Intel A31032-001 User Manual

Intel® NetStructure™ 7110/7115 e-Commerce Accelerator

Version 2.3

User Guide
A31032-001

Copyright

under license and may only be used or copied in accordance with the terms of the license. The information in this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Intel Corporation. Intel Corporation assumes no responsibility or liability for any errors or inaccuracies that may appear in this document or any software that may be provided in association with this document.
Information in this document is provided in connection with Intel® products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel’s Terms and Conditions of Sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel® products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Intel products are not intended for use in medical, life saving, or life sustaining applications.
Intel may make changes to specifications and product descriptions at any time, without notice.

Trademarks

Intel, NetStructure™ 7110 e-Commerce Accelerator, and NetStructure™ 7115 e-Commerce Accelerator are trademarks of or trademarks applied for by Intel Corporation.
§ Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners’ benefit, without intent to infringe.
Intel Corporation Network Equipment Division 13280 Evening Creek Drive San Diego, California 92128-4102 USA
July 28, 2000 A31032-001

Table of Contents

Chapter 1: Introduction
About this User Guide
New in This Release
Who Should Use this Book
Before You Begin
How to Use this Book

Chapter 2: Installation and Initial Configuration
Before You Begin
Installing the 7110/7115 Free-Standing or in a Rack
Rack Installation
Free-Standing Installation
Network Connections
Status Check
Network and Server LEDs
Inline LED
Admin Terminal Connection
HyperTerminal§ Paste Operations
Troubleshooting
Server and Network LEDs
Continuing Configuration

Chapter 3: Theory of Operation
Security
Single Server Acceleration
Multiple Servers
Working with Internet Traffic Management (ITM) Devices
Positioning 7110/7115 between ITM Device and Client Network
Positioning 7110/7115 between ITM Device and Server
Multiple 7110/7115s and Cascading Processing
Scalability and Cascading
Spilling and Throttling
Availability
Keys and Certificates
Cutting and Pasting with HyperTerminal§
Obtaining a Certificate from VeriSign§ or Other Certificate Authority
Procedure
Exporting a Key/Certificate from a Server
Apache Interface to Open SSL§ (mod_ssl)
Apache SSL§
Stronghold§
Importing into the 7110/7115
Creating a new Key/Certificate on the 7110/7115
Procedure
Global Site Certificates
Overview
Global Site Certificate Paste Procedure
Redirection: Clients and Unsupported Ciphers
Client Authentication
Creating a Client CA Certificate using OpenSSL§
SSL Processing
Mapping
Automapping
Automapping with user-specified key and certificate
Automapping with multiple port combinations
Deleting automapping entries
Manual mapping
Combining automapping and manual mapping
Blocking
Specific IP, Specific Port
Subnet IP, Specific Port
All IPs, Specific Port
Delete a Block
Failure Conditions, Fail-safe, and Fail-through

Chapter 4: Scenarios
Syntax
Scenario 1—Single Server
Procedure for Scenario 1
Automapping
Manual Configuration
Scenario 2—Multiple Servers
Procedure for Scenario 2
Scenario 3—Multiple 7110/7115s, Cascaded
Assumptions
Procedure for Scenario 3
Scenario 4—Different Ingress and Egress Routers
Procedure for Scenario 4

Chapter 5: Command Reference
Online Help
Command Line Interface
User Authentication
Command Line Prompt
Abbreviation to Uniqueness
Moving the Insertion Point
Command History
Cut and Paste
Command Summary
Command Reference
Help Commands
Status Command
SSL Commands
Port Mapping Commands
Operational Commands
Remote Management Commands
Alarms and Monitoring Commands
Configuration Commands
Administration Commands
Logging Commands

Chapter 6: Remote Management
Overview
Limitations
Remote Management CLI Commands
Remote Telnet Sessions
Local Serial Console
Remote Console, Telnet
Changing the Telnet Port
Disabling Telnet
Remote SSh Sessions
Local Serial Console
Remote Console, SSh
Changing the SSh Port
Disabling SSh
SNMP
Standards Compliance
Intel MIB Tree
Supported MIBs
Where to find MIB Files
Enterprise Private MIB Summary
Trap Summary
Standard SNMP Traps
Private Traps in ssl-appliance-mib.my
Enabling SNMP
Specifying SNMP Information
Community String
Trap Community String
Access Control

Chapter 7: Alarms and Monitoring
Overview
Alarm Types
ESC: Encryption Status Change Alarm
Alarm Modifiers and Messages:
RSC: Refused SSL Connections
Alarm Modifiers and Messages
Extended Data
RSC Alarm CLI Commands
UTL: Utilization Threshold Alarm
Alarm Modifiers and Messages
Extended Data
UTL Alarm CLI commands
OVL: Overload Alarm
Alarm Modifiers and Messages:
Extended Data:
OVL Alarm CLI Commands:
NLS: Network Link Status Alarm
Alarm modifiers and messages:
Extended Data:
Alarm Logging
Monitoring
Monitoring Reports
Report Configuration
Monitoring Reports CLI Commands

Chapter 8: Software Updates
Using Windows§ HyperTerminal§
Using Unix§ ‘cu’ and uuencoded image file

Chapter 9: Troubleshooting

Appendix A: Front Panel
Buttons and Switches
Front Panel LEDs
Connectors

Appendix B: Failure/Bypass Modes
Bypass Button
Fail-through Switch (Security Level)

Appendix C: Supported Ciphers
Cipher Strength
SSL Version Level

Appendix D: Regulatory Information
Appendix E: Terms and Conditions and Software License
Glossary
Support Services

List of Figures

Mounting Bracket Orientation
Wiring Connections
Front Panel Connectors and LEDs
7110/7115 in Single Server Configuration
7110/7115 in Multiple Server Configuration
7110/7115 Between Router and ITM Device
7110/7115s Between ITM Device and Servers
Cascaded 7110/7115s
Single 7110/7115, Single Server Installation
Single 7110/7115, Multiple Server Installation
Multiple (Cascaded) 7110/7115s
Installation with Ingress and Egress Routers
Intel’s MIB Tree (top level)
Front Panel Connectors, Controls, and Indicators
Front Panel Detail: Failure/Bypass Mode Controls and Indicators

Introduction

Congratulations on your choice of the Intel® NetStructure™ 7110/7115 e-Commerce Accelerator. The processing of secure transactions through Secure Socket Layer (SSL) can occupy up to 90% of even the largest servers’ CPU power and can degrade response time significantly. The 7110/7115 provides a completely transparent way to increase the performance of Web sites for SSL transactions. The 7110/7115 is positioned in front of the server farm, where it intercepts SSL transactions, processes them, and relays them to the servers. The 7110/7115 performs all encryption and decryption management in this environment with a minimum of administrator interaction.

About this User Guide

This User Guide supports the Intel® NetStructure™ 7110 e-Commerce Accelerator and the Intel® NetStructure™ 7115 e-Commerce Accelerator. By default this text refers to the product as “7110/7115.” Where appropriate, the text refers to “7110” or “7115.” Additionally, notes in the left-hand margin may be used to distinguish the two products. Illustrations of the command prompt use “Intel 7115>.”

New in This Release

New features in the Intel® NetStructure™ 7110/7115 e-Commerce Accelerator include:
• Improved performance: Threefold increase in SSL connections processed per second—from 200 to 600 (7115 only)
• More certificate mappings: Up to 1000 certificate mappings supported
• Remote Management:
  • Telnet—standard remote access to the Command Line Interface (CLI) with new “Console Monitoring” features
  • SSh—complete, secure CLI access with new “Console Monitoring” features
  • SNMP—Includes both Private Enterprise MIB and MIBII functionality
• Alarms: The 7110/7115 can be configured to display—at the administration console or a remote management session (Telnet and SSh)—autonomous one-line reports of the following exceptional conditions:
  • Encryption status change
  • Refused SSL connections
  • Threshold alerts
  • Overload alerts
  • Network link status
• Monitoring: Users can now configure the 7110/7115 to send periodic multi-status reports to the administration console or a remote management session (Telnet and SSh). Monitor reports include such information as:
  • Inline/bypass mode
  • Failsafe/failthrough mode
  • CPU status
  • SSL connections status
  • Network interface status
  • Server interface status
  • Rate of encryption/decryption

Who Should Use this Book

This User Guide is intended for administrators with the following background:
• Familiarity with networking concepts and terminology.
• Basic knowledge of network topologies.
• Basic knowledge of networks and IP routing.
• Some knowledge of SSL, keys, and certificates.
• Knowledge of Web servers.

Before You Begin

7110/7115 setup can be divided into three basic procedures:
• Physically install single or multiple 7110/7115s with single or multiple servers.
• Configure your 7110/7115 in the Command Line Interface.
• Identify existing certificates or obtain new ones you wish to use in SSL operations.

How to Use this Book

The information in this book is organized as follows:
• Chapter 1: Introduction provides an introduction and overview of the 7110/7115, and a summary of new features.
• Chapter 2: Installation and Initial Configuration contains installation and initial configuration procedures. (This material is also discussed in the separate Quick Start Guide.)
• Chapter 3: Theory of Operation explains the general principles behind 7110/7115 operation.
• Chapter 4: Scenarios provides examples of 7110/7115 configurations, together with specific procedures for their implementation.
• Chapter 5: Command Reference explains the Command Line Interface (CLI), and lists the commands and their functions.
• Chapter 6: Remote Management details how you can use Telnet, Secure Shell (SSH), and SNMP to manage the 7110/7115 from remote locations.
• Chapter 7: Alarms and Monitoring explains the ways in which you can configure the device to report information to you, either routinely or as a result of abnormal events or conditions.
• Chapter 8: Software Updates provides procedures for obtaining 7110/7115 system software updates.
• Chapter 9: Troubleshooting is a table containing symptoms of problems you may encounter with corresponding likely causes and remedies.
• Appendix A: Front Panel diagrams and explains the 7110/7115’s front panel LEDs, buttons, and connections.
• Appendix B: Failure/Bypass Modes explains how the 7110/7115 deals with failure conditions and details the bypass function.
• Appendix C: Supported Ciphers lists the supported encryption ciphers.
• Appendix D: Regulatory Information provides information regarding the 7110/7115’s compliance with applicable regulations.
• Appendix E: Terms and Conditions contains the software license and terms and conditions of use of this product.
• Glossary defines terms appearing in this User Guide.

Installation and Initial Configuration

Intel® NetStructure™ 7110/7115 e-Commerce Accelerator installation and initial configuration instructions are in this chapter.

Before You Begin

WARNING: Do not remove the cover. There are no user-serviceable parts inside.
Before you begin installation, you need the following:
• IP address for 7110/7115 (only if you intend to use the Remote Management)
• IP addresses and ports of servers.
• Keys/certificates. See Chapter 3 for information on obtaining keys and certificates.
• Network cables, such as straight-through and/or crossover cables. (Procedures in the section, “Wiring Connections” in this chapter will identify the types of cables you must use.)
If you are installing the 7110/7115 in a rack, you will also need:
• Phillips screwdriver
• Rack-mounting screws

Installing the 7110/7115 Free-Standing or in a Rack

The Intel® NetStructure™ 7110/7115 e-Commerce Accelerator is physically installed in either of two ways:
• In a standard 19” rack, cantilevered from the provided mounting brackets
• Free-standing on a flat surface with sufficient space for air-flow

Rack Installation

Rack mounting requires the use of the mounting brackets, and all four of the included Phillips screws.
1. Locate the two mounting brackets and the four screws. (Two screws for each bracket.)
2. Attach a mounting bracket to each side of the 7110/7115, using two of the provided screws for each bracket. Use the holes near the front of the 7110/7115’s sides. The brackets have both round and oval holes; the flange with round holes attaches to the 7110/7115, the oval holes to the rack.
3. Position the 7110/7115 in the desired space of your 19” rack and attach the front flange of each mounting bracket to the rack with two screws each. (Rack-mounting screws are not provided.)
Figure 2-1: Mounting Bracket Orientation

Free-Standing Installation

1. Attach the provided self-adhesive rubber feet to the 7110/7115’s bottom.
2. Place the 7110/7115 on a flat surface and make sure that there is adequate airflow surrounding the unit (allow at least one inch of air space on all sides).

Network Connections

1. Use the “Network Cable Requirements” table near the beginning of this guide to select and install the appropriate cables.
NOTE: Never connect both ports to the same network segment (e.g., to the same hub or switch). Doing so creates a feedback loop that adversely affects network bandwidth.
2. Connect the provided power cable to the back of the unit. (There is no power switch.) Under normal circumstances, the 7110/7115 requires approximately 30 seconds to boot. When the boot is complete, the unit’s Power LED is steadily illuminated. (If the Power LED is not steadily illuminated, see Chapter 9, “Troubleshooting.”)
3. If the Inline LED is neither steadily illuminated nor blinking, press the Bypass switch.
4. At this point both the Network and Server LEDs should be steadily illuminated. If not, please see Chapter 9, “Troubleshooting.”
Figure 2-2: Wiring Connections (labels: Hub/Router/Switch; Intel® NetStructure™ 7110/7115 e-Commerce Accelerators; Server)

Status Check

Before proceeding to the PC Initialization section, take a moment to verify that the 7110/7115 is correctly connected.

Network and Server LEDs

Verify that the Network and Server LEDs are both illuminated. If one or both are not, refer to the Troubleshooting section at the end of this chapter.

Inline LED

A blinking Inline LED indicates that the system is online in Fail-safe mode. Refer to the Troubleshooting section at the end of this chapter or Appendix B, “Failure/Bypass Modes.”

Admin Terminal Connection

Run HyperTerminal§ or a similar terminal emulator on your PC. The steps below are illustrative of HyperTerminal§. Other terminals will require different procedures.
1. Use the serial cable provided with the 7110/7115 to connect the device’s serial port (the left-hand serial port labeled “Console”) to the serial port of any terminal. (A PC running Windows HyperTerminal§ is used here as an example.)
2. Type an appropriate name in the Name field of the Connection Description window (e.g., “Configuration”), and then click the OK button. The Phone Number panel appears.
3. In the Connect Using… field specify “Direct to COM1” (or the serial port through which the PC is connected to the 7110/7115 if different from COM1).
4. Click the OK button. The COM1 Properties panel appears. Set the values displayed here to 9600, 8, none, 1, and none.
5. Click the OK button.
Figure 2-3: Front Panel Connectors and LEDs (labels: Power (green); Error (red); Overload (amber); Activity (green); Console; Aux Console; Network Link (green); Network Link (RJ45); Inline (green); Server Link (green); Server Link (RJ45))

HyperTerminal§ Paste Operations

If you’re using HyperTerminal§, you must make the following configuration change:
1. In the File menu, click Properties.
2. Click the Settings tab.
3. Click the ASCII Setup button.
4. Change the values of Line and Character delay from 0 to at least 1 millisecond.
5. Click OK twice to exit.
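
The console settings from the two procedures above (9600, 8, none, 1, none, plus a line and character delay of at least 1 millisecond) can also be applied from a POSIX script. The following is an added example, not Intel's code and not part of the original manual; the function names, the carriage-return line ending, and the sample text are assumptions made for illustration.

```python
import os
import time

try:
    import termios  # POSIX only; provides the 9600-8-N-1 line settings
except ImportError:  # e.g. Windows
    termios = None

BAUD = 9600
CHAR_DELAY_S = 0.001  # manual: character delay of at least 1 ms
LINE_DELAY_S = 0.001  # manual: line delay of at least 1 ms

# Constructed sample text, NOT a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + ("A" * 64 + "\n") * 3
    + "-----END CERTIFICATE-----\n"
)


def configure_console(fd):
    """Apply 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control."""
    iflag, oflag, cflag, lflag, _ispeed, _ospeed, cc = termios.tcgetattr(fd)
    # No software flow control and no translation of received bytes.
    iflag &= ~(termios.IXON | termios.IXOFF | termios.IXANY | termios.ICRNL
               | termios.INLCR | termios.IGNCR | termios.ISTRIP | termios.INPCK)
    oflag &= ~termios.OPOST  # send bytes unmodified
    cflag &= ~(termios.CSIZE | termios.PARENB | termios.CSTOPB)  # no parity, 1 stop
    cflag &= ~getattr(termios, "CRTSCTS", 0)  # no hardware flow control
    cflag |= termios.CS8 | termios.CREAD | termios.CLOCAL  # 8 data bits
    lflag &= ~(termios.ICANON | termios.ECHO | termios.ISIG | termios.IEXTEN)
    cc[termios.VMIN], cc[termios.VTIME] = 1, 0
    termios.tcsetattr(fd, termios.TCSANOW,
                      [iflag, oflag, cflag, lflag, termios.B9600, termios.B9600, cc])
    return termios.tcgetattr(fd)


def paced_paste(fd, text, char_delay=CHAR_DELAY_S, line_delay=LINE_DELAY_S,
                eol=b"\r", sleep=time.sleep):
    """Write text one byte at a time, pausing after each byte and each line.

    With flow control set to none, this pacing is what keeps the sender from
    outrunning the receiver. Returns the number of bytes written.
    """
    if char_delay < 0.001 or line_delay < 0.001:
        raise ValueError("delays must be at least 1 ms")
    sent = 0
    for line in text.splitlines():
        # encode("ascii") rejects smart quotes and other non-ASCII characters
        # that would corrupt a pasted key or certificate.
        for byte in line.encode("ascii") + eol:
            os.write(fd, bytes([byte]))
            sent += 1
            sleep(char_delay)
        sleep(line_delay)
    return sent


def estimated_seconds(text, char_delay=CHAR_DELAY_S, line_delay=LINE_DELAY_S):
    """Lower bound on paste time: 10 bits per byte on the wire at 8-N-1, plus delays."""
    lines = text.splitlines()
    nbytes = sum(len(line) + 1 for line in lines)  # +1 for the end-of-line byte
    return nbytes * (10 / BAUD + char_delay) + len(lines) * line_delay


if __name__ == "__main__":
    # Demo on a pseudo-terminal; on real hardware, open the serial device instead.
    master, slave = os.openpty()
    configure_console(slave)
    count = paced_paste(slave, SAMPLE_PEM)
    print(count, "bytes sent; first line received:", os.read(master, 4096)[:27])
    print("estimated minimum seconds: %.3f" % estimated_seconds(SAMPLE_PEM))
```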

Troubleshooting

Server and Network LEDs

If either the Network or Server LED fails to illuminate using either straight-through or crossover network cables, the problem may be elsewhere in the network. Verify by wiring around the 7110/7115.
Inline LED
The Fail-through switch allows you to control what happens in the event of a failure. It is located in a recess between the Network and Server connectors. Use a small screwdriver or paper clip to manipulate the switch. The two options are:
• Allow traffic to flow through the 7110/7115 unprocessed. (Fail-through mode, indicated by a steadily illuminated Inline LED.)
• Block traffic flow through the 7110/7115 entirely. (Fail-safe mode, indicated by a blinking Inline LED.)
Please see Appendix B for a table describing all permutations of LED operation.

Continuing Configuration

This concludes basic configuration of the 7110/7115. To configure the unit for production please continue with Chapter 3, Theory of Operations, or Chapter 4, Scenarios.

Theory of Operation

Security

New in the Intel® NetStructure™ 7110/7115 e-Commerce Accelerator is Remote Management capability. This feature requires that the 7110/7115’s network interface be assigned an IP address, thus security becomes a matter for your attention. If you intend to manage your 7110/7115 from a remote location, be sure to read the section “Access Control,” Chapter 6, “Remote Management.”

Single Server Acceleration

Typically, the Intel® NetStructure™ 7110/7115 e-Commerce Accelerator supports the SSL processing needs of a single server. This is the simplest and most common configuration. The 7110/7115 is connected to the network between the router and the server. Ideally, the 7110/7115 is located in the same rack as the server, separated by a short distance.
[Figure 3-1: 7110/7115 in Single Server Configuration. Elements shown: Router, Intel® NetStructure™ 7110/7115 e-Commerce Accelerator, Single Server]

Multiple Servers

Given the SSL processing power of the 7110/7115, multiple servers can be supported. In this configuration, the 7110/7115 sits between the router and the switch. SSL traffic intended for these servers is intercepted and other traffic is passed through.
[Figure 3-2: 7110/7115 in Multiple Server Configuration. Elements shown: Router, Intel® NetStructure™ 7110/7115 e-Commerce Accelerator, hub/switch, Server 1, Server 2, Server 3]

Working with Internet Traffic Management (ITM) Devices

The 7110/7115 is compatible with Internet Traffic Management (ITM) devices. In such environments, the 7110/7115 lies between the router and the ITM device, or between the ITM device and the server. ITM devices distribute workload across multiple servers and redirect traffic based on content.

Positioning 7110/7115 between ITM Device and Client Network

If the ITM device supports layer 7 traffic management, URLs must be readable (that is, unencrypted). In environments performing layer 7 load balancing, it is therefore recommended that the 7110/7115 be placed between the ITM device and the client network.
[Figure 1-3: 7110/7115 Between Router and ITM Device. Elements shown: Client, Internet, Router, Intel® NetStructure™ 7110/7115 e-Commerce Accelerator, ITM Device, Server 1, Server 2, Server 3]

Positioning 7110/7115 between ITM Device and Server

If security considerations require limited network access to clear text, the 7110/7115 should be placed between the ITM device and the server.
[Figure 1-4: 7110/7115s Between ITM Device and Servers. Elements shown: Client, Internet, Router, ITM Device, Intel® NetStructure™ 7110/7115 e-Commerce Accelerators, Servers]
NOTE: The configuration in Figure 1-4 precludes layer 7 load balancing because secure traffic through the ITM device is encrypted.

Multiple 7110/7115s and Cascading Processing

Scalability and Cascading

The 7110/7115’s capabilities are scalable by chaining, or “cascading,” multiple 7110/7115s together. In such configurations, each unit’s server side connector is wired to the network side connector of the next 7110/7115 in line. The last 7110/7115 in line is connected to the server, switch, or ITM device.

Spilling and Throttling

When the 7110/7115’s “spill” option is enabled, if a given 7110/7115 cannot process a request within a specified interval, the request is passed on, still encrypted, to the next 7110/7115 in line. The last 7110/7115 on the server side can also be enabled to spill to the server. Spilling is performed dynamically on a connection-by-connection basis. (See spill command, Chapter 5, “Command Reference.”) If spill is disabled, the 7110/7115 “throttles,” that is, will not accept incoming requests when it becomes overloaded.
[Figure 3-5: Cascaded 7110/7115s. Elements shown: Hub/Router/Switch, Intel® NetStructure™ 7110/7115 e-Commerce Accelerators]

Availability

When a 7110/7115 fails or is set to Bypass mode while Fail-through is enabled, the 7110/7115’s network side and server side network adapters are directly connected, allowing traffic to pass through to the next device until the failed unit is brought back into service. This feature eliminates a single point of failure and provides a high level of availability, should there be a failure. In installations with multiple 7110/7115s, the next unit in the cascade picks up the encryption/decryption workload, while in single 7110/7115 configurations, the server assumes the load. See “Failure/Bypass Modes” in Appendix B for more information.
WARNING: The 7110/7115 comes with default keys and certificates for test purposes; however, certificates for production use should be obtained from a recognized certificate authority.

Keys and Certificates

A necessary part of the 7110/7115 configuration is the use of keys and certificates. A key is a set of numbers used to encrypt or decrypt data. A certificate is a “form” that identifies a server or user. The certificate contains information about your company as well as information from a third party that verifies your identity.
There are three ways to obtain keys and certificates:
• Obtaining a certificate from VeriSign§ or other certificate authority
• Using an existing key/certificate
• Creating a new key/certificate on the 7110/7115

Cutting and Pasting with HyperTerminal§

Cutting and pasting is an integral part of the next several procedures.
Below are procedures for cutting and pasting in HyperTerminal§. If you use some other terminal program, consult that product’s documentation for appropriate procedures.
To copy an item (key, certificate signing request, etc.) from HyperTerminal§:
1. Open the HyperTerminal§ window.
2. Click and drag to select the item.
3. After the item is selected, open the Edit menu and click Copy (or type <ctrl-c>).
4. Open the window where you will paste the data, and position the cursor at the appropriate point.
5. In the Edit menu, click Paste (or type <ctrl-v>).
To paste an item (key, certificate signing request, etc.) into HyperTerminal§:
1. Display the item in the appropriate application window, then click and drag to select the item.
2. Once the item is selected, click the Edit menu and select Copy (or type <ctrl-c>).
3. Move to the HyperTerminal§ window, and position the cursor at the appropriate point.
4. Pull down the Edit menu, and select Paste to Host (or type <ctrl-v>).

Obtaining a Certificate from VeriSign§ or Other Certificate Authority

Use the create key command to create your key and the create sign command to create a signing request to be sent to VeriSign or other certificate authority for authentication. The certificate authority will return it in approximately one to five days. After you have received the certificate, use the import cert command to import it into the 7110/7115.
The fields input to create a signing request are called collectively a Distinguished Name (DN). For optimal security, one or more fields must be modified to make the DN unique.
Procedure
Create a key:
1. Type the create key command at the prompt:
Intel 7115> create key
Key strength (512 /1024) [512]:
New keyID [001]: 002
Keypair was created for keyID: 002
2. Create a Certificate Signing Request:
Intel 7115> create sign 002
You are about to be asked to enter information that will be incorporated into your certificate request. The "common name" must be unique. For other fields, you could use default values.
Certifying authorities have specific guidelines on how to answer each of the questions. These guidelines may vary by certifying authority. Please refer to the guidelines of the certifying authority to whom you submit your Certificate Signing Request (CSR). Please keep the following in mind when entering the information that will be incorporated into your certificate request:
• Country code: This is the two-letter ISO abbreviation for your country (for example, US for the United States).
• State or Province: This is the name of the state or province where your organization’s head office is located. Please enter the full name of the state or province. Do not abbreviate.
• Locality: This is usually the name of the city where your organization’s head office is located.
• Organization: This should be the organization that owns the domain name. The organization name (corporation, limited partnership, university, or government agency) must be registered with some authority at the national, state, or city level. Use the legal name under which your organization is registered. Please do not abbreviate your organization’s name and do not use any of the following characters: < > ~ ! @ # $ % ^ * / \ ( ) ?.
• Organizational unit: This is normally the name of the department or group that will use the certificate.
• Common name: The common name is the “fully qualified domain name,” (or FQDN) used for DNS lookups of your server (for example, www.mysite.com). Browsers use this information to identify your Web site. Some browsers will refuse to establish a secure connection with your site if the server name does not match the common name in the certificate. Please do not include the protocol specifier “http://” or any port numbers or pathnames in the common name. Do not use wildcard characters such as * or ?, and do not use an IP address.
• E-mail address: This should be the e-mail address of the administrator responsible for the certificate.
3. Export the Certificate Signing Request (CSR).
In this example, xmodem is used to send the CSR to a PC connected to the console port.
Intel 7115> export sign mywebserver
Export protocol: (xmodem, uuencode, ascii) [ascii]:x <Enter>
Use Ctrl-x to kill transmission
Beginning export...
Export successful!
Intel 7115>
To submit the CSR to a certifying authority, paste it into the field provided in the authority’s online request form. Remember to include the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines.
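A pre-submission check for the Distinguished Name guidelines in step 2 and for the delimiter-line reminder in step 3, given here as an added example that is not part of the Intel guide or the 7110/7115 software. The function names, dictionary keys and sample values are assumptions, and the country check tests only the two-letter shape, not membership in the ISO list.

```python
import ipaddress
import re

ORG_FORBIDDEN = set("<>~!@#$%^*/\\()?")  # characters the guide bans in Organization
BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
SAMPLE_DN = {"country": "US", "organization": "Example Corp", "common_name": "www.mysite.com"}  # constructed

def _is_ip(host):
    try:
        return ipaddress.ip_address(host.strip("[]")) is not None
    except ValueError:
        return False

def check_common_name(cn):
    """Return the guide's common-name rules that cn breaks (empty list = OK)."""
    problems = ["protocol specifier"] if "://" in cn else []
    host, slash, _path = cn.split("://")[-1].partition("/")
    if slash:
        problems.append("pathname")
    port = re.fullmatch(r"(.*):(\d+)", host)
    if port and not _is_ip(host):  # a bare IPv6 literal also ends in ":digits"
        problems.append("port number")
        host = port.group(1)
    if "*" in host or "?" in host:
        problems.append("wildcard")
    elif _is_ip(host):
        problems.append("IP address")
    elif "." not in host or not all(LABEL.fullmatch(p) for p in host.split(".")):
        problems.append("not an FQDN")
    return problems

def check_dn(dn):
    """Check a dict of DN fields; return {field: [problems]} (empty dict = OK)."""
    report = {}
    if not re.fullmatch(r"[A-Za-z]{2}", dn.get("country", "")):
        report["country"] = ["must be a two-letter code"]
    bad = sorted(ORG_FORBIDDEN & set(dn.get("organization", "")))
    if bad:
        report["organization"] = ["forbidden characters: " + " ".join(bad)]
    if cn_problems := check_common_name(dn.get("common_name", "")):
        report["common_name"] = cn_problems
    return report

def csr_is_complete(text):
    """True if the pasted CSR still carries both delimiter lines, in order."""
    lines = [ln.strip() for ln in text.splitlines()]
    return BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END)
```

Run `check_dn` on the values you plan to type at the `create sign` prompts, and `csr_is_complete` on the text copied from the terminal before pasting it into the authority's form.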