Separate Interfaces for Management and Circuit Traffic Overview
Until CTPOS and CTPView Release 7.1, only one network device (the default device) is used for both management and circuit data. Certain network topologies require circuit (Ethernet) traffic to be segregated from management traffic, so separate interfaces must be used for the management and circuit networks to achieve segregation at the physical interface level. Starting with CTPOS Release 7.2, you can configure two default gateways, one for management traffic and the other for the circuit device, which enables circuit and management traffic to be segregated.
Segregating management and circuit traffic requires at least two Ethernet devices: one for circuit traffic and the other for management traffic. When this feature is enabled, both the management and circuit interfaces must be configured. Traffic is segregated on the basis of the management and circuit device or interface. The CTP device must support two default gateways, one for the management device and the other for the circuit device. Each interface replies to incoming packets through its own default gateway. All incoming and outgoing packets in the circuit network traverse the circuit device gateway (the main default gateway). All incoming and outgoing packets in the management network traverse the management device gateway.
Two default gateways require policy-based routing. Policy-based routing enables the creation of multiple routing tables, one for each interface, and provides a flexible mechanism for forwarding data packets based on policies configured by a network administrator. This capability enables you to implement policies that selectively cause packets to take different paths. For circuit traffic, the main routing table, inet.0, is consulted; for management traffic, the newly created policy-based routing table is consulted. The policy-based routing table is selected by a set of rules. Using the main routing table for the circuit device avoids any IP table-related changes for the SAToP and CESoPSN bundles. An entry for the newly created policy-based routing table is stored in /etc/iproute2/rt_tables.
The “IPV4 configuration” option under the “Config Network Settings” menu is modified to enable the configuration of different interfaces for management traffic and circuit or Ethernet traffic. The Display network settings menu is modified to display the circuit and management network devices. A separate configuration file is implemented to indicate the status of this feature (whether it is enabled or not). Apart from the feature status, this configuration file also stores information related to the circuit and management devices. When management and circuit traffic are segregated, Ethernet failover is supported only on the circuit interface and not on the management interface. This feature cannot be activated during the first boot process.
After the management device is selected, a new policy-based routing table is created for this device. For example, if the routing table is named 10 tab-eth0, 10 denotes the route table number and tab-eth0 signifies the route table name created for management device eth0. This table is consulted according to the rule specified in the rule-eth0 file.
The following commands display the main route table and the newly created policy-based route table “tab-eth0”:
[root@ctp_90 ctp_cmd 2]# ip route show tab main
1.1.1.0/24 dev eth0 scope link
10.216.118.0/23 dev eth1 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 10.216.119.254 dev eth1

[root@ctp_90 ctp_cmd 3]# ip route show tab tab-eth0
1.1.1.0/24 dev eth0 scope link
default via 1.1.1.3 dev eth0
The following command displays the rules added for the policy-based route table:
[root@ctp_90 ctp_cmd 4]# ip rule show
0: from all lookup local
32764: from all to 1.1.1.1 lookup tab-eth0
32765: from 1.1.1.1 lookup tab-eth0
32766: from all lookup main
32767: from all lookup 253
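The following is an added example, not part of the original guide and not vendor code: a shell check that reads captured `ip rule show` and `ip route show` output and confirms the segregation described above. The function names rule_ok and check_segregation are hypothetical; the sample data is the command output shown on this page.

```shell
#!/bin/sh
# Added example (not vendor code): audit captured iproute2 output to confirm
# that management traffic is pinned to its own policy-based routing table.
# Sample data below is the command output shown on this page.
RULES='0: from all lookup local
32764: from all to 1.1.1.1 lookup tab-eth0
32765: from 1.1.1.1 lookup tab-eth0
32766: from all lookup main
32767: from all lookup 253'
MGMT_ROUTES='1.1.1.0/24 dev eth0 scope link
default via 1.1.1.3 dev eth0'
MAIN_ROUTES='1.1.1.0/24 dev eth0 scope link
10.216.118.0/23 dev eth1 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 10.216.119.254 dev eth1'

# rule_ok RULES SELECTOR TABLE: true if "<prio>: SELECTOR lookup TABLE" exists
# and is evaluated before (lower priority number than) the catch-all main rule.
rule_ok() {
    printf '%s\n' "$1" | awk -v sel="$2 lookup $3" '
        { prio = $1 + 0; sub(/^[0-9]+:[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "from all lookup main" { main = prio; seen_main = 1 }
        $0 == sel                    { hit = prio; seen = 1 }
        END { exit !(seen && (!seen_main || hit < main)) }'
}

# check_segregation MGMT_IP MGMT_DEV TABLE RULES MGMT_ROUTES MAIN_ROUTES
# Prints each failed check; returns 0 only when every check passes.
check_segregation() {
    rc=0
    rule_ok "$4" "from $1" "$3" ||
        { echo "FAIL: packets sourced from $1 do not use $3"; rc=1; }
    rule_ok "$4" "from all to $1" "$3" ||
        { echo "FAIL: packets addressed to $1 do not use $3"; rc=1; }
    printf '%s\n' "$5" | grep -Eq "^default via .* dev $2( |\$)" ||
        { echo "FAIL: $3 has no default gateway on $2"; rc=1; }
    # The circuit (main) default route must not leave via the management device.
    if printf '%s\n' "$6" | grep -Eq "^default via .* dev $2( |\$)"; then
        echo "FAIL: main default route leaves via $2"; rc=1
    fi
    return $rc
}

check_segregation 1.1.1.1 eth0 tab-eth0 "$RULES" "$MGMT_ROUTES" "$MAIN_ROUTES" &&
    echo "PASS: management traffic is segregated"
```

On a live system, pass the real command output in place of the embedded samples, for example `"$(ip rule show)"` and `"$(ip route show table tab-eth0)"`.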
When this feature is disabled, the IP config/query section in the CTP Menu does not display the option for segregating management and circuit traffic.
Operations Performed When Management and Circuit Traffic Are Segregated
When you activate the feature to separate management and circuit traffic, you are prompted to enter the default circuit device and the default management device. If you enter the same device for both, an error message is displayed stating that you need to define different devices for circuit and management traffic. When you enter a correct management device (for example, ethX), a reference for the policy-based routing table is created for the management device. An entry with its route-table number and route-table name is added to /etc/iproute2/rt_tables. This route table is consulted for the management device according to the rule specified in its rule file (rule-ethX).
After you configure the management device, a route entry for its own subnet and a default gateway route for that device are added to the route-ethX file. Rules are added to the rule-ethX file to handle the inbound and outbound packets through this network. The rule-ethX file contains rules such that any packet that arrives for the management network, or any packet that originates from the management network IP address, is transmitted through the management device gateway. An existing configuration file, /etc/sysconfig/ctp, is used to store this feature's configuration, which contains the status of the feature, the circuit device name, and the management device name.
The following example illustrates the contents of the /etc/sysconfig/ctp file:
[root@ctp_90 ctp_cmd 5]# cat /etc/sysconfig/ctp
CTP=yes
TARGET=yes
CTP_IP_PROTO=0
status=1
ckt_dev=eth0
mgmt_dev=eth1
When you disable this feature, the policy-based route table and the rules corresponding to that route table are deleted from the system, and the system is configured as it was previously (with one default gateway). The route-ethX and rule-ethX files are also deleted from the system after the feature is disabled.
This feature is not supported with an IPv6-only or independent IPv6 configuration (that is, one that is not a combination of IPv4 and IPv6). With IPv6 configuration settings specified on a CTP device, the option to separate management and circuit traffic is not available for configuration. If this feature is enabled on CTP150 devices, Ethernet failover cannot be activated because CTP150 devices contain only two Ethernet devices and the PCI mezzanine card (PMC) is not supported on such devices.