inline-tool

Required Command-Line Mode = Admin

There are two meanings to the term inline tool. The inline tool software construct consists of a pair of inline tool ports plus the inline tool attached to the ports. The software construct has attributes that are configured on the GigaVUE‑HC3, GigaVUE‑HC2, and GigaVUE‑HC1 nodes.

The term inline tool also refers to the pass-through device itself that performs packet inspection and selective forwarding, such as an Intrusion Protection System (IPS). This is a physical device, external to the GigaVUE HC Series node.

Use the inline-tool command to configure the inline tool software construct. An inline tool consists of inline tool ports, always in pairs, running at the same speed, on the same medium (fiber or copper). The inline tool ports must be on the same GigaVUE‑HC3, GigaVUE‑HC2, or GigaVUE‑HC1 node. The inline tool ports must also be on the same GigaVUE‑HC3, GigaVUE‑HC2, or GigaVUE‑HC1 node as the inline network ports.

This command is only applied to GigaVUE HC Series nodes. In a cluster environment, this command is only applied to GigaVUE HC Series nodes through the cluster leader. The inline constructs must all be configured on one GigaVUE‑HC3, GigaVUE‑HC2, or GigaVUE‑HC1 node, not across nodes, even if the nodes are in a cluster.

Each GigaVUE‑HC3 and GigaVUE‑HC2 supports up to 48 inline tools.

On the GigaVUE‑HC1, the base module can be used for inline tools. It supports up to 8 inline tools. On the GigaVUE‑HC1, the bypass combo module can support up to 4 inline tools.

This command is used in the inline bypass solutions described in the “Configuring Inline Bypass Solutions” section and in the flexible inline arrangements described in the “Working with Flexible Inline Arrangements” section in the GigaVUE Fabric Management Guide.

The inline-tool command has the following syntax:

inline-tool alias <alias>
   comment <comment>
   enable
   inline-tool-type <external | gmon>
   failover-action <tool-bypass | tool-drop | network-bypass | network-drop | network-port-forced-down>
   flex-traffic-path <to-inline-tool | bypass | monitoring | drop>
   hb-ip-addr-a <tool-a heartbeat IP address>
   hb-ip-addr-b <tool-b heartbeat IP address>
   hb-profile <hb-profile alias | default>
   heart-beat
   negative-heart-beat
   nhb-profile <negative heartbeat profile alias>
   pair tool-a <port ID or port alias> and tool-b <port ID or port alias>
   recover
   recovery mode <automatic | manual>
   shared <true | false>

The following table describes the arguments for the inline-tool command.

Argument

Description

alias <alias>

Specifies the name of the inline tool. The alias must be unique and can contain up to 128 characters. Aliases are case-sensitive.

For example:

(config) # inline-tool alias inTool

(config inline-tool alias inTool) #

comment <comment>

Specifies a unique text string that describes the inline tool. Comments can be up to 128 characters. Comments longer than one word must be enclosed in double quotation marks.

For example:

(config inline-tool alias inTool) # comment "Inline Tool inTool"

enable

Enables or disables the inline tool. Use enable to put the inline tool into service. Use no enable to disable the inline tool, either to simulate an inline tool failure or to take the inline tool offline for maintenance.

The default is disabled.

For example, to enable the inline tool:

(config inline-tool alias inTool) # enable

For example, to disable the inline tool:

(config inline-tool alias inTool) # no enable

inline-tool-type

Configures the inline tool type as follows:

external—To configure a third-party tool.
gmon—To configure a GigaVUE node as a tool. For an inline tool of type gmon, the minimum timeout for heartbeat sessions is 200 milliseconds. Heartbeat profiles configured with a timeout of less than 200 milliseconds cannot be attached to an inline tool of type gmon. Negative heartbeat profiles cannot be attached to an inline tool of type gmon. For details, refer to the "Heartbeat Support Between GigaVUE Nodes" section in the GigaVUE-FM User's Guide.

The default is external.

For example, to configure a third-party tool:

(config inline-tool alias inTool) # inline-tool-type external

For example, to configure a GigaVUE node as a tool:

(config inline-tool alias inTool) # inline-tool-type gmon

failover-action <tool-bypass | tool-drop | network-bypass | network-drop | network-port-forced-down>

Specifies the failover action taken in response to a failure of an inline tool as follows:

tool-bypass—Specifies that when the inline tool fails, the traffic that normally was directed to the inline tool is redirected to the bypass path. Use this failover action for configurations involving multiple inline tools associated with an inline network or inline network group using rule-based maps. For configurations using map passalls, tool-bypass is the same as network-bypass.
tool-drop—Specifies that when the inline tool fails, the traffic that normally was directed to the inline tool is dropped. Use this failover action for configurations involving multiple inline tools associated with an inline network or inline network group using rule-based maps. For configurations using map passalls, tool-drop is the same as network-drop.
network-bypass—Specifies that when the inline tool fails, all traffic that would not have been dropped when the inline network or networks had a NORMAL forwarding state is directed to the bypass path. That is, all such traffic arriving at the side A inline network port or ports is forwarded to the side B inline network port or ports and all traffic arriving at the side B inline network port or ports is forwarded to the side A inline network port or ports.
network-drop—Specifies that when the inline tool fails, all traffic coming to the respective inline network (or inline network group) is dropped.
network-port-forced-down—Specifies that when the inline tool fails, the inline network ports of the respective inline network (or inline network group) are forced down.
The default is tool-bypass.

For example:

(config inline-tool alias inTool) # failover-action tool-drop

Note: Before changing the failover action, enable the inline tool using the enable command.

flex-traffic-path <to-inline-tool | bypass | monitoring | drop>

For flexible inline arrangements, provides per-tool traffic path options. Each inline tool or inline tool group involved in a flexible inline map can specify its own traffic path.

The options are as follows. The behavior of the traffic, however, depends on a variety of factors, including the inline tools in the sequence, their individual flex-traffic-path settings, the operational state of the inline tools, and the direction of traffic:

to-inline-tool—traffic is forwarded from the inline tool.
bypass—traffic bypasses the inline tool. Use this option for performing maintenance on an inline tool.
drop—traffic is dropped at the inline tool.
monitoring—traffic is fed to the inline tool and absorbed, while a copy of the traffic is sent to the next inline tool in the sequence. Traffic returned from side B of the network is also absorbed at the inline tool in monitoring mode.
The default is to-inline-tool.

For example:

(config inline-tool alias inTool) # flex-traffic-path drop

hb-ip-addr-a <tool-a heartbeat IP address>

Specifies heartbeat IP address A, which is the destination IP address to be used in heartbeat packets sent from side A to side B. The default is N.N.N.N, where N is the port number within the chassis as shown on the face plate. This parameter applies only to heartbeat profiles that use a standard ICMP ARP packet.

For example:

(config inline-tool alias inTool) # hb-ip-addr-a 1.1.1.1

hb-ip-addr-b <tool-b heartbeat IP address>

Specifies heartbeat IP address B, which is the destination IP address to be used in heartbeat packets sent from side B to side A. The default is N.N.N.N, where N is the port number within the chassis as shown on the face plate. This parameter applies only to heartbeat profiles that use a standard ICMP ARP packet.

For example:

(config inline-tool alias inTool) # hb-ip-addr-b 2.2.2.2

hb-profile <hb-profile alias | default>

Specifies the name of a heartbeat profile containing the heartbeat parameters to be used if the heartbeat mechanism is enabled for this inline tool. The default heartbeat profile alias is default.

For example, to specify the heartbeat profile to associate with this inline tool:

(config inline-tool alias inTool) # hb-profile hb_5

or

(config inline-tool alias inTool) # hb-profile default

For example, to delete the heartbeat profile associated with this inline tool:

(config inline-tool alias inTool) # no hb-profile hb_5

Refer to hb-profile.

heart-beat

Specifies the state of the heartbeat as enabled or disabled. When enabled, this parameter controls the use of the heartbeat mechanism for the specified inline tool.

The default is disabled.

For example, to enable the heartbeat:

(config inline-tool alias inTool) # heart-beat

For example, to disable the heartbeat:

(config inline-tool alias inTool) # no heart-beat

negative-heart-beat

Specifies the state of the negative heartbeat as enabled or disabled. When enabled, this parameter controls the use of the negative heartbeat mechanism for the specified inline tool.

The default is disabled.

For example, to enable the negative heartbeat:

(config inline-tool alias inTool) # negative-heart-beat

For example, to disable the negative heartbeat:

(config inline-tool alias inTool) # no negative-heart-beat

nhb-profile <negative heartbeat profile alias>

Specifies the name of a negative heartbeat profile containing the heartbeat parameters to be used if the negative heartbeat mechanism is enabled for this inline tool.

For example, to specify the negative heartbeat profile to associate with this inline tool:

(config inline-tool alias inTool) # nhb-profile nhb_1

For example, to delete the negative heartbeat profile associated with this inline tool:

(config inline-tool alias inTool) # no nhb-profile nhb_1

Refer to nhb-profile.

pair tool-a <port ID or port alias> and tool-b <port ID or port alias>

Specifies a pair of inline tool ports (two ports: side A and side B). Tool-a is the port identifier for the port leading to the side A inline tool and tool-b is the port identifier for the port leading to the side B inline tool. Port identifiers can be a port ID <bid/sid/pid> or a port alias.

For example:

(config inline-tool alias inTool) # pair tool-a iT1 and tool-b iT2

recover

Puts an inline tool back into service if the recovery mode is configured as manual and the inline tool has an operational state of ready.

For example:

(config inline-tool alias inTool) # recover

recovery mode <automatic | manual>

Configures the recovery mode for each inline tool. After an inline tool goes down, the following modes specify how to bring it back up after it has recovered:

automatic—Specifies automatic recovery, which redirects traffic back to the inline tool as soon as it has recovered from all faulty conditions.
manual—Specifies manual recovery, which lets you use a CLI command to control when an inline tool is put back into service after the tool has recovered. For example, you can wait for a maintenance window to return the inline tool to service.
The default is automatic.

For example:

(config inline-tool alias inTool) # recovery mode manual

If the recovery mode is manual, use the recover command to put the inline tool back into service.

Refer to the “Inline Tool Recovery Mode” section in the GigaVUE Fabric Management Guide for details.

shared <true | false>

Specifies how an inline tool is going to be shared as follows:

true—Specifies that the inline tool is going to be shared by different sources.
false—Specifies that the inline tool will not be shared by different sources.
The default is false.

When shared is enabled (true), the inline tool can receive traffic from multiple sources (inline networks). This means that the inline tool can be used in a map in which the source is an inline network group.

The shared parameter is also used for inline SSL decryption, when the source is GigaSMART.

For an inline network group, shared must be true because traffic is received from multiple sources.

An inline tool group or inline series does not have its own shared setting. The shared setting is derived from the inline tools. Therefore all the members in an inline tool group or inline series must have the same setting. For example, if an inline tool group has three inline tool members, the shared setting of all three inline tools must be the same.

When an inline tool is shared (true), the decrypted traffic will be VLAN tagged. The connected inline device is expected to receive VLAN tagged packets instead of untagged packets. There is an extra outer VLAN tag added to the packet, which the connected inline device needs to see.

When an inline tool is not shared (false), the extra VLAN tag is not added. This allows untagged traffic to be sent to the tool ports.

Starting in software release 5.2 for inline SSL decryption, false is supported for inline tools that are not able to handle more than one VLAN tag, such as Q-in-Q tagged packets. Thus, an inline SSL map can be configured from an inline network or inline network group to an inline tool, inline tool group, or inline series.

When an inline tool is not shared (false), the inline tool can be used in only one flexible inline map.

For example:

(config inline-tool alias inTool) # shared true
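
The following Python audit is an added example, not part of the Gigamon documentation. It parses inline-tool stanzas laid out like the syntax block above and reports the settings a security reviewer would check against the rules in this table: a tool left at the disabled default, a failover action that sends traffic to the bypass path when the tool fails (called "fail-open" here), a negative heartbeat profile on a gmon tool, and group members whose shared settings differ. The sample aliases, port IDs and the groups argument are constructed for illustration; group membership is not part of the inline-tool command and is supplied by the caller.

```python
# Constructed sample laid out like the syntax block above; not real device output.
SAMPLE = """\
inline-tool alias ips1
   pair tool-a 1/1/x1 and tool-b 1/1/x2
   enable
   failover-action network-drop
   shared true
inline-tool alias ips2
   pair tool-a 1/1/x3 and tool-b 1/1/x4
   inline-tool-type gmon
   nhb-profile nhb_1
"""
DEFAULTS = {"inline-tool-type": "external", "failover-action": "tool-bypass",
            "shared": "false", "enable": False, "heart-beat": False}  # per this page
FLAGS = ("enable", "heart-beat")
VALUED = ("pair", "inline-tool-type", "failover-action", "shared", "nhb-profile")
FAIL_OPEN = {"tool-bypass", "network-bypass"}  # failed tool's traffic takes the bypass path

def parse(text):
    """Return {alias: settings}, starting each tool from the documented defaults."""
    tools, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        head, _, rest = line.partition(" ")
        if head == "inline-tool" and rest.startswith("alias "):
            cur = tools.setdefault(rest[6:].strip(), dict(DEFAULTS))
        elif cur is None:
            continue
        elif line in FLAGS or (head == "no" and rest in FLAGS):
            cur[rest or head] = head != "no"  # "enable" sets, "no enable" clears
        elif head in VALUED and rest:
            cur[head] = rest
    return tools

def audit(tools, groups=None):
    """groups: hypothetical {group alias: [tool aliases]} supplied by the caller."""
    out = []
    for alias, t in tools.items():
        checks = [
            ("pair" not in t, "no tool-a/tool-b port pair"),
            (not t["enable"], "not enabled (default is disabled)"),
            (t["failover-action"] in FAIL_OPEN, "fail-open: " + t["failover-action"]),
            (t["inline-tool-type"] == "gmon" and "nhb-profile" in t,
             "nhb-profile attached to gmon tool"),
        ]
        out += [(alias, msg) for hit, msg in checks if hit]
    for grp, members in (groups or {}).items():
        if len({tools[m]["shared"] for m in members}) > 1:
            out.append((grp, "members differ in shared setting"))
    return out
```

Calling audit(parse(SAMPLE), {"grp1": ["ips1", "ips2"]}) reports nothing for ips1, three findings for ips2 and one for the group.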

Related Commands

The following table summarizes other commands related to the inline-tool command:

Task

Command

Displays inline tools, including the status of the inline tool ports and the heartbeat.

# show inline-tool

Displays a specified inline tool.

# show inline-tool alias inTool

Displays all inline tools.

# show inline-tool all

Displays all inline tools in brief format.

# show inline-tool brief

Displays the Gigamon VLAN IDs for all inline tools.

# show inline-tool vlan-mapping

Displays the Rx and Tx statistics for all the inline tools that are part of the inline flow deployment.

# show inline-tool traffic-rate all

Displays the Rx and Tx statistics for the specified inline tool alias that is part of the inline flow deployment.

# show inline-tool traffic-rate alias <alias_name>

Deletes a specified inline tool.

(config) # no inline-tool alias inTool

Deletes the comment for this inline tool.

(config) # no inline-tool alias inTool comment

Disables an inline tool.

(config) # no inline-tool alias inTool enable

Deletes the heartbeat IP address associated with inline tool a.

(config) # no inline-tool alias inTool hb-ip-addr-a

Deletes the heartbeat IP address associated with inline tool b.

(config) # no inline-tool alias inTool hb-ip-addr-b

Deletes the heartbeat profile associated with this inline tool.

(config) # no inline-tool alias inTool hb-profile

Disables the heartbeat associated with this inline tool.

(config) # no inline-tool alias inTool heart-beat

Disables the negative heartbeat associated with this inline tool.

(config) # no inline-tool alias inTool negative-heart-beat

Deletes the negative heartbeat profile associated with this inline tool.

(config) # no inline-tool alias inTool nhb-profile

Deletes the tool port list of this inline tool.

(config) # no inline-tool alias inTool pair

Deletes all inline tools.

(config) # no inline-tool all

Clears all the heartbeat statistics for the specified inline tool.

(config) # clear hb-counters inline-tool alias inTool

Clears the heartbeat statistics for all the inline tools that are part of the flexible inline flow deployment.

(config) # clear hb-counters inline-tool all