information - Objects View

The following details are available for each user listed in the Users view:

l User Login Id—the ID assigned to a user

For more information please see Add Users and Managing Users.

Modifying Users Details from the Users View

User details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding "..." button

l By right-clicking the respective detail

The right-click menu and "..." button options are:

l Add to Group
l Remove from Group
l Delete
l Properties

913-2398-01 Rev A – 189 –

Chapter 12 Displaying Object Information - Objects View

Searching for a User or User Detail in the Users View

To search for a particular user or user detail in the Users view:

l In the search field at the top of the view, enter the concerned user or user detail.
As you type the text, the valid matches are highlighted in the view.

– 190 – 913-2398-01 Rev A

Chapter 12 Displaying Object Information - Objects View

User Groups View

The following details are available for each user group listed in the User Groups view:

l Group Name—the name given to the group by its creator

For more information please see Add User Groups and Managing Users.

Modifying User Groups Details from the User Groups View

User group details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding "..." button

l By right-clicking the respective detail

The right-click menu and "..." button options are:

l Add User(s)
l Remove User(s)
l Delete
l Properties

Searching for a User Group or User Group Detail in the User

Groups View
To search for a particular user group or user group detail in the User Groups view:

l In the search field at the top of the view, enter the concerned user group or detail.
As you type the text, the valid matches are highlighted in the view.

913-2398-01 Rev A – 191 –

Chapter 12 Displaying Object Information - Objects View

l Monitor Name
l Description
l Trigger Statistics
l Trigger Condition
l Trigger Ports
l SNMP Trap Action
l Syslog Action
l Created By
l Created Time
l Modified By
l Modified Date

Modifying Monitor Details from the Monitors View

Monitors details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding '...' button

l By right-clicking the respective detail

Searching for a Monitor or Monitor Detail in the Monitors View

To search for a particular monitor or monitor detail in the Monitors view:

l In the search field at the top of the view, enter the concerned monitor name or detail.
As you type the text, the valid matches are highlighted in the view.

– 192 – 913-2398-01 Rev A

CHAPTER 13 Use IFC Cluster to Manage
Multiple Systems
Ixia Fabric Controller (IFC) Cluster represents the solution of interconnecting two or more directly
linked Vision Edge chassis, from one or multiple geographic locations, allowing traffic to be configured
so as to flow from the Network ports of one NPB chassis to the Tool ports of another NPB chassis.

By being able to redirect the data traffic from the ingress NPBs to the location where it is analyzed, this
approach allows you to concentrate the traffic monitoring tools into fewer locations.

You can also create an IFC Cluster that includes other Vision Network Packet Brokers (NPBs). So you
can connect, manage, and configure Vision E40s and E100s with Vision ONEs and Vision 7300s - all
through the Web Console interface of one of these systems.

An IFC Cluster is a group of Vision Network Packet Brokers connected with data links grouped in IFC
Cluster Interconnect Port Groups. All member systems are coequal for configuring the IFC Cluster and
having traffic flow among the members.

IFC Cluster is configured using the Clustering view. When connecting multiple Vision E40s/E100s in an
IFC Cluster, you can configure the data paths from the Diagram view which shows the ports, port
groups, and dynamic filters from all member systems.

You can also change port speeds through the IFC Cluster on any member system, with the following
exceptions:

l Vision ONE QSFP+ port speeds can only be changed from within each member system by
selecting Actions > Change QSFP Mode.
l Vision 7300 QSFP+ port speeds can only be changed from within each member system from the
Chassis view by right-clicking the QSFP+ line card and selecting Change QSFP Card Mode.
The following line cards and ports support this QSFP+ port speed change:
n The 16-port 40G QSFP+ line card (all data ports) - with breakout cables, supports up to 64
1G/10G ports
n The 4-port QSFP+Carrier line card (the four fixed QSFP+ ports in the center of the card) -
with breakout cables, supports up to 16 1G/10G ports

IFC Cluster Member Limit

IFC Clusters currently support up to 25 NPB members, including up to 9 Controller nodes.

This scalability is made possible by the introduction of cluster member roles. See IFC Cluster Member
Roles.

– 193 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Security Fabric
The security delivery platform formed by the Ixia Fabric Controller Cluster enables all member systems
to communicate securely with each other.

913-2398-01 Rev A – 194 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Clustering View
The Clustering view defines how to connect multiple Vision Network Packet Brokers with each other to
form an IFC Cluster. It also defines which physical ports are used by the connection between member
systems. You can also view stats on the interconnect port groups.

Although the IFC Cluster database is stored on the Controller nodes, the Clustering view on each IFC
member presents the same information and functionality. IFC Interconnect Port Groups and IFC
connections can be configured from the Clustering view of each member. The same applies for IFC
management, for example disbanding an IFC Cluster.

In the example IFC Cluster below, 12 systems are connected.

Systems with a blue outline are Controller nodes.

Systems with a gray outline are Fabric nodes.

No traffic is flowing, so the connecting lines show 0G for statistics.

As you can note from the image above, each system that is part of an IFC Cluster is identified by a
unique system identifier – for example, S1, S2, S3, and so on. This identifier is also used to prefix port
numbers in the Diagram view of IFC Cluster members in order to denote port membership. The
identifier is used in other places for the same reason – for example, when you right-click in the
Cluster view and select Manage Interconnect Port Groups to bring up that window, shown below:

The system identifier is used to identify each system for the Port Groups (PG) on the left and the ports
on the right.

– 195 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

The Clustering page is refreshed automatically at an interval (configurable from the Settings > User
Options page) that can be set individually by every user who logs in to the system.

913-2398-01 Rev A – 196 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Create an IFC Cluster

l Fabric (the default node role)

l Controller

See IFC Cluster Member Roles.

Note: Only users having an admin role are able to create an IFC Cluster.

To create an IFC Cluster:

1. Log in to one of the systems and select the Clustering tab.

The initial view of a system that is not yet part of a cluster has only the options of creating a new
cluster or joining an existing cluster.

2. In the Clustering view click Create Cluster.

The following window is displayed.

– 197 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Note: You can choose to provide a System ID for your cluster in the S7 or 7 formats. If you
do not specify a System ID, the cluster automatically receives the System ID S1.

3. For this very first IFC Cluster member, the system creates it as a Controller node.
Note: Best practice is to create two other IFC Cluster members as Controller nodes so that
you have three (3) Controllers for redundancy. If one or two go down for any reason and
become unreachable to the manage the IFC Cluster database, the third Controller remains
reachable to manage the database.
4. Log in to another system, click Join Cluster, and after you create three (3) Controller nodes
total for this cluster, allow additional cluster members to retain the default Fabric role.
Note: If you join a cluster with no specific System ID the cluster automatically receives the
first available System ID from the IFC cluster. For example, if you have an IFC cluster
consisting of three members: S1, S3 and S4, the System ID to join the cluster is S2. The
interval allowed for the System ID starts from 1 until 1000.

5. Input the IP address of one of the Controller nodes. The members in a cluster do not need to be in
the same network, but all members must be able to access each other through the management
network.
On joining the cluster, the current member is shown as a new member without any connection.

913-2398-01 Rev A – 198 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Important! If a firewall is located between the IFC Cluster members, it should allow
communication of the Vision Network Packet Broker management IP addresses on TCP
ports 4369, 8099, and 9001. Also, for being able to access the statistics of a remote
member, the firewall should allow a connection from the local member to the WebAPI port
configured on the remote system
6. Before you can connect systems, create the Interconnect Port Groups on each member by right-
clicking an empty canvas in the Clustering view and selecting Manage Interconnect Port
Groups. See Create an IFC Cluster Interconnect Port Group.
7. To connect systems, right-click a system, select Connect to, and select another system where
you want to connect it.
The Connect window appears:

8. Select an Interconnect Port Group on each system.

9. Click OK.
The cluster is created, and all ports of the member systems become globally visible and available
in the Diagram views of all IFC Cluster members.
Important! The join operation can take several minutes. Until the system member is
integrated and becomes ready, all user operations involving it will fail.

Important! When an IFC Cluster is formed, the configuration is cleared on all systems
within the cluster.

Note: When creating the cluster, Syslog messages related to the successful creation or deletion
of an IFC Cluster member are sent by the joining member to the configured Syslog server.

View Interconnect Port Group Link Information

In the Clustering view, on the link connecting members, link information displays — such as
aggregated bandwidth and possible error conditions, for example, packet drops or link down
conditions. Hover over the connecting line to see more details.

– 199 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

913-2398-01 Rev A – 200 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Create an IFC Cluster Interconnect Port Group

In order to configure a connection between two systems, you need to create an IFC Cluster
Interconnect Port Group on each member system. An IFC Cluster Interconnect Port Group is a
bidirectional Port Group that contains ports that are physically linked to ports from another system.

Note: Only an administrator is able to create, edit, or remove Interconnect Port Groups.

To create an IFC Cluster Interconnect Port Group:

1. In the Clustering view, right-click and select Manage Interconnect Port Groups.
The Manage Interconnect Port Groups window appears.

2. In the window click New. The Edit Interconnect Port Group window is displayed.

– 201 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

3. Optionally enter a Name, Description, and Keywords.

4. Select the Ports tab.
5. Select Add Port.
The Select Ports windows appears.
6. Select OK in the Select Ports window.
7. Select OK in the Bidirectional Interconnect Port Group window.
8. Select one or more ports.
Note: IFC Cluster Interconnect Port Groups support SFP+ 10G, QSFP 40G and QSFP28 10G ports
on the E100 unit and only SFP+ 10G and QSFP 40G ports on the E40 unit.

913-2398-01 Rev A – 202 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

System States and Possible State Transitions

A system can be in any of the following states with regard to an IFC Cluster:

Ready
The ready state means that the system is up and synchronized with the cluster members.

l All ports and Port Groups that belong to the system can be configured. Connections can be
configured only if the system on the other side of the connection is also in the Ready state. Filters
can be configured if all member systems are in the Ready state.
l A system can initiate object configuration changes and will receive any changes initiated by other
systems.
l All nodes can be removed from the cluster.
l A cluster disband operation can be initiated from this system. An operation initiated on another
cluster system is received and processed accordingly.

When the system is in this state, the following limitations exist:

l The system cannot be forcefully removed from the cluster.

When in this state, the system can transition to any of the following states:

l Unreachable:
n On power failure, all the systems that are still up in the cluster will see the ones that are
down as unreachable.
n On management failure, systems that cannot be connected to will be seen as unreachable.
This means that while a system might be seen as unreachable from a device, it can be seen
as ready from another one whose connection is not affected by the failure.
n If a clear system operation is performed on a system that is ready, it will become
Unreachable to the other devices. The local system will not be part of the cluster anymore
from its own point of view.
n To forcefully remove a system from a cluster you can either perform a Clear System locally
or make it Unreachable to the other systems, then forcefully remove it from the nodes that
are still up.
l Synchronizing:
n When a cluster member that was previously not reachable becomes again reachable, an
attempt is made to synchronize the local node with the cluster configuration, in order to
catch any changes that might have occurred when that device was not reachable.
l Shutting down:
n The node was requested by the user to shut down. This will be visible only for the duration of
the shutdown process, which usually is short.

Joining
In this state, the system is joining the cluster and is transferring cluster data. This is visible only from
systems that are already members of the cluster.

The following limitations exist in this state:

– 203 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

l No other information is known about the system other than its IP address.
l The system cannot perform a leave operation, and a disband operation will not clear the joining
system.
l The joining system does not receive any configuration updates.

When in this state, the system can transition to any of the following states:

l The device can transition into the Unreachable state if the joining system cannot be reached.
After restart, the device is likely to be found in the Error state.

Unreachable
An Unreachable system can be forcefully removed from the cluster by another system. This is the only
state that allows the node to be forcefully removed.

The following limitations exist in this state:

l While a node is unreachable, it cannot perform any cluster object configuration changes. All of its
ports and port groups cannot be configured. Connections that use it on any side cannot be
configured. Filters that have the device on the network side cannot be configured.
l An unreachable node will not allow any other node to leave the cluster.
l An unreachable node will not receive any disband operations initiated on other devices. If it ever
recovers from this state and gets up, it will not see the disband operation. Instead, it will see the
disbanded nodes as unreachable. Those systems will never recover from that state and should be
removed (disband or force-remove).
l Having an unreachable node might not allow new nodes to join the cluster. As a consequence it is
recommended to have all cluster nodes ready when adding new nodes.

When in this state, the system can transition to any of the following states:

l Synchronizing:
n A system that was powered down is back up. It will sync with the cluster data.
l Error:
n A system that was attempting to become a cluster node has failed in its attempt to be an
active part of the cluster. This can be either from invalid configurations or other issues. The
only way to recover the system is to perform a clear system operation.

Importing
The device starts importing a file generated by an Export Global Configuration command. During the
import operation, hardware matching between the imported file and the current cluster is performed.

While an import is performed, all the systems change their states to Importing.

When the operation ends, they become Ready.

All members in the current cluster are cleared, regardless if they are referred to in the imported file or
not.

When the system is in this state, the following limitations exist:

l All other changes of cluster objects are delayed until members become again Ready.

913-2398-01 Rev A – 204 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

When in this state, the system can transition to any of the following states:

l Synchronizing:
n Import information is synchronized on all cluster members;
l Ready:
n Import operation has failed unexpectedly and user is allowed to try re-importing or perform
other operations (for example clearing partially imported information).

Synchronizing
The device attempts to sync itself with the cluster data.

l All changes performed during this step will be available on this device at latest when the
synchronization has finished.
l If a disband is initiated on the local device or on a remote node, it will be performed on the node
that is synchronizing.

When the system is in this state, the following limitations exist:

l The objects that are related to this system cannot be configured (similar to the Unreachable
state).
l A system that is synchronizing cannot be forcefully removed from the cluster, or it can leave the
cluster via a leave operation.

When in this state, the system can transition to any of the following states:

l Ready:
n The synchronization has finished and the system is available for configuration operations.
l Unreachable:
n A power failure will set the system as Unreachable on other nodes.
n A management failure will set the device as Unreachable on nodes that cannot communicate
with it.
n Performing a clear system operation on a system that is in the synchronizing state will
remove it from the cluster. All other devices will see it as Unreachable and they will have to
forcefully remove the member to completely eliminate it. Once it enters the Unreachable
state, the system cannot be recovered, so a forceful removal is recommended.
l Shutting down:
n A shutdown has been requested by the user. All the synchronized data will be lost due to the
shutdown.

Leaving
The system is leaving the cluster based on a user request.

l The configuration will be updated properly to handle the missing ports and port groups of the
device. New configurations will not be propagated to other devices. While leaving, the device
cannot perform any new configurations. This is not considered as a limitation because the leaving
device has no use to still be usable and part of the cluster.

– 205 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

l A disband operations performed on the leaving device or on another device might reach the
leaving device or not, depending on how advanced the leave process is. The user performing the
device will be notified if the leaving device could not be reached.

When the system is in this state, the following limitations exist:

l A leave operation can be initiated only for a ready system, while all other systems are ready.

When in this state, the system can transition to any of the following states:

l Unreachable:
n The device can be seen as Unreachable by other nodes in case of a power or management
failure. A forceful removal can be used to remove it from the cluster.
n If a clear system operation is performed on a leaving system, it will be seen by other
systems as Unreachable.

Shutting down
The system is in the process of shutting down and you cannot perform any configurations on it.

When the system is in this state, the following limitations exist:

l A system that is shutting down can be removed forcefully only after it transitions to the
Unreachable state.

When in this state, the system can transition to any of the following states:

l Unreachable:
n The shut down operation has been completed. This state can be seen on nodes that are
ready and part of the cluster.

Error
A system that is in an error state and cannot be used anymore. Since a recovery is not possible, the
system should be removed from the cluster.

When the system is in an error state, a clear system operation can be performed. This will make it
transition to the Unreachable state from the point of view of other systems, and a forced removal can
be initiated from them.

When the system is in this state, the following limitations exist:

l The system is not usable in any way in the cluster. Related objects cannot be configured. It
cannot be forcefully removed and might not respond to disband requests. Leave cannot be
performed and join operations might fail due to this system.

When in this state, the system can transition to any of the following states:

l Unreachable:
n In case of a power failure or a management failure, other systems can see this node as
Unreachable.
n In case of a clear system operation, this system will be seen as Unreachable on other ready
devices.

913-2398-01 Rev A – 206 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

n Transition to this state is recommended (with a clear system operation) so it can be

removed forcefully from the cluster by other ready devices.
l Shutting down:
n If a shutdown is requested, the system will transition to this state. This transition will always
be seen from the system itself. Depending on the error, it can be seen from other nodes or
not.

Version Mismatch
The system’s version is not the same as that used by other cluster members, and thus it cannot
properly join the cluster.

When the system is in this state, the following limitations exist:

l Leave can be performed, but forceful removal is not possible. Disband operations are likely to fail
and have that device placed in an Error state.
l The system does not receive any configuration updates.
l To leave this state you need to remove the system from the cluster using a clear system or
removal operation.

When in this state, the system can transition to any of the following states:

l The system can transition into the Unreachable state if the system cannot be reached. After
restart, the device will go back to the Version Mismatch state.

Invalid license
Licensing has expired for all ports of that chassis and any operation that is prohibited on expired ports
will not be available (for example traffic will not be allowed to pass). Any other cluster-related
operations are allowed (for example all global configuration export operations).

When the system is in this state, the following limitations exist:

l The usage of ports is not possible.

– 207 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Remove Member from Cluster

You can remove any cluster member (such as, for example, an unreachable or a failed member) from
any system that is currently logged in.

To remove a cluster member:

1. Right-click a member.
2. Click Remove from Cluster.
A warning message is displayed in case the cluster member being removed has ports that are
configured for traffic flow. If you do not cancel the action, all the member's ports and port groups
are removed from the cluster.
Note: You can also delete a connection by right-clicking a link and choosing Delete from the
context menu that is displayed. When a connection between two systems is removed, a
confirmation message is displayed, warning you if there is traffic currently configured over this
connection.

913-2398-01 Rev A – 208 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Disband Cluster
A cluster disband operation disbands the local node and all the other member nodes that can be
reached. Disbanding also performs a machine restart and each member is set to its default state (all
ports are Network ports, no ports are enabled, no filters and no port groups exist).

Note: Only an administrator is able to disband a cluster.

To disband, right-click an empty area of the Cluster view and choose Disband Cluster . A notification
window is displayed, informing you about the members that could not be reached.

– 209 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Diagram View
For a cluster, the Diagram view shows the ports, Port Groups, and Dynamic Filters of all systems that
are part of the cluster. From each cluster member you can access each member's ports, Port Groups,
and Dynamic Filters visible in the Diagram view to configure data paths in the cluster.

Note: The Diagram view representation of cluster Network/Tool port(s) and Port Group(s) is the
same as that of standalone systems, except that the port names are prefixed with the member's
ID, such as, for example, S2-Pxxx.

Configuring ports and connecting them to Dynamic Filters works the same as for non-cluster ports.

Note: Since a Dynamic Filter is created on the member system(s) that receive the ingress traffic
via its (their) Network ports, multiple sets of statistics (one for each upstream member) may be
available for each filter. For details, see View Statistics for IFC Cluster Objects on the facing
page.

The common Diagram view search features—based on keywords and strings — work the same of for
non-cluster systems.

913-2398-01 Rev A – 210 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

View Statistics for IFC Cluster Objects

Note: Network and Tool port statistics can be viewed in the same way as those for non-
cluster configurations, by right-clicking a Network or a Tool port and selecting View Statistics
from the context menu that appears.

Given that a Dynamic Filter is created on the member system(s) that receive the ingress traffic via its
(their) Network ports, if any Dynamic Filter connected in the Diagram view to Network ports pertaining
to multiple members, you can view each upstream member's statistics.

To view Dynamic Filter statistics:

1. Right-click a filter and select View Statistics.

2. From the cascading menu select the desired member.
or
In case you want to display statistic windows for each upstream member, click All . This opens a
number of windows equal to the number of upstream members.

– 211 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Cluster Import, Export, and Clear Configuration Actions

The following import and export-related commands are available for IFC Clusters:

Import Global Config

When you import a IFC Cluster configuration while the current system is already part of an existing
cluster, the import operation overwrites the existing cluster. The following actions are taken:

l Imports members. The members that were part of the previous cluster and are also part of the
new one keep their previous state.
Note: They keep their current cluster roles, not the roles from the import.
If the import contains members that are not found locally, those members and their configurations
are ignored.
If some members of the previous cluster are not present in the new one, these members will
remain in the cluster but will lose their previous connections.
l Imports Interconnect Port Groups for each member. The import behavior is the same as for the
import of Port Groups for standalone systems.
l Imports system connections.
l Imports ports, port groups, filters, and the connections between them.

If ports are no longer found on the new members, they will be removed from the configuration and a
warning message will be displayed, similar to the case of a local import configuration.

At the end of the import operation, if some filters are no longer connected to any ports, these filters are
removed from the cluster configuration. A warning message is displayed before they are removed.

Export Global Config

When you export a configuration, the following information is exported to the configuration file:

l Cluster members
l Cluster Interconnect Port Group for each member
l Cluster connections between the members
l Cluster configuration consisting of ports and filters
Note: The export operation affects all configuration related-data, while any information that is
not related to the configuration, for example stats, are not exported.

Clear Global Config

When you clear the IFC Cluster configuration the following actions are taken:

l The entire cluster configuration is deleted, with the cluster filters being deleted permanently and
the cluster ports becoming local ports.
l All connections are removed.
l All cluster filters are removed.
l All cluster port groups are removed, including the Interconnect Port Groups.

913-2398-01 Rev A – 212 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

l All ports are reset to their initial state (set to Network mode and disabled).
l Any other object which is not shared via the cluster functionality—users, user groups, monitors,
filter templates, filter template collections, custom field sets—are not affected by the clearing of
the global configuration.
Note: Clearing the global configuration does not remove the members, only the connections
between them. It also does not change the cluster roles in any way. So to enable sending traffic
between members, you must restore the connections.

Clear Global Filters and Ports

When you clear the global filters and ports the following actions are taken:

l All filters are removed.

l All port groups are removed, excluding the IFC Cluster Interconnect Port Groups.
l All ports, excluding the ports belonging to the IFC Cluster Interconnect Port Groups, are reset to
their initial state (set to Network mode and disabled.
Note: Clearing filter and ports does not remove the IFC Cluster members and the connections
between them. It also does not change the cluster roles in any way.

– 213 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

IFC Cluster Limitations

The following limitations with regard to IFC Clusters exist in the current version of the application:

l For IFC Cluster NPB members, WebAPI auth token expiration should be set to a value of 30
minutes.
l SNMP support is not available for a cluster cluster as a whole, SNMP requests are generated
instead by each system that owns the physical ports.
l The E40 and E100 do not have Resources - PacketStack and AppStack.

913-2398-01 Rev A – 214 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Clustering License
A Clustering license can be used to operate the system as the following:

l As a member of an IFC Cluster, whereby the system connects to peer systems forming a cluster.
When a Clustering license is installed, the Clustering tab becomes visible, enabling you to create
a cluster or to join an existing cluster.

When no Clustering license is installed, you can use the system only as a standalone (Independent)
system.

An overview of the actions associated with system transitions from one configured role to another is
given in the following table.

Previous role New role Action

Independent IFC Cluster The system verifies that it has a valid
Clustering license and changes its role.
No system restart is required for this
transition.
IFC Cluster Independent This transition happens if you force a
system to leave the cluster. No system
restart is required for this transition.

When a Clustering license expires, depending on the role of the system, different actions are
performed:

l If the system is not part of a cluster (has an Independent role), the system will no longer be able
to create or join a cluster.
l If the system is part of a cluster (has an IFC Cluster role), its ports are set as Expired and they
will not be able to forward traffic. To preserve the traffic configuration for later use with an
installed valid license you can export the global configuration.
If you restart the system, it remains as part of the cluster, with INVALID_LICENSE status on its
ports, which remain expired. If you want, you can manually remove this system from the cluster
by selecting the Leave Cluster command.
When you install a valid license, its ports once again forward traffic.

– 215 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Authentication and Authorization in an IFC Cluster

In an IFC Cluster, there is no need to synchronize all users and all user groups on each system in the
cluster prior to setting the proper authorization rights for them. All users can log on to a single system
and, from there, use all traffic related objects (for example, ports, etc.) owned by any systems in the
cluster, not just those objects owned by a local system.

For controlling which users can modify properties and connect to/from ports and filters, a user with
admin privileges should log on to that system and create proper access policies for all available traffic-
related objects. On this system, all needed users and user groups should exist prior to using them in
access policies set on ports, port groups, and filters.

On all other systems, when the first local port is set with an access policy that requires group
membership for a user group that does not yet exist on that system, the user group is created on that
system, but without its users. Any time a user logs on to that system, they can use any object that has
proper access rights, independent of which system actually owns the object.

If the user logs on from another system, they still have the same access rights, as long as the system
identifies the user as part of the proper user groups. The following sections describe the required
configuration.

913-2398-01 Rev A – 216 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Users and User Groups in an IFC Cluster

In an IFC Cluster, the entire traffic configuration can be set and maintained by logging on to a single
system. There is no need to log on from multiple systems. But in case users want to log on from a
different system, a prior configuration step should be performed, depending on whether authentication
is set to Local or TACACS+/RADIUS.

l Local - manually add users and user groups to each system in the IFC Cluster.
l TACACS+/RADIUS - configure all member systems of the IFC Cluster to use the same
authentication method, TACACS+ or RADIUS, configure them all to use the same TACACS+ or
RADIUS server(s), but add user groups only to one member system of the IFC Cluster.

In an IFC Cluster, all user groups that are used in access policies for objects such as ports owned by
that system are also updated on that system. In case they are missing (for example, they have not
been used on that system yet), these user groups are created on the system that owns those objects.

– 217 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

TACACS+ and RADIUS Users and User Groups

To log on from a different system in a cluster, the same RADIUS/TACACS+ server configuration should
already be in place on that system. After a successful login of user on that system, the user groups
previously created on the IFC Cluster are updated by populating their list of users with the current user.
In case the user groups of a user were not used for objects from that system, user groups are created
like they are in standalone mode.

Example
To understand this better, let us consider an example. In an IFC Cluster with 5 systems (S1, S2, S3,
S4, and S5), all systems have set RADIUS as the authentication mode and are configured with the
same RADIUS server. On the RADIUS server, users Alice and Bob are part of the same user group -
Security. In the IFC Cluster, user group Security is used in access policies for ports from systems S1
and S2. Both users, Alice and Bob, usually log on from system S1. On the S1 system, the Security user
group has both users in its list of users. Prior to the first login of Alice or Bob on system S2, the user
group Security was created when the first port from S2 had access policies configured that used
Security. When Alice logs on to system S2, user Alice is added to the user group Security that already
exists on S2. When Bob logs on system S2, user Bob is added to the user group Security, which now
has both Alice and Bob in its list of users.

913-2398-01 Rev A – 218 –

Chapter 13 Use IFC Cluster to Manage Multiple Systems

Local Users and User Groups in an IFC Cluster

If the authentication mode is set to Local , users and user groups can be manually added on each
system in the IFC Cluster that might need to support users logging on from different systems. For
authorization purposes, only user groups should be identical, meaning that on a different system,
different users could have the same authorization rights if they are part of the same user group.

Example
Let us consider an example. User Alice from system S1 is a member of user group Security. On system
S2, user Bob is a member of the same user group - Security. Even though user Alice logs on to system
S1 and user Bob logs on to system S2, both users have same authorization rights to all objects in the
IFC Cluster.

Upgrading Systems in an IFC Cluster

You can upgrade the systems while they are part of an IFC Cluster. When you initiate an upgrade on
one or more member systems, it affects the availability of all devices, including both traffic flow and
management configuration. Only after the upgrade is complete on all devices will the cluster be back
to its usual functionality.

To initiate an upgrade:

1. All the devices must be in either READY or VERSION_MISMATCH state.

This can be done from any of the devices in the cluster, by uploading the new image as for a
standard standalone upgrade. This will move all READY members in the cluster in an UPGRADING
state.
2. The upgrade process on the first device needs to be completed before you can do any operations
on the other ones.
You must wait until the first device is marked as READY when viewed from its own GUI
connection. This includes the restart and post-restart initialization. Devices that have been
upgraded will not be seen as READY from the other devices, that are still marked as UPGRADING.
3. After the first device has finished its upgrade operation and is ready, you can upgrade on all other
devices in the cluster, which can be upgraded in parallel to save time.
The restriction about sequential upgrade only applies to the first device, which needs to be the
only one upgrading and which needs to be done before others can start their own upgrade
process. There are validations preventing other devices to start their upgrade while the first one
is not yet done. After all devices are upgraded (including restarts and post-restart initializations),
they will all be marked as ready, with the configuration cluster intact. This will mark the end of
the upgrade for the IFC Cluster.

Limitations
The following are limitations for upgrading systems while in an IFC Cluster:

l Restarting a member that is marked as UPGRADING when upgrading from a release previous to
4.7.2 will make this member enter into an ERROR state. The only way to fix this is to perform a
Clear System on the ERROR device, and then a force-remove from the members that have been
already upgraded. This issue is fixed once the member is upgraded to 4.7.2 or later.

– 219 – 913-2398-01 Rev A

Chapter 13 Use IFC Cluster to Manage Multiple Systems

l A Revert operation will not work. After performing a revert operation, the reverted device will not
enter back into the IFC Cluster and will lose all its configuration. The only way to revert an IFC
Cluster is by doing it in standalone mode (by disbanding the cluster first, then reverting each
device in standalone).
l While the devices are marked as UPGRADING, it's possible that their configuration can become
unchangeable. The only way to recover a device in this state is by performing a Clear System.
l Traffic might still flow for a while between two devices in the cluster as long as there are no
changes between them (neither has started its own upgrade process), but cannot be guaranteed
to flow again until both of the devices are READY after the upgrade.
l Upgrading with an upgrade file that has a version lower than the current one will also not work.
This must also be done in standalone mode as with the revert process.

913-2398-01 Rev A – 220 –

CHAPTER 14 Link Layer Discovery Protocol
Overview
This chapter provides information for the LLDP feature and other general settings explanations.

Important! Currently LLDP is supported only for the E40 and 5812 platforms.

Note: There are common LLDP settings that apply to all ports, they are enabled for snooping
and/or generating LLDP packets from that device.

Note: Starting or stopping LLDP receive and/or transmit is possible only by specifically enabling
them on individual ports.

Note: The NTO can be configured to keep registered neighbors after the records become expired
and even after the port is no longer enabled or used for LLDP Receive.

Configuring LLDP 222

Enable LLDP Receive and Transmit 224

Limitations 226

– 221 – 913-2398-01 Rev A

Chapter 14 Link Layer Discovery Protocol Overview

Configuring LLDP
You can configure LLDP further in System -> Settings -> LLDP Settings and clicking the Port ID
blue link.

You can configure LLDP Receive with the following option:

l The enable or disable option to keep expired neighbor records. If enabled, you can specify a time
period for keeping the expired records with values between 1 second and 30 days. The default
period is 1 day.

You can also configure LLDP Transmit with the following options:

l Change the retransmit interval with values betwee 1 second and 120 seconds, the default being a
5 second retransmit interval.
Note: After the timeout expires, the LLDP information is resent.

l The definition of TLVs that compose the sent LLDPDU packet are:

n Chassis ID: the MAC address of the management port is used. Because Chassis ID is a
mandatory TLV, you do not have the choice of disabling this option.
n Port ID: the default name of the port is used. Because Port ID is a mandatory TLV, you do
not have the choice of disabling this option.
n Time To Live: is a numeric edit field with an interval between 1 and 120 seconds where the
default value is set to 120 seconds. Because Time to Live is a mandatory TLV, you do not
have the choice of disabling this option.
n Port Description: a checkbox that is disabled by default. When enabled the TLV Port
description is sent with the description of the port if set, or its default name if no description
for that port was set. If the port is in simplex mode, the description from the tool side of port
is used instead.

913-2398-01 Rev A – 222 –

Chapter 14 Link Layer Discovery Protocol Overview

n System Name: a checkbox that is enabled by default. When enabled the system name is
used as defined in the System information setting. If no name for the system is set then the
TLV System name is not present in any generated LLDPDU packets.
n Management Address: is a checkbox that is disabled by default . A sub-list of 3 options
appear when enabledr:
o MAC address is a Checkbox, the default is set to disabled. When enabled it generates
one TLV with type Management address and subtype MAC address using the MAC
address of management port as value.
o IPv6 address is a Checkbox, the default is set to disabled. When enabled it generates
one TLV with type Management address and subtype IP address using the IPv6 address
of management port as value, if this IPv6 address was set.
o IPv4 address is a Checkbox, the default is set to disabled. When enabled it generates
one TLV with type Management address and subtype IP address using the IPv4 address
of management port as value.
Note: When you enable the Management Address option, make sure you have at least one sub-
option enabled, otherwise it generates an error.

Note: The Chassis ID and the Port ID values are concatenated to form a logical neighbor
identifier that is used by the recipient to identify the sending LLDP agent/port.

– 223 – 913-2398-01 Rev A

Chapter 14 Link Layer Discovery Protocol Overview

Enable LLDP Receive and Transmit

The following is a general information list on enabling TX and RX together with a list of supported
features.

l When you enable LLDP Receive and/or Transmit on a port, one MAC address is allocated for that
port and it is used as the source MAC address when generating LLDP packets.
l When a port enabled for LLDP (RX and/or TX) changes its mode to a mode that does not support
LLDP (e.g. Loopback), it disables LLDP and it deletes all neighbors recorded for that port.
l When a Tool port enabled for LLDP TX changes its mode to Network, it disables the LLDP TX, with
a warning, in order to prevent the insertion of LLDP packets into the network. This does not apply
when you manually change both mode Tool->Network and enable LLDP TX in the same change,
unless you explicity want these changes to go through.
l When a port enabled for LLDP (RX and/or TX) changes its speed configuration, it disables LLDP
and it deletes all neighbors recorded for that port.
l When a port enabled for LLDP RX is added into a port group, it disables the LLDP Receive and
deletes all neighbors recorded. LLDP TX is not affected if the port is added to a port group.
l When an E40 device is added to IFC – you will receive a warning and the LLDP RX and TX is
disabled and their neighbors are deleted.
Note: Enabling LLDP on BiDi ports gives the NTO a new way to originate a traffic storm with no
way to stop it other than turning off its features and flapping links. Ixia Vision Edge E40/E100
User Guidegenerates a warning when you enable LLDP TX on BiDi ports.

Important! Be careful when enabling LLDP TX on tapped links. There may be taps between the
NTO and your network that processes the LLDP.

Note: E40 only has a 63-MAC pool for TX or RX with more logical ports available. You can
enable LLDP only on maximum 63 logical ports at the same time.

LLDP RX (Receive) Features
l All network, tool, bidirectional and simplex ports are able to snoop LLDP to show the neighbors
in the User Interface. This option is turned off by default and it is configurable on a per port
basis.
Note: LLDP frames are not filtered by default, they are forwarded to the connected tools
unless you explicitly filter them on the NP, DF or TP level.

l The saved records expire after the amount defined in the TLV Time-To-Live (TTL) by the packet
sender, which can be set up to 120 seconds. By default the records disappear after expiry if
newer records are not received from the sender (connected port).
Note: You can however keep the expired records for a configurable amount of time
(seconds, minutes, hours, days).

l VLAN tagged LLDP frames are also processed.

913-2398-01 Rev A – 224 –

Chapter 14 Link Layer Discovery Protocol Overview

Important! LLDP RX is not supported on ports inside port groups and it cannot be
enabled. Ports inside port groups do not process LLDP frames and therefore cannot display
any neighbors. When a port that had LLDP RX enabled previously is added to a port group,
all neighbors learned on that port are deleted from the table and RX is disabled.

Important! On ports in loopback port groups neither LLDP TX or RX is supported.

LLDP TX (Transmit) Features
l All network, tool, bidirectional, and simplex ports generate LLDP packets to advertise their ports
to other connected ports. The LLDP Transmit feature is configurable on a per port basis.
l Once LLDP TX is enabled, the following fields are sent: Chassis ID, Port ID, Time to Live, Port
Description, System Name, and Management Address. For more information about each field,
please see Configuring LLDP on page 222.
l After you modify the System Name, the IPv4 or IPv6 address, or the description of any one port,
the following LLDP packets are sent with the new information, if the optional TLVs are enabled.
l Once LLDP TX is enabled the NTO generates untagged LLDP frames.
l LLDP TX is supported on ports inside Port Groups and is configurable on a per port basis. If a port
has TX already enabled then it can be added to a Port Group and it can continue to generate
frames.
Note: For Network Ports, TX works only if the TX light off option is disabled.

LLDP Port Types
LLDP is supported on Network, Tool, BiDi and Simplex port types.

In the case of LLDP RX you receive a warning when:

l you try to add a port with LLDP enabled to a Port Group.

l you try to enable LLDP in a Port Group.
l you add an E40 with LLDP enabled to the IFC.
Note: LLDP TX and RX on Loopback ports or ports with the TX light off option are not allowed.

If a port mode is changed from a supported mode to Loopback there is a validation message, if you
accept then LLDP will be disabled and the learned neighbors are deleted from the neighbors table.

Important! LLDP is not supported in IFC on any port. All enabled ports for LLDP discontinue
receiving and transmitting packets once an IFC is created.

Important! Changing the speed of a port deletes the learned LLDP neighbors from the
Neighbors table.

– 225 – 913-2398-01 Rev A

Chapter 14 Link Layer Discovery Protocol Overview

Limitations
l The number of neighbor records kept is limited to 1000 per system. When this limit is reached, in
the Statistics -> LLDP Neighbors view, On the bottom left of the window there is a display
with the number of neighbors. When it reaches 1000 it will be displayed with a red color and a
tool tip with a warning message.
l LLDP PDU packets that have only none, one or two VLANs are processed and the neighbors are
learned.
l For E40 only 63 ports can be enabled for LLDP at one time (RX/TX) from the pool of 64
MAC addresses allocated to the device.
l By default, auto-refresh is stopped. In case there are many neighbors learned with a lot of
information, it is recommended to set a longer auto-refresh interval or to keep auto-refresh
stopped and refresh manually when needed.

913-2398-01 Rev A – 226 –

CHAPTER 15 Using the System with Inline
Tools
The inline capability of the Vision Edge system provides a mechanism for feeding the live traffic to
inline tools that are connected to the system. After the traffic is being processed by the tools, it needs
to be returned back to the network via a Bypass Switch. The functionality also provides a failover
mechanism for the inline tools connected either in parallel for load balancing, or in serial for service
chaining. The failover mechanism is implemented by constant monitoring of the connected tools
through heartbeat messages sent by the system port pairs that are connected to a tool.

In the current version of the application, you can connect one or more inline tools to the Vision Edge
system and configure the inline flows through the connected tools.

– 227 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

System Support for Inline Tools - Concepts

When you connect an Inline Tool to the system, the physical topology typically looks like the one
shown in the following image:

The typical inline topology includes a bypass switch between the router and the Vision Edge.

The component parts of the topology are defined using a more simplified topology shown below as a
reference.

913-2398-01 Rev A – 228 –

Chapter 15 Using the System with Inline Tools

In this topology, you can identify the following physical and logical elements:

l Bypass ports: The system ports pair that receive and transmit the live network traffic from/to
an external bypass switch such as the Ixia’s iBypass series. In the figure above, these are ports
P17 (A) and P31 (B).
l Inline Tool : A network tool—such as an IPS or an IDS— that is connected inline to the system
(the live network traffic traverses both the system and the tool) via the Inline Tool ports.
l Inline Tool ports: The system ports that are connected to an Inline Tool. In most cases, these
are two bidirectional ports connected to a single Inline Tool. In the picture above, ports P24 and
P26 are Inline Tool ports.
l Inline Tool Resource: A collection of multiple Inline Tools of the same type, whereby each tool
is connected by a pair of Inline Tool ports. The inline traffic is automatically load-balanced across
these tools. The reason for defining these tools as a resource is that they can be shared by
multiple Service Chains (SC).
l Inline flow: This describes how the traffic flows between Bypass Port A and Bypass Port B, and
across one or multiple Inline Tools. The inline flow is configured as a Service Chain with attached
filtering criteria which specifies which traffic is directed to the Inline Tool(s) and which traffic
bypasses it (them).
The following are the types of inline flow supported:
n Unidirectional – The filter criteria of the flow is applied only on the traffic received on
Bypass Port A and directed to Bypass Port B or conversely.
n Bidirectional – The filter criteria of the flow is applied simultaneously on the traffic
received on both Bypass Port A and Bypass Port B.
Note: The bidirectional mode is the predominant mode for Inline Tools.

– 229 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

The system has the ability to constantly monitor any connected Inline Tool by periodically sending
specific heartbeat messages on one Inline Tool port, and listening to these messages on the other
port. In the case of the sample configuration illustrated above, in a normal operation mode, system-
generated heartbeat messages flow in both directions between P24 and P26, and through the
connected tool.

If a tool fails or experiences a down condition, and the heartbeat messages are no longer relayed to
the opposite Inline Tool port within a specified period of time, the system takes a failure action—
redirecting or rebalancing the traffic to/across other ports—as described in detail in Traffic Balancing
for a Group of Inline Tools on page 257. Currently, if one direction of a bidirectional flow fails, the
other direction will be down as well.

High Availability Mode

A Bypass Port Pair has a link fault detection functionality that monitors the link status of the ports in
the pair. If one of the ports goes down, the other port is forced to the same state. In the case of a port
error condition, this functionality enables switching the network traffic from one Vision Edge system
configured using the Inline High Availability (HA) mode to another HA system.

Support for Shared Tools

You can share a tool between multiple Service Chains that are connected to different Bypass Port
Pairs, as shown in the following image:

In this sample configuration, SC1, SC2, and SC3, all of them connected to BPP1, share the same ITR1
tool.

You can also use Pass by Criteria (PBC) Unmatched filters in Service Chains that share the same tool.

913-2398-01 Rev A – 230 –

Chapter 15 Using the System with Inline Tools

Inline Diagram View

The Inline Diagram view enables you to define how an inline flow traverses the system and any Inline
Tools that are attached to it. In this view, you create, connect, and configure the elements that an
inline flow traverses: Bypass ports, Inline Tool ports, and one or more Inline Tools that are configured
as part of a Service Chain.

The Inline Diagram view is composed of the following panes and elements:

l Main view: This view enables to define the inline flows by connecting Bypass Port Pairs and
Service Chains
l Resources: The left pane of this view is a container for the following object types:
n Inline Tool Resources: A resource is a collection of network tools of the same type,
whereby the traffic is load-balanced across them. A Tool Resource is being assigned to a
Service Chain, and it can be shared by multiple Service Chains. For example, in the figure
above, the ITR1 Tool Resource is assigned to both Service Chain 1 and Service Chain 2.
n Bypass Port Pair: A pair of system ports that are connected to ports on an external
bypass switch. The left (Bypass Side A) and the right side (Bypass Side B) represent Bypass
port groups, connected by unidirectional (A>B or B>A) or bidirectional (A<>B) Service
Chains. Each Service Chain can contain one or more Tool Resources, as illustrated in the
previous figure.
n Service Chains: The configured inline flow(s), with the Bypass port groups connected by
associated Service Chains.
n Heartbeats: These are predefined messages that are used to monitor the availability state
of inline tools. A heartbeat configured in the Properties dialog of an Inline Tool Resource is
used to send specific monitoring packets between each of the port pairs associated with the
resource.

Tool Resource State

The Inline Diagram view displays connectivity status information of tool resources that have been
assigned to Service Chains. The view is automatically updated when the system's heartbeat
mechanism (see Inline Tool Concepts) detects communication issues with any Inline Tool that is part
of a Service Chain, or when a port goes into the offline state. A tool's state is highlighted as follows:

l A tool connector is displayed in green if the connectivity with all the tools of the resource is error-
free.

– 231 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

l A tool connector is displayed in yellow if any (one or more, but not all) of the tools of the resource
has failed.

When the connectivity is re-established with the failed tool(s), the connector is displayed again
in green.
l A tool connector is displayed in red if all tools of the resource have failed.

913-2398-01 Rev A – 232 –

Chapter 15 Using the System with Inline Tools

Configure a Service Chain

A Service Chain specifies how an Inline Tool is connected to the system. It also specifies which traffic
flows through a connected Inline Tool and which traffic bypasses the Inline Tool.

For a unidirectional chain (say A>B), the live traffic received on the A Bypass port(s) and matching the
Dynamic Filter associated with a Service Chain is sent out to the Inline Tool(s) that are part of the
chain. Then it is sent back to the system, and finally, it is sent on to the B Bypass port(s).

For a bidirectional flow, the traffic matching a Service Chain's associated Dynamic Filter traverses
Bypass port A, the Inline Tool(s), and Bypass port B in both directions.

To configure a Service Chain, perform the following steps in the Inline Diagram view:

1. Define the Bypass Ports on the system.

2. Create an Inline Resource and configure its Inline Tool ports, which connect the system to the
Inline Tool(s).
3. Build the Service Chain by connecting the Bypass ports, assigning the Inline Tool(s) to the chain,
and defining a filter condition for the network traffic that is directed to the Inline Tool(s).

– 233 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

Define the Bypass Port Pair

To create a Bypass Port Pair:

1. In the Inline view click Add Bypass Port Pair.

The Add Bypass Port Pair dialog appears, with the General tab selected by default, as shown
in the following figure:

2. Enter a name for the Bypass Port Pair in the Name field and, optionally, a relevant description in

913-2398-01 Rev A – 234 –

Chapter 15 Using the System with Inline Tools

the Description field. If you do not enter a name, a default name such as BPP1 is used.
3. If Enable LFD (Link fault detection) is selected, a pair's failed port entails the failing of the
opposite port. If this option is not selected, a port's failure does not take down it's port pair (the
ports operate independently).
4. Click Select Port to add a Bypass port to side A. From the Select port windows that appears
select a port. Note that you can narrow down the number of port entries in the list by using the
window's filtering functionality, as described in Selection Window.
Each port is added to a port group.
5. Add a port to the right side of the pair (Side B) with the same procedure used for Side A.
6. Click the Heartbeats tab. This tab enables you to filter out specific external heartbeat
messages, in order to prevent them from reaching the connected Inline Tools. The filtered
messages are sent out the opposite Bypass port pair.
Note: This functionality can prove useful when the system is connected to an external
bypass switch that generates its own heartbeat messages that are not intended to flow
through the tool service chains. A common use case is during tool maintenance, when
heartbeat packets from an external bypass switch should bypass the system, including the
tools, to avoid being triggered on and raise unnecessary alarms.

– 235 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

7. Select Enable to Redirect Bypass Heartbeat to filter out specified external heartbeat
messages. Since the filtering functionality is similar to that of a Dynamic Filter, see Defining
Filter Criteria for detailed information on how to configure a filter.
8. Finally click OK.
Two Bypass Port Groups, one for each side, appear in the Inline view.

913-2398-01 Rev A – 236 –

Chapter 15 Using the System with Inline Tools

Add an Inline Tool Resource

An Inline Tool Resource is a service that is provided by one or multiple tools of the same type—
Intrusion Detection Systems, Analyzers, and so on.

To create an Inline Tool Resource, click Add Inline Tool Resource at the top of the Inline view.

The New Inline Resource window appears as shown in the following image:

– 237 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

General Tab
The General tab enables you to assign the inline tool resource a name and add a description.

You can also specify that the tool resource be monitored by a specific heartbeat message that is
transmitted between the two tool ports.

You can use the following heartbeat types:

l Regular heartbeat: For a regular heartbeat, when a tool works properly, the heartbeat sent by
one tool ports is relayed to the opposite port. Alternatively, when the device fails, the heartbeat
no longer reaches the opposite port.
l Negative heartbeat: A negative heartbeat operates differently, in that it is received by the
destination tool port only when the monitored tool fails, otherwise it is trapped by the tool.

The Resources > Heartbeats category includes some predefined heartbeats for some commonly-
used inline tools. These predefined heartbeats can be edited and you can also create more heartbeats
from scratch.

Note: For information on how to add heartbeat messages, see Adding Heartbeats.

Inline Tool Ports Pair

The Inline Tool Ports Pair tab enables you to define one or more inline tool ports for connecting inline
tools resources to the system. The ports are added as pairs, for example, side 1 and side 2 ports,
whereby a pair connects one tool.

A tool can be added as an active—it is traversed by inline traffic unless it fails—a standby, or an offline
resource. A standby tool automatically becomes active in the event that one of the active tools
experiences a heartbeat failure, a link failure, or becomes disabled.

To add an Inline Tool port pair:

1. For Side 1, click Select Port....

A port selection window appears. It displays only ports not already selected as Bypass ports in
the Inline Diagram view, or ports not used in the main Diagram view of the application.
2. Select a port for Side 1. Since ports must added in pairs, a single port can be added at a time.
3. Repeat steps 1 to 2 for selecting a Side 2 port.
4. Click Create Port Pair....
A port pair entry is created, containing the specified Side 1 and Side 2 ports.
5. (Optional) Specify a name for the Inline Tool.
6. Configure the role of the port pair as either of the following:
l Active: The connected tool actively processes traffic flows.
l Standby: The connected tool is meant to be a backup tool in case an active tool fails.
l Offline: The connected tool is not operational.
7. (Optional) Add more port pairs for additional Inline Tools of the same type.

913-2398-01 Rev A – 238 –

Chapter 15 Using the System with Inline Tools

In case you add multiple port pairs, multiple Inline Tools of the same type are connected as a tool
group that is capable of redistributing the flows from any failed tools within that group. For
information on this functionality, see Load Balancing for a Group of Inline Tools.
8. Click OK.
Note: Inline Tool ports added in the Inline Diagram view are also shown in the main Diagram
view using the following image. For additional information see Bypass Ports and Inline Tool
Ports Displayed in Diagram View.

– 239 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

Adding Heartbeats
To add a heartbeat message:

1. In the Resources pane of the Inline Diagram view, right-click the Heartbeats folder and
select Add Heartbeat.
Alternately, you can click the Add Heartbeat icon to the right of the Actions menu.
The Add Heartbeat dialog appears.
2. Open the Type drop-down list and select either Regular or Negative.
To determine whether to use Regular or Negative, see their descriptions under the General tab in
Add an Inline Tool Resource.
3. Enter a name for the added heartbeat in the Name field and optionally a relevant description for
it in the Description field.
4. In the Settings section, enter the desired values for Interval , Timeout, and Retry count. See
Heartbeat Dialog Fields for a description of these parameters.
5. In the VLAN section, define the VLAN properties as desired.
See Heartbeat Dialog Fields for a description of these parameters.
6. In the Address Set section, define the source and destination MAC address for the heartbeat
message.
7. In the Payload section, customize the payload of the heartbeat message.
8. Click OK.
The added heartbeat appears in list of heartbeats in the Heartbeats folder in the Resources
pane of the Inline Diagram view.

913-2398-01 Rev A – 240 –

Chapter 15 Using the System with Inline Tools

Heartbeat Dialog Fields

In the Heartbeats dialog you can set various details about the heartbeat messages sent by the inline
tool resource ports.

Settings

Type: Regular or Negative heartbeat

Interval : Defines how often a heartbeat message is sent from one tool port of the inline tool port pair
to the other. Default value is 5000ms.

Timeout: Defines the time period over which an attempt is made to retransmit a heartbeat message.
Default value is 500ms.

Retry count: Defines the number of times that an attempt is made to retransmit the heartbeat
message. Default value is 3.

VLAN

Untagged (check box): If selected, untagged VLAN is used in the heartbeat message.

VLAN id: VLAN identifier used in the heartbeat message.

Priority: VLAN priority used in the heartbeat message.

Address Set

Source: Source MAC address for the heartbeat message.

Destination: Destination MAC address for the heartbeat message.

Payload: Defines the payload of the heartbeat message.

See Adding Heartbeats.

– 241 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

Reversed MAC SRC / DST

When you enable this feature, the Inline Tool Pair port from the B side sends the Regular Tool
Heartbeat packets with reversed MAC addresses for SMAC and DMAC: the packet SMAC will have the
configured value of DMAC and the packet DMAC will have the Tool heartbeat configured value of SMAC.

913-2398-01 Rev A – 242 –

Chapter 15 Using the System with Inline Tools

Build the Service Chain

A Service Chain defines the traffic flow between a system's Bypass port pair that receive the live
network traffic and one or multiple Inline Tool resources (appliances), such as an IDS or and IPS.
Depending on whether the Service Chain is defined as unidirectional (A>B or B>A) or bidirectional (A<
> B), two or four Dynamic Filters are automatically created by the application for directing specific
traffic to the Inline Tool(s).

To create and configure a Service Chain:

1. In the Inline view, click Add Inline Service Chain at the top of the Inline view.
The Add Inline Service Chain window appears, as shown in the following figure:

2. On the General tab, specify a Service Chain name and configure it as unidirectional (A>B or
B>A) or bidirectional (A<>B).
3. Choose one or more Bypass ports pair for connecting the system to the live network traffic. If you
select multiple pairs, the Enable Tool Sharing option automatically becomes selected,

– 243 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

indicating that a tool is shared by multiple Bypass Port Pairs. To differentiate the traffic from
multiple port pairs, a VLAN tag is added automatically to each pair's traffic.
4. On the Criteria tab, define traffic filtering criteria.
The traffic matching the defined filter criteria is directed from the ingress Bypass port to the
chain's Inline Tool(s). The non-matching traffic is dropped.
5. On the Inline Tool Resource tab, specify the tool(s) to add to the Service Chain.
6. Click OK.
A new Service Chain is added in the Inline view. For example, the sample Service Chain shown in
the following figure connects the Bypass Port Groups PGIN1 and PGIN2 and is composed of a
single Inline Tool, ITR1.

Important! When you assign the same tool resource to multiple service chains, make sure you
avoid defining overlapping filtering criteria for the different service chains. Non-overlapping
filter criteria ensures that data is not replicated to the common inline tool resource.

913-2398-01 Rev A – 244 –

Chapter 15 Using the System with Inline Tools

Service Chain General Tab

This tab contains general information such as name, assigned keywords, and a description.

In this tab you can specify whether the Service Chain is bidirectional (A< >B) or unidirectional (A>B or
B>A) and define the Bypass port pair connected with the Service Chain.

To add a Bypass port pair, click Add and select an existing pair from the dialog that appears.

– 245 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

Note: Alternatively, you can configure first the Service Chain and then draw lines in the Inline
Diagram view between the Bypass port pairs and the Service Chain.

Clicking Enable Tool Sharing enables you to have a tool shared by multiple Bypass Port Pairs which
are attached to different network links. When you enable this option, the traffic pertaining to each
Bypass Port Pair identified by a VLAN Id that is automatically added by the system. To prevent
conflicts by the tool with other VLAN-tagged traffic from other Bypass Port Pairs, ensure to assign a
unique VLAN ID for each Bypass Port Pair.

Note: If you configure port tagging on a port in the main Diagram view and then you put that
port into a Bypass Port Pair and select Enable Tool Sharing, then the tool-sharing port tagging
configuration will silently replace the original port-tagging configuration.

Tip: For each Bypass Port Pair that uses tool sharing, the system automatically enables
VLAN tagging at ingress to the port pair and stripping of the tag at egress, both operations being
done transparently to system users.

Note: Tool sharing has a number of restrictions as described in Tool Sharing Restrictions.

The following figure illustrates the case of a tool that is shared by two Bypass Port Pairs, BPP1 and

BPP2. As shown in the figure, the Bypass Port Pair icon changes to , to denote the tool sharing
state.

913-2398-01 Rev A – 246 –

Chapter 15 Using the System with Inline Tools

Service Chain Filter Criteria Tab

This tab contains the standard Dynamic Filter functionality (see Creating Dynamic Filters and Creating
Catch-All Dynamic Filters). The traffic that matches the defined filter criteria is directed to the chain's
Inline Tool(s). The traffic that does not match the filter criteria for any service chains connected to a
given Bypass Port Pair is dropped.

– 247 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

The filter criteria configured in this tab is automatically applied to two (for unidirectional Service
Chains) or four (for bidirectional Service Chains) Dynamic Filters that are automatically created for
each chain in the main Diagram view. For detailed information on these special filters, see Dynamic
Filters Created for Service Chains.

Beginning in release 4.7.5, the Filter Modes you can select depend on whether you set the Filter
Memory Allocation to use Intersection or Priority filter build mode. Intersection is the default.

For a description of these two filter build modes and details about the Priority filter build mode, see:

l Priority Filtering
l Filter Memory Allocation
n Dynamic Filter Tab

913-2398-01 Rev A – 248 –

Chapter 15 Using the System with Inline Tools

Service Chain Inline Tool Resource

This tab enables you to assign one or more Inline Tools to a Service Chain and to specify an action that
is taken when a tool fails.

When a service chain has multiple tool resources assigned, these are traversed serially, in the order
specified in this tab.

– 249 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

When you assign multiple Inline Tools to the Service Chain, the processing order within the chain can
be set using the Move Up and Move Down arrows on the right of the dialog box.

For example, in a bidirectional Service Chain that contains two tools, ITR1 and ITR2 (configured in this
order), the A > B flow first traverses ITR1 and then ITR2, while the B > A flow first traverses ITR2 and
then ITR1.

For each assigned tool, in the case that the tool fails, you can also specify a traffic flow—related action
that is taken by the system:

l For the Fail Open option, the tool is skipped and the traffic flows to the next tool in the chain, or
flows out the system bypass port if there are no more tools in the chain.
l For the Fail Closed option, the traffic flow in both directions stops at the failed tool and is not
sent to the other bypass port.

Assign Inline Tools to the Service Chain

To assign Inline Tools:

1. Click Add and select the desired tool(s) from the list of available tools.
Note: Before assigning an Inline Tool to the Service Chain, the tool must be configured in
the Inline Diagram view, as described in Create an Inline Tool Resource.

2. For the newly-added tool, specify an action type for the case that the tool fails, Fail Open or
Fail Close.
3. In case you want to assign multiple tools, repeat the steps above for each additional tool.
4. (Optional) In case you have added multiple tools, configure their priority in the chain.

913-2398-01 Rev A – 250 –

Chapter 15 Using the System with Inline Tools

Service Chain VLAN Translation Tab

When a VLAN-tagged packet is received on either port of a Bypass Port Pair (BPP), this tab enables
you to swap the tag with a user-configured VLAN tag value. When the packet is sent out the opposite
BPP port, the initial value tag value is restored.

To define a VLAN translation mapping for a BPP, set the initial and replacement value and click Add.

– 251 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

Note: For the same Bypass Port Pair you can define multiple VLAN translations.

Important! You cannot use service chain VLAN translation and tool sharing at the same time.

Intersection versus Priority Build Mode - VLAN Behavior

For Inline VLAN translation, it is expected that all packets arriving at the BPP will have a VLAN defined
in the VLAN translation table.

In both Intersection and Priority build modes, the VLANs in the translation table are applied to all
Service Chains.

It is expected that all packets arriving at the BPP will meet the user defined VLAN requirements. In
Intersection build mode, a PUPBC (Pass Unmatched Pass-By-Criteria) filter is available to pass any
packets that violate the VLAN requirement. The PUPBC is not available in Priority build mode. In
Priority build mode, all packets with no VLAN or a VLAN not defined in the translation table will be
dropped.

In deployments where an iBypass device is connected on the Vision ONE BPP ports and the iBypass
device HB receives traffic through the Vision ONE, because the iBypass default HB is not VLAN-tagged,
it will be dropped the same way when changing to Priority-Based Filter (PBF) VSET topology. For these
deployments, it is best to configure Enable Redirect HB on BPP.

In deployments where an iBypass device is connected to the BPP ports of a Vision Network Packet
Broker (NPB), the iBypass device will insert its HB packets into the production traffic and send them to
the NPB. By default, the HB packets are not VLAN-tagged. For this reason, the HB packets will be
dropped in a Priority-Based Filter setup where VLAN Translation is invoked. For these deployments, it
is strongly recommend that you define an HB packet with VLAN present on the iBypass device. You will
need to treat the tagged HB as customer traffic that must have an entry in the VLAN translation table.
If for some reason it is not possible to define a VLAN-tagged HB packet, you should turn on Enable
Redirect HB on the BPP with matching MAC addresses of the HB packets, so they can be redirected
towards the other side of the BPP port without going through Service Chains (and tools).

Service Chain Access Control Tab

This tab enables users to change access control settings for an inline service chain.

913-2398-01 Rev A – 252 –

Chapter 15 Using the System with Inline Tools

Here you can modify the privileges required to perform the Service Chain modification and
(dis)connect operations. For either of these operations, the following options are available:

l Allow All : Allows all user types to make modifications to the selected service chain or
(dis)connect it to/from a bypass port pair.
l Inherit: The permissions to modify the service chain or (dis)connect it to/from a bypass port pair
are inherited from the connected bypass port pairs.
l Require Admin: Allows only users with administrative privileges to modify the selected service
chain or (dis)connect it to/from a bypass port pair.
l Require Group Member: Allows only members of specified user group(s) to make
modifications to the selected service chain or (dis)connect to/from a bypass port pair.

For details about how to change (dis)connect or modification access control privileges for inline tools,
see Access Control Settings for Inline Tools.

– 253 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

Bypass and Inline Tool Ports in Diagram View

When you configure an Inline Tool in the Inline view, elements of the configuration are also shown in
the main Diagram view—Bypass ports, Dynamic Filters, and Inline Tool ports.

The following table summarizes how elements configured in the Inline view are represented in the
Diagram view:

Representation in Diagram View Description

A system Bypass port.

A system Inline Tool port that is connected

to an Inline Tool Resource.

A Dynamic Filter that is created as part of a

Service Chain. To preserve the Service
Chain settings configured in the Inline view,
this special type of Dynamic Filter cannot be
edited in the main Diagram view.
For detailed information on these special
filters see Dynamic Filters Created for
Service Chains.

Important! When you configure an inline flow in the Inline view, the Port Groups and the
Dynamic Filters created are also displayed in the main Diagram view. However, to avoid
conflicting settings between the two views, port group and filter configuration options are limited
in the main Diagram view. For additional information on these limitations, see Dynamic Filters
Created for Service Chains.

The following example illustrates a Bypass port group (PGIN6) sending traffic into a Dynamic Filter
(F10) that is part of a Service Chain, and another Bypass port group (PGIN8) sending traffic into a
Dynamic Filter (F14) that is part of another Service Chain. Both Dynamic Filters are connected to an
Inline Tool bidirectional port group (PGIN4).

If the traffic from a Bypass port also needs to be monitored by an offline tool, you can connect the
Bypass port to a standard Tool port via a standard Dynamic Filter, as shown in the following figure. In
this example, the inline traffic from the PGIN1 Bypass Port Group is also sent to the P01-3 standard
Tool port via the F1 Dynamic Filter.

913-2398-01 Rev A – 254 –

Chapter 15 Using the System with Inline Tools

– 255 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

Dynamic Filters Created for Service Chains

For every Service Chain that you configure in the Inline view, multiple Dynamic Filters are created
automatically in the Diagram view. These special Dynamic Filters are configured automatically with the
filter criteria defined in the Service Chain's Criteria tab.

Depending on the type of the Service Chain, bidirectional or unidirectional, Dynamic Filters are created
as follows:

l For a bidirectional Service Chain, four Dynamic Filters are created automatically:
n Two filters are created for the link from the first Bypass port group to the first Inline Tool port
group.
n Two filters are created for the link from the second Bypass port group to the second Inline
Tool port group.
l For a unidirectional Service Chain, two Dynamic Filters are created automatically, one for each
link from a Bypass port group to an Inline Tool port group.
Important! The configuration options of these special Dynamic Filters displayed in the Diagram
view are limited, so as to avoid conflicting settings between the Inline and the main Diagram
views. For example, a special Dynamic Filter connecting Bypass ports and Inline Tool ports will
be visible in the main Diagram view, but you will not be allowed to delete it, change its filter
criteria, or disconnect it from any of the Inline Tool ports. Note that you also cannot connect a
special Dynamic Filter to a standard Tool port.

The following figure shows the four Dynamic Filters (F1, F2, F5, F6) created automatically for a
bidirectional Service Chain in the Diagram view. In this figure, F1 and F6 connect the Bypass and the
Inline Tool port groups PGIN1 and PGIN2, while F2 and F5 connect the Bypass and the Inline Tool port
groups PGIN5 and PGIN6.

If the Service Chain is unidirectional, say A>B, only two Dynamic Filters are created.

913-2398-01 Rev A – 256 –

Chapter 15 Using the System with Inline Tools

Traffic Balancing for a Group of Inline Tools

When you define an Inline Tool resource, you can assign it multiple tool port pairs, either active,
standby or offline, as described in Add an Inline Resource. In this case, multiple Inline Tools of the
same type are connected to the system as a group that is capable of load balancing the flows from any
failed tools.

When an active Inline Tool experiences either a link failure or a heartbeat failure, the flows from the
failed tool are redistributed to a standby tool (if configured) and traffic on working tools remain
unchanged. If at a later time the failed tool becomes functional again, its traffic flows revert to the
initial tool.

If no standby tool is configured, the flows from failed tools are redistributed to the active tools based
on the load balancing settings from the System > Settings page. Unlike standard system port trunks in
Out-of-Band cases, inline tool trunks will only redistribute flows from the failed links, such that active
tools will continue to receive their original flows. This is known as smart load rebalancing.

In the current version of the application, both ports of an inline port pair fail together. This operating
mode prevents sending traffic into one side of a tool, while the other side is down and cannot transmit
any traffic.

For example, let us consider that a tool group is connected to (A1, A2), (B1, B2), and
(C1,C2) respectively, and that no standby tool is configured. If port B1 fails, A1 and C1 continue to
receive the initial flows, plus a portion of the flows that had been initially sent to B1. Additionally, even
though B2 might be still up, its flows are redistributed to A2 and C2.

– 257 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

Service Chain Tool Sharing Limitations

The following restrictions exist with regard to the tool sharing functionality:

l If you change the VLAN tag attached to a Bypass Port Pair and the port pair is also connected to
another Service Chain, the automatically created filters for both chains will be changed in order to
reflect the changed VLAN tag values.
l When you enable tool sharing, you cannot use the service chain VLAN translation functionality at
the same time.
l When a Service Chain is connected to a Bypass Port Pair and you attempt to connect a second
Bypass Port Pair to the chain, you are prompted to enable tool sharing on the Service Chain,
otherwise the connection is not done.
l If a Service Chain is connected to multiple Bypass Port Pairs, the tool sharing functionality on the
chain cannot be disabled.
l If you have two Bypass Port Pairs connected to a Service Chain, when you want to connect a
second Service Chain to one of the Bypass Port Pairs, tool sharing will automatically get enabled
on the Service Chain you are connecting.
l When you enable tool sharing, you cannot select the outer VLAN as a filtering criterion on the
filters associated with the Service Chain.
l When Tool Sharing is enabled for a Service Chain, you can use only a Pass All, Pass by Criteria,
or Pass Unmatched Pass by Criteria filter setting on that Service Chain. Also, you cannot use
multiple filter conditions aggregated by a Match Any (OR) operator.

913-2398-01 Rev A – 258 –

Chapter 15 Using the System with Inline Tools

Inline High Availability Mode Overview

The Inline High Availability (HA) mode enables you to synchronize the Inline configuration of two
directly connected Vision Edge systems. Using this functionality, you can load balance the Inline
processing performed by the two systems.

While connected, the HA peers will keep the following configuration settings in sync:

l Inline Tool Connectors

l Inline Service Chains
l Inline Tool Resources
l Inline Bypass Connectors
l Heartbeats
l Bypass and Inline Tool Bidirectional Port Groups and contained ports
l Inline Filters
l System Filter Memory Allocation

The synchronization can be done automatically or manually. When it is done manually, you can do it
from either systems, via push (initiate sync) or pull (request sync) operations.

Important! Access control settings defined for bypass port pairs (BPPs), inline tool resources
(ITRs), and service chains (SCs) are synchronized between HA systems, except for users (on
the secondary device, user groups containing users not available on it are empty and the users
existing on the primary device must be manually added on the secondary). For details on
defining access control settings for BPPs, ITRs, and SCs, see Access Control Settings for Inline
Tools.

The following HA modes are supported:

l Standalone: When this mode is set, a system does not participate in HA. By default, a Vision
Edge chassis will have set the Standalone mode.
l Active – Active: When this mode is selected, the Primary device and the peer both process
traffic. In Active – Active mode the configuration is synchronized from one chassis to another.

The configuration sync mode defines how the configuration changes are propagated between the two
HA systems, either of the following:

l Manual sync – when this mode is selected, you need to make the sync manual by either:
n Pushing the configuration: the initiating peer pushes its Inline configuration to its HA peer.
The receiving peer will clear its entire configuration and will accept the changes that it
received.
n Pulling the configuration: the initiating peer requests the Inline configuration of its HA Peer
and applies it after having cleared its own configuration.
l Auto sync – when this mode is selected, the HA systems automatically synchronize the
configurations between them. Whenever you modify any of the settings that is subject to
synchronization, the change is propagated to the system's HA peer.

– 259 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

In this mode, tie conditions (both systems are attempting synchronization at the same time) are
resolved based on the systems' configured Primary or Secondary parameters.

Note:
The HA communication/synchronization is broken if any of the following occurs:

l If the port mode is changed from QSFP+ to SFP+, when the HA port is set to be one of the
QSFP ports (40 G) ports
l If the license allocated to the HA port is removed.

In an HA configuration, you can now know which Inline Tool Resource (ITR) failed first and which one
received the 'force fail' message.

For example, in an HA configuration involving two synced systems, with an Inline Tool Resource (ITR1
for instance) set to Active - Active mode, if the ITR on either of the systems fails, a badge appears

next to the ITR that has gone down, reading 'ORF' (that is, Originating Fail) in the Inline
Diagram view, while another badge appears next to the ITR on the peer system , reading 'RF' (that is,
Receiving Fail) and the peer receives a 'force fail' message.

The ITR failure may be due to port or (regular or negative) heartbeat failure.

The badges are refreshed in any of these cases:

l the ITR that is down goes back up

l the system is rebooted
l the ITR is deleted
l a new configuration import is performed
l a manual sync is performed

HA Port – supported HA Port speeds are 10G or 40G. The system makes this port a bidirectional
fabric port.

Note: An HA Port speed of 1G is not supported.

913-2398-01 Rev A – 260 –

Chapter 15 Using the System with Inline Tools

Configure a System in the Inline HA Mode

To configure a Vision Edge system in High Availability (HA) mode:

1. Ensure that Filter Memory Allocation (FMA) settings are manually synchronized on systems
having out-of-band configurations before proceeding to the next steps. To do this, perform a
custom export/import of the FMA settings from the primary E40 to the secondary E40:

This will prevent situations where the filter memory settings are incompatible and the HA systems
remain not synchronized after restart.
2. Select System > Settings.

– 261 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

3. In the General section, click the Standalone link to the right of the HA configuration field.
The HA Configuration window appears:

4. Select the mode as ACTIVE_ACTIVE.

See Overview.
5. Select the role as either Primary or Secondary.
Important! Make sure that the HA peer is configured to the opposite role for the HA
mode to work correctly.
6. For the HA Port, click the Add button and select a port to use for HA communication to its peer
systems.
Note: Supported HA Port speeds are 10G or 40G. The system makes this port a
bidirectional fabric port. A port speed of 1G is not supported.
This port will be used only to synchronized configuration between the two devices and will not
forward regular traffic. The port is bidirectional in order to allow HA configuration traffic in both
directions.
Although it is not required that this HA port be the same on both systems, we recommend that
you choose the same port on both systems to avoid allocating more than a single port for
HA communication on each system.
Note: You cannot configure any filters on this port or make the port part of a Port Group.

After HA is configured, you can push the configuration to the peer or pull the configuration from the
peer by clicking File > Push config to peer or File > Pull config from peer.

Inline Synchronization Status

A system's synchronization status is shown visually on its Inline Diagram tab using the following
indicators:

Synchronization Status Icon Status Description

913-2398-01 Rev A – 262 –

Chapter 15 Using the System with Inline Tools

The system detects that the HA port is link-down.

HA status is failed.

HA synchronization process is disabled.

The system is synchronized with its peer.

The systems are not synchronized.

Configure two Vision E40 systems in HA Mode

To configure two (2) Vision E40 systems in HA mode:

1. Connect a cable between two HA ports.

2. Choose the primary device and configure the HA settings.
Do not reboot now.
3. Choose the secondary device and configure as the Secondary.
Note: After step three (3) is completed (the last step above), HA will be in sync. In some
instances there may be a sync issue or a link up/down situation, mostly resolved by flapping the
HA port using the enable/disable option.

– 263 – 913-2398-01 Rev A

Chapter 15 Using the System with Inline Tools

SNMP Inline-Specific Traps

A new MIB named ANUE-INLINE-MIB was added for the Inline Tool functionality. It has the same 32620
Vendor Code and it contains inline-specific SNMP OIDs. In the current version of the application it
contains only traps.

Four new traps have been added:

l anueInlineEventToolStatusChanged (1.3.6.1.4.1.32620.4.1.1) – This trap is send whenever the

status of an inline Tool Port Pair is changed.
l anueInlineEventHaStateChanged (1.3.6.1.4.1.32620.4.1.2.1) – This is a High Availability (HA)
specific trap which is sent whenever the HA switch state has changed.
l anueInlineEventHaLinkStateChanged (1.3.6.1.4.1.32620.4.1.2.2) – This is a HA specific
notification which is sent whenever the HA link state changed.
This notification is similar to the existing Link Up/Down trap which will also be sent for the HA
Sync port. However, while the Link Up/Down trap refers to the physical linkup status of the port,
this notification provides details about the logical connection. So, even if the port link is up, the
HA link could be in a failure state that is caused by a communication issue other than a link down
condition.
l anueInlineEventHaSyncStatusChanged (1.3.6.1.4.1.32620.4.1.2.3) – This is a HA specific trap
that is used to notify about a change in the synchronization state of two connected HA systems.

913-2398-01 Rev A – 264 –

CHAPTER 16 Viewing and Changing System
Settings
The System menu allows you to view and change Vision Edge system information. The following menu
options are available under System:

l Status
l Settings
l License
l Hardware

Each of these menu options are described in detail in the sections that follow.

– 265 – 913-2398-01 Rev A

Chapter 16 Viewing and Changing System Settings

Viewing System Status

The Status page shows the overall status of the system and its components, including information such
as system up time, temperatures, components health status, alarms, and an event history.

The page includes the following sections:

l System Time Status

l General
l System History
l External Alarms
l Power Supplies
l Fan Modules
l Port Modules
l SubSystem Alarms
l Management port statistics

These standard alarm indicators appear on the page:

l Green - Indicates normal operation.

l Yellow - Indicates a problem of relatively low severity.
l Red - Indicates a problem with a resource of a relatively high severity that requires urgent
action

The following fields and indicators are displayed :

l System time: Displays the current time on a Vision Edge system. The time is displayed in both
Greenwich Mean Time (GMT) and the local time zone of the PC running the control panel - for
example, Central Daylight Time (CDT). Users running the control panel in different time zones
will see different local times displayed here, but the GMT remains the same regardless of the
time zone where users run the control panel.
l Transceiver info: Click this button to display transceiver information for all of the ports on the
system. This feature displays the properties and capabilities of the installed transceivers. This
helps to ensure that the transceivers are the correct devices for your network configuration and
are compatible with your optical wiring. Diagnostics are also provided to verify that transceiver
links are operating within adequate margins and to troubleshoot connectivity issues.
Transceivers that had an alert or warning status at the time the snapshot was taken will display
an alert indicator.
Note: Diagnostics data is only displayed when the transceiver supports it. Not all
transceivers support diagnostic data.

l Temperature: Displays the system temperature in Celsius and Fahrenheit units.

913-2398-01 Rev A – 266 –

Chapter 16 Viewing and Changing System Settings

l Management port: Displays the speed and state of the system's management port. Clicking
Management Statistics displays a list of statistics for the system's management port,
including received and transmitted bytes, packets, errors, and so on.
l NTP: Specifies if a connection to an Network Time Protocol (NTP) server is configured or not on
the Vision Edge system. If a server is configured, click NTP Server Details to display
information for that server.

– 267 – 913-2398-01 Rev A

Chapter 16 Viewing and Changing System Settings

Viewing and Modifying System Settings

The System Settings view shows the current values of the system-wide configuration settings and, for
system administrators, provides a means to change the settings. Non-administrators can view the
settings, but cannot change them.

The view includes the following sections:

l General
l Filter Memory Allocation
l Remote Services
l Tool Port Group Load Balance Settings

913-2398-01 Rev A – 268 –

Chapter 16 Viewing and Changing System Settings

General Section
Note: To enable some of the System Settings features, open the appropriate port in your
firewall. This is noted for features that require it. See Appendix F - Firewall Ports to Open.

System Info: Click the hyperlink to configure system information. A name, location and contact
information can be defined. The name defined for the system will be displayed in the title bar of the
control panel. There is no character length limitation for System Info fields but note that only the first
255 characters can be queried through SNMP.

The system information can be retrieved via SNMP MIB-II get requests.

IPv4 configuration and/or IPv6 configuration: A system needs its own IP address (IPv4 and/or
IPv6) to support troubleshooting and NTP. Click the hyperlink to configure the system's IP address,
subnet mask or gateway.

Important! Changing the IP configuration or Management port settings will cause the system
to restart and forces all users off the system. If the IP address values are not correct you will not
be able to log back in to the system through the Web GUI or the Tcl API. In this case, the serial
port menu would be the only means of correcting the error.

Management port settings: Click the hyperlink to configure the management port duplex settings.
The supported options are Auto-Negotiate and 1G Full Duplex.

Tcl API: Click the hyperlink to the right of the Tcl field to enable/disable Tcl, a deprecated feature.

To enable this feature, open the appropriate port in your firewall. See Appendix F - Firewall Ports to
Open.

Serial port access: When enabled, allows a direct connection to the system through its craft port. To
see the options that the craft (serial) port allows, see Craft Port Interface.

Console session timeout: Click the hyperlink to configure the idle login session timeout. If a
timeout is specified, a user will be automatically logged out if there is no GUI activity from that user in
the specified time. The logout can be configured for minutes, hours, or never. Login session timeout
should be set at least 10 minutes to allow potential software upgrades to complete.

Important! Ensure that the Login Session Timeout value is greater than the Web API token
timeout value. This affects the Web Console and Web API.

Console log level : Click the hyperlink to configure the log level for the console and API. The log
level can be raised to help troubleshoot issues. Log level options are None, Errors, Warnings, and Info.
Log levels should be changed only as directed by Ixia Technical Support.

Power-on self-test (POST): The POST provides a mechanism to initiate a series of diagnostic tests
at startup to validate the health of the system hardware. To enable the POST, click Disabled. Click
OK to confirm that you want the POST to run every time the system is restarted. The Disabled text
will change to display Enabled.

Note: The POST adds approximately 10 minutes to the system restart process.

– 269 – 913-2398-01 Rev A

Chapter 16 Viewing and Changing System Settings

To disable the automatic POST, click Enabled and then click OK to confirm that you wish to disable
the automatic POST.

Console login banner: You can add a login banner, such as a security warning banner, to the control
panel console. Once configured, all users, including vendors, will see it prior to logging in to the
console or Tcl shell. See Adding a Login Banner.

Tool Management View: Displays several statistical values for the filters and network ports
connected to a tool port or tool port group, thus providing a high level view that helps to analyze port
utilization and optimization. This view is optional. The default is for this view to be disabled to
conserve system resources. See Tool Management View.

Statistics Polling Interval : This is the interval for how frequently the system server retrieves
statistics from hardware. The default interval is 1 second. You can set the polling interval from 1 to 15
seconds. Longer polling intervals conserve CPU resources and improve system performance. Shorter
polling intervals get the most information on statistics flow.

Web API settings: You can change Web API properties and thus better adapt the functionality for
your environment.

To enable this feature, open the appropriate port in your firewall. See Appendix F - Firewall Ports to
Open.

The following properties can be configured:

l Enabled/disabled Web API service. It's better to keep the Web API deactivated when there
is no need for it.
l Listening port. Some ports might be blocked or assigned to other services, so it's better to be
able to configure the port to be used.
l Authentication token timeout. Depending to the number of users and business requirements,
tokens that expire faster or slower than the standard value might be needed.

Any update to any of those properties will cause a restart of the Web API service. Current connections
are dropped and ongoing request might not execute successfully. However, authentication tokens are
preserved.

To enable the Web API:

1. On the System view Settings sub-tab, click the link to the right of the Web API field.
The Web API Configuration dialog appears, as shown below.

913-2398-01 Rev A – 270 –

Chapter 16 Viewing and Changing System Settings

2. Select the Enable Web API service check box.

3. Optionally change the listening port from the default port 8000.
4. Optionally change the timeout for Invalidate authentication token after <> of inactivity
field. The default is 10 minutes. The valid range is a decimal between 1 and 2147483647. The
drop-list allows you to set the decimal value to Seconds, Minutes, Hours, Days, or Weeks.
5. Optionally click the Default button to reset the configuration to the factory default values
provided with the system.
6. Click OK to apply the changes.
Important! Ensure that the Login Session Timeout value is greater than the Web API token
timeout value. This affects the Web Console and Web API.

CLI settings: Allows you to enable or disable the CLI service and set the listening port on which the
SSH server accepts connections. To enable the CLI service, select the CLI Settings link. In the
CLI Settings dialog, select the Enabled check box and enter the desired port value in the Listening port
box, then select OK in the two successive confirmation message boxes. See CLI Command Line
Interface Introduction.

TLS/HTTPS: The Transport Layer Security (TLS) protocol is designed to help protect the privacy and
integrity of data while it is transferred between the Web and Java Console and the Vision Network
Packet Broker (NPB). Vision NPBs only support TLS 1.2 for all HTTPS TLS communication in Web
Console and Web API. The Web Console automatically uses TLS 1.2 because it uses HTTPS.

Note: The Java Console also supports TLS 1.2, but only when you enable TLS on it. Enabling
TLS encryption logs off all users and restarts the system.

By default, Vision NPBs use a self-signed certificate that is shared by the Web Console, Web API, and
the Java Console. If a higher degree of security is required, the NPB allows customers to add customer-
authorized certificates issued by a certificate authority (CA) to eliminate browser vulnerability
warnings. Certificates cannot be shared by NPBs because each NPB must generate a unique
Certificate Signing Request (CSR) that is then used by the CA to create the certificate.

See Uploading a Custom TLS Certificate.

– 271 – 913-2398-01 Rev A

Chapter 16 Viewing and Changing System Settings

Be sure to open the appropriate port in your firewall for any management interface you plan to use.
See Appendix F - Firewall Ports to Open.

Note: Vision NPBs do not support SSL protocol.

TAC SSH: This option should only be enabled with guidance from Ixia Technical Support.

To enable this feature, open the appropriate port in your firewall. See Appendix F - Firewall Ports to
Open.

Filter Multi-Tenancy Option: When a dynamic filter is created by regular (non-admin users), their
view access settings value is inherited by default from the ports or port groups to which it is
connected. As a result, if a dynamic filter is created that is not connected to any ports or port groups, it
has no objects from which to inherit its view access settings and as such can be viewed by everyone
using the respective system. You can restrict or allow for the creation of such filters by using one of
these options:

l No restriction: If used, dynamic filters not connected to any ports or port groups can be
created.
l Unconnected filters allowed but show warning: If used, dynamic filters not connected to
any ports or port groups can be created, but a warning appears, informing you about this.
l Unconnected filters not allowed: If used, dynamic filters not connected to any ports or port
groups cannot be created.
l To enable this feature, open the appropriate port in your firewall. See Appendix F - Firewall Ports
to Open.

913-2398-01 Rev A – 272 –

Chapter 16 Viewing and Changing System Settings

Uploading Custom TLS/HTTPS Certificates

When delivered to customers, a Vision Edge system uses an Ixia-signed TLS/HTTPS certificate. The
default certificate is not sufficient to ensure that the Control Panel client has really connected to the
system they think they are connecting to, because a default certificate ignores the user domain. If a
superior level of security is required, customers can obtain their own certificates, issued by a trusted
certificate authority and tied to their system's domain or the IP address. The certificates can be then
uploaded from the TLS/HTTPS Configuration dialog. The expected certificate format is a PKCS#7 .pem
or .der X509 certificate.

Note:
The Vision Edge supports X509 certificates in PKCS#7 PEM or DER formats. PKCS#7 p7b and p7c
formats are not supported by the Vision Edge.

The following openssl command can be used to convert from p7b format into PEM:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

The following openssl command can be used to convert from p7c format into PEM:

openssl pkcs7 -print_certs -in certificate.p7c -out certificate.cer

The following openssl command can be used to convert from p7b format into DER:

openssl pkcs7 -print_certs –inform DER -in certificate.p7b -out

certificate.cer
The following openssl command can be used to convert from p7c format into DER:

openssl pkcs7 -print_certs –inform DER -in certificate.p7c -out

certificate.cer

To generate a custom certificate:

1. On the System>Settings tab, click the hyperlink to the right of the TLS/HTTPS field.
The TLS/HTTPS Configuration window is displayed.

– 273 – 913-2398-01 Rev A

Chapter 16 Viewing and Changing System Settings

2. Generate a key pair and Certificate Signing Request (CSR) by clicking Generate CSR.
The Certificate Signing Request dialog appears.

3. Fill in the appropriate values and click Update.

4. Click Generate CSR.
This this will generate a new key pair and create a CSR request with the provided information.
You are prompted for a location to save the request as a .csr file, using the standard Save
window that displays.
A success notification appears, informing you of the system location where the request was
saved.

913-2398-01 Rev A – 274 –

Chapter 16 Viewing and Changing System Settings

5. Click Close to close the CSR window.

At this point, you have obtained a certificate request that can be sent to a Certificate Authority (CA) for
signing. Alternatively it can be signed by a local Windows CA. When the certificate is received from the
CA, it can be uploaded to the server.

Important! Before uploading the certificate to the Vision Edge system, the certificate must be
combined with the trusted root and the intermediate CA certificates (if any) to create a
certificate chain. This is done by putting the ASCII data from all of the certificates into a single
file, in order, starting with the Vision Edge certificate, through the intermediate certificates (if
any) and ending with the trusted root certificate.

Once you have obtained a CA-signed certificate, upload it to the server:

1. In the TLS/HTTPS Configuration window click Upload.

The Choose TLS Certificate File dialog appears.
2. Navigate to the directory containing the custom certificate and double-click the certificate file.
3. Click OK. An information dialog appears, informing you of the TLS certificate update.
4. Check Enable console encryption, and then click OK.
A confirmation dialog appears.
All users are logged off and the system restarts to use the new communication mode.
Note: The console also quits and has to be restarted.

Important! Certificates are not affected by configuration import or export operations. Since
custom certificates are not exported, when you import a configuration file with TLS/HTTPS
enabled onto a system that does not have the custom certificate, the TLS functionality will be
enabled with the default certificate.

Note: A single custom certificate can be installed at any time on a Vision Edge system. If you
click Generate CSR again, a new public/private key pair is generated and the existing key pair
will be overwritten. If there is already a certificate uploaded based on the existing key pair, it
will continue to be used until this certificate is deleted or until a new certificate is uploaded,
based on a new CSR and new key pair.

Important! After an Actions> Clear System operation is performed, the TLS setting is

disabled and any previously uploaded custom certificate is removed.

To set up TLS encrypted communication, see Syslog Support.

– 275 – 913-2398-01 Rev A

Chapter 16 Viewing and Changing System Settings

Filter Memory Allocation Settings

See Filter Memory Allocation.

913-2398-01 Rev A – 276 –

Chapter 16 Viewing and Changing System Settings

Remote Services Settings

Note: All of the Remote Services features require that you open the appropriate port in your
firewall to use them. See Appendix F - Firewall Ports to Open.

Note:
In software release 5.0.0, as a preview feature, the following servers can be configured with true
IPv6 addresses:

l Authentication – TACACS+ and RADIUS

l Syslog
l SNMP
l DNS
l NTP

Authentication: The current authentication mode is displayed. Click the hyperlink to configure the
system's authentication mode. Options include Local, TACACS+, and RADIUS. For detailed information
on configuring TACACS+ and RADIUS, refer to Authentication, Authorization, and Accounting (AAA)
Using TACACS+ and RADIUS.

Syslog: Click the hyperlink to specify one or more servers to which the system should send syslog
status messages. These messages are used to notify listeners when changes are made to the system
or when adverse conditions are present. Servers can be identified by IP address or DNS name. The
Facility (local0 - local7 or User) and Port can also be defined. Unencrypted Syslog uses UDP port 514
by default. You can set up Syslog to use encrypted TLS communication. Please see the SYSLOG for
detailed information on how to configure this feature.

SNMP: Click the hyperlink to configure SNMP support. For detailed information on configuring SNMP,
refer to SNMP.

DNS: Click the hyperlink to configure the system to use DNS to resolve host names entered in fields
within the system configuration. A DNS server must be configured if any Remote Services (TACACS+,
RADIUS, Syslog, or NTP) servers have been specified using DNS names. Note that the TTL (time-to-
live) for a successful DNS resolution is 5 minutes.

After the Set DNS Configuration window appears, the IP address of a preferred and alternate DNS
server can be entered.

Optionally, you can enter up to two suffixes to use when resolving unqualified domain names. The
expected valid characters are “A-Z, a-z, 0-1, ., or –“. Other characters can be accepted, but the user
will receive a warning.

Click OK to save the changes.

NTP: The Network Time Protocol (NTP) is a clock synchronization feature that maintains
synchronization with a network time source. The system supports NTP version 4, but also retains
compatibility with versions 1-3. NTP converges to an accurate time more quickly when multiple NTP
servers are configured. The following NTP functionality is supported:

– 277 – 913-2398-01 Rev A

Chapter 16 Viewing and Changing System Settings

l Add and enable an NTP server list (also called server pool) using either IP address or fully
qualified domain name, up to a maximum of five (5) servers.
l Display the detailed status of the NTP server pool.
l Disable servers from the NTP server pool
l Delete servers from the NTP server pool.
Note: You must have system administrator privileges to use this feature.

913-2398-01 Rev A – 278 –

Chapter 16 Viewing and Changing System Settings

Tool Port Group Load Balance Settings

These settings allow you to specify how the traffic is balanced across all tool interconnect port groups
and load balance port groups. Note that load balance group traffic flows are maintained after system
events such as system restart, import, and image upgrade.

Adjusting the Tool Port Group Load Balance Settings

To adjust the Tool Port Group Load Balance Settings, click any of the links to the right of the following
fields:

l IPv4 packets
l IPv6 packets
l MPLS packets
l L2 packets

When you click any of these links, the Tool Load Balance Settings dialog appears which has the
following settings:

Separate settings for each packet type: Select this option to use the settings in the IPv4, IPv6
and L2 sections of this dialog to load balance packets.

Same settings for all packet types: Select this option to only use Layer 2 header information to
load balance IPv4, IPv6 and L2 packets.

IPv4 Packets
IPv4 packets (Ethertype 0x0800) are always balanced using the source and destination IP addresses
and the IP protocol. To maintain host to host sessions, when an IPv4 packet is detected, then Layer 2
information is ignored in the algorithm.

Source and destination L4 ports: Select this option to include the source and destination L4 ports
in the load balance hashing algorithm. This might be necessary if the default settings do not balance
evenly enough, so you need additional variability.

IPv6 Packets
IPv6 packets (Ethertype 0x86DD) are always balanced using the source and destination IP addresses
and the Next Header field. To maintain host to host sessions, when an IPv6 packet is detected, then
Layer 2 is ignored in the algorithm.

MPLS Packets
MPLS packets are load balanced based on the following options:

– 279 – 913-2398-01 Rev A

Chapter 16 Viewing and Changing System Settings

l MPLS Labels (Up to 3 labels): Load balancing is done based on the first, second, and third
MPLS labels found in MPLS packets. For non-MPLS IP packets, load balancing is done based on
the criteria selected for IPv4 Packets or IPv6 Packets, depending on whether the packet is
IPv4 or IPv6. For non-IP packets, load balancing is based on the criteria selected for L2 Packets.
l MPLS Tunneled IPv4/IPv6 source and destination addresses (L3 packets only): Load
balancing is done based on the inner IPv4/IPv6 addresses contained within the MPLS packets. For
non-MPLS IP packets, load balancing is done based on outer IP address. For non-IP packets, load
balancing is based on the criteria selected for L2 Packets.
Note: Specify the fields to be used to load balance MPLS packets (MPLS unicast 0x8847 or
multicast 0x8848). Note that packets with more than 3 labels will load balance using the L2
algorithm.

Note: Load balancing based on inner IPv4/IPv6 addresses does not work for VPLS packets.
In this case, the load balancer will fall back on the outer L2 criteria.

BothMPLS Labels and MPLS Tunneled IPv4/IPv6 source and destination addresses: Select
both check boxes to load balance MPLS packets based on both options.

NeitherMPLS Labels nor MPLS Tuenneled IPv4/IPv6 source and destination address: Leave
both check boxes empty (de-selected) to ignore MPLS altogether and use Ipv4/Ipv6 or L2 criteria to
load balance packets. In this case, MPLS traffic is not given any special status and is balanced as non-
MPLS traffic.

L2 Packets
Non-IP Layer 2 packets are always balanced using the source and destination MAC addresses.

Ethertype: Select this option to add that header to the load balancing algorithm. This might be
necessary if the default settings do not balance evenly enough, so you need additional variability.

913-2398-01 Rev A – 280 –

Chapter 16 Viewing and Changing System Settings

Viewing and Managing System Licenses

The Feature Summary view shows licensing information such as licensed ports, unused floating
licenses, system software versions, and port license assignments.

Click System > License to display this view.

Ports
The types and numbers of the licensed ports are displayed. Vision Edge 40 has two types of physical
data ports. Port numbers P01 - P48 are 1G/10G SFP+ ports, port numbers P49 - P54 are 40G QSFP+
ports. With breakout cables, this block of six 40G ports can be broken out into 24, 10G ports. If you do
that, then they number P49-P72, a total of 72 ports, P01 - P72.

The types and numbers of the licensed ports are displayed. Vision Edge 100 has 32, 100G QSFP28
ports with 3 speed options:

l 100G
l 40G
l 10G (4x10G breakout mode)

Depending on the configured port speed, the port denominations are the following:

l When used in the 40G/100G mode, port numbers P01 - P32 are present.
l When used in 10G (4x10G breakout) mode, port numbers are sub-numbered.
n For example, P02 becomes:
o P02-1
o P02-2
o P02-3
o P02-4

QSFP+ Port Type and Ports if License Expires

If the QSFP+ license expires, then for QSFP mode 40G (ports 49-54) or 10G (ports 49-72), these ports
display status EXP in the following pages:

If the QSFP+ license expires, then for QSFP mode 40G (ports 49-52) or 10G (ports 49-64), these ports
display status EXP in the following pages:

l Diagram
l Ports
l System > License

If you change the QSFP mode from 40G to 10G or 10G to 40G , then the related ports no longer display
in the views listed above.

Once you install a new license, the system displays the QSFP+ ports.

– 281 – 913-2398-01 Rev A

Chapter 16 Viewing and Changing System Settings

License Details
Click this button to display license information for this specific system. From within the License Details
display window, the hardware information can also be viewed to compare the installed hardware with
the installed license as well as licensed software features.

Click View Hardware Info to display hardware information about the System and System
Components. Part numbers, serial numbers and other hardware information is also provided.

Enter License Key

Click this button to upgrade the license key.

1. Locate and select the license key file.

2. Click Open to install the key.

Allocated Licenses
Since the system uses a floating licensing mechanism, in the Allocated Licenses window you can
modify the default port license configuration and re-allocate port licenses as best fits your
configuration.

To reallocate licenses from one port to another compatible port:

1. Select a first port in the list.

2. Select a second port by pressing CTRL and clicking it.
If the two ports are compatible (they have the same port mode, type, and speed), the Swap
License button becomes available.
3. Click Swap License.
The port licenses are swapped.

E40 Floating Licenses

On the E40, all licenses are 10G licenses. To move licenses, the port speeds have to be the same on
both ports, the one you move the license from and the one you move the license to. You literally swap
licenses. You can move 10G to 10G or 40G to 40G. The 40G ports require four 10G licenses.

If you want to move 40G, it is usually easier to move it all at once from 40G to 40G. For example, to
move 40G from port P54 to P01, P02, P03, and P04, you aggregate four 10G ports into one 40G port,
then move the license from P54 to the aggregated port. Conversely, aggregate four 10G ports, then
move them (swap them) with a 40G port, like P54.

E100 Floating Licenses

On the E100, to float licenses to or from ports they must not be in 4x10 breakout mode. They must be
in a single port speed mode, either 100G or 40G.

913-2398-01 Rev A – 282 –

Chapter 16 Viewing and Changing System Settings

System Software Version View

Software version: Displays the software version running on the Vision Edge server.

Software build: Displays the build number of the software running on the Vision Edge server.

Maintenance expiration: Displays the date that the maintenance (support) contract expires for the
Vision Edge server. Dates will be highlighted in yellow when maintenance will expire within 7 days.
Dates will be highlighted in red after maintenance has expired.

Note: When system maintenance expires, all system components will continue to work normally
but system administrators will no longer be able to install software upgrades released after the
maintenance expiration date. Contact your local Ixia sales person or contact
[email protected] to renew maintenance.

Install Software Button

Click the Install Software button to upgrade the Vision Edge server software. For more information,
refer to Software Upgrade.

1. Locate and select the software upgrade file.

2. Click Open to start the software upgrade.

Revert to Button
This feature allows the administrator to revert the Vision Edge server to the software version installed
before the last upgrade. For more information, refer to Software Downgrade.

To obtain a license key for additional ports and/or features, please contact Ixia Systems Technical
Support.

– 283 – 913-2398-01 Rev A

Chapter 16 Viewing and Changing System Settings

Viewing System Hardware Information

The System > Hardware page provides hardware information about the System and System
Components. Part numbers, serial numbers and other hardware information is also provided.

913-2398-01 Rev A – 284 –

CHAPTER 17 Settings > User Options
(Settings)
When you select Settings > User Options, the User Settings window appears. This window allows
users to set up and apply Web Console settings that initiate from the current server for their user
account. It includes the following tabs:

l View Settings
l Refresh Settings
l Confirmation Settings
l Time Settings
l Search Settings

The topics in this section explain each of these tabs.

Note: When upgrading to release 4.7.3 or later from any pre-4.7.3 release, the options that
users set here with the Web Console are deleted. It is recommended that you note your user
option settings so you can re-enter them if they are deleted.

You have the option to apply these settings as the default for all the tabs in the User Settings window
or just the current tab displayed by clicking one of the following buttons at the bottom of the window:

l Default All Values

l Default <Tab Name> Values

– 285 – 913-2398-01 Rev A

Chapter 17 Settings > User Options (Settings)

View Settings
The View Settings tab allows administrators to set the following items:

l Initial View - sets which view the Web Console shows you when you launch it.
l Initial Item Size - sets the size of each item (object) that displays in the Web Console.
l Timeout Action - sets the action the Web Console takes when it times out, log out user or
countdown.
l Initial View Filter - sets the initial view filter when Web Console launches.
l Marquee Messages - sets whether to show marquee messages.

913-2398-01 Rev A – 286 –

Chapter 17 Settings > User Options (Settings)

Refresh Settings
The Refresh Settings tab allows administrators to set the following items:

Item Refresh Mode - automatic or manual refresh.

Stats Refresh Rate - how many seconds before refreshing statistics.

Item Refresh Rate - how many seconds before refreshing items.

Chart Refresh Rate - how many seconds before refreshing charts.

– 287 – 913-2398-01 Rev A

Chapter 17 Settings > User Options (Settings)

Confirmation Settings
The Confirmation Settings tab allows administrators to set the options for confirmation dialogs:

l Never ask
l Always ask
l Never do this
l Always do this

913-2398-01 Rev A – 288 –

Chapter 17 Settings > User Options (Settings)

Time Settings
The Time Settings tab allows administrators to set the following items:

l Date Format - Use Local Console settings or how and what order to list day, month, and year.
l Time Format - Use Local Console settings, 12 hour with/without local timezone, 24 hour
with/without timezone
l Timezone
n Server Default - By default, all Web Console sessions are set to Server Default, which
means display whatever timezone the NPB system is set to by the administrator.
Web Console users can override the default setting, that is, ignore NPB systems settings:
n Local Console - Forces Web Console to display the console’s timezone
n GMT (UTC+00:00) - Forces Web Console to display GMT time
n Select - Forces Web Console to display the selected alternate timezone from a predefined
list of timezones
n Custom - Forces Web Console to display a user defined timezone by defining name,
abbreviation, UTC Offset, etc.

Search Settings
The Search Settings tab allows you to define which properties for the displayed objects are included
when you enter text in the search field at the top right of the Web Console, shown below.

You can click the down arrow drop-list to define more details about how the search is done.

To select the properties that you wish to be considered when searching objects in the Web Console:

1. From the Control Bar, select Settings > User Options.

– 289 – 913-2398-01 Rev A

Chapter 17 Settings > User Options (Settings)

2. Click the Search Settings tab.

3. Select the check box for each item you want to include in the Search field.
Tip:
Mouse over each check box item for a tool tip that describes that item.

4. You have the option to apply these settings as the default for all the tabs or just the current one
displayed by clicking one of the following buttons:
a. Default All Values
b. Default Search Settings Values
5. Click OK to apply the changes.

913-2398-01 Rev A – 290 –

CHAPTER 18 Viewing System Statistics
Vision Edge provides a wide range of statistics to help users optimize tool utilization. Network ports,
tool ports and filters report statistics. There are also tool management view statistics which provide
statistics for all the objects connected to a specific tool port. To enable and view the Tool
Management View panel for individual tool ports, see Enabling and Viewing Tool Management View.

You can access statistics in multiple ways:

l Open the Statisticsmenu and select one of the options to view statistics in a table format.
l Right-click a port and select either View Statistics to see the Statistics Panel (dialog
view) or View Statistics Graph to see the Statistics Graph tab of the Statistics Panel, which
displays a graph view of statistics over time.
l Right-click a filter and select View Statistics to see the Statistics Panel view.
l Right-click two or more objects and select one of the Statistics sub-menu options:
n Statistics Panel – a hybrid view, showing Counts at the top and Rates/Percentages at the
bottom of the panel; includes the Standard features tab and a Graph view tab
n Statistics Grid – a tabular view of statistics for the selected objects
n Statistics Graph – detailed graphic views over time of the specific rate, utilization, or
counts that you select (either bits or packets for rates and counts) – for example, Average
Pass Rate, Bits or Packets
n Reset Stats – resets the statistics since the last statistics reset
n Reset Drops – resets the drops since the last drops reset

– 291 – 913-2398-01 Rev A

Chapter 18 Viewing System Statistics

Statistics Menu Views

This menu provides access to the following views:

l Port Stats
l Port Groups Stats
l Dynamic Filter Stats

Reset Statistics
To reset statistics:

l From the Control Bar, select Actions > Reset Statistics (and select one of the following sub-
menu items):
n Reset Statistics for all Ports, Port Groups and Filters
n Reset Statistics for all Ports & Port Groups
n Reset Statistics for all Filters

This menu provides the ability to reset the statistics for all the objects of the specific type(s). Once you
select a sub-menu item, the system prompts you with a confirmation dialog that provides a count for
each of the types of objects you wish to reset. The following are examples of each of those dialogs,
which vary in number of ports, port groups, and filters according to each NPB model and how you
configure it:

913-2398-01 Rev A – 292 –

Chapter 18 Viewing System Statistics

Confirmation dialog for Reset Statistics for all Ports, Port Groups and Filters:

Confirmation dialog for Reset Statistics for all Ports & Port Groups:

Confirmation dialog for Reset Statistics for all Filters:

– 293 – 913-2398-01 Rev A

Chapter 18 Viewing System Statistics

Viewing Statistics Panels

In addition to the tabular statistics views accessed through the Statistics menu, you can view statistics
panels for various objects:

l Viewing Network Port Panel Statistics - Standard Tab

l Viewing Tool Port Panel Statistics - Standard Tab
l Viewing Dynamic Filter Panel Statistics - Standard Tab
l Viewing Packet Processing Panel Statistics
l Viewing Statistics in a Graph (Network, Tool, and Dynamic Filter) - Graph Tab
l Enabling and Viewing the Tool Management View

913-2398-01 Rev A – 294 –

Chapter 18 Viewing System Statistics

Invalid Packets Passed/Dropped

The Network Port Statistics window includes a row that shows invalid packets that are dropped. This
statistic is also a link, shown below in the red box.

Click the link to see the Invalid Packets Breakdown dialog, which shows the following statistics for two
categories:

l RFC 2665 Dot 3 Stats

n Frame-too-long errors
n FCS Errors
n Alignment errors
n Symbol errors
l RFC 1757 Ether Stats
n Collisions
n CRC alignment errors
n Fragments
n Runts
Note: When you click the Invalid packets link, the Invalid Packets Breakdown dialog may
appear behind the Network Port Statistics window. Drag that window out of the way to see the
dialog behind it.

For all models, for incoming packets with the Ethernet Source multicast bit set, the packets will not be
marked as invalid. Both network port filters and dynamic filters will include these packets in their
respective passed packet and byte counts before the packets are silently dropped prior to the Tool port
filter. Invalid packets will be counted in the Invalid row of the Network Port Statistics window.

The statistics of each stage of a system report invalid packets slightly differently as described in the
following table. See Supported Packet Sizes for information on packets that are classified as invalid
because of their size.

– 295 – 913-2398-01 Rev A

Chapter 18 Viewing System Statistics

They are dropped at the Network port, and are not counted as passed packets or passed bytes,
beginning with the Network port. Packets that contain an invalid 802.3 Length/Type field are also
accounted for as invalid packets. Ethertype 0x8808 (MAC Control) is not counted at the Network port
as a received packet. It is counted in the Network port Received Byte count, but not in the Passed Byte
count.

In order to enable you to analyze invalid traffic packets, instead of dropping these packets, the system
passes on various types of invalid packets to the probes that can be attached to system Tool ports.

Invalid or Inconsistent Packet Type Action

Multicast source MAC Pass

MAC destination address and source address, with zeroes in the rest of the packet Pass

Unicast MAC, Ethertype 0x800 that are not IPv4 or IPv6 Pass

Unicast MAC, where the destination IP address = 0.0.0.0 Pass

Multicast MAC, Unicast destination IP address Pass

Ethertype IPv4, IPv6 header Pass

Ethertype IPv6, IPv4 header Pass

Unicast destination MAC, source IP address 0.0.0.0 Pass

Unicast destination MAC, Unicast destination IP address and TTL = 0 Pass

Unicast destination MAC, Unicast destination IP address and TTL = 1 Pass

Unicast MAC, Multicast destination IP address Pass

Multicast MAC, destination IP address >= 240.0.0.0 Pass

Packets with bad IPv4 checksum Pass

Packets having a Frame-too-long error Drop

FCS Errors Drop

Alignment errors Drop

Symbol errors Drop

Collisions Drop

CRC alignment errors Drop

Fragments (incomplete L2 frames) Drop

913-2398-01 Rev A – 296 –

Chapter 18 Viewing System Statistics

Invalid or Inconsistent Packet Type Action

Runts Drop

– 297 – 913-2398-01 Rev A

Chapter 18 Viewing System Statistics

Network Port Panel Statistics - Standard Tab

Vision Edge computes a set of standard statistics for all ports and filters. These statistics are displayed
in the Standard tab of the Statistics window.

Note: Network and Tool ports are also capable applying some packet processing operations,
Port Tagging and VLAN stripping, that modify the packets in some way. For information on these
statistics see Packet Processing Statistics.

The following standard statistics are computed for a Network port.

Counts
Received: A total count of the received Packets or Bytes since statistics were last reset for the port.
Packet counts display under the Packets column, byte counts display under the Bytes column.

Valid: A total count of the valid packets received since the statistics were last reset.

Invalid: A total count of the invalid packets received since the statistics were last reset. This value is
also a link that provides details about the invalid packets.

Note: For all models, the system does not pass invalid packets to tool ports, nor does it pass
packets that should not propagate to tools. See Invalid Packets Passed/Dropped.

Transmitted (To-Resource): A total count of Packets and/or Bytes that were transmitted by the
port to an attached PacketStack resource. This statistic is computed and displayed only if the port has
a resource attached.

Dropped (Pre-Resource): A total count of Packets and/or Bytes that were dropped by the port
before passing on the traffic to an attached PacketStack resource. This statistic is computed and
displayed only if the port has a resource attached.

Passed: A total count of the Packets or Bytes that were allowed to pass through the port since port
statistics were last reset. Packet counts display under the Packets column, byte counts display under
the Bytes column. Traffic is allowed to pass through the port based on the filter mode and criteria.

Rates/Percentages
Rates and percentage values are displayed under the following categories:

Current: The value recorded in the last second.

Average: The average value per second since statistics were last reset for the port.

Peak: The largest value recorded since statistics were reset for the port.

Time Since Peak: The time in seconds since the peak value was recorded.

913-2398-01 Rev A – 298 –

Chapter 18 Viewing System Statistics

Note:
Statistics are measured once per second by accurately counting a physical quantity such as bits,
bytes or packets during that second and then representing that value in the appropriate format
and units for display to the user.

Traffic patterns in actual networks may fluctuate on a timescale faster than the measurement
period of the statistics (one second). When this occurs, it is important to understand the
limitations of such one-second measurements.

The counts of bits, bytes or packets over a one second period (and cumulative statistics based
directly on them) will always be correct. However, caution must be used when interpreting any
statistic that indicates a "rate" such as bits per second or percentage load.

One-second rate statistics are essentially averages over a whole second. When traffic is bursty,
and those bursts last less than one second, a portion of the one second measurement period will
have a traffic intensity above the reported value. During the rest of the one second
measurement period, the traffic intensity will be below the reported value.

Received Bits/Sec: A count of the bits received each second.

Transmitted (To-Resource) Bits/Sec: The rate of bits that were transmitted by the port per
second to an attached PacketStack resource. This statistic is only computed and displayed only if the
filter has a resource attached.

Dropped (Pre-Resource) Bits/Sec: The rate of bits that were dropped by the port per second
before passing on the traffic to an attached PacketStack resource. This statistic is computed and
displayed only if the filter has a resource attached.

Passed Bits/Sec: A count of the bits that were allowed to pass through the port’s filter each second.
Traffic is allowed to pass through the port based on the filter mode and criteria.

% Bytes Passed: The percentage of bytes that were allowed to pass through the port’s filter. Traffic
is allowed to pass through the port based on the filter mode and criteria.

Received Pkts/Sec: A rate of packets received each second.

Transmitted (To-Resource) Pkts/Sec: The rate of packets that were transmitted by the port to an
attached PacketStack resource. This statistic is only computed and displayed if the filter has a
resource attached.

Dropped (Pre-Resource) Pkts/Sec: The rate of packets that were dropped by the port per second
before passing on the traffic to an attached PacketStack resource. This statistic is only computed and
displayed if the port has a resource attached.

Passed Pkts/Sec: The rate of packets that were allowed to pass through the port’s filter each
second. Traffic is allowed to pass through the port based on the filter mode and criteria.

% Pkts Passed: The percentage of packets that were allowed to pass through the port’s filter. Traffic
is allowed to pass through the port based on the filter mode and criteria.

– 299 – 913-2398-01 Rev A

Chapter 18 Viewing System Statistics

Receive Utilization: Displays the percentage of available port bandwidth being used by the
incoming traffic.

Refresh
The Resume button is available only when traffic is paused. Clicking Resume restarts the update of
statistics.

See Features Common to All Statistics Pages.

Reset
Resets statistics since the last time they were reset.

See Features Common to All Statistics Pages.

913-2398-01 Rev A – 300 –

Chapter 18 Viewing System Statistics

Tool Port Statistics - Standard Tab

Vision Edge computes a set of standard statistics for all ports and filters. These statistics are displayed
in the Standard tab of the Statistics window.

Note: Note that Dropped Packets is a very important statistical value that will indicate when
incoming traffic has exceeded the configured port rate. The most common reason that packets
are dropped is due to several networks ports directing traffic to a tool port and exceeding the
tool port capacity.

The following standard statistics are computed for a Tool port.

Counts
Inspected: A total count of the packets that were inspected since port statistics were last reset.

Passed: A total count of the packets that were passed by the tool port filter.

Transmitted (To-Resource): A total count of Packets and/or Bytes that were transmitted by the
port to an attached PacketStack resource. This statistic is only computed and displayed only if the
filter has a resource attached.

Received (From-Resource): A total count of Packets and/or Bytes that were received by the port
from an attached PacketStack resource. This statistic is computed and displayed only if the filter has a
resource attached.

Transmitted: A total count of Packets and Bytes that were transmitted since port statistics were last
reset. Packet counts display under the Packets column, byte counts display under the Bytes column.

Received Pause: A total count of the pause frames received from the device connected to the tool
port.

Current rate: The rate of the inspected packets in the last second.

Average rate: The average rate of inspected packets since the last reset of the port statistics.

Drops
Dropped packet count: The count of the dropped packets since port statistics were last reset or
Reset Drops was clicked.

Time since last drop: The time in seconds since the last dropped packet. This value is reset when
the port statistics are reset or Reset Drops is pressed.

Time since drops reset: The time in seconds since the Dropped Packets count was reset.

Drops reset by: The Login ID of the last user who reset the port statistics.

– 301 – 913-2398-01 Rev A

Chapter 18 Viewing System Statistics

Rates/Percentages
Rates and percentage values are displayed under the following categories:

Current: A display of the value recorded in the last second.

Average: A display of the average value per second since statistics were last reset for the port.

Peak: A display of the largest value recorded in any single second since statistics were last reset for
the port. Please note that since statistics are sampled once per second, peaks that occur between
samples may be missed, and may be larger than what is actually reported.

Time Since Peak: The time in seconds since the Peak value was recorded.

Dropped Pkts/Sec: A rate of dropped packets since port statistics were last reset or Reset Drops
was clicked.

Inspected Pkts/Sec: A rate of inspected packets per second.

Transmitted Pkts/Sec: A rate of transmitted packets per second.

Passed Pkts/Sec: A rate of packets passed on per second to external tools.

Transmitted (To-Resource) Pkts/Sec: The rate of packets that were transmitted by the port per
second to an attached PacketStack resource. This statistic is only computed and displayed if the filter
has a PacketStack resource attached.

Received (From-Resource) Pkts/Sec: The rate of packets per second that were received by the
port from an attached PacketStack resource. This statistic is only computed and displayed if the filter
has a PacketStack resource attached.

% Pkts Passed: The percentage of packets that were allowed to pass through the port's filter. Traffic
is allowed to pass through the port based on the filter mode and criteria.

Passed Bits/Sec: A rate of packets passed on per second through the port's filter. Traffic is allowed
to pass through the port based on the filter mode and criteria.

Transmitted (To-Resource) Bits/Sec: The rate of bits that were transmitted by the port per
second to an attached PacketStack resource. This statistic is computed and displayed only if the filter
has a PacketStack resource attached.

Received (From-Resource) Bits/Sec: The rate of bits that were received by the port from an
attached PacketStack resource. This statistic is computed and displayed only if the filter has a
PacketStack resource attached.

Transmitted Bits/Sec: The rate of transmitted bits per second.

Transmit Utilization: The percentage of available port bandwidth being used to transmit traffic.

Refresh
The Resume button is available only when traffic is paused. Clicking Resume restarts statistics
updating.

913-2398-01 Rev A – 302 –

Chapter 18 Viewing System Statistics

See Features Common to All Statistics Pages.

Reset
Resets statistics since the last time they were reset.

See Features Common to All Statistics Pages.

– 303 – 913-2398-01 Rev A

Chapter 18 Viewing System Statistics

Dynamic Filter Panel Statistics - Standard Tab

A Dynamic Filter's standard statistics are a set of statistics that are computed regardless if the filter
has a PacketStack resource attached or not.

Counts
Inspected: A total count of the Packets and/or Bytes that were inspected since Fynamic filter
statistics were last reset. Packet counts display under the Packets column, byte counts display under
the Bytes column.

Passed: A total count of Packets and/or Bytes that were allowed to pass through the dynamic filter
since filter statistics were last reset. Packet counts display under the Packets column, byte counts
display under the Bytes column. Traffic is allowed to pass through the dynamic filter based on the
filter mode and criteria.

Note:
The Dynamic Filter statistics dialog (panel) does not display the application filter statistics for
each VLAN filter. To see the application-specific traffic statistics, you need to open the desired
Tool port's statistics dialog and look at the Inspected count. This represents all filtered
application data matching the VLAN ID(s) for that Tool port.

If a Dynamic Filter has a PacketStack resource attached to it, then the following statistics are
displayed:

l Transmitted (To-Resource): A total count of Packets and/or Bytes that were transmitted by
the dynamic filter to an attached PacketStack resource. This statistic is computed and displayed
only if the filter has a resource attached.
l Dropped (Pre-Resource): A total count of Packets and/or Bytes that were dropped by the
dynamic filter before passing on the traffic to an attached PacketStack resource. This statistic is
computed and displayed only if the filter has a resource attached.

Rates/Percentages
Rates and percentage values are displayed under the following categories:

Current: A display of the value recorded in the last second.

Average: A display of the average value per second since statistics were last reset for the dynamic
filter.

Peak: A display of the largest value recorded in any single second since statistics were last reset for
the dynamic filter. Note that since statistics are sampled once per second, peaks that occur between
samples may be missed, and may be larger than what is actually reported.

Time Since Peak: The time in seconds since the Peak value was recorded.

Inspected Bits/Sec: The rate of bits inspected per second.

913-2398-01 Rev A – 304 –

Chapter 18 Viewing System Statistics

Transmitted (To-Resource) Bits/Sec: The rate of bits that were transmitted per second by the
dynamic filter to an attached PacketStack resource. This statistic is only computed and displayed if the
filter has an resource attached.

Dropped (Pre-Resource) Bits/Sec: The rate of bits that were dropped per second by the dynamic
filter before passing on the traffic to an attached PacketStack resource. This statistic is only computed
and displayed if the filter has a resource attached.

Passed Bits/Sec: The count of the bits that were allowed to pass through the dynamic filter per
second.

% Bytes Passed: The percentage of bytes that were allowed to pass through the dynamic filter.
Traffic is allowed to pass through the dynamic filter based on the filter mode and criteria.

Inspected Pkts/Sec: The rate of packets inspected per second.

Transmitted (To-Resource) Pkts/Sec: The rate of packets that were transmitted per second by
the dynamic filter to an attached PacketStack resource. This statistic is only computed and displayed if
the filter has a resource attached.

Dropped (Pre-Resource) Pkts/Sec: The rate of packets that were dropped per second by the
dynamic filter before passing on the traffic to an attached PacketStack resource. This statistic is only
computed and displayed if the filter has a resource attached.

Passed Pkts/Sec: The rate of packets that were allowed to pass through the dynamic filter per
second.

% Pkts Passed: The percentage of packets that were allowed to pass through the dynamic filter.
Traffic is allowed to pass through the dynamic filter based on the filter mode and criteria.

Refresh
The Resume button is available only when traffic is paused. Clicking Resume restarts the update of
statistics.

See Features Common to All Statistics Pages.

Reset
Resets statistics since the last time they were reset.

See Features Common to All Statistics Pages.

– 305 – 913-2398-01 Rev A

Chapter 18 Viewing System Statistics

Packet Processing Statistics

The following standard Packet Processing features are available on a Network or Tool port:

l Port Tagging: This functionality, which is available only for Network ports, adds a VLAN tag to
incoming packets.
l VLAN Stripping: This functionality, which is available for both Network and Tool ports, removes
VLAN tag(s) from packets that traverse the port.

If any of the features are enabled on the Network port, the bytes added or stripped are reflected on the
downstream Tool port. Because no statistics are computed for either of these features, the only way to
verify that port tagging or VLAN stripping has been applied is to monitor the byte count on the Tool
port.

For further information on the packet processing functionality see Packet Processing.

913-2398-01 Rev A – 306 –

Chapter 18 Viewing System Statistics

All Statistics Panels - Graph Tab

The Graph tab is available for all the Statistics Panels (Network, Tool, and Dynamic Filters). It
displays a graphical view of statistics over time.

– 307 – 913-2398-01 Rev A

Chapter 18 Viewing System Statistics

Enabling and Viewing Tool Management View

Once you enable the Tool Management View (by default it is disabled), you can use it to view statistics
for each Tool port.

To enable the Tool Management View:

1. From the System menu at the top of the Web Console GUI, select System > Settings.
2. To the right of the Tool Management View field, select the Disabled link.
3. Select the Enable Tool Management View check box and OK.

To view the Tool Management View for a tool port:

1. From the Diagram view, right-click a single tool port and select Tool Management View.
or
2. From the Ports view (Objects > Ports), select the ellipsis (...) for a single tool port and select
Tool Management View.

913-2398-01 Rev A – 308 –

Chapter 18 Viewing System Statistics

Features Common to All Statistics Pages

The following common features are available on the Network, Dynamic Filter, and Tool Port statistics
pages.

Refresh
Time of Displayed Stats: Displays the time at which the statistics were collected on the server. The
time is displayed in the local time zone of the PC running the control panel. Users running the control
panel in different time zones see different times displayed here.

Display Refresh Interval : The configured refresh interval is displayed. Click the value to configure
the interval. This setting does not affect how often statistics are collected on the NPB, which is always
once per second. The refresh interval can also be configured under the Edit -> Options menu.

The Pause button pauses the update of the statistics displayed in the control panel for the currently
logged in user (the button name changes to Resume during pause). This button does not the affect
the actual collection of statistics on the NPB server.

Reset
Time since stats reset: Displays the amount of time that has transpired since the reset of the port
statistics.

Reset by: Displays the Login ID of the last user who reset the port statistics.

The Reset button resets the tool port statistics.

The Reset Open button resets the statistics of all of the ports and filters with statistics windows that
are currently open. This feature allows the statistics for different objects to be synchronized to a similar
point in time. Note that since the statistic windows are reset serially, the statistics displayed on the
open statistic windows are not completely synchronized.

The Close All button closes all of the currently open statistics windows.

The Close button closes the tool port statistics window.

– 309 – 913-2398-01 Rev A

CHAPTER 19 Managing Users
The Vision Edge system supports role based access control (RBAC).

RBAC is a secure method of restricting account access to authorized users. This method enables the
account owner to add users to the account and assign each user to specific roles. Each role has specific
permissions defined by an administrator who added the user. RBAC allows users to perform various
actions based on the scope of their assigned role.

See Users View

See User Groups View

– 310 – 913-2398-01 Rev A

Chapter 19 Managing Users

The following details are available for each user listed in the Users view:

l User Login Id—the ID assigned to a user

For more information please see Add Users and Managing Users.

Modifying Users Details from the Users View

User details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding "..." button

l By right-clicking the respective detail

The right-click menu and "..." button options are:

l Add to Group
l Remove from Group
l Delete
l Properties

913-2398-01 Rev A – 311 –

Chapter 19 Managing Users

Searching for a User or User Detail in the Users View

To search for a particular user or user detail in the Users view:

l In the search field at the top of the view, enter the concerned user or user detail.
As you type the text, the valid matches are highlighted in the view.

– 312 – 913-2398-01 Rev A

Chapter 19 Managing Users

Add Users
To add a user:

1. Click Add > User.

2. Enter a user name (Login Id) and a password.
3. Select the System Administrator check box if you want to enable the user with system
administrator privileges.
4. Click OK to apply the changes.

913-2398-01 Rev A – 313 –

Chapter 19 Managing Users

User Groups View

The following details are available for each user group listed in the User Groups view:

l Group Name—the name given to the group by its creator

For more information please see Add User Groups and Managing Users.

Modifying User Groups Details from the User Groups View

User group details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding "..." button

l By right-clicking the respective detail

The right-click menu and "..." button options are:

l Add User(s)
l Remove User(s)
l Delete
l Properties

Searching for a User Group or User Group Detail in the User

Groups View
To search for a particular user group or user group detail in the User Groups view:

l In the search field at the top of the view, enter the concerned user group or detail.
As you type the text, the valid matches are highlighted in the view.

– 314 – 913-2398-01 Rev A

Chapter 19 Managing Users

Add User Groups

To add a user group:

1. Click Add > User Group.

2. Enter a name and description.
3. Click Add to add users to the group from the Available Users list that appears.
4. Select the Group Owner check box if you want the user to be the group owner.
5. Click OK to apply the changes.

913-2398-01 Rev A – 315 –

CHAPTER 20 Defining Access Control Policies
For some organizations, there is a need to protect and coordinate access to network ports, tool ports,
filters, and sensitive data that is passing through the system. For example, there may be a need to
define access so that only members of the Security team can modify the settings of a specific tool port
that is attached to an Intrusion Detection System (IDS). Access Control using groups provides the
features required to meet these security concerns.

Access policies for each port can be defined by arranging users into groups. Groups can be defined in
any manner to meet your organization’s needs. The group composition can be based on function
(networking, security, compliance, and so on), role (administrators, basic users, managers) or group
structure (project team, geographic location, and so on).

By default, filters automatically inherit the access control of the network and tool ports to which they
are connected. This ensures that the access policies are consistently enforced. As an option, the
access policies of dynamic filters can be customized by a system administrator. This feature can be
used to restrict the ability of users to view and modify filters that may be receiving and filtering out
sensitive data, passing only cleansed data to the tools.

Port Groups always inherit the combined security settings of the ports they contain.

Note: Only system administrators can configure access control and have the ability to create
groups. System administrators can view, modify, and connect all diagram objects regardless of
the object access control settings.

Note: Access control using groups utilizes local groups when the system is in local
authentication mode and remotely-defined groups when the system is in TACACS+ or RADIUS
authentication mode with Groups != Local. The TACACS+ feature that uses the "group = "
keyword (in the TACACS+ Server Configuration File located on the TACACS+ Server) is
unrelated to access control using groups. The "group =" keyword is used to define whether a
user is to have regular user or system administrator privileges on login.

– 316 – 913-2398-01 Rev A

Chapter 20 Defining Access Control Policies

Access Control Settings for Ports

Viewing, modification, and connection access for a Network or a Tool port can be used to customize
policies for an organization.

For example, you may want to set up access to a Tool port for an IDS tool such that only members of
the security engineering team can connect to a Tool port, and only members of the security
management team can view and modify the Tool port settings (filter criteria, connection speed, and so
on).

For a Network or Tool port, access control privileges specify which users can view, modify the port,
connect it to Dynamic Filters, and attach a PacketStack system resource to the port. For any of these
operations, there are three options: Allow all , Require Group Member , or Require Admin. If
access to modification and connection to Dynamic Filters is restricted, a lock for the restricted action is
shown on the port representation in the Diagram view, as shown in the following figure.

In the figure above for a Network Port, the leftmost lock indicates a restriction to modify the port
settings and the rightmost lock indicates a restriction to connect the port to a Dynamic Filter.

Note: Only system administrators can configure access control. System administrators also
have access to all objects, regardless of the access control settings of the object.

Once access control policies are set, each user sees a customized view of the ports that they can
access. On a Network or Tool port, the access control privileges of the current user are represented as
follows:

l No lock: Any user has the privileges to view, modify or connect the port settings. This
corresponds to the Allow All option set for a specific action (view, modify, or connect) in the
Access Control tab of the port.
l Open lock : You have the privileges to view, modify, or connect the port.
l Closed lock : You do not have the privileges to modify or connect the port.
Note: If the current user does not have access privileges to a few objects, those objects do not
appear in the Diagram view at all.

Defining Access Control Settings for Ports

To set access control policies for a Network or Tool port:

913-2398-01 Rev A – 317 –

Chapter 20 Defining Access Control Policies

1. Right-click the desired Network or Tool port (See Right-click Menu on page 40 for details on the
menu options).
2. Select Permissions>Access Control List or Permissions>For Viewing/For
Modifying/For In Connections/For Out Connections/For Resource Attachments
(depending on the access type that you want to modify).
3. Select one of the available options:
l Allow All
l Require Group Member
l Require Admin
4. In the dialog that opens:
l If you selected Require Group Member at the previous step:
n Select a user group to set as, add, or remove from the respective access type list.
n Click Set to set the permissions for the desired access type (for example, permission to
modify a particular port) for the members of the respective group.
n Click Add to allow access for the respective group to a particular type of action (for
example, add access to view a particular port).
n Click Remove to take away privileges for the respective group for a particular type of action
(for example, take away privileges to view a particular port).
l If you selected either Allow All or Require Admin at the previous step:
n Click Yes to apply the selected option.

– 318 – 913-2398-01 Rev A

Chapter 20 Defining Access Control Policies

Access Control Settings for Port Groups

Port Groups inherit the security settings of their contained ports. As an option, you can modify access
settings from the port group's Right-click Menu on page 40.

A user must have view privileges to every port contained in the port group to be able to see it in the
Diagram view. In the same manner, a user must have modify privileges to every port contained in a
group to have modify access to the port group. A user must have connect/disconnect access to every
port contained in a group to be able to perform those operations on a port group.

As a consequence, if at least one of the contained ports has restricted view, modify, or
connect/disconnect access privileges for a specific user, then that action at port group level is not
permitted for that user.

Unlike ports, you cannot attach any system resources to port groups, so there are no resource
attachment privileges defined for a port group.

Access restrictions on port groups are reflected by the presence of a padlock on the Port Group icon in
the Diagram view. Depending on the type of access policy set to the containing ports, the padlock icon
is:

l solid closed if the access policy for the containing ports is set to Require Admin or Require Group
Member.
l solid open if the access policy for the containing ports is set to Allow All.
l clear closed if the access policy for the containing ports is set to Inherit and the inherited access
policy denies access to the respective action type: view, modify, or (dis)connect.
l clear open if the access policy for the containing ports is set to Inherit and the inherited access
policy allows access to the respective action type: view, modify, or (dis)connect.
For example, a port group with restricted modify access and full view and connect access

913-2398-01 Rev A – 319 –

Chapter 20 Defining Access Control Policies

For inline port groups, if the corresponding inline objects have non-inherit access control settings,
you cannot modify access control settings in any way. Otherwise, if access control settings for inline
objects are configured as inherited, then access control settings for inline port groups can be
configured similarly with normal PGs.

For example, see the following non-inherit access control settings

– 320 – 913-2398-01 Rev A

Chapter 20 Defining Access Control Policies

and their result: view-only access control

settings .

913-2398-01 Rev A – 321 –

Chapter 20 Defining Access Control Policies

For example, see the following inherit access control settings

and their
result: access to modify access control settings

Defining Access Control Settings for Port Groups

To set access control policies for a port group:

1. Right-click the desired port group.

2. Select Permissions.
The Modify Access Control List Dialog on page 42 opens.
3. Select the check box corresponding to the desired access type.

– 322 – 913-2398-01 Rev A

Chapter 20 Defining Access Control Policies

4. In the New Setting column, select the desired option from the drop-down box.
5. Click OK.

913-2398-01 Rev A – 323 –

Chapter 20 Defining Access Control Policies

Access Control for Dynamic Filters

For a Dynamic Filter, access control privileges specify which users can view the filter, modify it,
connect it with Network and Tool ports, and attach a system resource to it. If access to filter
modification, connection to Network or Tool ports, or system resource attachment is restricted, a lock
for the restricted action is shown on the filter representation in the Diagram view, as shown in the
following figure.

In the figure above for a Dynamic Filter, the leftmost lock indicates a restriction to connect the filter to
a Network port, the middle lock indicates a restriction to modify the filter or attach a resource, and the
rightmost lock indicates a restriction to connect the filter to a Tool port.

By default, filters inherit the access control settings of the Network and Tool ports to which they are
connected, which ensures that the access policies are consistently enforced. As an option, the access
policies of filters can be modified and configured locally by a system administrator.

If the access control setting for viewing, modification, or connection is inherited from the connected
ports, a transparent lock is displayed.

If the access control setting for viewing, modification, or connection is not inherited from the ports, but
configured at filter level, a solid lock is displayed instead.

On a Dynamic Filter, the access control privileges of the current user are represented as follows:

l No lock: Any user has privileges to view, modify, or connect the filter. This corresponds to the
Allow All option set for a specific action (view, modify, or connect) in the Access Control tab of a
Dynamic Filter.
l Open lock : You have privileges to view, modify, or connect the filter.
l Closed lock : You do not have privileges to modify or connect the filter.
Note: If the current user does not have access privileges to a few objects, those objects do not
appear in the Diagram view at all.

Defining Access Control for Dynamic Filters

To set access policies for a Dynamic Filter:

1. Right-click the desired Dynamic Filter (See Right-click Menu on page 40 for details on the menu
options).
2. Select Permissions>Access Control List or Permissions>For Viewing/For
Modifying/For In Connections/For Out Connections/For Resource Attachments
(depending on the access type that you want to modify).
3. Select one of the available options:
l Allow All

– 324 – 913-2398-01 Rev A

Chapter 20 Defining Access Control Policies

l Require Group Member
l Require Admin
4. In the dialog that opens:
l If you selected Require Group Member at the previous step:
n Select a user group to set as, add, or remove from the respective access type list.
n Click Set to set the permissions for the desired access type (for example, permission to
modify a particular filter) for the members of the respective group.
n Click Add to allow access for the respective group to a particular type of action (for
example, add access to view a particular filter).
n Click Remove to take away privileges for the respective group for a particular type of action
(for example, take away privileges to view a particular filter).
l If you selected Allow All , Inherit,or Require Admin at the previous step:
n Click Yes to apply the selected option.

Access Control Settings for Inline Tools

For inline tools, access control privileges involve access to bypass port pairs (BPPs), inline tool
resources (ITRs), and service chains (SCs). There are two use cases that are envisaged:

l connect and modify access are configured on the ports and by inheritance these settings are
propagated to BPPs and ITRs. SCs can inherit the access control settings from the connected
BPPs.
l connect and modify access are configured directly on the inline objects, respectively on BPPs,
ITRs, and SCs . Once made on the ITRs or BPPs, these settings propagate to their corresponding
ports, if any.
Note: There can also be mixed modes between these two, with the respective access settings
configured both on ports and directly on inline objects, but this is not recommended as it might
prove confusing.

Access control settings can be set individually for each BPP, ITR, and SC, using the Access Control tab
of the inline object's Properties dialog.

For example

Note: Only system administrators can change access control settings.

913-2398-01 Rev A – 325 –

Chapter 20 Defining Access Control Policies

The following options are available for the Modify and Connect/Disconnect operations for bypass port
pairs, tool resources, and service chains:

l Allow All : Allows all user types to make modifications to or (dis)connect the selected inline
object.
l Inherit: The permissions to modify or (dis)connect the selected inline object are inherited from
the ports in the case of BPPs and ITRs (for ITRs, only the Modify access policy is inherited). In the
case of SCs, Modify and (Dis)connect access privileges are inherited from the connected BPPs.
On a side note, both Modify and (Dis)connect access privileges (inherited from connected BPPs)
are inherited from the (Dis)connect access policies from connected BPPs.
Important! Also, when the ITR and BPP are set to Inherit, the ports within them can be
configured by the administrator with other access control settings to be inherited by the
BPP or ITR as appropriate. Creating a new access configuration on the BPP or ITR overrides
the settings on the ports.
l Require Admin: Allows only users with administrative privileges to modify or (dis)connect the
selected inline object.
l Require Group Member: Allows only members of specified user group(s) to make
modifications to or (dis)connect to/from the selected inline object.
Note: For systems being upgraded from versions without inline access policies, the access
policies for all existing inline resources are set to Inherit. For newly-created BPPs and ITRs, the
access policy is set to Inherit-From-Ports, that is the intersection of port access settings. For
newly-created SCs, the access policies are set to Inherit-From-BPPs.

Modify and (Dis)connect Access configured on the ports from which Bypass Port
Pairs and Tool Resources inherit the access control settings (Service Chains
inherit from BPPs)
To configure the Modify and (Dis)connect privileges for bypass port pairs, tool resources and service
chains, making use of the Inherit permission, access policies for the respective bypass port pairs and
tool resources must be set to the ports that will be used to create the BPPs and ITRs. In this case, the
access control settings from ports will be inherited by the BPPs and ITRs which contain those ports.
Service chains will inherit the access control settings from the connected BPPs.

Modify and (Dis)connect Access configured directly on the Bypass Port Pairs,
Tool Resources, and Service Chains
To configure the Modify and (Dis)connect privileges directly for bypass port pairs, tool resources, and
service chains, access settings for the respective bypass port pairs, tool resources, and service chains
must be set directly on them. In this case, the access control settings from the ITRs and BPPs will be
propagated to the ports from within BPPs and ITRs.

– 326 – 913-2398-01 Rev A

Chapter 20 Defining Access Control Policies

Defining Access Control Settings for Bypass Port Pairs

For bypass port pairs, the following options are available for the Modify and Connect/Disconnect
operations in the Access Control tab of the Edit/Add Bypass Port Pair dialog:

l Allow All : Allows all user types to make modifications to or (dis)connect the BPP.
l Inherit: The permissions to modify or (dis)connect the BPP are inherited from the ports within
the BPP.
l Require Admin: Allows only users with administrative privileges to modify or (dis)connect the
BPP.
l Require Group Member: Allows only members of specified user group(s) to make
modifications to the BPP or (dis)connect to/from an SC.
Important! Adding and removing ports to/from a BPP requires Connect access privileges to the
ports being added to/removed from the BPPs if the Connect access policy set up on the BPP is
Inherit-From-Ports. Modify privileges from BPPs do not influence adding/removing ports to/from
a BPP.

Important! Connecting/disconnecting a BPP to/from an SC requires (dis)connect access

privileges to the ports from the BPP, the BPP, and the SCs you want to (dis)connect.

Depending on whether access to modify or (dis)connect a BPP is allowed or not, the padlock icon on
the BPP graphic representation in the Inline diagram changes to:

l solid closed if modify or (dis)connect access is denied through either the locally set Require
Admin or the Require Group Member access option

l clear closed if modify or (dis)connect access is denied through an Inherited access option
l solid open if modify or (dis)connect access is allowed through a locally set Allow All access
option
l clear open if modify or (dis)connect access is allowed through an Inherited access option

Defining Access Control Settings for BPPs

To set the desired access control policies for Bypass Port pairs (BPPs):

1. Right-click the desired BPP and select Properties from the right-click menu.
The Edit Bypass Port Pair dialog opens.
Note: You can configure access control settings from the onstart, when adding a brand new
BPP, from the Access Control tab of the Add ByPass Port Pair dialog. See Define the Bypass
Port Pair for details on adding a new bypass port pair.
2. Select the Access Control tab.
3. Select the check box corresponding to the desired access type.

913-2398-01 Rev A – 327 –

Chapter 20 Defining Access Control Policies

4. In the New Setting column, select one of the available options, then OK. See Access Control
Settings for Inline Tools for details on the options.

Important!
The following BPP properties require Modify access to the BPP to be editable:

l General tab:
n Name
n Description
n Enable LFD
l Heartbeat tab:
n all properties
l Service Chain Priority List

The following BPP properties require Connect access to the BPP to be editable:

l Side A Port
l Side B Port

Defining Access Control Settings for Inline Tool Resources

For inline tool resources, the following options are available for the Modify operations in the Access
Control tab of the Edit/Add Inline Tool Resource dialog:

l Allow All : Allows all user types to make modifications to the selected inline tool resource.
l Inherit: The permissions to modify the selected inline tool resource are inherited from the ITR's
ports.
l Require Admin: Allows only users with administrative privileges to modify the selected inline
tool resource.
l Require Group Member: Allows only members of specified user group(s) to make
modifications to the selected inline tool resource.
Note: Adding and removing tool connectors (ITCs) to/from the inline tool resource also requires
Connect access to the ports that belong to the ITC. The Modify access privileges set on an ITR
with access policies different from Inherit-From-Ports are propagated to the underlying inline
ports, overwriting the existing Modify and Connect In/Out port access settings.

Important! When adding ports to an ITR, the Modify and Connect In/Out access settings of the
ports must be the same.

Depending on whether access to modify an inline tool resource is allowed or not, the padlock icon on
the inline graphic representation in the Inline diagram changes to:

l solid closed if modify access is denied through either the locally set Require Admin or the
Require Group Member access option

– 328 – 913-2398-01 Rev A

Chapter 20 Defining Access Control Policies

l clear closed if modify access is denied through an Inherited access option

l solid open if modify access is allowed through a locally set Allow All access option
l clear open if modify access is allowed through an Inherited access option

Defining Access Control Settings for Inline Tool Resources

To set the desired access control policies for Inline Tool Resources (ITRs):

1. Right-click the desired ITR (either in the Resources pane of the Inline view or regular Diagram
view) and select Properties from the right-click menu.
The Edit Inline Tool Resource dialog opens.
Note: You can configure access control settings from the onstart, when adding a brand new
ITR, from the Access Control tab of the Add Inline Tool Resource dialog. See Add an Inline
Tool Resource for details on adding a new inline tool resource.
2. Select the Access Control tab.
3. Select the check box corresponding to the desired access type.
4. In the New Setting column, select one of the available options, then OK. See Access Control
Settings for Inline Tools for details on the options.
Important! All ITR properties require Modify access to the ITR to be editable. There are no
configurable Connect access settings for ITRs.

913-2398-01 Rev A – 329 –

Chapter 20 Defining Access Control Policies

Defining Access Control Settings for Service Chains

For service chains, the following options are available for the modify and (dis)connect operations in the
Access Control tab of the Edit/Add Inline Service Chain dialog:

l Allow All : Allows all user types to make modifications to or (dis)connect the selected inline
service chain.
l Inherit: The permissions to modify or (dis)connect the selected inline service chain are inherited
from the connected bypass port pairs. When the Modify policy of an SC is set to Inherit-From-
BPPs, the set of users who can change the SC settings is determined by the Connect policies of
the connected BPPs. When the Connect policy of an SC is set to Inherit-From-BPPs, the set of
users who can add and/or remove BPP connections to/from the SC is determined by the Connect
policies of the connected BPPs.
Important! The inherited SC access settings are the intersection of all corresponding
access settings of the connected BPPs.
l Require Admin: Allows only users with administrative privileges to modify or (dis)connect the
selected inline service chain.
l Require Group Member: Allows only members of specified user group(s) to make
modifications to the selected service chain or (dis)connect to/from a bypass port pair.

Important!
If the modify and/or (dis)connect policy of an SC is set to Inherit(Inherit-From-BPPs), then
adding a BPP connection to that SC could cause some users to lose their ability to perform those
operations. For example:

l Let us suppose SC1 is connected to BPP1. It has a Connect policy of Require Group
Member and an access list containing group A. This means that the set of users who can
modify SC1 are 'members of group A'.
l Now, let us suppose that a user who is a member of both group A and group B connects
BPP2 to the SC and that BPP2 has a Connect policy of Require Group Member and an
access list containing only group B. That user’s membership in group A gives them
permission to connect to SC1 and his/her membership in group B gives them permission to
connect to BPP2.
l As a result, the set of users who can modify SC1 is now described as 'members of group A
(from BPP1) and members of group B (from BPP2)'. Now, users must be in both groups in
order to connect to the SC. The connection of BPP2 has increased the restrictions on SC1.

Depending on whether access to modify or (dis)connect a service chain is allowed or not, the padlock
icon on the service chain graphic representation in the Inline diagram appears as:

l solid closed if modify or (dis)connect access is denied through either the locally set Require
Admin or the Require Group Member access option
l clear closed if modify or (dis)connect access is denied through an Inherited access option
(which involves restricted access set on the connected BPPs)
l solid open if modify or (dis)connect access is allowed through a locally set Allow All access
option

– 330 – 913-2398-01 Rev A

Chapter 20 Defining Access Control Policies

l clear open if modify or (dis)connect access is allowed through an Inherited access option (which
involves allowed access set on the connected BPPs)

Enabling and disabling Tool Sharing and VLAN Translation requires Modify access to all SCs connected
to all connected BPPs.

Changing the VLAN IDs of connected BPPs requires Modify access to all SCs connected to the updating
BPPs

Note: BPP VLAN IDs can be configured in the SC's Properties dialog by calling new Web API
operations instead of directly updating the internal VLAN BPP property.

Adding and removing a BPP to/from the SC (using the right-click menu>Properties>Add/Edit Service
Chain dialog) requires Connect access to the SC and the BPP.

Changing Fail Open and Fail Close actions requires Modify access to the SC.

Note: Changing the order of ITR within an SC or attaching/detaching an ITR to/from the SC
requires only Modify access privileges on the SC, ignoring the Modify access privileges set on
the ITR. Also, changing an SC's direction requires Connect access privileges on the SC.

Defining Access Control Settings for Inline Service Chains

To set the desired access control policies for inline service chains (SCs):

1. Right-click the desired SC and select Properties from the right-click menu.
The Edit Inline Service Chain dialog opens.
2. Select the Access Control tab.
3. Select the check box corresponding to the desired access type.
4. In the New Setting column, select one of the available options, then OK. See Access Control
Settings for Inline Tools for details on the options.

Important!
The following properties and actions require Modify access to the SC to be editable:

l General tab:
n Name
n Description
n Enable Tool Sharing
n VLAN ID column of the Bypass Port Pairs table
l Criteria tab:
n all properties
l Inline Tool Resource tab:
n Fail Open
n Fail Closed
n adding, removing, and reordering ITRs
l VLAN Translation tab:
n all properties

The following properties and actions require Connect access to the SC to be editable:

l Service Chain Traffic Direction

l adding and removing BPPs to/from the SC
913-2398-01 Rev A – 331 –
Chapter 21 Authentication, Authorization, and Accounting (AAA)

CHAPTER 21 Authentication, Authorization,

and Accounting (AAA)
This section describes the support for remote user authentication, authorization, and accounting (AAA)
using TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote
Authentication Dial-In User Service).

RFC 1492 (http://www.faqs.org/rfcs/rfc1492.html) describes TACACS+ in full.

RFC 2865 (http://www.faqs.org/rfcs/rfc2865.html) describes RADIUS in full.

RFC 2866 (http://www.faqs.org/rfcs/rfc2866.html#b) describes RADIUS accounting.

One use for RADIUS is as a bridge to a Microsoft Active Directory installation. Microsoft provides a
native RADIUS module, the Network Policy Server (NPS), as a part of Windows Server 2008.

Note: With the 4.7.3 release, the options that users set in the Web Console under Settings
> User Options are deleted when the authentication mode is changed. It is recommended that
you note your user option settings so you can re-enter them in case they are deleted.

– 332 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Comparing Authentication Modes

The Vision NPB system supports user authentication by using locally-managed user accounts or by
using the remote AAA services TACACS+ or RADIUS. When using a remote service, the service
determines which users are allowed to log in.

The system supports user authorization for two purposes:

l Determining whether a user of the system is a regular user or an administrator

l Controlling access to port and filter settings and connections

Both locally and remotely managed users may be authorized as system regular users or
administrators. Port and filter access control can be configured using locally-managed user groups or
using groups defined in the remote AAA services. When using a remote AAA service, you may choose
whether to use the groups defined by the service or to manage groups locally. When using local
authentication, groups are always managed locally.

913-2398-01 Rev A – 333 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Some of the primary differences between local and remote authentication are outlined in the following
table:

Local Users
and Local
Groups Remote Users and Local Groups Remote Users and Remote Groups

User accounts User accounts are created and managed on a centralized TACACS+ or RADIUS
are created server.
and managed
from the
system's Web
Console GUI.

Separate user User accounts exist on the TACACS+ or RADIUS server and can be shared between
accounts exist multiple systems.
on each
system.

The Users The Users View lists remote users The Users View lists only remote users
View lists all who are currently logged in, as well as who are currently logged in.
user accounts. remote users who are listed in the
local groups.

When picking When picking remote users to add to Remote users cannot be picked for remote
users for the local groups, only the users shown groups from the Web Console GUI.
groups, all in the Users View are listed. Other Remote group creation and membership
users are remote users (known to exist on the are handled automatically by the
listed. TACACS+ or RADIUS server) may be TACACS+ or RADIUS server
typed in. configuration.

Groups are created and managed by an administrative Group creation and membership are
user from the system's Web Console GUI. handled automatically by the TACACS+ or
RADIUS server configuration.

Groups can be deleted from the system's Web Console Groups may not be deleted from the Web
GUI. Console GUI. When the last member of a
remote group logs out, if the group is not
used in any port or dynamic filter access
list, the group is removed from the
Groups View.

The Groups View lists all groups. The Groups View lists only remote
groups with users who are currently
logged in, or groups listed in port access
lists.

– 334 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

By default, systems are configured in Local authentication mode with one initial user, admin. This
user is referred to as the default administrator and cannot be deleted. This local user account is
accessible even when using TACACS+ or RADIUS authentication, as a fail-safe in the event that the
remote server is unreachable due to either a communication or misconfiguration error.

Remote authentication must be enabled on both the system and on the remote server. Reference your
TACACS+ or RADIUS server documentation for information on configuring and enabling your server.

Please be aware of the following system behavior when the unit is in TACACS+ or RADIUS
authentication mode:

l When remote authentication is enabled on the system, it is not possible to add users using the
system's Add New User option. This option is for adding local users only.
l When the system is configured to use remote authentication with local groups, groups must be
created locally on each system. Local groups can be deleted and their membership can be
updated by a user with administrator rights.
l When the system is configured to use remote authentication with remote groups, group creation
and membership is handled via configuration of the remote server itself. It is not possible to add
groups using the system's Add New Group option. This option is for adding local groups only.
l When using remote groups, groups cannot be imported or exported.
l When using remote groups, and after the last member of a group logs out of a particular system,
the group is removed from the Groups View on that system if the group is not used in any port
or dynamic filter access list. In the Groups View, the system lists only remote groups that are
known to exist by the fact that a member of the group is logged in or by the fact that the group is
listed in a port or dynamic filter access list.

The effect of changing from one authentication mode to another is described in Effects of
Authentication Mode Changes on Users and Groups.

913-2398-01 Rev A – 335 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Configuring Remote Authentication

To configure and enable remote authentication,

1. Log in to the system using an account that has the system administrator capability.
2. Select System > Settings.
The System Settings view appears.
3. In the Remote Services section, to the right of the Authentication field, click the Local
hyperlink:

The Authentication Settings dialog appears.

4. Select either the TACACS+ or RADIUS option and configure the settings.

Subsequent sections describe in further detail how to configure both TACACS+ and RADIUS.

– 336 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Effects of Authentication Mode Changes on Users and

Groups
Although changes to the authentication mode would typically be a one-time activity, you should be
aware of the following effects of changing authentication modes.

From To Result

Local Remote All local users (except admin) are deleted. Users in local groups
Authentication Authentication will continue to be listed in the Users View under the assumption
with Local that the same users will exist in the remote authentication server.
Groups Local groups can be edited to remove unwanted users.

Local Remote All local users (except admin) and groups are deleted. Groups in
Authentication Authentication access lists will continue to be listed in the Groups View under
with Remote the assumption that the same groups will exist in the remote
Groups authentication server. Access lists can be edited to remove
unwanted groups.

Remote Local Initially, the only local user is the admin user. All groups are
Authentication Authentication retained but will be empty because there are no local users.
with Local Access lists are not affected. Users who were members in a group
Groups will be created with a random password in order to retain group
membership. An administrator can either delete those users after
the switch or assign them new passwords.

Remote Remote All local groups are deleted. Groups in access lists will continue to
Authentication Authentication be listed in the Groups View under the assumption that the same
with Local with Remote groups will exist in the remote authentication server. Access lists
Groups Groups can be edited to remove unwanted groups.

Remote Local Initially, the only local user is the admin user, and there are no
Authentication Authentication local groups. Access lists are cleared, but access policies such as
with Remote Require Group remain in place, albeit with empty group lists.
Groups

Remote Remote Initially, there are no local groups. Access lists are cleared, but
Authentication Authentication access policies such as Require Group remain in place, albeit
with Remote with Local with empty group lists.
Groups Groups

Note: The system does not allow switching directly from one remote authentication mode to the
other (TACACS+ to RADIUS or RADIUS to TACACS+). If you need to make a change like that you
must first change to Local authentication mode, apply the change, and then change to the
desired mode.

913-2398-01 Rev A – 337 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Configuring TACACS+
This section describes the settings available when TACACS+ is selected as the Authentication Mode.

Note: The options configured in the Common TACACS+ Settings section of this window apply to
ALL of the configured TACACS+ servers.

When Authorization is set to Default, all users defined in TACACS+ will be able to log in to the
system, and they will all be non-administrators. Administrator login privileges cannot be established
when Default authorization is used. Users can log in but cannot be granted administrator capabilities.

When Authorization is set to Custom, attributes in TACACS+ will be used to determine whether
users will be allowed to log in to the system and whether they will be designated as administrators or

– 338 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

non-administrators. You must tell the system which TACACS+ attributes to consider when determining
whether a user is allowed to log in and whether or not they will be an administrator.

The Groups setting indicates whether you want the system to manage user groups (choose Local ) or
whether you want TACACS+ to manage them (choose TACACS+ ). User groups are not required but
can be used to control access to specific ports and dynamic filters in the system.

913-2398-01 Rev A – 339 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Custom Authorization Settings

When Authorization is set to Custom, clicking the Configure button on the Authorization line
displays the Configure Tacacs+ User Authorization dialog:

In this dialog, you will specify the TACACS+ attributes that the system will use to identify
administrators and regular users. The first step is to specify the TACACS+ “service” under which these
attributes will be found. Here is an example of defining a service named “anue” in TACACS+:

user = Jane {
service = anue {
}
}
In this case you would enter the text “anue” as the service value in the All Users section of the
dialog. If you are using a different service name, enter that name here instead.

The next step is to specify which attribute or attributes (if any) indicate whether the user is a system
administrator. Here is an example of using a “role” attribute to identify system administrators:

user = Jane {
service = anue {
role = admin
}
}

– 340 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

In this case, in the Admin Users section of the dialog you would enter “role” to the left of the “=” and
“admin” to the right. The left box is for the attribute name and the right box is for the value.

If you use more than one attribute to identify system administrators you can specify additional
attributes using the “+” button to the right of the value. You can remove unwanted attributes using the
“-” button. Note that the changes do not modify the TACACS+ server in any way. They simply tell the
system what is present in the TACACS+ server.

If you have specified more than one attribute, you can tell the system whether all attribute values
must match or whether only one of them must match in order to authorize a user as a system
administrator.

Note: If there are no administrator user attributes specified, users will not be able to log in to
the system with administrator capabilities.

The final step is to specify which attribute or attributes (if any) indicate whether the user is a regular
system user. Here is another example of using a “role” attribute for this purpose:

user = Jane {

service = anue {
role = user
}
}
In this case, in the Regular Users section of the dialog, you would enter “role” to the left of the “=”
and “user” to the right.

If you use more than one attribute to identify system users, you can specify additional attributes in the
same manner as described earlier in this section for system administrators.

Note: If there are no regular user attributes defined, all TACACS+ users will be allowed to log in
to the system as regular users. Be aware that this is opposite behavior as when no admin user
attributes are defined.

913-2398-01 Rev A – 341 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

TACACS+ Access Control Group Settings

When Groups is set to TACACS+ , clicking the Configure button on the Groups line displays the
Configure Group Authorization dialog:

In this dialog you will specify the TACACS+ attributes that the system will use to place regular users
into groups. As with custom authorization, the first step is to specify in the Service Name section the
TACACS+ “service” under which these attributes will be found.

The next step is to specify which attribute indicates the names of the groups to which a user belongs.
Here is an example of using a “groups” attribute to specify a list of groups:

user = Jane {

service = anue {
role = user
groups = Engineering,Dallas
}
}
In this case, in the Group List section of the dialog, you would enter “groups” to the left of the “=”.
Note that a group list is only needed if the role is “user” (non-administrator). System administrators
can do anything and are not subject to group membership checks.

– 342 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

TACACS+ Servers
Your company may use a single TACACS+ server, or it may use multiple servers to guard against the
failure of a single server. In either case, you specify the TACACS+ server details in the TACACS+
Servers section of the Authentication Settings dialog:

Click the Add button to add a TACACS+ server. As TACACS+ servers are added, they are listed in the
dialog. There is no limit to the number of TACACS+ servers that can be added.

Servers are checked in the order listed when attempting to authenticate users. The first server that
responds to an authentication request will be used for future authentications. If the active TACACS+
server goes down and a user attempts to authenticate, the first server to respond to the authentication
request will become the active TACACS+ server.

To change the settings of a TACACS+ server, select it and click the Edit button.

913-2398-01 Rev A – 343 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

To change the order in which the servers are checked, select a server and click the Up or Down
button.

To validate the settings of a server, select it and click the Test Settings button. The system will
attempt to connect to the server using the defined IP address (or DNS name), TCP port, and specified
secret password and will report the result.

To remove one or more servers from the list, select them and click the Delete button.

– 344 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Adding a TACACS+ Server

When the Add button is clicked, the Add TACACS+ Server dialog appears:

The network address of the TACACS+ server can be specified as a DNS name or an IPv4 address in the
Server field. To use a DNS name, a DNS server must be configured on the System Settings tab. See
Settings View.

By default, TACACS+ servers communicate over TCP port 49. If your server is configured differently,
you may change the value in the Port field.

Communications between the system and the TACACS+ server are encrypted using a secret key
configured on the TACACS+ server. Enter the key in the Secret and Confirm Secret fields. The
corresponding entry in the TACACS+ configuration file is usually defined as “key =”. The value listed
after the equals sign must be the same as the value entered here.

The default amount of time the system will wait on a TACACS+ server to respond before reporting a
connection failure is 10 seconds. To shorten or lengthen this amount of time change the value in the
Timeout field.

When an attempted communication times out, the system can be configured to re-try the
communication. The default is to re-try two more times after the initial failure before giving up. To
reduce or increase the number of re-try attempts change the value in the Retry field.

The system supports two different protocols for sending user passwords to the TACACS+ server - CHAP
(challenge encoded password) or PAP (plain text password). Select the protocol you want the system
to use from the Authentication type drop-list.

Information related to user login attempts (both successful and failed) and authorization checks can be
tracked using the TACACS+ accounting feature. You can turn accounting on or off using the
Accounting drop-list. When accounting is on, you may configure the attributes to be tracked using the
Configure button (see Configuring TACACS+ Accounting).

Click the Clear All button to reset all settings for this server to their default values.

913-2398-01 Rev A – 345 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Click the Test Settings button to verify that the system can connect to the TACACS+ server using the
configured settings.

– 346 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Configuring TACACS+ Accounting

Accounting logs are stored on the TACACS+ server. Please refer to your TACACS+ server
documentation for information on how to retrieve accounting logs.

At the bottom of the Add TACACS+ Server dialog, if you open the Accounting drop-list and select
On, the Configure button appears.

Click the Configure button, and the Configure Accounting dialog appears.

913-2398-01 Rev A – 347 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

You can log four different events:

l Log Authentication success – this event occurs when a user (either regular or admin)
successfully logs in to the system.
l Log Authentication failure – this event occurs when a user fails to log in either because the
login ID was not authorized as a regular user or an administrator or because the password was
incorrect.
l Log Authorization of Admin Users – this event occurs when a user successfully logs in as a
system administrator.
l Log Accounting Regular Users – this event occurs when a user successfully logs in as a
regular (non-admin) user.

For each event, you may specify one or more informational values to be logged as name/value pairs.
For the authentication events, the login ID attribute is already populated with a value that will be
automatically filled in with the current user’s login ID. You will just supply the name you want to use for
that value – for example, by typing “user” in the field labeled User ID. You may add or remove
name/value pairs using the “+” and “-” buttons. You may type your own attribute names on the left or
select from a list of standard TACACS+ accounting attributes (cmd, event, priv_level, reason, and
service). In addition, you may specify custom accounting attributes by entering any text in the name
fields on the left. For every named attribute you enter, you must also specify the value to be logged.
For example, under Log Authentication Success, if you added the attribute “event”, then you might
enter the value as “login success.”

– 348 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

TACACS+ Configuration Examples

This section provides several examples of configuring TACACS+ settings, showing both what would be
defined on the TACACS+ server and what would be entered in the system's user interface:

l TACACS+ User Authorization Examples

l TACACS+ Access Control Group Examples

Note: TACACS+ attributes are case sensitive.

913-2398-01 Rev A – 349 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

TACACS+ User Authorization Examples

The following figure shows a section of a TACACS+ server configuration file with the settings for several
users. The examples that follow discuss this information and show how to enter it through the system's
Web Console GUI interface.

Lines 1, 5, 12, 18, and 21 (red text) define the user login name.

Lines 2, 6, 13, 19, 22, and 32 (green text) define the password and authentication type for each
user. The CHAP authentication type is used on lines 2, 13, 19, and 22. The “global” authentication type
is used on line 6 and indicates that the password defined for “staylor” will work for any authentication

– 350 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

method, including CHAP or PAP. In the system's TACACS+ Configuration dialog for this server, you
would select CHAP as the authentication type.

Lines 3, 7, 14, 23, 26, and 33 (black text) define the service for the user. This is the service name
you would enter in the system's Configure Authorization and Configure Groups dialogs.

See how these lines of code work in the following TACACS+ configuration examples:

l TACACS+ Configuration Example 1

l TACACS+ Configuration Example 2
l TACACS+ Configuration Example 3
l TACACS+ Configuration Example 4
l TACACS+ Configuration Example 5

913-2398-01 Rev A – 351 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

TACACS+ Configuration Example 1

With a service name of “anue” (lines 3, 7,
14, and 26), all users except
“mthompson” (who does not have the
”anue” service defined) can be logged in
as regular users.
In the dialog to the left, no attributes have
been specified to authorize administrator
users, so none of the users will be able to
log in as system administrators.
Also in the dialog to the left, no attributes
have been specified to authorize regular
users, so all users (except for
“mthompson”) will be able to log in as
regular users.
Quick Reference:
Lines 3,7,14, and 26:
service = anue { }

– 352 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

TACACS+ Configuration Example 2

Adding an Admin Users attribute of
role=ADMIN allows “mjones” and
“pjackson” (lines 15 and 27) to be logged
in as administrators. “staylor” and
“rjohnson” continue to log in as regular
users.
Note: The term name “role” and value
“ADMIN” are arbitrary. This could just as
easily be “level=administrator” or any
other name/value pair you want to
configure in your TACACS+ server.
Quick Reference:
Lines 15 and 27:
role = ADMIN

913-2398-01 Rev A – 353 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

TACACS+ Configuration Example 3

Specifying a Regular Users attribute of
role=REG to authorize regular users
makes “rjohnson” no longer able to log in.
This occurs because “rjohnson” does not
have the attributes required for either
administrator or regular users.
By contrast, “staylor” can continue to log
in as a regular user because of the
role=REG statement in the “staylor” user
settings in the TACACS+ configuration file.

Quick Reference:
8. role = REG

– 354 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

TACACS+ Configuration Example 4

Adding another Admin Users attribute of
priv_level=7 and leaving the administrator
users selection criteria set to Match any
does not affect the administrator users in
this example.
Both “mjones” and “pjackson” can still be
logged in as administrator users because
they each have at least one of the required
attributes.
Quick Reference:

913-2398-01 Rev A – 355 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

TACACS+ Configuration Example 5

Maintaining the same Admin Users
attributes as in the last example, but
changing the selection criteria to Match
All, results in only “pjackson” being able
to login as an administrator.
“mjones” does not possess all of the
attributes required to be authorized as an
administrator user but pjackson does
(lines 27, 28).
Quick Reference:

TACACS+ Access Control Group Examples

If your Groups setting in the system's Authentication Settings dialog is TACACS+ (and not
Local ), then you must tell the system how to recognize the access control groups defined in TACACS+.

Note: These access control groups are not the same as the groups defined using the group and
member keywords as described in the previous TACACS+ section. See Defining Access Control
Policies for additional access control information.

Because TACACS+ does not provide any way to query the values specified for the member keyword,
you must use a TACACS+ attribute to specify lists of access control groups that the system can read.

The following figure shows a section of a TACACS+ server configuration file with a user jane and an
attribute named Example2 whose value is a list of system access control groups named Engineering
and Dallas.

– 356 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

The system now needs to know the name of the attribute.

To name the attribute:

1. In the Authentication Settings dialog, in the TACACS+ Common Settings section, to the
right of the Groups field, open the drop-list and select TACACS+ .
The Configure button appears.

2. Click the Configure button.

The Configure Group Authorization dialog appears.

3. In the Group Service section, to the right of the service field, enter anue.
4. In the Group List section, to the left of the group list field, enter Example2.
5. Click OK to apply these settings.

913-2398-01 Rev A – 357 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Based on the settings described above, the user jane will be a member of the Engineering and
Dallas access control groups on the system when she logs in. See Defining Access Control Policies for
additional access control information.

When TACACS+ users are logged in, their administrator status and access control group membership
can be verified on the Users view of the system's Web Console GUI. A user with administrator
capabilities will have a check in the System Administrator column.

For details on the capabilities of users and system administrators, see Defining Access Control
Policies.

– 358 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Configuring RADIUS
This section describes the settings available when RADIUS is selected as the Authentication Mode, as
shown in the following figure.

Note: The options configured in the Common RADIUS Settings section of this window apply to
all of the configured RADIUS servers.

When Authorization is set to Default, all users defined in RADIUS will be able to log in to the
system, and they will all be non-administrators. Administrator login privileges cannot be established
when Default authorization is used. Users can log in, but they cannot be granted administrator
capabilities.

913-2398-01 Rev A – 359 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

When Authorization is set to Custom, policies in RADIUS will be used to determine whether users
will be allowed to log in to the system and whether they will be designated as administrators or non-
administrators. The policies are described further in Configuring the Microsoft Network Policy Server.

The Groups setting indicates whether you want the system to manage user groups (choose Local ) or
whether you want RADIUS to manage them (choose RADIUS). User groups are not required, but can
be used to control access to specific ports and dynamic filters in the system.

RADIUS Custom Authorization Settings

When Authorization is set to Custom, clicking the Configure button on the Authorization line
displays the Configure RADIUS User Authorization dialog:

In this dialog, you will specify the RADIUS attributes that the system will use to identify administrators
and regular users.

The first step is to specify which attribute or attributes (if any) indicate whether the user is a system
administrator. Here is an example of using an “Admin-Role” attribute to identify system
administrators:

user = Jane {
Anue-Role = ADMIN {
}
}
In this case, in the Admin Users section of the dialog you would enter ADMIN to the right of the “=”.
The left box is for the attribute name and the right box is for the value.

Note: You cannot change the attribute name text Anue-Role. It is not editable.

If you use more than one attribute to identify system administrators you can specify additional
attributes using the “+” button to the right of the value. You can remove unwanted attributes using the
“-” button. Note that the changes do not modify the RADIUS server in any way. They simply tell the
system what is present in the RADIUS server.

– 360 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Note: If there are no administrator user attributes specified, users will not be able to log in to
the system with administrator capabilities.

The final step is to specify which attribute or attributes (if any) indicate whether the user is a regular
system user. Here is another example of using an “Anue-Role” attribute for this purpose:

user = Jane {

Anue-Role = REG {
}
}
In this case, in the Regular Users section of the dialog, you would enter REG to the right of the “=”.

If you use more than one attribute to identify system users, you can specify additional attributes in the
same manner as described earlier in this section for system administrators.

Note: If there are no regular user attributes defined, all RADIUS users will be allowed to log in to
the system as regular users. Be aware that this is opposite behavior as when no admin user
attributes are defined.

913-2398-01 Rev A – 361 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

RADIUS Servers
Your company may use a single RADIUS server, or it may use multiple servers to guard against the
failure of a single server. In either case, you specify the RADIUS server details in the RADIUS
Servers section of the Authentication Settings dialog.

Click Add to add a RADIUS server. As RADIUS servers are added they are listed in the dialog. There is
no limit to the number of RADIUS servers that can be added.

Servers are checked in the order listed when attempting to authenticate users. The first server that
responds to an authentication request will be used for future authentications. If the active RADIUS
server goes down and a user attempts to authenticate, then the first server to respond to the
authentication request will become the active RADIUS server.

To change the settings of a RADIUS server, select it and click Edit.

To change the order in which the servers are checked, select a server and click Up or Down.

To validate the settings of a server, select it and click Test Settings. The system attempts to connect
to the server, using the defined IP address (or DNS name), TCP port, and specified secret password,
and it reports the result.

To remove one or more servers from the list, select them and click Delete.

– 362 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Adding a RADIUS Server

When clicking Add, the Add RADIUS Server dialog appears, as shown below.

The network address of the RADIUS server can be specified as a DNS name or an IPv4 address in the
Server field. To use a DNS name, a DNS server must be configured in the System > Settings view.
(See Settings View.)

By default, RADIUS servers communicate over TCP port 1812. If your server is configured differently,
you may change the value in the Authentication Port field.

Communications between the system and the RADIUS server are encrypted using a secret key
configured on the RADIUS server. Enter the key in the Secret and Confirm Secret fields.

The default amount of time the system will wait on a RADIUS server to respond before reporting a
connection failure is 10 seconds. To shorten or lengthen this amount of time, change the value in the
Timeout field.

The system supports two different protocols for sending user passwords to the RADIUS server - CHAP
(challenge encoded password) or PAP (plain text password). Select the protocol you want the system
to use from the Authentication type drop-down selector.

Information related to user login attempts (both successful and failed) and authorization checks can be
tracked using the RADIUS accounting feature. You can turn accounting on or off using the Accounting
drop-down selector.

By default, RADIUS servers communicate accounting information over TCP port 1813. If your server is
configured differently, you may change the value in the Accounting Port field.

Click Clear All to reset all settings for this server to their default values.

913-2398-01 Rev A – 363 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Click Test Settings to verify that the system can connect to the RADIUS server using the configured
settings.

Accounting logs are stored on the RADIUS server. Please reference your RADIUS server documentation
for information on how to retrieve accounting logs.

– 364 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

RADIUS Accounting
When a user successfully logs on to a system (or fails to log on), an Accounting-Request message is
sent by the system to the RADIUS server. This message will contain five attributes:

l Acct-Status-Type – the data will always be 1 (Start) to indicate that this is a login message.
l NAS-IP-Address – the data will be the IP address of the system.
l User-Name – the data will be the system login ID of the user.
l Anue-Login-Status – the data will be 1 if the login succeeds or 2 if the login fails.
l Anue-Role – the data will be 1 if the user logged in as an administrator or 2 if the user logged in
as a regular user. This value will also be 2 if the login fails.

913-2398-01 Rev A – 365 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Configuring the Microsoft Network Policy Server

In order for a system to communicate with Microsoft’s Network Policy Server (NPS), the NPS must be
configured as follows:

l Each system must be added to the NPS as a RADIUS client.

l NPS network policies must be set up to provide to the system the groups to which each user
belongs.

– 366 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Adding a System as a RADIUS Client of the NPS

In the NPS Server Manager GUI, select Server Manager > Roles > Network Policy and Access
Services > NPS (Local) > RADIUS Clients and Servers > RADIUS Clients. Right-click
RADIUS Clients and select New from the pop-up menu. The following screen appears:

In the Address (IP or DNS) field, enter the system’s IP address or DNS name. If you are using Windows
Server 2008 Enterprise Edition, you can specify a range of system IP addresses using CIDR notation.
For example, enter 192.168.81.0/24 to add all systems in the 192.168.81 subnet as RADIUS
clients. The example figure above shows a single system with IP of 192.168.81.89.

In the Shared Secret fields, enter the same value as was entered in the Secret fields when the
RADIUS server was added to the system. (See Adding a RADIUS Server.)

913-2398-01 Rev A – 367 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

On the Advanced tab leave all the settings as the default.

– 368 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Configuring the NPS Network Policies

The system uses Anue-specific RADIUS attributes to receive the group list and administrator settings
for a user. The NPS uses network policies to assign these attributes when a user logs in. This section
describes how to define the NPS network policies to provide the system with the necessary attributes.

The sequence below shows the Anue-specific attribute dictionary:

VENDOR AnueSystems 32620

BEGIN-VENDOR AnueSystems
ATTRIBUTE Anue-Role 1 integer
ATTRIBUTE Anue-Groups 2 string
ATTRIBUTE Anue-Service 3 string
ATTRIBUTE Anue-Login-Status 4 integer
VALUE Anue-Role ADMIN 1
VALUE Anue-Role REG 2
VALUE Anue-Login-Status SUCCESS 1
VALUE Anue-Login-Status FAILURE 2
END-VENDOR AnueSystems
For example, the Anue-Role attribute is attribute number 1 and can be assigned a value of 1 (for an
admin user) or 2 (for a regular user). The Anue-Groups attribute is attribute number 2 and can be
assigned a string. The string is a comma-separated list of group names. You can also see the Anue-
Service and Anue-Login-Status attributes used during accounting.

The network policies you create will be checking membership in your Active Directory groups and will
be setting Anue attributes when membership conditions are met. Network policies are an ordered set of
rules. The NPS checks them in order until a match is found. As a consequence, you will want to create
a network policy for every possible combination of Active Directory groups that users might belong to
and put them in order from a greater number of groups to fewest groups.

For example, if you have two Active Directory groups, Engineering and Security, and users could be in
one or both of the groups, you would want to create three network policies in this order:

l Engineering and Security Policy

l Engineering Policy
l Security Policy

The first policy would have as a condition membership in both the Engineering and Security Active
Directory groups and upon a match would set Anue attribute 2 (Anue-Groups) to Engineering,
Security.

The second policy would have as a condition membership in the Engineering group and upon a match
would set Anue attribute 2 to Engineering.

The third policy would have as a condition membership in the Security group and upon a match would
set Anue attribute 2 to Security.

To create a network policy, in the NPS Server Manager GUI, select Server Manager > Roles >
Network Policy and Access Services > NPS (Local) > Policies > Network Policies. Right-

913-2398-01 Rev A – 369 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

click Network Policies and select New from the pop-up menu. The New Network Policy dialog
appears.

In the Policy name field, enter a name that reflects the groups being checked, such as Engineering
Policy. Click Next to advance to the Specify Conditions page. Click Add and select the User Groups
condition. Click Add and the User Groups dialog appears. Click Add Groups and the Select Group
dialog appears. Enter the group name(s). Click OK in the Select Group and User Groups dialogs.
When finished, the Specify Conditions dialog should look something like the following image.

Click Next to advance to the Specify Access Permissions dialog. Select Access Granted. Click
Next to advance to the Configure Authentication Methods and Configure Constraints dialogs, select
both (CHAP) and (PAP, SPAP), and configure the settings as desired. Consult your NPS documentation
for more information on these settings.

Click Next to advance to the Configure Settings dialog and select Vendor Specific under RADIUS
Attributes. Click Add and the Add Vendor Specific Attribute dialog appears. Select Custom from
the Vendor list and then select the Vendor-Specific attribute.

– 370 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Click Add and the Attribute Information dialog appears. Click Add again and the Vendor-Specific
Attribute Information dialog appears.

913-2398-01 Rev A – 371 –

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Select Enter Vendor Code and enter 32620 for Anue. Select Yes. It conforms and then click
Configure Attribute. The Configure VSA (RFC Compliant) dialog appears.

In this example, we want to specify the system group(s) that correspond to this policy, so enter 2
(Anue-Groups) for the Vendor-assigned attribute number, select String for the Attribute format, and
enter Engineering (for example) as the Attribute value. In this case, Engineering corresponds to a
group name in the system port access lists.

If you want to create a policy that controls whether users are system administrators, modify your
Conditions to make theappropriate check of Active Directory groups or settings and then add a vendor-
specific attribute with attribute number 1 (Anue-Role), attribute format Decimal and attribute value 1
(Anue-Role ADMIN from the Anue dictionary).

– 372 – 913-2398-01 Rev A

Chapter 21 Authentication, Authorization, and Accounting (AAA)

Note that if you have a policy for authorizing users as system administrators, you will also need a
policy for authorizing them as regular users. For regular users, set the attribute value to 2 (Anue-Role
REG from the Anue dictionary).You will also need to make sure that Authorization is set to Role-
Based in the Common RADIUS Settings panel of the Set Authentication Mode dialog. When
Authorization is set to Default in the system, the Anue-Role attribute is ignored. If your NPS
authorization policies are not working as expected this is one place to check.

913-2398-01 Rev A – 373 –

CHAPTER 22 Monitors View
Event monitors allow you to send SNMP traps or syslog messages when certain conditions or events
occur—for example, when invalid packets are received, utilization thresholds are exceeded, or packets
are dropped.

l Monitor Name
l Description
l Trigger Statistics
l Trigger Condition
l Trigger Ports
l SNMP Trap Action
l Syslog Action
l Created By
l Created Time
l Modified By
l Modified Date

Modifying Monitor Details from the Monitors View

Monitors details can be edited using the right-click menu, which can be brought up either:

l By clicking the corresponding '...' button

l By right-clicking the respective detail

Searching for a Monitor or Monitor Detail in the

Monitors View
To search for a particular monitor or monitor detail in the Monitors view:

– 374 – 913-2398-01 Rev A

Chapter 22 Monitors View

l In the search field at the top of the view, enter the concerned monitor name or detail.
As you type the text, the valid matches are highlighted in the view.

913-2398-01 Rev A – 375 –

Chapter 22 Monitors View

Operational Concepts and Actions

The following operational concepts and actions should help you create and configure event monitors:

l Actions and Triggers

l Statistic Count, Utilization, and Thresholds Triggers
l Managing Event Monitors
n Ignoring Transient Events
n Preventing Trap and Syslog Floods
l Enabling Per-Port Link Up/Down Traps

Actions and Triggers

There are two parts to event monitors – actions and triggers. Actions are either sending an SNMP trap
and/or sending a syslog message when a trigger occurs. Triggers are the events that you create and
configure to monitor. They trigger the actions that you configure. Triggers and actions are the two main
sections on the Event Monitor dialog.

Statistic Count, Utilization, and Thresholds Triggers

Many statistics are cumulative counts, whereby the number you are tracking continues to rise unless
you reset it. System event monitors expand your tracking ability to include changes in the counts of
invalid or dropped packets on a port. These changes are thresholds that you configure. They trigger
traps and/or syslog messages as a statistical value crosses over these thresholds.

In the Trigger section of the Monitor dialog, the Statistic drop-down contains the following options:

l Dropped packet count (TP)

l Invalid packet count (NP)
l Receive utilization (NP)
l Transmit utilization (TP)

Your trigger choices for statistics are between a count and an utilization value. In parentheses, the NP
stands for Network Port, TP stands for Tool Port.

The counts are level-triggered events. The trigger is the amount of change in the count. The monitor
continues taking actions only if the count continues to change by the threshold amount. For example,
let us say you create a monitor with a count trigger and specify a threshold value of 10 for 1
consecutive period. Let us say the next seven consecutive samples of the count look like this:

0 11 20 28 40 53 59

Triggering would occur on the 11 (delta = 11), the 40 (delta = 12), and the 53 (delta = 13), but not on
the others – 20, 28, and 59.

In the Add Monitor dialog (see Create an Event Monitor), the settings for the previous dropped
packets scenario with 10 drops for 1 consecutive periods would look like in the following figure.

– 376 – 913-2398-01 Rev A

Chapter 22 Monitors View

The three configurable fields, or thresholds, in the previous figure are the following:

l The amount of count change per period – 10 in this example

l The number of statistics polling intervals per period – 1 in this example
l The number of periods happening in a row – 1 in this example

The statistics polling interval is a configurable setting on the System > Settings window and
represents the interval for how frequently the system server retrieves statistics from the hardware.

System event monitors expand your tracking ability to include the amount of traffic that crosses
configurable thresholds going upwards, exceeding a percentage that you set, or downwards, falling
below a percentage that you set. For either condition, exceeding or falling below a threshold value, the
process of crossing over includes the threshold value that you set. In other words, when the value is
greater than or equal to the threshold, it triggers an action, a trap or syslog message.

The utilization figures are edge-triggered events. You set the threshold trigger edges, and only when
the utilization crosses over those edges, the monitor performs the configured action(s). It does not
continue performing the configured action(s) when the utilization stays at the same level.

For example, for the utilization scenario where you want to send a trap or a syslog message when
utilization meets or exceeds 90% for five (5) statistics polling intervals in a row, and again when
utilization falls below 90% for five (5) statistics polling intervals in a row, the trigger configuration (or
edges) would look like in the following figure.

The three configurable fields, or thresholds, in the previous figure are the following:

l Percentage that the value must exceed to trigger an action, 90% in this example
l Percentage that the value must fall below to trigger an action, 90% in this example
l The number of statistics polling intervals in a row that the value must exceed or fall below before
it triggers an action, 5 statistics polling intervals in a row in this example.

913-2398-01 Rev A – 377 –

Chapter 22 Monitors View

Managing Event Monitors

System event monitors allow you the flexibility to send SNMP traps or syslog messages when invalid
packets are received, utilization thresholds are exceeded, or packets are dropped, all while avoiding a
flood of traps or syslog messages and ignoring transient events. You can configure the monitors so you
get just the right amount of notifications–not too many nor too often. And you can configure them to
ignore transient events so you do not see a large number of statistical spikes.

Ignoring Transient Events

To help you filter out transient events, event monitors allow you to specify a window of time for
monitoring events before triggering an event. There are two time window control mechanisms – the
window size and the window count, as shown in the following figure.

– 378 – 913-2398-01 Rev A

Chapter 22 Monitors View

For invalid and dropped packets, the window size is the number of statistics polling intervals you set
for the change in count to occur. In the previous figure, the window size is 1 statistics polling interval.
The window count is the number of periods in a row. In the previous figure, the window count is 7
statistics polling intervals in a row.

Tip: To smooth out spikes in statistical values, increase the window size for a trigger, that is,
the number of statistics polling intervals for the period.

For utilization, the window size is fixed at 1 statistics polling interval. The window count is the number
of statistics polling intervals in a row that you set to trigger an event.

913-2398-01 Rev A – 379 –

Chapter 22 Monitors View

To be absolutely certain that a condition is consistently present, increase the window count. For
utilization thresholds, the window count is the number of statistics polling intervals in a row, 5 in the
previous figure. For invalid and dropped packets, the window count is the number of periods in a row.

Preventing Trap and Syslog Floods

To prevent the system from sending a flood of traps or syslog messages, the event monitor allows you
to limit the number of seconds, minutes, or hours that must pass before sending the next trap or syslog
message. For example, you can determine the system to send traps or syslog messages no more than
once every 5 seconds, 2 minutes, or 1 hour. You can configure these limits in the Actions section of

– 380 – 913-2398-01 Rev A

Chapter 22 Monitors View

the Add Monitor dialog. In the previous figure, the SNMP traps are limited to one every 15 seconds,
and the syslog messages are limited to one every minute.

When traps are sent, they include the information suppressed by the limit that you set, that is, the
configured “Limit to one every” number of seconds, minutes, or hours. This information includes the
count of traps or syslog messages that were not sent since the last time they were sent.

913-2398-01 Rev A – 381 –

Chapter 22 Monitors View

Enabling Per-Port Link Up/Down Traps

You can enable SNMP traps for link up/down separately for each port. You can do this in the port
properties dialog, on the General tab, for both network and tool ports, as shown in the example in the
following figure.

The default setting is enabled. When upgrading older systems, the default setting is also enabled for
all ports.

– 382 – 913-2398-01 Rev A

Chapter 22 Monitors View

Note:
Even though SNMP traps are enabled per-port by default, for the traps to be sent, you must still
enable SNMP trap recipients.

To enable SNMP trap recipients:

1. Select the System > Settings view.

2. In the Remote Services section, to the right of the SNMP field, select the Disabled link.
The Set SNMP Configuration dialog appears.
3. Select the Traps tab.
4. Select the Enable SNMP trap generation check box.
5. In the Trap Recipients section, select the Add button.
The Add trap recipient dialog appears.
6. Select the SNMP Version for the system—V1, V2, or V3—for example, V2.
7. In the Trap recipient field, type an IP address—for example, 10.10.1.1.
8. Enter a Community string—for example, ixiacom.
9. In the Traps section, select the event you want to generate SNMP traps, including Port
link up/down, as shown in the following figure, and click OK.

913-2398-01 Rev A – 383 –

Chapter 22 Monitors View

Sample Monitor Configuration

The trigger conditions are level-triggered events that occur when a specified statistic count—for
example the number of packet drops or the system utilization—exceeds a threshold level. In this case,
the system generates an event—an SNMP trap and/or a syslog message—and continues sending
messages as long as the count of dropped/invalid packets stays at or above the specified level.

For example, for a scenario in which you would like to monitor packet drops whereby at least 20 packet
drops occur each second for five (5) consecutive seconds, an action configuration would use the
following values for the configurable fields:

l The number of seconds per period, 1 in this example

l The amount of change per period, 20 in this example
l The number of successive periods the event occurs, 5 in this example

– 384 – 913-2398-01 Rev A

Chapter 22 Monitors View

Create an Event Monitor

An event monitor specifies a trigger condition and an associated action—the sending of an SNMP trap
or a syslog message—that is taken automatically when the condition occurs, for as long as the
condition occurs.

Tip: Many statistics are cumulative counts, where the number you are tracking rises continually
unless you reset it. System event monitors expand your tracking ability to include changes in
the counts of invalid or dropped packets on a port. Once you configure these thresholds, they
trigger traps and/or syslog messages as statistical values cross these thresholds.

To create a new event monitor:

913-2398-01 Rev A – 385 –

Chapter 22 Monitors View

1. Click Add > Monitor.

2. Specify a name and choose a trigger condition from the Statistic drop-down:
l Dropped packet count (TP): Triggers when the dropped packets count across one or multiple
Tool ports exceeds a specified value.
l Invalid packet count (NP): Triggers when the invalid packets count across one or multiple
Network ports exceeds a specified value.
l Receive utilization (NP): Triggers when the receive utilization across one or multiple
Network ports exceeds a specified value.
l Transmit utilization (TP): Triggers when the receive utilization across one or multiple Tool
ports exceeds a specified value.
3. Since the trigger condition can be applied simultaneously to multiple ports, click Add to specify

– 386 – 913-2398-01 Rev A

Chapter 22 Monitors View

the port(s) to be monitored.

4. Specify a compound trigger criterion. For example, referring to the sample scenario described
previously, instead of monitoring transient conditions such as packet drops at random intervals,
you could be interested only in packet drops occurring continuously over a longer duration of
time.
5. Specify an action to be taken, sending a SNMP trap, sending a syslog message, or both. For each
action, you can also specify the transmit frequency in the adjacent field.
Note: After creating event monitors, if you change the mode of ports (for example, from
Network to Tool ports), and one or more of the ports are used in event monitors, then you must
confirm whether to delete the ports from the monitors before you can finish changing the port
mode. The confirmation dialog lists the affected ports.

913-2398-01 Rev A – 387 –

CHAPTER 23 Object Selection Window
The Selection window enables you to connect Diagram view objects—ports, Dynamic Filters, and port
groups—more quickly, by enabling you to see all target objects in a tabular view and select the
connection targets more easily. In the Selection window you can filter the displayed connection targets
using a number of criteria—such as element name, media type, and so on—thus narrowing down the
possibly large set of target elements to smaller number of elements.

Using the object selection window, you can establish connections between the following elements:

l Network port to Dynamic Filter(s)

l Network port to Tool port(s)
l Network port to Tool port group(s)
l Dynamic Filter to Tool port(s) or Tool port group(s)
l Dynamic Filter to Network port(s) or Tool port group(s)
l Tool port to Dynamic Filter(s)
l Tool port to Network port(s) or Network port group(s)
l Tool port group to Dynamic Filter(s)
l Tool port group to Network port(s) or Network port group(s)

For example, assuming you wish to connect a Network port to a Dynamic Filter, you can double-click
the port and then click Add Dynamic Filter from the Connections tab, which displays a dialog
window such as the following.

– 388 – 913-2398-01 Rev A

Chapter 23 Object Selection Window

In this window, the left pane displays a number of filter categories, while the right pane displays a list
view of all applicable target objects, Dynamic Filters for our example.

In order to filter the view, you need to select criteria in one or more categories. After the filter results
are displayed, select the desired target elements (Dynamic Filters in this example) and click OK to
complete the assignation.

913-2398-01 Rev A – 389 –

CHAPTER 24 SNMP
This chapter describes the SNMP (Simple Network Management Protocol) support provided by the
Vision Edge system.

– 390 – 913-2398-01 Rev A

Chapter 24 SNMP

SNMP
SNMP (Simple Network Management Protocol) allows monitoring of network device configuration,
state, and statistics. SNMP traps/informs provide real time notifications of particular events.

The Vision Edge supports SNMPv1, SNMPv2c and SNMPv3.

The different versions of SNMP implement the following functionality:

l SNMPv1 provides for basic gets, get-nexts, and sets, responses along with traps.
l SNMPv2c is SNMPv1 plus get-bulks and informs. SNMPv2c supports both traps and informs. Traps
do not require acknowledgement whereas informs do require acknowledgement.
SNMPv2 traps are generated to trap recipients configured for SNMP version V2 with Retries set to
0. Informs are generated to trap recipients configured for SNMP version V2 with Retries set to 1 or
greater.
l SNMPv3 is SNMPv2c plus security. The security features added by SNMPv3 include
authentication, privacy, and access control.
SNMPv3 Authentication verifies that the message is from a valid source. It also verifies that the
message was not altered in transit and that it was not artificially delayed or replayed. In addition
to authentication, SNMPv3 provides for privacy through encryption to prevent eavesdropping by
third parties. When privacy is invoked between a principal and a remote engine, all traffic
between them is encrypted using the encryption methods such as Data Encryption Standard
(DES).

In the Vision Edge system, Access Control for SNMPv3 determines whether a specific type of access
(read, write, notify) to a particular object (instance) is allowed. Currently, access is open to the entire
set of MIBs that the system supports.

SNMPv3 informs also provide for authentication, privacy and access control. The same way that SNMP
requests are authenticated by the agent informs are authenticated by the end user or Network
Management Station.

Ixia SNMP support is restricted to SNMP requests and trap generation. SNMP sets (writes) are not
supported at this time.

The Vision Edge can only respond to SNMP requests on UDP port 161. This setting is not configurable.

913-2398-01 Rev A – 391 –

Chapter 24 SNMP

Supporting MIBs
Portions of the following MIBs and their corresponding traps are supported. A spreadsheet detailing the
specific MIB objects and traps supported by the can be requested from Ixia Technical Support.

Note:
Ixia also provides a proprietary Anue MIB in order to model system configurations and statistics
which cannot be modeled in a straightforward manner with existing standard MIBs. These objects
include filter configuration (including custom offset filtering), advanced PacketStack features
(excluding timestamping and trailer stripping), history, connections, and statistics. The Anue
MIB also includes extended interface information and authentication objects/traps. Details about
the specific Anue MIB objects and traps supported can be requested from Ixia Technical Support.

Port filters and dynamic filters can be assigned an SNMP tag. The SNMP tag field is a free-form
text field that users may optionally configure for each filter. A user can configure one or more
keywords using comma, space, or colon as separators. A SNMP management application can
then use the keywords to facilitate customized search, sort, and aggregation of the Anue MIB
filter information.

Ixia has registered with IANA and been assigned Private Enterprise number 32620
[http://www.iana.org/assignments/enterprise-numbers]. All Ixia's Anue MIB objects are
organized under this uniquely assigned OID anueMIB (1.3.6.1.4.1.32620).

l IF-MIB http://www.ietf.org/rfc/rfc2863.txt
l Etherike Interfaces http://www.ietf.org/rfc/rfc2665.txt
l VACM MIB http://www.rfc-editor.org/rfc/rfc3415.txt
l FRAMEWORK MIB http://www.ietf.org/rfc/rfc3411.txt
l USM-MIB http://www.ietf.org/rfc/rfc3414.txt
l TARGET-MIB and NOTIFICATION-MIB http://www.ietf.org/rfc/rfc3413.txt
l COMMUNITY MIB http://www.ietf.org/rfc/rfc3584.txt
l RMON MIB http://www.ietf.org/rfc/rfc2819.txt
l Entity MIB http://www.ietf.org/rfc/rfc4133.txt
l Entity State MIB http://www.ietf.org/rfc/rfc4268.txt
l IP MIB http://www.ietf.org/rfc/rfc4293.txt
l SNMPv2 MIB http://www.ietf.org/rfc/rfc3418.txt

– 392 – 913-2398-01 Rev A

Chapter 24 SNMP

Configuring SNMP
Note that SNMP request processing can be enabled or disabled separately from SNMP trap generation.

Note: If a firewall is in place, UDP ports 161 and 162 need to be open for SNMP communication.
If the SNMP trap port is changed to a number other than 162, the new port number would then
need to be opened in a firewall configuration.

To configure SNMP:

1. Log in to the system using an account that has system administrator capabilities.
2. Select System > Settings.
3. Select the hyperlink next to SNMP.
The Set SNMP Configuration window appears.
4. Select the Requests tab.
5. In the Access Control (Community String or Local User) section, select the Add button.
The Add SNMP Access Control window appears.
6. Select the SNMP version (V1, V2 or V3).
a. For SNMP V1 and V2 enter a Community String.
Note: The community string or local user name must be unique for all trap recipients.
b. For SNMP V3, configure the settings as described in the SNMP V3 configuration example
below.
c. Select OK.
d. Select Add again if you wish to add additional community strings.
7. Select Enable SNMP requests to allow SNMP requests to be received.
8. Configure the Refresh SNMP data every __ seconds field value.
9. Select the Traps tab of the Set SNMP Configuration window.
10. Select Add.
11. Configure the Trap Recipient IP address and other settings.
12. Select the specific Traps to send.
13. Select the SNMP version (V1, V2 or V3).
a. For SNMP V1 and V2 enter a Community String.
Note: The community string or local user name must be unique for all trap recipients.
b. For SNMP V3, configure the settings as described in the SNMP V3 configuration example
below.
c. Select OK
d. Click Add again if you wish to add additional community strings.
14. Select Enable SNMP trap generation to allow SNMP traps to be sent.
15. Select OK.

913-2398-01 Rev A – 393 –

Chapter 24 SNMP

For SNMP Authentication Failure there are 2 options:.

l Enhanced Anue MIB: In the case of SNMP Authentication failure, send the Anue enhanced trap.
Enhancements beyond RFC 1213 include text in the trap message indicating the last failed SNMP
query system time, source IP address, IP type, message security model and user
name/community string.
l Standard MIB-II: Send the standard RFC 1213 MIB-II trap when SNMP authentication failures
occur.

Retries - This value indicates how many times the system will attempt to send an Inform PDU (a trap
acknowledgement).

Retry timeout - This value indicates the amount of time in seconds that the system will retry sending
a trap.

SNMP Configuration Example

In the following example, we will configure the system to accept SNMPv2 requests from the IxiaComm1
and IxiaComm2 communities. We will also configure the system to send SNMPv2 formatted inform
messages to IP address 192.168.40.119 (default UDP destination port 162) when a cold start or
authentication failure occurs.

1. Log in to the system using an account that has system administrator capabilities.
2. Click System> Settings.
3. Click the hyperlink to the right of SNMP.
4. Select the Traps tab.
5. Select Enable SNMP requests to allow SNMP requests to be received.
6. Click Add. Select SNMP version V2. Type the word "IxiaComm1" in the Community String field.
Click OK.
7. Repeat step 4 and type the word “IxiaComm2” in the Community String field.
8. Click the Enable SNMP requests checkbox.

Note that the system will not respond to SNMP requests when this setting is disabled. Configured
community string information is maintained when SNMP requests are disabled.

9. Click the Traps tab and then click the Enable SNMP Traps checkbox.

Note that the system will not generate SNMP traps when this setting is disabled. Configured trap
recipient information is maintained when SNMP trap generation is disabled.

10. Click the Add button.

Select SNMP Version V2. Enter “192.168.40.119”. Leave the Destination UDP Port set at “162”.

Click the Cold start and SNMP Authentication failure checkbox.

Set the Retries to 1. This value indicates that the system will attempt to send the inform up to two
times.

– 394 – 913-2398-01 Rev A

Chapter 24 SNMP

Set the Retry timeout to 5 seconds. This value indicates the amount of time in seconds that the
system will retry sending the trap.

Click OK.

11. The SNMP configuration has now been completed. The bottom portion of the window provides a
summary of the configuration of the selected SNMP trap. Click OK to save all of the changes.

Return to Government Security Configuration Guide, Configure SNMPv3.

913-2398-01 Rev A – 395 –

Chapter 24 SNMP

Configuring SNMP IPv6

Note: In release 5.0.0, support for IPv6 is in preview status.

To configure SNMP for IPv6:

1. Log in to the system using an account that has system administrator capabilities.
2. Select System > Settings.
3. Select the hyperlink next to SNMP in the Remote Services section.
The Set SNMP Configuration window appears.

– 396 – 913-2398-01 Rev A

Chapter 24 SNMP

4. Select the preferred IP protocol IPv6.

Follow the same procedure starting with step 5 as shown in Configuring SNMP on page 393.

Note: The IPv4 option is set as default.

Important! You can always switch from IPv6 to IPv4, but you can only switch from IPv4 to IPv6
if you have assigned the system an IPv6 address from the IPv6 Configuration in System >
Settings. An error is displayed if you haven't configured an IPv6 address when you select it as
your preferred protocol.

913-2398-01 Rev A – 397 –

Chapter 24 SNMP

Note: Trap recipients must all be configured with addresses of the same IP type as the preferred
IP type, whether or not traps are enabled. If the system is currently configured to prefer IPv4 and
two traps are configured, in order to prefer IPv6, the two traps must either be removed or the
address of the recipient changed to an IPv6 address at the same time as changing the preferred
protocol type.

When you configure a trap recipient with a domain name, the system must be able to resolve the
name to its associated address at the time when the trap is saved, at which time the system stores
only the IP address. After saving the trap calling up the dialog to display the trap again shows only the
IP address, the domain name is discarded.

If you attempt to disable IPv6 support for the system when the SNMP preferred IP is set to IPv6 in the
IPv6 Configuration dialog, a warning is displayed that the SNMP preferred IP is changed to IPv4
automatically:

You can now return to Government Security Configuration Guide or Configure SNMPv3.

– 398 – 913-2398-01 Rev A

Chapter 24 SNMP

Testing SNMP Traps

To validate the SNMP configuration on the agent and SNMP management system, you can send test
SNMP traps on-demand.

On the Traps tab of the Set SNMP Configuration dialog, there are two buttons, Set Test Alarm
and Clear Test Alarm, as shown in the following figure:

These two buttons are enabled when at least one trap recipient is added and selected in the Trap
Recipients section of the Traps tab. For information about how to add trap recipients, see SNMP
Configuration Example. You can select multiple trap recipients and send a test alarm to them all.

Note: The Set SNMP Configuration dialog remains open after you click the Set Test Alarm
button so that you can test different configurations without having to reopen the dialog.

913-2398-01 Rev A – 399 –

Chapter 24 SNMP

The Set Test Alarm button sends a test trap to all selected recipients unless a selected recipient is
new or changed. If you select more than one recipient and one or more are new or changed recipients,
then a confirmation dialog appears asking you whether to save the configuration before performing the
test.

If you click Yes in the confirmation dialog, all trap configuration changes are saved, including changes
to unselected recipients, and a test trap is sent to all selected trap recipients.

If you click NO in the confirmation dialog, changes are ignored, and test traps are only sent to all
unchanged recipients selected in the list.

If you click Cancel in the confirmation dialog, no test traps are sent.

Test traps cannot be sent unless Enable SNMP trap generation is checked.

A final informational dialog appears that states whether the test was successfully sent.

In the case where you have selected more than one trap recipient, where one or more are new or
changed recipients, and you select No in the confirmation dialog, then the final informational dialog
lists the number of recipients where the test traps have been sent out of the total number of recipients
selected.

If unsuccessful, an informational dialog appears that informs you that no test traps were sent.

In special circumstances, depending the network tools you use, you can use the Clear Test Alarm
button to ensure that test alarms are cleared out of the monitoring tool where they have been
gathering – for example, before the end of a time-out period. If you click the Clear Test Alarm
button, a clear test trap is sent to the configured recipient.

Note: The new test trap is defined in the Anue MIB at the same level as the SNMP
Authentication Failure notification.

– 400 – 913-2398-01 Rev A

Chapter 24 SNMP

Enabling Per-Port Link Up/Down Traps

You can enable the sending of SNMP traps for link up/down condition separately for each port. You can
do this in the port Properties dialog for both Network and Tool ports, as shown in the following image.

The default setting is enabled. When upgrading older systems, the default setting is also enabled for
all ports.

Even though per port SNMP traps are enabled by default, for the traps to be actually sent, you must
enable SNMP trap recipients in the Settings window and check Port link up/down check box in the
Add Trap Recipient window, as shown below.

913-2398-01 Rev A – 401 –

Chapter 24 SNMP

Note: The system returns an error when a server cannot be reached at the DNS name.

– 402 – 913-2398-01 Rev A

CHAPTER 25 About Local Syslog Viewer
The Vision Network Packet Broker (NPB) systems generate Syslog Events and can send them to
configured Syslog Servers. The Local Syslog Viewer (LSV) allows you to see the events that have been
generated and the data contained in them.

– 403 – 913-2398-01 Rev A

Chapter 25 About Local Syslog Viewer

Local Syslog Viewer Window

To view the Local Syslog Viewer:

1. From the Control Bar, select View > Show Syslog Viewer.
The Local Syslog Viewer window opens.

This window covers a big part of the display but it can be changed to any size.
2. On the Title Bar (a window header that provides window control tool buttons), select from the
following:
l - Closes the window.
l - Displays help documentation for the Local Syslog Viewer.
l - Minimizes the window.
l - Opens the minimized window.
3. On the Tool Bar you can find most of the functionality used for displaying Syslog Events. Select
the following options:
l View (menu button): Provides a menu with options that affect the look and presentation of
the Local Syslog Viewer (LSV).

913-2398-01 Rev A – 404 –

Chapter 25 About Local Syslog Viewer

Note: Anytime you change one of these options, they are saved in the user options so
that the next time you enable the LSV these values are the same as they were last
time when you accessed this Vision system.
Select from the following:
n Highlight Severity Level : The rows from the Event Grid are displayed with a
background color which indicates the Severity Level for each message. The severities
are displayed in colors ranging from dark red for Critical to light blue for Info:
o CRITICAL: Most sever event, something critical happened.
o ALERT: Very important event, must be attended to immediately.
o ERROR: There is a problem that needs investigation.
o WARNING: A potential issue has occurred.
o NOTICE: An event has occurred which mostly likely contains auditing information.
o INFO: General informational message.

n Wrap Message Text: The message text for some events can be fairly lengthy so the
default is to display as much of the message as it fits horizontally. However, if you wish
to see the full message for each of the messages in the grid, then select this check box.
n Auto Scroll on Add: This causes the grid to be auto scrolled up or down to the last
syslog event that was added. This is useful if you are watching new messages come in,
but you need to turn this off if you are examining specific messages.
n Show Message Area: This option turns on or off the text area below the Syslog Event
grid. To fill it in, select the row of the event for which you want to see the message
content and the text displayed is the selected message. This is useful for long
messages when Wrap Message Text is not selected.

– 405 – 913-2398-01 Rev A

Chapter 25 About Local Syslog Viewer

n Show Info Footer: This option turns on or off the event grid footer which displays
information about the number of messages, brief description of the current event filter,
event and sequence Ids, and event timestamps.
n Clear All Displayed Messages: This option opens a confirmation dialog. It explains
that clearing the syslog display items will remove all the items in the Syslog Viewer but
will not affect the items currently stored on the server. To view these again, close and
re-open the syslog viewer.
n Syslog Viewer Options: This option opens the Syslog Viewer Options dialog where
you can set the maximum number of messages to display in the syslog viewer. The
default is 10,000. Minimum is 100. Maximum is 15,000.
l Export (to CSV button): This button allows you to export the current view to a csv file. The
columns and the values that are currently displayed are listed in the file. To change which
values are being displayed, you can change the filter, which is discussed in the Filter button
section below. To change the columns, see Event Grid.
l Filter (button): This button opens the Syslog Viewer Filter window. The filter values are
saved in the user settings once applied so they will be used the next time the LSV is opened.

913-2398-01 Rev A – 406 –

Chapter 25 About Local Syslog Viewer

n Regular Syslog Mode options of Syslog View Filter window:

o Filter Enabled: Select this check box to enable and configure the filters on this
window.
o Message Severity: Select which severity levels to display:
o Info
o Notice
o Warning
o Alert
o Error
o Critical
o Date/Time Range: Start and End time of range to display.
o Sequence Id Range: Start and End id of range to display.
o Message Text:
o Drop-list with following options to chose:
o Contains
o Starts with
o Ends with
o Regex
o Text entry field
o Case Sensitive check box
l Refresh (rate menu): Controls how often the information is updated. When you enable the
LSV, it loads all the available Syslog Events up to the maximum number of events. After the
initial load, the server is polled at the refresh interval to get any new events since the last
update. Set one of the following refresh rate intervals:
n 10 seconds
n 15 seconds
n 20 seconds
n 30 seconds

– 407 – 913-2398-01 Rev A

Chapter 25 About Local Syslog Viewer

n 1 minute
n 2 minutes

l To the right of the Refresh rate setting is the server poll

time, last time the server was polled and the information was updated. This time is Web
Console time, not the server time.
l Search (text-entry field): Use this field to search values in the grid and the Message
Area. Enter text to search for and press the Enter key or the magnifying glass icon. The
LSV highlights all instances of the search text in the Message column or the entire message
area.

n The drop-list between Search and the text-entry field gives you the following options:

o Match Actions > Highlight Matches: Highlights any matching piece of text
displayed in the previous section.

913-2398-01 Rev A – 408 –

Chapter 25 About Local Syslog Viewer

o Match Type:
o Contains: Matches the search field text-entry text to text in any position in
the message area.
o Regex pattern: You can enter some sophisticated patterns to match specific
values in the message field with this Regular Expression matching.
o Starts With: The message field must have a value that starts with the search
text.
o Ends With: The message field must have a value that ends with the search
text.
o Case Sensitive: Flag determines whether the match is case sensitive or not.
4. In the Event Grid area, you can control how you want to sort the information and what
information types are displayed on the Event Grid.
l Event Grid - Sorting

You can control which column is being used to sort the information in the Syslog Viewer .
To sort the table view:
1. Mouse over a column header and open the drop-list that appears.
2. Select either Sort Ascending or Sort Descending.
3. To select what information type displays in each column , select the Columns menu item
and select the check boxes for the information types you want to display in the table.
These column visibility settings are saved in the user settings per user / per system.
l Event Grid - Ordering
To control the order of the columns, drag the column you wish to move into the position where
you want to see it and drop it.
Note: Unlike the column visibility, the column order is not maintained between usages of
the LSV

– 409 – 913-2398-01 Rev A

Chapter 25 About Local Syslog Viewer

l Event Footer:

n The footer displays aggregated information for the current information being displayed in the
Event Grid. This includes the number of messages being displayed versus the number in the
cache, a short description of the Filter, the range of Event Ids, range of Sequence Ids, and
the range of Event Times or Message Times depending on the current View Mode.
n To turn the footer off or on, open the View menu and select Show Info Footer to toggle
between showing or hiding it.

913-2398-01 Rev A – 410 –

CHAPTER 26 Syslog Support
Syslog is a client/server protocol for forwarding log messages in an IP network. Typically, a third-party
(external) syslog viewer must be run in order to receive the syslog messages sent by a system.

To enable syslog on the system, you must supply the IP address or DNS name of an external syslog
server in System > Settings > Remote Services >Syslog field link.

Reference your external syslog server documentation for information on configuring and enabling your
external syslog server.

After an external syslog server is configured on the system, syslog messages are created and sent to
each external syslog server configured whenever configuration or state changes occur on the system.

Unencrypted Syslog uses the UDP port 514 by default.

You can enable TLS encryption.

To set up Syslog to use TLS encrypted communication:

1. Provide a Trusted Root Certificate for the Server and a Client Certificate.
For instructions, see Uploading Custom TLS/HTTPS Certificates.
2. Navigate to the System Settings view.
3. In Remote Services section, click the link to the right of the Syslog field.
The Syslog Settings window appears.
4. In the Syslog Servers section, click the Add button.
The Add Syslog Server dialog appears.
5. For the Server address, choose either IPv4 Address (the default), IPv6 Address, or DNS
Name, and then enter it.
6. For the Facility field, open the drop-list and select a facility.
7. For TLS Encryption, open the drop-list and select Enabled.
8. By default, TLS encryption uses TCP port 514, but you can modify the Port field to use 6514
(Syslog over TLS port). See the example images below.

– 411 – 913-2398-01 Rev A

Chapter 26 Syslog Support

913-2398-01 Rev A – 412 –

Chapter 26 Syslog Support

Adding or Modifying External Syslog Servers

The system can send syslog messages to multiple external syslog servers that are specified from the
System > Settings page.

The system (the syslog client) does not provide default syslog certificates for the connection to a
syslog server. If you want to use the encryption and mutual authentication capability that is provided
by TLS, you need to upload both a client and a server trusted root certificate.

l Client certificate: Similar to the TLS/HTTPS configuration, after generating a client key pair, a
Certificate Signing Request (CSR) is generated on the system and is then sent to a Certificate
Authority (CA). Alternatively the certificate request can be signed by a local Windows CA. Once
the public certificate is received from the CA, it can then be uploaded to the V as the syslog client
certificate.
l Server certificate: In addition to uploading a client certificate to the system, you also need to
upload a server trusted root certificate for client to be able to verify the certificate received from
the syslog server. This certificate is the root certificate of the certificate chain configured on your
syslog server.
Note: A single server certificate is allowed for all syslog servers that the system connects to.
This means that all the syslog server certificates have to be signed by the same certificate
authority (CA), as this CA’s certificate is the one uploaded to the server. A certificate cannot be
deleted if any syslog servers have TLS encryption enabled.

Generate and Upload a Client Certificate to a System

To generate a custom certificate:

– 413 – 913-2398-01 Rev A

Chapter 26 Syslog Support

1. On the System>Settings tab, click the hyperlink to the right of the Syslogfield.
The Syslog Servers window is displayed.

2. Click Generate Key Pair.

A message is displayed informing you that the key pair—that consists of a private and a public
key—was generated.
3. Generate a Certificate Signing Request (CSR) by clicking Get CSR.
The Certificate Signing Request window is displayed. Suggestions for filling in the fields are
shown in the figure below.

913-2398-01 Rev A – 414 –

Chapter 26 Syslog Support

4. Fill in the appropriate values and click Update.

5. Click Generate CSR and save the request as a .csr file, using the standard Save window that is
displayed.
A success notification is displayed, informing you of the system location where the request was
saved.
6. Click Close to close the CSR window.

At this point, you have obtained a certificate request that can be sent to a Certificate Authority (CA) for
signing. When the certificate is received from the CA, it can be uploaded to the system.

Important! Before uploading the certificate to the system, the certificate must be combined
with the trusted root and the intermediate CA certificates (if any) to create a certificate chain.
This is done by putting the ASCII data from all of the certificates into a single file, in order,
starting with the certificate, through the intermediate certificates (if any) and ending with the
trusted root certificate.

To upload the resulting certificate to the system:

1. in the Syslog Servers window click Upload in the Client Certificate / Key area.
The Choose TLS Certificate File dialog appears.
2. Navigate to the directory containing the custom certificate and double-click the certificate file.
3. Click OK. An information dialog appears, informing you of the TLS certificate update.

Once a certificate has been uploaded, it can be viewed and deleted.

– 415 – 913-2398-01 Rev A

Chapter 26 Syslog Support

Important! After a File > Clear System operation is performed, the syslog certificates
stored on the system will be removed.

Important! Certificates are not affected by configuration import or export operations. If an

import file containing TLS enabled syslog servers is loaded onto a system that has no syslog
certificates, TLS for syslog communication will be disabled and a warning message will be
displayed.

Note: A single custom certificate can be installed at any time on a system. If you click
Generate Key Pair again, a new public/private key pair is generated and the existing key pair
will be overwritten. If there is already a certificate uploaded based on the existing key pair, it
will continue to be used until this certificate is deleted or until a new certificate is uploaded,
based on a new CSR and new key pair.

Upload a Server Trusted Root Certificate

To upload a server trusted root certificate:

1. Click Upload.
2. In the Choose TLS Certificate window that is displayed choose a certificate file in PKCS#7
.pem or .der format.
3. Click OK to complete the certificate selection.

Add Syslog Server

To add a new syslog server that the sends syslog messages to, click Add and specify the following
parameters:

l Server address: The server DNS name or IP address.

l Port: The server listening port.
l Facility: The facility is the application or operating system component that generates a log
message. The level is the severity or significance of the message that has been generated. The
action defines what happens with any newly-arrived message that matches the facility and level.
This combination of facility and level, referred to as the selector, allows system administrators to

913-2398-01 Rev A – 416 –

Chapter 26 Syslog Support

customize message handling, based on which parts of the system are generating data and how
critical the data is. Eight facilities, Local0-Local7 and User, are used for customized auditing.
Configure the system to match the facility level on your external syslog server. For example, if
your external syslog server uses Local5, then select Local5 from the Facility drop-down list.
l Enable TLS encryption: Encrypts the communication between the system and the specified
syslog server. In order for this to work, the client certificate and the server trusted root certificate
are required.

Return to Government Security Configuration Guide, Configure Syslog Servers.

– 417 – 913-2398-01 Rev A

Chapter 26 Syslog Support

Confirming Connections to External Syslog Servers

To test individual external syslog server connections:

1. In the Syslog Settings dialog, select an external syslog server DNS name or IP address from the
list.
2. Click the Test button to send a test message to the external syslog server.

The Test button reports a successful send, an error locating the host or IP address, or an error in
communication.

Note:
A syslog message is sent via UDP, and no acknowledgment of its receipt is returned. For that
reason, in order for an external syslog server configuration to be confirmed with 100% certainty,
receipt of the test message must be confirmed at the server end.

913-2398-01 Rev A – 418 –

CHAPTER 27 CLI Command Line Interface
Introduction
The Command Line Interface (CLI) is an interface which enables the user to quickly issue simple
commands so as to get information about a running NPB. It is a command line which allows the user to
issue commands from a prompt through an SSH session.

Enabling the CLI Feature

To be able to use the CLI, the CLI feature must be enabled. To enable it:

1. Log on to the NPB system you are using and go to System>Settings>General section.

2. Select the CLI settings link.
3. In the CLI Settings for S1 dialog, select Enabled and optionally enter the desired Listening port
value, then select OK.

Connecting to the CLI

After enabling the CLI feature, to access the CLI:

1. Open a SSH session to the desired NPB system using your preferred SSH tool.
2. On the CLI screen, enter the default credentials:
l username: admin
l password: admin

– 419 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

Your CLI screen should look like this

This section of the user guide covers the following topics:

l CLI Architecture
l CLI Navigation
l CLI Commands
l CLI Limitations

913-2398-01 Rev A – 420 –

Chapter 27 CLI Command Line Interface Introduction

CLI Architecture
CLI architecture consists of the following components:

l Communication with the stack

l Communication with the client
l CLI client context

– 421 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

Communication with the Stack

The CLI is interacting with the NPB by using the WebAPI service. Hence the CLI must be configured
with the port on which the WebAPI is listening.

For example,

The CLI uses an internal HTTP client to communicate with the WebAPI. As the WebAPI service
demands user authentication, the CLI must ask for user credentials which it then uses to get an
authentication token from the WebAPI. This token is used in all subsequent calls to the WebAPI.

To end communication with the stack, an exit command must be issued.

913-2398-01 Rev A – 422 –

Chapter 27 CLI Command Line Interface Introduction

Communication with the Client

For every client connection, a thread (session) is created. This thread is running as long as the
connection is alive.

The thread is maintaining a session context. The context keeps any specific client data.

The CLI and the client exchange text-based commands.

User communication with the CLI service is secured by using SSL. The CLI service runs as an SSH
server accepting connections on port 22222. The port value can be set in System>Settings>CLI
Settings.

Implicitly, the CLI service is deactivated and must be activated from the Web UI. See Enabling the
CLI Feature on page 419.

– 423 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

CLI Client Context

The CLI provides a "working directory" model. The NPB object model has a tree-like structure. You can
walk through the NPB objects model, listing objects corresponding to the current "working
directory"/level, possibly updating an object property.

A typical path in this tree would be:

/<NTO Top Object>s/<object default name>

The current path in the tree is kept in the context. Any command the client issues is executed by using
this context.

For example,

The user -show admin email command is executed taking into account the current node, 'users'; it
attempts to search for a child node within this node, namely the 'admin' node, so as to be able to list
the 'email' property.

CLI Navigation
After opening an SSH session to the CLI and entering the default credentials, the CLI screen prompt
appears.

913-2398-01 Rev A – 424 –

Chapter 27 CLI Command Line Interface Introduction

Typing either ? or help brings up a list of the available commands at the current level:

– 425 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

Typing TAB inside a line brings up suggestions for possible commands/usage relative to the cursor
position. Use this autocomplete functionality when you need suggestions about how to continue
moving through the CLI.

For example,

Typing F1 brings up context help.

For example,

913-2398-01 Rev A – 426 –

Chapter 27 CLI Command Line Interface Introduction

Typing help <command name> brings up more details about the respective command usage. Unlike the
context help, which provides a brief description and usage details, this brings up an extensive
overview of the respective command which includes a summary, usage details, a description, flags,
context and a few examples.

For example,

– 427 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

913-2398-01 Rev A – 428 –

Chapter 27 CLI Command Line Interface Introduction

The TAB and SHIFT+TAB key combination allows you to move up/down/forwards/backwards through
the list of suggestions on the CLI screen.

For example,

– 429 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

CLI Commands
The following is an index that lists, defines, and gives examples of the basic CLI commands and flags.
For all non-CLI specific commands, see the Web API documentation available at: https://<ip_address
of NPB>:<web_api_port of NPB>/docs

Type Name Definition and Examples

flag rm When this flag is present, the command behaves like rm and deletes
instances.

show When this flag is present, the command behaves like show and displays the
specified instance properties or the entire set of readable properties.

quiet This flag is used either to reduce the verbosity of the outputs or to prevent
the interaction with the user (the user is no longer asked whether he wants
to create/modify an object or not; the answer is assumed to be affirmative
by default.)

operation This flag is used to apply operations to a given target. When an operation is
specified, the property name/value pairs are those corresponding to the
specified operation.

913-2398-01 Rev A – 430 –

Chapter 27 CLI Command Line Interface Introduction

action It is an interface used to call Web API actions.

command This command takes -name as mandatory argument. Depending on each
action, it might be required to pass additional arguments.
Examples:
action –name get_login_info - Invokes the 'get login info' action.

– 431 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

clear Clears the console screen, including its scrollback buffer.

No argument is required.
Examples:
clear - Clears the terminal screen.

913-2398-01 Rev A – 432 –

Chapter 27 CLI Command Line Interface Introduction

cd Changes the current directory to TARGET_DIR.

If TARGET_DIR begins with a slash (/), cd is looking for TARGET_DIR
starting from the root directory. Otherwise, the search starts from the
current directory.
TARGET_DIR is a mandatory argument.
Examples:
cd filters – Changes the directory to /filters.
cd . - Changes the directory to current directory.
cd .. - Changes the directory to the parent directory relative to the current.
If the current directory is root, the command has no effect.
cd - Returns an error as cd requires a valid directory as argument.

– 433 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

config It is used to update properties of existing elements within a logical node in

the NPB infrastructure. It requires a TARGET element on which the update is
applied and at least one pair of valid PROPERTY_NAME and VALUE. A pair of
valid PROPERTY_NAME and VALUE means that PROPERTY_NAME is a
writable property of the TARGET element.
If TARGET begins with a slash (/), config is trying to identify the element
starting from the root directory. Otherwise, the search starts from the
current directory.
Also, the TARGET argument must contain at least a backslash (/).
Otherwise, the command will assume TARGET is a property, rather than a
path to an object.
Examples:
config filters/F1 name otherName – Updates the property name of the
existing filter F1 to otherName.
config description change all – Changes the description property of
all the existing filters (F1 and F2).
config - Returns an error as the command requires at least one pair of
PROPERTY_NAME and VALUE is required. But also, config without a TARGET
cannot
be run from root.

913-2398-01 Rev A – 434 –

Chapter 27 CLI Command Line Interface Introduction

exit Exits the console screen. Closes the current session.

Closes the input and output streams that interact with the user, as well as
the terminal itself.
Examples:
exit - Closes the terminal screen.

– 435 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

export Exports the entire NPB configuration into a binary destination file.
The export result will be a binary file with the .ata extension. It is located in
the configuration folder within the CLI hierarchy.
The export command is the equivalent of Export config from the Web UI.
The CLI export works only as a full export, in contrast to the Web UI version,
which allows the user to export only some NPBs.
The command accepts the -file argument to specify the name of the
exported configuration. This argument is optional.
Examples:
export – Exports the full configuration to a file whose name is given by the
NPB.
export -file test.ata – Exports the full configuration to the test.ata file.

913-2398-01 Rev A – 436 –

Chapter 27 CLI Command Line Interface Introduction

filter Creates, displays, deletes, or updates filters within the NPB infrastructure.
It is an interface over the config, mk, show, and rm commands, particularly
for handling the filters in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with filter.
The second argument is the filter identifier and if the user wants to configure
an existing filter, it has to be mentioned. Based on this value, the filter
command decides whether the passed value identifies an existing instance.
IDENTIFIER is a required argument.
FLAG, PROPERTY_NAME and VALUE are optional arguments.
In the case of filters, the IDENTIFIER should not contain a slash (/) as the
command is able to identify the context based on its syntax.
Consequently, an absolute path will be interpreted as a single unit.
The following arguments come in pairs of filter attribute - value to pass.
When creating a new instance, PROPERTY_NAME and VALUE are not
necessarily mandatory as filter command allocates the first available
default name and uses the passed identifier as name, if that value is not
already used.
When editing an existing filter, the PROPERTY_NAME and VALUE keys are
used to identify the attributes to be modified.
To create new filters, the user should specify only the name for the
IDENTIFIER, as default names are reserved values.
To update existing filters, the user can specify either the name or the default
name for the IDENTIFIER.
Examples:
filter F_NEW name F_NEW_2 - Asks the user whether a new filter having
the name F_NEW should be created. If the user answers positively, a new
filter is created and then its name is changed to F_NEW_2.
filter F1 name otherName - Updates the property name of the existing
filter F1 to otherName.
filter - Returns an error as this command requires at least an identifier.

– 437 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

filtert Creates, displays, deletes, or updates filter templates within the NPB
infrastructure.
It is an interface over the config , mk, show, and rm commands, particularly
for handling the filter templates in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with filtert. Each of them is detailed in the next section.
The second argument is the filter template identifier and if the user wants to
configure an existing filter template, it has to be mentioned.
Based on this value, the filtert command decides whether the passed
value identifies an existing instance.
In the case of filter templates, the IDENTIFIER should not contain a slash (/)
as the command is able to identify the context based on its syntax.
Consequently, an absolute path will be interpreted as a single unit.
When creating a new instance, PROPERTY_NAME and VALUE keys are used
to provide the collection and criteria - mandatory arguments.
When editing an existing filter template, the PROPERTY_NAME and VALUE
keys are used to identify the attribute to be modified.
IDENTIFIER, PROPERTY_NAME and VALUE are required arguments.
FLAG is an optional argument.
Examples:
filtert FT_NEW collection FTC criteria (vlan( priority 0 vlan_
id 1 )) - Prompts a message to ask whether to create or not a new filter
template. In case of an affirmative answer, it creates a new filter template
having the name FT_NEW which belongs to the FTC filter template
collection.
filtert FT1 description changed - Changes the description of existing
filter template FT1 to changed.
filtert - Returns an error as filtert requires at least an identifier, a
collection, and criteria to be created.

913-2398-01 Rev A – 438 –

Chapter 27 CLI Command Line Interface Introduction

filtertc Creates, displays, deletes, or updates filter template collections within the
NPB infrastructure.
It is an interface over the config, mk, show, and rm commands, particularly
for handling the filter template collections in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with filtertc. Each of them is detailed in the next section.
The second argument is the filter template collection identifier and if the
user wants to configure an existing filter, it has to be mentioned. Based on
this value, 'filter' command decides whether the passed value identifies an
existing instance.
In case of filter template collections, the IDENTIFIER should not contain a
slash (/) as the command is able to identify the context based on its syntax.
Consequently, an absolute path will be interpreted as a single unit.
To create new instances or update existing filter template collections, the
user should specify only the name for the IDENTIFIER.
IDENTIFIER is a required argument.
FLAG, PROPERTY_NAME and VALUE are optional arguments.
Examples:
filtertc FTC_NEW - Prompts a message to ask whether to create or not a
new filtertc. In case of an affirmative answer, it creates a new filtertc having
the name FTC_NEW.
filtertc FTC1 description changed - Changes the description of
existing filtertc FTC1 to changed.
filtertc - Returns an error message as filtertc requires at least an
identifier.

– 439 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

group Creates, displays, deletes, or updates groups within the NPB infrastructure.
It is an interface over the config, mk, show, and rm commands, particularly
for handling the groups in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with filter. Each of them is detailed in the next section.
The second argument is the group identifier and if the user wants to
configure an existing group, it has to be mentioned. Based on this value,
groupcommand decides whether the passed value identifies an existing
instance.
When creating a new instance, PROPERTY_NAME and VALUE are not
necessarily mandatory as the group command uses the passed identifier as
name, if that value is not already used. When editing an existing group, the
PROPERTY_NAME and VALUE keys are used to identify the attribute to be
modified.
To create new instances or update existing groups, the user should specify
only the name for the IDENTIFIER.
IDENTIFIER is a required argument.
FLAG, PROPERTY_NAME and PROPERTY_VALUE are optional arguments.
Examples:
group G_NEW - Prompts a message to ask whether to create or not a new
group. In case of an affirmative answer, it creates a new group having the
name G_NEW.
group G1 description changed - Changes the description of existing
group G1 to changed.
group - Returns an error message as group requires at least an identifier.

913-2398-01 Rev A – 440 –

Chapter 27 CLI Command Line Interface Introduction

heartb Creates, displays, deletes, or updates inline heartbeats within the NPB
infrastructure.
It is an interface over the config, mk, show, and rm commands, particularly
for handling the inline heartbeats in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with filter. Each of them is detailed in the next section.
The second argument is the heartbeat identifier and if the user wants to
configure an existing heartbeat, it has to be mentioned. Based on this
value, the heartb command decides whether the passed value identifies an
existing instance.
When creating a new instance, PROPERTY_NAME and VALUE are not
necessarily mandatory as heartb command uses the passed identifier as
name, if that value is not already used. When editing an existing heartbeat,
the PROPERTY_NAME and VALUE keys are used to identify the attribute to
be modified.
To create heartbeats, the user should specify only the name for the
IDENTIFIER, as default names are reserved values.
To update existing heartbeats, the user might specify either the name or the
default name for the IDENTIFIER.
IDENTIFIER is a required argument.
FLAG, PROPERTY_NAME and PROPERTY_VALUE are optional arguments.
Examples:
heartb HB_NEW - Prompts a message to ask whether to create or not a new
heartb. In case of an affirmative answer, it creates a new inline heartbeat
having the name HB_NEW.
heartb HB1 description changed description - Changes the
description of existing inline heartbeat HB1 to changed description.
heartb - Returns an error message as heartb requires at least an identifier.

– 441 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

help It is a utility function used to present a detailed documentation of each

command available under CLI. This documentation includes details about
the specified command, contexts from where it may be called and several
usage examples.
The command takes as argument the name of the command (optional
argument).
If no command name is passed, a general help message about the
commands available in the CLI is displayed.
Examples:
help config - Displays the documentation page for the config command.
help - Displays the list of possible commands that might be invoked.

913-2398-01 Rev A – 442 –

Chapter 27 CLI Command Line Interface Introduction

ibypassc Creates, displays, deletes, or updates new inline bypass connectors within
the NPB infrastructure.
It is an interface over the config,mk, show, and rm commands, particularly
for handling the inline bypass connectors in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with ibypassc. Each of them is detailed in the next section.
The second argument is the bypass identifier and if the user wants to
configure an existing bypass, it has to be mentioned. Based on this value,
ibypassc command decides whether the passed value identifies an existing
instance.
When editing an existing bypass connector, the PROPERTY_NAME and
VALUE keys are used to identify the attribute to be modified.
When creating a new instance, PROPERTY_NAME and VALUE keys are used
to provide the lfd_enabled - mandatory argument.
When editing an existing bypass connector, the PROPERTY_NAME and
VALUE keys are used to identify the attribute to be modified.
To create new bypass connectors, the user should specify only the name for
the IDENTIFIER, as default names are reserved values.
To update existing bypass connectors, the user can specify either the name
or the default name for the IDENTIFIER.
IDENTIFIER, PROPERTY_NAME and VALUE are required arguments.
FLAG is an optional argument.
Examples:
ibypassc IBC1 description changed description - Changes the
description of existing inline bypass connector IBC1 to changed description.
ibypassc IBC_NEW - Prompts a message to ask whether to create or not a
new ibypassc. In case of an affirmative answer, it creates a new inline
bypass
connector having the name IBC_NEW.
ibypassc - Returns an error message as ibypassc requires at least an
identifier.

– 443 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

import Imports a specified NPB configuration.

The configuration is recreated using a binary file having the .ata extension.
This is the only acceptable format for import.
The configuration to be imported must be specified using -file argument.
This argument is mandatory.
The import command is the equivalent of Import config from Web UI.
FILE_NAME must identify an available file under the CLI configuration folder.
Examples:
Import -file test.ata – Imports the full configuration available in the
test.ata file.

913-2398-01 Rev A – 444 –

Chapter 27 CLI Command Line Interface Introduction

iservicec Creates, displays, deletes, or updates inline service chains within the NPB
infrastructure.
It is an interface over the config, mk, show, and rm commands, particularly
for handling the inline service chains in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with iservicec. Each of them is detailed in the next section.
The second argument is the service chain identifier and if the user wants to
configure an existing service chain, it has to be mentioned.
Based on this value, iservicec command decides whether the passed
value identifies an existing instance.
When creating a new instance, PROPERTY_NAME and VALUE are not
necessarily mandatory as iservicec command uses the passed identifier
as name, if that value is not already used. When editing an existing service
chain, the PROPERTY_NAME and VALUE keys are used to identify the
attribute to be modified.
To create new service chains, the user should specify only the name for the
IDENTIFIER, as default names are reserved values.
To update existing service chains, the user might specify either the name or
the default name for the IDENTIFIER.
IDENTIFIER is a required argument.
FLAG, PROPERTY_NAME and VALUE are optional arguments.
Examples:
iservicec ISC1 description changed description - Changes the
description of existing inline service chain ISC1 to changed description.
iservicec ISC_NEW - Prompts a message to ask whether to create or not a
new iservicec. In case of an affirmative answer, it creates a new inline
service chain having the name ISC_NEW.
isercvicec - Returns an error message as iservicec requires at least an
identifier.

– 445 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

itoolc Updates or displays inline tool connectors within the NPB infrastructure.
It is an interface over the config and show commands, particularly for
handling the inline tool connectors in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with itoolc. Each of them is detailed in the next section.
The second argument is the tool connector identifier and if the user wants to
configure an existing tool connector, it has to be mentioned.
Based on this value, itoolc command decides whether the passed value
identifies an existing instance.
Tool connectors cannot be created or deleted, per se. They are created only
in scope of tool resources, using itoolr command for property tool_
connector_list.
When the tool_connector_list of a tool resource is set to empty, tool
connectors that belonged to that list are deleted.
When editing an existing bypass connector the PROPERTY_NAME and VALUE
keys are used to identify the attribute to be modified.
To update existing tool connectors, the user can specify either the name or
the default name for the IDENTIFIER.
IDENTIFIER is a required argument.
FLAG, PROPERTY_NAME and VALUE are optional arguments.
Examples:
itoolc ITC1 default_name changed - Returns error as itoolc works only
for modifiable attributes.
itoolc ITC1 description changed - Changes the description of existing
inline tool connector ITR1 to changed.
itoolc - Returns an error message as itoolc requires at least an identifier.

913-2398-01 Rev A – 446 –

Chapter 27 CLI Command Line Interface Introduction

itoolr Creates, displays, deletes, or updates inline tool resources within the NPB
infrastructure.
It is an interface over the config, mk, show, and rm commands, particularly
for handling the inline tool resources in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with itoolr. Each of them is detailed in the next section.
The second argument is the tool resource identifier and if the user wants to
configure an existing tool resource, it has to be mentioned.
Based on this value, the itoolr command decides whether the passed
value identifies an existing instance.
When creating a new instance, PROPERTY_NAME and VALUE are not
necessarily mandatory as the itoolr command uses the passed identifier
as name, if that value is not already used. When editing an existing tool
resource, the PROPERTY_NAME and VALUE keys are used to identify the
attribute to be modified.
To create new tool resources, the user should specify only the name for the
IDENTIFIER, as default names are reserved values.
To update existing tool resources, the user can specify either the name or
the default name for the IDENTIFIER.
IDENTIFIER is a required argument.
FLAG, PROPERTY_NAME and PROPERTY_VALUE are optional arguments.
Examples:
itoolr ITR_NEW - Prompts a message to ask whether to create or not a new
itoolr. In case of an affirmative answer, it creates a new inline tool resource
having the name ITR_NEW.
itoolr ITR1 description changed description - Changes the
description of existing inline tool resource ITR1 to changed description.
itoolr - Returns an error message as itoolr requires at least an identifier.

– 447 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

load Loads an NPB configuration based on an input text file.

config The configuration is recreated using a text file having the .txt extension.
This is the only acceptable format for load_config. The configuration to be
imported must be specified using the -file argument. This argument is
mandatory.
The load_config command is similar to Import config from Web UI.
FILE_NAME must identify an available text file under the CLI configuration
folder. This file consists of a sequence of commands resulted from a
previous call of the save_config command that could have eventually been
modified.
Examples:
load_config -file test.txt - Loads the full configuration available in
the test.txt

913-2398-01 Rev A – 448 –

Chapter 27 CLI Command Line Interface Introduction

ls Lists directory content. Lists information about the files and directories
located either in the current directory or in the specified PATH in an
alphabetical order. As a convention, in CLI, all the directories are preceded
by a plus (+) and all the files are preceded by a minus (-).
The command takes as input a valid path (optional argument).
Examples:
ls ports – Lists all the ports associated with the current configuration.
ls filters – Lists all the filters configured for the current system. If none
is defined, then ls will return an empty message.
ls – Lists all the directories located under root.

– 449 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

mk Creates new elements within a logical node within the NPB infrastructure.
It can be invoked with or without additional arguments. Normally, mk
creates new elements based on the name and default_name attributes. The
latter is read-only and is automatically assigned by the NPB, while the
former might be specified by the user. Otherwise, it has the same value as
default_name.
When used without arguments, the command tries to create a new child
element relative to the current location. If the current location is root, or any
other directory where creation of new resources is not allowed, then the
operation aborts.
When RESOURCE_TYPE is specified, the command tries to create a child
node relative to the RESOURCE_TYPE directory, considering if other
arguments are present.
If the PROPERTY_NAME name is passed as argument and the value is not
already assigned to a different existing element, then a new one is created.
Otherwise, a message stating that the resource already exists will be
displayed.
RESOURCE_TYPE and the pair of PROPERTY_NAME and VALUE are optional
arguments. If any pair of PROPERTY_NAME VALUE is mentioned,
RESOURCE_TYPE
becomes mandatory, but only when mk is called from directories where
creation of new resources is allowed.
Examples:
mk - Returns an error message as mk without arguments cannot be run from
root.
mk filters name NEW_AVAILABLE_FILTER - Creates a new filter assigning
the first available value for default_name and setting NEW_AVAILABLE_
FILTER for the name.

913-2398-01 Rev A – 450 –

Chapter 27 CLI Command Line Interface Introduction

monitor Creates, displays, deletes, or updates monitors within the NPB

infrastructure.
It is an interface over the config,mk, show, and rm commands, particularly
for handling the monitors in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with 'monitor'. Each of them is detailed in the next section.
The second argument is the monitor identifier and if the user wants to
configure an existing monitor, it has to be mentioned. Based on this value,
the monitor command decides whether the passed value identifies an
existing instance.
When creating a new instance, PROPERTY_NAME and VALUE keys are used
to provide the actions, the name and the trigger - mandatory arguments.
When editing an existing monitor, the PROPERTY_NAME and VALUE keys are
used to identify the attribute to be modified.
To create new monitors, the user should specify only the name for the
identifier, as monitors do not have default names.
To update existing monitors, the user can specify the name for the identifier,
as monitors do not have default names.
IDENTIFIER, PROPERTY_NAME and VALUE are required arguments.
FLAG is an optional argument.
Examples:
monitor M1 actions [ ( type TRAP enabled true min_interval
(unit SEC value 2 ) ) trigger (stat TP_CURRENT_TX_UTILIZATION
ports [P01] type PERCENT_STAT] - Creates a new monitor.
monitor M1- Returns an error message as monitor also requires an array of
actions, a name, and a trigger.
monitor - Returns an error message as monitor requires an array of actions,
a name, and a trigger to be created.

– 451 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

port Displays and updates existing ports within the NPB infrastructure.
It is an interface over the config and show command, particularly for
handling the ports in the infrastructure.
The first argument is the port identifier and if the user wants to configure an
existing port, it has to be mentioned.
In the case of ports, the IDENTIFIER should not contain a slash (/) as the
command is able to identify the context based on its syntax.
Consequently, an absolute path will be interpreted as a single unit.
The following arguments come in pairs of port attribute - value to pass.
When editing an existing port, the PROPERTY_NAME and VALUE keys are
used to identify the attribute to be modified.
In the case of ports, the user can use the name or the default name as port
IDENTIFIERs.
IDENTIFIER, PROPERTY_NAME and PROPERTY_VALUE are required
arguments.
FLAG is an optional argument.
Examples:
port NEW_PORT - Returns an error message as port could not find an
instance by NEW_PORT identifier and the user cannot create new ports.
port P01 description changed - Changes the description of P01 to
changed.
port - Returns an error message as port requires at least an identifier. Also,
a pair of PROPERTY_NAME and VALUE is mandatory as well.

913-2398-01 Rev A – 452 –

Chapter 27 CLI Command Line Interface Introduction

portg Creates, displays, deletes, or updates port groups within the NPB
infrastructure.
It is an interface over the config, mk, show, and rm commands, particularly
for handling the port groups in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with portg. Each of them is detailed in the next section.
The second argument is the port group identifier and if the user wants to
configure an existing port group, it has to be mentioned. Based on this
value, portg command decides whether the passed value identifies an
existing instance.
When creating a new instance, PROPERTY_NAME and VALUE keys are used
to provide the mode and type - mandatory arguments.
When editing an existing port group, the PROPERTY_NAME and VALUE keys
are used to identify the attribute to be modified.
To create new port groups, the user should specify only the name for the
identifier, as default names are reserved values.
To update existing port groups, the user can specify either the name or the
default name for the identifier.
IDENTIFIER, PROPERTY_NAME and VALUE are required arguments.
FLAG is an optional argument.
Examples:
portg - Returns an error message as the IDENTIFIER element is required.
No filter can be created or edited without specifying the
identifier.
portg NEW_PG mode NETWORK type INTERCONNECT - Creates a new port
group assigning the port mode to NETWORK and the type to
INTERCONNECT.
portg PG1 type NETFLOW - Changes the port group type of an existing port
group to NETFLOW.

– 453 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

refresh Regenerates the CLI model when external physical changes happen.
It is a utility command designed to regenerate the CLI model whenever an
external change occurs. For example, if a line card containing a particular
resource is removed from the physical stack, the CLI is not automatically
notified about the change.
Consequently, a refresh of the model is required for the integrity of the
system.
Examples:
refresh - Regenerates the CLI model.

913-2398-01 Rev A – 454 –

Chapter 27 CLI Command Line Interface Introduction

rm Removes existing logical nodes in the NPB infrastructure.

It is used to delete existing elements. It requires a valid target argument
used to identify the element to be removed. Among node attributes, usually
identifiers are id, name, default_name or equivalents of them, such as
login_id.
TARGET is usually a mandatory argument.
The only exception from this rule is when rm is called from /configurations.
Examples:
rm F1 - Removes the existing filter using the default_name.
rm FILTER_NAME - Removes the existing filter using the name.
rm (run from root directory) - Returns an error message as rm without
arguments cannot be run for root.

– 455 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

save Saves the entire NPB configuration to a destination text file.

config The result of save_config is a text file that is located under the
configuration folder within the CLI hierarchy. This text file consists of a
sequence of CLI commands which, if executed on a different target
equipment, will produce an exact replica of the source configuration. The
user can modify the text file, but he is responsible if the changes he makes
are in contrast with the existing configuration.
The CLI save_config works only as full export, in contrast to the Web UI
Export config, which allows the user to export only some NPB entities.
Examples:
save_config - Saves the full configuration to a file whose name is given by
NPB.
save_config -file test.txt - Saves the fill configuration to the test.txt
file.

913-2398-01 Rev A – 456 –

Chapter 27 CLI Command Line Interface Introduction

show Displays the valid readable properties of a particular logical node in the NPB
infrastructure.
From a general point of view, show is similar to ls. But while the ls
command lists file and directory hierarchies, exposing how the NPB is
structured at a physical level, the showcommand presents the logical level
of what makes up the NPB.
PATH and PROPERTY_NAME are optional arguments. If none are specified,
show tries to display the properties of the current node or if current node
identifies a type (/filters) it displays the properties of all its children.
Examples:
show ports/P01 ports/P02 (run from root directory) – Displays the valid
readable properties of P01 and P02.
show filters (run from root directory) – Displays the valid readable
properties all the filters defined in the FILTERS node.
show(run from filters directory) – Displays the valid readable properties all
the filters defined in the hierarchy.

– 457 – 913-2398-01 Rev A

Chapter 27 CLI Command Line Interface Introduction

stats Displays statistics associated to NPB entities.

The command takes as input several NPB entities identifiers, specified as
paths, optionally followed by a list of statistics to be displayed.
If no identifier is specified, then the current path is the target directory.
IDENTIFIER and PROPERTY_NAME are optional arguments.
Examples:
stats /ports/P1-01 – Displays all the statistics of port P1-01.
stats /filters – Displays all the statistics of all the filters.
stats /port_groups/PG1 /port_groups/PG2 np_average_pass_
percent_packets – Displays np_average_pass_percent_packets for port
groups PG1 and PG2.

user Creates, displays, deletes, or updates users within the NPB infrastructure.
It is an interface over the config, mk, show, and rm commands, particularly
for handling the users in the infrastructure.
The first argument is optional and represents one of the FLAGs that may be
used along with user. Each of them is detailed in the next section.
The second argument is the user identifier and if the user wants to configure
an existing user, it has to be mentioned. Based on this value, the
usercommand decides whether the passed value identifies an existing
instance.
When creating a new user, the PROPERTY_NAME and VALUE keys are used
to provide the account password - a mandatory argument.
When editing an existing user, the PROPERTY_NAME and VALUE keys are
used to identify the attribute to be modified.
To create new instances or update existing users, the user should specify
only the login_id for the IDENTIFIER.
IDENTIFIER, PROPERTY_NAME and VALUE are required arguments.
FLAG is an optional argument.
Examples:
user NEW_USER password NEW_PASSWORD - Creates a new user, assigning
the login_id to NEW_USER and password to NEW_PASSWORD.
user admin email NEW_EMAIL - Changes the email of the admin user to
NEW USER.
user - Returns an error message as user requires at least an identifier. Also,
a pair of PROPERTY_NAME and VALUE is mandatory.

913-2398-01 Rev A – 458 –

Chapter 27 CLI Command Line Interface Introduction

CLI Limitations
The following are the current limitations to the CLI:

l Partial support for IFC. Only connections and members are available. IFC operations are not
implemented, nor are IFC statistics.
l Create and delete NPB entities commands are not available.
l Resource (PacketStack, Appstack, Capture) support is not available.
l Import works locally only.
l Export works only as full export.
Important! User should use both save_config and export feature at the same time to
have both an .ata export and a CLl export as backup.
l Actions that require files are not available.
l Not all command arguments or enumeration values have a context help message associated
(NTO entity properties may appear with blank context help messages).
l The context help works only for:
n commands
n identifiers
n command arguments
n values of type enumeration
l Custom icons cannot be created from the CLI. If a custom icon is created from the Web UI, the
respective icon can be further used in the CLI through its identifiers.
l Using load_config with users exported will re-write their password to the same value as the login
ID.
l Using load_config with SNMPv3 users exported will re-write their authentication and privacy
passwords to the same value as the login ID.
l Using load_config with password policies enabled revokes local passwords, the administrator
must reset it from the Web UI.
l If a command that configures several properties at the same time is processed and one of the
properties is rejected, none of the other properties will be applied.
l Commands always re-write themselves. If a command has multiple parameters, skipped
parameters will be set to default.

The following features are available at Beta quality:

l Port Mode Simplex(for E40 only)

l Users
l Groups
l Filter Templates
l Filter Template Collections
l Monitors

– 459 – 913-2398-01 Rev A

APPENDIX A Packet Processing Features
This section describes the Vision Edge features that modify (process) the incoming and outgoing
(ingress and egress) traffic packets in some way.

The packet processing features are configured on the Packet Processing tab in the Edit Network Port
(or Edit Tool Port) dialog.

As of this writing, the following packet processing features are supported on the Vision Edge system:

l Port Tagging: This features is available on Network ports.

l VLAN Stripping: This feature is available on both Network and Tool ports.

–1– 913-2398-01 Rev A

Appendix A Packet Processing Features

Port Tagging
Port tagging can help you use tools more effectively and monitor traffic across multiple, interconnected
systems. In a situation where multiple Network ports are aggregated to a single Tool port at egress,
you can use port tagging to identify on which Network port each packet arrived. Also, VLAN-aware
monitoring tools can process and report on traffic based on the port tag.

Similarly, in a scenario where you have multiple systems interconnected, you can identify the Network
port and the system where a packet arrived on the system where you have monitoring tools connected.
This allows you to direct traffic from specific Network ports to specific Tool ports across multiple
systems – for example, from Network port 5 on system 1 to Tool port 3 on system 4. You can ensure
that tools are monitoring specific access points.

You can change the default VLAN ID on any Network port and assign a new value in the 1-4094 range
(0 and 4095 are reserved). This custom value allows you to create VLAN IDs for port tags that are more
unique.

Custom port-tagged VLAN IDs can also help you minimize potential conflicts if you also use the de-
duplication packet processing feature. When using both port tagging and de-duplication, if packets
arrive from two Network ports where the only difference is a VLAN header, where one packet has a
VLAN header while the other does not, and the port tagging feature adds a VLAN header that is the
same VLAN ID as the other packet, the packets could become duplicates. In this case, if they both
egress from a Tool port where de-duplication is enabled, one of them could be stripped.

The figure below shows the VLAN header format and a series of packet diagrams for two scenarios
where a port tag is inserted into packets, one when there is no previous VLAN tag, and the second one
when there is a previous VLAN tag.

913-2398-01 Rev A –2–

Appendix A Packet Processing Features

In either scenario, the VLAN tag is added as an outside header to the L2 layer after the EtherType, and
it is four (4) bytes long. In the first scenario, there is no VLAN header present in the incoming packet.
Port tagging adds one to it. In the second scenario, there already is a VLAN tag in the incoming packet,
labeled VLAN 1 in the diagram, and port tagging adds a second VLAN as an outer header, labeled VLAN
2 in the diagram.

The 4-byte VLAN header format consists of the components, bit lengths, and values shown in the
following table.

Component Bit Length Value

TPID (Tag Protocol Identifier) 16 0x8100
TCI – PCP (Priority Code Point) 3 0
TCI – CFI/DE (Canonical Format 1 0
Indicator / Drop Eligible)
TCI – VID (VLAN Identifier) 12 Value added by the port tag (default or
custom value)

Two (2) bytes are used for the Tag Protocol Identifier (TPID). The 2-byte Tag Control

Information (TCI) in the VLAN header is divided into the 3-bit Priority Code Point (PCP), the 1-bit
Canonical Format Indicator / Drop Eligible (CFI/DE), and the 12-bit VLAN Identifier (VID).

–3– 913-2398-01 Rev A

Appendix A Packet Processing Features

You can use the port tagging feature in combination with the VLAN stripping feature to add

a VLAN on ingress and strip it on egress before the packet goes to a monitoring tool. This technique
helps you in cases where you tag a packet at ingress, route it to two different Tool ports, but only want
the tag to be present for one of the Tools.

See VLAN Stripping for the configured versus actual number of VLANs that are stripped for various
conditions.

Port tagging will appear to occur after the Dynamic filter connected to the ingress (Network) port. The
Network port filter and Dynamic filter connected to it will be able to filter on all L2-L4 criteria even if
port tagging adds a third VLAN.

To use the port tagging feature in a port group, either enable the feature on ports before moving them
into a port group, or enable the feature on each port while creating the port group, by adding the ports
from within the new port group, using the Add button on the Ports tab of the new port group.

To configure port tagging:

1. In the Diagram view, right-click a Network port and select Properties.

The Edit Network Port - Pxxx dialog appears.
2. In the Packet Processing tab, select the Port Tagging check box to enable the standard port
tagging feature.
3. If you want to replace the default value with a new value for the port tag, select the number in the
Add VLAN entry field and type in a value from the 1-4094 range (0 and 4095 are reserved).
4. Click OK to accept your modifications and close the dialog.
Note: If you use the same VLAN ID on two different Network ports, the system will detect
this condition and issue a warning.

To disable the warning noted above:

1. Select Edit > Options.

The Options dialog appears.
2. In the Confirmations section, to the right of the Warn when a duplicate VLAN ID is
detected while configuring standard port tagging field, open the drop-down list and select
Never Ask.
3. Click OK to accept this modification and close the dialog.

913-2398-01 Rev A –4–

Appendix A Packet Processing Features

VLAN Stripping
The standard VLAN stripping feature allows you to strip VLAN tags from packets before they get to your
monitoring tools. This allows monitoring tools that do not handle VLAN tags well to operate more
efficiently. You can strip VLAN tags on the Network port side, as packets first arrive at the system, or
on the Tool port side, before egress, or both. VLAN stripping can be enabled on a port-by-port basis.

When packets with VLAN headers are successfully stripped, the resulting packet length and CRC will be
updated to correspond to the modified packet.

System ports can strip both outer and inner VLAN tags. The maximum number of VLANs that you can
strip is two (2) VLAN tags per packet.

Note: Even if you enable stripping two (2) VLANs on Network ports and two (2) on Tool ports,
only the first two (2) VLAN tags are stripped by this feature, not four (4) VLANs.

When VLAN stripping is enabled on a Network port, the VLAN tags are stripped after the Network port
filter. This means that the Network port filters will be able to match on the VLAN tags, but downstream
Dynamic Filters and Tool port filters will not.

Similarly, when VLAN stripping is enabled on a Tool port, the VLAN tags are stripped after the Tool port
filter.

Note: Even though VLAN tags that are stripped at ingress are not visible to downstream
Dynamic and Tool port filters, the bytes represented by those tags are still included in the filter
byte counts.

If you do not want particular Dynamic Filters or Tool ports to receive VLAN tags, you must enable VLAN
stripping on all Network ports feeding those Dynamic Filters and Tool ports.

When VLAN stripping is enabled on a Bidirectional port group, it performs stripping on both the
Network and Tool sides of the port group.

–5– 913-2398-01 Rev A

Appendix A Packet Processing Features

The VLAN Tag Protocol Identifier (TPID)

The Tag Protocol Identifier is a 16-bit field at the beginning of a VLAN tag that is used to distinguish
the VLAN tag from an Ethertype. To operate correctly, the VLAN stripping feature requires that the TPID
be a recognized value. The following table lists the supported TPID values in order for VLAN stripping
to work at network and tool ports:

Port Type VLAN Tag Type Supported TPIDs

Network Outer 0x8100
0x9100
0x88A8
Network Inner 0x8100
Tool Outer 0x8100
Tool Inner 0x8100

Note that for double-tagged packets, the system will strip only the inner tag if the TPID of that tag is
0x8100.

Note: One bit in the VLAN header represents the Canonical Format Indicator (CFI).

913-2398-01 Rev A –6–

APPENDIX B Customizing the Diagram View
You can customize the Diagram view by displaying only a subset of all ports, port groups, and filters,
by filtering the displayed objects either by their state (selected, flagged, enabled, and so on) or by
different keywords. You can also set the display size of object icons displayed in this view.

–7– 913-2398-01 Rev A

Appendix B Customizing the Diagram View

Displaying or Hiding Objects

The various types of objects that you create on the system can be shown or hidden according to your
preferences by using the View menu on the control bar.

In addition, you can use this menu to customize the content of each available view (Diagram,
Navigator, Objects, and Statistics views).

Note: Not all options are available for all views, some of them applying specifically to one or
more of them.

The options are:

l Show All – Shows everything on the current view. If disabled ports are hidden, they remain
hidden.
l Column Vis(ible) – This option, which is available for the Statistics view only, allows you to
select the statistics detail level and the displayed elements:
n Columns... – Opens the Grid Properties dialog, where you can select which columns are
displayed in the respective statistics view table.
n Categories – One or more of these statistics types can be selected as columns to appear in
the statistics view tables:
o Utilization
o Passed
o Inspected
o Drops
o Advanced
n Value Types – One or more of these statistics types can be selected as columns to appear
in the statistics view tables:

913-2398-01 Rev A –8–

Appendix B Customizing the Diagram View

o Counts
o Current
o Average
o Peak
n Units – One or more of these types of statistics can be selected as columns to appear in the
statistics view tables:
o Percentage
o Bits
o Bytes
o Packets
o Time Since
o Users
For further details on each of these statistics types, see Statistics Menu Views.
l Show Selected – Shows only those objects that are currently selected (which appear in the
Selected menu), plus any objects to which they are connected.
Note: This option does not apply to the Navigator, Objects, and Statistics views, where
this functionality is fulfilled by the Selected menu.
l Show Flagged – Shows only those objects that are currently flagged (which appear in the
Flagged menu), plus any objects to which they are connected.
Note: This option does not apply to the Navigator, Objects, and Statistics views, where
this functionality is fulfilled by the Flagged menu.
l Show Enabled – Shows only the currently enabled objects on the Diagram view, plus any
objects to which they are connected.
l Show Disabled – Shows only the currently disabled objects on the Diagram view, plus any
objects to which they are connected.
l Show Accessible – Shows only those objects which the current user is allowed to modify or
connect to, plus any objects to which those objects are connected.
It allows you to view the objects that you can access based on the Access Control settings of the
objects. Note that connected objects are also displayed. For example, if a user has access to a
tool port, the objects connected to that port will also display in the view, even though you might
not have the ability to modify or change the connections to those objects.
l Set View Filter - Allows you to customize the current view, by filtering out specific objects, as
per user needs.
For example, you can customize your Diagram view to show only the disabled ports and the
objects connected to them.

This option allows you to isolate and display a specific set of objects in the Diagram view. It can
be used to simplify a complex diagram and make it easier to read.
l Refresh – Allows you to refresh the contents of the current view.
As a shortcut for this option, you can press the F8 function key.

–9– 913-2398-01 Rev A

Appendix B Customizing the Diagram View

l Set Node Size – Allows you to set the desired size of the Diagram view elements. Can be one
of:
n Small – Decreases the size of elements on the Diagram view to fit the smallest, yet easily
visible version of them. As a result, more items can appear on the Diagram view at a time.
n Medium – Sets the size of the elements on the Diagram view to an optimal one.
n Large – Increases the size of elements on the Diagram view to fit their largest most
accommodating version. As a result, fewer items can appear on the Diagram view at a time.
Tip: As a shortcut for this option, you can press the F9 function key. For example, if
the view elements are shown as small icons, pressing F9 changes them to medium-
sized icons. Pressing F9 again changes the size to Large, and so on.

913-2398-01 Rev A – 10 –
Appendix B Customizing the Diagram View

Setting View Filters

View Filters enable you to determine which object types are shown in the application views (Diagram,
Navigator, Objects, and Statistics). Filters further allow you to filter the objects of the selected type
(s) by various criteria—such as state, associated keywords, or configured access rights—and display
only the matching objects.

To create and set a filter:

1. On the control bar, click Add>View Filter .

The Add New View Filter dialog opens.
2. In the Filter Name field, type a name for the new view filter you are defining.
3. Select the check boxes corresponding to the objects for which you want to set the new view filter.
4. In the View Filter Criteria area, select the desired criteria for the new view filter.
You can choose from one of the following:
l Item States - Defines the state of the selected object. Can be one of:
n Enabled
n Disabled
n Has Link
n No Link
l Keyword - Allows you to set a keyword as a filtering criterion.
l Item Text - Allows you to set a text pattern (to be found within the names of particular

– 11 – 913-2398-01 Rev A
Appendix B Customizing the Diagram View

items) as a filtering criterion. Regular expression (regex) patterns can also be used, if the
Regex pattern check box is selected.
An operator box is available before each of the criteria types. By default, the box is
disabled. Click it once to select the 'or' operator and click it again to select the '&' one. A
third click resets the operator box to its initial, disabled state.
l Item Access: Allows you to use access rights settings (modification, resource
connection) as filter criteria for ports and filters.
5. Click OK. Given that the Set as current filter on OK option is selected by default, the filter is
applied automatically.
If you clear the check box corresponding to the Set as current filter on OK option, the filter is
saved and can be applied from the View>Set View Filter menu.

913-2398-01 Rev A – 12 –
APPENDIX C Software Upgrade/Downgrade
and Cold Spare Upgrade Procedures
This appendix describes the procedures to upgrade/downgrade the system software and to upgrade
cold spare systems.

While installing a new software version on a system, you can now monitor the status of the file being
loaded. The following details are shown:

l the status of the file upload

l the progress of the software upgrade being processed (all other operations are blocked during
this time)
l the progress of the log files processing and download

While the server restarts, an Offline page is displayed.

Once the server becomes available, the user is redirected to the Login page.

Note: If another user tries to access the system while a blocking operation (such as software
install, configuration import or export, log file saving) is performed, an Offline page is displayed.
When the server comes back up, the Login page is displayed.

– 13 – 913-2398-01 Rev A
Appendix C Software Upgrade/Downgrade and Cold Spare Upgrade Procedures

Upgrade Procedures
This section describes the procedures to upgrade the system software and license.

To obtain a license key for additional ports and/or features, please contact Ixia Technical Support. For
information about how to contact Ixia Technical Support, see Technical Support.

Tip: You may be able to use the same license file for more than one system. The license file
covers all of the systems listed in the license, including all cold spare systems. The license is an
ASCII file that can be opened with a text editor. The text displayed towards the top of the license
file lists the systems to which the license pertains, including the cold spare systems. Cold spare
licenses are part of this license file.

In the License dialog under the System View, click Enter License Key to upgrade the license key.
Browse for the license key, then click OK to install the key.

Note: If you receive a license key prompt after powering up the unit the first time, the license
key is located on the USB flash drive that was shipped in the same box as the system.

913-2398-01 Rev A – 14 –
Appendix C Software Upgrade/Downgrade and Cold Spare Upgrade Procedures

Cold Spare Upgrade

Cold spare systems ship with a Perpetual Maintenance license already installed on them. This license
enables you to upgrade the cold spare system firmware to keep the cold spare current and ready to use
if you need it. The Perpetual Maintenance license expires 15 years from the date of your cold spare
purchase.

Note: If you do not have a Perpetual Maintenance license for your current cold spare system,
please contact Ixia Support to obtain one ([email protected]).

Systems are shipped with a USB flash drive that contains a license file. This license file contains the
license key for each of the active systems you purchased. The license file also includes a cold spare
license for each of the cold spare systems you purchased. If a system goes down and you need to
activate a cold spare system, the cold spare license is valid only for 60 days. You will need to contact
support to arrange an RMA and obtain a new license key to replace the 60-day temporary cold spare
license.

To activate your cold spare and RMA the inactive system:

1. Unbox and rack the cold spare system.

2. Upgrade the cold spare system firmware if it does not match that of your active system.
3. Activate the cold spare license by installing the license file.
The cold spare license is part of the license file contained on the USB flash drive that shipped with
your systems.
4. Return the defective system to Ixia for RMA once you have received an RMA number from
Support.
l Ixia either fixes it or replaces it if it cannot be fixed.
l Ixia installs a new Perpetual License on the RMA system because it is now the cold spare
system.
l Ixia sends the new cold spare system to you.
l Ixia Support issues you a new license including a new cold spare license.
5. Install the newly issued license on the activated cold spare system to restore production
licensing.

– 15 – 913-2398-01 Rev A
Appendix C Software Upgrade/Downgrade and Cold Spare Upgrade Procedures

Software Upgrade
The files required to upgrade the system server to the latest version of software will be provided by
Ixia Technical Support. You must be logged in to the system as a system administrator to perform a
software upgrade. Upgrading will restart it.

Please read the following important notes before upgrading the software:

Note:
All users should be logged out of the system before beginning the upgrade procedure. An
administrator can view the accounts logged in to the system in the Users view of the system's
control panel. The install procedure will also allow the System administrator to force logouts.

We recommend that the upgrade be done using a reliable high speed network connection
between the system's management port and the PC running the Control Panel software. We do
not recommend performing an upgrade across a wireless connection or over a VPN connection
that does not guarantee symmetric upstream/downstream performance (an asymmetric link can
result in very slow upload times to the system).

It will take approximately 7 minutes to upgrade the system server. The upgrade should be
scheduled during a time when it is acceptable for the unit to be inaccessible to users for
approximately 7 minutes.

The System setting for Login session timeout should be set at least 10 minutes to allow the
software upgrade to complete. The timeout may need to be temporarily raised or set to “Never”
during an upgrade cycle, especially if the network connection to the system's management port
is slow. After the upgrade is complete, change it back to your normal timeout setting. To see
how to configure the Login session timeout, see Login session timeout.

After upgrading (or downgrading) the software, a version mismatch error similar to the one
shown below may occur after a login attempt.

This problem can be resolved by clearing the Java cache. For more information on how to clear
the Java cache, see How to clear the Java Cache.

Follow the procedure listed below to upgrade the system.

1. From the Version page click the Install Software button.

2. An Installation File window will display. Navigate to the provided by Ixia Technical Support.
Select the zip file then click the Install button.

913-2398-01 Rev A – 16 –
Appendix C Software Upgrade/Downgrade and Cold Spare Upgrade Procedures

A prompt will display indicating that new software will be installed and that the system will be
restarted after the upgrade. Click OK. The upgrade will take approximately 7 minutes.
3. It is recommended that your configuration is exported before the installation begins. Click the
Yes button to export the configuration.

The software upgrade procedure will now begin and the installation progress bar will display.
4. When the software upgrade has completed, a prompt will display indicating that the upgrade has
been successful.

Note that the software upgrade can be undone by reverting to the last version of software that was
running on the system. See the Software Downgrade section for details.

– 17 – 913-2398-01 Rev A
Appendix C Software Upgrade/Downgrade and Cold Spare Upgrade Procedures

Software Downgrade
The system software can be downgraded to the last version of software that was running on the system
before the current software was installed.

Note: Only system administrators can downgrade the software to the last running version.

Please read the following important notes before reverting to earlier versions of software:

Note:
Reversion of the system software to an earlier version will disrupt service and log all users out of
the system. It will take approximately 2 minutes for the reversion process to complete.

Any user that logged in to the system server while it was running the current version of software
may need to clear their Java cache after the system software has been downgraded. For more
information on how to clear the Java cache, see How to clear the Java Cache.

A version mismatch error, similar to the one shown below, may occur after a login attempt.

This problem can be resolved by clearing the Java cache. For more information on how to clear
the Java cache, see How to clear the Java Cache.

The downgrade will return the system to the last pre-upgrade configuration. Any changes that
were made to the system database while running the current software version will be lost! The
current configuration can be exported but it can only be imported into a system running the
current software version or higher.

913-2398-01 Rev A – 18 –
Appendix C Software Upgrade/Downgrade and Cold Spare Upgrade Procedures

Downgrade Using the Web GUI

1. Log in to the system using an account with system administrator capability.
2. From the System view of the Control Panel, click the Version tab. Click the Revert to
(previously installed software version) button.

3. The system administrator will then receive a message indicating that users who previously
logged in to the system server may need to clear the Java cache on their computer after the
revert process has completed. For more information on how to clear the Java cache, see How to
clear the Java Cache.

4. If users are currently logged in to the system, the system administrator will receive a message
indicating their Login IDs. The system administrator will be given the option to abort the revert
procedure or continue the revert procedure and automatically log the users out of the system.
5. Reversion to the previous software version may take 1-2 minutes.

– 19 – 913-2398-01 Rev A
Appendix C Software Upgrade/Downgrade and Cold Spare Upgrade Procedures

How to Clear the Java Cache

Clearing the operating system Java cache may be required after upgrading or downgrading the
system's software.

1. Click Start > Control Panel .

2. Double-click the Java icon. The Java Control Panel will open.

3. Under the Temporary Internet Files section of the window, click the Settings button. The
Temporary Internet File Settings window will open.

913-2398-01 Rev A – 20 –
Appendix C Software Upgrade/Downgrade and Cold Spare Upgrade Procedures

4. Click the Delete Files button.

5. Click OK.
6. Continue to click OK until all of the previously opened windows are closed.

– 21 – 913-2398-01 Rev A
APPENDIX D Safety Guidelines
Safety guidelines are provided in both English and French.

– 22 – 913-2398-01 Rev A
Appendix D Safety Guidelines

English
DANGER: Safety Instructions

Use the following safety guidelines to help ensure your own personal safety and to help protect your
equipment and working environment from potential damage.

SAFETY: General Safety

DANGER: The power supplies in your system may produce high voltages and
energy hazards, which can cause bodily harm. Only Ixia service technicians are
authorized to remove the cover and access any of the components inside the system.

DANGER: This system may have more than one power supply cable. To reduce the
risk of electrical shock, a trained service technician must disconnect all power supply
cables before servicing the system.

Note: The installation of your equipment and rack kit in a rack cabinet has not been approved
by any safety agencies. It is your responsibility to ensure that the final combination of
equipment and rack complies with all applicable safety standards and local electric code
requirements. Ixia disclaims all liability and warranties in connection with such combinations.
Rack kits are intended to be installed in a rack by trained service technicians.

When setting up the equipment for use:

l Place the equipment on a hard, level surface.

l Leave 10.2 cm (4 in) minimum clearance on all vented sides of the equipment to permit the
airflow required for proper ventilation. Restricting airflow can damage the equipment or cause a
fire.
l Ensure that nothing rests on your equipment’s cables and that the cables are not located where
they can be stepped on or tripped over.
l Keep your equipment away from radiators and heat sources.
l Keep your equipment away from extremely hot or cold temperatures to ensure that it is used
within the specified operating range.
l Do not stack equipment or place equipment so close together that it is subject to re-circulated or
preheated air.

When operating your equipment:

DANGER: Do not operate your equipment with the cover removed.

913-2398-01 Rev A – 23 –
Appendix D Safety Guidelines

l Use this product only with approved / certified equipment. Operate this product only with
approved /certified redundant power supplies.
l Operate the equipment only from the type of external power source indicated on the electrical
ratings label. If you are not sure of the type of power source required, consult your service
provider or local power company.
l If the equipment has multiple sources of power, disconnect power from the system by unplugging
all power cables from the power supplies.
l Use only approved power cable(s). If you have not been provided with a power cable for the
equipment or for any AC-powered option intended for the equipment, purchase a power cable that
is approved for use in your country. The power cable must be rated for the equipment and for the
voltage and current marked on the equipment’s electrical ratings label. The voltage and current
rating of the cable should be greater than the ratings marked on the equipment.
l Do not modify power cables or plugs. Consult a licensed electrician or your power company for
site modifications. Always follow your local/national wiring rules.
l To help prevent electric shock, plug the equipment’s power cables into properly grounded
electrical outlets. These cables are equipped with three-prong plugs to help ensure proper
grounding. Do not use adapter plugs or remove the grounding prong from a cable. If you must use
an extension cable, use a 3-wire cable with properly grounded plugs.
l Observe extension cable and power strip ratings. Ensure that the total ampere rating of all
equipment plugged into the extension cable or power strip does not exceed 80 percent of the
ampere ratings limit for the extension cable or power strip.
l If any of the following conditions occur, unplug the equipment from the electrical outlet and
replace the part or contact Ixia:
n The power cable, extension cable, or plug is damaged.
n An object has fallen into the equipment.
n The equipment has been exposed to water.
n The equipment has been dropped or damaged.
n The equipment does not operate correctly when you follow the operating instructions.
l Do not operate the equipment within a separate enclosure unless adequate intake and exhaust
ventilation are provided on the enclosure that adheres to the guidelines listed above.
l Do not restrict airflow into the equipment by blocking any vents or air intakes.
l Do not push any objects into the air vents or openings of your equipment. Doing so can cause fire
or electric shock by shorting out interior components.

DANGER: Only Ixia trained service technicians are authorized to replace the
battery. Should the battery need to be replaced, please contact Ixia to arrange for the
replacement of the battery. Incorrectly installing or using an incompatible battery may
increase the risk of fire or explosion. Replace the battery only with the same or
equivalent type recommended by the manufacturer, carefully following installation
instructions. Dispose of used batteries properly.

SAFETY: Battery Disposal

Your system uses a lithium coin-cell battery. These batteries are long-life batteries, and it is very
possible that you will never need to replace them. However, should you need to do so, please contact

– 24 – 913-2398-01 Rev A
Appendix D Safety Guidelines

Ixia to arrange for the replacement of the battery.

Do not dispose of the battery along with ordinary waste. Contact your local waste disposal agency for
the address of the nearest battery deposit site.

Handle batteries carefully. Do not disassemble, crush or puncture batteries. Do not short external
contacts, dispose of batteries in fire or water, or expose batteries to temperatures higher than 60
degrees Celsius (140 degrees Fahrenheit). Do not attempt to open or service batteries. Replace
batteries only with batteries designated for the equipment.

SAFETY: Risk of Electrical Shock

DANGER: Opening or removing the cover of this equipment may expose you to risk
of electrical shock. Components inside these compartments should be serviced only by
an Ixia service technician.

l Allow the equipment to cool before removing add-in modules. Add-in modules may become very
warm during normal operation. Use care when removing add-in modules after their continuous
operation.
l To help avoid the potential hazard of electric shock, do not connect or disconnect any cables or
perform maintenance or reconfiguration of your equipment during an electrical storm.

SAFETY: Equipment with Laser Devices

DANGER: Do not look directly into a fiber-optic transceiver or into the end of a
fiber-optic cable. Fiber-optic transceivers contain laser light sources that can damage
your eyes.

l This equipment may contain optical communications transceivers which have built-in laser
devices. To prevent any risk of exposure to laser radiation, do not disassemble or open any
optical transceiver assembly for any reason.

GUIDANCE: Only use fiber-optic transceivers that comply with the limits for Class 1 laser safety for
IEC60825, EN60825, and 21CFR1040 specifications.

WARNING: The end-user is ultimately responsible for the selection of the laser modules.

Protecting Against Electrostatic Discharge

DANGER: Disconnect product from mains power source in accordance with product-
specific safety information located in this manual.

Electrostatic discharge (ESD) events can harm electronic components. Under certain conditions, ESD
may build up on your body or an object and then discharge into another object, such as your add-in
modules. To prevent ESD damage, you should discharge static electricity from your body before you
handling any add-in modules.

913-2398-01 Rev A – 25 –
Appendix D Safety Guidelines

You can protect against ESD and discharge static electricity from your body by touching a metal
grounded object before you interact with anything electronic. When connecting other devices to this
equipment, you should always ground both yourself and the other device before connecting it to this
equipment.

You can also take the following steps to prevent damage from electrostatic discharge:

l When unpacking a static-sensitive component from its shipping carton, do not remove the
component from the antistatic packing material until you are ready to install the component. Just
prior to unwrapping the antistatic package, be sure to discharge static electricity from your body.
l When transporting a sensitive component, first place it in an antistatic container or packaging.
l Handle all electrostatic sensitive components in a static-safe area. If possible, use antistatic floor
pads and work bench pads.

– 26 – 913-2398-01 Rev A
Appendix D Safety Guidelines

French
DANGER: AVERTISSEMENT : Instructions relatives à la sécurité

Veuillez suivre les directives de sécurité suivantes afin d’assurer votre sécurité personnelle et de
protéger votre équipement et votre environnement de travail contre les dommages potentiels.

SÉCURITÉ : Sécurité générale

DANGER: AVERTISSEMENT : les sources d’alimentation de votre système peuvent
produire une tension élevée et des dangers électriques qui peuvent causer des blessures
corporelles. Seuls les techniciens de service d’Ixia sont autorisés à retirer le couvercle et
à accéder aux composants à l’intérieur du système.

DANGER: AVERTISSEMENT : ce système peut comprendre plus d’un câble

d’alimentation. Afin de réduire le risque de choc électrique, un technicien de service
formé devra débrancher tous les câbles d’alimentation avant d’effectuer l’entretien sur le
système.

Note: REMARQUE : ’l’installation de votre équipement et de votre ensemble de bâti dans une
armoire n’a été approuvée par aucune agence de sécurité. Il vous incombe d’assurer que la
combinaison finale d’équipements et de bâtis soit conforme à toutes les normes de sécurité
applicables et aux exigences du code local en matière d’électricité. Ixia décline toute
responsabilité et toutes les garanties relatives à de telles combinaisons. Les ensembles de bâtis
sont prévus pour être installés par un technicien de service formé.

Lors de l’installation de l’équipement aux fins d’utilisation :

l Placer l’équipement sur une surface dure et à niveau.

l Laisser un espace d’au moins 10,2 cm (4 po) sur tous les côtés de l’équipement dotés de fentes
d’aération afin de permettre la circulation d’air nécessaire à une bonne ventilation. L’entrave à la
circulation d’air peut endommager l’équipement ou causer un incendie.
l S’assurer que rien ne se trouve sur les câbles de l’équipement et que les câbles ne se trouvent
pas dans un endroit où on pourrait marcher ou trébucher sur eux.
l Tenir l’équipement éloigné des radiateurs et autres sources de chaleur.
l Ne pas exposer l’équipement à des températures extrêmement chaudes ou froides afin d’assurer
qu’il soit utilisé dans la plage de fonctionnement spécifiée.
l Ne pas empiler l’équipement ni placer ses composants si près les uns des autres qu’ils risquent
d’être exposés à de l’air de recirculation ou préchauffé.

Lors de l’utilisation de votre équipement :

913-2398-01 Rev A – 27 –
Appendix D Safety Guidelines

DANGER: AVERTISSEMENT : ne pas utiliser votre équipement avec le couvercle

retiré.

l Utiliser ce produit uniquement avec des équipements approuvés/certifiés. Faire fonctionner ce

produit uniquement avec des alimentations redondantes approuvées/certifiées.
l Faire fonctionner l’équipement uniquement avec le type d’alimentation externe indiqué sur
l’étiquette des caractéristiques électriques. ’En cas de doute quant au type d’alimentation requis,
consulter votre prestataire de services ou la compagnie d’électricité locale.
l Si l’équipement comporte de multiples sources d’alimentation, déconnecter l’alimentation du
système en débranchant tous les câbles d’alimentation des sources d’alimentation.
l Utiliser uniquement des câbles d’alimentation approuvés. Si on ne vous a pas fourni de câble
d’alimentation pour l’équipement ou pour toute autre option alimentée au CA prévue pour
l’équipement, acheter un câble d’alimentation approuvé pour utilisation dans votre pays. Le câble
d’alimentation doit être conforme aux caractéristiques nominales de l’équipement, ainsi qu’aux
valeurs nominales de tension et de courant indiquées sur l’étiquette des caractéristiques
électriques de l’équipement. Les valeurs nominales de tension et de courant du câble doivent
être supérieures à celles indiquées sur l’équipement.
l Ne pas modifier les câbles d’alimentation ou les fiches. Consulter un électricien agréé ou votre
compagnie d’électricité pour toute modification du site. Systématiquement respecter les règles
locales/nationales en matière de câblage.
l Pour prévenir les chocs électriques, brancher les câbles d’alimentation de l’équipement dans des
prises électriques mises à la terre correctement. Ces câbles sont dotés de fiches à trois branches
afin d’assurer une mise à la terre adéquate. Ne pas utiliser de fiches d’adaptation ni retirer la
broche de mise à la terre d’un câble. Si ’une rallonge doit absolument être utilisée, utiliser un
câble à trois fils doté de fiches de mise à la terre adéquates.
l Respecter les caractéristiques nominales ’de la rallonge et de la barrette d’alimentation.
S’assurer que l’ampérage nominal total de tous les équipements branchés ’à la rallonge ou à la
barrette d’alimentation n’excède pas 80 pour cent de l’ampérage nominal maximal ’de la rallonge
ou de la barrette d’alimentation.
l Si l’une des situations suivantes se produit, débrancher l’équipement de la prise de courant et
remplacer la pièce ou contacter Ixia :
n Le câble d’alimentation, ’la rallonge ou la fiche est endommagé.
n Un objet est tombé dans l’équipement.
n L’équipement a été exposé à de l’eau.
n L’équipement est tombé ou a été endommagé.
n L’équipement ne fonctionne pas correctement quand vous suivez les consignes d’utilisation.
l Ne pas utiliser l’équipement dans une enceinte séparée à moins qu’une ventilation d’entrée et de
sortie d’air adéquate soit fournie sur cette enceinte en conformité avec les directives indiquées
ci-dessus.
l Ne pas ’’entraver l’arrivée d’air dans l’équipement en bloquant les fentes d’aération ou les entrées
d’air.
l Ne pas introduire d’objets dans les fentes ’d’aération ou ouvertures de votre équipement au
risque de causer un incendie ou un choc électrique à la suite d’un court-circuit des composants
internes.

– 28 – 913-2398-01 Rev A
Appendix D Safety Guidelines

DANGER: AVERTISSEMENT : seuls les techniciens de service formés d’Ixia sont

autorisés à remplacer la pile. Si la pile doit être remplacée, contacter Ixia pour prendre
les dispositions nécessaires au remplacement de la pile. L’installation incorrecte ou
l’utilisation d’une pile incompatible peut augmenter le risque d’incendie ou d’explosion.
Remplacer la pile uniquement par un type de pile identique ou équivalent conformément
aux recommandations du fabricant et suivre les consignes d’installation à la lettre.
Correctement éliminer les piles usées.

SÉCURITÉ : Élimination des piles

Votre système utilise une pile bouton au lithium. Ces piles sont à longue durée et il est très possible
que vous n’ayez jamais à les remplacer. Toutefois, si jamais vous deviez le faire, veuillez contacter
Ixia pour prendre les dispositions nécessaires au remplacement de la pile.

Ne pas éliminer la pile avec les ordures ménagères. ’Contacter l’agence locale chargée de l’élimination
des déchets pour obtenir l’adresse du site de collecte de piles le plus proche.

Manipuler les piles avec précaution. Ne pas démonter, écraser ou percer les piles. Ne pas court-
circuiter les contacts externes, éliminer les piles dans le feu ou l’eau, ni exposer les piles à des
températures supérieures à 60 degrés Celsius (140 degrés Fahrenheit). Ne pas essayer d’ouvrir ou de
’réparer les piles. Remplacer les piles uniquement avec les piles désignées pour l’équipement.

SÉCURITÉ : Risque de choc électrique

DANGER: AVERTISSEMENT : ouvrir ou retirer le couvercle de cet équipement peut
vous exposer à un risque de choc électrique. Les composants à l’intérieur de ces
compartiments doivent être entretenus exclusivement par un technicien de service Ixia.

l Laisser l’équipement refroidir avant de retirer les modules additionnels. Les modules additionnels
peuvent devenir très chauds lors du fonctionnement normal. Faire preuve de prudence lors du
retrait de modules additionnels après un fonctionnement continu.
l Pour éviter le risque potentiel de choc électrique, ne pas connecter ou déconnecter les câbles, ni
effectuer l’entretien ou la reconfiguration de votre système durant une tempête électrique.

SÉCURITÉ : Équipement doté de dispositifs laser

DANGER: AVERTISSEMENT : ne jamais regarder directement dans un émetteur-
récepteur à fibres optiques ou dans l’extrémité d’un câble à fibres optiques. Les
émetteurs-récepteurs à fibres optiques contiennent des sources de lumière laser qui
peuvent endommager vos yeux.

l Cet équipement peut contenir des émetteurs-récepteurs de communication par fibre optique qui
comportent des dispositifs laser intégrés. Pour prévenir tout risque d’exposition au rayonnement
laser, ne jamais démonter ou ouvrir un émetteur-récepteur à fibres optiques.

913-2398-01 Rev A – 29 –
Appendix D Safety Guidelines

Protection contre les décharges électrostatiques

DANGER: AVERTISSEMENT : débrancher le produit de la source principale
d’alimentation conformément aux informations de sécurité spécifiques au produit fournies
dans ce manuel.

Les décharges électrostatiques peuvent endommager les composants électroniques. Dans certaines
conditions, les décharges électrostatiques peuvent s’accumuler sur votre corps ou sur un objet, puis se
décharger dans un autre objet comme vos modules additionnels. Pour prévenir les dommages dus aux
décharges électrostatiques, vous devez décharger l’électricité statique de votre corps avant de
manipuler un module additionnel.

Vous pouvez assurer la protection contre les décharges électrostatiques et décharger l’électricité
statique de votre corps en touchant un objet en métal mis à la terre avant ’de toucher quoi que ce soit
d’électronique. Lors de la connexion d’autres dispositifs à cet équipement, vous devez toujours assurer
votre mise à la terre et celle de l’autre dispositif avant de le connecter à cet équipement.

Vous pouvez aussi suivre les étapes suivantes afin de prévenir les dommages causés par les
décharges électrostatiques :

l Lors du retrait d’un composant sensible à l’électricité statique de son carton d’expédition, ne pas
retirer le composant de son matériau d’emballage antistatique ’avant d’être prêt à installer ce
composant. Juste avant de retirer l’emballage antistatique, ’veiller à décharger l’électricité
statique de votre corps.
l Lors du transport d’un composant sensible, le placer préalablement dans un contenant ou un
emballage antistatique.
l Manipuler tous les composants sensibles à ’l’électricité statique dans une zone à protection
antistatique. Si possible, utiliser des tapis antistatiques pour le sol et la surface de travail.

– 30 – 913-2398-01 Rev A
APPENDIX E Firewall Ports to Open
The Vision Network Packet Broker (NPB) requires you to open specific ports in your firewall for some
features to function. The following table lists each port and the feature it supports. Entries note which
default ports are configurable.

Note: If the feature uses an enable/disable setting, then the port only needs to be opened in the
firewall when the feature is enabled.

Default Port NPB Feature

22 TAC SSH (Ixia Technical Support Debugging)

49 (configurable) TACACS+

53 DNS; AppStack Threat Insights

67, 68 DHCP/UDP

123 (configurable) NTP

161, 162 (only 162 is configurable) SNMP

443 NPB Webstart page; AppStack Threat Insights

514 (configurable) Syslog

1099 NPB Java Console ( if enabled, 7300 only)

1812, 1813 (configurable) RADIUS

4369, 8099, 9001 Ixia Fabric Controller (IFC) Clustering management

4739 (configurable) AppStack NetFlow Collector

8000 (configurable) HTTPS for Web API and NPB Web Console

8443 AppStack Web GUI and SecureStack

22222 (configurable) CLI Listening port

42426 TradeVision SNMP notifications

– 31 – 913-2398-01 Rev A
Appendix E Firewall Ports to Open

For more information about these features, see the descriptions for the following sections in the
System > Settings view:

l General Section
l Remote Services Settings

913-2398-01 Rev A – 32 –
APPENDIX F Syslog Messages
A syslog message is logged whenever a user performs an operation in a system, or when something
changes internally due to external factors or due to a consequence of a different operation.

– 33 – 913-2398-01 Rev A
Appendix F Syslog Messages

Syslog Message Format

A syslog message is logged whenever a user performs an operation on a system, or when something
changes internally due to external factors or as a result of a different operation.

Syslog Message Format

The format used is defined in RFC 5424.

Let us consider an example of syslog messages received by a syslog server. In this example, the
server places the local date and time the message was received, and the IP address it was received
from, in addition to the rest of the received message.

Some syslog servers place the fields in a table, as in the following example:

RFC 5424 message provides the following fields:

l Facility – Local 0, etc.

l Severity (or Level) of the message as described below.
l TIMESTAMP – This is a formalized timestamp. TIMESTAMP denotes the date and time when the
event is logged and includes the syslog generation time with the year and milliseconds with
respect to the time zone.
n The following examples show the date and time format in RFC 5424.
Note: The suffix “Z”, when applied to a time, denotes a Coordinated Universal Time
(UTC) offset of 00:00.
n For example, 2016-07-29T21:10:48.668Z represents July 29, 2016 at 9:10:48pm, 668
milliseconds into the next second. The timestamp is in UTC. The timestamp provides
millisecond resolution.
l HOSTNAME – It identifies the machine that originally sent the Syslog message. This will be the
system name configured, or the IP address if the system name is not configured.
l APP-NAME – is the model of the system, such as Vision ONE or Vision 7303.
l The three (3) fields that follow are blank, and represented by dashes: “- - -“
l MSG – It contains the Sequence ID, followed by a free form message that provides information
about the event.

A syslog message is generally logged in the following format:

<system_info>:<user_id/object_type> <object_details>
For example, the following message is a test message that is sent to the syslog server whenever a
system user configures a syslog server in the system console's System > Settings tab to verify that it
is reachable.

10.218.80.130:”admin”

913-2398-01 Rev A – 34 –
Appendix F Syslog Messages

If a user does not perform a specific action and the syslog message is triggered by internal changes,
the object_type parameter can be a port, a dynamic filter, a port group, or the system.

Examples

10.218.80.130:System "main" changed: TOPOLOGY_STATUS=READY

Syslog Levels
Syslog messages are logged using different levels that show the severity of the logged message. The
following levels are supported:

l ERROR - Error has occurred

l WARNING – Warning condition
l NOTICE – Normal but significant condition
l INFO – Information for the user

Pre-Defined Syslog Messages

Every system property that users can change generates a syslog message. Whenever any system
properties changes, a syslog message is generated at the informational (info) level in the following
format:

<ip_address>:<user_id> changed <object_type> ?<object_id>?: <object_details>

Examples

10.218.80.130:"admin" changed System: MEMORY_

ALLOCATION=NetworkDynamicSipAllocationType = 25% Network port + 75% Dynamic IP
address; Network = 100% L2 and IPv4 L3/L4; Dynamic SIP = 100% IPv4 address;
Dynamic = 100% L2/L3/L4 excluding MAC; Tool = 100% L2 and IPv4 L3/L4; Custom =
None
10.218.80.130:"admin" changed Port "P1-03": STD_VLAN_STRIP_SETTINGS=Enabled,
Strip mode:Ingress, Ingress Count:1
The properties that are syslogged are listed below by categories.

Switch Properties

l SESSION_TIMEOUT_INTERVAL
l LOG_LEVEL
l NETWORK_FILTER_MEMORY_ALLOCATION
l DYNAMIC_FILTER_MEMORY_ALLOCATION
l MEMORY_ALLOCATION
l AUTHENTICATION_MODE
l PASSWORD_POLICIES
l SNMP_CONFIG
l ALLOW_LCD_ADMIN_PW_RESET
l ALLOW_SERIAL_PORT_ACCESS

– 35 – 913-2398-01 Rev A
Appendix F Syslog Messages

l POWER_ON_SELF_TEST_ENABLED
l RADIUS_SERVERS
l SYSTEM_INFO
l TACACS_SERVERS
l DNS_CONFIG
l FAN_CONTROL_MODE
l MGMT_PORT_LINK_SETTINGS
l MGMT_PORT_LINK_STATUS
l MGMT_PORT2_LINK_STATUS
l POWER_SUPPLY_STATUS
l EXTERNAL_POWER_SUPPLY_STATUS
l SYSLOG_SERVER_LIST
l NTP_SERVER_LIST
l NTP_SERVER_STATUS_SUMMARY
l TIMESTAMPING_CONFIG
l SSL_ENABLED
l SSL_CUSTOM_CERT
l SSL_CUSTOM_PRIVATE_KEY
l STATS_POLLING_INTERVAL
l HASH_ALGORITHM_INFO
l POWER_MODULE_A
l POWER_MODULE_B
l POWER_MODULE_MAP
l READY_TIME
l FAN_MODULE_MAP
l PORT_SUPPORTED_LICENSE_MAP
l PORT_ASSIGNED_LICENSE_MAP
l CUSTOM_FIELD_SET_CONFIG
l GPS_FIX_STATUS
l STD_GRE_STRIP_SETTINGS
l LOGIN_BANNER_CONFIG
l TOOL_MANAGEMENT_VIEW_ENABLED
l WEB_API_CONFIG

Port Properties

l PORT_LIST
l SOURCE_FILTER_LIST
l DEST_FILTER_LIST
l PORT_GROUP_ID
l NAME
l DESCRIPTION

913-2398-01 Rev A – 36 –
Appendix F Syslog Messages

l ICON_TYPE
l CUSTOM_ICON_ID
l MODE
l ENABLED_STATE
l PRESENT
l IGNORE_PAUSE_FRAMES
l TX_LIGHT_STATUS
l TYPE
l MEDIA_TYPE
l LINK_SETTINGS
l LINK_STATUS
l COPPER_LINK_POLLING
l FILTER_CRITERIA
l LICENSE_STATUS
l MAX_LICENSED_SPEED
l EXPIRATION_TIME
l FILTER_MODE
l FILTER_MATCH_COUNT_UNIT
l MODIFY_ACCESS_SETTINGS
l CONNECT_IN_ACCESS_SETTINGS
l CONNECT_OUT_ACCESS_SETTINGS
l PORT_GROUP_TYPE
l REMOTE_INTERCONNECT
l ENABLED_STATUS
l PAUSE_FRAMES_STATUS
l SNMP_TAG
l HASH_ALGORITHM
l FAILOVER_MODE
l DEDUP_SETTINGS
l TRIM_SETTINGS
l MPLS_STRIP_SETTINGS
l GTP_STRIP_SETTINGS
l MPLS_FILTER_SETTINGS
l GTP_FILTER_SETTINGS
l BURST_BUFFER_SETTINGS
l TIMESTAMPING_SETTINGS
l TRAILER_STRIP_SETTINGS
l VNTAG_STRIP_SETTINGS
l FABRIC_PATH_STRIP_SETTINGS
l VXLAN_STRIP_SETTINGS
l L2GRE_STRIP_SETTINGS

– 37 – 913-2398-01 Rev A
Appendix F Syslog Messages

l ERSPAN_STRIP_SETTINGS
l LINK_UP_DOWN_TRAP_ENABLED
l STD_MPLS_STRIP_SETTINGS
l STD_PORT_TAGGING_SETTINGS
l STD_VLAN_STRIP_SETTINGS
l TX_ON_LINKDOWN
l KEYWORDS
l GTP_FD_SETTINGS
l FILTERING_DIRECTION
l TUNNEL_SETTINGS
l TUNNEL_MAC

Filter Properties

l SOURCE_PORT_LIST
l DEST_PORT_LIST
l SOURCE_PORT_GROUP_LIST
l DEST_PORT_GROUP_LIST
l NAME
l DESCRIPTION
l MODE
l DYNAMIC_FILTER_TYPE
l CRITERIA
l MATCH_COUNT_UNIT
l MODIFY_ACCESS_SETTINGS
l CONNECT_IN_ACCESS_SETTINGS
l CONNECT_OUT_ACCESS_SETTINGS
l SNMP_TAG
l KEYWORDS

Filter Template Properties

l COLLECTION
l NAME
l DESCRIPTION
l CRITERIA

Filter Template Collection Properties

l NAME
l DESCRIPTION
l MODIFY_ACCESS_SETTINGS

User Properties

913-2398-01 Rev A – 38 –
Appendix F Syslog Messages

l LOGIN_ID
l PASSWORD
l PASSWORD_HISTORY
l PASSWORD_LAST_CHANGED
l FULL_NAME
l EMAIL
l PHONE
l IS_SYSADM
l SESSION_TYPE

Group Properties

l ACCESSIBLE_PORTS
l ACCESSIBLE_FILTERS
l NAME
l DESCRIPTION
l MEMBERS
l OWNERS

Monitor Properties

l NAME
l DESCRIPTION
l TRIGGER
l ACTIONS

Custom Icon Properties

l NAME
l DESCRIPTION
l IMAGE

Syslog Common Action

Depending on the action—creating, modifying, or deleting— that is performed on an object, logging is
done at different levels.

Creating Objects

Whenever a user creates an object, it is syslogged at the info level in the following format:

<ip_address>:<user_id> created <object_type> <object_id>:<object_details>

Example

10.218.80.130:"admin" created Dynamic Filter "F1": CONNECT_OUT_ACCESS_

SETTINGS=Inherited, KEYWORDS=, NAME=F1, CONNECT_IN_ACCESS_SETTINGS=Inherited,
DYNAMIC_FILTER_TYPE=Two-stage, MATCH_COUNT_UNIT=Packets, MODE=Deny All,
CRITERIA=, MODIFY_ACCESS_SETTINGS=Inherited

– 39 – 913-2398-01 Rev A
Appendix F Syslog Messages

In the previous message the <object_type> can be any of the following:

l Dynamic Filter
l Filter Template
l Filter Template Collection
l Port Group
l Custom Icon
l Group
l Monitor
l User

while <object_id> refers to the object's default name.

Ports are syslogged at the info level in a different way, since it gets added when the system comes up.
The log format for ports is the following:

<ip_address>:<user_id> added <object_type> <object_id>:<object_details>

Changing Objects

Whenever an object is changed, a message is logged in the following format at info level.

<ip_address>:<user_id> changed <object_type> <object_id>: <object_details>

For example, the following message indicates that a port has been connected with a dynamic filter:

10.218.80.130:"admin" changed Dynamic Filter "F1": SOURCE_PORT_LIST="P1-01"

Deleting Objects

Whenever an object gets deleted, it is syslogged at info level in the following format:

<ip_address>:<user_id> deleted <object_type> <object_id>

For example, the following message illustrates the deletion of a dynamic filter.

10.218.80.130:"admin" deleted Dynamic Filter "F1"

Custom Syslog Messages
Some events are syslogged using custom messages, without being directly related to the system
properties. Examples of such syslog messages are listed below.

Syslog server state changes

If a user takes the server back online from the offline state or the other way round, this event is logged
at the Info level. For example:

INFO - "admin" took offline Syslog server 10.0.0.0 (Port: 514,

Local0)).
If the server goes from the online to the offline state for a communication error, it is syslogged at the
Warning level.

913-2398-01 Rev A – 40 –
Appendix F Syslog Messages

When the syslog server is deleted by a user, it is syslogged at the Info level, with a notification that
the server is going offline.

Alarm cut off (ACO)

When the ACO button on the chassis is pressed by a user, this is syslogged at the Info level.

Example

1. When the ACO button from the chassis is used:

10.218.80.130: ACO (alarm cut-off) button pressed, suppressed audible alarm(s):
Temperature – Major Alarm.
2. When the ACO button from the console is used:
10.218.80.130: admin pressed ACO (alarm cut-off) button, suppressed audible
alarms(s): Temperature - Major Alarm.
Alarm state change

Whenever an alarm is cleared from the Major, Minor, or Critical state, this is syslogged at the Notice
level.

Alarm states can be Major, Minor, or Critical. Depending on the alarm states, the messages are
syslogged at different severity levels.

Examples

10.218.80.130:System Temperature – Alarm cleared.

10.218.80.130:System System Alarm – Alarm cleared.

Alarm state Syslog level

Minor Error

Major Critical

Critical Critical

None Notice

Examples

10.218.80.130:System Temperature – Major alarm set.

10.218.80.130:System System alarm – Minor alarm set1.
Import/Export Configuration

1These messages are logged at the Critical and Error level respectively, as mentioned in the table.

– 41 – 913-2398-01 Rev A
Appendix F Syslog Messages

Import/Export messages are syslogged at the Info level.

Examples

Export

10.218.80.130:"admin" exported Full Backup file C:\Import-Export-Upgrade\u91_

4.2.0_FULL_BACKUP.ata
Import

When importing, three types of messages are syslogged:

10.218.80.130:"admin" BEGIN importing Full Import (from Backup) file C:\Import-

Export-Upgrade\u91_4.2.0_FULL_BACKUP.ata
10.218.80.130:"admin" END importing Full Import (from Backup) file C:\ Import-
Export-Upgrade\u91_4.2.0_FULL_BACKUP.ata
10.218.80.130:"admin" ERROR importing Full Import (from Backup) file C:\ Import-
Export-Upgrade\u91_4.2.0_FULL_BACKUP.ata
System Shutdown

System shutdown messages are syslogged at the Info level.

Temperature state changes

Temperature change messages are syslogged at different levels depending on the alarm state. See the
previous table for a description of the Alarm state change.

Examples

l Error level
10.218.80.130:System Temperature is warm at 80C/176F. No action required.
l Critical level
192.168.41.99:System Temperature is hot at 85C/185F. Check your equipment. System
will automatically shut down above 95C/203F
l Notice level
192.168.41.99:System Temperature is normal at 75C/167F. No action required
Insufficient Memory