Anue Systems, Inc. http://www.anuesystems.com Anue Net Tool Optimizer User Guide Version 3.7
Page 1: Anue 5200 User Guide

Anue Systems, Inc. http://www.anuesystems.com

Anue Net Tool Optimizer User Guide

Version 3.7


Anue Net Tool Optimizer User Guide, October 11, 2012 Part no: 510-12-0017-A0-0

Copyright © 2008-2012 Anue Systems, Inc. All Rights Reserved.

The information contained in this document is subject to change without notice and does not represent a commitment on the part of Anue Systems. No part of this manual may be copied, reproduced, stored in a retrieval system, or transmitted in any form, or by any means, electronic, mechanical, or otherwise, without the prior written permission of Anue Systems, Inc.

Anue Systems makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

The information in this document is believed to be accurate and reliable, however, Anue Systems assumes no responsibility or liability for any errors or inaccuracies that may appear in the document.

Limited Warranty

Anue Systems warrants that its Products will conform to the description on the face of order, that it will convey good title thereto, and that the Product will be delivered free from any lawful security interest or other lien or encumbrance.

Anue Systems further warrants to Customer that hardware which it supplies and the tangible media on which it supplies software will be free from significant defects in materials and workmanship for a period of twelve (12) months, except as otherwise noted, from the date of delivery (the “Hardware Warranty Period”), under normal use and conditions.

To the extent the Product is or contains software (“Software”), Anue Systems also warrants that, if properly used by Customer in accordance with the Software License Agreement, the Software which it supplies will operate in material conformity with the specifications supplied by Anue Systems for such Software for a period of ninety (90) days from the date of delivery (the “Software Warranty Period”). The “Product Warranty Period” shall mean the Hardware Warranty Period or the Software Warranty Period, as applicable. Anue Systems does not warrant that the functions contained in the Software will meet a specific requirement or that the operation will be uninterrupted or error free. Anue Systems shall have no warranty obligations whatsoever with respect to any Software which has been modified in any manner by Customer or any third party.

Defective Products and Software under warranty shall be, at Anue Systems' discretion, repaired or replaced or a credit issued to Customer's account for an amount equal to the price paid for such Product provided that: (a) such Product is returned to Anue Systems after first obtaining a return authorization number and shipping instructions, freight prepaid, to Anue Systems' location in the United States; (b) Customer provides a written explanation of the defect or Software failure claimed by Customer; and (c) the claimed defect actually exists and was not caused by neglect, accident, misuse, improper installation, improper repair, fire, flood, lightning, power surges, earthquake, or alteration. Anue Systems will ship repaired Products to Customer, freight prepaid, based on reasonable best efforts after the receipt of defective Products.

Except as otherwise stated, any claim on account of defective materials or for any other cause whatsoever will conclusively be deemed waived by Customer unless written notice thereof is given to Anue Systems within the Warranty Period. Anue Systems reserves the right to change the warranty and service policy set forth above at any time, after reasonable notice and without liability to Customer.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, ALL IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY EXCLUDED, AND THE LIABILITY OF ANUE SYSTEMS, IF ANY, FOR DAMAGE RELATING TO ANY ALLEGEDLY DEFECTIVE PRODUCT SHALL BE LIMITED TO THE ACTUAL PRICE PAID BY THE CUSTOMER FOR SUCH PRODUCT. THE PROVISIONS SET FORTH ABOVE STATE ANUE SYSTEMS' ENTIRE RESPONSIBILITY AND CUSTOMER'S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY BREACH OF ANY WARRANTY.


Contents

Preface
  Organization

CHAPTER 1 Overview
  Port Connection Options
  Supported Packet Sizes
  Filter Overview
  Filter Criteria Options

CHAPTER 2 Configuring the Management Port IP Settings
  Connect and Configure Ethernet Management Ports
    Port Locations and Labels
    5273/5288/5293 Rules and Practices
  Configuring the Management Port IP Address

CHAPTER 3 5273/5288/5293 Craft Port Interface
  Craft Port Connection
  Craft Port Main Menu
  Reboot System
  IP Config
  Management Port Config
  Reset Administrator Password
  Run POST Tests
  Get POST Results

CHAPTER 4 Log in to the Management Control Panel
  Requirements for the NTO Management PC
  Adding a Login Banner
  Logging in to the NTO
  Port Forwarding for NAT Firewall Network Environments
  Manage Multiple NTO Systems from the Same Control Panel Interface using ULM
  Adding Users and Configuring Authentication
    Using NTO Local Authentication
    Creating a New User Account
  Control Panel Overview
    Title Bar, Menu and Shortcut Toolbar
    Management Frame
    Diagram Area
    Available Filter Memory Meters and Function Key Legend
    Diagram Area Menu and Tool Tips
      Right-Click Function

CHAPTER 5 Control Panel Menu Options
  File Menu
    Exporting and Importing an NTO Configuration
  Edit Menu
  View Menu
  Help Menu
  Icon Toolbar and Focus Status

CHAPTER 6 Creating and Using Objects
  Features Common to All Object Pages


  Control Panel Behavior when Adding or Removing Port Modules
  Creating Network or Tool Ports
    Using the Port General Tab
    Using the Network Port (Ingress) or Tool Port (Egress) Filter Criteria Tab
    Using the Port Connections Tab
    Using the Port Access Control Tab
  Creating Dynamic Filters
    Using the Dynamic Filter General Tab
    Using the Dynamic Filter Criteria Tab
    Using the Dynamic Filter Connections Tab
    Using the Dynamic Filter Access Control Tab
  Creating Port Groups
    Interconnect Port Groups
      Using the Interconnect Port Group General Tab
      Using the Interconnect Port Group Ports Tab
      Using the Interconnect Port Group Filter Criteria Tab
      Using the Interconnect Port Group Connections Tab
      Using the Interconnect Port Group Access Control Tab
    Load Balance Port Groups
      Using the Load Balance Port Group General Tab
    Using the Load Balance Port Group Ports Tab
      Using the Load Balance Port Group Filter Criteria Tab
      Using the Load Balance Port Group Connections Tab
      Using the Load Balance Port Group Access Control Tab
  Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters
    Filter Mode
    Available Criteria
    Detailed Criteria Descriptions
    Selected Criteria
    Library
  Custom Dynamic Filtering
    Define Custom Fields
      MPLS Custom Fields
      GTP Custom Fields (5288 only)
      Raw Custom Fields
    Use Custom Fields in Filters
    Quick Example: GTP-U Custom Filtering Field (5288/5293 only)
    Custom Filter Portion of Available Filter Memory Meter
  Filtering on 802.1Q VLAN Tags
  Port, Port Group, and Dynamic Filter Symbols and Indicators
    Packet Drop Indicator
    Link Down Indicator

CHAPTER 7 Control Panel Views
  Diagram View
  Ports View
  Port Groups View
  Dynamic Filters View
  Library View
    Filter Template Collections
    Creating Filter Templates
    Custom Icon Library
  Users View
  Groups View
    Creating Groups and Adding Users to Groups


    Remove Users from Groups
  System View
    Status Tab
    Settings Tab
    Version/License Tab
    Hardware Info Tab
    Available Filter Memory Meters

CHAPTER 8 Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS
  Comparing Authentication Modes
  Configuring Remote Authentication
  Subsequent sections describe in further detail how to configure both TACACS+ (page 197) and RADIUS (page 213).
  Effects of Authentication Mode Changes on Users and Groups
  Configuring TACACS+
    Custom Authorization Settings
    TACACS+ Access Control Group Settings
    TACACS+ Servers
    Adding a TACACS+ Server
    Click the Test Settings button to verify that the NTO can connect to the TACACS+ server using the configured settings.
    Configuring TACACS+ Accounting
    TACACS+ Configuration Examples
      TACACS+ User Authorization Examples
      TACACS+ Access Control Group Examples
  Configuring RADIUS
    RADIUS Servers
    Adding a RADIUS Server
    RADIUS Accounting
    Configuring the Microsoft Network Policy Server
      Adding an NTO as a RADIUS Client of the NPS
      Configuring the NPS Network Policies

CHAPTER 9 SNMP
  Introduction
  SNMP Configuration Example

CHAPTER 10 SYSLOG
  Syslog Severity Levels
  Adding or Modifying Syslog Servers to the NTO
  Example Syslog Messages
    Example Syslog Message 1
    Example Syslog Message 2
  Confirming Connections to Syslog Servers

CHAPTER 11 Access Control Using Groups
  Access Control Examples
    Access Control Example #1 - Restrict Access to a Tool (Port)
    Access Control Example #2 – Protect Sensitive Data but Allow Non-sensitive Data to be Accessed
    Access Control Example #3 - Restrict Access to Allow One Group to Modify a Port and another Group to Make Connections to the Port
    Access Control Example #4 – Add TACACS+ Users to Local Groups

CHAPTER 12 Use Cases and Common Configurations


  Quick Start Example
  Use Case 1: Aggregating Three Network Ports to One Tool Port
  Use Case 2: Easily Extending the Configuration
  Use Case 3: Sending SPAN Port Data to Several Devices

CHAPTER 13 Control Panel Ease of Use Features
  Using Tooltip Help
  Modifying Several Objects of the Same Type Simultaneously
  Modifying Several Objects of Different Types Simultaneously
  Duplicating a Dynamic Filter
  Copying Filters from One Diagram View to Another
  Using the Select All Feature
  Quick Access to Object Statistics
  Properties Window Shortcuts
  Bring All Open Statistics Windows into the Foreground
  Hiding Disabled Ports
  Function Keys

CHAPTER 14 Automation Scripting

CHAPTER 15 Statistics
  Features Common to All Statistics Pages
  Network Port Statistics
  Dynamic Filter Statistics
  Tool Port Statistics
  Port Group Statistics
    Network Interconnect Port Group Statistics
    Tool Interconnect Port Group Statistics
    Bidirectional Interconnect Port Group Statistics
  Statistics Charting
  Tool Management View

APPENDIX A Software Upgrade and Port Allocation Procedures
  Upgrade Procedures
    License Update
    Cold Spare Upgrade
    Software Upgrade
    Software Downgrade
      Downgrade Using the GUI Control Panel
      5204/5236/5273 Downgrade Using the Front Panel LCD and Keypad
    How to clear the Java Cache
  Port License Allocation
    Default Port License Allocation
    Possible Port License Allocations
    Using the NTO Control Panel to Allocate Ports

APPENDIX B 5204/5236/5273 Front Panel LCD Menu Reference
  Front Panel LCD and Keypad
  Reading the LCD
  Navigating the LCD Menu Using the Keypad
  Resetting the Admin Password from the LCD Menu

APPENDIX C Packet Processing Features
  Standard Packet Processing Features
    Standard VLAN Stripping
      The VLAN Tag Protocol Identifier (TPID)


  Advanced Packet Processing Features
    VNTag Stripping (5288 only)
    GTP Stripping
    MPLS Stripping
      L2 VPN with Pseudowire Control Words
      L2 VPN without Pseudowire Control Words
      L3 VPN
    De-duplication
    Packet Trimming
      Packet Trimming Example 1
      Packet Trimming Example 2
      Packet Trimming Example 3
      Packet Trimming Example 4
    Packet Timestamping (5288 only)
      Configurable Time Sources
      Unavailable Time Sources
      Trailer Format
      Configured Time Sources and Alarms
    Burst Protection (5236/5273 1G tool port only)
    Packet Processing Pipeline
      AFM Network Port Pipeline Order
      Non-AFM Network Port Pipeline Order
      AFM Tool Port Pipeline Order
      Non-AFM Tool Port Pipeline Order
  AFM Statistics
    At What Point Does Oversubscription (dropped packets) Occur?
    AFM Oversubscription Example
      In this scenario:
  AFM Operational Considerations

APPENDIX D How Licenses are Remapped Due to a Configuration Change
  Overview
  Port Numbers Review
  Floating License Remapping Algorithm
    Terminology and Assumptions
    Remapping Process

APPENDIX E Troubleshooting
  Port LED Legend
  Power On Self Test (POST)
    Manual POST
    Automatic POST
    5273/5288/5293 View POST Results Via the Serial (Craft) Port Interface
    5204/5236/5273 View POST Results Via the Front Panel LCD
  Login Issues
    Login Failures Using the IE7 Browser on Windows Vista
    Login Failures Using the IE8 and IE9 Browsers on Windows 7 and Vista
      Background
      Issue
      Exception
      Solutions
      Use the Firefox Browser
      Temporarily Disable User Account Control (UAC)
      Reference

Anue Net Tool Optimizer User Guide 5

Page 8: Anue 5200 User Guide

APPENDIX F 5273/5288/5293 Safety Guidelines............................................................ 347English .................................................................................................................... 347French ..................................................................................................................... 350

6 Anue Net Tool Optimizer User Guide

Page 9: Anue 5200 User Guide

Preface

About this Document

This document provides detailed information about the Anue Net Tool Optimizer™ (NTO), as well as the procedures necessary to use the Anue NTO to manage your network. For information about installing the Anue NTO, refer to the Installation Guide for your NTO model.

Audience

This document is intended for Anue customers that use the Anue Net Tool Optimizer (NTO). Readers should be familiar with networking concepts.

Organization

The following table describes the chapters and appendixes in this document.

NOTE This document is intended to be printed using double-side printing. If you print this document using single-side printing, some pages appear blank.

NOTE Some Control Panel details differ for various models of the NTO. Therefore, the screen captures you see in this document may differ from what you see for your particular model.

Chapter/Appendix: Description

Chapter 1, “Overview”: Provides an overview of the Anue NTO.

Chapter 2, “Configuring the Management Port IP Settings”: Describes how to configure the management port IP address.

Chapter 3, “5273/5288/5293 Craft Port Interface”: Describes the Craft Port Interface.

Chapter 4, “Log in to the Management Control Panel”: Describes how to log in to the management control panel.

Chapter 5, “Control Panel Menu Options”: Describes the control panel menu options.

Chapter 6, “Creating and Using Objects”: Describes how to create and configure objects.

Chapter 7, “Control Panel Views”: Describes control panel views.

Chapter 8, “Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS”: Describes TACACS+ and RADIUS authentication.

Chapter 9, “SNMP”: Describes SNMP functionality.

Chapter 10, “SYSLOG”: Describes SYSLOG functionality.

Chapter 11, “Access Control Using Groups”: Describes how to control access using groups.

Chapter 12, “Use Cases and Common Configurations”: Provides use cases and describes common configurations.

Chapter 13, “Control Panel Ease of Use Features”: Describes control panel ease of use features.

Chapter 14, “Automation Scripting”: Describes automation scripting.

Chapter 15, “Statistics”: Describes statistics.

Appendix A, “Software Upgrade and Port Allocation Procedures”: Describes software upgrade and port allocation procedures.

Appendix B, “5204/5236/5273 Front Panel LCD Menu Reference”: Describes the front panel LCD menus and functions.

Appendix C, “Packet Processing Features”: Describes packet processing features, both standard features and advanced features that are part of the advanced features modules for the 5236/5273 and the 5288.

Appendix D, “How Licenses are Remapped Due to a Configuration Change”: Describes how floating licenses change when the configuration changes.

Appendix E, “Troubleshooting”: Describes troubleshooting tools and procedures.

Appendix F, “5273/5288/5293 Safety Guidelines”: Describes safety guidelines.


Document Conventions

Typographic

The following table describes the typographic conventions used in this document.

Convention: Description (Example)

ABCdef: Identifies book titles, emphasized words or words that appear in the glossary, and command variables. (Examples: You must log in as root. / C:\>cd directory_name)

ABCdef: Identifies commands and graphical user interface items with which you interact. (Example: Click the OK button.)

ABCdef: Identifies a hyperlink or URL. (Example: http://www.anuesystems.com)

ABCdef: Identifies computer-generated output, API elements, and code samples. (Example: package require anuento)

??: Indicates optional parameters within a syntax description. This convention applies to scripting documentation only. (Example: ?login_id?)

|: Separates items in a list of choices; used with braces (??) in a syntax description. This convention applies to scripting documentation only. (Example: ?-include tcl_list(import_export_spec)| -exclude tcl_list(import_export_spec)?)

Notational

The following table describes the notational conventions used in this document.

Type (icon): Description

Tip: Provides information that might help you use the product more efficiently.

NOTE: Provides information that emphasizes the main text.

CAUTION: Provides information of critical importance that is required to ensure your own personal safety and to help protect your equipment and working environment from potential damage.

Indicates an electrical hazard. This convention applies to hardware-related material only.

Indicates a laser light hazard. This convention applies to hardware-related material only.

Indicates that the material should not be discarded with ordinary waste. This convention applies to hardware-related material only.

Indicates a dual power supply. This convention applies to hardware-related material only.

Additional Information

The following table lists additional documentation associated with the Anue Net Tool Optimizer (NTO).

Resource: Description

Installation Guide for your NTO model: Provides instructions for installing the Anue NTO.

Anue 5204/5236 Redundant AC Power Supply Connection Guide: Describes how to connect the Unipower AC Redundant Power Supply to the Anue NTO.

Anue 5204/5236 Redundant DC Power Supply Connection Guide: Describes how to connect the Unipower DC Redundant Power Supply to the Anue NTO.

Anue 5200 Automation Scripting Guide: Provides detailed information about the Anue NTO Automation Scripting capabilities.

Technical Support

Contacting Anue Technical Support

For technical support, contact Anue Systems:

– Email: [email protected]

– Phone:

• Direct: (512) 600-7200

• Toll Free (US & Canada Only): 1-877-268-3269 (Select option 2 from the phone menu.)

• Asia: +852 2824 8850

• EMEA (Europe, Middle East, Africa): +44 (0) 1189 076 204

The Anue Customer Portal (http://support.anuesystems.com) is also available. The customer portal allows customers to open support tickets, search for solutions and download documentation. All customers with a current support contract have an employee that has been designated as their Customer Administrator. Contact your Customer Administrator for details on how to request an Anue Customer Portal password and login account.

Optional service and maintenance contracts are available for each of Anue’s products and may be purchased separately. Contact Anue at [email protected] for details.

Sending Log Files to Anue Technical Support

A technical issue may require that you send the Anue NTO log files to Anue Technical Support.

To send log files to Anue Technical Support:

1. Select Help > Save and Send Logs from the menu.

2. Type a name for the log file, and click the Save button.

Your email application launches with a new message addressed to [email protected] as shown in the image below.

3. Attach the log from the directory indicated in the body of the email.

4. Specify the reason you are sending the logs and include any other pertinent information in the body of the message.

5. Click Send.


CHAPTER 1

Overview

The Anue Net Tool Optimizer (NTO) directs network data from SPAN ports and TAPS in your data center and forwards it to a convenient centralized tool farm where multiple tools can share simultaneous access to the network data.

The Anue NTO has a full range of connectivity capabilities so that each network tool is fed exactly the data it needs from anywhere in your network.

Figure 1-1. Anue NTO Tool Optimization

Inbound traffic from any incoming port may be switched to one or more outgoing ports, regardless of the speed of the incoming and outgoing ports.

Ports designated through software as Network Ports are used to connect tap and SPAN ports to the Anue NTO.

Ports designated through software as Tool Ports are used to connect tools such as data recorders and VoIP monitors to the Anue NTO.

The NTO server runs on the unit chassis. The Control Panel client, a Java-based graphical user interface (GUI), is provided so that the configuration and visualization of port mappings is easy and intuitive.

Multiple users can manage the NTO simultaneously and passwords and access privileges can be assigned. The Anue NTO server manages access to the configuration database. Users are warned when potential database conflicts exist and are allowed to decide if changes are saved to the database.

Models 5273, 5293: These models of the NTO are Network Equipment-Building System (NEBS) certified.


NTO Automation Scripting enhances the functionality of the NTO by providing the ability to automate the configuration and management of the NTO. NTO Automation Scripting consists of a command interpreter and a set of commands that can be saved in script files for automated processing or typed into an interactive shell for immediate processing. For example, this functionality allows you to interactively manage several Anue Net Tool Optimizers, to track specific traffic patterns during certain times of day, and to automatically update filter criteria and/or connections based on user defined trigger parameters.

Statistics are also provided to help monitor tool utilization and optimization.

Table 1-1 summarizes the physical characteristics of the different NTO models.

Figure 1-2. Anue 5204 Net Tool Optimizer

Figure 1-3. Anue 5236 Net Tool Optimizer

Figure 1-4. Anue 5273 Net Tool Optimizer

Table 1-1: Characteristics of NTO Models

Models: Characteristics

5204, 5236, 5273: The unit chassis is 1U high (5273 is 2U high) and supports up to 28 ports on the front and back. Port speeds of 1G and 10G are supported. In addition, built-in copper ports support 10/100/1000.

5288, 5293: The unit chassis is 2U high and supports up to 64 ports on the front. Port speeds of 1G, 10G, and 40G are supported.

Figure 1-5. Anue 5288 Net Tool Optimizer

Figure 1-6. Anue 5293 Net Tool Optimizer

Port Connection Options

The Anue NTO supports up to 28 (Models 5204/5236/5273) or 64 (Models 5288/5293) ports. Ports can be configured in the following manner:

■ Single Input (network port) to Single Output (tool port)

■ Single Input (network port) to Multiple Outputs (tool ports) (i.e. port sharing)

■ Multiple Inputs (network ports) to Multiple Outputs (tool ports)

■ Multiple Inputs (network ports) to Single Output (tool port) (i.e. aggregation)

■ Port Groups – Provides the ability to aggregate ports into higher bandwidth trunks for the purposes of load balancing tool traffic or interconnecting Net Tool Optimizers.

You can combine the port connection combinations listed above in any speed mapping combination.

NOTE When you map ports with higher rates of traffic to ports with lower rates of traffic (for example, a 10G Ethernet port mapped to a 1G port or multiple 1G ports aggregated to a 1G port), you should use filters so excess traffic is not passed to lower rate ports. Filtering can help tools avoid being overloaded with unnecessary or unwanted data.


Supported Packet Sizes

The Anue Net Tool Optimizer supports packet sizes from 64 bytes to 16K bytes (jumbo packets) at all line rates.

The following information provides details about how different packet sizes are defined and handled by the NTO:

■ Runt packets: Runt packets are packets that are less than 64 bytes. Runt packets are dropped at the ingress of the NTO.

■ Standard packets: Packets that are between 64 and 1,518 bytes (1522 with VLAN) are considered standard packets. Standard packets are supported.

■ Jumbo packets: Packets that are between 1,519 and 16,360 bytes are considered jumbo packets. Jumbo packets are supported.

Filter Overview

This section provides an overview of the filter types that are available on the NTO.

Filter Types

Dynamic filters are the primary method used to filter traffic on the Anue NTO. These are the filters that appear in the middle of the NTO Control Panel Diagram View. They are optimized for topologies that require both aggregating traffic from multiple network ports to a single tool, as well as sharing traffic from a network port with multiple tools. Dynamic filters are recommended as the default filtering approach because nearly all users have both of these topology requirements.

In addition to the dynamic filters, three other filter types are available: an ingress filter (located in the Network Ports column in the control panel), an egress filter (located in the Tool Ports column), and a Dynamic One-Stage filter (an advanced mode of dynamic filter, located in the Dynamic Filters column). All of the filter types can be used in combination with each other.

Tip: Several technical notes on advanced filtering subjects can also be downloaded from the Anue Customer Portal. See “Technical Support” on page 11 for information on how to access the Anue Customer Portal.


Ingress Filters

Ingress filters are configured at the network port. Ingress filtering occurs immediately upon traffic entering a network port, upstream from other filter types. One ingress filter can be applied to each network port. “Deny” and “Pass” filter modes are supported. Any traffic that is filtered out (i.e. removed) at ingress is no longer available to any downstream filters or tools. Therefore, care should be used when applying Ingress filters.

Ingress filters are typically used in conjunction with dynamic filters to remove traffic that is not needed by the tools that are connected, or are planned to be connected, to a network port. By filtering at ingress, traffic that is not needed is removed from the beginning and the overall filtering capacity of the NTO is improved.

Egress Filters

Egress filters are configured at the tool port. Egress filtering occurs downstream from Ingress and Dynamic filters. “Deny” and “Pass All” filter modes are supported. This filter type is typically used to fine tune filtering in combination with the Dynamic filters. Using a Deny filter to remove traffic that is not required by tools can also improve tool performance.

Dynamic One-Stage Filters

One-stage is an advanced setting on a dynamic filter. This type of filter is appropriate for applications that require sharing network port traffic with multiple tools, but do not require a heavy aggregation capability that could exceed the bandwidth of the tool port to which it is connected.

Filter Criteria Options

Filter criteria are available to define the type of traffic that can pass through a filter or be denied from passing through a filter. Dynamic filters, network ports (ingress filters) and tool ports (egress filters) all have filter criteria settings.

■ Network ports allow or deny traffic from passing through based on the defined criteria. The filter can also be configured to pass all or deny all traffic.

■ Dynamic filters (which display in the center of the diagram area) allow traffic to pass through based on the defined criteria. The filter can also be configured to Pass All or Deny All traffic.

■ Tool ports deny traffic from passing through based on the defined criteria. The filter can also be configured to Pass All or Deny All traffic.

The following filter criteria options are available. Note that the available filter criteria options may vary based on the object type (port or dynamic filter), filter mode (Pass All or Deny All) and the filter memory allocation settings.

Layer 2

■ MAC Address

■ Ethertype

■ VLAN Tag

IPv4

Layer 3

– IPv4 Address

– IP Protocol

– DSCP/ECN

Layer 4

– L4 Port (TCP/UDP Port)

– TCP Control

IPv6 (Models 5236/5273 only)

Layer 3

– IPv6 Address

– Next Header

– Traffic Class

Layer 4

– L4 Port (TCP/UDP Port)

– TCP Control

Several criteria options can be selected per filter. The selected criteria can be “AND’d” or “OR’d”.
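The stage order described in this chapter (ingress filter, then dynamic filter, then egress filter) decides what each tool can see. The following Python model is an added illustration, not NTO software or its scripting API; the class, function, port and field names (`Filter`, `tool_view`, `P1`, `T1`, `ip_protocol`, `l4_port`) are assumptions chosen to mirror the criteria listed above, and the packets are constructed samples. It shows which packets reach each tool and which ones a tool would have accepted but an ingress filter had already removed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    """One filter stage. Field names used in criteria are assumptions of this model."""
    mode: str = "pass_all"   # "pass_all", "deny_all", "pass" or "deny" (both by criteria)
    criteria: tuple = ()     # ((field_name, {values}), ...)
    combine: str = "and"     # selected criteria are AND'd or OR'd

    def matches(self, pkt):
        hits = [pkt.get(name) in values for name, values in self.criteria]
        return bool(hits) and (all(hits) if self.combine == "and" else any(hits))

    def lets_through(self, pkt):
        if self.mode == "pass_all":
            return True
        if self.mode == "deny_all":
            return False
        return self.matches(pkt) if self.mode == "pass" else not self.matches(pkt)


PASS_ALL = Filter()


def tool_view(packets, connections, ingress, dynamic, egress):
    """Return {tool_port: [ids of packets delivered to that tool]}.

    connections holds (network_port, dynamic_filter_name, tool_port) triples.
    Stage order follows the guide: ingress filter, dynamic filter, egress filter.
    """
    seen = {tool: [] for _, _, tool in connections}
    for pkt in packets:
        for net, dyn, tool in connections:
            if pkt["in_port"] != net:
                continue
            stages = (ingress.get(net, PASS_ALL), dynamic[dyn], egress.get(tool, PASS_ALL))
            if all(f.lets_through(pkt) for f in stages) and pkt["id"] not in seen[tool]:
                seen[tool].append(pkt["id"])
    return seen


def removed_at_ingress(packets, connections, ingress, dynamic, egress):
    """Packets a tool's own filters would accept but an ingress filter already dropped."""
    unfiltered = tool_view(packets, connections, {}, dynamic, egress)
    actual = tool_view(packets, connections, ingress, dynamic, egress)
    return {t: [i for i in unfiltered[t] if i not in actual[t]] for t in unfiltered}


# Constructed sample traffic (ip_protocol 17 = UDP, 6 = TCP).
PACKETS = [
    {"id": 1, "in_port": "P1", "ip_protocol": 17, "l4_port": 53},
    {"id": 2, "in_port": "P1", "ip_protocol": 6, "l4_port": 443},
    {"id": 3, "in_port": "P1", "ip_protocol": 6, "l4_port": 80},
    {"id": 4, "in_port": "P2", "ip_protocol": 17, "l4_port": 53},
    {"id": 5, "in_port": "P2", "ip_protocol": 6, "l4_port": 22},
]
# Ingress filter on network port P1 denies all UDP.
INGRESS = {"P1": Filter("deny", (("ip_protocol", {17}),))}
DYNAMIC = {
    "dns": Filter("pass", (("ip_protocol", {17}), ("l4_port", {53})), "and"),
    "web": Filter("pass", (("l4_port", {80, 443}),)),
}
# Egress filter on tool port T3 denies port 80.
EGRESS = {"T3": Filter("deny", (("l4_port", {80}),))}
CONNECTIONS = [
    ("P1", "dns", "T1"), ("P2", "dns", "T1"),   # aggregation: two network ports, one tool
    ("P1", "web", "T2"), ("P1", "web", "T3"),   # port sharing: one network port, two tools
]

if __name__ == "__main__":
    print(tool_view(PACKETS, CONNECTIONS, INGRESS, DYNAMIC, EGRESS))
    print(removed_at_ingress(PACKETS, CONNECTIONS, INGRESS, DYNAMIC, EGRESS))
```

In the sample, the DNS tool on T1 receives the P2 query but never the P1 query, because the P1 ingress filter removed UDP before the dynamic filter was evaluated.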


CHAPTER 2

Configuring the Management Port IP Settings

This chapter describes the basic setup procedure and other related information required to quickly get the Anue Net Tool Optimizer up and running.

Connect and Configure Ethernet Management Ports

This section covers information about connecting and configuring Ethernet Management Ports. Topics include:

■ “Port Locations and Labels” on page 19

■ “5273/5288/5293 Rules and Practices” on page 19

Port Locations and Labels

Table 2-1 describes the locations of the Ethernet management port(s) on each model of NTO:

Table 2-1: Ethernet Management Port Locations and Labels

Model: Location(s) and Labels

5204: One port on the rear of the chassis

5236: One port on the front of the chassis

5273: Two ports: one on the front of chassis labeled “front”, one on the rear labeled “rear”

5288, 5293: Two ports on the front of the chassis numbered “1” and “2”

5273/5288/5293 Rules and Practices

For models with two Ethernet management ports, one port will be active and the other port will be a backup (standby). Each Ethernet port provides a transparent backup in the event of an Ethernet port link failure. If the link status of the active port stays down for approximately 5 seconds, the IP interface will move to the backup Ethernet port.

The following rules and practices apply to the management ports:

■ Connecting both management ports allows for failover redundancy which is recommended but not required.

■ Both management ports must be connected to the same subnet.

■ Both management ports will automatically be assigned the same IP address but have unique MAC addresses.

■ If both management ports are connected and report a link up status when the unit is powered up, the 1st Ethernet port will be the active port and the 2nd Ethernet port will be the standby (backup).

■ In the event of failover to the standby Ethernet port, the standby port will remain active when the original active port returns to service. The original active port becomes the standby (backup) port.

Configuring the Management Port IP Address

This procedure describes how to configure the management port IP address using the GUI.

NOTE You cannot access the standby port to manage the NTO while it is the standby, only if it becomes the active port.

Models 5273/5288/5293: Auto-MDIX (automatic medium-dependent interface crossover) is supported for 1G, 100M and 10M copper ports. Auto-MDIX allows the interface to automatically detect and support a straight through or crossover Ethernet cable.

NOTE In the event of management port failover the NTO will issue gratuitous self ARPs to cause the remote nodes to update their ARP tables. Customers should verify that the routers in their network have gratuitous ARPs enabled. If gratuitous ARPs are not enabled on remote nodes, management port switchover may take longer to complete.

Table 2-2: Additional Information per Model

Model: More Information

5200, 5236, 5273: For information about configuring the management port IP address using the front panel control panel and LCD, refer to either the Anue 5204/5236 Installation Guide or the Anue 5273 Installation Guide.

5273, 5288, 5293: For information on how to configure the management port IP address using the craft port, see Chapter 3, “5273/5288/5293 Craft Port Interface.”

1. Log in to the control panel as described in Log in to the Management Control Panel using an account that has System Administrator privileges.

2. Click System in the management frame at the left side of the control panel and access the Status Settings tab. The information on this tab differs depending on your NTO model.

Figure 2-1. System Settings

3. Click the hyperlink to the right of either IPxx configuration: field.

Caution: Changing the IPv4 address, subnet mask, default gateway, IPv6 address, or network prefix settings will restart the NTO and force all users off the system. The user performing the IP address change will lose connection to the unit from the control panel GUI after saving the modification. To regain access to the unit, log in to the ANUE NTO using the new IP address. If the newly assigned IP address values are not correct, users will not be able to access the NTO remotely.

(Models 5204/5236/5273) Misconfigured IP address settings can only be corrected using the LCD interface. (Model 5273 addresses can be corrected using either the LCD or the craft/serial port interface.)

(Models 5273/5288/5293) Misconfigured IP address settings can only be corrected using the craft/serial port interface.


4. Configure the desired IP address, subnet mask and gateway in the Set IP Configuration window. Click OK to save the changes.

Figure 2-2. Set IP Configuration

The NTO supports dual stack IPv4/IPv6 management. IPv4 is always enabled and available for static assignment. IPv6 can optionally be enabled for dual stack operation and a static IPv6 management address can be assigned. IPv6 addresses may be entered using preferred format (e.g. 2001:0:0:0:0:80:21AF:3DAB) or compressed format (e.g. 2001::80:21AF:3DAB, where ‘::’ collapses consecutive groups of zeros).

The default gateway for the NTO’s IPv6 management interface is automatically determined by periodic router advertisements received on the interface.
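Because a wrong address, mask or gateway cuts off remote management until someone reaches the LCD or craft port, it is worth checking the values before saving them. The following Python check is an added example, not part of the NTO software; the function names are hypothetical, and it assumes that a gateway of 0.0.0.0 means no gateway is set. It also confirms that the preferred and compressed IPv6 forms shown above are the same address.

```python
import ipaddress


def prefix_length(netmask):
    """Return the prefix length of a dotted netmask.

    Raises ValueError if the mask is not a contiguous run of one bits,
    for example a host mask such as 0.0.0.255 typed by mistake.
    """
    mask = int(ipaddress.IPv4Address(netmask))
    host_bits = mask ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return bin(mask).count("1")


def check_mgmt_ipv4(address, netmask, gateway="0.0.0.0"):
    """Return a list of problems; an empty list means the settings are consistent."""
    try:
        ip = ipaddress.IPv4Address(address)
        prefix = prefix_length(netmask)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid value: {exc}"]

    problems = []
    net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        problems.append(f"{ip} is not a usable unicast address")
    if prefix < 31 and ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if not gw.is_unspecified:  # assumption: 0.0.0.0 means "no gateway set"
        if gw not in net:
            problems.append(f"gateway {gw} is outside {net}")
        elif gw == ip:
            problems.append("gateway equals the management address")
    return problems


def compressed_ipv6(text):
    """Normalize an IPv6 address in preferred or compressed form to compressed form."""
    return ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    # Values taken from the examples in this guide, plus one constructed bad gateway.
    print(check_mgmt_ipv4("192.168.162.12", "255.255.255.0"))
    print(check_mgmt_ipv4("192.168.162.12", "255.255.255.0", "192.168.41.1"))
    print(compressed_ipv6("2001:0:0:0:0:80:21AF:3DAB"))
```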


CHAPTER 3

5273/5288/5293 Craft Port Interface

The craft/serial port interface provides access to several commands which are described in detail below.

Craft Port Connection

Table 3-1 describes the craft port connections and their locations for each of the relevant NTO models.

Connect a serial cable between the NTO craft port and the serial port of a computer running a COM port terminal utility.

The settings of the COM port terminal utility must be set to 115200 baud, 8 data bits, 1 stop bit, and no parity.

You can configure the NTO for IPv4 and IPv6.

Craft Port Main Menu

After connecting to the unit craft port, the following unit status information is displayed at the top of the menu.

■ The unit IP address is displayed.

■ The System Name is displayed if this feature is configured.

■ System Type displays the NTO model number.

■ The System Status displays the alarm state of the NTO. When the System Status is “Not ready” the System Type will not be shown and only the Reboot System menu option will be available.

Models 5204, 5236: The craft port interface is not available on these models.

Table 3-1: Craft Port Connections

Model: More Information

5273: Standard 9-pin, RS-232 serial port, located on the rear panel. Note that the 5273 craft port exposes a “female” connector.

5288, 5293: Standard RJ45 serial port, located on the front panel

Main Menu options are displayed below the unit status information.

Welcome to Anue Systems <IP Address, IPv4 and IPv6 if it’s also enabled.>
Hit Enter to refresh status

[System Name]
<System Type: System Status>

Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results
Enter command number:

Reboot System

From the Main Menu type 1 to reboot the system and then press the Enter key on the keyboard.

A reboot verification message will be received. Type “yes” to begin the system reboot.


IP Config

1. From the Main Menu, type 2 and then press the Enter key on the keyboard. The following menu will display. Notice that the current settings are displayed next to each menu item.

IP Config:

1. Set IP Address (192.168.41.99)

2. Set Netmask (255.255.255.0)

3. Set Gateway Address (0.0.0.0)

4. Commit changes

5. Cancel/Return to Main Menu

2. Enter the command number for the IP setting you wish to change (1, 2, or 3).

For this example, we will select menu option 1 (Set IP Address). The following prompt will display.

Enter new IP Address:

Type 192.168.162.12. Then press the Enter key on the keyboard.

A confirmation message will then display.

Value entered: 192.168.162.12
Correct? Enter Y or N

Type “y” or “Y”. Then press the Enter key on the keyboard.

3. The IP Config menu will now display the modified IP address along with the other settings and options. Note that the modification will not take effect on the NTO until the changes have been committed (menu option 4).

IP Config:

1. Set IP Address (192.168.162.12)

2. Set Netmask (255.255.255.0)

3. Set Gateway Address (0.0.0.0)

4. Commit changes

5. Cancel/Return to Main Menu

Select option 1, 2 or 3 to continue modifying the current IP settings using the procedure described above. Select option 4 to commit changes (there will be another verification prompt before changes are actually applied). Select option 5 to cancel all changes that have not been committed.

Note: The System Status displayed on the main menu may indicate “Not ready” until management port configuration changes have been completed. Once the configuration changes have completed, the full main menu will display.


Management Port Config

The duplex mode of the Ethernet management port(s) is set to Auto-negotiate by default. The example below configures both Ethernet management ports simultaneously.

1. From the Main Menu, type 3 and then press the Enter key on the keyboard. The following menu will display. Note that “(current)” is displayed next to the currently configured duplex mode.

Management Port Config

1. Auto (current)

2. 1G Full

3. 100M Full

4. 100M Half

5. 10M Full

6. 10M Half

7. Return to Main Menu

2. Type a command number to select the duplex mode for the management port(s). Type 7 if you wish to return to main menu. For this example, we will type 2 (1G Full). Then press the Enter key on the keyboard.

A confirmation message will then display.

Changing management port to 1G Full.

Type “yes” to accept, anything else to cancel:

3. To accept the change, type yes and then press the Enter key on the keyboard. To cancel the changes, type any key on the keyboard and then press the Enter key.

Reset Administrator Password

From the Main Menu, type 4. The Reset Admin Password menu will display.

Enter the last 8 digits of the unit serial number. For example, serial number 5236-00000003 will be entered as “00000003.” The unit serial number is located on the rear of the unit.

Anue 5236: Status: Normal

Hit Enter to refresh status

Models 5204/5236: These NTO models have only one Ethernet management port.

Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results

Enter command number:4
Enter the key to reset the admin pasword:00000003
Value entered: 00000003
Type "yes" to accept, anything else to cancel:yes
The password has been reset to default.

Run POST Tests

From the Main Menu, type 5 to initiate the Power On diagnostic Self Tests. This will cause the system to restart. Note that running POST adds several minutes to system startup.

Welcome to Anue Systems IP address: 192.168.162.33

Anue 5288: Status: Normal

Hit Enter to refresh status

Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results

Enter command number:5
Run Power On Self Tests
Type "yes" to accept, anything else to cancel:yes
The NTO is being restarted. The power-on self-test will run during restart.

Get POST Results

From the Main Menu, type 6 to retrieve the results of the last POST run. This command cannot be run while the system is restarting.

Welcome to Anue Systems IP address: 192.168.162.33

Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results

Enter command number:6
Get Power On Self Tests results
Type "yes" to accept, anything else to cancel:yes
Results: Passed

Note: If the POST fails, contact Anue Technical Support for assistance.


CHAPTER 4

Log in to the Management Control Panel

The NTO allows multiple users to access and manage the system simultaneously but any single account may only be logged in from one location at a time. For example, if a user logs into the “admin” account on an NTO from one PC, a user on a different PC cannot also log into the "admin" account on the same NTO until the first user logs off.

Users can also manage multiple NTO systems from the same Control Panel. For information, see “Manage Multiple NTO Systems from the Same Control Panel Interface using ULM” on page 37.

Requirements for the NTO Management PC

■ The Control Panel application requires a Windows operating system environment. Windows XP and Windows 7 have been tested and are recommended.

■ Internet Explorer version 6 and higher and Mozilla Firefox 2.x and higher are the supported HTML browsers. Other browsers should also work. Note that Anue has only tested on Internet Explorer 8 and 9 and on Firefox 9.0.1 and 10.0.1.

■ The Control Panel requires the installation of a Java Runtime Environment (JRE) on the client PC. Both JRE 1.6 and 1.7 (that is, Java 6 and Java 7) are supported. If Java is not installed on the client PC, the Anue NTO HTML Welcome page will provide a link to a website from which you can download and install Java. Anue has tested on and recommends Java versions 1.6.0_31 and 1.7.0_05-b05. Both the 32-bit and 64-bit version of JRE are supported.

■ HTML browser “cookies” need to be enabled.

■ If you wish to enable cookies only for the NTO, follow the steps below:

A. In the Internet Explorer browser, select Tools > Internet Options. Click the Privacy tab. Click the Sites button. In the Address of website field, enter the IP address of the NTO – for example, “http://192.168.40.122/”. Click the Allow button. Click OK.

B. At the top of the Mozilla Firefox browser, select Firefox > Options > Options. Click the Content tab. Click the Privacy tab. To the right of the Firefox will field, open the drop-list and select Use custom settings for history. Ensure the check box is selected for the field Accept cookies from sites, and to the right of that field, click the Exceptions button. In the Address of website field, enter the IP address of the NTO – for example, “http://192.168.40.122/”. Click the Allow button. Click the Close button. Click OK.

C. For network environments where NAT (Network Address Translation) firewall traversal is required, see “Port Forwarding for NAT Firewall Network Environments” on page 36.

Adding a Login Banner

You can add a login banner, such as a security warning banner, to the control panel console and Tcl shell. Once configured, all users, including vendors, will see it prior to logging in to the console or Tcl shell. One use for this feature is compliance with the Sarbanes-Oxley Act (SOX).

For the control panel console, the login banner displays in a text banner as part of the login dialog. System administrators (admins) can add plain text or simple HTML. Admins can also enter Uniform Resource Identifiers (URI’s) that display as clickable links, opening the associated application (if available). The URI’s are user-defined. They may include internet URL’s, file shares, and any other system recognizable URI.

For the Tcl shell, once the login banner is configured, the Tcl shell presents the login banner text after a session initiates and the user logs in to the NTO. The login banner text displays directly above the current session result notice.

To add a login banner:

1. In the control panel, select the System view.

2. Click the Settings tab.

NOTE If your browser version requires a different procedure to enable cookies, please consult the help information of the browser for instructions.

Chapter 4, Log in to the Management Control Panel30 Anue Net Tool Optimizer User Guide

Page 33: Anue 5200 User Guide

3. In the General section, click the link to the right of the Login banner field.The Set Login Banner Configuration dialog displays, Figure 4-1.

Figure 4-1. Set Login Banner Configuration Dialog

4. Type in the login banner text and URI you want to display at login and click Preview to see it – for example, see Figure 4-2.

Figure 4-2. Preview of Login Banner

5. Click Cancel to close the preview.

6. Click OK to accept the new login configuration. A portion of the login banner text displays to the right of the Login banner field.

Logging in to the NTO

To log in to the NTO Control Panel:

1. Enter the IPv4 or IPv6 address assigned to the NTO into the URL field of your browser. You will be prompted to accept the Anue Software License Agreement.

2. The Welcome page will then display as shown in the figure below.

The Welcome page provides general information about the Net Tool Optimizer and resources to help manage and configure your NTO model.

Figure 4-3. NTO Control Panel Welcome Page

At the left side of the page, there are links to the PDF versions of the Startup Guide and the User Guide.

NOTE When entering an IPv6 address into a browser, square brackets “[ ]” must surround the IPv6 address. For example, “http://[fe80::21b:6eff:fe01:8]/”


At the lower left side of the page there is a display that indicates the current status of the NTO. This is a real-time display that is updated once a second.

Models 5204, 5236, 5273: The current status information also appears on the front panel LCD for the NTO. For information about status messages, see the 5204/5236/5273 Front Panel LCD Menu Reference.

In the center of the page, there are links to the Anue Systems Support web page, the Anue Systems home page, and the Tcl package to be downloaded. Unzip the Tcl package zip file to install the Tcl package. Complete help for installing and using the Anue Tcl Package can be found in the Automation Scripting Guide for your NTO model.

Click the Launch 52xx Control Panel button.

Tip: If you have previously accessed the NTO server from your current PC, you can skip to the Control Panel Login instructions as described below. See Login Issues in Appendix E, “Troubleshooting” for information on resolving login issues.

If this is the first time you have launched the application, a Java-based client will automatically download to the client PC from the NTO server. The Java-based client requires Java Runtime Environment (JRE) 1.6 or 1.7 (that is, Java 6 or Java 7). Anue has tested on and recommends Java versions 1.6.0_31 and 1.7.0_05-b05. Both the 32-bit and 64-bit versions of the JRE are supported.

The Firefox browser may prompt you to open console_jnlp.jsp with Java (TM) Web Start Launcher as shown in Figure 4-4. Click Ok if you receive this prompt.

Figure 4-4. Open console_jnlp.jsp Prompt

If an older version of Java is installed on the client PC, one of the following will happen:

■ The NTO Server will attempt to update the client PC to the supported version. The browser will display the message, “This website wants to install the following add-on: ‘Java (TM) SE Runtime Environment 6 Update #’ from ‘Sun Microsystems, Inc.’ If you trust website and the add-on and want to install it click here.”

Click the message and select “Install Active X control” to upgrade Java.

■ The NTO Welcome page will provide a link to a website that will allow Java to be downloaded and installed instead of displaying the Launch 52xx Control Panel button (as shown in Figure 4-5). The prompt will also display if the client PC does not have any version of Java installed.

Figure 4-5. Required Java Files Not Installed Message

Control Panel Log In

When the Control Panel Log In window displays, enter the NTO DNS name or address (IPv4 or IPv6), Login ID, and password. Note the system default Login ID (admin) and default Password (admin).

Figure 4-6. Log In Window

If this is the first time that the NTO has been powered up, or the unit has been reset to factory defaults, a license key must be entered. The license key is located on the USB memory stick that was shipped in the same box as the NTO unit.

Figure 4-7. License Prompt Window

To enter the license key, click the Browse button at the bottom of the window, navigate to the license key on the USB flash drive, select the license key, and click the OK button.

Log In Window options:

NTO:

Enter the IP address (IPv4 or IPv6) or DNS name defined for the NTO.

If this is the first attempt to log in to the NTO, the displayed IP address or DNS name matches the value entered into the HTML browser URL field. Subsequent login attempts will display the IP address or DNS name of the NTO that was last successfully logged in to.

NOTE IPv6 management must be enabled before IPv6 can be used to log in to or manage the NTO. IPv4 addresses must be entered using dotted quad format (e.g., 192.168.162.25). IPv6 addresses may be entered using preferred format (e.g., 2001:0:0:0:0:80:21AF:3DAB) or compressed format (e.g., 2001::80:21AF:3DAB, where “::” collapses consecutive groups of zeros).

History: If there have been prior logins, clicking the History button will provide a pick list of IP addresses and/or DNS names that can be selected for login - for example, the Address History shown below:

A selection from the History will populate the NTO field.

Login Id: Enter the login name. Note the system default Login Id (admin).

Password: Enter the password associated with the name entered in the Login Id field. Note the system default Password (admin).

Click OK to log in.

Note: Additional users can be added as described in the Adding Users and Configuring Authentication section.

Port Forwarding for NAT Firewall Network Environments

To allow an NTO server (or any other server) to reside behind a Network Address Translation (NAT) firewall, the network administrator typically configures the firewall to perform port-forwarding to ensure the server receives the necessary packets. For an NTO server, the NAT firewall needs to be configured to do port forwarding for the following four (4) ports:

■ NTO port (default 1099)

■ HTTP port (default 80)

■ Tcl port (default 5200)

■ SNMP port (default 161)

Table 4-1 shows an example port forwarding table (using default ports):

As shown in Table 4-1, any traffic received by the NAT firewall destined for port 80 will be forwarded to port 80 on the NTO server at 10.0.0.21.

Given the configuration in Table 4-1, clients inside and outside the NAT firewall could still access the NTO web server at IP address 10.0.0.21 using the default HTTP port 80.

Clients inside the firewall can access the NTO web server as follows:

■ http://10.0.0.21

Clients outside the NAT firewall could access the NTO web server as follows:

■ http://67.195.3.55

By using default incoming ports as shown in the example above, only one NTO server can be configured behind the NAT firewall because the default ports can only be forwarded to one server. If more than one NTO server resides behind the firewall, the administrator needs to configure additional (non-default) ports.

For more detailed information about setting up NAT firewall traversal and using multiple NTO servers behind the firewall, go to the customer portal and download the NTO tech note entitled 5200 - Anue 5200 Series NAT Traversal.
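The four-port requirement and the one-server-per-incoming-port limit described in this section can be checked before a rule set is applied to the firewall. The following Python check is an added example, not part of the Anue guide or software; the text format of the table, the function names, the second server 10.0.0.22 and its incoming ports 11099 and 15200 are constructed for illustration, and it assumes each NTO keeps the default service ports on the destination side.

```python
"""Check a NAT port-forwarding table for NTO servers (added example)."""
from collections import defaultdict

# Default NTO service ports as listed in this guide. Assumption: the NTO
# units still listen on these defaults; pass another map if they do not.
NTO_SERVICE_PORTS = {"NTO": 1099, "HTTP": 80, "Tcl": 5200, "SNMP": 161}

# The rows of Table 4-1, one "incoming destination" pair per line.
TABLE_4_1 = """\
67.195.3.55:1099 10.0.0.21:1099
67.195.3.55:80 10.0.0.21:80
67.195.3.55:5200 10.0.0.21:5200
67.195.3.55:161 10.0.0.21:161
"""

# Constructed draft that adds a second NTO (10.0.0.22) behind the same
# public address: port 80 is reused and the SNMP forward was forgotten.
TWO_NTO_DRAFT = TABLE_4_1 + """\
67.195.3.55:11099 10.0.0.22:1099
67.195.3.55:80 10.0.0.22:80
67.195.3.55:15200 10.0.0.22:5200
"""


def parse_endpoint(text):
    """Split 'host:port' (or '[ipv6]:port') into (host, port)."""
    host, sep, port = text.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad endpoint: {text!r}")
    return host, int(port)


def parse_table(text):
    """Return a list of ((in_host, in_port), (dst_host, dst_port)) rules."""
    rules = []
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()  # allow trailing comments
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {number}: expected 'incoming destination'")
        rules.append((parse_endpoint(fields[0]), parse_endpoint(fields[1])))
    return rules


def check_table(rules, service_ports=NTO_SERVICE_PORTS):
    """Return findings: incoming-port conflicts and unforwarded NTO ports."""
    findings = []
    first_dest = {}            # incoming endpoint -> first destination seen
    served = defaultdict(set)  # destination host -> destination ports reached
    for incoming, dest in rules:
        previous = first_dest.setdefault(incoming, dest)
        if previous != dest:
            # One incoming IP:port can be forwarded to one server only.
            findings.append(
                "conflict: %s:%d is forwarded to both %s:%d and %s:%d"
                % (incoming + previous + dest))
        served[dest[0]].add(dest[1])
    for host in sorted(served):
        for name, port in service_ports.items():
            if port not in served[host]:
                findings.append(
                    "missing: no forward reaches %s:%d (%s port)"
                    % (host, port, name))
    return findings


if __name__ == "__main__":
    for label, table in (("Table 4-1", TABLE_4_1), ("draft", TWO_NTO_DRAFT)):
        problems = check_table(parse_table(table))
        print(label, "OK" if not problems else problems)
```
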

Table 4-1: Example Port Forwarding Table, Using Default Ports

| Incoming IP Address: Port | Destination Server: Port |
| --- | --- |
| 67.195.3.55:1099 | 10.0.0.21:1099 |
| 67.195.3.55:80 | 10.0.0.21:80 |
| 67.195.3.55:5200 | 10.0.0.21:5200 |
| 67.195.3.55:161 | 10.0.0.21:161 |

Manage Multiple NTO Systems from the Same Control Panel Interface using ULM

The ULM (Unified Login and Management) feature allows users to log in to and manage multiple NTO systems without having to start multiple instances of the Control Panel interface. Using ULM a user will be able to easily switch between NTO units for viewing and management.

Although the diagram area and controls for the NTO units appear in the same interface, the units are completely independent and do not share data. A change made to the configuration of one of the units will have no effect on the other units.

Note: All NTO systems managed with ULM must be running the same software version.

After logging in to an NTO system, select File -> New Session from the Control Panel menu to log in to additional systems.

The user can also log in to the same system more than once using different Login IDs. This feature can be used as a method to troubleshoot security issues. For example, an administrator could log in to the same unit as a System Administrator and as a non-System Administrator to verify that applied security settings are having the desired effect for certain users.

Figure 4-8. Tabs for Each Login

After more than one user is logged in, a separate tab will appear in the Control Panel interface for each unique login Id/NTO combination.

Information displayed on the tab:

■ A user icon. Non-administrators are represented by a person wearing a blue shirt. System administrators are represented by a person wearing a shirt and tie.

■ A system alarm status indicator which indicates the highest alarm state of all subsystems.

■ The System Info name (if defined on the Settings tab of the System view). The System Info name in the example above is “NTO-52 3.0 Testing”.

■ The NTO model number (for example, 5293).

■ The user Login Id name “@” the NTO IP address or DNS name.

■ The user can choose which system to manage by clicking on the appropriate tab. The active tab will have a gold border along the top edge.

ULM Functionality Notes:

■ Except for the Edit -> Options settings, actions performed using the menu options will only apply to the configuration of the NTO system that is selected. The Edit -> Options settings are stored locally and apply to all systems that are logged in to from the same PC.

■ Objects (filters and filter criteria, for example) can be copied and pasted from one NTO diagram to another.

■ It is possible to have multiple property and statistic dialog boxes from different NTO systems open simultaneously. The title bar of each dialog box will display the NTO model number, user name and unit IP address or DNS name.

■ When several port or filter statistic dialog boxes are open (from the same system or different systems), clicking the Pause button in one of the dialog boxes will pause the reporting of statistics for all open dialog boxes. Clicking the Resume button in one of the dialog boxes will resume the reporting of statistics for all open dialog boxes. Note that pausing and resuming of statistics reporting also affects the statistics displayed in the ports and dynamic filter views.

Tip: The F12 function key can be used to bring all open statistics windows into the foreground at the same time.

To log out of a system (close the tab for the system):

1. Click the tab of the system.

2. Select File -> Log Out from the menu or use the Ctrl+L shortcut.

Subsequent Log in using the Saved Sessions Feature

The control panel GUI has the ability to remember active sessions upon exit. Session information can be saved to the user’s local PC preferences and recalled the next time the user logs in.

This feature is enabled by default but it can be disabled by selecting Edit -> Options from the menu, deselecting the “Remember active sessions on exit” option and clicking OK.

After the IP address of an NTO (that was active upon exit of the last session) is entered into an HTML browser and the Launch 52xx Control Panel button is clicked, the user will be prompted for the Login IDs and passwords that were active during the last session.

Tip: If the last session included logins to systems that used the same login name/password combination, the login name/password combination only has to be entered once to log into all of those systems. For example, if a session included 4 systems with the login name/password of admin/admin, the user will automatically be logged into all 4 systems after entering “admin/admin” once at the Log In prompt.

Adding Users and Configuring Authentication

The NTO supports user authentication using locally-managed user accounts or using the remote authentication services TACACS+ (Terminal Access Controller Access Control System Plus) or RADIUS (Remote Authentication Dial-In User Service). Configuration and use of TACACS+ and RADIUS are documented in Chapter 8, “Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS.” Both locally and remotely managed users may be authorized as NTO administrators or non-administrators.

Using NTO Local Authentication

By default the NTO is configured to authenticate using locally managed user accounts. It comes from the factory with a single local administrator account with login ID “admin” and password “admin.” The admin account cannot be deleted, even when using one of the remote authentication services. You should change the password for the admin account at your earliest opportunity.

Creating a New User Account

To create a new local user account on an NTO using local authentication:

1. Log in to the NTO Control Panel with a Login ID that has System Administrator capability.

2. Select File > New > User from the control panel menu or click the Add New User icon located on the shortcut tool bar.

Figure 4-9. Add New User Icon

3. Configure the user account in the New User window. Click the System Administrator checkbox to assign system administrator capability to the user account.

A password must be assigned for new users. Users can change their passwords after logging in.

Caution: If forgotten, account passwords cannot be recovered. If the admin account password is lost, and it is not possible to use one of the reset procedures described below, the NTO unit must be returned to Anue Systems to be reset.

Models 5204, 5236, 5273: The password for the admin account can be reset using the front panel controls if the LCD admin password reset feature is enabled on the System Settings page. Note that this feature is enabled by default. See “Resetting the Admin Password from the LCD Menu” on page 311 for more information.

Models 5273, 5288, 5293: The password for the admin account can be reset using the serial/craft port interface. See “Reset Administrator Password” on page 26.


Figure 4-10. New User Window

4. Click OK to save the account settings.

Table 4-2 lists the capabilities of System Administrators and Non-Administrator Users.

Table 4-2: System Administrator and Non-Administrator User Capabilities

| Capabilities | System Administrator | User |
| --- | --- | --- |
| Add and delete user accounts and modify the properties of any user account | x | |
| Modify system configuration settings | x | |
| Install a license and software upgrades | x | |
| Save, restore and clear configurations | x | |
| Clear filters | x | |
| Clear the system | x | |
| Import/export configurations | x | |
| Create groups and port groups | x | |
| Shutdown/restart the system | x | |
| Add, modify, delete, enable and disable any object | x | |
| Modify the Edit->Option settings | x | x |
| Modify their own user account properties | x | x |
| View objects created by all users | x | x |
| View, reset and export object statistics | x | x |
| Add, modify and delete filters | x | x |
| Delete and add connections between objects | x | x |
| Create and modify custom icons and filter templates | x | x |

Control Panel Overview

The control panel is the client interface to the Net Tool Optimizer (NTO) server. The control panel is a Java based graphical user interface (GUI) that provides simple and intuitive configuration and tool management features.

Multiple users can manage the NTO simultaneously and passwords and access privileges can be assigned to each individual user.

Statistics are also provided to help manage tool utilization and optimization.

After logging into the NTO, the Control Panel will display. The Control Panel allows network operators to easily manage NTOs and perform day-to-day troubleshooting. The graphical user interface (GUI) provides a clear view of the links and filtered traffic each optimizer is monitoring.

The following is an overview of the control panel options. Detailed descriptions of how to use these controls are presented later in this document.

NOTE Some Control Panel details differ for various models of the NTO. Therefore, the screen captures you see in this document may differ from what you see for your particular model.

Figure 4-11. Control Panel

The Control Panel is the primary user interface for controlling, configuring, and monitoring the NTO. There is also an automation scripting interface. See Automation Scripting for more information.

Title Bar, Menu and Shortcut Toolbar

The title bar area displays the System Info name (if it is assigned in the System Settings), the 5200 model number (for example, 5293), the current Login ID and the IP address or DNS name assigned to the NTO. The title bar information changes when the user selects the tabs that represent unique logins into the same or different NTO units (described in detail in “Manage Multiple NTO Systems from the Same Control Panel Interface using ULM” on page 37).

Figure 4-12. Title Bar, Menu and Shortcut Toolbar

The menu options (File, Edit, View, Help) and shortcut toolbar can be used to configure the NTO settings and gather information. Focus indicates which objects are currently displayed in the diagram. Selection indicates the selected object.


Management Frame

The management frame provides high level views and configuration options for Ports, Port Groups, Dynamic Filters, Library (filter and icon), Users, Groups and the NTO System. The default selection is “Diagram” which displays the diagram area. The view that is selected will have a gold strip along its left edge.

Figure 4-13. Management Frame

Diagram Area

The Diagram Area is used to connect and configure NTO objects such as dynamic filters, ports and port groups.

Figure 4-14. Diagram Area


The diagram area title bar shows the number of objects configured and displayed in the diagram. For example in the figure above, “Tool Ports/Port Groups (5 of 12)” indicates that 12 tool ports or port groups are configured and 5 of them are visible. In this case, the remaining 7 ports are contained within the port groups displayed. The count of ports that are not displayed will also include disabled ports that are hidden.

Note that objects in the diagram area are automatically arranged using an algorithm designed to minimize crossed connections. See the Edit Menu section for details on the Auto-organize algorithm and information on how to disable the feature if desired.

Available Filter Memory Meters and Function Key Legend

Adjustable memory pools are available for filter criteria. The Available Filter Memory area provides information on the currently available filter memory. See the section on Available Filter Memory Meters for detailed information on the memory meters and how to adjust the filter memory settings. Hovering the mouse pointer over a meter also provides information about the meter settings and status.

Figure 4-15. Available Filter Memory

The bottom section of the diagram area provides a Function Key Legend for several viewing options. See the Function Keys section for a description of displayed and non-displayed function keys.

Figure 4-16. Function Keys

Diagram Area Menu and Tool Tips

Hovering the mouse over any diagram object, except for connectors, provides tooltip help that summarizes the object configuration and displays the text in the object Description field (an example is shown in the figure below). In general, all of the buttons and fields in the control panel GUI provide tooltip help. The F7 key can be used to toggle these tool tips on or off.

Figure 4-17. Filter Tooltip Help

Right-Click Function

You can right-click many items for a shortcut menu of options. For example, right-clicking on the diagram area background displays a menu with the options shown in the figure below.

Figure 4-18. Diagram Area Menu


Right-clicking on ports, port groups and dynamic filters will also display a menu, like the one below when you right-click a network port icon.


CHAPTER 5

Control Panel Menu Options

This chapter describes the NTO Control Panel menu options. These menu options are found along the top of the Control Panel.

File Menu

This section describes the File menu.

Note that the file menu options are different for regular users and system administrators.

Tip: Control and function keys can be used as shortcuts for several menu options. Shortcuts are indicated by the text “Ctrl + letter” or “F number” (e.g. F3) after the menu option.

Figure 5-1. File Menu Options

■ New Session

Sessions allow users to log in to multiple NTO systems. Unified Login and Management (ULM) is used to manage sessions. See Manage Multiple NTO Systems from the Same Control Panel Interface using ULM for more information.

■ Log Out

Ends the current session (the one whose session tab is active).

■ New >

– Dynamic Filter

Opens a dialog for configuring a new dynamic filter.

– New Interconnect Port Group -> (Network, Tool or Bidirectional)

Opens a dialog for configuring a new network, tool, or bidirectional interconnect port group.

– New Load Balance Port Group

Opens a dialog for configuring a new load balance group.

– Filter Template Collection

Opens a dialog for configuring a new collection of filter templates.

– Filter Template

Opens a dialog for configuring a new, reusable filter template.

– User

Opens a dialog for adding a new local user to the system. (This option is available only to system administrators, and it is available to system administrators only when the NTO is in local authentication mode.)

– Group

Opens a dialog for adding a new local group to the system. (This option is available only to system administrators, and it is available to system administrators only when the NTO is configured to manage groups locally.)

The following menu options are only available to system administrators.

■ Export Configuration

Opens a dialog for saving the current system settings and configuration to an external file for backup purposes or to share the settings between systems. (See “Exporting and Importing an NTO Configuration” on page 51.)

■ Import Configuration

Opens a dialog for applying the settings from a previously exported configuration file to the system. (See “Exporting and Importing an NTO Configuration” on page 51.)

■ Restart

Restarts the hardware and software systems of the NTO as if from power down and power up.

■ Power Down

Shuts down the hardware and software systems of the NTO.

Note that the system will need to be restarted manually after power down. For information about restarting after power down, refer to the Installation Guide for your NTO model.


■ Clear Filters and Ports

Removes all filters and port groups and resets all ports to factory default.

■ Clear Configuration

Does the same thing as Clear Filters and Ports, and removes all user groups, filter templates and collections, and local users (except for the default administrator).

■ Clear System

Does the same thing as Clear Configuration and removes all library items and resets all system settings and the default administrator password to factory default. The unit will then be restarted.

Exporting and Importing an NTO Configuration

The NTO configuration can be exported and imported. There are options that allow pre-defined subsets of the configuration to be exported/imported as well as options that allow for the customization of exported/imported data.

Note that the configuration database (stored on the NTO server) is automatically backed up as necessary on the unit itself. Importing and exporting can be used to perform manual backups, to save and restore specific configurations, or to copy settings between units.

NOTE For the 5288/5293, import/export issues may arise as the filter memory nears 100% in use (full).

By default, each port on a 5288/5293 uses up some of the available filter memory. For example, an NTO with 32 ports uses up more filter memory than an NTO with 16 ports. This is true even before adding filters to an NTO configuration.

As an NTO nears 100% filter memory in use (unavailable), you may not be able to import its configuration into another NTO if the second NTO has more ports than the first NTO. More ports use up more of the filter memory from the start. If you attempt to do this, you may receive a filter programming error that there is no space for the input rule.

The available filter memory is displayed at the bottom of the Diagram view in the NTO control panel. Mouse over the memory meters to see the percentage of memory available and the percentage in use (unavailable). For more information about available filter memory meters, see “Available Filter Memory Meters” on page 189.


The export and import features allow the user to accomplish four (4) essential tasks:

1. Make a full backup of an NTO configuration. This feature can be used to restore a unit to a base configuration in the case of accidental data loss.

2. Make identical copies of a “master unit”. The master configuration could be used as a starter template when there is a need to deploy several units.

3. Allow users to share partial information between NTO units.

4. Allow for easily changing the traffic configuration of an NTO. Note that this feature can be used manually or automatically (using Tcl) by importing a different configuration based on traffic conditions.

There are three (3) export types:

1. Full Backup – This export is a copy of the entire configuration (ports, filters, system configuration settings, etc.). Exceptions are noted below.

2. Traffic Configuration – This export saves the following configuration information:

– All ports, port groups, filters, and custom port icons.

– System tab settings related to ports, port groups and filters, including filter memory allocation settings, port group load balance settings (if applicable), etc.

3. Custom – This export gives you the option to select the objects that will be saved to the configuration file.

Import Behavior and Characteristics

When importing a configuration, the options and items available for import vary depending on the type of the export file and depending on the unit into which the configuration is being imported. Some of the factors affecting the items available for import are shown below:

■ Users cannot be shared between NTO units and can be imported only into the same unit from which they were exported.

■ Settings that are specific to one NTO model can be shared only with the same NTO model (for example port settings from a 5273 NTO cannot be imported into a 5288 optimizer).

These factors result in several different options being available during an import.

For example, when importing a full backup configuration into the same unit that it was exported from, the user will be given the following import options:

■ Full Import (from Backup)

■ Traffic Configuration

■ Custom

Note: Regardless of the export type, the default administrator account and the NTO IP address settings (IP, Subnet Mask, Default Gateway) are never exported/imported.

When importing a full backup configuration into a different unit, the user will be given the following import options:

■ Full Copy (without users)

■ Traffic Configuration

■ Custom

When importing a traffic configuration into the same or a different unit, the full import options will not be available, and the user will be given the following import options:

■ Traffic Configuration

■ Custom

When importing a custom configuration, the full import and traffic configuration options will not be available. Only the custom option will be available.

You can export and import across all model types, with some restrictions. The import will always be treated as a custom import in those cases.

Notes:

• When dynamic filters are imported via a Custom import, copies of the filters will be created with no connections. Filters that previously existed on the target system will be unaffected. When importing dynamic filters via any other type of import, the previously existing filters on the target system will first be deleted and the imported filters, and their connections, will be created.

• The user will be alerted if any of the requested items could not be imported.

• Importing a configuration that changes management port settings will result in the NTO restarting.

• Importing a configuration that changes the authentication mode or the TACACS+ or RADIUS configuration settings will result in all users being logged out of the NTO.


To export a configuration:

1. Select File -> Export Configuration from the control panel menu.

The Export Configuration dialog box appears.

Figure 5-2. Export Configuration Window

 


Figure 5-3. Export Selection

2. A description of the export configuration can be entered in the Description field. This field is for the convenience of the user and can be used to describe the contents and purpose of the export file. The description will be visible when later importing this file.

3. In the Export Selection area, select the Export Type. The export types are Full Backup, Traffic Configuration and Custom. The components of the configuration that are selected will change depending on the type of export selected.

After an export type is selected, components within the categories of Ports, Port Groups, Dynamic Filters, Library, Users, Groups and System can be checked for inclusion in and unchecked for omission from the backup.

Hovering the mouse over a component will cause more information about that component to be displayed in the form of a pop-up tool tip (see image below).

4. Click the Export button.

5. In the Export Configuration window, accept the default name or enter a new name for the configuration file and select the destination directory.

Note that the NTO configuration files by default have an “.ata” file name extension. The default file name is composed of: the unit IP address or System name (if configured)_model number (for example, 5293)_yyyymmdd_unit software version_export type (Full, Traffic or Custom).ata.
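Because users can be imported only into the unit they were exported from, every NTO needs its own recent Full export. The following is an added example (not Anue code) that audits a list of default-style export file names for that; the sample names, version strings and the 30-day threshold are constructed, and it assumes the software version field contains no underscore.

```python
from datetime import date, datetime

EXPORT_TYPES = {"Full", "Traffic", "Custom"}   # export type tokens named in the guide


def parse_export_name(filename):
    """Split a default-style export name into its fields, or return None.

    Layout per the guide: <IP or system name>_<model>_<yyyymmdd>_<version>_<type>.ata
    Fields are taken from the right so a system name containing underscores
    stays intact (assumption: the version string has no underscore).
    """
    if not filename.lower().endswith(".ata"):
        return None
    parts = filename[:-4].rsplit("_", 4)
    if len(parts) != 5:
        return None
    unit, model, ymd, version, export_type = parts
    if not unit or not version or not model.isdigit():
        return None
    if export_type not in EXPORT_TYPES:
        return None
    if len(ymd) != 8 or not ymd.isdigit():
        return None
    try:
        exported = datetime.strptime(ymd, "%Y%m%d").date()
    except ValueError:            # e.g. month 13
        return None
    return {"unit": unit, "model": model, "exported": exported,
            "version": version, "type": export_type}


def audit_full_backups(filenames, today, max_age_days=30):
    """Classify each (unit, model) seen by the age of its newest Full export.

    Traffic and Custom exports do not count, and a Full export from another
    unit does not count either, because users cannot be imported across units.
    Renamed or malformed files are returned under "unparsed" for manual review.
    """
    newest_full, seen, unparsed = {}, set(), []
    for name in filenames:
        rec = parse_export_name(name)
        if rec is None:
            unparsed.append(name)
            continue
        key = (rec["unit"], rec["model"])
        seen.add(key)
        if rec["type"] == "Full" and rec["exported"] > newest_full.get(key, date.min):
            newest_full[key] = rec["exported"]
    report = {"ok": [], "stale": [], "missing": [], "unparsed": unparsed}
    for key in sorted(seen):
        if key not in newest_full:
            report["missing"].append(key)
        elif (today - newest_full[key]).days > max_age_days:
            report["stale"].append(key)
        else:
            report["ok"].append(key)
    return report


# Constructed sample input: file names as they might appear in a backup share.
SAMPLE_FILES = [
    "10.0.0.5_5293_20121001_3.7.0_Full.ata",
    "10.0.0.5_5293_20121009_3.7.0_Traffic.ata",
    "core_tap_east_5273_20120815_3.6.1_Full.ata",   # system name with underscores
    "lab-nto_5288_20121010_3.7.0_Custom.ata",       # unit with no Full export at all
    "backup-final.ata",                             # renamed by the operator
    "10.0.0.5_5293_20121301_3.7.0_Full.ata",        # invalid date
]
SAMPLE_TODAY = date(2012, 10, 11)

if __name__ == "__main__":
    for status, items in audit_full_backups(SAMPLE_FILES, SAMPLE_TODAY).items():
        print(status, items)
```

The default administrator account and the management IP settings are never part of an export, so they still have to be recorded separately for each unit.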

 


To import a configuration:

1. Select File -> Import Configuration from the control panel menu. The Select the Import File window appears.

2. Select the appropriate directory and configuration file. Note that the NTO configuration files have an “.ata” file extension by default.

3. Click the Import button.

4. If an import exception occurs, read the exception and then click the OK button. The Import Configuration window appears.

Figure 5-4. Import Configuration Window

5. The user can customize the import and remove an entire category of data by unchecking the category checkbox or expanding a category and selecting options from the category.

Notes: After an import has succeeded, import exceptions can be reported if configuration conflicts need to be resolved.

 


Edit Menu

This section describes the Edit menu.

Figure 5-5. Edit Menu Options

The Edit menu gives users options with objects such as filters, groups, filter template collections, etc., to:

■ Copy to the system clipboard

■ Paste from the system clipboard

■ Delete

Users can also:

■ Configure display Options (described in detail below)

■ Configure the user profile settings under My Profile (described in detail below)

■ Configure the Properties of a selected object


Configure Display Options (Edit > Options):

Figure 5-6. Options Window

The settings on the Options page apply to all NTO sessions started from the current PC user account and are only applied on the current PC.

For example:

1. A user configures control panel options while logged in at PC#1.

2. The user logs out of an NTO at PC#1 and then logs into the same NTO from PC#2.

The control panel settings configured while logged in at PC#1 will not be in effect during the user’s control panel session at PC#2.

Also, if a second user logs into the NTO from PC#1, the options configured by the first user will not be in effect for the second user.

General

Remember window location and size on exit – When this option is enabled, the location and size of the control panel window is saved upon exit and recalled when the user logs in again.

Remember active sessions on exit – When this option is enabled, the active session information is saved (excluding passwords) and recalled when the user logs in again. Details about this feature can be found in the Manage Multiple NTO Systems from the Same Control Panel Interface using ULM section.

Show disabled ports – When this option is selected, network and tool ports that are disabled display in the diagram area. Unselect this option to hide disabled ports. Hiding disabled ports may help to make the diagram easier to read.

Control panel log level: Click the hyperlink to configure the log level for the control panel. The control panel log level can be raised to help troubleshoot control panel issues. Log levels should only be changed as directed by Anue Technical Support.

Diagram

Automatically re-organize when changes occur - Selecting this option will cause the diagram to automatically re-arrange objects so that the diagram connections are easier to see.

Filters and ports are automatically arranged using an algorithm designed to minimize crossed connections. When Auto-organize is disabled, the diagram can be organized by pressing the F5 key.

The rules for reorganization (or organization after pressing the F5 key) are:

■ Network ports with connections to filters are arranged before network ports without connection to filters.

■ Ports connected to the same filter are sorted alphabetically by name.

■ Ports without connections are sorted alphabetically, with enabled ports having higher priority than disabled ports.

■ Enabled ports are arranged before disabled ports.

■ Filters that have the most port connections are displayed at the top of the diagram.

■ Filters that have equal connection counts are sorted alphabetically by name.

■ Port groups are treated the same as ports although port groups have a higher priority than ports.

Statistics

Refresh statistics every – The statistics refresh rate can be configured in seconds, minutes or hours. This setting is only applicable to the current control panel and does not affect the actual collection of statistics on the NTO.

Chart sample interval – Configure the sample rate for port and dynamic filter statistics charts. This control panel option does not affect the actual collection of statistics on the NTO. The drop-down list provides options that range from 1 second to 5 minutes. Each interval option also indicates how long each sample is retained in the chart history before being discarded to make room for a new sample. For example, the option “30 sec (max data range 15 hours)”, indicates that chart statistics will refresh every 30 seconds and that statistics data can be charted at this sample interval, continuously, without data loss, for up to 15 hours.


Confirmations

Confirmation messages display when users perform certain actions. These messages may become undesirable if a user is familiar with a feature and already understands the ramifications of their actions. The settings in this section of the page allow confirmation messages to be suppressed or displayed. Confirmation messages can also be suppressed from within the confirmation dialogs themselves.

Confirm mandatory statistics reset when filter connections are added:

The options for this confirmation message are: Always ask and Never ask. For example, a user has drawn a connector between a filter and a tool port. The following message will display (notice the “Don’t show this message again.” checkbox at the bottom of the confirmation dialog box):

Figure 5-7. Reset Filter Statistics Confirmation

Display edit dynamic filter dialog when connecting two ports on the diagram:

The options for this confirmation message are: Always ask, Always do this (automatically open the Edit filter dialog box when this action occurs) and Never do this (never ask about configuring the filter).

For example, a user has drawn a connector between a network port and a tool port. This action will cause a filter to be created automatically. The following message will display (notice the “Remember my answer…” checkbox at the bottom of the confirmation dialog box):

Figure 5-8. Configure Filter Prompt


Automatically enable disabled ports when a connection is added:

The options for this confirmation message are: Always ask, Always do this (always enable disabled ports when a connection is added) and Never do this. For example, a user draws a connector between a filter and a disabled tool port. The following message will display (notice the “Remember my answer…” checkbox at the bottom of the confirmation dialog box):

Figure 5-9. Enable Port Prompt

While editing a dynamic filter, warn when statistics will be reset:

The options for this confirmation message are: Always ask and Never ask. For example, a user has changed the criteria of a filter from Pass All to Pass by Criteria. When OK is clicked to accept the modifications, the following message displays (notice the “Don’t show this message again.” checkbox at the bottom of the confirmation dialog box):

Figure 5-10. Reset Filter Statistics Confirmation

Display edit port group dialog when creating a port group from selected ports:

The options for this confirmation message are: Always ask, Always do this (always open the Edit Port Group window after the port group is added) and Never do this.


Figure 5-11. Configure Object Prompt

Confirm editing far-end when a remote interconnect port group is set up:

The options for this confirmation message are: Always ask, Always do this (always open the Edit Port Group window after the port group is added) and Never do this. This message displays after the Remote Far End feature is configured. The system attempts to connect to the far end and configure the far end port group “Interconnected with” settings.

Figure 5-12. Confirm Remote Far-End Connection

Allow a dynamic filter to connect to both ends of bidirectional interconnect port group:

The options for this confirmation message are: Always ask, Always do this (always open the Edit Port Group window after the port group is added) and Never do this. This message displays after the user attempts to make a connection between both ends of the same bidirectional interconnect port group. The message serves as a minor warning because this sort of connection is unnecessary.

Figure 5-13. Confirm Bidirectional Interconnect Port Group

At the bottom of the Options window there are OK, Cancel and Reset buttons. The Reset button can be used to reset the display option configuration to the default settings.


Configure My Profile (Edit -> My Profile)

The following settings can only be modified when the NTO is in local authentication mode. User profiles cannot be modified when the NTO is in TACACS+ or RADIUS authentication mode.

All users can modify the following settings for their account:

■ Login ID

■ Full Name

■ Email Address

■ Phone number

■ Password

Figure 5-14. Edit User Window

Created: Displays the date and time the account was created and the name of the system administrator who created the account.

Last Modified: Displays the date and time the account was last modified and the name of the user who modified the account. A brief description of the change that was made to the account is described in parentheses.


View Menu

This section describes the View menu.

Figure 5-15. View Menu Options

The View menu is used to modify the view of the diagram area. The options are:

■ Zoom In – Makes the elements of the diagram larger, consequently displaying fewer of them at a time.

■ Zoom Out – Makes the elements of the diagram smaller, consequently displaying more of them at a time.

■ Zoom to 100% – Restores the diagram elements to their default sizes.

■ Focus diagram on (All ports and dynamic filters or Selected object(s) or My access) – Shows only certain diagram elements and their connections.

– All ports and dynamic filters - Shows everything on the diagram. If disabled ports are hidden they remain hidden.

– Selected object(s) - Shows only those objects that are currently selected, plus any objects they are connected to.

– My access - Shows only those objects which the current user is allowed to modify or connect to, plus any objects those objects are connected to.

The Focus feature allows the user to isolate and display a specific set of objects in the diagram area.

Focus can be used to simplify a complex diagram and make it easier to read.

The user can choose to focus on: selected object(s), all ports and dynamic filters or my access. Focus is a local option that only affects the diagram view of the current user.

The diagram focus can be selected using the following methods:

– F6 focuses on the selected objects or removes focus from the view.

– Right-click the selected objects or the diagram background and select the desired focus option.

– Select View -> Focus diagram on.

Tip: When selecting objects, press and hold the Ctrl key to select more than one object.


The My access focus allows the user to view the objects that they can access based on the Access Control settings of the objects. Note that connected objects are also displayed. For example, if a login account has access to a tool port, the objects connected to the tool port will also display in the view even though the user might not have the ability to modify or change the connections to those objects.

Administrator users will not have the “Focus on My access” option because they always have access to all objects.

Help Menu

This section describes the Help menu.

Figure 5-16. Help Menu Options

The Help options provide access to the following:

■ Anue Net Tool Optimizer Help: Access the online help system.

■ Documentation: Access the user guide and the startup guide.

■ Support: Launches your default email application and opens a message addressed to Anue Technical Support.

■ Save and Send Logs: Allows you to save and send server logs to Anue Technical Support. For more information, see “Technical Support” on page 11.

■ Licensing: Opens an HTML page that displays the license agreement.

■ About: Provides information about the version of the NTO Control Panel that is currently running.


Icon Toolbar and Focus Status

This section describes the Icon Toolbar and Focus Status area that is located above the diagram area.

The shortcut icons, reading from left to right, are:

■ Copy the selected object(s).

■ Paste the most recently copied object(s).

■ Delete the selected object(s).

■ Edit the properties of the selected object.

■ Add a Dynamic Filter. (See Creating Dynamic Filters.)

■ Add an Interconnect Port Group. (See Interconnect Port Groups.)

■ Add a Load Balance Port Group. (See Load Balance Port Groups.)

■ Add a Filter Template Collection. (See Filter Template Collections.)

■ Add a Filter Template. (See Creating Filter Templates.)

■ Add a User. (See Adding Users and Configuring Authentication.)

This icon will only appear when a system administrator is logged in and the NTO is in local authentication mode.

■ Add a Group. (See Creating Groups and Adding Users to Groups.)

This icon is only available when a system administrator is logged in, and the NTO is using local groups.

Figure 5-17. Icon Toolbar and Focus Status

The Focus status lists the selected focus and the Selection status provides information about the objects that are selected.

The default focus is on all objects. In this mode, the focus status will indicate “All”.

When a single object is selected for focus, Focus will display the object type and the name of the object. When several objects are selected for focus, Focus will display the type of objects selected and a count of each type of object selected.


CHAPTER 6

Creating and Using Objects

This section provides detailed information about creating and configuring ports, port groups and dynamic filters.

Features Common to All Object Pages

The following features and displayed information are available on all of the NTO objects described in the sections below:

Port, Port Group, or Filter Icon Image: A status image is displayed in the upper right corner of the window, other windows associated with this port, and on the diagram. The image displays the same port/filter status and configuration information that is displayed on the icon in the diagram area.

Within any window that this icon is visible:

■ Double-click the icon image to open the port properties window.

■ Ctrl + double-click the icon image to open the port statistics window.

Last Modified: Displayed on the General tab. Displays the date and time the object was last modified and the name of the user who modified the object. A brief description of the changes that were made to the port is provided in parentheses.

Up to 3 modification descriptions will be listed, followed by the text “more…” if there were more than 3 changes made to the object during the last modification. When the text “more” is displayed in the dialog, the tooltip help for the Last Modified field provides the complete list of changes that were made to the port.

Except for Dynamic Filters, the following features and displayed information are available on all of the NTO objects described in the sections below:

Port or Port Group Icon

The current icon is displayed at the lower left of the General tab. You may select a different icon from the icons displayed on the right or click the Custom Icon button to add or remove a custom icon from the Icon Library. The custom icon will then be used as the port icon.

Supported file types for custom icons are .jpg, .gif and .png. Larger images will be automatically resized down to a maximum of 64x64 pixels, maintaining their original aspect ratio. Images smaller than 64x64 maintain their original size.


Figure 6-1. Diagram Image Section

Use the Reset To Default button to revert back to using the default port/port group icon.

Control Panel Behavior when Adding or Removing Port Modules

The following information applies to all port module types that can be installed into the NTO.

■ At this time, only cold-swapping of port modules is supported. In order to remove or install port modules, the system should be powered off.

■ Configuration information for a port (settings and connections) is associated with the slot, not the port module. Therefore, configuration information will not “follow” a port module if it is moved from one slot to another.

■ If a port module is replaced (cold swapped) with the same type of port module, the system will retain the port configuration information and apply it to the newly installed port module.

■ If a port module is replaced (cold swapped) with a different type of port module, the ports and port configuration information previously configured for the slot will be removed. The new ports, if licensed, will be initialized with default configuration settings. If the new ports are not licensed, they will display as unlicensed ports in the Control Panel GUI.

■ If a port module is removed and not replaced, the associated port configuration information will be removed. Ports for the slots will not be displayed in the Control Panel GUI.

Creating Network or Tool Ports

Network ports are connected to network devices such as switches, routers, SPANs and taps. Tool ports are used to connect tools such as protocol analyzers and intrusion protection systems to the NTO.

Any NTO port can be configured as a network or tool port. The options for network and tool ports are the same except where noted.

 


The Control Panel uses this default naming convention for ports:

P<slot><port>

where:

slot indicates the interface module in a particular slot

port indicates the port number

For example, PA10 indicates port 10 in the interface module installed in slot A.

You can also give the port a more descriptive name using the Port Name field in the Port Properties dialog.

Table 6-1 describes the ports available on each NTO model and the capabilities of those ports.

Figure 6-2 shows the expansion slots on an NTO 5293. Your model may look different.

Table 6-1: Available Ports on NTO Models

Model / Available Ports

5204:
• Ports 1-20 support copper connections.
• Ports 21-24 can support copper or fiber connections.

5236, 5273:
• Ports 1-20 support 1G copper or fiber or 10G fiber connections.
• Ports 21-24 support copper connections.

5204, 5236, 5273:
• Ports PA1 and PA2 are physically located on the interface module in slot A. These ports do not appear if no card is present in slot A.
• Ports PB1 and PB2 are physically located on the interface module in slot B. These ports do not appear if no card is present in slot B.

5288, 5293:
Port modules, with a varying number of ports and capabilities, can be installed into expansion slots A, B, C or D. A label below each port indicates the port number.


Figure 6-2. Expansion Slots

Using the Port General Tab

The port dialog has the following tabs under which the configuration settings are grouped:

1. General Tab – Used to define a port name, port description and configure link settings.

2. Filter Criteria Tab – Used to specify the filtering characteristics of the port.

3. Connections – Used to configure the connections to dynamic filters.

4. Access Control – Used by system administrators to define the access policies for the port.

5. (5236/5273 only) Advanced – Displays if you have installed an Advanced Feature Module in your NTO. Used to configure the features of the Advanced Feature Module. (For more information, see Appendix C, “Packet Processing Features.”)

To configure a port, double-click the icon of an unassigned port. The Edit Port dialog will then display.

The General Tab options are:

Port Number #: The port number is displayed. This number corresponds to a physical port on the chassis or interface module.

Name: The name field allows a name to be assigned to the port. A default name, such as P10 (models 5204/5236/5273) or PA10 (models 5288/5293), will be used if none is specified.


Figure 6-3. Network Port General Tab Options

Description: The description field provides an area to document detailed information about the port. Text entered in this field will display in the tooltip help of the port icon and in a column of the Ports View.

Port Status Image: See “Features Common to All Object Pages” on page 67.

Last Modified: See “Features Common to All Object Pages” on page 67.

Port Settings

Media Type: The media type for the port connection.

Possible values depend on licensing. If a port can be 1G SFP/10G SFP+, you can license the port for 1G-only or for 1G/10G. When ports are licensed for 1G/10G, you can select which media type you want to use (1G SFP or 10G SFP+) for each port. See Table 6-2 for media types available on the different NTO models.

Port Mode: The user can select Network or Tool. Network ports are used to connect SPAN ports or taps to the NTO. Tool ports are used to connect devices such as intrusion detection systems, VoIP analyzers and data storage devices to the NTO. Network ports will display on the left side of the diagram area. Tool Ports will display on the right side of the diagram area.

Pause Frames (Tool Ports Only): The user can select Ignore or Accept.

A pause frame is a flow control mechanism defined by IEEE 802.3x that uses MAC Control frames to carry pause commands. Pause commands are generated when a sending device is transmitting data faster than a receiving device can receive it. The receiving device generates a pause frame that indicates the amount of time it wants the sending device to “pause” sending traffic.

When the NTO accepts pause frames it will stop the transmission of data until Ethernet flow control indicates that the device that sent the pause frame is ready to receive additional traffic.

When the NTO ignores pause frames it will continue to forward traffic to the connected device regardless of the Ethernet flow control state of the device.

“Ignore Pause Frames” is the default tool port setting. This feature is not supported on network ports.

Enabled: The user can select Enabled or Disabled. A port must be enabled in order to pass traffic. Disabled ports will display as dimmed in the diagram view, tabular views, and pick lists.

Table 6-2: Possible Media Types

Model / Media Types

5204:
• Ports 1-20 are 1G copper only.
• Ports 21-24 can be 1G copper or 1G SFP (Fiber).
• Ports A1, A2, B1, B2 (on expansion modules) can be 10G XFP or 1G SFP/10G SFP+, depending on the expansion module type.

5236, 5273:
• Ports 1-20 are 1G SFP/10G SFP+.
• Ports 21-24 are 1G copper.
• Ports A1, A2, B1, B2 (on expansion modules) can be 10G XFP or 1G SFP/10G SFP+, depending on the expansion module type.

5288, 5293:
All ports are on expansion modules and can be 1G SFP/10G SFP+, or 40G QSFP+, depending on the module type.

Note: When accepting pause frames, the NTO will buffer a very small amount of data before dropping packets. Configuring the NTO to ignore pause frames will prevent packets from dropping at the NTO but the port of the connected device may drop packets due to oversubscription.
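To make the Pause Frames setting and the note above concrete, the following added example (not Anue code) decodes an IEEE 802.3x PAUSE frame, totals how long a tool kept a port paused, and estimates what an accepting port would have to drop. The tool MAC address, the event timeline, the offered rate and the 64 KiB buffer size are constructed or hypothetical values; the guide says only that the NTO buffers a very small amount of data.

```python
import struct

MAC_CONTROL_ETHERTYPE = 0x8808                   # EtherType of MAC Control frames
PAUSE_OPCODE = 0x0001                            # MAC Control opcode for PAUSE
PAUSE_MULTICAST = bytes.fromhex("0180c2000001")  # reserved PAUSE destination address
QUANTUM_BITS = 512                               # one pause quantum = 512 bit times


def build_pause(src_mac, quanta):
    """Build a 60-byte PAUSE frame (without FCS) to use as sample input."""
    header = struct.pack("!6s6sHHH", PAUSE_MULTICAST, src_mac,
                         MAC_CONTROL_ETHERTYPE, PAUSE_OPCODE, quanta)
    return header.ljust(60, b"\x00")             # pad to the minimum frame size


def parse_pause(frame):
    """Return the requested pause time in quanta, or None if not a PAUSE frame."""
    if len(frame) < 18:
        return None
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if ethertype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    return quanta


def pause_seconds(quanta, link_bps):
    """Convert pause quanta to seconds for a link running at link_bps."""
    return quanta * QUANTUM_BITS / link_bps


def total_paused(events, link_bps):
    """Total time a port that accepts pause frames would stop transmitting.

    events: (arrival_time_seconds, frame) tuples sorted by time. A new PAUSE
    replaces the running timer; a PAUSE with quanta 0 ends the pause at once.
    """
    paused = 0.0
    start = end = None
    for t, frame in events:
        quanta = parse_pause(frame)
        if quanta is None:
            continue
        if end is not None and t >= end:         # earlier pause expired by itself
            paused += end - start
            start = end = None
        if quanta == 0:
            if end is not None:                  # explicit resume cuts it short
                paused += t - start
                start = end = None
            continue
        if start is None:
            start = t
        end = t + pause_seconds(quanta, link_bps)
    if end is not None:
        paused += end - start
    return paused


def accept_mode_loss(quanta, link_bps, offered_bps, buffer_bytes):
    """Bytes dropped during one uninterrupted pause when pause frames are accepted.

    Rough model: traffic keeps arriving at offered_bps, the buffer starts empty,
    and buffer_bytes is a hypothetical capacity, not a figure from the guide.
    """
    backlog = offered_bps * quanta * QUANTUM_BITS // (link_bps * 8)
    return max(0, backlog - buffer_bytes)


# Constructed sample: a tool on a 1G port pauses, refreshes, resumes, pauses again.
TOOL_MAC = bytes.fromhex("020000000001")
SAMPLE_EVENTS = [
    (0.000, build_pause(TOOL_MAC, 0xFFFF)),      # maximum pause request
    (0.020, build_pause(TOOL_MAC, 0xFFFF)),      # refreshed before it expired
    (0.030, build_pause(TOOL_MAC, 0)),           # tool is ready again
    (0.050, b"\x00" * 60),                       # unrelated frame, ignored
    (0.100, build_pause(TOOL_MAC, 1000)),        # short pause later on
]

if __name__ == "__main__":
    print("paused for", total_paused(SAMPLE_EVENTS, 10**9), "s")
    print("dropped", accept_mode_loss(0xFFFF, 10**9, 800_000_000, 65536), "bytes")
```

With Ignore selected the NTO never stalls, so the same backlog is delivered to the tool, and any loss shows up in the tool's own interface drop counters instead.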


Link Settings: The available link settings depend on the port media type. For 1G SFP ports, the only supported link setting is 1G Full Duplex. For 10G SFP+ ports, the only supported link setting is 10G Full Duplex.

Port Status

Link Status: Displays the connectivity status of the port. Displays Link Up or Link Down.

A red “X” appears on the icon when a port is enabled and down.

Port Icon

See “Features Common to All Object Pages” on page 67.

Using the Network Port (Ingress) or Tool Port (Egress) Filter Criteria Tab

Filter criteria are used to define the type of traffic that will be allowed to pass through an object or define the type of traffic that will be prevented from passing through an object.

See Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters for detailed information.

Using the Port Connections Tab

The connections tab for a network port displays the Destination Dynamic Filters to which traffic will be sent and allows dynamic filters to be connected to, and disconnected from, the port.

Models 5204, 5236, 5273: Auto-MDIX (automatic medium-dependent interface crossover) is always used for 1G, 100M and 10M copper ports. Auto-MDIX allows the interface to automatically detect and support a straight-through or crossover Ethernet cable.


Figure 6-4. Network Port Connections Tab

Connections to dynamic filters can be removed using the Remove button (select one or more dynamic filters and then click the Remove button).

To add connections use the Add dynamic filter button. The Select dynamic filters window will display. Select one or more dynamic filters to connect to the tool port (the Shift and Ctrl keys can be used to select more than one dynamic filter).


Figure 6-5. Select Dynamic Filters

Using the Port Access Control Tab

The Access Control tab provides a means for administrators to restrict who can modify the network port settings and connect dynamic filters to the port.

For details about access control, see Chapter 11, “Access Control Using Groups”.

Creating Dynamic Filters

The Dynamic Filter dialog has four tabs under which the configuration settings are grouped:

■ General Tab – Used to define a filter name and description.

■ Filter Criteria Tab – Used to specify the traffic filtering behavior.

■ Connections Tab – Used to add, remove, and view the current connections to tool and network ports.

■ Access Control – Used by system administrators to define access policies for the filter.

NOTE: Adds and removes occur immediately after clicking OK, and connection modifications cannot be canceled using the Cancel button on the main Port Properties window.


There are several ways to begin the filter creation process:

1. From the control panel menu, select File > New > Dynamic Filter.

2. Right-click in the Diagram area and select New Dynamic Filter.

3. Click the Add a new dynamic filter icon in the control panel toolbar.

4. Draw a connector between a network port and a tool port. Note that when a filter is created in this manner the filter is configured to deny all packets by default.

Using the Dynamic Filter General Tab

The General Tab options are:

Name: The name field allows a name to be assigned to the filter.

Description: The description field provides an area to document detailed information about the filter. Text entered in this field will display in the tooltip help of the dynamic filter icon and in a column of the dynamic filters view.

Figure 6-6. New Dynamic Filter Window

Filter Status Image: See “Features Common to All Object Pages” on page 67.

Advanced: The advanced options are designed for experienced users who want to configure one-stage filters. For more details about one-stage filters, see the 5200 - Advanced Filtering Concepts and Options Technote, which is available for download from the Anue Customer Portal. See “Technical Support” on page 11 for information on how to access the Anue Customer Portal.

The customer portal (http://support.anuesystems.com) allows customers to open support tickets, search for solutions, and download documentation.

Using the Dynamic Filter Criteria Tab

Filter criteria are used to define the types of network packets that will be allowed to pass through a filter.

See Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters for detailed information.

Using the Dynamic Filter Connections Tab

The connections tab displays the network and tool ports that are connected to the dynamic filter. Dynamic filters receive traffic from network ports and send traffic to tool ports.

Figure 6-7. Dynamic Filter Connections Tab

Connections can be removed by highlighting the connected port and clicking the Remove button. The Shift and Ctrl keys can be used to select more than one port.

Network and tool port connections can be added using the Add Port buttons.

When the Add Port button is clicked the Select Ports window will display. Select one or more ports and click OK. The Shift and Ctrl keys can be used to select more than one port.

Figure 6-8. Select Network Ports

Using the Dynamic Filter Access Control Tab

The Access Control tab provides optional features that allow administrators to configure security policies that restrict who can modify the dynamic filter settings and add and remove connections to ports.

Access Control is described in detail in Chapter 11, “Access Control Using Groups.”

Creating Port Groups

Port groups provide the ability to aggregate ports into higher bandwidth trunks for load balancing tool traffic or interconnecting Net Tool Optimizers (NTOs). Port groups also provide other management features that are described later in this section.

NOTE Unlike the Select Dynamic Filter connection dialog reached from the Port Properties dialog, these port connection changes do NOT take effect immediately after you click OK. If you change your mind, you can cancel them by clicking the Cancel button on the main Filter Properties window.

Interconnect Port Groups

Interconnect port groups support connections between NTO units.

Figure 6-9. Interconnect Port Groups

The figure above demonstrates how port groups can be deployed to share tools between NTOs. A detailed description is provided below. The notation “4x10 G” indicates that an interconnect port group (ICPG) contains four 10G ports.

Models 5236, 5273, 5288, 5293: You can combine up to eight ports (1G and 10G) into a unified trunk to provide interconnect bandwidth.

Model 5204: Port groups can contain only one port.

Note: Physical cable connections must be made between the NTO units that will share an interconnect port group. Port connections must follow the standard rules related to port speed and duplex modes to ensure a port “link up” status.

The information below describes the settings that are required to configure an Interconnect Port Group.

Note that in all ICPG scenarios, it is required that an ICPG be created on both of the NTO systems that share the interconnect:

■ NTO #1 has local tools. The ICPG connection to NTO #4 is unidirectional. The tools that are directly connected to NTO #1 can only be shared by the SPAN and taps that are directly connected to NTO #1. Those same SPANs and taps can access the tools on NTO #4 by way of the interconnect port group.

■ NTOs #2 and #3 can share their local tools with each other because of the bidirectional ICPG between them. Both NTO #2 and NTO #3 have a unidirectional ICPG to NTO#4. SPANs and taps that are directly connected to NTO #2 and NTO #3 can access the tools on NTO #4.

■ NTO #4 has unidirectional network-side interconnects with NTOs #1, #2, and #3. The tools connected to NTO #4 can be shared by all of the NTOs deployed at the site. NTO #4 has no access to tools on the other NTOs.

The tool side of an ICPG is always set to a Rebalance failover mode. In Rebalance mode, a port failure will cause the port to be disabled and removed from the load balancing algorithm. Traffic that was destined for the failed port will be transmitted out of an in-service port within the group. Once the port's link status returns to link up, the port is re-added into the load balance algorithm.

Creating an Interconnect Port Group

There are three methods that can be used to create an interconnect port group:

Method One

1. Select ports in the diagram area.

2. Right-click one of the selected ports.

3. Select Create Interconnect Port Group > Network, Tool or Bidirectional from the menu.

Note that the options displayed vary depending on the ports selected. For example, if a tool port and network port are selected, the menu only displays “bidirectional” because it is the only possible configuration when a network and tool port are in the same group.

Method Two

■ Click the New Interconnect Port Group icon in the toolbar area.

Note: The ports within an interconnect port group can be a combination of 1G and 10G ports but caution should be taken when mixing port speeds within tool interconnect port groups. If one of the ports within a tool interconnect port group goes down, its traffic will automatically be diverted to the other ports in the group. Failover to in-service ports occurs regardless of port speed. Failover from a 10G port to a 1G port could lead to traffic congestion and dropped packets. Also, traffic will not balance well between the 10G and 1G ports, resulting in drops on the 1G ports and/or under-use of the 10G ports. The load balancing algorithm cannot weight the ports such that the 10G ports would get 10 times the load of the 1G ports.

Method Three

1. Right-click in the diagram area.

2. Select New Interconnect Port Group > Network, Tool or Bidirectional from the menu.

The New Interconnect Port Group or Edit Interconnect Port Group dialog window displays depending on the creation method chosen:

Figure 6-10. New Interconnect Tool Port Group

The following sections explain how to use the tabs on the New Tool Interconnect Port Group window.

Using the Interconnect Port Group General Tab

Name: Enter a name for the Interconnect Port Group.

Interconnected with: This is an optional setting that allows you to access and manage the NTO at the other end of the interconnect. The field displays the IP address or DNS name of the far-end NTO. Click the hyperlink to configure or modify the Far-End Interconnect Port Group setting. When information is entered about the far-end system, right-clicking the Interconnect Port Group provides a Manage Other End menu option as shown in the following image:

Figure 6-11. Select Far End ICPG

The following options can be configured on this dialog box:

■ Address: Enter the IP Address or DNS name of the far-end NTO. Click the History button to select a far-end NTO from a list of NTO units that have been accessed during earlier NTO Control Panel sessions.

■ Interconnect Port Group: Displays the remote or far-end interconnect port group. Click the Select button to select an interconnect port group from the remote NTO.

■ Clear: Click the Clear button to remove the current Far-End Interconnect Port Group settings.

Description: Enter a description of the interconnect port group in this field so that, for future reference, you can tell at a glance the nature of the interconnect port group that you created and configured.

Interconnect Port Group Settings: This section displays Port Mode settings and options. The displayed port mode can be Network, Tool or Bidirectional.

Interconnect Port Group Status:

Enabled Status: This field displays the number of ports within the port group that are enabled followed by the total number of ports in the port group.

Enabled Port Status:

Combined Speed: This field displays the combined speed of all the enabled ports within the port group.

Note: To use the Manage Other End Feature and configure the “Interconnected with” setting, the NTO units that share an interconnect port group must be running the same version of software.

After the address of the far-end NTO is selected, a login prompt will be launched for that system. The user will need to have a login account on the far-end NTO to complete the interconnection. The login accounts do not have to be the same account.

The word “partial” after the speed value indicates that one or more of the enabled ports within the port group have a link down status. The reported combined speed does not include the port speed settings of link-down ports.

Link Status: This field indicates the number of enabled ports within the port group that have a link up status.

Port Group Icon

See “Features Common to All Object Pages” on page 67.

Using the Interconnect Port Group Ports Tab

1. Click the Add button.

2. Select the ports that will be contained within the port group.

Models 5236, 5273, 5288, 5293: You can combine up to eight ports (1G and 10G) into a unified trunk to provide interconnect bandwidth.

Model 5204: Port groups can contain only one port.

NOTE Ports may not be added or removed while the port group is connected to a dynamic filter. Ports that are currently connected to dynamic filters cannot be added to a port group. They must first be disconnected from all filters before they can be added.

Ports can be removed by selecting them in the port section and clicking the Remove button.

Using the Interconnect Port Group Filter Criteria Tab

Filter criteria are used to define the types of network packets that will be allowed to pass through a filter.

See Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters for detailed information.

NOTE The following are the effects of adding ports to an interconnect port group:

• When a port is added to a port group, its icon is removed from the diagram area. The individual port properties can then only be accessed from the Ports tab within the port group or from the right-click menu of the port group.

• A port added to a port group maintains its media settings.

• A port added to a port group inherits the filter criteria settings of the port group.

• Port groups inherit the access control settings of the ports within the group that have the most restrictive access control settings.

• The icon for a bidirectional port group is displayed on both sides of the diagram area as shown in the figure below. Notice that the port group maintains the same name (whether automatically assigned or user assigned) on both sides of the diagram area. The “BIC-#” (Bidirectional Interconnect #) label indicates the number of ports in the port group.

Tip: Right-clicking on a port displayed in the Ports section provides the ability to access the properties of the port, disable the port, and for system administrators, modify the access control settings of the port.

Using the Interconnect Port Group Connections Tab

Click the Add Dynamic Filter button to connect filters to the port group.

■ Destination dynamic filters can be configured for network port groups.

■ Source dynamic filters can be configured for tool port groups.

■ Both the source and destination dynamic filters can be configured for bidirectional port groups.

Using the Interconnect Port Group Access Control Tab

The Access Control tab displays information about the users who can modify the property and connection settings of the port group. Detailed information about access control can be found in Chapter 11, “Access Control Using Groups.”

Note: Adding and removing connections to filters are immediate operations, not controlled by the OK or Cancel buttons at the bottom of the Edit Port Group window.

If the dynamic filters to be connected are configured to inherit their access control settings from their connected ports, a user might receive a warning message that a new connection to a filter might cause some users to lose access to that filter if the new connections come with more access restrictions. In that case, the user will be prompted to confirm a loss of access before the connection is completed.

Figure 6-12. Edit Network ICPG

The access policies for a port group are inherited from the contained ports.

Operation: Modify this Port Group: This section displays the access policy in effect and the users who are allowed to change the configuration settings of this port group.

Operation: Connect/Disconnect Filters to/From this Port Group: This section displays the access policy in effect and the users who are allowed to connect filters to this port group and disconnect filters from this port group.

The Details buttons provide information about the specific users with access and how the access settings were determined, as shown in the following image:

Figure 6-13. Access Details for Modify - Interconnect Port Group Dialog

The Users section displays the users who can change the property settings of the port group. Note that system administrators can always modify the property settings.

The Ports section displays a table showing the ports that determine the Modify access settings of the port group. A user must meet the access requirements for every port shown in order to modify the port group settings.

Modifying Port Access Control Settings

System administrators can modify the access control settings of ports from the Ports tab by right-clicking on the ports within the port group as shown in the figure below:

Load Balance Port Groups

Load balance port groups allow traffic to be dynamically distributed across multiple tool ports while keeping network conversations intact so that each load balanced tool sees a complete session (all packets from a session will be sent out of the same port). Load balancing can also be used in conjunction with all NTO tool port filtering capabilities.

Load balance port groups can be configured to use one of two different failover modes: Rebalance or None.

In Rebalance mode, a port failure will cause the port to be removed from the port group. Traffic that was destined for the failed port will be transmitted out of one or more of the other in-service ports within the group.

Models 5236, 5273, 5288, 5293: You can combine up to eight ports (1G, 10G, and 40G) into a load balance port group.

Model 5204: Load balance port groups are not supported.

Note: The ports within a load balance port group can be a combination of 1G, 10G, and 40G ports. But caution should be taken when mixing port speeds within Tool load balance port groups. If one of the ports within a load balance port group goes down, its traffic can automatically be diverted to the other ports in the group. Failover to in-service ports occurs regardless of port speed. Failover from a 10G or 40G port to a 1G port could lead to traffic congestion and dropped packets. To keep that from happening, you can disable the load balance port group failover feature. Also, traffic will not balance well between the 10G, 40G, and 1G ports, resulting in drops on the 1G ports and/or under-use of the 10G/40G ports. The load balancing algorithm cannot weigh the ports such that the 10G/40G ports would get 10 times or 40 times the load of the 1G ports.

When the failover mode is set to None, a port failure will cause packets destined for the port to be dropped. When the failed port returns to service, packets will resume transmission out of the port.
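The two failover modes and the unweighted distribution described above can be modelled as follows. This is an added example, not part of the guide or Anue code: the NTO's hashing algorithm is not documented here, so a symmetric CRC32 hash over the two flow endpoints is assumed, and the port names and flows are constructed.

```python
"""Model of load balance port group failover (Rebalance vs. None).

Added illustration only. Assumption: flows are assigned with a symmetric
CRC32 hash over both endpoints; the real NTO algorithm may differ.
"""
import zlib
from collections import Counter
from dataclasses import dataclass


@dataclass
class ToolPort:
    name: str
    speed_gbps: int
    link_up: bool = True


def session_hash(src_ip, src_port, dst_ip, dst_port):
    # Sort the endpoints so both directions of a conversation hash alike,
    # which keeps a whole session on one tool port.
    a, b = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return zlib.crc32(f"{a}|{b}".encode())


def egress_port(ports, flow, failover="rebalance"):
    """Return the ToolPort a flow leaves on, or None when it is dropped."""
    h = session_hash(*flow)
    primary = ports[h % len(ports)]        # unweighted: port speed is ignored
    if primary.link_up:
        return primary
    if failover == "none":
        return None                         # traffic for the failed port is dropped
    in_service = [p for p in ports if p.link_up]
    if not in_service:
        return None
    return in_service[h % len(in_service)]  # only the failed port's flows move


def distribution(ports, flows, failover="rebalance"):
    """Count flows per egress port; dropped flows are counted as 'DROPPED'."""
    counts = Counter()
    for flow in flows:
        port = egress_port(ports, flow, failover)
        counts[port.name if port else "DROPPED"] += 1
    return counts


def sample_flows(n=4000):
    # Constructed traffic: n client conversations towards one server.
    return [(f"10.0.{i // 250}.{i % 250 + 1}", 20000 + i, "192.0.2.10", 443)
            for i in range(n)]


if __name__ == "__main__":
    group = [ToolPort("P1", 10), ToolPort("P2", 10),
             ToolPort("P3", 10), ToolPort("P4", 1)]
    flows = sample_flows()
    print("all links up      :", dict(distribution(group, flows)))
    group[0].link_up = False
    print("P1 down, rebalance:", dict(distribution(group, flows, "rebalance")))
    print("P1 down, none     :", dict(distribution(group, flows, "none")))
```

In the output the 1G port P4 receives about the same number of sessions as each 10G port, and takes on part of P1's sessions after a Rebalance failover, which is the congestion risk the note on mixed port speeds describes.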

Access Control Required to Create and Modify Load Balance Port Groups

Note the Access Control required to create and modify load balance port groups:

■ In order to connect/disconnect to/from a port group, a user must have Connect access on all ports within the port group.

■ In order to modify the properties of a port group, a user must have Modify access on all ports within the port group.

■ In order to add/remove ports to/from a port group, a user must have Connect access on the port group (which requires Connect access on all the ports within the port group).

There are three methods that can be used to create a load balance port group.

1. Select tool ports in the diagram area. Right-click one of the selected ports. Choose Create Load Balance Group from the menu.

2. Click the New Load Balance Port Group icon in the toolbar area.

3. Right-click in the diagram area. Choose New Load Balance Port Group from the menu.

The New Load Balance Port Group or Edit Load Balance Port Group dialog window displays depending on the creation method chosen:

Figure 6-14. Edit Tool Load Balance Port Group (LBPG) Window

Using the Load Balance Port Group General Tab

Name: Enter a name for the load balance port group.

Description: Use this field to describe the purpose and use of this port group.

Load Balance Port Group Settings: This field displays the Port Mode which will always be “Tool.”

Port Pause Frames: This setting is always set to Ignore pause frames for load balance port groups. The setting is applied to all contained ports.

When the NTO ignores pause frames it will continue to forward traffic to the connected device regardless of the Ethernet flow control state of the device.

Failover: In the event of port failure the Rebalance option redistributes traffic amongst in-service ports within the port group. Rebalance is the default setting. The None option disables the failover feature.

Load Balance Status:

Enabled Status: This field displays the number of ports within the port group and the number of ports within the port group that are enabled.

Enabled Port Status:

Combined Speed: This field displays the combined speed of all the enabled ports within the port group.

The word “partial” after the speed value indicates that one or more of the enabled ports within the port group have a link down status. The reported combined speed does not include the port speed settings of enabled link-down ports.

Link Status: This field indicates the number of enabled ports within the port group that have a link up status.

Port Group Icon

See “Features Common to All Object Pages” on page 67.

Using the Load Balance Port Group Ports Tab

To add ports to the port group, click the Add button. Select the ports that are to be contained within the port group. You can combine up to eight ports (1G and 10G) into a load balance port group.

Model 5204: Load balance port groups are not supported.

NOTE Ports may not be added or removed while the port group is connected to a dynamic filter. Ports that are currently connected to dynamic filters cannot be added to a port group. They must first be disconnected from all filters before they can be added.

Figure 6-15. New Tool LBPG Window

Ports can be removed by selecting them in the port section and clicking the Remove button.

Using the Load Balance Port Group Filter Criteria Tab

Filter criteria are used to define the type of traffic that will be allowed to pass through an object or will be prevented from passing through an object.

See Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters for detailed information.

Using the Load Balance Port Group Connections Tab

Click the Add dynamic filter button to add connections to a port group. Source dynamic filters can be configured for load balance port groups.

Note: The Effect of Adding Ports to a Load Balance Port Group

• When a port is added to a port group, its icon is removed from the Diagram Area. The individual port properties can then only be accessed from the Ports tab within the port group or from the right-click menu of the port group.

• A port added to a port group maintains its media settings.

• A port added to a port group inherits the filter criteria settings of the port group.

• Port groups inherit the access control settings of the port within the group that has the most restrictive access control settings.

• The load balance group will be assigned a “LBG-#” (load balance group number) label. The number displayed indicates the number of ports in the load balance port group.

Tip: Right-clicking on the ports displayed in the Ports section provides the ability to access the properties of the port, disable the port, and for system administrators, modify the access control settings of the port.

Notes:

Adding or removing filter connections are immediate operations, not controlled by the OK or Cancel buttons on the Connections tab.

Because dynamic filter access control may be determined by the connections, the user will receive a warning message before a connection to a dynamic filter is complete if the access control settings of the port group will adversely affect users that can currently access the dynamic filter. The user will be prompted to confirm a loss of access before the connection is completed.

Using the Load Balance Port Group Access Control Tab

The Access Control tab displays information about the users who can Modify the property settings of the port group and the connection settings of the port group.

The access policies for a port group are inherited from the contained ports.

Operation: Modify this Port Group: This section displays the access policy that is in effect and the users with access.

Operation: Connect/Disconnect Filters to/From this Port Group: This section displays the access policy that is in effect and the users with access.

The Details buttons provide detailed information about the specific users with access and how the access settings were determined.

The Users section displays the users that can perform modify operations on the property settings of the port group. Note that system administrators can always modify the property settings of a port group.

The Ports section displays a table that shows the ports that determine the Modify access to the connection settings of the port group. A user must meet the access requirements for every port shown in order to modify the port group connections.
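The inheritance rule stated for port groups (a user must meet the requirements of every contained port) and the loss-of-access warning shown before a filter connection is completed can be worked through as set arithmetic. This is an added example, not Anue code: it assumes a port's policy for an operation is either unrestricted or a set of allowed users, and all account and port names are constructed.

```python
"""Effective access for a port group, and the loss-of-access check.

Added illustration, not Anue code. Assumption: a port's policy for an
operation is either missing (unrestricted) or the set of users allowed.
"""
from dataclasses import dataclass, field

ALL_USERS = frozenset({"alice", "bob", "carol", "dave"})  # constructed accounts
ADMINS = frozenset({"dave"})                              # system administrators


@dataclass
class Port:
    name: str
    # operation ("modify" or "connect") -> allowed users; missing = anyone
    policy: dict = field(default_factory=dict)

    def allowed(self, op):
        users = self.policy.get(op)
        return set(ALL_USERS) if users is None else set(users)


def effective_access(ports, op):
    """Users who may perform `op` on an object inheriting from `ports`.

    Every port must be satisfied, so the result is the intersection of the
    per-port sets. System administrators are always included.
    """
    allowed = set(ALL_USERS)
    for port in ports:
        allowed &= port.allowed(op)
    return allowed | ADMINS


def restricting_ports(ports, op):
    """Names of the ports whose policy actually narrows `op`."""
    return [p.name for p in ports if p.policy.get(op) is not None]


def loss_of_access(connected_ports, new_ports, op="modify"):
    """Users who have access now but lose it once `new_ports` are connected.

    Models an object that inherits access control from its connections; a
    non-empty result is the case in which confirmation is requested.
    """
    before = effective_access(connected_ports, op)
    after = effective_access(list(connected_ports) + list(new_ports), op)
    return before - after


def sample_ports():
    # Constructed sample policies.
    return [
        Port("P01", {"modify": {"alice", "bob"},
                     "connect": {"alice", "bob", "carol"}}),
        Port("P02", {"modify": {"bob", "carol"}}),
        Port("P03"),  # no restrictions
    ]


if __name__ == "__main__":
    p01, p02, p03 = sample_ports()
    group = [p01, p02, p03]
    print("modify :", sorted(effective_access(group, "modify")))
    print("connect:", sorted(effective_access(group, "connect")))
    print("ports restricting modify:", restricting_ports(group, "modify"))
    print("lose access when P01 joins P03:", sorted(loss_of_access([p03], [p01])))
```

Reviewing the intersection before grouping ports shows in advance which accounts will be locked out of the group, rather than discovering it from the confirmation prompt.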

System administrators can modify the access control settings of the ports from the Ports tab by right-clicking on the ports within the port group as shown in the figure below.

Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters

Dynamic Filters, Network Ports, Tool Ports, and Port Groups all have filter criteria settings. Filter criteria are used to define the types of network packets that will be allowed to pass through a filter or will be prevented from passing through a filter.

Additional information that can help users take full advantage of NTO filtering capabilities is provided in the tech note 5200 - Advanced Filtering Concepts and Options. This guide can be downloaded from the Anue Customer Portal. See “Technical Support” on page 11 for information on how to access the Anue Customer Portal.

The Filter Criteria tab of a Network Port is shown in the following figure.

Figure 6-16. Network Port (Ingress) Filter Criteria Tab

Filter Mode

Filters can be placed in one of four modes, as shown below. Note that some filters do not support all four choices. Refer to Table 6-3 for details.

Pass All: This setting allows all traffic to pass through the filter.

Pass by Criteria: This setting allows the user to describe the characteristics of the packets that should be allowed to pass through the filter.

Deny All: This setting prevents all traffic from passing through the filter.

Deny by Criteria: This setting allows the user to describe the characteristics of the packets that should be prevented from passing through the port.

NTO objects have different filter mode options. The following table displays the filter mode options for each object type.

Table 6-3: Filter Modes

Filter Type | Pass All | Pass by Criteria | Deny All | Deny by Criteria

Network Port/Network ICPG/Bidirectional ICPG | √ √ √

Note: The tool side of a Bidi ICPG is always Pass All.

Dynamic Filter | √ √ √

Tool Port/Tool ICPG/Load Balance Port Group | √ √ √

Available Criteria

When determining whether packets should be passed or denied, the NTO has the ability to look at the Layer 2 Ethernet headers *or* the Layer 3 and 4 IP headers of each packet. Users may specify which layer they want to look at, and within each layer, which header fields to look at. Figure 6-17, Figure 6-18, and Figure 6-19 show the available header fields for each layer. Note that the VLAN field (first VLAN only) can be examined with both Layer 2 and Layer 3/4.

Models 5204/5288/5293: These NTO models do not support IPv6 criteria.

Figure 6-17. Layer 2 Filter Criteria

Figure 6-18. IPv4 Layer 3/4 Filter Criteria

Figure 6-19. IPv6 Layer 3/4 Filter Criteria

Multiple criteria may be combined to create more complex filters. Criteria may be combined as "Match All" (AND) or "Match Any" (OR). When using "Match All", each criterion may only be used one time in a single filter. When using "Match Any", each criterion may be used more than once in the same filter. Therefore, in a "Match All" filter, once a criterion is used that button will gray out indicating the criterion cannot be used again in that filter. Refer to the Selected Criteria section for more information.

One other reason that a criterion button might be grayed out would be that the current filter memory allocation settings do not support that type of criterion.

When a criterion button is pressed, a criterion-specific dialog will be displayed in which specific values can be entered for the header fields related to that criterion type. For example, using the Layer 2 Criteria Type, select the VLAN button. The New VLAN Filter Criterion window will display.

Figure 6-20. New VLAN Filter Criteria

Detailed Criteria Descriptions

Although configuring filter criteria is very intuitive, and on-screen and tooltip help is provided, some features that may need further description are described below.

Tip: The instructions at the top of the window describe how to enter ranges of values. All criterion windows will have similar instructions and/or tooltip help.

VLAN

When connecting trunk port taps or SPANs to NTO ports, trunk links are required to pass VLAN information. NTO ports are configured for 802.1Q (dot1q) encapsulation by default, and automatically belong to VLANs 1-4094. Packets with 802.1Q tags for VLANs 1-4094 may be filtered using the NTO filter criteria. See the section on Filtering on 802.1Q VLAN Tags for detailed information and an example router configuration.

• VLAN using Layer 2 Criteria Type: When the Criteria Type is Layer 2, the VLAN button allows the user to specify the VLAN IDs to be matched on both IP and non-IP packets.

• VLAN with Layer 3/4 Criteria Type: When the criteria type is Layer 3/4, the VLAN button allows the user to specify the VLAN IDs to be matched in IP packets only. In this case, non-IP packets will not match, even if they have the specified VLAN ID.

MAC Address - Specify Attributes of Address

When matching a MAC address, users may choose to look for a value in the source address, a value in the destination address, a value in the source *or* destination address, or a value in the source address in combination with another value in the destination address. These are described in more detail in the following sections.

The picture below shows the MAC dialog when matching on the source address header field:

The address may be specified as one or more actual addresses, with optional "don't care" parts, or by the administration type. When more than one address is specified (using the "+" button) the filter will match on address 1 *or* address 2, and so on. Multiple addresses here are always combined with an "or", regardless of whether the containing filter is set to "Match All" (AND) or "Match Any" (OR).

The Administration options are:

■ Universal (Globally Unique)

■ Local

A universally administered MAC address (globally unique) is assigned to a device by its manufacturer.

A locally administered MAC address is assigned to a device by a network administrator.

The picture below shows the MAC dialog when matching on the destination address header field:

Destination addresses are specified in the same manner as source addresses. Destination addresses, however, support different attributes which can be matched as an alternative to the addresses.

The Administration options are:

■ Don’t Care: The address can be Local or Universal (Globally Unique).

■ Universal (Globally Unique)

■ Local

The Destination Address options are:

■ Don’t Care: The address can be Individual (Unicast) or Group (Multicast/Broadcast)

■ Individual (Unicast)

■ Group (Multicast/Broadcast)
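The Administration and Destination Address attributes correspond to two bits in the first octet of a MAC address, and the sketch below shows how a destination criterion built from either address patterns or those attributes evaluates. This is an added example, not Anue code: the "XX" notation for the "don't care" parts of an address is an assumption, and the sample addresses are constructed.

```python
"""Destination MAC criterion: address patterns or address attributes.

Added illustration, not Anue code. The "XX" wildcard syntax for the
"don't care" parts of an address is an assumption made for this example.
"""


def _octets(text):
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return parts


def parse_mac(text):
    return bytes(int(p, 16) for p in _octets(text))


def administration(mac):
    # U/L bit (0x02 in the first octet): 0 = universal, 1 = local.
    return "local" if mac[0] & 0x02 else "universal"


def destination_type(mac):
    # I/G bit (0x01 in the first octet): 0 = individual, 1 = group.
    return "group" if mac[0] & 0x01 else "individual"


def pattern_matches(pattern, mac):
    """Compare octet by octet; an 'XX' octet in the pattern matches anything."""
    return all(p.upper() == "XX" or int(p, 16) == octet
               for p, octet in zip(_octets(pattern), mac))


class DestinationMacCriterion:
    def __init__(self, addresses=(), admin="dont_care", dest="dont_care"):
        # Without addresses, at least one attribute must be set to a value.
        if not addresses and admin == "dont_care" and dest == "dont_care":
            raise ValueError("Administration and Destination Address "
                             "cannot both be Don't Care")
        self.addresses = list(addresses)
        self.admin, self.dest = admin, dest

    def matches(self, dst_mac_text):
        mac = parse_mac(dst_mac_text)
        if self.addresses:
            # Several addresses are always OR'ed, whatever the filter's
            # Match All / Match Any setting is.
            return any(pattern_matches(p, mac) for p in self.addresses)
        return (self.admin in ("dont_care", administration(mac))
                and self.dest in ("dont_care", destination_type(mac)))


# Constructed sample destination addresses.
SAMPLES = ["00:1b:21:3a:4f:10", "02:42:ac:11:00:02",
           "01:00:5e:00:00:fb", "ff:ff:ff:ff:ff:ff"]

if __name__ == "__main__":
    group_only = DestinationMacCriterion(dest="group")
    vendor = DestinationMacCriterion(addresses=["00:1B:21:XX:XX:XX"])
    for text in SAMPLES:
        mac = parse_mac(text)
        print(text, administration(mac), destination_type(mac),
              "group-filter:", group_only.matches(text),
              "vendor-filter:", vendor.matches(text))
```

Note that the broadcast address ff:ff:ff:ff:ff:ff has both bits set, so it is classified as Group and as Local.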

Address Combinations

Several header fields, including MAC addresses, IPv4 addresses, and Layer 4 Port numbers involve source and destination values. The NTO allows simplified filtering on different combinations of these values. As has already been shown for MAC addresses, one can filter on the source value or destination value alone.

Note: Both the Destination Address and Administration attributes cannot be set to “Don’t Care”. One of the options must be configured to a value other than “Don’t Care”.

It is also sometimes useful to look for a particular value in either the source address *or* the destination address. The IPv4 address dialog below shows the selection of "Source or Destination" as the criterion type:

Figure 6-21. New IPv4 Filter Criterion

When the Source or Destination criterion type is configured, a packet will match if either the Source or Destination matches any of the defined address or port values. Note the instructions below the Type section of the window explaining how to duplicate a row. This feature allows the user to quickly create a list of addresses that only require minor modifications to make an address unique.

When the Mask Type is set to CIDR or Netmask, hovering the mouse over the magnifying glass displays the range of addresses that have been configured. Non-contiguous addresses are not displayed. The range helper feature is only available for IPv4.

The Address Pair(s) option allows a pair of ports or addresses to be configured.


A packet will match if either of the following conditions is true:

1. Source equals any address/port A and destination equals any address/port B.

2. Source equals any address/port B and destination equals any address/port A.

This requires that every address/port A be paired with every address/port B. This fact may be important in scenarios where the available filter memory is limited.

Selected Criteria

The Selected Criteria section displays the configured criteria and allows the user to "AND" or "OR" the defined criteria. Filter criteria can also be retrieved from the filter template library.

Network Port/Network ICPG/Network side Bidirectional ICPG options:

AND: Pass or Deny packets that match ALL of the specified criteria.

OR: Pass or Deny packets that match ANY of the specified criteria.


Figure 6-22. Selected Criteria Section

Tool Port/Tool ICPG/Load Balance Port Group options:

AND: Deny packets that match ALL of the specified criteria.

OR: Deny packets that match ANY of the specified criteria.

Figure 6-23. Selected Criteria Section

The chosen filter criteria are displayed under the Criteria Type and Criteria Values columns.

To modify a criterion, choose one of the following methods:

■ Highlight the criterion and then press the Modify button.

■ Right-click the criterion and select Modify.

■ Double-click the criterion.


To remove a criterion, choose one of the following methods:

■ Highlight the criterion and click the Remove button.

■ Highlight the criterion and press the Delete key on the keyboard.

■ Right-click the criterion and press the Delete key on the keyboard.

Note: Select several criteria for deletion by holding down the Shift or Ctrl key while clicking.

The Paste (Replace) option removes the current filter criteria from the destination filter and replaces them with the criteria that were copied from the source filter.

The Paste (Merge) option maintains the current filter criteria of the destination filter and adds the criteria that were copied from the source filter.

Figure 6-24. Copy Criteria from One Filter and Merge into Another Filter

Tip: Criteria can be copied and pasted between filters. To copy and paste criteria, select the criteria, right-click the selection and then choose Copy. Access the Filter Criteria tab of a Dynamic Filter, port or Filter Template, right-click in the Selected Criteria area of the tab and choose Paste (Replace) or Paste (Merge).


Ctrl+C can also be used to copy criteria from the source filter. Ctrl+V can be used to paste criteria into the destination filter. The user will receive the following prompt after pressing Ctrl+V.

Library

Replace: Filter criteria can be changed by replacing the current filter criteria with criteria selected from the Filter Template Collections.

Merge: Filter criteria can be augmented by merging the current filter criteria with criteria selected from the Filter Template Library. This option maintains the currently defined criteria and adds criteria from the Filter Template Library.

Save: Selected filter criteria can be saved to the Filter Template Library.

Figure 6-25. Filter Template Library Options

SNMP Tag

The SNMP tag field is a free-form text field that users may optionally configure for each filter. A user can configure one or more keywords using comma, space, or colon as separators. An SNMP management application can then use the keywords to facilitate customized search, sort, and aggregation of Anue MIB filter information.

The filter will be tagged with the defined text. The maximum length of this field is 255 characters.


Custom Dynamic Filtering

This section applies to all models except the 5204.

The NTO comes with several predefined fields for filtering traffic. Using those fields, you can specify the types of network packets allowed or not allowed to pass through a filter. The predefined filtering fields are available for network ports, tool ports, and dynamic filters. For a detailed explanation of how to use the predefined fields, see “Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters” on page 96.

With Custom Dynamic Filtering, you can now define custom fields to use in your dynamic filters to match on parts of the packet headers and payload that are not accessible using the predefined fields. Custom fields allow you to match on 2- or 4-byte fields, up to 128 bytes deep into Ethernet packets. By defining your own custom fields, you can filter on specific bit patterns and values at selected locations in a packet. This allows access to header and payload fields in protocols such as MPLS, GTP, GRE, HTTP, FCoE, FIP, iSCSI, L2TP, VoIP, RTP, and more. Table 6-4 outlines the number and sizes of the custom fields available on each NTO model.

The NTO has built-in support for MPLS (all models) and GTP (5288/5293 models only), providing access to specific named fields within those protocols, avoiding the need to calculate the exact packet positions of the fields. You can also create “raw” custom fields, or as the control panel refers to them, “Custom” fields. These more generic fields allow you to specify the size of the field and the offset from a location in the packet to the beginning of the field. The relative starting position for the offset can either be the beginning of the packet or the end of the Layer 2 header.

When using the raw custom fields, be aware that if you’re looking for a byte match at a certain offset, you can unintentionally match on random data at that offset. To avoid that, check some other field, such as the IP protocol or TCP source port, to confirm that the packet is of the correct type. When you use the built-in protocols, MPLS and GTP, the NTO automatically provides these confirmation fields for you.

Models 5236/5273: Custom dynamic filtering is not supported on 5236/5273 when IPv6 filtering is enabled (that is, when filter memory is allocated to support IPv6 filtering).

Table 6-4: Available Custom Fields on NTO Models

Model: Available Custom Fields

5204: Custom dynamic filtering is not supported.

5236, 5273: Up to 8, 4-byte fields, with 4-byte boundaries and sizes to be even multiples of 4. Note: In the specific case of using offset 0 from the start of a packet, the sizes allowed are 2 or 6.

5288, 5293: Up to 16, 2-byte fields, with 2-byte boundaries and sizes to be even multiples of 2.

Unlike the predefined fields, which you can use on network ports and tool ports, you can only use custom fields in the dynamic two-stage filters that connect network ports to tool ports on the NTO. A dynamic two-stage filter using custom fields is also referred to as a “custom filter.”

Some things to keep in mind when using custom filters are the following:

■ When using custom fields, not all predefined fields will be available in the same filter.

■ A network port can only be connected to one custom filter at a time.

■ A network port connected to a tool port through a standard dynamic filter cannot at the same time be connected to the same tool port through a custom filter.

In the NTO, custom fields are allocated in one or two “field sets.” These field sets appear on the Dynamic Custom Filtering dialog, where you define the custom fields. Access the dialog from the System Settings tab by clicking the link to the right of the Custom dynamic filtering field. You can enable and define one or two field sets, but only enable what you need because the field sets come with a price. Each field set uses about 10% of the available dynamic filter and tool port filter memory, which reduces the amount of memory available for other types of filters.

If you enable two field sets, you have the choice of using them in the same filter or different filters. By using them in the same filter, you get up to 32 bytes of custom fields for a single filter. If you use them in different filters, you only get up to 16 bytes of custom fields in any one filter. You get “up to” an amount because, in most cases, you don't use up the full amount all at once. As you choose the composition of your custom fields, your choices use up bytes, usually in 2- or 4-byte increments, depending on the NTO model (see Table 6-4 on page 109).

Not all of your choices cost bytes. Some are “free.” They don't count against the total 16 or 32 bytes available. These are typically fields in the outer headers of tunneled packets, and the ones that you get for free depend on which layers and protocols you select to filter. For example, MPLS is a Layer 2 tunnel protocol which is identified by a specific Ethertype. When you choose MPLS & Custom as the types of fields you want to include in field set 1, Ethertype is provided as a free outer header field to use for confirmation.

As another example, GTP is a Layer 3 and 4 tunnel protocol which is identified by a specific UDP source port. When you choose GTP & Custom (5288/5293 only) as the types of fields you want to include in field set 1, Outer IP protocol and outer L4 source port are provided as free outer headers to use for confirmation. Table 6-5 shows the free headers you get as optional confirmation fields with the custom field types you choose to filter. It also shows the optional additional outer header fields you can select at a cost of 10% filter memory.

Table 6-5: Free Outside & Additional Headers with Selected Field Types

Selected Field Types

Default Available Outer Header Fields

Additional Available Outer Header Fields

Field Set 1 - MPLS & Custom

■ Ethertype ■ VLAN

Field Set 1 - GTP & Custom (5288/5293)

■ DSCP/ECN

■ Outer IP protocol

■ VLAN

■ Ethertype

■ Outer IPv4 source or destination address

■ Outer L4 source or destination port

■ TCP Control

Field Set 1 - Custom (5236/5273)

■ DSCP/ECN

■ Outer IP protocol

■ VLAN

■ Ethertype

■ Outer IPv4 source or destination address

■ Outer L4 source or destination port

Field Set 2 - MPLS & Custom

■ Ethertype None

Field Set 2 - GTP & Custom (5288/5293)

■ DSCP/ECN

■ Outer IP protocol

None

Field Set 2 - Custom (5236/5273)

■ DSCP/ECN

■ Outer IP protocol

None

Field sets in same filter

■ VLAN

■ Ethertype

■ DSCP/ECN

■ Outer IP Protocol

■ Outer L4 source or destination port

■ TCP Control (5236/5273 only)

None


To use custom fields, perform the following tasks, explained in detail in the sections that follow:

1. Enable one or both field sets. If you enable both field sets, choose whether to use them in the same or different filters.

2. Select the network layer with headers that will be most useful for your filtering.

3. Assign pre-defined (GTP-C, GTP-U, or MPLS) or Custom fields and their associated confirmation fields to the field sets.

4. Use the fields in the field sets in one or more dynamic filters, specifying the values to be matched.

Once you enable field sets and select a packet header layer for the custom fields, you can start adding custom fields to the field sets. You can allocate fields to a field set until you use up the available bytes - 16 bytes for one field set, or 32 bytes when both field sets are enabled for use in the same filter. Depending on the field type you select, you will be prompted to enter additional information, such as enabling confirmation fields and configuring the number of optional header words.

Confirmation fields are necessary to ensure the pre-defined fields are actually there. For example, if you add a GTP-U tunneled IPv4 source address field to a field set, you are given the option to confirm that the outer IP protocol is UDP, the outer UDP destination port is 2152, and the inner IP version is IPv4. If you don’t check these confirmation fields you might match packets that are not GTP-U packets that just happen to have an IPv4 address (or even just some matching bits!) at the same location.

NOTE If you enable field sets 1 and 2 to be used in the same filter, all the custom fields you create must be for the same layer type. For example, if you add a GTP-U field (Layer 3/4) to the field sets you cannot later add an MPLS field (Layer 2) to the field sets.

5236/5273 GTP custom fields are not available at this time.

NOTE When editing fields in field sets, an existing field may be removed as long as it is not either (a) in use in a Dynamic Filter or (b) saved as a filter template. If removal is attempted, and one of these conditions exists, an error message describing the above will be displayed. In that case, first delete its use in all Dynamic Filters and filter templates. The field can then be removed from the field set.

NOTE The 16-byte limit of one field set is only large enough for one IPv6 address. To filter on both the source and destination IPv6 address in one filter, you need to enable both field sets in the same filter.

In many cases, the packet protocols provide for optional fields in the headers. For example, IPv4, IPv6, TCP, and GTP headers all include optional fields which may or may not be present in a particular packet. In tunneled packets, the IP and TCP headers can appear both outside and inside the tunnel. In order to filter on custom fields, the NTO must know the exact offset from the start of the packet or the end of the outer Layer 2 header to that field. Therefore, if a custom field is deeper in the packet than one of the headers with optional fields, you must specify the size of those optional fields.

For example, if you want to add the pre-defined field “Tunneled IPv4 L4 Source Port” in a GTP-U packet, you must specify the number of 32-bit words in the optional fields in the GTP-U header plus the number of 32-bit words in the optional fields in the inner IPv4 header. If you need to filter on packets with different numbers of optional fields, you will have to add the pre-defined field multiple times, once for each different size of the optional fields.

As another example, to filter on fields inside MPLS tunnels you must specify the number of MPLS labels you expect in the packets, the service type (L2 VPN or L3 VPN), whether the pseudowire code word is present, and the number of VLAN tags in the tunneled frame.

If one of the pre-defined GTP or MPLS fields does not suit your needs, you can also define raw custom fields, specifying your own offsets and field sizes. You specify a byte offset relative to the start of the packet or the end of the Layer 2 header and a byte length (or size). The byte offset and length must be multiples of 2 on the 5288/5293 and multiples of 4 on the 5236/5273. By selecting the end of the Layer 2 header, you can avoid having to account for any VLANs or variations in Ethernet frame formats (for example, Ethernet II, 802.2, LLC/SNAP, etc.). Be sure to account for any optional headers beyond the relative starting position when you define a Custom field. You must also specify a name for this field. The name is limited to 32 characters and must be unique across all custom fields. This name will appear in the dynamic filter dialog to allow you to filter on this custom field.
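The offset arithmetic and the purpose of confirmation fields described above can be checked offline with a small software model. This Python example is added here and is not Anue code: it models a fixed-offset matcher in software rather than the NTO's internals, and all function names, addresses (documentation ranges) and frames are constructed for illustration.

```python
import socket
import struct

GTPU_PORT = 2152                 # outer UDP destination port the guide names for GTP-U
VLAN_TPIDS = {0x8100, 0x88A8}    # 802.1Q and 802.1ad tag identifiers


def ipv4(src, dst, proto, payload, opt_words=0):
    """IPv4 header (checksum left 0: constructed sample) followed by payload."""
    ihl = 5 + opt_words
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + b"\x00" * (4 * opt_words) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def gtpu(teid, payload, opt_words=0):
    """GTP-U G-PDU: 8 mandatory bytes plus opt_words 32-bit optional words."""
    flags, opt = 0x30, b""                       # version 1, protocol type GTP
    if opt_words:
        ext = opt_words - 1                      # one 4-byte extension header per extra word
        flags |= 0x02 | (0x04 if ext else 0)     # S flag, plus E flag when extensions follow
        opt = b"\x00\x00\x00" + (b"\x85" if ext else b"\x00")   # 0x85: sample extension type
        for i in range(ext):
            opt += b"\x01\x00\x00" + (b"\x85" if i < ext - 1 else b"\x00")
    return struct.pack("!BBHI", flags, 0xFF, len(opt) + len(payload), teid) + opt + payload


def ethernet(payload, vlan=None):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return b"\x02" * 6 + b"\x06" * 6 + tag + struct.pack("!H", 0x0800) + payload


def l2_len(frame):
    """Length of the Layer 2 header: 14 bytes plus 4 for each VLAN tag."""
    off = 12
    while len(frame) >= off + 2 and struct.unpack_from("!H", frame, off)[0] in VLAN_TPIDS:
        off += 4
    return off + 2


def tunneled_src_offset(outer_ip_opt_words=0, gtp_opt_words=0):
    """Offset of the inner IPv4 source address, counted from the end of Layer 2."""
    return (20 + 4 * outer_ip_opt_words) + 8 + (8 + 4 * gtp_opt_words) + 12


def raw_match(frame, offset, value):
    """Raw custom field: compare bytes at a fixed offset past Layer 2, nothing else."""
    start = l2_len(frame) + offset
    return frame[start:start + len(value)] == value


def confirmed_match(frame, value, outer_ip_opt_words=0, gtp_opt_words=0):
    """Same field, plus the three confirmations the guide lists for GTP-U."""
    l3 = frame[l2_len(frame):]
    udp_off = 20 + 4 * outer_ip_opt_words
    inner_off = udp_off + 8 + 8 + 4 * gtp_opt_words
    if len(l3) < inner_off + 16:
        return False                              # too short to hold the field at all
    outer_is_udp = l3[9] == 17
    dst_port_ok = struct.unpack_from("!H", l3, udp_off + 2)[0] == GTPU_PORT
    inner_is_v4 = l3[inner_off] >> 4 == 4
    return (outer_is_udp and dst_port_ok and inner_is_v4
            and l3[inner_off + 12:inner_off + 16] == value)


# Constructed sample data: the value to match and the tunneled packet carrying it.
TARGET = socket.inet_aton("10.1.2.3")
INNER = ipv4("10.1.2.3", "192.0.2.9", 17, udp(5000, 5001, b"data"))


def gtpu_frame(gtp_opt_words, vlan=None):
    tunnel = udp(GTPU_PORT, GTPU_PORT, gtpu(0x1234, INNER, gtp_opt_words))
    return ethernet(ipv4("198.51.100.1", "198.51.100.2", 17, tunnel), vlan)


# Constructed non-GTP frame: a UDP/53 datagram with the target bytes at the same offset.
DECOY = ethernet(ipv4("198.51.100.7", "198.51.100.8", 17,
                      udp(40000, 53, b"\x00" * 28 + TARGET + b"\x00" * 8)))

if __name__ == "__main__":
    off = tunneled_src_offset(0, 2)
    print("offset from end of L2 with 2 optional GTP-U words:", off)
    print("raw field, GTP-U frame:       ", raw_match(gtpu_frame(2), off, TARGET))
    print("raw field, non-GTP decoy:     ", raw_match(DECOY, off, TARGET))
    print("confirmed field, decoy:       ", confirmed_match(DECOY, TARGET, 0, 2))
    print("raw field, 1 optional word:   ", raw_match(gtpu_frame(1), off, TARGET))
    print("raw field, VLAN-tagged frame: ", raw_match(gtpu_frame(2, vlan=100), off, TARGET))
```

The frame built with one optional word is missed at the offset configured for two, which is why the guide has you add the field once per optional-field size.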

To perform custom filtering, complete the following two main tasks:

1. “Define Custom Fields” on page 114.

2. “Use Custom Fields in Filters” on page 118.

For a quick example of these two main tasks, see “Quick Example: GTP-U Custom Filtering Field (5288/5293 only)” on page 119.

Tip: A network protocol analyzer tool like Wireshark can help you determine information you need before you create custom filters. Using a tool like Wireshark, you can examine some sample traffic to determine the following kinds of information:

• MPLS — How many MPLS labels are present

• MPLS — How many VLAN tags are present in the inner L2 header

• GTP-U — How many words are in the optional fields in your GTP-U headers

• Raw — The size of bytes, that is, the number of words in an optional field, like the IPv4 header options values


Define Custom Fields

You can define three types of custom fields:

■ “MPLS Custom Fields” on page 114

■ “GTP Custom Fields (5288 only)” on page 115

■ “Raw Custom Fields” on page 117

MPLS Custom Fields

To define MPLS custom fields:

1. In the System view, on the Settings tab, in the Filtering section, to the right of the Custom dynamic filtering field, click the link - for example, click Disabled (which is the default setting).

Note: Once you enable custom dynamic filtering, the text on this link will change to describe the field sets that you enable.

The Custom Dynamic Filtering dialog displays.

2. Select an Enabled State - for example, Field set 1 enabled.

3. In the Field Set 1 section, select the MPLS layer and protocol you want to define in this custom filter field - for example, MPLS & Custom (Layer 2 outer headers).

4. (Optional) In the Available Outer Header Fields section, select Provide additional outer headers (reserves an additional 10% of filter memory.)

5. In the Field Set 1 (0 of 16 bytes used) section, click the Add button and select the protocol you want from those available on the list - for example, MPLS.

The Select MPLS Field Type dialog displays.

6. Select an MPLS field type to create - for example, Tunneled IPv4 L4 Src (source) Port.

7. Click OK.

The Add Tunneled IPv4 L4 Src Port Field dialog displays.

8. In the Outer L2 section, you can select Confirm outer Ethertype and select an Ethertype - for example, Either unicast or multicast (doubles the filter memory usage).

9. In the MPLS section, enter How many labels are present - for example, 1.

Note: You can use a tool like Wireshark to examine some sample traffic to determine how many MPLS labels are present.

10. In the MPLS section, select What is the service type from the drop-list - for example, L2 VPN with pseudowire control words.

NOTE 5236/5273 only supports L3VPN MPLS custom fields. L2VPN (with or without pseudowire) is NOT supported on 5236/5273.


11. In the MPLS section, select How many VLAN tags are present in the inner L2 header - for example, 1.

Note: You can use a tool like Wireshark to examine some sample traffic to determine how many VLAN tags are present in the inner L2 header.

12. In the Inner L3 section, select the confirmations you prefer - for example, Confirm IP version and Confirm IP protocol, which if you select, you also need to select the protocol - for example, TCP.

13. In the Inner L3 section, enter How many 32-bit words are present in the inner L2 header - for example, 1.

14. In the Inner L4 section, either accept the default Field Name or change the text.

Note: The Field Name text is what displays as the button text on the Filter Criteria tab of the Edit Dynamic Filter dialog after you finish defining this custom filter field.

15. Click OK.

In the Field Set 1 section, the Main Fields and Confirmation Fields populate with a summary of your selections, and in parentheses to the right of Field Set 1, it shows the number of bytes you have used so far out of the total 16 bytes available - for example, 4 of 16 bytes used on the 5288.

16. Click OK.

The Custom Dynamic Filtering dialog closes and the field sets you enabled display to the right of the Custom dynamic filter field in the Filtering section of the Settings tab - for example, Field Set 1.

To use an MPLS custom field, see “Use Custom Fields in Filters” on page 118.

GTP Custom Fields (5288 only)

To define GTP custom fields:

1. In the System view, on the Settings tab, in the Filtering section, to the right of the Custom dynamic filtering field, click the link - for example, click Disabled (which is the default setting).

Note: Once you enable custom dynamic filtering, the text on this link will change to describe the field sets that you enable.

The Custom Dynamic Filtering dialog displays.

2. Select an Enabled State - for example, Field set 1 enabled.

NOTE If you create a custom MPLS field type of Label, then when you use this custom field in a dynamic filter, the MPLS Label field can be a decimal input between 0 and 1,048,575 (2^20 - 1).

Note: 5236/5273 GTP custom fields are not available at this time.


3. In the Field Set 1 Free Outer Headers section, select the GTP layer and protocol you want for this custom filter field - for example, GTP & Custom (Layer 3/4 outer headers).

4. (Optional) In the Available Outer Header Fields section, select Provide additional outer headers (reserves an additional 10% of filter memory.)

5. In the Field Set 1 section, click the Add button and select the GTP protocol you want from those available on the list - for example, GTP-U.

The Select GTP-U Field Type dialog displays.

6. Select a GTP-U field type to create - for example, Tunneled IPv4 Src (source) Address - and click OK.

The Add GTP-U Tunneled IPv4 Src Address Field dialog displays.

7. In the Outer L4 section, if desired, select Confirm outer L4 dst (destination) port. This confirmation uses 2 of the total 16 bytes available for this custom field set.

8. In the GTP-U section, enter How many 32-bit words are present in the optional fields in the GTP-U headers - for example, 2.

Note: You can use a tool like Wireshark to examine some sample optional fields in your GTP-U headers to determine how many words you need to include in this custom dynamic filtering field.

9. In the Inner L3 section, if desired, select Confirm outer IP version. This confirmation uses 4 of the total 16 bytes available for this custom field set.

10. For the Field Name, either accept the default field name or change the text.

Note: The Field Name text (in this example, GTP-U Tunneled IPv4 Src Address) is what displays as the button text for this custom field set when you select it on the Filter Criteria tab of the Dynamic Filter dialog.

11. Click OK.

The selections you made in this dialog now display in the Field List for Field Set 1.

Note: Notice that you have used 8 of the available 16 bytes for Field Set 1, shown in parentheses to the right of Field Set 1. You can add other Layer 3 and Layer 4 related protocol custom dynamic fields to Field Set 1 until you use all of the 16 bytes available.

The Custom Dynamic Filtering dialog closes and the field sets you enabled display to the right of the Custom dynamic filter field in the Filtering section of the Settings tab - for example, Field Set 1.

To use a GTP custom field, see “Use Custom Fields in Filters” on page 118.

NOTE If you create a custom GTP-U field type of TEID, then when you use this custom field in a dynamic filter, the GTP TEID field can be a decimal input between 0 and 4,294,967,295 (2^32 - 1).


Raw Custom Fields

To define raw custom fields:

1. In the System view, on the Settings tab, in the Filtering section, to the right of the dynamic custom filtering field, click the link - for example, click Disabled (which is the default setting).

The Custom Dynamic Filtering dialog displays.

2. Select an Enabled State - for example, Field set 1 enabled.

3. In the Field Set 1 Free Outer Headers section, select the layer and protocol you want for this custom filter field - for example, GTP & Custom (Layer 3/4 outer headers).

4. (Optional) In the Available Outer Header Fields section, select Provide additional outer headers (reserves an additional 10% of filter memory.)

5. In the Field Set 1 section, click the Add button and select the protocol you want from those available on the list - in this case, Custom.

The Add Custom Field dialog displays.

6. In the Offset field, enter the number of bytes to offset and select the point where to begin the offset - for example, 20 bytes offset from the end of Layer 2 on the 5288 (remember, even multiples of 2). You can begin the offset either at the beginning of the packet or the end of Layer 2.

Note: For the 5236/5273, the offset bytes need to be multiples of 4. From the end of Layer 2, the offsets are 0, 4, 8, etc. From the start of the packet, offsets are 0, 2, 6, 10, 14, etc. See Table 6-4 on page 109.

7. In the Size field, enter the number of bytes you want to match on for this custom filter field - for example, 4 for the 5288.

Note: For the 5236/5273, in the specific case of using offset 0 from the start of a packet, the sizes allowed are 2 or 6. See Table 6-4 on page 109.

Note: You can use a tool like Wireshark to determine the size of bytes, that is, the number of words in an optional field, like the IPv4 header options values.

8. For the Field Name, either accept the default text or enter the button name you want to display for this custom field set when you select it on the Filter Criteria tab of the Dynamic Filter dialog - in this example, IPv4 Header Options.

9. Click OK.

The selections you made in this dialog now display in the Field List for Field Set 1.

Note: Notice that you have used 4 of the available 16 bytes for Field Set 1, shown in parentheses to the right of Field Set 1. You can add other Layer 3 and 4 related protocol custom dynamic fields to Field Set 1 until you use all of the 16 bytes available.

10. Click OK.


The Custom Dynamic Filtering dialog closes and the field sets you enabled display to the right of the Custom dynamic filter field in the Filtering section of the Settings tab - for example, Field Set 1.

To use a raw custom field, see “Use Custom Fields in Filters” on page 118.

Use Custom Fields in Filters

To use custom fields in filters:

1. Ensure that the Diagram view is displayed, and if not, click the Diagram icon on the Control Panel main window to display it.

2. In the Diagram view, right-click a Dynamic Filter icon, select Properties, and click the Filter Criteria tab.

3. Select Pass by Criteria, select a custom field set, and click a button to the right of one of the protocols to set its filtering values.

An Edit Filter Criterion dialog displays.

4. Enter the filter criterion.

5. Click OK.

The filter criterion displays in the Selected Fields section of the Filter Criteria tab.

6. Click OK.

The Confirm dialog displays.

7. Click OK.

The Confirm dialog closes, the Edit Dynamic Filter dialog closes, the Diagram view displays, and your custom filter begins filtering traffic.

NOTE If you create a custom MPLS field type of Label, then when you use this custom field in a dynamic filter, the MPLS Label field can be a decimal input between 0 and 1,048,575 (2^20 - 1).

NOTE If you create a custom GTP-U field type of TEID, then when you use this custom field in a dynamic filter, the GTP TEID field can be a decimal input between 0 and 4,294,967,295 (2^32 - 1).


Quick Example: GTP-U Custom Filtering Field (5288/5293 only)

The following is a quick example of creating and using a custom filtering field, showing screenshots of the process from start to finish. This example is for filtering on the tunneled IPv4 source address inside a GTP-U packet.

1. In the System view, on the Settings tab, to the right of the Custom dynamic filtering field, click Disabled (which is the default setting).


The Custom Dynamic Filtering dialog displays.


2. Select Field set 1 enabled, GTP & Custom (Layer 3/4 outer headers), Provide additional outer headers, and click Add.

A drop-list appears.

3. Select GTP-U from the drop-list.


The Select GTP-U Field Type dialog displays.

4. Select Tunneled IPv4 Src Address and click OK.

The Add GTP-U Tunneled IPv4 Src Address Field dialog displays.

5. Select the confirmation field and type 2 in the field for How many 32-bit words are present in the optional fields in the GTP-U headers (assuming that’s how many optional words your incoming packets will have).


Note: You can use a tool like Wireshark to examine some sample optional fields in your GTP-U traffic to determine how many words you want to include in this custom dynamic filtering field.

Note: The Field Name GTP-U Tunneled IPv4 Src Address is the button text that will display on the Filter Criteria tab of the Dynamic Filters dialog next to the GTP-U field once you select Custom Field Set 1 (see steps 8 and 9 below). In this dialog, you can change the button text that will display on the Filter Criteria tab.

6. Click OK.

The selections you made in this dialog display in the Main Fields and Confirmation Fields for the Field Set 1 section of the Custom Dynamic Field dialog.

Note: Notice that you have used 6 of the available 16 bytes for Field Set 1, shown in parentheses to the right of Field Set 1. You can add other custom fields to Field Set 1 until you use all of the 16 bytes available.

7. Click OK.


8. Click the Diagram view icon on the Control Panel main window.

9. Right-click a Dynamic Filter icon, select Properties, and click the Filter Criteria tab.


The Filter Criteria tab displays.

10. Select Pass by Criteria, Custom Field Set 1, and click the GTP-U Tunneled IPv4 Src Address button.

The Edit IPv4 Filter Criterion dialog displays.

11. Enter a valid source address or range of addresses and click OK.


The IPv4 filter criterion displays in the Selected Fields section of the Filter Criteria tab.

12. Click OK.

The Confirm dialog displays.

13. Click OK.

The Confirm dialog closes, the Edit Dynamic Filter dialog closes, the Diagram view displays, and your custom filter begins filtering traffic.


Custom Filter Portion of Available Filter Memory Meter

Custom filters use up some of the available filter memory from dynamic filters and tool ports. The percentage they use is reflected in the Custom portion of the Available Filter Memory meters that display at the bottom of the Diagram view on the control panel, shown in Figure 6-26

.

Figure 6-26. Custom Filter Memory Meter

In this example, “96% Custom” displays to the right of the Dynamic filter/Tool port meter, shown with a red box around it in the figure. In this case, 96% is how much dynamic filter and tool port filter memory that is still available for use.

Filtering on 802.1Q VLAN Tags

While network administrators can assign VLANs to a network switch, the assignment of these VLANs effectively remains transparent to the end devices, such as servers, storage devices and end-user stations, which are generally assigned to access ports. 802.1Q VLAN tags are not delivered in the datagrams sent to the devices connected to access ports. Only devices connected to trunk ports on switches responsible for routing, bridging or channeling traffic between networking devices will have visibility to VLAN tags in order for the devices to direct traffic on each end of the link.

Filtering on VLAN ID is one of the options for pass filters and tool port drop filters where users may direct traffic based on 802.1Q VLAN headers. To use VLAN IDs as criteria for filtering, users must ensure specific conditions are met to enable visibility of VLAN 802.1Q headers.

In summary:

■ Anue can filter on 802.1Q VLANs.

■ For the Anue NTO to filter on VLANs, the 802.1Q tags must be present. You must ensure that tapped trunk connections are configured to send 802.1Q tags to the NTO.

■ If connected via a SPAN/Mirrored port, users must ensure the SPAN port is also set as a trunk port. Most switches support this capability but this should be confirmed by checking the switch manufacturer’s documentation.

Note: You might have to use custom fields in dynamic filters connected to several network and tool ports before the display registers an available percentage less than “100% Custom.”

Providing VLAN information to the Anue NTO

There are two ways to direct traffic to an incoming network port on an Anue NTO:

■ Mirrored ports (SPANs) - Port mirroring is used on a network switch to send a copy of all network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network tools that require a copy of what is happening on a VLAN, such as protocol analyzers or intrusion-detection systems. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN) but other vendors may have other names for it, such as Roving Analysis Port (RAP) on 3Com switches. Mirrored ports by default will be defined as access ports on switches.

■ Trunk port taps - A tap (Test Access Point) is a passive splitting mechanism installed inline on a trunk connection between switches or other internetworking devices where the trunk link is terminated. Taps transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring device in real time.

NTO ports are configured for 802.1Q (dot1q) encapsulation, and automatically belong to VLANs 1-4094. Packets with 802.1Q tags for VLANs 1-4094 may be filtered using the NTO. Because mirrored (SPAN) ports are configured as access ports by default, they will neither receive nor pass any 802.1Q header information in the traffic coming from that interface. This means you may not create any Pass or Deny filters on the NTO that use VLAN ID as a pass or drop criterion if the ingress network port providing traffic to the filter is coming from a SPAN port that is configured as an access port.

Once taps or SPAN ports have been properly installed and configured to pass desired traffic to the NTO, pass filters or tool port deny filters can then be created on any L2 or L3 criteria including VLAN ID.
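Before building a filter on VLAN ID, it helps to confirm from a capture that the SPAN or tap feed really carries 802.1Q tags. The following Python check is an added example, not part of the Anue guide or the NTO software; the function names, the sample frames and the VLAN numbers are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that introduces an 802.1Q tag
FILTERABLE = range(1, 4095)  # VLANs 1-4094, the range the guide gives for NTO ports


def vlan_ids(frame):
    """Return the VLAN ID of every 802.1Q tag in an Ethernet frame, outermost first."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    ids = []
    offset = 12  # the type field follows the two 6-byte MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        ids.append(tci & 0x0FFF)  # low 12 bits of the tag control field
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return ids


def audit_feed(frames, filter_vlans):
    """Summarise a capture and report which planned filter VLANs it can never match."""
    tagged = untagged = malformed = 0
    seen = set()
    for frame in frames:
        try:
            ids = vlan_ids(frame)
        except ValueError:
            malformed += 1
            continue
        if ids:
            tagged += 1
            seen.update(ids)
        else:
            untagged += 1
    wanted = set(filter_vlans)
    return {
        "tagged": tagged,
        "untagged": untagged,
        "malformed": malformed,
        "seen": sorted(seen),
        # IDs outside 1-4094 cannot be used as a VLAN filter value
        "out_of_range": sorted(v for v in wanted if v not in FILTERABLE),
        # valid IDs that never appeared: a pass filter on them would pass nothing
        "never_seen": sorted(v for v in wanted if v in FILTERABLE and v not in seen),
    }


def build_frame(vlan=None, pcp=0):
    """Constructed test frame: broadcast destination, local source MAC, IPv4 type."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    return macs + tag + struct.pack("!H", 0x0800) + bytes(46)


# Constructed captures: one as seen from a trunk-mode SPAN or tap,
# one as seen from a SPAN port left in access mode (tags stripped).
TRUNK_FEED = [build_frame(100), build_frame(101, pcp=5), build_frame(100)]
ACCESS_FEED = [build_frame(), build_frame(), build_frame()[:10]]

if __name__ == "__main__":
    for name, feed in (("trunk", TRUNK_FEED), ("access", ACCESS_FEED)):
        print(name, audit_feed(feed, filter_vlans=[100, 102, 4095]))
```

A feed that reports only untagged frames points to a mirror port still in access mode, which is the condition under which VLAN ID criteria cannot match.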

An example of a SPAN port configuration providing 802.1Q headers from a Cisco 4506 switch is provided below.

SPAN port configuration providing 802.1Q headers

Note: It is important to remember that when using taps, two network port connections are necessary for each tap because their TX and RX traffic is sent on dedicated paths to the NTO. For a configuration example, refer to the Installation Guide for your NTO model. Taps will normally be connected to trunk ports but can also be connected to access ports.

This configuration example displays the commands necessary to create a SPAN port on a Cisco 4506 Catalyst Switch that will deliver traffic to the Anue network port which includes 802.1Q VLAN header information:

    DDCPHRCE1#
    monitor session 1 source vlan 1 - 4094
    monitor session 1 destination interface Gi4/13 encapsulation dot1q
    interface GigabitEthernet4/13
     description DDC-SPN-DSW1 G7
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
     no cdp enable

Notes:

■ Not all switches will support this function.

■ Check the manufacturer’s instructions to enable this feature.

■ The sequence in which commands are entered may be important.

■ Specifying the 802.1Q encapsulation method may be necessary.

Port, Port Group, and Dynamic Filter Symbols and Indicators

Ports and filters display several symbols that indicate their status and configuration.

A port is identified by the letter “P” followed by the port number. A filter is identified by the letter “F” followed by the filter number. If a port or filter has been given a label by a user, the port or filter number will be displayed in parentheses.

Filter Indicators

Various symbols along the left side of the icon are used to summarize the filter settings.

Four green arrows passing through a gray line indicate that a filter is configured to Pass All packets.

Figure 6-27. Tool Port Pass All Filter Mode

Two black arrows touching a vertical black line indicate that a filter is configured to Drop All packets.

Figure 6-28. Tool Port Drop All Filter Mode

When a filter is set to Pass by Criteria or Deny by Criteria, several additional indicators are displayed:

Figure 6-29. "And" and "OR" Indicators

The “AND” symbol indicates that the filter mode is Pass by Criteria and the defined filter criteria are logically AND’d to allow traffic that matches all of the criteria. An “OR” symbol indicates that the filter mode is Pass by Criteria and the defined filter criteria are logically OR’d to allow traffic that matches any of the criteria.

The “-AND” symbol indicates that the filter mode is Deny by Criteria and the defined filter criteria are logically AND’d to deny traffic that matches all of the criteria. The “-OR” symbol indicates that the filter mode is Deny by Criteria and the defined filter criteria are logically OR’d to deny traffic that matches any of the criteria. Dynamic filters do not support Deny by Criteria.

The text below the “AND” and “OR” symbols provides a quick overview of the configured filter criteria. For example, “IP” indicates that an IP protocol filter criterion has been defined and “L4SPT” indicates that a Layer 4 source port filter criterion has been defined. When more than three filter criteria are defined, the word “more” is displayed.

The text in the lower right corner describes the physical port. Table 6-6 lists the types of physical ports you will see for each NTO model.

Table 6-6: Supported Physical Port Types

Models              Physical Port Type
5204, 5236, 5273    XFP, CX4, RJ-45, SFP, SFP+
5288, 5293          SFP, SFP+, QSFP+

The text in the upper right corner indicates the link status. If the link is up, the text will indicate the link speed. For example, the text “1G” indicates that the port has successfully connected to a device at 1 Gbps. If the link is down, a red "X" will be displayed.

If the letters "EXP" are shown, that indicates the port has a time-limited license and the license has expired.

Filter Criteria Indicators - The table below provides a partial list of the filter indicators and a description of the corresponding filter criteria.

Models 5288, 5293: These models do not support IPv6. Table entries below that refer to IPv6 are for models 5204, 5236, and 5273.

Filter Indicator    Filter Criteria
MACSA               MAC Source Address
MACDA               MAC Destination Address
VLAN                VLAN ID
VLANI               VLAN ID (packet must contain an IPv4 header)
ETYPE               Ethertype
IP4DA               IPv4 Destination Address
IP4SA               IPv4 Source Address
IP6DA               IPv4/IPv6 Destination Address
IP6SA               IPv4/IPv6 Source Address
PROTO               More than one IP protocol is defined (when a single IP protocol is defined, the indicator will represent that specific protocol)
Layer 2             Layer 2
L3/4 v4             Layer 3/4 IPv4
L3/4 v6             Layer 3/4 IPv6
L3/4                Layer 3/4 IPv4 or IPv6
DSCP                DSCP/ECN
L4SPT               Layer 4 Source Port
L4DPT               Layer 4 Destination Port
TCP-C               TCP Control

Filter Symbols

Once a filter is created it will display the filter name, the filter criteria indicators and a filter icon. The filter icon displayed will differ based on the filter mode.

Three arrows in and one arrow out indicate that the dynamic filter is configured to Pass traffic by criteria.

Figure 6-30. Pass by Criteria

Three arrows in and three arrows out indicate that the dynamic filter is configured to Pass All traffic.

Figure 6-31. Pass All

Three arrows in and no arrows out indicate that the dynamic filter is configured to Drop All traffic.

Figure 6-32. Drop All

The circled number “1” indicates that a dynamic filter is configured as a one-stage filter.

Figure 6-33. Dynamic One-stage Filter

Packet Drop Indicator

When the incoming packet rate exceeds the configured rate of a tool port, packets may be dropped. When that occurs, the following symbol will be displayed to the right of the tool port icon:

Cause: The most common cause for this indicator is that several network ports have been aggregated to the tool port (for example, three 1G network ports aggregated to one 1G tool port). Traffic burstiness may also be a factor with many-to-one connections.

Troubleshooting tips:

1. Observe the tool port Tool Management View to find out which network port is sending the most traffic and contributing the greatest amount of packets to the overflow condition. Re-configure as necessary to prevent the alarm condition.

2. Apply filter criteria to the filter to prevent unnecessary traffic from flowing to the tool port.

3. Be aware that in some scenarios, overlapping filter criteria can cause packets to drop. For more information about overlapping filter criteria, see the Tool Management View section.

4. Microbursts of traffic can occur that may also cause traffic to drop. Bursts of traffic with durations shorter than 1 second are typically referred to as microbursts. Additional information about microbursts can be found in the Understanding Traffic Burstiness technical note that can be downloaded from the Anue Customer Portal.

See “Technical Support” on page 11 of this document for information on how to access the Anue Customer Portal.

Link Down Indicator

Ports will display a red "X" to indicate that the link is down. Port groups will display a solid red "X" if all ports in the group are link down, and a hollow red "X" if some, but not all ports in the group are link down.

Cause: The network or tool port could not negotiate speed and duplex (half, full) with the connected device.

Troubleshooting tips:

1. Verify the connectivity between the device and the NTO port (re-seat the cables and SFP/XFP if applicable).

2. Verify that the connectivity elements are correct and match (for example, multi-mode fiber and an 850 nm multi-mode SFP). For information about supported SFPs/XFPs, refer to the Installation Guide for your NTO model.

3. Check the port LED status. For more information, refer to the Installation Guide for your NTO model.

4. Change the NTO port speed to match the connection speed and duplex mode of the connected device.

CHAPTER 7

Control Panel Views

The management frame provides several views that allow different aspects of the Anue NTO to be managed and configured. The main view is the Diagram View, which shows how the ports and filters are connected. There are also views showing the lists of Ports, Port Groups, Dynamic Filters, Library Items, Users, and Groups. Finally, there is a view of the System settings and status. The Available Filter Memory Meters and Function Key Legend are also important management tools that are discussed in this section.

The settings and features described below are common across several views.

View

Settings: Select this option to display configuration and status information.

Statistics: Select this option to display statistic information.

Detail Level (Settings View only)

Brief: Select this option to display the configuration and status information using a quick summary format.

Verbose: Select this option to display the configuration and status information using a more detailed format.

For example, the Filter Criteria field displays the type of criteria defined (for example, VLAN) in brief mode but also displays the specific criteria value (for example, VLAN 100-102) in verbose mode.

Category (Statistics View only)

Due to the large number of statistics available, checkboxes have been provided to allow subsets of the statistics to be viewed. Statistics can be viewed by Category/Type or by Unit.

Units (Statistics View only)

Checkboxes are available for Packet, Bytes and Other.

A checked box indicates that all statistics with that category or unit are currently being displayed.

A filled box indicates that some (but not all) statistics with that category or unit are currently being displayed. An empty box indicates that no statistics with that category or unit are being displayed.

Time of Displayed Stats: Displays the time at which the statistics were collected on the NTO server. The time is displayed in the local time zone of the PC running the control panel. Users running the control panel in different time zones will see different times displayed here.

Display Refresh Interval: Indicates how often the display is updated to show new statistics values. Click the value to configure the interval. This setting does not affect how often statistics are collected on the NTO, which is always once per second. The refresh interval can also be configured under the Edit -> Options menu.

The Export to CSV button exports the information displayed in the view (Settings or Statistics) to a comma separated value file.

The Pause button temporarily suspends the display of new statistics values throughout the control panel (the button name will change to Resume during pause). This button does not affect the actual collection of statistics on the NTO server.

General View Tips

■ You can click a column heading to sort by values in that column.

■ There are scroll bars at the bottom and along the right side of the view that allow fields that are not visible to be displayed.

■ Disabled ports can be hidden/displayed by pressing the F11 key on the keyboard.

■ Double clicking on an object or selecting a port and clicking the Properties Icon will display the properties window. Ctrl + double clicking on a port/filter will open the statistics window.

■ Right clicking on an object provides a menu with several options specific to the object type. For example, the object properties can be opened, an object can be connected to other objects, ports can be added to port groups.

Several objects can be modified simultaneously by:

■ Holding down the Ctrl key, selecting the ports and then right clicking on one of the ports and choosing an available menu option. For example, several ports can be enabled at once by selecting the Enable option.

■ Dragging the mouse to highlight several objects and then right clicking on one of the objects and choosing an available menu option. For example, port statistics can be reset for several ports at once using this method.

Customizing the Tabular Views

To hide columns, right click on any column name. A list of all column names that can be displayed in the view appears. A check will be visible to the right of all currently displayed columns. Select the name of the column that you want to hide. Reverse the procedure to display columns that are currently hidden. Columns that are grayed out cannot be hidden.

The width of the columns in the view can be adjusted by clicking on the border to either side of the column heading and dragging to the left or right.

Diagram View

The diagram view (the default view) displays the ports, port groups and filters laid out graphically. This view shows how packets flow through the NTO, entering the box through network ports on the left, then through dynamic filters in the middle, and finally out through tool ports on the right.

Figure 7-1. Diagram View

Ports View

The ports view displays licensed port settings and statistics in tabular form.

Figure 7-2. Ports View (Settings)

Transceiver Info: Click this button to display transceiver information for all of the ports on the system. This feature displays the properties and capabilities of the installed transceivers. This helps to ensure that the transceivers are the correct devices for your network configuration and are compatible with your optical wiring.

Diagnostics are also provided to verify that transceiver links are operating within adequate margins and to troubleshoot connectivity issues.

An example of a Transceiver Info window is shown below. The window has been split into three sections for ease of understanding.

The top section of the window displays the NTO model number, the NTO IP address, and the date the snapshot of transceiver information was obtained.

The Alerting Port(s) summary lists the ports containing transceivers that had an alert or warning status at the time the snapshot was taken. The example above indicates that the transceivers in ports P02, P03 and P04 have an alert. Alerts and warnings are explained in more detail below.

Model 5204: Transceiver Information is displayed only for transceivers that are installed into the ports of expansion modules. Expansion modules are installed at the rear of the unit.

The next section of the display lists the port number, transceiver identification information and the characteristics or capabilities of the transceiver installed in the port.

The bottom section of the display provides real time transceiver diagnostics and operating parameters. When the Transceiver Info button is clicked, a snapshot of the current Rx and Tx Power, Temperature, Voltage, and Tx Laser Bias is displayed in the Current Value column. The Units column provides the unit of measurement.

The Diagnostics field indicates whether the transceiver was internally or externally calibrated. Internally calibrated transceivers directly report calibrated values in units of current, power, etc. Externally calibrated transceivers report A/D (analog-to-digital) counts which must be converted to real world units by the NTO using calibration values read from the EEPROM.

Note: Only the transceiver capabilities relevant to operation within Ethernet networks are displayed.

The displayed data is retrieved from the EEPROM of the transceiver. If the transceiver does not provide certain data, the field may display the value “unknown”.

The Alert Low, Warn Low, Warn High and Alert High columns display thresholds for the different states. For example, the current Rx Input Power is -40.00 dBm. The table indicates that a value less than or equal to -23.98 dBm is an Alert Low, which explains the Alert status for Rx Input Power.

The Current Status column displays whether the current value is in the Normal (green), Warning (orange), or Alert (red) range.
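How an externally calibrated Rx power reading becomes the dBm value and status described above, as an added Python example that is not Anue code. It assumes the SFF-8472 digital diagnostics convention (a polynomial in the A/D count yielding units of 0.1 µW), which the guide does not name; the calibration bytes and every threshold except the -23.98 dBm Alert Low quoted above are constructed, and treating the other three thresholds as inclusive is an assumption.

```python
import math
import struct


def decode_rx_coefficients(blob):
    """Unpack five big-endian IEEE 754 floats: Rx_PWR(4) down to Rx_PWR(0)."""
    if len(blob) != 20:
        raise ValueError("expected 20 bytes of Rx power calibration data")
    return struct.unpack(">5f", blob)


def rx_power_tenth_uw(ad_count, coeffs):
    """Apply the calibration polynomial; the result is in units of 0.1 uW."""
    c4, c3, c2, c1, c0 = coeffs
    x = float(ad_count)
    return (((c4 * x + c3) * x + c2) * x + c1) * x + c0  # Horner form


def to_dbm(tenth_uw):
    """Convert 0.1 uW units to dBm (0.1 uW is 1e-4 mW)."""
    if tenth_uw <= 0:
        return float("-inf")  # no measurable light
    return 10 * math.log10(tenth_uw * 1e-4)


def classify(value, alert_low, warn_low, warn_high, alert_high):
    """Map a reading onto the Normal / Warning / Alert states of the status column."""
    if value <= alert_low or value >= alert_high:
        return "Alert"
    if value <= warn_low or value >= warn_high:
        return "Warning"
    return "Normal"


def rx_status(ad_count, cal_blob, thresholds):
    """Return (dBm rounded to two places, status) for one raw A/D reading."""
    coeffs = decode_rx_coefficients(cal_blob)
    dbm = to_dbm(rx_power_tenth_uw(ad_count, coeffs))
    return round(dbm, 2), classify(dbm, **thresholds)


# Constructed calibration: power = 0.5 * count (all higher-order terms zero).
CAL = struct.pack(">5f", 0.0, 0.0, 0.0, 0.5, 0.0)

# Alert Low is the value quoted in the guide; the other three are constructed.
THRESHOLDS = {
    "alert_low": -23.98,
    "warn_low": -19.96,
    "warn_high": -1.0,
    "alert_high": 0.0,
}

if __name__ == "__main__":
    for count in (2, 100, 2000):
        print(count, rx_status(count, CAL, THRESHOLDS))
```

With this calibration a raw count of 2 is a single 0.1 µW step, the smallest nonzero reading, and comes out as -40.00 dBm, the same value the guide's example shows in the Alert state.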

Figure 7-3. Ports View (Statistics)

Network Port statistic definitions can be found in the Network Port Statistics section.

Tool Port statistic definitions can be found in the Tool Port Statistics section.

Port Groups View

The Port Groups view provides the user with a list of all port groups. The view also displays port group settings and statistics.

Tool port groups are listed in black text. Network port groups are listed in brown text.

Figure 7-4. Ports Group View (Settings)

Figure 7-5. Ports Group View (Statistics)

Dynamic Filters View

The Dynamic Filters view provides the user with a list of all dynamic filters. The view also displays filter settings and statistics.

Figure 7-6. Dynamic Filters View (Settings)

Figure 7-7. Dynamic Filters View (Statistics)

When the Settings option is selected, the Dynamic Filters View provides the following information.

■ Filter Name

■ Mode

■ Criteria

■ Dynamic Filter Type

■ Description

■ Network Ports

■ Tool Ports

■ Access Settings for Modifying

■ Access Settings for Connecting/Disconnecting Network Ports

■ Access Settings for Connecting Tool Ports

■ Modified

■ Modified By

■ Created

■ Created By

When the Statistics option is selected, the Dynamic Filters View provides the following information.

■ Name

■ Mode

■ Access

■ % Bytes Passed (cur)

■ % Bytes Passed (avg)

■ % Bytes Passed (peak)

■ Time Since % Bytes Passed (peak)

■ % Pkts Passed (cur)

■ % Pkts Passed (avg)

■ % Pkts Passed (peak)

■ Time Since % Pkts Passed (peak)

■ Inspected Bytes

■ Inspected Bits/Sec (cur)

■ Inspected Bits/Sec (avg)

■ Inspected Bits/Sec (peak)

■ Time Since Inspected Bits/Sec (peak)

■ Inspected Pkts

■ Inspected Pkts/Sec (cur)

■ Inspected Pkts/Sec (avg)

■ Inspected Pkts/Sec (peak)

■ Time Since Inspected Pkts/Sec (peak)

■ Passed Bytes

■ Passed Bits/Sec (cur)

■ Passed Bits/Sec (avg)

■ Passed Bits/Sec (peak)

■ Time Since Passed Bits/Sec (peak)

■ Passed Pkts

■ Passed Pkts/Sec (cur)

■ Passed Pkts/Sec (avg)

■ Passed Pkts/Sec (peak)

■ Time Since Passed Pkts/Sec (peak)

■ Time Since Stats Reset

■ Reset By

Filter statistic definitions can be found in the Dynamic Filter Statistics section.

Library View

The Library View is used to organize libraries of filter templates and custom icons shared by all users. Collections can also be shared between NTO systems by copying one or more collections from one NTO and pasting them into the library of another system or by exporting them from one system and importing them into another.

All users can create and modify library collections.

The Library View provides a Filter Templates tab and Custom Icons tab.

Filter Template Collections

The filter template library allows filter criteria settings to be saved, organized and reused as templates.

A filter template contains the filter criteria for a filter. A name must be assigned to a filter template. Each filter template can also be given a description that can describe when and how the filter criteria should be used.

Filter templates can be organized into filter template collections. The collections can be named in any manner that meets the needs of the user. For example: security filters, specific tool type filters, organization/location specific filters, or John Doe’s favorite filters. There is one default filter template collection named “Public”.

All users can create and modify filter templates and filter template collections.

The library view displays the Filter Template Collections in the top pane. When a filter template collection is selected, the Filter Templates in the collection are displayed in the bottom pane.

Once a filter template is created, the defined filter criteria can easily be placed into the filter settings of dynamic filters, network ports and tool ports in a number of convenient ways described below.

Filter template collections can be shared between NTO systems by copying one or more collections from one NTO and pasting them into the filter library of another system.

Figure 7-8. Filter Template Collections

For collections and templates, the following information is displayed:

■ The Name of the filter template or collection

■ A Description of the filter template or collection

■ The Criteria of the filter template (this field is not available for collections)

■ The date the filter template or collection was last Modified

■ The name of the user who last modified the filter template or collection (Modified By)

■ The date the filter template or collection was Created

■ The name of the user who created the filter template or collection (Created By)

Modifying Filter Templates

There are several methods that can be used to modify a filter template:

1. Double click on the template.

2. Right click on the template and select Properties.

3. Select the template and then click the Properties Icon in the toolbar below the main menu.

Deleting Filter Templates

The listed filter templates can be deleted by right clicking on the template and selecting Delete from the pop-up menu. The user can also select the filter template and press the Delete key on the keyboard or click the Delete Icon in the tool bar.

Creating Filter Template Collections

There are several methods to create filter template collections:

1. Select File->New->Filter Template Collection.

2. Filter template collections can be created using the New Filter Template Collection icon displayed in the toolbar below the main menu options.

3. When saving filter templates from the filter criteria tab of any object, there is an option to create a new filter template collection. Use the New button to create a new collection.

Figure 7-9. Save New filter template

4. Filter template collections can be created by right clicking in the Filter Template Collections pane of the Library view and selecting New Filter Template Collection.

Figure 7-10. Create New Filter Template Collection

The New Filter Template Collection window displays. A Name and an optional Description can be entered.

Figure 7-11. New Filter Template Collection Window

Creating Filter Templates

There are several methods to create filter templates:

1. Select File-> New->Filter Template.

2. Filter templates can be created using the New Filter Template icon displayed in the toolbar below the main menu options.

3. Filter templates can be created by using the Save button in the Library section of the filter criteria tab of ports and filters.

Figure 7-12. Save Filter Criteria

4. Filter templates can be created by right clicking in the Filter Templates pane of the Library view and selecting New Filter Template.

Figure 7-13. Create New Filter Template

The New Filter Template window will open.

Figure 7-14. New Filter Template Window

Collection: The filter template will be saved to the selected filter template collection. The drop down box can be used to select the target filter template collection. The New button can be clicked to create a new filter template collection.

A Name and an optional Description can be entered.

Filter Template Available Criteria

The same filter criteria options that can be specified for dynamic filters, ports and port groups can also be specified for filter templates. See Defining Filter Criteria for Ports, Port Groups, and Dynamic Filters for details and examples.

Custom Icon Library

Ports and port groups can be configured to show custom icons in place of the default port icons. In order to show a custom icon on a port, the icon must first be added to the Custom Icon Library. The library is shared by all users of the NTO.

Click the Add button to add an icon. Supported file types for custom icons are .jpg, .gif and .png. Images larger than 64x64 pixels in size will be automatically resized down to a maximum of 64x64 pixels, maintaining their original aspect ratio. Images smaller than 64x64 will maintain their original size.

A tooltip can be assigned to the icon. The icon file name is the default icon tooltip but the name can be modified during the process of adding the icon to the library. Tooltips can also be edited using the Edit Tooltip button. Note that tooltips are only visible in the library and in the Port Icon area of the Properties tab of ports, dynamic filters and port groups.

Use the Remove button to remove an icon from the custom icon collection.

Users View

The Anue NTO supports 2 flavors of user authentication: Local and Remote (using TACACS+ or RADIUS).

When the system is using local authentication, the Users view displays all local users that are defined in the internal NTO user database. When the system is using remote authentication, it is not possible to determine the complete list of users defined in the remote server. In that case, the Users view infers as many users as it can by displaying the list of currently logged-in users, and any users which appear in locally-defined groups.

Figure 7-15. Users View

The default administrator account, "admin," is always a local account and is always present even when remote authentication is used.

The following information is displayed in the Users View:

■ Login ID

■ System Administrator capabilities—Whether the user has system administrator capabilities. A red x indicates a non-system administrator, a green check (√) indicates that a user has system administrator capabilities.

■ Online status—A red x indicates offline; a green check (√) indicates online.

■ Session Type—Indicates whether a user is logged in from a Control Panel GUI or a Tcl shell.

■ Full Name—The full name assigned to the user.

■ Email Address and Phone Number—The email address and phone number assigned to the user.

■ Authentication Mode—Indicates whether the user is a Local, TACACS+, or RADIUS user.

■ Owner of Groups—Lists the groups for which the user is an Owner.

■ Member of Groups—Lists the groups of which the user is a Member.

■ Port Modify Access—Lists the ports which the user has permission to modify.

■ Port Connect/Disconnect Access—Lists the ports to which the user has permission to connect.

■ Dynamic Filter Modify Access—Lists the dynamic filters which the user has permission to modify.

■ Dynamic Filter Connect/Disconnect Network Port Access—Lists the dynamic filters which the user has permission to connect to network ports.

■ Dynamic Filter Connect Tool Port Access—Lists the dynamic filters which the user has permission to connect to tool ports.

■ Modified—The date and time the user properties were last modified.

■ Modified By—The login ID of the user who last modified the user account.

■ Created—The date and time the user was created.

■ Created By—The login ID of the user who created the user.

The text at the top left of the view indicates the authentication mode of the Net Tool Optimizer. The text reads Locally-Defined Users when the unit is in local authentication mode, TACACS+ authentication enabled when the unit is in TACACS+ authentication mode, and RADIUS authentication enabled when the unit is in RADIUS authentication mode. User account information cannot be modified when the unit is in TACACS+ or RADIUS authentication mode with the exception that the local administrator (“admin”) can modify their own account.

In local authentication mode, users without system administrator capabilities can view the properties of all users and modify their own user properties by double clicking on a user entry. System administrators can double click on any user to view and modify the user properties.

Modifying User Settings

The user settings can be modified by right clicking on a user and selecting a menu option.

Right clicking on a user provides several menu options:

■ New Users can be created

■ Users can be Deleted

■ The user Properties can be accessed

■ Users can be Added to Groups

■ Users can be Removed from Groups

Note: The password for the "admin" account can only be changed by the "admin" user. It cannot be changed by any other administrator account. If forgotten, the "admin" password can be reset. Details differ depending on the NTO model:

■ Models 5204/5236/5273: See Resetting the Admin Password from the LCD Menu for more information.

■ Models 5288/5293: See Reset Administrator Password for more information.

Figure 7-16. User Right Click Menu

Groups View

When the system is using Local authentication, the Groups view displays all local groups that are defined in the internal NTO group database. When the system is using remote (TACACS+ or RADIUS) authentication, it is not possible to determine the complete list of groups defined in the remote server. In that case, the Groups view infers as many groups as it can by displaying the list of groups to which any currently logged-in users belong, and any groups which appear in port access lists.

Groups are used to conveniently assign access privileges for ports and filters to a group of users with similar access needs. This eliminates the burden of having to assign and maintain an access list of individual users. For example, members of the security team can be organized into a security group that has access to modify and connect to the Intrusion Detection System (IDS) tools.

Groups can be defined in any manner to meet your organization's needs. Group composition can be based on function (networking, security, compliance, etc.), roles (administrators, basic users, managers) or group structure (project team, geographic location, etc.).

In Local authentication mode or in remote authentication mode with local groups, groups can be created, edited, and deleted from the Groups view. Once defined, groups can then be granted access control privileges to network ports and tool ports by a system administrator. For more details about access control, see Access Control Using Groups.

The following fields are displayed in the Groups view:

■ Name

■ Description

■ Group Owners—the Login IDs of the users who can add/remove users from the group

■ Group Members

■ Used in Ports—the list of ports whose access control lists include the group

■ Modified—The date the group was last modified

■ Modified By—the Login ID of the user who last modified the port group

■ Created—The date the group was created

■ Created By—the Login ID of the user who created the port group

Figure 7-17. Groups View

The Export to CSV button exports the information displayed in the view to a comma separated value file.

The view can display Brief or Verbose information. The CSV file can then be imported into a spreadsheet so the information can be used for documentation purposes.

Modifying Group Settings

Groups can be modified by right clicking on a group and selecting a menu option.

Right clicking on a group provides the following menu options:

■ New Group—New groups can be created

■ Add User(s)—Users can be added to groups

■ Remove User(s)—Users can be removed from groups

■ Copy—Groups can be copied (and then pasted into the Groups view under a different name)

■ Paste—Groups can be pasted into the Groups view

■ Delete—Groups can be deleted

■ Properties—Group properties can be accessed

Figure 7-18. Groups Right Click Menu

Creating Groups and Adding Users to Groups

Users are often added to access control groups based on organizational or functional duties. Security policies can be defined that control which groups can connect to ports and dynamic filters and modify the port and dynamic filter configuration.

The following rules apply to the creation of local groups:

■ Only system administrators can create local groups

■ A member of a group can also be designated as an Owner of the group. The owner of a group has the ability to add and remove group members. Each group can have more than one owner.

■ Users can be assigned as members and/or owners of more than one group

There are three methods that can be used to begin the process of creating a local group (note that these options are only visible to system administrators):

1. Groups can be created using the New Group icon displayed in the toolbar below the main menu options.

2. Right click in the table area of the Groups View and select New Group.

3. Select File->New->Group from the main menu.

When the New Group window displays, enter a Name and optional Description.

The NTO Access Control Using Groups feature uses locally-defined groups when the NTO is in Local authentication mode, or when it is in remote authentication mode with Groups set to “Local”.

TACACS+-defined groups are used when the NTO is in TACACS+ authentication mode with Groups set to “TACACS+”.

RADIUS-defined groups are used when the NTO is in RADIUS authentication mode with Groups set to “RADIUS”.

Figure 7-19. New Group Window

Click the Add button to begin adding users to the new group. Note that system administrators do not need to be (and cannot be) added to groups because they always have full access to every port and filter.

Figure 7-20. Select Users Dialog

Select the users from the displayed list. Several users can be selected by using the Shift or Ctrl keys. Then click OK to add the users.

When the NTO is configured in TACACS+ or RADIUS authentication mode, a slightly different Select Users dialog appears (shown below). For more information about TACACS+ and RADIUS authentication modes, see Chapter 8, “Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS”.

Only non-administrator users that are currently logged in to the NTO will appear on the Select Users list.

A comma-separated list of names of remote users that are not listed in the dialog can be entered manually in the field at the bottom of the dialog.

A remote user is defined as a Login ID listed in the configuration database of the remote authentication server (either TACACS+ or RADIUS).

Figure 7-21. Select Users Dialog - Remote Authentication

If there are no non-administrator remote users logged in to the NTO at the time, the Select Users dialog will show only the name entry text field, as shown in Figure 7-22.

Figure 7-22. Enter a List of Remote Users

After users have been added to a group, one or more users can be designated as a Group Owner. Click the checkbox under the Group Owner field to designate a user as a group owner. The owner of a group has the ability to add and remove group members.

Figure 7-23. Designate Group Owners

Remove Users from Groups

There are three methods to remove users from groups:

1. Right click on the group in the Groups View and select Remove User(s). Select the users that you want to remove from the group and then select OK.

2. Access the group properties. Select the users you wish to delete and then click the Remove button. Click OK to save the changes.

3. Right clicking on a user name in the User View provides a Remove from Group(s) menu option.

Tip: Users can be copied from one group and pasted into another group. Select users from the Members area of a group’s General tab, right click and select Copy. Right click in the Members area of the destination group’s General tab and select Paste.

System View

The System view provides status, settings, version, license, and hardware information about the overall system. These elements are described in more detail in the following sections.

Status Tab

The Status tab displays overall status of the system and its components, including information such as uptime, temperatures, and an event history. The Status tab displays different information depending on the model of your NTO.

Figure 7-24. NTO Model 5236 Status Tab

Figure 7-25. NTO Model 5273 Status Tab

Figure 7-26. NTO Model 5288 Status Tab

Figure 7-27. NTO Model 5293 Status Tab

Several items shown on the Status tab can give rise to system alarms due to various failure conditions. When no adverse conditions are present, the alarm status of these items is shown as a green check mark, indicating that the subsystem is functioning normally (that is, no alarms are present). A minor alarm, such as a small rise in temperature, will appear as a yellow exclamation point, and a major alarm, such as a large rise in temperature, will appear as a red exclamation point. Details about an alarm, such as the time it occurred, can be seen by hovering the mouse over the alarm icon. The most severe alarm will be reflected in the Session tab at the top of the window. This alarm indicator will always be visible, even when not viewing the System Status tab.

The following table describes the various alarm levels:

Operational Condition | Color | Meaning
Normal | Green | Resource is in a normal operational state
Minor | Yellow | Alarm level that indicates a problem of relatively low severity that should not impede use of the resource. Corrective action should be taken in order to prevent a more serious fault.
Major | Red | Alarm level that indicates some kind of possibly service-affecting problem with the resource. The severity of the problem is relatively high and normal use of the resource is likely to be impaired. This requires urgent action.

System

System time: Displays the current time on the NTO server. The time is displayed in the local time zone of the PC running the control panel. Users running the control panel in different time zones will see different times displayed here.

Up Time: Displays the amount of time since the NTO was last restarted.

General

Temperature: Displays the primary temperature of the system in Celsius/Fahrenheit.

Acceptable temperature ranges differ for the various models of NTO. Table 7-1 shows the messages for the different models.

Table 7-1: Acceptable Temperature Ranges

Models | Temperature Status: Normal | Temperature Status: Warm (Minor Alarm) | Temperature Status: Hot (Major Alarm)
5204 | <=63C/145F | >63C/145F | >66C/151F
5236 | <=61C/142F | >61C/142F | >64C/147F
5273 | <=75C/167F | >75C/167F | >80C/176F
5288 | <=49C/120F | >49C/120F | >65C/149F
5293 | <=49C/120F | >49C/120F | >65C/149F

Fan Status (5236 only): Displays the status of the unit fans. “OK” will display if all fans are working correctly. If there has been a fan failure, the total number of failed fans will display and a minor alarm will be raised.

Power supply (5204/5236 only): Displays the power supply status. Status reported will be “Good” or “Bad”. A power supply failure (“Bad” status) will raise a major alarm.

External power supply (5204/5236 only): Displays the external power supply status. Status reported will be “Good”, “Bad” or “Not Present”. An external power supply failure (“Bad” status) will raise a major alarm.

The following series of screen shots illustrate the control panel status indicators for various power supply and external (auxiliary) power supply situations:

■ Initial startup state with only AC power

■ State with AC and the external (auxiliary) power supply connected but turned off

■ State with AC and the external (auxiliary) power supply connected and turned on.

■ State with AC unplugged and external (auxiliary) power supply connected and the external power supply not turned on.

Temperature Warning:

Please ensure that the Net Tool Optimizer is properly ventilated.

The NTO will shut down automatically once the unit temperature rises above a critical temperature. Temperatures vary between NTO models. See Table 7-2 for details.

Table 7-2: Critical Shutdown Temperatures per Model

Model | Critical Shutdown Temperature
5204 | 70C/158F
5236 | 69C/156F
5273 | 90C/194F
5288 | 70C/158F
5293 | 80C/176F

Mgmt port (Management port status) (5204/5236 only): Displays the speed and duplex of the management port connection.

Management port (front and back) (5273 only): Displays the speed and duplex of the front panel management port connection. Will indicate "active" if the port is the active management port. Will indicate "standby" if the port is the standby management port.

Management port 1 and 2 (5288/5293 only): Displays the link status of the two management ports. The word "active" indicates which port is currently being used. The word "standby" indicates which port is ready to become active should the active port fail or go link-down.

Expansion Modules (5204/5236/5273 only)

Module A: Indicates whether an interface module has been detected in slot A. The field also indicates whether the installed card supports 1G SFP+, 10G copper CX-4, 10G XFP or 10G SFP+.

Module B: Indicates whether a 10G expansion card has been detected in slot B. The field also indicates whether the installed card supports 1G SFP+, 10G copper CX-4, 10G XFP or 10G SFP+.

Port Modules (5288/5293 only)

Module A, B, C and D: Indicates whether an interface module has been detected in the slot. Displays the type of module installed and the current module temperature.

Power Modules (5288/5293 only)

Module A and B:

Power supply: Displays the power supply status. Status reported will be “Good” or “Bad”. A power supply failure (“Bad” status) will raise a major alarm.

Fan Status: Displays the status of the power supply fans. “OK” will display if all fans are working correctly. If there has been a fan failure, the total number of failed fans will display and a minor alarm will be raised.

Fan Modules (5288/5293 only)

Module A, B and C: Displays the status of the independent, pluggable fan modules.

System History

Settings last modified: The last system setting that was changed is displayed along with the date and time of the change and the name of the user who made the change.

Software last installed: The name of the last NTO software file installed is displayed along with the date and time of the installation and the name of the user who performed the installation. The NTO software file is used to upgrade the system software version.

License last installed: The name of the last NTO license file installed is displayed along with the date and time of the installation and the user who performed the installation. This field will be blank until a license update is performed in the field.

Configuration last imported: The name of the last configuration file that was imported is displayed along with the date and time of the import and the name of the user who performed the import.

Restart last requested: The date and time that a system restart was last requested is displayed along with the name of the user who requested the restart.

Models 5204, 5236, 5273: If the restart request was initiated using the LCD and keypad on the front panel of the unit, the name listed will be “LCD panel”. Note that this is the time of the request, not the time the system actually came back up.

Models 5273, 5288, 5293: If the restart request was initiated using the craft port interface, the name listed will be “Serial port.”

Power down last requested: The date and time that the last request to power down the system was made.

Models 5204, 5236, 5273: If the power down request was initiated using the LCD and keypad on the front panel of the unit, the name listed will be “LCD panel.”

Models 5273, 5288, 5293: If the power down request was initiated using the craft/serial port, the name listed will be “Serial port.”

External Alarms (5273, 5293 only)

Visual Alarms: The visual alarm status displays.

Audible Alarms: The audible alarm status displays.

Alarm Cut-Off (button): Pressing the ACO button mutes the critical and major audible alarms that are present and lights the ACO LED on the front panel of the unit (note that major and/or critical visual alarms are still present).

ACO Last pressed: Indicates the date and time the ACO button on this page or on the front panel of the unit chassis was last pressed. If the ACO button on this page was pressed, the Login ID of the user will also be displayed.

Note: Critical and Major alarms are reported via audible and visual alarms that can be relayed to a centralized alarm system. Refer to the Anue 5273 Installation Guide or the Anue 5293 Installation Guide for information on how to make connections between a local alarm system and the 5273 or 5293 alarm port.

Power Module A (5273 only)

Fan Status: Displays the status of the unit fans. “OK” will display if all fans are working correctly. If there has been a fan failure, the total number of failed fans will display and a minor alarm will be raised.

Power supply: Displays the power supply status. Status reported will be “Good” or “Bad”. A power supply failure (“Bad” status) will raise a major alarm.

Power Module B (5273 only)

Fan Status: Displays the status of the unit fans. “OK” will display if all fans are working correctly. If there has been a fan failure, the total number of failed fans will display and a minor alarm will be raised.

Power supply: Displays the power supply status. Status reported will be “Good” or “Bad”. A power supply failure (“Bad” status) will raise a major alarm.

Note that a 2nd power supply is an optional feature.

Settings Tab

The System Settings tab displays the current values of the system-wide configuration settings and, for system administrators, provides a means to change the settings. Non-administrators can view the settings but cannot change them. The following figures show some of the differences on various models of NTO. Your display may differ depending on your configuration.

Figure 7-28. NTO Model 5204 System Settings Tab

Figure 7-29. NTO Model 5273 System Settings Tab

Figure 7-30. NTO Model 5288 System Settings Tab

Figure 7-31. NTO Model 5293 System Settings Tab

General

System Info: Click on the hyperlink to configure NTO system information. A name, location and contact information can be defined. The name defined for the NTO will be displayed in the title bar of the Anue NTO Control Panel. There is no character length limitation for System Info fields but note that only the first 255 characters can be queried through SNMP.

The system information can be retrieved via SNMP MIB-II get requests.

IP configuration: Click on the hyperlink to configure the Anue NTO IP address, subnet mask or gateway.

Caution: Changing the IP configuration or Management port settings will cause the NTO to restart and forces all users off the system. If the IP address values are not correct you will not be able to log back into the NTO through the Control Panel GUI or the Tcl API. In this case, the serial port menu would be the only means of correcting the error.

Management port settings: Click on the hyperlink to configure the management port duplex settings. The options are Auto-Negotiate, 1G Full Duplex, 100M Full Duplex, 100M Half Duplex, 10M Full Duplex and 10M Half Duplex.

Models 5204, 5236, 5273: Auto-MDIX (automatic medium-dependent interface crossover) is supported for 1G, 100M and 10M copper ports. Auto-MDIX allows the interface to automatically detect and support a straight through or crossover Ethernet cable.

Serial Port Access (5273 only): Click on the hyperlink to disable or enable serial port access. The 5273 can be restarted from the serial port. This is the only function of the serial port.

LCD admin password reset (5204, 5236, 5273 only): Disabling this feature prevents the password of the default administrator account (“admin”) from being reset from the front panel LCD and keypad. For more information, refer to Resetting the Admin Password from the LCD Menu.

Login session timeout: Click on the hyperlink to configure the idle login session timeout. If a timeout is specified, a user will be automatically logged out if there is no control panel activity from that user in the specified time. The logout can be configured for minutes, hours, or never. Login session timeout should be set to at least 10 minutes to allow potential software upgrades to complete.

Server log level: Click on the hyperlink to configure the log level for the Anue NTO server. The server log level can be raised to help troubleshoot Anue NTO server issues. Log level options are error, warn, info, debug and trace. Log levels should only be changed as directed by Anue Technical Support.

Power on self test (POST): The POST provides a mechanism to initiate a series of diagnostic tests at startup to validate the health of the NTO hardware. To enable the POST, click Disabled. Click OK to confirm that you want the POST to run every time the NTO is restarted. The Disabled text will change to display Enabled.

To disable the automatic POST, click Enabled and then click OK to confirm that you wish to disable the automatic POST.

NOTE The POST adds the following time to the NTO restart process:

■ Models 5204/5236/5273: 4-5 minutes

■ Models 5288/5293: approximately 10 minutes

See Appendix E, “Troubleshooting” for detailed information about the POST and how to view POST results.

TLS/SSL: The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols are designed to help protect the privacy and integrity of data while it is transferred between the Control Panel and the NTO.

To enable TLS/SSL:

1. On the Settings tab, to the right of the TLS/SSL field, click the Disabled hyperlink. The TLS/SSL Configuration dialog displays.

2. Select the Enable TLS/SSL encryption check box. A Confirm dialog displays.

3. Click OK. An Information dialog displays.

4. Click OK. The TLS/SSL state changes to Enabled, all users are logged off, and the NTO restarts to put the system in the new state.

When connecting to an SSL-enabled NTO, an Anue-provided code-signing certificate is presented by the NTO to the Control Panel to establish the identity of the NTO. When an untrusted certificate is received – such as the first time connecting to an NTO after SSL has been enabled – the user must determine whether the certificate is to be trusted.

To determine whether to trust an untrusted SSL certificate on an SSL-Enabled NTO:

1. Log on to an SSL-Enabled NTO. When you connect to an SSL-Enabled NTO which presents an untrusted SSL certificate, the SSL Certificate Validation dialog displays.

2. Click Details to see the chain of other certificates certifying the issuer of the main certificate. The Certificate Details dialog displays.

3. Click any member in the chain to see details about it. You can decide whether the main SSL certificate is trustworthy by viewing the details of the certificate chain.

Once a certificate has been deemed to be trusted, it is stored in the Control Panel's trust store. Trusted certificates will connect without further user inspection. Note that since all NTOs currently present the same certificate, once any NTO certificate has been accepted into the Control Panel's trust store, all subsequent certificates presented by any NTO will be automatically trusted. The NTO presents a code-signing certificate to assure that the application being executed is authentic. The NTO does not support user-provided certificates at this time.

The Control Panel's trust store is located in the file <user-home>\Anue Systems\Anue 52<nn>\anuecerts. <user-home> is typically C:\Documents and Settings\username (Windows XP) or C:\Users\username (Windows 7). If the user decides to stop trusting a particular certificate, the local trust store file (anuecerts) can be deleted.
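The trust-store behaviour this section describes (accept once, one certificate shared by every NTO, deletion noticed only after the Control Panel restarts) can be modelled in a few lines. This is an added illustration, not Anue code: the class names, host names and certificate bytes are constructed, and the in-memory cache is an assumption drawn from the guide's note on deleting the trust store.

```python
import hashlib

# Constructed stand-ins for encoded certificates (not real certificates).
SHARED_NTO_CERT = b"constructed stand-in for the certificate every NTO presents"
OTHER_CERT = b"constructed stand-in for an unrelated certificate"


def fingerprint(cert_bytes: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of an encoded certificate."""
    digest = hashlib.sha256(cert_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TrustStore:
    """Stands in for the on-disk trust store file (hypothetical model)."""

    def __init__(self):
        self.accepted = set()

    def delete(self):
        """Equivalent of deleting the trust store file."""
        self.accepted = set()


class ControlPanelSession:
    """One running client instance: reads the store once, then uses memory."""

    def __init__(self, store, decide):
        self.store = store
        # Assumption: accepted certificates are cached when the client starts.
        self.cached = set(store.accepted)
        self.decide = decide      # callback(host, fingerprint) -> bool
        self.prompted = []        # hosts for which the operator was asked

    def connect(self, host, cert_bytes):
        fp = fingerprint(cert_bytes)
        # Trust is keyed on the certificate alone, not on the host.
        if fp in self.cached:
            return "trusted"
        self.prompted.append(host)
        if not self.decide(host, fp):
            return "rejected"
        self.cached.add(fp)
        self.store.accepted.add(fp)
        return "accepted"


def out_of_band_check(expected_fp):
    """Operator decision: accept only a fingerprint verified out of band."""
    def decide(host, presented_fp):
        return presented_fp == expected_fp
    return decide


def run_scenario():
    store = TrustStore()
    decide = out_of_band_check(fingerprint(SHARED_NTO_CERT))
    first = ControlPanelSession(store, decide)
    results = {}
    # First contact: the operator is prompted and accepts.
    results["nto-a first contact"] = first.connect("nto-a.example", SHARED_NTO_CERT)
    # A second NTO presents the same certificate: no prompt at all.
    results["nto-b same cert"] = first.connect("nto-b.example", SHARED_NTO_CERT)
    # A different certificate fails the fingerprint comparison.
    results["unknown cert"] = first.connect("nto-c.example", OTHER_CERT)
    # Deleting the store does not affect the instance that is already open.
    store.delete()
    results["open session after delete"] = first.connect("nto-a.example", SHARED_NTO_CERT)
    # A restarted client reads the empty store and prompts again.
    restarted = ControlPanelSession(store, decide)
    results["restarted session"] = restarted.connect("nto-a.example", SHARED_NTO_CERT)
    results["prompts in first session"] = list(first.prompted)
    results["prompts after restart"] = list(restarted.prompted)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

Because the store keys on the certificate alone, the prompt on first contact is the only point at which the operator verifies anything; the decide callback stands for comparing the displayed details against a value obtained out of band.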

NOTE If the trust store is deleted while an NTO session is open, the fact that the certificate is no longer trusted will not be detected until that instance of the Control Panel is closed and re-started. The existing session will continue to be secure, since all security artifacts are cached to memory while the Control Panel is open.

NOTE When you are connected to an NTO using TLS/SSL, a secure lock icon displays in the lower right corner of the main window, similar to the way it does in a web browser. You can double-click this secure lock icon to launch the Certificate Details dialog. This also works if you want to inspect a certificate after you have accepted it the first time.

Fan Control (5204 Only - Not displayed above): Click the hyperlink to configure the fan speed. The options are:

■ Auto – Allow the server to control the fan speed based on temperature

■ Maximum Cool – Run server fan speeds at maximum

Remote Services

Authentication: The current authentication mode is displayed. Click on the hyperlink to configure the NTO authentication mode. Options include Local, TACACS+, and RADIUS. For detailed information on configuring TACACS+ and RADIUS, refer to Chapter 8, “Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS.”

Syslog: Click on the hyperlink to specify one or more servers to which the NTO should send "syslog" status messages. These messages are used to notify listeners when changes are made to the NTO or when adverse conditions are present. Servers can be identified by IP address or DNS name. The Facility (local0 - local7 or User) and Port can also be defined (the default port is 514). See Chapter 10, “SYSLOG” for detailed information on how to configure this feature.

SNMP: Click on the hyperlink to configure SNMP support. For detailed information on configuring SNMP, refer to Chapter 9, “SNMP.”

DNS Configuration: Click on the hyperlink to configure the NTO to use DNS to resolve host names entered in fields within the system configuration. A DNS server must be configured if any Remote Services (TACACS+, RADIUS, Syslog, or NTP) servers have been specified using DNS names. Note that the TTL (time-to-live) for a successful DNS resolution is 5 minutes.

After the Set DNS Configuration window displays, the IP address of a preferred and alternate DNS server can be entered.

Optionally, you can enter up to two suffixes to use when resolving unqualified domain names. The expected valid characters are “A-Z, a-z, 0-1, ., or –”. Other characters can be accepted but the user will receive a warning.

Click OK to save the changes.

Figure 7-32. Set DNS Configuration

NTP:

The Network Time Protocol (NTP) is a clock synchronization feature that maintains synchronization with a network time source. The NTO supports NTP version 4, but also retains compatibility with versions 1-3. NTP converges to an accurate time more quickly when multiple NTP servers are configured. The following NTP functionality is supported:

■ Add and enable an NTP server list (also called server pool) using either IP address or fully qualified domain name, up to a maximum of five (5) servers.

■ Display the detailed status of the NTP server pool.

■ Disable servers from the NTP server pool

■ Delete servers from the NTP server pool.

NOTE You must have system administrator privileges to use this feature.

The NTO System Settings page displays the following NTP values depending on what you configure and enable:

Table 7-3:

Value | Meaning
Not Set | No servers are configured.
Enabled - <server name or IP> | One server is configured and enabled.
Enabled - <# servers configured> | More than one server is configured.
Disabled - <server name or IP> | One server is configured but disabled.
Disabled - <# servers configured> | More than one server is configured but disabled.

To configure and enable NTP servers:

1. On the Settings tab, to the right of the NTP field, click the Not set hyperlink. The NTP Servers dialog displays.

2. Click Add. The NTP Server Configuration dialog displays.

A. Enter a DNS Name - for example, north-america.pool.ntp.org - and click OK. The NTP field displays the added and enabled DNS NTP server name.

or

B. Open the Server address drop-list and select IPv4 Address. The Server address field displays, which allows you to enter a valid IPv4 address for your NTP server.

C. Enter an NTP IPv4 address and click OK. The NTP field displays the added and enabled IPv4 NTP server.

NOTE The NTP port is 123 and cannot be modified.

To display the detailed NTP Status, click NTP Status. The NTP Server Status dialog displays.

Configured Address: The address the user entered when configuring the NTP server.

Server Name: This column may be different from the configured address because of DNS lookup.

Reachable: Indicates whether the server is reachable or unreachable.

Condition: May display 'reject', 'falsetick', 'excess', or 'outlier' to indicate that the server is currently discarded by the NTP algorithm. Displays 'candidate' when the server is included in the NTP algorithm, 'sys.peer' when the server is a system peer, and 'pps.peer' when the server is a preferred peer.

Time Offset: Displays the offset of this NTP server relative to the NTO time.

Clock Quality: Displays the stratum level (1-15) of this NTP server.

To disable NTP servers:

1. On the Settings tab, to the right of the NTP field, click the Enabled link. The NTP Servers dialog displays.

2. Deselect Enable and click OK. The NTP field displays Disabled.

To delete NTP servers:

1. On the Settings tab, to the right of the NTP field, click the Enabled link. The NTP Servers dialog displays.

2. Select a server and click Delete. The deleted server is removed from the NTP Server list.

3. Click OK. The NTP field displays the remaining enabled server(s).

Filter Memory Allocation

This feature allows system administrators to customize the NTO filter memory in a manner that is specific to their needs. For example, if users only need to filter traffic based on L3/4 (layer 3 and layer 4) criteria, a system administrator can configure the settings to support 100% L3/L4 filter criteria.

Another common use for this feature is to make minor modifications in the memory allocation to complete a filter configuration. For example, a user attempts to create an L3 filter and receives a notification message indicating that there is not enough L3 memory to create the filter. To resolve the problem, the system administrator can reduce the amount of L2 memory (which will increase the amount of L3 memory) and allow the user to complete the task of creating the filter.

Caution: Modifying the filter memory allocation settings may momentarily disrupt traffic flow.

Figure 7-33. Filter Memory Allocation

Dynamic and tool port filters: Dynamic and tool port (egress) filters share the same memory pool. The current memory allocation for dynamic filters and tool port (egress) filters is displayed.

Network port filters: The current memory allocation for network port filters is displayed. Only system administrators can modify the configuration.

Clicking the Network port filters or Dynamic and tool port filters links will display the Set Filter Memory Allocation window.

The window contains a tab for each of the two memory pools. The tabs function identically; each allows you to set the memory allocation for the desired filter criteria types.

Figure 7-34. Set Filter Memory Allocation

Figure 7-35. NTO 5288/5293 Set Filter Memory Allocation

The following options are available:

Once the criteria types are selected, the Available Memory Allocation Options can be used to further customize the memory allocation. The highlighted option indicates the currently selected configuration.

For example, with the default Criteria Types Selected (L2 and IPv4 L3/4) the following options are available:

The selected configuration indicates that 25% of the filter memory will be allocated to L2 filter criteria and 75% of the filter memory will be allocated to IPv4 with a combination of VLAN, L3 and L4 filter criteria.

The memory allocation section of the window provides meters that display a visual representation of the current filter criteria memory allocation.

Note: Tool port deny filter memory cannot be directly configured. The Tool port deny filter meters represent the type of filter criteria that can be configured for tool port deny filters. L2 criteria are only supported on tool ports when “L2” is the only criteria selected.

The Available Criteria/Unavailable Criteria section of the dialog box clearly displays the effect of the configured settings by listing the criteria that will be available and the criteria that will be unavailable. Note that modifications to the memory allocation settings do not take effect until OK is clicked.

Tool Port Group Load Balance Settings

These settings allow the user to specify how traffic is to be balanced across all tool interconnect port groups and load balance port groups. Note that load balance group traffic flows are maintained after system events such as NTO restart, import, and image upgrade.

Clicking the IPv4 packets, IPv6 packets, or L2 packets links will display the Tool Load Balance Settings window.

Model 5204: The Load Balancing feature is not available on this model.

Separate settings for each packet type: Select this option to use the settings in the IPv4, IPv6 and L2 sections of this window to load balance packets.

Same settings for all packet types: Select this option to only use Layer 2 header information to load balance IPv4, IPv6 and L2 packets.

IPv4 Packets

IPv4 packets are always balanced using the source and destination IP addresses and the IP protocol. To maintain host-to-host sessions, Layer 2 is ignored in the algorithm when an IPv4 packet is detected. Users may optionally check the “Source and destination L4 ports” box to add those headers to the load balancing algorithm. This might be necessary if the default settings do not balance traffic evenly enough and additional variability is needed.

Source and destination L4 ports: Select this option to include the source and destination L4 ports in the load balance hashing algorithm.

IPv6 Packets

IPv6 packets are always balanced using the source and destination IP addresses and the Next Header field. To maintain host-to-host sessions, Layer 2 is ignored in the algorithm when an IPv6 packet is detected. Users may optionally check the “Source and destination L4 ports” box to add those headers to the load balancing algorithm. This might be necessary if the default settings do not balance traffic evenly enough and additional variability is needed.

L2 Packets

Non-IP Layer 2 packets are always balanced using the source and destination MAC addresses. Users may optionally check the “Ethertype” box to add that header to the load balancing algorithm. This might be necessary if the default settings do not balance traffic evenly enough and additional variability is needed.

Default: Click the Default button to reset the Tool Load Balance Settings to the defaults.
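The field selection described in this section, as an added example (not part of the guide and not Anue code): it hashes constructed flows to tool ports to show why the default IPv4 settings keep all traffic between two hosts on one port, and what enabling “Source and destination L4 ports” changes. The NTO's actual hash function is not documented here, so SHA-256, the packet dictionary layout, and the function names are assumptions.

```python
import hashlib
from collections import Counter


def hash_fields(pkt, include_l4_ports=False, include_ethertype=False):
    """Select the header fields the guide lists for each packet type."""
    if pkt["type"] in ("ipv4", "ipv6"):
        # Layer 2 is ignored for IP packets. "proto" stands for the IPv4
        # protocol field or the IPv6 Next Header field.
        fields = [pkt["src_ip"], pkt["dst_ip"], pkt["proto"]]
        if include_l4_ports:
            fields += [pkt["src_port"], pkt["dst_port"]]
    else:
        # Non-IP Layer 2 packets: MAC addresses, optionally the Ethertype.
        fields = [pkt["src_mac"], pkt["dst_mac"]]
        if include_ethertype:
            fields.append(pkt["ethertype"])
    return fields


def pick_port(pkt, n_ports, **options):
    """Map a packet to a port index in the load balance group."""
    key = "|".join(str(f) for f in hash_fields(pkt, **options)).encode()
    digest = hashlib.sha256(key).digest()  # stand-in hash (assumption)
    return int.from_bytes(digest[:4], "big") % n_ports


def constructed_flows(count=40):
    """Constructed input: TCP connections between the same two hosts that
    differ only in their source port."""
    return [
        {"type": "ipv4", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9",
         "proto": 6, "src_port": 40000 + i, "dst_port": 443}
        for i in range(count)
    ]


def spread(flows, n_ports, **options):
    """Count how many flows land on each port index."""
    return Counter(pick_port(p, n_ports, **options) for p in flows)


if __name__ == "__main__":
    flows = constructed_flows()
    print("default fields :", dict(spread(flows, 4)))
    print("with L4 ports  :", dict(spread(flows, 4, include_l4_ports=True)))
```

With the default fields every connection between the two hosts reaches the same tool, which suits tools that need to see a complete host-to-host conversation; with L4 ports included, separate connections between those hosts can reach different tools.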

Version/License Tab

The following figure shows the Version/License tab. The types of available ports will differ depending on your NTO model.

Figure 7-36. NTO Version/License Tab

Licensed Ports

The types and numbers of the licensed ports are displayed.

Unlicensed Ports

The types and number of any unlicensed ports are displayed. “None” indicates that all ports are licensed.

Unused Floating Licenses

The types and number of unused floating licenses are displayed.

Tip: For detailed information about how floating licenses are remapped after the NTO configuration has changed, see How Licenses are Remapped Due to a Configuration Change.

Maintenance Expiration

System: Displays the date that the maintenance (support) contract expires for the Net Tool Optimizer.

Dates will be highlighted in yellow when maintenance will expire within 7 days. Dates will be highlighted in red after maintenance has expired.

Note: When system maintenance expires, all NTO components will continue to work normally but system administrators will no longer be able to install software upgrades released after the maintenance expiration date. Contact your local Anue Sales person or contact [email protected] to renew maintenance.

View License Details (button): Click this button to display license information for this specific NTO unit and expansion modules. The License Details window also shows the hardware information, so that you can compare the installed hardware with the installed license.

View Hardware Info (button): Clicking on the View Hardware Info button displays system and hardware information including serial numbers and the unit MAC address.

Enter License Key (button): Click this button to upgrade the license key. The Enter License Key window will display.

You can browse for the license key using the Browse button, drag a license key file into the license key window or copy and paste the contents of a license key file into the license key window. Then click OK to install the key.

Allocate Licenses: Use this option to modify the default port license configuration and allocate port licenses to the physical ports on your NTO as best fits your network. For detailed information, see Port License Allocation.

Table 7-4: Maintenance Expiration per NTO Model

| Models | Details |
|---|---|
| 5204, 5236, 5273 | Expansion Module A: Displays the date that the maintenance (support) contract expires for the interface module installed in slot A. Expansion Module B: Displays the date that the maintenance (support) contract expires for the interface module installed in slot A. |
| 5288, 5293 | Port Modules A-D: Displays the dates that the maintenance (support) contracts expire for the interface modules installed in slots A through D. |

System Software

Server software version: Displays the software version running on the Anue 5288/5293 server.

Server software build: Displays the build number of the software running on the Anue 5288/5293 server.

Install Software (button): Click the Install Software button to upgrade the Anue NTO server software. For more information, refer to Software Upgrade.

Revert to “ “: This feature allows the administrator to revert the Anue NTO server to the software version installed before the last upgrade. For more information, refer to Software Downgrade.

Figure 7-37. Enter License Key Window

To obtain a license key for additional ports and/or features, please contact Anue Systems Technical Support. For more information about how to contact Anue Technical Support, refer to “Technical Support” on page 11.

Hardware Info Tab

The Hardware Info tab provides hardware information about the System, System Components, and Expansion Modules. Part numbers, serial numbers and other hardware information are provided.

Model 5273, 5293: Where available, the 5273/5293 NTO displays Common Location Equipment Identifier (CLEI) and Unique Serial Number (USI) codes for the system and all modules (alarm/control module, power modules, and I/O modules). Systems and modules manufactured without CLEI and USI codes will display a blank value for these fields. You can also access this information through Tcl and SNMP. In addition, USI information is available on labels on the physical devices.

Figure 7-38. Anue 5236 Hardware Info Tab

Figure 7-39. Anue 5273 Hardware Info Tab

Figure 7-40. Anue 5288 Hardware Info Tab

Figure 7-41. Anue 5293 Hardware Info Tab

Available Filter Memory Meters

The Available Filter Memory section located below the diagram area displays the current state of the filter criteria memory pools by providing memory meters. Filter memory is required to store filter criteria. The displayed memory meters indicate the approximate percentage of filter memory that is currently available for creating new filters.

Network ports, tool ports and dynamic filters have pools of memory allocated to store their filter criteria. The number of filter criteria that can be defined is restricted by the amount of memory available in the pool. A memory meter value of “100%” indicates that approximately 100 percent of the filter criteria memory pool is available to filters or ports. Note that all memory meter values are approximate.

Tip: Users can show or hide the Available Filter Memory status area by pressing the F10 function key.

CHAPTER 8

Authentication, Authorization, and Accounting (AAA) Using TACACS+ and RADIUS

This section describes the Anue NTO support for remote user authentication, authorization, and accounting (AAA) using TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote Authentication Dial-In User Service). RFC 1492 (http://www.faqs.org/rfcs/rfc1492.html) describes TACACS+ in full. RFC 2865 (http://www.faqs.org/rfcs/rfc2865.html) describes RADIUS in full. RFC 2866 (http://www.faqs.org/rfcs/rfc2866.html#b) describes RADIUS accounting.

One use for RADIUS is as a bridge to a Microsoft Active Directory installation. Microsoft provides a native RADIUS module, the Network Policy Server (NPS), as a part of Windows Server 2008.

Comparing Authentication Modes

The NTO supports user authentication by using locally-managed user accounts or by using the remote AAA services TACACS+ or RADIUS. When using a remote service, the service determines which users are allowed to log in.

The NTO supports user authorization for two purposes:

■ Determining whether a user of the NTO is a regular user or an administrator

■ Controlling access to port and filter settings and connections

Both locally and remotely managed users may be authorized as NTO regular users or administrators. Port and filter access control can be configured using locally-managed user groups or using groups defined in the remote AAA services. When using a remote AAA service, you may choose whether to use the groups defined by the service or to manage groups locally. When using local authentication, groups are always managed locally.

Some of the primary differences between local and remote authentication are outlined in Table 8-1:

Table 8-1: Authentication Mode Differences

| Local Users and Local Groups | Remote Users and Local Groups | Remote Users and Remote Groups |
|---|---|---|
| User accounts are created and managed from the NTO Control Panel. | User accounts are created and managed on a centralized TACACS+ or RADIUS server. | User accounts are created and managed on a centralized TACACS+ or RADIUS server. |
| Separate user accounts exist on each NTO system. | User accounts exist on the TACACS+ or RADIUS server and can be shared between multiple NTO systems. | User accounts exist on the TACACS+ or RADIUS server and can be shared between multiple NTO systems. |
| The Users View lists all user accounts. | The Users View lists remote users who are currently logged in, as well as remote users who are listed in the local groups. | The Users View lists only remote users who are currently logged in. |
| When picking users for groups, all users are listed. | When picking remote users to add to the local groups, only the users shown in the Users View are listed. Other remote users (known to exist on the TACACS+ or RADIUS server) may be typed in. | Remote users cannot be picked for remote groups from the control panel GUI. Remote group creation and membership are handled automatically by the TACACS+ or RADIUS server configuration. |
| Groups are created and managed by an administrative user from the NTO Control Panel. | Groups are created and managed by an administrative user from the NTO Control Panel. | Group creation and membership are handled automatically by the TACACS+ or RADIUS server configuration. |
| Groups can be deleted from the NTO Control Panel. | Groups can be deleted from the NTO Control Panel. | Groups may not be deleted from the control panel. When the last member of a remote group logs out, if the group is not used in any port or dynamic filter access list, the group is removed from the Groups View. |
| The Groups View lists all groups. | The Groups View lists all groups. | The Groups View lists only remote groups with users who are currently logged in, or groups listed in port access lists. |

By default, Anue NTO systems are configured in Local authentication mode with one initial user, admin. This user is referred to as the default administrator and cannot be deleted. This local user account is accessible even when using TACACS+ or RADIUS authentication, as a fail-safe in the event that the remote server is unreachable due to either a communication or misconfiguration error.

Remote authentication must be enabled on both the Anue NTO and on the remote server. Reference your TACACS+ or RADIUS server documentation for information on configuring and enabling your server.

Please be aware of the following NTO behavior when the unit is in TACACS+ or RADIUS authentication mode:

■ When remote authentication is enabled on the NTO, it is not possible to add users using the Anue NTO Add New User option. This option is for adding local users only.

■ When the NTO is configured to use remote authentication with local groups, groups must be created locally on each NTO. Local groups can be deleted and their membership can be updated by a user with administrator rights.

■ When the NTO is configured to use remote authentication with remote groups, group creation and membership is handled via configuration of the remote server itself. It is not possible to add groups using the Anue NTO Add New Group option. This option is for adding local groups only.

■ When using remote groups, groups cannot be imported or exported.

■ When using remote groups, and after the last member of a group logs out of a particular NTO, the group is removed from the Groups View on that NTO if the group is not used in any port or dynamic filter access list. In the Groups View, the NTO only lists remote groups that are known to exist by the fact that a member of the group is logged in or by the fact that the group is listed in a port or dynamic filter access list.

The effect of changing from one authentication mode to another is described in “Effects of Authentication Mode Changes on Users and Groups” on page 195.

Configuring Remote Authentication

To configure and enable remote authentication:

1. Log in to the Anue NTO using an account that has the system administrator capability.

2. Click the System view.

3. Click the Settings tab.

4. To the right of the Authentication field, click the Local hyperlink:

Figure 8-1. Select Authentication Mode

The Set Authentication Mode dialog appears.

Figure 8-2. Set Authentication Mode

5. Select either the TACACS+ or RADIUS option and configure the settings.

Subsequent sections describe in further detail how to configure both TACACS+ (page 197) and RADIUS (page 213).

Effects of Authentication Mode Changes on Users and Groups

Although changes to the authentication mode would typically be a one-time activity, you should be aware of the following effects of changing authentication modes.

Table 8-2: Effects of Authentication Mode Changes

| From | To | Result |
|---|---|---|
| Local Authentication | Remote Authentication with Local Groups | All local users (except admin) are deleted. Users in local groups will continue to be listed in the Users View under the assumption that the same users will exist in the remote authentication server. Local groups can be edited to remove unwanted users. |
| Local Authentication | Remote Authentication with Remote Groups | All local users (except admin) and groups are deleted. Groups in access lists will continue to be listed in the Groups View under the assumption that the same groups will exist in the remote authentication server. Access lists can be edited to remove unwanted groups. |
| Remote Authentication with Local Groups | Local Authentication | Initially, the only local user is the admin user. All groups are retained but will be empty because there are no local users. Access lists are not affected. Users who were members in a group will be created with a random password in order to retain group membership. An administrator can either delete those users after the switch or assign them new passwords. |
| Remote Authentication with Local Groups | Remote Authentication with Remote Groups | All local groups are deleted. Groups in access lists will continue to be listed in the Groups View under the assumption that the same groups will exist in the remote authentication server. Access lists can be edited to remove unwanted groups. |
| Remote Authentication with Remote Groups | Local Authentication | Initially, the only local user is the admin user, and there are no local groups. Access lists are cleared, but access policies such as Require Group remain in place, albeit with empty group lists. |
| Remote Authentication with Remote Groups | Remote Authentication with Local Groups | Initially, there are no local groups. Access lists are cleared, but access policies such as Require Group remain in place, albeit with empty group lists. |

NOTE The NTO does not allow switching directly from one remote authentication mode to the other (TACACS+ to RADIUS or RADIUS to TACACS+). If you need to make such a change, you must first change to Local authentication mode, apply the change, and then change to the desired mode.

Configuring TACACS+

This section describes the settings available when TACACS+ is selected as the authentication mode.

Figure 8-3. Set Authentication Mode to TACACS+

When Authorization is set to Default, all users defined in TACACS+ will be able to log in to the NTO, and they will all be non-administrators. Administrator login privileges cannot be established when Default authorization is used. Users can log in but cannot be granted administrator capabilities.

When Authorization is set to Custom, attributes in TACACS+ will be used to determine whether users will be allowed to log in to the NTO and whether they will be designated as administrators or non-administrators. You must tell the NTO which TACACS+ attributes to consider when determining whether a user is allowed to log in and whether or not they will be an administrator.

The Groups setting indicates whether you want the NTO to manage user groups (choose Local) or whether you want TACACS+ to manage them (choose TACACS+). User groups are not required but can be used to control access to specific ports and dynamic filters in the NTO.

NOTE The options configured in the Common TACACS+ Settings section of this window apply to ALL of the configured TACACS+ servers.

Custom Authorization Settings

When Authorization is set to Custom, clicking the Configure button on the Authorization line will display the Configure Authorization dialog, Figure 8-4.

Figure 8-4. Configure Authorization Dialog for TACACS+

In this dialog, you will specify the TACACS+ attributes that the NTO will use to identify administrators and regular users. The first step is to specify the TACACS+ “service” under which these attributes will be found. Here is an example of defining a service named “anue” in TACACS+:

user = Jane {
    service = anue {
    }
}

In this case you would enter the text “anue” as the service value in the All Users section of the dialog. If you are using a different service name, enter that name here instead.

The next step is to specify which attribute or attributes (if any) indicate whether the user is an NTO administrator. Here is an example of using a “role” attribute to identify NTO administrators:

user = Jane {
    service = anue {
        role = admin
    }
}

In this case, in the Admin Users section of the dialog you would enter “role” to the left of the “=” and “admin” to the right. The left box is for the attribute name and the right box is for the value.

If you use more than one attribute to identify NTO administrators you can specify additional attributes using the “+” button to the right of the value. You can remove unwanted attributes using the “-” button. Note that the changes do not modify the TACACS+ server in any way. They simply tell the NTO what is present in the TACACS+ server.

If you have specified more than one attribute, you can tell the NTO whether all attribute values must match or whether only one of them must match in order to authorize a user as an NTO administrator.

The final step is to specify which attribute or attributes (if any) indicate whether the user is a regular NTO user. Here is another example of using a “role” attribute for this purpose:

user = Jane {
    service = anue {
        role = user
    }
}

In this case, in the Regular Users section of the dialog, you would enter “role” to the left of the “=” and “user” to the right.

If you use more than one attribute to identify NTO users you can specify additional attributes in the same manner as described earlier in this section for NTO administrators.

Click OK to save configuration changes.

NOTE If there are no administrator user attributes specified, users will not be able to log in to the NTO with administrator capabilities.

NOTE If there are no regular user attributes defined, all TACACS+ users will be allowed to log in to the NTO as regular users. Be aware that this is the opposite of the behavior when no admin user attributes are defined.

TACACS+ Access Control Group Settings

When Groups is set to TACACS+, clicking the Configure button on the Groups line will display the Configure Groups dialog.

Figure 8-5. Configure (Access Control) Groups Dialog for TACACS+

In this dialog you will specify the TACACS+ attributes that the NTO will use to place regular users into groups. As with custom authorization, the first step is to specify in the Service Name section the TACACS+ “service” under which these attributes will be found.

The next step is to specify which attribute indicates the names of the groups to which a user belongs. Here is an example of using a “groups” attribute to specify a list of groups:

user = Jane {
    service = anue {
        role = user
        groups = Engineering,Dallas
    }
}

In this case, in the Group List section of the dialog, you would enter “groups” to the left of the “=”. Note that a group list is only needed if the role is “user” (non-administrator). NTO administrators can do anything and are not subject to group membership checks.
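The Custom authorization and group rules described above, including the two NOTEs on empty attribute lists, as an added example (not part of the guide and not Anue code): it parses a constructed TACACS+ user file in the syntax shown above and reports the role and groups each user would receive. The user names, the parser, checking administrator attributes before regular-user attributes, and treating a missing service as "no attributes" are assumptions.

```python
import re

# Constructed sample in the syntax the guide shows; the users are illustrative.
SAMPLE_CONFIG = """
user = jane {
    service = anue {
        role = admin
    }
}
user = bob {
    service = anue {
        role = user
        groups = Engineering,Dallas
    }
}
user = carol {
    service = other {
        role = admin
    }
}
"""


def parse_users(text):
    """Return {user: {service: {attribute: value}}} for the nested blocks."""
    users, user, service = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"user\s*=\s*(\S+)\s*\{", line)
        if m:
            user, service = users.setdefault(m.group(1), {}), None
            continue
        m = re.fullmatch(r"service\s*=\s*(\S+)\s*\{", line)
        if m and user is not None:
            service = user.setdefault(m.group(1), {})
            continue
        if line == "}":
            # Close the innermost open block.
            if service is not None:
                service = None
            else:
                user = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(.+)", line)
        if m and service is not None:
            service[m.group(1)] = m.group(2).strip()
    return users


def _matches(attrs, rules, match_all):
    """Case-sensitive comparison of (name, value) rules against attributes."""
    if not rules:
        return False
    hits = [attrs.get(name) == value for name, value in rules]
    return all(hits) if match_all else any(hits)


def nto_role(attrs, admin_rules, user_rules, admin_all=True, user_all=True):
    """Apply the Admin Users and Regular Users sections of the dialog."""
    if _matches(attrs, admin_rules, admin_all):
        return "admin"   # no admin rules means nobody becomes an administrator
    if not user_rules or _matches(attrs, user_rules, user_all):
        return "user"    # no regular-user rules means every user may log in
    return "denied"


def evaluate(config_text, service, admin_rules, user_rules, group_attr=None):
    """Return {user: (role, groups)}; groups apply to regular users only."""
    result = {}
    for name, services in parse_users(config_text).items():
        attrs = services.get(service, {})  # missing service: no attributes
        role = nto_role(attrs, admin_rules, user_rules)
        groups = []
        if role == "user" and group_attr:
            raw = attrs.get(group_attr, "")
            groups = [g.strip() for g in raw.split(",") if g.strip()]
        result[name] = (role, groups)
    return result


if __name__ == "__main__":
    admin = [("role", "admin")]
    print(evaluate(SAMPLE_CONFIG, "anue", admin, [("role", "user")], "groups"))
    # Same server data with the Regular Users section left empty.
    print(evaluate(SAMPLE_CONFIG, "anue", admin, [], "groups"))
```

Comparing the two printed results shows the effect of leaving the Regular Users section empty: a user with no attributes under the configured service changes from denied to a regular user.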

TACACS+ Servers

Your company may use a single TACACS+ server, or it may use multiple servers to guard against the failure of a single server. In either case, you specify the TACACS+ server details in the Servers section of the Set Authentication Mode dialog, shown in Figure 8-3.

Click the Add button to add a TACACS+ server. As TACACS+ servers are added, they are listed in the dialog. There is no limit to the number of TACACS+ servers that can be added.

Servers are checked in the order listed when attempting to authenticate users. The first server that responds to an authentication request will be used for future authentications. If the active TACACS+ server goes down and a user attempts to authenticate, the first server to respond to the authentication request will become the active TACACS+ server.

To change the settings of a TACACS+ server, select it and click the Modify button.

To change the order in which the servers are checked, select a server and click the Up or Down button.

To validate the settings of a server, select it and click the Test Settings button. The NTO will attempt to connect to the server using the defined IP address (or DNS name), TCP port, and specified secret password and will report the result.

To remove one or more servers from the list, select them and click the Delete button.

Adding a TACACS+ Server

When the Add button is clicked, the TACACS+ Configuration dialog appears, Figure 8-6.

Figure 8-6. Configure TACACS+ Server Dialog

The network address of the TACACS+ server can be specified as a DNS name or an IPv4 address in the Server field. To use a DNS name, a DNS server must be configured on the System Settings tab. (See “Settings Tab” on page 166.)

By default, TACACS+ servers communicate over TCP port 49. If your server is configured differently, you may change the value in the Port field.

Communications between the NTO and the TACACS+ server are encrypted using a secret key configured on the TACACS+ server. Enter the key in the Secret and Confirm Secret fields. The corresponding entry in the TACACS+ configuration file is usually defined as “key =”. The value listed after the equals sign must be the same as the value entered here.

The default amount of time the NTO will wait on a TACACS+ server to respond before reporting a connection failure is 10 seconds. To shorten or lengthen this amount of time change the value in the Timeout field.

When an attempted communication times out, the NTO can be configured to re-try the communication. The default is to re-try two more times after the initial failure before giving up. To reduce or increase the number of re-try attempts change the value in the Retry field.

The NTO supports two different protocols for sending user passwords to the TACACS+ server - CHAP (challenge encoded password) or PAP (plain text password). Select the protocol you want the NTO to use from the Authentication type drop-list.

Information related to user login attempts (both successful and failed) and authorization checks can be tracked using the TACACS+ accounting feature. You can turn accounting on or off using the Accounting drop-list. When accounting is on, you may configure the attributes to be tracked using the Configure button (see “Configuring TACACS+ Accounting” on page 202).

Click the Clear All button to reset all settings for this server to their default values.

Click the Test Settings button to verify that the NTO can connect to the TACACS+ server using the configured settings.

Configuring TACACS+ Accounting

When the Configure button on the Accounting line in the TACACS+ Configuration dialog is clicked, the Configure Accounting dialog appears, Figure 8-7.

Tip: Accounting logs are stored on the TACACS+ server. Please reference your TACACS+ server documentation for information on how to retrieve accounting logs.

Figure 8-7. Configure TACACS+ Accounting Dialog

Four different events can be logged:

■ Authentication success – this event occurs when a user (either regular or admin) successfully logs in to the NTO.

■ Authentication failure – this event occurs when a user fails to log in either because the login ID was not authorized as a regular user or an administrator or because the password was incorrect.

■ Administrator authorization – this event occurs when a user successfully logs in as an NTO administrator.

■ User authorization – this event occurs when a user successfully logs in as a regular (non-admin) user.

For each event, you may specify one or more informational values to be logged as name/value pairs. For the authentication events, the login ID attribute is already populated with a value that will be automatically filled in with the current user’s login ID. You will just supply the name you want to use for that value – for example, by typing “user” in the field labeled User ID. You may add or remove name/value pairs using the “+” and “-” buttons. You may type your own attribute names on the left or select from a list of standard TACACS+ accounting attributes (cmd, event, priv_level, reason, and service). In addition, you may specify custom accounting attributes by entering any text in the name fields on the left. For every named attribute you enter, you must also specify the value to be logged. For example, under Log Authentication Success, if you added the attribute “event”, then you might enter the value as “login success.”

TACACS+ Configuration Examples

This section provides several examples of configuring TACACS+ settings, showing both what would be defined on the TACACS+ server and what would be entered in the NTO user interface.

Note that TACACS+ attributes are case sensitive.

TACACS+ User Authorization Examples

Figure 8-8 shows a section of a TACACS+ server configuration file with the settings for several users. The examples that follow discuss this information and show how to enter it through the NTO control panel.

Figure 8-8. Sample TACACS+ User Configuration

 1. user = rjohnson {
 2.     chap = cleartext letmein
 3.     service = anue { }
 4. }
 5. user = staylor {
 6.     global = cleartext letmein
 7.     service = anue {
 8.         role = REG
 9.         priv_level = 2
10.     }
11. }
12. user = mjones {
13.     chap = cleartext letmein
14.     service = anue {
15.         role = ADMIN
16.     }
17. }
18. user = mthompson {
19.     chap = cleartext letmein
20. }
21. user = pjackson {
22.     chap = cleartext letmein
23.     service = google {
24.         addr = 10.1.1.104
25.     }
26.     service = anue {
27.         role = ADMIN
28.         priv_level = 7
29.     }
30. }

Lines 1, 5, 12, 18, and 21 (red text) define the user login name.

Lines 2, 6, 13, 19, 22, and 32 (green text) define the password and authentication type for each user. The CHAP authentication type is used on lines 2, 13, 19, and 22. The “global” authentication type is used on line 6 and indicates that the password defined for “staylor” will work for any authentication method, including CHAP or PAP. In the NTO TACACS+ Configuration dialog for this server, you would select CHAP as the authentication type.

Lines 3, 7, 14, 23, 26, and 33 (black text) define the service for the user. This is the service name you would enter in the NTO Configure Authorization (page 198) and Configure Groups (page 200) dialogs.

Figure 8-9. TACACS+ Configuration Example 1

With a service name of “anue” (lines 3, 7, 14, and 26), all users except “mthompson” (who does not have the “anue” service defined) can be logged in as regular users.

In the dialog to the left, no attributes have been specified to authorize administrator users, so none of the users will be able to log in as NTO administrators.

Also in the dialog to the left, no attributes have been specified to authorize regular users, so all users (except for “mthompson”) will be able to log in as regular users.

Quick Reference:

Lines 3, 7, 14, and 26:

service = anue { }

Figure 8-10. TACACS+ Configuration Example 2

Adding an Admin Users attribute of role=ADMIN allows “mjones” and “pjackson” (lines 15 and 27) to be logged in as administrators. “staylor” and “rjohnson” continue to log in as regular users.

Note: The term name “role” and value “ADMIN” are arbitrary. This could just as easily be “level=administrator” or any other name/value pair you want to configure in your TACACS+ server.

Quick Reference:

Lines 15 and 27:

role = ADMIN

Figure 8-11. TACACS+ Configuration Example 3

Specifying a Regular Users attribute of role=REG to authorize regular users makes “rjohnson” no longer able to log in. This occurs because “rjohnson” does not have the attributes required for either administrator or regular users.

By contrast, “staylor” can continue to log in as a regular user because of the role=REG statement in the “staylor” user settings in the TACACS+ configuration file.

Quick Reference:

8. role = REG

Figure 8-12. TACACS+ Configuration Example 4

Adding another Admin Users attribute of priv_level=7 and leaving the administrator users selection criteria set to Match any does not affect the administrator users in this example.

Both “mjones” and “pjackson” can still be logged in as administrator users because they each have at least one of the required attributes.

Quick Reference:

12. user = mjones {
……………………
14.     service = anue {
15.         role = ADMIN
16.     }
17. }
========================
21. user = pjackson {
……………
26.     service = anue {
27.         role = ADMIN
28.         priv_level = 7
29.     }

Figure 8-13. TACACS+ Configuration Example 5

Maintaining the same Admin Users attributes as in the last example, but changing the selection criteria to Match All, results in only “pjackson” being able to log in as an administrator.

“mjones” does not possess all of the attributes required to be authorized as an administrator user, but “pjackson” does (lines 27, 28).

Quick Reference:

21. user = pjackson {
………………………………………
27.         role = ADMIN
28.         priv_level = 7

In the above examples, we saw how we could create a TACACS+ attribute named “role” and use two values, “ADMIN” and “REG”, to control the privileges of specific users.

TACACS+ also allows you to define groups with attributes and then make users members of those groups. Users would inherit those attributes by virtue of their membership in the groups. Note that these groups are *not* the same groups that would appear in NTO port and filter access lists. The groups described here are only for determining whether a user is an NTO administrator or regular user. The following example, Figure 8-14, shows how to assign the “role” attribute we used above to a group instead of a user.

Figure 8-14 shows a section of a TACACS+ server configuration file with the settings for several groups.

Figure 8-14. Sample TACACS+ Group Configuration

 1. group = anue_staff {
 2.     service = anue
 3. }
 4.
 5. group = anue_admin {
 6.     service = anue {
 7.         role = ADMIN
 8.     }
 9. }
10. user = rjohnson {
11.     chap = cleartext letmein
12.     member anue_staff
13. }
14. user = staylor {
15.     global = cleartext letmein
16.     member anue_staff
17. }
18. user = mjones {
19.     chap = cleartext letmein
20.     member anue_admin
21. }
22. user = mthompson {
23.     global = cleartext letmein
24.     member anue_staff
25. }
26. user = pjackson {
27.     chap = cleartext letmein
28.     member anue_admin
29. }

Two groups have been established in the TACACS+ configuration file:

1. anue_staff (line 1 - blue text).

2. anue_admin (line 5 - brown text).

Users have been assigned to those groups using the TACACS+ member keyword. For example, on lines 12, 16, and 24, users rjohnson, staylor, and mthompson have been assigned to the anue_staff group. As a result they inherit “service = anue”, but do not inherit any roles (none are defined for that group). As long as the configuration settings in the NTO for this TACACS+ server do not require any attributes for regular users, then all of these users will be able to log in.

On lines 20 and 28, users mjones and pjackson have been made members of the anue_admin group. As a result they inherit “service = anue” and “role = ADMIN”. As long as the configuration settings in the NTO for this TACACS+ server specify “role = ADMIN” in the Admin Users section, these users will be able to log in as administrators.

For more information on NTO user capabilities, see the table in “Adding Users and Configuring Authentication” on page 39.
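The outcomes in Examples 1 through 5, and the group inheritance shown in Figure 8-14, can be checked offline before the NTO settings are changed. The following Python sketch is an added example, not Anue or TACACS+ server code; the function names, the user “kgroup”, and the rules that the administrator check runs first, that several Regular Users attributes behave like Match any, and that a user's own service block takes precedence over an inherited one are assumptions drawn from the examples above.

```python
import re

# Constructed sample: the users of Figure 8-8 with the password lines left out,
# plus the anue_admin group of Figure 8-14 and a hypothetical member "kgroup".
SAMPLE = """
group = anue_admin {
    service = anue {
        role = ADMIN
    }
}
user = rjohnson {
    service = anue { }
}
user = staylor {
    service = anue {
        role = REG
        priv_level = 2
    }
}
user = mjones {
    service = anue {
        role = ADMIN
    }
}
user = mthompson {
}
user = pjackson {
    service = google {
        addr = 10.1.1.104
    }
    service = anue {
        role = ADMIN
        priv_level = 7
    }
}
user = kgroup {
    member anue_admin
}
"""

def parse(text):
    """Return (users, groups); each entry is {"services": {name: {attr: value}}, "member": group}."""
    users, groups, entity, service = {}, {}, None, None
    for raw in text.splitlines():
        line = re.sub(r"^\s*\d+\.\s*", "", raw).strip()  # tolerate listing line numbers
        if m := re.match(r"(user|group)\s*=\s*(\S+)\s*\{$", line):
            entity = {"services": {}, "member": None}
            (users if m.group(1) == "user" else groups)[m.group(2)] = entity
        elif entity is None or not line:
            continue
        elif m := re.match(r"service\s*=\s*(\S+)\s*(\{)?\s*(\})?$", line):
            block = entity["services"].setdefault(m.group(1), {})
            service = block if m.group(2) and not m.group(3) else None
        elif line == "}":
            if service is None:
                entity = None        # closes the user or group
            service = None           # otherwise closes the service block
        elif m := re.match(r"member\b\s*=?\s*(\S+)$", line):
            entity["member"] = m.group(1)
        elif service is not None and (m := re.match(r"(\S+)\s*=\s*(.+)$", line)):
            service[m.group(1)] = m.group(2)
    return users, groups

def service_attrs(name, users, groups, service):
    """Attributes a user presents for `service`; None when the service is not defined.
    The user's own block is used if present, otherwise the one inherited from the group."""
    entry = users[name]
    if service in entry["services"]:
        return entry["services"][service]
    group = groups.get(entry["member"])
    return group["services"].get(service) if group else None

def matches(attrs, required, mode):
    hits = [attrs.get(k) == v for k, v in required.items()]  # case-sensitive compare
    return all(hits) if mode == "all" else any(hits)

def classify(attrs, admin_req, regular_req, admin_mode="any"):
    """Outcome of one login: "admin", "regular" or "denied"."""
    if attrs is None:
        return "denied"                      # service not defined (mthompson)
    if admin_req and matches(attrs, admin_req, admin_mode):
        return "admin"
    # Assumption: several Regular Users attributes behave like Match any.
    if not regular_req or matches(attrs, regular_req, "any"):
        return "regular"
    return "denied"

def evaluate(text, service, admin_req, regular_req, admin_mode="any"):
    users, groups = parse(text)
    return {u: classify(service_attrs(u, users, groups, service),
                        admin_req, regular_req, admin_mode) for u in users}

if __name__ == "__main__":
    admin = {"role": "ADMIN", "priv_level": "7"}
    for mode in ("any", "all"):              # Examples 4 and 5
        print(mode, evaluate(SAMPLE, "anue", admin, {"role": "REG"}, mode))
```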

TACACS+ Access Control Group Examples

If your Groups setting in the NTO Set Authentication Mode dialog is TACACS+ (and not Local), then you must tell the NTO how to recognize the access control groups defined in TACACS+. Note that these access control groups are not the same as the groups defined using the group and member keywords as described in the previous section. Because TACACS+ does not provide any way to query the values specified for the member keyword, a TACACS+ attribute must be used to specify lists of access control groups that the NTO can read.

Figure 8-15 shows a section of a TACACS+ server configuration file with a user jane and an attribute named Example2 whose value is a list of NTO access control groups named Engineering and Dallas.

Figure 8-15. Sample TACACS+ Access Control Group Configuration

1. user = jane {
2.     chap = cleartext letmein
3.     service = anue {
4.         Example2 = Engineering,Dallas
5.     }
6. }

The NTO now just needs to know the name of the attribute. This name is entered in the Group List section of the Configure Groups dialog that is displayed when the Configure button for Groups is clicked in the Set Authentication Mode dialog (page 197). This Configure Groups dialog is displayed below.

Figure 8-16. Configure TACACS+ Groups Dialog

Based on the settings described, the user jane will be a member of the Engineering and Dallas access control groups on the NTO when she logs in. See “Access Control Using Groups” on page 239 for additional access control information.

When TACACS+ users are logged in, their administrator status and access control group membership can be verified on the Users tab of the NTO Control Panel. A user with administrator capabilities will have a check in the System Administrator column.

For details on the capabilities of users and system administrators, see “Adding Users and Configuring Authentication” on page 39.

Configuring RADIUS

This section describes the settings available when RADIUS is selected as the authentication mode, as shown in Figure 8-17.

Figure 8-17. Set Authentication Mode to RADIUS

When Authorization is set to Default, all users defined in RADIUS will be able to log into the NTO, and they will all be non-administrators. Administrator login privileges cannot be established when Default authorization is used. Users can log in, but they cannot be granted administrator capabilities.

When Authorization is set to Role-Based, policies in RADIUS will be used to determine whether users will be allowed to log in to the NTO and whether they will be designated as administrators or non-administrators. The policies are described further in “Configuring the Microsoft Network Policy Server” on page 217.

The Groups setting indicates whether you want the NTO to manage user groups (choose Local) or whether you want RADIUS to manage them (choose RADIUS). User groups are not required but can be used to control access to specific ports and dynamic filters in the NTO.

NOTE The options configured in the Common RADIUS Settings section of this window apply to all of the configured RADIUS servers.

RADIUS Servers

Your company may use a single RADIUS server, or it may use multiple servers to guard against the failure of a single server. In either case, you specify the RADIUS server details in the Servers section of the Set Authentication Mode window (page 214).

Click the Add button to add a RADIUS server. As RADIUS servers are added they are listed in the window. There is no limit to the number of RADIUS servers that can be added.

Servers are checked in the order listed when attempting to authenticate users. The first server that responds to an authentication request will be used for future authentications. If the active RADIUS server goes down and a user attempts to authenticate, then the first server to respond to the authentication request will become the active RADIUS server.

To change the settings of a RADIUS server, select it and click the Modify button.

To change the order in which the servers are checked, select a server and click the Up or Down button.

To validate the settings of a server, select it and click the Test Settings button. The NTO will attempt to connect to the server, using the defined IP address (or DNS name), TCP port, and specified secret password, and it will report the result.

To remove one or more servers from the list, select them and click the Delete button.

Adding a RADIUS Server

When the Add button is clicked, the RADIUS Configuration dialog appears, Figure 8-18:

Figure 8-18. Configure RADIUS Server Dialog

The network address of the RADIUS server can be specified as a DNS name or an IPv4 address in the Server field. To use a DNS name, a DNS server must be configured on the System Settings page. (See “Settings Tab” on page 166.)

By default, RADIUS servers communicate over TCP port 1812. If your server is configured differently, you may change the value in the Authentication Port field.

Communications between the NTO and the RADIUS server are encrypted using a secret key configured on the RADIUS server. Enter the key in the Secret and Confirm Secret fields.

The default amount of time the NTO will wait on a RADIUS server to respond before reporting a connection failure is 10 seconds. To shorten or lengthen this amount of time, change the value in the Timeout field.

When an attempted communication times out, the NTO can be configured to re-try the communication. The default is to re-try two more times after the initial failure before giving up. To reduce or increase the number of re-try attempts, change the value in the Retry field.

The NTO supports two different protocols for sending user passwords to the RADIUS server - CHAP (challenge encoded password) or PAP (plain text password). Select the protocol you want the NTO to use from the Authentication type drop-down selector.

Information related to user login attempts (both successful and failed) and authorization checks can be tracked using the RADIUS accounting feature. You can turn accounting on or off using the Accounting drop-down selector.

By default, RADIUS servers communicate accounting information over TCP port 1813. If your server is configured differently, you may change the value in the Accounting Port field.

Click the Clear All button to reset all settings for this server to their default values.

Click the Test Settings button to verify that the NTO can connect to the RADIUS server using the configured settings.

RADIUS Accounting

When a user successfully logs in to an NTO (or fails to log in), an Accounting-Request message is sent by the NTO to the RADIUS server. This message will contain five attributes:

■ Acct-Status-Type – the data will always be “1” (Start) to indicate that this is a login message.

■ NAS-IP-Address – the data will be the IP address of the NTO.

■ User-Name – the data will be the NTO login ID of the user.

■ Anue-Login-Status – the data will be “1” if the login succeeds or “2” if the login fails.

■ Anue-Role – the data will be “1” if the user logged in as an administrator or “2” if the user logged in as a regular user. This value will also be “2” if the login fails.

Tip: Accounting logs are stored on the RADIUS server. Please reference your RADIUS server documentation for information on how to retrieve accounting logs.

Configuring the Microsoft Network Policy Server

In order for an NTO to communicate with Microsoft’s Network Policy Server (NPS), the NPS must be configured as follows:

■ Each NTO must be added to the NPS as a RADIUS client.

■ NPS network policies must be set up to provide to the NTO the groups to which each user belongs.

Adding an NTO as a RADIUS Client of the NPS

In the NPS Server Manager GUI, select Server Manager > Roles > Network Policy and Access Services > NPS (Local) > RADIUS Clients and Servers > RADIUS Clients. Right-click on RADIUS Clients and select New from the pop-up menu. The following screen will appear, Figure 8-19:

Figure 8-19. NPS New RADIUS Client Dialog

In the Address (IP or DNS) field, enter the NTO’s IP address or DNS name. If you are using Windows Server 2008 Enterprise Edition, you can specify a range of NTO IP addresses using CIDR notation. For example, enter 192.168.81.0/24 to add all NTOs in the 192.168.81 subnet as RADIUS clients.

In the Shared Secret fields enter the same value as was entered in the Secret fields when the RADIUS server was added to the NTO. (See “Configure RADIUS Server Dialog” on page 216.)

On the Advanced tab leave all the settings as the default.

Configuring the NPS Network Policies

The NTO uses Anue-specific RADIUS attributes to receive the group list and administrator settings for a user. The NPS uses network policies to assign these attributes when a user logs in. This section describes how to define the NPS network policies to provide the NTO with the necessary attributes.

Figure 8-20 shows the Anue-specific attribute dictionary:

Figure 8-20. Anue Vendor-Specific RADIUS Dictionary

VENDOR AnueSystems 32620

BEGIN-VENDOR AnueSystems

ATTRIBUTE Anue-Role 1 integer
ATTRIBUTE Anue-Groups 2 string
ATTRIBUTE Anue-Service 3 string
ATTRIBUTE Anue-Login-Status 4 integer

VALUE Anue-Role ADMIN 1
VALUE Anue-Role REG 2

VALUE Anue-Login-Status SUCCESS 1
VALUE Anue-Login-Status FAILURE 2

END-VENDOR AnueSystems

For example, the Anue-Role attribute is attribute number ‘1’ and can be assigned a value of ‘1’ (for an admin user) or ‘2’ (for a regular user). The Anue-Groups attribute is attribute number ‘2’ and can be assigned a string. The string is a comma-separated list of group names. You can also see the Anue-Service and Anue-Login-Status attributes used during accounting.

The network policies you create will be checking membership in your Active Directory groups and will be setting Anue attributes when membership conditions are met. Network policies are an ordered set of rules. The NPS checks them in order until a match is found. As a consequence, you will want to create a network policy for every possible combination of Active Directory groups that users might belong to and put them in order from most groups to fewest groups.

For example, if you have two Active Directory groups, Engineering and Security, and users could be in one or both of the groups, you would want to create three network policies in this order:

1. Engineering and Security Policy

2. Engineering Policy

3. Security Policy

The first policy would have as a condition membership in both the Engineering and Security Active Directory groups and upon a match would set Anue attribute ‘2’ (Anue-Groups) to “Engineering, Security”.

The second policy would have as a condition membership in the Engineering group and upon a match would set Anue attribute ‘2’ to “Engineering”.

The third policy would have as a condition membership in the Security group and upon a match would set Anue attribute ‘2’ to “Security”.
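Because the NPS stops at the first matching policy, a policy placed after a less specific one never takes effect. The following Python sketch is an added example, not NPS or Anue code: it builds the ordering described above for any list of Active Directory groups and flags policies that can never match; the function names are hypothetical.

```python
from itertools import combinations

def build_policies(ad_groups):
    """One policy per non-empty combination of AD groups, most groups first.
    Each policy is (name, required AD groups, value for Anue attribute 2)."""
    policies = []
    for size in range(len(ad_groups), 0, -1):
        for combo in combinations(ad_groups, size):
            policies.append((" and ".join(combo) + " Policy",
                             frozenset(combo), ", ".join(combo)))
    return policies

def first_match(policies, user_groups):
    """The NPS checks policies in order and stops at the first whose conditions are met."""
    for name, required, anue_groups in policies:
        if required <= set(user_groups):
            return name, anue_groups
    return None, None                    # no policy matched

def shadowed(policies):
    """Return (policy, earlier policy) pairs where the later policy can never match,
    because every user who meets its conditions already meets the earlier one's."""
    found = []
    for j, (name_j, req_j, _) in enumerate(policies):
        for name_i, req_i, _ in policies[:j]:
            if req_i <= req_j:
                found.append((name_j, name_i))
                break
    return found

if __name__ == "__main__":
    good = build_policies(["Engineering", "Security"])
    bad = good[1:] + good[:1]            # constructed mistake: combined policy placed last
    user = {"Engineering", "Security"}
    print(first_match(good, user), shadowed(good))
    print(first_match(bad, user), shadowed(bad))
```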

To create a network policy, in the NPS Server Manager GUI, select Server Manager > Roles > Network Policy and Access Services > NPS (Local) > Policies > Network Policies. Right-click on Network Policies and select New from the pop-up menu. The New Network Policy dialog will appear.

In the Policy name field enter a name that reflects the groups being checked, such as “Anue NTO Engineering Policy”. Click Next to advance to the Specify Conditions page. Click Add and select the User Groups condition. Click Add and the User Groups dialog will appear. Click Add Groups and the Select Group dialog will appear. Enter the group name(s). Click OK in the Select Group and User Groups dialogs. When finished the Specify Conditions dialog should look something like the following, Figure 8-21:

Figure 8-21. NPS Policy Conditions Example

Click Next to advance to the Specify Access Permissions dialog. Select Access Granted. Click Next to advance to the Configure Authentication Methods and Configure Constraints dialogs, select both (CHAP) and (PAP, SPAP), and configure the settings as desired. Consult your NPS documentation for more information on these settings.

Click Next to advance to the Configure Settings dialog and select Vendor Specific under RADIUS Attributes. Click Add and the Add Vendor Specific Attribute dialog will appear. Select Custom from the Vendor list and then select the Vendor-Specific attribute, Figure 8-22:

Figure 8-22. NPS Add Vendor-Specific Attribute Dialog

Click Add and the Attribute Information dialog will appear. Click Add again and the Vendor-Specific Attribute Information dialog will appear, Figure 8-23:

Figure 8-23. NPS Vendor-Specific Attribute Information Dialog

Select Enter Vendor Code and enter 32620 for Anue. Select “Yes. It conforms” and then click Configure Attribute. The Configure VSA (RFC Compliant) dialog will appear, Figure 8-24:

Figure 8-24. NPS Configure Anue-Groups Attribute Dialog

In this example, we want to specify the NTO group(s) that correspond to this policy, so enter ‘2’ (Anue-Groups) for the Vendor-assigned attribute number, select ‘String’ for the Attribute format, and enter ‘Engineering’ (for example) as the Attribute value. In this case, “Engineering” corresponds to a group name in the NTO port access lists.

If you want to create a policy that controls whether users are NTO administrators, modify your Conditions to make the appropriate check of Active Directory groups or settings and then add a vendor-specific attribute with attribute number ‘1’ (Anue-Role), attribute format ‘Decimal’ and attribute value ‘1’ (Anue-Role ADMIN from the Anue dictionary), Figure 8-25:

Figure 8-25. NPS Configure Anue-Role Attribute Dialog

Note that if you have a policy for authorizing users as NTO administrators, you will also need a policy for authorizing them as regular users. For regular users, set the attribute value to ‘2’ (Anue-Role REG from the Anue dictionary). You will also need to make sure that Authorization is set to Role-Based in the Common RADIUS Settings panel of the NTO Set Authentication Mode dialog (page 214). When Authorization is set to Default in the NTO, the Anue-Role attribute is ignored. If your NPS authorization policies are not working as expected, this is one place to check.
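With these settings the NPS returns the Anue values inside RADIUS Vendor-Specific attributes (type 26, RFC 2865 layout), which is useful to know when reading a packet capture of a failing login. The following Python sketch is an added example, not Anue or NPS code: it encodes and decodes those attributes using the dictionary in Figure 8-20; the function names, the whitespace trimming of group names, and the treatment of a missing Anue-Role as a denied login are assumptions.

```python
import struct

ANUE_VENDOR_ID = 32620            # vendor code from the Anue dictionary
VENDOR_SPECIFIC = 26              # RADIUS Vendor-Specific attribute type (RFC 2865)
DICTIONARY = {1: ("Anue-Role", "integer"), 2: ("Anue-Groups", "string"),
              3: ("Anue-Service", "string"), 4: ("Anue-Login-Status", "integer")}
VALUES = {"Anue-Role": {1: "ADMIN", 2: "REG"},
          "Anue-Login-Status": {1: "SUCCESS", 2: "FAILURE"}}

def encode_vsa(number, value):
    """Build one Vendor-Specific attribute carrying a single Anue sub-attribute."""
    kind = DICTIONARY[number][1]
    data = struct.pack("!I", value) if kind == "integer" else value.encode("utf-8")
    if len(data) + 8 > 255:
        raise ValueError("value too long for one RADIUS attribute")
    sub = bytes([number, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", ANUE_VENDOR_ID) + sub

def tlvs(blob):
    """Yield (type, value) pairs, rejecting lengths that run past the buffer."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        length = blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        yield blob[pos], blob[pos + 2:pos + length]
        pos += length

def decode_anue(attributes):
    """Return the Anue VSAs found in a RADIUS attribute list as {name: value}."""
    found = {}
    for atype, body in tlvs(attributes):
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue                                  # not a vendor attribute
        if struct.unpack("!I", body[:4])[0] != ANUE_VENDOR_ID:
            continue                                  # another vendor's attribute
        for number, data in tlvs(body[4:]):
            if number not in DICTIONARY:
                continue
            name, kind = DICTIONARY[number]
            if kind == "integer":
                if len(data) != 4:
                    raise ValueError(name + " must be a 4-byte integer")
                code = struct.unpack("!I", data)[0]
                found[name] = VALUES[name].get(code, code)
            else:
                found[name] = data.decode("utf-8")
    return found

def nto_view(vsas, authorization="Role-Based"):
    """Role and access control groups as the guide describes them."""
    # Assumption: whitespace around group names is trimmed.
    groups = [g.strip() for g in vsas.get("Anue-Groups", "").split(",") if g.strip()]
    if authorization == "Default":
        return "regular", groups                      # Anue-Role is ignored
    role = {"ADMIN": "admin", "REG": "regular"}.get(vsas.get("Anue-Role"))
    return role or "denied", groups                   # assumption: no usable role, no login

if __name__ == "__main__":
    # Constructed attribute list: User-Name "jane" followed by two Anue VSAs.
    sample = bytes([1, 6]) + b"jane" + encode_vsa(1, 1) + encode_vsa(2, "Engineering, Security")
    print(sample.hex())
    print(decode_anue(sample), nto_view(decode_anue(sample)))
```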

CHAPTER 9

SNMP

Introduction

SNMP (Simple Network Management Protocol) allows monitoring of network device configuration, state, and statistics. SNMP traps/informs provide real time notifications of particular events.

The Anue NTO supports SNMPv1, SNMPv2c and SNMPv3.

SNMPv1 provides for basic gets, get-nexts, sets, and responses, along with traps. SNMPv2c is SNMPv1 plus get-bulks and informs. SNMPv2c supports both traps and informs. Traps do not require acknowledgement whereas informs do require acknowledgement. SNMPv2 traps are generated to trap recipients configured for SNMP version V2 with Retries set to 0. Informs are generated to trap recipients configured for SNMP version V2 with Retries set to 1 or greater.

SNMPv3 is SNMPv2c plus security. The security features added by SNMPv3 include authentication, privacy, and access control.

SNMPv3 Authentication verifies that the message is from a valid source. It also verifies that the message was not altered in transit and that it was not artificially delayed or replayed. In addition to authentication, SNMPv3 provides for privacy through encryption to prevent eavesdropping by third parties. When privacy is invoked between a principal and a remote engine, all traffic between them is encrypted using encryption methods such as Data Encryption Standard (DES).

Access Control for SNMPv3 determines whether a specific type of access (read, write, notify) to a particular object (instance) is allowed. Currently, access is open to the entire set of MIBs that the NTO supports.

SNMPv3 informs also provide for authentication, privacy and access control. In the same way that SNMP requests are authenticated by the agent, informs are authenticated by the end user or Network Management Station.

Anue NTO SNMP support is restricted to SNMP requests and trap generation. SNMP sets (writes) are not supported at this time.

Note: The Anue NTO can only respond to SNMP requests on UDP port 161. This setting is not configurable.

Supported MIBS

Portions of the following MIBs and their corresponding traps are supported. A spreadsheet detailing the specific MIB objects and traps supported by the NTO can be requested from Anue Technical Support. For more information about how to contact Anue Technical Support, see “Technical Support” on page 11.

■ IF-MIB http://www.ietf.org/rfc/rfc2863.txt

■ Etherlike Interfaces http://www.ietf.org/rfc/rfc2665.txt

■ VACM MIB http://www.rfc-editor.org/rfc/rfc3415.txt

■ FRAMEWORK MIB http://www.ietf.org/rfc/rfc3411.txt

■ USM-MIB http://www.ietf.org/rfc/rfc3414.txt

■ TARGET-MIB and NOTIFICATION-MIB http://www.ietf.org/rfc/rfc3413.txt

■ COMMUNITY MIB http://www.ietf.org/rfc/rfc3584.txt

■ RMON MIB http://www.ietf.org/rfc/rfc2819.txt

■ Entity MIB http://www.ietf.org/rfc/rfc4133.txt

■ Entity State MIB http://www.ietf.org/rfc/rfc4268.txt

■ IP MIB http://www.ietf.org/rfc/rfc4293.txt

■ SNMPv2 MIB http://www.ietf.org/rfc/rfc3418.txt

Note: Anue also provides a proprietary MIB in order to model NTO configurations and statistics which cannot be modeled in a straightforward manner with existing standard MIBs. These objects include filter configuration, advanced AFM features (Models 5204/5236/5273 only), history, connections, and statistics. The Anue MIB also includes extended interface information and authentication objects/traps. Details about the specific Anue MIB objects and traps supported can be requested from Anue Technical Support.

Port filters and dynamic filters can be assigned an SNMP tag. The SNMP tag field is a free-form text field that users may optionally configure for each filter. A user can configure one or more keywords using comma, space, or colon as separators. An SNMP management application can then use the keywords to facilitate customized search, sort, and aggregation of the Anue MIB filter information.

Anue Systems has registered with IANA and been assigned Private Enterprise number 32620 [http://www.iana.org/assignments/enterprise-numbers]. All of Anue’s MIB objects are organized under this uniquely assigned OID anueMIB (1.3.6.1.4.1.32620).

To configure SNMP:

1. Log in to the Anue NTO using an account that has system administrator capabilities.

2. Click System to access the System View.

3. Click the “Disabled” hyperlink to the right of SNMP configuration:

Configure the desired SNMP request and trap parameters. Note that SNMP request processing can be enabled or disabled separately from SNMP trap generation. Multiple trap recipients are supported; each can have its own characteristics and enabled/disabled trap types.

Figure 9-1. SNMP Requests Tab

Figure 9-2. SNMP Traps Tab

SNMP Configuration Example

In the following example, we will configure the Anue NTO to accept SNMPv2 requests from the “AnueComm1” and “AnueComm2” communities. We will also configure the Anue NTO to send SNMPv2 formatted inform messages to IP address 192.168.40.119 (default UDP destination port “162”) when a cold start or authentication failure occurs.

Note: If a firewall is in place, UDP ports 161 and 162 need to be open for SNMP communication. If the SNMP trap port is changed to a number other than 162, the new port number would then need to be opened in a firewall configuration.

1. Log in to the Anue NTO using an account that has system administrator capabilities.

2. Click System to access the System View.

3. Click the “Disabled” hyperlink to the right of SNMP configuration:

4. Click the Add button. Select SNMP version V2. Type the word “AnueComm1” in the Community String field. Click OK.

Figure 9-3. Add Access Control

5. Repeat step 4 and type the word “AnueComm2” in the Community String field.

6. Click the Enable SNMP requests checkbox.

Note that the Anue NTO will not respond to SNMP requests when this setting is disabled. Configured community string information is maintained when SNMP requests are disabled.

Figure 9-4. Set SNMP Configuration (Requests)

7. Click the Traps tab and then click the Enable SNMP Traps checkbox.

Note that the Anue NTO will not generate SNMP traps when this setting is disabled. Configured trap recipient information is maintained when SNMP trap generation is disabled.

Figure 9-5. Set SNMP Configuration (Traps)

8. Click the Add button.

Select SNMP Version V2. Enter “192.168.40.119”. Leave the Destination UDP Port set at “162”.

Figure 9-6. Add Trap Recipient

Click the Cold start and SNMP Authentication failure checkboxes.

For SNMP authentication failure, select Enhanced Anue MIB.

Enhanced Anue MIB: In the case of SNMP Authentication failure, send the Anue enhanced trap. Enhancements beyond RFC 1213 include text in the trap message indicating the last failed SNMP query system time, source IP address, IP type, message security model and user name/community string.

Standard MIB-II: Send the standard RFC 1213 MIB-II trap when SNMP authentication failures occur.


Set the Retries to 1. This value indicates that the NTO will attempt to send the inform up to two times.

Set the Retry timeout to 5 seconds. This value indicates the amount of time in seconds that the NTO will retry sending the trap.

Click OK.

9. The SNMP configuration has now been completed. The bottom portion of the window provides a summary of the configuration of the selected SNMP trap. Click OK to save all of the changes.

Figure 9-7. Configured SNMP Traps Tab


CHAPTER 10

SYSLOG

Syslog is a standard for forwarding log messages in an IP network. Syslog is a client/server protocol. The syslog sender sends a small (less than 1KB) text message to the syslog receiver. Syslog is typically used for computer system management and security auditing and it can be used to integrate log data from many different systems into a central repository.

In order to enable syslog on the Anue NTO, users must supply the IP address or DNS name of an external syslog server.

When a syslog server is configured on the NTO, syslog messages will be created and sent to each syslog server configured whenever configuration or state changes occur on the NTO.

Syslog Severity Levels

The system logs include eight severity levels (0-7), which are defined in Table 10-1.

Note: Reference your syslog server documentation for information on configuring and enabling your syslog server.

Table 10-1: Severity Level Definitions

| Log Level | Severity | Description |
|---|---|---|
| 0 | Emergency | The system is unusable. |
| 1 | Alert | Action must be taken immediately. |
| 2 | Critical | Critical conditions exist that should be corrected immediately because there is a failure in a primary system - for example, the loss of a backup ISP connection. |
| 3 | Error | Error conditions exist for non-urgent failures that should be relayed to developers or administrators. |
| 4 | Warning | Warning message, not an error, that indicates an error will occur if action is not taken - for example, the file system is 85% full. Each item must be resolved within a given time. |
| 5 | Notice | Events that are unusual but are not error conditions. No immediate action is required. These events might be summarized in an email to developers or administrators to spot potential problems. |
| 6 | Informational | Normal operational messages where no action is required. These events may be harvested for reporting, measuring, throughput, etc. |
| 7 | Debug | Information that is useful for developers for debugging the application. These events are not useful during operations. |

Events usually generate messages at the “Informational” severity level (level 6), but there are exceptions. Table 10-2 shows the types of events that generate messages and the severity level for those events.

Table 10-2: Severity Level of Message Generating Events

| Severity Level | Event |
|---|---|
| Informational | Modification of tool and network port configuration |
| Informational | Creation and modification of port groups, filters, filter templates, template collections |
| Informational | Creation and deletion of connections between ports and filters |
| Informational | Reset of port or filter statistics |
| Informational | State changes – link up/link down, dropped packet alarm, fan failure, temperature changes, insufficient filter memory, license expiration. |
| Informational | Creation and modification of users and groups, including adding and removing users from groups |
| Informational | Login attempts – success and failure |
| Informational | System settings – software installation, license installation, system info modification, IP address change, DNS configuration, authentication settings, SNMP settings, syslog settings, etc. |
| Informational | TACACS+ server failures when using TACACS+ authentication |
| Notice | The primary configuration database is corrupt, |
| Notice | Login attempts that fail |
| Warning | Link down for the management port |
| Warning | Fan failures |
| Warning | Temperature exceeding the maximum acceptable temperature |
| Warning | All configured TACACS+ servers have failed. |
| Emergency | Both primary and backup configuration databases are corrupt, |

Syslog servers going offline will be logged. If the server is taken offline by a user, that is logged at level “Informational.” If the server goes offline because of a communication error, that is logged at level “Warning.”

The syslog settings are retained when the NTO is rebooted.

Adding or Modifying Syslog Servers to the NTO

To add or modify syslog servers to the NTO:

1. Select the System view.

2. Click the Settings tab.

3. In the Remote Services section, click the link to the right of the Syslog field, shown in Figure 10-1. The default for this link is “Not set.”

Figure 10-1. Add Syslog Servers

When syslog servers are configured, they can be added by IP address or by DNS name. If DNS name is used, the system DNS configuration must be set before messages can be sent to the server. The port and facility must also be selected.

The facility is the application or operating system component that generates a log message. The level is the severity or significance of the message that's been generated. The action defines what's done with any newly-arrived message that matches the facility and level. This combination of facility and level, referred to as the selector, allows system administrators to customize message handling, based on which parts of the system are generating data and how critical the data is. Eight facilities are used for customized auditing: Local0-Local7 and User, as shown in Figure 10-2.

Configure the NTO to match the facility level on your syslog server. For example, if your syslog server uses Local5, then select Local5 from the Facility drop-down list in the Syslog Server Configuration dialog, Figure 10-2.

Figure 10-2. Configure Syslog Facility

Example Syslog Messages

Each syslog message is composed of:

■ A time stamp (not shown in the examples below)

■ Facility - (e.g., local use 1, 2, 3, 4, 5, 6, 7 or User - indicates which file on the syslog server that messages are sent to)

■ Severity level

■ The unit's IP address (or system name if configured)

■ A description of the event


Example Syslog Message 1

Local5 Info 192.168.41.58:"admin" changed Port "P24": MEDIA_TYPE=1G Fiber, ICON_TYPE=SFP

In this example, the user "admin" changed the media type of port 24 to 1G Fiber.

Example Syslog Message 2

Local5 Info 192.168.41.58:"admin" changed Filter "F5": DEST_PORT_LIST="P04", "P10"

In this example, the user "admin" modified the connections for Filter F5. Filter F5 is now connected to Tool Ports P04 and P10. Note that connections to network ports would be logged as "SOURCE_PORT_LIST".
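The two example messages above can be parsed mechanically on the syslog server for audit review. The following is an added example, not code from Anue Systems: the field layout is inferred only from those two messages, and the third sample line, the user "jdoe" and all function names are constructed for illustration.

```python
import re

# Layout inferred from the two example messages in this chapter (assumption).
# The time stamp is not shown in those examples, so it is not parsed here.
LINE_RE = re.compile(
    r'^(?P<facility>\S+)\s+(?P<severity>\S+)\s+'
    r'(?P<source>[^:\s]+):"(?P<user>[^"]*)"\s+'
    r'(?P<action>\w+)\s+(?P<kind>\w+)\s+"(?P<name>[^"]*)":\s*(?P<attrs>.*)$'
)
# A comma separates two attributes only when the next token looks like KEY=,
# so the commas inside a quoted port list ("P04", "P10") are left alone.
ATTR_SPLIT_RE = re.compile(r',\s*(?=[A-Z][A-Z0-9_]*=)')
# Attribute names the guide gives for filter connections.
PATH_KEYS = ("SOURCE_PORT_LIST", "DEST_PORT_LIST")

SAMPLE_LINES = [
    # The two messages shown in the guide:
    'Local5 Info 192.168.41.58:"admin" changed Port "P24": '
    'MEDIA_TYPE=1G Fiber, ICON_TYPE=SFP',
    'Local5 Info 192.168.41.58:"admin" changed Filter "F5": '
    'DEST_PORT_LIST="P04", "P10"',
    # Constructed line (not from the guide) for the review check below:
    'Local5 Info 192.168.41.58:"jdoe" changed Filter "F5": '
    'SOURCE_PORT_LIST="P01"',
]


def parse_attrs(text):
    """Turn 'K1=v1, K2="a", "b"' into {'K1': 'v1', 'K2': ['a', 'b']}."""
    attrs = {}
    for part in ATTR_SPLIT_RE.split(text.strip()):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        quoted = re.findall(r'"([^"]*)"', value)
        attrs[key.strip()] = quoted if quoted else value.strip()
    return attrs


def parse_line(line):
    """Return the message fields as a dict, or None if the layout differs."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    event = match.groupdict()
    event["attrs"] = parse_attrs(event["attrs"])
    return event


def path_changes(lines, approved_users=frozenset()):
    """List filter connection changes made by users outside approved_users.

    A change to SOURCE_PORT_LIST or DEST_PORT_LIST alters which ports feed a
    filter or which tools receive its output, so these are worth reviewing.
    """
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["kind"] != "Filter":
            continue
        if event["user"] in approved_users:
            continue
        for key in PATH_KEYS:
            if key in event["attrs"]:
                findings.append(
                    (event["user"], event["name"], key, event["attrs"][key])
                )
    return findings


if __name__ == "__main__":
    for finding in path_changes(SAMPLE_LINES, approved_users={"admin"}):
        print(finding)
```

Lines that do not match the inferred layout return None from `parse_line`, so they can be counted and inspected rather than silently dropped.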

Confirming Connections to Syslog Servers

If there is an error reaching a particular syslog server, a red “X” will appear next to the server name or IP address in the list of syslog servers as well as on the System view Settings tab to the right of the Syslog field link.

To test individual syslog server connections:

1. In the Syslog Servers dialog, select a syslog server DNS name or IP address in the list box.

2. Click the Test button to send a test message to the syslog server. The Test button will report a successful send, an error locating the host or IP address, or an error in communication.

Note: A syslog message is sent via UDP, and no acknowledgement of its receipt is returned. For that reason, in order for a syslog server configuration to be confirmed with 100% certainty, receipt of the test message must be confirmed at the server end.


CHAPTER 11

Access Control Using Groups

For some organizations, there is a need to protect and coordinate access to network ports, tool ports, filters, and sensitive data that is passing through the Net Tool Optimizer (NTO). For example, there may be a need to define access so that only members of the Security team can modify the settings of a specific tool port that is attached to an Intrusion Detection System (IDS). Access Control using Groups provides the features required to meet these security concerns.

Access policies for each port can be defined by arranging users into groups. Groups can be defined in any manner to meet your organization’s needs. Group composition can be based on function (networking, security, compliance, etc.), role (administrators, basic users, managers) or group structure (project team, geographic location, etc.).

By default, filters automatically inherit the access control of the network and tool ports to which they are connected. This ensures that the access policies are consistently enforced. As an option, the access policies of dynamic filters can be customized by a system administrator. This feature can be used to restrict the ability of users to modify filters that may be receiving and filtering out sensitive data, passing only cleansed data to the tools.

Port groups always inherit the combined security settings of the ports they contain.

Configuring Access Control

There are two key steps in setting up access control. Note that only system administrators can configure access control.

1. Assign users into Groups.

2. Define the Access Control for the ports that need to be secured.

NOTE Only system administrators can configure access control. Only system administrators have the ability to create groups. System administrators can modify and connect all diagram objects regardless of the object access control settings.

Be aware that NTO Access Control Using Groups is a feature that utilizes local groups when the NTO is in local authentication mode and remotely-defined groups when the NTO is in TACACS+ or RADIUS authentication mode with Groups != Local.

The TACACS+ feature that utilizes the "group = " keyword (in the TACACS+ Server Configuration File located on the TACACS+ Server) is unrelated to NTO Access Control Using Groups. The "group =" keyword is used to define whether a user will have regular user or system administrator capabilities upon login.


For each port, access policies can be set for two operations, 1) Modifying a port’s configuration and 2) Connecting/disconnecting from a port.

For these two operations, there are three choices: Allow all, Require Group Member or Require Admin.

Modification and connection access can be used to customize policies for an organization. For example, you may want to set up access to a tool port for an IDS tool such that only members of the security engineering team can connect to a tool port, and only members of security management can modify the tool port settings (filter criteria, connection speed, etc.).

Access Control Behavior

Once access control policies are set, each user receives a customized view of the ports that they can access. Users can see all port and dynamic filter settings, but lock icons will display on the ports and dynamic filters that they cannot connect to or modify.

Access Control Icon Indicators

The figure below displays a single lock towards the center of the port. This indicates that the user can add and remove port connections but cannot modify the port settings (port speed, filter criteria, etc.).

The next figure displays a lock towards the center of the port and at the port connector. This indicates that the user cannot modify the port settings, add port connections or remove port connections.

Because system administrators have access to all objects regardless of the access control settings of the object, their view will display faded locks on ports and dynamic filters with access control in effect. The faded locks, as shown in the figure below, inform the system administrator that a dynamic filter or port has access control settings other than Allow All configured.

Inheritance

Filters automatically inherit the access control settings of the network and tool ports to which they are connected. This ensures that the access policies are consistently enforced. As an option, the access policies of filters can be configured by a system administrator. This feature can be used to filter out sensitive data so tools can safely monitor cleansed data (see example #2).

Port Groups inherit the security settings of their contained ports. A user must have modify access to every port contained in a port group to have modify access to the port group. A user must have connect/disconnect access to every port contained in a port group to be able to perform those operations on a port group.
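The port and port group rules above can be modeled in a few lines to review who can do what before policies are applied. This is an added example, not the NTO's own implementation: the user names are constructed, the port settings are taken from Access Control Examples #1 and #3 later in this chapter, Allow All as the default for the modify operation is an assumption, and filter inheritance and the faded administrator locks are not modeled.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    ALLOW_ALL = "Allow All"
    REQUIRE_GROUP_MEMBER = "Require Group Member"
    REQUIRE_ADMIN = "Require Admin"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    is_admin: bool = False


@dataclass
class Rule:
    policy: Policy = Policy.ALLOW_ALL   # default for modify is an assumption
    groups: frozenset = frozenset()     # used only for REQUIRE_GROUP_MEMBER

    def permits(self, user):
        if user.is_admin:               # admins bypass every object policy
            return True
        if self.policy is Policy.ALLOW_ALL:
            return True
        if self.policy is Policy.REQUIRE_GROUP_MEMBER:
            return bool(self.groups & user.groups)
        return False                    # REQUIRE_ADMIN and not an admin


@dataclass
class Port:
    name: str
    modify: Rule = field(default_factory=Rule)
    connect: Rule = field(default_factory=Rule)


def allowed(user, operation, port):
    """operation is 'modify' or 'connect' (connect/disconnect)."""
    if operation not in ("modify", "connect"):
        raise ValueError(f"unknown operation: {operation}")
    return getattr(port, operation).permits(user)


def group_allowed(user, operation, ports):
    """A port group needs the right on every port it contains."""
    return all(allowed(user, operation, port) for port in ports)


def locks(user, port):
    """Lock icons a non-admin user would see on the port."""
    shown = []
    if not allowed(user, "modify", port):
        shown.append("center")
    if not allowed(user, "connect", port):
        shown.append("connector")
    return tuple(shown)


# Settings from Example #1 (IDS 1) and Example #3 (SPAN 1).
IDS1 = Port("IDS 1", connect=Rule(Policy.REQUIRE_GROUP_MEMBER,
                                  frozenset({"Security Team"})))
SPAN1 = Port("SPAN 1", modify=Rule(Policy.REQUIRE_ADMIN))

# Constructed users for the walk-through.
ALICE = User("alice", frozenset({"Security Team"}))
BOB = User("bob")
ROOT = User("root", is_admin=True)

if __name__ == "__main__":
    for user in (ALICE, BOB, ROOT):
        for port in (IDS1, SPAN1):
            print(user.name, port.name,
                  "modify" if allowed(user, "modify", port) else "-",
                  "connect" if allowed(user, "connect", port) else "-",
                  locks(user, port))
```

Running the model over every user and port gives a quick access matrix; a port group containing both ports shows the all-ports rule, since a Security Team member can connect to the group but cannot modify it.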

Authorization Failure

If an unauthorized user attempts to add or remove connections or alter port or filter configuration settings, they will receive an authorization failure message similar to the one displayed in the figure below.

Figure 11-1. Authorization Failure

Access Control Examples

Four common usage examples are described below.

1. Restrict the access to a tool port to a specific group. See Access Control Example #1 - Restrict Access to a Tool (Port).

2. Use dynamic filter access control to protect sensitive data while allowing non-sensitive data to be accessed. See Access Control Example #2 – Protect Sensitive Data but Allow Non-sensitive Data to be Accessed.

3. Restrict access so that one group can modify a port and another group can make connections to the port. See Access Control Example #3 - Restrict Access to Allow One Group to Modify a Port and another Group to Make Connections to the Port.

4. Add TACACS+ (w/ Groups = Local) users into NTO groups. The groups can then be added to access control policies. See Access Control Example #4 – Add TACACS+ Users to Local Groups.


Access Control Example #1 - Restrict Access to a Tool (Port)

The goal is to ensure that only the Security Team can connect traffic to the IDS 1 tool port (shown in the figure below).

1. Add the appropriate users to the Security Team group.

Click the New Group icon displayed in the toolbar below the main menu options.

(Note that this icon will not be visible when a non-system administrator is logged in.)

When the New Group window displays, enter “Security Team” in the Name field.

Then click the Add button to begin adding users to the Security Team group from the list.

Note: This example uses local authentication.


Figure 11-2. Create the Security Team Group

Select the users from the displayed list. Several users can be selected by using the Shift or Ctrl keys.

Click OK to add the users. Click OK to create the group.

For more details on how to create groups, see Creating Groups and Adding Users to Groups.

2. Double-click the “IDS 1” tool port and select the Access Control tab.

Change the Operation: Connect/Disconnect to/from this Port Policy to Require Group Member. Click the Add Group button in this section and add the Security Team to the access list.

Click OK.

Note: More than one group can be added to a group.


Figure 11-3. Add the Group to Access Control List

3. After the access control policy has been enabled, only the members of the Security Team (and system administrators) will be able to make connections to the IDS 1 tool port.

Notice that the “VLAN 100” dynamic filter has inherited the IDS 1 tool port access control settings. The IDS 1 “Connect/Disconnect” policy has been applied to the VLAN 100 filter “Connect/Disconnect” and “Modification” policies.

This ensures that the access policies are consistently enforced. For example, modifications to the VLAN 100 filter settings could alter the data received by the IDS 1 tool port, and disconnecting the VLAN 100 filter from the SPAN 1 network port would stop all traffic from being sent to the IDS 1 tool port.

Note that the access control policies of filters can also be customized by a system administrator.


Access Control Example #2 – Protect Sensitive Data but Allow Non-sensitive Data to be Accessed

The goal of this example is to configure access control to only allow system administrators to direct sensitive data to tool ports.

Note: This example uses local authentication.

See the figure below. In this example, sensitive PCI and SOX data is being received from the P01 network port along with other non-sensitive data. The goal of this example is to configure access control to only allow system administrators to direct sensitive data to tool ports.

Note that if the goal of this example was to configure access control to only allow a select group of users to direct sensitive data to tool ports, a group name could be substituted for the Require Admin option selected in this example.

The figure below displays the access control settings that have been enabled. Access control settings are applied on the Access Control tab of each object.

Network Port (P01) Access Control Settings:

The access control setting for modifying this network port has been set to Require Admin (notice the modification lock on the network port in the figure above). This setting will prevent non-system administrators from modifying the type of traffic that will be allowed to pass through the network port. The access control setting for connecting tools to this network port has also been set to Require Admin (notice the connection lock on the network port in the figure above). Only system administrators will be able to modify the network port settings and connect dynamic filters to the network port.

Dynamic Filter (F1) Access Control Settings:

The dynamic filter has been configured with filter criteria that will remove sensitive data from the traffic received from network port (P01) and allow all other data to pass through to connected tool ports.

The access control setting for modifying the dynamic filter has been set to Require Admin (notice the modification lock on the F1 dynamic filter in the figure above). This will prevent the dynamic filter settings from being modified by non-system administrators and ensure that sensitive data cannot be accessed. For example, if a non-system administrator could change the filter criteria to “Pass All”, all data, sensitive and non-sensitive, could pass through the dynamic filter.

The access control setting for connecting tool ports to the dynamic filter has been set to Allow All. This setting will allow any user to connect a tool port to this dynamic filter. Connected tools will only receive non-sensitive data.

Dynamic Filter (F2) Access Control Settings:

The access control setting for modifying this dynamic filter has been set to Require Admin. The access control setting for connecting tools to this dynamic filter has also been set to Require Admin. Only system administrators will be able to modify the dynamic filter settings and connect tool ports to this dynamic filter.

Access Control Example #3 - Restrict Access to Allow One Group to Modify a Port and another Group to Make Connections to the Port

The goal is to ensure that only system administrators can modify the configuration of a port but all users can connect to the port and direct traffic to tools. This setup will ensure that only system administrators can disable the port and modify filter criteria settings.

1. Double-click the SPAN 1 network port and select the Access Control tab.

Change the Operation: Modify this Port Policy to Require Admin.

Note: This example uses local authentication.


The Operation: Connect/Disconnect to/From this Port Policy will remain at the default setting of Allow All.

Notice that there is information below both of the policy access lists indicating which users can perform operations specific to the policy.

Click OK to save the changes.

2. After the access and control policy has been enabled, users who are not system administrators will see a lock towards the center of the port that indicates that the user does not have the ability to modify the port configuration. There is no lock at the port connector indicating that the user can connect tools to the port.


Access Control Example #4 – Add TACACS+ Users to Local Groups

The goal is to add TACACS+ users into NTO groups when the TACACS+ Groups setting is “Local”.

When the NTO is in TACACS+ authentication mode (w/ Groups = Local), users can be added to groups by entering the names listed in the TACACS+ database into a NTO group. Several names can be added by entering the names in a comma separated list as shown in the image below, Figure 11-4. The groups can then be added to access control policies.

Figure 11-4. Add TACACS+ Users to NTO Groups

NOTE This procedure does not apply when the TACACS+ groups are being used (Groups = TACACS+). In this mode, the TACACS+ server automatically populates groups with members. There is no difference in how a group (local or TACACS+ derived) is added to an access control policy.


CHAPTER 12

Use Cases and Common Configurations

The following examples demonstrate common Net Tool Optimizer (NTO) configurations.

Quick Start Example

In this example, the user would like to direct all VLAN 2 traffic from a router span port to an intrusion detection system (IDS) and send the same data to a storage device. The user also wants to prevent all ICMP traffic from reaching the storage device.

Note that the Anue NTO ports used for this example have been chosen for ease of illustration and not because of physical limitations. All connections shown are 1G copper but these procedures will work similarly for all of the port types that can be licensed on the system.

1. Physically connect the router SPAN port to port 2 of the Anue NTO.

2. Physically connect port 1 of the Anue NTO to the IDS.

3. Physically connect port 3 of the Anue NTO to the data storage device.

Figure 12-1. Quick Start Physical Setup

4. Log in to the Anue NTO Control Panel.


5. Create and enable a Router SPAN Port (P01), Data Storage tool port (P02) and IDS tool port (P03). Draw connectors between the ports as shown in the figure below.

Connections are drawn by clicking the mouse pointer on the small green square on the side of an object and dragging to the small green square on the side of another object.

Note that when the first connection is drawn between P01 and P02 or P01 and P03, a dynamic filter will automatically be created.

Figure 12-2. Quick Start Logical Setup

6. Double-click the dynamic filter. Select the Filter Criteria tab and configure the Filter Mode to Pass by Criteria. Select the Layer 2 Criteria Type. Click the VLAN button. Enter the VLAN ID “2”. Click OK in each dialog box until all of the dynamic filter windows are closed.

Figure 12-3. Edit Dynamic Filter Criteria

7. Double-click the Data Storage tool port (P02). Select the Filter Criteria tab and configure the Filter Mode to Deny by Criteria. Click the IP Protocol button. Select “ICMP (1)” from the drop down list. Click OK in each dialog box until all of the tool port windows are closed.


Figure 12-4. Edit Tool Port (Egress) Filter Criteria

The Quick Start Example is now completed.

VLAN 2 traffic from the Router Span Port is being sent to tool port P02. ICMP packets will be dropped at tool port P02 before traffic reaches the Data Storage device. All VLAN 2 traffic from the Router Span Port is being sent to the IDS device connected to tool port P03.

Figure 12-5. Completed Quick Start Example
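The resulting traffic split can be checked against sample frames before relying on it. This is an added example that models the Quick Start filter logic in software and is not the NTO's implementation: it assumes a single 802.1Q tag and IPv4, and the frames are constructed test data.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag TPID
ETH_P_IPV4 = 0x0800
IPPROTO_ICMP = 1       # "ICMP (1)" in the tool port criteria


def build_frame(vlan, ip_proto):
    """Constructed test frame: Ethernet [+ 802.1Q tag] + 20-byte IPv4 header."""
    macs = bytes(12)                               # dst + src MAC, all zeros
    tag = b"" if vlan is None else struct.pack("!HH", ETH_P_8021Q,
                                               vlan & 0x0FFF)
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20, 0, 0, 64, ip_proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return macs + tag + struct.pack("!H", ETH_P_IPV4) + ipv4


def classify(frame):
    """Extract the VLAN ID and IPv4 protocol number, None where absent."""
    info = {"vlan": None, "ip_proto": None}
    if len(frame) < 14:
        return info                                # truncated Ethernet header
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return info                            # truncated VLAN tag
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info["vlan"] = tci & 0x0FFF                # low 12 bits are the VLAN ID
        offset = 18
    if ethertype == ETH_P_IPV4 and len(frame) >= offset + 20:
        info["ip_proto"] = frame[offset + 9]       # protocol field of IPv4
    return info


def deliver(frame):
    """Return the tool ports that receive a frame arriving on P01."""
    info = classify(frame)
    if info["vlan"] != 2:          # dynamic filter: Pass by Criteria, VLAN ID 2
        return []
    ports = ["P03"]                # IDS tool port has no egress criteria
    if info["ip_proto"] != IPPROTO_ICMP:
        ports.append("P02")        # Data Storage: Deny by Criteria, ICMP (1)
    return sorted(ports)


if __name__ == "__main__":
    cases = {
        "VLAN 2 TCP": build_frame(2, 6),
        "VLAN 2 ICMP": build_frame(2, 1),
        "VLAN 10 TCP": build_frame(10, 6),
        "untagged ICMP": build_frame(None, 1),
    }
    for label, frame in cases.items():
        print(f"{label:14s} -> {deliver(frame)}")
```

The VLAN 2 ICMP case is the one to note: the IDS on P03 still sees it, while the storage device on P02 does not.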


Use Case 1: Aggregating Three Network Ports to One Tool Port

A common use for the Net Tool Optimizer is to aggregate traffic from many network ports to one tool port. The aggregation can give a tool a “big pipe view” and alleviate the need to use multiple tools.

The diagram below shows how three network ports have been aggregated to one tool port by drawing connectors from the network port to a filter and then from the filter to the tool port.

Step-by-step instructions on how to create a configuration like the one shown in the figure below can be found in the Quick Start Example.

Figure 12-6. Three Network Ports Aggregated to One Tool Port

Three 1G ports (transmitting data at full line rate) have been aggregated to one 1G port. The VLAN 10 Filter eliminates traffic that is not required by the Data Capture (P03) tool port and prevents the three network ports from causing a packet overflow condition at the tool port. Tool port statistics can be used to verify that the traffic from the three network ports, after the VLAN 10 filtering, is equal to or less than 1G.

Use Case 2: Easily Extending the Configuration

The Anue NTO control panel provides several features that allow you to use the currently configured objects to easily and quickly extend the configuration.

In Use Case 1: Aggregating Three Network Ports to One Tool Port, traffic from three network ports was aggregated to one tool port (displayed in the figure below). The configuration for that use case contained a filter named VLAN 10 Filter with a Pass by Criteria criterion of “VLAN 10”.

Figure 12-7. Use Case # 1 Diagram

Now we would like to add a similar configuration where the same three network ports will have their traffic aggregated to a 1G IDS tool port and the Pass by Criteria criterion of the filter will be set to “VLAN 2”.

The control panel ease of use features can be used to quickly make the configuration changes in the four simple steps outlined below.

1. Add the additional tool port.

2. Duplicate the “VLAN 10 Filter” and change the criterion to “VLAN 2”.

3. Use the Connections tab of the Edit Filter window to connect the filter to the three network ports.

4. Use the Connections tab of the Edit Filter window to connect the filter to the tool port.

For more information about the control panel ease of use features, see Control Panel Ease of Use Features.

Step 1 – Add the IDS tool port

Double-click an available port, configure it as 1G tool port, name the port “IDS” and enable it. Click OK to save the changes.


Figure 12-8. Add 10G IDS Tool Port

Step 2 – Duplicate the VLAN 10 filter and change the criterion to “VLAN 2”

Note that this feature is most useful when a complex filter has been created and there is a need to create a very similar filter that has minor modifications.

Right-click the “VLAN 10” filter and select Copy.

Right-click the diagram area and select Paste.

You will receive the following message:

Figure 12-9. Specify Filter Name

Enter the name “VLAN 2 Filter” and click OK.

Double-click the VLAN 2 Filter. In the Selected Criteria section on the Criteria tab, double-click the “VLAN 10” criteria. Set the VLAN ID to “2”. Click OK.


Figure 12-10. Modify the Dynamic Filter

Step 3 – Use the Connections tab of the Edit Dynamic Filter window to connect the (VLAN 2) filter to the three network ports

Click the Connections tab. To the right of the Network Ports section, click the Add Port button.


Figure 12-11. Dynamic Filter Connections Tab

Ctrl-click the three network ports. Click OK.

Figure 12-12. Select Network Ports

Step 4 – Use the Connections tab of the Edit Filter window to connect the (VLAN 2) filter to the (IDS) tool port

To the right of the Tool Ports section on the connections tab, click the Add Port button. Click the Data Capture tool port and click OK. Click OK again on the Edit Filter window to save all of the port changes.

Figure 12-13. Select Tool Ports

The configuration changes are now completed.

Figure 12-14. Use Case 2 Configuration Completed

Use Case 3: Sending SPAN Port Data to Several Devices

A common problem that occurs with a SPAN port is that there is often contention for the data on the SPAN port as other network priorities arise. This problem is easily resolved when the SPAN port is connected to the Anue NTO. A second tool port is simply added and connected to the filter and the second device is physically connected to the Anue NTO.

In the figure below, notice that the dynamic filter is passing all traffic from Router SPAN Port 1 (P02) to the IPS (P21) tool port.

The tool port icon indicates that a layer 4 Source Port deny criterion has been configured (L4SPT). The tool port is configured to deny DNS traffic.

Figure 12-15. SPAN Port Data Sent to One Tool

Create the second tool port for a traffic analyzer and draw a connector to the Pass All Filter. The second tool port is configured to Pass All traffic.

In the figure below, the Router SPAN Port 2 traffic is now being sent to two tool ports. The IPS (P21) tool port is denying or filtering a portion of the available traffic; the Traffic Analyzer (P03) tool port is receiving all of the available traffic.

Figure 12-16. SPAN Port Data Sent to Two Tools


CHAPTER 13

Control Panel Ease of Use Features

The control panel provides several methods for accomplishing most tasks. Several features allow for quick and intuitive configuration of the control panel objects.

Using Tooltip Help

There is extensive tooltip help throughout the NTO Control Panel interface. Hovering the mouse pointer over objects and menu options provides helpful information and configuration details. Some examples are shown below.

Figure 13-1. Filter Mode Tooltip

Figure 13-2. Dynamic Filter Tooltip


Modifying Several Objects of the Same Type Simultaneously

If you want to modify (or view the statistics of) several objects of the same type simultaneously you can “lasso” the objects and then right-click them to select a menu option. For example, to enable several network ports simultaneously:

1. Use the mouse to “lasso” or draw a box around the disabled ports. A dotted green line will appear around the selected objects. Note that the devices can also be selected by holding down Ctrl and clicking on the objects.

2. Right-click one of the selected ports and select Enable as shown in the figure below.

Modifying Several Objects of Different Types Simultaneously

Hold down the Ctrl key and then click the objects.

Right-click one of the objects to modify settings or view statistics. The menu options that are available will differ based on the combination of objects selected.

Duplicating a Dynamic Filter

A complex filter can easily be copied and then modified to avoid creating the filter from scratch.

Right-click the filter and select Copy.

Right-click in the diagram area and select Paste.

You will receive the following message that prompts you to change the name of the new filter:

Figure 13-3. Specify Filter Name

Enter a name for the new filter and click OK.


Copying Filters from One Diagram View to Another

Filters can be copied between control panel sessions running on the same PC that are logged in to different Anue NTO servers.

Simply copy and paste the filter from one control panel to the other.

Using the Select All Feature

To cycle through the different object types in the diagram, press Ctrl-a repeatedly.

The following items will be selected in this order:

1. All dynamic filters.

2. All network ports.

3. All tool ports.

4. All tool ports and network ports.

5. All tool ports, dynamic filters and network ports.

6. All connectors.

The selection order repeats when Ctrl-a is pressed again.

Quick Access to Object Statistics

Ctrl double clicking on a diagram object will display the object statistics. For example, Ctrl double clicking on a network port will display the Network Port Statistics.

Properties Window Shortcuts

Ctrl double clicking on the icon in a properties window of an object will display the statistics window of the object. Ctrl double clicking on the icon in the statistics window of an object will display the properties window of the object.


Bring All Open Statistics Windows into the Foreground

Press the F12 key on the keyboard to bring all open statistics windows into the foreground. This feature allows the statistics of different objects to be easily compared.

Hiding Disabled Ports

Ports that are not enabled can be hidden to improve the readability of the diagram.

The F11 function key can be used to hide disabled ports. Disabled ports can also be hidden by right clicking in the diagram area and choosing Hide Disabled Ports.

Function Keys

The function keys provide several features that help with viewing and organizing the diagram.

A Function Key Legend is displayed at the bottom of the main window. The Function Key Legend provides a quick reference to some of the available function keys.

Figure 13-4. Function Key Legend

The options displayed in the legend can change based on the current focus or view. For example, the F5 Organize Diagram option is not displayed in the legend unless the diagram area Auto-organize option is disabled.

There are additional Function Keys that are not displayed in the function key legend. Function Key shortcuts are displayed next to several menu options. For example, while in the diagram view, accessing the View menu option indicates that Zoom can be achieved with the F4 key.

The F2 function key toggles between Enable Mouseover Pathway Highlighting (when disabled) and Disable Mouseover Pathway Highlighting (when enabled).

When this function is enabled, the user can hover the mouse over a diagram object to highlight the connections unique to the object. For example, looking at this diagram it may be difficult for the user to clearly see the connections to the Data Capture (P03) tool port.


Figure 13-5. P03 Connectivity without Mouseover Pathway Highlighting

When Mouseover Pathway Highlighting is enabled, placing the mouse over the P03 icon will cause the connection lines to be highlighted in bold blue as shown in the figure below. The mouse can be placed over network ports, tool ports and connections to highlight the pathways involving that object.

Figure 13-6. P03 Connectivity with Mouseover Pathway Highlighting

F3: Zoom In (Not listed in the diagram area legend)

This function key will enlarge the size of the diagram view. Note that the menu option View -> Zoom to 100% can be used to restore the view to normal.

F4: Zoom Out (Not listed in the diagram area legend)

This function key will decrease the size of the diagram view. Note that the menu option View -> Zoom to 100% can be used to restore the view to normal.

F5: Organize Diagram

This option will redraw the diagram so that there are a minimum number of crossed connections.

When the “Automatically re-organize....” option is unchecked under the Diagram section of the Options menu (Edit -> Options), the F5 function key can be used to organize the objects on the diagram. See the section on the Edit Menu for details on the algorithm used to organize the diagram. Note that the F5 function key is not available on the function key bar when the diagram area is configured to automatically re-organize.

F6: Focus on all/Focus on selected/Focus on my access

The F6 function key provides three focus options: Focus on all, Focus on selected and (for non-system administrators) Focus on my access. Pressing the F6 key will toggle between the last two focus options selected by the user.

Focus on all: This is the default focus mode that displays all diagram objects.

Focus on selected: To utilize this feature the user selects diagram objects that they want to focus on and then presses the F6 function key. The diagram will then redraw so that only the selected object(s), and the other objects that are connected to them, are displayed. To select more than one object the user can hold down the Ctrl key while selecting objects or “lasso” the objects using the mouse.

Focus on my access: When access control using groups has been enabled on ports or dynamic filters, this focus option displays the dynamic filter and ports that the user has access to. This option is only available to non-system administrators because system administrators always have access to all objects. For more information on access control using groups, see Access Control Using Groups.

There are additional methods available to choose the diagram view focus. For more information, see Icon Toolbar and Focus Status.

F7: Suppress/Show Tooltips

This function key will suppress display of tooltips. Most of the Control Panel diagram area objects provide tooltip help. Occasionally the display of tooltips may interfere with the display of information that a user wants to view. Pressing F7 allows the display of tooltips to be suppressed. Pressing F7 (Show Tooltips) again will display tooltips.

F10: Hide/Show Memory Meters

This function key toggles between Hide Memory Meters and Show Memory Meters. It will hide or show the memory meters displaying the filter memory allocation.

F11: Hide Disabled Ports/Show Disabled Ports

This function key toggles between Hide Disabled Ports and Show Disabled Ports. This setting is remembered upon exit and recalled when the user logs in again.

F12: Bring Stats to Front

This function key will bring all open statistics windows to the foreground. The F12 key is only visible in the function key legend when there are statistics windows open.


CHAPTER 14

Automation Scripting

Net Tool Optimizer (NTO) Automation Scripting enhances the functionality of the NTO by providing the ability to automate the configuration and management of the NTO. NTO Automation Scripting consists of a command interpreter and a set of commands that can be saved in script files for automated processing or typed into an interactive shell for immediate processing. This functionality allows you to interactively manage several Anue Net Tool Optimizers or, for example, to track specific traffic patterns during certain times of day or to automatically update filter criteria and/or connections based on user defined trigger parameters.

You can download the Anue NTO Tcl Scripting Package from a link on the NTO Welcome Page/Launch Page. For more details see the Anue 5200 Automation Scripting Guide.


CHAPTER 15

Statistics

The Anue Net Tool Optimizer (NTO) provides a wide range of statistics to help users optimize tool utilization.

Network ports, tool ports and filters report statistics. There are also tool management view statistics which provide statistics for all the objects connected to a specific tool port.

There are several ways to view object statistics.

■ Right click on an object (tool port, network port, or dynamic filter) and choose Statistics.

■ Ctrl double click on an object.

■ Click on Filters or Ports in the management pane and select statistics. This provides a view of all filter or ports statistics at once.

■ Right click on a tool port and select Tool Management View.

■ Shift click on several objects, right click and choose Statistics. The statistics window for all selected objects will open.

Features Common to All Statistics Pages

The following features and displayed information are available on the Network, Dynamic Filter and Tool Port statistics pages described in the sections below:

Clicking the Chart icon displays a chart window. Statistic charts provide a historical view of counts/rates/throughput, traffic patterns and burstiness in line chart format. A detailed description of this feature is provided in the Statistics Charting section.

The following features and displayed information are available on all of the statistics pages described in the sections below:

Port or Filter Icon Image: The status image is displayed in the upper right corner of the window, other windows associated with this port/filter and on the diagram. The image displays the same port/filter status and configuration information that is displayed on the icon in the diagram area.

Within any window that this icon is visible:

■ Double-click on the icon image to open the port/filter properties window.

■ Ctrl + double-click on the icon image to open the port/filter statistics window.

 


Refresh

Time of Displayed Stats: Displays the time at which the statistics were collected on the server. The time is displayed in the local time zone of the PC running the control panel. Users running the control panel in different time zones will see different times displayed here.

Display Refresh Interval: The configured refresh interval is displayed. Click the value to configure the interval. This setting does not affect how often statistics are collected on the NTO, which is always once per second. The refresh interval can also be configured under the Edit -> Options menu.

The Pause button pauses the update of the statistics displayed in the control panel for the currently logged in user (the button name will change to Resume during pause). This button does not affect the actual collection of statistics on the NTO server.

Reset

Time since stats reset: Displays the amount of time that has transpired since the reset of the port statistics.

Reset by: Displays the Login ID of the last user who reset the port statistics.

The Reset button will reset the tool port statistics.

The Reset Open button will reset the statistics of all of the ports and filters with statistics windows that are currently open. This feature will allow the statistics for different objects to be synchronized to a similar point in time. Note that since the statistic windows are reset serially, the statistics displayed on the open statistic windows will not be completely synchronized.

The Close All button closes all of the currently open statistics windows.

The Close button closes the tool port statistics window.

Network Port Statistics

See Statistics for information on the various ways to view statistics. The network port statistics are described in detail below.


Figure 15-1. Network Port Statistics

Counts

Received: A total count of the received Packets or Bytes since statistics were last reset for the port. Packet counts display under the Packets column, byte counts display under the Bytes column.

Valid: A total count of the valid packets received since the statistics were last reset.

Invalid: A total count of the invalid packets received since the statistics were last reset. This value is also a link that provides details about the invalid packets. The invalid packet breakdown window is shown below. Note that invalid packets are not forwarded to tools.


Figure 15-2. Invalid Packet Breakdown

The Invalid Packets Breakdown window displays the following RFC 2665 Dot 3 statistics. When a statistic category is selected, a brief description will display in the Description field:

■ Frame-too-long errors

■ FCS Errors

■ Alignment errors

■ Symbol errors

The Invalid Packets Breakdown window displays the following RFC 1757 Ether statistics. When a statistic category is selected, a brief description will display in the Description field:

■ Collisions

■ CRC alignment errors

■ Fragments

■ Runts


Table 15-1 describes how invalid packets are handled on different models of the NTO. See Supported Packet Sizes for information on packets that are classified as invalid because of size.

Passed: A total count of the Packets or Bytes that were allowed to pass through the port since port statistics were last reset. Packet counts display under the Packets column, byte counts display under the Bytes column. Traffic is allowed to pass through the port based on the filter mode and criteria.

Rates/Percentages

Clicking the Chart icon displays a chart window. Statistic charts provide a historical view of counts/rates/throughput, traffic patterns and burstiness in line chart format. A detailed description of this feature is provided in the Statistics Charting section.

Rates and percentage values are displayed under the following categories:

Current: The value recorded in the last second.

Average: The average value per second since statistics were last reset for the port.

Peak: The largest value recorded since statistics were reset for the port.

Table 15-1: Invalid Packets on Different Models

Model 5204: Byte counts include both valid and invalid packets. The byte counters increment when invalid packets are received, but packet counters do not.

Models 5236, 5273: Both network port filters and dynamic filters will include invalid packets in packet and byte counts before the packets are dropped prior to the Tool Port filter. Packets that contain an invalid 802.3 Length/Type field will pass through the network port but will not be counted in the packet statistics. These packets will not be passed to tools.

Models 5288, 5293: Both network port filters and dynamic filters will include invalid packets in packet and byte counts before the packets are dropped prior to the Tool Port filter. Packets that contain an invalid 802.3 Length/Type field will pass through the network port but will not be counted in the packet statistics. If Length is the only error, the packet will pass through the Tool Port. Other error packets will not be passed to tools.


Time Since Peak: The time in seconds since the Peak value was recorded.

Received Bits/Sec: A count of the bits received each second.

Passed Bits/Sec: A count of the bits that were allowed to pass through the port’s filter each second. Traffic is allowed to pass through the port based on the filter mode and criteria.

% Bytes Passed: The percentage of bytes that were allowed to pass through the port’s filter. Traffic is allowed to pass through the port based on the filter mode and criteria.

Received Pkts/Sec: A count of the packets received each second.

Passed Pkts/Sec: A count of the packets that were allowed to pass through the port’s filter each second. Traffic is allowed to pass through the port based on the filter mode and criteria.

% Pkts Passed: The percentage of packets that were allowed to pass through the port’s filter. Traffic is allowed to pass through the port based on the filter mode and criteria.

Utilization: Displays the percentage of available port bandwidth being used by incoming traffic.

Refresh

See “Features Common to All Statistics Pages” on page 267.

The Resume button is only available when traffic is paused. Clicking the Resume button restarts the update of statistics.

Reset

See “Features Common to All Statistics Pages” on page 267.

Note: Statistics are measured once per second by accurately counting a physical quantity such as bits, bytes or packets during that second and then representing that value in the appropriate format and units for display to the user.

Traffic patterns in actual networks may fluctuate on a timescale faster than the measurement period of the statistics (one second). When this occurs, it is important to understand the limitations of such one-second measurements.

The counts of bits, bytes or packets over a one second period (and cumulative statistics based directly on them) will always be correct. However, caution must be used when interpreting any statistic that indicates a "rate" such as bits per second or percentage load.

One-second rate statistics are essentially averages over a whole second. When traffic is bursty, and those bursts last less than one second, a portion of the one second measurement period will have a traffic intensity above the reported value. During the rest of the one second measurement period, the traffic intensity will be below the reported value.


Dynamic Filter Statistics

See Statistics for information on the various ways to view statistics. The filter statistics are described in detail below.

Figure 15-3. Dynamic Filter Statistics

Counts

Inspected: A total count of the Packets and/or Bytes that were inspected since dynamic filter statistics were last reset. Packet counts display under the Packets column, byte counts display under the Bytes column.

Passed: A total count of the Packets and/or Bytes that were allowed to pass through the dynamic filter since dynamic filter statistics were last reset. Packet counts display under the Packets column, byte counts display under the Bytes column. Traffic is allowed to pass through the dynamic filter based on the filter mode and criteria.

Rates/Percentages

Clicking the Chart icon displays a chart window. Statistic charts provide a historical view of counts/rates/throughput, traffic patterns and burstiness in line chart format. A detailed description of this feature is provided in the Statistics Charting section.

Rates and percentage values are displayed under the following categories:

Current: A display of the value recorded in the last second.

Average: A display of the average value per second since statistics were last reset for the dynamic filter.

Peak: A display of the largest value recorded in any single second since statistics were last reset for the dynamic filter. Note that since statistics are sampled once per second, peaks that occur between samples may be missed, and may be larger than what is actually reported.

Time Since Peak: The time in seconds since the Peak value was recorded.

Inspected Bits/Sec: A count of the inspected bits per second.

Passed Bits/Sec: A count of the bits per second that were allowed to pass through the dynamic filter.

% Bytes Passed: The percentage of bytes that were allowed to pass through the dynamic filter. Traffic is allowed to pass through the dynamic filter based on the filter mode and criteria.

Inspected Pkts/Sec: A count of the inspected packets per second.

Passed Pkts/Sec: A count of the packets per second that were allowed to pass through the dynamic filter.

% Pkts Passed: The percentage of packets that were allowed to pass through the dynamic filter. Traffic is allowed to pass through the dynamic filter based on the filter mode and criteria.

Refresh

See “Features Common to All Statistics Pages” on page 267.

The Resume button is only available when traffic is paused. Clicking the Resume button restarts the update of statistics.

Reset

See “Features Common to All Statistics Pages” on page 267.

Tool Port Statistics

See the Statistics section for information on the various ways to display statistics.

The tool port statistics are described in detail below.

Note that Dropped Packets is a very important statistical value that indicates when incoming traffic has exceeded the configured port rate. The most common cause of dropped packets is several network ports directing traffic to a tool port and exceeding the tool port capacity.
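The note on one-second rates under Network Port Statistics and the Dropped Packets remark above can be seen together in a small simulation. This is an added example, not Anue code: it models two network ports feeding one tool port, and the 1 ms time slots, line rates, buffer size and tail-drop queue are assumptions chosen for illustration, not NTO internals.

```python
"""Added example: what a one-second statistic hides when traffic is bursty.

All numbers (1 ms slots, line rates, buffer size) and the simple tail-drop
queue are assumptions made for illustration; they do not describe the NTO.
"""
from dataclasses import dataclass

SLOTS = 1000  # one second simulated as 1000 slots of 1 ms (assumption)


@dataclass
class SecondReport:
    offered_bits: int          # bits that arrived for the tool port
    transmitted_bits: int      # bits actually sent on to the tool
    dropped_bits: int          # bits discarded because the queue was full
    tx_utilization_pct: float  # one-second, "Transmit Utilization" style value
    peak_slot_load_pct: float  # worst 1 ms arrival intensity vs. line rate


def steady(bps):
    """A source that spreads its bits evenly over the whole second."""
    return [bps // SLOTS] * SLOTS


def bursty(bps, burst_ms):
    """Same bits per second as steady(bps), all sent in the first burst_ms."""
    return [bps // burst_ms] * burst_ms + [0] * (SLOTS - burst_ms)


def simulate_second(sources, tool_rate_bps, buffer_bits):
    """Aggregate several network-port sources onto one tool port for 1 s."""
    capacity = tool_rate_bps // SLOTS  # bits the tool port can send per slot
    queue = offered = sent = dropped = peak = 0
    for arrivals in zip(*sources):
        arriving = sum(arrivals)
        offered += arriving
        peak = max(peak, arriving)
        queue += arriving
        tx = min(queue, capacity)
        queue -= tx
        sent += tx
        if queue > buffer_bits:  # tail drop: anything beyond the buffer is lost
            dropped += queue - buffer_bits
            queue = buffer_bits
    return SecondReport(
        offered_bits=offered,
        transmitted_bits=sent,
        dropped_bits=dropped,
        tx_utilization_pct=round(100 * sent / tool_rate_bps, 1),
        peak_slot_load_pct=round(100 * peak / capacity, 1),
    )


TOOL_RATE = 1_000_000_000  # 1 Gb/s tool port (constructed value)
BUFFER = 8_000_000         # 8 Mbit of queue ahead of the tool port (assumed)


def smooth_case():
    """300 Mb/s + 200 Mb/s, both evenly spread: 50% average load."""
    return simulate_second(
        [steady(300_000_000), steady(200_000_000)], TOOL_RATE, BUFFER)


def bursty_case():
    """Same totals, but the 200 Mb/s source sends everything in 200 ms."""
    return simulate_second(
        [steady(300_000_000), bursty(200_000_000, 200)], TOOL_RATE, BUFFER)


if __name__ == "__main__":
    for name, report in (("steady", smooth_case()), ("bursty", bursty_case())):
        print(f"{name:6s} offered={report.offered_bits:>11,d} bits  "
              f"tx-util={report.tx_utilization_pct:5.1f}%  "
              f"peak-1ms-load={report.peak_slot_load_pct:5.1f}%  "
              f"dropped={report.dropped_bits:>10,d} bits")
```

With identical one-second totals, the steady case shows 50% utilization and no drops, while the bursty case shows 44.8% transmit utilization and still loses 52 Mbit. On a tool port feeding an IPS or capture device, the Dropped counter rather than the utilization figure is what reveals that the tool missed traffic.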


Figure 15-4. Tool Port Statistics

Counts

Inspected: A total count of the packets that were inspected since port statistics were last reset.

Passed: A total count of the packets that were passed by the tool port filter.

(Models 5236/5273 only) AFM tool port statistics include a total count of the packets that were passed by the tool port filter on to the AFM for advanced packet processing.

Transmitted: A total count of the Packets and Bytes that were transmitted since port statistics were last reset. Packet counts display under the Packets column, byte counts display under the Bytes column.

Dropped: A total count of the dropped packets since port statistics were last reset or the Reset Drops button was pressed.

Received Pause: A total count of the pause frames received from the device connected to the tool port.

Current rate: The rate of the inspected packets in the last second.

Average rate: The average rate of inspected packets since the last reset of the port statistics.

Drops

Dropped packet count: A total count of the dropped packets since port statistics were last reset or the Reset Drops button was pressed.

Time since last drop: The time in seconds since the last dropped packet. This value is reset when the port statistics are reset or the Reset Drops button is pressed.


Time since drops reset: The time in seconds since the Dropped Packets count was reset.

Reset by: Displays the Login ID of the last user who reset the port statistics.

Rates/Percentages

Clicking the Chart icon displays a chart window. Statistic charts provide a historical view of counts/rates/throughput, traffic patterns and burstiness in line chart format. A detailed description of this feature is provided in the Statistics Charting section.

Rates and percentage values are displayed under the following categories:

Current: A display of the value recorded in the last second.

Average: A display of the average value per second since statistics were last reset for the port.

Peak: A display of the largest value recorded in any single second since statistics were last reset for the port. Please note that since statistics are sampled once per second, peaks that occur between samples may be missed, and may be larger than what is actually reported.

Time Since Peak: The time in seconds since the Peak value was recorded.

Inspected Pkts/Sec: A count of the inspected packets per second.

Transmitted Pkts/Sec: A count of the transmitted packets per second.

Dropped Pkts/Sec: A count of the dropped packets per second.

% Pkts Passed: The percentage of packets that were allowed to pass through the port. Traffic is allowed to pass through the port based on the filter mode and criteria.

Transmitted Bits/Sec: A count of the transmitted bits per second.

Transmit Utilization: Displays the percentage of available port bandwidth being used to transmit traffic.

Refresh

See “Features Common to All Statistics Pages” on page 267.

The Resume button is only available when traffic is paused. Clicking the Resume button restarts the update of statistics.

Reset

See “Features Common to All Statistics Pages” on page 267.


Port Group Statistics

Network Interconnect Port Group Statistics

See the Statistics section for information on the various ways to display statistics.

The available Network Interconnect statistics are the same as the statistics provided for network ports except that the counts and rates/percentages values reported are for the combined traffic of all ports within the Interconnect. Note that the statistic charting feature is not available for Interconnects.

See Network Port Statistics for details on the reported statistics.

Refresh

See “Features Common to All Statistics Pages” on page 267.

Reset

See “Features Common to All Statistics Pages” on page 267.

Tool Interconnect Port Group Statistics

The available Tool ICPG statistics are the same as the statistics provided for tool ports except that the counts and rates/percentages values reported are for the combined traffic of all ports within the port group and that Load Balance Distribution statistics are provided. Note that the statistic charting feature is not available for port groups.


See Tool Port Statistics for details on the Counts and Rates/Percentages statistics. Load Balance Distribution statistics are described below.

Figure 15-5. Tool ICPG Statistics

Load Balance Distribution

View Distribution: Select whether to view how bytes or packets are distributed across the port group. If bytes are selected, then utilization is also displayed.

The following statistics are provided for each port when Transmitted Bytes/Utilization is selected:

Transmitted Bytes (cur): Of the total number of bytes transmitted out of the port group in the last second, this is the percent transmitted by this port.

Transmitted Bytes (avg): Of the total number of bytes transmitted out of the port group since statistics were last reset, this is the percent transmitted by this port.

Transmitted Utilization (cur): The network utilization of the traffic leaving this port in the last second.

Transmitted Utilization (avg): The average network utilization per second of the traffic leaving this port since statistics were last reset.


The following statistics are provided for each port when Inspected/Transmitted Packets is selected:

Inspected Packets (cur): Of the total number of packets inspected by the port group in the last second, this is the percent inspected by this port.

Inspected Packets (avg): Of the total number of packets inspected by the port group since statistics were last reset, this is the percent inspected by this port.

Transmitted Packets (cur): Of the total number of packets transmitted out of the port group in the last second, this is the percent transmitted by this port.

Transmitted Packets (avg): Of the total number of packets transmitted out of the port group since statistics were last reset, this is the percent transmitted by this port.

Bidirectional Interconnect Port Group Statistics

The available Bidirectional ICPG statistics are the combination of the statistics provided for Network ICPGs and Tool ICPGs. Note that the statistic charting feature is not available for port groups.

The statistics window has an Input Statistics tab that is equivalent to the Network ICPG Statistics window. See Network Interconnect Port Group Statistics for details about the Input Stats tab.

The statistics window has an Output Statistics tab that is equivalent to the Tool ICPG Statistics window. See Tool Interconnect Port Group Statistics for details about the Output Stats tab.


Figure 15-6. Bidi ICPG Statistics

Refresh

See “Features Common to All Statistics Pages” on page 267.

Reset

See “Features Common to All Statistics Pages” on page 267.


Statistics Charting

The port and dynamic filter statistics windows provide a charting feature. Statistic charts provide a historical view of counts/rates/throughput, traffic patterns and burstiness in line chart format.

To display the chart window:

1. Access the port or dynamic filter statistics (right click on the port/filter and select Statistics or hold down the Ctrl key and double click the port/filter).

2. Click the Chart icon.

The port or dynamic filter chart window will display.

Figure 15-7. Chart Network Port Statistics

Each section of the chart window will be described in detail below.


Information

The Information section displays instructions on how to view the charts and focus on a specific data point or period of time. These instructions are described in detail in the chart area section below.

Port or Filter Icon Image: See “Features Common to All Statistics Pages” on page 267.

Chart Area

The chart area for ports and dynamic filters is customized to the functionality of the port/filter. The other sections of the chart window are basically the same for ports and dynamic filters.

Here are some examples:

1. A network filter configured in the Pass All mode displays a Passed Packets per Second chart.

2. A network filter configured in the Deny All mode displays a Received Packets per Second chart.

3. A network filter configured in Pass by Criteria Mode displays a Received and Passed Packets per Second chart as shown in the figure below.

Let’s examine the chart below in detail.

The legend below the chart indicates that Received Packets per Second is represented with a green line. Passed Packets per Second is represented with a blue line and the Percent of Packets Passed per Second is represented by a cyan line.

Time is reflected along the x axis with date/time values displayed periodically along the axis. The most current data is displayed at the right side of the chart. The oldest visible data is displayed at the left side of the chart. As new values and timestamps are collected the axis scale changes accordingly and autoscales based on the range of values being plotted. Note that later in this document we will describe how the chart view can be dragged to view earlier data points.

The Packets/Sec values (Passed Packets per Second, Received Packets per Second) are against the left side y axis. The Pct Passed value (Percent of Packets Passed per Second) is plotted against the right side y axis.

Note: Data is charted only while the chart window is open. The charts will be cleared when the window is closed.


Packets/Bits: Click a radio button to select whether to chart the statistics data in units of packets or bits. The measurement values along the left and right side of the chart will change to represent packets or bits.

Selecting a Data Point

To focus on a specific data point, click on a location in any chart.

When a data point is selected, the Selected Sample section of the window provides detailed information about the data point as shown in the figures above.

Adjusting the Data Point Selection

To move the selection left or right to the next data point, hold the Ctrl key and use the left or right arrow key to move backward or forward in time.

Selecting a Period of Time (zoom feature)

Notice that two of the lines in the figure displayed in the last example are very close together. Zooming into a period of time provides greater detail and usually helps to view the lines separately in the chart.

To zoom in, click a point in the chart and drag the mouse to the left or right to highlight a section.


As shown in the top figure above, closely drawn lines are now much easier to read. “Zooming in” allows the user to clearly see the spikes in the charts and the selected samples.

To reset the zoom view and see the entire data range, click the Reset Zoom button in the Chart Ranges section or right click on the chart and select Reset Zoom from the menu list.

Saving, copying and printing charts

Right click on a chart to access options that allow you to Copy, Save and Print the chart. Charts are saved in PNG file format. The Print option displays a page setup window that allows customization of basic print parameters.

The entire chart window can be copied to the Windows clipboard by pressing the Alt -> PrtSc (print screen) or Fn -> PrtSc keys simultaneously.

The Reset Zoom option will also be available if the chart is in zoom mode.

Selected Sample

Time: When a sample is selected, a timestamp is displayed listing the ending second. This value is displayed as, “x” secs ending Month - Numeric Day of the Month, Year – Hour:Minute:Seconds – AM or PM – Time Zone. “x” equals the sample interval.

Passed Pkts/Sec: A count of the passed packets per second at the time of the selected packet.

Passed Bits/Sec: A count of the passed bits per second at the time of the selected packet.

FCS Error Pkts: A count of the Frame Check Sequence error packets at the time of the selected packet.

Align Error Pkts: A count of the alignment error packets at the time of the selected packet.

Fragment Pkts: A count of fragmented packets at the time of the selected packet.

Runt Pkts: A count of runt packets at the time of the selected packet.

Chart Refresh

Sample interval: The configured sample interval value for charts is displayed. Click the value to change the sample interval. The drop-down list provides options that range from 5 seconds to 5 minutes. Each interval option also indicates how long charting can take place before the oldest chart data must be discarded to make room for new chart data. For example the option “30 sec (max data range 15 hours)” indicates that a new data point will be added to the chart every 30 seconds and that statistics data can be charted at this sample interval, continuously, without data loss, for up to 15 hours.


Note that this value can also be configured on the Edit-> Options page. This value is separate from the refresh rate used in the tabular statistics windows.

Figure 15-8. Change Chart Sample Interval

Max data range: Displays the maximum data range that can be displayed on the chart at the configured sample interval.

Next sample in: Displays a value that counts down in seconds until the next sample will be added to the chart.

Chart Ranges

Data range: Displays the range of chart data (in hours and minutes) that has been stored and can be reviewed.

Begin: Displays the beginning date and time of the data range.

End: Displays the end date and time of the data range.

Visible Range: This value will equal the Data Range value unless a range of data has been selected or zoomed into. When zoom is in effect, this value (in hours and minutes) displays the range of data that is visible in the displayed chart. When zoom is in effect, this value is also highlighted in yellow to indicate that the visible range is a subset of the actual data range.

Begin: Displays the beginning date and time of the Visible data range.

End: Displays the end date and time of the Visible data range.

Reset Zoom (button): Click this button to reset the zoom mode. The chart will revert to displaying the maximum data range. The Visible Range, Begin (visible range) and End (visible range) values will be reset accordingly. The Reset Zoom button will be dimmed unless the user has zoomed in to an area of a chart.

Chart Reset

Clear: Clicking this button clears all data samples on the chart window. The charts become blank. The next data sample collected becomes the first sample plotted on the chart. Clearing the chart data does not clear the corresponding Statistics window, nor does it cause the statistics to be reset.

Clear Open: Clicking this button clears all data samples on all open chart windows. The behavior is the same as for the Clear function.


Tool Management View

The Tool Management View (right click on the tool port or port group for this option) displays several statistical values for the filters and network ports connected to a tool port or port group and provides a big picture view that helps to analyze port utilization and optimization.

This view can provide valuable data to answer questions such as:

■ Is a tool underutilized and can it be leveraged to monitor more SPANs/Taps?

■ Should the filter settings be adjusted to optimize tool coverage and performance?

■ Is a tool over utilized and should another tool be added?

The Tool Port Statistics provide summary information on the port’s utilization. The Breakdown by Data Source displays statistics and configuration information for the network ports and dynamic filters that are connected to the selected tool port or port group. This view is primarily used to see the amount of traffic the individual network ports and dynamic filters are delivering to the tool port or port group.

Figure 15-9. Tool Management View

View

Time Frame: Checkboxes are available for Current and Average. A checked box indicates that all statistics in the category are currently being displayed.

Units: Checkboxes are available for Packet and Bytes. A checked box indicates that all statistics in the category are currently being displayed.

Detail Level: A Brief and Verbose option can be selected for the view.


For example, the Filter Criteria field displays the type of criteria defined (i.e. VLAN) in brief mode but also displays the specific criteria value (i.e. VLAN 100-102) in verbose mode.

Export to CSV: The Export to CSV button exports the information displayed in the view to a comma separated value file (.csv).

Port or Filter Icon Image: The image is displayed in the upper right corner of this window, other windows associated with this port, and on the diagram. The image displays the same port/filter status and configuration information that is displayed on the icon in the diagram area.

Within any window that this icon is visible:

■ Double click on the icon image to open the port properties window.

■ Ctrl – double click on the icon image to open the port statistics window.

Tool Port Statistics

The Tool port statistics area provides statistics and configuration information for the selected tool port or port group.

When all the fields in the view are displayed, the following information is provided. Tool Port statistic definitions can be found in the Tool Port Statistics section.

■ Filter Mode

■ Filter Criteria

■ Tx Utilization (cur %)

■ Tx Utilization (avg %)

■ % Passed Pkts (cur)

■ % Passed Pkts (avg)

■ Inspected Pkts

■ Inspected Pkts/Sec (cur)

■ Inspected Pkts/Sec (avg)

■ Tx Pkts

■ Tx Pkts/Sec (cur)

■ Tx Pkts/Sec (avg)

■ Dropped Packets

■ Dropped Pkts/Sec (cur)

Time since last drop: Displays the amount of time that has transpired since the last packet drop.

Time since drops reset: Displays the amount of time that has transpired since the reset of drop or port statistics.

Clicking the Reset Drops button will reset the Dropped Packets Statistics.

Breakdown by Data Source

This area displays statistics and configuration information for the network ports and dynamic filters that are connected to the selected tool port or port group. This view is primarily used to see the amount of traffic the individual network ports and dynamic filters are delivering to the tool port or port group.

Network ports are listed in brown text. The dynamic filters that connect the network port to the tool port or port group are listed in black text and are indented below the network port.

When all fields in the view are displayed, the following information is provided. Network Port statistic definitions can be found in the Network Port Statistics section. Filter statistic definitions can be found in the Dynamic Filter Statistics section.

■ Network Port/Dynamic Filter

■ Filter Mode

■ Port/Filter Criteria

■ Rx Util (cur)

■ Rx Util (avg)

■ % Passed Pkts (cur)

■ % Passed Pkts (avg)

■ Rx/Inspected Pkts

■ Rx/Inspected Pkts/Sec (cur)

■ Rx/Inspected Pkts/Sec (avg)

■ Passed Pkts

■ Passed Pkts/Sec (cur)

■ Passed Pkts/Sec (avg)

■ Dynamic Filter Type

■ Overlaps With

■ Overlaps Inspected

Refresh

See “Features Common to All Statistics Pages” on page 267.

Reset

See “Features Common to All Statistics Pages” on page 267.

Overlapping Filter Criteria

Dynamic filters are optimized for topologies that require both aggregating traffic from multiple network ports to a single tool, as well as sharing traffic from a network port with multiple tools. Dynamic filters are recommended as the default filtering approach because nearly all users have both of these topology requirements.

The default dynamic filter uses a two-stage filtering approach. The first stage optimizes for aggregation capacity by pre-filtering traffic before aggregation. The purpose of the second stage post-filter is to inspect and resolve any overlapping filter criteria traffic. This is performed by inspecting the overlapping traffic from other filters attached to the shared network port. This post-filter can add traffic to the overall traffic load of a dynamic filter. The amount and source of this traffic can be seen in the Tool Management View. The overlap inspection traffic from filters connected to other tools is shown in italics in the Tool Management View (see example below).

Figure 15-10. Overlapping Filter Criteria

In the example above, the two filters are overlapping because they share a network port (SPAN 1) and their filter criteria overlap. Overlap occurs because some of the traffic received from the network port could possibly match both the “IPv4 Source Address” and the “MAC Destination Address” filters.

The Tool Management Breakdown by Data Source view of the Data Storage Tool port shows the MAC destination filter statistics (in italics) even though the MAC destination filter is not directly attached to the Data Storage tool port. This is because the MAC traffic from SPAN Port 1 is being inspected by the IPv4 Source second stage filter to resolve overlaps.
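The overlap described above can be reasoned about with a small model. This is an added example, not code from the guide or from the NTO itself: it is a simplified model of the two filters on SPAN 1, and the criteria values, the packets, the tool name "Tool B" and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple


class Packet(NamedTuple):
    src_ip: str
    dst_mac: str


@dataclass(frozen=True)
class DynamicFilter:
    name: str
    tool_port: str
    field: str   # "src_ip" (value is a CIDR) or "dst_mac" (value is a MAC)
    value: str

    def matches(self, pkt: Packet) -> bool:
        if self.field == "src_ip":
            return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.value)
        if self.field == "dst_mac":
            return pkt.dst_mac.lower() == self.value.lower()
        raise ValueError(f"unsupported field: {self.field}")


def criteria_can_overlap(a: DynamicFilter, b: DynamicFilter) -> bool:
    """True if a single packet could satisfy both filters' criteria."""
    if a.field != b.field:
        return True  # independent header fields: one packet can match both
    if a.field == "src_ip":
        return ipaddress.ip_network(a.value).overlaps(ipaddress.ip_network(b.value))
    return a.value.lower() == b.value.lower()


def breakdown_by_data_source(target, filters_on_port, packets):
    """Model the load seen by `target` from one shared network port.

    'passed' is the traffic matching the target's own criteria. For every
    other filter on the port whose criteria can overlap, 'overlap_inspected'
    records the traffic the target's second stage has to look at (the
    italic rows in the Tool Management View) and how much of it also
    matches the target.
    """
    result = {"passed": sum(target.matches(p) for p in packets),
              "overlap_inspected": {}}
    for other in filters_on_port:
        if other == target or not criteria_can_overlap(target, other):
            continue
        inspected = [p for p in packets if other.matches(p)]
        result["overlap_inspected"][other.name] = {
            "inspected": len(inspected),
            "also_matches_target": sum(target.matches(p) for p in inspected),
        }
    return result


# Constructed criteria (documentation address ranges, made-up MAC).
IPV4_FILTER = DynamicFilter("IPv4 Source Address", "Data Storage", "src_ip", "192.0.2.0/24")
MAC_FILTER = DynamicFilter("MAC Destination Address", "Tool B", "dst_mac", "00:11:22:33:44:55")
DISJOINT_FILTER = DynamicFilter("Other IPv4 Source", "Tool B", "src_ip", "203.0.113.0/24")
FILTERS_ON_SPAN1 = [IPV4_FILTER, MAC_FILTER]

# Constructed traffic received on SPAN 1.
SPAN1_PACKETS = [
    Packet("192.0.2.10", "00:11:22:33:44:55"),    # matches both filters
    Packet("192.0.2.11", "aa:bb:cc:00:00:01"),    # IPv4 source only
    Packet("198.51.100.7", "00:11:22:33:44:55"),  # MAC destination only
    Packet("198.51.100.8", "aa:bb:cc:00:00:02"),  # matches neither
    Packet("192.0.2.12", "00:11:22:33:44:55"),    # matches both filters
]

if __name__ == "__main__":
    for f in FILTERS_ON_SPAN1:
        print(f.tool_port, breakdown_by_data_source(f, FILTERS_ON_SPAN1, SPAN1_PACKETS))
```

Two filters on the same field with disjoint values (the two IPv4 source ranges here) cannot overlap, so they add no inspection load to each other.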


APPENDIX A

Software Upgrade and Port Allocation Procedures

The following information describes software upgrade and port allocation procedures.

Upgrade Procedures

The procedures to upgrade the NTO software and system license are described in the following topics.

License Update

To obtain a license key for additional ports and/or features, please contact Anue Systems Technical Support. For information about how to contact Anue Systems Technical Support, see “Technical Support” on page 11.

On the Version/License tab under the System View, click the Enter License Key button to upgrade the license key. Browse for the license key. Then click OK to install the key.

Tip: You may be able to use the same license file for more than one system. The license file covers all of the systems listed in the license, including all cold spare systems. The license is an ASCII file that can be opened with a text editor. The text displayed towards the top of the license file lists the systems to which the license pertains, including the cold spare systems. Cold spare licenses are part of this license file.


Figure A-1. Enter License Key Window

Cold Spare Upgrade

Cold spare NTOs ship with a Perpetual Maintenance license already installed on them. This license enables you to upgrade the cold spare NTO firmware to keep the cold spare current and ready to use if you need it. The Perpetual Maintenance license expires 15 years from the date of your cold spare purchase.

NTOs are shipped with a USB flash drive that contains a license file. This license file contains the license key for each of the active NTOs you purchased. The license file also includes a cold spare license for each of the cold spare NTOs you purchased. If an NTO goes down and you need to activate a cold spare NTO, the cold spare license is only valid for 60 days. You will need to contact support to arrange an RMA and obtain a new license key to replace the 60-day temporary cold spare license.

To activate your cold spare and RMA the inactive NTO:

1. Unbox and rack the cold spare NTO.

2. Upgrade the cold spare NTO firmware if it does not match that of your active NTO.

NOTE If you receive a license key prompt after powering up the unit the first time, the license key is located on the USB flash drive that was shipped in the same box as the NTO.

NOTE If you do not have a Perpetual Maintenance license for your current cold spare NTO, please contact Anue Support to obtain one ([email protected]).


3. Activate the cold spare license by installing the license file.

4. Return the defective NTO to Anue for RMA once you have received an RMA number from Anue Support.

A. Anue either fixes it or replaces it if it cannot be fixed.

B. Anue installs a new Perpetual License on the RMA NTO because it is now the cold spare NTO.

C. Anue sends the new cold spare NTO to you.

D. Anue Support issues you a new license including a new cold spare license.

5. Install the newly issued license on the activated cold spare NTO to restore production licensing.

NOTE The cold spare license is part of the license file contained on the USB flash drive that shipped with your NTOs.


Software Upgrade

The files required to upgrade the Anue NTO Server to the latest version of software will be provided by Anue Technical Support. You must be logged into the Anue NTO as a system administrator to perform a software upgrade. Upgrading will restart the NTO.

Important notes before upgrading:

1. All users should be logged out of the system before beginning the upgrade procedure. An administrator can view the accounts logged into the system in the Users view of the NTO control panel. The install procedure will also allow the System administrator to force logouts.

2. We recommend that the upgrade be done using a reliable high speed network connection between the Anue NTO management port and the PC running the Control Panel software. We do not recommend performing an upgrade across a wireless connection or over a VPN connection that does not guarantee symmetric upstream/downstream performance (an asymmetric link can result in very slow upload times to the NTO).

3. It will take approximately 7 minutes to upgrade the Anue NTO Server. The upgrade should be scheduled during a time when it is acceptable for the unit to be inaccessible to users for approximately 7 minutes.

4. The System setting for Login session timeout should be set to at least 10 minutes to allow the software upgrade to complete. Note: The timeout may need to be temporarily raised or set to “Never” during an upgrade cycle, especially if the network connection to the NTO management port is slow. After the upgrade is complete, change it back to your normal timeout setting. To see how to configure the Login session timeout, see “Login session timeout:” on page 169.

5. After upgrading (or downgrading) the software, a version mismatch error similar to the one shown below may occur after a login attempt.

Figure A-2. Version Mismatch Error

This problem can be resolved by clearing the Java cache. For more information on how to clear the Java cache, see How to clear the Java Cache.


Follow the procedure listed below to upgrade the system.

1. From the Version/License tab of the System View page, click the Install Software button.

Figure A-3. Install Software Button

2. An Installation File window will display. Navigate to the Net Tool Optimizer Install File provided by Anue Technical Support. Select the zip file then click the Install button.

A prompt will display indicating that new software will be installed and that the 52xx will be restarted after the upgrade. Click OK. The upgrade will take approximately 7 minutes.

Figure A-4. Install Verification Prompt

3. It is recommended that your configuration is exported before the installation begins. Click the Yes button to export the configuration.

Figure A-5. Export Configuration Prompt

The software upgrade procedure will now begin and the installation progress bar will display.


Figure A-6. Install Progress Bar

4. When the software upgrade has completed, a prompt will display indicating that the upgrade has been successful.

Figure A-7. Server Upgrade Complete

Note that the software upgrade can be undone by reverting to the last version of software that was running on the system. See the Software Downgrade section for details.

Software Downgrade

The NTO software can be downgraded to the last version of software that was running on the system before the current software was installed.

NOTE Only system administrators can downgrade the software to the last running version.

Topics include:

■ “Downgrade Using the GUI Control Panel” on page 297 — Recommended way to downgrade.

■ “5204/5236/5273 Downgrade Using the Front Panel LCD and Keypad” on page 299 — Alternate way to downgrade supported on specific NTO models.


Downgrade Using the GUI Control Panel

1. Log in to the NTO using an account with system administrator capability.

2. From the System View of the Anue NTO Control Panel click on the Version/License tab. Click on the Revert to (previously installed software version) button.

Important notes before reverting to earlier versions of software:

1. Reversion of the system software to an earlier version will disrupt service and log all users out of the system. It will take approximately 2 minutes for the reversion process to complete.

2. Any user that logged in to the NTO server while it was running the current version of software may need to clear their Java cache after the system software has been downgraded. For more information on how to clear the Java cache, see How to clear the Java Cache.

A version mismatch error, similar to the one shown below, may occur after a login attempt.

Figure A-8. Version Mismatch Error

This problem can be resolved by clearing the Java cache. For more information on how to clear the Java cache, see How to clear the Java Cache.

3. The downgrade will return the system to the last pre-upgrade configuration. Any changes that were made to the NTO database while running the current software version will be lost! The current configuration can be exported but it can only be imported into a system running the current software version or higher.


Figure A-9. Revert to (last software version)

3. The system administrator will then receive a message indicating that users who previously logged into the NTO server may need to clear the Java cache on their computer after the revert process has completed. For more information on how to clear the Java cache, see How to clear the Java Cache.

Figure A-10. Revert Confirmation Message

4. If users are currently logged in to the system, the system administrator will receive a message indicating their Login IDs. The system administrator will be given the option to abort the revert procedure or continue the revert procedure and automatically log the users out of the system.

5. Reversion to the previous software version may take 1-2 minutes.


5204/5236/5273 Downgrade Using the Front Panel LCD and Keypad

Follow the restart procedure listed below to downgrade the system software after an upgrade.

1. After a software upgrade, the NTO Welcome page will display a message indicating that the software has been updated.

Figure A-11. Software Updated Message

The message indicates that the software update will be complete after any user logs in to the NTO.

In this state, prior to a login by any user, the software upgrade can be undone.

2. Using the front panel LCD and keypad, restart the NTO two consecutive times to revert the system software.

A. Press the Up Arrow (▲) 1 time.

B. Display reads “7 Power Off”.

C. Press the Check Button (√).

D. Display reads “Power Off?, No Yes”.

E. Right Arrow (►) 1 time so that “Yes” is highlighted.

F. Press the Check Button (√).

G. Display reads “Shutting Down Finished”.

H. To power up: Press and hold the chassis keypad check button (√) for 1 second.

I. Wait for the power up to complete (the keypad/LCD will respond after power up).

J. Perform the procedure a 2nd time starting at step “1)”.

This procedure should only be used if the NTO Control Panel cannot be accessed. The Version/License tab of the System View in the control panel provides a “Revert to” option that allows the system software to be downgraded. For more information, see Software Downgrade.


How to clear the Java Cache

Clearing the operating system Java cache may be required after upgrading or downgrading the NTO software.

1. Click Start -> Control Panel.

2. Double-click the Java icon. The Java Control Panel will open.

Figure A-12. Java Control Panel

3. Under the Temporary Internet Files section of the window, click the Settings button. The Temporary Internet File Settings window will open.

Figure A-13. Delete Temporary Java Files


4. Click the “Delete Files…” button.

Figure A-14. Delete Temporary Files Confirmation

5. Click OK.

6. Continue to click OK until all of the previously opened windows are closed.

Port License Allocation

The NTO ships with a key that licenses a specific number of ports at specific speeds (1G, 10G). When the license key is first installed the licenses will be assigned to ports in a default manner, starting with the lowest numbered ports. They may then be re-assigned to other ports, as needed, to best fit the circumstances.

The NTO will automatically prevent invalid license assignments and restrict assignments to the number of licenses available. Valid license allocations are described below.

The license allocation settings can be exported and then imported into an NTO of the same model (e.g., 5236 to 5236, 5273 to 5273, etc.). License assignments are exported by default under the System settings of Full Backup and Traffic configuration exports.

NOTE When your NTO is upgraded from a pre-3.2 release to a 3.2 release or greater, the pre-3.2 licensed ports are preserved as the default license allocation. After the NTO has been upgraded to 3.2 or later, you have the ability to allocate the licenses to the physical ports on your NTO as best fits your network.


Default Port License Allocation

By default, the ports on new NTO units shipped from Anue Systems are allocated in the following manner:

Table A-1: Default Port License Allocation per Model

Models | Default Port Allocation

5204:

• 1G port licenses are assigned starting from physical port 1 in ascending order.

• Dual media port licenses are assigned to the physical copper and fiber ports 21-24.

• 1G and 10G expansion port licenses are assigned to the ports of expansion cards.

5236, 5273:

• 1G/10G port licenses are assigned starting from physical port 1 in ascending order.

• 1G port licenses are assigned after the 1G/10G physical ports in ascending order (for example, if the license key contains 5 10G SFP+ licenses and 5 1G SFP licenses, ports P01-P05 will be 10G and ports P06-P10 will be 1G).

• 1G copper port licenses are assigned to copper ports 21-24.

• 1G and 10G expansion port licenses are assigned to the ports of expansion cards.

5288, 5293:

• 40G QSFP+ licenses are assigned starting from physical port 1 in ascending order. The 40G QSFP+ license is valid for 40G ports. A 40G license can also be applied to 10G/1G ports but the 10G/1G port will still run at its maximum speed. (A 40G license applied to a 10G port wastes 30G.)

• 10G AFM SFP+ licenses are assigned first if you have them because the AFM ports that accept them cannot accept 1G licenses. These licenses are assigned starting from physical port 1 in ascending order.

• 10G SFP+ licenses are assigned starting from physical port 1 in ascending order.

• 1G SFP licenses are assigned after the 10G SFP+ licenses in ascending order (for example, if the license key contains 5 10G SFP+ licenses and 5 1G SFP licenses, ports PA01-PA05 will be 10G and ports PA06-PA10 will be 1G).


Possible Port License Allocations

Port licenses can be allocated as shown in the tables below. The indicated License Type can be allocated to the indicated Port Types.

Models 5288, 5293: These models have three types of licenses, 40G QSFP+, 10G SFP+ and 1G SFP, which can be assigned to any port.

Note: Unlike other 52xx models, licenses on Models 5288/5293 can "float" across port modules. For example, on a system with 2 port modules, but only 8 licenses, those licenses can be allocated across the 2 port modules in any combination.

Models 5288, 5293: The 10G AFM SFP+ module has two types of licenses. This module can use the same 10G SFP+ floating license used for the 10G SFP+ I/O module. It can also use a 10G AFM license, which cannot float. The 10G AFM license is tied to a specific 10G AFM SFP+ module.

Models 5204, 5236, 5273: 1G and 10G expansion port licenses are assigned to the ports of expansion cards. Expansion port licenses do not “float”; they cannot be allocated to other port types.

License Type | Port Types

5204 1G Copper | Copper ports; Copper or fiber dual media ports

5204 Dual Media | Copper or fiber dual media ports; Copper ports

5236/5273 1G Copper | Copper ports; SFP+ ports limited to 1G

5236/5273 1G SFP | SFP+ ports limited to 1G

5236/5273 1G/10G SFP+ | SFP+ ports running at 1G or 10G

5288/5293 1G Copper | Copper ports; SFP+ ports limited to 1G


Using the NTO Control Panel to Allocate Ports

To allocate port licenses, select the System View and then click the Version/License tab. Click Allocate Licenses.

The License Allocation table will display as shown below.

Figure A-15 shows the License Allocation table for models 5204, 5236, and 5273.

License Type | Port Types (continued)

5288/5293 1G SFP | SFP+ ports limited to 1G; Copper ports

5288/5293 1G/10G SFP+ | SFP+ ports running at 1G or 10G; Copper ports

5288/5293 10G AFM SFP+ | AFM SFP+ ports running at 10G

5288/5293 40G QSFP+ | SFP+ ports running at 1G, 10G, or 40G; Copper ports


Figure A-15. Model 5204/5236/5273 License Allocation Table

Figure A-16 shows the License Allocation table for models 5288 and 5293. The current floating licenses and unused floating licenses are displayed.


Figure A-16. Models 5288/5293 Asset Allocation Table

To reassign licenses, select a license in the License Type column. Cut (ctrl-x) the license from its port and paste (ctrl-v) on another to swap the licenses.

For example, in the figures below the license assigned to port 4 (P04) has been re-assigned to port 10 (P10).
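The default allocation order and the cut-and-paste swap for models 5236/5273 can be modelled as follows. This is an added example, not Anue code: the function names are hypothetical and the port layout (P01-P20 as SFP+ ports) is an assumption made only for the example. The copper ports 21-24 and the allowed license-to-port pairings are taken from the text and tables above.

```python
SFP_PLUS, COPPER = "SFP+", "copper"

# License type -> port types it may be allocated to
# (the 5236/5273 rows of the License Type / Port Types table).
ALLOWED_PORT_TYPES = {
    "1G Copper": {COPPER, SFP_PLUS},   # an SFP+ port is then limited to 1G
    "1G SFP": {SFP_PLUS},
    "1G/10G SFP+": {SFP_PLUS},
}

# Assumed layout for this example only: P01-P20 SFP+, P21-P24 copper.
LAYOUT = {f"P{n:02d}": (COPPER if n >= 21 else SFP_PLUS) for n in range(1, 25)}


def default_allocation(license_counts, layout=LAYOUT):
    """Assign licenses in the default order described for models 5236/5273."""
    alloc = {port: None for port in layout}
    sfp_ports = [p for p in sorted(layout) if layout[p] == SFP_PLUS]
    copper_ports = [p for p in sorted(layout) if layout[p] == COPPER]
    # 1G/10G licenses start at the lowest port; 1G SFP licenses follow them.
    sfp_licenses = (["1G/10G SFP+"] * license_counts.get("1G/10G SFP+", 0)
                    + ["1G SFP"] * license_counts.get("1G SFP", 0))
    copper_licenses = ["1G Copper"] * license_counts.get("1G Copper", 0)
    for ports, licenses in ((sfp_ports, sfp_licenses),
                            (copper_ports, copper_licenses)):
        if len(licenses) > len(ports):
            raise ValueError("more licenses than ports of that type")
        for port, lic in zip(ports, licenses):
            alloc[port] = lic
    return alloc


def swap_licenses(alloc, port_a, port_b, layout=LAYOUT):
    """Cut the license from port_a and paste it on port_b, swapping the two.

    Returns a new allocation. Raises ValueError when either license would
    land on a port type it cannot be allocated to, which mirrors the
    statement that invalid assignments are prevented. The number of
    licenses of each type is unchanged by a swap.
    """
    for lic, dest in ((alloc[port_a], port_b), (alloc[port_b], port_a)):
        if lic is not None and layout[dest] not in ALLOWED_PORT_TYPES[lic]:
            raise ValueError(
                f"{lic} license cannot be allocated to {layout[dest]} port {dest}")
    new_alloc = dict(alloc)
    new_alloc[port_a], new_alloc[port_b] = alloc[port_b], alloc[port_a]
    return new_alloc


def swap_is_valid(alloc, port_a, port_b, layout=LAYOUT):
    """Convenience wrapper: True if the swap would be accepted."""
    try:
        swap_licenses(alloc, port_a, port_b, layout)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The guide's example key: 5 10G SFP+ licenses and 5 1G SFP licenses
    # (2 copper licenses added here as a constructed value).
    alloc = default_allocation({"1G/10G SFP+": 5, "1G SFP": 5, "1G Copper": 2})
    moved = swap_licenses(alloc, "P04", "P10")
    print(moved["P04"], "|", moved["P10"])
    print("P01 <-> P21 allowed:", swap_is_valid(alloc, "P01", "P21"))
```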


APPENDIX B

5204/5236/5273 Front Panel LCD Menu Reference

This information describes the front panel LCD menu and functions.

Front Panel LCD and Keypad

The front panel LCD and keypad can be used to configure Anue NTO server parameters and check the status of the NTO and its ports.

Figure B-1. LCD and Keypad

Reading the LCD

The options that are available in the LCD menu are described in the tables below.

An example of how to read the table can be illustrated by reading the 1st entry in the table, “1 Anue 52xx | Mgmt Port Status”. This line describes the default display of the Anue NTO which is the product name and status of the System/Ethernet management port.

1st line on the LCD: 1 Anue 52xx
2nd line on the LCD: Status
Notes: Home | System/Mgmt port status

1st line on the LCD: 2 SW Version
2nd line on the LCD: e.g. 2.2.x.x
Notes: Software version information

Example of the LCD display when the management Ethernet port is up:

1 Anue 5236
Status:Normal


Example of the LCD display when the management Ethernet port is down:

1 Anue 5236
Mgmt port down

The complete listing of the LCD menu options is provided in the tables below.

Navigating the LCD Menu Using the Keypad

The LCD displays a diagram of the NTO keypad to assist with menu navigation. The arrows in the diagram that blink indicate the arrow buttons that can be pressed to navigate the menu options. The arrows in the diagram that do not blink cannot be pressed for menu navigation.

To navigate down the menu, use the down key (▼). For example, press it to navigate from 1 “Anue 52xx | Status” to 2 “SW Version | main”.

To access an option that is indented in the table, press the right arrow key (►). For example, to navigate from “2 SW Version | main” to “2a Build Num | xxxxx” press the right arrow key (►).

To access an option that is a level above an indented item, press the left arrow key (◄). For example, to navigate from “2a Build Num | 32587m” to 3 “System | Configuration” press the left arrow key (◄) and then the up arrow key (▲).

NOTE When system alarms are present, the LCD will blink and display an alarm warning. The blinking message will indicate Major Alarm or Minor Alarm depending on the highest severity. Pressing the right arrow key on the LCD keypad will provide a set of menu items related to the alarm. Press the up/down arrow keys to view all current alarms.

2 SW Version | main

2a Build Num | 32587M

Note: Some of the values displayed in the table are specific to the software version installed on your Anue NTO. The menu on your system may display different values than the values shown below.


See the information below for an example of how to use the keypad and LCD to change the NTO management port IP address.

To configure the IP address and associated settings using the front panel controls and LCD, follow the instructions below.

1. Down Arrow (▼) 2 times.

2. Display reads “3 System Configuration”.

3. Right Arrow (►) 1 time.

4. Display reads “3a IP Config”

5. Press the check button (√).

6. Display reads “Set IP Addr” (The current IP address is displayed).

7. Use the left or right (◄►) arrows to move to the number that needs to be changed. Up arrow (▲) to increment the value, press the down arrow (▼) to decrement the value. Repeat the process until the address is configured. Press the check button (√) to save the changes.

8. Display reads “Set Netmask” (The current netmask is displayed).

9. Follow the steps described in Step 7 to configure the Netmask.

10. Display reads “Set Gateway” (The current gateway is displayed).

11. Follow the steps described in Step 7 to configure the gateway.

12. Display reads “Restarting please wait”. The system will take approximately 1 minute to restart.

13. Display reads “1 Anue 52xx Status:Normal” when the restart is complete and the new IP address has been configured.

LCD menu excerpt:

2 SW Version | main

2a Build Num | 32587M

2b Build Date | 20081002-095147

3 System | Configuration

Resetting the Admin Password from the LCD Menu

The default Admin password can be reset using the front panel controls if the LCD admin password reset feature is enabled on the System page. Note that this feature is enabled by default.

If the admin account password is lost and cannot be reset, the Anue NTO must be returned to Anue Systems to be reset.

Follow this procedure to reset the admin (default Admin) password:

1. Down Arrow (▼) 3 times.

2. Display reads “3 System Configuration”.

3. Right Arrow (►) 1 time.

4. Down Arrow (▼) 3 times.

5. Display reads “3d Reset Admin Password”.

6. Press the check button (√) to enter edit mode.

7. Display reads “Enter Key”.

8. Enter the last 8 digits of the unit serial number. For example, serial number 52xx-00001234 will be entered as “00001234.” The unit serial number is located on the rear of the unit.

Press the Down arrow (▼) to decrement the value, press the Up arrow (▲) to increment the value. Use the right arrow (►) to move to the next number field. Use the left arrow (◄) to move backwards and modify a number field.

9. Press the check button (√) to reset the admin password.

The LCD display will return to “3d Reset Admin Password” when the reset is successful. If an incorrect value is entered the LCD will display “Error: Invalid Key”.


APPENDIX C

Packet Processing Features

This section describes NTO features that modify (process) the incoming network packets in some way. Some packet processing features are standard, meaning they are available on all ports, and some are advanced, meaning they are only available on ports provided by an Advanced Feature Module (AFM). There are two types of AFM:

■ AFM2: 5236/5273 AFM, 2-port, with 1G (SFP) and 10G (SFP+) speeds

■ AFM16: 5288 AFM, 16-port, with 10G (SFP+) speed

Many of the features are the same for both types of AFM. Where the features differ, the model number will be called out in the feature descriptions.

Packet processing features are configured on the Packet Processing tab in the Edit Network (or Tool) Port dialog. Enable a feature by checking the appropriate box and configuring any settings for that feature.

CAUTION

Please follow the steps below before you install either an AFM16, a GPS control module, or both, in an NTO 5288 running software release 3.6 or older:

1. Upgrade the software to version 3.7 or newer.

2. Power down the system.

3. Install the new module(s).

4. Restart the system.

During the restart in step 4 and only that restart, the system will go through an additional firmware upgrade. During the firmware upgrade, the LEDs on the port modules will show a "chase" sequence where the LEDs light up on each port in succession until the firmware upgrade is done, which is approximately 10 minutes.

It is VERY important that you do NOT cycle power or power down the NTO during the firmware upgrade process.

Systems manufactured with release 3.7 or later do not need to go through the firmware upgrade procedure described above.


Standard Packet Processing Features

Standard packet processing features are available on all ports (network and tool, AFM and non-AFM) for all NTO models except the 5204.

As of this writing, VLAN stripping is the only supported standard packet processing feature.

Standard VLAN Stripping

The standard VLAN stripping feature allows you to strip VLAN tags from network packets before they get to your monitoring tools. This allows monitoring tools that don’t handle VLAN tags well to operate more efficiently. You can strip VLAN tags on the network port side, as packets first arrive at the NTO, or on the tool port side prior to egress. VLAN stripping can be enabled on a port-by-port basis.

NTO ports can strip both outer and inner VLAN tags. You can strip up to two (2) VLAN tags per packet. Only the first two tags are stripped by this feature.

When VLAN stripping is enabled on a network port, the VLAN tags are stripped after the network port filter. This means that the network port filters will be able to match on the VLAN tags but downstream dynamic filters and tool port filters will not.

If you do not want particular dynamic filters or tool ports to receive VLAN tags, you must enable VLAN stripping on all network ports feeding those dynamic filters and tool ports.

When VLAN stripping is enabled on a tool port the VLAN tags are stripped after the tool port filter.

When VLAN stripping is enabled on a bidirectional port group, it is enabled on both the network and tool sides of the port group.

When packets with VLAN headers are successfully stripped, the resulting packet length and CRC will be updated to correspond to the modified packet.

NOTE Even though VLAN tags that are stripped at ingress are not visible to downstream dynamic and tool port filters, the bytes represented by those tags are still included in the filter byte counts.

The VLAN Tag Protocol Identifier (TPID)

The Tag Protocol Identifier is a 16-bit field at the beginning of a VLAN tag that is used to distinguish the VLAN tag from an Ethertype. To operate correctly, the VLAN stripping feature requires that the TPID be a recognized value. The following table lists the supported TPID values in order for VLAN stripping to work at network and tool ports:

Table C-1: Supported TPID Values for VLAN Stripping

Port Type | VLAN Tag Type | Supported TPIDs
--- | --- | ---
Network | Outer | 0x8100, 0x9100, 0x88A8 (5288/5293 only)
Network | Inner | 0x8100
Tool | Outer | 0x8100
Tool | Inner | 0x8100

Note that for double-tagged packets, the NTO will only strip the inner tag if the TPID of that tag is 0x8100.

NOTE One bit in the VLAN header represents the Canonical Format Indicator (CFI). On the 5236/5273, if this bit is not 0 the NTO will drop the packet when VLAN stripping is enabled.

Advanced Packet Processing Features

Advanced packet processing features are available on the ports of an NTO Advanced Feature Module (AFM). For the 5236/5273, the AFM2 is an optional, 2-port expansion card that fits into one of the two expansion slots on the back of the unit. For the 5288, the AFM16 is an optional, 16-port expansion card that fits into one of the four expansion slots on the front of the unit. The AFM provides the ability to groom and buffer packets, which can increase both the efficiency and effectiveness of your monitoring tools. Installation of the AFM expansion module, and the appropriate license, will provide the following features for the AFM ports:

■ VNTag Stripping (5288 only): Allows you to remove VNTag headers from packets to expose tunneled IP traffic enabling you to use widely available tools to analyze it.

■ GTP or MPLS Stripping: Allows you to remove the tunnel headers from packets to expose the tunneled packets to the NTO filters and your monitoring tools. This feature provides the following benefits, among others:

– Allows layer 3 and layer 4 filtering on the tunneled headers.

– Improves tool bandwidth by stripping unneeded headers.

– Allows processing by tools that don’t recognize the stripped headers.

■ De-duplication: Improves tool bandwidth by removing redundant packets before they reach monitoring tools. While some tools are able to detect and remove duplicate packets, this consumes processor resources on the tools.

■ Packet Trimming: Improves tool bandwidth by trimming bytes from packets before delivering them to the tools. The ability to eliminate payload information before delivering packets to tools may also help with security compliance.

■ Timestamping (5288 only): Available on network (ingress) ports, the timestamping feature adds custom packet trailers containing arrival times. This feature can be used to provide packet timing data to latency-sensitive tools for accurate analysis without compromising access for other network monitoring tools. Note that packets arriving with timestamps keep their timestamps. This feature appends a trailer that contains a timestamp.

■ Trailer Stripping (5288 only): Available on any AFM tool (egress) port or the tool side of a bidirectional port group, this feature allows you to strip timestamping trailers appended to packets. This feature is useful in cases where the incoming packets need to be timestamped, but not all tools receiving those packets can handle the timestamping trailer.

■ Extended Burst Protection (5236/5273 1G tool port only): Short bursts of network traffic can exceed the queuing resources of an NTO 1G tool port and lead to dropped packets. This feature allows a 5236/5273 AFM tool port to buffer up to 200 MB of traffic. Buffering occurs when traffic bursts above the 1G line rate.

VNTag Stripping (5288 only)

This feature allows you to strip virtual network tag (VNTag) headers from packets. You can do this on network (ingress) ports, tool (egress) ports, and bidirectional port groups. By stripping the VNTag headers, you can make it easier for tools that don’t recognize those headers to process packets.

NOTE If stripping or trimming results in a packet less than 64 bytes in length, the end of the packet will be padded with zeroes up to 64 bytes.

After GTP or MPLS stripping, if the L3 header is IPv4, then the Ethertype will be changed to 0x0800. If the L3 header is IPv6, then the Ethertype will be changed to 0x86DD.

NOTE For bidirectional port groups, you must select one side or the other on which advanced packet processing features are to take place, either network (ingress) or tool (egress). In the Ports view and the Port Groups view, columns show whether advanced features are enabled for a particular port or port group.

NOTE You can combine VNTag with either GTP or MPLS stripping, although GTP and MPLS stripping are mutually exclusive.


GTP Stripping

This feature allows you to strip the outer IP, UDP, and GTP headers from a GTP-U packet, leaving the inner, tunneled L3 and L4 headers exposed. This allows filters to match on fields in the inner headers and provides tools easier visibility to the tunneled packets.

The following diagram illustrates packets of this type.

The green headers in the diagram are the ones that will be stripped; the grey headers are the ones that remain after stripping. The CRC will be recalculated after stripping.

The outer and inner IP headers can be either IPv4 or IPv6, in any combination. For example, it is possible to have an IPv6 packet tunneled inside an IPv4 packet.

After stripping, the Ethertype field in the Ethernet header will be updated to match the tunneled IP header.
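The GTP stripping behaviour described above, modelled offline as an added example (not Anue code): it removes the outer IP, UDP and GTP headers from an untagged GTP-U frame, rewrites the Ethertype to match the tunneled IP header, pads short results to 64 bytes and recomputes the FCS. The function names, the constructed sample frame and the use of UDP port 2152 to recognise GTP-U are assumptions of this example, not details from the guide.

```python
import struct
import zlib

GTPU_PORT = 2152                  # registered GTP-U UDP port (protocol fact, not from the guide)
ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
MIN_NO_FCS = 60                   # 64-byte minimum frame minus the 4-byte FCS


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of the frame, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def gtp_payload_offset(body: bytes) -> int:
    """Offset of the tunneled IP header in an untagged GTP-U frame, or -1."""
    etype = struct.unpack_from("!H", body, 12)[0]
    off = 14
    if etype == ETH_IPV4 and body[off + 9] == 17:      # outer IPv4 carrying UDP
        off += (body[off] & 0x0F) * 4
    elif etype == ETH_IPV6 and body[off + 6] == 17:    # outer IPv6, UDP as next header
        off += 40
    else:
        return -1
    if struct.unpack_from("!H", body, off + 2)[0] != GTPU_PORT:
        return -1
    off += 8                                           # UDP header
    flags, msg_type = body[off], body[off + 1]
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != 0xFF:
        return -1                                      # only GTPv1 G-PDUs carry user packets
    off += 8                                           # mandatory GTP header
    if flags & 0x07:                                   # E, S or PN set: 4 optional bytes
        next_ext = body[off + 3] if flags & 0x04 else 0
        off += 4
        while next_ext:                                # walk the extension header chain
            ext_len = body[off] * 4
            if ext_len == 0:
                return -1
            next_ext = body[off + ext_len - 1]
            off += ext_len
    return off if body[off] >> 4 in (4, 6) else -1


def strip_gtp(frame: bytes) -> bytes:
    """Strip the tunnel headers from `frame` (FCS included); other frames pass unchanged."""
    body = frame[:-4]
    try:
        off = gtp_payload_offset(body)
    except (IndexError, struct.error):                 # truncated or malformed frame
        off = -1
    if off < 0:
        return frame
    inner_type = ETH_IPV4 if body[off] >> 4 == 4 else ETH_IPV6
    out = body[:12] + struct.pack("!H", inner_type) + body[off:]
    out = out.ljust(MIN_NO_FCS, b"\x00")               # zero padding up to 64 bytes with FCS
    return out + fcs(out)


def sample_gtpu_frame(inner: bytes, gtp_flags: int = 0x30) -> bytes:
    """Constructed test frame: Ethernet / IPv4 / UDP / GTP-U / inner packet / FCS."""
    opt = bytes(4) if gtp_flags & 0x07 else b""
    gtp = struct.pack("!BBHI", gtp_flags, 0xFF, len(opt) + len(inner), 0x1234) + opt
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp) + len(inner), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(gtp) + len(inner),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    body = (bytes(6) + bytes([2, 0, 0, 0, 0, 1]) + struct.pack("!H", ETH_IPV4)
            + ip + udp + gtp + inner)
    return body + fcs(body)
```
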

NOTE GTP and MPLS Stripping are mutually exclusive. If you enable GTP Stripping when MPLS Stripping is already enabled, you will be asked to disable MPLS Stripping.

MPLS Stripping

This feature allows you to strip up to 8 MPLS labels from MPLS packets, leaving the inner, tunneled L2, L3, and L4 headers exposed. This allows filters to match on fields in the inner headers and provides tools easier visibility to the tunneled packets.

In order to recognize the labels and the tunneled headers, the NTO needs to know whether the MPLS packets coming into a particular network port represent an L2 VPN tunnel or an L3 VPN tunnel. If it is an L2 VPN tunnel, the NTO also needs to know whether the pseudowire control word is present. These tunnels are described in more detail below. In the diagrams below, the green headers are the ones that will be stripped; the grey headers are the ones that remain after stripping. The CRC will be recalculated.

L2 VPN with Pseudowire Control Words

These are packets where the last (or bottom) MPLS header is followed by a pseudowire control word (the first nibble is 0) and an L2 (MAC) header:

L2 VPN without Pseudowire Control Words

L2 VPN packets without pseudowire control words are packets where the last (or bottom) MPLS header is followed immediately by an L2 (MAC) header, with no intervening pseudowire control word:

L3 VPN

L3 VPN packets are packets where the last (or bottom) MPLS header is followed immediately by an L3 header:

NOTE • If there is a mismatch between the service type selected in the NTO and the service type of the actual MPLS packets, the packets are likely to be corrupted by the AFM, and it is not always possible for the NTO to report that this has occurred. A packet corrupted in this manner, when detected, will display in the port statistics as an invalid packet. Detection of corrupted packets due to a mismatch of MPLS stripping options and actual MPLS traffic is best effort.

• Based on the difference in packet structures, if the traffic on a network port includes a mixture of L2 VPN without a pseudowire control word and L3 VPN MPLS packets, MPLS stripping will result in some corrupted packets.

• Since MPLS and GTP Stripping are mutually exclusive, if you enable MPLS Stripping when GTP Stripping is already enabled, you will be asked to disable GTP Stripping.

De-duplication

Duplicate packets are the result of certain network topologies and configurations of SPAN ports. The De-duplication feature removes duplicate packets from the data stream. The default settings remove all exact duplicates that occur within 500 microseconds of the first occurrence. The window of time in which all identical arriving packets are removed is adjustable from 5 to 500 microseconds for a 10G port, and 5 to 5,000 microseconds for a 1G port. In the event an identical packet arrives outside this window, it will be considered unique, and a new window is begun.

Duplicates that arise from spanning both the switch receive (Rx) and transmit (Tx) ports are typically bit-for-bit, exact duplicates. In some network configurations, duplicate payloads may have slightly different headers. For example, packets sampled before and after traversing a router could have different MAC addresses, times-to-live, and flags, even though their payloads may be the same. These could be counted as duplicates if the headers through Layer 3 were ignored. The de-duplication feature provides this option of ignoring header information if desired.

Ignoring header information is useful when the same payload passes through different network elements, and the header information is changed. When specific headers are ignored (for example, MAC and VLAN), only the content in these headers is ignored. Thus, the impact of lower layer changes on upper layers should be kept in mind when selecting what to ignore.

For example, a MAC header may change as a packet traverses a router. In this case, while the MAC header is ignored, the time to live (TTL) will change. For this situation, the user would want to also ignore all packet headers up through L3.

Another example would be when ignoring L3, and a packet passes through a Network Address Translation element. While the changing IP address will be ignored, TCP and UDP packets would be considered unique because their respective checksums include the IP addresses in the calculation.

De-duplication is available both on a per-port and a per-port group basis. The only difference in AFM functionality between a port and a port group is in the option to ignore header information while de-duplicating. On the tool side of any port group, the user cannot ignore header information while de-duplicating. It is disabled in these cases because it would affect load balancing.

The tool/load balance port group restriction does not apply to network interconnect groups, or to bidirectional interconnect groups. In the case of a bidirectional interconnect group, de-duplication may be done on the ingress side of each link, where it is possible to ignore headers.

NOTE The last 4 bytes of the CRC are always ignored when determining duplicates.

NOTE De-duplication will occur only within the data stream on a single port, regardless of whether that port is in a port group. Duplicate packets arriving on separate ports in the same port group will not be detected as duplicates.
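The window and header-ignoring rules above, as an added example rather than the NTO's own implementation: one de-duplicator per port, a window that opens at the first occurrence, the last 4 bytes always excluded, and an optional run of leading header bytes left out of the comparison. `ignore_bytes` stands in for the header selection as a byte offset, which is an assumption here, and the sample frames are constructed with placeholder checksum bytes.

```python
import hashlib

WINDOW_LIMIT_US = {"10G": 500, "1G": 5000}     # upper bounds given in the text


class PortDeduplicator:
    """De-duplication state for one port (duplicates are only detected per port)."""

    def __init__(self, window_us: int = 500, ignore_bytes: int = 0, speed: str = "10G"):
        if not 5 <= window_us <= WINDOW_LIMIT_US[speed]:
            raise ValueError("window outside the range allowed for this port speed")
        self.window_us = window_us
        self.ignore_bytes = ignore_bytes       # leading header bytes left out of the match
        self._window_start = {}                # digest -> arrival time (us) that opened it

    def accept(self, t_us: int, frame: bytes) -> bool:
        """Return True to forward the frame, False to drop it as a duplicate.

        Arrival times are expected in non-decreasing order.
        """
        # Close every window that has run out; a later identical frame is unique again.
        expired = [k for k, t0 in self._window_start.items()
                   if t_us - t0 > self.window_us]
        for k in expired:
            del self._window_start[k]
        # The last 4 bytes (CRC) never take part in the comparison.
        key = hashlib.sha256(frame[self.ignore_bytes:-4]).digest()
        if key in self._window_start:
            return False
        self._window_start[key] = t_us         # first occurrence opens a new window
        return True


def sample_frame(mac_src=b"\x02\x00\x00\x00\x00\x01", ttl=64, ip_cksum=b"\xaa\xbb",
                 ip_src=bytes([192, 0, 2, 1]), udp_cksum=b"\x56\x78") -> bytes:
    """Constructed Ethernet/IPv4/UDP frame; checksum bytes are placeholders, not computed."""
    eth = bytes(6) + mac_src + b"\x08\x00"                                    # 14 bytes
    ip = (bytes([0x45, 0, 0, 48, 0, 0, 0, 0, ttl, 17]) + ip_cksum
          + ip_src + bytes([192, 0, 2, 9]))                                   # 20 bytes
    udp = bytes([0x13, 0x88, 0x13, 0x88, 0, 28]) + udp_cksum                  # 8 bytes
    return eth + ip + udp + b"constructed payload!" + bytes(4)


# The same payload seen before and after a router hop: MAC, TTL and IP checksum differ.
BEFORE_ROUTER = sample_frame()
AFTER_ROUTER = sample_frame(mac_src=b"\x02\x00\x00\x00\x00\x02", ttl=63, ip_cksum=b"\xab\xbb")
# The same payload after address translation: the UDP checksum changes with the address.
AFTER_NAT = sample_frame(ip_src=bytes([198, 51, 100, 7]), ip_cksum=b"\x11\x22",
                         udp_cksum=b"\x12\x34")
```

With `ignore_bytes=14` (MAC only) the router-hop pair is still treated as unique, with `ignore_bytes=34` (through an option-less IPv4 header) it is de-duplicated, and the translated packet stays unique either way because the UDP header still differs.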


Packet Trimming

Packet Trimming allows bytes to be trimmed from packets before they are delivered to tools. The trim function will retain wanted headers, plus an optional number of the packet bytes after that. The headers that can be retained are:

■ MAC

■ MAC and VLAN

■ MAC, VLAN and MPLS

■ MAC, VLAN, MPLS, and L3

In all cases, the Ethernet FCS/CRC value will be re-calculated. Other header information is not modified, such as the L3 packet length value when L3 is retained.

Depending on the selected header information and the number of additional bytes retained, the result could be less than 64 bytes. In these cases, after trimming to the selected headers, the remainder of the packet will be padded with zeros, and a correct FCS will be added to obtain a valid 64-byte packet.

The valid range for the number of bytes retained after the selected headers is 0 – 16342 bytes.

NOTE You should be aware of the expected traffic on the links when configuring the trimming settings in order to avoid creating invalid packets that may be dropped within the NTO or the downstream device. For example, if MAC Plus the next 0 bytes is selected and VLAN tagged traffic is received, then the VLAN tags will be truncated, resulting in invalid packets. MAC and VLAN should be selected instead if VLAN tags are expected on the link.

Below are some examples of packet trimming and its results.

Packet Trimming Example 1

The original packet is 1518 bytes: MAC, QinQ (2 VLANs), 2 MPLS labels, IPv4, TCP, Payload, and FCS.

Select to retain the MAC and VLAN plus the next 0 bytes.

After trimming, and in this case padding, the 64-byte packet consists of MAC DST/SRC/Type (14 bytes), 2 VLANs (2x4 bytes), zeroes (38 bytes), and FCS (4 bytes).

Packet Trimming Example 2

This is the same packet as in Example 1: 1518 bytes, including MAC, QinQ (2 VLANs), 2 MPLS labels, IPv4, TCP, Payload, and FCS.

Select to retain the MAC and VLAN plus the next 100 bytes.

After trimming, the resulting packet will be 126 bytes: MAC DST/SRC/Type (14 bytes), 2 VLANs (2x4 bytes), the next 100 bytes in the packet (MPLS, L3, TCP, first bytes of payload), and FCS (4 bytes).

Packet Trimming Example 3

The original packet is 1518 bytes, including the MAC, 2 MPLS labels, IPv4, TCP, Payload, and FCS.

Select to retain the MAC and VLAN plus the next 100 bytes.

After trimming, the resulting packet will be 118 bytes: MAC DST/SRC/Type (14 bytes), next 100 bytes in the packet (MPLS, L3, TCP, first bytes of payload), and FCS (4 bytes).

Packet Trimming Example 4

The original packet is 1000 bytes, including the MAC, IPv4, TCP, Payload, and FCS.

Select to retain the MAC, VLAN, MPLS, and L3 plus the next 100 bytes.

After trimming, the resulting packet will be 138 bytes: MAC DST/SRC/Type (14 bytes), IPv4 (20 bytes), next 100 bytes in the packet (TCP, first bytes of payload), and FCS (4 bytes).
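The four trimming examples above can be reproduced with a short model of the feature, added here as an illustration and not taken from the product: it walks the header stack, keeps the selected headers plus the requested bytes, pads to 64 bytes, recomputes the FCS, and reports when the cut lands inside a VLAN tag. The recognised VLAN TPIDs are assumed to be those of Table C-1, MPLS payloads are assumed to be L3 VPN, and all names and sample frames are constructed.

```python
import struct
import zlib

VLAN_TPIDS = {0x8100, 0x9100, 0x88A8}     # assumption: the TPIDs listed in Table C-1
MPLS_TYPES = {0x8847, 0x8848}             # MPLS unicast / multicast Ethertypes
MODES = ("MAC", "MAC_VLAN", "MAC_VLAN_MPLS", "MAC_VLAN_MPLS_L3")


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of the frame, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def header_ends(body: bytes) -> dict:
    """Cumulative end offset of each retainable header set; absent layers add nothing."""
    off = 12
    etype = struct.unpack_from("!H", body, off)[0]
    while etype in VLAN_TPIDS:                         # each tag is TPID + TCI
        off += 4
        etype = struct.unpack_from("!H", body, off)[0]
    off += 2                                           # the real Ethertype
    ends = {"MAC": 14, "MAC_VLAN": off}
    if etype in MPLS_TYPES:
        bottom = False
        while not bottom:                              # stop after the bottom-of-stack label
            bottom = bool(struct.unpack_from("!I", body, off)[0] & 0x100)
            off += 4
        etype = {4: 0x0800, 6: 0x86DD}.get(body[off] >> 4)   # L3 VPN assumed
    ends["MAC_VLAN_MPLS"] = off
    if etype == 0x0800:
        off += (body[off] & 0x0F) * 4                  # IPv4 header length from IHL
    elif etype == 0x86DD:
        off += 40                                      # fixed IPv6 header only
    ends["MAC_VLAN_MPLS_L3"] = off
    return ends


def trim(frame: bytes, retain: str, extra: int):
    """Return (trimmed frame with a fresh FCS, True if a VLAN tag was cut through)."""
    if retain not in MODES or not 0 <= extra <= 16342:
        raise ValueError("unsupported header selection or byte count")
    body = frame[:-4]                                  # drop the original FCS
    ends = header_ends(body)
    cut = min(ends[retain] + extra, len(body))
    cuts_tag = cut < ends["MAC_VLAN"]                  # "MAC" chosen on tagged traffic
    kept = body[:cut].ljust(60, b"\x00")               # zero padding up to 64 bytes with FCS
    return kept + fcs(kept), cuts_tag


def constructed_frame(total: int, vlans: int = 0, mpls: int = 0) -> bytes:
    """Constructed frame of `total` bytes: MAC [VLANs] [MPLS] IPv4 TCP payload FCS."""
    hdr = bytes(12)
    for tpid in (0x88A8, 0x8100)[:vlans]:
        hdr += struct.pack("!HH", tpid, 100)
    hdr += struct.pack("!H", 0x8847 if mpls else 0x0800)
    for i in range(mpls):
        hdr += struct.pack("!I", (16 + i) << 12 | (0x100 if i == mpls - 1 else 0) | 64)
    hdr += bytes([0x45]) + bytes(8) + bytes([6]) + bytes(10)             # IPv4, protocol TCP
    hdr += bytes([0, 80, 0, 80]) + bytes(8) + bytes([0x50]) + bytes(7)   # TCP, no options
    body = hdr + b"\xA5" * (total - 4 - len(hdr))
    return body + fcs(body)
```
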

Packet Timestamping (5288 only)

Timestamping allows you to append a trailer containing a timestamp to a packet. This allows you to provide timestamping information downstream to monitoring tools. For example, you can provide timestamping information to:

■ A G10 probe to improve customer experience management in mobile networks

■ Latency-sensitive tools used in high-frequency trading applications for accurate analysis without compromising access for other network monitoring tools

When your 5288 has an AFM16 present in one of its expansion slots, you can enable or disable the timestamping feature on any AFM16 network port or any AFM16 bidirectional port group where advanced features are enabled on the network side.


Configurable Time Sources

Depending on the capabilities of your 5288 and the control module you purchase, the timestamping feature can use one of three possible time sources:

■ Local NTO

■ Network Time Protocol (NTP)

■ Global Position System (GPS)

To configure the time source to use one of the three possible time sources:

1. Click the System Settings tab.

2. In the General section, to the right of the field Timestamp time source, click the link and select one of the following three sources for the timestamp:

– Local NTO – The default source, it relies on the local operating system alone to provide the time. It is not synchronized with an accurate time source, but it is always available. You might use this, for example, while you test the system and no accurate timestamp is needed or if you have an AFM card but no access to an NTP server.

– Network Time Protocol (NTP) – This source requires a connection to a Network Time Protocol (NTP) server. Once you select and configure an NTP server, the time-of-day in the timestamps will be kept in sync with the time received from the configured NTP server. For NTP to be an available choice, you must first configure the NTO to connect to an NTP server. See “NTP:” on page 174 for details on how to configure an NTP server. Connection to an NTP server can be lost. See “Unavailable Time Sources” on page 323 for details about how the NTO deals with a lost connection to an NTP server.

NOTE When using the NTP source, at least one NTP-enabled server must be configured and kept in the list. When you import a configuration that includes a configured time source that is unavailable on a system, the setting is not imported. If you change the NTP configuration while packet timestamping is occurring - for example, if you delete one NTP server and add another in its place - the system will continue packet timestamping, but an alarm will trigger if the NTO is not in sync with the NTP server in the new configuration.

– Global Position System (GPS) – Time can be kept in sync with a Global Positioning System (GPS) source. This is the most accurate of the three time sources. Although you can connect the NTO to a GPS time source, connection to a GPS satellite can be lost. See “Unavailable Time Sources” on page 323 for details about how the NTO deals with a lost GPS signal and what to do about it.

NOTE To use this time source, the 5288 must also be equipped with a GPS control module. The GPS control module includes a GPS connector.

Unavailable Time Sources

When generating timestamps, the system uses the configured time source as long as it is available. This is referred to as the “actual” time source and is indicated in the packet itself. The system starts up in Local and remains there until the configured time source is synchronized.

Once the configured time source has synchronized, if the configured time source becomes unavailable - for example, the satellite link is lost for GPS - then the system flags packets using the “SyncLost” time source and generates the timestamp using the local operating system time, just as it does when using the local time source.

The following situations cause the NTO to use the SyncLost time source:

■ If the configured time source is either NTP or GPS and the synchronization is lost, the NTO uses SyncLost to generate timestamps until the signal is restored.

■ If the configured time source is NTP or GPS, a user changes the configuration to use GPS or NTP, and the new time source is not currently synchronized, all timestamped packets will be flagged using the SyncLost time source until the new time source becomes synchronized.

■ If a new configuration is imported that changes the configured time source, and the new time source is not yet synchronized, all timestamped packets will be flagged using the SyncLost time source until the new time source becomes synchronized.

Trailer Format

The AFM appends a trailer to add timestamping information to the incoming packet. Trailer information is inserted between the Ethernet CRC and the previous contents of L2-L7. The trailer starts with the fields, which are immediately followed by one byte indicating the length of the fields in bytes, followed by the Magic Number (0xAF12), followed by a trailer checksum. The checksum is calculated in the same manner as an IP Header checksum.

Figure C-1 shows the modified frame:

Figure C-1. Modified Frame

Figure C-2 shows the trailer:

Figure C-2. Trailer


Support has been added to Wireshark for a Layer 2 protocol that includes packet timestamps, using the T,L,V (Type, Length, Value) format. The “Trailer Length” field is one byte. The “Trailer Checksum” field is 2 bytes. The “fields” portion of the trailer is a series of 2-byte fields followed by variable length data. The first byte indicates the field type; the 2nd byte indicates the field length. Table C-2 shows the types supported:

Table C-2: Types Supported

Type | Description
--- | ---
1 | RESERVED
2 | RESERVED
3 | Timestamp (from Local Timebase)
4 | Timestamp (from NTP source)
5 | Timestamp (from GPS source)
6 | Timestamp (from 1588)
7 | Synchronization Lost (Timestamp from Holdover)

Timestamps for all types are currently parsed in the same format and are always 8 bytes in length. The format is two, signed, 32-bit values stored in Big Endian format. The first value indicates the seconds since January 1, 1970 (Unix Time). The second 32-bit value indicates the fractional second in nanosecond resolution (that is, the maximum value is 0x3b9ac9ff or 999,999,999).

NOTE Because the timestamp trailer adds 15 bytes per packet, a network port with timestamp-insertion enabled can no longer handle line rate user data traffic. For example, if the incoming data stream were right at line rate, then the data stream with timestamps inserted would be significantly over line rate, resulting in packet drops. How far over line rate depends on the size(s) of the original packets. For example, 15 bytes is a bigger percentage difference on 64-byte packets than it is on 5KB packets.

Packets may arrive with a timestamp trailer already present. In order to apply other packet processing features, the trailer is temporarily removed. If padding occurs, it occurs before the trailer is re-appended. This may result in a few packets growing in size.

Configured Time Sources and Alarms

The NTO triggers a minor alarm if either of the following conditions occurs:

■ NTP is the configured time source and none of the configured NTP servers are in sync.

■ GPS is the configured time source and the NTO loses sync with the GPS signal.

The NTO flags packets using the SyncLost time source until it re-syncs with either an NTP server or a GPS satellite, depending on which is configured.

There will almost always be a lag time between the time when an NTO starts and the time when a configured NTP server or GPS satellite time source becomes available. For that reason, the NTO will not trigger an alarm for the first 10 minutes of the startup process.

After 10 minutes, the NTO will trigger a minor alarm if:

■ The GPS source is still not in sync.

■ The NTO cannot contact the NTP server.

After 1 hour, the NTO will trigger a minor alarm if:

■ An NTP server connection was established within 10 minutes, but the NTO has still not completed synchronizing the time. The synchronization process adjusts the clock incrementally. If the process has not completed within an hour, then it triggers a minor alarm.
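A capture-side parser for the timestamp trailer described under Trailer Format, which also marks Local and SyncLost stamps as unsynchronized so that an analyst does not correlate them against other time sources; this is an added example, not Anue or Wireshark code. It assumes the checksum covers the fields, the length byte and the Magic Number, with an odd final byte zero-padded; the function names and the sample trailer are constructed.

```python
import struct

MAGIC = 0xAF12                                  # Magic Number from the Trailer Format text
TS_TYPES = {3: "Local", 4: "NTP", 5: "GPS", 6: "1588", 7: "SyncLost"}   # Table C-2
FREE_RUNNING = {3, 7}                           # stamped from the local operating system time


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for an IP header."""
    if len(data) % 2:
        data += b"\x00"                         # assumption: odd length is zero-padded
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_trailer(ts_type: int, seconds: int, nanos: int) -> bytes:
    """Constructed sample trailer: one timestamp field, length, magic, checksum."""
    fields = struct.pack("!BBii", ts_type, 8, seconds, nanos)
    body = fields + struct.pack("!BH", len(fields), MAGIC)
    return body + struct.pack("!H", inet_checksum(body))


def parse_trailer(frame: bytes, has_fcs: bool = False):
    """Return (original_length, [timestamps]) or None if no valid trailer ends the frame."""
    end = len(frame) - (4 if has_fcs else 0)
    if end < 5:
        return None
    fields_len, magic, checksum = struct.unpack_from("!BHH", frame, end - 5)
    start = end - 5 - fields_len
    if magic != MAGIC or start < 0:
        return None
    # Payload bytes can contain 0xAF12 by chance; the checksum rejects such look-alikes.
    if inet_checksum(frame[start:end - 2]) != checksum:
        return None
    stamps, pos, fields_end = [], start, end - 5
    while pos < fields_end:
        if pos + 2 > fields_end:
            return None                         # dangling type byte without a length
        ftype, flen = frame[pos], frame[pos + 1]
        nxt = pos + 2 + flen
        if nxt > fields_end:
            return None                         # field runs past the declared trailer
        if ftype in TS_TYPES:
            if flen != 8:
                return None                     # timestamps are always 8 bytes
            sec, nsec = struct.unpack_from("!ii", frame, pos + 2)
            if not 0 <= nsec <= 999_999_999:
                return None
            stamps.append({"source": TS_TYPES[ftype], "seconds": sec, "nanos": nsec,
                           "synchronized": ftype not in FREE_RUNNING})
        pos = nxt                               # reserved or unknown types are skipped
    return start, stamps
```
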

NOTE If the NTO completes synchronizing the time within one (1) hour, it will not trigger an alarm.

Burst Protection (5236/5273 1G tool port only)

Extended Burst Protection allows a 1G tool port on a 5236/5273 AFM (an AFM2) to buffer up to 200 MB of traffic and avoid dropped packets due to over-utilization. Buffering occurs when traffic bursts above the 1G line rate.

Since the buffer introduces a small delay to packets that end up having to be buffered, the NTO gives you the ability to tune the size of the buffer if it becomes important to reduce the delay.

The user interface displays the maximum latency value for the specified buffer size and provides guidance as to what size the buffer should be. The maximum latency is the amount of time it would take to drain the buffer if a burst caused it to fill to capacity. The latency is calculated as buffer size / bandwidth.

NOTE It is recommended that you enable burst protection on a 1G AFM2 tool port to increase tolerance to micro bursts. Adjust the buffer size (1-200) to the maximum latency that works best for the data flow in your network.


Packet Processing Pipeline

Standard and advanced features and filtering are applied in a pre-defined order as packets pass through a packet processing pipeline on each port. Described below is the order of both standard and advanced feature operations. For non-AFM (standard) ports, the order is the same except for the fact that the advanced features are not part of the pipeline.

AFM Network Port Pipeline Order

The pipeline order for AFM network ports is as follows:

1. Drop invalid packets

2. Advanced VNTag stripping (5288 only)

3. Advanced GTP or MPLS stripping

4. Advanced de-duplication

5. Advanced packet trimming

6. Advanced timestamping (5288 only)

7. Network port filtering

8. Standard VLAN stripping

Non-AFM Network Port Pipeline Order

The pipeline order for regular network ports is as follows:

1. Drop invalid packets

2. Network port filtering

3. Standard VLAN stripping

AFM Tool Port Pipeline Order

The pipeline order for AFM tool ports is as follows:

1. Tool port filtering

2. Standard VLAN stripping

3. Advanced VNTag stripping (5288 only)

4. Advanced trailer stripping (5288 only)

5. Advanced GTP or MPLS stripping

6. Advanced de-duplication

7. Advanced packet trimming

8. Advanced burst protection (5236/5273 only, 1G ports only)


Non-AFM Tool Port Pipeline Order

The pipeline order for regular tool ports is as follows:

1. Tool port filtering

2. Standard VLAN stripping

AFM Statistics

To view AFM statistics:

1. Right-click the AFM port or the port group that contains AFM ports and select Statistics.

2. Click the Packet Processing tab. The advanced feature statistics display as shown below.

Packets that are dropped due to oversubscription after filtering and AFM processing (Packet Trimming, De-duplication, etc.) have been applied are counted under the Drops (AFM) section on the Packet Processing tab of the tool port statistics window.


At What Point Does Oversubscription (dropped packets) Occur?

AFM hardware functions at 10G. Only bursts that exceed 10G will result in Pre-filter dropped packets on AFM tool ports. After filtering and AFM processing (Trimming, De-duplication, etc.) the amount of traffic on a 1G tool port must be no greater than 1G (with the ability for short bursts of an additional 200 MB of traffic when the AFM Burst Protection feature is enabled).

■ For 10G tool ports, bursts that exceed 10G will result in Pre-filter dropped packets.

■ For non-AFM 1G tool ports, bursts that exceed 1G will result in Pre-filter dropped packets.

■ For AFM 1G tool ports, bursts that exceed 10G will result in Pre-filter dropped packets.

AFM Oversubscription Example

In this example, the tool port statistics for a 1G AFM tool port indicate that there are no Pre-filter dropped packets, but the tool port icon (at the top right corner of the figure below) indicates that packets have dropped (yellow shield and exclamation symbol).

Also notice that the icon indicates that this is an AFM port (encircled “A” symbol and “ASFP” i.e., Advanced SFP).


However, a look at the Packet Processing tab of the AFM tool port statistics window (see figure below) displays dropped packets under “Drops (AFM)”.

In this scenario:

■ The traffic received did not exceed the Pre-filter capacity of the AFM tool port. (Remember that an AFM 1G port supports up to 10G of Pre-filter traffic.)

■ After the stages where filtering and AFM features can be applied (Packet Trimming, De-duplication, etc.), the remaining traffic exceeded the line rate of the port (1G). Therefore, dropped packets were reported under Drops (AFM).
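The scenario above, together with the buffer size / bandwidth latency rule from the Burst Protection section, as a simplified model added here (it is not Anue code). It assumes decimal units (1G = 1000 Mbit/s, 1 MB = 10^6 bytes), 1 ms time steps, a hypothetical keep_percent for the share of traffic left after filtering and AFM processing, and constructed load figures.

```python
# Added example: simplified model of a 1G AFM tool port (not vendor code).
# Assumptions: 1G/10G = 1000/10000 Mbit/s, 1 MB = 10**6 bytes, 1 ms steps.
PREFILTER_MBPS = 10_000        # AFM hardware functions at 10G
LINE_MBPS = 1_000              # 1G tool port line rate
BYTES_PER_MS_PER_MBPS = 125    # 1 Mbit/s is 125 bytes per millisecond


def max_buffer_latency_ms(buffer_mb, line_mbps=LINE_MBPS):
    """Time to drain a full buffer: buffer size / bandwidth."""
    return buffer_mb * 10**6 * 8 / (line_mbps * 1000)


def simulate_tool_port(load, buffer_mb, keep_percent):
    """Run a pre-filter load through the port model.

    load         -- list of (duration_ms, offered_mbps) intervals
    buffer_mb    -- Burst Protection buffer size (1-200)
    keep_percent -- hypothetical share of traffic that remains after
                    filtering, trimming and de-duplication
    Returns byte counters for both drop points and the worst queuing delay.
    """
    capacity = buffer_mb * 10**6
    drain = LINE_MBPS * BYTES_PER_MS_PER_MBPS
    stats = {"prefilter_drop_bytes": 0, "afm_drop_bytes": 0,
             "max_latency_ms": 0.0}
    backlog = 0
    for duration_ms, offered_mbps in load:
        # Drop point 1: anything above 10G never enters the AFM pipeline.
        accepted_mbps = min(offered_mbps, PREFILTER_MBPS)
        excess = (offered_mbps - accepted_mbps) * BYTES_PER_MS_PER_MBPS
        arriving = accepted_mbps * BYTES_PER_MS_PER_MBPS * keep_percent // 100
        for _ in range(duration_ms):
            stats["prefilter_drop_bytes"] += excess
            backlog += arriving
            backlog -= min(backlog, drain)       # transmit at line rate
            if backlog > capacity:
                # Drop point 2: buffer is full, counted under Drops (AFM).
                stats["afm_drop_bytes"] += backlog - capacity
                backlog = capacity
            delay_ms = backlog * 8 / (LINE_MBPS * 1000)
            stats["max_latency_ms"] = max(stats["max_latency_ms"], delay_ms)
    return stats


# Constructed load: a 500 ms burst at 4G followed by 2.5 s at 500 Mbit/s.
CONSTRUCTED_LOAD = [(500, 4000), (2500, 500)]

if __name__ == "__main__":
    print("200 MB buffer drains in", max_buffer_latency_ms(200), "ms")
    for size in (200, 10):
        print(size, "MB:", simulate_tool_port(CONSTRUCTED_LOAD, size, 50))
```

With half the traffic filtered out, the burst never exceeds the 10G Pre-filter capacity, so only the buffer size decides whether anything shows up under Drops (AFM), at the cost of the queuing delay the model reports.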

AFM Operational Considerations

■ Configuration Tip: When using a 1G AFM tool port, it is recommended to always enable the Burst Protection feature. When Burst Protection is disabled on a 1G AFM tool port, there may be less tolerance to micro bursts of traffic than with a non-AFM tool port.

■ The AFM expansion card is not supported on the 5204 NTO model.


APPENDIX D

How Licenses are Remapped Due to a Configuration Change

Overview

When the Net Tool Optimizer (NTO) is restarted with a different configuration of QSFP+/SFP+ modules installed or when a configuration is imported that has a different configuration of QSFP+/SFP+ modules, the port floating licenses will be remapped as necessary.

Port Numbers Review

The NTO port module expansion slots are designated as A, B, C and D, shown in Figure D-1. Ports are numbered based on a slot letter and physical port number.

For example, port B01 refers to the first port of an SFP+ port module installed in slot B. Port D16 refers to the 16th port of a 16-port SFP+ module installed in slot D.

Port numbering for QSFP+ modules is slightly different. The port numbers for a QSFP+ port module installed in slot A are: A1, A2, A3 and A4.


Figure D-1. Expansion Slots and Port Numbering

Models 5288, 5293: References to 40G licenses refer only to the 5288/5293 NTO models.


Floating License Remapping Algorithm

Terminology and Assumptions

In order to describe the expected behavior when remapping occurs, a few terms need to be defined.

The first term is “old license map”. An old license map refers to the NTO’s current license map (in relation to a new license map that is being imported) or the default license map that is used during NTO startup.

The second term is “new license map”. A new license map refers to a license configuration that is being imported or created upon startup.

The following information should also be known before proceeding.

■ QSFP+ ports require a 40G license

■ A 40G license can be applied to a 1G or 10G port

Remapping Process

After the NTO configuration has changed due to a change in the installed port modules or import of a configuration, the remapping of floating licenses occurs in the order shown below.

1. Find exact matches and license: For each port in the new license map, if there is a duplicate entry in the old license map, use it. A duplicate entry is one with the same default port name. For example, a 10G license from port A01 in the old map will be moved over to port A01 in the new map if the current hardware for A01 supports the license.

2. Find port type matches (10G and 1G licenses only) and license: For ports in the new license map, which didn’t receive an exact match license, look for a license in the old map and apply that license to a port in the new map. This process is similar to step 1 except that the default port name doesn’t have to match.

For example, we might find a license at port C04 in the old map that can be reallocated to A01 in the new map.

The algorithm attempts to reallocate 10G licenses into the new map first and then attempts to reallocate 1G licenses. Also note that the old map list is searched in reverse order so that a license is taken from port D16 before it is taken from port A01.

NOTE There may be a scenario where a 10G or 1G port in an old license map had been given a 40G license when that was all that was available. Because a new configuration may require a license for a 40G port, 40G licenses are not reallocated into the new map in the manner described above.


3. License remaining ports: At this stage, ports may remain in the new license map without a license. This is because the criteria defined in steps 1 and 2 above were not met in order to allow the remapping of licenses from the old license map to ports in the new license map.

Now the algorithm will search through the list of remaining licenses and try to find one that will match the remaining ports. The search and possible licensing occurs in the following order:

A. 40G licenses to apply to 40G ports

B. 10G licenses to apply to 10G ports

C. 1G licenses to apply to 1G ports

D. 40G licenses to apply to 10G ports or 1G ports

E. 10G licenses to apply to 1G ports
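The three remapping steps above, written out as an added example (not Anue's implementation). The map representation, function names and sample maps are constructed for illustration, and it assumes that new ports are visited in ascending order, that a license fits a port when its speed is at least the port's speed, and that step 1 carries over any license the new hardware supports.

```python
# Added example (not Anue code): the three-step floating license remapping.
RANK = {"1G": 1, "10G": 10, "40G": 40}

# Step 3 search order, items A-E: (step label, license type, eligible ports)
STEP3_ORDER = [
    ("3A", "40G", {"40G"}),
    ("3B", "10G", {"10G"}),
    ("3C", "1G", {"1G"}),
    ("3D", "40G", {"10G", "1G"}),
    ("3E", "10G", {"1G"}),
]


def port_key(name):
    """Sort key: slot letter, then physical port number (A01, D16, A1)."""
    return (name[0], int(name[1:]))


def remap_floating_licenses(old_map, new_ports):
    """Remap licenses from the old license map onto the new port set.

    old_map   -- {default port name: license type} (old license map)
    new_ports -- {default port name: port speed} (new hardware)
    Returns {port: (license, step, donor port)} with None for ports
    that end up unlicensed.
    """
    pool = dict(old_map)                         # licenses not yet moved
    result = {port: None for port in new_ports}
    new_order = sorted(new_ports, key=port_key)  # assumption: ascending

    # Step 1: same default port name, and the hardware supports the license.
    for port in new_order:
        lic = pool.get(port)
        if lic is not None and RANK[lic] >= RANK[new_ports[port]]:
            result[port] = (pool.pop(port), "1", port)

    def allocate(lic_type, port_types, step):
        for port in new_order:
            if result[port] is not None or new_ports[port] not in port_types:
                continue
            # The old map is searched in reverse order: D16 before A01.
            donors = sorted(pool, key=port_key, reverse=True)
            donor = next((d for d in donors if pool[d] == lic_type), None)
            if donor is None:
                return                           # none of this type left
            result[port] = (pool.pop(donor), step, donor)

    # Step 2: port type matches, 10G first and then 1G; 40G is held back.
    allocate("10G", {"10G"}, "2")
    allocate("1G", {"1G"}, "2")

    # Step 3: license remaining ports in the order A-E.
    for step, lic_type, port_types in STEP3_ORDER:
        allocate(lic_type, port_types, step)
    return result


# Constructed sample: slot A changes from an SFP+ module to a QSFP+ module.
OLD_MAP = {"A01": "10G", "A02": "40G", "B01": "1G",
           "C04": "10G", "D15": "1G", "D16": "10G"}
NEW_PORTS = {"A1": "40G", "B01": "1G", "B02": "10G", "B03": "10G",
             "B04": "10G", "C01": "1G", "C02": "1G"}

if __name__ == "__main__":
    for port, entry in remap_floating_licenses(OLD_MAP, NEW_PORTS).items():
        print(port, entry)
```

In the sample, the 40G license that sat on port A02 is held back in step 2 and lands on the new QSFP+ port A1 in step 3A, while C02 stays unlicensed because no 1G, 10G or 40G license is left for it.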

Models 5288, 5293: References to 40G licenses refer only to the 5288/5293 NTO models.


APPENDIX E

Troubleshooting

Port LED Legend

The following tables provide a legend for interpreting the port LED indicators. LEDs on the left report activity, LEDs on the right report status.

Models 5288, 5296: These NTO models do not currently support Combo ports, Rear Slot A/B, 10/100Mb, or half duplex operation.

Models 5236, 5273: These NTO models do not currently support Combo ports.

Table E-1: Left LED on RJ-45/SFP/SFP+ and Rear Slot A/B LED

Color | Description
Solid Green | Licensed Port is Enabled and Link is Up
Flickering Green | Licensed Port is Enabled and Link is Up w/ activity. Port is sending or receiving data.
Slow Blinking Green (Off 3 ¾ sec, On ¼ sec) | Licensed Port is Enabled with Link Down
Solid Amber | Licensed Port is Disabled; Licensed Combo Port Enabled but its Media Type is NOT selected.
Off (Black) | Port is Unlicensed; Rear Slot A/B – No Module Present


Table E-2: Right LED on RJ-45/SFP/SFP+

Color | Description
Solid Green | Licensed Port is operating at its maximum speed (1GB or 10GB) in Full Duplex
Solid Amber | Licensed Port is operating at 10Mb or 100Mb Full Duplex or 1GB (SFP+) Full Duplex (N/A for SFPs)
Blinking Amber | Licensed Port is operating at 10Mb or 100Mb Half Duplex (N/A for RJ-45 and SFPs)
Off (Black) | Unlicensed Port; Licensed Port is Disabled, or Licensed Port is Enabled with Link Down; Licensed Combo Port Enabled but its media type is NOT selected

Power On Self Test (POST)

The Power On Self Test (POST) provides a mechanism to initiate a series of diagnostic tests at startup to validate the health of the NTO hardware including MAC and PHY loopbacks to test data paths.

A one-time POST can be manually run or a POST can be configured to run every time the NTO is restarted.

Once the tests are completed, pass/fail test results can be viewed:

■ (Models 5204, 5236, 5273) Via the front panel LCD.

■ (Models 5273, 5288, 5293) Via the serial port interface.

Models 5204, 5236, 5273: PHY loopback is tested for SFP/SFP+, XFP, and AFM expansion module ports. CX-4 expansion modules are not tested during POST.


Manual POST

Manual POST differs for various models of NTO. See Table E-3 for details.

Automatic POST

To configure a POST to run every time the NTO is restarted:

1. Access the Settings tab of the System view.

2. Look to the right of the Power on self test (POST) field.

3. Click Disabled.

4. Click OK to confirm that you want the POST to run every time the NTO is restarted. The Disabled text will change to display Enabled.

Table E-3: Manual POST on Different NTO Models

Models 5204, 5236, 5273: To manually start a POST, use the front panel LCD and keypad. Enter the following commands:

1. Press the down Arrow (▼) 7 times.

2. Display reads “7 Power on Self Test (POST).”

3. Right Arrow (►) 1 time.

4. Down Arrow (▼) 1 time.

5. Display reads “7b Run POST.”

6. Press the Check Button (√).

7. Display reads “Restart Now? No Yes.”

8. Right Arrow (►) 1 time so that the word “Yes” is highlighted.

9. Press the Check Button (√).

10. Display reads “Shutting down please wait.”

The system will reboot and the POST will execute during system initialization.

Models 5273, 5288, 5293: A manual POST can be initiated from the serial port menu. The system will restart and the POST will run one time. It will not run after the next restart unless it is configured to run automatically, or another manual POST is initiated.

NOTE The POST adds the following times to the NTO restart process:

■ Models 5204/5236/5273: 4-5 minutes

■ Models 5288/5293: approximately 10 minutes


To disable the automatic POST:

■ Click Enabled and then click OK to confirm that you wish to disable the automatic POST.

5273/5288/5293 View POST Results Via the Serial (Craft) Port Interface

From the Main Menu, type 6 to retrieve the results of the last POST run. This command cannot be run while the system is restarting.

Welcome to Anue Systems
IP address: 192.168.162.33

Main Menu:
1. Reboot System
2. IP Config
3. Management Port Config
4. Reset Admin Password
5. Run POST tests
6. Get POST results

Enter command number:6
Get Power On Self Tests results
Type "yes" to accept, anything else to cancel:yes
Results: Passed

Note: If the POST fails, contact Anue Technical Support for assistance.


5204/5236/5273 View POST Results Via the Front Panel LCD

To view the POST completion status and see the details of failed tests, use the keypad and LCD as described below:

1. Press the down Arrow (▼) 6 times.

2. Display reads “7 Power on Self Test (POST).”

3. Right Arrow (►) 1 time.

4. Display reads “7a Results (Passed or Failed).”

NOTE If the status reads “Passed”, all tests have passed and there is no additional information to display. If the status is “Failed”, continue using the menu as described below to see the results of individual tests. Up to 20 test failures can be viewed by cycling the down arrow. Failures are categorized as either a system or a specific port failure. There are up to 4 port tests (2 MAC loopback and 2 PHY loopback) that get executed for each port.

5. Right Arrow (►) 1 time.

6. If there are failures, press Down Arrow (▼) 1 time to view the 1st test that failed.

7. Display reads “7a1 System Register Test.”

8. Down Arrow (▼) 1 time.

9. Display reads “7a2 System CPU S/G Reload.”

10. Continue pressing the down arrow to display additional test results.

Login Issues

This section documents issues that may cause login failures.

Tip: Firewall configurations may need to open TCP port 1099 to allow the NTO Control Panel GUI to communicate with the NTO server.

Tip: A bug in Java version 1.6 update 14 can prevent users from logging in to the NTO Control Panel. If errors are received after clicking on the Launch 52XX Control Panel button, please upgrade to Java version 1.6.0_30, which Anue has tested on and recommends. Both the 32-bit and 64-bit versions of the JRE are supported. Java version 1.7 (i.e., Java 7) is not currently supported.


Login Failures Using the IE7 Browser on Windows Vista

The Protected Mode security feature of the Internet Explorer 7 browser can prevent the download of the NTO management application to the client PC. Customers have reported error messages referencing Java when the login attempt fails.

There are two possible solutions for this issue.

1. Add the IP address of the NTO to the Trusted Sites zone.

Note that the site may need to be added as "https://192.168.41.58" for example, although users will enter “http://192.168.41.58” into the browser URL field.

2. Temporarily disable Protected Mode during the initial login.

This option requires that the user have administrator rights on their PC. Temporarily disabling Protected Mode will allow the NTO management application to be downloaded. Protected Mode can be enabled after the initial login is successful.

To temporarily disable Protected Mode, right-click the Internet Explorer icon or shortcut and select “Run as Administrator” from the right-click menu. Click “Allow” at the User Account Control dialog. Then proceed to log in (click the Launch Anue 52XX Control Panel icon from your browser). Note that Protected Mode will automatically be re-enabled the next time the browser is launched.

Protected Mode can be enabled during the normal operation/administration of the NTO.

Note the scenarios that will require that Protected Mode be disabled:

– Before the first attempt to log in to the NTO

– Log in after the unit has had a software upgrade

– Log in after a user clears their Java and/or browser cache

Login Failures Using the IE8 and IE9 Browsers on Windows 7 and Vista

Attempting to launch the NTO Control Panel using IE8 and IE9 on Windows 7 and Vista with the default IE Account Control settings produces an error similar to the following:

"The Anue 52xx at ‘10.179.164.49’ is running software version ‘3.5.x.x-xxxxx-xxxxxxx-xxxxxx.’ Please ensure that you start your Control Panel from the launch page at http://10.179.164.49. If this problem persists, refer to ‘Upgrade Procedures.’ Note that the Upgrade Procedures can be found in the NTO User Guide.”


Background

When using Internet Explorer to launch the control panel, the NTO home page and control panel will run in one of the following URL Security Zones:

■ Internet Zone

■ Local Intranet Zone

■ Trusted Sites Zone

■ Restricted Sites Zone

In addition, Protected Mode can either be enabled or disabled.

Typically, applications will run with Protected Mode enabled in the Internet and Restricted Sites Zones, and with Protected Mode disabled in the Local Intranet and Trusted Sites Zones.

Some user accounts may also be configured to bypass these Internet Explorer settings, and disable protected mode even in the Internet Zone. For instance, a user may have disabled change notifications in User Account Control Settings. This configuration may be more common on a Windows 7 system, which was migrated from an earlier Windows release.

Issue

If the Control Panel is launched using Internet Explorer with Protected Mode enabled, the user will observe the following error message:

Confirm the cause by checking the Protected Mode, as follows:

1. Browse to the home page of the NTO.

2. View properties for the NTO page. Either:

A. In the Menu Bar, click File -> Properties.

or

B. Right-click on the webpage and select Properties.

3. Select the values Zone and Protected Mode.

If Protected Mode is off, then the control panel should launch normally.


If Protected Mode is on, then the control panel cannot be launched.

Exception

If the NTO was previously trusted, but is now in another zone with Protected Mode on, the control panel will still launch. This exception can be resolved by clearing the IE cookies.

Solutions

There are two solutions for this issue:

■ Use the Firefox Browser

or

■ Temporarily Disable User Account Control (UAC)

Use the Firefox Browser

1. Install Firefox on the client PC.

2. Launch the 52xx Control Panel using Firefox.

The User Account Control window appears and asks the following question:

"Do you want to allow the following program to make changes to this computer?
Program name: Firefox
Verified publisher: Mozilla Corporation
File origin: Hard drive on this computer"

3. Click Yes.

Temporarily Disable User Account Control (UAC)

You can use one of the following methods to work around this issue:

■ Add the NTO to the Trusted Sites Zone with Protected Mode disabled

■ Run the NTO from the Intranet Zone with Protected Mode disabled

■ Run the NTO from the Internet Zone with Protected Mode disabled

■ Run Internet Explorer with Administrator Privileges - One Time Only

■ Run Internet Explorer with Administrator Privileges - Every Time

■ Modify user account to disable change notifications

The goal is to run the Control Panel with Protected Mode off.

NOTE You may need to restart the system, restart Internet Explorer, and/or clear IE cookies for some of these changes to take effect.


Add the NTO to the Trusted Sites Zone with Protected Mode disabled

1. Open Internet Options from Internet Explorer.

2. Click the Security tab.

3. Select Trusted Sites.

4. Confirm Enable Protected Mode is not selected for this zone.

5. Click the Sites button.

6. Add the URL to the website list.

7. Click OK.

8. Reload the webpage.

Run the NTO from the Intranet Zone with Protected Mode disabled

1. Open Internet Options from Internet Explorer.

2. Click the Security tab.

3. Select Local Intranet.

4. Confirm Enable Protected Mode is not selected for this zone.

5. Click the Sites button.

6. Either:

A. Modify the settings to define which websites are included in the local intranet zone.

or

A. Select Advanced.

B. Add the URL to the website list.

7. Click OK.

8. Reload the webpage.

NOTE This may be helpful if the NTO is on your intranet, but IE identifies the NTO as being on the internet.


Run the NTO from the Internet Zone with Protected Mode disabled

1. Open Internet Options in Internet Explorer.

2. Click the Security tab.

3. Select Internet.

4. Deselect Enable Protected Mode for this zone.

5. Click Apply/OK.

6. Reload the webpage.

NOTE This disables key security settings of Internet Explorer.

Caution: This security setting will put your computer at risk.

Run Internet Explorer with Administrator Privileges - One Time Only

1. Locate the Internet Explorer icon, for instance:

A. Click the Windows Start icon (and look for Internet Explorer without a short-cut icon).

or

B. Browse to C:\Program Files (x86)\Internet Explorer (and look for "iexplore.exe").

2. Right-click the Internet Explorer icon.

3. Select Run as Administrator.

4. Browse to the NTO webpage.

NOTE

■ The user must have administrative privileges.

■ This disables key security settings of Internet Explorer during this session.


Run Internet Explorer with Administrator Privileges - Every Time

1. Locate the Internet Explorer icon, for instance:

A. Click the Windows Start icon (and look for Internet Explorer without a short-cut icon).

or

B. Browse to C:\Program Files (x86)\Internet Explorer (and look for "iexplore.exe").

2. Create a shortcut to the Internet Explorer icon (on the desktop, for instance).

3. Right-click the Internet Explorer shortcut icon.

4. Select Properties.

5. Click the Shortcut tab.

6. Click the Advanced button.

7. Select Run as administrator.

8. Click OK.

9. Double-click the shortcut.

10. Browse to the NTO webpage.

NOTE

■ The user must have administrative privileges.

■ This disables key security settings of Internet Explorer every time (when run from the shortcut described).

Modify user account to disable change notifications

1. Open the Control Panel.

2. Select User Accounts.

3. Select User Accounts (and confirm you are at "Make Changes to your user account").

4. Select Change User Account Control settings.

5. Change the slider from:

A. Default - Notify me only when programs try to make changes to my computer.

to

B. Never notify me when.

6. Click OK.

7. Run Internet Explorer normally.

8. Browse to the NTO webpage.

NOTE

■ The user must have administrative privileges.

■ This method disables key security settings of Windows 7. This approach is NOT recommended.

Reference

Internet Explorer Developer Center > Learn > Security and Privacy > Security Zones > Overviews/Tutorials > About URL Security Zones

http://msdn.microsoft.com/en-us/library/ie/ms537183(v=vs.85).aspx


APPENDIX F

5273/5288/5293 Safety Guidelines

English

CAUTION: Safety Instructions

Use the following safety guidelines to help ensure your own personal safety and to help protect your equipment and working environment from potential damage.

SAFETY: General Safety

When setting up the equipment for use:

■ Place the equipment on a hard, level surface.

■ Leave 10.2 cm (4 in) minimum clearance on all vented sides of the equipment to permit the airflow required for proper ventilation. Restricting airflow can damage the equipment or cause a fire.

■ Ensure that nothing rests on your equipment’s cables and that the cables are not located where they can be stepped on or tripped over.

■ Keep your equipment away from radiators and heat sources.

CAUTION: The power supplies in your system may produce high voltages and energy hazards, which can cause bodily harm. Only Anue Systems service technicians are authorized to remove the cover and access any of the components inside the system.

CAUTION: This system may have more than one power supply cable. To reduce the risk of electrical shock, a trained service technician must disconnect all power supply cables before servicing the system.

Note: The installation of your equipment and rack kit in a rack cabinet has not been approved by any safety agencies. It is your responsibility to ensure that the final combination of equipment and rack complies with all applicable safety standards and local electric code requirements. Anue Systems disclaims all liability and warranties in connection with such combinations. Rack kits are intended to be installed in a rack by trained service technicians.


■ Keep your equipment away from extremely hot or cold temperatures to ensure that it is used within the specified operating range.

■ Do not stack equipment or place equipment so close together that it is subject to re-circulated or preheated air.

When operating your equipment:

CAUTION: Do not operate your equipment with the cover removed.

■ Use this product only with approved/certified equipment. Operate this product only with approved/certified redundant power supplies.

■ Operate the equipment only from the type of external power source indicated on the electrical ratings label. If you are not sure of the type of power source required, consult your service provider or local power company.

■ If the equipment has multiple sources of power, disconnect power from the system by unplugging all power cables from the power supplies.

■ Use only approved power cable(s). If you have not been provided with a power cable for the equipment or for any AC-powered option intended for the equipment, purchase a power cable that is approved for use in your country. The power cable must be rated for the equipment and for the voltage and current marked on the equipment’s electrical ratings label. The voltage and current rating of the cable should be greater than the ratings marked on the equipment.

■ Do not modify power cables or plugs. Consult a licensed electrician or your power company for site modifications. Always follow your local/national wiring rules.

■ To help prevent electric shock, plug the equipment’s power cables into properly grounded electrical outlets. These cables are equipped with three-prong plugs to help ensure proper grounding. Do not use adapter plugs or remove the grounding prong from a cable. If you must use an extension cable, use a 3-wire cable with properly grounded plugs.

■ Observe extension cable and power strip ratings. Ensure that the total ampere rating of all equipment plugged into the extension cable or power strip does not exceed 80 percent of the ampere ratings limit for the extension cable or power strip.

■ If any of the following conditions occur, unplug the equipment from the electrical outlet and replace the part or contact Anue Systems:

– The power cable, extension cable, or plug is damaged.

– An object has fallen into the equipment.

– The equipment has been exposed to water.

– The equipment has been dropped or damaged.

– The equipment does not operate correctly when you follow the operating instructions.


■ Do not operate the equipment within a separate enclosure unless adequate intake and exhaust ventilation are provided on the enclosure that adheres to the guidelines listed above.

■ Do not restrict airflow into the equipment by blocking any vents or air intakes.

■ Do not push any objects into the air vents or openings of your equipment. Doing so can cause fire or electric shock by shorting out interior components.

CAUTION: Only Anue Systems trained service technicians are authorized to replace the battery. Should the battery need to be replaced, please contact Anue Systems to arrange for the replacement of the battery. Incorrectly installing or using an incompatible battery may increase the risk of fire or explosion. Replace the battery only with the same or equivalent type recommended by the manufacturer, carefully following installation instructions. Dispose of used batteries properly.

SAFETY: Battery Disposal

Your system uses a lithium coin-cell battery. These batteries are long-life batteries, and it is very possible that you will never need to replace them. However, should you need to do so, please contact Anue Systems to arrange for the replacement of the battery.

Do not dispose of the battery along with ordinary waste. Contact your local waste disposal agency for the address of the nearest battery deposit site.

Handle batteries carefully. Do not disassemble, crush or puncture batteries. Do not short external contacts, dispose of batteries in fire or water, or expose batteries to temperatures higher than 60 degrees Celsius (140 degrees Fahrenheit). Do not attempt to open or service batteries. Replace batteries only with batteries designated for the equipment.

SAFETY: Risk of Electrical Shock

CAUTION: Opening or removing the cover of this equipment may expose you to risk of electrical shock. Components inside these compartments should be serviced only by an Anue Systems service technician.

■ Allow the equipment to cool before removing add-in modules. Add-in modules may become very warm during normal operation. Use care when removing add-in modules after their continuous operation.

■ To help avoid the potential hazard of electric shock, do not connect or disconnect any cables or perform maintenance or reconfiguration of your equipment during an electrical storm.


SAFETY: Equipment with Laser Devices

CAUTION: Do not look directly into a fiber-optic transceiver or into the end of a fiber-optic cable. Fiber-optic transceivers contain laser light sources that can damage your eyes.

■ This equipment may contain optical communications transceivers which have built-in laser devices. To prevent any risk of exposure to laser radiation, do not disassemble or open any optical transceiver assembly for any reason.

Protecting Against Electrostatic Discharge

CAUTION: Disconnect product from mains power source in accordance with product-specific safety information located in this manual.

Electrostatic discharge (ESD) events can harm electronic components. Under certain conditions, ESD may build up on your body or an object and then discharge into another object, such as your add-in modules. To prevent ESD damage, you should discharge static electricity from your body before handling any add-in modules.

You can protect against ESD and discharge static electricity from your body by touching a metal grounded object before you interact with anything electronic. When connecting other devices to this equipment, you should always ground both yourself and the other device before connecting it to this equipment.

You can also take the following steps to prevent damage from electrostatic discharge:

■ When unpacking a static-sensitive component from its shipping carton, do not remove the component from the antistatic packing material until you are ready to install the component. Just prior to unwrapping the antistatic package, be sure to discharge static electricity from your body.

■ When transporting a sensitive component, first place it in an antistatic container or packaging.

■ Handle all electrostatic sensitive components in a static-safe area. If possible, use antistatic floor pads and work bench pads.

French

CAUTION: Safety Instructions

Follow these safety guidelines to help ensure your personal safety and to protect your equipment and working environment from potential damage.

SAFETY: General Safety

NOTE: The installation of your equipment and rack kit in a cabinet has not been approved by any safety agency. It is your responsibility to ensure that the final combination of equipment and racks complies with all applicable safety standards and local electrical code requirements. Anue Systems disclaims all liability and all warranties relating to such combinations. Rack kits are intended to be installed by a trained service technician.

When setting up the equipment for use:

■ Place the equipment on a hard, level surface.

■ Leave at least 10.2 cm (4 in) of clearance on all vented sides of the equipment to permit the airflow required for proper ventilation. Restricting airflow can damage the equipment or cause a fire.

■ Ensure that nothing rests on the equipment's cables and that the cables are not located where they can be stepped on or tripped over.

■ Keep the equipment away from radiators and other heat sources.

■ Do not expose the equipment to extremely hot or cold temperatures, so that it is used within the specified operating range.

■ Do not stack equipment or place its components so close together that they are exposed to recirculated or preheated air.

CAUTION: The power supplies in your system may produce high voltages and electrical hazards that can cause bodily injury. Only Anue Systems service technicians are authorized to remove the cover and access the components inside the system.

CAUTION: This system may have more than one power cable. To reduce the risk of electrical shock, a trained service technician must disconnect all power cables before servicing the system.

When operating your equipment:

CAUTION: Do not operate your equipment with the cover removed.

■ Use this product only with approved/certified equipment. Operate this product only with approved/certified redundant power supplies.

■ Operate the equipment only from the type of external power source indicated on the electrical ratings label. If you are unsure of the type of power source required, consult your service provider or local power company.

■ If the equipment has multiple power sources, disconnect power from the system by unplugging all power cables from the power sources.

■ Use only approved power cables. If you have not been provided with a power cable for the equipment or for any AC-powered option intended for the equipment, purchase a power cable that is approved for use in your country. The power cable must be rated for the equipment and for the voltage and current marked on the equipment's electrical ratings label. The voltage and current rating of the cable must be greater than the ratings marked on the equipment.

■ Do not modify power cables or plugs. Consult a licensed electrician or your power company for any site modifications. Always follow local/national wiring rules.

■ To help prevent electrical shock, plug the equipment's power cables into properly grounded electrical outlets. These cables are equipped with three-prong plugs to help ensure proper grounding. Do not use adapter plugs or remove the grounding prong from a cable. If an extension cable must be used, use a three-wire cable with properly grounded plugs.

■ Observe extension cable and power strip ratings. Ensure that the total ampere rating of all equipment plugged into the extension cable or power strip does not exceed 80 percent of the maximum ampere rating of the extension cable or power strip.

■ If any of the following conditions occur, unplug the equipment from the electrical outlet and replace the part or contact Anue Systems:

– The power cable, extension cable, or plug is damaged.

– An object has fallen into the equipment.

– The equipment has been exposed to water.

– The equipment has been dropped or damaged.

– The equipment does not operate correctly when you follow the operating instructions.

■ Do not use the equipment in a separate enclosure unless adequate intake and exhaust ventilation is provided on the enclosure in accordance with the guidelines above.

■ Do not restrict airflow into the equipment by blocking any vents or air intakes.

■ Do not push any objects into the vents or openings of your equipment. Doing so can cause a fire or electrical shock by shorting out interior components.

CAUTION: Only trained Anue Systems service technicians are authorized to replace the battery. If the battery needs to be replaced, contact Anue Systems to arrange for its replacement. Incorrect installation or use of an incompatible battery may increase the risk of fire or explosion. Replace the battery only with the same or an equivalent type as recommended by the manufacturer, and follow the installation instructions exactly. Dispose of used batteries properly.

SAFETY: Battery Disposal

Your system uses a lithium coin-cell battery. These batteries are long-life batteries, and it is very possible that you will never need to replace them. However, should you ever need to do so, contact Anue Systems to arrange for the battery replacement.

Do not dispose of the battery with household waste. Contact your local waste disposal agency for the address of the nearest battery collection site.

Handle batteries carefully. Do not disassemble, crush or puncture batteries. Do not short external contacts, dispose of batteries in fire or water, or expose batteries to temperatures higher than 60 degrees Celsius (140 degrees Fahrenheit). Do not attempt to open or service batteries. Replace batteries only with batteries designated for the equipment.

SAFETY: Risk of Electrical Shock

CAUTION: Opening or removing the cover of this equipment may expose you to risk of electrical shock. Components inside these compartments should be serviced only by an Anue Systems service technician.

■ Allow the equipment to cool before removing add-in modules. Add-in modules may become very warm during normal operation. Use care when removing add-in modules after continuous operation.

■ To help avoid the potential hazard of electrical shock, do not connect or disconnect any cables or perform maintenance or reconfiguration of your system during an electrical storm.

SAFETY: Equipment with Laser Devices

CAUTION: Never look directly into a fiber-optic transceiver or into the end of a fiber-optic cable. Fiber-optic transceivers contain laser light sources that can damage your eyes.

■ This equipment may contain fiber-optic communications transceivers which have built-in laser devices. To prevent any risk of exposure to laser radiation, never disassemble or open a fiber-optic transceiver.

Protecting Against Electrostatic Discharge

CAUTION: Disconnect the product from the mains power source in accordance with the product-specific safety information provided in this manual.

Electrostatic discharge (ESD) can harm electronic components. Under certain conditions, ESD may build up on your body or an object and then discharge into another object, such as your add-in modules. To prevent ESD damage, you should discharge static electricity from your body before handling an add-in module.

You can protect against ESD and discharge static electricity from your body by touching a grounded metal object before you touch anything electronic. When connecting other devices to this equipment, you should always ground both yourself and the other device before connecting it to this equipment.

You can also take the following steps to prevent damage from electrostatic discharge:

■ When unpacking a static-sensitive component from its shipping carton, do not remove the component from the antistatic packing material until you are ready to install the component. Just before unwrapping the antistatic package, be sure to discharge static electricity from your body.

■ When transporting a sensitive component, first place it in an antistatic container or packaging.

■ Handle all static-sensitive components in a static-safe area. If possible, use antistatic pads for the floor and the work surface.
