SmartNA-X(TM)


System name
System location
System contact
System MAC address
System link local address
Use DHCP
System IPv4 address
IPv4 subnet
IPv4 gateway
DNS Server
Active DHCP setting
Active IPv4 address
Active IPv4 subnet
Active IPv4 gateway
System IPv6 address
IPv6 prefix length
IPv6 gateway
Active IPv6 address
Active IPv6 prefix length
Active IPv6 gateway
All configured maps
Source ports Filters applied Destination ports  
Delete all maps
All filter definitions
Name  
Add new filter
SNMP enabled
Engine ID
Send notifications:
Health
SNMP
System

Configure notification hosts

Traditional access control:

Configure communities

Authenticate users via
NTP server
RADIUS authentication
Server address  Server port
Add server
RADIUS accounting
Server address  Server port
Add server
TACACS+ authentication
 Server address 
Add server Set shared secret
TACACS+ accounting
 Server address 
Add server Set shared secret
System status
System uptime
Model number
Hardware revision
Serial number
Firmware revision
Firmware built
System temperature
Temperature threshold (°C)
Fan 1
Fan 2
PSU 1
PSU 2

Reboot Reboots all components of the system.

Update Install a firmware update file.

Saved configurations Load/save the current configuration, including restoring factory defaults.

Download configuration Download a configuration file containing the current settings.

Upload configuration Upload a configuration file with new settings.

Upload SSL certificate Upload new certificate/key files for use with HTTPS.

Change password Change your own password (local users only).

 
Card uptime
Model number
Hardware revision
Serial number
Firmware revision
Firmware built
Temperature
Temperature threshold (°C)

Temperature threshold

This determines when an alert is issued if a card becomes too hot, for example by setting the SNMP over-temperature trap.

Set to 0 to disable the check for this card.

Select the System SNMP tab to configure trap recipients.

 
Description
Usage
Type
Speed
MDI
Duplex
Mastery
TAP
Autolock
Lock
 
Description
Bytes in
Bytes out
Packets in
Packets out
Bytes in/s
Bytes out/s
Utilization in (%)
Utilization out (%)

Clear counters

 
Description
Undersize
Fragments
Oversize
Jabber
Rx Error
FCS Error

Clear counters

 
Description
Traffic threshold (high) (%)
Traffic threshold (low) (%)

Usage

A port may be designated as a network or tool port for future reference.

TAP mode

Applies to a TAP pair, typically ports A and B.

Ensures that this link will be preserved at hardware level in the event of a power failure.

Also causes a "link down" on one port in the pair to be repeated to the other port, as if the SmartNA-X device were not there and a direct connection existed.

Mutually exclusive with autolock.

Autolock

Mutually exclusive with link failure propagation.

Lock

Traffic thresholds

These determine when the system will warn about an oversubscribed port, for example by setting the SNMP traffic trap.

Values must satisfy

0 ≤ low threshold < high threshold ≤ 100.

Set to 0 and 100 to disable the check for this port.

Select the System SNMP tab to configure trap recipients.

Map configuration

From ports
To ports

Delete map Define new filter View all maps

Filter  Ignore  Require  Exclude

Welcome to SmartNA-X™

User ID
Password

Log in

Information

This help screen contains a “quick start” guide.

For more detailed information, please refer to the manual.

Getting help

At the top of your screen are two buttons:

Help buttons

These will access this help screen and an online copy of the user manual from most parts of this user interface.

For detailed configuration tasks, such as defining filters, context-sensitive help will also be provided.

The system automatically checks for certain common configuration errors. If any problems are detected, you will see warnings like this at the bottom of your screen:

Warning display

Finding your way around the graphical user interface

The GUI is built around a schematic diagram. This shows the module cards installed in your device and the available ports:

Schematic diagram

As you move your pointer over the diagram, you highlight different parts of the system. Click on an item of interest to select it. A supplementary view will be displayed under the diagram, where you can see the item’s status or change its configuration.

Schematic diagram with system selected

Select the outer box to configure system-wide settings, such as:

  • the device name and IP address
  • TACACS+ or RADIUS servers
  • SNMP access.

You can also view system health information and details of your serial number and firmware version here.

Schematic diagram with ports selected

Select a port to:

  • configure link settings: speed, duplex, …
  • enable the TAP mode or lock/autolock features
  • view traffic and error counters
  • specify a description and network/tool usage.

You can select multiple ports by holding shift or control while clicking.

Schematic diagram with card selected

You can also select cards to check their serial number, firmware revision and health information.

Making changes

Warning

Most changes you make in this user interface will not affect the live settings on the device until you explicitly apply them.

When you log in and start to modify settings, the changes do not take effect immediately. This allows you to configure a set of related changes without leaving the device settings partially updated while you work.

At the top of your screen is a “Review/apply changes” button. You can click this at any time to see a summary of what you have changed so far.

Review changes screen

When you are finished, click “Apply changes” to replace the live settings on the device with your new configuration.

If there is a problem, you can go back to make further adjustments, or you can abort the entire process by logging out without applying your changes. The next time you log in, the user interface will revert to the live settings on the device and you can start again.

Moving traffic with maps

Traffic is moved around the system by “maps” between source (ingress) and destination (egress) ports.

Add a map using a drag-and-drop action: move the pointer over your chosen source port, press and hold your mouse button, move the pointer over your chosen destination port, and release the button.

When you add maps, they appear as lines on the diagram. Arrows show the direction of traffic:

Simple maps

Map lines are drawn using different colours so you can tell them apart in complicated configurations. You can also move the pointer over a map line, and the other maps will fade into the background:

Hovering over a map

You can aggregate traffic from multiple source ports to a single destination port. To create a many-to-one map, first select all source ports you require, then drag from any of those ports and drop on the required destination port. This appears as a single map connecting all of the ports:

Hovering over a map

You can also replicate traffic and send copies to multiple destination ports. To create a one-to-many map, first select all destination ports you require, then drag from the required source port onto any of the destination ports. This also appears as a single map connecting all of the ports:

Hovering over a map
Schematic diagram with a map selected

Select a map, by clicking on its line on the diagram, to:

  • see a summary of source and destination ports
  • delete the map
  • define and apply filters (see below).
Schematic diagram with system selected and Mapping tab open

Select the system and open the Mapping tab to:

  • review all maps on the system in tabular form
  • quickly delete multiple maps
  • delete all maps on the system.

There are a few more ways to add, edit and delete maps. Please refer to the user manual for details.

Restricting traffic with filters

By default, a map will send a copy of all packets that enter its source port(s) out of its destination port(s).

You can apply “filters” to a map, so that only packets that match criteria you specify will pass.

To configure filtering, select a map you want to restrict and then click the “Define new filter” button. This opens the filter definition screen, with context-sensitive help on the right.

Defining a filter

Give your filter a name, and specify criteria of interest such as the VLAN tag, IP addresses or TCP ports. Additional filtering options become available when they are compatible with the settings you choose, and invalid specifications will be highlighted in red.

When you have finished, click “Add filter” to return to the selected map.

You can now choose whether that map requires or excludes the filter you have just defined, or any other filters that are already defined on your system. If the filter is required, only packets that match the filter criteria will pass. If the filter is excluded, packets that match the filter criteria will be blocked.

Requiring or excluding filters for a map

You may specify multiple filters for the same map. Only packets that match all required filters and do not match any excluded filters will pass.

Applied filters are shown above the map line on the diagram. “Not X” indicates that filter X is excluded.

A map with filters applied
Schematic diagram with system selected and Filters tab open

Select the system and open the Filters tab to:

  • review all filters defined on the system in tabular form
  • edit existing filters
  • quickly delete multiple filters.

You can also define new filters from here.

Combinations of maps and filters

You can use the same port as a source or destination for many maps:

Multiple maps sharing ports
Information

Maps operate independently and do not interact.
There is no need to specify an order for applying filters.

In this case:

Legal

Copyright 2012 Network Critical Solutions Limited and others.

This device uses open source software.

Detailed copyright notices and licences

 


SNMP Notification Hosts
Host SNMP version Notify type Credentials Engine ID  
Add new notification host
Notification host configuration
Destination
SNMP version
Notification type
Credentials
Engine ID
Set host configuration

A notification host already exists with these details.

You may not create a notification host with a duplicate identity.

You must specify a valid destination for these notifications.

You must specify an existing local user to go with SNMPv3 traps.

You must specify an existing remote user and engine ID to go with SNMPv3 informs.

You must specify a valid community string to go with SNMPv1 or SNMPv2c notifications.

SNMPv1 does not support informs. Select a higher SNMP version or use traps for notification.

Define the configuration for this notification host.

All hosts must have a destination and specify the SNMP version and whether traps or informs will be sent.

Suitable credentials to send with the notification, depending on the SNMP version and notification type, must also be provided.

Destination

You must specify the location of the notification host.

The format should be:

[{protocol}:]{host}[:{port}]

{protocol} may be udp or udp6.

{host} may be a hostname or an IPv4 or IPv6 address.

{port} is the UDP port on the host.

SNMP version

Notifications may be sent using SNMP v1, v2c or v3.

Notification type

Notifications may be sent as traps or (where supported) informs.

Credentials and engine ID

For SNMP v1 or v2c, this is the community string to send with the notification.

For SNMP v3, this is an existing local user (for traps) or remote user (for informs).

Where a remote user is specified, the corresponding engine ID must also be given.
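
The destination format and credential rules above can be checked before a host entry is applied. This is an added example, not code from the device or its vendor; the dictionary keys, the bracketed form for an IPv6 literal with a port, and reusing the page's 1–32 character naming rule for notification community strings are assumptions.

```python
# Added example (not SmartNA-X firmware code): checking a notification
# host entry against the rules in the help text before applying it.
import re

NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,31}")   # 1-32 alphanumerics
ENGINE_ID_RE = re.compile(r"[0-9A-Fa-f]{10,64}")     # 10-64 hex digits


def parse_destination(dest):
    """Split [{protocol}:]{host}[:{port}] into (protocol, host, port).

    Assumption: an IPv6 literal followed by a port is written in square
    brackets; the help text does not say how the two are told apart.
    """
    rest, proto = dest.strip(), None
    head, sep, tail = rest.partition(":")
    if sep and head in ("udp", "udp6"):
        proto, rest = head, tail
    if rest.startswith("["):
        host, sep, port = rest[1:].partition("]")
        if not sep or (port and not port.startswith(":")):
            raise ValueError("malformed bracketed host in %r" % dest)
        port = port[1:]
    elif rest.count(":") > 1:          # bare IPv6 literal, so no port
        host, port = rest, ""
    else:
        host, _, port = rest.partition(":")
    if not host:
        raise ValueError("missing host in %r" % dest)
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        raise ValueError("bad UDP port in %r" % dest)
    return proto, host, int(port) if port else None


def check_host(host, local_users, remote_users):
    """Return a list of problems; an empty list means the entry is consistent.

    Keys (hypothetical names): destination, version ('v1', 'v2c', 'v3'),
    type ('trap' or 'inform'), credentials, engine_id.
    """
    problems = []
    try:
        parse_destination(host["destination"])
    except ValueError as exc:
        problems.append("destination: %s" % exc)
    version, kind, cred = host["version"], host["type"], host["credentials"]
    if version in ("v1", "v2c"):
        if version == "v1" and kind == "inform":
            problems.append("SNMPv1 does not support informs")
        # Assumption: the community naming rule applies here as well.
        if not NAME_RE.fullmatch(cred or ""):
            problems.append("community string required for v1/v2c")
    elif kind == "trap":
        if cred not in local_users:
            problems.append("SNMPv3 traps need an existing local user")
    else:
        if cred not in remote_users:
            problems.append("SNMPv3 informs need an existing remote user")
        if not ENGINE_ID_RE.fullmatch(host.get("engine_id") or ""):
            problems.append("SNMPv3 informs need a 10-64 hex digit engine ID")
    return problems
```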

SNMP Users
Name Location  
Add new user
User configuration
User name
Engine
Engine ID
Authentication
Authentication phrase
Confirm authentication phrase
Privacy
Privacy phrase
Confirm privacy phrase
Set user configuration

A user already exists with these details.

You may not create a user with a duplicate identity.

You must specify a valid name for the user.

You must specify a valid engine ID for remote users.

You must specify a valid authentication phrase when using MD5 or SHA authentication.

Authentication phrases must match.

You must specify a valid privacy phrase when using DES or AES encryption.

Privacy phrases must match.

Define the configuration for this user.

All users must have a name and specify whether they are local or remote (and, if remote, also specify the remote engine ID).

Additional options will be displayed when they are available.

Information about possible settings for each configuration option will appear here as you make changes.

User name

You must specify a name for the user.

Names consist of 1–32 alphanumeric characters, and must begin with a letter.

Engine

You may define local users (for most uses) and remote users (for use with sending SNMPv3 informs).

If this is a remote user, you must also specify the corresponding remote engine ID.

An engine ID consists of 10–64 hex digits.

Authentication

You may specify whether authentication is to be used, and if so whether to use MD5 or SHA.

If authentication is in use, you must also specify a passphrase.

Authentication phrases must be 8–64 ASCII non-control characters.

For users already set up on the device, either enter a new passphrase if you wish to make a change or leave this field blank to keep the existing passphrase.

Privacy

You may specify whether encryption is to be used, and if so whether to use DES or AES.

If encryption is in use, you must also specify a passphrase.

Privacy phrases must be 8–64 ASCII non-control characters.

For users already set up on the device, either enter a new passphrase if you wish to make a change or leave this field blank to keep the existing passphrase.

SNMP Communities
Community string Version Source Type OID  
Add new community
Community configuration
Community string
IP version
Source
Type
OID
Set community configuration

You must specify a valid community string.

This community string is already being used on the VACM communities list.

A community string may be used for either traditional or VACM communities, but not both at once.

You must specify a valid source or leave this field blank.

You must specify a valid OID or leave this field blank.

Define the configuration for a traditional community string, independent of the view-based access control system.

All community types must have a community string, IP version and type. The other fields are optional.

Information about possible settings for each configuration option will appear here as you make changes.

Community string

You must specify the community string for every community.

Names consist of 1–32 alphanumeric characters, and must begin with a letter.

IP version

You must specify whether this community string allows access via IPv4 or IPv6.

Source

You may restrict access to specific hosts by specifying the source for SNMP requests here.

The following formats are recognised:

myserver.mycompany.com        Hostname
192.168.50.1                  IPv4 address
192.168.50.1/255.255.255.0    IPv4 subnet (address/mask)
192.168.50.1/24               IPv4 subnet (address/prefix length)

For IPv6 access, use the equivalent formats.

Type

You must specify whether read-only or read/write access is permitted for this community.

OID

You may restrict access to part of the MIB tree by specifying the OID here.

SNMP Communities (VACM)
Community string IP version Source Security name  
Add new community
Community configuration (VACM)
Community string
IP version
Source
Security name
Set community configuration

You must specify a valid community string.

This community string is already being used for a traditional (non-VACM) community.

A community string may be used for either traditional or VACM communities, but not both at once.

You must specify a valid source or leave this field blank.

You must specify a valid security name.

Define the configuration for a community string to use with view-based access control.

All fields are mandatory except Source.

Information about possible settings for each configuration option will appear here as you make changes.

Community string

You must specify the community string for every community.

Names consist of 1–32 alphanumeric characters, and must begin with a letter.

IP version

You must specify whether this community string allows access via IPv4 or IPv6.

Source

You may restrict access to specific hosts by specifying the source for SNMP requests here.

The following formats are recognised:

myserver.mycompany.com        Hostname
192.168.50.1                  IPv4 address
192.168.50.1/255.255.255.0    IPv4 subnet (address/mask)
192.168.50.1/24               IPv4 subnet (address/prefix length)

For IPv6 access, use the equivalent formats.

Security name

The security name you specify here may be added to a group as part of the SNMP view-based access control system, like an SNMPv3 user.

SNMP Groups
Group Member Security model  
Add new group
Group membership
Group name
Member name
Security model
Set group configuration

This member is already in a group with this security model.

A security name may only belong to a single group for each security model.

You must specify a valid name for the group.

The group member must be an existing local user or the security name of an existing community.

Adds a member to a group.

A given member, using the same security model, may only belong to one group at a time.

All fields must be completed.

Group name

You must specify a name for the group.

Names consist of 1–32 alphanumeric characters, and must begin with a letter.

Member details

You must specify the member you are adding to the group.

This may be one of:

  • An existing local SNMP user
  • A security name assigned to an existing VACM-enabled SNMP community

The membership will apply only when the specified security model is used for a request. The same member may belong to different groups with different security models.

SNMP Views
Name Type OID Mask  
Add new view
View configuration
Name
View type
OID
Mask
Set view configuration

This view member is already specified.

You must specify a valid name for the view.

Defines a view for reference in the access control list.

Views must have a name, and identify a part of the management information tree to be included/excluded by OID.

Partial trees may be defined by additionally specifying a mask.

View name

You must specify a name for the view.

Names consist of 1–32 alphanumeric characters, and must begin with a letter.

View type

Indicates whether this view contains the tree below the specified OID or everything else.

OID

Specifies the position in the management tree below which this view applies.

Mask

May be used to specify that only some of the subidentifiers in the OID are to be matched.

SNMP Access Control List
Group Security model Security level Read view Write view Notify view  
Add new access
Access control list entry
Group name
Security model
Security level
Read view
Write view
Notify view
Set access configuration

The access control list already specifies views for this group and access method.

Duplicates are not allowed.

You must specify an existing group.

The read view must be an existing view name.

The write view must be an existing view name.

The notify view must be an existing view name.

Adds an entry to the access control list.

This permits access by a group to the specified views, as long as the minimum security requirements are met.

Group name

You must specify the name of an existing group that will receive this access.

Security model

Access will only be granted if the security model matches the request.

Security level

Access will only be granted if the security of the request meets the minimum requirement specified here.

The order is:

  • None (lowest)
  • Authentication only
  • Authentication + Privacy (highest)

Views

These must be the names of existing views.

Local Users
Name Authorisation level  
Add new user
Name
Authorisation level
Change password?

Set user details

Set password

Warning

There are currently warnings for this configuration.

Apply changes

Saved configurations
Name 
Save current configuration
Filter specification
Filter name
Packet type
Layer 2
MPLS top-of-stack label
VLAN tag
MAC addressing
Address
Source address
Destination address
Layer 3
There are no compatible layer 3 filtering options.
IPv4 addressing
Address
Source address
Destination address
IPv6 addressing
Address
Source address
Destination address
IP protocol
Layer 4
There are no compatible layer 4 filtering options.
DSCP
Layer 4 port filtering
Port
Source port
Destination port
Set filter definition

You must specify a name for your filter.

Define the values of interest for your filter.

All filters must have a name and specify a packet type.

Additional options will be displayed when they are available.

Information about possible settings for each filter field will appear here as you make changes.

Filter name

All filters must have a unique name.

This is used to label any maps where the filter is applied.

Packet type

All filters must specify a packet type. This corresponds approximately to the ethertype in the packet header, and determines which additional layer 2, 3 and 4 filter fields are applicable.

MPLS packets may be further filtered by the top MPLS label in the stack. All non-MPLS packet types can instead be filtered by VLAN tag and MAC address at layer 2.

ARP packets can additionally be filtered by IPv4 address at layer 3 and by DSCP at layer 4.

IP packets can additionally be filtered by IP address, if you specify IPv4 or IPv6, and by IP protocol (TCP, etc.) at layer 3. At layer 4, they can be filtered by DSCP, and if an IP protocol is specified, also by relevant additional fields such as port.

MPLS label

You may filter traffic by MPLS label.

Where the MPLS header for a packet contains multiple labels, this will test the top label in the stack.

The following formats are recognised:

100         A single label
100-110     A range (inclusive)
0/1         A value/mask pair (here: all even labels)
100, 150    Multiple labels

Multiple labels may each use a range or mask.

VLAN tag

You may filter by VLAN tag.

The following formats are recognised:

100         A single tag
100-110     A range (inclusive)
0/1         A value/mask pair (here: all even tags)
100, 150    Multiple tags

Multiple tags may each use a range or mask.

MAC address

You may filter any non-MPLS packet type by MAC address.

You may give either a single specification, to find packets where either the source or the destination address matches, or separate specifications for source and/or destination address.

The following formats are recognised in each case:

01:23:45:67:89:ab                       A single address
01:23:45:67:89:ab, 01:23:45:67:89:ac    Multiple addresses

For ARP packets, use source for the sender address and destination for the target address.

IPv4 address

You may filter IPv4 or ARP packets by IP address.

You may give either a single specification, to find packets where either the source or the destination address matches, or separate specifications for source and/or destination address.

The following formats are recognised in each case:

192.168.0.1                  A single address
192.168.0.4-10               A range (inclusive)
192.168.0.*                  A wildcard (here: 192.168.0.0-255)
10.10.0.0/255.255.255.252    A mask (here: 10.10.0.0-3)
10.10.0.3, 10.10.0.5         Multiple addresses

Ranges and wildcards may be used in any segment(s).

Multiple addresses may each use either ranges and wildcards or a mask.

For ARP packets, use source for the sender address and destination for the target address.
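
The IPv4 formats above can be expanded into a matcher that also reports how many addresses each term covers, which helps when reviewing how broad a filter is. This is an added example, not code from the device or its vendor; the function names are hypothetical, and only the dotted mask form shown in the table is accepted.

```python
# Added example (not SmartNA-X firmware code): the IPv4 filter address
# formats from the help text, with a per-term size for reviewing breadth.
import ipaddress


def parse_ipv4_spec(text):
    """Return a list of terms: ('mask', addr, mask) as integers, or
    ('segments', ((lo, hi), ...)) with one inclusive range per octet."""
    terms = []
    for part in text.split(","):
        part = part.strip()
        if "/" in part:
            addr, mask = part.split("/", 1)
            # Only the dotted mask shown in the help text is accepted here.
            terms.append(("mask",
                          int(ipaddress.IPv4Address(addr.strip())),
                          int(ipaddress.IPv4Address(mask.strip()))))
            continue
        segs = part.split(".")
        if len(segs) != 4:
            raise ValueError("need four segments: %r" % part)
        ranges = []
        for seg in segs:
            if seg == "*":                      # wildcard segment
                lo, hi = 0, 255
            elif "-" in seg:                    # range within a segment
                lo, hi = (int(x) for x in seg.split("-", 1))
            else:
                lo = hi = int(seg)
            if not 0 <= lo <= hi <= 255:
                raise ValueError("bad segment %r in %r" % (seg, part))
            ranges.append((lo, hi))
        terms.append(("segments", tuple(ranges)))
    return terms


def ipv4_matches(terms, address):
    """True if the address satisfies any term (terms are alternatives)."""
    ip = ipaddress.IPv4Address(address)
    octets = ip.packed                          # iterating bytes yields ints
    for term in terms:
        if term[0] == "mask":
            _, addr, mask = term
            if (int(ip) & mask) == (addr & mask):
                return True
        elif all(lo <= o <= hi for o, (lo, hi) in zip(octets, term[1])):
            return True
    return False


def term_sizes(terms):
    """Number of addresses each term covers, in the order given."""
    sizes = []
    for term in terms:
        if term[0] == "mask":
            # Every zero bit in the mask is a "don't care" bit.
            sizes.append(2 ** (32 - bin(term[2]).count("1")))
        else:
            n = 1
            for lo, hi in term[1]:
                n *= hi - lo + 1
            sizes.append(n)
    return sizes
```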

IPv6 address

You may filter IPv6 packets by IP address.

You may give either a single specification, to find packets where either the source or the destination address matches, or separate specifications for source and/or destination address.

The following formats are recognised in each case:

2000:abcd:0:0:0:0:77:88    A single address
2000:abcd::77:88           A single address (eliding a single run of zero segments)
2000:abcd::77:88-99        A range address (inclusive)
2000::*                    A wildcard (here: 2000::0-ffff)
::ffff:0:0/96              A prefix length (any address starting 0:0:0:0:0:ffff)
2000::1, 2000::3           Multiple addresses

Ranges and wildcards may be used in any segment(s).

Multiple addresses may each use either ranges and wildcards or prefix notation.

IP protocol

You may filter IP traffic by its IP protocol, for example whether it uses a transport protocol such as TCP or UDP.

If you specify TCP, UDP or both, you may further filter by the corresponding layer 4 ports.

DSCP

You may filter traffic by the DSCP specified in the packet header.

Separate multiple DSCP numbers with commas.

The following formats are recognised:

10            A single code point
10-14         A range (inclusive)
0/1           A value/mask pair (here: all even CPs)
10, 12, 14    Multiple code points

Multiple code points may each use a range or mask.

Port

You may filter TCP or UDP packets by port number.

You may give either a single specification, to find packets where either the source or the destination port matches, or separate specifications for source and/or destination port.

The following formats are recognised in each case:

10        A single port
10-20     A range (inclusive)
0/1       A value/mask pair (here: all even ports)
10, 15    Multiple ports

Multiple ports may each use a range.

Common examples for TCP include:

80, 8080, 443      HTTP/HTTPS
25                 SMTP
20-21, 989-990     FTP/FTPS
22                 SSH
23                 Telnet
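
The numeric formats shared by the MPLS label, VLAN tag, DSCP and port fields, together with the require/exclude rule from "Restricting traffic with filters", can be modelled to check which packets a map will forward to a tool port. This is an added example, not code from the device or its vendor; the field names are hypothetical, the mask semantics are inferred from the "0/1 = all even" example, and treating multiple fields within one filter as a logical AND is an assumption.

```python
# Added example (not SmartNA-X firmware code): numeric filter specs and
# the require/exclude rule for maps, as described in the help text.

def parse_numeric_spec(text):
    """Parse '100', '100-110', '0/1' or a comma-separated mix.

    Returns a list of ('range', lo, hi) or ('mask', value, mask) terms.
    """
    terms = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty term in %r" % text)
        if "/" in part:
            value, mask = (int(x) for x in part.split("/", 1))
            terms.append(("mask", value, mask))
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError("reversed range %r" % part)
            terms.append(("range", lo, hi))
        else:
            terms.append(("range", int(part), int(part)))
    return terms


def spec_matches(terms, n):
    """True if n satisfies any term (terms are alternatives)."""
    for kind, a, b in terms:
        if kind == "range" and a <= n <= b:
            return True
        # Mask term: only the bits set in the mask are compared.
        if kind == "mask" and (n & b) == (a & b):
            return True
    return False


def filter_matches(flt, pkt):
    """Assumption: every field set in a filter must match (logical AND).

    'port' follows the help text: it matches if either the source or the
    destination port matches. Field names here are hypothetical.
    """
    for field, spec in flt.items():
        terms = parse_numeric_spec(spec)
        if field == "port":
            ok = (spec_matches(terms, pkt["src_port"])
                  or spec_matches(terms, pkt["dst_port"]))
        else:
            ok = spec_matches(terms, pkt[field])
        if not ok:
            return False
    return True


def map_passes(pkt, required=(), excluded=()):
    """A packet passes a map only if it matches all required filters
    and none of the excluded filters."""
    return (all(filter_matches(f, pkt) for f in required)
            and not any(filter_matches(f, pkt) for f in excluded))


# Constructed sample: a map that requires "Web" and excludes "EvenVLAN".
WEB = {"port": "80, 8080, 443"}
EVEN_VLAN = {"vlan": "0/1"}

if __name__ == "__main__":
    for pkt in (
        {"vlan": 101, "src_port": 51000, "dst_port": 443},
        {"vlan": 100, "src_port": 51000, "dst_port": 443},
        {"vlan": 101, "src_port": 51000, "dst_port": 22},
    ):
        print(pkt, map_passes(pkt, required=[WEB], excluded=[EVEN_VLAN]))
```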
Server address

Set server details

Set shared secret

Server address
Server port
Change secret?

Set server details