Security Switch Modules (SSMs)

The Security Switch ModuleClosed A hardware component on a 60000 / 40000 Appliance (Chassis) that manages the flow of network traffic to and from the Security Gateway Module in the Chassis. Acronym: SSM. (SSM):

  • Distributes network traffic to the Security Gateway Modules (SGMs)

  • Transmits traffic to and from the SGMs

  • Shares the load between the SGMs

The SSMs and SGMs communicate automatically through SNMP requests. You can also connect directly to the SSM and run CLI commands.

The SSM contains two modules:

  • Fabric switch - Includes the data ports

  • Base switch - Includes the management ports

For more information, see the Quantum Scalable Chassis Getting Started Guide and sk93332.

SSM CLI

The SSM communicates with the SGMs through SNMP.

Sometimes, it is necessary to connect directly to the SSM and run CLI commands.

Connecting to the SSM CLI

You can connect to the SSM CLI in one of these ways:

Connection

Description

Through a serial console port on the SSM front panel

Use the default serial connection parameters: 9600, 8, N, 1

From the CLI of one of the SGMs

  1. Connect to the command line on the SGM.

  2. Log in to the Expert mode.

  3. Go to the CLI on the applicable SSM:

    member ssm1

    member ssm2

Important - The default administrator password for the SSM CLI is: admin

Available SSM CLI Commands

Command

Description

show running-config [<Feature Name>]

Shows the current SSM configuration.

Best Practice - Because the full configuration is very long, we recommended that you show a configuration only for one specified feature.

To see a full list of the available features, enter "show running-config" and press the Tab key.

For example, run the "show running-config load-balance" command to see the load balancing configuration.

show port

Shows the current status of SSM ports.

show port <Port ID>

Shows detailed port information such as speed, administrative state, link state and so on for the specified SSM port.

show port <Port ID> statistics

Shows interface statistics for the specified SSM port.

show version

Shows the firmware version.

 
# show port 1/3/1 statistics
===============================================================================
 Port Statistics
===============================================================================
                                                  Input                 Output
-------------------------------------------------------------------------------
Unicast Packets                                    5003                   7106
Multicast Packets                                568409                   1880
Broadcast Packets                                122151                   1972
Flow Control                                          0                      0
Discards                                             16                      0
Errors                                                0                      0
-------------------------------------------------------------------------------
Total                                            695563                  10958
===============================================================================
 
===============================================================================
 Ethernet Statistics in Packets
===============================================================================
RX CRC Errors                     0         TX Collisions                    0
RX Undersize                      0
-------------------------------------------------------------------------------
                                                  Input                 Output
-------------------------------------------------------------------------------
Fragments                                             0                      0
Oversize                                              0                      0
Jabbers                                               0                      0
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Packets                                                       Input and Output
-------------------------------------------------------------------------------
Octets                                                                71085491
Packets                                                                 706521
Packets of 64 Octets                                                      2290
Packets of 65 to 127 Octets                                             689951
Packets of 128 to 255 Octets                                              4122
Packets of 256 to 511 Octets                                              6009
Packets of 512 to 1023 Octets                                              258
Packets of 1024 to 1518 Octets                                             994
Packets of 1519 or more Octets                                               0
-------------------------------------------------------------------------------
Total                                            695563                  10958
===============================================================================
 
===============================================================================
 Rates in Bytes per Second
===============================================================================
                                                  Input                 Output
Rate for last 10 sec                               1477                     25
Rate for last 60 sec                               1435                     50
===============================================================================

Note - In the output of this specific command, pay special intention to the Discards and Errors fields. If the values in these fields constantly increase, this can indicate a problem.

Viewing the SSM Logs

Step

Instructions

1

Connect to the command line on the SSM.

See Connecting to the SSM CLI.

2

Enable the private shell:

unhide private

The default password is: private

3

Open the private shell:

show private shell

4

Run:

tail /var/log/messages

Changing the Load Distribution on SGM Groups

Step

Instructions

1

Connect to the command line on the SSM.

See Connecting to the SSM CLI.

2

Connect to the configuration terminal:

configure terminal

3

Configure the load distribution on SGM Groups:

(config)# load-balance mtx-bucket 1 buckets [<SGM ID1><SGM ID2>:<SGM ID3><SGM ID4> ...]

Important - You must provide a full list of the SGMs. Otherwise, SSM might drop the traffic.

4

Save the changes:

(config)# commit

5

Exit the configuration terminal:

(config)# exit

6

Apply the new load distribution configuration:

load-balance apply

7

Log out from current session:

logout

Changing the SSM Administrator Password

Note - You must perform this procedure on each SSM separately. This procedure does not cause any traffic interruption.

Step

Instructions

1

Connect to an SGM over SSH or serial console.

2

Log in to the Expert mode.

3

Go to one of the SSMs:

member ssm1

member ssm2

4

Enter the administrator password.

The default administrator password for the SSM CLI is: admin

5

Connect to the configuration terminal:

configure terminal

6

Configure the administrator user:

system security user admin

7

Configure the password:

password

8

Enter the new password.

9

Save the changes:

(config)# commit

10

End the current session:

end

11

Log out from current session:

logout

[Expert@HostName-ch0x-0x:0]# member ssm2

Moving to ssm2

T-ATCA404

admin@ssm2's password: *****

BATM T-ATCA404

admin connected from 198.51.100.204 using ssh on T-ATCA404

--- WARNING ------------------------------------------------------

Running db may be inconsistent. Enter private configuration mode and

install a saved configuration.

------------------------------------------------------------------

T-ATCA404#

T-ATCA404# conf t

Entering configuration mode terminal

T-ATCA404 (config)# system security user admin

T-ATCA404 (config-user-admin)# password

(<MD5 digest string>): *****

T-ATCA404 (config-user-admin)# commit

Commit complete.

T-ATCA404 (config-user-admin)# end

T-ATCA404# logout

Connection to ssm2 closed

Mapping of SSM Port IDs to SGM Port IDs

Each port ID on the SGM maps to a port on the SSM.

SGM Port Mapped to SSM #1

SGM Port Mapped to SSM #2

SSM160 Port

SSM440 Port

eth1-01

eth2-01

1/3/1

1/1/1

eth1-02

eth2-02

1/3/2

1/1/2

eth1-03

eth2-03

1/3/3

1/1/3

eth1-04

eth2-04

1/3/4

1/1/4

eth1-05

eth2-05

1/3/5

1/1/5

eth1-06

eth2-06

1/3/6

1/1/6

eth1-07

eth2-07

1/3/7

1/1/7

eth1-Sync

eth2-Sync

1/3/8

1/1/8

eth1-09

eth2-09

1/1/1

1/4/1

eth1-10

eth2-10

1/1/2

1/4/2

eth1-11

eth2-11

1/1/3

1/4/3

eth1-12

eth2-12

1/1/4

1/4/4

eth1-13

eth2-13

1/2/1

1/4/5

eth1-14

eth2-14

1/2/2

1/4/6

eth1-15

eth2-15

1/2/3

1/4/7

eth1-16

eth2-16

1/2/4

1/4/8

eth1-17

eth2-17

N/A

1/4/9

eth1-18

eth2-18

N/A

1/4/10

eth1-19

eth2-19

N/A

1/4/11

eth1-20

eth2-20

N/A

1/4/12

eth1-21

eth2-21

N/A

1/4/13

eth1-22

eth2-22

N/A

1/4/14

eth1-23

eth2-23

N/A

1/4/15

eth1-24

eth2-24

N/A

1/4/16

eth1-25

eth2-25

N/A

1/2/1

eth1-26

eth2-26

N/A

1/2/2

eth1-27

eth2-27

N/A

1/2/3

eth1-28

eth2-28

N/A

1/2/4

eth1-29

eth2-29

N/A

1/2/5

eth1-30

eth2-30

N/A

1/2/6

eth1-31

eth2-31

N/A

1/2/7

eth1-32

eth2-32

N/A

1/2/8

eth1-33

eth2-33

N/A

1/3/1

eth1-34

eth2-34

N/A

1/3/2

eth1-35

eth2-35

N/A

1/3/3

eth1-36

eth2-36

N/A

1/3/4

eth1-37

eth2-37

N/A

1/3/5

eth1-38

eth2-38

N/A

1/3/6

eth1-39

eth2-39

N/A

1/3/7

eth1-40

eth2-40

N/A

1/3/8

eth1-Mgmt1

eth2-Mgmt1

1/5/1

N/A

eth1-Mgmt2

eth2-Mgmt2

1/5/2

N/A

eth1-Mgmt3

eth2-Mgmt3

1/5/3

1/6/1

eth1-Mgmt4

eth2-Mgmt4

1/5/4

1/6/2

Checking the Connectivity from the SGMs to the SSMs

Step

Instructions

1

Connect to the command line on an SGM.

2

Log in to the Expert mode.

3

Send ping from SGMs to IP addresses of all the SSMs.

4

Get the firmware version of all SSMs:

asg_chassis_ctrl get_ssm_firmware all

Adding or Removing SSMs After Initial Setup

Description

If you add or remove SSMs after the initial chassis installation, the chassis can show an incorrect number of installed SSMs or an SSM in the DOWN state.

Use the "asg_ssm_amount" command to define the correct number of SSMs in the chassis.

Important:

  • When you change the number of SSMs, it is necessary to reboot the chassis. This interrupts the traffic.

  • You must run this command if you add or remove SSMs on the Standby Chassis.

  • Make sure that only one SGM is turned on when you run this command.

  • When you change the number of SSMs from 2 to 1, make sure that the remaining SSM is installed in the SSM Slot 1.

Syntax

asg_ssm_amount <Number of SSMs in Standby Chassis>

Parameters

Parameter

Description

<Number of SSMs in Standby Chassis>

Total number of SSMs in the Standby Chassis.

For more information, see the Quantum Scalable Chassis Getting Started Guide > Chapter Hardware Components.

Changing the number of SSMs

You can change the number of SSMs with one of these procedures.

This procedure is for changing the number of SSMs from 1 to 2.

This procedure is simple, but requires a longer down time, because you reboot all SGMs at the same time.

Step

Instructions

1

Make sure all SGMs are in the state "UP".

2

Connect to the SMOClosed See "SMO". Security GroupClosed A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Member over a serial console.

Using a console connection, in the Expert mode, run on the SMO:

3

Log in to the Expert mode.

4

Set the number of SSMs in the Standby Chassis to two:

asg_ssm_amount 2

5

Reboot all SGMs:

reboot -b all

6

Wait for all the SGMs to be in the state "UP".

Note - An additional reboot is expected. The utility prompts you for auto-reboot.

7

Insert the new SSM.

Use a console connection to monitor the booting process.

Note - In a Dual Chassis configuration, make sure to connect the new sync slave.

8

On the SMO Security Group Member, run:

asg_port_speed create_conf

9

Verify the configuration integrity:

asg diag verify

This procedure is for changing the number of SSMs from 1 to 2, and from 2 to 1.

This procedure requires a minimal down time, because the Standby Chassis are rebooted one at a time.

However, this procedure requires to disconnect the Sync and Data ports, which causes a traffic outage.

Part 1 - On the Standby Chassis

Step

Operation

Command

Notes

1

Disconnect the cables from the Sync and Data ports on the Standby Chassis.

 

 

2

Physically pull out all the SGMs except the SMO.

 

 

3

Physically install or remove the additional SSMs.

Important - When you change the number of SSMs from 2 to 1, make sure that the remaining SSM is installed in the SSM Slot 1.

 

 

4

Using a console cable, connect to the remaining SGM (SMO).

 

 

5

Configure the required number of SSMs.

  • To set the number of SSMs to one:

    asg_ssm_amount 1

  • To set the number of SSMs to two:

    asg_ssm_amount 2

 

6

Reboot the remaining SGM (SMO).

reboot

 

7

When the SGM is in the state "UP" on the Standby Chassis, make sure the configuration matches the configured number of SSMs.

  1. Examine the list of active SSMs:

    ccutil active_ssm

    Example output:

    SSM1 ACTIVE

    SSM2 ACTIVE

    SSM3 ACTIVE

    SSM4 ACTIVE

  2. Examine the chassis status:

    asg stat -v

  3. Examine the interfaces:

    ifconfig

For verification, see Configuring the Chassis ID.

Make sure the chassis has the eth3-<XX> and eth4-<XX> ports.

8

Insert all other SGMs.

 

 

9

When the SGMs are in the state "UP" on the Standby Chassis, disconnect the cables from the Sync and Data ports on the Active Chassis.

 

This causes a traffic outage.

10

Connect the cables to the Sync and Data ports on the Standby Chassis.

 

The Standby Chassis is now the Active Chassis and inspects the traffic.

Part 2 - On the former Active Chassis

Step

Operation

Command

Notes

11

Repeat steps 2 - 8 on the former Active Chassis, which is now disconnected.

 

 

12

Connect the cables to the Sync and Data ports on the former Active Chassis.

 

 

13

When the SGM is in the state "UP" on the former Active Chassis, make sure the configuration matches the configured number of SSMs.

  1. Examine the list of active SSMs:

    ccutil active_ssm

    Example output:

    SSM1 ACTIVE

    SSM2 ACTIVE

    SSM3 ACTIVE

    SSM4 ACTIVE

  2. Examine the chassis status:

    asg stat -v

  3. Examine the interfaces:

    ifconfig