Example 15 expands on Example 14 by combining out-of-band (OOB) maps with a map passall originating from an inline network group on GigaVUE-HC2.

When the source port of an OOB map is associated with an inline network group, only one port is supported in the port list. In this case, multiple OOB maps are needed because each OOB map only accepts one inline network port as the input (the from argument of the map command).

A protected inline network (which uses bypass combo modules) is included in Example 15. You do not need to configure inline network ports or the inline networks because they are created automatically. The port pairs in Example 15 are 1/1/x17 and 1/1/x18, as well as 1/1/x19 and 1/1/x20. The aliases of the default inline networks in Example 15 are default_inline_net_1_1_1 and default_inline_net_1_1_2.

In Example 15, two OOB maps send traffic from each inline network port (associated with default_inline_net_1_1_1) to the OOB tool. Two more maps would be needed to send traffic from each inline network port (associated with default_inline_net_1_1_2) to the OOB tool, but this is not included in Example 15.

On GigaVUE-HC3, protected inline bypass can be configured on the bypass combo module on ports c1..c4.

On GigaVUE-HC1, protected inline bypass can be configured on the bypass combo module, or on the TAP-HC1-G10040 module placed in either bay 2 or bay 3, so the ports will be 1/2/g1..g8 or 1/3/g1..g8. On the TAP module, you will need to configure inline network ports and the inline network because they are not created automatically (as they are on bypass combo modules).


  1. Configure an inline network group consisting of two protected inline networks.

(config) # inline-network-group alias inNetGroup
(config inline-network-group alias inNetGroup) # network-list default_inline_net_1_1_1,default_inline_net_1_1_2
(config inline-network-group alias inNetGroup) # exit
(config) #

  2. Configure a regular tool port of port type (tool) and administratively enable it. This is the OOB tool.

(config) # port 1/1/x12 type tool
(config) # port 1/1/x12 params admin enable

  3. Configure two inline tool ports of port type (inline-tool) and administratively enable them.

(config) # port 1/2/x23 type inline-tool
(config) # port 1/2/x23 params admin enable

(config) # port 1/2/x24 type inline-tool
(config) # port 1/2/x24 params admin enable

  4. Configure an inline tool and enable it. Also specify that the inline tool is going to be shared by different sources. When shared is enabled (true), the inline tool can receive traffic from multiple sources (the inline networks in the inline network group).

(config) # inline-tool alias inTool1 pair tool-a 1/2/x23 and tool-b 1/2/x24
(config) # inline-tool alias inTool1 enable
(config) # inline-tool alias inTool1 shared true

  5. Configure a map passall, from the inline network group to the inline tool. This sends all the traffic to the inline tool.

(config) # map-passall alias inline_map1
(config map-passall alias inline_map1) # from inNetGroup
(config map-passall alias inline_map1) # to inTool1
(config map-passall alias inline_map1) # exit
(config) #

  6. Configure the first rule-based map. This is an OOB map from one inline network port (associated with default_inline_net_1_1_1) to the OOB tool.

(config) # map alias OoB_map1
(config map alias OoB_map1) # type regular byRule
(config map alias OoB_map1) # rule add pass ipver 4
(config map alias OoB_map1) # to 1/1/x12
(config map alias OoB_map1) # from 1/1/x17
(config map alias OoB_map1) # exit
(config) #

  7. Configure a second rule-based map. This is an OOB map from the other inline network port (associated with default_inline_net_1_1_1) to the OOB tool.

(config) # map alias OoB_map2
(config map alias OoB_map2) # type regular byRule
(config map alias OoB_map2) # rule add pass ipver 4
(config map alias OoB_map2) # to 1/1/x12
(config map alias OoB_map2) # from 1/1/x18
(config map alias OoB_map2) # exit
(config) #

  8. Configure a third rule-based map. This is an OOB map from a single inline tool port to the OOB tool.

(config) # map alias OoB_map3
(config map alias OoB_map3) # type inline byRule
(config map alias OoB_map3) # rule add pass ipver 4
(config map alias OoB_map3) # to 1/1/x12
(config map alias OoB_map3) # from 1/2/x23
(config map alias OoB_map3) # exit
(config) #

  9. Configure the traffic path to the inline tool.

(config) # inline-network alias default_inline_net_1_1_1 traffic-path to-inline-tool
(config) # inline-network alias default_inline_net_1_1_2 traffic-path to-inline-tool

  10. Disable physical bypass on the default inline network aliases.

(config) # inline-network alias default_inline_net_1_1_1 physical-bypass disable
(config) # inline-network alias default_inline_net_1_1_2 physical-bypass disable

  11. Display the configuration and statistics for this example.

(config) # show inline-network
(config) # show inline-network-group
(config) # show inline-tool
(config) # show map

 

Example 14 combines out-of-band (OOB) maps with a map passall originating from an inline network on GigaVUE-HC2. In Example 14, the map passall sends all traffic to the inline tool. The OOB rule-based map sends traffic to an OOB tool.

When the source port of an OOB map is associated with an inline network, multiple source ports are supported in the port list (the from argument of the map command).

A protected inline network (which uses bypass combo modules) is included in Example 14. You do not need to configure inline network ports because they are created automatically. The port pairs in Example 14 are 1/1/x21 and 1/1/x22. You do not need to configure an inline network because it is also created automatically. The alias of the default inline network in Example 14 is default_inline_net_1_1_3.

On GigaVUE-HC3, protected inline bypass can be configured on the bypass combo module on ports c1..c4.

On GigaVUE-HC1, protected inline bypass can be configured on the bypass combo module, or on the TAP-HC1-G10040 module placed in either bay 2 or bay 3, so the ports will be 1/2/g1..g8 or 1/3/g1..g8. On the TAP module, you will need to configure inline network ports and the inline network because they are not created automatically (as they are on bypass combo modules).


  1. Configure a regular tool port of port type (tool) and administratively enable it. This is the OOB tool.

(config) # port 1/1/x12 type tool
(config) # port 1/1/x12 params admin enable

  2. Configure two inline tool ports of port type (inline-tool) and administratively enable them.

(config) # port 1/2/x23 type inline-tool
(config) # port 1/2/x23 params admin enable

(config) # port 1/2/x24 type inline-tool
(config) # port 1/2/x24 params admin enable

  3. Configure an inline tool and enable it.

(config) # inline-tool alias inTool1 pair tool-a 1/2/x23 and tool-b 1/2/x24
(config) # inline-tool alias inTool1 enable

  4. Configure a map passall, from the inline network to the inline tool. This sends all the traffic to the inline tool.

(config) # map-passall alias inline_map1
(config map-passall alias inline_map1) # from default_inline_net_1_1_3
(config map-passall alias inline_map1) # to inTool1
(config map-passall alias inline_map1) # exit
(config) #

  5. Configure the OOB rule-based map, with both inline network ports in the from argument, and the OOB tool in the to argument.

(config) # map alias OoB_map
(config map alias OoB_map) # type regular byRule
(config map alias OoB_map) # rule add pass ipver 4
(config map alias OoB_map) # to 1/1/x12
(config map alias OoB_map) # from 1/1/x21..x22
(config map alias OoB_map) # exit
(config) #

  6. Configure the traffic path to the inline tool.

(config) # inline-network alias default_inline_net_1_1_3 traffic-path to-inline-tool

  7. Disable physical bypass on the default inline network alias.

(config) # inline-network alias default_inline_net_1_1_3 physical-bypass disable

  8. Display the configuration and statistics for this example.

(config) # show inline-network
(config) # show inline-tool
(config) # show map
(config) # show port stats
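Examples 14 and 15 differ in one rule: when the OOB map's source is a single inline network, the from argument may list both network ports (Example 14), but when the source belongs to an inline network group, each OOB map may carry only one inline network port, so one map per port is needed (Example 15). The following is an added example, not Gigamon code and not part of the original documentation: a small Python helper that expands GigaVUE port specs such as 1/1/x21..x22, enforces that rule, and emits the map commands for both cases. The InlineNetwork class, the oob_map_commands and validate_from_list functions, and the sample port assignments are assumptions constructed to mirror the two examples above.

```python
"""Generate the OOB rule-based maps for Examples 14 and 15.

Hypothetical helper, not Gigamon code. It encodes the rule that a map whose
source is an inline network may list several ports in 'from', while a map
whose source is an inline network group may list only one inline network
port, so one map per port is emitted in that case.
"""
import re
from dataclasses import dataclass
from typing import List

# Matches '1/1/x21' or a same-prefix range such as '1/1/x21..x22'.
PORT_SPEC = re.compile(r"^(\d+)/(\d+)/([a-z]+)(\d+)(?:\.\.([a-z]*)(\d+))?$")


def expand_ports(spec: str) -> List[str]:
    """Expand 'box/slot/x21..x22' (comma-separated specs allowed) into single ports."""
    ports = []
    for item in spec.split(","):
        m = PORT_SPEC.match(item.strip())
        if not m:
            raise ValueError(f"unrecognised port spec: {item!r}")
        box, slot, prefix, start, end_prefix, end = m.groups()
        if end is None:
            ports.append(f"{box}/{slot}/{prefix}{start}")
            continue
        if end_prefix and end_prefix != prefix:
            raise ValueError(f"range must stay within one port prefix: {item!r}")
        if int(end) < int(start):
            raise ValueError(f"descending range: {item!r}")
        for n in range(int(start), int(end) + 1):
            ports.append(f"{box}/{slot}/{prefix}{n}")
    return ports


@dataclass
class InlineNetwork:
    alias: str   # e.g. default_inline_net_1_1_3 (created automatically on bypass combo modules)
    ports: str   # its network port pair, e.g. "1/1/x21..x22"


def validate_from_list(source_is_group: bool, from_ports: List[str]) -> None:
    """Raise if the 'from' list breaks the inline-network-group rule."""
    if not from_ports:
        raise ValueError("an OOB map needs at least one source port")
    if source_is_group and len(from_ports) > 1:
        raise ValueError(
            "source is an inline network group: only one inline network port "
            f"per OOB map is supported, got {from_ports}"
        )


def oob_map_commands(networks: List[InlineNetwork], oob_tool: str,
                     source_is_group: bool, rule: str = "pass ipver 4",
                     alias_prefix: str = "OoB_map") -> List[List[str]]:
    """Return one command sequence per OOB map needed to reach oob_tool."""
    if source_is_group:
        # Example 15: one map per inline network port of every network in the group.
        from_lists = [[p] for net in networks for p in expand_ports(net.ports)]
    else:
        # Example 14: a single inline network, all of its ports in one map.
        if len(networks) != 1:
            raise ValueError("a non-group source is exactly one inline network")
        from_lists = [expand_ports(networks[0].ports)]

    maps = []
    for i, from_ports in enumerate(from_lists, start=1):
        validate_from_list(source_is_group, from_ports)
        alias = alias_prefix if len(from_lists) == 1 else f"{alias_prefix}{i}"
        maps.append([
            f"map alias {alias}",
            "type regular byRule",
            f"rule add {rule}",
            f"to {oob_tool}",
            f"from {','.join(from_ports)}",
            "exit",
        ])
    return maps


if __name__ == "__main__":
    # Constructed sample port assignments matching Examples 14 and 15.
    single = [InlineNetwork("default_inline_net_1_1_3", "1/1/x21..x22")]
    group = [InlineNetwork("default_inline_net_1_1_1", "1/1/x17..x18"),
             InlineNetwork("default_inline_net_1_1_2", "1/1/x19..x20")]
    for cmds in oob_map_commands(single, "1/1/x12", source_is_group=False):
        print("\n".join(cmds), end="\n\n")
    for cmds in oob_map_commands(group, "1/1/x12", source_is_group=True):
        print("\n".join(cmds), end="\n\n")
```

Run as a script it prints one map for the Example 14 network and four maps (OoB_map1 to OoB_map4) for the Example 15 group, covering the two maps the original leaves out for default_inline_net_1_1_2.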

 

How To: Configure Out-of-Band Clustering on H Series


Objective
How to get going with out-of-band clustering. In OOB clustering, all cluster control traffic uses the eth0 or eth2 interface, depending on the type of node.
If you have HD and HC devices, you can use either eth0 or eth2 as your cluster control interface (the interface over which control traffic is exchanged between the nodes).
If you have low-end devices like HB and TAxx, you must use eth0 as your cluster control interface; eth2 is not supported on these platforms.

Environment
H series of nodes
Procedure
Planning
Assign a dedicated IP for the new cluster.
NB: this must be unique and different from the two management IPs if you are using the eth2 interface as your cluster interface.

Cluster Details
Name = any cluster name; it can be a combination of letters and numbers (e.g. 1007)
ID = any cluster ID; it can be a combination of letters and numbers (e.g. 1007)
Mgmt IP = x.x.x.x/x (e.g. 10.150.56.71/24)

Device A (Master node)
Stack ports = 1/1/x1..x2
Mgmt IP =
Cluster mgmt port = eth2 (for HD & HC devices)
Chassis Serial Number =
Box id = 1

Device B (standby node)
Stack ports = 2/1/x1..x2
Mgmt IP =
Cluster mgmt port = eth2
Chassis Serial Number =
New box id = 2

First, set up the cluster so that the boxes can communicate with each other.

On device A:
Re-run the Jump-Start script
(config) # config jump-start
...
Step 12: Cluster enable? [no] yes
Step 13: Cluster interface? [eth2]
Step 14: Cluster id (Back-end may take time to proceed)? [default-cluster] 1007
Step 15: Cluster name? [default-cluster] 1007
Step 16: Cluster mgmt IP address and masklen? [0.0.0.0/0] 10.150.56.71/24

On device B:
Change the chassis box ID. Note that this removes any existing configuration, so take a backup first.
no chassis box-id 1
chassis box-id 2 serial-num <>

Re-run the Jump-Start script
(config) # config jump-start
...
Step 12: Cluster enable? [no] yes
Step 13: Cluster interface? [eth2]
Step 14: Cluster id (Back-end may take time to proceed)? [default-cluster] 1007
Step 15: Cluster name? [default-cluster] 1007
Step 16: Cluster mgmt IP address and masklen? [0.0.0.0/0] 10.150.56.71/24

Log into the VIP address (the cluster mgmt IP set above).
chassis box-id 1 serial
card all box-id 1

chassis box-id 2 serial
card all box-id 2

Set up the cluster stack links (a stack link carries the data traffic between Gigamon nodes)
port 1/1/x1..x2 type stack
gigaStream alias box1-GSstack port 1/1/x1..x2

port 2/1/x1..x2 type stack
gigaStream alias box2-GSstack port 2/1/x1..x2

stack-link alias hc2-hc2 between gigastreams box1-GSstack and box2-GSstack

Additional Notes
To form the out-of-band cluster, the cluster name, cluster ID, cluster interface and software version must match on all nodes.
Do not leave the cluster master preference at its default. Set the master node's preference higher (100 preferred); for the other nodes, pick a number between 50 and 99.
Verify with the following commands on each node:
show version
show cluster config
show cluster global brief

We recommend a clean node before it joins an existing cluster (reset factory only-traffic).
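The planning and Additional Notes sections above amount to a checklist that is easy to get wrong across two boxes (eth2 only on HD/HC, matching name/ID/interface/software, unique box IDs, a cluster mgmt IP that differs from the node mgmt IPs when eth2 is used, and explicit master preferences). The following is an added example, not Gigamon code and not part of the original how-to: a Python preflight check that applies those rules to a planned cluster before anyone re-runs jump-start. The Node class, the check_cluster_plan function, the platform names used as labels and the sample IPs and software string are assumptions constructed for the example; the one value taken from the page is the cluster mgmt IP 10.150.56.71/24.

```python
"""Preflight check for an out-of-band cluster plan.

Hypothetical helper, not Gigamon code. It applies the rules from the how-to
above before the jump-start script is run: eth2 is a valid cluster interface
only on HD/HC nodes; cluster name, ID, interface and software version must
match on every node; box IDs and management IPs must be unique; with eth2 the
cluster mgmt IP must differ from every node's own mgmt IP; and the master
preference must be set explicitly (100 on the master, 50..99 elsewhere).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ETH2_PLATFORMS = {"HD", "HC"}   # eth2 supported here; HB and TA must use eth0


@dataclass
class Node:
    name: str
    platform: str             # "HD", "HC", "HB" or "TA" (labels assumed for the example)
    box_id: int
    mgmt_ip: str              # the node's own management address
    cluster_interface: str    # "eth0" or "eth2"
    cluster_id: str
    cluster_name: str
    software: str             # as reported by 'show version' (constructed here)
    master_preference: Optional[int] = None   # None = left at the default


def check_cluster_plan(cluster_mgmt_ip: str, nodes: List[Node]) -> List[str]:
    """Return a list of problems; an empty list means the plan passes."""
    problems: List[str] = []
    try:
        vip = ipaddress.ip_interface(cluster_mgmt_ip).ip
    except ValueError:
        return [f"cluster mgmt IP {cluster_mgmt_ip!r} is not a valid address/masklen"]
    if len(nodes) < 2:
        problems.append("a cluster needs at least two nodes")

    for n in nodes:
        if n.cluster_interface not in ("eth0", "eth2"):
            problems.append(f"{n.name}: cluster interface must be eth0 or eth2")
        elif n.cluster_interface == "eth2" and n.platform not in ETH2_PLATFORMS:
            problems.append(f"{n.name}: eth2 is not supported on {n.platform}; use eth0")
        try:
            own = ipaddress.ip_address(n.mgmt_ip)
        except ValueError:
            problems.append(f"{n.name}: mgmt IP {n.mgmt_ip!r} is not a valid address")
        else:
            # The how-to requires a dedicated, unique cluster IP when eth2 is the cluster interface.
            if n.cluster_interface == "eth2" and own == vip:
                problems.append(f"{n.name}: mgmt IP equals the cluster mgmt IP {vip}")
        if n.master_preference is None:
            problems.append(f"{n.name}: master preference left at default")

    # Box IDs and management IPs must be unique across the cluster.
    for attr, label in (("box_id", "box ID"), ("mgmt_ip", "mgmt IP")):
        seen = [getattr(n, attr) for n in nodes]
        dups = sorted({str(v) for v in seen if seen.count(v) > 1})
        if dups:
            problems.append(f"duplicate {label}: {', '.join(dups)}")

    # These settings must be identical on every node for the cluster to form.
    for attr in ("cluster_id", "cluster_name", "cluster_interface", "software"):
        values = {getattr(n, attr) for n in nodes}
        if len(values) > 1:
            problems.append(f"{attr} differs across nodes: {sorted(values)}")

    # Exactly one node should hold the highest preference, 100; the rest sit in 50..99.
    prefs = [n.master_preference for n in nodes if n.master_preference is not None]
    if prefs:
        top = max(prefs)
        if prefs.count(top) > 1:
            problems.append(f"no single master: preference {top} is used more than once")
        for n in nodes:
            p = n.master_preference
            if p is None:
                continue
            if p == top and p != 100:
                problems.append(f"{n.name}: master should use preference 100, got {p}")
            if p != top and not 50 <= p <= 99:
                problems.append(f"{n.name}: non-master preference must be 50..99, got {p}")
    return problems


if __name__ == "__main__":
    # Constructed two-node HC plan; the node mgmt IPs and software string are made up.
    plan = [
        Node("A", "HC", 1, "10.150.56.70", "eth2", "1007", "1007", "5.x", 100),
        Node("B", "HC", 2, "10.150.56.72", "eth2", "1007", "1007", "5.x", 90),
    ]
    for line in check_cluster_plan("10.150.56.71/24", plan) or ["plan OK"]:
        print(line)
```

Run it against the plan for both boxes before touching jump-start; every line it prints is a reason the cluster would fail to form or would end up with an unintended master.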

 

GigaVUE H Series nodes support Secure Sockets Layer (SSL) decryption. SSL is a cryptographic protocol that adds security to TCP/IP communications such as Web browsing and email. The protocol allows the transmission of secure data between a server and client who both have the keys to decode the transmission and the certificates to verify trust between them. Out-of-band SSL decryption delivers decrypted traffic to out-of-band tools that can then detect threats entering the network.

SSL decryption is a pillar of the GigaSECURE Security Delivery Platform. For an overview of GigaSECURE, refer to the “GigaSECURE Security Delivery Platform” section in the GigaVUE-FM User’s Guide.

Configure Out-of-Band SSL Decryption Examples
The following sections provide examples of out-of-band SSL decryption. Refer to the following:

• Example 1: Out-of-Band SSL Decryption with a Regular Map
• Example 2: Out-of-Band SSL Decryption with De-Duplication
• Other Usage Examples
For details on the CLI commands used in the following sections, refer to apps ssl, gsparams, and gsop in the reference section.

Example 1: Out-of-Band SSL Decryption with a Regular Map
In Example 1, a regular map is configured to use with out-of-band SSL decryption.


  1. Upload a key and create a service. Refer to Working with Keys and Services on page 732.

(config) # apps ssl key alias key1 download type private-key url https://keyserver.domain.com/path/keyfile.pem
(config) # apps ssl service alias service1 server-ip 192.168.1.1 server-port 443

  2. Configure a GigaSMART group.

(config) # gsgroup alias gsgrp1 port-list 1/1/e1

  3. Specify the GigaSMART group alias.

(config) # gsparams gsgroup gsgrp1

  4. Specify a failover action.

(config gsparams gsgroup gsgrp1) # ssl-decrypt decrypt-fail-action drop

  5. Configure session timeouts, in seconds.

(config gsparams gsgroup gsgrp1) # ssl-decrypt pending-session-timeout 60
(config gsparams gsgroup gsgrp1) # ssl-decrypt session-timeout 300
(config gsparams gsgroup gsgrp1) # ssl-decrypt tcp-syn-timeout 20

  6. Configure cache timeouts, in seconds.

(config gsparams gsgroup gsgrp1) # ssl-decrypt key-cache-timeout 9000
(config gsparams gsgroup gsgrp1) # ssl-decrypt ticket-cache-timeout 9000

  7. Configure a key/service mapping that maps how a key is assigned to an IP address of a server.

(config gsparams gsgroup gsgrp1) # ssl-decrypt key-map add service service1 key key1

  8. Enable out-of-band SSL decryption.

(config gsparams gsgroup gsgrp1) # ssl-decrypt enable

  9. Exit the GigaSMART group configuration mode.

(config gsparams gsgroup gsgrp1) # exit
(config) #

  10. Configure a GigaSMART operation for out-of-band SSL decryption.

(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto port-list gsgrp1

In the previous step, gdssl1 is the alias for a GigaSMART operation, in-port specifies the destination port on which to listen, out-port specifies the destination port on which to send decrypted traffic, and port-list is set to the GigaSMART group alias previously configured. The in-port and out-port arguments can also be a port number between 1 and 65535.

Next, configure a traffic map, as follows:


  1. Specify a map alias (m1) and specify the map type and subtype.

(config) # map alias m1

(config map alias m1) # type regular byRule

  2. Specify the GigaSMART operation alias (gdssl1) as part of the map. This applies the associated GigaSMART functionality to packets matching a rule in the map.

(config map alias m1) # use gsop gdssl1

  3. Specify a map rule.

(config map alias m1) # rule add pass ipver 4

  4. Specify the destination for packets matching this map.

(config map alias m1) # to 1/1/g2

  5. Specify the source port(s) for this map.

(config map alias m1) # from 1/1/g1

  6. Exit the map prefix mode.

(config map alias m1) # exit
(config) #

  7. Display the configuration.

(config) # show gsop
(config) # show map
(config) # show gsparams

Example 2: Out-of-Band SSL Decryption with De-Duplication
In Example 2, the configuration steps are the same, except that when you configure the GigaSMART operation you send the decrypted traffic to de-duplication for additional filtering, as follows:

(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto dedup set port-list gsgrp1

Other Usage Examples
Two typical usage examples are as follows:

• Use map rules to filter on the IP address of the server and send everything to GigaSMART. Configure a GigaSMART operation to listen on the in-port used by the server. The GigaSMART will drop other traffic.
• Use map rules to filter on the IP address of the server and in-port and send specific port traffic to the GigaSMART. Configure a GigaSMART operation to listen on in-port any.

 

Example 7—Protected Flexible Inline, Out-of-Band Copy

Example 7 demonstrates a flexible inline map with OOB copy configuration as follows:

• an example of the source as a protected inline network and the destination as a hybrid port
• an example of the source as a tool member in the a-to-b list and the destination as a regular tool port
• an example of the source as a tool member in the a-to-b list and the destination as a GigaStream
Use the following steps to configure Example 7:

 


1. Configure inline tool ports, port type (inline-tool), and administratively enable the inline tool ports.

(config) # port 1/3/x1..x4 type inline-tool
(config) # port 1/3/x1..x4 params admin enable

2. Configure the inline tools, specify that each inline tool is going to be shared by different sources, specify heart-beat, and enable the inline tools.

(config) # inline-tool alias it1 pair tool-a 1/3/x1 and tool-b 1/3/x2
(config) # inline-tool alias it1 shared true
(config) # inline-tool alias it1 heart-beat
(config) # inline-tool alias it1 enable

(config) # inline-tool alias it2 pair tool-a 1/3/x3 and tool-b 1/3/x4
(config) # inline-tool alias it2 shared true
(config) # inline-tool alias it2 heart-beat
(config) # inline-tool alias it2 enable

3. Configure a hybrid port, port type (hybrid), and administratively enable it. The flexible inline map will send out-of-band (OOB) traffic to this hybrid port.

(config) # port 1/3/x19 type hybrid
(config) # port 1/3/x19 params admin enable

4. Configure regular tool ports, port type (tool), and administratively enable the tool ports. The flexible inline map will send out-of-band (OOB) traffic to a regular tool port. The two other tool ports will be used in a GigaStream.

(config) # port 1/3/x20..x22 type tool
(config) # port 1/3/x20..x22 params admin enable

5. Create a GigaStream using two of the regular tool ports.

(config) # gigastream alias gs1 port-list 1/3/x21,1/3/x22

6. Configure the flexible inline map from the default inline network to the inline tools in both directions, specify a rule and a user-defined tag. Then configure the out-of-band traffic as follows:

• from the protected inline network to the hybrid port, using the same VLAN tag as the flexible inline map
• from the first tool member in the a-to-b list (it1) to a regular tool port without a VLAN tag; the tag can be set to none because this traffic goes to a different destination
• from the second tool member in the a-to-b list to the GigaStream, using the same VLAN tag as the flexible inline map

Finally, enable the map.

(config) # map alias FLEX1
(config map alias FLEX1) # type flexInline byRule
(config map alias FLEX1) # from default_inline_net_1_4_1
(config map alias FLEX1) # rule add pass vlan 500
(config map alias FLEX1) # a-to-b it1,it2
(config map alias FLEX1) # b-to-a same
(config map alias FLEX1) # tag 11
(config map alias FLEX1) # oob-copy from default_inline_net_1_4_1 to 1/3/x19 tag as-inline
(config map alias FLEX1) # oob-copy from it1 to 1/3/x20 tag none
(config map alias FLEX1) # oob-copy from it2 to gs1 tag as-inline
(config map alias FLEX1) # enable
(config map alias FLEX1) # exit
(config) #

7. Configure the traffic path to the inline tools.

(config) # inline-network alias default_inline_net_1_4_1 traffic-path to-inline-tool

8. Disable physical bypass on the default inline network.

(config) # inline-network alias default_inline_net_1_4_1 physical-bypass disable

 
