Summary of Contents for IXIA iBypass VHD IBYPVHD-CH-AC
User Guide iBypass VHD Software Version 1.0 iBypass VHD Chassis with Interface Modules IM-21-BYP Interface Module 913-2174-01 Rev A 07/16...
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. Ixia, the Ixia logo, and all Ixia brand names and product names in this document are either trademarks or registered trademarks of Ixia in the United States and/or other countries.
Features Increase uptime and ROI on your security infrastructure with a high density bypass switch. The iBypass VHD hardware platform leverages reliable Ixia bypass technology with next-generation intelligence and flexibility to ensure that your security tools continuously see network traffic. The Ixia iBypass VHD provides that critically reliable separation point between the network and security layers, for resilient inline security and monitoring deployments.
For a few of the more recognized tools, the iBypass VHD software has pre-configured the Heartbeat packets, saving you time. The iBypass VHD has included preset Heartbeat scenarios for:
• Ixia NPB, Vision ONE, xStream 40
• FireEye NX 44XX (1G), NX 74XX/75XX (1G), NX 94XX/10XXX (10G)
• Imperva X6510/4510/2510 (1G) X10K/8510 (10G)
• Cisco FirePOWER 7000 (1G), FirePOWER 8000 (10G)
features help prevent unwanted access to the interfaces. In the event there are system, link, power, or threshold changes, the iBypass VHD issues SNMP traps that are directed to the desired management devices. Network Intelligence The iBypass VHD switch includes Remote Monitoring (RMON) statistics that provide great visibility into the network to allow integration with existing network management tools.
Chapter 2 Device Overview This chapter provides an overview of the iBypass VHD product. iBypass VHD Front View The following illustrations show the front and rear views of the iBypass VHD product. The front of the iBypass VHD chassis comes with two RJ45 connectors on the right side.
iBypass VHD Rear View The rear of the chassis contains two redundant power supplies which provide power to the chassis and Interface modules. There are five fans to keep the device cool. Figure 1. iBypass VHD Front and Rear Views Table 2. Rear Panel Features Field name Description Cooling fans Field-replaceable, hot-swappable fans.
Ports Each Interface module contains eight (8) network ports (1-8) and eight (8) tool ports (9-16). The following describes the features of the iBypass VHD Interface module: Table 3. Interface module Ports Feature Description Network Ports Ports 1 through 8.
Battery Connection The Interface module contains a lithium-ion battery that is intended to power the module when the chassis power has been disabled or disconnected. There are battery indicators on the front of the module. Latch Knob Connect/Disconnect Battery Battery Charged...
Battery Preparation The Interface module contains a lithium-ion battery. When you remove the Interface module from the packaging, you will notice that the battery cable is not physically inserted into the socket. Remove the protective label, insert the connector to the socket and ensure the connector is well seated.
Warnings and Symbols Warnings on product WARNING: Warranty void if removed A WARNING label, like the one illustrated above, covers a screw on the top cover near the rear corner. The label is intended to prevent you from taking the cover off. Taking the cover off would void your warranty.
Note: The iBypass VHD has two power supplies; use a separate AC power source for each supply to add redundancy. If one power source fails, the iBypass VHD can continue to operate using the other power source.
Laser Warning: The 10 gigabit Ethernet fiber-optic interfaces use Class 1 lasers. To reduce the risk of eye injury, do not stare into the interface or otherwise direct the laser beam into your eye. Electrostatic Discharge: The electrostatic discharge (ESD) symbol indicates proper antistatic precautions should be taken to avoid damaging electronic equipment including printed circuit boards and components that are sensitive to static electricity.
The SFP+ transceivers and cables are ordered and shipped separately. For more product details, download the iBypass VHD User Guide, CLI Reference and Release Notes from the Ixia Customer Portal. Check the packing slip against parts received. If a component is missing or damaged, please contact our Order Management department via email at Order-Management@ixiacom.com...
Rack Mount Installation The iBypass VHD chassis is designed for rack mounting in a 19-inch equipment rack and occupies one rack unit. Each chassis is shipped with a set of rails that can fit into a standard 19” rack. To rack mount the iBypass VHD chassis: There are two rails. The one marked ‘R’ mounts on the right side of the rack and the one marked ‘L’...
Power Connections For AC power units, use the power cords that were included with the unit. For DC power, you must supply your own cables. If you plan to use redundant power, make sure that you connect each power supply to two independent power sources for maximum protection.
To connect DC power to the iBypass VHD device: Note: If you have not already done so, unpack the chassis and verify that you possess the appropriate DC power cables. You also need a Phillips screwdriver to complete the installation.
Warning: This unit might have more than one power supply connection. All connections must be removed to completely power off the unit. Prepare the Interface Module To prepare the Interface Module for the iBypass VHD chassis: Remove the Interface Modules from the packaging.
With the front of the Module facing towards you, insert a small thin probe into the Connect Battery switch (right side of the module) and press it to make the connection between the battery and the Module. Refer to the illustration below that shows the Connect/Disconnect Battery location.
Connect and Log In iBypass VHD Default Settings The iBypass VHD Chassis ships with the following default system settings:
• IP Address: 192.168.41.88
• Netmask: 255.255.255.0
• Gateway: 192.168.41.1
• Username: admin
• Password: admin
You can connect the device to your network and log in using the default address. To log into the iBypass VHD, attach a PC to the Console port.
Configure the iBypass VHD IP Initial Setup To initially configure the iBypass VHD Switch, it is recommended that you assign a new management IP address, create a new password for the admin account, and create new accounts for administrators who will access the switch. You can perform the initial configuration of the switch by connecting to the Console port of the iBypass VHD chassis and establishing a direct console connection. You can assign a static IP address or use DHCP: To assign a static IP address: While still in config mode, at the command prompt, type in the following...
Log in to the iBypass VHD Web UI To confirm that your chassis and modules are functional, log in. Open a browser on a PC and enter the IP address of the iBypass VHD device. Enter the default username, admin, and the default password, admin or the new password.
Chapter 4 Licensing License Overview The iBypass VHD product consists of a chassis and up to 3 Interface Modules per chassis. When you purchase the chassis and one or more Interface Modules, you will receive the chassis and your Interface Modules shipped in separate boxes. The chassis itself requires a license to run.
Go to the Web UI, log in, and go to SETTINGS > License > Wizard tab. Get the Host ID and copy it to the clipboard. Give the Activation IDs and Host ID to the Ixia License server. Enter in browser URL, https://fulfillment-prod.ixiacom.com/activation mail...
When you purchase the iBypass VHD chassis and modules, the product information is kept in the Ixia Order Management System, and the Order Management System keeps track of the licenses and entitlements. After the purchase, Ixia sends an email to the purchaser confirming the order and also includes the Activation Codes for each license. You will need the Activation Codes to obtain the license file from the Ixia...
Host ID Find the Host ID of the device. With the CLI Start with the CLI command (in config mode), show license hostId. Using the Web UI Go to SETTINGS > License > Wizard tab. Copy the hostID. License Server The License Server is where you will obtain the license file for your device. Open a browser and enter https://licensing.ixiacom.com/activation. The license server portal page opens.
Click the Load data button. The button will change to say "Processing". The server will return the list of entitlements available.
0 quantity available of the total (1) purchased, and you cannot check out a base license - "No available quantities". This is because Ixia has already installed the Chassis Base license on your device before it was shipped to you. You can verify that by going to the License >...
Click the Download License File button to save the license file onto your local computer. Web License Wizard Log back into your iBypass VHD through the Web UI. Click on "Click to choose file". Select the license file you just downloaded from the License Server. Click Open. The Web UI will process the file immediately. The system message will display briefly confirming the number of features you are licensed to use. 10. Go to SETTINGS > License > Active to also confirm what is licensed. Congratulations. You just licensed your device to configure Taps, Bypasses, Aggregation and Regeneration.
Deactivation The Ixia License Server gives you the ability to deactivate a license. You may have a number of reasons for this. One example is you want to remove some entitlements from this device and transfer them to another device.
Therefore, select the TAP license and change the New License Count to 0. Changing the New License Count to 0 tells the License Server that the host does not want any TAP licenses. In this example, we will leave the chassis base license assigned to the host. Click Submit.
IP address. The system ships with the Web interface enabled. Recommended Browsers The Web UI for the iBypass VHD is compatible with all major Web browsers. However, for optimal user experience, Ixia recommends the following Web browsers when using the Web UI:
• Firefox - v45.0 (or later)
• Chrome - v48.0 (or later)
Web UI After a successful log in, the DASHBOARD appears. Taking a quick inventory of what you see:
• Logged in user and system name and IP
• Bypass, battery, power statuses - icon details are described below
• System Settings
• Log Out
The Navigation bar has six topics and a Find field.
DASHBOARD - Ports Enabled The dashboard below shows all 16 ports on modules A, B and C are licensed and enabled. A green port indicates that the port is enabled and up. Web UI - Top Icons In the next illustration, there are various status icons with different shapes and colors along the top right of the page.
Bypass Switches The Bypass switch status icons use these coding rules:
• Green circle: Bypass is off including ALL tools in an active-active service chain.
• Yellow triangle: Bypass off overall, but at least one tool is up and at least one tool is down in an active-active service chain. OR Bypass might be forced_off.
A battery icon appears if a module's battery has an alert condition. The icon will be orange for a minor alert and red for a major alert. Orange icon appears when the (module is inserted):
- battery is absent or disconnected or
- high voltage is higher than 8.5V or
- low voltage is lower than 6.72V.
The thermometer icon will be orange for a minor alarm and red for a major alarm. For South and East of FPGA sensors:
- High temperatures between 41C-47C will cause minor alarms.
- High temperatures above 47C will cause major alarms.
- Low temperatures between -5C and -10C will cause minor alarms.
Filtering Boxes On many displays that have long lists, the Web UI includes a set of filtering boxes. These boxes enable you to define search criteria and list only those lines that match. This is really handy if you have a huge number of lines to look through and want to see specific details. You can limit the amount of data you view in the port configuration, traffic statistics, and events tables using the two filter boxes above the table. The filter boxes are labeled port list or "sel" or "vis" and value or column:value. Let's call them the port list and content filters. (The Events table has only the content filter.)
Port Filter Use the port list filter to select a set of ports to view. If you type a port list such as "A.01,A.05,B.11" into the port list filter box, all of the ports except those three are hidden. The port list filter accepts a relaxed syntax; for example, "a.7-a.11" selects all of the ports from A.07 through A.11. You can also type "sel" to create a port list of all of the ports that are currently selected.
Content Filter Use the content filter to select what to view based on the text in the table row. For example, type "disabled" to view all of the rows that contain the string "disabled". This filter would pick up all of the ports that are admin=disabled, but it could pick up other ports, for example if the string "disabled" was part of the port name. You can restrict the search to a particular column by prefixing the string with the table header, such as "admin:disabled"...
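The two filters described above, modelled in Python as an added example (this is not Ixia's code and does not come from the guide). It shows why a bare "disabled" search over-matches when reviewing which ports are administratively disabled, while "admin:disabled" does not. Assumptions: case-insensitive matching, ranges confined to one module, the undocumented "vis" keyword left unsupported, and the constructed sample rows.

```python
"""Added example: a model of the Web UI port-list and content filters."""
import re

MODULES = "ABC"        # the page: up to 3 Interface Modules per chassis
PORTS_PER_MODULE = 16  # the page: ports 1-8 are network, 9-16 are tool

_PORT = re.compile(r"([A-Za-z])\.(\d{1,2})")


def _parse_port(token):
    """Parse one relaxed port token ('a.7', 'A.07') into ('A', 7)."""
    m = _PORT.fullmatch(token.strip())
    if not m:
        raise ValueError(f"not a port: {token!r}")
    module, number = m.group(1).upper(), int(m.group(2))
    if module not in MODULES or not 1 <= number <= PORTS_PER_MODULE:
        raise ValueError(f"port out of range: {token!r}")
    return module, number


def expand_port_list(expr, selected=()):
    """Expand a port-list filter into sorted canonical names such as 'A.07'.

    'selected' stands in for the ports currently ticked in the UI, which is
    what the "sel" keyword refers to (names assumed already canonical).
    """
    ports = set()
    for item in expr.split(","):
        item = item.strip()
        if not item:
            continue
        if item.lower() == "sel":
            ports.update(selected)
        elif "-" in item:
            first, last = (_parse_port(p) for p in item.split("-", 1))
            # Assumption: a range stays inside one module and runs upward.
            if first[0] != last[0] or first[1] > last[1]:
                raise ValueError(f"bad range: {item!r}")
            ports.update(f"{first[0]}.{n:02d}"
                         for n in range(first[1], last[1] + 1))
        else:
            ports.add("{}.{:02d}".format(*_parse_port(item)))
    return sorted(ports)


def row_matches(row, text):
    """Content filter: 'text' searches the whole row, 'column:text' one column."""
    text = text.strip().lower()
    if not text:
        return True
    column, sep, value = text.partition(":")
    headers = {name.lower(): name for name in row}
    if sep and column.strip() in headers:
        return value.strip() in str(row[headers[column.strip()]]).lower()
    # No known column prefix: fall back to a substring search over every cell.
    return text in " ".join(str(v) for v in row.values()).lower()


def filter_rows(rows, port_expr="", content=""):
    """Apply both filters and return the names of the ports still visible."""
    wanted = set(expand_port_list(port_expr)) if port_expr.strip() else None
    return [r["port"] for r in rows
            if (wanted is None or r["port"] in wanted)
            and row_matches(r, content)]


# Constructed sample table (not real device output).
SAMPLE_ROWS = [
    {"port": "A.01", "name": "core-uplink", "admin": "enabled"},
    {"port": "A.05", "name": "disabled-span", "admin": "enabled"},
    {"port": "A.07", "name": "ids-in", "admin": "disabled"},
    {"port": "B.11", "name": "ids-out", "admin": "enabled"},
]

if __name__ == "__main__":
    print(expand_port_list("a.7-a.11"))
    print(filter_rows(SAMPLE_ROWS, content="disabled"))        # over-matches
    print(filter_rows(SAMPLE_ROWS, content="admin:disabled"))  # exact column
```
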
System Settings This section describes how to configure System Settings. The order of the topics follows the order of topics in SETTINGS in the Web UI. Each section gives a brief description of the purpose of the section. For each subject, you can choose to configure with a CLI command or through the Web UI. You can configure the following:
• Access Control (AAA servers) - Full description in "Chapter 9 AAA Servers"...
Device Management On the Device Information and Configuration page, you have the ability to:
• Set the system clock, configure NTP servers
• Set the Console Port baud rate
• View hardware health
• Make installation notes
• Configure Management port and view status
• Configure Interface IP address
Clock and NTP iBypass VHD maintains a time-of-day clock. Time is based on the 24-hour clock. The time and date should be maintained so that log messages will have meaningful timestamps and license validity dating works correctly.
Using the Web UI Go to SETTINGS > Device > Clock. The Time & Date page displays. Note the time and date. NTP Servers You can define up to three NTP servers from which to get time and you can enable each NTP server individually. With the CLI Start with the CLI command (in config mode), device timeDate ntp. Using the Web UI Go to SETTINGS >...
Alarms Description majorAlarm This alarm displays on the page when a serious condition exists. You might have to act upon it. minorAlarm This alarm displays on the page when a condition exists that is not serious but should be watched. Normal operations Enter Installation Notes You have the ability to enter installation notes here.
Using the Web UI Go to SETTINGS > Device > Installation Notes tab. Configure and View Management Port You have the ability to configure the speed, duplex and negotiation for the Management Port. With the CLI Start with the CLI command (in config mode), device mgmtPort. Using the Web UI Go to SETTINGS > Device > Mgmt Port tab. Configure Interface IP Address You have the ability to re-configure the Management port address to another address or use DHCP.
Using the Web UI Go to SETTINGS > Device > License tab. On the License Management page, you have various tabs to view license details. Click on the blue info button to display the help. To see what features are currently licensed on this device, click the Action tab.
Management Interfaces You have the ability to enable or disable three interfaces of the iBypass VHD:
• SNMP
• SSH
• Web UI
Configure SNMP You have the ability to configure SNMP traps, configure protocols, v2 authorization and add v3 user credentials. See the Chapter on SNMP. Configure SSH You have the ability to configure and enable/disable the SSH (CLI) server.
Security You can configure the iBypass VHD security profile, configure the Management Port firewall, and install your own SSL certificate. You have the ability to set:
• Profile
• Firewall
• SSL Certificate
Configure Profile The iBypass VHD device allows you to set three categories of security options: Default, STIG and PCI. The difference in options is shown in the following table. STIG default Item...
Using the Web UI Go to SETTINGS > Security > Firewall tab. Click the +Add to add a rule. SSL Certificate You, the admin user, have the ability to replace the self-assigned SSL certificate installed on the iBypass VHD device. The installed certificate relies on Ixia's security certificate and is the default setting. After you have obtained a certificate and key that you want to use, you can import those files using FTP, scp, or SFTP into iBypass VHD via the iBypass VHD CLI system security certificate command or through the Web UI. After you import the certificate and key files, iBypass VHD stores them. They become the User Certificate.
You can delete or replace the User Certificate, but you cannot delete the Default certificate. You can change the focus from Default certificate to User certificate at any time. With the CLI Start with the CLI command (in config mode), system security certificate. Using the Web UI Go to SETTINGS > Security > SSL Certificate tab. Click Delete to delete an SSL User Certificate. You can easily import a certificate file from your computer by clicking on the "Click to choose file", choose a file from your system and click Open. The file is imported automatically.
Show Version and Upgrade You have the ability to view the running image version, switch the next boot image and view information about the last upgrade. With the CLI Start with the CLI command (in operational mode), image switch. Using the Web UI Go to SETTINGS >...
System and Restart You have the ability to do the following:
• Restart, shutdown, unconfig, see hidden settings, create full configuration backup, restore full configuration
• Create, modify the system name
• Create and enable/disable Message of the Day
• Specify authentication order
• Configure CLI prompts and idle timeout
• Create pre-login banner
• Recovery
Restart You, the admin user, can restart the system with a CLI command or clicking on the...
Unconfig You have the ability to remove all configuration settings from the device. The command will remove from the database, configuration settings, SSH password, pre-loaded configuration files, backups, the sysIP and logs. With the CLI Start with the CLI command (in operational mode), system unconfig.
iBypass VHD# system unconfig action restart_system
Using the Web UI Go to SETTINGS > System, restart > Restart tab > Unconfig link. Create Full Backup You have the ability to perform a full system backup of iBypass VHD database and configurations. The iBypass VHD application itself is not backed up.
You have the ability to give this system a customized hostname and a system name. With the CLI Start with the CLI command (in config mode), system hostname or system name.
iBypass VHD (config)# system hostname IXIA-100
iBypass VHD (config)# system name "Zeus the Mighty"
iBypass VHD (config)# commit
Using the Web UI Go to Settings >...
With the CLI Start with the CLI command (in config mode), system authentication.
system authentication authOrder < aaa-only | aaa-pam | pam-aaa | pam-only >
Using the Web UI Go to Settings > System, restart > Authentication Order tab. Select the authentication order preference. Click the Save button to activate the setting.
A page displays which enables you to set the recovery mode to auto or manual. When a recovery event occurs, some statuses will be tracked here, mainly used by the Ixia Support team.
There are two other accounts, the locksmith and root accounts, both enable Ixia support personnel to log in without compromising the existing security of the device. Activation of the three support accounts is controlled by the admin account. In other words, the admin can enable or disable any of the three accounts from being used.
With the CLI Start with the CLI command (in config mode), support account. Using the Web UI Go to Settings > Users > Support Accounts tab. The User Account Management page displays. Select Enabled or Disabled for each support account. Then click the Save button to commit the change to the database.
Root Account The root account is used by the Ixia TAC team to troubleshoot any system issues on the device. This account is accessible via the Console port when support account root is enabled and via SSH when device extraSSH is also enabled.
Sessions The user has the ability to see which users are logged onto the system. With the CLI Start with the CLI command (in operational mode), show sessions. Then use session terminate ID# to terminate a session. Using the Web UI Go to SETTINGS >...
Export System Files You have the ability to export several types of files to your local PC. While you have the option to use an FTP, scp, or SFTP protocol to transfer your file(s), FTP is the default file transfer mechanism. Ixia Support personnel may ask you to use this utility to capture and send information when they are working with you investigating issues. With the CLI Start with the CLI command (in operational mode), tools capture.
3. Click the Export button. If you selected FTP/SCP/SFTP, you need to supply more transfer details. Logging The user has the ability to manipulate the system logs. The user can clear the system log, enable/disable audit logs, and configure sending log messages to remote servers. With the CLI Start with the CLI command (in config mode), logging.
With the CLI Start with the CLI command (in operational mode), send.
IBPVHD [admin@IXIA] # send all "The system is going down in 10 min."
Using the Web UI Go to SETTINGS > Utilities > Pop-Up Utils > Chat. The Chat dialog box displays.
Using the Web UI Go to SETTINGS > Utilities > Pop-Up Utils > Ping.
1. In the dialog box, enter the IP address you want to ping.
2. Click the Ping button.
3. Click the Done button when you have finished viewing the results.
Traceroute The user has the ability to perform a traceroute on an IP address.
Links Description
DASHBOARD: Displays the configuration and status of the system.
DIAGRAM: Diagramming tool to configure Taps, Port Maps and Bypass switches.
STATUS: Displays the Events log, Bypass switches status, Tool Watch status and Traffic Statistics.
CONFIGURATION: Configure: • Link Default Detect • Modules and chassis • Ports • Tool Watch • Configuration files • With Preset Configurations
HELP: Overview - Guide to using Context-Sensitive Help and...
Events Page The Events page displays a log of system events, such as Heartbeat or hardware temperature change alarm occurrences and module discovery. Other types of messages, such as user log-in auditing, system restarts, will be listed in Logging.
Tool Watch Page The Tool Watch page displays the status of each configured Tool Watch session. Traffic Statistics Page The Traffic Statistics pages display the incoming and outgoing traffic statistics for all ports.
CONFIGURATION From the CONFIGURATION menu, you can select and configure the following:
• Link Fault Detects
• Modules and Chassis Settings
• Ports
• Tool Watch
• Configuration Files
• Presets
Link Fault Detect Page The Link Fault Detect (LFD) page enables you to select port pairs and enable or disable them.
Modules and Chassis Page The Modules and Chassis page displays Chassis and module statuses. You can click on the blue buttons to set Administrative Status, Asset ID, and Alias for each module. You can also create custom attributes for each module.
Ports Page The Ports page displays the configuration information of each licensed port. To edit a port's configuration, click on the port's row in the table. You can change the configuration of multiple ports at once by selecting the checkboxes in the left column and then clicking Edit.
Tool Watch Page The Tool Watch page gives you the ability to monitor the health of external devices by monitoring them over the iBypass VHD Management port. To create a tool watch, first set up a method using the Method tab, and then go to the Session tab to configure the tool watch session using the method you just created. To see the status of a Tool Watch session, go to Status >...
Configuration Files Page The Configuration Files page displays the list of preset configurations that are included with the device. When you click on one of the presets, the configuration is listed in the right window. The page also enables the user to save the current running configuration into a file or load a configuration from a configuration file. Just enter a file name in the Filename field and click Save config. Show running will list the configuration that is currently running on the device. Load will load the configuration file named in the Filename field into the running configuration. Highlight a name on the left and click Delete to delete the file from the list. Click Import to import a configuration file from your computer. Click Export to save the named configuration file onto your computer. Click Full Backup to create a backup of the current running system configuration.
Presets Page The Presets link on the CONFIGURATION drop-down menu enables you to use pre-configured Tap, Bypass, Aggregation and Regeneration settings to configure those functions on the device with a single click. You can do this while you are on any page of the UI, but it is easiest to do it from the Diagram page because then you can immediately see the results of loading the preset configuration. After loading a preset, you can examine its effects and then SAVE it if you like it, or make further changes before Saving, or Cancel to back out...
The diagram redraws with the Module C ports configured. Here are a few operational items to consider:
• When you hover over the Configuration > Presets link, it lists all saved configuration files with the extension .preset.
• Filenames that begin with A_, B_, or C_ are grouped under the A_, B_, C_ cascade menus.
Chapter 6 Taps and Bypasses This section describes how to configure the Module to function as Taps and Bypasses. You can configure any mix of taps and bypass switches within a single module. Taps The iBypass VHD gives you the ability to configure Tap functionality and Bypass functionality in one set of hardware. Each iBypass VHD Interface Module consists of 8 network ports and 8 tool ports. A tap by definition uses two network ports and two tool ports. Therefore you can enable 4 taps on each module. Rules The network ports per tap are paired.
[Figure: Tap flow; One link down flow; Both links down flow] Create a Tap Go to the Diagram tab. Click the +Add icon and select Tap. The Edit Tap box appears. Enter a Name, some description, and optionally select to administratively enable this tap now or wait until later.
To define the tool ports, select the Tap Connections tab. Click Add Ports... next to the first box. Select a tool port. Click Add Ports... next to the second box. Select a tool port. Click OK. The Diagram updates to show the Tap and its network and tool port connections.
Bypass Switches The iBypass VHD can be configured for at least one Bypass switch per module. The only rule about a Bypass switch is that it needs two network ports. The network ports must be paired. There are only 8 tool ports you can configure. If you configure one bypass switch to hook up to all 8 tool ports, then you can only configure one bypass switch. If you only hook up 4 tool ports on the first bypass switch, you could configure a second bypass switch to use the remaining 4 tool ports. There are some rules along the way for creating a bypass switch. As you click on each page, there are meaningful instructions that guide you along the way.
The tools that iBypass VHD has presets for are:
• Ixia NPB, Vision ONE or xStream 40
• FireEye NX 44XX (1G), NX 74XX/75XX (1G), NX 94XX/10XXX (10G)
• Imperva X6510/4510/2510 (1G) X10K/8510 (10G)
• Cisco FirePOWER 7000 (1G), FirePOWER 8000 (10G)
Enter a Name and description. In the Fail state field, select how you want the Bypass to handle the traffic when a failed state occurs and the Bypass is ON: Open or Closed. If you set to Open, traffic will flow (when bypass is on). If you set to Closed, traffic is BLOCKED (when bypass is on). In the Force bypass field, select the operation you want to happen at all times: no force (let flows happen normally), force bypass on all the time, or force bypass off all the time. The Force Bypass On button is a way to quickly make the traffic bypass the tools without pressing OK and SAVE.
Click Add Ports on the A side. The Select Network Port page appears. Select the A side ports. Click OK. The B-side ports will auto fill.
If you want to change the position of the ports, select a port and click one of the positional buttons. Click OK. The bypass switch will draw on the page so you can see what has been configured so far.
In the right panel, click Add Ports on A side (top). Select a port, click OK. Click Add Ports on B side (bottom). Select a port, click OK. Click OK. The tool port pairs will appear in the Inline Tools page. 11.
At this point, after you have selected your pair of tool ports, the system sets each tool port to a default port setting and a default heartbeat configuration. Default tool port setting: Item Value Admin enabled Configure Speed 10000 (10Gbps) Auto-negotiation Duplex Full Alert Interval Rising Threshold 80 on Rx and Tx Falling Threshold 75 on Rx and Tx Default Heartbeat scenario settings:...
Now you can adjust the configuration settings of each tool port and its heartbeat packet value. Adjust Tool Ports Settings Click on Action icon > Properties of the port box (under Tool Ports) to adjust settings of that tool port. Click Admin Enable or Disable if you want to turn on or off, respectively, the tool port.
This saves you a great deal of time configuring if you use these tools. The tools that iBypass VHD has presets for are: • Ixia NPB, Vision ONE and xStream 40 • FireEye NX 44XX (1G), NX 74XX/75XX (1G), NX 94XX/10XXX (10G) • Imperva X6510/4510/2510 (1G) X10K/8510 (10G) • Cisco FIREPower 7000 (1G), FirePOWER 8000 (10G)
Page 93
iBypass VHD User Guide v1.0 Click SAVE > SAVE CHANGES. Go to and select the Switch's Action icon > Properties and select the Show arrow of the port connected to the special inline tool. You will see that the heartbeat value here took on the special tool's preset heartbeat value. You can change your mind about the heartbeat value and edit the Heartbeat value on the Edit Heartbeat Packet Value page or you can Set to default.
iBypass VHD User Guide v1.0 Chapter 7 Port Maps This chapter describes how to configure the Module to function as Port Maps. You can configure Port Maps and Taps in the same module, but you cannot configure Port Maps in a module that contains a Bypass switch. Port Maps Port Maps route traffic from input ports to output ports. While Taps and Bypass switches are inline with the network link traffic, and deal with bi-directional traffic, Port Maps are out-of-band and are uni-directional. In other words, Port Maps route traffic from your router span ports and external taps to out-of-band monitoring tools. Port Maps support the following topologies: • One-to-one mapping A copy of the traffic from a single input port is sent to a single output port so that a single tool can monitor the traffic from that span port or tap. One-to-...
iBypass VHD User Guide v1.0 Port maps provide a “double your ports” capability for iBypass VHD because a 16-port module provides 16 inputs and 16 outputs that can be used independently in port maps. This is why the Diagram view shows each port number as both a network port on the left and a tool port on the right.
iBypass VHD User Guide v1.0 Click Add Ports... to select the A side ports. Click OK. Click Add Ports... to select the B side ports. Click OK. The Diagram shows the existence of the port map you just created. Click SAVE > SAVE CHANGES to save it in the database. How to Double Your Ports In practice, to use the input and output sides of a port independently, you usually need a splitter cable that has both the TX and RX fibers in a single connector on one...
Chapter 8 Aggregation and Regeneration The iBypass VHD gives you the ability to configure the modules to perform the functions of a port aggregator, a link aggregator and a regeneration tap. Note: To use the Aggregation and Regeneration functions, you need to apply the Add-on Aggregation and Regeneration license. Port Aggregation A port aggregator is a tap that sends to an out-of-band monitoring tool a copy of the combined traffic from both directions on the tapped link.
Page 98
iBypass VHD User Guide v1.0 Link aggregation can be combined with port aggregation to send all traffic from both directions on the links to a single out-of-band monitoring tool like this: Chapter 8 Aggregation and Regeneration Link Aggregation...
Regeneration A regeneration tap makes multiple copies of the same traffic so that different out-of-band tools can monitor the same traffic at the same time. Typical regeneration taps send copies of the traffic from each direction on the link to separate outputs. Regeneration is built into the iBypass VHD tap function – simply connect multiple tool ports to the same tap outputs. For example, here is a tap that regenerates four copies of the link traffic: Of course, the tap’s port aggregation output can also regenerate multiple copies:
iBypass VHD User Guide v1.0 Aggregation Regeneration Presets Two of the preset configurations shipped with the product illustrate how port aggregation, link aggregation, and regeneration functionality can be combined. Preset configuration “A Link Aggregator” aggregates the traffic from four links and provides both single-ended outputs and the port aggregation output: Preset configuration “A Link Agg Regen” aggregates the traffic from four links and provides four copies of the single-ended outputs: Chapter 8 Aggregation and Regeneration Aggregation Regeneration Presets...
Chapter 9 AAA Servers Configuring for RADIUS and TACACS+ Servers The iBypass VHD can be configured to obtain AAA services from up to ten RADIUS and TACACS+ servers, in addition to its local (internal) user account list. When a user attempts to log into the system, iBypass VHD queries the local account to authenticate the user. When AAA services are enabled, the user has the ability to configure which authentication servers are queried and in what order. If authentication is unsuccessful locally and on all configured servers, the login request is denied.
iBypass VHD User Guide v1.0 priv_map a,2,2 view user admin Privilege level mapping with lower numbers as View level AAA Privilege Level iBypass VHD Family Privilege Level admin priv_map v,5,9 user view If the AAA server does not return an authorization privilege level, the iBypass VHD privilege level defaults to a,2,2.
The account should be a privilege level one. After connecting to the Console port and getting a login prompt: Type in ixia for the login name, and ixia for the password. 2. At the next set of prompts, type in your account credentials that the authentication server will recognize.
iBypass VHD User Guide v1.0 After the second prompt log in, you will be able to view and configure the system as if you had logged in with a local account. Configuring AAA Servers Below are examples for configuring RADIUS and TACACS+ servers. Please consult the documentation for the specific AAA server you are utilizing. For Radius servers, iBypass VHD requires a standard reply message and the standard CLASS attribute must be included in the reply message. The CLASS attribute can be 1 to 99. For example, if you assign a user CLASS=45, and you configure iBypass VHD with priv_map=a,30,40, iBypass VHD will enable this user with 'Viewer' privileges.
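The CLASS-to-privilege mapping above, modelled as an added example (not Ixia code) so a planned set of RADIUS CLASS values can be checked before deployment. It assumes the two priv_map numbers are inclusive upper bounds and that the leading a or v decides whether low numbers mean admin or view; the function names and the sample accounts are hypothetical.

```python
# Added example: a model of the priv_map mapping described on this page.
# ASSUMPTION: thresholds are inclusive upper bounds; the page does not say.

LOW_IS_ADMIN = ("admin", "user", "view")   # priv_map a,x,y
LOW_IS_VIEW = ("view", "user", "admin")    # priv_map v,x,y


def parse_priv_map(spec):
    """Parse 'a,30,40' or 'v,5,9' into (ordered levels, low, high)."""
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) != 3 or parts[0] not in ("a", "v"):
        raise ValueError(f"unrecognised priv_map: {spec!r}")
    low, high = int(parts[1]), int(parts[2])
    if low < 1 or low > high:
        raise ValueError(f"thresholds must satisfy 1 <= low <= high: {spec!r}")
    return (LOW_IS_ADMIN if parts[0] == "a" else LOW_IS_VIEW), low, high


def resolve(spec, radius_class):
    """Return the device privilege level a RADIUS CLASS value maps to."""
    levels, low, high = parse_priv_map(spec)
    if not 1 <= radius_class <= 99:        # the page limits CLASS to 1..99
        raise ValueError(f"CLASS out of range: {radius_class}")
    if radius_class <= low:
        return levels[0]
    if radius_class <= high:
        return levels[1]
    return levels[2]


def admins(spec, assignments):
    """List the accounts that a given priv_map would make admin."""
    return sorted(u for u, c in assignments.items()
                  if resolve(spec, c) == "admin")


# Constructed sample: CLASS values as they might be set on the RADIUS server.
SAMPLE = {"noc-readonly": 45, "operator": 35, "secadmin": 10}

if __name__ == "__main__":
    for spec in ("a,30,40", "v,30,40"):
        mapped = {u: resolve(spec, c) for u, c in SAMPLE.items()}
        print(spec, mapped, "admins:", admins(spec, SAMPLE))
```

Under these assumptions, the same CLASS=45 that is a viewer with a,30,40 becomes an admin with v,30,40, so the leading letter deserves the same review as the numbers.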
Accounting Messages to TACACS+ AAA Servers An admin user has the ability to configure iBypass VHD to send AAA accounting messages to the TACACS+ AAA servers, where those messages will be stored in the accounting log files (predefined on the server by the user). iBypass VHD divides the accounting messages into three categories: • Session accounting messages, which contain information about the user session (log in and exit). • Command accounting messages, which contain information about the commands the user issued during the user session.
Page 107
iBypass VHD User Guide v1.0 • cmd: This indicates the command name – not only for a shell command, but also for any of the proposed service values. A NULL value indicates that the service itself is being referred to. For example, if the service is “webui” and the “cmd” is NULL, this would mean the establishment (START flag in the accounting record header) or the end (STOP flag in the accounting record header) of the Web UI user session.
Page 108
• Actual CLI commands have the format: “cmd=CLI <CLI entry parameters>” • Database commits have the format: “cmd=DB <object path> <action> [<new_value>]”
Where:
object path = the sequence of object names and indexes describing the object which changed
action = one of created, deleted, modified, value_set, etc.
Chapter 10 SNMP SNMP This section describes the capabilities of the SNMP (Simple Network Management Protocol) agent in the iBypass VHD product. It explains how to configure SNMP on an iBypass VHD Family device through either CLI commands or the Web UI. This section also describes specific SNMP conditions, provides a list of supported MIBs (both standard and private enterprise MIBs), and details specific coverage of MIB objects (with a focus on private MIBs) including exceptions and limitations. SNMP Capabilities The following list describes the general capabilities of the iBypass VHD SNMP: • SNMP v2c and SNMP v3-capable;...
Transactions and Commit Each SNMP Protocol Data Unit (PDU) acts like an atomic transaction. That is, it is either committed or rejected in its entirety. A PDU can carry multiple SET varbinds; if all parameters are correct, the system will commit all changes simultaneously.
Object | Description
Write Community String | This is the authentication string used for SNMP v2c write access control. You can enter up to 255 characters. (In the CLI, use quotes to enclose text with spaces.)
System location | This describes the location of the device.
Configure the SNMP Agent Using the CLI Do the following to enable the SNMP agent using the CLI:
iBypass VHD (config) # snmp ?
Possible completions:
  address   SNMP agent listen address
  disabled  Enable/disable the SNMP agent.
  enabled   Enable/disable the SNMP agent.
the agent to listen on the address set with the sysIP. The default port, '161', is an industry standard setting, so typically you would not change these values. However, if you want to change the SNMP agent’s listening port, do the following. Using the CLI: snmp address port <port number>...
Page 115
Object | Command
SNMPv2c inform target | snmp trap trapv2i trap_type v2i enabled ip 10.60.6.100 port 6000 community public
SNMPv3 trap target (security level noAuthNoPriv) | snmp trap trapv3 trap_type v3 enabled ip 10.60.6.100 port 7000 authProto noAuth privProto noPriv
SNMPv3 inform target (security level noAuthNoPriv) | snmp trap trapv3i trap_type v3i enabled ip 10.60.6.100 port 7001
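The trap targets in the table above use a community of public and the noAuthNoPriv security level. The following added example (not Ixia code) parses snmp trap lines in that syntax and reports those settings so a saved configuration can be reviewed. It assumes whitespace-separated keywords as shown on the page and treats a v3 target with no authProto or privProto keyword as unset, as with the page's trapv3i command; the function names are hypothetical.

```python
# Added example, not Ixia code: audits 'snmp trap' lines in the page's syntax.
import shlex

KEYS = {"trap_type", "ip", "port", "community", "authProto", "privProto"}
DEFAULT_COMMUNITIES = {"public", "private"}  # widely known default strings

# The three commands from the table on this page, each joined onto one line.
PAGE_COMMANDS = [
    "snmp trap trapv2i trap_type v2i enabled ip 10.60.6.100 port 6000 "
    "community public",
    "snmp trap trapv3 trap_type v3 enabled ip 10.60.6.100 port 7000 "
    "authProto noAuth privProto noPriv",
    "snmp trap trapv3i trap_type v3i enabled ip 10.60.6.100 port 7001",
]


def parse_trap(line):
    """Parse one 'snmp trap <name> ...' command into a dict of settings."""
    tok = shlex.split(line)  # keeps a quoted community with spaces intact
    if len(tok) < 3 or tok[:2] != ["snmp", "trap"]:
        raise ValueError(f"not an snmp trap command: {line!r}")
    target = {"name": tok[2], "enabled": False}
    i = 3
    while i < len(tok):
        if tok[i] in KEYS and i + 1 < len(tok):
            target[tok[i]] = tok[i + 1]      # keyword followed by its value
            i += 2
            continue
        target["enabled"] = target["enabled"] or tok[i] == "enabled"
        i += 1
    return target


def audit(target):
    """Return the findings for one parsed trap target."""
    findings = []
    kind = target.get("trap_type", "")
    if kind.startswith("v2"):
        findings.append("SNMPv2c: community and payload sent in cleartext")
        if target.get("community", "").lower() in DEFAULT_COMMUNITIES:
            findings.append("default community string")
    elif kind.startswith("v3"):
        # ASSUMPTION: a missing keyword means the protocol is not set.
        if target.get("authProto", "noAuth") == "noAuth":
            findings.append("SNMPv3 without authentication")
        if target.get("privProto", "noPriv") == "noPriv":
            findings.append("SNMPv3 without encryption")
    return findings


def audit_all(lines):
    """Map each enabled trap target name to its findings."""
    parsed = (parse_trap(line) for line in lines)
    return {t["name"]: audit(t) for t in parsed if t["enabled"]}
```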
Page 116
iBypass VHD User Guide v1.0 4. From the Trap Type drop-down menu, select the trap type, including: • SNMPv2c • SNMPv2c inform • SNMPv3 • SNMPv3 inform. 5. Click the Enabled checkbox. 6. Use the Access drop-down list to select an access privilege, including: • No access • Read only • Read and write...
This trap contains a single text message (default is “hello”). It tests trap transmission and reception in NMS devices without the risk of triggering an undesired response, which is normally associated with either a coldStart or warmStart trap. This trap is a proprietary trap specified in the IXIA-COMM-TRAPS-MIB file. ixiaGenericTrap This trap contains a single text message (default is “generic trap”). It allows you to specify a severity level (default is debugAlert).
Page 118
iBypass VHD User Guide v1.0 SNMPv2 Authorization – Community Strings SNMP access control is associated with user privilege levels. The iBypass VHD devices provide three privilege levels: • level 1 or admin access – full access to all management objects • level 2 or user access –...
MIBs directly you may inadvertently create internal conflicts amongst these tables. The device manages trap targets, USM users and VACM views via the CLI and web interfaces under the snmp command namespace. In addition the IXIA-COMM-SNMP-MIB presents a simplified API to manage these objects. Before writing to these MIBs, it is recommended that you thoroughly understand the relationships. You can achieve this by configuring the device via the CLI and...
The following table lists the module names and indicates the top-level object that can be used to walk the entire MIB via the mibwalk command. • IXIA-COMM-AAA-SERVER-MIB.mib • IXIA-COMM-DEVICE-MIB.mib • IXIA-COMM-FILES-MIB.mib • IXIA-COMM-IMAGE-MIB.mib...
iBypass VHD User Guide v1.0 Traps – General Information Standard Traps The following traps are supported. Cold start and warm start are defined in standard MIBs. Trap Name Variable Bindings Notes/Limitations coldStart none warmStart none coldStart and warmStart Trap Behavior When the iBypass VHD device boots up and starts the server processes, it is ready to send a warmStart or coldStart trap.
DC Input: -48VDC, 5.0A; DC Receptacle: Terminal peak, 12 gauge wire Power Consumption: 300W typical Warranty All Ixia products come standard with a 1 year manufacturer’s warranty. Additional Service Plan options to extend warranty coverage are available for purchase. Visit www.ixiacom.com for details...
Certifications Safety Indicates MET compliance (U.S.A. safety) MET Labs – Ixia (E112548) Indicates CE compliance Russia Compliance symbol WARNING! Disconnect all power sources before servicing. Warning: Multiple power sources may be provided; disconnect all power sources before servicing to reduce the risk of electric shock. WARNING HAZARDOUS VOLTAGES CONTAINED WITHIN THIS SYSTEM.
iBypass VHD User Guide v1.0 Emissions and Immunity FCC NOTICE (Class A) This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
iBypass VHD User Guide v1.0 Appendix B Third Party Software Third Party Software Vendor Name Software Software Redistri- License Recipe Source URL Name version bution base-files 3.0.14-r89 GPLv2 base-files base-passwd 3.5.29-r0 GPLv2+ base-passwd bash 4.3-r0 process GPLv3+ bash ftp://ftp.gnu.org/pub/gnu/bash/bash- 4.3.tar.gz binutils 2.24-r0 process...
Page 128
iBypass VHD User Guide v1.0 SkBuff.NET iputils s20121221-r0 process BSD & iputils http://www.skbuff.net/iputils/ GPLv2+ iputils-s20121221.tar.bz2 Eric json-c 0.11-r0 dynamic json-c https://s3.amazonaws.com/json-c_ Haszlakiewicz releases/releases/0.11.tar.gz Linux Kernel 2.0.2-r0 process GPLv2+ https://www.kernel.org/pub/linux/utils/ Organization kbd/kbd-2.0.2.tar.xz Linux Kernel kerne 3.17.1+gitAUTOINC+ GPLv2 linux-yocto https://www.kernel.org/pub/linux/kernel/ Organization b86dd5c6f4_ v3.x/linux-3.17.1.tar.gz 0caf16d385-r0 Free Software...
Page 129
iBypass VHD User Guide v1.0 xorg libxdmcp 1.1.1-r0 dynamic MIT-style libxdmcp http://xorg.freedesktop.org/releases/ individual/lib/libXdmcp-1.1.1.tar.gz fedora logrotate 3.8.7-r0 process GPLv2 logrotate https://fedorahosted.org/releases/l/o/ logrotate/logrotate-3.8.7.tar.gz purdue lsof 4.87-r0 process lsof ftp://lsof.itap.purdue.edu/pub/tools/unix/ lsof/lsof_4.87.tar.bz2 mmonit monit 5.8-r0 process GPLv3 monit http://mmonit.com/monit/dist/monit- 5.8.tar.gz ncurses- 5.9-r15.1 dynamic, ncurses ftp://ftp.gnu.org/pub/gnu/ncurses/ libncurses as process...
Page 130
iBypass VHD User Guide v1.0 valgrind valgrind 3.11.0-r0 process GPLv2 & valgrind http://www.valgrind.org/downloads/ GPLv2+ & valgrind-0.7.tar.bz2 zlib zlib 1.2.8-r0 process Zlib zlib http://www.zlib.net/zlib-1.2.8.tar.xz From Confd File/library License Reference backbone.js https://github.com/jashkenas/backbone/ blob/master/LICENSE jquery.js https://jquery.org/license/ jquery.flot.js & ?? Looks like MIT https://github.com/flot/flot/blob/master/ plugins LICENSE.txt jquery-ui.js...
Page 131
iBypass VHD User Guide v1.0 jquery-picklist.js ?? Looks like MIT https://github.com/awnry/jquery-picklist/ blob/master/LICENSE jquery.caret.js http://www.plugin.jquery.hk/my-plugins/ jquery-caret-plugin jquery.flot. MPL v2.0 https://github.com/markrcote/flot- hiddengraphs.js hiddengraphs/blob/master/jquery.flot. hiddengraphs.js jquery.tableDnD.js "like jquery" therefore MIT https://code.google.com/p/tablednd/ source/browse/trunk/stable/jquery. tablednd.js?r=7 jQuery.download.js MIT or GPL (dual-license) http://www.filamentgroup.com/examples/ mit-license.txt http://www.filamentgroup.com/examples/ gpl-license.txt Font Awesome icon SIL Open Font License https://fortawesome.github.io/Font- font...
Page 132
Copyright (c) 2016 Ixia. All rights reserved.