
IRONVIEW NETWORK MANAGER

• Delivers on the promise of Fault, Configuration, Accounting, Performance, and Security Management – FCAPS – for managing Foundry’s high performance networking products
• Enterprise-wide business application monitoring on every port from 10Mbps up to 10Gbps, without any impact to network performance
• Pin-point troubleshooting, targeted fault analysis, and proactive management and removal of any abusive application network flows
• Deploy network changes anywhere and anytime on any Foundry product that spans from Layer 2 up to Layer 7
• Enforced user-based bandwidth and access control list policy network-wide
• Rapidly deploy Metro Ethernet services, and accurately meter usage and SLA
• Standards-based and highly secure network management system built upon Java, SNMP, and sFlow (RFC 3176) – the industry standard protocol for network management

Empowers businesses to Control the Impact of Change

Foundry’s IronView Network Manager


Foundry’s IronView Network Manager (INM) allows today’s networks to run at maximum efficiency by allowing network operators to effectively track and perform configuration changes and software updates, and identify and resolve network failures. Changes to complex network-wide features such as Access Control Lists (ACL), Rate Limiting policies, VLANs, software and configuration updates, and network alarms and events, are becoming impossible to track and deploy consistently without intelligent network management applications. Without these web-based management tools, networks are prone to outages due to mis-configuration or invalid software upgrades. Built on top of a Java-based platform, Foundry’s INM empowers network operators to seamlessly control software and configuration updates for any Foundry product from anywhere, allowing for complete management of networks.

With IronView Network Manager, network managers can now automatically discover networks that contain Foundry’s high performance network equipment that spans from Layer 2 to Layer 7, and immediately acquire and view their VLAN and ACL configurations. IronView Network Manager’s ACL Manager, coupled with Foundry’s universal support of the ACL feature throughout its product line from Layer 2 to Layer 7, makes the deployment of network policies and business application priorities trouble-free and simple from the core backbone network down to the edge network or wiring closet.

IronView Network Manager takes advantage of Foundry’s JetCore ASIC, which integrated Hewlett-Packard’s XRMON Packet Sampling Technology and sFlow Technology, described in RFC 3176, to deliver hardware-based and real-time network monitoring and accounting capabilities. This ensures wire-speed switching and routing performance with “always-on” fault and performance management, capacity planning, intrusion detection, security policing and precise network traffic accounting on all ports from Layer 2 up to Layer 7.
INM Key Features and Benefits
IronView Network Manager comes with the following key application managers:
• User and Role Manager
• Network Object Manager
• VLAN Manager
• Access Control List Manager
• Event Manager
• Configuration Manager
• Bandwidth Manager
• Service Director

All of INM’s application managers use SNMPv3 (Simple Network Management Protocol), the standard protocol for element management. SNMPv3, which comes standard with IronWare release 7.5.02 and above, allows network managers the flexibility to separate SNMP OIDs (Object Identifier) into a user-based classification. For example, a classification name called “network operations” can be created and all “READ-ONLY” SNMP OIDs can be associated into the “network operations” classification. This flexibility of grouping SNMP OIDs allows network managers to control SNMP access down to the simplest unit of an SNMP.

SNMPv3 enables encryption of SNMP PDUs (Packet Data Unit), ensuring greater security for managing networks. Earlier versions of SNMP use clear text to send SNMP PDUs, which can be easily deciphered by any hacker to breach network security. Encrypting SNMP PDUs makes it very difficult to decrypt device or network configurations. Foundry’s implementation of SNMP v3 supports Data Encryption Standard (DES) encryption key.

In addition, INM’s application managers are web-based, allowing network managers to access control of their network from anywhere using any well-known browser and at the same time allowing access to be operating system independent. This convenience allows network operational activities to be performed at any time or at times when critical changes to the network are required.

Finally, each INM application manager is composed of sub-application managers and each sub-application manager can be “bundled” together to create group partition and ownership. This flexibility enables network managers to group sub-applications for varying groups within an IT organization, based on their role within the organization.

User and Role Manager
INM’s User and Role Manager allows network managers to create “role” access accounts and access levels for each account. Network managers can use the User and Role Manager to create groups, with each group having its own access into any sub-applications. This ensures task separation common within an IT organization.

Figure 1: User and Role Manager (figure callout: Assign INM applications for each AAA or TACACS+ privileges)

Network managers can manage each user account, such as adding new users, setting passwords for users, and applying roles to the users, giving them specific access and configuration authority. In addition, actions performed by each user are logged to account for any configurations deployed within a Foundry device or devices. This security feature enables network managers to troubleshoot any network problems caused by erroneous configuration deployments, and deliver detailed configurations used during the deployment.

INM’s User and Role Manager also includes features that allow users to be authenticated using an external authentication solution like TACACS+ or AAA, which simplifies and combines the security system for INM users and for users accessing any Foundry products. Network managers can also use this feature to assign privileges for each TACACS+ or AAA user group, giving a multi-level security system for configuration changes to any device on the network.
Network Object Manager
INM’s Network Object Manager enables the creation of a Device Group and a Port Group. As shown in figure 2, network managers can group Core network devices together to allow network managers to load common configurations or perform common monitoring facilities on these Core network devices. Likewise, network managers can group ports together across network devices to perform the same activities.

Allowing network managers to create groups based on devices or ports enables rapid deployment of configuration changes throughout the network. For example, network managers can easily deploy security policies using Foundry’s Access Control List feature to a group of ports within the wiring closet. In addition, network managers can perform real-time network traffic accounting on these ports to monitor and verify deployment of security policies.

Device configurations can also be created that span ports and devices, enabling network managers to deploy or schedule service changes within a set of devices or a set of ports.

Figure 2: Device Group and Port Group within the Network Object Manager

VLAN Manager
Foundry’s INM comes with a VLAN Manager, which enables network managers to discover already configured VLANs within their network and to perform Adds/Moves/Changes to any VLANs within their network. VLAN Manager can create, view, update, and deploy changes to port-based VLANs, protocol-based VLANs, and VoIP VLANs.

Figure 3: VLAN Manager (panels: VLAN Manager for Metro Providers and Carriers; VLAN Manager for Enterprise)

Foundry’s VLAN Manager supports IPv6 VLANs, allowing network managers to support a VLAN with hosts that have IPv6 enabled operating systems. Enabling support for IPv6, the next generation IP protocol, allows network managers to manage together VLANs that contain IPv4 hosts and IPv6 hosts within the single management system.

Metro Service Providers, who deploy Transparent LAN Services and use VLANs to create service separation, can easily associate QoS to any VLAN that spans across the providers’ network. For example, a Metro Service Provider can designate VLAN 99 to be the VLAN used for their voice services. The Metro Service Provider can then easily associate a QoS priority for VLAN 99, the voice service VLAN, to ensure higher priority for voice traffic across the provider’s network. This feature allows Metro Service Providers to offer toll-quality voice services for any of their customers.

With the help of the Service Director (see “Service Director” section for details), network managers can view a VLAN-based traffic matrix in real-time. Enterprise customers can easily manage and review the network for any bottlenecks. Service Providers can use the VLAN-based traffic matrix to easily create billing information about their customers. Both Enterprise and Service Provider, with the use of Foundry’s JetCore ASIC, are assured of wire-speed network performance, while performing real-time and “always-on” network traffic accounting within their network.

Access Control List Manager
The Access Control List Manager (ACL Manager) allows network managers to easily configure Access Control Lists (ACLs), which allow network managers to permit or deny packets based on source and destination IP address, IP protocol information, or TCP or UDP protocol information. It also allows network managers to easily import ACLs from a Foundry device or a group of Foundry devices, allowing network managers to easily create existing ACLs within the ACL Manager.

As shown in figure 4, the ACL Manager comes with two sub-applications: the Service Manager and the Network Manager. The Service Manager, which allows network managers to add other UDP or TCP ports, comes with pre-defined and well-known services allowing network managers to easily create, add, and deploy ACLs using “named” services. The Network Manager allows users to add and group IP subnet or IP address. These sub-application managers deliver flexibility in associating a Service Rule and a Network Rule within an Access Control List.

Figure 4: Access Control List Manager


The ACL Manager supports configuration for the following types of ACLs, and applies them to interfaces to filter traffic sent or received on those interfaces:
• Standard – Permits or denies packets based on source IP address.
• Extended – Permits or denies packets based on source and destination IP address and based on IP protocol information. These extensions include:
— Source/destination host names
— IP subnet and range
— Source/destination TCP or UDP port/socket
— Well-known port numbers (0 – 1023)
— Priority ToS or DiffServ Control Point information

Event Manager
Network managers can easily troubleshoot network problems using INM’s Event Manager. The Event Manager receives both SNMP Traps and Syslog messages, giving network managers a single application to view, validate, and troubleshoot network events.

Figure 5: Event Manager

The Event Manager also comes with extensive “Search Criteria” for network events based on the following:
• Syslog and/or SNMP Trap events
• Individual Device, Device Groups or Port Groups
• Event Severity (emergency, alert, critical, error, warning, notice, info, debug, and unknown)
• Acknowledged and/or Unacknowledged Events
With an expansive “Search Criteria”, network managers can easily drill down to the cause and effect of any network problems.

The Event Manager also comes with an Event Email Tool, which network managers can configure to send email of any de-duplicated network events.

As shown in figure 6, network managers create email alerts with the following information:
• Alert Identification – allows network managers to supply the name of the email alert.
• Alert Recipient – allows network managers to supply a list of email addresses of those who need to receive the email alert. Registered users within the User and Role Manager can be immediately acquired within the Email Tool.
• Email Content – allows network managers to include text messages for the “Subject” and the “Body” of the email.
• Trap Specification – allows network managers to configure the following to further refine the network events:
— Event Severity (emergency, alert, critical, error, warning, notice, info, debug, and unknown)
— Event Frequency Count
— Source of the network events, which can be based on the following:
– Individual Device
– Device Groups
– Port Groups

Figure 6: Event Manager’s Email Tool

Bandwidth Manager
Foundry’s rate limiting feature is robust and INM supports the following rate limiting capabilities:
• Fixed Rate Limiting
• Adaptive Rate Limiting
• JetCore Adaptive Rate Limiting features, which include the following:
— Fixed port-based rate limiting
— Port-and-priority based rate limiting
— Port-and-ACL based rate limiting
Figure 7 shows how INM users can now make bulk deployments of Foundry’s rate limiting feature.

Network managers can use INM’s Bandwidth Manager to deploy any Foundry rate limiting policies into their network, allowing seamless deployment of their business policies to their users. Policies for higher priority applications like VoIP can now be deployed easily across a network. Universities, who require rate-limiting a student’s network access, can also take advantage of bulk deployments.

Figure 7: Bandwidth Manager


Service Director
Service Director comes with the following sub-applications:

1. Monitoring – Allows for both SNMP and sFlow collection and presentation. sFlow, which is based on RFC 3176, is embedded into Foundry’s JetCore ASIC and delivers the following features without any impact to network performance:
• Accurate network traffic accounting, from Layer 2 up to Layer 7, including traffic accounting based on 802.1X username.
• Integration with industry-leading accounting and billing applications
• Intrusion Detection and full visibility of any network traffic, regardless of protocol (e.g., IPv4, IPX, AppleTalk, and IPv6)
• Precise network policing of network traffic everywhere, from the network Edge up to the network Core
• Identification of network bottlenecks within a network and complete packet header decode, from Layer 2 up to Layer 7

Figure 8 shows the Monitoring tool, which allows network managers to view, monitor, and account for SNMP data collection and sFlow collection.

Figure 8: Service Director’s Monitoring Facility

2. Accounting – Allows network managers to create a Summary or Detail Traffic Report, which can be used by Metro Providers, who offer Transparent LAN Services, for their billing solution or to feed into their billing system.

Metro Service Providers (MSPs) or Carriers can now deliver a detailed traffic network report (see figure 9) that shows Layer 2 up to Layer 7 information about their customer’s traffic. With Foundry's robust usage management and network traffic accounting features, MSPs and Carriers can now build revenue based on their customer's usage data and use the following benefits:
• Collect, correlate, and aggregate customer usage data - enabling integrated billing and data mining solutions.
• Create new services and accurately bill for them - leading to new and increased revenues.
• Standardize usage data and allow multiple applications easy access to the data.
• Increase revenues and customer satisfaction by implementing the following:
— Simplify advertiser billing by tracking subscriber usage and hit rates.
— Develop focused marketing programs based on knowledge of subscriber behavior.
— Model new billing plans against actual subscriber usage data.
— Exploit other data mining opportunities including capacity planning, fraud management, and network latency analysis.

Figure 9: Service Director’s Accounting Facility


sFlow is supported in the Foundry products shown in figure 10, including Foundry’s 10GbE module. Support for sFlow from 10Mbps up to 10Gbps ensures delivery of detailed network traffic flow accounting without any impact to network performance. High speed computing (HPC), which uses Gigabit Ethernet and 10 Gigabit Ethernet for server and switch aggregation, respectively, requires real-time and cumulative historical information about its business application traffic.

Foundry’s networking products deliver low network latency, Jumbo Frames, Gigabit Over Ethernet (GbECu), and 10 Gigabit Ethernet switches and routers for use within an enterprise’s Data Center and Backbone. Coupled with sFlow, real-time network monitoring of business application traffic offers tangible benefits to an HPC environment.

Figure 10: Shows Foundry Products that Support sFlow
Panel labels: FastIron Layer 2/3 Enterprise Switches; BigIron Layer 3 Backbone Switches; NetIron Metro Routers; ServerIron Web Switches; IronView Network Management
Products shown: NetIron 4802; NetIron 400/800/1500; FastIron 400/800/1500; FastIron 4802; BigIron 4000/8000/15000; FastIron Edge 2402POE/4802POE; FastIron Edge 12GCF; FastIron Edge 2402/4802/9604; ServerIron 400; ServerIron 800


Architecture for IronView
Network Manager
Figure 11 shows the architecture of Foundry’s IronView Network Manager, which delivers the essential requirements for network management – FCAPS. Foundry’s solution covers each of the following layers, which combine to deliver FCAPS within the Element Layer, the Network Management Layer, and the Service Management Layer.

Each layer is addressed by the following features, which reside within Foundry’s network equipment and within INM:

1. Element Layer – All of Foundry’s products support a robust set of features that allow network management systems to deliver FCAPS. These sets of features include Foundry’s IronShield Security and Foundry’s IronClad Network Traffic Accounting.

Foundry’s IronShield Security includes the following:
• Support for 4000 Wire-speed Access Control Lists (ACL), which includes the following:
— Standard ACL – Permits or denies packets based on an IP address, an IP subnet, or a range.
— Extended ACL – In addition to the standard access control list configuration, it permits or denies packets based on the following:
– Source/Destination host names
– Source/Destination TCP or UDP port (socket)
– Well known port numbers (0-1024)
• Secure Shell (SSH) and Secure Copy (SCP) with the following encryption:
— Arcfour
— IDEA
— Blowfish
— DES (56-bit) and Triple DES (168-bit)

Figure 11: INM Architecture

Service Mgmt. Layer (FCAPS columns):
  Fault: Fault Mgmt = Event Mgr + Event Email Tool + Network Object Mgr
  Configuration: Config Mgmt = Config Mgr + ACL Mgr + VLAN Mgr + Network Object Mgr
  Accounting: Accounting Services = Service Director + Network Object Mgr
  Performance: Performance Mgmt = Service Director + Network Object Mgr
  Security: Policy Verification = Service Director + Network Object Mgr

Network Mgmt. Layer:
  Web-based Applications: Network Discovery Manager, User and Role Manager, Configuration Manager, Network Object Manager, VLAN Manager, Access Control List Manager, Event Email Tool, Address Finder, Device Manager, Bandwidth Manager, and Service Director

Element Mgmt. Layer:
  IRONSHIELD SECURITY: Secure Copy, Secure Shell, Access Control Lists (up to 4096 ACL entries), AAA, Management VLAN, RADIUS, TACACS/TACACS+, and SNMPv3
  IRONCLAD NETWORK ACCOUNTING: SNMPv3, RMON (EtherStats, history, etherHistory, and alarm), NetFlow, and sFlow


• Security features that protect the network against Denial of Service such as TCP SYN and Smurf attacks, which help in eliminating unnecessary network downtime caused by malicious hacker attacks.
• Element security systems based on the following:
— Two-level password security system
— Username and Password security system
— RADIUS
— TACACS/TACACS+
— AAA (Authentication, Authorization, and Accounting)

Foundry’s IronClad Network Traffic accounting includes the following:
• Simple Network Management Protocol ver. 3
• RMON – I (EtherStats (1), history (2), etherHistory (3), and alarm (9))
• RFC-3176, which is supported within Foundry’s JetCore ASIC and available within Foundry’s FastIron Edge Family, FastIron family, BigIron family, and NetIron family.

2. Network Management Layer – The IronView Network Manager, which delivers the Network Management Layer, consists of the following:
• The INM Server – The INM Server comes with the following essential features:
— Supports all well-known operating systems, including Solaris 2.7 and above, Windows NT, 2000 (SP1 is required), and XP, HP-UX 11.0 and above, and Linux RedHat release 8.0 (kernel 2.4.18) and above.
— It is Java-based, built on Java Runtime Environment (JRE) 1.4, allowing any applications to be accessed via the web or any standard web-based browser.
— Includes a Sybase Database (iAnywhere Relational Database), allowing for any dynamic reporting using the Sybase per module.
— Supports HP OpenView and Aprisma network management systems.
• The INM Web-based Application – comes with the web-based applications, which have the following common features.
— Web-based, allowing for any standard browser to access any of INM’s applications from anywhere.
— Uses a revision control system, which tells “who made the change”, “what changes were made and the differences with previous configuration”, and “when was the change made”.
— Allows for partitioned access for any of the sub-applications within each INM application.

3. Service Management Layer – Combining any of INM’s applications enables Carriers to create “error-free” service flow processes for Network Operations to use when deploying network configurations for service provisioning.

In addition, Network Operations can employ INM’s applications to perform Fault, Performance, Accounting, and Security. For example, Network Operations can create a port group using the Device Manager and then allow the Service Director to create a Summary and Detail Report of traffic coming in and out of each port associated within the port group.
System Requirements
The IronView Network Manager software and documentation are shipped on a CD-ROM. In addition to a CD-ROM drive, your system needs to meet the following requirements to install and run IronView Network Manager. Table 1 shows the server requirements needed to successfully install INM.

Table 1: INM Server Requirements

| | Windows | Solaris | HP-UX | Linux |
|---|---|---|---|---|
| Minimum OS version | NT 4.0 Server (with Service Pack 6); 2000 Server (with Service Pack 2); Windows XP | 2.8 and above | 11/11i on both 32-bit and 64-bit systems | Linux RedHat release 8.0 with kernel 2.4.18 |
| Minimum CPU Speed | Pentium IV 1GHz | 800MHz | 800MHz | 800MHz |
| Minimum RAM Requirement | 512MB | 512MB | 512MB | 512MB |
| Minimum Disk Requirement [1] | 40GB | 40GB | 40GB | 40GB |

Table 2 shows the requirement for client browser, which is required to access any of INM’s web-based application.

Table 2: INM Client Requirements

| | Netscape | Internet Explorer | Java Plug-in |
|---|---|---|---|
| Supported Version | 6.2 and above | 5.5 and above | 1.4.1-01 or 1.4.1-02 |

IronView Network Manager release 1.6 is now available and supports IronWare release 7.6.03 and above.

[1] Enabling the Accounting sub-application within Service Director will require periodic database administration for data extraction of flows. It is recommended that disk space requirement be expanded up to 100GB.

Ordering Information
Table 3 shows the product information for ordering IronView Network Manager.

Table 3: INM Ordering Information

| Product Part Number | Product Description |
|---|---|
| IVIEW-NT | IronView Network Manager for Windows NT, Windows 2000, and Windows XP platform. This is a standalone user license, which allows for only one (1) concurrent user. |
| IVIEW-SOLARIS | IronView Network Manager for Sun’s Solaris platform. This is a standalone user license, which allows for only one (1) concurrent user. |
| IVIEW-LINUX | IronView Network Manager for Linux (RedHat) platform. This is a standalone user license, which allows for only one (1) concurrent user. |
| IVIEW-HPUX | IronView Network Manager for HPUX platform. This is a standalone user license, which allows for only one (1) concurrent user. |
| IVIEW-SW | IronView Network Manager yearly support fee. This entitles a customer to product upgrades, for major and minor “dot” releases, for one (1) year or 1 year after the date of purchase. |
| IVIEW-LIC | IronView Network Manager 5-user license, which allows 5 concurrent users (or 5 simultaneous users). |

Specifications subject to change without notice.

Foundry Networks, Inc.
Corporate Headquarters
2100 Gold Street
P.O. Box 649100
San Jose, CA 95164-9100

U.S. and Canada Toll-free: (888) TURBOLAN (887-2652)
Direct: (408) 586-1700
Fax: (408) 586-1900
info@foundrynet.com
www.foundrynetworks.com

Although Foundry has attempted to provide accurate information in these materials, Foundry assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Foundry. Please note that Foundry’s product information does not constitute or contain any guarantee, warranty or legal binding representation, unless expressly identified as such in duly signed writing.

© 2003 Foundry Networks, Inc. All Rights Reserved. Foundry Networks, EdgeIron, and the Foundry Logo are trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries. DS-013/Rev2/04-03
