User Guide iBypass HD Eight segment bypass switch Doc.
PLEASE READ THESE LEGAL NOTICES CAREFULLY. By using a Net Optics iBypass HD device you agree to the terms and conditions of usage set forth by Net Optics, Inc. No licenses, express or implied, are granted with respect to any of the technology described in this manual. Net Optics retains all intellectual property rights associated with the technology described in this manual. This manual is intended to assist with installing Net Optics products into your network.
Contents
Chapter 1 Introduction
  Key Features
  About this Guide
  Bypass Modes
  ...
  Save and Load the iBypass HD Configurations
  Manage the Security Key
  Use the CLI Command History Buffer
  Understand the Commit Commands
  ...
Chapter 1 Introduction
Net Optics iBypass HD is a high-density solution for fail-safe attachment of in-line devices such as intrusion prevention systems (IPSs), firewalls, and data loss prevention (DLP) appliances. (For simplicity, the acronym IPS is used for all such in-line devices in this manual.) The iBypass HD provides eight independent intelligent bypass switches in a 1U form factor, the highest bypass switch density in the industry.
Bi-Directional Heartbeat
The iBypass HD periodically sends small Heartbeat packets through attached IPSs to verify their ability to process traffic. If a Heartbeat packet is not returned within a configurable timeout and number of retries, the IPS is assumed to be down and Bypass On mode is entered, taking the IPS offline.
Unsurpassed Support
Net Optics offers technical support throughout the lifetime of your purchase. Our technical support team is available from 8:00 to 17:00 Pacific Time, Monday through Friday at +1 (408) 737-7777 and via e-mail at ts-support@netoptics.com. Information is also available on the Net Optics Web site at www.netoptics.com.
About this Guide
Please read this entire guide before installing the iBypass HD.
Figure 3: Bypass On mode – the IPS is off-line (traffic bypasses the IPS)
Note: If fail_state is set to no_traffic rather than fail-to-wire, then network traffic is blocked in Bypass On mode.
Heartbeat Bypass
The bypass switch protects against both physical link failure and application failure on the IPS. The bypass switch checks the path through the IPS by sending a packet at a predetermined rate—for example, once every second—to the IPS from monitor port 1. When the bypass switch receives the packet on monitor port 2, having passed through the IPS, it knows the path is valid.
Traffic Statistics
The iBypass HD collects statistics about the traffic passing through each of its ports. The statistics can be viewed and cleared through the management interface.
iBypass HD Management
The iBypass HD is configured and managed using a command-line interface (CLI) that will be familiar to most network administrators. GUI-based Indigo management tools will be available soon.
The iBypass HD Front Panel
The features of the iBypass HD front panel are shown in the following diagram.
Port LEDs
Each port has LEDs that indicate the port's Link state and Activity. The LED on the left is the Link LED; it is illuminated when a link is established. The LED on the right is the Activity LED; it blinks when traffic is passing through the port. For 10/100/1000 ports, the Link LED illuminates green when the link speed is 1000 Mbps, yellow when it is 100 Mbps, and amber when it is 10 Mbps.
Chapter 2 Installing the iBypass HD
This chapter describes how to install and connect iBypass HD devices. The procedure for installing the iBypass HD follows these basic steps:
1. Plan the installation
2. Unpack and inspect the iBypass HD device
3. Install DBM modules
4. Install SFP modules
5. Rack mount the iBypass HD device
6. Connect power to the iBypass HD
7. Connect the command line interface (CLI) RS232 RJ45 port or the Management port (SSH)
8. Log into the CLI
9.
Plan the Installation
Before you begin the installation of your iBypass HD device, determine the following information:
• IP address of the iBypass HD device for the management interface, or a range of IP addresses if you are deploying multiple iBypass HD devices
• Net Mask for the iBypass HD
• IP address of the remote management console, if deployed over a WAN; this address will be used for SNMP traps (when available)
• Gateway to the remote management console, if deployed over a WAN
Install DBMs
If the Dual Bypass Modules (DBMs) are not already installed when you receive the unit, install them by sliding them into the DBM slots in the front panel. DBMs can be installed in any or all of the four slots; if you do not populate all of the slots, it does not matter which ones you leave empty. If there is a plate covering the DBM slot, remove it by unscrewing two thumb-screws; then install the DBM module. The DBM circuit boards slide in the rails provided in the slots.
Rack Mount the iBypass HD device
The iBypass HD is designed for rack mounting in a 19-inch equipment rack and occupies one rack unit. To mount the iBypass HD device:
1. Attach a slide rail bracket to each of the slide rails. Use either the short or long slide rail brackets, as needed to match the depth of your rack. The slide rail bracket is placed over the two mounting studs and adjusted to the required length.
Figure 8: Connecting redundant AC power supplies (AC models, independent power sources; Management Port and Console Port shown)
Caution: Use the AC power cords supplied with the product. If you use other AC power cords, they should have a wire gauge of at least 18 and a 230VAC 2A rating. Be sure to use three-prong cords and connect them to sockets with a good earth ground.
Figure 9: Connecting redundant DC power supplies (DC models, independent power sources; Earth Ground, Power Source 1 -48VDC/Return, Power Source 2 -48VDC/Return)
Caution: DC power cables should have a wire gauge of at least 14 and a 72VDC 6A rating. Always connect the earth grounds first, and keep the earth grounds connected whenever you are working on the device.
Warnings and Symbols
Warnings on product: WARNING: Warranty void if removed
Two of the labels illustrated above cover screws on the chassis top cover near the front corners. They prevent you from taking the cover off without voiding your warranty. You should not take the cover off because there are no user-serviceable parts inside, and there is a danger of electrical shock.
To connect the CLI locally over an RS232 serial port:
1. Connect a PC with terminal emulation software, such as HyperTerminal (or a Linux workstation running minicom), to the iBypass HD using a network cable and a DB9 or USB serial adapter.
Figure 10: Connecting RS232 Cable to the iBypass HD (Management Port, Console Port, RJ45 to DB9 adapter, computer with terminal emulation software)
2.
Connect the Remote CLI Interface
To run the CLI remotely, connect a network cable from a switch to the Management port on the back of the iBypass HD chassis. Use any computer with an SSH client to access the CLI over the network.
login as: ibypass                        # SSH login as "ibypass"
ibypass@10.60.4.8's password:            # password is not displayed (default "netoptics")
Last login: Thu Sep 4 09:40:31 2008 from 10.30.1.62
***********************************************************
* Net Optics Command Line Interface (CLI)                 *
* for iBypass HD                                          *
*                                                         *
* Copyright (c) 2010 by Net Optics, Inc.
Log into the CLI
Each iBypass HD maintains a list of accounts for users authorized to access that particular iBypass HD device. The default account for new systems is User Name admin and Password netoptics. To log into the CLI:
1. Type the user name. (The default user name is admin.) The Enter Password prompt is displayed.
2. Type the password. The default password is netoptics. For security, the password is not displayed as you type it.
Configure the iBypass HD Using the CLI
Log into the iBypass HD CLI. The factory-set default values for the iBypass HD are:
• Username: admin
• Password: netoptics
• IP Address: 10.60.4.180 (address for remote CLI, and for Indigo manager software, when available)
• Netmask: 255.0.0.0 (associated with IP Address)
• Manager IP Address: 192.168.1.2 (address for SNMP traps, when available)
• Gateway IP Address: 10.0.0.
Change the iBypass HD Login Password
It is strongly recommended that you change the login password from the default to provide security against unauthorized access. To change the login password:
1. Type user mod name=admin pw= priv=1, supplying the new password after pw=. The password is changed.
2. Record the new password in a secure location.
If you want to change the user name, use the user add command to create a new user account under that name. You can use the user del command to delete a user account.
Change Port Modes
You can use the port set command to configure the operating speed, autonegotiation, and duplex settings of 10/100/1000 copper-interface ports. All four ports of each bypass switch must be set to the same mode in order for the link to pass data. iBypass HD does not perform data rate conversion for unlike interfaces.
To load a saved iBypass HD configuration:
1. Type config load followed by the name of a saved configuration. The configuration is loaded.
2. Type commit. The loaded filters are activated in the hardware.
To view a list of all saved iBypass HD configurations:
• Type config list. A list of the iBypass HD configurations is displayed.
To view a saved iBypass HD configuration:
• Type config show followed by the name of a saved configuration.
Net Optics> config show
Error: file name must be specified.
Setting               Commit commands                 Persistent?
heartbeat set         commit                          yes
                      heartbeat commit                no
module set            commit                          yes
                      module commit                   no
segment set           commit                          yes
                      segment commit                  no
server add, del, mod  commit                          yes
                      server commit                   yes
sysip set             sysip commit (but not commit)   yes
system set            commit                          yes

Connect the iBypass HD to the Network
Each of the eight bypass switches can be attached in-line in network links.
Connect IPSs to the iBypass HD
To connect an IPS or other inline monitoring tool to the iBypass HD, attach monitor port 1 to one side of the IPS and monitor port 2 to the other side using the following procedure. To connect an IPS:
1. Plug the appropriate cable into a bypass switch's monitor port 1.
2. Plug the other end of the cable into the IPS's network port. The Link LED for the port illuminates after a short delay to indicate that a link has been established.
3.
Chapter 3 Configuring Bypass Switches Using the CLI
This chapter describes how to use the CLI to modify the configuration of the bypass switches in the iBypass HD.
Configure Bypass Switch and DBM Options
Each bypass switch can be configured independently as a bypass switch or a Tap. To configure switch 1 as a bypass switch, type segment set index=1 mode=sw. To configure switch 1 as a Tap, type segment set index=1 mode=tap.
Customize Heartbeat Packets
You can define a custom Heartbeat packet for each of the eight segments. The packet contents can be specified using the heartbeat set command. In addition, the timeout and retries can also be changed. A default Heartbeat packet is available for all segments.
• Heartbeat Mode (mode) – selects whether Heartbeat Packets should be issued from monitor port 1, 2, or both
• Heartbeat Retry Count (retries) – the number of consecutive Heartbeat packets that must be missed to trigger the Bypass On state; for example, when retries=1, Bypass On is triggered when a single Heartbeat packet is lost; the value must be in the range 1 to 10; the default value is 1
• Heartbeat Interval (interval) – number of milliseconds between emitting Heartbeat packets; the v
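The heartbeat decision described above (retries, interval, timeout and the fail_state note from the Bypass On section) as an added Python model; this is example code, not Net Optics firmware. It assumes a heartbeat counts as missed when it is not seen on monitor port 2 within timeout_ms, and that one good heartbeat returns the segment to Bypass Off; neither detail is stated on the page.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    retries: int = 1            # consecutive misses that trigger Bypass On (1..10)
    interval_ms: int = 1000     # milliseconds between heartbeat packets
    timeout_ms: int = 500       # assumed wait for the packet on monitor port 2
    fail_state: str = "fail-to-wire"  # or "no_traffic" (see the Bypass On note)
    missed: int = 0             # consecutive heartbeats missed so far
    bypass_on: bool = False     # True once the IPS has been taken offline
    log: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.retries <= 10:
            raise ValueError("retries must be in the range 1 to 10")
        if self.fail_state not in ("fail-to-wire", "no_traffic"):
            raise ValueError("fail_state must be fail-to-wire or no_traffic")

    def heartbeat(self, sent_ms, returned_ms):
        """Record one heartbeat sent at sent_ms from monitor port 1; returned_ms
        is when it was seen on monitor port 2, or None if it never came back."""
        if returned_ms is not None and returned_ms - sent_ms <= self.timeout_ms:
            self.missed = 0
            if self.bypass_on:      # assumption: one good heartbeat restores the path
                self.bypass_on = False
                self.log.append((sent_ms, "Bypass Off: IPS path restored"))
        else:
            self.missed += 1
            if self.missed >= self.retries and not self.bypass_on:
                self.bypass_on = True
                self.log.append((sent_ms, "Bypass On: IPS taken offline"))
        return self.bypass_on

    def network_traffic_flows(self):
        """Bypass On with fail-to-wire keeps the link up around the IPS;
        with no_traffic the link is blocked instead."""
        if not self.bypass_on:
            return True             # traffic passes through the IPS
        return self.fail_state == "fail-to-wire"

def run_schedule(seg, replies):
    """Send a heartbeat every interval; replies[i] is the round-trip delay in
    ms of the i-th heartbeat, or None if the IPS never returned it.
    Returns the bypass state after each heartbeat."""
    states = []
    for i, delay in enumerate(replies):
        sent = i * seg.interval_ms
        returned = None if delay is None else sent + delay
        states.append(seg.heartbeat(sent, returned))
    return states

if __name__ == "__main__":
    seg = Segment(retries=3, interval_ms=1000, timeout_ms=500)   # constructed input
    print(run_schedule(seg, [10, None, 900, None, 12, None, None, None, 15]))
```

With retries=3 the segment tolerates two lost or late heartbeats and only enters Bypass On at the third consecutive miss; a reply that arrives after the timeout counts as a miss.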
Figure 19: HA mode, link failure (panels: Normal Operation; Operation When Primary Link Fails; active link, passive link, backup IPS)
In Figure 19, the active router failed and its link to the iBypass Switch went down. The bypass switch reacted to the link-down condition by entering Bypass On mode on the primary link and routing the traffic on the backup link through the IPS. This action occurred automatically, without any manual intervention by the system administrator.
While in HA mode, the administrator can manually take an IPS offline for maintenance or other purposes by setting the DBM HA mode to force (ha_mode=force), assigning the link you want to be active as the primary_link, and assigning the tool you want to be active as the primary_tool. The other tool is offline and can be removed from the system.
Chapter 5 Configuring AAA Servers
The iBypass HD can access RADIUS and TACACS+ servers to perform user authentication and authorization. (Authentication and authorization, along with accounting, are referred to as AAA services.)
Figure 23: Privilege level mapping with lower numbers as View level (priv_map=v,5,9)
AAA Privilege Level    iBypass HD Privilege Level
12 to 9                admin
8 to 5                 user
4 to 1                 view
If the AAA server does not return an authorization privilege level, the iBypass HD privilege level defaults to view. You can change the default privilege level on a per-server basis with the priv_default argument, setting it to 1 for admin, 2 for user, and 3 for view.
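The mapping in Figure 23 and the priv_default fallback, as an added Python example (not Net Optics code). It assumes the thresholds in priv_map=v,5,9 are inclusive (level 9 and above is admin, 5 to 8 is user, below 5 is view) and accepts only the "v" form shown on the page; the syntax of any other form is not documented here, so it is rejected.

```python
PRIV_LEVELS = {1: "admin", 2: "user", 3: "view"}   # priv_default values from the page

def parse_priv_map(priv_map):
    """Parse 'v,<user_level>,<admin_level>' into (user_min, admin_min).
    Only the 'v' (lower numbers as View) form from Figure 23 is supported."""
    parts = priv_map.split(",")
    if len(parts) != 3 or parts[0] != "v":
        raise ValueError("only the form v,<user_level>,<admin_level> is supported here")
    user_min, admin_min = int(parts[1]), int(parts[2])
    if not 1 <= user_min < admin_min:
        raise ValueError("user level must be at least 1 and lower than the admin level")
    return user_min, admin_min

def map_privilege(aaa_level, priv_map="v,5,9", priv_default=3):
    """Return the iBypass HD privilege name for the level an AAA server
    returned; aaa_level is None when the server returned no level, in which
    case priv_default (1=admin, 2=user, 3=view) decides."""
    if aaa_level is None:
        return PRIV_LEVELS[priv_default]
    user_min, admin_min = parse_priv_map(priv_map)
    if aaa_level >= admin_min:          # assumption: thresholds are inclusive
        return "admin"
    if aaa_level >= user_min:
        return "user"
    return "view"

def mapping_table(priv_map="v,5,9", top=12):
    """Reproduce Figure 23 for a given priv_map as {aaa_level: role}."""
    return {lvl: map_privilege(lvl, priv_map) for lvl in range(top, 0, -1)}

def default_grants_admin(priv_default):
    """Review check: a server entry whose priv_default is 1 logs in users as
    admin whenever the AAA server returns no privilege level."""
    return PRIV_LEVELS[priv_default] == "admin"

if __name__ == "__main__":
    for lvl, role in mapping_table().items():
        print(lvl, role)
    print("no level returned ->", map_privilege(None))
```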
To add an AAA server at the beginning of the AAA services query sequence:
1. Type server add id=1 type= admin=enable srvip=120.30.10.3 pw=rad_password priv_map=v,5,9, replacing the argument values with ones appropriate for your system environment. The server configuration is made pending.
2. Type server commit. The server configuration is activated.
To disable an AAA server while leaving its configuration in the system:
3. Type server show.
Configuring AAA servers
Below are examples for configuring RADIUS and TACACS+ servers. To set the privilege level to 2 for the user account raduser on an Open RADIUS server:
1. Locate the RADIUS configuration file /usr/local/etc/raddb/users.
2. Add the line Class = 2 to the file for user account raduser.
Appendix A iBypass HD Specifications
Mechanical
  Dimensions: 1.75" high x 19" wide x 27" deep
  Mounting: Surface or 19" rack mount (1U)
  Weight: 8.2 lbs (3.7 kg)
Connectors
  Network Ports: (16) RJ45 (copper) or 16 Duplex LC (fiber)
  Monitor Ports: (16) RJ45 (copper) or 16 SFP (fiber)
  Management Ports: (1) RJ45 RS232 and (1) RJ45 10/100/1000 copper network
  Power: (2) AC universal or (2) -48VDC, redundant, hot-swappable
Electrical Interface
  AC Input: 100-240 VAC, 47-63 Hz, 1.
Available Models
IBP-8000      iBypass HD, Main Chassis, 4 DBM Bays
IBP-8000-DC   iBypass HD, Main Chassis, 4 DBM Bays, DC Power
DBM-100       DBM, iBypass HD, 10/100/1000, RJ45
DBM-200       DBM, iBypass HD, Gig, MM, 62.5um, SFP Monitor Ports
DBM-250       DBM, iBypass HD, Gig, MM, 50um, SFP Monitor Ports
DBM-300       DBM, iBypass HD, Gig, SM, 8.
Appendix B Command Line Interface
The CLI is case-sensitive; commands must be entered in lower case. However, certain items such as user-defined text strings, user names, and passwords can be entered in upper, lower, or mixed case, and are also case-sensitive. The tab key or the space key can be used to automatically complete words in the CLI. This function works for commands as well as arguments.
iBypass HD CLI Quick Reference
Table key: the table uses alternate row shading to distinguish commands and subcommands, as indicated in the following example.
Command: heartbeat
  Sub-command: commit
    Example: Net Optics> heartbeat commit
  Sub-command: reset
    Arguments: index=<1..8|seglist|all>
    Example: Net Optics> heartbeat reset index=1-4,7
  Sub-command: set
    Arguments: index=<1..8|seglist|all> [mode=] [retries=<1..10>] [interval=<1..

Command: port
  Sub-command: clear
    Arguments: ports=
    Example: Net Optics> port clear ports=s8
  Sub-command: set
    Arguments: ports= [admin=] [autoneg=] [content=] [duplex=] [speed=<10|100|1000>]
    Example: Net Optics> port set ports=s3,s4 autoneg=on
    ports=

Command: sysip
  Sub-command: commit
    Example: Net Optics> sysip commit
  Sub-command: discard
    Example: Net Optics> sysip discard
  Sub-command: set
    Arguments: ipaddr= mask= gw=
    Example: Net Optics> sysip set ipaddr=100.6.4.15 mask=255.255.0.0 gw=10.0.0.

Command: system

Limitations on Warranty and Liability
Net Optics offers a limited warranty for all its products. IN NO EVENT SHALL NET OPTICS, INC. BE LIABLE FOR ANY DAMAGES INCURRED BY THE USE OF THE PRODUCTS (INCLUDING BOTH HARDWARE AND SOFTWARE) DESCRIBED IN THIS MANUAL, OR BY ANY DEFECT OR INACCURACY IN THIS MANUAL ITSELF.
www.netoptics.com © 2008-2010 by Net Optics, Inc. All Rights Reserved.