Virtual AED 7.1.0.0 Installation Guide

Virtual Arbor Edge Defense

Installation Guide

Version 7.1.0.0
Legal Notice
The information contained within this document is subject to change without notice. NETSCOUT SYSTEMS, INC.
makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. NETSCOUT SYSTEMS, INC. shall not be liable for errors
contained herein or for any direct or indirect, incidental, special, or consequential damages in connection with the
furnishings, performance, or use of this material.
Use of this product is subject to the End User License Agreement available at
https://www.NetScout.com/legal/terms-and-conditions or which accompanies the product at the time of shipment
or, if applicable, the legal agreement executed by and between NetScout Systems, Inc. or one of its wholly-owned
subsidiaries (“NETSCOUT”) and the purchaser of this product (“Agreement”).
Government Use and Notice of Restricted Rights: In U.S. government (“Government”) contracts or subcontracts,
Customer will provide that the Products and Documentation, including any technical data (collectively “Materials”),
sold or delivered pursuant to this Agreement for Government use are commercial as defined in Federal
Acquisition Regulation (“FAR”) 2.101 and any supplement and further are provided with RESTRICTED RIGHTS. All
Materials were fully developed at private expense. Use, duplication, release, modification, transfer, or disclosure
(“Use”) of the Materials is restricted by the terms of this Agreement and further restricted in accordance with FAR
52.227-14 for civilian Government agency purposes and 252.227-7015 of the Defense Federal Acquisition
Regulations Supplement (“DFARS”) for military Government agency purposes, or the similar acquisition
regulations of other applicable Government organizations, as applicable and amended. The Use of Materials is
restricted by the terms of this Agreement, and, in accordance with DFARS Section 227.7202 and FAR Section
12.212, is further restricted in accordance with the terms of NETSCOUT’S commercial End User License
Agreement. All other Use is prohibited, except as described herein.
This Product may contain third-party technology. NETSCOUT may license such third-party technology and
documentation (“Third-Party Materials”) for use with the Product only. In the event the Product contains Third-Party
Materials, or in the event you have the option to use the Product in conjunction with Third-Party Materials
(as identified by NETSCOUT in the Documentation provided with this Product), then such third-party materials are
provided or accessible subject to the applicable third-party terms and conditions contained either in the “Read
Me” or “About” file located in the Software or on an Application CD provided with this Product, or in an appendix
located in the documentation provided with this Product. To the extent the Product includes Third-Party Materials
licensed to NETSCOUT by third parties, those third parties are third-party beneficiaries of, and may enforce, the
applicable provisions of such third-party terms and conditions.
Open-Source Software Acknowledgement: This product may incorporate open-source components that are
governed by the GNU General Public License (“GPL”) or licenses that are compatible with the GPL license (“GPL
Compatible License”). In accordance with the terms of the GNU GPL, NETSCOUT will make available a complete,
machine-readable copy of the source code components of this product covered by the GPL or applicable GPL
Compatible License, if any, upon receipt of a written request. Please identify the product and send a request to:
NetScout Systems, Inc.
GNU GPL Source Code Request
310 Littleton Road
Westford, MA 01886
Attn: Legal Department
No portion of this document may be copied, photocopied, reproduced, translated, or reduced to any electronic
medium or machine form without prior consent in writing from NETSCOUT. The information in this document is
subject to change without notice and does not represent a commitment on the part of NETSCOUT.
The products and specifications, configurations, and other technical information regarding the products
described or referenced in this document are subject to change without notice and NETSCOUT reserves the right,
at its sole discretion, to make changes at any time in its technical information, specifications, service, and support
programs. All statements, technical information, and recommendations contained in this document are believed
to be accurate and reliable but are presented “as is” without warranty of any kind, express or implied. You must
take full responsibility for your application of any products specified in this document. NETSCOUT makes no
implied warranties of merchantability or fitness for a purpose as a result of this document or the information
described or referenced within, and all other warranties, express or implied, are excluded.
Except where otherwise indicated, the information contained in this document represents the planned
capabilities and intended functionality offered by the product and version number identified on the front of this
document. Screen images depicted in this document are representative and intended to serve as example images
only.

© 2018-2023 NETSCOUT All rights reserved. Confidential and Proprietary.


www.netscout.com
Document Number: vAED-IG-7100-2023/10
30 October, 2023
Contents

Preface
How to Use the Documentation 5
Command Syntax 6
Contacting the Arbor Technical Assistance Center 7

Section 1: Introduction to vAED
About Virtual AED 9
System Requirements 10
About the Layer 3 Deployment Mode 11
Configuring the Protection Interfaces for Layer 3 Mode 12
Configuring Software Bypass 14
Accessing vAED 15

Section 2: Installing vAED on KVM
Preparing to Install vAED on KVM 17
Configuring Network Bridges on KVM 19
Installing vAED on KVM 21
Configuring vAED on KVM 23

Section 3: Installing vAED on VMware
Preparing to Install vAED on VMware 26
Configuration Requirements for the VMware Virtual Network 28
Installing vAED on VMware 30
Configuring vAED on VMware 31
Remapping VMware Virtual Networks 33

Section 4: Using Cloud-Init to Initialize vAED
About Using Cloud-Init to Initialize vAED 35
Creating a User Data File for cloud-init 37
Configuring Cloud-Init Modules in the User Data File 38
Creating a Password Hash for vAED 41
About the Default User Data File 42
Using Cloud-Init with an Orchestration Environment 43
Using Cloud-Init without an Orchestration Environment 44
Viewing the Cloud-Init Log 47

Section 5: Licensing vAED
About Cloud-Based Licensing 49
Configuring Cloud-Based Licenses 52
Viewing Cloud-Based License Information 56
Viewing License Details in the CLI 59

Appendix A: vAED Performance Benchmarks
vAED Performance Benchmarks 62

Index 65

End User License Agreement 68

© NETSCOUT Confidential and Proprietary 3


Preface

This guide explains how to install and configure the NETSCOUT® Virtual Arbor Edge
Defense (vAED). vAED contains all of the AED software packages and configurations.

Audience
This guide is intended for system administrators who are responsible for installing,
configuring, and maintaining AED and vAED.

In this section
This section contains the following topics:

How to Use the Documentation 5
Command Syntax 6
Contacting the Arbor Technical Assistance Center 7



Preface
vAED Installation Guide, Version 7.1.0.0

How to Use the Documentation


Using this guide
This guide contains instructions and information about installing and configuring vAED.

Related publications
After you install vAED, see the following documentation for information about how to use
AED:
Reference documentation

Document: AED Online Help
Contents: Online help topics from the AED User Guide. The Help is context-sensitive to the AED UI page from which it is accessed.

Document: AED API Programmer Guide
Contents: Reference information plus a simple code sample that you can experiment with to learn the basics of the AED API quickly. This guide is installed with AED. You can access it at the following link:
https://IP_address/help/AED_PG_HTML5/AED_PG.htm
IP_address = the IP address or hostname for your AED

Document: Online AED API Documentation
Contents: Complete commented code for the AED API. This guide is installed with AED. You can access it at the following link:
https://IP_address/api/aed/doc/v3/endpoints.html
IP_address = the IP address or hostname for your AED




Command Syntax
This guide uses typographic conventions to make the information in commands and
procedures easier to recognize.

The following table shows the syntax of commands and other types of user input. Do not
type the brackets, braces, or vertical bars that indicate options and variables.

Conventions for commands and user input

Convention: Monospaced bold
Description: Information that you must type exactly as shown.

Convention: Monospaced italics
Description: A variable for which you must supply a value.

Convention: { } (braces)
Description: A set of choices for options or variables, one of which is required. For example: {option1 | option2}.

Convention: [ ] (square brackets)
Description: A set of choices for options or variables, all of which are optional. For example: [variable1 | variable2].

Convention: | (vertical bar)
Description: Separates the mutually exclusive options or variables.




Contacting the Arbor Technical Assistance Center


The Arbor Technical Assistance Center is your primary point of contact for all service and
technical assistance issues that involve Arbor products.

Contact methods
You can contact the Arbor Technical Assistance Center as follows:
- Phone US toll free — +1 877 272 6721
- Phone worldwide — +1 781 362 4301
- Support portal — https://my.netscout.com

Submitting documentation comments


If you have comments about the documentation, you can forward them to the Arbor
Technical Assistance Center. Please include the following information:
- Title of the guide
- Document number (listed on the reverse side of the title page)
- Page number

Example
vAED Installation Guide
vAED-IG-7100-2023/10
Page 9



Section 1:
Introduction to vAED

This section describes vAED and its key features and licensing options. vAED is the version
of AED that runs on a hypervisor or in the cloud.

In this section
This section contains the following topics:

About Virtual AED 9
System Requirements 10
About the Layer 3 Deployment Mode 11
Configuring the Protection Interfaces for Layer 3 Mode 12
Configuring Software Bypass 14
Accessing vAED 15




About Virtual AED


Virtual AED (vAED) is the version of AED that runs on a hypervisor. vAED contains all of the
AED software packages and configurations, and provides you with a hardware-independent
resource. You only need to install the virtual machine and configure its
network settings.

For installation and configuration instructions, see the Virtual AED Installation Guide.

Licensing vAED
vAED uses cloud-based flexible licenses, which you configure in the vAED UI. You need to
configure the cloud-based licenses for each vAED instance.

See “About Cloud-Based Licensing” on page 49.

If vAED does not have a valid license, then the system does not pass traffic or process
mitigations.

About software bypass


vAED supports software bypass. If software bypass is enabled, then traffic bypasses the
vAED protection interfaces when a software failure occurs. In this case, traffic still passes
through vAED to the connected equipment. Software bypass is enabled by default.

Note
Software bypass only works when you deploy vAED in inline mode. If you deploy vAED in
monitor mode, then vAED does not initiate a software bypass. See “About the monitor
mode” in the AED User Guide.

See “Configuring Software Bypass” on page 14.




System Requirements
Before you install vAED on a host in your network, the host and the hypervisor that runs
on the host must meet the requirements in this section.

Configuration requirements
The configuration requirements for the hypervisor and host hardware are as follows:
- 4 physical CPUs
- 100 GB hard disk space
- 12 GB RAM
- 4 interfaces (4 x virtio on KVM, 4 x E1000 on VMware)

With this configuration, vAED can support up to 50 protection groups. For information
about changing these settings, see the KVM documentation or the VMware
documentation.

Supported interfaces
vAED provides the following interfaces:
- 2 management interfaces: mgt0 and mgt1
- 2 protection interfaces: ext0 and int0




About the Layer 3 Deployment Mode


On vAED, you have the option to deploy in the layer 3 mode. In the layer 3 mode, vAED
forwards all of the traffic that meets the mitigation rules and has a route configured for
the destination network.

See “Setting the Deployment Mode” in the AED User Guide.

In the UI, the inline deployment mode appears as Inline Bridged and the layer 3
deployment mode appears as Inline Routed.

Without a valid license in layer 3 mode, vAED does not pass traffic or process mitigations.

For instructions on how to configure the routes for traffic in layer 3 mode, see
“Configuring Static Routes” in the AED User Guide.

Changing the deployment mode from inline to layer 3


If you change the deployment mode from inline to layer 3, then vAED removes any GRE
tunneling settings, including routes, local IP addresses, remote IP addresses, and the
subnet mask length.

Changing the deployment mode from layer 3 to inline


If you change the deployment mode from layer 3 to inline, then vAED makes the following
changes:
- Removes any routes that are configured for the protection interfaces
- Removes any IP addresses that are configured for the protection interfaces
- Removes any GRE tunneling settings, including local IP addresses, remote IP addresses, and the subnet mask length

Backing up and restoring data while in the layer 3 deployment mode


If vAED is set to the layer 3 deployment mode, then the following data is not included in
any backup:
- Any GRE tunneling settings that are configured on the Interfaces page in the UI.
- Any routes that are configured for the protection interfaces.

See “Configuring GRE Tunneling” in the AED User Guide.




Configuring the Protection Interfaces for Layer 3 Mode


If you deploy vAED in the layer 3 mode, then you need to configure static routes for the
traffic. However, before you configure the routes, you need to assign IP addresses to the
protection interfaces.

For routing information, see “Configuring GRE Tunneling” in the AED User Guide.

For information about the deployment modes, see “Setting the Deployment Mode” in the
AED User Guide.

Specifying IP addresses for protection interfaces on vAED


To specify IP addresses for the protection interfaces:
1. Log in to the CLI with your administrator user name and password.
2. (Optional) To get a list of the protection interfaces on your appliance, enter / services aed mitigation interface ?
3. Enter / services aed mitigation interface interfaceName network
interfaceName = The name of the protection interface to configure. For example, ext0 or int0.
network = The IP address and prefix length for the specified protection interface. The IP address can be IPv4 or IPv6.
4. To verify that any static routes that you previously configured are still valid, enter / services aed mitigation route show
If Unknown appears in the Interface column, then the route is no longer valid and you need to reconfigure the route.
5. Repeat step 3 to configure the other protection interfaces.

Important
If you configure GRE tunneling when vAED is set to the layer 3 mode, then vAED uses the
IP address for the external interface as the GRE tunnel destination. See “About GRE
Tunneling and Cloud Signaling” in the AED User Guide.

Deleting the IP address for a protection interface


You can delete the IP address for a protection interface without deleting the configured
routes. However, any routes that go through that interface become invalid. If vAED can
reach a nexthop after you assign a new IP address and subnet to a protection interface,
then vAED reactivates the invalid route.

To delete the IP address for a protection interface:


- In the CLI, enter / services aed mitigation interface interfaceName delete
interfaceName = The name of the protection interface to delete. For example, ext0 or int0.




Deleting the protection interface settings


You can delete the IP addresses as well as all of the routes that are configured for the
protection interfaces.
Caution
This command deletes all of the routes that are configured on vAED, which includes any
GRE tunneling routes that you configured in the UI.

To delete the IP addresses and routes for all of the protection interfaces:
- In the CLI, enter / services aed mitigation clear




Configuring Software Bypass


vAED supports software bypass. If software bypass is enabled, then traffic bypasses the
vAED protection interfaces when a software failure occurs. In this case, traffic still passes
through vAED to the connected equipment. Software bypass is enabled by default.

Note
Software bypass only works when you deploy vAED in inline mode. If you deploy vAED in
monitor mode, then vAED does not initiate a software bypass. See “About the monitor
mode” in the AED User Guide.

Enabling or disabling software bypass


Note
If AED services are stopped, then you cannot change the bypass settings.

Software bypass is enabled by default. To disable or re-enable software bypass:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aed bypass software {enable | disable}
{enable | disable} = Enter disable to disable software bypass. Enter enable
to allow AED to use software bypass if a software failure occurs.




Accessing vAED
After you install and configure vAED, you can access it through any supported web
browser.

For a list of the capabilities and limitations of vAED, see “About Virtual AED” on page 9.

You can access vAED in the following ways:


- In a browser window, enter https://IP_address
- In a terminal window, enter ssh admin@IP_address
IP_address = the IP address of the management interface on vAED

For vAED installation instructions, see “Installing vAED on KVM” on page 21 and “Installing
vAED on VMware” on page 30.



Section 2:
Installing vAED on KVM

This section describes how to create and configure vAED on a Kernel-based Virtual
Machine (KVM).

In this section
This section contains the following topics:

Preparing to Install vAED on KVM 17
Configuring Network Bridges on KVM 19
Installing vAED on KVM 21
Configuring vAED on KVM 23




Preparing to Install vAED on KVM


Before you install vAED on a KVM hypervisor, the host server must meet the
requirements for system resources. You also must install several software packages.
For information about the required system resources, see “System Requirements” on
page 10.

Preparing to install vAED


The steps to prepare to install and configure vAED on KVM are as follows:

Step 1: Gather the information to use when you configure vAED on KVM.
See: “Collecting the configuration information” on the next page

Step 2: Ensure that the host server on which you install the virtual machine has a processor that supports hardware virtualization.
See: “Enabling hardware virtualization on your CPU” below

Step 3: Install the following software, modules, and packages:
- a 64-bit Linux kernel that supports KVM
- qemu-kvm
- libvirt-bin
- virt-install command line tool
- bridge-utils
See: KVM documentation

Step 4: Ensure that the MTU on the hypervisor is configured properly.
See: KVM documentation

Step 5: Configure the network bridges on KVM.
See: “Configuring Network Bridges on KVM” on page 19

Step 6: Download the vAED .qcow2 disk image file.
See: “Downloading the vAED disk image file” on page 21

Step 7: (Optional) If you plan to use a data source to initialize vAED, create a user data file.
See: “Creating a User Data File for cloud-init” on page 37

Enabling hardware virtualization on your CPU


To run vAED on KVM, the host server on which you install the virtual machine must have a
processor that supports hardware virtualization. Intel and AMD have developed
extensions for their processors: Intel VT-x and AMD-V.

To determine if your processor supports one of these extensions, enter the following
command on your system command line:
egrep -c '(vmx|svm)' /proc/cpuinfo

If the command returns 0, your CPU does not support hardware virtualization. If the
command returns 1 or greater, your CPU supports hardware virtualization. In this case,
you must enable hardware virtualization in the host server’s BIOS.




Collecting the configuration information


Collect the information that applies to your virtual network and document it on the
following worksheet. This information is required when you configure vAED.
Configuration information worksheet

Item: IP address and netmask of the virtual machine
Description: The IP address and netmask of the mgt0 management interface on the virtual machine. We recommend that you allocate IP addresses from the same subnet as the host.
Note: If you are using a DHCP server, the IP address for mgt0 is assigned automatically.
Your setting:

Item: Default router (or gateway)
Description: The IP address of the first router hop that sends outbound network traffic. Typically, this is the subnet switch or router.
Your setting:

Item: Administrator user name and password
Description: The credentials for administrative access to vAED.
Your setting: The default user name is admin and the default password is arbor.




Configuring Network Bridges on KVM


Running vAED on KVM requires four network bridges. You use these network bridges to
map the interfaces on the host server to the virtual interfaces on KVM.

Configuring network bridges


This procedure provides an example of an interfaces file that you use to configure the
network bridges (vmbr0, vmbr1, vmbr2, vmbr3).

The network bridges use the eth0, eth1, eth2, and eth3 interfaces on the host server. You
map the network bridges to the vAED mgt0, mgt1, ext0, and int0 interfaces on KVM.

To configure an interface mapping file:

1. In a text editor on the Linux shell, edit the interfaces file as follows:
/etc/network/interfaces
# loopback
auto lo
iface lo inet loopback

# Specify 4 interfaces.
iface eth0 inet manual
iface eth1 inet manual
iface eth2 inet manual
iface eth3 inet manual

# Configure bridge vmbr0, assign it a static address,
# and map it to interface eth0.
auto vmbr0
iface vmbr0 inet static
address Server_IP
netmask Netmask
bridge_ports eth0
bridge_stp off
bridge_fd 0

# Configure vmbr1 and map it to interface eth1.
auto vmbr1
iface vmbr1 inet manual
bridge_ports eth1
bridge_stp off
bridge_fd 0

# Configure vmbr2 and map it to interface eth2.
auto vmbr2
iface vmbr2 inet manual
bridge_ports eth2
bridge_stp off
bridge_fd 0
bridge_ageing 0

# Configure vmbr3 and map it to interface eth3.
auto vmbr3
iface vmbr3 inet manual
bridge_ports eth3
bridge_stp off
bridge_fd 0
bridge_ageing 0
2. To restart network services, enter one of the following commands:
- /etc/init.d/network restart
- sudo service network-manager restart

After you configure the network bridges, you can install vAED on KVM. See “Installing
vAED on KVM” on the next page.
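A small checker for the bridge layout above, added here as an example (it is not part of the NETSCOUT guide): it parses the ifupdown stanzas and reports any bridge that is missing, shares a host interface with another bridge, has spanning tree on, has a non-zero forwarding delay, or lacks bridge_ageing 0 on the bridges that carry the protection interfaces. The sample file, the documentation address 192.0.2.10, and the assumption that vmbr2 and vmbr3 are the protection bridges are the example's own.

```python
"""Check a KVM host's /etc/network/interfaces for the four vAED bridges.

Added example, not part of the NETSCOUT guide. It parses the ifupdown stanza
format the guide shows and verifies what the guide's sample file sets: bridges
vmbr0..vmbr3 each attached to one distinct host interface, bridge_stp off,
bridge_fd 0, and bridge_ageing 0 on the bridges that carry the protection
interfaces (assumed here to be vmbr2 and vmbr3, as in the guide's sample).
"""
from typing import Dict, List

# Constructed sample that mirrors the guide's file, with a documentation address.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual
iface eth2 inet manual
iface eth3 inet manual
auto vmbr0
iface vmbr0 inet static
address 192.0.2.10
netmask 255.255.255.0
bridge_ports eth0
bridge_stp off
bridge_fd 0
auto vmbr1
iface vmbr1 inet manual
bridge_ports eth1
bridge_stp off
bridge_fd 0
auto vmbr2
iface vmbr2 inet manual
bridge_ports eth2
bridge_stp off
bridge_fd 0
bridge_ageing 0
auto vmbr3
iface vmbr3 inet manual
bridge_ports eth3
bridge_stp off
bridge_fd 0
bridge_ageing 0
"""


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Return {iface: {option: value}} for every 'iface' stanza in ifupdown syntax."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not words:
            continue
        if words[0] == "iface" and len(words) >= 2:
            current = words[1]                  # options that follow belong here
            stanzas.setdefault(current, {})
        elif words[0] in ("auto", "source") or words[0].startswith("allow-"):
            current = None                      # these lines end the stanza
        elif current is not None and len(words) >= 2:
            stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas


def check_vaed_bridges(text: str, bridges=("vmbr0", "vmbr1", "vmbr2", "vmbr3"),
                       protection_bridges=("vmbr2", "vmbr3")) -> List[str]:
    """Return findings; an empty list means the file matches the guide's layout."""
    stanzas = parse_interfaces(text)
    findings: List[str] = []
    used_ports: Dict[str, str] = {}
    for br in bridges:
        opts = stanzas.get(br)
        if opts is None:
            findings.append(f"{br}: missing iface stanza")
            continue
        ports = opts.get("bridge_ports", "").split()
        if len(ports) != 1:
            findings.append(f"{br}: expected exactly one bridge_ports entry, got {ports}")
        for port in ports:
            if port in used_ports:
                findings.append(f"{br}: port {port} is already used by {used_ports[port]}")
            used_ports[port] = br
            if port not in stanzas:
                findings.append(f"{br}: port {port} has no 'iface {port} inet manual' stanza")
        if opts.get("bridge_stp") != "off":
            findings.append(f"{br}: bridge_stp must be off")
        if opts.get("bridge_fd") != "0":
            findings.append(f"{br}: bridge_fd must be 0")
        if br in protection_bridges and opts.get("bridge_ageing") != "0":
            findings.append(f"{br}: protection bridge needs bridge_ageing 0")
    return findings


if __name__ == "__main__":
    print("\n".join(check_vaed_bridges(SAMPLE_INTERFACES) or ["OK: matches the guide's layout"]))
```

Run it against a copy of the host's /etc/network/interfaces before restarting network services, so a typo in a bridge stanza is caught before the protection path depends on it.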




Installing vAED on KVM


After you have performed the pre-installation steps and verified that the system
requirements are met, you can install vAED on KVM.

To install vAED, you create a virtual machine on a KVM hypervisor and then configure its
settings. You must perform the installation steps for each virtual machine that you want
to create.

Note
For information on the system requirements, see “System Requirements” on page 10.
For an overview of the steps to install vAED, see “Preparing to Install vAED on KVM” on
page 17.

After you complete the installation, you can configure vAED. See “Configuring vAED on
KVM” on page 23.

Downloading the vAED disk image file


To download the software:
1. Go to https://my.netscout.com and log in with your credentials.

2. On the welcome page, click Licensing & Downloads.

3. On the Products page, under Security, click Arbor Edge Defense.

4. On the Licensing, Downloads and Documents page, select the appropriate version from
the list, and then locate the files to download.

Installing vAED on KVM


Important
Before you begin, verify that your host and hypervisor meet the requirements in
“System Requirements” on page 10.

To install vAED on KVM:

1. After you download the disk image file, copy the file to the host on which you are
going to install vAED. The default KVM storage location on the target host is
/var/lib/libvirt/images/.
2. Enter the following commands:

Command: sudo virt-install --connect qemu:///system
Description: Start the installer on the host server command line.

Command: --name hostName
Description: Enter the host name for vAED as a simple host name or a fully qualified domain name. For example: host.example.com

Command: --ram 6144
Description: Allocate 6 GB of memory to the virtual machine.

Command: --cpu host
Description: Expose the host CPU configurations to the virtual machine, to improve performance.

Command: --vcpus=2,sockets=1,cores=2,maxvcpus=2
Description: Indicate the number of virtual CPUs that are allocated to the virtual machine.

Command: --arch=x86_64
Description: Indicate that the virtual machine uses a 64-bit architecture.

Command: --os-type linux
Description: Indicate the operating system type.

Command: --cpu CPU
Description: Specify a CPU that has the MMX, SSE, SSE2, SSE3 (PNI), and SSSE3 instruction sets. The following CPUs have the required instruction sets:
- AMD CPUs: Bulldozer or later
- Intel CPUs: Westmere or later
If you are unsure of which CPU to use, enter host

Command: --import
Description: Indicates that you are using a disk image.

Command: --disk path=filepath/fileName.qcow2,device=disk,bus=virtio,size=100,format=qcow2
Description: Specify the path to and file name of the disk image as well as the size and bus type of the image.

Command:
--network bridge=vmbr0,model=virtio
--network bridge=vmbr1,model=virtio
--network bridge=vmbr2,model=virtio
--network bridge=vmbr3,model=virtio
Description: Assign the virtual bridges to the virtual machine and assign the virtual network. See “Configuring Network Bridges on KVM” on page 19.

Command: --vnc --noautoconsole
Description: Allow virtual network computing (VNC) access to the KVM console.

Command: --channel unix,mode=bind,target_type=virtio,name=org.qemu.guest_agent.0,path=/var/lib/libvirt/qemu/channel/target/vmHostname.org.qemu.guest_agent.0
Description: (Optional) Connect the hypervisor to the QEMU guest agent. The QEMU guest agent allows the hypervisor to use a virtio serial console to communicate with and issue commands to vAED. For examples of how to use the QEMU guest agent, see the QEMU documentation at https://wiki.qemu.org/index.php/Features/GuestAgent#Example_usage

After the commands finish executing, you should see the following output, which
indicates that the virtual machine is running:
Domain creation completed. You can restart your domain by running:
virsh --connect qemu:///system start systemName




Configuring vAED on KVM


After you install vAED on a KVM hypervisor, you can configure the system settings from
the vAED command line interface (CLI).
For vAED installation instructions, see “Installing vAED on KVM” on page 21.

After you complete the installation and configuration, you can access vAED at any time.
See “Accessing vAED” on page 15.

Using the KVM virtual machine console to access vAED


Before you can use SSH to access the CLI, you have to create an IP access rule for the ssh
service and change the default admin password. To make these changes, you access the
CLI from the KVM virtual machine console.

To access vAED from the KVM virtual machine console:


1. On the host server command line, enter virsh -c qemu:///session
Note
For help with the terminal commands, enter help. To close the console, enter quit.
2. To connect to the vAED CLI, at the virsh # prompt, enter console hostName
hostName = The name of the vAED.

Configuring vAED
To configure vAED:
1. At the CLI login prompt, enter admin
2. At the password prompt, enter arbor
3. Change the default administrator password as follows:
a. Enter / services aaa local password admin interactive
b. At the prompts, enter the new password.
Important
To use vAED, you must change the default administrator password.
4. To configure the management port, enter ip interfaces ifconfig port ipAddress {netmask | prefix_length} up
port = The management port to configure, in this case, mgt0.
ipAddress = The address of the management port. For example: 198.51.100.2
or 2001:DB8::2.
netmask = For IPv4 addresses, the netmask in dotted-quad format. For example:
255.255.255.0.
prefix_length = For IPv6 addresses, the prefix length for the management
port’s address. For example: /64.
5. (Optional) Repeat the previous step for the mgt1 management port.
6. Enter / ip route add default ipAddress
ipAddress = The IP address for the default gateway. For example: 198.51.100.1
or 2001:DB8::1.




7. Enter / ip access add service {mgt0 | mgt1 | all} CIDR
service = One of the following services:
- https: Allows access to the vAED UI.
- ping: Allows ICMP ping messages for network diagnostics.
- ssh: Allows administrative users to access the CLI.
- cloudsignal: Allows the Cloud Signaling server to access vAED.
- snmp: Allows SNMP access to vAED.
{mgt0 | mgt1 | all} = The name of the management interface on which to apply a service or to apply the service to all of the interfaces.
CIDR = The address range from which you want to allow communications to a service.
Caution
We strongly recommend that you do not use 0.0.0.0/0 or ::/0, because these
address ranges allow unrestricted access to a service. To restrict access, specify the
narrowest address range that you can.
8. Repeat the previous step for each service that you want to add on the appliance.
9. To commit the IP access rules, enter / ip access commit
10. To assign a host name to the vAED, enter / system name set hostname
hostname = The simple hostname for the vAED or a fully qualified domain name.
For example: host.example.com.
11. (Optional) To configure a DNS server, enter / services dns server add IP_address
IP_address = The IP address for the DNS server.
12. Configure the SSH host keys in one of the following ways:
• To have vAED generate the SSH host key files, enter / services ssh key generate
• To import a file that contains the SSH host keys, enter / services ssh key host set disk:fileName
fileName = The name of the file that contains the SSH host keys.
13. To start the SSH service, enter / services ssh start
14. To save the configuration changes, enter / config write
15. To log out of the CLI and close the console session, enter / exit



Section 3:
Installing vAED on VMware

This section describes how to create and configure vAED on VMware.

In this section
This section contains the following topics:

Preparing to Install vAED on VMware 26


Configuration Requirements for the VMware Virtual Network 28
Installing vAED on VMware 30
Configuring vAED on VMware 31
Remapping VMware Virtual Networks 33




Preparing to Install vAED on VMware


Before you install vAED on a VMware hypervisor, the host server must meet the
requirements for system resources. You also must install several software packages.
For information about the required system resources, see “System Requirements” on
page 10.

Preparation process
Prepare to install and configure vAED on VMware as follows:

Step 1: Gather the information to use when you configure vAED.
See: “Configuration information to collect” on the next page.

Step 2: Install VMware vSphere Hypervisor software, version 5.5 or later, on a supported server, which is referred to as the VMware server.
See: http://www.vmware.com/products/vsphere-hypervisor

Step 3: Ensure that the MTU on the hypervisor is configured properly.
See: VMware documentation

Step 4: Install the VMware vSphere Client software, version 5.5 or later, on a client computer.
Important
This client software runs on Windows computers only.
See: VMware documentation

Step 5: Download the vAED .ova file.
See: “Downloading the vAED .ova file” on page 30

Step 6: On the VMware server, configure a virtual network for vAED.
See: “Configuration Requirements for the VMware Virtual Network” on page 28




Configuration information to collect


Collect the information that applies to your virtual network and document it on the
following worksheet. This information is required when you configure vAED.
Configuration information worksheet

Item: IP address and netmask of the virtual machine
Description: The IP address and netmask of the mgt0 management interface on the virtual machine. We recommend that you allocate IP addresses from the same subnet as the host.
Note
If you are using a DHCP server, the IP address for mgt0 is assigned automatically.
Your setting:

Item: Default router (or gateway)
Description: The IP address of the first router hop that sends outbound network traffic. Typically, this is the subnet switch or router.
Your setting:

Item: Administrator user name and password
Description: The credentials for administrative access to vAED.
Your setting: The default user name is admin and the default password is arbor.

Item: Network mappings
Description: The associations between the virtual networks that you create and the vAED interfaces. When you create the virtual networks for the interfaces as described in “Configuration Requirements for the VMware Virtual Network” on the next page, record the network names here. The use of management interface mgt1 is optional.
Your setting:
mgt0:
mgt1:
ext0:
int0:




Configuration Requirements for the VMware Virtual Network

You must configure the appropriate virtual networks before you can install vAED on
VMware.

This document assumes that you have some knowledge of virtual network configuration
or you have access to someone who has this knowledge.

Important
If you are an experienced VMware user, you may choose to configure your networks
differently. If you use a different configuration, then you must account for those
differences during the vAED installation.

Virtual network overview


In the VMware vSphere Hypervisor, you add or configure virtual networks (also called
Ports or Port Groups) for vAED.

When you create vAED, you map the source networks in the virtual image to the virtual
networks (destination networks) that you configured. The source network names are the
same as the vAED interface names (that is, mgt0, mgt1, ext0, and int0).
The use of management interface mgt1 is optional.

About configuring the management interfaces


When you create vAED, the management interfaces are mapped to the same virtual
network. Optionally, if you want to use separate networks for these interfaces, you can
edit the mapping after you complete the installation. See “Remapping VMware Virtual
Networks” on page 33.

About configuring the ext0 and int0 interfaces


To allow the ext0 and int0 interfaces to receive and send traffic, configure the networks
that these interfaces are connected to as follows:
• Configure the network to allow promiscuous mode connections.
See “Configuring promiscuous mode in VMware” on the next page.
• Connect the network tap or other device that provides traffic for vAED to the same
physical adapter that you assign to the network.

By default, vAED is installed in monitor mode. If you plan to keep the system in monitor
mode, then you can map all of the source networks to the same virtual network.

If you map these interfaces to the same virtual network during the initial installation, you
can remap them at any time. See “Remapping VMware Virtual Networks” on page 33.

Note
In inline mode, we tested the ext0 and int0 interfaces as physical interfaces dedicated to
separate virtual ports. However, other configurations should work, including the use of
VLANs to share a single physical interface, as long as the platform and hypervisor
support the configuration. Because vAED performance varies by platform and
configuration, confirm that the performance is acceptable for your situation.




Alternative interface configuration in VMware


In VMware, it is possible to configure the external and internal interfaces to share a
physical interface. However, if different VNIC interfaces that are configured with different
VLAN tags are bound to the same physical interface, the vswitch may drop packets. In
this case, the vswitch drops the packets because the source MAC addresses do not match
the VNIC address.

To avoid dropped packets in this configuration, set the Forged Transmits option for the
virtual network to Accept. When Forged Transmits is set to Accept, the vswitch does not
compare the source MAC addresses to the VNIC address.

For instructions on how to set the Forged Transmits option, see your VMware
documentation.

Important
Because vAED performance varies by platform and configuration, we recommend that
you confirm that the performance of vAED in this configuration is acceptable for your
situation.

Configuring promiscuous mode in VMware


To configure a network to allow promiscuous mode connections:
1. Open the VMware vSphere Client and log in, using the credentials for the VMware
server.
2. In the vSphere Client navigation tree, select the host under which you will install
vAED.
3. In the right pane, select the Configuration tab.
4. On the left side of the tab, under Hardware, select Networking.
5. On the right side of the tab, find the vSwitch that has the network on which you want
to allow promiscuous mode, and then click its Properties link.
6. In the switch’s Properties window, on the Ports tab, select the network that you
created for the ext0 interface, and then click Edit.
7. In the Network’s Properties window, configure the network as follows:
a. Select the Security tab.
b. Select the Promiscuous Mode check box, and then select Accept in the list to
the right of the check box.
c. Click OK.
8. Repeat steps 6 and 7 for the network that you created for the int0 interface.
9. In the switch’s Properties window, click Close.




Installing vAED on VMware


After you have performed the pre-installation steps and verified that the system
requirements are met, you can install vAED on VMware.

To install vAED, you create a virtual machine on a VMware hypervisor and then configure
its settings. You must perform the installation steps for each virtual machine that you
want to create.

When you create the virtual machine, you map the source networks in the virtual image
to the virtual networks (destination networks) that you configured. For more information
about configuring the networks, see “Configuration Requirements for the VMware Virtual
Network” on page 28.

Note
For information on the system requirements, see “System Requirements” on page 10.
For an overview of the steps to install vAED, see “Preparing to Install vAED on VMware”
on page 26.

After you complete the installation, you can configure vAED. See “Configuring vAED on
VMware” on the next page.

Downloading the vAED .ova file


To download the software:
1. Go to https://my.netscout.com and log in with your credentials.

2. On the welcome page, click Licensing & Downloads.

3. On the Products page, under Security, click Arbor Edge Defense.

4. On the Licensing, Downloads and Documents page, select the appropriate version from
the list, and then locate the files to download.

Installing vAED on VMware


To install vAED, you deploy the virtual template (.ova). The virtual machine is a copy of the
virtual hardware, software, and properties that are configured for the template.

To install vAED from an .ova disk image file:

1. Copy the .ova disk image file that you downloaded to the host on your network on
which you will run the VMware hypervisor.
2. Install the .ova file using the Deploy OVF Template feature in VMware vSphere. For
instructions, see https://docs.vmware.com/en/VMware-vSphere/index.html and
search for the topic “Deploy an OVF or OVA Template”.

Important
If you notice reduced performance on vAED when other virtual machines are running on
the host, then you might want to enable hyperthreading and configure latency settings
in vSphere. For instructions, refer to your vSphere documentation.




Configuring vAED on VMware


After you install vAED on a VMware hypervisor, you can configure the system settings
from the vAED command line interface (CLI).
For vAED installation instructions, see “Installing vAED on VMware” on the previous page.

After you complete the installation and configuration, you can access vAED at any time.
See “Accessing vAED” on page 15.

Using the vSphere Hypervisor to access vAED


Before you can use SSH to access the CLI, you have to create an IP access rule for the ssh
service and change the default admin password. To make these changes, you access the
CLI from the vSphere Hypervisor.

To access vAED from the vSphere Hypervisor:


1. On the vSphere Hypervisor, select the Inventory View.
2. If the virtual machine is not powered on, then click the Power On icon.
3. In the inventory list in the left pane, right-click vAED, and then select Open Console
from the context menu.
4. If the GRUB menu appears, select disk (VGA) and press ENTER, or wait and allow the
system to boot automatically.

Configuring vAED
To configure vAED:
1. At the CLI login prompt, enter admin
2. At the password prompt, enter arbor
3. Change the default administrator password as follows:
a. Enter / services aaa local password admin interactive
b. At the prompts, enter the new password.
Important
To use vAED, you must change the default administrator password.
4. To configure the management port, enter ip interfaces ifconfig port
ipAddress {netmask | prefix_length} up
port = The management port to configure, in this case, mgt0.
ipAddress = The address of the management port. For example: 198.51.100.2
or 2001:DB8::2.
netmask = For IPv4 addresses, the netmask in dotted-quad format. For example:
255.255.255.0.
prefix_length = For IPv6 addresses, the prefix length for the management
port’s address. For example: /64.
5. (Optional) Repeat the previous step for the mgt1 management port.
6. Enter / ip route add default ipAddress
ipAddress = The IP address for the default gateway. For example: 198.51.100.1
or 2001:DB8::1.




7. Enter / ip access add service {mgt0 | mgt1 | all} CIDR


service = One of the following services:

https Allows access to the vAED UI.

ping Allows ICMP ping messages for network diagnostics.

ssh Allows administrative users to access the CLI.

cloudsignal Allows the Cloud Signaling server to access vAED.

snmp Allows SNMP access to vAED.

{mgt0 | mgt1 | all} = The name of the management interface on which to apply
a service or to apply the service to all of the interfaces.
CIDR = The address range from which you want to allow communications to a
service.
Caution
We strongly recommend that you do not use 0.0.0.0/0 or ::/0, because these
address ranges allow unrestricted access to a service. To restrict access, specify the
narrowest address range that you can.
8. Repeat the previous step for each service that you want to add on the appliance.
9. To commit the IP access rules, enter / ip access commit
10. To assign a host name to the vAED, enter / system name set hostname
hostname = The simple hostname for the vAED or a fully qualified domain name.
For example: host.example.com.
11. (Optional) To configure a DNS server, enter / services dns server add IP_address
IP_address = The IP address for the DNS server.
12. Configure the SSH host keys in one of the following ways:
• To have vAED generate the SSH host key files, enter / services ssh key generate
• To import a file that contains the SSH host keys, enter / services ssh key host set disk:fileName
fileName = The name of the file that contains the SSH host keys.
13. To start the SSH service, enter / services ssh start
14. To save the configuration changes, enter / config write
15. To log out of the CLI and close the console session, enter / exit
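Step 7 of the KVM and VMware procedures above adds one IP access rule per service, and the Caution asks for the narrowest range you can manage. The following script, an added example that is not NETSCOUT code, builds those CLI lines from a rule list and refuses the unrestricted ranges; the minimum prefix lengths of /24 and /64 are an assumed local policy, not a vAED limit.

```python
"""Validate and build the 'ip access add' rules from step 7 before they
are committed.

Added example, not NETSCOUT code. It models the documented syntax
'ip access add service {mgt0 | mgt1 | all} CIDR', refuses the 0.0.0.0/0
and ::/0 ranges that the Caution warns about, and applies an assumed local
policy of at least /24 (IPv4) or /64 (IPv6); that minimum is not a vAED
limit, so tighten or loosen it for your network.
"""
import ipaddress

# Services and interface names exactly as listed in step 7.
SERVICES = ("https", "ping", "ssh", "cloudsignal", "snmp")
INTERFACES = ("mgt0", "mgt1", "all")

# Assumed local policy: the broadest prefix a rule may carry.
MIN_PREFIX = {4: 24, 6: 64}


def check_cidr(cidr):
    """Return the CIDR in canonical form, or raise ValueError if it is
    unrestricted or broader than the local policy allows."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        # 0.0.0.0/0 or ::/0: exactly the case the guide's Caution forbids.
        raise ValueError("%s allows unrestricted access; refusing" % cidr)
    if net.prefixlen < MIN_PREFIX[net.version]:
        raise ValueError("%s is broader than the local minimum /%d"
                         % (cidr, MIN_PREFIX[net.version]))
    return str(net)


def build_ip_access_commands(rules):
    """Turn (service, interface, cidr) tuples into the step-7 CLI lines,
    followed by the 'ip access commit' of step 9. Any bad rule raises,
    so nothing half-checked is pasted into the appliance."""
    lines = []
    for service, interface, cidr in rules:
        if service not in SERVICES:
            raise ValueError("unknown service %r" % service)
        if interface not in INTERFACES:
            raise ValueError("unknown interface %r" % interface)
        lines.append("/ ip access add %s %s %s"
                     % (service, interface, check_cidr(cidr)))
    lines.append("/ ip access commit")
    return lines


if __name__ == "__main__":
    # Constructed sample: admin hosts on the documentation ranges this guide uses.
    sample = [
        ("ssh", "mgt0", "198.51.100.0/24"),
        ("https", "mgt0", "198.51.100.0/24"),
        ("cloudsignal", "all", "2001:db8::/64"),
    ]
    print("\n".join(build_ip_access_commands(sample)))
```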




Remapping VMware Virtual Networks


When you create vAED, you map the source networks in the virtual image to the virtual
networks (destination networks) that you configured. You can remap the networks at any
time after the installation.

You might want to remap networks in the following situations:


• To map the source networks for the management interfaces (mgt0 and mgt1) to
separate virtual networks.
See “About configuring the management interfaces” on page 28.
• To map the source networks for the ext0 and int0 interfaces to separate virtual
networks so that you can run vAED in inline mode.
See “About configuring the ext0 and int0 interfaces” on page 28.

When you map a virtual network, you connect it to a network adapter that is associated
with a vAED interface. The associations between the network adapters and the interfaces
are predefined in vAED, as shown in the following table.

Associations between network adapters and interfaces

Network adapter Associated interface

Network adapter 1 mgt0

Network adapter 2 mgt1

Network adapter 3 ext0

Network adapter 4 int0

Remapping a source network to a different destination network


To remap a source network:

1. Open VMware vSphere Client and log in, using your credentials for the VMware
server.
2. In the vSphere Client navigation tree, right-click the virtual machine and select Edit
Settings.
3. In the Virtual Machine Properties window, on the Hardware tab, select a network
adapter.
See “Associations between network adapters and interfaces” above to determine
which network adapter to select, based on the interface whose virtual network you
want to remap.
4. In the Network Connection section, in the Network label list, select the virtual
network to which you want to map the source network.
5. In the Virtual Machine Properties window, click OK.



Section 4:
Using Cloud-Init to Initialize vAED

This section describes how to use cloud-init to initialize a vAED on supported hypervisors
the first time that you start the system.

In this section
This section contains the following topics:

About Using Cloud-Init to Initialize vAED 35


Creating a User Data File for cloud-init 37
Configuring Cloud-Init Modules in the User Data File 38
Creating a Password Hash for vAED 41
About the Default User Data File 42
Using Cloud-Init with an Orchestration Environment 43
Using Cloud-Init without an Orchestration Environment 44
Viewing the Cloud-Init Log 47




About Using Cloud-Init to Initialize vAED


The vAED disk image includes the cloud-init platform. Cloud-init provides a quick way to
initialize vAED the first time that you start the system by passing configuration settings in
a user data file to vAED.

After you create a user data file, you create a data source that vAED supports. Cloud-init
uses the data source to pass the configuration settings in the user data file to vAED.

You can use an orchestration environment such as OpenStack to create the data source.
You also can use the NoCloud data source, which does not require an orchestration
environment. See “Using Cloud-Init with an Orchestration Environment” on page 43 and
“Using Cloud-Init without an Orchestration Environment” on page 44.

Requirements
To use cloud-init to initialize vAED, ensure that you meet the requirements for installing
and running vAED on a supported hypervisor. See “Preparing to Install vAED on VMware”
on page 26 and “Preparing to Install vAED on KVM” on page 17.

About the user data file


The user data file is a YAML file to which you add the vAED configuration settings. Cloud-
init locates this file through a supported data source.

For information about the YAML format, see http://www.yaml.org/.

For information about data sources, see “Supported cloud-init data sources” below.

In the user data file, you can include any of the AED CLI commands. For example, you can
use CLI commands in the user data file to perform the following actions:
• Add a password for the system administrator
• Add user accounts and passwords
• Add SSH keys
• Create API tokens
• Set the IP access rules
• Set the deployment mode
• Assign IP addresses to the protection interfaces and configure routes
• Configure the protection ports
• Start AED services

See “Creating a User Data File for cloud-init” on page 37.

Supported cloud-init data sources


To locate a user data file, cloud-init searches for each of the data sources that vAED
supports. If cloud-init finds a supported data source, then cloud-init applies the
configuration settings that are in the associated user data file to vAED.




The data sources that vAED supports, in the order in which cloud-init searches for them,
are as follows:
Supported data sources

Data source: ConfigDrive
Description: Mounts a file system when you start vAED. Cloud-init finds the mounted drive and uses the configuration settings on the drive to initialize vAED. You configure the ConfigDrive data source in the OpenStack orchestration environment.
For instructions on how to create the drive and attach it to vAED, see the OpenStack documentation: http://docs.openstack.org/

Data source: OpenStack
Description: Provides user data through the OpenStack Metadata Service. Cloud-init uses the configuration settings in the metadata service to initialize vAED. You configure the OpenStack Metadata Service in the OpenStack orchestration environment.
For instructions on how to configure the metadata service, see the OpenStack documentation: http://docs.openstack.org/

Data source: None/Fallback
Description: Provides the default configuration settings for vAED if cloud-init cannot find a data source that vAED supports. NETSCOUT provides this read-only data source.
For a description of the default settings in the user data file for the None/Fallback data source, see “About the Default User Data File” on page 42.




Creating a User Data File for cloud-init


To use cloud-init, you create a user data file that includes the configuration settings for
vAED. The user data file can include several cloud-init modules and keys.
vAED supports the following cloud-init modules:
• users module — see “About the users module” on the next page
• comsh module — see “About the comsh module” on page 39

In addition to the keys in the supported modules, vAED supports the fqdn and
final_message keys. See “About the fqdn key and final_message key” on page 40.

You create the user data file in the YAML format, and save the file with a .yaml extension.
For information about the YAML format, see http://www.yaml.org/.

After you create a user data file, cloud-init uses a data source to pass the configuration
settings in the file to vAED. See “Supported cloud-init data sources” on page 35.

Example of a user data file


The following code provides an example of a user data file that contains the cloud-init
modules that vAED supports. Indentation is significant in YAML: keys that belong to a
list item are indented under that item.
#cloud-config
users:
  - default
  - name: user_1
    priv: system_admin
    passwd: passwordHash
    lock_passwd: False
    ssh_authorized_keys:
      - ssh-rsa publicKey user@host
comsh:
  - ip access add http all 192.0.2.0/24
  - ip access add https all 192.0.2.0/24
  - ip access add ping all 192.0.2.0/24
  - ip access add ping all 198.51.100.0/24
  - ip access add ssh all 192.0.2.0/24
  - ip access add ssh all 198.51.100.0/24
  - ip access commit
  - services aaa local password admin encrypted 'passwordHash'
  - services aaa local add user_2 ddos_admin encrypted 'passwordHash'
  - services aaa local apitoken generate user_2 'token for user_2'
  - services ssh key generate
  - services ssh start
  - services start
  - config write
fqdn: myhost.example.com
final_message: "Finished initializing with cloud-init."




Configuring Cloud-Init Modules in the User Data File


vAED supports the following cloud-init modules, which you can configure in the user data
file:
Supported cloud-init modules

Module Purpose
users: To create user accounts on vAED.

comsh: To run CLI commands.

In addition to the keys in the supported modules, vAED supports the following keys:

Additional keys

Key Purpose
fqdn: To specify a fully qualified domain name for vAED.

final_message: To add a message that appears in the orchestration environment console
and in the cloud-init log after the cloud-init process is complete.

These modules and keys are optional, and you can add them to the YAML file in any
order.

Important
These modules are the only cloud-init modules that are supported in a user data file.

About the users module


Add the users module to configure vAED user accounts. The users module keys that you
can add are as follows:
Supported keys for the users module

Key Description
name: Enter the name of the user account.

passwd: Enter a password hash for the user account. See “Creating a
password hash” on page 41.

priv: Enter the user's level of privileges (user group) on vAED.
Valid user groups are as follows:
• system_admin
• ddos_admin
• system_user
• system_none




Supported keys for the users module (continued)

Key Description
lock_passwd: Enter False for this key to allow the user to access vAED. To lock
access to the account, enter True.

ssh_authorized_keys: Add this section to define the public SSH keys for the user.
You can enter keys in the following forms:
• ssh-rsa publicKey
• ssh-dsa publicKey

The following example shows the keys in the users module that you can add to a user
data file:
#cloud-config
users:
  - default
  - name: user_1
    priv: system_admin
    passwd: passwordHash
    lock_passwd: False
    ssh_authorized_keys:
      - ssh-rsa publicKey user@host

About the comsh module


Add the comsh module to include AED CLI commands that initialize vAED. This module
supports all of the AED CLI commands, plus the following command that is only available
through cloud-init.

Command:
license --license-server-id idNum --mbps rate --aif-level {None | Standard | Advanced} --proxy-enable {on | off} --proxy-host ipAddress --proxy-port portNum --proxy-auth-type {anyauth | basic | digest | negotiate | ntlm} --proxy-username name --proxy-password pw

Description:
Configure a cloud-based license for vAED by specifying the license server ID and the mitigation capacity of the license in megabits per second. You also can specify the level for an ATLAS Intelligence Feed license.
To configure an optional proxy server, provide the following information:
• IP address or fully-qualified domain name
• port number
• authentication method
You also might need to provide a username and password, if the authentication method requires them.
Important
The double hyphens in front of the options are required for this command.




Important
When you use cloud-init to initialize vAED, DHCP is enabled by default for management
port mgt0 only.

The following example shows how to use CLI commands in the comsh module:
#cloud-config
comsh:
  - ip access add http all 192.0.2.0/24
  - ip access add https all 192.0.2.0/24
  - ip access add ping all 192.0.2.0/24
  - ip access add ping all 198.51.100.0/24
  - ip access add ssh all 192.0.2.0/24
  - ip access add ssh all 198.51.100.0/24
  - ip access commit
  - services aaa local password admin encrypted 'passwordHash'
  - services aaa local add user_2 ddos_admin encrypted 'passwordHash'
  - services aaa local apitoken generate user_2 'api token for user_2'
  - services ssh key generate
  - services ssh start
  - services start
  - license --license-server-id 12345678901 --mbps 1000 --aif-level Advanced
  - config write

About the fqdn key and final_message key


You can use the fqdn key and final_message key without specifying a module.

Use the fqdn key to specify a fully qualified domain name for vAED. For example:
fqdn: myhost.example.com

Use the final_message key to display a message that appears after the cloud-init process
is complete. This message appears in the orchestration environment console and in the
cloud-init log. See “Viewing the Cloud-Init Log” on page 47.

For example: final_message: "Finished initializing vAED with cloud-init."
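The following script, an added example that is not NETSCOUT code, assembles a user data file from only the modules and keys listed above (users, comsh, fqdn, final_message) and checks each users-module entry against the documented values before writing the YAML. The user-name pattern it applies is an assumed limit, not a documented vAED rule.

```python
"""Assemble a vAED cloud-init user data file from checked settings.

Added example, not NETSCOUT code. It emits only the modules and keys this
guide lists as supported (users, comsh, fqdn, final_message), checks each
users-module entry against the documented values, and writes the YAML by
hand so no third-party module is needed. The user-name pattern is an
assumed conservative limit, not a documented vAED rule.
"""
import re

PRIV_GROUPS = ("system_admin", "ddos_admin", "system_user", "system_none")
SSH_KEY_TYPES = ("ssh-rsa", "ssh-dsa")   # the two forms the guide lists
# Shape of the $2a$12$... hashes that the guide's password script produces.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # assumed limit


def validate_user(user):
    """Raise ValueError if a users-module entry breaks a documented rule.
    passwd must already be a password hash, as the users-module table
    requires; a plain-text password is rejected here."""
    if not NAME_RE.match(user.get("name", "")):
        raise ValueError("bad user name %r" % user.get("name"))
    if user.get("priv") not in PRIV_GROUPS:
        raise ValueError("priv must be one of %s" % (PRIV_GROUPS,))
    if not BCRYPT_RE.match(user.get("passwd", "")):
        raise ValueError("passwd must be a bcrypt hash, not a plain password")
    if not isinstance(user.get("lock_passwd", False), bool):
        raise ValueError("lock_passwd must be True or False")
    for key in user.get("ssh_authorized_keys", []):
        if key.split(" ")[0] not in SSH_KEY_TYPES:
            raise ValueError("unsupported SSH key form: %r" % key)
    return user


def _quote(value):
    """Double-quote a scalar so quotes or colons cannot change the YAML."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_user_data(users, comsh, fqdn=None, final_message=None):
    """Return the #cloud-config text in the layout used in this guide."""
    out = ["#cloud-config", "users:", "  - default"]
    for user in users:
        validate_user(user)
        out.append("  - name: %s" % user["name"])
        out.append("    priv: %s" % user["priv"])
        out.append("    passwd: %s" % user["passwd"])
        out.append("    lock_passwd: %s" % user.get("lock_passwd", False))
        keys = user.get("ssh_authorized_keys", [])
        if keys:
            out.append("    ssh_authorized_keys:")
            out.extend("      - %s" % k for k in keys)
    out.append("comsh:")
    out.extend("  - %s" % cmd for cmd in comsh)
    if fqdn:
        out.append("fqdn: %s" % fqdn)
    if final_message:
        out.append("final_message: %s" % _quote(final_message))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample; the hash is the first one in the guide's example output.
    sample_hash = "$2a$12$D2hAeuKZahxtUAV7PDnEOe1w8ZozjcvxPcG6Vs0dsF7nVOWyH9XL2"
    print(render_user_data(
        [{"name": "user_1", "priv": "system_admin", "passwd": sample_hash,
          "lock_passwd": False,
          "ssh_authorized_keys": ["ssh-rsa PLACEHOLDER_PUBLIC_KEY user@host"]}],
        ["ip access add ssh all 192.0.2.0/24", "ip access commit",
         "services aaa local password admin encrypted '%s'" % sample_hash,
         "services ssh key generate", "services ssh start",
         "services start", "config write"],
        fqdn="myhost.example.com",
        final_message="Finished initializing with cloud-init."))
```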




Creating a Password Hash for vAED


Before you can start SSH or AED services on vAED, you must change the default
password. To change the vAED password with cloud-init, you enter the password as a
password hash in the user data file.
See “Creating a User Data File for cloud-init” on page 37.
Although the password hash does not have to adhere to the vAED password
requirements, we recommend that you create a strong password as follows:
• Use from 7 to 72 characters, which can include special characters, spaces, and
quotation marks.
• Do not use all digits.
• Do not use all lowercase letters or all uppercase letters.
• Do not use only letters followed by only digits (for example, abcd123).
• Do not use only digits followed by only letters (for example, 123abcd).

Creating a password hash


To create a password hash for vAED:
1. Copy the following Python script and then modify the code to create your script:

#!/usr/bin/env python
from __future__ import print_function
import sys
# Using bcrypt
# https://pypi.python.org/pypi/bcrypt
from bcrypt import gensalt
from bcrypt import hashpw
# Generate a hash for each argument passed in.
for pw in sys.argv[1:]:
    # Explicitly using 12 rounds and the 2a prefix.
    salt = gensalt(rounds=12, prefix=b"2a")
    print("{0}:\t{1}".format(pw, hashpw(pw.encode("utf-8"), salt).decode("utf-8")))

2. Run the script.


3. To view the password hashes, pass in plain text passwords as a list of arguments, as
shown in the following example. The example assumes that the name of the script is
passwordHashes.py.
./passwordHashes.py password1 password2 password3
An example of the output is as follows:
password1:
$2a$12$D2hAeuKZahxtUAV7PDnEOe1w8ZozjcvxPcG6Vs0dsF7nVOWyH9XL2
password2:
$2a$12$yDmDzpBLefk11hOBikbO2O3qZ3WcIBQU9vGgtlSMfHstyUYucSFPe
password3:
$2a$12$JVVae6BEQjXmoAkycxLkyebbUA2BO95.A3O/LqGf.W.mmPXQIg18y
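The following script, an added example that is not NETSCOUT code, checks a candidate password against the five recommendations above and confirms that a hash you paste into a user data file has the $2a$12$ form shown in the example output; it needs no bcrypt module.

```python
"""Pre-check a candidate vAED password against the recommendations above,
and confirm that a pasted hash has the bcrypt form the script produces.

Added example, not NETSCOUT code. The five policy rules are the bullets in
'Creating a Password Hash for vAED'; the hash check matches the $2a$12$...
lines in the example output. It needs no bcrypt module, so it runs anywhere.
"""
import re
import sys

# $2a$ (or $2b$/$2y$), a two-digit cost, then 22 salt + 31 hash characters.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def password_policy_violations(pw):
    """Return the recommendations that pw breaks; an empty list means OK."""
    problems = []
    if not 7 <= len(pw) <= 72:
        problems.append("length must be 7 to 72 characters")
    if pw.isdigit():
        problems.append("must not be all digits")
    if pw.isalpha() and (pw.islower() or pw.isupper()):
        problems.append("must not be all lowercase or all uppercase letters")
    if re.fullmatch(r"[A-Za-z]+[0-9]+", pw):
        problems.append("must not be letters followed only by digits")
    if re.fullmatch(r"[0-9]+[A-Za-z]+", pw):
        problems.append("must not be digits followed only by letters")
    return problems


def bcrypt_cost(hash_text):
    """Return the cost factor of a well-formed bcrypt hash, or None if the
    string is not one (for example a plain-text password pasted by mistake
    into the passwd key or an 'encrypted' command)."""
    match = BCRYPT_RE.match(hash_text)
    return int(match.group(1)) if match else None


if __name__ == "__main__":
    # Same calling convention as the guide's script: passwords as arguments.
    for pw in sys.argv[1:]:
        found = password_policy_violations(pw)
        print("%s:\t%s" % (pw, "ok" if not found else "; ".join(found)))
```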




About the Default User Data File


If cloud-init does not find a data source that vAED supports, then cloud-init uses the
None/Fallback data source automatically. This data source passes a user data file that
contains default configuration settings to vAED. You can find this read-only data source
and its associated user data file on the vAED image.
For information about the user data file, see “Creating a User Data File for cloud-init” on
page 37.

Configuration settings in the default user data file


The None/Fallback data source uses the following user data file to initialize vAED:
#cloud-config
comsh:
  - services aed mode set l3
  - config write
final_message: "Finished cloud-init."

This user data file sets the deployment mode to layer 3 (Inline Routed).
Important
The user data file that the None/Fallback data source uses does not start AED services.
You must change the default password on vAED before you can start SSH and AED
services.




Using Cloud-Init with an Orchestration Environment


After you create a user data file and configure a data source that vAED supports, you can
use cloud-init to initialize vAED. You can initialize vAED by using a data source with an
orchestration environment, such as OpenStack.

For information about creating a user data file and data sources, see “Creating a User
Data File for cloud-init” on page 37 and “Supported cloud-init data sources” on page 35.

For information about the hypervisors that vAED supports, see the AED Release Notes.

Note
You also can use cloud-init without an orchestration environment. See “Using Cloud-Init
without an Orchestration Environment” on the next page.

After you use cloud-init to initialize vAED, you can view the cloud-init log. See “Viewing the
Cloud-Init Log” on page 47.

Using an orchestration environment to initialize vAED


Note
For instructions that are specific to your orchestration environment, refer to the
documentation for the orchestration environment.

To use an orchestration environment to initialize vAED:

1. Open the orchestration environment.


2. Upload a copy of the vAED image file.
See “Preparing to Install vAED on KVM” on page 17 and “Preparing to Install vAED on
VMware” on page 26.
3. Configure the appropriate settings to create a vAED instance.
4. Upload a user data file or enter the configuration settings in the appropriate fields in
the orchestration environment.
5. Create the vAED instance.
6. Access vAED in any of the following ways:
   • Open it from your orchestration environment.
   • SSH to the vAED command line interface.
   • Open vAED in a web browser.


Using Cloud-Init without an Orchestration Environment


If you do not have access to an orchestration environment, then you can create a disk
image to use as a NoCloud data source.

For an overview of data sources, see “Supported cloud-init data sources” on page 35.

About the NoCloud data source


To use the NoCloud data source, you must create a disk image that contains a metadata
file and a user data file. Create these files in the YAML format and save them with a .yaml
extension.

The disk image requires a metadata file, but the metadata file can be empty. For
information about the metadata file, see the cloud-init documentation at
https://cloudinit.readthedocs.io/en/latest/

Creating a disk image for the NoCloud data source


To create a disk image for the NoCloud data source:

1. Create the user data file, and name the file user-data.
   See “Creating a User Data File for cloud-init” on page 37.
2. Create the metadata file and name the file meta-data. This file can be empty, but
   you must include a metadata file in the disk image.
3. Save the user-data file and the meta-data file in the same folder.
4. At the same level as the folder in which you saved the files, enter
   $ genisoimage -output seed.iso -volid cidata -joliet -rock user-data meta-data
   This command creates a disk image with the volume label cidata. The NoCloud data
   source accepts either an ISO 9660 or a VFAT file system with that label.
   Note
   This command is for use with a Linux operating system. If you use a different
   operating system, then see the operating system documentation for the correct
   command.

Using a NoCloud disk image to initialize vAED on KVM


After you create a disk image, you can use the NoCloud data source to initialize vAED.

To initialize a new vAED instance on KVM:


1. To start the installer, on the host server command line, enter sudo virt-install
--connect qemu:///system \
2. Enter the following commands to install and configure vAED on KVM. Press ENTER
after each command.


-n VM_hostname \
    Indicates the hostname for the virtual machine. Enter a simple host name or a
    fully qualified domain name. For example: host.example.com

-r 6144 \
    Allocates 6 GB of memory to the virtual machine.

--vcpus=2,sockets=1,cores=2,maxvcpus=2 \
    Specifies the number of virtual CPUs that are allocated to the virtual machine.

--arch=x86_64 \
    Indicates that the virtual machine uses a 64-bit architecture.

--os-type linux \
    Specifies the operating system type.

--import \
    Indicates the use of a disk image.

--disk path=filepath/filename.qcow2,device=disk,bus=virtio,size=100,format=qcow2 \
    Specifies the path and file name of the vAED disk image and the size and bus type
    of the image.

--disk path=filepath/filename.iso,device=cdrom,perms=ro \
    Specifies the path and file name of the NoCloud disk image that contains the
    user-data file and the meta-data file. See “Creating a disk image for the
    NoCloud data source” on the previous page.

--network bridge=vmbr0,model=virtio \
--network bridge=vmbr1,model=virtio \
--network bridge=vmbr2,model=virtio \
--network bridge=vmbr3,model=virtio \
    Assigns virtual bridges to the virtual machine and assigns the virtual network.

--vnc --noautoconsole
    Allows virtual network computing (VNC) access to the KVM console.

After cloud-init executes the commands, you should see the following output, which
indicates that the virtual machine is running:

# virt-install --connect qemu:///system --name <vm-hostname> -r 6144 \
    --vcpus=2,sockets=1,cores=2,maxvcpus=2 --arch=x86_64 --import --os-type linux \
    --disk path=/var/lib/libvirt/images/Arbor-vaed-#.#.#-xxxx.qcow2,bus=virtio,size=100,format=qcow2 \
    --disk path=/var/lib/libvirt/images/filename.iso,device=cdrom,perms=ro \
    --network bridge=vmbr0,model=virtio --network bridge=vmbr1,model=virtio \
    --network bridge=vmbr3,model=virtio --network bridge=vmbr4,model=virtio \
    --vnc --noautoconsole


Using the NoCloud disk image to initialize vAED on VMware


Use these instructions immediately after you deploy vAED on VMware, but before you
start vAED. When you deploy the .ova file, do not select Power On After Deployment.

To initialize vAED on VMware:


1. Deploy the virtual template file (.ova) for VMware. See “Installing vAED on VMware”
on page 30.
2. Open the VMware vSphere Client and, in the left navigation bar, select the host
server on which the vAED resides.
3. In the right pane, click the Configuration tab, and then select Datastores as the
View.
4. From the list of datastores, right-click the datastore in which you want to store the
NoCloud disk image, and then select Browse Datastore.
5. In the left navigation pane of the Datastore Browser window, select the folder in
which you stored your NoCloud disk image.
6. From the toolbar, click the (upload) icon and select Upload File.

7. In the Upload Items window, select the disk image file (.iso) and click Open. If an
upload warning message appears, then click Yes to continue.
8. In the left navigation pane, expand the host server section in which the vAED resides.
9. Under the host server name, right-click the vAED name and click Edit Settings.
10. In the Virtual Machine Properties window, select the Hardware tab and click Add.
11. In the Add Hardware wizard, on the Device Type page, select CD/DVD Drive, and then
click Next.
12. On the CD/DVD Media Type page, select the Use ISO Image option, and then click
Next.
13. On the Select ISO Image page, click Browse, and then select your NoCloud disk image.
14. Select the Connect at power on option, and then click Next.
15. In the Virtual Device Node box, select IDE (1:0), and then click Next.
16. On the Ready to Complete page, click Finish.
17. To save your settings and close the Virtual Machine Properties window, click OK.


Viewing the Cloud-Init Log


After you use cloud-init to initialize vAED, you can view the cloud-init log on vAED. The log
shows all of the cloud-init commands, as well as information that is specific to the vAED
instance.

To view the cloud-init log on vAED:

1. Log in to the CLI with your administrator user name and password.
2. Use one of the following commands to view the cloud-init log:
   • To view the entire log, enter / services log view cloud-init-output.log
   • To view only vAED information in the log, enter
     / services log view cloud-init-output.log tail #
     # = (Optional) The number of lines of text that you want to view. If you do not
     specify a number, this command displays a maximum of 10 lines.

An example of the information that might appear in the cloud-init log is as follows:

##################################################################
Local users:
  admin system_admin Password set
  user1 system_admin Password set
  user2 system_user Password set
Apitokens:
  user1:
    apiToken# apitoken for user1
  user2:
    apiToken# apitoken for user2
Management IP:
  Inet: 198.51.100.8
  Inet6: 2001:DB8::2
System name:
  vaed_1
##################################################################
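As an added example that is not part of the guide, the following Python parses this summary block and compares it with a constructed description of the intended deployment, so that an unexpected user or API token, or a management address that differs from the plan, is reported as soon as cloud-init finishes. It assumes the layout shown above; the API token lines are treated as opaque strings and are never printed.

```python
"""Parse the summary block that vAED writes to cloud-init-output.log and compare
it with what the user data file was meant to configure.

Added example; it is not part of the vAED guide. SAMPLE_LOG is constructed from
the log excerpt shown above (with the documentation addresses it uses), and
EXPECTED is a constructed description of the intended deployment. The token
lines are kept as opaque strings and never printed.
"""
import ipaddress

SAMPLE_LOG = """\
##################################################################
Local users:
  admin system_admin Password set
  user1 system_admin Password set
  user2 system_user Password set
Apitokens:
  user1:
    apiToken# apitoken for user1
  user2:
    apiToken# apitoken for user2
Management IP:
  Inet: 198.51.100.8
  Inet6: 2001:DB8::2
System name:
  vaed_1
##################################################################
"""

# What the user data file was supposed to set up (constructed).
EXPECTED = {
    "users": {"admin": "system_admin", "user1": "system_admin", "user2": "system_user"},
    "management_ip": {"inet": "198.51.100.8", "inet6": "2001:db8::2"},
    "system_name": "vaed_1",
}

SECTIONS = ("Local users", "Apitokens", "Management IP", "System name")


def parse_cloud_init_summary(text):
    """Return a dict with users, apitokens, management_ip and system_name."""
    summary = {"users": {}, "apitokens": {}, "management_ip": {}, "system_name": None}
    section = None
    token_user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or banner
        if line.endswith(":") and line[:-1] in SECTIONS:
            section, token_user = line[:-1], None
            continue
        if section == "Local users":
            parts = line.split()          # "<name> <group> Password set"
            if len(parts) >= 2:
                summary["users"][parts[0]] = {
                    "group": parts[1],
                    "password_set": " ".join(parts[2:]) == "Password set",
                }
        elif section == "Apitokens":
            if line.endswith(":"):        # "<name>:" introduces that user's token
                token_user = line[:-1]
            elif token_user:
                summary["apitokens"][token_user] = line   # kept opaque, never printed
        elif section == "Management IP":
            family, _, addr = line.partition(":")
            summary["management_ip"][family.strip().lower()] = addr.strip()
        elif section == "System name":
            summary["system_name"] = line
    return summary


def verify_deployment(summary, expected):
    """Return a list of findings; an empty list means the instance matches the plan."""
    findings = []
    for name, group in expected["users"].items():
        user = summary["users"].get(name)
        if user is None:
            findings.append("user %s missing" % name)
        elif user["group"] != group:
            findings.append("user %s is in group %s, expected %s" % (name, user["group"], group))
        elif not user["password_set"]:
            findings.append("user %s has no password set" % name)
    for name in summary["users"]:
        if name not in expected["users"]:
            findings.append("unexpected user %s" % name)
    for name in summary["apitokens"]:
        if name not in expected["users"]:
            findings.append("API token issued to unexpected user %s" % name)
    for family, want in expected["management_ip"].items():
        got = summary["management_ip"].get(family)
        try:   # ip_address() normalises case and zero-compression before comparing
            same = got is not None and ipaddress.ip_address(got) == ipaddress.ip_address(want)
        except ValueError:
            same = False
        if not same:
            findings.append("management %s address is %s, expected %s" % (family, got, want))
    if summary["system_name"] != expected["system_name"]:
        findings.append("system name is %s, expected %s"
                        % (summary["system_name"], expected["system_name"]))
    return findings
```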



Section 5:
Licensing vAED

This section describes how to license vAED.

In this section
This section contains the following topics:

About Cloud-Based Licensing 49
Configuring Cloud-Based Licenses 52
Viewing Cloud-Based License Information 56
Viewing License Details in the CLI 59



Section 5: Licensing vAED
vAED Installation Guide, Version 7.1.0.0

About Cloud-Based Licensing


vAED uses cloud-based flexible licenses that allow you to configure the licensed
capabilities for the vAED instance.

You can license the following capabilities:


• The throughput limit
  The throughput limit is enforced on the clean traffic that vAED forwards. Clean
  traffic refers to traffic that is not dropped by a protection setting. For details,
  see “About the Licensed Throughput Limit” in the AED User Guide.
• The ATLAS Intelligence Feed (AIF) level
  The subscription level determines the components that your AIF updates include.

Without a valid license in layer 3 mode, vAED does not pass traffic or process mitigations.

You configure the cloud-based licenses on the Licenses page (Administration >
Licenses). See “Configuring Cloud-Based Licenses” on page 52.

About cloud-based flexible licensing


When you purchase a cloud-based flexible license for a given amount of throughput, your
license is managed by a cloud-based license server.

On each vAED, you connect to the license server and request a portion of the total
licensed throughput, which the server allocates. The license information on a specific
vAED is referred to as the local license.

When you purchase an AIF subscription, you can configure access to a cloud-based AIF
license that corresponds to the subscription level (Standard or Advanced). The
subscription level determines which components of the AIF are included when you
receive AIF updates.

Because you do not need to download and install a license file, you can change and
upgrade your deployment’s capabilities and capacities easily. You can add multiple
licenses to the cloud-based license server to reach the desired throughput for a
deployment.

vAED requires contact with the cloud-based license server to function correctly. vAED
communicates with the license server every 24 hours to refresh the local license
information.

When you change your licenses in any way, the updated capabilities or capacities are
applied to your deployment during the refresh. You also can force a license refresh.

Communicating with the cloud-based license server


vAED communicates with the cloud-based license server on the standard HTTPS port,
443. If vAED is behind a firewall, then we recommend that you configure a proxy server
through which vAED accesses the license server. If vAED cannot communicate with the
license server, then the local licenses expire 10 days after they were last refreshed.


How to obtain cloud-based licenses


To obtain the correct throughput license and AIF license for your deployment, contact
your account team.
When you purchase a cloud-based license, you receive an email message that contains
your cloud-based license server ID. You use this ID to configure access to the cloud-based
license server and request a throughput amount for each vAED. The license server
allocates the requested amount of throughput to each vAED, up to the amount that is
available.

Expiration of cloud-based licenses


You can view information about the licensed capabilities on the Licenses page and the
About page in the UI. You also can view this information in the command line interface
(CLI). See the following topics:
• “Viewing Cloud-Based License Information” on page 56
• “Viewing License Details in the CLI” on page 59

On the Licenses page, the Expiration fields display the dates on which the licenses expire
on the cloud-based license server. If the license server contains multiple licenses for a
capability, then the Expiration field reflects the first date on which a licensed capability
expires. After a license expires, the Expiration field reflects the next date on which a
license for that capability expires.

If no licenses for a capability are available on the license server, then the Expiration field is
cleared. If the local throughput licenses expire, then vAED does not pass traffic or process
mitigations.

Important
Before you decommission a vAED, release its local licenses. If you do not release the
licenses first, then the capacity that is assigned to the instance is unavailable until its
local licenses expire.
The licenses expire 10 days after you decommission the vAED. See “Releasing local
licenses” on page 55.


License-related messages and alerts


You receive information about the status of your cloud-based licenses in the following
ways:
License-related messages and alerts

Expiration messages
    If a license expires within the next 30 days, then a message appears on the
    Licenses page, in the Licensed Capabilities section. This message displays one of
    the following warnings:
    • the date and time when the throughput license expires or expired, and the
      throughput limit that is available after the expiration date
    • the date and time when the current AIF level expires or expired, and the AIF
      level that is available after the expiration date (Standard, Advanced, or None)
    (Cloud-based licenses only) If a local license expires within the next 9 days,
    then a message appears on the Licenses page, in the Cloud-Based License Server
    section. This message provides the following information:
    • the date and time of the last successful refresh
    • the date and time when the local license expires or expired

System alerts and notifications
    If license issues occur, then alerts appear on the Summary page and System Alerts
    page. For example, a system alert is generated when a license expires or when the
    amount of traffic that the instance forwards exceeds 90 percent of its licensed
    limit. See “Viewing Alerts” in the AED User Guide.
    You can configure notifications to send messages when a license alert occurs.
    License alerts are included when you configure bandwidth notifications. See
    “Configuring Notifications” in the AED User Guide.

Status messages
    Status messages indicate the result of an event: success, failure, or already in
    progress. Any messages about problems that need further action remain until the
    problem is resolved.
    Status messages appear in the following locations on the Licenses page:
    • Messages that indicate the result of an event, such as a request for a different
      throughput amount, appear at the top of the Licenses page.
    • Throughput issues and AIF issues appear in the Licensed Capabilities section.
    • (Cloud-based licenses only) Server connection issues appear in the Cloud-Based
      License Server section.
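The expiry and alert rules described above (local licenses expiring 10 days after the last refresh, the 9-day and 30-day warning windows, the 90 percent throughput alert, and the way the Expiration field moves to the next unexpired license) modelled in Python as an added example that is not part of the guide. It assumes the dates and traffic figures are supplied by whatever reads the CLI or UI, and the severities it assigns are this example's own choice.

```python
"""Model the license expiry and alert rules described above so that a monitoring
job can raise the same conditions that the Licenses page reports.

Added example; it is not part of the vAED guide and does not talk to the
license server. All timestamps are constructed. Inputs mirror what the page
describes: the last successful refresh, the expiry dates of the licenses on
the cloud-based license server, and the forwarded clean traffic against the
licensed limit. The "warning"/"alert" severities are this example's choice.
"""
from datetime import datetime, timedelta

LOCAL_LICENSE_LIFETIME = timedelta(days=10)  # local licenses expire 10 days after the last refresh
LOCAL_WARNING_WINDOW = timedelta(days=9)     # Licenses page warns within 9 days of local expiry
SERVER_WARNING_WINDOW = timedelta(days=30)   # Licenses page warns within 30 days of a server-side expiry
THROUGHPUT_ALERT_RATIO = 0.90                # system alert above 90 percent of the licensed limit


def expiration_field(expirations, now):
    """Value of the Expiration field: the earliest expiry that has not yet passed,
    or None when no unexpired license for the capability is left (field cleared)."""
    pending = [when for when in expirations if when > now]
    return min(pending) if pending else None


def local_license_expiry(last_refresh):
    """Local licenses expire a fixed 10 days after the last successful refresh."""
    return last_refresh + LOCAL_LICENSE_LIFETIME


def evaluate(now, last_refresh, throughput_expirations, aif_expirations,
             forwarded_mbps, limit_mbps):
    """Return (severity, message) tuples for every condition the page describes."""
    findings = []
    for capability, expirations in (("throughput", throughput_expirations),
                                    ("AIF", aif_expirations)):
        nxt = expiration_field(expirations, now)
        if nxt is None:
            findings.append(("alert", "Expiration field cleared: no %s license is available "
                                      "on the license server" % capability))
        elif nxt - now <= SERVER_WARNING_WINDOW:
            findings.append(("warning", "%s license expires on %s" % (capability, nxt.date())))

    # The refresh runs every 24 hours and the warning window is 9 of the 10-day
    # lifetime, so a local-license warning means at least one daily refresh failed.
    local_exp = local_license_expiry(last_refresh)
    if local_exp <= now:
        findings.append(("alert", "local license expired on %s; vAED does not pass traffic"
                                  % local_exp.date()))
    elif local_exp - now <= LOCAL_WARNING_WINDOW:
        findings.append(("warning", "local license expires on %s (last successful refresh %s)"
                                    % (local_exp, last_refresh)))

    if limit_mbps > 0 and forwarded_mbps > THROUGHPUT_ALERT_RATIO * limit_mbps:
        findings.append(("alert", "forwarded clean traffic %.0f Mbps exceeds 90 percent of "
                                  "the %.0f Mbps limit" % (forwarded_mbps, limit_mbps)))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 12, 0)                    # constructed clock
    for severity, message in evaluate(now, now - timedelta(days=2),
                                      [datetime(2024, 3, 15)], [datetime(2025, 1, 1)],
                                      950, 1000):
        print(severity, message)
```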


Configuring Cloud-Based Licenses


On the Licenses page, system administrators can configure the throughput limit and the
ATLAS Intelligence Feed (AIF) level for vAED. The licenses are available through a cloud-
based license server. See “About Cloud-Based Licensing” on page 49.

Process for configuring licenses


The process to license vAED consists of the following steps. You perform these steps on
each vAED.

Step 1  Configure access to the cloud-based license server. See “Configuring access to
        the cloud-based license server” below.

Step 2  Request a local license for a throughput limit. This limit is the amount of
        clean traffic that a vAED is licensed to forward. Clean traffic refers to
        traffic that is not dropped by a protection setting. See “Requesting a
        throughput limit” on the next page.

Step 3  Request a local license for an AIF level. See “Requesting an AIF license” on
        page 54.

Step 4  (Optional) Refresh the local license information when needed. See “Refreshing
        local license information” on page 54.

Process for upgrading the throughput limit


After you purchase a license upgrade, perform the following steps to request new
throughput limits per device as needed.

Step 1  Refresh the local license information. See “Refreshing local license
        information” on page 54.

Step 2  Request a new throughput limit. This limit is the amount of clean traffic that
        a vAED is licensed to forward. See “Requesting a throughput limit” on the next
        page.

Configuring access to the cloud-based license server


When you purchase a cloud-based license, you receive an email message that contains
your cloud-based license server ID. You use this ID to configure access to the cloud-based
license server and request a throughput amount for each vAED. The license server
allocates the requested amount of throughput to each vAED, up to the amount that is
available.

To configure access to the license server:


1. Select Administration > Licenses.
2. On the Licenses page, in the Cloud-Based License Server section, specify the server
settings. See “License server settings” on the next page.


To change any of the license server settings that you configured previously, click
Edit.
3. Click Save.

License server settings


The Cloud-Based License Server section of the Licenses page contains the following settings:
License server settings

Cloud-Based License Server ID box
    Type the license server ID that you received after you purchased a cloud-based
    license.

Use Proxy Server check box
    Select this check box to connect to the license server through a proxy server.

Proxy Server box
    Type the IP address or the hostname for the proxy server.

Port box
    Type the port number for the proxy server.

Proxy Username box
    If necessary, type the user name that is required to access the proxy server.

Proxy Password box and Verify box
    If necessary, type the password that is required to access the proxy server, and
    then re-type the password to confirm it. To delete an existing password and leave
    the password empty, click the (Clear Password) icon.

Proxy Authentication Method options
    If necessary, select the authentication method that the proxy server uses:
    • Automatic
    • Basic
    • Digest
    • NTLM
    Automatic is the default setting. If you select Automatic, then vAED identifies the
    authentication method that the proxy server uses. If vAED cannot identify the
    correct authentication method automatically, then select another authentication
    method.

Requesting a throughput limit


After you configure access to the license server, you can request a throughput limit. A
vAED can obtain the requested throughput limit from one throughput license or from
multiple throughput licenses on the configured cloud-based license server.

To request a throughput limit:


1. Select Administration > Licenses.
2. On the Licenses page, in the Requested Throughput Limit box, specify the amount
of throughput to license on the vAED. This throughput amount represents the
amount of clean traffic that the vAED can forward.


You can request from 20 Mbps up to 1 Gbps. The amount of available throughput
depends on the throughput limit that you purchased.
3. Click a throughput rate: Mbps or Gbps.
4. Click Save.
If the cloud-based license server is processing a request from another user, then a
message notifies you that your request cannot be saved. When this message
disappears, click Save again.

The Throughput Limit for Clean Traffic field displays the throughput limit that was acquired.
If the throughput limit that you request is not available, then a message displays the
throughput limit that was acquired instead.

In this case, your original throughput request remains in the Requested Throughput
Limit box. If more throughput becomes available, then the vAED increases the
throughput, up to the requested amount.

To increase the throughput limit, you can purchase additional throughput licenses. You
also can reduce the throughput limit on other vAED instances that are connected to the
same license server.

Requesting an AIF license


After you configure access to the license server, you can request an AIF license.

To request an AIF license:


1. Select Administration > Licenses.
2. On the Licenses page, under Requested AIF Level, click Standard or Advanced.
Note
To turn off access to the AIF, click None.
3. Click Save.
If the cloud-based license server is processing a request from another user, then a
message notifies you that your request cannot be saved. When this message
disappears, click Save again.

If the license server cannot acquire the requested AIF level, then a message displays the
level that the vAED can acquire. The Current AIF Level field displays the AIF level that was
acquired or None, if no AIF license is available.

Your original AIF request remains in the Requested AIF Level field. This allows the vAED
to change to the requested level if it becomes available on the license server.

To obtain a different AIF level, you can purchase additional AIF licenses.

Refreshing local license information


vAED communicates with the cloud license server every 24 hours to refresh the local
license information. However, you might want to refresh the local licenses yourself in the
following situations:
• after a network change occurs, to ensure that the vAED still can contact the license
  server
• after you add more throughput capacity to the server or update the AIF license level,
  so that the vAED can access it immediately
• after you resolve any issues that might have caused a license refresh to fail


To refresh the local license:


1. Select Administration > Licenses.
2. On the Licenses page, in the Cloud-Based License Server section, click Refresh Local
Copy of License.
If a license request from another user is pending, then a message notifies you that
you cannot refresh your licenses at this time. You must wait until the message
disappears before you try to refresh again.

A refresh might take several minutes. If the vAED can communicate with the cloud-based
license server, then the Last Successful Refresh section of the Licenses page displays the
new date and time.

If the vAED cannot communicate with the license server, then a message notifies you that
the refresh was unsuccessful. In this situation, contact the Arbor Technical Assistance
Center (ATAC) at https://my.netscout.com.

Releasing local licenses


If you no longer need a license on a particular vAED, then you can release the license so
that its throughput amount is available for other vAED instances.
Important
Release local licenses before you decommission a vAED. If you do not release the
licenses first, then the capacity that is assigned to the instance is unavailable until its
local licenses expire.
The licenses expire 10 days after you decommission the vAED.

To release a throughput license:


1. Select Administration > Licenses.
2. On the Licenses page, in the Requested Throughput Limit box, enter 0.
3. Click Save.


Viewing Cloud-Based License Information


If you are a system administrator, then you can view information about the cloud-based
flexible licenses on the Licenses page. vAED uses cloud-based flexible licenses.

You also can view information about the cloud-based license server.

Navigating to the Licenses page


To view information about the licensed capabilities for vAED:
• Select Administration > Licenses.

Note
You also can access the Licenses page from any license limit alerts that might appear on
the Summary page and System Alerts page. If you are a system administrator, then a
(context menu) icon appears to the right of the alert name on these pages. The View
Limit option on this context menu opens the Licenses page.

Information about cloud-based flexible licenses


On the Licenses page, you can view the following information about the cloud-based
flexible licenses.
Additional information in the Licensed Capabilities section

Throughput Limit for Clean Traffic
    The amount of clean traffic that the instance is licensed to forward. Clean traffic
    refers to traffic that is not dropped by a protection setting. See “About the
    throughput information on the Licenses page” on page 58.

Requested Throughput Limit
    The amount of license throughput that you requested. If the requested amount is
    not available, then this value differs from the Throughput Limit for Clean Traffic.
    See “Requesting a throughput limit” on page 53.

Expiration
    The first date on which a throughput license will expire on the cloud-based
    license server. If no throughput license was requested or if no throughput license
    is available, then this field is empty. If the throughput license on the license
    server does not have an expiration date, then this field shows No Expiration.

Current AIF Level
    The AIF level that is configured for your system (None, Standard, or Advanced).

Requested AIF Level
    The AIF level that you requested. If the requested level is not available, then
    this level differs from the Current AIF Level. See “Requesting an AIF license” on
    page 54.


Additional information in the Licensed Capabilities section (continued)

Expiration
    The first date on which an AIF license will expire on the cloud-based license
    server. If no AIF license level was requested or if no AIF license is available,
    then this field is empty. If the AIF license on the license server does not have an
    expiration date, then this field shows No Expiration.

Information about the cloud-based license server


On the Licenses page, you can view the following information about the cloud-based
license server.
Information in the Cloud-Based License Server section

Last Successful Refresh
    The last date on which vAED was able to connect to the cloud-based license server,
    to refresh the local license information. If vAED cannot connect to the license
    server, then a message displays the amount of time, in days and hours, until the
    local licenses expire.

Refresh Local Copy of License
    Click this button to refresh the connection to the cloud-based license server. You
    might want to refresh the connection in the following situations:
    • after a network change occurs, to ensure that vAED still can contact the license
      server
    • after you add more throughput capacity to the server or update the AIF license
      level, so that vAED can access it immediately
    • after you resolve any issues that might have caused a license refresh to fail
    See “Refreshing local license information” on page 54.

Cloud-Based License Server ID
    The ID of the cloud-based license server on which the licenses reside.

Proxy Server, Port, Proxy Authentication Method
    If you configure a proxy server for the cloud-based license server, then these
    fields show the IP address or hostname, port number, and authentication method
    for the server.

Note
To view additional details about licenses, use the command line interface (CLI). See
“Viewing License Details in the CLI” on page 59.


About the throughput information on the Licenses page


The Throughput for Clean Traffic graph represents the amount of clean traffic that vAED
forwarded over the previous week. Use this information to monitor vAED and determine
when it is near or above the licensed capacity.

You also can use this information to verify the success of an upgrade to a license that has
a higher throughput limit.

Below the graph, the Throughput Limit for Clean Traffic section indicates the amount of
throughput for which vAED is licensed. A black horizontal line identifies this limit on the
graph. This throughput limit is not absolute; it allows for a buffer that accommodates
occasional traffic spikes.

Note
If you restart your system, then the horizontal line might drop to zero. After the restart is
complete, the correct limit is restored.

vAED continues to forward clean traffic until the traffic exceeds the buffer. At that point,
vAED might start to drop clean traffic. The traffic segments in blue represent the clean
traffic that vAED forwarded. The traffic segments in red represent the clean traffic that
vAED dropped after the buffer was exceeded.


Viewing License Details in the CLI


After you install the licenses, you can view the following information about the licensed
capabilities by using the command line interface (CLI):
• the aggregated amount of throughput that is associated with each of the licensed
  capabilities
• the AIF level that is licensed
• the expiration dates for all of the licenses on the cloud-based license server
• the expiration dates for the local licenses on instances of vAED

Viewing the licensed capabilities


To view the throughput limits that are configured for each of the licensed capabilities:
1. Log in to the CLI with your administrator user name and password.
2. Enter / system license capability

Showing the license information


To show information about the licenses in the system:
• In the CLI, enter / system license show

Information about flexible licenses


The / system license show command displays information about licenses. On a vAED,
the information represents the available licenses on the cloud-based license server. You
can view this information from the CLI only.

To view this information for a specific local license:


• Enter / system license show #
  # = the license ID number that appears in the # column on the screen, as
  described in the following table.

Information about flexible licenses

# (number)
    The ID that is associated with each license. Append this ID number to the
    / system license show command to view details about a specific license.

License Name
    The licenses that are available on the cloud-based license server:
    • AED.mbps – a license for the throughput limit
    • AIF.advanced – a license to access the Advanced AIF
    • AIF.standard – a license to access the Standard AIF

Entitlements
    The amount of throughput, in Mbps, that is assigned to each of the licenses.


Information about flexible licenses (continued)

Field Description
Expires The date at which the licensed capability expires on the cloud-
based license server.
If the license does not have an expiration date, then permanent
appears instead of a date.

Total The combined throughput amount for all of the licenses on this
Throughput vAED.

Throughput The amount of throughput that a single license provides. This


information appears only when you view a specific local license.

Borrowed until The expiration date for a local cloud-based license. This
information appears only when you view a specific local license.

Capabilities This field is not used.



Appendix A: vAED Performance Benchmarks

This section provides information about the vAED performance benchmark tests.

In this section
This section contains the following topics:

vAED Performance Benchmarks 62


vAED Performance Benchmarks


To obtain information about the performance of vAED, we ran benchmark tests on
several vendor platforms and in the following virtualization environments:
• KVM
  For information about the KVM installation, see “Installing vAED on KVM” on page 21.
• VMware
  For information about the VMware installation, see “Installing vAED on VMware” on
  page 30.

For information about vAED, see “About Virtual AED” on page 9.

Vendor platforms and host server configuration


We performed the tests on the following platforms:
Vendor platforms for benchmark testing

Vendor and Model        CPU                         Cores  RAM     Storage
Cisco® UCS B200 M4      2x E5-2640 v3 @ 2.60 GHz    16     64 GB   2 TB SAS
Dell™ PowerEdge™ R420   2x E5-2470 v2 @ 2.40 GHz    10     256 GB  2 TB non-SSD
HP® ProLiant DL380 G2   2x E5-2690 v3 @ 2.60 GHz    12     256 GB  2 TB non-SSD

We configured the host server for the vAED benchmark tests as follows:
CPU configuration

Component         Configuration
CPUs              4
Hard disk space   100 GB
RAM               12 GB
Interfaces        VMware: 4 x E1000
                  KVM: 4 x Virtio

Performance benchmark test metrics


We used the following metrics for the vAED benchmark tests.

Test Setup
The test components consisted of an Ixia appliance and the device under test (DUT). The
DUT was vAED on VMware or KVM. The Ixia chassis was connected directly to the DUT
with no physical switch between the two devices. The physical cabling varied, based on
the DUT and the test that was being run.

Each vAED interface used its own virtual switch or Linux bridge, which was bound to a
physical interface on the host server. The virtual switches were not shared among vAED
virtual machines.


Throughput testing
The purpose of the inspection throughput metric is to establish and illustrate the
maximum traffic throughput that the vAED can inspect.

Note
This test differs from a pure network throughput test, in which the raw packet handling
capacity is determined without inspection.

We performed the following throughput tests:


• 64-byte fixed packet size
  This test determines the maximum frames per second (fps) that vAED can handle while
  it inspects packets. The fps values in the following tables are the results from this test.
• random packet size
  For this test, we used IMIX traffic to determine the maximum bps that vAED can handle
  while it inspects packets. The bps values in the tables below are the results from this
  test.
  The IMIX traffic uses the ratio [64:7, 570:4, 1518:1], where each pair is a frame size
  in bytes and its weight; the weights total 12 (7+4+1). Frames are generated at random
  in these proportions:
  ◦ 64-byte frames are 7/12 of the total
  ◦ 570-byte frames are 4/12 of the total
  ◦ 1518-byte frames are 1/12 of the total
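The frame-size ratio above fixes the theoretical ceilings behind the Mfps and Mbps columns of the results tables that follow. The script below is an added example, not part of the NETSCOUT guide: it computes the 64-byte frame rate and the IMIX throughput ceiling from the guide's ratio and expresses a measured figure as a percentage of that ceiling. It assumes a 1 Gbps test link (the guide does not state the Ixia port speed) and that the tables' percentages are relative to these ceilings; both are inferences, supported by the fact that 946.5 Mbps is reported as 100%.

```python
# Added example, not from the NETSCOUT guide: line-rate ceilings behind the
# benchmark tables. The 1 Gbps link speed is an assumption (the guide does not
# state the Ixia port speed), chosen because it reproduces 946.5 Mbps = 100%.

# Bytes per frame that occupy the wire but are not counted as frame bytes:
# 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 8 + 12

# The IMIX profile from the guide: frame size in bytes -> weight (7 + 4 + 1 = 12).
IMIX_PROFILE = {64: 7, 570: 4, 1518: 1}


def line_rate_fps(frame_bytes, link_bps=1e9):
    """Maximum frames per second for a fixed frame size on one link."""
    return link_bps / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def imix_average_frame_bytes(profile=IMIX_PROFILE):
    """Weighted mean frame size of an IMIX profile (about 353.83 bytes for the
    guide's 64:7, 570:4, 1518:1 mix)."""
    total_weight = sum(profile.values())
    return sum(size * weight for size, weight in profile.items()) / total_weight


def imix_line_rate_mbps(profile=IMIX_PROFILE, link_bps=1e9):
    """Maximum frame throughput in Mbps for IMIX traffic: the fraction of
    link capacity that carries frame bytes rather than preamble and gap."""
    avg = imix_average_frame_bytes(profile)
    return link_bps * avg / (avg + WIRE_OVERHEAD_BYTES) / 1e6


def percent_of_line_rate(measured, line_rate):
    """A measured figure as a percentage of the line-rate ceiling, 2 decimals."""
    return round(100.0 * measured / line_rate, 2)


if __name__ == "__main__":
    fps_64 = line_rate_fps(64)
    imix_mbps = imix_line_rate_mbps()
    print(f"64-byte line rate : {fps_64 / 1e6:.3f} Mfps")
    print(f"IMIX average frame: {imix_average_frame_bytes():.2f} bytes")
    print(f"IMIX line rate    : {imix_mbps:.1f} Mbps")
    # VMware / UCS row of the guide: 0.562 Mfps (64-byte), 946.5 Mbps (IMIX)
    print(f"0.562 Mfps is {percent_of_line_rate(0.562e6, fps_64)}% of line rate")
    print(f"946.5 Mbps is {percent_of_line_rate(946.5, imix_mbps)}% of line rate")
```

The Mfps values in the tables are rounded to three decimals, so recomputed percentages land within a few tenths of a percent of the printed ones rather than matching exactly.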

Latency testing
Traffic delays can trigger timeout conditions, which may cause critical applications to fail.
In some cases, time-to-live values may cause traffic to be re-sent, which can make traffic
problems worse. For these reasons, latency is an important consideration for an inline
network security device.

Note
Latency can vary due to the hardware configuration of the virtual machine’s host server
and the number of virtual machines that the server is hosting.

We performed the following latency tests:


• 64-byte fixed packet size
  This test determines the average latency and minimum latency on vAED while it
  inspects 64-byte packets.
• random packet size
  This test determines the average latency and minimum latency on vAED while it
  inspects IMIX traffic.

Note
We incorporated latency improvement measures during the installation process.


VMware performance benchmarks


To obtain the VMware results, the testers used VMware 5.5. The numbers may vary
slightly if you use a different VMware version.

The performance benchmark results for VMware on a host server with 4 CPUs are as
follows:
VMware results

           Throughput                        Latency (ms)
                                             64-byte fixed size   Random packet size
Platform   Mfps             Mbps             Average   Minimum    Average   Minimum
UCS        0.562 (37.78%)   946.5 (100%)     0.245     0.088      0.229     0.115
HP         0.561 (37.70%)   946.500 (100%)   0.337     0.03       0.697     0.055
Dell       0.91 (61.40%)    946.500 (100%)   0.729     0.35       0.333     0.05

KVM performance benchmarks


The performance benchmark results for KVM on a host server with 4 CPUs are as follows:
KVM results

           Throughput                          Latency (ms)
                                               64-byte fixed size   Random packet size
Platform   Mfps             Mbps               Average   Minimum    Average   Minimum
UCS        0.416 (27.96%)   943.265 (99.65%)   0.395     0.046      0.14      0.018
HP         0.385 (26.00%)   924.316 (97.65%)   0.168     0.026      0.332     0.042
Dell       0.485 (32.62%)   946.500 (100%)     0.200     0.019      0.355     0.033



Index

A
AIF level, configuring 54
AIF license
    expiration messages 51
    requesting 54
    viewing details in the CLI 59
    viewing local licenses 56
API Guide online 5
Arbor Technical Assistance Center, contacting 7
ATAC, contacting 7
ATLAS Intelligence Feed license
    expiration messages 51
    requesting 54
    viewing details in the CLI 59
    viewing local licenses 56

B
benchmark testing 62
bypass, software 14

C
cloud-based license
    requesting throughput limit 53
cloud-based license server
    communications 49
    configuring access for AED 52
    configuring access for vAED 52
    proxy server 53
    viewing information 57
cloud-based licenses
    about 49
    configuring 52
    expiration 50
    expiration messages 51
    local licenses, viewing 59
    refreshing local copies 54
    releasing 55
    status 51
    throughput, viewing 56
    viewing 56
    viewing details in the CLI 59
Cloud-Init
    about 35, 43-44, 47
    password hash for user data file 41
    supported data sources 35
    user data file 35, 37, 42
Cloud-Init modules
    supported 38
command syntax 6
configuration, vAED 23, 31
conventions, typographic
    commands 6
CPU instruction sets for vAED 10
customer support, contacting 7

D
data sources for Cloud-Init 35
deployment mode
    layer 3 11

E
expiration, licenses
    cloud-based licenses 50
    messages 51
    viewing 56

F
flexible license
    viewing 56, 59

H
hardware requirements for vAED 10

I
inspected throughput
    limits, viewing for local license 56
installation
    vAED on KVM virtual machine 17, 21
    vAED on VMware 26, 30
interfaces
    vAED 9
interfaces, protection
    configuring 12
    IP addresses 12
IP addresses
    protection interfaces 12

K
KVM
    using QEMU guest agent with 22
KVM virtual machine
    configuring network bridges 19
    installing vAED on 17, 21
    performance benchmarks 64

L
layer 3 mode
    about 11
    deleting 13
    deleting settings and routes 13
license
    cloud-based licenses 49
    expiration 50
    expiration messages 51
    expiration, viewing 56
    refreshing local copies 54
    status 51, 56
    throughput, viewing 56
    viewing 56
    viewing details in the CLI 59
license server
    about 49
    communications 49
    configuring access for AED 52
    configuring access for vAED 52
    proxy server 53
    viewing information 57
license, ATLAS Intelligence Feed (AIF)
    expiration messages 51
    requesting 54
    viewing 56
    viewing details in the CLI 59
license, local
    viewing information 56
    viewing throughput limit 56
Licenses page
    configuring cloud-based licenses 52
    viewing license information 56
licensing 52
limits
    throughput, viewing for local license 56
local license
    releasing 55

N
network bridges
    configuring for KVM virtual machine 19

O
overview of vAED 9

P
password hash for Cloud-Init 41
performance benchmarks 62
    KVM virtual machine 64
    VMware virtual machine 64
protection interfaces
    configuring 12
    IP addresses 12
proxy server
    cloud-based license server 53

Q
QEMU guest agent, using with KVM 22

R
routes
    deleting for layer 3 13

S
server, license
    about 49
software bypass 9, 14
status
    cloud-based license 51
support, contacting 7
syntax, commands 6

T
throughput
    limits, viewing for local license 56
    viewing licensed amount 56
throughput limit
    requesting 53
typographic conventions
    commands 6

U
user data file
    creating for Cloud-Init 37, 42
    password hash 41
    supported Cloud-Init modules 38
user data file for Cloud-Init 35
user input, syntax 6

V
vAED
    about 9
    accessing 15
    configuring VMware virtual network 28
    CPU instruction sets 10
    hardware requirements 10
    initializing with Cloud-Init 35
    installation on KVM virtual machine 17, 21
    installation on VMware 26, 30
    performance benchmarks 62
    supported interfaces 9
    VMware virtual network configuration 33
vAED license
    local licenses, viewing 59
virtual machine (vAED)
    about 9
    Also see vAED 9
    installing on KVM 17
    installing on VMware 26, 30
VMware
    installing vAED on 26, 30
    performance benchmarks 64
    remapping virtual networks 33
    requirements for virtual network 28



End User License Agreement


The end user license agreement (EULA) contains updated terms and conditions with
respect to your license of NETSCOUT product and services and is deemed to replace any
previous license terms provided with respect thereto; provided, however, if you and
NETSCOUT have executed a direct agreement, such direct agreement shall govern your
license of NETSCOUT product and services.

You can read the complete end user license agreement online at
https://www.netscout.com/sites/default/files/2018-06/NetScout-Systems-End-User-Product-License-Agreement.pdf.
