Manual Allot Netenforcer AC1010

8/20/2019 Manual Allot Netenforcer AC1010

1/97


2/97


3/97

NetEnforcer AC-1000 SeriesPolicy Based Bandwidth Management

Hardware Guide

P/N D362001 R2


4/97


5/97

Important Notice

AC-1000 Series Hardware Guide iii

Important NoticeAllot Communications Ltd. ("Allot") is not a party to the purchase agreement under which NetEnforcer was purchased, andwill not be liable for any damages of any kind whatsoever caused to the end users using this manual, regardless of the form of

action, whether in contract, tort (including negligence), strict liability or otherwise.

SPECIFICATIONS AND INFORMATION CONTAINED IN THIS MANUAL ARE FURNISHED FORINFORMATIONAL USE ONLY, AND ARE SUBJECT TO CHANGE AT ANY TIME WITHOUT NOTICE, AND

SHOULD NOT BE CONSTRUED AS A COMMITMENT BY ALLOT OR ANY OF ITS SUBSIDIARIES. ALLOT

ASSUMES NO RESPONSIBILITY OR LIABILITY FOR ANY ERRORS OR INACCURACIES THAT MAY APPEAR INTHIS MANUAL, INCLUDING THE PRODUCTS AND SOFTWARE DESCRIBED IN IT.

Please read the End User License Agreement and Warranty Certificate provided with this product before using the product.Please note that using the products indicates that you accept the terms of the End User License Agreement and Warranty

Certificate.

WITHOUT DEROGATING IN ANY WAY FROM THE AFORESAID, ALLOT WILL NOT BE LIABLE FOR ANYSPECIAL, EXEMPLARY, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND,

REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE),STRICT LIABILITY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE ORANTICIPATED PROFITS, OR LOST BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CopyrightCopyright © 1997-2007 Allot Communications. All rights reserved. No part of this document may be reproduced,

photocopied, stored on a retrieval system, transmitted, or translated into any other language without a written permission and

specific authorization from Allot Communications Ltd.

TrademarksProducts and corporate names appearing in this manual may or may not be registered trademarks or copyrights of theirrespective companies, and are used only for identification or explanation and to the owners' benefit, without intent to infringe.

Allot and the Allot Communications logo are registered trademarks of Allot Communications Ltd.

NOTE: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of

the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment

is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not

installed and used in accordance with the instruction manual, may cause harmful interference to radio communications.

Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be

required to correct the interference at his own expense.

Changes or modifications not expressly approved by Allot Communication Ltd. could void the user's authority to operate the

equipment.


6/97

Important Notice

AC-1000 Series Hardware Guideiv

Printing HistoryFirst Edition: July, 2006

Second Edition: September, 2007


7/97

NetEnforcer AC-1000 Hardware Guide v

Table of ContentsImportant Notice .......................................................................................................................... iii Printing History ............................................................................................................................. iv Table of Contents ........................................................................................................................... v Table of Figures ........................................................................................................................... vii

CHAPTER 1: AC-1000 SERIES HARDWARE ......................................................... 1-1 AC-1000 Series Packing List ..................................................................................................... 1-2 NetEnforcer Front Panel ........................................................................................................... 1-3

AC-1000 Series Front Panels ................................................................................................... 1-4

LCD Panel ................................................................................................................................ 1-6

Power Supply Modules ............................................................................................................. 1-8

Accessories Area .................................................................................................................... 1-11 Cabling ...................................................................................................................................... 1-14

AC-1000 Series Copper .......................................................................................................... 1-14 AC-1000 Multi Mode (SX) Fiber ........................................................................................... 1-16 AC-1000 Series Single Mode (LX5, LX20, ZX) Fiber .......................................................... 1-17 Connectors .............................................................................................................................. 1-18

Bypass Units .............................................................................................................................. 1-19 AC-1010 Bypass Units ........................................................................................................... 1-19 AC-1020 Bypass Unit ............................................................................................................. 1-23 AC-1040 Bypass Unit ............................................................................................................. 1-28

Powering Up ............................................................................................................................. 1-30 Connection to AC Power ........................................................................................................ 1-30

Connection to DC Power ........................................................................................................ 1-30 Grounding ............................................................................................................................... 1-31 Powering Up Via LCD Panel ................................................................................................. 1-32

CHAPTER 2: PLACEMENT IN THE NETWORK .................................................. 2-1

CHAPTER 3: SETTING UP THE NETENFORCER ................................................ 3-1 Configuring Via a Terminal or Telnet ...................................................................................... 3-1


8/97

NetEnforcer AC-1000 Hardware Guidevi

Configuring Via the LCD Panel .............................................................................................. 3-12

CHAPTER 4: REDUNDANCY .................................................................................... 4-1 Enabling Redundancy ................................................................................................................ 4-1 Parallel Redundancy ................................................................................................................ 4-13

Status Indicators in Parallel Redundancy Mode ..................................................................... 4-14 Secondary NetEnforcer Activation ......................................................................................... 4-15

Active Redundancy ................................................................................................................... 4-17 Failover ................................................................................................................................... 4-17 Policy Configuration ............................................................................................................... 4-17 Connecting the NetEnforcer in Active Redundancy ............................................................... 4-18 Active Redundancy for the AC-1020 ...................................................................................... 4-18 Active Redundancy for the AC-1040 ...................................................................................... 4-18

Serial Redundancy .................................................................................................................... 4-19

NetEnforcer Failover............................................................................................................... 4-20 Serial Redundancy in Mesh Topologies ................................................................................. 4-21

CHAPTER 5: HARDWARE SPECIFICATIONS ..................................................... 5-1 Dimensions ............................................................................................................................... 5-1 Power Requirements ................................................................................................................. 5-1 Operating Environment ............................................................................................................. 5-2

Standards, Compliance and Certifications ............................................................................... 5-3

CHAPTER 6: FIREWALL PORT REFERENCE ..................................................... 6-1

CHAPTER 7: ÉQUIPEMENT DE SÉRIE AC-1000 ................................................. 7-1 Mises en garde d’ordre général: ................................................................................................ 7-2 Remarques d’ordre général: ...................................................................................................... 7-4 Spécifications matérielles ........................................................................................................... 7-5

Dimensions ............................................................................................................................... 7-5 Spécifications requises .............................................................................................................. 7-5


9/97

NetEnforcer AC-1000 Hardware Guide vii

Table of Figures

Figure 1-1 – Front Panel: AC-1000 Series ................................................................................... 1-3

Figure 1-2 – Front Panel: AC-1010 Copper ................................................................................. 1-4

Figure 1-3 – Front Panel: AC-1020 Fiber .................................................................................... 1-4

Figure 1-4 – Front Panel: AC-1040 Copper ................................................................................. 1-5

Figure 1-5 – NetEnforcer LCD Panel .......................................................................................... 1-6

Figure 1-6 – Dual SC Connector (Multi Mode Fiber) ................................................................ 1-18

Figure 1-7 – Dual LC Connector (Single Mode Fiber) .............................................................. 1-18

Figure 1-8 – Single Copper Bypass Unit ................................................................................... 1-19

Figure 1-9 – Connecting the NetEnforcer AC-802 Copper to the Single Copper Bypass Unit . 1-20

Figure 1-10 –Single Fiber Bypass Unit – Multi Mode ............................................................... 1-21

Figure 1-11 –Single Fiber Bypass Unit – Single Mode ............................................................. 1-21

Figure 1-12 – Connecting NetEnforcer AC-1010 Fiber to Single Fiber Bypass Unit – Multi Mode ............................................................................................................................................ 1-22

Figure 1-13 – Connecting the NetEnforcer AC-1020 to Double Copper Bypass Unit .............. 1-24

Figure 1-14 – Double Fiber Bypass Unit - MultiMode .............................................................. 1-25

Figure 1-15 – Double Fiber Bypass Unit – Single Mode ........................................................... 1-26

Figure 1-16 – Connecting the NetEnforcer AC-1020 to Double Fiber Bypass Unit – Single Mode ............................................................................................................................................ 1-27

Figure 1-17 – Multi-Port Copper Bypass Unit ........................................................................... 1-28

Figure 3-1 – NetEnforcer Setup Menu ......................................................................................... 3-2


10/97

NetEnforcer AC-1000 Hardware Guideviii

Figure 3-2 – Current Configuration (1) ........................................................................................ 3-4

Figure 3-3 – Current Configuration (2) ........................................................................................ 3-5

Figure 3-4 – Network Configuration ............................................................................................ 3-6

Figure 3-5 – Password .................................................................................................................. 3-9

Figure 3-6 – Time Setup ............................................................................................................. 3-10

Figure 4-1 – NIC Tab AC-1010 – NetXplorer Configuration ...................................................... 4-3

Figure 4-2 – Networking Tab AC-1010 – NetXplorer Configuration .......................................... 4-4

Figure 4-3 – NIC Tab AC-1020 – NetXplorer Configuration ...................................................... 4-7

Figure 4-4 – Networking Tab AC-1020 – NetXplorer Configuration .......................................... 4-8

Figure 4-5 – NIC Tab AC-1040 – NetXplorer Configuration .................................................... 4-11

Figure 4-6 – Networking Tab AC-1040 – NetXplorer Configuration ........................................ 4-12

Figure 4-7 – Serial Redundancy – Normal Scenario .................................................................. 4-19

Figure 4-8 – Serial Redundancy – Failover Scenario ................................................................. 4-20

Figure 4-9 – Serial Redundancy – Bypass Scenario ................................................................... 4-21

Figure 4-10 – Serial Redundancy – Mesh Scenario ................................................................... 4-22


11/97

NetEnforcer AC-1000 Hardware Guide 1-1

Chapter 1: AC-1000 Series Hardware

This chapter describes the NetEnforcer AC-1000 series hardware and the initialinstallation and setup of the device. The NetEnforcer is a transparent learning bridgethat is IEEE 802.1-compliant and works with a Bypass Unit to ensure that datacontinues flowing should any hardware or software problem occur. While the NetEnforcer is bypassed, all traffic goes through passive elements only and still allowsthe network to function.

NetEnforcer AC-1000 series offers carrier-grade design with redundant criticalcomponents for fail-safe operation. Redundant hardware components include system

fans and dual hot-swappable power supplies. The NetEnforcer AC-1000 series isdesigned to meet ETSI standards.

All AC-1000 series units come with an additional Bypass Unit.

CAUTION Al l AC-1000 Series models only function when the appropr iateBypass Unit is connected to it. This is to ensure continuous servicein the event of failu re.

NOTE AC-1000 NetEnforcer NIC default factory setting is always Auto-Negotiation enabled, with the exception of the AC-1010 Copper whose

default NIC setting is 1000 full, Auto-Negotiation disabled.

It is recommended to keep the NetEnforcer’s default setting. Changing

NIC settings is done via LCD panel only.

Several NetEnforcer models are available to support large and small sites and differentdata network speeds.

All NetEnforcer AC-1000 series units support 1M connections (2M flows), 2,000 pipesand 8,000 Virtual Channels. Additional Pipes and Virtual Channels can also be purchased separately per device. Allot basic management software is included with allAC-1000 series devices. Allot NetXplorer Centralized Management software can be purchased for any AC-1000 series device using software version S7.1.0 or later,replacing the basic management.


12/97


NetEnforcer AC-1000 Hardware Guide1-2

The NetEnforcer AC-1010 is a general-purpose carrier grade device with one line (two port) connectivity. The device is available with either AC or DC power supplies andwith copper, SX fiber, LX5 fiber, LX20 fiber or ZX fiber interface connectors. The AC-1010 may be ordered with an upgradable throughput of 155 Mbps, 310 Mbps, 622Mbps or 1 Gbps.

The NetEnforcer AC-1020 is intended to be used in a mesh network configurationwhere redundancy is kept by connecting each path to a different network device. TheAC-1020 has two line (four port) connectivity. The device is available with either AC orDC power supplies and with copper, SX fiber, LX5 fiber, LX20 fiber or ZX fiberinterface connectors. The AC-1020 may be ordered with an upgradable throughput of155 Mbps, 310 Mbps, 622 Mbps, 1 Gbps or 2 Gbps.

The NetEnforcer AC-1040 is a carrier grade unit intended for large service providers or

carriers with four line (eight port) connectivity. The unit is available with either AC orDC power supplies and with copper interface connectors. The AC-1040 is providedwith a non-upgradable throughput of 400 Mbps,

AC-1000 Series Packing ListVerify that the following items are included with NetEnforcer:

• NetEnforcer (hardware with pre-installed software)

• NetEnforcer Hardware Guide

• Two mains power cables according to National Electrical Code (NEC) withmolded IEC sockets

• 1 Serial Console Cable

• 1 Ethernet Cross Management Cable

• 2 19" Side Mounting Brackets

• 8 Mounting Bracket Screws

• 1 D-type High Density Backup Cable

NOTE The maximum Ethernet cable length is generally up to 50 meters.


13/97



NetEnforcer Front PanelThe AC-1000 series connects to your network via Link Connection connectors. TheLCD panel, connectors and LED indicators on the front panel, are shown in thefollowing diagrams.

The front panel of each AC-1000 series unit is separated into four areas as shown below:

Figure 1-1 – Front Panel: AC-1000 Series

The front panel of NetEnforcer is laid out as follows:

• LCD panel, described on page 1-6

• The Link Connections area• Power Supply Modules, described on page 1-8.

• Accessory area, including the following:

• Management Port, described on page 1-11

• Management LEDs, described on page 1-12

• Console Connector described on page 1-12

• Backup High Density D-type Connector (see Bypass Units on page 1-19)

• Two power cable connectors described on page 1-13.


14/97



AC-1000 Series Front Panels

AC-1010 Front Panels

Figure 1-2 – Front Panel: AC-1010 Copper

AC-1020 Front Panel

Figure 1-3 – Front Panel: AC-1020 Fiber


15/97



AC-1040 Front Panels

Figure 1-4 – Front Panel: AC-1040 Copper

CAUTION CLASS 1 LASER PRODUCT. DANGER!Invisible laser radiation when opened.

AVOID DIRECT EXPOSURE TO BEAM.


16/97



LCD PanelThe NetEnforcer LCD panel provides an indication of traffic usage and enables you toconfigure NetEnforcer directly without the need to connect a terminal. You can alsostart, reboot and shutdown NetEnforcer from the front panel.

On/Off Enter

Up Arrow

Display Area

Select

Power Indicator

Active Indicator

Standby Indicator

Left Arrow

Right Arrow

Down Arrow

On/Off Enter

Up Arrow

Display Area

Select

Power Indicator

Active Indicator

Standby Indicator

Left Arrow

Right Arrow

Down Arrow

Figure 1-5 – NetEnforcer LCD Panel

For a description of how to configure NetEnforcer using the LCD panel, refer toConfiguring Via the LCD Panel, page 3-12.

For a description of the Standby, Active and Power LEDs, refer to Interface Status Indicators, page 1-8.


17/97



Unit Status Indicators

The modes of operation of the Standby, Active and Power LEDs on the LCD panel aredescribed in the table below.

Indicator Status NetEnforcer Status

Standby On Two NetEnforcers are connected in Parallel Redundancymode and this NetEnforcer is the secondary system.

Off This NetEnforcer is the primary system. If you have one NetEnforcer, this should be the normal state of the LED. Ifyou have two NetEnforcers configured in ParallelRedundancy mode, this NetEnforcer is the primary system.

Active On NetEnforcer is in Active mode.

Off NetEnforcer is in Bypass mode, or this is the secondary NetEnforcer in a Parallel Redundancy configuration and itis not active. Traffic passes through NetEnforcer with noQuality of Service or traffic shaping.

Power On NetEnforcer is powered up.

Off NetEnforcer is shut down.

Table 1-1 – Standby/Active/Power LED Conditions


18/97



Interface Status IndicatorsThe modes of operation of the Link (External and Internal) LEDs are described in thetable below.

Link Status Indicators – AC-1010/1020

Ext/Int LED NetEnforcer Status

Green A lit green LED indicates that a link is detected.

Amber A blinking amber LED indicates that traffic is detected onthe interface.

Off An unlit LED indicates that neither links nor activities were

detected.Table 1-2 – External/Internal LED Conditions – AC-1010/1020

Link Status Indicators – AC-1040

Ext/Int LED NetEnforcer Status


Red A blinking red LED indicates that traffic is detected on theinterface.

Off An unlit LED indicates that neither links nor activities weredetected.

Table 1-3 – External/Internal LED Conditions – AC-1040

Power Supply Modules NetEnforcer includes two hot-swappable power supply modules and a dual line feed forRedundancy purposes. Each line feed is driving one power supply.


19/97



NOTE The AC power supply automatically adapts to voltages between 100 V and240 V, 50/60 Hz. The DC power supply automatically adapts to voltages

of 48 V or 60 V DC.

This equipment is for use in a restricted access area by qualified

personnel only. To avoid shock, do not perform any servicing other than

those contained in the unpacking instructions.

Should you need to, you can replace one of the power supplies while NetEnforcer isconnected and operating. Replacing a power supply while the unit is operating is possible since the remaining power supply will take the full load and maintain fulloperation.

NOTE To remove a power supply module, undo the two screws in the lower leftand right corners, lift the handle and slide the module out.


20/97



Each power supply has two LEDs located beneath the power supply handles.

Model Copper/Fiber options Power inlet options

AC 1010 Transceiver SFP Copper

Transceiver SFP SX

Transceiver SFP LX 5


Transceiver SFP ZX

AC/DC

AC 1020 Transceiver SFP Copper

Transceiver SFP SX



Transceiver SFP ZX

AC/DC

AC 1040 Copper AC/DC

CAUTION The power entry modules (AC supply op tion) include two fuses (T2A

250 V, 5 x 20 mm) at each power entry. One is a spare fuse forreplacement purposes. You can open the fuse box and change whennecessary. For continued protection against ri sk of fi re, replace onlywith same type and rating o f fuse.

Disconnect the produc t from the power line before removing thecover. Any adjustment and maintenance of the opened deviceshould be done only while the device is disconnected from itssource of power and should only be performed by qualifiedpersonnel


21/97



Accessories Area

Management Port (Out of Band Management)

Out-of-band management provides the following:

• Offers physical separation between shaped traffic and management traffic.

• Enables access to NetEnforcer even if there is a problem in the network (forexample, DoS attack).

• Prevents management traffic from interfering with shaped traffic.

• Permits NetEnforcer management from a DMZ.

The NetEnforcer includes a dedicated Management port for out-of-band management of

the device. The dedicated Management port provides a secure solution for devicemanagement for enterprise and service providers. It enables you to permit access solelyto a closed group of network administrators, so that ISP customers cannot "see" theManagement port and therefore cannot access the NetEnforcer management. Operatingthrough the Management port denies management access to the device from Internal orExternal ports. Moreover, when there is a problem in the regular network, for example,a DoS (Denial of Service) attack, you can still manage and monitor the NetEnforcer.

Using a Management port has the following benefits:

• Provides a security feature that prevents ISP customers from "seeing" theManagement port and thus prevents access to NetEnforcer. The Internal andExternal ports are functioning solely to forward traffic, consequently only the

administrator (the only one who has access to the Management port) hasaccess to NetEnforcer.

• Enables configuring, installing and upgrading while the unit is in Bypassmode. This is particularly important when NetEnforcer is in carrierenvironments.

• Improves NetEnforcer's forwarding performance by separating themanagement traffic from the regular traffic. In addition, if a problem exists inthe regular network you can still communicate with NetEnforcer in order torepair the problem.


22/97



• Provides an infrastructure for improvement of the redundancy capabilities.

NOTE The Management port has its own MAC and IP address.

Management Port Status Indicators

Management Port Status Indicato rs – AC-1010/1020

The modes of operation of the Management port LEDs are described in the table below.

Mgmnt LED NetEnforcer Status


Amber A blinking amber LED indicates that traffic is detected onthe interface.


Table 1-4 –Management LED Conditions – AC-1010/1020

Management Port Status Indicators – AC-1040

Mgmnt LED NetEnforcer Status


Red A blinking red LED indicates that traffic is detected on theinterface.


Table 1-5 –Management LED Conditions – AC-1040

Console Port

The Console Port allows the connection of a PC to the NetEnforcer in order to monitoror configure the unit via the Command Line Interface (CLI)


23/97



Power Cable Connectors

The unit power cables (AC or DC) plug in here. The power cables should not beremoved while swapping the power modules.

CAUTION This equipment has a connection between the earthed conductor of the DCsupply cir cuit and the earthing conductor. Before connecting the product tothe power line, make sure that the protective ground terminal of the device isconnected to the safety ground conductor of the mains power cord. Themains plug should only be inserted in a socket outlet provided with aconnected safety ground. The protective action must not be negated by useof an extension cord (power cable) without a protective conductor(grounding). Any interruption of the protective (grounding ) conductor ordisconnection of the protective ground terminal can make the device unsafeto use. Intentional interruption is proh ibited.


24/97



Cabling AC-1000 Series CopperNOTE Ethernet Cables may be Straight or Cross, depending upon your network.

Shielded cables must be used in order to insure compliance.

Connections Cable Type Connector Type

To NetEnforcerManagement Port Ethernet (Cat-6) (Included,P/N C411011) RJ-45

To NetEnforcer ConsolePort

Ethernet (Cat-6) (Included,P/N C002005B)

RJ-45

Primary NetEnforcerInternal/Eternal toBypass UnitInternal/External

Ethernet (Cat 6) (Included,P/N C411008 x2)

RJ-45

Secondary NetEnforcerInternal/External toNetwork

Ethernet (Cat 6) RJ-45

NetEnforcer BackupConnector to BypassUnit

DB-9 Cable (Included, P/NC002009)

D-Type 9-Pin/26-Pin

Bypass Unit Internal toSwitch


Bypass Unit External toRouter



25/97




26/97



AC-1000 Multi Mode (SX) FiberNOTE Ethernet Cables may be Straight or Cross, depending upon your network.


To NetEnforcerManagement Port

Ethernet (Cat-6) (Included,P/N C411011)

RJ-45



RJ-45

Primary NetEnforcer toBypass Unit(Internal/External)

Built In Built In


DB-9 Cable (Included,P/N C002009)

D-Type 9-Pin/26-Pin

Secondary NetEnforcerto Network(Internal/External)

62.5/125μ fiber optic cable Dual SC






27/97



AC-1000 Series Single Mode (LX5, LX20, ZX) FiberNOTE Ethernet Cables may be Straight or Cross, depending upon your network.


To NetEnforcerManagement Port

Ethernet (Cat-6) (Included,P/N C411011)

RJ-45



RJ-45

Primary NetEnforcer toBypass Unit(Internal/External)

9/125μ fiber optic cable(Included, P/N C411015)

Dual LC


DB-9 Cable (Included,P/N C002009)

D-Type 9-Pin/26-Pin

Secondary NetEnforcerto Network(Internal/External)

9/125μ fiber optic cable Dual LC






28/97



Connectors NetEnforcer Bypass Units using Multi Mode fiber (SX) utilize dual SC Connectors.

Figure 1-6 – Dual SC Connector (Multi Mode Fiber)

NetEnforcer Bypass Units using Single Mode fiber (LX5, LX20 and ZX) utilize dualLC connectors.

Figure 1-7 – Dual LC Connector (Single Mode Fiber)

NOTE Color and appearance of actual connectors may vary.


29/97



Bypass UnitsThe AC-1000 series operates with an external Bypass Unit. The Bypass Unit is amission-critical subsystem designed to ensure network connectivity at all times. TheBypass mechanism provides "connectivity insurance" in the event of a NetEnforcersubsystems failure.

NetEnforcer is supplied with a Bypass Unit appropriate to the Unit. The AC-1010 Fiberoperates with a Fiber Bypass and the AC-1010 Copper operates with a Copper Bypass.The AC-1020 Fiber operates with a Double Fiber Bypass and the AC-1020 Copperoperates with a Double Copper Bypass. The AC-1040 operates with a Multi-portCopper Bypass.

CAUTION A NetEnforcer AC-1000 unit must be connected to the appropriate

Bypass Unit. This is to ensure continuous service in the event offailure.

A separate NetEnforcer Bypass package is included with your AC-1000 seriesshipment.

AC-1010 Bypass Units

Single Copper Bypass Unit

The Single Copper Bypass Unit works in conjunction with NetEnforcer AC-802 Coppermodels.

Figure 1-8 – Single Copper Bypass Unit

NOTE Use UTP CAT-6 straight Ethernet cables to connect link connectionsmarked with Internal and External labels. The maximum Ethernet cable

length is generally 50 meters.


30/97



The Single Copper Bypass Unit includes RJ-45 connectors for Ethernet cables and twoD-type 9-pin connectors for primary and redundant unit to backup connection.

The following procedure describes how to connect a Single Copper Bypass Unit to NetEnforcer.

Figure 1-9 – Connecting the NetEnforcer AC-802 Copper to the Single Copper

Bypass Unit

To connect the Single Copper Bypass to the NetEnforcer:

NOTE For important information regarding cable and connector types, seeCabling on page 1-14.

1. Connect the External cable from the External port on the Bypass Unitto the External port on NetEnforcer.

2. Connect the Internal cable from the Internal port on the Bypass Unit, tothe Internal port on NetEnforcer.

To ExternalRouter

To InternalSwitch


31/97



3. Connect the D-type connector from the Primary port on the BypassUnit, to the Backup port on NetEnforcer. The 9-pin connector is plugged into the bypass unit and the 26 pin connector is plugged intothe NetEnforcer.

4. Connect the External cable from the External port on the Bypass Unit,to a router connector.

5. Connect the Internal cable from the Internal port on the Bypass Unit, toa switch connector.

NOTES To connect a secondary NetEnforcer for Parallel Redundancy, you needtwo NetEnforcers and one Bypass Unit.

Internal and external connectors of the redundant NetEnforcer should be

connected directly to the network. There is no need to connect via theBypass Unit.

Single Fiber Bypass Unit

The Single Fiber Bypass Unit works in conjunction with NetEnforcer AC-1010 Fiber.

There are two different Single Fiber Bypass units, one for Multi Mode connections (SXfiber) and one for Single Mode (LX5, LX20 and ZX fiber).

Figure 1-10 –Single Fiber Bypass Unit – Multi Mode

Figure 1-11 –Single Fiber Bypass Unit – Single Mode


32/97



NOTE Use 62.5/125μ or 9/125μ fiber optic cables with dual LC connectors (notprovided) to connect 1 Gbps ports of the switch and the router.

The Single Fiber Bypass Unit includes either two duplex LC connectors and one built infiber cable (for Multi Mode connections) or two quad LC connectors (for Single Modeconnections), along with two D-type 9-pin connectors for primary and redundant unit to backup connection.

The following procedure describes how to connect a Single Fiber Bypass Unit to NetEnforcer.

Figure 1-12 – Connecting NetEnforcer AC-1010 Fiber to Single Fiber Bypass Unit – Multi Mode

To connect the Single Fiber Bypass to NetEnforcer:


To InternalSwitch

To ExternalRouter


33/97



1. Connect the fiber cable labeled External from the Bypass Unit, to the External porton NetEnforcer.

2. Connect the fiber cable labeled Internal from the Bypass Unit, to the Internal porton NetEnforcer.

3. Connect the D-type connector from the Primary port on the Bypass Unit, to theBackup port on NetEnforcer. The 9-pin connector is plugged into the bypass unitand the 26 pin connector is plugged into the NetEnforcer.

4. Connect a 62.5/125μ or 9/125μ External fiber optic cable from the External port onthe Bypass Unit, to a 1 Gbps router.

5. Connect a 62.5/125μ or 9/125μ Internal fiber optic cable from the Internal port onthe Bypass Unit, to a 1 Gbps switch.



connected directly to the network. There is no need to connect via the

Bypass Unit.

AC-1020 Bypass Unit

Double Copper Bypass Unit

The Double Copper Bypass Unit works in conjunction with NetEnforcer AC-1020Copper.



The Double Copper Bypass Unit includes RJ-45 connectors for Ethernet cables andD-type 9-pin connectors for primary and redundant unit to backup connection.


34/97



The following procedure describes how to connect a Double Copper Bypass Unit to NetEnforcer AC-1020.

Figure 1-13 – Connecting the NetEnforcer AC-1020 to Double Copper Bypass Unit

To connect the Double Copper Bypass to the NetEnforcer:


1. Connect the External cable from the To NetEnforcer External port (Link 1) on theBypass Unit to the External port on the NetEnforcer (Link 1).

2. Connect the Internal cable from the To NetEnforcer Internal port (Link 1) on theBypass Unit to the Internal port on NetEnforcer (Link 1).

3. Connect the External cable from the External port on the Bypass Unit, to a router(1000Base-T) connector.

To InternalSwitch

To ExternalRouter


35/97



4. Connect the Internal cable from the Internal port on the Bypass Unit, to a switchconnector.

5. Repeats Steps 1 to 4 for Link 2.

6. Connect the D-type High Density connector from the Primary port on the BypassUnit, to the Backup port on NetEnforcer. The 9-pin connector is plugged into the bypass unit and the 26 pin connector is plugged into the NetEnforcer.




Bypass Unit.

Double Fiber Bypass Unit

The Double Fiber Bypass Unit works in conjunction with NetEnforcer AC-1020 Fiber.

There are two different Double Fiber Bypass units, one for Multi Mode connections(SX fiber) and one for Single Mode (LX5, LX20, ZX fiber).

Figure 1-14 – Double Fiber Bypass Unit - MultiMode


36/97



Figure 1-15 – Double Fiber Bypass Unit – Single Mode

NOTE Use 62.5/125μ or 9/125μ fiber optic cables with dual LC connectors (notprovided) to connect 1 Gbps ports of the switch and the router.

The Double Fiber Bypass Unit includes connectors for connecting to Link 1 and Link 2on the AC-1020. The Link Connectors area includes either two duplex LC connectors,and one built in fiber cable (for Multi Mode connections) or two quad LC connectors(for Single Mode connections) for each link. In addition, the Double Fiber Bypass Unit

includes two D-type 9-pin connectors for primary and redundant unit to backupconnection.


37/97



The following procedure describes how to connect a Double Fiber Bypass Unit to NetEnforcer AC-1020.

Figure 1-16 – Connecting the NetEnforcer AC-1020 to Double Fiber Bypass Unit –Single Mode

To connect the Double Fiber Bypass to the NetEnforcer:


1. Connect the fiber cable labeled To NetEnforcer External (Link 1) from the BypassUnit to the External port on the NetEnforcer (Link 1).

2. Connect the fiber cable labeled To NetEnforcer Internal (Link 1) from the BypassUnit to the Internal port on the NetEnforcer (Link 1).

3. Connect a 62.5/125μ or 9/125μ External fiber optic cable from the External (link 1) port on the Bypass Unit to a 1 Gbps router.

To InternalSwitch

To ExternalRouter


38/97



4. Connect a 62.5/125μ or 9/125μ Internal fiber optic cable from the Internal port onthe Bypass Unit to a 1 Gbps switch.

5. Repeats Steps 1 to 4 for Link 2.

6. Connect the D-type High Density connector from the Primary port on the BypassUnit, to the Backup port on the Primary NetEnforcer. The 9-pin connector is plugged into the bypass unit and the 26 pin connector is plugged into the NetEnforcer.




Bypass Unit.

AC-1040 Bypass Unit

Multi-Port Copper Bypass Unit

The Multi-port Copper Bypass Unit works in conjunction with the NetEnforcer AC-1040 Copper.

Figure 1-17 – Multi-Port Copper Bypass Unit



The Copper Bypass Unit includes RJ-45 connectors for Ethernet cables and D-type9-pin connectors for primary and redundant unit to backup connection.


39/97



The following procedure describes how to connect the Bypass Unit to NetEnforcerAC-1040.

To connect the Bypass Unit to the NetEnforcer AC-1040:


1. Connect the External cable from the To NetEnforcer External port (Link 1) on theBypass Unit to the External port on NetEnforcer (Link 1).

2. Connect the Internal cable from the To NetEnforcer Internal port (Link 1) on theBypass Unit to the Internal port on NetEnforcer (Link 1).

3. Connect the External cable from the External port on the Bypass Unit to a router

(100Base-T) connector.

4. Connect the Internal cable from the Internal port on the Bypass Unit, to a switchconnector.

5. Repeats Steps 1 to 4 for Link 2 to 4.

6. Connect the D-type High Density connector from the Primary port on the BypassUnit to the Backup port on NetEnforcer. The 9-pin connector is plugged into the bypass unit and the 26 pin connector is plugged into the NetEnforcer.


Internal and external connectors of the redundant NetEnforcer should beconnected directly to the network. There is no need to connect via the

Bypass Unit.


40/97



Powering Up

Connection to AC PowerPower supply cords are intended to serve as the disconnect device. The user can powerdown the device only by removing the two-power cords from the power source or thedevice itself.

Make sure the wall socket outlet is installed near the equipment and that the socket iseasy to access. It is recommended that the wall socket outlet be connected to the building installation protection.

When connecting NetEnforcer to 120 / 240 VAC supply, plug into 10 A servicereceptacles, type N5/10 or NEMA 5-10R. Ensure that each site has a suitable ground.Ground all metal racks, enclosures, boxes and raceways. The NetEnforcer equipmentshould be reliably grounded through the power supply cord.

Connection to DC PowerCAUTION Use a UL listed 10A circuit breaker between a centralized DC power

system and the NetEnforcer power entry module.

Before performing the following procedure, ensure that power is removed from DCcircuit.

1. Verify that power is off to the DC-input circuit.

2. Wire the DC-input power supply to the terminal block, ensuring that allwire connections are secure (suggested DC-input wires are 14-AWGcopper UL listed conductors:

• Ground wire to the ground connector (you should always connect the groundwire first and disconnect it last).

• -48V wire to the - connector.

• -48V return to the + connector.


41/97



3. Restore power to the DC circuit by turning the circuit breaker on (|). Donot restore power until you are ready to boot the NetEnforcer system.

This unit is intended for RESTRICTED ACCESS LOCATIONS in accordance with NEC (National Electric Code) or the authority having jurisdiction. Power supply cablecomprises two sets of 3x14 AWG copper wires; use UL-listed cable only.

When connecting NetEnforcer to 48/60 V , use a UL-listed 10A circuit breaker betweenthe centralized DC power system and NetEnforcer power entry module as thedisconnect device incorporated in the fixed wiring. The circuit breaker must beclose tothe NetEnforcer and easily accessible.

CAUTION A two-pole 10A circuit breaker must be used between the uni t andthe centralized DC power source.

The DC supply source is to be located within the same premises as this equipment.There shall be no switching or disconnecting devices in the grounded circuit conductor between the DC source and the point of connection of the grounding electrodeconductor.

CAUTION DC Unit Grounding: Before connecting the product to the power line,make sure that the protective ground terminal of the device isconnected to the safety ground conduc tor of the mains power cord.

The mains plug should only be inserted in a socket outlet providedwith a connected safety ground. The protective action must not benegated by use of an extension cord (power cable) without aprotective conductor (grounding). Any interruption of the protective

(grounding) conductor or disconnection of the protective groundterminal can make the device unsafe to use. Intentional interruptionis prohibited.

This equipment has a connection between the earthed conductor ofthe DC supply ci rcuit and the earthing conductor.

GroundingAll NetEnforcer equipment has a connection between the grounded conductor of the DCsupply circuit and the grounding conductor.


42/97



Connect to a reliably grounded SELV source. Grounding is achieved throughconnection of the power entry module grounding terminal to one power port of theterminal block by min. No. 14 AWG green/yellow conductor.

This equipment shall be connected directly to the DC supply system groundingelectrode conductor or to a bonding jumper from grounding terminal bar or bus towhich the DC supply system grounding electrode is connected. When connecting thesupply wires to the DC main supply, the earth conductor will be connected first anddisconnected last.

This equipment shall be located in the same immediate area (such as, adjacent cabinetsor any other equipment that has a connection between the grounded conductor of thesame DC supply circuit and the grounding conductor, and also the point of grounding ofthe DC system. The DC system shall not be grounded elsewhere.

Powering Up Via LCD PanelNOTE The NetEnforcer and the Bypass Unit have to be fully plugged and

connected before power is turned on. This is to ensure proper and

systematic power up.

It is recommended to connect the two power line feeds to separate power sources tohave full power redundancy. The two bi-color Power LEDs on the rear of NetEnforcerare lit indicating that the power supply is connected to power and no failure conditionexists.

The Power LED on the LCD panel is lit and the Mode LED on the Bypass Unit is off,

indicating that the power is on and NetEnforcer is bypassed.

The display area of the LCD panel indicates the following: Power On.

After a few seconds, the display area of the LCD panel indicates the following:Syst emLoadi ng * .

Once the system has completed loading, the following occurs:

The Active LED on the LCD panel is lit and the Mode LED on the Bypass Unit is lit,meaning that NetEnforcer is now connected to the network.


43/97



The display area of the LCD panel indicates the default view - the current bandwidthconsumption. For example:

Inbound: XXX.XOutbound: YYY.Y

You can now proceed to configure NetEnforcer, as required.


44/97


45/97


Chapter 2: Placement in the Network

The NetEnforcer is normally placed on the internal side of your access router. TheInternal port of the NetEnforcer interfaces with your Local Area Network (LAN) andthe External port of the NetEnforcer interfaces with your access router.

To connect NetEnforcer to your network:

1. Connect the Bypass Unit to NetEnforcer, as described in Bypass Units, page 1-8.

2. Connect the LAN side of your network to the Internal connector of each link on thefront panel of the Bypass Unit.

3. Connect the cable connected to the WAN side of your network to the Externalconnector of each link on the front panel of the Bypass Unit.

NOTE For important information regarding cable and connector types, seeCabling on p. 1-8.

4. Power up NetEnforcer. Refer to Powering Up, page 1-30.


46/97


47/97


Chapter 3: Setting Up the NetEnforcer

In order to manage and configure NetEnforcer policies remotely from your Web browser or NetXplorer centralized management software, several basic parameters must be configured on NetEnforcer. You can configure these basic parameters using aterminal connected to NetEnforcer or by using the LCD panel.

Configuring Via a Terminal or TelnetYou can use a standard terminal /PC running terminal emulation software connected tothe Console port, or Telnet via the internet to configure a NetEnforcer. If you choose toconnect via the Console port, most standard windows-based PC systems have a terminalemulation program called HyperTerminal that can be used for this purpose. Configurethe terminal to run VT100 terminal emulation with the following parameters:

• Baud rate 19200

• 8 bits

• Stop bits 1

• No flow control

• No parity


48/97



To connect a terminal to the NetEnforcer:

1. Use the supplied serial cable to connect the terminal to the Console Connector onthe front panel of the NetEnforcer.

2. Connect the power cable and power up NetEnforcer, as described in Powering Up, page 1-30.

3. At the terminal, select Start > Programs > Accessories and double-click on theHyperTerminal icon. Enter a name for the session and then to set the com portand the parameters (see above). The system boots up and you are prompted for alogin and a password.

4. Enter admin for the login and allot for the password. (To change the password, see

page 3-9.)

5. Press . The NetEnforcer Setup Menu is displayed:

Figure 3-1 – NetEnforcer Setup Menu


49/97



To connect to a NetEnforcer via Telnet:

1. Open a Microsoft DOS window on a PC and at the C:\ prompt, enterTelnet (IP address of NetEnforcer). Press . The system bootsup and you are prompted for a login and a password.

2. Enter admin for the login and allot for the password. (To change the password, see page 3-9.)

Press . The NetEnforcer Setup Menu is displayed:

NetEnforcer Start Menu

From this menu, you can perform the following tasks:

• Display the current configuration, page 3-4.

• Configure network parameters, page 3-6.

• Change the login password, page 3-9.

• Modify the date and time settings, page 3-10.

• Reboot and Shutdown the unit, p 3-16.


50/97



Displaying the Current Configuration

You can display and view the currently set network configuration parameters at anytime.

To display the current configuration:

1. In the NetEnforcer Setup Menu, enter 1 (List current configuration) and press . The current network configuration parameters aredisplayed. A sample screen is shown below:

Figure 3-2 – Current Configuration (1)

2. Press to show the second screen of parameters:


51/97



Figure 3-3 – Current Configuration (2)

3. Press to return to the NetEnforcer Setup Menu.


52/97



Configuring Network Parameters

You can define network parameters manually.

To define network parameters manually:

1. In the NetEnforcer Setup Menu, enter 2 (Network configuration) and press . The Network Configuration menu is displayed:

Figure 3-4 – Network Configuration

2. Enter 2 (Manual configuration) and press .


53/97



3. Enter values for the following IP parameters:

Device IP Address The IP address for your NetEnforcer, for example,10.1.18.7.

Network mask The network mask for your NetEnforcer, forexample, 255.0.0.0.

Device Hostname The host name for your NetEnforcer, for example,Jonny2.

Domain name A domain name for your NetEnforcer, for example,allot.com. Do not provide a leading ‘.’.

Default gateway IP address The IP address of your default gateway, forexample, 10.0.0.2. If you do not have a defaultgateway, enter NONE.

Primary name server IPaddress

If you have a Domain Name Server (DNS), its IPaddress. If you do not have a DNS, enter none.

Secondary name server IPaddress

If you have a second DNS, its IP address. If you donot have a second DNS, enter none.

VLAN ID, or NONE[NONE]

Allows the mgmt port to be connected to aVLAN tagged interface.

CAUTION: Misconfiguring this parameter willresult in a loss of connection to the NetEnforcer.

The Ethernet Adapter Settings screen is displayed.

4. Enter the following parameters to set up the NetEnforcer Ethernetadapters:• The duplex type for the Internal interface. Enter full for full duplex, half for half

duplex or auto for AutoSensing.

• If you selected full or half duplex, enter the link speed of the Internal interface,10M or 100M. Use M for Mbps.


54/97



• The duplex type for the External interface. Enter full for full duplex, half forhalf duplex or auto for AutoSensing.

• If you selected full or half duplex, enter the link speed of the External interface,10M or 100M. Use M for Mbps.

5. Enter the following parameters to set up the Management Port:• The duplex type for the Internal interface. Enter full for full duplex, half for half

duplex or auto for AutoSensing.

• If you selected full or half duplex, enter the link speed of the Internal interface,10M or 100M. Use M for Mbps.

• The duplex type for the External interface. Enter full for full duplex, half forhalf duplex or auto for AutoSensing.

• If you selected full or half duplex, enter the link speed of the External interface,10M or 100M. Use M for Mbps.

NOTE If the NetEnforcer unit is being managed via NetXplorer, only theManagement Port can be configured on the Ethernet Adapter Settings

screen.

6. Press to finish and return to the Network Configuration menu.

7. To save your configuration, enter 3 (Save latest settings as currentconfiguration) from the Network Configuration menu. A message isdisplayed, asking whether you wish to make your changes effectiveimmediately. Enter y or n.


55/97



Changing the Passwords

You can change the login password for either the Admin user or the Monitor user. TheAdmin user has access to all NetEnforcer functions, while the Monitor user hasread-only access. It is strongly recommended to change the default password (allot). NetEnforcer might enable access from anywhere on the Internet, and should therefore be protected with a unique password.

To change the users’ password:

1. In the NetEnforcer Setup Menu, enter 3 (Change password) and press. The Password screen is displayed:

Figure 3-5 – Password

2. Enter 1 or 2 to specify the type of user whose password you want to

change and press .3. Enter a new password and press . The password must be

between 5 and 8 characters. You can use a combination of upper andlower case letters and numbers.

4. Re-enter the password and press . If NetEnforcer detects asimple password, a warning is displayed on the screen.

NOTE The new user name and password will be used in the NetEnforcer Log In window when accessing NetEnforcer through a browser.


56/97



Modifying Date and Time Settings

You can modify date and time settings as required. You can set the system timemanually, or you can set up NetEnforcer to receive time checks from an NTP (NetworkTime Protocol) server, if you have one on your network.

To modify the date and time settings:

1. In the NetEnforcer Setup Menu, enter 4 (Set time) and press .The Time Setup screen is displayed:

Figure 3-6 – Time Setup

The current day, date, system time and time zone are displayed at the top of thescreen.

2. To change the time zone, perform the following steps:• Enter 1 and press .

• Enter y and press . NetEnforcer displays a list of time zones.

• Enter the required time zone and press .

3. To change the system time, perform the following steps:• Enter 2 and press .

• Enter the new date and time in the format DD-MM-YYY -HH-mm. Forexample, 12-05-2001-11-20 for 12th May 2001, 11:20 am.


57/97



• Press to set the time.

Changing the Root User Password

You can change the root password that provides access to super-user rights.

To change the root password:

1. Use the supplied serial cable to connect the terminal to the Console Connector onthe front panel of NetEnforcer.

2. Set the NetEnforcer power switch, located near the NetEnforcer power cable, to theON position. The system boots up and on the terminal you are prompted for a loginand a password.

3. At the terminal, press . The system boots up and you are prompted for alogin and a password.

4. Enter root for the login and bagabu for the password, and then press .

5. Enter passwd and then press .

6. Enter a new password and press . The password must be between 5 and 8characters. You can use a combination of upper and lower case letters andnumbers.

7. Re-enter the new password and press .

When all necessary parameters are set, NetEnforcer prompts you to reboot. Afterrebooting is completed, NetEnforcer is ready to be connected and to add Quality ofService in your network.

TIP You can further protect access to the NetEnforcer by limiting the hosts thatare allowed to manage the unit.


58/97



Configuring Via the LCD PanelAll NetEnforcer models provide an LCD panel from which you can configure basic NetEnforcer parameters without connecting a terminal. This enables quick and easysetting of basic parameters such as the IP address of NetEnforcer and NIC settings.

When not being used to configure the NetEnforcer, the display area in the LCD paneldisplays its default view, which is the current inbound and outbound bandwidth usage.The units are in Kbps or Mbps with one digit after the point and the display is refreshedevery five seconds.

NOTE When you are configuring NetEnforcer and there is no activity for morethan 30 seconds, the display area returns to the default view and any

modifications to parameters that were not saved are lost.

The Main Menu

The LCD panel provides one main menu from where you can perform the followingoperations:

• Configure NIC settings, page 3-13.

• Set the NetEnforcer IP address, page 3-14.

• Activate Bypass, page 3-16.

• Reboot, shutdown or exit NetEnforcer, page 3-16.

Getting Started on NetEnforcer

In order to start working with NetEnforcer, press the Power button to turn on NetEnforcer. Once the system has completed loading, the display area of the LCDindicates its default view, the current bandwidth consumption of NetEnforcer. Forexample:Inbound: XX.XMOutbound: YYY.YM

You can now proceed to configure NetEnforcer, as required.


59/97



NOTE If QoS functionality is not included in your NetEnforcer (not enabled byyour activation key), the default view indicates the following:

I nbound: -Outbound: - .

Configuring NIC Settings

Configuring NIC settings enables you to configure the internal and external Ethernetadapters to either automatically sense the direction and speed of network traffic, or use a predetermined duplex type and speed.

NOTE If the NetEnforcer unit is being managed via NetXplorer, only theManagement Port can be configured via the LCD.

To configure NIC settings:

1. With the display area displaying the default view, press the Select button. The mainmenu is displayed as follows:

Main menu:1. NIC Settings

2. Press the Select button. If the Management port is enabled, the display areaindicates the following:1-1.[M]anagement[In]/[Ex]ternal

NOTE If the Management port is disabled, the display area indicates the

following:1- 1. I nt er f ace[ I n] / [ Ex] t ernal .

3. Use the arrow buttons to select the required interface and press the Enter button.The display area indicates the following:

Mode: [A]uto or[F]ull/[H]alf du

4. Use the arrow buttons to select the duplex type for the selected interface and pressthe Enter button. The display area indicates the following:Speed: [A]uto or


60/97



[100]/[10] Mbps

5. Use the arrow buttons to select the link speed of the selected interface and press theEnter button. The display area indicates the following:[S]ave/[C]ancel

6. Use the arrow buttons to select whether to save the settings or cancel and press theEnter button. The new NIC settings are applied and after a few moments, thedisplay area displays its default view, the current bandwidth consumption.

Setting the NetEnforcer IP Address

Setting the NetEnforcer IP address enables you to specify the IP address, netmask anddefault gateway for NetEnforcer.

To configure the IP address:

1. With the display area displaying the default view, press the Select button. The Mainmenu is displayed.

2. Press the down arrow once to display the following: Main menu:2. Setup IP

3. Press the Select button. The display area indicates the following:2-1.Set IP:

xxx.xxx.xxx.xxx (the current IP address definitions are displayed)

4. Specify the IP address of NetEnforcer. Use the up and down arrow buttons to selectthe required number and the left and right arrow buttons to move between the digits.

5. Press the Enter button. The display area indicates the following:2-2.Set mask:

xxx.xxx.xxx.xxx (the current netmask definitions are displayed)

6. Specify the netmask of NetEnforcer. Use the up and down arrow buttons to selectthe required number and the left and right arrow buttons to move between the digits.

7. Press the Enter button. The display area indicates the following:2-3 Gateway exists [Yes/No]


61/97



Select whether you have a gateway defined in your network. If you select N thenyou will exit to the next step, skipping step 2-4. If you have a gateway select Y and proceed:2-4.Gateway:

xxx.xxx.xxx.xxx (the current gateway definitions are displayed)

8. Specify the IP address of the default gateway. Use the up and down arrow buttons toselect the required number and the left and right arrow buttons to move between thedigits.

9. Press the Enter button. The display area indicates the following:[S]ave/[C]ancel

10. Use the arrow buttons to select whether to save the settings or cancel and press the

Enter button. The new IP and gateway settings are applied and after a fewmoments, the display area displays its default view, the current bandwidthconsumption.

The following cases of failure may be indicated:

Failure Display

Register NIC SettingsFail: NE IP saveChk NE IP config

Netmask SaveFail: MASK saveChk NE IP config

Management NIC SaveFail: Mgmt saveChk NE IP config

Gateway Save

Fail: GW save

Chk NE IP config


62/97



Act ivating Bypass

To send the NetEnforcer into Bypass:

1. With the display area displaying the default view, press the Select button. The Main menu is displayed.

2. Press the down arrow three times to display the following: Main menu:4. Bypass

3. Press the Select button. If the system is not in Bypass mode, the displayarea indicates the following:Go into Bypass?[Y]es/[N]o

4. Use the arrow buttons to select whether to enter Bypass mode and pressthe Enter button. NetEnforcer switches to Bypass mode and after a fewmoments, the display area displays its default view, the current bandwidth consumption.

Rebooting, Shutting Down and Exiting the NetEnforcer

You can reboot or shut down the NetEnforcer and exit from LCD configuration asrequired.

To reboot the NetEnforcer:


2. Press the down arrow four times to display the following: Main menu:5. Reboot

3. Press the Select button. The display area indicates the following:Reboot?[Y]es/[N]o


63/97



4. Use the arrow buttons to select whether to reboot NetEnforcer and pressthe Enter button. NetEnforcer reboots and the display area indicates thefollowing:System

Rebooting * (blinking asterisk)

NOTE This message also appears in the display area when the NetEnforcer isrebooted using a terminal.

To shutdown the NetEnforcer:


2. Press the down arrow five times to display the following: Main menu:6. Shutdown

3. Press the Select button. The display area indicates the following:Shutdown?[Y]es/[N]o

4. Use the arrow buttons to select whether to reboot NetEnforcer and pressthe Enter button. NetEnforcer reboots and the display area indicates thefollowing:System

Shutting down * (blinking asterisk)

After a few seconds, the display area indicates that NetEnforcer may be powered off.

NOTE This message also appears in the display area when the NetEnforcer isshutdown using a terminal.


64/97



To return to LCD default view:


2. Press the down arrow six times to display the following: Main menu:7. Exit

3. Press the Enter or the Select button. The display area displays itsdefault view, the current bandwidth consumption.


65/97


Chapter 4: Redundancy

Enabling RedundancyIn order to implement redundancy, it is necessary to configure the network interfacesand enable redundancy in each NetEnforcer involved.

Configuring the AC-1010 via the NetEnforcer

1. Configure the Management Port interface via the LCD on the front panel of the NetEnforcer.

2. Log into the NetEnforcer via the Management Port or Telnet (see page 3-1).

3. Open a console connection to the NetEnforcer and use the following CLIcommands:

To set the interfaces:

go config nic

• Options are:

o internal1 MODE:SPEED

o external1 MODE:SPEED

For example: go config nic –internal1 full:100


66/97



To set redundancy mode:

go config network -redund_mode

• Options are:

o parallel

o serial

For example: go config network –redund_mode parallel

To toggle redundancy:

go config network –bypass_unit• Options are:

o enable

o disable

For example: go config network –bypass_unit enable


67/97



Configuring the AC-1010 via NetXplorer1. Log into NetXplorer

2. Right click the NetEnforcer you wish to configure in the NavigationPane

3. Select Configuration from the drop down menu.

4. Open the NIC tab and in the Action on Failure field, set INTERNAL1and EXTERNAL1 to fail paired port.

Figure 4-1 – NIC Tab AC-1010 – NetXplorer Configuration

5. Open the Networking tab and set the Redundancy Mode as required toParallel or Serial.

6. Select the Enable Bypass Unit checkbox.


68/97



Figure 4-2 – Networking Tab AC-1010 – NetXplorer Configuration

7. Click Save. The system will reboot

After rebooting, you can view the changes from the Configuration tab.

For more information concerning NetEnforcer configuration via NetXplorer, see theNetXplorer Operation Guide.

Configuring the AC-1020 via the NetEnforcer1. Configure the Management Port interface via the LCD on the front panel of

the NetEnforcer.



69/97





go config nic

• Options are:








• Options are:

o parallel

o active

o serial



70/97




go config network –bypass_unit

• Options are:

o enable

o disable


Configuring the AC-1020 via NetXplorer

1. Log into NetXplorer2. Right click the NetEnforcer you wish to configure in the Navigation

Pane


4. Open the NIC tab and in the Action on Failure field, setINTERNAL1 and EXTERNAL1 to fail paired port.


71/97




5. Set INTERNAL2 and EXTERNAL2 to No Action in the Action onFailure field.

6. Open the Networking tab and set the Redundancy Mode as requiredto Parallel, Serial or Active.

7. Select the Enable Bypass Unit checkbox.


72/97






For more information concerning NetEnforcer configuration via NetXplorer, see the

NetXplorer Operation Guide.

Configuring the AC-1040 via the NetEnforcer

1. Configure the Management Port interface via the LCD on the front panel of the NetEnforcer.




73/97




go config nic

• Options are:












• Options are:

o parallel

o active

o serial



74/97




go config network –bypass_unit

• Options are:

o enable

o disable


Configuring the AC-1040 via NetXplorer

1. Log into NetXplorer

2. Right click the NetEnforcer you wish to configure in the Navigation Pane.


4. Open the NIC tab and in the Action on Failure field, set INTERNAL1,EXTERNAL1, INTERNAL3 and EXTERNAL3 to fail paired port.


75/97




5. Set INTERNAL2, EXTERNAL2, INTERNAL4 and EXTERNAL4 to NoAction in the Action on Failure field.

6. Open the Networking tab and set the Redundancy Mode as required, to

Parallel, Serial or Active.7. Select the Enable Bypass Unit checkbox.


76/97






For more information concerning NetEnforcer configuration via NetXplorer, see the

NetXplorer Operation Guide.


77/97



Parallel RedundancyFailure of a network device can be catastrophic, causing network downtime and lost business. The key to designing any mission-critical network is to recognize that thesefailures can occur, and to design a network that can handle failures and still allow thenetwork to function. In order to do this, it is important to use the most reliableequipment, with redundancy built in to all mission-critical equipment.

A NetEnforcer can operate in parallel to provide Parallel Redundancy. ParallelRedundancy requires two NetEnforcer systems and, where an external Bypass Unit isused, a single Bypass Unit.

The Primary NetEnforcer handles the traffic and the Secondary NetEnforcer is designed

to stand by as long as the Primary NetEnforcer is active. Only if, for any reason, thePrimary NetEnforcer is not able to function properly does the Secondary NetEnforcer become active.

Both NetEnforcers receive traffic from the internal network, but only the Primary NetEnforcer is passing the traffic to the external network.

While the Primary NetEnforcer receives and handles traffic coming from the externalnetwork, the Secondary External interface is disabled, since the system is in Standbymode. If the Primary NetEnforcer should fail, the Secondary NetEnforcer automaticallytakes control of the traffic, and enables its External interface.

In Parallel Redundancy mode, Bypass mode is activated in the unlikely event that both

the Primary and Secondary NetEnforcers fail.


78/97



Status Indicators in Parallel Redundancy ModeWhen operating in Parallel Redundancy mode, two NetEnforcer units are connected.During operation, the LED indicators on NetEnforcer give various readings. The LEDsrelevant to operations in Parallel Redundancy mode are the Standby, Active and PowerLEDs on the NetEnforcer LCD panel.

The modes of operation of the indicators are described in the following tables:

StandbyLED

ActiveLED

PowerLED

Analysis

PrimaryUnit

OFF ON ON Primary NetEnforcer is in Active mode.

SecondaryUnit

ON OFF ON Secondary NetEnforcer is ready to takeover.

PrimaryUnit

OFF OFF ON Primary NetEnforcer fails or is now booting.

SecondaryUnit

OFF ON ON Secondary NetEnforcer took over andis in Active mode.

PrimaryUnit

OFF OFF OFF Primary NetEnforcer is powered OFF.

SecondaryUnit

OFF ON ON Secondary NetEnforcer took over andis in Active mode.

PrimaryUnit

OFF ON ON Primary NetEnforcer is in Active mode.

SecondaryUnit

OFF OFF OFF Secondary NetEnforcer is poweredOFF. The only Fail-safe mode availablenow is Bypass.


79/97



Standby

LED

Active

LED

Power

LED

Analysis

PrimaryUnit

OFF OFF ON Primary NetEnforcer failed or notcompleted booting.

SecondaryUnit

OFF OFF ON Secondary NetEnforcer failed or notcompleted booting. Bypass is activated(in the primary unit and all traffic isgoing through Bypass.

Table 4-1 – LED Conditions: AC-1000 Series, Parallel Redundancy Mode

Secondary NetEnforcer ActivationWhen two NetEnforcers are connected in Parallel Redundancy mode, the Secondary NetEnforcer will take control and become the active unit under the followingconditions:

• Upon a Primary subsystem failure.

• During booting of the Primary NetEnforcer platform. When booting iscompleted, the Primary unit automatically takes control again.

• Upon any Primary NetEnforcer power feed failure and power OFF condition.

• Upon the Primary NetEnforcer Ethernet cable disconnecting from either theInternal or External ports. After reconnecting the cable and rebooting, the

Primary NetEnforcer takes control again.• When the Bypass Unit is not connected properly to the NetEnforcer Backup

connector, even with all other connectors fully plugged.

NOTE If a cable is disconnected, it is recommended to reboot the PrimaryNetEnforcer after reconnecting the cable.


80/97



To connect two AC-1000 Series NetEnforcers in Parallel Redundancy:

Before using NetEnforcers in Parallel Redundancy mode, make sure that theconfiguration of both NetEnforcers is identical; except for their IP addresses, whichmust

Date post:	07-Aug-2018
Category:	Documents
Upload:	timidita
View:	280 times
Download:	2 times

Manual Allot Netenforcer AC1010

Documents