NEOX NETWORKS - Solution Provider für Netzwerk-Monitoring & -Security Lösungen
User Guide for NEOX NETWORKS models including: NEOXPacketRaven, NEOXPacketRaven Hybrid Singlemode Multimode 1G Fiber TAPs, Hybrid Singlemode Multimode 1G Fiber TAPs, Singlemode Multimode 1G Fiber TAPs, Multimode 1G Fiber TAPs, Fiber TAPs
PacketRaven - Portable Copper, SFP & Fiber Network TAPs
File Info : application/pdf, 9 Pages, 2.05MB
DocumentDocumentQUICK USER GUIDE // NEOXPacketRaven NEOXPacketRaven Hybrid Singlemode/Multimode 1G Fiber TAPs with Data Diode Function QUICK USER GUIDE Hybrid Fiber Network TAPs with media conversion and signal regeneration are decoupling elements for passive, secure and reliable tapping of network data in optical networks. These TAPs are looped into the fibre-optic line to be monitored and route out the entire data traffic while maintaining data integrity, without interruption and without packet loss. Using conventional SPAN ports, also known as mirror ports, on the other hand, can distort the result, as this copying process works in store-and-forward mode and, for example, discards FCS/CRC faulty packets on OSI layer 2 instead of providing these Ethernet frames to the security or monitoring tool. Our Network TAPs do not have a MAC or IP address, but work entirely on OSI Layer 1 and cannot be traced in the network without special and expensive measuring equipment. Hackers and attackers therefore have no chance. As the integrity of the outgoing data remains unaltered due to this tapping method, our Network TAPs are increasingly used in the areas of network forensics, security and monitoring. Furthermore, our hybrid 1000Base Fiber TAPs behave passively on the network side, which means that there is no interruption of network traffic in the event of a TAP power supply failure. In order to ensure the highest possible reliability on the monitoring side, our hybrid Fiber TAPs have redundant power supplies, but can also be additionally operated or fused with 12-48V DC voltage. Additionally, our TAPs work like a Data Diode and the monitoring ports are physically isolated from the network ports, which prevents access to the network via the monitoring ports on the hardware side for security reasons. Therefore, our hybrid Fiber TAPs guarantee a reliable network analysis or security investigation without compromise. This range of our PacketRaven Network TAPs are designed as portable TAPs, but can also be installed in a 19" mounting frame in data centres via a mounting kit and support a network speed of 1000Mbps (1000Base-SX, 1000Base-LX and 1000Base-ZX). With PacketRaven Fiber TAPs you get permanent network access without risk and provide e.g. your monitoring tools with 100% reliable network data - without introducing a single point of failure. QUICK USER GUIDE // NEOXPacketRaven 1. More Highlights - Plug-n-Play, no complex configuration necessary - Secure, rock-solid FPGA-based design - Support for up to 16k jumbo frames - Mirrors 100% of traffic including FCS/CRC errored packets that may be dropped by SPANs discarded - Can be powered by redundant AC/DC power supplies (5V) - Designed, assembled, certified and tested in Germany 2. Front View - Connections and LEDs (A) LC Network ports A & B (B) RJ45/SFP Monitoring ports A & B and Status LEDs (see section 2.1) (C) 12-48V DC power LED (see section 3.) If power is supplied via the 12-48V DC connection, this LED lights up. (D) 2 power LEDs for AC/DC 5V (see section 3.) It is possible to connect up to 2 power supply units to ensure power supply redundancy. (E) Aggregation-Modus LED (see section 6.1) If the Aggregation mode is activated instead of the standard Breakout mode, this LED lights up. 2.1 Front View - Meaning of the Port LEDs The right-hand port LED lights up if there is a functioning 1G connection. If network data is also being transmitted, the right-hand port LED starts flashing. 3. Back View (A) DIP switch for setting the TAP mode (see section 6.) (B) Connection for 12-48V DC voltage. The polarity at the DC connection is irrelevant, since the TAP automatically detects the live wire and supplies the power supply to the TAP in the required form! (C) Redundant connections for AC/DC power supplies (5V) For reasons of compatibility and EMC protection, our TAPS may only be operated with the supplied power supplies certified together with the TAP. If the TAP is nevertheless operated with power supplies other than those supplied, any warranty claim granted for the TAP will be voided! QUICK USER GUIDE // NEOXPacketRaven 4. Front panel - mobile or mounting kit / mounting frame version Our TAPs are available with a front panel for mobile use - as well as with mounting frames (-ERW versions) for permanent installation in our PRP-1U3 server cabinet mounting frame, which provides space for three of our portable TAPs each. Server rack mounting frame PRP-1U3 for portable TAPs TAP with front panel for server rack mounting frame PRP-1U3 TAP for mobile use Of course, TAPs with mounting frames can also be used in mobile applications! 5. Advanced functions of Hardened TAPs Preconfigured Our Network TAPs with RJ45 monitoring output work like a data diode and thus physically isolate the monitoring ports from the network ports. This ensures that, for security reasons, access to the network via the monitoring ports is prevented on the hardware side. PacketRaven Network TAPs are therefore already in the standard version among the network components through which an attack vector is excluded. Secure Boot For high-security areas according to IEC 62443 and critical infrastructures (CRITIS), however, even this is sometimes not sufficient, which is why NEOX Networks now also offers a specially hardened version of its TAPs. Security Seal If desired, these TAPs can be delivered pre-configured and then do not allow any subsequent configuration changes. In addition, they are secured against unwanted or unnoticed opening by special screws and security seals. Safety Screws And to round it all off, these TAPs also have a specially secured and encrypted firmware. Secureboot checks each time the TAP is started whether the firmware to be executed has a valid signature and an authorised public key. If this is not the case, the TAP cannot be put into operation. 6. Connection reliability in case of power loss With all our active Hybrid Network TAPs it is guaranteed that a loss of the TAP power supply will not lead to a failure of the active network line. Only the devices connected to the monitoring port may no longer be supplied with data. QUICK USER GUIDE // NEOXPacketRaven 7. Split Ratios / Light Extraction In order to tap data from an optical network connection, it is necessary to decouple or split a part of the available light signal. The split ratio is the ratio of the amount of light that is still available for the fiber optic network connection in relation to the amount of light that is diverted or split off to the monitoring ports of the (passive) fiber optic Network TAPs. A split ratio of e.g. 70/30 means that 70% of the light is still available for the network connection and 30% is split off for the monitoring ports. However, as these TAPs have a copper or SFP-based monitoring output, 100% signal strength is available by means of OEO conversion - i.e. conversion of the optical signal into an electrical signal - in contrast to fiber-based monitoring ports. Fiber TAP 50/50 Split Ratio Fiber TAP 60/40 Split Ratio Fiber TAP 70/30 Split Ratio 8. Data Diode Function Data diodes ensure unidirectional communication and ensure that data traffic can only flow in one direction. Unidirectional network devices are typically used to ensure information security or the protection of critical digital systems, such as industrial control systems or production networks from cyber attacks. Our TAPs work like a diode and do not allow access to the network via the monitoring ports for security reasons. By adding this further layer of security, it is therefore not possible to compromise the network connection and the productive network. 9. Individually configured available Due to the FPGA chipset on which our active TAPs are based, it is possible to programme these models according to customer-specific requirements. For example, TAPs with fixed operating mode and/or fixed speed, time stamping of outgoing packets, and much more. QUICK USER GUIDE // NEOXPacketRaven 10. DIP Switch Configuration As shown in the figure on the left, the second and third switches are used to select the operating mode. The switches numbered 1, 4, 5, 6, 7 and 8 are ignored and left for future use. The desired configuration should be set before plugging in the network cable. If an invalid configuration has been selected, all LEDs on the unit light up and the relay switches are not activated. In this case, switch off the unit and check the DIP switches. When changing the configuration by means of DIP switches, it is always necessary to perform a restart by disconnecting the power supply so that the new settings are activated! In case of a restart, however, there is no interruption of the network traffic! 10.1 Operating Mode Configuration Please note that no matter which operating mode you set, the link speed of the RJ45 monitoring port will always be negotiated with 1000Base-T. In the case of a TAP with SFP monitoring port the link speed is negotiated with 1000Base-T, 1000Base-SX, 1000Base-LX or 1000Base-ZX, depending on the transceiver type. When selecting the operating mode (switches 2 & 3), the configuration is as follows: · Aggregation: In this mode, the data streams are bundled and output aggregated on both of the monitoring ports. This allows you to evaluate the network data of a full duplex line simultaneously with a single network interface on your analyzer. Due to the aggregation in hardware (FPGA), faulty packet sequences during recording are a thing of the past in this mode. Switch value 01 · Breakout: Each Ethernet packet transmitted via the network line is mirrored separately in this mode while maintaining data integrity in the TAP. The send and receive directions are output separately on the two monitoring ports so that the network traffic can be analysed per data direction in this case. Another great advantage of the Breakout mode is the visibility of the network traffic even with a fully loaded network connection. In this mode, the set network speed is transferred to the monitoring ports. Switch value 00 · Regeneration: Regeneration is used to capture 100% full duplex traffic that can be sent to multiple monitoring devices (up to 3 in this case) for analysis of your network. In this mode, the network speed settings are synchronised as in Breakout mode and the setting on the DIP switch is applied to all ports. Switch value 10 QUICK USER GUIDE // NEOXPacketRaven Aggregation Mode Breakout Mode 10.2 Passive / Power Off Mode If the power supply fails, the active network connection is not interrupted. Only the devices connected to the monitoring port are no longer supplied with data. Regeneration Mode 11. Technical Specifications Dimensions: Weight: Consumption: Storage Temperature: Operating Temperature: Certifications: NETWORK TAP 10.60 cm x 3.50 cm x 16.40 cm 460g max. 3 Watt at 5V/0.6A -40° to 70°C 0° to 40°C CE, FCC, RoHS, WEEE, EN55032 KL. A/B, EN55035, EN61000-3-2, EN61000-3-3, EN61000-6-2 Input Voltage: Output Voltage: Output Current: Power: Power Plug: 5V Cable 5V Plug POWER SUPPLY 110V-240V AC 50-60Hz 5V DC 2A max. 10 Watt with interchangeable plug head with ferrite ring - Screwable hollow plug - 5.5 mm outer diameter - 2.1 mm inner diameter SPLIT RATIO (OTHERS ON REQUEST) Singlemode OS1, OS2 Multimode OM3, OM4, OM5 ATTENUATION VALUES 50:50 60:40 3.4 dB / 3.4 dB 2.5 dB / 4.5 dB 3.8 dB / 3.8 dB 2.8 dB / 4.8 dB 70:30 1.7 dB / 5.8 dB 2.2 dB / 6.1 dB WAVELENGTH 1310nm/1550 nm 850nm QUICK USER GUIDE // NEOXPacketRaven 12. Models - Network TAPs 1000BASE-LX - STANDARD SINGLEMODE MODELS All TAPs for fiber type OS2 are also OS1 compatible! The TAPs whose item numbers end in ,,-ERW" have a special front panel to allow them to be installed in our server cabinet mounting frame! ITEM NO. MEDIA TYPE NETWORK FIBER TYPE WAVELENGTH CONNECTOR NETWORK CONNECTOR MONITOR. PRP-OS2-SLC-* 1000Base-LX 1G OS2 1310 nm LC Singlemode RJ45 PRP-OS2-SLC-*-ERW 1000Base-LX 1G OS2 1310 nm LC Singlemode RJ45 PRP-OS2-SLS-* 1000Base-LX 1G OS2 1310 nm LC Singlemode SFP PRP-OS2-SLS-*-ERW 1000Base-LX 1G OS2 1310 nm LC Singlemode SFP * respective split ratio - e.g. ,,70" for a split ratio of 70:30, ,,60" for 60:40, and ,,50" for 50:50 1000BASE-ZX - STANDARD SINGLEMODE MODELS All TAPs for fiber type OS2 are also OS1 compatible! The TAPs whose item numbers end in ,,-ERW" have a special front panel to allow them to be installed in our server cabinet mounting frame! ITEM NO. MEDIA TYPE NETWORK FIBER TYPE WAVELENGTH CONNECTOR NETWORK CONNECTOR MONITOR. PRP-OS2-SLZC-* 1000Base-ZX 1G OS2 1550 nm LC Singlemode RJ45 PRP-OS2-SLZC-*-ERW 1000Base-ZX 1G OS2 1550 nm LC Singlemode RJ45 PRP-OS2-SLZS-* 1000Base-ZX 1G OS2 1550 nm LC Singlemode SFP PRP-OS2-SLZS-*-ERW 1000Base-ZX 1G OS2 1550 nm LC Singlemode SFP * respective split ratio - e.g. ,,70" for a split ratio of 70:30, ,,60" for 60:40, and ,,50" for 50:50 1000BASE-LX/ZX - HARDENED SINGLEMODE MODELS All TAPs for fiber type OS2 are also OS1 compatible! The TAPs whose item numbers end in ,,-ERW" have a special front panel to allow them to be installed in our server cabinet mounting frame! ITEM NO. PRP-OS2-SLC-*-1GA-S MEDIA NETTYPE WORK 1000Base-LX 1G FIBER TYPE OS2 WAVE- CONN. LENGTH NET. 1310 nm LC Singlemode CONN. MON. RJ45 SUPPORTED TAP MODES Aggregation, Breakout, Regen. PRP-OS2-SLC-*-1GA-S-ERW 1000Base-LX 1G OS2 1310 nm LC Singlemode RJ45 Aggregation, Breakout, Regen. PRP-OS2-SLC-*-1GAO-S 1000Base-LX 1G OS2 1310 nm LC Singlemode RJ45 Aggregation PRP-OS2-SLC-*-1GAO-S-ERW 1000Base-LX 1G OS2 1310 nm LC Singlemode RJ45 Aggregation PRP-OS2-SLC-*-1GBO-S 1000Base-LX 1G OS2 1310 nm LC Singlemode RJ45 Breakout PRP-OS2-SLC-*-1GBO-S-ERW 1000Base-LX 1G OS2 1310 nm LC Singlemode RJ45 Breakout PRP-OS2-SLZC-*-1GA-S 1000Base-ZX 1G OS2 PRP-OS2-SLZC-*-1GA-S-ERW 1000Base-ZX 1G OS2 PRP-OS2-SLZC-*-1GAO-S 1000Base-ZX 1G OS2 PRP-OS2-SLZC-*-1GAO-S-ERW 1000Base-ZX 1G OS2 PRP-OS2-SLZC-*-1GBO-S 1000Base-ZX 1G OS2 PRP-OS2-SLZC-*-1GBO-S-ERW 1000Base-ZX 1G OS2 * respective split ratio - e.g. ,,70" for a split ratio of 70:30, ,,60" for 60:40, and ,,50" for 50:50 1550 nm LC Singlemode RJ45 Aggregation, Breakout, Regen. 1550 nm LC Singlemode RJ45 Aggregation, Breakout, Regen. 1550 nm LC Singlemode RJ45 Aggregation 1550 nm LC Singlemode RJ45 Aggregation 1550 nm LC Singlemode RJ45 Breakout 1550 nm LC Singlemode RJ45 Breakout QUICK USER GUIDE // NEOXPacketRaven 1000BASE-SX - STANDARD MULTIMODE MODELS All TAPs for fiber type OM4 are also OM3 compatible! The TAPs whose item numbers end in ,,-ERW" have a special front panel to allow them to be installed in our server cabinet mounting frame! ITEM NO. PRP-OM4-SLC-* MEDIA TYPE 1000Base-SX NETWORK 1G FIBER TYPE OM4 WAVELENGTH 850 nm CONN . NET. LC Multimode CONN. MON. RJ45 PRP-OM4-SLC-*-ERW 1000Base-SX 1G OM4 850 nm LC Multimode RJ45 PRP-OM4-SLS-* 1000Base-SX 1G OM4 850 nm LC Multimode SFP PRP-OM4-SLS-*-ERW 1000Base-SX 1G OM4 850 nm LC Multimode SFP PRP-OM5-SLC-* 1000Base-SX 1G OM5 850 nm 950 nm LC Multimode RJ45 PRP-OM5-SLC-ERW 1000Base-SX 1G OM5 850 nm 950 nm LC Multimode RJ45 PRP-OM5-SLS-* 1000Base-SX 1G OM5 850 nm 950 nm LC Multimode SFP PRP-OM5-SLS-ERW 1000Base-SX 1G OM5 850 nm 950 nm LC Multimode SFP * respective split ratio - e.g. ,,70" for a split ratio of 70:30, ,,60" for 60:40, and ,,50" for 50:50 1000BASE-SX - HARDENED MULTIMODE MODELS All TAPs for fiber type OM4 are also OM3 compatible! The TAPs whose item numbers end in ,,-ERW" have a special front panel to allow them to be installed in our server cabinet mounting frame! ITEM NO. PRP-OM4-SLC-*-1GA-S MEDIA NET- FIBER TYPE WORK TYPE 1000Base-SX 1G OM4 WAVE- CONN . CONN. LENGTH NET. MON. 850 nm LC Multimode RJ45 AVAILABLE TAP MODES Aggregation, Breakout, Regen. PRP-OM4-SLC-*-1GA-S-ERW 1000Base-SX 1G OM4 850 nm LC Multimode RJ45 Aggregation, Breakout, Regen. PRP-OM4-SLC-*-1GAO-S 1000Base-SX 1G OM4 850 nm LC Multimode RJ45 Aggregation PRP-OM4-SLC-*-1GAO-S-ERW 1000Base-SX 1G OM4 850 nm LC Multimode RJ45 Aggregation PRP-OM4-SLC-*-1GBO-S 1000Base-SX 1G OM4 850 nm LC Multimode RJ45 Breakout PRP-OM4-SLC-*-1GBO-S-ERW 1000Base-SX 1G OM4 850 nm LC Multimode RJ45 Breakout PRP-OM5-SLC-*-1GA-S 1000Base-SX 1G OM5 850 nm 950 nm LC Multimode RJ45 Aggregation, Breakout, Regen. PRP-OM5-SLC-*-1GA-S-ERW 1000Base-SX 1G OM5 850 nm 950 nm LC Multimode RJ45 Aggregation, Breakout, Regen. PRP-OM5-SLC-*-1GAO-S 1000Base-SX 1G OM5 850 nm 950 nm LC Multimode RJ45 Aggregation PRP-OM5-SLC-*-1GAO-S-ERW 1000Base-SX 1G OM5 850 nm 950 nm LC Multimode RJ45 Aggregation PRP-OM5-SLC-*-1GBO-S 1000Base-SX 1G OM5 850 nm 950 nm LC Multimode RJ45 Breakout PRP-OM5-SLC-*-1GBO-S-ERW 1000Base-SX 1G OM5 850 nm 950 nm LC Multimode RJ45 Breakout * respective split ratio - e.g. ,,70" for a split ratio of 70:30, ,,60" for 60:40, and ,,50" for 50:50 QUICK USER GUIDE // NEOXPacketRaven PRP-OS2-SLC-x / PRP-OS2-SLZC-x PRP-OM4-SLC-x PRP-OM5-SLC-x PRP-OS2-SLS-x / PRP-OS2-SLZS-x PRP-OM4-SLS-x ITEM NO. PRP-1U3 PRP-1U3-BP ACCESSORIES Server rack mounting frame for 3 portable TAPs Blind plate for mounting frame PRP-OM5-SLS-x PRP-1U3-BP ITEM NO. PRP-PS-INT PRP-PS-*-A PRP-PS-EU PRP-PS-UK PRP-PS-US ACCESSORIES PSU with EU, UK, and US plug head Plug head *EU, *UK or *US Power supply unit with EU plug (head) Power supply unit with UK plug (head) Power supply unit with US plug (head) PRP-1U3 PRP-PS-INT ITEM NO. NX-SFP-TX-1G NX-SFP-FX-100M NX-SFP-SX-1G NX-SFP-LX10-1G NX-SFP-LX20-1G NX-SFP-LX40-1G NX-SFP-ZX80-1G NX-SFP-ZX120-1G NX-SFP-ZX160-1G SFP TRANSCEIVER 10/100/1000Base-T SFP transceiver, supports connection lengths of up to 100 m 100Base-FX SFP transceiver, Multimode, 1310nm, supports connection lengths of up to 2 km 1000Base-SX SFP transceiver, Multimode, 850nm, supports connection lengths of up to 550 m 1000Base-LX SFP transceiver, Singlemode, 1310nm, supports connection lengths of up to 10 km 1000Base-LX SFP transceiver, Singlemode, 1310nm, supports connection lengths of up to 20 km 1000Base-LX SFP transceiver, Singlemode, 1310nm, supports connection lengths of up to 40 km 1000Base-ZX SFP transceiver, Singlemode, 1550nm, supports connection lengths of up to 80 km 1000Base-ZX SFP transceiver, Singlemode, 1550nm, supports connection lengths of up to 120 km 1000Base-ZX SFP transceiver, Singlemode, 1550nm, supports connection lengths of up to 160 km NEOX NETWORKS GmbH Monzastr. 4 · 63225 Langen · Germany +49 6103 / 37 215 910 solutions@neox-networks.com www.neox-networks.com