S1
The S1 quick start guide provides guidance for initial deployment, verifying connectivity, and next steps to take after the appliance is connected to your network.
Introduction
This document is intended to help customers or partners with the initial configuration of a physical Vectra Sensor appliance. This is limited to basic network connectivity. This appliance can only be deployed in Sensor mode. Modes are discussed further in the deployment guide for your chosen UX. One of the below guides should be the starting point for your overall Vectra deployment:
Full details on firewall requirements for your entire Vectra deployment are available in those guides or in firewall requirements.
After you have completed the initial deployment of your Sensor following this guide, you can move on to paring your Sensor with your Brain appliance. Pairing for all Vectra appliances is covered in pairing appliances.
Guide for other appliances are located in NDR physical appliances and NDR virtual / cloud appliances.
Package Contents
1 S1 system
1 Wall mount bracket
1 Micro USB to USB-A cable for serial console access
1 External power supply unit
SFPs (matching details of your order)
See SFPs and QSFPs supported in Vectra appliances for options and additional detail.
Physical Connections
Please note that there are 2 fans in the system that pull air in the bottom of the unit and push it out the back and sides. Take care to not block the airflow to ensure proper cooling of the system.
Please see Port Option Settings for details on additional port configuration options to allow the SFP+ ports to be used for management and/or capture.
Physical Connections Added Guidance
For details on mounting options (desktop placement, wall mount, and rack mount option), please see Virtual Edge Platform (VEP) 1405 Series Technology Guide (Chassis mounting).
The 10 GbE SFP+ ports can be configured to support MGT1 and/or capture capability.
Please see Port Option Settings below for details on how to configure this and what the interface assignments would become after configuration. The diagram above only represents the default port options that the S1 appliance comes setup for.
There are additional USB ports on sides that are unused and can be ignored.
The S1 has a single 960 GB SSD drive.
Should it ever require replacement, please work with Vectra support.
If you will use USB serial console for initial configuration, please see the following external articles:
CP210x USB to UART Bridge VCP Drivers (if required for your application)
Minimum Connections Required
Any SFPs that were included in your order will be in the top cardboard tray above the appliance itself.
Power
The S1 has an external 65W power supply. Auto-sensing, 100-240 VAC, at 50 or 60 Hz.
MGT1 - RJ-45 ethernet (1 Gbps copper)
This is the port that will need to be configured with an IP address in your network for communication with your Vectra Brain.
Capture - RJ-45 ethernet (1 Gbps copper), or SFP+ depending on your port option settings.
At least one of the capture interfaces (ports) must be connected when you are ready to begin capturing traffic for analysis.
Performance
Sensor Mode
Sensor (Match) Mode
1 Gbps
400 Mbps
Definitions:
Sensor Mode – Bandwidth number shown refers to the amount of network traffic observed that the appliance can produce metadata for (capture bandwidth).
Sensor (Match) Mode – Performance as a Sensor with Match or Suspect Protocol Activity Detections enabled.
Please Note:
While considering performance for the Sensor it is important to understand that the traffic mix at customer sites varies widely. Some customers have traffic mixes that skew towards larger flows (think file transfers), and some will skew towards smaller flows (think DNS).
Performance may be higher when the traffic mix skews towards larger flows.
Performance will be lower when the traffic mix skews towards smaller flows as this produces more metadata for analysis.
The stated performance is for average traffic mixes and should not be considered absolute.
Port Option Settings
While the S1 appliance supports a maximum throughput of 1Gbps for traffic capture and analysis, some customers may not have 1 GbE cooper connections available for management or capture in the deployment location. The S1 supports reconfiguring the assignment of the interfaces shown in the diagram at the start of the Physical Connections section. This will allow the configuration of the SFP+ interfaces that are unused in the default configuration to be assigned to management (MGT1) and/or capture use.
This reconfiguration is accomplished by two commands that create a total of 4 different port mappings (4 total configurations including the default):
set managementCan be used to set the management port (MGT1) to SFP or default.
show managementWill show the configuration of SFP or default.
set captureCan be used to set SFP+ port(s) to be used for capture (SFP) or the default of unused.
show captureWill show the configuration of SFP or default.
Using any of the capture ports (SFP+ or copper) does not change the max performance supported by the S1 appliance. Even though the interface might support 10 Gbps, the max throughput of the appliance is lower than the line speed of the interface, and care should be taken to only send a supported amount of traffic to the capture ports to avoid incomplete analysis.
When configuring any of the options to change management or capture, other ports that are supported in the default configuration will change. The diagrams below will show the assignment of each port in each supported port option configuration.
To make any of the changes, you will first need to acces the CLI so that you can execute the commands.
Please see below the syntax for using these commands:
Example Usage:
Management Default, Capture Default
This is the default configuration of the appliance, and the interface assignments are shown in the diagram at the start of the Physical Connections section.
Management SFP, Capture Default
In this configuration, MGT1 is now the right SFP+ port. The port that was MGT1 in the default configuration is now assigned as eth4 and is unused.
Management Default, Capture SFP
In this configuration, both SFP+ ports are configured for capture, and are assigned eth3 and eth2 from left to right. The copper ports that were eth2 and eth3 in the default configuration are now assigned eth4 and eth5 from top to bottom and are unused.
Management SFP, Capture SFP
In this configuration, MGT1 is the right SFP+ port, the left SFP+ port is assigned to eth3 and is configured for capture. The port that was eth3 in the default configuration is now assigned to eth5 and is unused. The port that was MGT1 in the default configuration is now assigned to eth4 and is unused.
Performance
Sensor Mode
Sensor (Match) Mode
1 Gbps
400 Mbps
Please Note:
Even though there are multiple capture ports on the S1 appliance and you can configure the Port Option Settings to allow the SFP+ ports to be used for capture, any combination of capture interfaces used still have the above limitations for the overall performance for the S1 appliance. Care should be taken to only send a supported amount of traffic to the capture ports to avoid incomplete analysis.
Definitions:
Sensor Mode – Bandwidth number shown refers to the amount of network traffic observed that the appliance can produce metadata for (capture bandwidth).
Sensor (Match) Mode – Performance as a Sensor with Match or Suspect Protocol Activity Detections enabled.
Accessing the CLI
The Command Line Interface (CLI) of a physical Vectra appliance is accessible in multiple ways. All appliances will not always have all methods available. See physical connections to see the options available for your specific model.
KVM or “crash cart”
Direct connection to "Support" (MGT2) port
iDRAC/IPMI - not all appliance types will have iDRAC/IPMI
MGT1 port once configured
Serial console - only supported officially on S1, S2 (EOL), X29/M29, and the X80 (EOL) appliances.
Once you have connected to the CLI login prompt on the appliance, use the default credentials to login.
Username:
vectraand password:changethispasswordPlease change the password immediately after logging in using the
set passwordcommand.
KVM or “crash cart”
If your appliance has USB and VGA ports, a KVM (Keyboard, Video, Mouse) switch or “crash cart” can be used to connect to the appliance console.
Direct Connection to "Support" (MGT2) Port
A direct connection to the MGT2 port on your appliance.
If you can physically connect to your MGT2 port, then you can direct connect to the MGT2 port via SSH to do the initial configuration.
The appliance MGT2 port is factory configured with a 169.254.0.10/16 (255.255.0.0) address.
Configure your host’s IP to 169.254.0.11 with subnet mask of 255.255.0.0.
Use SSH to connect to the appliance from your host using the default credentials from above.
iDRAC/IPMI
If your appliance has a built in Dell iDRAC / IPMI interface you can access the CLI through it.
Vectra strongly recommends that customers configure iDRAC / IPMI access permanently for all platforms supporting this interface.
Benefits:
Easier access in case of network connectivity issues or DHCP mishaps.
Simpler remote IP address changes.
Reduced resolution time during Vectra support engagements requiring console access.
Please expand for iDRAC/IPMI configuration details:
The default username / password for iDRAC/IPMI is vectra / changethispassword.
To access the interface, point your web browser to http://your_iDRAC_IP
Initially, your iDRAC interface will default to DHCP.
At the login screen enter your credentials:
Click on the Virtual Console:
And you will be presented with a login prompt for the CLI:
To set a static IP for iDRAC you must 1st be logged in to the CLI of the Sensor as the vectra user:
Serial Console
Serial console is only supported on S1, S2 (EOL), X29/M29, and X80 (EOL) appliances.
If supported on your appliance model, the serial settings should be 115,200, 8, N, 1
115,200 baud data rate
8 data bits
No parity bit
1 stop bit
Do not enable flow control
Initial Network Configuration
DHCP
The appliance can obtain its network configuration from a DHCP server in your network. The MGT1 port functions as a DHCP client by default.
Connect the management port (MGT1) of the appliance to the network switch.
Find the IP address that was assigned to MGT1 from your DHCP server logs.
You can also find the IP address at the CLI of your appliance if you can access it another way .
Use the
show interfacecommand to display the address that was assigned to MGT1 via DHCP once you are logged onto the appliance.See Accessing the Command Line Interface (CLI) of the Appliance above for instructions on how to log on).
Static Addressing
Configuration Checklist for Static Addressing
Below is a list of information needed for the initial configuration:
IP address to be used for the MGT1 interface
Default gateway IP address
DNS nameserver IP addresses
DNS servers for the Sensor must be configured at the CLI if you are not using DHCP. This cannot be done in your Brain.
Setting a Static MGT1 IP Address
Once logged in to the appliance you can view the syntax for the "set interface" command:
Setting the IP address example:
IPv6 Support:
IPv6 is supported for the MGT1 and MGT2 interfaces. For full details, including information regarding dual stack support, please IPv6 Management Support for Vectra Appliances on the Vectra support portal. Below we will show how to enable IPv6 support (its off by default) and the syntax to use when setting an IPv6 address.
To enable/disable IPv6 support:
Setting IPv4 and IPv6 syntax examples:
Execute the following command to set the MGT1 or MGT2 (a gateway address cannot be configured for MGT2, the gateway on MGT1 will be used) interface to the desired static IP address:
Configuring DNS for the appliance:
Command syntax to set DNS (up to 3 nameservers are supported):
Configuring DNS Example:
Verifying DNS Configuration:
Verifying your Connectivity:
Once you have configured an IP statically or via DHCP you can verify connectivity by pinging known IPs in your environment from the CLI with the debug ping command.
If your Sensor is already configured with an IP, it is recommended to ping the Brain IP to verify reachability before attempting pairing. Sensors must have port 22 and 443 open from the Sensor to your Brain for successful pairing and ongoing communication. Connectivity can be tested with the debug connectivity command.
For more detail, please see Checking brain or sensor network connectivity.
Example:
Next Steps
Brain and Sensor Communications Requirements
A Sensor (or Stream appliance) can pair with any Vectra Brain type. For example, the Brain can be a physical appliance, a Brain deployed in a IaaS cloud, or a Brain deployed in a traditional hypervisor environment on customer premises.
Sensors must be able to reach the Brain over the below ports. It is recommended to enable these ports bidirectionally to aid in troubleshooting.
TCP/443 (HTTPS) - Used for Sensor discovery and initial pairing connection.
TCP/22 (SSH) - Used for Paired Sensor connections.
Additionally, for online pairing (physical Sensors only), both the Sensor and Brain must be able to communicate with:
update2.vectranetworks.com or 54.200.156.238 over TCP/443 (HTTPS)
Please work with your security and networking contacts to ensure that the Sensor will be able to initiate a connection to the Brain. Sensors only communicate with the Vectra Brain and do not need to communicate to Vectra directly. Software updates for the Sensor will come from the Brain.
For full details on all potential firewall requirements in Vectra deployments, please see firewall requirements.
Pairing the Sensor to the Brain
After base configuration, it is suggested to pair your Sensor with your Brain appliance.
Pairing appliances covers pairing of all physical Vectra appliances.
Traffic Capture Guidance
If capture ports are connected before pairing is completed, the Sensor will not buffer any traffic.
Simply point the traffic to be captured to your Sensor capture interfaces (ports). The Sensor will begin creating a metadata stream that will be analyzed by your Brain appliance. Sensors also have a rolling capture buffer that the Brain will request PCAPs from. The PCAPs will be attached as evidence with network detections as they are created.
Additionally, Vectra packet capture allows users to configure PCAPs to be downloaded from the Brain for analysis with 3rd party tools such as Wireshark.
Guidance:
See physical connections for the interfaces supported for capture use.
Out of band deployment is the only supported method of traffic capture.
There is no inline mode for currently supported Vectra Sensor appliances.
Traffic is typically forwarded to the Sensor via SPAN/COPY/MIRROR, traditional network TAPs, or 3rd party packet brokers.
Capture ports do not get assigned IP addresses.
The
show traffic statscommand, available at the Sensor’s CLI, may be useful to see if your traffic capture is successful before you can see the traffic graphs in your Brain’s GUI.See Traffic Graph showing no traffic (0 Mbps) for more details.
See Vectra NDR (Detect) and Network Identity Architecture Overview for architecture guidance.
See Vectra Platform Network Traffic Recommendations for what to capture.
See Asymmetry concerns in Vectra sensor feeds for guidance around asymmetric flows.
See Traffic Validation (ENTV) for details on validating your traffic quality.
If required, Sensors can be configued to not allow PCAP creation when there are regulatory or privacy concerns. Navigate to Configuration → COVERAGE → Data Sources → Network → Sensors in your Vectra UI and edit the desired Sensor. Ensure the checkbox shown below is checked for Sensors you do not wish to perform any PCAP functions and then save your Sensor configuration:
Worldwide Support Contact Information
Support portal: https://support.vectra.ai
Email: [email protected] (preferred contact method)
Additional information: https://www.vectra.ai/support
Last updated
Was this helpful?