About Security and Access

The GigaVUE HC Series nodes provide an interlocking set of options that let you create a comprehensive security strategy for the node. These options are summarized below, one security tool per heading, each followed by its description:

Roles/Groups

Roles specify which users have access to a given port. The following built-in roles are provided:

Admin – This role provides access to all command modes, including Standard, Enable, and Configure. Admin users also have access to all commands and all ports. They are also members of all groups.
Default – This role also provides access to all command modes. Users with the Default role have no access to unassigned ports. New users are created with the Default role automatically. However, you can remove it if you do not want to allow a user access to unassigned ports.
Monitor – This built-in role provides view-only access to ports and configurations.

Administrators create additional custom roles and assign them to users together with the Default role. For example, if you create a role named Security_Team and assign it to tool port 5/1/x2, users assigned the Security_Team role will be able to access tool port 5/1/x2. Conversely, users without a role that gives them some access to tool port 5/1/x2 will not even be able to see it in the CLI. Users can have multiple assigned roles, allowing administrators to fine-tune access to the Gigamon Deep Observability Pipeline.

Permissions

Administrators assign Permissions to specify what users can do with a port to which they have access. You can assign the following permission levels:

Level 1: Can view the port but cannot make any changes to port settings or maps. When applied to a network port, can view maps attached to the network port. This level is used for users who only need to monitor the activities of the port.
Level 2: Can use the port for maps, create tool-mirror to/from port, and change egress port filters. Can configure port-lock, lock-share, and all traffic objects except port-pair. Also includes all Level 1 permissions.
Level 3: Can configure port parameters (such as administrative status of the port, speed, duplex, and autonegotiation), as well as create port pairs. Also includes all Level 2 and Level 1 permissions.
Level 4: Can change the port type. Also includes all Level 3, 2, and 1 permissions.

Permissions are hierarchical so that higher levels include all lower-level permissions (for example, a Level 3 user also has Level 2 permissions and can configure all traffic distribution, set locks, and share locks).

Administrators can configure permissions differently on a port-by-port basis for a given role. This can be useful in situations where you want to give a group full authority to reconfigure maps and port parameters for a set of tool ports but only map creation permissions for a network port shared with other groups.

Port Locking/Sharing

Port locking lets a user with Level 2+ access to a port prevent other users from changing any settings for a locked port. This is useful in situations where a user needs undisturbed access to a port for short-term troubleshooting.

When a port is locked, all users with Level 2+ access to the port will temporarily only have Level 1 access (read-only). Normal configured permissions are restored when the lock is released.

Users can also share a locked port with any other specified user. Sharing a locked port gives the account with whom the port is shared the same port permissions as the account sharing the port. So, for example, if UserX has Level 2 permissions on port 12/5/x3, he can share a lock on 12/5/x3 with any other user account, giving that account Level 2 permissions on the port regardless of its normal privileges there.
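The interaction between roles, hierarchical permission levels, port locks, and lock sharing described in the Permissions and Port Locking/Sharing sections above, as an added example that models the rules in Python (not Gigamon code; role names, port names such as 12/5/x3 and 5/1/x2, and user names are constructed sample values, and treating Admin as Level 4 on every port is an assumption drawn from "access to all ports"):

```python
# Added example: a model of how a node resolves a user's effective permission level on a
# port from roles, permission levels, and port locks. Not Gigamon code; names are constructed.
from dataclasses import dataclass, field


@dataclass
class Node:
    role_perms: dict                           # role -> {port: level 1..4}
    user_roles: dict                           # user -> set of role names
    locks: dict = field(default_factory=dict)  # port -> {"owner": user, "shared": set of users}

    def configured_level(self, user, port):
        """Highest level any of the user's roles grants on the port (0 = user cannot see it)."""
        roles = self.user_roles.get(user, set())
        if "Admin" in roles:                   # assumption: Admin reaches every port at Level 4
            return 4
        return max((self.role_perms.get(r, {}).get(port, 0) for r in roles), default=0)

    def effective_level(self, user, port):
        """Configured level, adjusted for an active lock on the port."""
        level = self.configured_level(user, port)
        lock = self.locks.get(port)
        if lock is None or user == lock["owner"]:
            return level                       # no lock, or the lock holder keeps full rights
        if user in lock["shared"]:             # a share grants the lock holder's own level
            return self.configured_level(lock["owner"], port)
        return min(level, 1)                   # all other Level 2+ users drop to read-only

    def lock_port(self, user, port):
        if self.configured_level(user, port) < 2:
            raise PermissionError(f"{user} needs Level 2+ on {port} to lock it")
        if port in self.locks:
            raise RuntimeError(f"{port} is already locked by {self.locks[port]['owner']}")
        self.locks[port] = {"owner": user, "shared": set()}

    def share_lock(self, user, port, other):
        lock = self.locks.get(port)
        if lock is None or lock["owner"] != user:
            raise PermissionError(f"{user} does not hold the lock on {port}")
        lock["shared"].add(other)

    def unlock_port(self, user, port):
        lock = self.locks.get(port)
        if lock is None or lock["owner"] != user:
            raise PermissionError(f"{user} does not hold the lock on {port}")
        del self.locks[port]                   # normal configured permissions resume
```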

Authentication

The GigaVUE HC Series node can authenticate users against a local user database or against the database stored on an external authentication server (LDAP, RADIUS, or TACACS+).

Admin users can specify the authentication methods used for logging in by configuring AAA Authentication.

Note: The serial console port always retains local authentication as a fallback option to prevent unintended lockouts.