
ACTE Technical Training

Student Guide
Level 1
Document Version 4.1
2012

ACTE Training
Table of Contents

1. Introduction
2. Introducing In-Line Platforms
3. Introducing NetXplorer
4. Monitoring and Reporting
5. Condition Catalogs
6. Action Catalogs
7. Building the Enforcement Policy
8. Events and Alarms
9. Steering and Mirroring
10. Basic System Troubleshooting

Module 1
Introduction


In this introductory module, we will begin with an overview of DART, the
technology that lies at the core of Allot's solutions. We will then discuss
the needs of different types of customers and review the different use
cases Allot has to offer. We end this introductory module by introducing
some key terms together with Allot's NetXplorer solution architecture.

Introduction

1-2


Allot Communications is a leading provider of intelligent IP service
optimization and revenue generation solutions for fixed and mobile service
providers and high-end enterprises.
Without Allot's intelligent solutions, networks are typically uncontrolled and
effectively invisible. Allot provides visibility into these networks at an
application, subscriber, and device level, and then acts on this visibility to
deliver quality of experience (QoE), contain costs and maximize revenue,
as well as enabling operators to personalize their service offering.


Allot's rich portfolio of solutions transforms broadband pipes into smart
networks that can rapidly and efficiently deploy value-added Internet
services for both the network and the subscriber.
Allot's scalable, carrier-grade solutions provide the visibility, network
topology awareness, security, application control and subscriber
management that are vital to managing Internet service delivery,
enhancing user experience, containing operating costs, and maximizing
revenue in broadband networks.
In this particular example, intelligent application-aware pipes enable a
service provider to offer different grades of service. Alternatively,
subscriber-aware pipes enable the service provider to personalize its
offering.
There are many other ways to use Allot's smart pipes to optimize network
bandwidth, generate revenues and personalize services, as we will see in
the next few slides.


At the core of Allot's expertise is a technology called Dynamic Actionable
Recognition Technology (DART). DART integrates Allot's vast expertise
in IP traffic identification and policy enforcement into a highly effective
technology toolkit for managing bandwidth consumption and service
performance in mobile and fixed broadband networks.
Dynamic refers to the ability of the system to constantly learn the network
behavior, based on both behavioral and statistical techniques.
Recognition refers to Allot's Deep Packet Inspection capabilities, which
provide enhanced network awareness at different levels: application,
subscriber, device and topology.
Actionable refers to the different types of action one can choose to apply
to a traffic flow once it has been recognized. These actions will most
typically be to assign Quality of Service (QoS) or to steer traffic to a
network or subscriber service.


DART employs multiple inspection and analytical methods to identify
specific applications. From straightforward Layer-7 monitoring of individual
traffic flows, to complex analysis of application behavior, this synergy of
inspection methods greatly improves recognition capabilities and reduces
unidentified traffic even at maximum speeds and peak loads. Through
proactive learning, DART is able to adapt to changing tactics as
applications attempt to evade detection through encryption or by altering
their connection behavior or flow patterns. Frequent and ongoing updates
to Allot's extensive signature library are designed to keep pace with
developments and advances in Internet applications.
Let's consider the positioning of Allot devices among other categories of
devices in the industry. Switches and routers are essentially situated at L2
and L3. Typically, they look at the source and destination address of a
packet, plus other easily-accessible information such as the ToS field.
Such equipment answers the question "where do I send this packet?".
However, if we sit at L4 and even higher at L7, as Allot's DART-driven
devices do, we first address the question "what is actually being sent
here?". And given the complexity of current P2P applications, and all the
tricky mechanisms they use to hide themselves, the real question that Allot
addresses is "am I really sure this traffic is what it appears to be? And if
not, what is it in reality?". The purpose and the technical challenge of a
DART engine is to answer this question with the highest possible
accuracy.


DART offers network providers the following solutions:
Reporting & Analytics: Accurate and meaningful network business
intelligence for key decision-makers. Allot distills the real-time monitoring
data into a full complement of performance and activity metrics that allow
you to understand network usage and subscriber behavior at very granular
levels and to correlate that information with data from other network
systems. For example, operators can now make informed decisions to roll
out new service plans based on concrete data about subscriber usage
patterns.
Traffic Management: Operators can regulate bandwidth consumption and
service delivery based on network conditions, subscriber profiles and
desired outcomes. Armed with the data retrieved from reports, operators
can pinpoint areas for capacity cost control and can implement dynamic
Quality of Service (QoS) policies.
Policy Control & Charging: Enables you to embrace more personalized
service plans and charging models as you anticipate and satisfy the
requirements of your increasingly sophisticated subscribers.
Service Enablement: Operators can leverage Allot's solutions to deploy
value-added services that go above and beyond high-speed connections
to the Internet. For example, they may wish to direct relevant subscriber
application traffic to media caching, video optimization and other services
(subscriber services), or to improve the overall efficiency of the network,
cut costs and reduce threats (network services). Services may be hosted
within the platform or deployed externally.


Let's see now a selection of real network use cases that leverage the power and
innovation of Allot's technology and products:
Cut Costs by deploying Network Services:
Fair Use Management: ensures fair and consistent QoE for all subscribers.
Video Caching & Optimization: steer video traffic to a caching / optimization
device to reduce bandwidth costs at the peering point.
DDoS Mitigation & Blacklist Avoidance: protection against attacks on network
elements and outgoing attacks launched from within the network, which without
proper mitigation can lead to subscriber domains being blacklisted.
Generate Revenues by deploying Subscriber Services:
Service Tiering: tailor different service plans for subscriber groups.
Bill Shock Prevention: notify subscribers of data session costs in real time.
Happy Hour: reduce network congestion and improve overall QoE by
encouraging usage and applying different QoS at different times of day.
Volume Charging (Quota): offer a choice of differently priced quota packages,
and meter the bandwidth consumed by each subscriber.
Application-Based Charging: classification of traffic on the basis of application
type to allow personalized and tailored packages.
Turbo Boost: allow subscribers to temporarily boost their service plans.
Each use case can be implemented to cut costs as well as to generate revenues. For
example, Happy Hour can reduce traffic load during peak hours, as well as
generate revenues from customers subscribing to the Happy Hour package. The
operator can choose exactly how to implement each use case.


In this section, we will examine the needs of the customers in more detail
and review a few of the use cases which you can offer to your subscribers
using Allot technology.


Before being introduced to Allot solutions, typical service provider
customers have minimal visibility on their network. Subscribers complain
of poor quality of experience, as the network is constantly clogged up with
bandwidth-hungry peer-to-peer applications and streaming video. Every
time the network is expanded to free up more bandwidth, costs increase,
and the congestion is quick to return. With internet access fast becoming a
commodity, pricing is flat and access based, and revenue growth declines.
The solutions for service providers which you will encounter in this training
course give them insight at an application level, a subscriber level, a
device level and a topology level. Applications can be controlled to free up
bandwidth on the existing infrastructure and enhance quality of experience
for subscribers. Furthermore, providers can add unique, differentiated
service plans to their customer offering, which increases revenues through
new tiered pricing systems.


Before being introduced to Allot solutions, typical enterprise customers
also have minimal visibility on their network. The network is congested and
users are complaining of poor quality of experience. The IT manager has
few tools at his disposal to properly analyze the cause of this congestion
and to mitigate it. Each time more bandwidth is purchased, it is quickly
used up. The constant and growing threat of denial of service attacks only
adds to the IT manager's headache.
The solutions for enterprises which you will encounter in this training
course give the IT manager the visibility he or she needs to understand
the reasons for network congestion and to act accordingly. By intelligent
allocation of bandwidth, the IT manager can ensure that mission-critical
applications are protected and employee productivity is maintained.
Furthermore, rapid detection of abnormal network behavior enables a
quicker and more informed reaction to network attacks.


Throughout this ACTE training course, we will be encountering several key
terms. In this section, we define these key terms, so that their meaning will
be clear from the outset.


In order to control the network traffic, we must first of all classify it. Allot's
traffic management solutions are based on a clear classification hierarchy.
The first level of classification is the line. Multiple lines can be defined, and
each line is divided into several pipes. Each pipe is further divided into
virtual channels, which we will refer to from now on as VCs.
The user can define any number of Lines, Pipes or VCs up to the
maximum allowed by his license, and all traffic is classified into a Line, a
Pipe and a VC. For each Line, Pipe and VC that you create, you may
define a rule.


Here we see an example of how the structure of lines, pipes and VCs
serves the needs of a service provider. This particular service provider has
chosen to use three levels of hierarchy. Its aims are to guarantee a quality
of experience for each of its subscriber types, and to control the heavy
traffic generated by peer to peer applications.
At the line level it divides its traffic between domestic users and business
users. Each line is divided between two pipes, based on the importance of
the business subscriber or the location of the domestic subscriber. Virtual
Channels are then used to distinguish between different applications.


Here we see a second example, this time from an enterprise customer
using 2 levels of hierarchy. In this case, the enterprise classifies traffic to
and from its different branch offices into pipes. VCs are used for the
different applications.


A traffic policy is made up of a series of Rules.
In order to create rules, we use predefined conditions and actions that
have been stored in catalogs. Catalogs can therefore be seen as the
building blocks of rules. There are several different types of catalog: host
or service catalogs, for example, are used for conditions, while the quality
of service catalog is used as an action. The ToS catalog can be used to
define both conditions and actions.
A rule consists of one or more conditions plus one or more actions.
The catalog entries that you define can be global. This means that the
same catalog entries can be used in the definition of different pipe or
virtual channel rules.
We will examine how to create condition and action catalog entries in
modules 5 and 6 respectively.
The different rules are created in the policy table in the NetXplorer User
Interface and are organized in a hierarchy. Together, these different rules
form what is known as a policy.
In module 7, we will show how to build a traffic policy.


Here we see an example that illustrates how to create a rule. The first step
is to define catalog entries. These catalog entries will serve as either
conditions or actions, and they are centrally defined so that they can be
used and re-used to create any number of different rules.
We then take the conditions and actions that have been defined, and put
them together to create rules.
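To make the Line / Pipe / VC hierarchy and the catalog-to-rule workflow of the last few slides concrete, here is a small Python model written for this guide. It is an added example, not Allot code: the flow fields, the host and service catalog helpers, the first-match ordering at each level and the way QoS limits along the path are combined are all assumptions made for illustration, and the subnets and application names are constructed. The policy it builds mirrors the service-provider example above (lines by customer type, pipes by location or importance, VCs by application), and each level ends with a default rule, as the NetXplorer policy table does.

```python
"""Toy model of the Line -> Pipe -> VC classification hierarchy and of
rules built from reusable catalog entries (added example, not Allot code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
import ipaddress


@dataclass(frozen=True)
class Flow:
    """A recognised traffic flow; the fields are assumptions for the example."""
    src_ip: str
    dst_ip: str
    app: str  # application as the classifier would name it, e.g. "bittorrent"


Condition = Callable[[Flow], bool]


# --- Condition catalog entries (host catalog, service catalog) -------------
def host_in(*cidrs: str) -> Condition:
    """Host catalog entry: either endpoint lies inside one of the subnets."""
    nets = [ipaddress.ip_network(c) for c in cidrs]

    def cond(f: Flow) -> bool:
        ends = (ipaddress.ip_address(f.src_ip), ipaddress.ip_address(f.dst_ip))
        return any(e in n for e in ends for n in nets)
    return cond


def service(*apps: str) -> Condition:
    """Service catalog entry: the flow belongs to one of the named applications."""
    return lambda f: f.app in apps


def any_flow(f: Flow) -> bool:
    """Catch-all condition used by the default rule at each level."""
    return True


# --- Action catalog entry (QoS catalog) ------------------------------------
@dataclass(frozen=True)
class QoS:
    name: str
    max_kbps: Optional[int] = None  # limit throughput
    guaranteed_kbps: int = 0        # guarantee throughput
    priority: int = 4               # 1 = highest


# --- Rule: one or more conditions plus an action; children form the hierarchy
@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    action: QoS
    children: List["Rule"] = field(default_factory=list)

    def matches(self, f: Flow) -> bool:
        return all(c(f) for c in self.conditions)


def classify(f: Flow, lines: List[Rule]):
    """Walk Line -> Pipe -> VC; the first matching rule at each level wins
    (assumed ordering). Returns the rule path and the actions collected."""
    path, actions, level = [], [], lines
    while level:
        rule = next(r for r in level if r.matches(f))  # default rule guarantees a hit
        path.append(rule.name)
        actions.append(rule.action)
        level = rule.children
    return path, actions


def effective_limit_kbps(actions: List[QoS]) -> Optional[int]:
    """Assumed combination rule: the tightest limit on the path applies."""
    limits = [a.max_kbps for a in actions if a.max_kbps is not None]
    return min(limits) if limits else None


# Catalog entries are defined once and reused in several rules.
DEFAULT = QoS("default")
P2P_CAP = QoS("p2p-cap", max_kbps=512, priority=7)
VOIP = QoS("voip", guaranteed_kbps=128, priority=1)
P2P = service("bittorrent", "edonkey")
VOICE = service("sip", "rtp")


def default_pipe() -> Rule:
    return Rule("Default Pipe", [any_flow], DEFAULT,
                [Rule("Default VC", [any_flow], DEFAULT)])


# Constructed policy: lines by customer type, pipes by location/importance,
# VCs by application; subnets are made up for the example.
POLICY = [
    Rule("Domestic", [host_in("10.0.0.0/8")], QoS("domestic-line", max_kbps=200_000), [
        Rule("North", [host_in("10.1.0.0/16")], QoS("north-pipe", max_kbps=50_000), [
            Rule("P2P", [P2P], P2P_CAP),
            Rule("Default VC", [any_flow], DEFAULT),
        ]),
        default_pipe(),
    ]),
    Rule("Business", [host_in("172.16.0.0/12")], QoS("business-line", max_kbps=500_000), [
        Rule("Gold", [host_in("172.16.0.0/16")], QoS("gold-pipe", guaranteed_kbps=20_000), [
            Rule("VoIP", [VOICE], VOIP),
            Rule("Default VC", [any_flow], DEFAULT),
        ]),
        default_pipe(),
    ]),
    Rule("Fallback", [any_flow], DEFAULT, [default_pipe()]),
]


if __name__ == "__main__":
    for flow in (Flow("10.1.7.7", "203.0.113.5", "bittorrent"),
                 Flow("172.16.3.3", "198.51.100.9", "sip"),
                 Flow("192.0.2.1", "198.51.100.9", "http")):
        path, actions = classify(flow, POLICY)
        print(flow.app, "->", " / ".join(path), "limit:", effective_limit_kbps(actions))
```

Running the block shows a domestic BitTorrent flow landing in Domestic / North / P2P with the 512 kbps cap, a business SIP flow in Business / Gold / VoIP with the top priority, and an unclassified flow falling through to the default rules at every level.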


Here you can see the enforcement policy table in the NetXplorer with the
default line, pipe and VC rules.


In this final section, we will introduce the basic architecture of the
NetXplorer managed solution.


This is the basic core architecture of the Allot solution. The architecture
consists of three layers:
The DART layer: there can be several NetEnforcer or Service Gateway
devices that implement the network management policies and collect
network usage data directly from the physical lines.
The Server Layer: this incorporates the actual NetXplorer application,
including the databases. Managing and communicating with the different
clients that access the system, it facilitates NetEnforcer or Service
Gateway configuration, policy provisioning, alarms, monitoring and
reporting. The NetXplorer also includes an integrated data collector that
streamlines the required collection of data from the managed in-line
platforms.
The User Interface Layer: the user interface can be installed on any
computer on the network that can connect to the NetXplorer server, and
allows NetXplorer users full access to NetXplorer functionality.
An additional element, the distributed short term collector, is optional
(mandatory when using Service Gateways) and enables more NetEnforcer
devices to be supported by a single NetXplorer server.
This element is discussed in full in the advanced ACPP training course.


In addition to the core functionality described in the previous slide, Allot offers
subscriber-aware solutions. Here is a basic representation of the
architecture required to make the solution subscriber aware:
The Subscriber Management Platform (SMP) dynamically maps
allocated IP addresses to the individual subscribers using them. This
information can then be used to create tiered subscriber service plans and
to provision different Quality of Service (QoS) policies for each
subscriber group. It is also possible to configure quota-based service
plans that allow providers to meter and control individual use of
applications and services. The SMP can also serve as a PCEF (Policy and
Charging Enforcement Function) in 3GPP mobile networks.
This element is discussed in full in the advanced SMP training course.


In addition to the core functionality described in the previous slides, Allot offers
many value-added services at both the network level and the subscriber
level. Let's review some of them:
Service Protector is an attack detection and mitigation service that
protects commercial networks against Denial of Service (DoS/DDoS)
attacks, zero-day attacks, worms, zombies and spambot behavior. It
consists of the controller (SP-C), which is the management server, and the
sensor (SP-S), which reads mirrored traffic from the physical line itself
and is normally embedded in the in-line platform.
This element is discussed in full in the advanced CSPA training course.
Media Swift (MSW) is an intelligent media caching and acceleration
service that significantly enhances the user experience and dramatically
reduces the operational costs associated with delivery of over-the-top video
applications, HTTP file downloads and P2P traffic.
This element is discussed in full in the advanced CMSA training course.


Fill the gaps


Match the architecture layer with the component parts


Module 2
Introducing In-Line
Platforms


In this module, we will introduce you to the Allot In-Line Platforms: the
NetEnforcer and Service Gateway families. By the end of this module,
you will:
Be familiar with the main functions of the NetEnforcer and Service
Gateway
Know how to differentiate between the different NetEnforcer and
Service Gateway models and how to decide which model is suitable for
which case
Understand the factors to take into consideration when deciding where
in a network to place the products
Know how to connect the product to its bypass unit (where relevant)
and to the network
Be able to perform initial and advanced configuration

Introducing Allot In-Line Platforms

2-2


What is the NetEnforcer? The NetEnforcer is an in-line platform which
collects traffic statistics and can implement quality of service on a network
per application and per subscriber.
Traffic statistics are collected in order to provide both real-time and
long-term data about the network. Real-time monitoring information enables
the customer to know exactly what is happening on the network at any
given moment. It provides the customer with a tool for troubleshooting the
network should any unexplained delays be experienced. The NetEnforcer
also provides long-term data about the network. Customers can use this
data to generate long-term usage reports to gain a detailed insight into
usage patterns and trends. This data can also be exported to other
databases and billing applications, extending the benefits of the
information provided.
As well as collecting detailed information about the traffic passing through
it, the NetEnforcer can also shape that traffic, applying quality of service
parameters which have been pre-defined by the user. The methods of
implementing quality of service are varied and include guaranteeing
and limiting throughput, as well as prioritizing between different types of
traffic. These and other methods will be discussed in detail later on.


What is the Service Gateway? Based on Allot's DART engine, the Service
Gateway platform is used for enhanced service optimization and service
deployment. In addition to the features of the NetEnforcer described
earlier, (the ability to collect network and subscriber statistics and shape
network and subscriber traffic), the Service Gateway is used by service
providers to deploy new services for the network as a whole and for
subscribers who have signed up to them. Application and subscriber
information within the Service Gateway are identified for each traffic flow
and the flows are subsequently dispatched to an array of additional
services and actions using a single process. The Service Gateway is a
powerful solution to optimize, monetize and personalize fixed/mobile
broadband services.


Here we can see the different performance levels offered by Allot in-line
platforms, starting at 400Mbps with the NetEnforcer AC-500 and reaching
up to 160Gbps with a fully populated SG-Sigma E14. We will examine
each series in detail.
Each in-line platform runs a version of the Allot Operating System (AOS)
software.


Before we start reviewing each series, let's review some basic
terminology.
Each physical link on the NetEnforcer or Service Gateway is represented
by two ports, one labeled internal and the other external. You will see that
the different models of the in-line platforms support a different number of
physical links.
The NetEnforcer or Service Gateway can view all of the traffic passing
through it as one entity, irrespective of the number of physical links on the
unit and irrespective of the specific port through which the network traffic
enters and leaves the unit.
If required, the in-line platform can classify traffic by one or more physical
interfaces. This is done by using the interface catalog, which we will
review in Module 05: Condition Catalogs.
In every model, a single management link serves for the management of
all of the traffic flowing through the in-line platform.


The Bypass module is a mission-critical subsystem designed to ensure
network connectivity at all times. The Bypass mechanism provides
"connectivity insurance" in the event of a NetEnforcer or Service Gateway
subsystem failure.
While the NetEnforcers in the AC-500 series come with built-in bypass
support, all other products require an external bypass unit, and it is a
compulsory part of the product installation. For the Service Gateway it is
possible to have the Bypass module as an internal blade or as an external
unit.
The Bypass module is connected to the in-line platform by a series of
leads and cables.
When the in-line platform is powered on, it validates that it is connected to
a bypass. If you attempt to power on an in-line platform that is not
connected to a Bypass, boot will fail.
The SYSTEM LED on the NetEnforcer will light up when the NetEnforcer
is in active mode, and will be extinguished when the NetEnforcer goes into
bypass mode. For the Service Gateway, each blade has an Out of Service
LED to indicate when the blade is in bypass mode.


Here we see examples of the multiport copper and fiber bypass units.
Each bypass unit has 4 pairs of connectors (internal and external) which
are connected to the network.
For each pair of connectors to the network, there is also a pair of
connectors labeled "To NetEnforcer", which are connected to the
NetEnforcer (or Service Gateway).
In addition, each bypass unit has a primary connector for connection to
the NetEnforcer backup port, and a secondary connector which is
used in some of the redundant configurations discussed later in this
module.
The Allot bypass works as a passive bypass. This means it does not consume
power on its own, and will allow traffic to pass through in the event of a power
outage on the in-line platform.


We will now focus on the NetEnforcer platform. Let's examine its
features, models and functionality.


The Allot NetEnforcer Series comes with speed ranges between 10Mbps
(the entry level of bandwidth control for an AC-500) up to 8Gbps (the
maximum bandwidth control of an AC-3040). There are three different
NetEnforcer product series:
The AC-500 series of entry level management devices are especially
suitable for small to medium enterprises. Different levels of bandwidth
control can be ordered up to a maximum of 400 Mbps. Each product in the
series can support up to 256,000 connections, 256 lines, 4,096 Pipes and
32,768 VCs.
The AC-1400 series of bandwidth management devices are particularly
suited to medium and large enterprises. The maximum bandwidth control
that can be ordered is 2Gbps.
The AC-3000 series of bandwidth management devices are suited to
medium and large enterprises and small broadband service providers. The
maximum bandwidth control is 8 Gbps. Both the AC-1400 and AC-3000
series products support up to 2 million connections. The products come by
default with support for a full policy of up to 256 lines, 40,000 Pipes and
80,000 VCs.


The AC-500 offers high-end bandwidth management on a small-scale
platform. It is targeted at enterprise networks, universities, satellite
environments and small service providers.
The AC-500 series consists of the AC-502, which has a single physical link
to the network, and the AC-504 with two physical links.
Different levels of bandwidth control can be ordered on both units up to a
maximum of 200 Mbps full duplex (400 Mbps in total).
The AC-500 is a 1U 19" rack-mountable product.
Unlike the other NetEnforcers, the AC-500 series products are available
only with copper interfaces. The network interfaces are
10/100/1000BaseT. The AC-500 supports only copper cables.
Additional ports are available for active redundancy. This configuration is
covered in the last section of this module.
Note also that the AC-500 series products can only be ordered with an AC
power supply. Their other main distinguishing feature is a built-in bypass
unit. This will be discussed later.


Here we see the front view of the AC-502. Let's examine the front panel
from left to right.
On the left side, we see two LEDs: system and PS. The system LED
shows the current status of the system (steady green: functioning
normally; steady red: error; off: bypass mode), while the PS LEDs show
the status of the two power supplies (steady green: functioning normally;
steady red: not providing power; off: malfunction).
Next to the LEDs is the console port and the 10/100/1000BaseT
management port. Next to that are the 2 copper interfaces of the
redundancy ports, followed by the 2 network ports (one internal and
one external). The bypass D-type connector on the far right side of the
front panel is not in use.
The AC-504 has 2 additional redundancy ports and 2 more network links.
Otherwise its front panel is identical to the AC-502 we see here.


The AC-1440 and AC-3040 are similar products: both have 8 network
ports for support of up to 4 physical links to the network. They also both
include an additional 4 copper ports which may be used when steering
traffic to external services or when connecting to an additional NetEnforcer
in a redundant configuration.
The main feature that distinguishes the two products is the
different maximum throughput and the levels of QoS enforcement that are
supported. The AC-1440 supports up to 2Gbps, meaning 1Gbps full
duplex, with QoS enforcement steps of 45Mbps, 100Mbps, 200Mbps,
400Mbps and 1Gbps. The AC-3000 supports up to 8Gbps, meaning
4Gbps full duplex, with QoS enforcement steps of 1, 2 or 4Gbps.
Both of the products in the series can support up to 2,000,000 connections
(4,000,000 flows) and a total of 256 lines, 40,000 Pipes and 80,000 VCs.
The 8 network interfaces can be 10/100/1000Base-T copper
(auto-negotiation) or 1000Base-SX/LX/ZX.
The 4 extra service interfaces are 10/100/1000Base-T copper only.


Here we see the front view of the AC-3040, which is virtually identical to
the front view of the AC-1440. Let's examine the front panel from left to
right.
On the left side, we see three LEDs: system, PS-1 and PS-2. The
system LED shows the current status of the system (steady green:
functioning normally; steady red: error; off: bypass mode), while the PS
LEDs show the status of the two power supplies (steady green:
functioning normally; steady red: not providing power; off: malfunction).
Next to the LEDs is the console port and the 10/100/1000BaseT
management port. Next to that are the 4 copper interfaces of the service
ports, followed by the 8 network interfaces. The bypass D-type connector
on the far right side of the front panel is used to connect the NetEnforcer
to its bypass unit.


The Service Gateway is a separate Allot product line; let's now
examine the Service Gateway, its features and functionality.


The Allot Service Gateway Series is a carrier-grade, highly scalable
platform for enhanced broadband service optimization based on Allot's
DART technology.
Using the Advanced TCA (ATCA) standard 14-slot chassis, the SG-Sigma
series offers a throughput of up to 60 Gbps. It can support up to 20 million
connections and a policy with up to 512 lines, 500,000 pipes and
1,000,000 VCs, when fully populated with 4 CC-200 blades.
The SG-Sigma E offers extreme performance values and comes in two
models:
SG-Sigma E6, using an ATCA standard 6-slot chassis, offers up to 64
Gbps, up to 20 million connections and a policy with up to 512 lines,
400,000 pipes and 800,000 VCs, when fully populated with 4 CC-300
blades.
SG-Sigma E14, using an ATCA 14-slot chassis, offers up to 160Gbps, up
to 50 million connections and a policy with up to 512 lines, 1,000,000
pipes and 2,000,000 VCs, when fully populated with 10 CC-300 blades.
The maximum values supported depend on the number of Core
Controller blades deployed in each platform. The CC-200, used in the
SG-Sigma, supports 15Gbps. The CC-300, used in the SG-Sigma E, supports
16Gbps. Both types of blade support 5 million connections and a policy
with 512 lines, 125,000 pipes and 250,000 VCs.


Here we see a close-up view of the SG-Sigma chassis. The particular
chassis on view is a fully populated 60Gbps SG-Sigma. The standard
ATCA chassis has 14 slots numbered from left to right.
Each of the blades can be seen here: the SGSV-100 (the server blade),
the CC-200 (Core Controller blades), the SFC-200 (Switch Fabric
Controller blades) and the FB-200 (Flow Balancer blades). We can also
see the BP-204 (internal bypass blade), although it is possible to order the
unit with an external bypass unit instead.
The Shelf Management Controller (SMC) is in the bottom left side of the
chassis, while the Shelf Alarm Display (SAD) and Shelf Alarm Panel (SAP)
are at the top. Now let's examine the role of each of the blades in turn.


Here are the different blades used in the SG-Sigma and their main functionalities.
The SGSV-100 is the server blade, responsible for application management of
the chassis. Statistics from each of the CC-200 blades are aggregated on the
SGSV-100 blade, and it is on this blade that administration of the chassis is
performed.
The CC-200, a double-slot blade, is the core controller. It is here that DART
processes are applied to the traffic passing through the network. When the
SG-Sigma is deployed together with the ServiceProtector, the CC-200 can also
serve as the SP-Sensor, which monitors traffic from the physical line itself,
searching for network or subscriber anomalies. In addition, it stores dynamic
signatures used for attack mitigation.
The SFC-200 is the Switch Fabric Controller and serves as a backplane switch
for network and management traffic. The network traffic enters the system from the
bypass via this blade, and redirected traffic is also connected here. The Ethernet
management connections are also located on the SFC, which serves as an
interface to external servers (NX/SMP/STC).
The FB-200 is the Flow Balancer. This serves as the traffic dispatcher and
decides to which core controller to dispatch each traffic flow.
The NSS blades are used for Network and Subscriber Services. For example,
the NSS-MS is the MediaSwift caching engine used for caching HTTP streaming
video and/or peer-to-peer traffic.
Finally, the BP-204 blade is an internal bypass blade which bypasses network
traffic on failure.


How many blades are required and in which slots? The answer depends on the
customer requirements, but the guidelines below help explain the logic behind
the different SG-Sigma configurations.
SGSV-100 Blades: Only one SGSV-100 blade is used in all configurations,
installed in slot number 1.
SFC-200 Blades: The minimum officially supported configuration requires two
SFC-200 blades, which must be installed in slots 7 and 8.
NOTE: The SFC-200 is also available with 8 x 1G ports (instead of 4 x 10G ports).
CC-200 Blades: Each CC-200 blade requires two slots in the chassis. Up to four
CC-200 blades can be installed (in slots 2/3, 4/5, 10/11 and 12/13), supporting up
to a maximum of 60Gbps. The throughput growth path is from left to right, with
each CC blade supporting 15Gbps (meaning 7.5Gbps full duplex). To deploy an
SG-Sigma with 30Gbps throughput, for example, 2 x CC-200 blades must be
installed in slots 2/3 and 4/5.
FB-200 Blades: Each FB-200 blade supports up to two 10Gbps network links. If
a single FB-200 blade is required, it must be installed in slot 6. If support is
required for 3 or 4 links, an additional FB-200 is required. These two FB-200
blades must be installed in slots 6 and 9. The FB-200 in slot 6 supports the
network links on ports 5 and 6 of each SFC-200. The FB-200 in slot 9 supports the
network/HA links on ports 7 and 8 of each SFC-200.
BP-204 Blades: For 10GE configurations, the BP-204 blade is deployed in slot
14. For 1GE fiber configurations, it is possible to deploy two BP-204 blades, in
slot 13 and slot 14.


The SG-Sigma is a modular platform which enables the customer to start
small and grow organically without losing any functionality. As the needs
grow, you can add additional capacity, interfaces and services. Here we
see 4 sample configurations of the SG-Sigma, and the different blades
required for each one.


Here we see a close-up view of the SG-Sigma E6 chassis. The particular
configuration on view is a fully populated SG-Sigma E6 supporting up to 8
x 10GE ports and a throughput of up to 64Gbps.
The standard ATCA chassis has 6 slots numbered from bottom to top.
Two types of blades can be seen here: the SFB-300 (Switch Flow Balancer blades) and the CC-300 (Core Controller blades).
The Shelf Management Controller (SMC) is in the bottom left side of the
chassis, and there are two fan trays on the left and right of the front panel
which are designed for full redundancy to meet the cooling requirements
of a full shelf in the most demanding situations.


Here we see a close-up view of the SG-Sigma E6 chassis rear. The RBS-300 is a rear transition module blade, connecting on the rear part of the
chassis. The two RBS-300s are connected in slots 1 and 2. These blades
must be inserted BEFORE inserting the SFB-300s into the chassis. At the
bottom of the rear panel we see the 3 AC power inlets.
Now we will examine each of the blades in turn.


Here we see a close-up view of the SG-Sigma E14 chassis. The particular
configuration on view is a fully populated SG-Sigma E14 supporting up to
16 x 10GE ports and a throughput of up to 160Gbps.
The standard ATCA chassis has 14 slots numbered from left to right.
Two types of blades can be seen here: the SFB-300 (Switch Flow Balancer blades) and the CC-300 (Core Controller blades).
The Shelf Management Controller (SMC) is in the bottom left side of the
chassis, while the Shelf Alarm Display (SAD) and Shelf Alarm Panel (SAP)
are at the top.


Here we see a close-up view of the SG-Sigma E14 chassis rear. Two
types of rear transition module blades, the RBS-300 and RBL-300 blade
connect on the rear part of the chassis. The two RBS-300s are connected
in slots 7 and 8, while the two RBL-300s (required only when there are 4 x
SFBs inserted in the front) are connected in slots 6 and 9. These blades
must be inserted BEFORE inserting the SFB-300s to the chassis. At the
top of the rear we see the 3 fan trays and at the bottom, the two Power
Entry Modules (PEMs).


Here are the different blades used in the SG-Sigma E and their main
functionalities.
The CC-300 is the core controller blade. It is a single-slot blade. It is here that
DART processes are applied to the traffic passing through the network.
When the SG is deployed together with the ServiceProtector, the CC-300 can also
serve as an SP-Sensor, which monitors traffic from the physical line itself,
searching for network or subscriber anomalies. In addition, it stores the dynamic
signatures used for attack mitigation.
The SFB-300 is a blade combining the functionalities of the FB-200 and the
SFC-200 on the SG-Sigma. It dispatches traffic to the different core controllers
and serves as a network switch. In slot 7 the SFB-300 also serves as the host
blade, responsible for chassis application management.
The RBS-300 is a rear base blade, serving as the management switch in conjunction
with the SFB-300 blades in slots 7 and 8.
The RBL-300 is a rear base blade with no switch functionality. It is required for the
proper operation of the SFB-300 blades in slots 6 and 9.
The NSS blades are used for Network and Subscriber Services. For example,
the NSS-MS is the MediaSwift caching engine used for streaming video and/or
Peer-to-Peer caching.
The 1GE-300 blades are interface blades providing additional 1GE ports which
can be used for network connectivity and/or external direct redirection.
Finally, the BP-204 blade is an internal bypass blade which bypasses network
traffic on failure.


How many blades are required and in which slots? The answer depends on the
customer requirements, but the guidelines below help explain the logic behind
the different SG-Sigma E6 configurations.
Between 1 (minimum) and 4 (maximum) CC-300 blades are supported, and
these should be placed in the chassis from bottom to top (1st CC in slot #3, 2nd
CC in slot #4, etc.). All slots can be used for the core controllers except 1 and 2.
As each Core Controller supports 16Gbps, a fully populated SG-Sigma E6 with 4
Core Controller blades will support 64Gbps throughput.
Either 1 (min) or 2 (max) SFB-300 blades can be installed. A minimum
configuration of 1 x SFB-300 will enable support for 2 x 10GE links using ports
L3-L6 on each SFB. This blade must be installed in slot 1. The maximum
configuration has 2 x SFB blades installed in slots 1 and 2 and gives support for
8 x 10GE ports using L3-L6. Up to two RBS-300 blades will be installed in the rear
of the chassis, in accordance with the number of SFB-300 blades installed.
Between 0 (when not required) and 2 (maximum) 1GE-300 blades can be installed. When
used in slots 3 and 4, the 1GE-300 blades can be used for network ports. When used
in slots 5 and 6, the 1GE-300 blades can be used for external direct redirection only.
Note the impact on SFB port usage! When you use the 1GE-300 in slots 3 and 5,
ports 3 and 4 of the SFB in slot 1 can only be used as 1G. When you use the
1GE-300 in slots 4 and 6, ports 5 and 6 of the SFB in slot 1 can only be used as
1G.
A single BP-204 blade is deployed in slot 6 for up to 4 x 10G links.
For more guidelines, please refer to the Allot SG-Sigma E6 Hardware Guide.


Here are the guidelines for different SG-Sigma E14 configurations.
Between 2 (minimum) and 10 (maximum) CC-300 blades are supported, and
these should be placed in the chassis from left to right (1st CC in slot #1, 2nd CC
in slot #2, etc.). All slots can be used for the core controllers except 6-9. As each
Core Controller supports 16Gbps, a fully populated SG-Sigma E14 with 10 Core
Controller blades will support 160Gbps throughput (full duplex).
Between 2 (minimum) and 4 (maximum) SFB-300 blades can be installed. A
minimum configuration of 2 x SFB-300s will enable support for 8 x 10GE ports
using L3-L6 on each SFB. These blades must be installed in slots 7 and 8. An
additional possibility is to use 3 x SFB-300s installed in slots 6, 7 and 8 to ensure
support for 12 x 10GE ports using L3-L6. Finally, the maximum configuration has
4 x SFB blades installed in slots 6, 7, 8 and 9 and gives support for 16 x 10GE
ports using L3-L6.
Between 0 (when not required) and 4 (maximum) 1GE-300 blades can be
installed. When used in slots 6 and 9, the 1GE-300 blades can be used for network
ports. When used in slots 1 and 2, the 1GE-300 blades can be used for external direct
redirection only.
Note the impact on SFB port usage! When you use the 1GE-300 in slots 6 and 9,
ports 3 and 4 of the SFBs in slots 7 and 8 can only be used as 1G. When you use the
1GE-300 in slots 1 and 2, ports 5 and 6 of the SFBs in slots 7 and 8 can only be used as 1G.
For all configurations with up to four links, a BP-204 blade is deployed in slot
14. For more than 4 links, you can deploy two BP-204 blades, in slots 13 and 14.
For more guidelines, please refer to the Allot SG-Sigma E14 Hardware Guide.
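The E6 and E14 placement guidelines above are easy to get wrong by hand, so here is an added worked example (not Allot's own tooling) that encodes them as a rule table and checks a planned slot layout before any blade is inserted. The blade names, slot numbers, fill order, supported SFB-300 and BP-204 slot sets, and the 16Gbps-per-core-controller figure are taken from the guidelines; the rule structure, function names and the sample layouts are this example's own construction, and a chassis with an external bypass simply omits the BP-204 entry.

```python
"""Slot-layout check for SG-Sigma E6 and E14 configurations (added example)."""
from typing import Dict, List, Set, Tuple

GBPS_PER_CC = 16  # each CC-300 supports 16Gbps

# Rules transcribed from the SG-Sigma E6 / E14 configuration guidelines.
CHASSIS = {
    "E6": {  # 6 slots; core controllers fill from the bottom (slot 3 upward)
        "slots": range(1, 7),
        "cc_min": 1, "cc_max": 4, "cc_forbidden": {1, 2},
        "cc_fill_order": [3, 4, 5, 6],
        "sfb_sets": [{1}, {1, 2}],
        "ge_max": 2, "ge_slots": {3, 4, 5, 6},
        "bp_sets": [{6}],
        # 1GE-300 slot -> (SFB-300 slot(s), SFB ports that drop to 1G)
        "ge_port_impact": {3: ("1", "3 and 4"), 5: ("1", "3 and 4"),
                           4: ("1", "5 and 6"), 6: ("1", "5 and 6")},
    },
    "E14": {  # 14 slots; core controllers fill from the left (slot 1 onward)
        "slots": range(1, 15),
        "cc_min": 2, "cc_max": 10, "cc_forbidden": {6, 7, 8, 9},
        "cc_fill_order": [1, 2, 3, 4, 5, 10, 11, 12, 13, 14],
        "sfb_sets": [{7, 8}, {6, 7, 8}, {6, 7, 8, 9}],
        "ge_max": 4, "ge_slots": {1, 2, 6, 9},
        "bp_sets": [{14}, {13, 14}],
        "ge_port_impact": {6: ("7 and 8", "3 and 4"), 9: ("7 and 8", "3 and 4"),
                           1: ("7 and 8", "5 and 6"), 2: ("7 and 8", "5 and 6")},
    },
}


def _by_type(layout: Dict[int, str]) -> Dict[str, Set[int]]:
    """Group a slot -> blade mapping by blade type."""
    groups: Dict[str, Set[int]] = {}
    for slot, blade in layout.items():
        groups.setdefault(blade, set()).add(slot)
    return groups


def check_layout(chassis: str, layout: Dict[int, str]) -> Tuple[List[str], int]:
    """Return (violations, supported throughput in Gbps) for a slot -> blade mapping."""
    r = CHASSIS[chassis]
    blades = _by_type(layout)
    problems: List[str] = []

    for slot in sorted(layout):
        if slot not in r["slots"]:
            problems.append(f"slot {slot} does not exist on an SG-Sigma {chassis}")

    cc = blades.get("CC-300", set())
    if not r["cc_min"] <= len(cc) <= r["cc_max"]:
        problems.append(f"{len(cc)} CC-300 blades; {r['cc_min']}-{r['cc_max']} are supported")
    bad_cc = sorted(cc & r["cc_forbidden"])
    if bad_cc:
        problems.append(f"CC-300 in slot(s) {bad_cc}; slots {sorted(r['cc_forbidden'])} "
                        "are not for core controllers")
    elif cc:
        # Fill order: core controllers take the first free slots in order,
        # skipping slots that other blade types occupy.
        free = [s for s in r["cc_fill_order"] if layout.get(s, "CC-300") == "CC-300"]
        if cc != set(free[:len(cc)]):
            problems.append(f"CC-300 slots {sorted(cc)} break the fill order; "
                            f"expected {free[:len(cc)]}")

    sfb = blades.get("SFB-300", set())
    if sfb not in r["sfb_sets"]:
        problems.append(f"SFB-300 slots {sorted(sfb)}; supported sets are "
                        f"{[sorted(s) for s in r['sfb_sets']]}")

    ge = blades.get("1GE-300", set())
    if len(ge) > r["ge_max"]:
        problems.append(f"{len(ge)} 1GE-300 blades; at most {r['ge_max']} are supported")
    for s in sorted(ge - r["ge_slots"]):
        problems.append(f"1GE-300 in slot {s} is not a supported position")

    bp = blades.get("BP-204", set())
    if bp and bp not in r["bp_sets"]:
        problems.append(f"BP-204 slots {sorted(bp)}; supported sets are "
                        f"{[sorted(s) for s in r['bp_sets']]}")

    return problems, GBPS_PER_CC * len(cc)


def port_impacts(chassis: str, layout: Dict[int, str]) -> List[str]:
    """Notes on SFB-300 ports forced down to 1G by installed 1GE-300 blades."""
    impact = CHASSIS[chassis]["ge_port_impact"]
    notes = []
    for s in sorted(_by_type(layout).get("1GE-300", set())):
        if s in impact:
            sfb_slots, ports = impact[s]
            notes.append(f"1GE-300 in slot {s}: ports {ports} of the SFB-300 in slot(s) "
                         f"{sfb_slots} run at 1G only")
    return notes


if __name__ == "__main__":
    # Constructed layouts: a 64Gbps E14, and an E14 with a core controller in a switch slot.
    good = {7: "SFB-300", 8: "SFB-300", 1: "CC-300", 2: "CC-300",
            3: "CC-300", 4: "CC-300", 14: "BP-204"}
    bad = {7: "SFB-300", 8: "SFB-300", 1: "CC-300", 6: "CC-300"}
    for name, lay in (("good", good), ("bad", bad)):
        problems, gbps = check_layout("E14", lay)
        print(name, gbps, "Gbps", problems or "OK")
```

The checker deliberately reports every violated rule rather than stopping at the first, so a planned layout can be corrected in one pass; `port_impacts` is kept separate because a 1GE-300 blade in a supported slot is not an error, only a capacity trade-off the installer should know about.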


The SG-Sigma E is a modular platform which enables the customer to
start small and grow organically without losing any functionality. As the
needs grow, you can add additional capacity, interfaces and services.
Here we see 4 sample configurations of the SG-Sigma E, and the different
blades required for each one.


Let's briefly discuss the different types of fiber cables which can be used
with the in-line platforms. Multi-mode fiber carries several rays of light
and covers shorter distances. Single-mode fiber carries one ray of light
and can cover longer distances. Allot products supporting 1GE fiber can
be ordered with standard SX, LX or ZX fiber.
1000Base-SX runs over multi-mode fiber. The wavelength of the
central wave transmitted/received is 850nm. SX is used for distances up
to 550m, depending on the fiber core diameter and loss per km.
1000Base-LX runs over single-mode fiber with a wavelength of
1310nm. The standard comes in two flavors, LX5 and LX20, used for
distances of up to 5km and 20km respectively.
1000Base-ZX runs over single-mode fiber with a wavelength of
1550nm. It is mainly used for long distances (up to 80km), and the
laser beam is therefore very powerful. If ZX is used for short distances (20km and
less), the powerful laser beam can damage the equipment.
Allot products supporting 10GE fiber can be ordered with standard SR
(multi-mode) or LR (single-mode) fiber. The Service Gateway also supports
ER fiber.
All 1GE cables use the SFP transceiver. All 10GE cables use the SFP+
transceiver.
Make sure both endpoints use the same interface, and that the bypass unit also
uses the same interface.


In this section, we consider the factors to take into account
when deciding where in a network to place the products.


If the NetEnforcer or Service Gateway is to monitor and reshape traffic,
then the traffic that you would like to reshape must first be identified. The
in-line platform must be placed on the network where all relevant traffic
can flow through it.
The ideal location will vary depending on the network configuration and on
the customer's requirements.
The first question to ask, therefore, is: what are we trying to achieve?
For a service provider, are we trying to control traffic per application, to
deploy services at a network level, or to tailor packages with value added
services per subscriber?
For an enterprise, are we trying to optimize the Internet link or the WAN
links to remote sites?
In both cases, understanding what the customer is trying to achieve is the
first step to deciding where to place the in-line platform on the network.
Let's look at the case of the service provider and the enterprise now in
turn.


For the Service Provider, the guiding principle is that the in-line platform
should be placed in a position on the network where as much of the traffic
as possible flows through it. Only traffic that flows through the SG or NE
can be monitored and shaped. Typically there are two placement options
in a service provider network: at the access point or at the peering point.
By access point we mean deploying the in-line platform straight after the
BRAS or CMTS.
While a deployment at the Peering Point usually requires a relatively
small number of devices, an in-line platform at the peering point will only
be able to see and control the traffic that goes outside of the SP's domain.
On the other hand, a deployment at the Access Point may require more
NEs or SGs, but the devices deployed can see and control all of the traffic,
including that which is terminated inside the provider's network.


Here we see the typical placement of an Allot Service Gateway in a 3G
mobile network. If required, Allot Service Gateways or NetEnforcers
(working together with the SMP) can serve the purpose of a PCEF (Policy
and Charging Enforcement Function) integrated with a PCRF (Policy and
Charging Rules Function) and online or offline charging systems.
Communication takes place using protocols from the standard Diameter
stack. This topology is fully described in the SMP training course when we
discuss Allot's Subscriber Management Platform (SMP).


In an Enterprise network, the in-line platform deployed will typically be a
NetEnforcer. The NetEnforcer should be placed at (or as close as possible to)
the exact location of the bottleneck.
On the Internet link, the NetEnforcer is therefore placed directly before the
Internet router. Placement of the NetEnforcer in relation to a firewall will be
discussed in the next slide.
On the WAN link in a branch environment, the NetEnforcer should be
placed next to the outgoing router that links the local area network with the
remote branches. Firewalls are not usually an issue here, since the WAN
links are connected only to the branches and are therefore private. This
means that the NetEnforcer can be connected directly between the WAN
router and the LAN.


Where should you position the NetEnforcer in relation to the enterprise
firewall? Where the firewall performs network address translation (NAT), it
may make sense to place the NetEnforcer before the firewall. Placing the
NetEnforcer after a firewall which performs NAT means that the
NetEnforcer will not be able to filter traffic by internal host.
Placing the NetEnforcer before the firewall may not always be an
immediate choice, however, particularly in cases where the customer has
a DMZ connected to its firewall. A DMZ is the semi-protected area where
equipment that needs to be accessed from both outside and inside the
firewall is placed. In such a case, traffic flows from the LAN to the WAN,
and from the LAN to the DMZ.
The first possible disadvantage is that a NetEnforcer placed inside the
firewall will not be able to monitor traffic which flows from the WAN to the
DMZ without entering the LAN.
A second disadvantage relates to traffic flowing from the LAN to the DMZ,
which normally flows at LAN speed but may be unnecessarily limited. If
the NetEnforcer is set to control 10Mbps on the internal link and 2Mbps on
the external link, the NetEnforcer assumes the traffic flowing to the DMZ is
actually going out to the WAN; it therefore limits the output to a total of 2
Mbps. This can have a big impact on bandwidth management.
To overcome this problem, it is possible to define a policy (VC or Pipe) for
such traffic. The NetEnforcer can be configured to ignore it, as it is LAN
traffic and does not need to be managed. The NetEnforcer comes with a
predefined Ignore QoS (quality of service) entry.


In this section, we will learn the procedure for physically connecting the
NetEnforcer or Service Gateway to its bypass unit (where appropriate) and
to the network.


We will begin by seeing how to connect the In-line platform. To make sure
installation of the In-line platform and its bypass does not disturb the traffic
flow, install one step at a time and validate traffic flow after each step. You
can validate traffic flow by using ping, checking whether the devices are
reachable and how long it takes to reach them.
Install in the following order:
1. Before installation, make sure there is traffic flow at the location where
you are about to install the In-line platform.
2. Connect the bypass only.
3. Connect the In-line platform to the bypass with Ethernet cables and
the bypass cable. Keep the In-line platform turned off. When the In-line
platform is powered on, it validates that it is connected to a bypass. If you
attempt to power on an In-line platform that is not connected to a bypass,
boot will fail. Make sure cables are secure.
4. Power up the In-line platform. Verify traffic flow.
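The procedure above validates traffic flow with ping after each step but leaves the comparison to the installer's eye. The following added example (not part of the training guide) takes a ping baseline before step 1 and compares every later probe against it, so a step that silently breaks the path or adds latency is caught at that step rather than after the chassis is powered up. It assumes the Linux/macOS ping summary format; the target addresses, thresholds and the sample ping output are constructed for the example.

```python
"""Step-by-step traffic-flow validation for an in-line installation (added example)."""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Linux: "4 packets transmitted, 4 received, 0% packet loss, time 3004ms"
# macOS: "4 packets transmitted, 4 packets received, 0.0% packet loss"
PKT_RE = re.compile(r"(\d+) packets transmitted, (\d+)(?: packets)? received")
# Linux: "rtt min/avg/max/mdev = ..."   macOS: "round-trip min/avg/max/stddev = ..."
RTT_RE = re.compile(r"(?:rtt|round-trip) min/avg/max/(?:mdev|stddev) = ([\d.]+)/([\d.]+)/([\d.]+)")


@dataclass
class PingResult:
    sent: int
    received: int
    avg_rtt_ms: Optional[float]  # None when every probe was lost

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent if self.sent else 100.0


def parse_ping(output: str) -> PingResult:
    """Extract sent/received counts and average RTT from a ping summary."""
    m = PKT_RE.search(output)
    if not m:
        raise ValueError("no ping summary line found")
    r = RTT_RE.search(output)
    return PingResult(int(m.group(1)), int(m.group(2)), float(r.group(2)) if r else None)


def run_ping(host: str, count: int = 5) -> PingResult:
    """Run the system ping (needs a live network; not used by the offline demo)."""
    proc = subprocess.run(["ping", "-c", str(count), host], capture_output=True, text=True)
    return parse_ping(proc.stdout)


def flow_ok(baseline: PingResult, current: PingResult,
            max_loss_pct: float = 0.0, rtt_factor: float = 3.0) -> bool:
    """True when reachability and latency are still inside the baseline envelope.

    max_loss_pct and rtt_factor are this example's thresholds: any loss, or an
    average RTT more than rtt_factor times the baseline, fails the step.
    """
    if current.loss_pct > max_loss_pct or current.avg_rtt_ms is None:
        return False
    if baseline.avg_rtt_ms is not None and current.avg_rtt_ms > baseline.avg_rtt_ms * rtt_factor:
        return False
    return True


# Constructed ping summaries standing in for real probes at each install step.
SAMPLE_BASELINE = """--- 192.0.2.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.532/0.601/0.712/0.067 ms
"""
SAMPLE_AFTER_OK = """--- 192.0.2.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.540/0.623/0.750/0.080 ms
"""
SAMPLE_AFTER_SLOW = """--- 192.0.2.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3010ms
rtt min/avg/max/mdev = 2.100/2.900/3.800/0.600 ms
"""
SAMPLE_AFTER_DOWN = """--- 192.0.2.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3070ms
"""


def demo() -> dict:
    """Evaluate each constructed post-step probe against the baseline."""
    base = parse_ping(SAMPLE_BASELINE)
    steps = {"2. bypass only": SAMPLE_AFTER_OK,
             "3. platform cabled, powered off": SAMPLE_AFTER_SLOW,
             "4. platform powered up": SAMPLE_AFTER_DOWN}
    return {step: flow_ok(base, parse_ping(out)) for step, out in steps.items()}


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {'traffic flow OK' if ok else 'STOP - traffic flow changed'}")
```

In a real installation `run_ping` replaces the constructed samples: record `baseline = run_ping(target)` before touching any cable, then call `flow_ok(baseline, run_ping(target))` after each numbered step and stop at the first failure.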


The exact layout of the interface status indicators depends on the
particular NetEnforcer or Service Gateway hardware, but the significance
of the LEDs is the same for all:
A lit LINK LED (green) indicates that a link is detected.
A blinking ACTIVITY LED (amber) indicates that traffic is detected on the
interface.


Here we see an example of how to connect a Copper AC-3040, which
has four physical links to the network.
1. Connect the External cable from the External port (Link 1) on the
Bypass Unit to a router (100Base-T) connector.
2. Connect the Internal cable from the Internal port (Link 1) on the Bypass
Unit to a switch connector.
3. Repeat Steps 1 and 2 for Links 2 to 4.
4. Connect the External cable from the To NetEnforcer External port
(Link 1) on the Bypass Unit to the External port on the NetEnforcer
(Link 1).
5. Connect the Internal cable from the To NetEnforcer Internal port
(Link 1) on the Bypass Unit to the Internal port on the NetEnforcer
(Link 1).
6. Repeat Steps 4 and 5 for Links 2 to 4.
7. Connect the D-type High Density connector from the Primary port on
the Bypass Unit to the Backup port on the NetEnforcer.


Let's now see three examples of connecting the Service Gateway to the
network. In the first example, 4 x 10Gbps links are connected to an SG-Sigma via an internal bypass blade. In the second example, 2 x 10Gbps
links are connected to an SG-Sigma E6 via an external bypass unit. In the
third example, 4 x 10Gbps links are connected to an SG-Sigma E14 via an
external bypass unit.


WARNING: Make sure you follow all safety instructions mentioned in the
SG-Sigma Hardware Guide. FAILURE TO COMPLY CAN RESULT IN
PERSONAL INJURY!
At the rear of the Service Gateway chassis you will find two Power Entry
Modules (PEM).
First of all connect the protective ground before connecting any external
power.
Then connect the 4 domain power cables (red) and the 4 return power
cables (black) as per instructions in the hardware guide.
NOTE: Full specifications for input and output power cables can be found
in the SG-Sigma Hardware Guide.


Here we see how to connect an SG-Sigma with 4 x 10GE links to the
network via an internal bypass unit. Install in the following order:
1. Connect the network links to the BP-204 unit: from the Internal and External
ports (Link 1) of the bypass unit to the network. Do the same for Links 2-4.
2. Verify traffic flow.
3. Connect the FB-200 to the SFC-200 using 10GE fiber cables as follows:
   Connect the L1 port on the SFC-200 in slot 7 to the 10G 1 port on the
   FB-200 in slot 6.
   Connect the L1 port on the SFC-200 in slot 8 to the 10G 2 port on the
   FB-200 in slot 6.
   Connect the L2 port on the SFC-200 in slot 7 to the 10G 1 port on the
   FB-200 in slot 9.
   Connect the L2 port on the SFC-200 in slot 8 to the 10G 2 port on the
   FB-200 in slot 9.
4. Connect the spider connectors on the BP-204 blade to L5-L6 and L7-L8
on each of the SFC-200 blades.
5. Power up the chassis.
6. Verify traffic flow.


Here we see a schematic which summarizes port usage of the 8 SFC-200
ports for the SG-Sigma. For an SG-Sigma with 10GE links, L1 and L2 will
be used to connect the SFC-200 with fiber cables to the FB-200 blade. L1
connects to the left hand flow balancer (installed in slot 6), while L2
connects to the right hand flow balancer (installed in slot 9).
L3 & L4 will be used for Asymmetric Control Traffic or MediaSwift
Storage.
L3 on the left hand SFC (installed in slot 7) is used for asymmetric control
traffic in asymmetric configurations. Note that asymmetric traffic comprises
approximately 5% of the total network traffic. In such configurations, using
L3 will consume some of the resources of L5. (Similarly, using L4
consumes some of the resources of L6.)
L5 & L6 will be used for either network traffic, external VAS or internal
VAS resource use.
NOTE: L3 & L4 can be set to be network ports together with L4 & L5, in
which case only 2 ports can be active at the same time. This can be used for
specific deployments in networks with redundant links.
L7 & L8 will be used for either network traffic, external VAS or internal
VAS resource use.
Consult the SG-Sigma Hardware Guide for more guidelines.


Here we see how to connect an SG-Sigma E6 with 2 x 10GE ports to the
network via an external bypass unit. Install in the following order:
1. Connect the network links to the bypass unit.
2. Verify traffic flow.
3. Connect the SFB-300 fiber ports to the bypass unit (Internal or External).
4. Connect the bypass PRIMARY port to the SFB-300 (slot 1) bypass port
with the bypass cable.
5. Power up the chassis.
6. Verify traffic flow.
7. Add other links in a similar way.


Here we see how to connect an SG-Sigma E14 with 4 x 10GE links to the
network via an external bypass unit. Install in the following order:
1. Connect the network links to the bypass unit.
2. Verify traffic flow.
3. Connect the SFB-300 fiber ports to the bypass unit (Internal or External).
4. Connect the bypass PRIMARY port to the SFB-300 (slot 7) bypass port
with the bypass cable.
5. Power up the chassis.
6. Verify traffic flow.
7. Add other links in a similar way.


Here we see a schematic which summarizes port usage of the 8 SFB-300
ports for the SG-Sigma E. L1 and L2 will be used for Asymmetric Control
Traffic or MediaSwift Storage.
L3, L4, L5 & L6 will be used for network links and, if required, External
Switched Redirection.
NOTE: L1 & L2 can be configured as network ports together with L3 & L4, in
which case only 2 ports can be active at the same time. This can be used in
specific deployments for networks with redundant links.
Consult the SG-Sigma E Hardware Guides for more guidelines.


The port usage of each SFC-200 and SFB-300 on the Service Gateway
can be defined from the NetXplorer GUI by choosing a NetEnforcer or
Service Gateway from the network tree and selecting Configuration. On
the NIC tab, you can click any of the boards in the picture and then double-click
the relevant port below to set its usage, as shown in the example on
the screen.


Now that we have physically connected our in-line platform to the network,
we will see how to perform initial configuration.


Before the in-line platform can be used in a live network environment,
the network settings must be configured. For all in-line platforms:
1. A dedicated PC can be connected via a serial cable to the console port
for initial IP settings.
2. The management port is an Ethernet port intended solely for managing
the in-line platform. Once the IP settings have been configured via the
console port, a management port can be connected to the network,
and any PC on that network can manage the NE or SG via Telnet or
SSH as if it were directly connected via the console port.
3. Once all NetXplorer components have been installed, you can edit the
NetEnforcer or Service Gateway configuration settings via the
NetXplorer user interface.


Initial configuration of the SG-Sigma is achieved by connecting a local
serial connection to the console port on the SGSV-100 blade (in slot 1).
Subsequent management is then achieved via the M1 (and M2, if
redundancy is required) ports on the SFC-200 blade located in slot 7.


Before the Service Gateway Sigma E6 can be used in a live network
environment, the network settings must be configured:
1. A dedicated PC can be connected via a serial cable to the console port
of the SFB-300 in slot 1 for initial IP settings.
2. The Mgmnt1 port is an Ethernet port on the SFB-300 blade in slot 1,
intended solely for managing the SG-Sigma E6. Once the IP settings
have been configured via the console port, a management port can be
connected to the network, and any PC on that network can manage
the SG via Telnet or SSH as if it were directly connected via the console
port.
3. Once all NetXplorer components have been installed, you can edit the
Service Gateway configuration settings via the NetXplorer user
interface.


Likewise, before the SG-Sigma E14 can be used in a live network
environment, the network settings must be configured:
1. A dedicated PC can be connected via a serial cable to the console port
on the SFB-300 in slot 7 for initial IP settings.
2. The Mgmnt1 port is an Ethernet port on the SFB-300 blade intended
solely for managing the SG. Once the IP settings have been
configured via the console port, a management port can be connected
to the network, and any PC on that network can manage the SG via
Telnet or SSH as if it were directly connected via the console
port.
On the SFB-300, the two management ports on the front are physically
connected via the rear RBS base management switch. The two ports
work as an Active-Standby LAG sharing the same MAC and
IP addresses. When one of the ports goes down, the other port
becomes active and notifies the network about the new
management path.
3. Once all NetXplorer components have been installed, you can edit the
Service Gateway configuration settings via the NetXplorer user
interface.


The admin user initially logs in with username sysadmin and password
sysadmin. IP configuration is performed by entering the go config ips
command. Various syntax options are possible here. For example, to
configure an IP address of 10.50.1.7 with a network mask of 255.0.0.0,
you can enter: go config ips -ip 10.50.1.7:255.0.0.0.
Additional parameters you can define are as follows:

  -h    Hostname                  set host name of NE
  -d    Domain                    set domain name of NE
  -g    <type:ip>                 set gateway IP address
  -dns  <dns1:dns2>|none          set DNS IP addresses
  -ts   <ntp1:ntp2:ntp3>|none     set NTP server IP addresses
  -ip   <type:ip:mask>            set IP/netmask of interface

A full list of sysadmin CLI commands is available in the Command Line
Interface chapter of the relevant NetEnforcer or Service Gateway
Hardware Guides.


By entering go config view, you can see a summary of the current
configuration settings.


Amongst the information that can be viewed in the extended output is the
current status of the device (active or bypass).


We will now focus on some more advanced configurations, specifically
configurations for handling asymmetric traffic and redundancy.


In some network topologies the traffic flows of a single connection can
take different paths in the upstream and the downstream directions. This
can lead to a situation where one in-line platform on the network sees one
flow of the connection while another in-line platform that is located
remotely sees the complementary flow of the same connection. Since
Allot's DART engine needs to inspect both flows of the connection for
maximum DPI accuracy, this leads to poor identification of the
applications running in the network.
Asymmetric Traffic support is designed to significantly increase DPI
accuracy by allowing Service Gateway or NetEnforcer platforms to share
information concerning connections. This ensures that two different
flows can be identified as part of the same connection, even when their
traffic is handled by different in-line platforms. Ideally, using Asymmetric
Traffic support should provide the same DPI accuracy with remotely
located platforms as is found when a single in-line platform sees both
sides of the connection.
Asymmetric traffic handling is not supported on the AC-500.


Asymmetric Traffic information is synched between all devices that belong
to the same Asymmetric Device Group (ADG), which is configured via
NetXplorer. All devices in an ADG must be assigned to the same
NetXplorer, and each NetXplorer may support up to eight ADGs. An ADG
can include co-located and remotely located devices. Co-located devices
are connected with an intra-site asymmetric control link. This link passes
control information between the co-located devices to sync the DPI
information. Remotely located devices are connected over an L2/L3
network.
Each ADG may be configured with up to eight devices and has a group ID
of 0 through 7. Each in-line platform configured to an ADG has a local ID
of 0 through 7. In this example we see an asymmetric group with 2 x
Service Gateways. Different VLAN tags identify the direction of the
asymmetric control traffic flowing between the Service Gateways or
NetEnforcers in the group. If traffic is recognized as being asymmetric,
asymmetric control traffic is sent between the devices in the asymmetric
group to ensure that protocols can be correctly identified.
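The two preceding passages explain why DPI suffers under asymmetric routing and how an Asymmetric Device Group restores accuracy by sharing connection information. The following added illustration (a simplified model, not Allot's DART engine or ADG protocol) makes the mechanism concrete: two in-line platforms each see only one direction of the same TCP connection, a toy classifier needs both the request and the response to label it, and a direction-independent connection key lets state shared across the group complete what neither platform can finish alone. The packet contents, device names, the classification rule and the group/local ID handling (0-7, at most eight members) are constructed for the example.

```python
"""Asymmetric routing and shared connection state, illustrated (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ConnKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def connection_key(p: Packet) -> ConnKey:
    """Order the two endpoints so that both directions map to the same key."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return lo + hi


@dataclass
class ConnState:
    saw_request: bool = False
    saw_response: bool = False
    label: Optional[str] = None


def classify(state: ConnState) -> Optional[str]:
    """Constructed rule: a connection is 'http' only once BOTH directions were seen."""
    return "http" if state.saw_request and state.saw_response else None


def update_state(state: ConnState, p: Packet) -> None:
    if p.payload.startswith((b"GET ", b"POST ")):
        state.saw_request = True
    if p.payload.startswith(b"HTTP/1."):
        state.saw_response = True
    state.label = classify(state)


class AsymmetricDeviceGroup:
    """Shared connection table for up to eight platforms; group IDs run 0-7."""

    def __init__(self, group_id: int):
        if not 0 <= group_id <= 7:
            raise ValueError("group ID must be 0 through 7")
        self.group_id = group_id
        self.table: Dict[ConnKey, ConnState] = {}
        self.members: Dict[int, "InlinePlatform"] = {}

    def join(self, dev: "InlinePlatform") -> int:
        if len(self.members) >= 8:
            raise ValueError("an ADG holds at most eight devices")
        local_id = len(self.members)  # local IDs 0-7, assigned in join order
        self.members[local_id] = dev
        dev.group = self
        return local_id


class InlinePlatform:
    def __init__(self, name: str):
        self.name = name
        self.local_table: Dict[ConnKey, ConnState] = {}
        self.group: Optional[AsymmetricDeviceGroup] = None

    def inspect(self, p: Packet) -> Optional[str]:
        """Update connection state for one packet and return the current label."""
        # In a group the state lives in the shared table; standalone, only locally.
        table = self.group.table if self.group else self.local_table
        state = table.setdefault(connection_key(p), ConnState())
        update_state(state, p)
        return state.label


# Constructed packets: request goes out via SG-A, response comes back via SG-B.
REQUEST = Packet("10.0.0.5", 40001, "203.0.113.9", 80, b"GET /index.html HTTP/1.1\r\n")
RESPONSE = Packet("203.0.113.9", 80, "10.0.0.5", 40001, b"HTTP/1.1 200 OK\r\n")


def run_scenario(shared: bool) -> Optional[str]:
    """Label reached after each platform sees its half of the connection."""
    sg_a, sg_b = InlinePlatform("SG-A"), InlinePlatform("SG-B")
    if shared:
        adg = AsymmetricDeviceGroup(0)
        adg.join(sg_a)
        adg.join(sg_b)
    sg_a.inspect(REQUEST)        # upstream path crosses SG-A only
    return sg_b.inspect(RESPONSE)  # downstream path crosses SG-B only


if __name__ == "__main__":
    print("standalone platforms:", run_scenario(False))  # neither side can classify
    print("same ADG:            ", run_scenario(True))   # shared state completes it
```

The essential step is `connection_key`: unless both platforms derive the same identifier for the two halves of a connection, there is nothing to share. The real products exchange asymmetric control traffic over the ports and VLAN tags described in this module rather than a shared in-memory table, but the outcome the training text describes is the same: the second platform to see traffic can classify a connection it only half observes.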


Here we see an example where a single ADG (Group ID = 0) contains
three SG-Sigma E platforms (local IDs = 0, 1 and 2). You can see from
the diagram that asymmetric control traffic interconnects each of
the platforms, and different VLAN tags are defined for each direction of
control traffic between each Service Gateway.
An asymmetric control traffic switch is needed when 3 or more in-line
platforms are included in the configuration. This switch will also need to be
configured, as will be shown shortly.

In order to set up an asymmetric configuration, steps will need to be performed in the NetXplorer GUI, and (in cases when more than 2
NE/SGs are included in the asymmetric device group) the switch or router
will also need to be configured.
In the NetXplorer, we need to create an asymmetric group, configure the
devices to be included in it, and then configure the VLAN IDs which tag
the asymmetric control traffic in each direction between each of the in-line
platforms in the asymmetric group.
If a switch or router is required, the SG-Sigma/NetEnforcer asymmetric control access port on the third-party switch should be configured to receive asymmetric messages with their respective VLANs.
For details on the correct ports to connect on each SG or NE, see the
port usage section of this training module.
We will now examine these configuration steps in more detail.


Right click on the Network in the Navigation pane and select Asymmetry
Configuration OR Highlight the Network in the Navigation pane and select
Asymmetry Configuration from the View menu. The Asymmetry
Configuration dialog appears. Click add to add a new ADG. The
Asymmetry Group New dialog appears. Enter a Group Name and
Description in the appropriate fields.
Select the Enable Health Check checkbox if you wish NetXplorer to
automatically confirm the health of all devices in the ADG.
Select the in-line platforms to add to the group from the drop down menus.
An ADG may include up to eight in-line platforms. The Device ID will be
established based on the order you place them in inside the ADG. For
example, if Sigma-1 is assigned with Number in Group = 0, then it will
have a Device ID of 0 for the purposes of Asymmetry.
Select the Asymmetry Enabled checkbox for each device.


Click the VLans Settings button to edit the VLAN configuration. The VLan
Settings dialog appears. A VLAN must be set for each connection between
any two in-line platforms in the group. Each direction must have a VLAN to
be used for Asymmetric control messages (however the same number can
be used for both directions). Double click in a field to enter a new VLAN
number. Click Save to save the information and return to the Asymmetry
Group New dialog. Click Save to save the new ADG.
NOTE: If you wish to verify that your asymmetric group has been set up correctly, two CLI commands are available from the NetEnforcer or Service Gateway that will show you the current asymmetry configuration:
go config view asymmetry
go config view asymmetry_remote_device
Last, open your NetEnforcer / Service Gateway NIC setting (right click
device icon and go to configuration, NIC tab). Set the appropriate port to
have Asymmetry port usage.
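As an added example (not code from the ACTE guide or from Allot), the following Python script models an ADG under the limits stated in the preceding slides and enumerates the per-direction control VLAN entries that the VLan Settings dialog requires; the device names, group name and VLAN numbers are constructed.

```python
"""Planner/validator for an Allot Asymmetric Device Group (ADG).

Added example, not code from the ACTE guide or from Allot. It encodes the
limits the guide states (up to 8 ADGs per NetXplorer with group IDs 0-7,
up to 8 devices per ADG with device IDs 0-7, one control VLAN per direction
between every pair of devices, no AC-500 support, a control switch needed
from 3 devices upward). Device names and VLAN numbers are constructed.
"""
from dataclasses import dataclass, field
from itertools import permutations

MAX_GROUPS_PER_NX = 8
MAX_DEVICES_PER_ADG = 8
UNSUPPORTED_MODELS = {"AC-500"}  # asymmetric traffic handling not supported


@dataclass
class Device:
    name: str
    model: str            # e.g. "SG-Sigma E", "AC-3000"
    number_in_group: int  # "Number in Group" becomes the asymmetry Device ID


@dataclass
class AsymmetricDeviceGroup:
    group_id: int
    name: str
    devices: list = field(default_factory=list)
    # (src_name, dst_name) -> VLAN tag carried by control traffic src -> dst
    vlans: dict = field(default_factory=dict)

    def directed_pairs(self):
        """Every ordered pair of devices needs its own VLAN entry."""
        return list(permutations([d.name for d in self.devices], 2))

    def needs_control_switch(self) -> bool:
        """The guide: 3 or more in-line platforms require a control switch."""
        return len(self.devices) >= 3

    def validate(self) -> list:
        """Return a list of problems; an empty list means the ADG is consistent."""
        problems = []
        if not 0 <= self.group_id < MAX_GROUPS_PER_NX:
            problems.append(f"group ID {self.group_id} outside 0-{MAX_GROUPS_PER_NX - 1}")
        if len(self.devices) > MAX_DEVICES_PER_ADG:
            problems.append(f"{len(self.devices)} devices exceeds {MAX_DEVICES_PER_ADG}")
        ids = [d.number_in_group for d in self.devices]
        if len(set(ids)) != len(ids):
            problems.append("duplicate Number in Group (device IDs must be unique)")
        for d in self.devices:
            if not 0 <= d.number_in_group < MAX_DEVICES_PER_ADG:
                problems.append(f"{d.name}: device ID {d.number_in_group} outside 0-7")
            if d.model in UNSUPPORTED_MODELS:
                problems.append(f"{d.name}: asymmetric traffic is not supported on {d.model}")
        # Each direction must have a VLAN; reusing one number both ways is allowed.
        for src, dst in self.directed_pairs():
            if (src, dst) not in self.vlans:
                problems.append(f"missing control VLAN for {src} -> {dst}")
            elif not 1 <= self.vlans[(src, dst)] <= 4094:
                problems.append(f"invalid VLAN {self.vlans[(src, dst)]} for {src} -> {dst}")
        return problems


def vlan_ids_required(device_count: int) -> int:
    """Number of direction slots to fill in the dialog: n*(n-1), so 3 devices -> 6."""
    return device_count * (device_count - 1)


def plan_vlans(adg: AsymmetricDeviceGroup, base_vlan: int) -> dict:
    """Assign consecutive VLAN tags, one per direction, and return the mapping."""
    return {pair: base_vlan + i for i, pair in enumerate(adg.directed_pairs())}


def build_sample_group() -> AsymmetricDeviceGroup:
    """Constructed example: three SG-Sigma E platforms in group ID 0."""
    adg = AsymmetricDeviceGroup(group_id=0, name="core-asym")
    for n, name in enumerate(["Sigma-1", "Sigma-2", "Sigma-3"]):
        adg.devices.append(Device(name, "SG-Sigma E", n))
    adg.vlans = plan_vlans(adg, base_vlan=100)
    return adg


if __name__ == "__main__":
    g = build_sample_group()
    print("VLAN entries:", vlan_ids_required(len(g.devices)))
    print("control switch needed:", g.needs_control_switch())
    for (src, dst), tag in sorted(g.vlans.items()):
        print(f"  {src} -> {dst}: VLAN {tag}")
    print("problems:", g.validate() or "none")
```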

Finally, let's examine how active redundancy works and the in-line platforms on which it is supported.

Active redundancy is recommended for network topologies where at least two network links are active in load-balancing mode. It requires two NetEnforcers and typically, no bypass units.
In the Active Redundancy configuration, each NetEnforcer manages a single link while duplicating that link's traffic to the other NetEnforcer. Both NetEnforcers are active. Each unit shapes the traffic of one link only, but the shaping algorithm considers the traffic of both links.
In the event that one of the links fails due to router, switch or line
malfunction, the network redundancy mechanism (for example, spanning
tree) will ensure that traffic is routed or switched via the other link and
managed by the second NetEnforcer. Since both NetEnforcers maintain a
constant view of the two links, there will be no loss of flow state and other
information required for correct shaping and application classification.
In the Active Redundancy configuration, the two NetEnforcers should
share the same policy configuration.
NOTE: Users should be aware that a NetEnforcer working in Active Redundancy mode duplicates all traffic passing through it. Therefore, the overall throughput of each NetEnforcer in Active Redundancy will be half of the throughput enabled by the current license key.
Supported platforms for active redundancy are: AC-500, AC-1400 and AC-3000.

Here we see how to connect two AC-500 NetEnforcers in Active Redundancy mode:
Internal 1&2, External 1&2 are used to pass actual traffic; these interfaces will be used to connect the NetEnforcers to the corresponding switches or routers.
Redundancy ports: Internal 3&4, External 3&4 are used to duplicate traffic and pass it to the second NetEnforcer. Traffic that is passed between NetEnforcers is not sent to adjacent network devices; it is only used for monitoring and classification purposes.
Both NetEnforcers should be running with the same software version and
the same policy.
NOTE: If the NetEnforcer Active Redundancy mechanism is implemented, the internal bypass module should be disabled. This ensures that the network is made aware of any failure and is able to smoothly transfer traffic to the secondary link.

Here we see how to connect two AC-1400/AC-3000 NetEnforcers in Active Redundancy mode:
Link 1 and 3 are used to pass actual traffic; these interfaces will be used to connect the NetEnforcers to the corresponding switches or routers.
Link 2 and 4 are used to duplicate traffic and pass it to the second NetEnforcer. Traffic that is passed between NetEnforcers is not sent to adjacent network devices; it is only used for monitoring and classification purposes.
Both NetEnforcers should be running with the same software version and
the same policy.
NOTE: If the NetEnforcer Active Redundancy mechanism is implemented, a bypass unit should not be used. This ensures that the network is made aware of any failure and is able to smoothly transfer traffic to the secondary link.

Active redundancy can be configured on the NetEnforcers using the NetXplorer GUI. Select a NetEnforcer and choose Configuration. From the Networking tab, you can now configure the NetEnforcer's network settings as seen in the screenshot:
Confirm the Enable Bypass Unit checkbox is not checked and set
Redundancy Mode to Active.


Open the NIC tab and in the Action on Failure field, set INTERNAL0,
EXTERNAL0, INTERNAL2 and EXTERNAL2 to fail paired port.
Set INTERNAL1, EXTERNAL1, INTERNAL3 and EXTERNAL3 to No
Action in the Action on Failure field.
Save the configuration. NetEnforcer will reboot.
This will automatically change the Port Usage of Ports 1 and 3 (2 and 4 on
the physical device) to Cloned.

Asymmetric traffic handling and active redundancy both offer a solution for handling parallel links in your network running through more than one in-line platform. Let's review and compare these features:
In both deployments each in-line platform sees full connection information.
Traffic is fully identified and classified, even if part of it flows through one
platform and part through the other (asymmetric environment).
In case one network link fails, the provider's switches can ensure that the traffic is switched from one link to the other. When working with active redundancy, classification of open connections is maintained. In an asymmetric setup, the current connection classification will not be maintained, but new connections will be correctly classified.
With active redundancy QoS definitions for a specific IP will take into
account the traffic running through both platforms. With an Asymmetric
traffic solution, the QoS definition applies to each platform separately.
The impact on bandwidth for Active Redundancy is 50%, as both
NetEnforcers see and handle the exact same traffic. With the Asymmetric
traffic solution, only 5% of bandwidth is used for information transfer
between the in-line platforms.
The total number of NEs that can be used with Active Redundancy is 2.
You can include up to 8 NEs in the same Asymmetric group.


What is the specification for each of the two listed Platforms?

Here you see 3 steps in a typical installation procedure for connecting an in-line platform with an external bypass to the network. What is the recommended order of carrying out these steps?


How many VLAN IDs need to be defined in the NetXplorer GUI for an
asymmetric group which includes 3 SG/NEs?


Which of the ports on the SFB-300 inserted in slot 7 are used for the 3
purposes listed here?


Module 3
Introducing NetXplorer

In this module, we introduce the NetXplorer. By the end of the module, you
will know how to install the NetXplorer server on both Windows and Linux
platforms, how to install and get started with the GUI and how to perform
the initial configuration. We finish with some examples of a typical
NetXplorer workflow. We begin by asking: what is NetXplorer?

NetXplorer is a scalable central management umbrella for Allot in-line platforms and services.
Using the NetXplorer, you can configure Allot's NE, SG and SMP products, and build traffic policies for them to enforce. You can perform real time monitoring of your network for troubleshooting and problem analysis, and long-term reporting to help with capacity planning and understanding longer term usage trends. NetXplorer enables you to define and manage traffic and system alerts to assure a proactive approach to network management. You can also use it to collect accounting information which can then be exported for billing purposes. Finally, with NetXplorer you can view analytics of mobile internet sessions. Note that the NetXplorer's accounting interface and mobile analytics are not within the scope of this course.

NetXplorer is shipped in 3 different ways.
When purchased as a software only license (for Windows or Linux), the customer provides his own hardware according to Allot recommended specifications. The software license can be purchased to enable the NetXplorer to manage up to 3 NE/SGs, up to 15 NE/SGs or an unlimited number.
Alternatively, NetXplorer can be purchased as a standalone server
package (SNX-SRV), consisting of the NetXplorer software preinstalled on
an IBM server.
The third and final option (SNX-SRV-HAP) is the NetXplorer high
availability package, which consists of the NetXplorer software installed
on 2 separate IBM servers, both of which are connected to a RAID
storage device. High Availability is ensured by the Linux heartbeat
process.
In addition, add-ons can be purchased to enable NetAccountant (covered
in the ACPP training course), NetPolicy Provisioner (available as an
appendix module), Country Classification (covered in Module 5 of this
course) and WebSafe (covered in Module 6 of this course).
NOTE: The NetXplorer reporter which enables real-time monitoring
functionality on AOS driven products, is purchased as an add-on to the
NetEnforcer or Service Gateway (not the NetXplorer).


Before looking at the installation process, we will review the hardware and
software requirements, as well as installation guidelines of NetXplorer on a
Linux server and NetXplorer on a Windows Server.


If the software only option is chosen, the customer will need to provide the server hardware and operating system according to Allot's minimum specifications. Allot proposes two minimum configurations. In this minimum configuration (which may be suitable for enterprise customers), a single NetXplorer Server supports 1 or 2 AC-500 devices, 1 or 2 AC-1400 devices or 1 or 2 AC-3000 devices.
NOTE: Allot supports CentOS Linux 5.5 and RedHat Enterprise Linux Server 5.5 (32 or 64 bit). Other types of Linux are not supported. In addition, it should be noted that Allot does not recommend installing the NetXplorer on a virtualized machine; such architectures are not officially supported.
Regional settings must be configured as English Only.

In this minimum configuration (which may be suitable for service provider customers), a single NetXplorer Server supports 1 Service Gateway. Alternatively, it can support more than 2 AC-1400, AC-3000 or AC-500 devices.
To work out the required disk size, use the following assumptions:
- 100 GB per Service Gateway
- 20 GB per AC-3000/AC-1400
- 10 GB per AC-500
NOTE: Allot supports CentOS Linux 5.5 and RedHat Enterprise Linux
Server 5.5 (32 or 64 bit). Other types of Linux are not supported. In
addition, it should be noted that Allot does not support installing the
NetXplorer on a virtualized machine. Regional settings must be configured
as English Only.

Software requirements for the NetXplorer server are as follows:
- NetXplorer Server should be installed on a dedicated server behind a firewall for optimal performance and security.
- Any real-time virus protection programs or automatic defragmentation/backup software must be disabled on the NetXplorer server, or the Allot folder needs to be excluded from protection/defragmentation.
- Java JDK 7 should be installed on the server machine. If the machine on which you are installing NX Server is running a 64 bit OS, the Java installation must also be 64 bit. If the server is running a 32 bit OS, then the Java version must be 32 bit. Both JDK versions can be downloaded from Allot's FTP server.
- No other database applications (for example, an SQL database) should be installed on the NetXplorer server machine.
- No application should be listening on port 80 at the time of the installation.
- When there is a firewall between different Allot components, verify that all required ports are opened.
A full procedure can be found in the Allot NetXplorer Installation & Administration Guide.

For a successful NetXplorer installation on Linux, make sure to verify the following:
- If the CentOS/Red Hat operating system has not been installed yet, configure the server so that the CD is the first boot device, insert Installation CD #1 and reboot the host. Follow the on-screen instructions for a customized installation. Make sure that the following 2 extra packages are installed: net-snmp-utils from the System Tools group, and xorg-x11-server-Xvfb from the X Window System group.
- Hostname: give a fully qualified host name (e.g., NXlinux.allot.local)
- Firewall: disabled (during configuration after reboot)
- SELinux: disabled (during configuration after reboot)
- Time: configure the correct time according to the time zone chosen
- NTP server: may be configured during configuration after the IP address is configured (select the synchronization checkbox before starting)
- MGMT Interface: must be set to Eth0.
Once verified, you can start the installation by downloading the installation files, or copying them from the installation CD, and running the command rpm -ivh <file name>, where <file name> is the NetXplorer installation file name. For example: rpm -ivh netxplorer-12.3.0-10.i386.rpm.
Reboot the server, and verify you have the most recent Protocol Pack installed.
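As an added example serving both the disk-sizing assumptions of the previous slide and the Linux prerequisites listed here (not a script from the ACTE guide or from Allot), the following Python preflight check evaluates those requirements against command output supplied as text; the sample outputs are constructed, while the package names, the FQDN example, the eth0 requirement and the port 80 rule come from the guide.

```python
"""Pre-installation check for a NetXplorer server on CentOS/RHEL 5.5.

Added example, not a script from the ACTE guide or from Allot. It checks
the prerequisites the guide lists (fully qualified hostname, SELinux
disabled, the net-snmp-utils and xorg-x11-server-Xvfb packages present,
nothing listening on TCP port 80, management interface on eth0) against
command output passed in as text, and sizes the disk with the guide's
per-device figures (100 GB per Service Gateway, 20 GB per AC-3000/AC-1400,
10 GB per AC-500). The sample outputs at the bottom are constructed.
"""
import re

REQUIRED_PACKAGES = ("net-snmp-utils", "xorg-x11-server-Xvfb")
DISK_GB_PER_MODEL = {"SG": 100, "AC-3000": 20, "AC-1400": 20, "AC-500": 10}


def required_disk_gb(devices: dict) -> int:
    """devices maps model -> count, e.g. {"SG": 1, "AC-3000": 2} -> 140."""
    unknown = [m for m in devices if m not in DISK_GB_PER_MODEL]
    if unknown:
        raise ValueError(f"no sizing figure for {unknown}")
    return sum(DISK_GB_PER_MODEL[m] * n for m, n in devices.items())


def is_fqdn(hostname: str) -> bool:
    """A fully qualified name has at least one dot and no empty labels."""
    return bool(re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", hostname.strip()))


def selinux_disabled(selinux_config: str) -> bool:
    """Parse /etc/selinux/config text; only SELINUX=disabled passes."""
    for line in selinux_config.splitlines():
        line = line.strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower() == "disabled"
    return False  # no directive found: treat as not verified


def missing_packages(rpm_qa_output: str) -> list:
    """Compare `rpm -qa` output (name-version-release per line) with the required set."""
    installed = {line.rsplit("-", 2)[0]
                 for line in rpm_qa_output.splitlines() if line.strip()}
    return [p for p in REQUIRED_PACKAGES if p not in installed]


def port_80_listeners(netstat_output: str) -> list:
    """Return local addresses in `netstat -tln` output that listen on port 80."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "tcp" and parts[5] == "LISTEN":
            local = parts[3]
            if local.rsplit(":", 1)[-1] == "80":
                hits.append(local)
    return hits


def preflight(hostname, selinux_config, rpm_qa_output, netstat_output, mgmt_iface):
    """Return the list of failed checks; an empty list means ready for rpm -ivh."""
    failures = []
    if not is_fqdn(hostname):
        failures.append(f"hostname {hostname!r} is not fully qualified")
    if not selinux_disabled(selinux_config):
        failures.append("SELinux is not disabled")
    for pkg in missing_packages(rpm_qa_output):
        failures.append(f"package {pkg} not installed")
    for addr in port_80_listeners(netstat_output):
        failures.append(f"port 80 already in use ({addr})")
    if mgmt_iface != "eth0":
        failures.append(f"management interface is {mgmt_iface}, expected eth0")
    return failures


# Constructed sample command output (not captured from a real host).
SAMPLE_SELINUX = "SELINUX=enforcing\nSELINUXTYPE=targeted\n"
SAMPLE_RPM_QA = "net-snmp-utils-5.3.2.2-9.el5\nbash-3.2-24.el5\n"
SAMPLE_NETSTAT = (
    "Proto Recv-Q Send-Q Local Address  Foreign Address  State\n"
    "tcp        0      0 0.0.0.0:22     0.0.0.0:*        LISTEN\n"
    "tcp        0      0 0.0.0.0:80     0.0.0.0:*        LISTEN\n"
)

if __name__ == "__main__":
    for failure in preflight("nxlinux", SAMPLE_SELINUX, SAMPLE_RPM_QA, SAMPLE_NETSTAT, "eth1"):
        print("FAIL:", failure)
    print("disk needed (GB):", required_disk_gb({"SG": 1, "AC-3000": 2}))
```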

For a successful NetXplorer installation on Windows, make sure to verify the following:
That there is at least 4 GB of available Virtual Memory.
On Windows Server 2008, IPv6 should be disabled by going to Control
Panel > Network and Sharing Center > Manage Network Connections >
Local Area Connection Properties. Uncheck the Internet Protocol
Version 6 checkbox to disable the service.
Once verified, download installation files, or copy them from the
installation CD, and start the installation by running the setup.exe file.
You can choose to run a typical setup or a custom setup. With custom
setup you have the ability to install each of the different components in
different locations. Allot recommends that the system files and the different
monitoring files be installed on different drives.
On clicking Next, you can now choose whether the NetXplorer should
synchronize with the local clock or with an external NTP server. Allot
strongly recommends synchronization with an external NTP server. If you
choose this option, you will need to enter the NTP server's IP address
here.
Follow the installation wizard until the installation completes. The
installation may take up to 30 minutes to complete, and at the end, you will
be asked to restart your computer. Finally, verify you have the most recent Protocol Pack installed (see ACTE Module 5).


Here you see some of the errors that you might encounter if you do not
follow the steps outlined in the previous slides.
On a Linux server, in case the package xorg-x11-server-Xvfb was not installed with the operating system, the installation will fail with the error: Error: X Virtual Frame Buffer is Not Detected. Install the package from the operating system installation CD, and run the installation once more.
On a Windows server, if one of the ports required is being used by another
application, then the installation will be aborted.
If there is less than 4 GB of virtual memory available, you will encounter a warning message at the beginning of the download. Note that the virtual memory value can be changed by choosing System from the Control Panel on the server. Open the Advanced tab and click the Performance Settings button. Then open the Advanced tab and click the Change button under Virtual Memory to select a new value.
Note: additional troubleshooting scenarios are covered in more detail in
the ACPP Training Course.

Now let's examine the process for connecting the NetXplorer standalone server package (the SNX-SRV) and the NetXplorer High-Availability package (the NX-HAP).

SNX-SRV is shipped to the customer as an Allot Appliance consisting of the hardware with server software pre-installed on a CentOS operating system.
After unpacking the hardware, the installation consists of 6 steps:
1. Connect a keyboard and monitor to the front panel of the NX-SRV
2. Connect the management and IMM links to the rear panel of the NX-SRV. Connect the management link to port 1. You may connect an additional management link via port 2.
3. Change the IP address of the server via the CentOS UI. After
connecting directly to the NX-SRV, you will see the CentOS User
interface. Enter root for the login and bagabu for the password.
Change the IP address via CentOS UI menus.
4. Run the set_nx_ip4ui.sh script to configure the new IP address in the
NetXplorer application server
5. Configure the IMM Settings
6. Verify you have latest Protocol Pack
The full procedure can be found in Allot NetXplorer Installation &
Administration Guide.


NX-HAP comes pre-installed with CentOS operating system and the NetXplorer
software, but the 3 units need to be correctly connected together. The
connections are as follows:
1. A crossed copper cable is used to connect between Port 3 on one NX server
and Port 3 on the second NX server. (illustrated in green above)
2. A null modem serial cable (RS 232) is used to connect between the Serial
COM port on one NX server and the Serial COM port on the second NX
server. (illustrated in red above)
3. Two Serial SCSI (SAS) cables connect between the first controller on the
RAID storage device and the SAS HBA connection in the first PCIe low
profile slot of each NX server (illustrated in orange above)
4. Two further Serial SCSI (SAS) cables connect between the second controller
on the RAID storage device and the SAS HBA connection in the second PCIe
low profile slot of each NX server (illustrated in orange above)
5. Each NX server is connected to the management network via Port 1
(illustrated in blue above) with an additional link via Port 2, as required.
6. Each controller on the storage device is connected to the management
network by a copper Ethernet link (illustrated in blue above) for storage
management and traps
7. The IMM interface on each NetXplorer server is connected to an external switch by an additional Ethernet management cable (illustrated in blue above)
For a full explanation on how to configure the initial IP settings of the NX-HAP
see the NetXplorer Installation and Administration Guide.

The Integrated Management Module (IMM) is provided with every IBM server that is shipped from Allot.
The module enables an administrator to connect remotely to the server as if connecting locally via a console connection.
Once configured, IMM functions are divided into three groups: Monitor, Tasks and IMM Control. These groups can be accessed from the Navigation Pane on the left-hand side of the IMM Interface.

Now that the NetXplorer server has been successfully installed and connected, let's see how to install the NetXplorer GUI.

It is recommended that the NetXplorer User Interface be installed on a machine with the following minimum specifications: a Pentium 4 processor, 512 MB RAM, Windows XP operating system and a Microsoft Internet Explorer web browser. Note that in addition, history logs will be kept on the NetXplorer client and can consume up to 150 MB of space.
The NetXplorer GUI works with a technology known as WebStart from Sun Microsystems. WebStart enables you to run the NetXplorer User Interface software by simply double-clicking an icon on your computer's desktop.

NetXplorer GUI installation comprises two steps:
1. Installing the Java 7.0 runtime environment
2. Installing the NetXplorer applet
The installation starts at the NetXplorer home page. From your browser, access http://<your_NetXplorer_address>.
The NetXplorer Control panel is displayed.
Click the Install Java JRE first link to start the first step of the installation.


Click the appropriate link and follow the installation wizard instructions to
install JRE 7.0 on your computer. You can either run the installation files or
download them and then run the installation locally.

With JRE 7.0 installed, access http://<your_NX_address> once again.
Now choose to Launch NetXplorer. The Java Web Start window is displayed. When the loading process is complete, a Security Warning may be displayed. Click Start to continue.
A shortcut icon of the NetXplorer server will be placed on your desktop for convenient launching of the NetXplorer User Interface.
When the installation is complete, an icon that launches the NetXplorer user interface appears on your desktop.
You will be prompted to log into the NetXplorer user interface.
The default username is admin; the default password is allot.


In the event that the NetXplorer GUI fails to load, consider the following
actions:
1. Disable pop-up blocking for NetXplorer.
2. For Internet Explorer users, disable 'Empty Temporary Internet Files
folder when browser closed'
a) From the Tools menu, select Internet Options.
b) Select the Advanced Tab and Scroll down to Security
c) Clear the Empty Temporary Internet Files folder when browser
closed checkbox.
d) Click OK, and attempt to access the NX through the browser.
3. Make sure the browser cache file is not saturated:
a) From the Internet Explorer tools menu, select Internet Options.
b) On the General tab, click Delete Files.
c) Select the Delete all offline content checkbox and click OK.
4. If there is a firewall between the GUI Client and the NetXplorer Server,
check that all required ports are opened. A detailed list is available in
the Allot NetXplorer Installation & Admin Guide.
5. If the problem persists, try to access the NetXplorer via the Java Web
Start Application Manager. Note that a full treatment of how to
troubleshoot problems loading the NX GUI is included in the ACPP
Advanced Course Module on Troubleshooting the NX.

Now that we have successfully installed and connected all of the component parts, let's see how to get started with the NetXplorer GUI.

The NetXplorer user interface comprises the following sections:
The Menu bar. This provides access to the key functionality of the NetXplorer applications.
The Toolbar. This offers shortcut buttons which provide easy access to key
NetXplorer functionality. The available shortcuts on the right side of the
window depend on the selected entity in the details area.
The Navigation pane. This is divided into two sections. The lower portion
of the Navigation pane enables you to select and open various NetXplorer
applications. The upper portion of the pane displays a tree-like list of
subcomponents or entries according to the application selected.
The Application Details pane. This displays data regarding the currently
active applications and operations.
Finally, the Alarms log displays a list of the alarms triggered by the alarm
definitions. The Alarms log is automatically refreshed every 30 seconds.


When performing any task in the NetXplorer, you will normally work in the
following order of steps:
1. From the lower part of the navigation pane, select the area of the product you wish to work with, e.g. Network, Catalogs, Events/Alarms, etc. The upper part of the navigation pane will change accordingly.
2. Click the entity you wish to work with from the upper part of the
navigation pane. You can now select an action to perform on the
selected entity.
3. The details area changes to reflect the selected entity and the action
performed on it.
A tab is displayed at the bottom of the pane for each open application. You
can easily navigate between the open applications by clicking the tabs.

There are several ways to perform an action on an entity:
Later we will learn the meaning of creating a new service catalog entry. But for now, let's see how this same action can be performed in 3 different ways:
1. By right clicking on the services entity in the navigation pane, and
selecting new service.
2. By using the add catalog shortcut on the toolbar, and choosing new
service (note that the icons, which are displayed on the right, change
according to the selected entity in the navigation pane or details area)
3. By choosing new service from the actions menu. Again, the available
options in the actions menu, depend on the selected entity in the
navigation pane or details area.

Let's look at an example of how we can use the NetXplorer user interface to monitor network traffic.
1. From the Navigation pane select the Network tab. The network tree is displayed on the top section of the navigation pane.
2. Select the Network entity that you wish to monitor (in this case an AC-500) and choose Real Time Monitoring.
3. Choose an object for monitoring (in this case we choose Protocols).
4. The Real Time Monitoring - Protocols dialog opens. Here you can
define the required graph settings
5. View the defined graph
6. You can now perform actions on the entities in the details area. For
example, you can drill down into one of the protocols illustrated in the
graph or change the display options of the whole graph.
Monitoring and Reporting is fully discussed in Module 4.


Note that the appearance of tables in the NetXplorer can be modified. This
is particularly useful for the policy table (discussed fully in Module 7).
To resize a column's width, click the right border of the column and drag.
To change which columns in the policy table are visible and which are
hidden, right-click the table header, and select Table Column Configuration
from the shortcut menu. The Policy Columns Visibility dialog is displayed.
Now select the columns that you want to display in the table and click
Save.


Now we will review some initial configuration parameters.


In order to use the NetXplorer you must enable the NetXplorer Server by
entering the appropriate key.
To enable the NetXplorer Server, select Tools > NetXplorer Application
Server Registration from the NetXplorer Menu bar. The NetXplorer
Application Server Registration dialog box appears. Enter the Server
Registration Key and Serial Number provided by Allot to enable the
NetXplorer Server functionality.
An Expiration Date will be generated automatically after clicking Save.
Note that an expiry date will appear even when you have purchased a
permanent key. This reflects the expiry of the service contract and is
relevant for the APU feature only, which will cease to work once the
service contract has expired.
Click Save to enter the key and close the dialog box.


You will see that there are two root trees in the network pane: the Network tree and the Servers tree. Under the Network tree we add the Service Gateways and/or NetEnforcers that are to be managed by the NetXplorer. Under the Servers tree we can add Distributed Collectors and SMP servers. Both of these topics are covered in the Allot advanced courses: SMP & ACPP.
To add a NetEnforcer or Service Gateway to the Network tree, we will first
of all need its IP address.
1. In the Navigation pane, right-click the Network in the Navigation tree
and select New NetEnforcer from the popup menu. The NetEnforcer
Properties dialog is displayed.
2. Enter a name for the in-line platform. This is the name that will appear
in the Network tree. Now enter the admin user password of the in-line
platform (The default password for the admin user is allot. It is possible
to change this default password using a script on the NE/SG) and the
IP address of the in-line platform in the designated fields and click OK.
The NE/SG is added to the Navigation tree. The New NetEnforcer
operation can take up to a couple of minutes to fully complete.
Note that in certain earlier software versions, a NetEnforcer that was
added would be rebooted.


Once you have added an in-line platform, you can view and modify its
configuration parameters remotely via the NX. To view configuration and
configure a NetEnforcer or Service Gateway:
1. In the Navigation pane, right-click the NetEnforcer in the Network
tree and select Configuration from the popup menu. The Configuration
window for the selected entity is displayed.
2. After modifying configuration parameters, you must select Save in
order for the changes to take effect. The save process prompts a
reset of the device. Resetting is required to ensure that the saved
parameter values are committed and activated on the NE/SG, so on a
production platform schedule configuration changes accordingly.
3. When the NetEnforcer Configuration dialog is selected, Restart and
Shutdown buttons become active at the top right of the screen. Use
these buttons to Restart or Shutdown the selected NE/SG.
The General tab includes parameters that provide system status
information. Status indicates whether the NE/SG is operating in
Active or in Bypass mode. Bypass Setting indicates whether the bypass
is set to standalone or active (where relevant), or whether it is not
connected at all. Remote Bypass was relevant for a type of redundancy
(parallel redundancy) which is no longer supported on AOS platforms.
Power Supply indicates the status of the power supply on the in-line
platform (OK, Unknown or Problem). Finally, Fans shows the status of the
fans on the in-line platform (OK, Unknown or Problem).

The Identification & Key tab includes parameters that provide system
information and activate optional NE/SG modules. Scroll down here to
show all of the configured license fields. Note that there is no need to
reboot the NE/SG when you add a new key.

The NIC tab includes parameters that enable you to configure the NE/SG's
ports either to auto-negotiate duplex mode and speed, or to use a
predetermined duplex type and speed.
This tab also shows the actual settings of the NE/SG interfaces, and it
allows you to decide what action to take immediately if any of the NICs
should fail.
The action on failure is set to Fail Paired Port by default. This ensures
that traffic will not be blocked if a single port goes down (the platform
fails open rather than closed), and helps towards a trouble-free
installation.
The Port Usage field is particularly useful when defining the usage of
different ports on the SFC-200 or SFB-300 blades.

The Networking tab includes parameters that help you configure the
network topology.
When using an AC-1400 or AC-3000 in an active redundancy configuration,
you need to disable the Bypass unit. This tab is also the place to set the
redundancy mode in which you are working. These issues were explained
fully in Module 2, Introducing In-Line Platforms.
The Networking tab is also the place to enable the HTTP User Defined
Signatures and Tethering condition catalogs, which are covered in more
detail in Module 5.

The IP Properties tab enables you to modify the IP and host name
configuration of your network interfaces, as well as the DNS and
connection control parameters.

The Date/Time tab includes the date, time and NTP (Network Time
Protocol) server settings for the NetEnforcer or Service Gateway. When a
device is added, its primary NTP server is set to the NetXplorer Server
IP address. The NTP server can subsequently be changed only using CLI
commands on the NE/SG. Keep the NetXplorer and all in-line platforms
synchronized to the same time source; otherwise events and alarms
reported by different devices cannot be correlated reliably.

The Slots and Boards tab will only appear in the configuration of certain
in-line platforms (e.g. SG-Sigma or SG-Sigma E). On these multi-blade
devices, you can choose a blade from the graphical representation on the
left side of the screen. Below the graphic you will see each sensor and its
current reading. On the right side of the screen are common chassis
sensors and telco alarms.

The NetXplorer implements a role-based security model. The role defined
for each authorized user indicates the scope of operations that can be
performed by the user. Roles can only be defined by an administrator. The
administrator should access the Users Configuration Editor dialog from the
Tools menu. There are three types of NetXplorer roles:
Monitor: A user assigned this role has read-only access. The Monitor user
can view monitoring reports, graphs and alarms. However, the Monitor user
cannot add, change or delete anything within the NetXplorer application.
Regular: The Regular user has complete read and write privileges in the
NetXplorer application, except for reading and writing User Configuration
definitions.
Administrator: Same as the Regular user, except that an Administrator
has read and write privileges for User Configuration. A user that has
been assigned the Administrator role can configure new users, edit user
details, or delete users. Because this role can grant any privilege to any
account, assign it to as few people as possible and give day-to-day
operators the Regular or Monitor role instead.

By choosing Advanced from the User Configuration Editor, you can
configure password stringency options, such as password strength and
how often a password must be changed.
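The role matrix and the password stringency options from the last two slides, expressed as an authorization check and a password-policy check. This is an added example, not Allot's code: the permission names (app:read, users:write and so on), the policy values, the blacklist of weak passwords and the sample users are assumptions; the guide names the three roles and the two policy dimensions but gives no concrete values.

```python
"""Role-based authorization and password-policy checks modelled on the
NetXplorer user-configuration rules.  Added example, not Allot code: the
permission names, policy values and sample users are assumptions."""
from dataclasses import dataclass
from datetime import date
import re

# "app" covers everything in the application except user configuration,
# which is what separates Regular from Administrator in the guide.
ROLE_PERMISSIONS = {
    "Monitor": {"app:read"},
    "Regular": {"app:read", "app:write"},
    "Administrator": {"app:read", "app:write", "users:read", "users:write"},
}


@dataclass
class User:
    name: str
    role: str
    password_set_on: date


@dataclass
class PasswordPolicy:
    """Assumed stringency settings; the guide names strength and rotation
    but does not state the exact values."""
    min_length: int = 10
    require_classes: int = 3        # of: lower, upper, digit, symbol
    max_age_days: int = 90


def is_allowed(user: User, permission: str) -> bool:
    """True when the user's role grants the permission; unknown roles get nothing."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def password_problems(password: str, user: User, policy: PasswordPolicy,
                      today: date) -> list:
    """Return the list of policy violations (an empty list means compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < policy.require_classes:
        problems.append(f"uses {classes} character classes, needs {policy.require_classes}")
    # 'allot' is the NE/SG admin default named in the guide; the rest of the
    # list is an assumed minimal blacklist.
    if password.lower() in {"allot", "password", user.name.lower()}:
        problems.append("default or trivially guessable password")
    age = (today - user.password_set_on).days
    if age > policy.max_age_days:
        problems.append(f"password is {age} days old, limit is {policy.max_age_days}")
    return problems
```

The check is deny-by-default: a role that is not in the table gets no permission at all, which is the behaviour you want if a user record is ever created with a misspelled role.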

Examine the following requirements:
Pentium 4
512MB RAM
Windows XP
Microsoft Internet Explorer
Which of the 4 listed options do they represent?

Which of the tasks listed on the right can be performed by which user
types?

How can you open a new monitoring graph?

Now we will see a typical workflow.

Here we see a flow chart which represents a full provisioning process from
start to finish. The first step is to analyze business objectives. Only once
we have established what our business goals are can we actually decide
how to classify our network traffic and what traffic policy to build. In a full
provisioning methodology, the next step will be what we call "out of the
box" monitoring. The NetXplorer comes with a predefined default traffic
policy which does no shaping, but classifies traffic into Virtual Channels
according to well-known groups of services. Once our NE or SG is
connected to the network, we can use this default policy to monitor traffic
patterns, and this can help us to decide which policies are needed.
Monitoring will be discussed in full in Module 4 of this course.
Once we know what policies we wish to define, we define our condition
catalogs (discussed in Module 5) and our action catalogs (discussed in
Modules 6 and 9). We then put these building blocks together to build our
traffic policies (Module 7).
At this stage, many customers go back to monitoring. Monitoring tools can
be used here to analyze which traffic is and is not classified into the
Lines, Pipes and VCs we have created. The traffic policy can then be
fine-tuned accordingly.
Finally, at this stage we will typically also define alarms and events
(discussed fully in Module 8). We may also choose to define reports and
even schedule them to run on a regular basis (Module 4).

Introducing NetXplorer

3-45

Module 4
Monitoring and
Reporting

We will now review the NetXplorer's monitoring and reporting capabilities.
It is worth considering first, however, when a customer will typically
want to monitor their network. When seen in the context of the policy
provisioning process, the customer may wish to perform monitoring at
different times.
Monitoring is an ongoing process, and it can begin when you first install
NetXplorer. Performing an initial monitor of the network, using the default
NetXplorer traffic policy, shows you exactly what is going on in your
network and who is doing what. It can thus help you understand which
policy is needed.
Following Line and Pipe definition, you may wish to use the monitoring
tools to verify that the definition has the desired results. Monitoring at this
stage can also help you to decide which Virtual Channels are needed.
Once Virtual Channels are defined, monitoring can be used to verify that
the definition matches what we want to achieve with the classification, and
whether all traffic is classified as required.
Network usage patterns are constantly evolving. New protocols and
applications become popular, while others are used less frequently as time
goes on. By constantly monitoring your network traffic, you can spot
emerging usage patterns and adapt your policies accordingly.

In this module, we will see how to use the NetXplorer to gain full Network
visibility. After a brief overview of the real time monitoring and long term
reporting capabilities, we will examine every type of graph in turn, giving
examples of typical uses. We will then look at several advanced features
including the drill-down capabilities, before moving on to see how you can
schedule pre-defined reports to run on pre-defined groups of entities.

Allot NetXplorer offers numerous different classes of predefined graphs.
We will split all the available graphs into two main categories:
1. Essential Graphs. These are the most commonly used graphs. Using
one or more graphs from this category will give you a full picture of
your network and its behavior. This category contains the following
graphs:
Statistics: Display the bandwidth consumed over a given period of time
through your network, or through specific entities within it.
Policy Entities: Display the most active policy rules defined, or the
distribution of specific policy objects over time, be they Lines, Pipes or
Virtual Channels. Similar graphs also display traffic running through a
specified in-line platform (NetEnforcer or Service Gateway).
Protocols: Display the protocols consuming the most bandwidth, or a
distribution of selected protocols over a period of time.
Hosts & Conversations: Show the most active host objects (internal
and/or external) or the distribution of selected hosts over the period
defined.

2. Additional Graphs. Using the additional graphs ensures an in-depth
view, enabling you to focus on specific details in your network. This
category contains the following graphs:
Utilization: Display the bandwidth consumed on a given entity as a
percentage of a pre-defined maximum.
Percentile: Show average bandwidth and protocol usage for the top
95%, 90%, 75%, 50%, 10% and 5% of hosts or subscribers.
Popularity: Rather than displaying the amount of bandwidth, packets or
connections consumed, these graphs measure the number of
subscribers who used these protocols or were classified into these
Pipes or VCs during the defined period.
Typical Time: Display the results for any of the above graphs as a
typical day or a typical week for the time period defined.
Services: Including Integrated Services graphs, which show steered
traffic by service cluster or by specific server; WebSafe graphs, which
show either inspected URLs or illegal URLs detected by the WebSafe
service; and HTTP Monitoring graphs, which show the most active
domains detected by the HTTP monitoring service.
Asymmetric Traffic: Show the asymmetric traffic which is synchronized
between in-line platforms in an asymmetric traffic configuration.
Subscriber / Service Plans: Show bandwidth consumption based on
subscriber name instead of host; used when working with Allot's SMP.
This is fully described in Allot's SMP training course.
Mobile Analytics: Show detailed analytics when working in certain
mobile environments. For example, different mobile analytics graphs
show various session parameters, service plan metrics, mobile handset
details and more. This is fully described in Allot's SMP training course.
Note that for additional information about each of the reports you may
refer to the NetXplorer Operation Guide and the Allot Report Binder.

You can choose from several different chart styles.
Top graphs show the most active entities, based on the graph type. These
graphs, also called "most active" or "most popular" graphs, can be
displayed as a bar chart or a pie chart.
Distribution graphs show selected objects, based on the graph type.
These can be displayed as a line chart or a stacked area chart.

All of these charts can be displayed in a table view, which displays all of
the readings and the exact values on which the chart is based.

Traffic can be viewed from different perspectives.
The default setting of most NetXplorer graphs is to display the results by
total bandwidth. But you may wish to view something different. Most of the
graphs can be defined to display data by bandwidth, by number of
connections or by number of packets, depending on what you are interested
in viewing. When the graph is displayed, these parameters represent the
vertical y-axis on the graph.
The main exception here is the popularity graphs (pipe popularity, VC
popularity and average protocol popularity): these graphs display their
results by number of subscribers only. This option is not available for
graphs on other objects.
If you have deployed the WebSafe service, you can also view inspected
requests or illegal URLs on the WebSafe graph.
If you are using mobile analytics, you will be able to view graphs by
number of sessions or by mobile devices.
Note that you can only view a graph by Live Connections when the data
resolution is set to the minimum of 30 secs.
Note also that Dropped Connections is not available for all reports. You
may wish to view traffic statistics by dropped connections if, for example,
you have set a limit on the number of connections or on the connection
establishment rate. If the limits have been reached, further connections will
be dropped, and this is something you may wish to monitor: a sudden rise
in dropped connections means either that the limit is set too low or that
something is opening connections faster than usual, and both are worth
investigating.

To view a NetXplorer graph, you will first need to select the object on
which you wish to run the graph from the Network tree.
There are then three different ways to access the graphs:
1) By clicking on the Real-Time Monitoring or Long Term Reporting
shortcut buttons and then choosing the object on which you wish to run the
graph. (NOTE: there is a separate shortcut button for mobile analytics.)
2) By right-clicking on the network element, selecting Real-Time Monitoring
or Long Term Reporting and then choosing the object on which you wish to
run the graph.
3) By selecting Real-Time Monitoring or Long Term Reporting from the View
item on the menu bar, and then choosing the object on which you wish to
run the graph.
NOTE: the menus are context sensitive. This means that the reports
available depend on the entity selected in the Network tree. For example, if
the selected entity is a Pipe, you will be able to see graphs for the
distribution of objects that are inside it: VCs, protocols and hosts. If the
object selected was the top node of the Network tree, then NetEnforcer,
Line and Pipe distribution graphs would also be available.
Note: up to 15 graphs can be opened at the same time. When attempting
to open the 16th graph, an alert message will pop up asking you to close
one graph.

NetXplorer has both real-time monitoring and long-term reporting tools.
The main difference between the two sets of tools is that real-time
monitoring tools are dynamic. They can be set to auto-refresh in real time
according to the time resolution you choose. Long-term reporting tools are
static graphs. The data resolution is also different:
Real-time monitoring graphs can be created at resolutions of 30 secs, 5
mins or 1 hr. These different resolutions of short-term data are saved for 2
hrs, 36 hrs and 36 hrs respectively. Long-term reports can be created at
resolutions of 1 hr, 1 day or 1 month. These different resolutions of
long-term data are saved for 2, 6 and 12 months respectively. These times
can be partially adjusted based on specific needs (see the ACPP course).
In practice this means that a 30-second view of an incident is only
recoverable for two hours after it happened; if you need that level of
detail for a post-mortem, export the graph while the data still exists.
Real-time monitoring is particularly useful if you wish to perform a quick
diagnosis of network problems in real time, using a top-down approach
with intuitive drill-down capabilities. You see what happens when it
happens, which allows you to respond quickly. The auto-refresh can be
turned on, and you can jump backwards and forwards to zoom in on the
period of time that most interests you, so no potential problem is missed.
NOTE: real-time monitoring requires a key on the in-line platform.
Long-term reporting is useful for gathering statistical data on a daily,
weekly or monthly basis. It helps you understand how bandwidth is used
(who, what, where, when), analyze network trends to learn more about
your customers' profiles, and perform smart capacity planning based on
this information. It also allows post-mortem analysis of problems.
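The retention figures above decide whether a graph request can be served at all. The following is an added example, not Allot's code and not how the NetXplorer itself stores data: it encodes those figures and answers "is this resolution still available for this start time?" before the request is made, and picks the finest resolution that still covers a requested window. The function names and the approximation of one month as 30 days are assumptions.

```python
"""Data-availability check for NetXplorer graph requests, built from the
resolution/retention figures stated in the guide.  Added example, not
Allot code; a month is approximated as 30 days."""
from datetime import datetime, timedelta

# resolution -> how long data at that resolution is kept
REAL_TIME = {
    timedelta(seconds=30): timedelta(hours=2),
    timedelta(minutes=5): timedelta(hours=36),
    timedelta(hours=1): timedelta(hours=36),
}
LONG_TERM = {
    timedelta(hours=1): timedelta(days=2 * 30),
    timedelta(days=1): timedelta(days=6 * 30),
    timedelta(days=30): timedelta(days=12 * 30),   # "1 month" as 30 days (assumption)
}


def _table(kind: str) -> dict:
    if kind == "real-time":
        return REAL_TIME
    if kind == "long-term":
        return LONG_TERM
    raise ValueError(f"unknown graph kind: {kind!r}")


def is_available(kind: str, resolution: timedelta,
                 start: datetime, now: datetime) -> bool:
    """True if data at `resolution` still exists back to `start`."""
    table = _table(kind)
    if resolution not in table:
        raise ValueError(f"{resolution} is not a {kind} resolution")
    return now - start <= table[resolution]


def finest_resolution(kind: str, start: datetime, now: datetime):
    """Finest resolution whose retention still reaches back to `start`,
    or None if nothing covers it (the incident is older than any retention)."""
    table = _table(kind)
    for res in sorted(table):               # ascending: finest first
        if now - start <= table[res]:
            return res
    return None


def expected_points(resolution: timedelta, start: datetime, end: datetime) -> int:
    """Number of samples a distribution graph over [start, end] will contain."""
    return int((end - start) / resolution)
```

A useful habit during incident response is to call finest_resolution first and request that resolution, rather than asking for 30-second data and discovering it has already aged out.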

Once you have chosen whether you wish to generate a real-time or a
long-term graph, and on which entity you wish to generate it, you will be
presented with a report properties dialog.
In most cases the dialog contains four tabs: Time, Objects, Limits and
Display. Note however that for the Statistics graph, only the Time and
Display tabs are available.
In the top right corner of each dialog, you will see a small icon which
indicates the type of graph that will be displayed, be it a most active
graph, a most active stacked graph, a distribution graph, a statistics
graph or a utilization-type graph.

In the Time tab, you can determine the time period for the graph.
This can be either the last given length of time, or a period spanning
between two specified times and dates. As well as determining the length
of time for which the report will be run, you can also decide (for long-term
reporting, or real-time monitoring with a resolution of 1 hr or more) whether
you want the reporting period to span back from the time the report is run,
or to span back from a defined moment N days in the past. You can also
determine the data resolution. The options here differ depending on
whether you are defining a real-time monitoring or a long-term reporting
graph.
Finally, if you are configuring a Typical Time graph, an additional
configurable section will appear at the bottom of this dialog. A full
explanation of this will be provided when we come to discuss Typical Time
graphs.

In the Objects tab, the radio buttons at the top allow you to choose
whether to run a top graph or a distribution graph.
To choose a top graph such as "most active protocols", simply choose
the number of objects you wish to view in the report, and then the criteria
on which the "most active" statistics will be based. This determines the
vertical axis in the bar chart that will be initially displayed.
To choose a distribution graph, choose the Specific Objects radio button,
select the specific objects that you wish to see, and move them to the
right-hand window. In this case, the selected objects are protocols, but they
can just as easily be NetEnforcers or Service Gateways, Lines, Pipes, VCs
or hosts.
Note that while the vertical axis of top graphs is set on the Objects tab, the
vertical axis of a distribution report is set on the Display tab.
When opening a protocols graph, Service Groups will appear at the top of
the list, and there is a text filter function to help you easily find the objects
you are looking for.

In the Limits tab, you can choose to limit the scope of your report to a
specified object or objects. The objects available here depend on the
graph which you have chosen to run.
You may for example, wish to view the most popular protocols from within
a particular service group (e.g: P2P protocols). Or, you may wish to view
the most active hosts on specified VCs only. We will discuss this further in
the advanced features section of this module.

Here we see the Display tab.
Data Structure options, available for the top protocols graph only, allow you
to determine whether you want to see the data displayed as a single time
slice for the period of time as a whole, or how the data changed over time
during the selected time period. This will be discussed further in the
protocol graph section of this module.
In the Default Data box, you can set the vertical axis of a distribution
graph. You can also choose here whether you want to see the "All Others"
group in the graph or not.
In the Data Splitting box, you can choose to split or stack the results.
The splitting option is only relevant if you have chosen in the Limits tab to
limit the objects on which you are running the report.
The stacking option gives you the ability to add an additional dimension to
your graph. This is an extremely powerful feature, which will be discussed
further in the advanced features section of this module.
Finally, you also have the option to show data by volume instead of by
rate. This can be useful if, for example, you wish to calculate the total
amount of data transferred by a particular subscriber over a given
time period.

Once a graph has been opened, there are several options available by
right-clicking on it. Using these options, you can do the following:
Show Data By: change the vertical axis without redefining the graph
properties.
Chart Style: switch between different chart styles (e.g. bar to pie chart).
Display: change the way in which data is displayed on the graph. You can
change the units of measurement from kbps to Mbps, or change the order
in which bars on a most active graph are displayed (by value, alphabet,
percentage and more). You can also show the exact values on the graph
or on the legend.
Table View: gives an exact list of the values displayed in the graph.
Errors Log: in case of errors displaying graphs, this provides information
that can help troubleshoot the problem.
For a real-time monitoring graph, you can start the automatic update so
the graph will refresh itself, or you can scroll backward and forward
through time ranges. You can also drill down from a graph to other graphs
for quick, intuitive, context-based analysis. When working with a
distribution graph, you can choose to hide specific instances.
Export: graphs can be exported for viewing or editing by other
applications, to any of the following file formats: CSV, PNG, PDF, JPG or
HTML. Note that if you export to CSV, you can overcome the limit of 50
items which can be shown on a graph.
Finally, the Properties menu item (which is also accessed by a shortcut
button) returns you to the graph parameters dialog and enables you to
refine your graph definitions as required.

There are several other useful tips that can help you get the most out of
the graphs that you are displaying.
When a graph opens, double-clicking on it will maximize its size.
You will notice that the graph opens in a tab according to whether it is a
real-time monitoring graph, a long-term reporting graph, or part of the
Favorites view.
A left click on any area of the graph reveals a tooltip detailing the specific
data reading for that point on the graph.
You can expand and collapse the legend, and you can expand or reduce
the size of the legend box to fit your requirements.
Note that you can switch between the different graphs open on a given tab
by choosing the Graphs List shortcut button.
Note also that the open graphs in the tab can be tiled or cascaded on the
screen.

You may wish to save a particular graph or an arrangement of graphs as
your Favorite view. This is done by right-clicking on the graph and choosing
Add to Favorite View, or simply clicking on the Add to Favorite shortcut
button.
You can display up to ten windows at the same time and arrange them as
required.

Your favorite view can be easily accessed from the view menu.

In this next section, we will see examples of each of the different types of
graphs and how they are used.

We will look in turn at each of these different Essential graph types.

The statistics graph can help you answer questions such as:
How much traffic is passing through my network right now?
When were the peaks/troughs in my network traffic?
How much of my network traffic was inbound or outbound?
When were the most new connections reported?

The Statistics graph shows the total inbound and outbound traffic passing
through the whole network, or any entity on it, over a defined period of time.
By default the graph shows inbound bandwidth, outbound bandwidth and
total bandwidth, but it can be modified to display live or new connections,
or inbound or outbound packets.
We can now see the following examples:
Example #1: How much traffic has been passing through my network?
Select Network on the Navigation tree, and choose to run a Real-Time
Monitoring Statistics graph. Keep the default settings and choose OK.
Right-click on the graph and choose Display > Bandwidth Units > Mbps.
Example #2: When were the most new connections reported? Choose a
NetEnforcer on the Navigation tree, and run a Long Term Statistics graph.
On the Time tab, choose to view data for the last day at 1-hour intervals. On
the Display tab, under Default Data, choose to open the graph on New
Connections. Under Data Mode, choose Show Data by Volume.

Graphs showing the distribution or top results for NetEnforcers, Lines,
Pipes or VCs can help us answer questions such as:
How much traffic is passing through each NetEnforcer or Service
Gateway on the network?
What different types of traffic are running through the network, according
to the traffic I've classified in my policy?
When were the peaks and troughs of different types of traffic?
How well have my Pipes / VCs been defined? Do they catch and
classify most of the network traffic?

For NetEnforcers, Lines, Pipes or VCs, we can run either a most active
objects graph or an object distribution graph.
The distribution graphs display by default the total bandwidth passing
through the NetEnforcer, Line, Pipe or VC over the defined time period.
Aside from the default of total bandwidth, they can be based on inbound
bandwidth, outbound bandwidth, live, new or dropped connections,
inbound packets or outbound packets.
The top graphs display the NetEnforcers, Lines, Pipes or VCs through
which the most bandwidth has passed over the defined time period. The
graph can display up to 50 objects, and as with the distribution graphs, the
vertical axis can be modified to display a number of other criteria.
The types of objects graphs which are available depend on the network
entity which you are investigating, as shown in the table on the slide.
Now, let's see some examples:
Example #1: How much traffic is passing through each NetEnforcer or
Service Gateway on the network? Select the network at the top of the
Network tree and choose to run a real-time monitoring graph on
NetEnforcers. On the Objects tab, choose the Specific NetEnforcers
radio button, select all of the NetEnforcers you wish to analyze and click
OK. Click on Table View to see the exact total bandwidth figures for
each NetEnforcer over the last 30-second period.

Example #2: How well have my Pipes / VCs been defined? Do they catch
and classify most of the network traffic? Select a Pipe which contains a
large number of VCs. Choose to run a real-time monitoring graph on
Virtual Channels. On the Objects tab, choose the Specific Virtual
Channels radio button, select all of the VCs in the Pipe and click OK.
Traffic that none of the VC conditions matched lands in the Pipe's fallback
VC, so a large fallback share means the classification needs work. Drill
down from the fallback VC into Most Active Protocols to see what it
contains.

The protocols graphs can help you answer questions such as:
How much bandwidth has been taken up by specific protocols?
Which protocols have been taking up most bandwidth on your network?
Which protocols have not been classified in the VCs you have created?
Is there any suspicious network activity that could indicate a DoS
attack?

The bandwidth consumed by specific protocols can be tracked over time
in Protocol Distribution graphs, and the protocols which consumed the
most bandwidth can be displayed in the Most Active Protocols graph.
These two graphs can be run on any network entity, and aside from the
default choice of measuring protocol activity on the basis of total
bandwidth, the graphs can be based on inbound bandwidth, outbound
bandwidth, live, new or dropped connections, inbound packets or outbound
packets.
You can choose to display either individual applications or service groups
in the Protocol Distribution graph.
Now, let's see some examples:
Example #1: How much bandwidth has been taken up by HTTP and
HTTPS? Select the network at the top of the Network tree and choose to
run a real-time monitoring graph on Protocols. On the Time tab, choose to
view the last day at a resolution of 1 hr. On the Objects tab, choose the
Specific Protocols radio button, select HTTP and HTTPS and click OK.
Example #2: Is there any suspicious network activity that could indicate a
DoS attack? Select the network at the top of the Network tree and choose
to run a real-time monitoring graph on Protocols. On the Objects tab,
choose to view the 5 most active protocols based on New Connections
and click OK. A flood typically shows up as a protocol whose new-connection
count jumps far above its usual level while its bandwidth stays small;
compare the result against the same graph for a normal period before
raising an alarm, since a legitimate burst of short connections (DNS, for
example) can look similar.
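The "most active protocols by new connections" check in Example #2 above, and the fallback-VC check in Example #2 of the previous slide, both come down to aggregating per-interval counters. The following is an added example, not Allot code and not the NetXplorer's own computation: it runs those aggregations over a small set of constructed flow records (the record layout, the protocol and VC names, and the spike factor are all assumptions) and flags a protocol whose new-connection count is out of line with its history, which is the signature described above.

```python
"""Top-N aggregation, fallback-VC share and a new-connection spike check
over flow records.  Added example, not Allot code: the record layout, the
sample flows and the spike factor are constructed assumptions."""
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample: (interval, protocol, vc, total_kbit, new_connections).
# Intervals 0 and 1 are normal; interval 2 adds a SYN-style flood.
FLOWS = [
    (0, "HTTP",     "Web",      800, 40),
    (0, "HTTPS",    "Web",      300, 20),
    (0, "DNS",      "Fallback",  10, 30),
    (0, "Skype",    "Fallback",  90, 10),
    (1, "HTTP",     "Web",      820, 42),
    (1, "HTTPS",    "Web",      310, 21),
    (1, "DNS",      "Fallback",  12, 33),
    (1, "Skype",    "Fallback",  95, 12),
    (2, "HTTP",     "Web",      790, 41),
    (2, "HTTPS",    "Web",      305, 19),
    (2, "DNS",      "Fallback",  11, 31),
    (2, "SYN-only", "Fallback",   5, 900),   # many new connections, almost no bytes
]

# Field positions in a record
PROTO, VC, KBIT, NEWCONN = 1, 2, 3, 4


def most_active(flows, key, metric, top=5, interval=None):
    """Top-N objects by a metric, like the Objects tab's "most active" setting.
    `key` and `metric` are record field indices; `interval` limits to one slice."""
    totals = Counter()
    for rec in flows:
        if interval is None or rec[0] == interval:
            totals[rec[key]] += rec[metric]
    return totals.most_common(top)


def fallback_share(flows, fallback_vc="Fallback", metric=KBIT):
    """Fraction of the metric that the policy did not classify (fallback VC)."""
    total = sum(r[metric] for r in flows)
    unclassified = sum(r[metric] for r in flows if r[VC] == fallback_vc)
    return unclassified / total if total else 0.0


def new_connection_spikes(flows, factor=5.0):
    """Protocols whose new-connection count in the latest interval exceeds
    `factor` times the mean of earlier intervals, or which have no history.
    Returns (protocol, latest_count, baseline) tuples."""
    per_interval = defaultdict(lambda: defaultdict(int))
    for rec in flows:
        per_interval[rec[0]][rec[PROTO]] += rec[NEWCONN]
    latest = max(per_interval)
    history = [per_interval[i] for i in per_interval if i != latest]
    spikes = []
    for proto, count in per_interval[latest].items():
        past = [h.get(proto, 0) for h in history]
        baseline = mean(past) if past else 0
        if baseline == 0 or count > factor * baseline:
            spikes.append((proto, count, baseline))
    return spikes
```

A protocol with no history is flagged deliberately: a flood often arrives as a "new" protocol in the top-N list. Treat the result as a prompt to drill down, not as a verdict, for the reason given in the text above.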

When you open a Most Active Protocols graph you can choose to see the
top X protocols (up to 50).
The display can be set to "data for the period as a whole". This will result
in a bar graph, showing you the total bandwidth consumption of the most
used protocols for the selected time period.
Alternatively, you can choose to display "data over time". This will result
in a stacked area graph, showing you the protocol distribution over the
selected period of time. You can then scroll back to a previous time slot,
which may change the result you see.

When you open a distribution graph you can choose to see specific
protocols or protocol groups from the list.
The display can be set to "data for the period as a whole". This will result
in a pie chart, showing you 100% of the services or service groups
selected. You can also choose to display "All Others", which will group all
the non-selected services for you.
Alternatively, you can choose to display "data over time". This will
generate a stacked area graph, showing you how specific protocols are
distributed over the selected period of time. You can then scroll back to a
previous time slot, which may change the result you see.

The next group of objects on which you can run graphs is hosts. Before
discussing this group in more detail, it is important to clarify what we mean
by internal and external hosts.
Internal hosts are defined as those originating from the side of the network
that is connected to the internal interface on the bypass unit or blade of
the NetEnforcer or Service Gateway. External hosts originate from the
side of the network that is connected to the external interface. NOTE: In
the case of the AC-500 where the bypass function is internal, hosts are
defined as internal or external on the basis of which network interface they
are connected to.

Running a graph on hosts can help you answer questions such as:
Which IP addresses are taking up the most bandwidth?
Who should be targeted for special service package offers?
Which IPs are using particular protocols?
NOTE: Service providers typically operate in a dynamic IP environment
where IP addresses are dynamically allocated to subscribers from an
available pool. In order to monitor subscriber usage patterns in a dynamic
IP environment, you will need to deploy Allot's Subscriber Management
Platform (SMP) which integrates with the IP allocation system to ensure
real-time mapping between subscriber, allocated IP and purchased service
plan. Dedicated graphs are used when working with SMP and these are
discussed in the SMP training course.

You can run a graph on internal hosts, external hosts, on conversations or
simply on hosts. These graphs can be run on any network entity.
In most cases, users are interested in graphs run on internal hosts so
that they can, for example, see which hosts are generating the most traffic.
Many users are also interested in conversations. The results of a graph
run on conversations are displayed as a pair, showing which internal hosts
have been speaking with which external hosts. The hosts graph,
meanwhile, shows both internal and external hosts together, without
distinguishing between the two, while the external hosts graph shows
external hosts only.
Note that by default external host data is not collected. In order to view
external host and/or conversation graphs, external host collection must be
enabled. You will need help from Allot customer support in order to
undertake this procedure, but bear in mind that it should be done with
caution, especially in service provider environments, where the number of
external host records produced can be very large indeed.
The vertical axis of each of these graphs will, by default, display total
bandwidth, but it can be reconfigured to display in / out bandwidth, live /
new connections, or in / out packets.
Now let's see an example: Which IP addresses are taking up the most
bandwidth? Select the network at the top of the network tree and choose
to run a real-time monitoring graph on Internal Hosts. On the objects tab,
choose the 10 most active internal hosts and click on OK.

Additional Graphs enable you to focus on specific details that are relevant
in your network. In the following section you will find detailed explanations
about each graph type. Note: subscriber graphs, service plan graphs and
mobile analytics are covered in the SMP course.

The utilization graph can help you answer questions such as:
Is my network approaching full capacity?
Are the limits I have defined for different applications or users realistic?
Are my network resources being over or under-used?

The utilization graph shows the percentage of inbound and outbound
bandwidth utilized on a particular line, pipe or VC. The graph reading is a
percentage of the bandwidth maximum that has been defined for that
entity in the policy table. It can therefore only be run on an entity for which
a maximum has been defined.
Note: If a minimum is also defined, traffic generated below this minimum
will also be shown on the graph.
Now let's see an example:
Example #1: Is my network approaching full capacity? Select a line on the
network tree and choose the real-time monitoring utilization graph.

Running a Percentile graph can help you answer questions such as how
much bandwidth is being used on average by the top 5% of subscribers
(Bandwidth Usage Percentile Report), or what is the web usage profile of
the most active 10% of subscribers (Percentile Protocols graph).
Alternatively, a carrier might use the 95th percentile report to determine
how much to bill a service provider for wholesale bandwidth consumed
over a month.

The bandwidth usage percentiles graph shows the average bandwidth
usage for different subscriber groups. The subscriber groups that are
represented in the graph are the top 95%, 90%, 50%, 25%, 10% and 5%
of subscribers. The legend displayed in parentheses is the number of
hosts or subscribers included in each percentile group.
What this powerful graph gives the marketing or operations departments
at a service provider is the ability to profile different types of network
users, to understand their needs and how much network resources they
are consuming.
The bandwidth usage percentiles graph is available both as a long term
reporting and a real-time monitoring graph. It can be run on NetEnforcers,
Lines, Pipes or VCs. It cannot be run on a network level.

Let's now briefly examine how the bandwidth usage percentiles graph is
calculated.
1. Let's suppose that for the chosen period of time, there are 2564
different hosts on the network.
2. The NetXplorer extracts the bandwidth each host is generating.
3. The NetXplorer takes these 2564 hosts and arranges them in a table
from the heaviest user to the lightest user.
4. Once the users are arranged in this way, different percentiles can be
identified. First we need to know what one percentile is. We take
the total number of users and divide it by 100. In this example, it will
be 26 users (25.64, rounded up).
Percentile 1 will represent the bottom 26 users. It will be calculated as the
average bandwidth used by the 26 hosts with the lowest bandwidth (or
numbers 2539 - 2564 on our list).
Percentile 100 will represent the top 26 users. It will be calculated as the
average bandwidth used by the 26 hosts with the highest bandwidth (or
numbers 1 - 26 on our list).
All other percentiles are calculated in the same way.

NetXplorer then goes on to calculate the average bandwidth between
certain sets of percentiles.
It calculates the average bandwidth between:
- Percentiles 95-100, or the top 5% of users
This means the average bandwidth used by the 129 (25.64 * 5) hosts with
the highest bandwidth (or numbers 1 - 129 on our list).
- Percentiles 90-100
- Percentiles 75-100
- Percentiles 50-100
This means the average bandwidth used by the 1282 (25.64 * 50) hosts
with the highest bandwidth (or numbers 1 - 1282 on our list).
- Percentiles 10-100
- Percentiles 5-100, or the top 95% of users
This means the average bandwidth used by the 2435 (25.64 * 95) hosts
with the highest bandwidth (or numbers 1 - 2435 on our list).
The resulting graph is typically skewed, and shows us clearly how the
average bandwidth being consumed by the top 5% of users is many times
greater than the average bandwidth of all users on the network.
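The following Python script is an added worked example of the percentile calculation described on the last two slides; it is not part of this guide or of the NetXplorer product. It uses a constructed set of 2564 hosts with made-up bandwidth figures, arranges them from heaviest to lightest, and computes the host count and average bandwidth for the top 5%, 10%, 25%, 50%, 90% and 95% groups, together with the single percentiles 1 and 100. The page does not spell out its rounding rule (25.64 * 5 is given as 129, but 25.64 * 95 as 2435), so the script assumes that fractional group sizes round up.

```python
"""Bandwidth usage percentile groups, worked through as the guide describes.

Constructed example: 2564 hosts with synthetic per-host bandwidth figures.
"""
import math
from typing import Dict, List, Tuple

# Constructed per-host bandwidth in kbps; values are synthetic, not measurements.
SAMPLE_USAGE: Dict[str, float] = {
    f"10.0.{i // 256}.{i % 256}": float((i * 7) % 1000 + 1) for i in range(2564)
}

# The groups the graph plots: top 95%, 90%, 50%, 25%, 10% and 5% of hosts.
GROUPS = (95, 90, 50, 25, 10, 5)


def rank_hosts(usage: Dict[str, float]) -> List[Tuple[str, float]]:
    """Steps 2-3: arrange the hosts from heaviest user to lightest user."""
    return sorted(usage.items(), key=lambda kv: kv[1], reverse=True)


def percentile_size(host_count: int) -> int:
    """Step 4: one percentile is host_count / 100, rounded up (2564 -> 26)."""
    return math.ceil(host_count / 100)


def group_size(host_count: int, top_percent: int) -> int:
    """Hosts in the 'top N%' group. Assumption: fractional counts round up,
    which matches the guide's 129 for 25.64 * 5."""
    return math.ceil(host_count * top_percent / 100)


def average_bandwidth(hosts: List[Tuple[str, float]]) -> float:
    """Mean bandwidth of a slice of the ranked host list."""
    return sum(bw for _, bw in hosts) / len(hosts)


def edge_percentiles(ranked: List[Tuple[str, float]]) -> Tuple[float, float]:
    """Percentile 1 (average of the lightest 26 hosts) and percentile 100
    (average of the heaviest 26 hosts), exactly as the guide describes them."""
    size = percentile_size(len(ranked))
    return average_bandwidth(ranked[-size:]), average_bandwidth(ranked[:size])


def percentile_group_averages(usage: Dict[str, float]) -> Dict[int, Tuple[int, float]]:
    """For each 'top N%' group return (host count, average bandwidth).
    The host count is what the graph legend shows in parentheses."""
    ranked = rank_hosts(usage)
    result: Dict[int, Tuple[int, float]] = {}
    for pct in GROUPS:
        n = group_size(len(ranked), pct)
        result[pct] = (n, average_bandwidth(ranked[:n]))
    return result


if __name__ == "__main__":
    for pct, (count, avg) in percentile_group_averages(SAMPLE_USAGE).items():
        print(f"top {pct:>2}% ({count} hosts): {avg:8.1f} kbps average")
```

Running the script prints one line per group; the averages fall as the group widens, which is the skew the graph makes visible.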

Just like the bandwidth usage percentile graph, the Percentile Protocols
graph is available both as a long term reporting and a real-time monitoring
graph. It can be run on NetEnforcers, Lines, Pipes or VCs. It cannot be
run on a network level. It can also be accessed by drilling down from a bar
in the Bandwidth Usage Percentiles graph.
When generating the graph, you must specify in the Objects tab which
percentile group you wish to analyze. You are then presented with a graph
showing the average bandwidth used for each of the top protocols (10 by
default) within that percentile group. The number of hosts (or subscribers,
depending on the graph definition) that use each protocol is recorded in
the legend in parentheses.
Now let's see an example:
Example #1: How much bandwidth is being used on average by the top
5% of subscribers? Select the NetEnforcer or Service Gateway on the
network tree through which the traffic to be analyzed runs.
Choose to run a real-time monitoring graph on Bandwidth Usage
Percentiles. Click on OK.

The 95th Percentile graph is used for billing purposes by Operators and
Carriers who are charging for internet access based on bandwidth usage.
This may be a carrier who is renting wholesale bandwidth to a Service
Provider, or it may be a Service Provider renting bandwidth to an
Enterprise.
It uses the de facto industry standard for calculating bandwidth usage,
where the top 5% of samples are discarded, and an average is taken of
the remaining 95%. The 95th percentile allows a customer to have a short
(e.g. less than 36 hours in a monthly billing period) burst in traffic
without overage charges. The 95th percentile says that 95% of the time,
the usage is at or below this amount. Conversely, 5% of the samples may
be bursting above this rate.
The graph is available for monthly periods of time as a long term reporting
graph and for hourly periods as a real-time monitoring graph. It can only be
run on Lines, Pipes or VCs. It cannot be run on a network or a NetEnforcer level.
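As an added illustration (not code from this guide or from NetXplorer), the Python script below applies the 95th percentile rule to a constructed month of 5-minute bandwidth samples. It shows both the rank-based reading, the highest sample left after the top 5% are discarded, which is the rate that usage stayed at or below 95% of the time, and the average-of-the-remainder wording used above, and it confirms the 36-hour burst allowance for a 30-day period: 5% of 8640 samples is 432 samples, or 36 hours. The 5-minute sample interval, the 30-day month and the baseline and burst rates are assumptions.

```python
"""95th percentile billing rule applied to a constructed month of samples."""
import math
from typing import List

SAMPLE_INTERVAL_MIN = 5     # one sample every 5 minutes (assumption)
DISCARD_FRACTION = 0.05     # the top 5% of samples are discarded


def samples_per_period(days: int, interval_min: int = SAMPLE_INTERVAL_MIN) -> int:
    """Number of samples in a billing period: 30 days -> 8640 samples."""
    return days * 24 * 60 // interval_min


def burst_allowance_hours(days: int, interval_min: int = SAMPLE_INTERVAL_MIN) -> float:
    """How long a burst can last before it reaches the bill: the discarded 5%
    of samples expressed in hours (30 days -> 36 hours)."""
    discarded = math.floor(samples_per_period(days, interval_min) * DISCARD_FRACTION)
    return discarded * interval_min / 60


def _kept_samples(samples: List[float]) -> List[float]:
    """Sort ascending and drop the highest 5% of samples."""
    ordered = sorted(samples)
    discarded = math.floor(len(ordered) * DISCARD_FRACTION)
    return ordered[: len(ordered) - discarded]


def percentile_95_rank(samples: List[float]) -> float:
    """Rank-based 95th percentile: the highest sample that survives the cut,
    i.e. the rate at or below which usage stayed 95% of the time."""
    return _kept_samples(samples)[-1]


def percentile_95_average(samples: List[float]) -> float:
    """The guide's wording: the average of the remaining 95% of samples."""
    kept = _kept_samples(samples)
    return sum(kept) / len(kept)


def monthly_samples(burst_hours: float, baseline: float = 100.0,
                    burst: float = 500.0, days: int = 30) -> List[float]:
    """Constructed month of samples (Mbps): a steady baseline plus one burst."""
    total = samples_per_period(days)
    burst_n = int(burst_hours * 60 / SAMPLE_INTERVAL_MIN)
    return [burst] * burst_n + [baseline] * (total - burst_n)


if __name__ == "__main__":
    for hours in (30, 40):
        s = monthly_samples(hours)
        print(f"{hours}h burst: billable rate {percentile_95_rank(s):.0f} Mbps "
              f"(average of kept samples {percentile_95_average(s):.1f} Mbps)")
```

A 30-hour burst at 500 Mbps leaves the billable rate at the 100 Mbps baseline because all of its samples fall inside the discarded 5%; a 40-hour burst pushes 48 of its samples past the cut and the billable rate becomes 500 Mbps.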

The average protocol popularity graph may be of particular use, for
example, to the marketing department of a service provider. It can help
you answer questions such as:
How many subscribers are generating the protocols which consume the
most bandwidth on my network?
What are the long-term usage patterns of subscribers on my network?

Popularity graphs differ from other graphs in that they measure not the
amount of bandwidth, but rather the number of subscribers using
particular protocols, pipes or VCs.
Three different popularity graphs are available as long term reports only:
Average Protocol Popularity (which can be run at the Network or
NetEnforcer level only), Pipe Popularity (which can be run at the Network,
NetEnforcer or Line level) and VC Popularity (which can be run on all
network entities except for the VC itself).
As with the other object reports, the user can choose to view either most
popular graphs, showing the protocols, pipes or VCs used by the largest
number of IPs, or popularity distribution graphs, which show the
distribution of protocols, pipes or VCs by number of IPs over a defined
period of time.
NOTE: This graph uses a large amount of system resources and is
disabled by default. To enable this graph, please contact
support@allot.com.

The key difference between the most active protocols graph and the
average protocol popularity graph is illustrated by the juxtaposition of the
two pie charts above, which were generated on the same network entity
over exactly the same period of time.
The chart on the left (most active protocols) displays the 6 protocols which
consumed the most bandwidth on the network. The chart on the right
(average protocol popularity) displays the 6 protocols which were used by
the largest number of subscribers on the network. The differences are
striking.
It is clear that the protocols which were responsible for the most
bandwidth on the network (eDonkey, Gnutella, KaZaA in the most active
protocols graph on the left) were being generated by a very small
percentage of the subscribers (as shown in the average protocol
popularity graph on the right). In fact, the overwhelming majority of
subscribers were generating HTTP traffic, which accounted for a relatively
small share of the bandwidth load on the network.
Let's see an example:
Example #1: How many subscribers have been generating the protocols
which consume the most bandwidth on my network? Select the network at
the top of the network tree and choose to run a long-term reporting graph
for Average Protocol Popularity. On the objects tab, choose the 10 most
popular protocols and click on OK.

The typical time graph can help you answer questions such as:
What are the most popular protocols over a typical weekend?
What is the distribution of different types of protocols over the course of
a typical day?
What are the typical usage patterns of subscribers during evening peak
surfing hours?

Typical time graphs are very useful for giving indicators of typical network
and subscriber behavior in a typical day or week over a defined period of
time.
They can be used to create top graphs, but they are most relevant in the
context of distribution graphs. In this case you can choose to see the
distribution of the objects you select over the course of either a typical day
or a typical week for a defined period of time. Note that the time resolution
field does not appear in a typical day or week report. The resolution for a
typical day and typical week report will always be 1 hour.
For a most active report, the button to choose between typical day and
week is grayed out as it has no relevance. A typical time most active
report where all the hours in the week have been chosen is in fact the
same as a regular most active report with a resolution of 1 hour. In both
cases the graph displays the traffic that existed in the indicated time
period, divided by the time length (hence displaying in fact a 'rate'). There is
one difference between a typical time most active report and a regular
most active report. This is the ability to choose specific days and hours
during the week to run the report on. This means that for the same period
of time, say the last month, you could run a typical day report to see the
top 10 protocols inside work hours, and a different graph for the top 10
protocols outside work hours.

As we see here, for a typical day distribution graph, the hours of the
typical day appear on the horizontal axis. Total bandwidth, or whatever
other parameter has been defined, appears on the vertical axis. This
particular graph shows the distribution of selected groups of protocols over
the course of a typical day from midnight to midnight.
If the period defined for this graph was the last month, then NetXplorer
creates this graph by computing an average total bandwidth for each
protocol group at every hour. The average is calculated from the total
bandwidth figures on that protocol group at that particular hour, every day
over the course of the last month.
Now let's see an example:
Example #1: What is the distribution of different types of protocols over the
course of a typical day? Select a pipe from the network tree containing
VCs which classify traffic by groups of services. Choose long-term
reporting, typical time, and virtual channels. On the time tab, choose to
show data for the last month. On the objects tab, choose the Select
Specific Virtual Channels radio button, select all of the VCs in the pipe
and click on OK.
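The script below is an added example, not part of this guide or of NetXplorer, of how the typical day and typical week averages described above are computed from hourly records: for every protocol group and hour of the day it averages the hourly totals across all the days in the period, and for a typical week it averages per weekday and hour. It also reproduces the typical time "most active" calculation restricted to chosen hours (the traffic in those hours divided by the number of hours, i.e. a rate), as used for an "inside work hours" report. The four-week data set starting on Monday 2 January 2012, the two protocol groups and their bandwidth figures are all constructed.

```python
"""Typical day / typical week averaging over constructed hourly records."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, Hashable, Iterable, List, Tuple

# (hour timestamp, protocol group, total bandwidth in Mbps): constructed, not measured.
Record = Tuple[datetime, str, float]

DAYS = 28
START = datetime(2012, 1, 2)   # a Monday, so the period holds exactly 4 full weeks


def build_sample_records() -> List[Record]:
    """Four weeks of hourly totals for two protocol groups (constructed data)."""
    records: List[Record] = []
    for day in range(DAYS):
        for hour in range(24):
            ts = START + timedelta(days=day, hours=hour)
            # Web traffic rises through the day and is identical every day.
            records.append((ts, "Web", 100.0 + 10.0 * hour))
            # P2P traffic is flat within a day but much heavier at weekends.
            records.append((ts, "P2P", 300.0 if ts.weekday() >= 5 else 50.0))
    return records


def _average_by(records: Iterable[Record],
                key: Callable[[datetime, str], Hashable]) -> Dict[Hashable, float]:
    """Mean bandwidth of all records that share the same key."""
    sums: Dict[Hashable, float] = defaultdict(float)
    counts: Dict[Hashable, int] = defaultdict(int)
    for ts, group, bw in records:
        k = key(ts, group)
        sums[k] += bw
        counts[k] += 1
    return {k: sums[k] / counts[k] for k in sums}


def typical_day(records: Iterable[Record]) -> Dict[Hashable, float]:
    """Average per (group, hour of day) across every day in the period: the
    value plotted at each hour of a typical day distribution graph."""
    return _average_by(records, lambda ts, g: (g, ts.hour))


def typical_week(records: Iterable[Record]) -> Dict[Hashable, float]:
    """Average per (group, weekday, hour), with weekday 0 = Monday."""
    return _average_by(records, lambda ts, g: (g, ts.weekday(), ts.hour))


def most_active_in_hours(records: Iterable[Record],
                         hours: Iterable[int]) -> List[Tuple[str, float]]:
    """Typical time 'most active' report limited to chosen hours of the day:
    total traffic in those hours divided by the number of selected hours
    (a rate), ranked from highest to lowest."""
    chosen = set(hours)
    per_group = _average_by((r for r in records if r[0].hour in chosen),
                            lambda ts, g: g)
    return sorted(per_group.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    recs = build_sample_records()
    day = typical_day(recs)
    print("Typical day at 09:00:", {g: day[(g, 9)] for g in ("Web", "P2P")})
    print("Most active inside work hours:", most_active_in_hours(recs, range(9, 18)))
```

In the constructed data the typical day value for P2P is the same at every hour (8 weekend days at 300 Mbps and 20 weekdays at 50 Mbps average to about 121 Mbps), while the typical week keeps the weekend and weekday figures apart; that is the difference between the two report types.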

The different service graphs can help you answer questions such as:
How much subscriber traffic was being steered to a newly deployed
service?
How is steered traffic balanced between the different content servers
deployed?
Which websites were most accessed by my subscribers? (Most Active
Domains Graph)
How many illegal URLs were accessed by my subscribers? (WebSafe
Graph)

This report shows the traffic which is steered to the various Integrated
Services deployed. The report is available on a NE or SG level (as long as
Integrated Services are enabled) as a Long-Term or Real Time graph.
Most Active Integrated Services, Most Active Integrated Services by
Server, Integrated Services Distribution and Integrated Services Server
Distribution graphs are available, showing Total Bandwidth, In Bandwidth,
Out Bandwidth and Live Connections.

To run the Most Active Domains graph, you must first enable the service (the
service can be set to Always Enabled, Always Disabled or Policy Based
from the Integrated Service tab in the Network Configuration window). The
report shows the most active domain names for all the network traffic (if in
Always Enabled mode) or for the policy entities on which HTTP
Monitoring is selected as an action (if in Policy Based mode). The report
is available at the in-line platform level as a Long-Term or Real Time Most
Active graph, showing In Bandwidth, Out Bandwidth, Total Bandwidth,
Live Connections, New Connections, Packets In, Packets Out and
Number of Subscribers.

The WebSafe traffic report shows the HTTP traffic being checked and
filtered by WebSafe (if WebSafe is enabled). This report is available on an
in-line platform level or network level as a Long Term or Real Time
Report, showing Inspected Requests or Illegal URLs per second.
Now let's see an example:
Example #1: How many illegal URLs were accessed by my subscribers
over the last 24 hours? Select the network level from the network tree.
Choose long-term reporting and WebSafe. On the time tab, choose to
show data for the day. On the display tab, choose to display data by
illegal URLs and click on OK.

This report shows the traffic exchanged between the selected in-line
platform and each Asymmetry Group member. This report is available on a
device level (as long as the in-line platform has Asymmetry enabled) as a
Long-Term or Real Time Distribution graph, showing Asymmetry In
Bandwidth, Asymmetry Out Bandwidth and Number of Asymmetry
Sessions. The meaning and usage of this report was discussed fully in
Module 02 of this course: Introducing In-line platforms.

The VOIP Minutes of Use graph can help you answer questions such as:
How many minutes of use were consumed by OTT VOIP applications?
How much potential revenue was lost due to VOIP delivered to
subscribers over the top of your network?

In order to be able to view the VOIP minutes of use graph, it must be enabled.
To enable it, go to the NetEnforcer / Service Gateway Configuration
window. The Service Activation tab has a section for VOIP Reports.
Choose Enable for VOIP Data Collection and save this configuration.
The graph will be available after 5 minutes.

This report shows the total minutes of use for specific VOIP protocols. It is
available as a Long-Term or Real Time graph. For Real Time it is only
available at 5 minute or 1 hour data resolutions.
Available filters for limiting the graph are:
- Protocols. The following protocols are supported: Skype, MSN RTP,
Yahoo SIP, Yahoo RTP, Yahoo voice, AOL VoIP, GoogleTalk, Google
Talk RTP, Ventrilo, SIP, SIP-RTP, H.323
- Service Plans. Service Plans are discussed more fully in the SMP
training course.
Here is an example to explain how the graph results are presented. If I
have 10 calls running in parallel between 13:00 and 13:12, then the graph
will show:
At 13:05 10x5=50 Minutes of use
At 13:10 10x5=50 Minutes of use
At 13:15 10x2=20 Minutes of use
At 13:20 10x0=0 Minutes of use
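The minutes of use figures above can be reproduced with the following added Python example, which is not code from this guide or from NetXplorer. It splits the period into 5-minute samples and, for each sample, adds up how much of each call falls inside it, so 10 calls that cover the whole of a sample contribute 10 x 5 = 50 minutes and 10 calls that end 2 minutes into a sample contribute 20. The ten parallel calls from 13:00 to 13:12 and the placeholder date are constructed.

```python
"""VOIP minutes of use per 5-minute sample, reproducing the worked example."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

BUCKET = timedelta(minutes=5)
Call = Tuple[datetime, datetime]      # (call start, call end)

DAY = datetime(2012, 1, 1)            # placeholder date; only the time of day matters


def sample_calls() -> List[Call]:
    """Constructed input: 10 calls running in parallel from 13:00 to 13:12."""
    start = DAY.replace(hour=13, minute=0)
    end = DAY.replace(hour=13, minute=12)
    return [(start, end) for _ in range(10)]


def minutes_of_use(calls: List[Call], window_start: datetime, window_end: datetime,
                   bucket: timedelta = BUCKET) -> Dict[str, float]:
    """Minutes of use per sample, keyed by the sample's end time (HH:MM).
    Each call contributes the length of its overlap with the sample interval,
    so a call that ends 2 minutes into a sample adds 2 minutes to it."""
    result: Dict[str, float] = {}
    t = window_start
    while t < window_end:
        b_start, b_end = t, t + bucket
        total = 0.0
        for c_start, c_end in calls:
            overlap = min(c_end, b_end) - max(c_start, b_start)
            if overlap > timedelta(0):
                total += overlap.total_seconds() / 60
        result[b_end.strftime("%H:%M")] = total
        t = b_end
    return result


if __name__ == "__main__":
    mou = minutes_of_use(sample_calls(), DAY.replace(hour=13),
                         DAY.replace(hour=13, minute=20))
    for label, minutes in mou.items():
        print(f"At {label}: {minutes:.0f} minutes of use")
```

The same overlap rule handles calls that start or end part-way through a sample, which is why the 13:15 sample shows 20 minutes rather than 50 or 0.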

In this next section, we focus on some of the more advanced features of
NetXplorer monitoring.

The NetXplorer's powerful drill-down capabilities enable you to start by
looking at the big picture, and then zoom in further to learn more about a
particular Host, Protocol, Pipe, or anything else that grabs your attention. In
fact, you can drill down from any NetXplorer graph to all related graphs in
context.
For example, while viewing a VC distribution graph, you might select a
particular VC that interests you and drill down into the Most Active
Protocols graph. This will show you the most active protocols on the
particular VC that you were hovering over. Furthermore, you can then
select a protocol you wish to investigate further, right-click it, and drill
down to see the Most Active Hosts for this particular protocol. And this is
just a single example.

The NetXplorer's powerful drill-down feature can help you answer
questions such as: How can I reduce the size of my fallback VC? Who is
generating the most streamed traffic? What is the source of most of my
bandwidth consumption?
Example #1: Who is generating the most streamed traffic on the most
active streamed protocol? From real-time monitoring, choose protocols.
On the limits tab, choose to limit the graph to the streaming applications
service group. Now click on OK to display the most active protocols graph.
From the top protocol, drill down to Internal Hosts. (The functionality of the
Limits tab is fully explained later in this module.)
Example #2: What is the source of most of my bandwidth consumption?
Select the network from the top of the network tree. From real-time
monitoring, choose a statistics graph and click on OK to display the graph
with its default settings. From any point on the network, drill down to
Protocols. From the top protocol in the graph, drill down to Internal Hosts.
From the top Internal Host in the graph, drill down to Conversations.

From the display tab on the graph properties dialog, you can choose to
stack any of the top graphs by various parameters. Depending on the
graph selected, you may be able to stack your graph by NetEnforcer, Line,
Pipe, VC, Protocol or Host.
Using the stacking function creates a third dimension to your top graphs.
You can choose the number of instances your graph will be stacked by, up
to 50 instances. The default value is to stack by 4 instances.
Let's see an example of what we mean.

Here we see an example where we have created a most active VCs
graph, measured by total bandwidth and stacked by protocol. The third
dimension of the graph is represented by the colors within each bar on the
graph.
Instead of just seeing the most active VCs by total bandwidth, we now see
the most active VCs by total bandwidth and the breakdown of the most
active protocols within each VC. This literally opens up a whole new
dimension to our graphs.

Let's see some examples of questions that can be answered using a single
multi-dimensional NetXplorer graph.
Example #1: Which protocols made up the most active VCs on my
network? Solution: Most Active VCs, stacked by Protocol.
Example #2: Who have been the heaviest bandwidth consumers on my
network and what protocols have they been using? Solution: Most Active
Internal Hosts, stacked by Protocol.
Example #3: Which protocols have been taking up the most bandwidth
and how have they been split between the NetEnforcers or Service
Gateways on my network? Solution: Most Active Protocols, stacked by NE.

From the Limits tab on the graph properties dialog, you can choose
additional filters to limit the scope of your chosen graph. The graphs can
be limited by parameters such as NetEnforcer, Line, Pipe, VC, Host or
Protocol, depending on the chosen graph. This enables you to home in
on the specific objects in which you are interested.
Note that when you use the limiting functionality, the "display separately
for each" option becomes active on the Display tab. We will see an
example of this shortly.

Let's take a case, for example, where a service provider wants to
know who the 10 heaviest Skype users on its network are, in order to
approach them with a targeted marketing campaign.
To view this graph, the service provider simply chooses to see the 10 most
active hosts on the network, limited to the Skype protocol.

Here is a second example where we have limited most active protocols to
two specific VCs: streaming applications and VoIP applications. The two
graphs here show us the two display options.
The regular display option will present the 5 most active protocols over the
two VCs together.
If you choose to display each VC separately (in the display tab), then we
see the most active protocols in each VC separately.

Let's see some examples of questions that can be answered with the help
of the limiting filter on a NetXplorer graph.
Example #1: Who are the heaviest BitTorrent users on my network?
Solution: Create a most active internal hosts graph, limited to the
BitTorrent protocol.
Example #2: Which of all the gaming and streaming protocols are taking
up the most bandwidth on my network? Solution: Create a most active
protocols graph, limited to the gaming and the streaming applications
service groups.
Example #3: Is subscriber 10.10.10.10 the source of malicious traffic?
Solution: Create a statistics graph, measuring new connections and limited
to the particular internal host 10.10.10.10.
Example #4: How has subscriber 10.10.10.11 been using the BitTorrent
protocol over the course of a typical day? Solution: Run a typical day
protocol distribution graph, selecting BitTorrent as the object for analysis.
Limit the graph by internal host to 10.10.10.11.
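Example #3 relies on the new connections measure to decide whether a host looks suspicious, the same measure the DoS example earlier in this module uses. As an added example (not code from this guide or from NetXplorer), the Python script below builds a constructed connection log for three internal hosts, counts the connections each one starts per 5-minute sample, which is what a statistics graph of new connections limited to one internal host shows, and flags samples where a host's rate is far above its own median. The host 10.10.10.10 is taken from the example above; the hosts 10.10.10.12 and 10.10.10.13, the external addresses (documentation ranges), the one-hour window and the 10x threshold are constructed or assumed.

```python
"""New-connection rate per internal host over a constructed connection log."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Tuple

Connection = Tuple[datetime, str, str]   # (start time, internal host, external host)
BASE = datetime(2012, 1, 1, 12, 0)       # placeholder date and hour


def build_sample_log() -> List[Connection]:
    """One constructed hour of connections. Two hosts open 3 new connections a
    minute all hour; 10.10.10.10 does the same except for 200 a minute
    between 12:30 and 12:40."""
    log: List[Connection] = []
    for minute in range(60):
        for host in ("10.10.10.12", "10.10.10.13"):
            for k in range(3):
                log.append((BASE + timedelta(minutes=minute, seconds=20 * k),
                            host, f"203.0.113.{k + 1}"))
        rate = 200 if 30 <= minute < 40 else 3
        for k in range(rate):
            log.append((BASE + timedelta(minutes=minute, seconds=k % 60),
                        "10.10.10.10", f"198.51.100.{k % 250 + 1}"))
    return log


def new_connections_per_bucket(log: List[Connection], host: str,
                               bucket_min: int = 5) -> Dict[str, int]:
    """Statistics graph of New Connections limited to one internal host: the
    number of connections started in each bucket_min-minute sample, keyed
    by the sample's start time (HH:MM)."""
    counts: Counter = Counter()
    for ts, src, _ in log:
        if src != host:
            continue
        floored = ts.replace(second=0, microsecond=0)
        floored -= timedelta(minutes=floored.minute % bucket_min)
        counts[floored.strftime("%H:%M")] += 1
    return dict(sorted(counts.items()))


def flag_spikes(series: Dict[str, int], factor: float = 10.0) -> List[str]:
    """Samples whose count exceeds factor x the host's own median rate. The
    median is a deliberately simple baseline and the factor is an assumption;
    a production rule would compare against a longer history."""
    baseline = median(series.values())
    return [label for label, n in series.items() if n > factor * baseline]


if __name__ == "__main__":
    log = build_sample_log()
    series = new_connections_per_bucket(log, "10.10.10.10")
    print(series)
    print("samples to investigate:", flag_spikes(series))
```

For 10.10.10.10 the two samples starting at 12:30 and 12:35 carry 1000 new connections each against a median of 15, so they are flagged; the other two hosts produce a flat series and nothing is flagged.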

In this next section, we will examine the reports and groups functions of
the NetXplorer.

Reports are saved definitions of either real time monitoring or long-term
reporting graphs. Reports can be set to run at scheduled times, and can
be distributed automatically, in one of the export formats, to a predefined
list of email addresses.
By default, reports can be defined on a single NetEnforcer or Service
Gateway, or on any one of its Lines, Pipes and Virtual Channels. If you
want to define a report on several NE/SGs, or for Lines, Pipes and Virtual
Channels that belong to different NetEnforcers, you must first define a
group and then use this group in the report definition. You can define a
group that will take for example particular VCs from several different NEs
or SGs and group them together for the purposes of monitoring.

Several pre-defined reports are available in the System Reports folder,
which is viewed after clicking the Reports tab.
The pre-defined reports are:
Most active protocols in the last day in hourly intervals
Most active protocols in the last hour in 5 minute intervals
Most active hosts in the last day in hourly intervals, stacked by protocols
Most active hosts in the last hour in 5 minute intervals, stacked by protocols
Network statistics for the last day in hourly intervals
Network statistics for the last hour in 5 minute intervals
You can view the pre-defined reports, or any other reports that you create,
at any time by right-clicking on the report name and choosing Show in
Monitoring.

The simplest way to save graph definitions as a report is if you are already
viewing the particular graph. If you are currently displaying a real-time
monitoring graph or a long-term reporting graph, you can easily save its
definitions.
To save the graph you are viewing as a report, either:
- Right-click the graph, and from the shortcut menu, select Add to
Reports.
- Or simply click on the Add to Reports shortcut button.
A new report is defined and can be accessed, edited and scheduled
from the reports tab.

Alternatively, you can define a new report using the report wizard.
1. In the left pane, select the Reports tab.
2. Right-click, and from the shortcut menu, select New Report. The
Report Definition wizard is displayed.
3. Set the report name and description as relevant.
4. Click Next to continue defining the report.

Here you decide on which entity to run the report. This can be a single
entity or a pre-defined group. We will see later how to create a group of
entities.

Now you choose the report subject and term. Note that if you wish to
create a typical time report, this is indicated in the report term section.

You select the number of objects to be included in a top report, or the
specific objects to be included in a distribution report.

You then select the date and time range and data resolution. For long term
reports and reports with a resolution of 1 hour and up, there is also the
ability to determine when the reporting period should work back from (e.g.
show data for the last day starting from the time the report is run, or from
midnight x days ago).

Here you can decide if you wish to limit the scope of the report.

Here you can decide if you wish to stack the results.

Reports can be scheduled here to run automatically, either periodically or
at a specific time and date. You need to define the format in which the
reports will be sent: JPG, CSV, HTML or PDF.
Remember that any report that you create, whether you choose to
schedule it or not, can also be run manually from the reports tab, by
right-clicking on the relevant report and selecting Show in Monitoring.
To send reports via email, define the following:
1. The email address to send the reports to. This is defined for each report
using the Report Definition Wizard.
2. An email server to be used for sending the email with the report. This
is defined once for all reports, in the Network Configuration settings.

To configure the SMTP server used for sending report notifications:
1. In the navigation pane, select Network.
2. In the navigation tree, select Network.
3. Right-click, and from the shortcut menu, select Configuration. The
network configuration is displayed.
4. Define the SMTP server's address, the user name and password for the
connection, and the address from which the notification is to be sent.

Upon completing the definition of the report, a summary is displayed.

You can organize the reports that you define into folders for your
convenience. The folders allow the user to categorize the reports by time
period, policy, devices, etc.
To create a new folder, simply right click on the folder under which you
wish to create a new one, choose New and then Report folder.
You will be asked to enter the folder name and then to Save it.
Reports can be copied and pasted between the different folders.

Using compound reports you can combine several reports together into a
single PDF file. The compound PDF can be generated periodically and sent
by email to the customer.
You can only combine in this way reports in the user-defined folder whose
output is already in PDF.
Right-click on the folder in which you wish to create the compound report
and choose New. Now choose Compound Report.
The Compound Report Properties dialog opens. Here you can give a
name to the new compound report. You will see a list of the existing
reports that you have in PDF format. You can choose which of them to
include in the report, and then if and when to schedule the report and who
to send it to.

4-82

A group is a collection of several policy entities that is used for reporting purposes only.
A group can comprise elements from the same in-line platform or it can be cross-NE/SG. For example: all P2P traffic from all NetEnforcers, or traffic generated from all support departments worldwide.
Groups cannot be of mixed hierarchy. All the group members must be at the same level. It is not possible to include a P2P Pipe and a P2P Virtual Channel in the same group. Therefore, it is recommended to keep the policy structure consistent between devices.
Note that you can also group instances of a specific template, both with each other and with other policy entities at the same hierarchy level.

4-83

In this example, a group of Pipes is defined. Entities that have already been included in the group are grayed out on the left side of the display.

4-84

In this example, a new group called Global P2P has been set up,
grouping together the Peer to Peer VCs on each of the in-line
platforms in the Network. To view a graph on this group:
1. On the Groups tab, right-click the relevant group.
2. From the shortcut menu, select the required graph type.

4-85

What is the function of each of these shortcut buttons?

4-86

Which graph can help you answer each of the following questions?

4-87

4-88

Module 5
Condition Catalogs


Catalog entries are the building blocks that we use to make the rules that
comprise our traffic policy. Catalog entries may be conditions or actions. In
this module, we will learn about the catalogs you can use to define
conditions for traffic classification.

5-2

We will begin by asking: why is it important to classify at all?

5-3

Why do we need to classify network traffic? The answer is twofold.
Firstly, classifying gives us a better understanding of the traffic. For example, to see which subscriber is consuming the most bandwidth, we must first classify the network traffic by subscriber (the subscriber can be identified by the host that initiates the traffic). Once we have a clear view of the network traffic, we can analyze it over time and spot trends and new behavior patterns.
Secondly, classifying allows us to apply different QoS to different types of traffic. If traffic were not classified into identifiable groups, it would be impossible to apply quality of service to every different traffic instance.

5-4

The need for classifying traffic may be clear, but what methods should we
use? To take the example of street traffic, we can see that there are many
different categories by which we can classify cars. The car manufacturer,
its color and its maximum speed are just a few possibilities. Which one is
the best?
How we classify depends on what we want to achieve. Classifying by car
color for example may be suitable if you manufacture paint for cars, but
this type of classification is of little use if your aim is to manage the road
system.

5-5

The first step of implementation will therefore be to define your business objectives. Ask yourself what it is you want to achieve with the Allot solution. How would you classify your network traffic to meet the desired outcome? For example, if a different quality of service is to be implemented for different users, we need to classify our subscribers into categories. If you want to define different service parameters for different applications, then classification needs to be per application type.
We will now review the different classification condition catalogs available.
We will now review the different classification condition catalogs available.

5-6

Traffic classification is performed by defining condition catalogs in the NetXplorer. With an understanding of your business aims, you can choose the appropriate type of condition catalog to define.
We will now examine each of the different types of conditions in turn, beginning with the Host Catalogs.

5-7

Hosts may be internal or external. Whether a host will be recognized by the NetEnforcer or Service Gateway as internal or external depends on the interface of the bypass unit or blade to which that host is connected.

5-8

Host catalog entries are defined in the NetXplorer interface, irrespective of whether they are to be used as internal or external host conditions. The decision to define a host catalog as an internal host condition or an external one is made at a later stage, when you build your policy in the NetXplorer policy editor (see Module 7: Building The Policy Table).

5-9

There are several types of Host catalog entries, and it is important to understand the hierarchical relationship between them, in particular between a host list and a host group.
A Host List is a list of hosts defined by IP address, IP range, IP subnet, or any combination of these attributes. (Note: the NetXplorer GUI has two more options: Host Name or MAC Address. These options are available only in the legacy product, AC-400, which is no longer sold.) A Host List can represent an individual subscriber, a corporate branch or a network subnet. How you use a Host List depends on the policies you define to implement the relevant network business objective.
Once you have defined Host Lists, you can group several of them into a Host Group.
Here is an example of using hosts to represent different locations. One Host Group will represent North America. Inside this Host Group we can have multiple Host Lists, each one representing a major city.
The city Host List represents the actual IP addresses, subnets and ranges used in the specific city. Chicago is a Host List consisting of a simple IP subnet. New York is a Host List made up of an IP range and an additional IP address outside of that range.
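The North America / Chicago / New York hierarchy just described, modelled as an added Python example. This is illustrative code written for this guide, not NetXplorer's own data model or API, and all addresses are constructed. It shows how a host list mixes single IPs, ranges and subnets, how a host group is only a collection of host lists, and how a source address resolves to the group and list it belongs to:

```python
import ipaddress

# Added illustration of the Host List / Host Group hierarchy; not NetXplorer's own
# data model. All addresses are constructed.


class HostList:
    """One Host List catalog entry: any mix of single IPs, IP ranges and IP subnets."""

    def __init__(self, name):
        self.name = name
        self.items = []  # ("ip", addr) | ("subnet", network) | ("range", lo, hi)

    def add_ip(self, ip):
        self.items.append(("ip", ipaddress.ip_address(ip)))
        return self

    def add_subnet(self, cidr):
        self.items.append(("subnet", ipaddress.ip_network(cidr, strict=False)))
        return self

    def add_range(self, lo, hi):
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {lo}-{hi}")
        self.items.append(("range", lo, hi))
        return self

    def contains(self, ip):
        """True if ip falls inside any item of this list."""
        ip = ipaddress.ip_address(ip)
        for item in self.items:
            kind, first = item[0], item[1]
            if first.version != ip.version:
                continue  # never compare IPv4 with IPv6 items
            if kind == "ip" and first == ip:
                return True
            if kind == "subnet" and ip in first:
                return True
            if kind == "range" and first <= ip <= item[2]:
                return True
        return False


class HostGroup:
    """A Host Group is only a collection of Host Lists; it holds no addresses itself."""

    def __init__(self, name, host_lists):
        self.name = name
        self.host_lists = list(host_lists)

    def match(self, ip):
        """Name of the first member Host List that contains ip, or None."""
        for host_list in self.host_lists:
            if host_list.contains(ip):
                return host_list.name
        return None


def build_north_america():
    """The slide's example: Chicago is one subnet; New York is a range plus one extra address."""
    chicago = HostList("Chicago").add_subnet("10.10.0.0/16")
    new_york = (HostList("New York")
                .add_range("10.20.0.1", "10.20.0.254")
                .add_ip("10.99.1.1"))
    return HostGroup("North America", [chicago, new_york])


def locate(ip, groups):
    """Return (group name, host list name) for the first group containing ip, else None."""
    for group in groups:
        host_list = group.match(ip)
        if host_list is not None:
            return group.name, host_list
    return None
```

Because a group only delegates to its lists, a host that belongs to New York's extra address but not to its range still resolves to New York, which is exactly the case the slide describes.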

5-10

To define a host list:
1. In the Navigation pane, right-click Hosts and select New Host List from the shortcut menu.
2. The Host List Entry Properties dialog box is displayed.
3. Enter a name and description as appropriate.
4. To add items to the host list, click Add. The Add Host Item dialog box is displayed.
5. From the Item Type drop-down list, select the type of item to be included in the host list (Host Name, IP Address, IP Subnet, IP Range, or MAC Address).
6. Define the additional parameters in the dialog box. The parameters change according to the selected Item Type. For example, if you are configuring an IP Address, one additional parameter is defined in the dialog: the IP Address; if you are configuring an IP Range, two parameters are defined: the From and To IP addresses of the range.
7. Click Apply. The item is added to the host list.
Repeat steps 5-7 to add more hosts to the list.

5-11

By default, host lists that you define are global. This means that they are sent to each NetEnforcer and Service Gateway in the network and can be used by them. If you are working with large numbers of long and detailed host lists, though, this might unnecessarily compromise the performance of your in-line platforms. If you know that the catalogs you have defined are only relevant to a specific in-line platform on the network, it may therefore be worthwhile limiting the scope of the catalog to the relevant NetEnforcer or Service Gateway.
To set the scope of the entry to a specific device:
1. Click the Scope browse button. The Entry Scope Properties dialog box
is displayed.
2. To make the entry available to a selected device only, select Specific
Device and then select the device from the drop-down list.
3. Click OK. The Host List Entry Properties dialog box is displayed.
4. Click Save.

5-12

To join existing host lists into a single host group:
1. In the Navigation pane, right-click Hosts and select New Host Group from the shortcut menu. The Host Group Entry Properties dialog box is displayed.
2. Enter the name of the host group, together with a description if required.
3. To add host lists to the host group, click Add. The Add Group Items dialog box is displayed. This dialog box lists all available Host List Catalog entries that can be added to the host group.
4. Select one or more entries and click OK to add them to the host group.
5. As with Host Lists, you can set the scope of the Host Group to be either Global or NetEnforcer-specific.

5-13

It is also possible to import large groups of hosts from an external text file. The user updates this text file and the NetXplorer checks it for changes every 10 minutes. As long as the text file is not updated, no NX resources are used. Note that the default interval of 10 minutes can be changed; contact customer support to enable this change.
Make sure you have the file on the NX at all times (if you delete it, the host
entry based on this file will have no data in it).
There are 3 different methods for importing external text files. The user
can create:
- A new external text file host list
- A new external text file host group
- A new dynamic external text file host group

5-14

What is the difference between the regular External Text File Host Group (or List) and the DYNAMIC External Text File Host Group?
The dynamic external text file host group functionality was developed to help customers who regularly wish to use particularly large text files containing tens of thousands of entries.
With the regular external text file host group we can only support a few thousand hosts, but the Dynamic version enables us to support many more: 20,000 for the AC-500; 160,000 for the AC-1400/3000 devices; 2,000,000 for a fully populated SG-Sigma or SG-Sigma E6; 5,000,000 for a fully populated SG-Sigma E14 (500,000 per CC).
There are, however, several limitations when using the dynamic mechanism:
1) It can only be used to support internal hosts.
2) It only supports individual IPs (ranges and subnets will be ignored).
Note that another side effect of the dynamic system is that the IPs updated from the Dynamic text file are deleted when the NE/SG reboots. The NetXplorer server will update the IPs again after approximately 10 minutes, but until then there will be no rule matching for the Pipes and VCs in the policy that use those text files in their conditions.

5-15

For example, let's see how to create a new external text file host group. From the Hosts item in the catalogs pane, choose New External Text File Host Group. Now enter the file path to the text file.

5-16

Using this feature, you can import long lists of hosts from an external text file into a Host Group or Host List Catalog on the NetXplorer.
There are three types of hosts that can be imported: IP address, IP range and IP subnet. When using the dynamic method, IP address is the only type of field that can be imported.
Create a text file according to the guidelines defined below, making sure that you enter each host entry on a separate line. The text file format for each of the three types of hosts is as follows:
IP address: Name;IP
IP subnet: Name;IP/Mask
IP range: Name;IP-IP
NOTE: This method creates individual hosts with corresponding names, but they are all added to a single group. They cannot be separated.

5-17

Here we see an example. A text file is created which includes two host names: IP1 and IP2. IP1 contains two IP addresses and one IP subnet, and IP2 contains one IP and one IP range.
The External Text File Host Entry Properties dialog is opened and the path of the text file is entered. In this case the text file has been placed directly on the server's C drive. However, the file can be located on any machine that the NetXplorer Server can access.
Here we see the imported host group, consisting of 2 host entries. Clicking each host entry will show us what it contains.
We can also see an imported host list, which simply extracts all items in the file to be host items in this host list.
This difference has important implications later when we come to work with templates (in Module 7).
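As an added example, not part of the original training material, the following Python parser reads the Name;IP, Name;IP/Mask and Name;IP-IP lines described on the previous slide, reproduces the IP1/IP2 file (with constructed addresses), and shows the two import outcomes described here: the host-group import that keeps one named host per name, and the host-list import that flattens every item into one list. It also applies the dynamic-mechanism rules from earlier in this section (single IPs only, ranges and subnets ignored, per-platform limits as quoted in the text). The validation rules and error messages are this example's own, not NetXplorer's.

```python
import ipaddress

# Added example for this guide, not NetXplorer code. The sample file reproduces the
# slide's IP1/IP2 layout with constructed addresses.
SAMPLE_FILE = """\
IP1;10.1.1.10
IP1;10.1.1.11
IP1;10.1.2.0/24
IP2;10.2.5.5
IP2;10.2.6.1-10.2.6.50
"""

# Dynamic host limits as quoted in the training text (fully populated platforms).
DYNAMIC_LIMITS = {
    "AC-500": 20_000,
    "AC-1400/3000": 160_000,
    "SG-Sigma": 2_000_000,
    "SG-Sigma E14": 5_000_000,
}


def parse_line(line):
    """Parse 'Name;IP', 'Name;IP/Mask' or 'Name;IP-IP' into (name, kind, value)."""
    if line.count(";") != 1:
        raise ValueError(f"expected exactly one ';' in {line!r}")
    name, host = (part.strip() for part in line.split(";"))
    if not name or not host:
        raise ValueError(f"empty name or host in {line!r}")
    if "/" in host:
        return name, "subnet", ipaddress.ip_network(host, strict=False)
    if "-" in host:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in host.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {host!r}")
        return name, "range", (lo, hi)
    return name, "ip", ipaddress.ip_address(host)


def parse_file(text):
    """Parse the whole file; blank lines are skipped, any bad line aborts with its number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            entries.append(parse_line(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return entries


def as_host_group(entries):
    """Group import: one named host per distinct Name, each holding its own items."""
    group = {}
    for name, kind, value in entries:
        group.setdefault(name, []).append((kind, value))
    return group


def as_host_list(entries):
    """List import: every item in the file becomes a host item of one flat list."""
    return [(kind, value) for _, kind, value in entries]


def dynamic_import(entries, platform):
    """Dynamic mechanism: only single IPs are kept, ranges and subnets are ignored,
    and the result must fit the platform's dynamic host limit."""
    kept = [value for _, kind, value in entries if kind == "ip"]
    ignored = [(name, kind) for name, kind, _ in entries if kind != "ip"]
    limit = DYNAMIC_LIMITS[platform]
    if len(kept) > limit:
        raise ValueError(f"{len(kept)} hosts exceed the {platform} limit of {limit}")
    return kept, ignored
```

Running `dynamic_import` on the sample shows the silent loss the text warns about: the subnet under IP1 and the range under IP2 are dropped, so a file that looks complete in the group import covers only three hosts once loaded dynamically.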

5-18

A further type of host catalog is the Country Classification catalog, which is aimed primarily at Service Provider customers. Why do ISPs need to classify traffic by country?
For their subscribers, the internet is one huge entity or cloud. It makes no difference to them whether the service they requested is provided from next door or half way across the globe. The subscriber's ISP has a completely different view. For the ISP, the internet is a set of links with different capacities and different prices.
ISPs require country-based classification to differentiate domestic-bound traffic from international-bound traffic. The ISP is typically charged a higher rate for traffic that is directed to international networks. Country classification enables the ISP to identify and limit international traffic and thus cut expenses with minimal impact on the subscribers' QoE.
Additionally, monitoring traffic by country of origin / destination helps the ISP to perform long-term capacity planning on its network. For example, if the ISP observes that traffic to a certain country has increased throughout the year, it might want to upgrade its capacity to that country.

5-19

To enable the country classification feature you need a special key for the
NetXplorer Server.

5-20

Let's see how to create a new country-based host file.
First choose New Country Classification from the host catalog list. Now select the countries to be added to the Country Classification host list.
Once you have defined your country-based classification catalog, the NX periodically consults a central, updated database in order to translate the country or countries you have chosen into IP subnet ranges.

5-21

When you are working with long lists of hosts, you might lose track of
individual host entries. The host search is used to find a host definition
from within a host list.
1. Select Catalogs and right-click Hosts in the Navigation pane and select
Host Search from the popup menu.
OR
In the Application Details pane, right-click an entry in the Host Catalog and
select Host Search from the popup menu.
The Host Search Properties dialog is displayed.
2. A Host Entry can be searched for by Host Name, IP or MAC address.
Enter the details of the host which you are looking for.
3. Click Search. Results are shown in the Search Results list.
4. Click Close to close the dialog.
Note that the search does not search within host groups.

5-22

Knowing your business objectives, you can use the host catalog to group different user groups. For example: per geographical location, per importance to the organization, per package purchased, per country, etc.
On the other hand, you can use the host catalog to identify crucial network elements. Later, you can build your policy to ensure that enough bandwidth is allocated to each of these network elements.
Can you think of other uses for host catalogs? Share your thoughts with
your trainer and the training class.

5-23

Service catalog entries are used to classify traffic by application or protocol. Applications may be anything from an instant messaging application to a business ERP application. Protocol entries include network protocols, transport protocols and application protocols.

5-24

The standard packet inspection process (shallow packet inspection) extracts basic protocol information such as IP addresses (source, destination) and other low-level connection states. This information typically resides in the packet header itself and reveals the principal communication intent. The inspection level in the shallow inspection process is insufficient to reach any application-related conclusions. For example, if a packet is the result of an application trying to set up additional connections for its core operation, an examination of the source or destination addresses as they appear within the packet header itself will not reveal any useful information regarding the connections to be used in the future, as requested by the application. Furthermore, it is very common for the necessary information to be spread over several packet transactions; and once again, examination of the header information alone overlooks the complete transaction perspective.
DART, on the other hand, provides application awareness. This is achieved by analyzing the content in both the packet header and the payload over a series of packet transactions. At the heart of Allot's solutions is a DPI engine which feeds off a comprehensive library of signatures and behaviors.

5-25

By default the connection is identified and classified according to the application signature. The DART engine looks inside the connection, at the first data in which the application signature is located. This is also called Layer 7 classification, or DPI, because the identification and classification is done at the application level (layer 7). Use of signature identification might, for example, enable an HTTP connection on a port other than TCP 80 to be correctly recognized and classified.
Note that for the Allot in-line platform to recognize a signature, it needs to see the 3-way handshake. This makes recognizing application signatures in an asymmetric environment all the more challenging.

5-26

The Allot in-line platform recognizes the signatures of a vast range of protocols and applications, from Peer to Peer applications such as BitTorrent, Winny and Gnutella to VoIP protocols such as Skinny, SIP and Skype.
In addition, the NE and SG recognize the following tagging and encapsulation methods: MPLS, L2TP, PPPoR, GREoIP and VLAN or 802.1q. After recognizing the tagging and encapsulation method, the platform looks deeper into the IP frame to identify the different classification criteria: host, application in use, etc.

5-27

There are 3 different types of service objects: Service Groups, Services and HTTP User Defined Signatures (UDS). The 3 types are organized hierarchically.
Service groups enable you to efficiently assign multiple services to policies, instead of defining separate policies on a service-by-service basis.
Services are the protocol- or application-based criteria for traffic classification. A service can exist in only one location in the hierarchy at any given time.
HTTP UDS objects give great flexibility to define signatures using any of the HTTP header fields.

5-28

NetXplorer comes with pre-defined services to incorporate the growing number of protocols representing the same or similar applications. These services are organized into several generic service groups such as Games, Instant Messaging, Mail, Network Operation etc.
Note that these services can be updated, either manually or automatically, using the Allot Protocol Update (APU) feature. The procedure for doing this is described fully at the end of this module.
The default traffic policy classifies traffic into different VCs according to the principal service groups, and this helps you to get an initial picture of the type of traffic running through your network when you perform out of the box monitoring.

5-29

To better understand services and service groups, let's look at the Web Applications service group.
This group includes several services: HTTP, HTTP Proxy, HTTPS and
more. Each service is defined by its application signature and by its port
numbers.
HTTP is based on the HTTP application signature, and it includes both a
signature and a port number (80).
HTTPS is based on the Other TCP application and it includes a port only
(443).
We will now review the steps to create a new service, and explain all the
different options available.

5-30

While NetXplorer comes with an extensive set of common services, you may want to define additional services. There are two methods for defining additional services:
1. Creating a new service based on an existing application type recognized by Allot's DPI engine.
2. Selecting a known service from the protocol library, which contains over 1000 protocols with IANA (Internet Assigned Numbers Authority) assigned ports.

5-31

Let's first see how to create a new service based on an existing application. From the Service Catalog, we select New Service and choose our application type; in this case, for example, we choose Skype. We can now assign additional properties to it, such as a port number. This is useful if a home-grown application needs to be handled by NetXplorer.

5-32

For every new service we need to define the entry identification method. We can also take a recognized application and redefine the way in which the NetXplorer tries to recognize it. From the Application Type drop-down list, select the basic application type, and choose ADD. You can now manually configure the identification method to be default, signature or port based. Let's now see what each of these means.
Default: First check all other signatures. If no signature is matched, then traffic will be identified according to the port specified in the ports section of this dialog.
Signature: Identifies the traffic according to the signature of origin, regardless of the port. You can choose to check for this signature on particular ports or on all ports. By using this method, you can distinguish between applications which use the same signature on different ports. The trade-off is that before traffic can be identified, at the very least the 3-way handshake must take place. This means that in some cases tens of data packets may pass before the traffic is positively identified.
Port-based: This method is also sometimes called parse by port. If you choose this method, traffic on this destination port will be identified as the service you have defined. The application signature on this port will not be checked. Consequently, the traffic is identified as soon as the first packet enters the classification engine. This makes it very useful for handling SYN attacks and other malicious traffic.
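To make the difference between the three identification methods concrete, here is an added Python model, written for this guide rather than taken from Allot's classification engine, that walks a flow packet by packet and reports which service identified it and on which packet. The catalog, the service names and the byte-prefix "signatures" are constructed for illustration only. A port-based service decides on the first packet, even a bare SYN; signature services need the first payload packet after the handshake and only match on their configured ports; and a default service tries its signature after all other signatures and falls back to its port only when nothing matched.

```python
from dataclasses import dataclass

# Added, constructed model of the three identification methods; not Allot's engine.


@dataclass(frozen=True)
class Service:
    name: str
    method: str                        # "port", "signature" or "default"
    ports: frozenset = frozenset()     # destination ports; empty = "all ports" (signature method)
    signature: bytes = b""             # constructed payload prefix standing in for a DPI signature


@dataclass
class Flow:
    dst_port: int
    packets: list                      # payload per packet in arrival order; b"" for handshake packets


# Constructed catalog. The "GET " prefix is a stand-in, not Allot's real HTTP signature.
CATALOG = [
    Service("HomeGrown", "port", frozenset({5555})),               # parse by port only
    Service("Web-Alt", "signature", frozenset({8080}), b"GET "),    # HTTP signature, port 8080 only
    Service("MyApp", "signature", frozenset(), b"MYAPP"),           # signature on any port
    Service("HTTP", "default", frozenset({80}), b"GET "),           # signature first, port fallback
]


def classify(flow, services=CATALOG):
    """Return (service name, index of the packet that identified it), or ("unclassified", None)."""
    by_port = [s for s in services if s.method == "port"]
    by_sig = [s for s in services if s.method == "signature"]
    by_default = [s for s in services if s.method == "default"]

    for idx, payload in enumerate(flow.packets):
        if idx == 0:
            # Port-based: decided on the very first packet; the signature is never checked.
            for s in by_port:
                if flow.dst_port in s.ports:
                    return s.name, idx
        if not payload:
            continue  # handshake packets carry no application data, so no signature is visible yet
        # Signature method: the signature of origin, on the configured ports or on any port.
        for s in by_sig:
            if payload.startswith(s.signature) and (not s.ports or flow.dst_port in s.ports):
                return s.name, idx
        # Default method: its own signature is tried after all other signatures...
        for s in by_default:
            if s.signature and payload.startswith(s.signature):
                return s.name, idx
        # ...and only when no signature matched is the destination port used as the fallback.
        for s in by_default:
            if flow.dst_port in s.ports:
                return s.name, idx
    return "unclassified", None
```

The packet index returned makes the trade-off visible: the port-based service answers at index 0, whereas every signature-based decision waits until at least the first payload packet after the handshake.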

5-33

The second way to create a new service is by using the port-based protocol library. The protocol library is based on the IANA list. You can import entries from the library to the main service list.
The service protocol library can be sorted by protocol name, ID or port number to search for a particular protocol. It can also be filtered to display only particular protocols.
To add a new service using the protocol library:
1. In the Navigation pane, right-click Services and select New. The Service Entry Properties dialog box is displayed.
2. To select a publicly recognized port assignment for the application, click Library in the Service Entry Properties dialog box. The Service Protocols Library dialog box is displayed.
3. Select one or more entries in the library and click Commit. The selected entries are added to the port list in the Service Entry Properties dialog box.
4. In the Service Entry Properties dialog box, click Save.
These library-based services use layer 4 identification, based on standard port usage for specific applications.

5-34

You can define your own service groups by combining several services into a single group. Similar services can be grouped if you want to apply the same QoS policy to them. An example of this is seen on the screen, where a service group called Business Applications is created, consisting of Oracle, SAP and Vonage, with a view to giving this group a guaranteed quality of service.
Groups are defined for classification purposes, and the NetXplorer
enables you to produce monitoring graphs on service groups, as seen in
Module 4.
Groups combine port recognition and Layer 7 analysis. Within a group, the
identification of one service might be based on Layer 7 analysis, while
another might be identified by port number alone.

5-35

To define a service group:
1. In the Navigation pane, right-click Services and select Add Service Group from the shortcut menu. The Service Group Entry Properties dialog box is displayed.
2. In the Name field, edit the name of the service group, and add a description if required.
3. To add items to the Service Entry Name List, click Add. The Add Group Items dialog box is displayed.
4. Select one or more services using standard Windows multiple selection methods, and click OK. The services are added to the Service Entry Name list in the Service Entry Properties dialog box.
5. Click Save to save the new Service Group.

5-36

Adding a service to an existing service group is also a simple process. For example, here we see how to add H.323 to the Business Applications Group that we defined earlier.
To move a service into an existing Service Group:
1. In the Service Catalog, right-click the service that you want to move, and select Move from the shortcut menu. The Move Service Select target dialog is displayed.
2. Select the location to which you want to move the selected Service.
3. Click Save.
Note that you cannot move a group into another group. If you wish to classify traffic from different service groups into a single Pipe or VC, this can be done using the add rule function when building the traffic policy. This procedure is explained in Module 7: Building the Policy Table.

5-37

These days HTTP is used for a lot more than traditional browsing. HTTP is commonly used for file sharing applications such as MegaUpload, Rapidshare and more. It is used to view streaming videos via dedicated web sites such as YouTube and Zulu. It is used for instant messaging applications, voice over IP, online gaming, P2P and a lot more. In order to be able to identify what traffic is flowing over a specific HTTP session, a more granular classification is required.

5-38

Let's see how Allot's in-line platform classifies HTTP traffic. When there is a matching application, traffic will be classified as the specific application. For example: YouTube, Rapidshare, etc.
When there is no matching application, traffic will be classified by behavior into one of the HTTP categories, such as HTTP File Transfer.
When there is no matching application or behavior, traffic will be classified as generic HTTP.
If you want to use a more granular HTTP classification, define a User Defined Signature based on HTTP header fields. A UDS match is stronger than all signatures and HTTP categories.
Let's now see which HTTP header fields you can use to define an HTTP User Defined Signature.

5-39

Here we see the 5 different request headers that can be defined in the
HTTP UDS with examples for each one.
Host is used for the domain name of the server requested. For example
you can use it to identify all traffic going to www.cnn.com, or all traffic
going to your own home web site. This is a free text field.
Method is used for the desired action to be performed on the resource
identified by the requester. This is a multiple choice field where you can
choose: GET, CONNECT or POST.
Referer is used for the address of the previous web page from which a
link to the currently requested page was followed. For example, when
opening cnn.com from a google search the Referer will show:
http://www.google.com/search?hl=en&q=cnn.com&rlz=1I7RNTN_en <CR>
<LF>. This is a free text field.
URL (URI) is a string of characters which identifies and locates a resource on the Internet. For example, when opening the Tolly Report from http://www.allot.com the URI is: /Tolly_Report.html. This is a free text field.
User-Agent is used to obtain information about the web browser or the type of mobile handset originating the request. For example: for a browser, Mozilla/5.0; for a mobile handset, Nokia. This is a free text field.
NOTE: Each field in a UDS may contain a maximum of 69 characters.

5-40

Here we see the 4 different response headers that can be defined in the
HTTP UDS with examples for each one.
Content-Encoding is used for the type of encoding used on the data. For
example: gzip. This is a free text field.
Content-Length is used for the length of the response body in octets (8-bit bytes). This field can be set to greater than or lower than.
Content-Type is used for the MIME type of this content (Multipurpose
Internet Mail Extensions). For example: text/html, image/gif, image/jpeg.
This field has predefined values to select.
Location is used for an alternate location for the returned data. For
example: http://edition.cnn.com, http://www.bbc.co.uk/. This is a free text
field.

5-41

HTTP User Defined Signatures (hereinafter UDS), can be used on all AOS
driven products.
HTTP UDS must first of all be activated from the Networking tab which is
accessed by choosing configuration from the NetEnforcer or Service
Gateway. After activating the UDS, create a new HTTP UDS from the Host
Catalog category. You can now add HTTP header fields (up to a maximum
of 16) and define the parameters required for each one. The relationship
between each header is AND, so a match will be made with this UDS if
the flow matches all of the header filters created.
Note: when you create a new UDS, you are actually adding a new service to the service catalog. Therefore any connection matching this new UDS will not match any other service, even when there is no rule for this UDS in the policy. This means that if a UDS is defined but not added to the policy, matching traffic might be classified to the Fallback VC.
UDS cannot be used in an asymmetric environment.

5-42

Here we see a defined UDS to identify all traffic going towards bbc.com or
foxnews.com or cnn.com and the request is for a sport page.
NOTE: UDS is stronger than any other service in your service catalog.
When a session matches both a UDS and an additional service, such as
HTTP Browsing, the session will be identified as the matching UDS.
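The UDS on this slide, evaluated over a parsed request, as an added Python example. It is not NetXplorer's UDS engine: the sample request, the KNOWN_APPS table and the set-of-hosts way of writing the three alternative hosts are this example's own assumptions. It applies the limits given earlier in this section (up to 16 fields, 69 characters per field, Method as a multiple-choice field), ANDs the field filters together as the text describes, and ranks a UDS match above a known application and above generic HTTP:

```python
# Added, constructed illustration of HTTP UDS matching; not NetXplorer code.

MAX_FIELDS = 16       # a UDS may hold up to 16 header fields (from the text)
MAX_FIELD_LEN = 69    # each field value is limited to 69 characters (from the text)
METHODS = {"GET", "CONNECT", "POST"}
REQUEST_FIELDS = {"Host", "Method", "Referer", "URL", "User-Agent"}


def parse_request(raw):
    """Pull the five request fields a UDS can test out of a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    fields = {"Method": method, "URL": url}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().title()          # header names are case-insensitive
        if name in REQUEST_FIELDS:
            fields[name] = value.strip()
    return fields


class HttpUds:
    """One HTTP UDS: a set of header filters, all of which must match (AND)."""

    def __init__(self, name, filters):
        if len(filters) > MAX_FIELDS:
            raise ValueError(f"{name}: at most {MAX_FIELDS} fields allowed")
        for field, spec in filters.items():
            if field not in REQUEST_FIELDS:
                raise ValueError(f"{name}: unsupported field {field!r}")
            for value in self._values(spec):
                if len(value) > MAX_FIELD_LEN:
                    raise ValueError(f"{name}: {field} value exceeds {MAX_FIELD_LEN} characters")
                if field == "Method" and value not in METHODS:
                    raise ValueError(f"{name}: Method must be one of {sorted(METHODS)}")
        self.name = name
        self.filters = filters

    @staticmethod
    def _values(spec):
        # A set means "any of these"; a plain string is a single value.
        return spec if isinstance(spec, (set, frozenset)) else {spec}

    def _field_matches(self, field, spec, actual):
        if field == "Method":                # multiple-choice field: exact match
            return actual in self._values(spec)
        # free-text fields: case-insensitive substring match, any alternative suffices
        return any(v.lower() in actual.lower() for v in self._values(spec))

    def matches(self, fields):
        return all(field in fields and self._field_matches(field, spec, fields[field])
                   for field, spec in self.filters.items())


# Constructed stand-in for applications the engine recognizes by signature.
KNOWN_APPS = {"youtube.com": "YouTube", "rapidshare.com": "Rapidshare"}


def classify_http(fields, uds_list):
    """A UDS match is stronger than any signature; then a known application; then generic HTTP."""
    for uds in uds_list:
        if uds.matches(fields):
            return uds.name
    host = fields.get("Host", "").lower()
    for domain, app in KNOWN_APPS.items():
        if host == domain or host.endswith("." + domain):
            return app
    return "HTTP"


# The slide's example: requests to bbc.com, foxnews.com or cnn.com for a sport page.
NEWS_SPORT = HttpUds("News-Sport", {"Host": {"bbc.com", "foxnews.com", "cnn.com"},
                                    "URL": "/sport", "Method": "GET"})

# Constructed sample request.
SAMPLE_REQUEST = ("GET /sport/football HTTP/1.1\r\n"
                  "Host: www.bbc.com\r\n"
                  "User-Agent: Mozilla/5.0\r\n"
                  "Referer: http://www.google.com/search?q=bbc\r\n\r\n")
```

A request to cnn.com for a news page fails the URL filter and therefore falls through to the ordinary classification, which is the AND behaviour the previous slide describes; the constructor rejects a 17th field, an over-long value or a Method outside GET/CONNECT/POST before the UDS can ever be evaluated.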

5-43

It is possible to identify VoIP traffic based on different codecs. This is done using New Content in the service catalog.
The available services are:
H323-RTP
RTP
SIP-RTP
Supported codecs are G723, G729, GSM and G711A/U. You can add one or more codecs to each content entry.
This capability allows accurate QoS control for VoIP traffic based on the specific codec used. NOTE: other content services are available only with the AC-400, which is not based on AOS.

Knowing your business objectives, you can use service catalogs to identify services and applications and control them. For example:
Identify your critical business applications to ensure a high quality of experience for them at all times.
Identify video traffic in your network and optimize your resources using a video caching service such as Allot MediaSwift.
Identify traffic to your own web site and give it high priority so that it is always available.
Identify high bandwidth consuming applications, such as P2P, and limit the bandwidth available to them during peak hours.
We will learn more about how to configure such policies in modules 6 & 7
of this training course.
Can you think of other uses for service catalogs? Share your thoughts with
your trainer and the training class.

In this section we will examine the time catalog.

The Time Catalog contains entries that define the period of time during which a particular rule is active.
Time Catalog entries are useful when you want to apply conditions to traffic only on specific days or at specific times. For example, you might differentiate between work and non-work hours, or give priority to maintenance jobs run at scheduled times. NOTE: You can use time catalogs to divide time up as you wish, for example by defining as many time cycles as you want within a 24 hour period.
If a time catalog has been assigned to a Line, Pipe or Virtual Channel, what happens when the expiration time is reached? Both new and existing connections are reclassified into other Lines, Pipes or Virtual Channels; a connection established during the time window does not keep its classification once the window ends.

To define a time period:
1. In the Navigation pane, right-click Time and select New Time from the shortcut menu. The Time Entry Properties dialog box is displayed.
2. In the Name field, edit the name of the entry and add a description as required.
3. Click Add. The Add Time Item dialog box is displayed.
4. In the Frequency area, select the frequency of the time period. The parameters available in the When area vary according to the frequency selected. Select the required time period in the When and the Recurrence areas.
5. Click OK and then Save.

Here is an example of using Time Catalog entries to define a time-based policy. In this example, Peer to Peer traffic is limited to 256kbps during work hours and has a much more liberal limit outside work hours.
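
The following added example (not Allot code) models a Time Catalog entry with weekly recurrence and uses it to select the P2P limit in force at a given moment. The names, the rule layout and the 2048 kbps off-hours figure are assumptions; the guide only says that the off-hours limit is much more liberal. It also handles a window that wraps past midnight, which the dialog allows but the slide does not show.

```python
# Added example (not Allot code): a toy Time Catalog with weekly recurrence,
# used to pick the P2P limit that applies at a given moment. Names, the rule
# layout and the 2048 kbps off-hours figure are assumptions; the guide only
# says the off-hours limit is "much more liberal".
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

WEEKDAYS = frozenset(range(5))  # Monday=0 .. Friday=4


@dataclass(frozen=True)
class TimeItem:
    """One 'Add Time Item' row: a daily window recurring on the given days.
    A window whose end is earlier than its start wraps past midnight."""
    start: time
    end: time
    days: frozenset = frozenset()  # empty means every day

    def active_at(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:            # plain window, e.g. 09:00-18:00
            inside, day = self.start <= t < self.end, when.weekday()
        elif t >= self.start:                 # wrapping window, before midnight
            inside, day = True, when.weekday()
        elif t < self.end:                    # wrapping window, after midnight:
            inside, day = True, (when.weekday() - 1) % 7  # counts as the day it began
        else:
            inside, day = False, when.weekday()
        return inside and (not self.days or day in self.days)


@dataclass(frozen=True)
class TimeEntry:
    """A Time Catalog entry: active whenever any of its items is active."""
    name: str
    items: tuple

    def active_at(self, when: datetime) -> bool:
        return any(item.active_at(when) for item in self.items)


@dataclass(frozen=True)
class Rule:
    """A policy row: service, optional time condition, maximum rate in kbps."""
    name: str
    service: str
    time_entry: Optional[TimeEntry]
    max_kbps: int


WORK_HOURS = TimeEntry("Work hours", (TimeItem(time(9), time(18), WEEKDAYS),))
NIGHT_WINDOW = TimeEntry("Night", (TimeItem(time(22), time(6), WEEKDAYS),))

# Rules are evaluated top to bottom and the first match wins, as in the policy table.
P2P_POLICY = (
    Rule("P2P work hours", "P2P", WORK_HOURS, 256),
    Rule("P2P off hours", "P2P", None, 2048),
)


def limit_for(service: str, when: datetime, policy=P2P_POLICY) -> Optional[int]:
    """Maximum rate in force for `service` at `when`, or None if no rule matches."""
    for rule in policy:
        if rule.service != service:
            continue
        if rule.time_entry is None or rule.time_entry.active_at(when):
            return rule.max_kbps
    return None


def reclassify_on_expiry(service: str, start: datetime, later: datetime) -> tuple:
    """When a rule's time window expires, existing connections are reclassified
    along with new ones, so the same flow can see two limits in its lifetime."""
    return limit_for(service, start), limit_for(service, later)
```

The order of the two rules matters: the unconditioned off-hours rule must sit below the work-hours rule, otherwise it would match first at all times. reclassify_on_expiry() illustrates the answer from the previous slide: a P2P flow opened at 17:59 on a weekday is limited to 256 kbps, and at 18:00 the same flow is subject to the off-hours rule.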

Knowing your business objectives, you can use time catalogs to define
different time slots and control them. For example:
Define peak hours in your network to avoid congestion and allow fair
usage to all subscribers all day long.
Create unique Happy Hour offerings for your subscribers allowing them
to enjoy special bandwidth rates at specific hours of the day.
Define your organization's working hours to ensure a high quality of experience for your business applications.
We will see more about how to configure such policies in modules 6 & 7 of
this training course.
Can you think of other uses for time catalogs? Share your thoughts with
your trainer and the training class.

In this section, we examine the ToS catalog. ToS can serve as a condition or as an action in your policy table.
Let's begin with a few words of explanation about the Type of Service byte in the IP header, and how it can be used.

The Type of Service, or ToS, field is an 8-bit field in the IPv4 header. It was designed by the designers of the IP protocol to support classification of different services, and it can be used to differentiate traffic flows from one another. We will now look at common usages of the ToS field.

The ToS standard, defined by RFC 1349, divides the byte into 3 fields: precedence, ToS and MBZ. Precedence is defined by bits 0-2. There are 8 possible precedence values, from 000 (decimal 0) through 111 (decimal 7). Generally decimal 0 is treated as the lowest priority traffic and decimal 7 as the highest. The four bits of the ToS field (bits 3-6) are very rarely used. MBZ, the must-be-zero bit (bit 7), was never used.
The DiffServ standard, defined by RFC 2474 and RFC 2475, redefines the first 6 bits of the byte as the DSCP, which can range from 000000 to 111111, giving a total of 64 possible values. The remaining two bits are the ECN field (RFC 3168).
Assured Forwarding, defined by RFC 2597, was designed to provide different levels of forwarding assurance for customer traffic. There are 4 classes, numbered 1 to 4. Within each class, packets are marked with one of 3 levels of drop precedence: low, medium and high. The higher the drop precedence, the more likely the packet is to be dropped. The 4 classes and 3 drop precedence levels give 12 possible values for Assured Forwarding (AF11 to AF43), and network elements can allocate different resources to each of them.
The NetXplorer ToS catalog comes with these 12 values pre-defined. Note that the decimal values shown in the NetXplorer ToS catalog for each AF service type are calculated from all 8 bits, not from the 6-bit DSCP alone: AF11, for example, is DSCP 10 but appears as 40 when the whole byte is read.
In addition, you can use the NetXplorer to define any value you wish, based on any combination of the 8 bits, including the last two. Bear in mind that those two bits carry ECN, so a value that depends on them classifies on congestion signalling rather than on service class.

In the ToS Catalog, you can view the properties of predefined entries and can create entries that classify the ToS byte using any or all of the 8 bits.
To define a ToS using free format:
1. In the Navigation pane, right-click ToS and select New ToS from the shortcut menu. The ToS Entry Properties dialog box is displayed.
2. In the Name field, edit the name of the entry and add a description if required.
3. Define the ToS value by inserting bit values in one of the following ways:
Click the bit value field boxes (grey indicates 0, black indicates 1). The decimal equivalent is displayed in the Selected ToS Byte Bit Settings area.
Enter the decimal or hexadecimal representation of the byte in the Decimal or Hex fields, respectively.
4. Click Save. The new entry is saved in the ToS Catalog.
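
The following added example (not Allot code; function names are illustrative) computes the 12 Assured Forwarding code points, converts between the 6-bit DSCP and the 8-bit value the catalog displays, decodes a byte into its RFC 1349 and DiffServ fields, and parses the three input forms of the free-format dialog.

```python
# Added example (not Allot code; function names are illustrative): the ToS
# byte read both ways, RFC 1349 (precedence / ToS bits / MBZ) and DiffServ
# (DSCP / ECN), plus the 12 Assured Forwarding code points and the three
# input forms of the free-format ToS dialog.
from typing import Optional


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """DSCP of AFxy per RFC 2597: class x in 1..4 in the top three DSCP bits,
    drop precedence y in 1..3 in the next two, last DSCP bit zero: 8x + 2y."""
    if af_class not in (1, 2, 3, 4) or drop_precedence not in (1, 2, 3):
        raise ValueError("AF classes are 1-4, drop precedence levels 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def tos_byte_from_dscp(dscp: int, ecn: int = 0) -> int:
    """The full 8-bit value the catalog displays: DSCP in the top 6 bits,
    ECN (RFC 3168) in the last two."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


def decode_tos_byte(value: int) -> dict:
    """Split one byte into its RFC 1349 fields and its DiffServ fields."""
    if not 0 <= value < 256:
        raise ValueError("ToS is a single byte")
    return {
        "precedence": value >> 5,         # bits 0-2
        "tos_bits": (value >> 1) & 0x0F,  # bits 3-6 (delay, throughput, reliability, cost)
        "mbz": value & 0x01,              # bit 7, must be zero under RFC 1349
        "dscp": value >> 2,               # bits 0-5 under DiffServ
        "ecn": value & 0x03,              # bits 6-7
    }


def af_name(dscp: int) -> Optional[str]:
    """Inverse lookup: 'AF11'..'AF43' for one of the 12 AF code points, else None."""
    af_class, rest = dscp >> 3, dscp & 0x07
    if af_class in (1, 2, 3, 4) and rest in (2, 4, 6):
        return f"AF{af_class}{rest // 2}"
    return None


def parse_catalog_value(text: str) -> int:
    """Accept the three input forms of the free-format dialog: eight bit boxes
    written as a string ('00101000'), decimal ('40') or hex ('0x28')."""
    text = text.strip().lower()
    if text.startswith("0x"):
        value = int(text, 16)
    elif len(text) == 8 and set(text) <= {"0", "1"}:
        value = int(text, 2)
    else:
        value = int(text, 10)
    if not 0 <= value < 256:
        raise ValueError("ToS is a single byte")
    return value


def predefined_af_catalog() -> dict:
    """The 12 AF entries as the catalog shows them: name -> (DSCP, 8-bit value)."""
    return {f"AF{c}{d}": (af_dscp(c, d), tos_byte_from_dscp(af_dscp(c, d)))
            for c in range(1, 5) for d in range(1, 4)}
```

decode_tos_byte(40) returns precedence 1 and DSCP 10 for the same byte, which is why a legacy precedence-based reading and a DiffServ reading of AF11 agree on "class 1" but disagree on the number shown; decode_tos_byte(43) shows that setting the last two bits leaves the DSCP at 10 and only changes the ECN value, the point made in the previous slide about matching on the whole byte.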

The next condition catalog which we will examine is the encapsulation catalog.

By default, the NE/SG identifies different types of encapsulation protocols and knows how to read the data inside. For example, when a user is browsing the web via a GRE tunnel, the connection will be identified as HTTP Browsing.
Allot's DART engine knows how to unwrap many different encapsulation methods, including VLAN, MPLS, L2TP v2, PPPoE, GTP, GRE and more.
The encapsulation catalog for VLAN or GRE covers a different use case. Using this catalog you can classify traffic based on the encapsulation tunnel used, e.g. to assign a specific QoS to all GRE tunnel traffic. Connections inside the tunnel are still identified based on the actual data packet, yet all GRE tunnel traffic is classified according to the pre-defined rule.
We will now see how to configure VLAN and GRE catalogs.

The VLAN Catalog contains Virtual LAN entities defined according to the 802.1Q standard.
Allot's In-Line platforms support VLAN traffic classification according to VLAN Identifier (VLAN ID) tags, consisting of 12 bits, and according to tagging priority bits, consisting of three bits.
VLAN catalogs can be used in the policy to assign each VLAN tag its own priority and QoS definition according to the policies you define.
To define a new VLAN catalog entry, go to the navigation pane, right-click Encapsulation and select New VLAN from the shortcut menu. The VLAN Entry Properties dialog box is displayed.
The VLAN ID is computed from the values chosen for Bits 1-12.
Bit 13 is the reserved bit (the CFI/DEI bit of the 802.1Q tag).
The User Priority value is computed from the values chosen in Bits 14-16 and can be used to specify user priority (where 7 is considered the highest priority and 1 the lowest).
Note also that the In-Line platform is transparent to Cisco ISL tagging (Cisco uses its own proprietary VLAN tagging). In other words, the in-line platform detects that there is an ISL tag and, while it cannot classify traffic based on that tag's ID, the NE/SG can go deeper into the frame to check regular criteria such as hosts and applications (just as it does with GRE and MPLS encapsulation).

GRE (Generic Routing Encapsulation) is a tunneling protocol designed to encapsulate different network layer protocols inside virtual point-to-point links over an IP network such as the Internet.
To define a new GRE catalog entry, go to the navigation pane, right-click Encapsulation and select New GRE from the shortcut menu. The GRE Entry Properties dialog box is displayed.
Complete the Name and Description fields, if required.
Define an Internal (source) IP for the GRE by selecting the relevant radio button. You may select Any IP (which will include GRE tunnels originating from all internal IPs) or enter a specific IP. Follow the same step for the External IP. Click Save. The new entry is saved in the Encapsulation Catalog.
A GRE catalog entry can be used in the policy to assign each GRE tunnel its own priority and QoS definition according to the policies you define.

After defining the different encapsulation catalogs you can define a new
encapsulation group with one or more VLAN or GRE catalogs.
To create an Encapsulation Group Catalog entry:
1. Select and right-click Encapsulation in the Navigation pane and select
New Encapsulation Group from the popup menu. Define if you wish to
create a New VLAN Group or a New GRE Group.
2. Complete the Name and Description fields, if required.
3. Select GREs or VLANS in the Available list and use the arrow keys to
move them into the Selected list.
4. Click Save. The new Group entry is saved in the Encapsulation
Catalog.
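
The following added example (not Allot code) parses the 802.1Q tag and the outer IPv4 header of an Ethernet frame and matches it against toy VLAN, GRE and group entries in the style of the Encapsulation catalog, so the 12-bit VLAN ID, the reserved bit and the 3-bit priority can be seen in a real tag. The frames are constructed (synthetic MACs and addresses, zero IP checksum), and treating Internal as the outer source and External as the outer destination is an assumption. The same group lookup is what Selective Bypass (Module 6) keys on.

```python
# Added example (not Allot code): parse the 802.1Q tag and outer IPv4 header
# of a frame and match it against toy VLAN, GRE and group entries in the
# style of the Encapsulation catalog. Frames are constructed (synthetic MACs
# and addresses, zero IP checksum). Taking "Internal" as the outer source and
# "External" as the outer destination is an assumption.
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def parse_frame(frame: bytes) -> dict:
    """Return the 802.1Q fields (if tagged) and the GRE outer addresses (if GRE)."""
    info = {"vlan": None, "ipv4": None, "gre": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = {"pcp": tci >> 13,        # catalog bits 14-16: user priority
                        "dei": (tci >> 12) & 1,  # catalog bit 13: CFI/DEI, reserved
                        "vid": tci & 0x0FFF}     # catalog bits 1-12: VLAN ID
        offset = 18
    if ethertype == ETHERTYPE_IPV4 and frame[offset] >> 4 == 4:
        proto = frame[offset + 9]
        src = ".".join(str(b) for b in frame[offset + 12:offset + 16])
        dst = ".".join(str(b) for b in frame[offset + 16:offset + 20])
        info["ipv4"] = {"proto": proto, "src": src, "dst": dst}
        if proto == IPPROTO_GRE:
            # The GRE entry only looks at the outer addresses; connections
            # inside the tunnel are still classified on the inner packet.
            info["gre"] = {"internal": src, "external": dst}
    return info


@dataclass(frozen=True)
class VlanEntry:
    vid: int
    priority: Optional[int] = None  # None matches any user priority

    def matches(self, info: dict) -> bool:
        tag = info["vlan"]
        return (tag is not None and tag["vid"] == self.vid
                and (self.priority is None or tag["pcp"] == self.priority))


@dataclass(frozen=True)
class GreEntry:
    internal: str = "any"  # "any" or a specific outer source IP
    external: str = "any"  # "any" or a specific outer destination IP

    def matches(self, info: dict) -> bool:
        gre = info["gre"]
        return (gre is not None
                and self.internal in ("any", gre["internal"])
                and self.external in ("any", gre["external"]))


@dataclass(frozen=True)
class EncapsulationGroup:
    """One or more VLAN or GRE entries; a frame matches if any entry matches."""
    name: str
    entries: tuple

    def matches(self, info: dict) -> bool:
        return any(entry.matches(info) for entry in self.entries)


def build_frame(src_ip: str, dst_ip: str, proto: int,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Constructed test frame: Ethernet header [+ 802.1Q tag] + minimal IPv4 header."""
    eth = bytes.fromhex("020000000001" "020000000002")  # dst MAC, src MAC
    if vid is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vid & 0x0FFF))
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src_ip.split(".")),
                       bytes(int(o) for o in dst_ip.split(".")))
    return eth + ipv4


def classify_encapsulation(frame: bytes, groups) -> Optional[str]:
    """Name of the first group that matches the frame; None if no encapsulation rule applies."""
    info = parse_frame(frame)
    for group in groups:
        if group.matches(info):
            return group.name
    return None
```

A VLAN entry with a priority set only matches frames carrying that exact priority, so a management VLAN entry pinned to priority 7 will not catch frames on the same VLAN ID sent at priority 3; leave the priority unset when the intent is "this VLAN, whatever its priority".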

Now we will examine the interface catalog.

The Interface Catalog enables you to define individual physical ports or groups of ports (called Interface Groups) on your NetEnforcer or Service Gateway for use in policies.
To define a physical port:
1. Select and right-click Interface in the Navigation pane and select New Physical Port from the popup menu. The Physical Port Entry Properties dialog is displayed.
2. Select the NetEnforcer or Service Gateway you wish to define a port on in the Device drop-down menu.
3. Select the individual port on the selected NetEnforcer or Service Gateway in the Port drop-down menu.
4. Click Save. The new entry is saved in the Interface Catalog.
To define an interface group (used for classifying traffic from several ports, which may be spread over different blades):
1. Select and right-click Interface in the Navigation pane and select New Interface Group from the popup menu. The Interface Group Entry Properties dialog is displayed.
2. Select previously defined physical interfaces in the Available list and use the arrow keys to move them into the Selected list.
3. Click Save. The new entry is saved in the Interface Catalog.

The final condition catalog which we will examine is the tethering catalog.

Tethering is a term used to describe the sharing of a mobile device's internet connection with other devices.
The most common example is a laptop that is connected to a mobile device using Wi-Fi and connects to the internet over the 3G network via the mobile device. Tethering changes the internet usage profile of mobile subscribers and affects the planning of the mobile operator's network and its charging plans. The tethering catalog allows the Service Provider to identify tethering traffic and apply priority and QoS rules to it. (NOTE: Integration with SMP is not necessary to classify traffic by tethering.)

In order to be able to use tethering, you need a special key for the
NetEnforcer/ Service Gateway.
Once you have tethering enabled, go to the Configuration window,
Networking tab. Make sure Enable Tethering Detection is checked.

To use tethering in the policy, first add the tethering column to the policy table: right-click the table title and select Table Column Configuration. Make sure Tethering is checked and click Save.
Now you can double-click the tethering column on any policy rule and choose one of three options:
Ignore: This condition is not activated. Traffic is matched to the rule based on the other conditions, irrespective of whether the traffic is tethered or not. This is the default choice for policy rules.
Yes: Match only if traffic was identified as tethered.
No: Match only if traffic was identified as not tethered.
NOTE: The Fallback Line, Fallback Pipe and Fallback VC cannot be set to use tethering.

Knowing your business objectives, you can use ToS, Encapsulation, Interface and Tethering catalogs to define the following:
Your management network, using ToS or VLAN tagging, to ensure constant access to your network elements. You can achieve this by setting a policy rule that guarantees a minimum bandwidth.
Physical interfaces coming from a specific branch, to ensure a high quality of experience for that branch.
Tethering, to generate more revenue by creating a special offering for subscribers who use tethering.
We will see more about how to configure such policies in modules 6 & 7 of this training course.
Can you think of other uses for these catalogs? Share with your trainer and training class.

Finally, let's examine Allot's Protocol Update capability.

The NetXplorer operates in a constantly evolving network environment. New protocols constantly appear, and existing applications evolve.
Allot Protocol Updates (APU) are designed to update the service catalog so that additional protocols can be identified. APU does not upgrade the software, and no reboot is required.

In order to access Web updates you need a valid support contract as well
as an appropriate key for both the NetXplorer server and all the in-line
platforms which it manages. You obtain these keys by renewing your
support contract.
To check that APU is included in your NetXplorer key (and to enter a new
one if it is not), from the Tools menu select NetXplorer Application
server registration
To perform the same check for the NE or SG, from the Network tree select
the NE / SG and choose Configuration. Go to the Identification & Key
tab. Here you can see if APU is enabled and you can identify the currently
installed protocol pack.

The upgrade process consists of the following 3 steps:
1) Downloading the protocol pack to the NetXplorer server
2) Updating the NetXplorer server
3) Updating the NetEnforcers or Service Gateways
Note: it is possible to update the NetXplorer or the NE/SG in isolation. If, however, a policy is created based on a service that has only been updated on the server, the NE/SG will ignore it and the user will see misclassified traffic. Before writing rules for a newly delivered service, confirm in the Identification & Key tab of each NE/SG that the installed protocol pack is the same one the NetXplorer server is running.
Updating the protocol pack does not require a reboot of the NetXplorer or the in-line platform.

If your NetXplorer server can access the Allot web site on the internet, the simplest way to perform manual updates is by using the protocol updates wizard.
The wizard is accessed from the Protocol Updates item on the Tools menu. Choose From Allot Web Site.

The first stage is to check for updates.
The wizard displays a list of changes to be made to the service catalog. This screen is for display only. You will see the protocol pack number displayed at the top of the window. The pending changes are divided into applications, services and service groups. Each one is split into Create, for new applications, services and groups, and Update, for updating existing ones.
When you click Update Now, the protocol pack is downloaded to the NetXplorer and all of the listed changes are made to the service catalogs of the NetXplorer.
When the service catalog has been successfully updated, the list of changes is displayed. In addition, the successful installation is recorded in the alarms log.

The 3rd and final stage of the process is to update the NetEnforcers or
Service Gateways.
Select the NetEnforcers or Service Gateways that you wish to update. In
the example above there is only one NetEnforcer available. For each NE /
SG you can see the services to be changed by clicking the Advanced
button.
Clicking Next one more time brings you to the end of the process.

Stages 1 and 2 of the process can be configured to run automatically.
In the Network tree, right-click Network and select Configuration from the menu. In the network configuration dialog, select the Protocol Updates tab.
Here you can configure the NetXplorer to check for updates periodically (stage 1). If there is an update, the protocol pack is downloaded to the NetXplorer server and an alarm is displayed in the alarm log.
You can also choose to automatically install the new update on the NetXplorer server (stage 2).
Note that in any event, the update of the service catalogs on the NE/SGs (stage 3) must be done manually.
Once a protocol pack has been installed, an alert appears in the alarm log indicating a successful update.

We have seen how the update package is downloaded using the wizard and how this process can be configured to run automatically.
There are additional ways to get the update package onto the NetXplorer server, which can be particularly useful when the NetXplorer has no direct access to the internet.
In this case, the package can be downloaded from the Allot Support Area and copied to another server or a CD.
Once you have it, go to the Tools menu in the NetXplorer GUI and choose Protocol Updates from local package to update the NetXplorer. Choose Install to Device to update the in-line platforms.
Follow the full procedure in the Protocol Pack Release Notes.

What condition catalogs do you need to define in order to create a rule which limits MPEG download traffic from Bronze level subscribers during peak surfing hours?

Look at the entry identification definitions for the service displayed here.
How will the in-line platform identify this service?

Module 6
Action Catalogs

As we have seen, catalog entries are the building blocks that we use to
make the rules that comprise our traffic policy. Catalog entries may be
conditions or actions. In this module, we will learn about the catalogs you
can use to define actions which enforce your traffic policies.

Once traffic has been classified into Lines, Pipes and Virtual Channels, we can take actions on that specific traffic. This represents the A in Allot's Dynamic Actionable Recognition (DART) Technology.
In this module we will look at the different actions which can be taken on specific traffic flows. We begin by looking at the access control mechanism, which consists of three pre-defined values, before examining the Quality of Service engine which is used to shape traffic running through the NetEnforcer or Service Gateway. We will then explore some of the service activation options. This action is used to steer traffic to different services, and also to define WebSafe, HTTP Monitoring and Captive Portal Redirection. Other service activation options will be covered in more detail in the Steering module. Later we will see how we can use the ToS catalog as an action. We will finish by exploring the Denial of Service action and its usage. We begin with the Access Control mechanism.

The access control mechanism is applied to traffic before the actions which have been assigned from the action catalogs.
The in-line platform first identifies traffic that should be accepted. By default, it accepts the traffic and allows it to pass through. Two other options exist:
It may be bypassed, in which case the traffic passes through the system without undergoing DPI and QoS. In the Service Gateway, this means that the traffic bypasses the core controller blade.
It may be dropped, in which case the in-line platform simply ignores the sender and throws the packets away, much like a firewall. The Drop option is provided for protocols such as UDP, in which a client does not expect acknowledgements (ACKs). You can also drop a TCP connection; since nothing is sent back to the client, it will just take longer for it to realize that the conversation with its desired server can't be established.
Access Control is used for specific policy rules, based on the condition catalogs defined for a rule.
Note: There is an additional Access Control option, Reject. This option is available only on the AC-400, a legacy platform which is no longer sold.

There are two ways to define access control for a policy rule:
1. Open the policy table and double-click the Access Control cell of the rule. This opens a radio button list. Choose the desired access control option.
2. Double-click a policy rule name. This opens the rule properties update window. The first action is the access control. Click the drop-down menu and choose the desired option. Click OK.
Remember to save the policy so that the change takes effect.

If you wish some of the traffic to bypass the NE/SG without defining a rule in the policy, you can use the Selective Bypass feature. Traffic matching a predefined group of VLAN tags bypasses the DART engine of the system. This of course requires that all the traffic you wish to bypass arrives at the NetEnforcer/Service Gateway with the VLAN tags you configured. Since bypassed traffic is not inspected, the tags in the bypass group should be ones applied by your own network equipment.
The bypassed traffic is not counted in policy rules, connection establishment rate limitations or the total number of connections. It is counted towards bandwidth limitations.
To configure selective bypass you first have to define a VLAN Group. This is explained in detail in Module 5: Condition Catalogs. Then go to the configuration window of the NetEnforcer/Service Gateway, Networking tab. Mark the checkbox for Enable Selective Bypass and choose the VLAN group for the traffic you wish to bypass. Click Save to save the new configuration.

Let's now review how we can use access control, together with condition catalogs, to serve our business requirements:
Large enterprises can drop all P2P traffic during working hours to free up bandwidth for business applications.
Operators can place their management VLAN in the Selective Bypass group to ensure that important management traffic is not run through the QoS engine.
Can you think of other uses for access control? Share your ideas with your trainer and the training class.

Let's now focus on the Allot Quality of Service engine and catalogs. Before we see how to define QoS catalogs, let's first look at why we need to enforce quality of service at all.

Why is quality of service important for a service provider?
Endless different applications run over Service Provider networks, and each application has its own characteristics and requirements. Furthermore, these applications often have to run on legacy infrastructures. IP-based infrastructures, cable, WiFi and 3G were not really designed to support the needs of real-time content: these transport technologies are, firstly, asymmetrical and, secondly, not sensitive to delays. A basic IP network is not only unaware of how critical an application is for a specific subscriber, but also unable to allocate the resources, the priority and the appropriate real-time treatment that these rich applications require.
Of course, subscribers will be quick to switch to a different provider if their service provider cannot deliver the Quality of Experience that they expect.
In short, if service providers wish to offer particular services, they need to manage each service differently to ensure the subscriber's quality of experience.

Why is quality of service important for the enterprise?
Each type of traffic that runs over an enterprise network has its own inherent Quality of Service requirements too. In addition, each type of application may be more or less important to the business as a whole. When analyzing network traffic on the basis of both of these parameters, the enterprise can develop an understanding of how to prioritize its network traffic.
Just because the content of certain data is important to an enterprise, it doesn't mean that it has to go through the network quickly. Let's look at an example: you send an email to your boss requesting a raise. Although the content of the email is very important, it does not need to go through the network at real-time speed. If your boss reads the email 5 seconds later, this does not affect the communication in any way.
On the other hand, if two people are playing a flight simulator game on the Internet, game updates must pass through the network with little delay. If there is too much delay, the game will be unplayable. Yet gaming is hardly what most would describe as business critical.
In a typical network, different applications and users compete for the same resources. Network managers need to take into account both the inherent requirements of each application and its importance to the business before deciding what quality of service to assign to it.

At the heart of Allot's Quality of Service mechanism lies the QoS Engine. Based on user definitions, the QoS engine decides for each frame whether to transmit that frame to the network, to store it in the buffer or to drop it.

Let's examine the concepts of minimum and maximum bandwidth.
Applying a minimum to certain traffic guarantees that the traffic receives at least the amount of bandwidth requested. For example, a QoS entry with a minimum of 64kbps specifies that the traffic receives a guaranteed bandwidth of at least 64kbps. It may very well receive more than 64kbps, depending on the amount of available bandwidth and other QoS settings. Minimum bandwidth guarantees are only enforced in cases of congestion. If the minimum guaranteed bandwidth is not in use at a particular moment, it can be used temporarily by another Line, Pipe or Virtual Channel.
Applying a maximum simply limits the amount of bandwidth. For example, a QoS entry with a maximum of 64kbps specifies that the traffic is limited to 64kbps and receives no more than 64kbps. Just as a minimum definition may receive more than the defined value, a maximum definition may receive less. Traffic to which a maximum value is assigned is smoothed over the course of a second, while small bursts of the traffic are allowed to be transmitted before their time.
Bandwidth between the guaranteed minimum and the applied maximum is allocated in competition with the other rules, based on the priority levels set. Priority levels form part of the assured forwarding feature, which will be discussed now.

Allot's enhanced QoS engine provides support for RFC 2597 (Assured Forwarding) by offering 4 levels of priority and 3 levels of drop precedence (supported at the VC level only). Viewed together, these give the 12 levels of service stipulated in the Assured Forwarding RFC.
When traffic exceeds the maximum rate set, the decision on whether to buffer or drop packets is taken according to the drop precedence value assigned to each packet. Packets with a high drop precedence are dropped before packets with a low drop precedence.

The four priority levels work in the following way. Once a minimum has been assigned to all objects, the spare bandwidth is distributed between the different rules based on priority. Bandwidth is allocated by priority weighting only, irrespective of ingress. This means that the system ignores how much bandwidth each rule is asking for and divides the bandwidth strictly according to priority. The share assigned to each policy element is proportional to its weight relative to the other elements at the same level, so elements with a higher weight are allocated a bigger share of bandwidth.
Let's now see an example. Imagine we have 200Mbps of HTTP traffic and 100Mbps of FTP traffic which must be shaped into a pipe with a maximum rate of 100Mbps. If the NetXplorer operator assigns a priority of 1 to the HTTP VC and a priority of 4 to the FTP VC, the HTTP VC is assigned 20Mbps and the FTP VC 80Mbps.
The allocation of bandwidth is performed irrespective of the ingress rates. The bandwidth allocated to each element is determined by dividing the element weight (e.g. 1 for the HTTP VC or 4 for the FTP VC) by the total weight, which in this example is 5 (1+4), and multiplying by the total available bandwidth (in this case 100Mbps, as determined by the pipe maximum).

Quality of Service can be assigned per Line, Pipe and Virtual Channel. These assignments can be combined to provide a more granular quality of service.
The NetXplorer QoS catalog offers 6 options. The Line QoS, Pipe QoS and Virtual Channel QoS catalogs are for use with non-AOS products (e.g. AC-400). The Enhanced QoS catalogs are for use with all AOS driven products (e.g. SG-Sigma, SG-Sigma E, AC-1400, AC-3000, AC-500).

Here we see the Enhanced Line QoS entry properties dialog.
By default, when a QoS policy is defined in a full duplex environment, whether for a Line, Pipe or VC, the same values are applied to both the inbound and outbound channels. In some cases, though, the user may want to define a different Quality of Service policy for inbound and outbound traffic within the same Line, Pipe or VC.
To define different policies for each direction, select Each direction defined separately from the Line-Based QoS Coverage field in the Quality of Service Catalog editor. Two dialog boxes are displayed: one for inbound traffic and one for outbound traffic.
Note that a Best Effort priority is defined by default. Note also that in order to define a maximum bandwidth for Line, Pipe or VC Quality of Service, you must first mark the radio button for Maximum Bandwidth.


In addition to the 4 standard levels of priority, Best Effort priority is also
available for Line, Pipe and VC Enhanced QoS catalogs. If objects at the
same policy level (e.g. pipes) are set to Best Effort there will be no
prioritization between them, and bandwidth will be allocated to each one in
proportion to the amount of traffic which each object receives. This is to be
distinguished from giving both objects the same priority level. In that
case, each object will be allocated the same amount of bandwidth
irrespective of how much traffic each one receives.


Setting some elements at the same policy level to a priority and others to
Best Effort causes a situation known as bandwidth starvation. When the
traffic matched by each rule competes for the spare bandwidth, the rules set
to Best Effort are given an element weight of zero.
Looking at the equation we use to calculate the allocated bandwidth for
each rule, we can see that for an element weight of zero the allocated
bandwidth is also zero: no spare bandwidth will be allocated to that rule
at all.
If you try to save such a policy, where priorities and Best Effort QoS are
combined at the same policy level, NetXplorer will alert you to this. Click
Yes to save the policy as it is, or No to adjust the policy.
Important Note: the default QoS values (Normal Line QoS, Normal Pipe QoS
and Normal Virtual Channel QoS) are all set to Best Effort. Make sure not
to mix them with priority QoS on the same level.


In this example we again have 200Mbps of HTTP traffic and 100Mbps of
FTP traffic which must be shaped into a pipe with a maximum rate of
100Mbps. Now we compare two mechanisms. In the example at the top,
both VCs are given the same priority rating. Bandwidth will be assigned
equally to each service irrespective of the ingress bandwidth: each VC
receives an equal share of the 100Mbps, i.e. 50Mbps each.
In the second example, the NetXplorer operator assigns each VC Best
Effort priority. Best Effort priority means there is no fair distribution
between the VCs, so a VC with more ingress traffic receives a larger
portion of the bandwidth. In our case HTTP will receive twice as much
bandwidth as FTP. We would expect HTTP to receive 66.66Mbps
([200/(200+100)]*100M = 66.66Mbps), while FTP would receive 33.33Mbps
([100/(200+100)]*100M = 33.33Mbps).


Let's now see a final example which includes minimum bandwidth
guarantees. In this case we have 200Mbps of HTTP and 200Mbps of FTP
traffic which must be shaped into a Pipe with a maximum of 200Mbps. The
operator wishes to ensure that HTTP receives a guaranteed minimum of
20Mbps, while FTP receives a guaranteed minimum of 80Mbps.
If the NetXplorer operator assigns each VC the default Best Effort
priority alongside the minimum, then as long as the maximum bandwidth is
larger than the total of the guaranteed bandwidth, bandwidth will be divided in
proportion to the ingress traffic; in this case, both VCs will be assigned
100Mbps. If there were no minimum defined, the expected bandwidth
for each VC would be [200/(200+200)]*200M = 100Mbps. If the minimum
guaranteed for each VC is less than this expected value, the output
is the same as if there were no minimum.
If the NetXplorer operator assigns each VC the same priority level
in addition to the minimum, bandwidth is assigned unequally
between the VCs, even though the ingress rates are the same. In this
case, HTTP receives 70Mbps, while FTP receives 130Mbps.
The allocation is based on the equations below (the minimums are served
first, and the remaining bandwidth is shared equally between the two
equal-priority VCs):
HTTP: Remaining bandwidth after min allocation = 200-(20+80) = 100Mbps;
Total Bandwidth = 20 + 100/2 = 70Mbps
FTP: Remaining bandwidth after min allocation = 200-(20+80) = 100Mbps;
Total Bandwidth = 80 + 100/2 = 130Mbps
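To make the arithmetic on slides 6-14 to 6-20 reproducible, here is an added Python model of the Enhanced QoS share calculation. It is not Allot code and says nothing about the engine's internals; it only encodes the rules stated in these notes: minimums are served first, spare bandwidth is split by priority weight, Best Effort weighs zero next to prioritized peers, and an all-Best-Effort level shares in proportion to offered load. How surplus is recycled when an element offers less traffic than its share is an assumption of this model, as are the Element and allocate names.

```python
"""Toy model of the Enhanced QoS share calculation on slides 6-14 to 6-20 (added example).

Not Allot code. Rules encoded from the slides: minimums first, spare split by priority weight,
Best Effort weighs zero next to prioritized peers, all-Best-Effort shares follow offered load.
Assumption: a share an element cannot use is re-divided among its peers (water filling).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

EPS = 1e-9


@dataclass
class Element:
    name: str
    ingress: float            # offered load in Mbps
    priority: Optional[int]   # 1..4 used as the weight; None means Best Effort
    minimum: float = 0.0      # guaranteed minimum in Mbps


def weighted_fill(budget: float, demand: Dict[str, float],
                  weight: Dict[str, float]) -> Dict[str, float]:
    """Divide budget in proportion to weight, never above an element's demand;
    whatever a saturated element cannot use is re-divided among the rest."""
    got = {n: 0.0 for n in demand}
    active = {n for n in demand if weight[n] > 0 and demand[n] > EPS}
    while budget > EPS and active:
        total_w = sum(weight[n] for n in active)
        share = {n: budget * weight[n] / total_w for n in active}
        done = {n for n in active if share[n] + EPS >= demand[n] - got[n]}
        if not done:                  # nobody saturates: hand out the shares and stop
            for n in active:
                got[n] += share[n]
            break
        for n in done:                # saturated elements take only what they can use
            budget -= demand[n] - got[n]
            got[n] = demand[n]
        active -= done
    return got


def allocate(capacity: float, elements: List[Element]) -> Dict[str, float]:
    """Bandwidth per element for one policy level, e.g. the VCs inside one Pipe."""
    demand = {e.name: e.ingress for e in elements}
    mins = {e.name: min(e.minimum, e.ingress) for e in elements}
    if any(e.priority is not None for e in elements):
        # Slides 6-18 and 6-20: minimums are served first, the spare bandwidth is split by
        # priority weight, and Best Effort peers get weight 0 (bandwidth starvation).
        spare = capacity - sum(mins.values())
        if spare <= EPS:              # minimums over-committed (slide 6-22): admission decides
            return mins
        weight = {e.name: float(e.priority or 0) for e in elements}
        extra = weighted_fill(spare, {n: demand[n] - mins[n] for n in demand}, weight)
        return {n: mins[n] + extra[n] for n in demand}
    # Slides 6-19 and 6-20: all Best Effort, shares follow offered load, each floored at its
    # minimum; an element lifted to its minimum is fixed and the rest is divided again.
    fixed: Dict[str, float] = {}
    while True:
        free = {n: demand[n] for n in demand if n not in fixed}
        fill = weighted_fill(capacity - sum(fixed.values()), free, free)
        short = [n for n in fill if fill[n] + EPS < mins[n]]
        if not short:
            return {**fixed, **fill}
        for n in short:
            fixed[n] = mins[n]


if __name__ == "__main__":
    print("6-14 weights 1:4  ", allocate(100, [Element("HTTP", 200, 1), Element("FTP", 100, 4)]))
    print("6-19 same priority", allocate(100, [Element("HTTP", 200, 1), Element("FTP", 100, 1)]))
    print("6-19 best effort  ", allocate(100, [Element("HTTP", 200, None), Element("FTP", 100, None)]))
    print("6-18 starvation   ", allocate(100, [Element("HTTP", 200, 1), Element("FTP", 100, None)]))
    print("6-20 best effort  ", allocate(200, [Element("HTTP", 200, None, 20), Element("FTP", 200, None, 80)]))
    print("6-20 same priority", allocate(200, [Element("HTTP", 200, 1, 20), Element("FTP", 200, 1, 80)]))
```

Running the script prints the six cases from these slides (20/80, 50/50, 66.66/33.33, 100/0, 100/100 and 70/130). The same function can be pointed at the quiz at the end of this module; a policy level whose minimums exceed the capacity returns only the minimums, which is the situation conditional admission (slide 6-23) exists to resolve.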


Here we see the Enhanced Pipe QoS entry properties dialog. Note the "If
Minimum Pipe Bandwidth is not Allocated" field. This feature is available
for Enhanced Lines, Pipes and VCs and is discussed next.


Service providers often commit to giving subscribers more bandwidth than
is available (oversubscription). They work on the assumption that not all
users are connected at all times and that the bandwidth will usually be
sufficient to accommodate the subscribers that are connected.
Each subscriber is assigned a Pipe with a guaranteed minimum bandwidth.
But what happens when the minimum guaranteed bandwidth cannot be
allocated? When more subscribers than expected try to connect, the total
minimum bandwidth promised to the Pipes may exceed the maximum bandwidth
defined for the Line. If this happens, connections for new subscribers
cannot be established.


In such a case, you can use conditional admission to determine what to
do. You can instruct the in-line platform to drop or accept according to the
priority value. If you choose Admit by Priority, the in-line platform will
accept the new connection but will not assign the minimum bandwidth;
the new connection gets bandwidth according to its priority. If you choose
Drop, all new packets will be dropped. The user is disconnected and may see
the message "Connection Timed Out".


Here we see the Enhanced VC QoS entry properties dialog. Note the
Expedited Forwarding option and the Drop Precedence field. These
features are available for Enhanced VC QoS catalogs only and will be
discussed now.


Expedited Forwarding (EF) enables a first-class service level for real-time
traffic which is loss-, delay- and jitter-sensitive, and can also handle
traffic bursts efficiently. With this feature users can ensure QoE for
real-time applications such as VoIP and videoconferencing services.
Allot's implementation of this feature follows RFC 2598, the Expedited
Forwarding per-hop behaviour (since superseded by RFC 3246).
How does the feature work? Expedited Forwarding traffic, unlike traffic for
which a regular maximum is defined, is not smoothed: the defined EF rate
can be allocated entirely in the first millisecond (as a burst). When
transmission starts in the middle of a second, the traffic is allowed to
breach the maximum of the hierarchy object above it. In order to provide the
specified Expedited rate, the QoS engine supplies it at the expense of the
other VCs in the subsequent second.


Here we see how to define Expedited Forwarding. Again, this is a feature
supported at VC level only. It is intended for services such as VoIP and
IPTV which are sensitive to loss, delay and jitter. When traffic is allocated
to the EF quality of service, no buffering is used, in order to minimize jitter
and delay. Therefore, minimum and maximum are defined with the same
value. Traffic that cannot be assigned the required EF bandwidth is
dropped.


If a packet is not transmitted to the network, it will be dropped or buffered.
The drop precedence value determines the importance of the packet
before the decision to buffer it or not is made. Packets with higher drop
precedence values are discarded before packets with lower drop
precedence values. The Allot QoS engine uses the standard WRED
(Weighted Random Early Detection) algorithm to make this decision. The
feature is available at the Enhanced VC QoS level only.
The default drop precedence value is Application Based, whereby
high, medium and low values are pre-defined in the software per
application type. When set to No Buffering, no packets at all will be buffered
for the policy rule.


This flow diagram summarizes the allocation of bandwidth in the Allot
Enhanced QoS engine. The total bandwidth available is first allocated to
policy elements with a Minimum or Expedited Forwarding setting. The
spare bandwidth is then divided among the rest of the policy elements as
required. If there is insufficient bandwidth available, the bandwidth is
divided based on the priority settings, unless the user has chosen to drop all
traffic whose bandwidth was not allocated by a minimum.
NOTE: When you make an on-the-fly QoS change on a regular (non-prioritized)
object (Line/Pipe/VC), the change takes effect for new sessions only. When
you make an on-the-fly QoS change on a prioritized object (Line/Pipe/VC),
the change takes effect immediately.


On occasion, traffic that does not require any shaping must pass through
the NetEnforcer or Service Gateway. Let's see an example of this from the
enterprise field. A customer may have a DMZ connected to its firewall. A
DMZ is the semi-protected network segment where equipment that needs to be
accessed from both inside and outside the firewall is placed. In this
example, traffic flows from the LAN to the WAN and from the LAN to the
DMZ. If the NetEnforcer is configured to limit internal bandwidth to
10Mbps and external bandwidth to 2Mbps, the NetEnforcer assumes the
traffic flowing to the DMZ is actually going out to the WAN, and therefore
limits the output to a total of 2Mbps instead of 10Mbps.
To overcome this problem, you can use the predefined "Ignore QoS" entry
in the QoS catalog. The traffic will go through the NetEnforcer at wire
speed and will not be counted as part of the allowed bandwidth in the
NetEnforcer.
It is recommended to create a pipe or VC and set the QoS level to Ignore
QoS for traffic going from the LAN to the DMZ and vice versa, or for other
LAN traffic passing through the NetEnforcer that does not require shaping.
Keep the conditions of such a rule as narrow as possible: anything that
classifies into an Ignore QoS rule escapes every bandwidth limit on the platform.
"Ignore QoS" can also be used in a service provider environment; for
example, some providers choose to set up a pipe or VC for BGP traffic
and set it to Ignore QoS.
Note: The Allot default policy applies Ignore QoS on the Network
Operation VC.


The QoS catalog is the heart of all Action Catalogs. This is the catalog
which allows you to apply all the different principles we have reviewed
throughout this module. With the various options of this catalog you can
tailor your bandwidth to maximize every single bit of traffic.
For example:
Set a minimum bandwidth level in order to ensure available bandwidth
for important traffic
Set maximum Bandwidth in order to limit P2P traffic
Set expedited forwarding to ensure VoIP quality
Set priority to ensure desired precedence in times of congestion
Can you think of other uses for QoS control? Share your ideas with your
trainer and the training class.


To summarize this section of the module, have a look at this Policy table,
which implements the example from the previous slide.


We will now examine different services which can be activated using the
service activation catalog. This includes steering both to external
services and to integrated services such as WebSafe and HTTP
Monitoring. We will begin by taking a brief look at how to steer traffic to
services using the local service and integrated services catalogs. This will
be examined only at a conceptual level here. A separate training module
covers steering in more detail.


A service may be a network service or a subscriber service. By network
service we mean a service which benefits the whole network.
ServiceProtector is a good example of such a service, as it serves to
protect the network as a whole. By subscriber service we mean a service
which benefits specific subscribers, typically those who have paid for it.
WebSafe, for example, might be offered as a service to subscribers who
pay an extra monthly fee to benefit from the service. A service such as
MediaSwift can be deployed across the board as a network service, with
the aim of reducing operating costs for the Service Provider.
Alternatively it may be deployed as a subscriber service and offered to
subscribers who are willing to pay to increase the speed of their
downloads.
Services may be internal or external. Internal services are deployed on
Service Gateway blades, while external services are deployed on servers
situated outside the in-line platform chassis. Some services (such as
WebSafe, or URL monitoring) can only be deployed internally. Other third
party services can only be deployed externally. Services such as
MediaSwift and ServiceProtector can be deployed either as internal or
external services, with restrictions: MediaSwift deployments above a certain
size, for example, must be deployed externally.
Finally, a service can be one which is offered by Allot, or a third party
service offered by a different vendor altogether.


Traffic steering may be policy based redirection, where specific application
or subscriber flows are redirected to an internal or external service.
Alternatively, the steering may be policy based mirroring, where a copy of
specific application or subscriber flows is sent to an internal or external
service and terminated there, while the original traffic continues to its
destination. An example of the latter approach is where a network service
is deployed to monitor the quality of VoIP calls running through the
network. VoIP traffic is identified by the in-line platform and then mirrored
to the external service, where the mirrored traffic is terminated.


The concept of the service chain is a simple one. Different subscribers
may sign up to different service plans. Particular traffic flows may be
redirected through different services in different orders, depending on the
service plan to which the subscriber has signed up. This can be seen in
the example here, where traffic from subscribers on the gold service plan is
steered through services 1, 2 and 3 in turn, while traffic from
subscribers on the red service plan is steered only through service 1.


There are 7 stages involved in configuring steering. Firstly, you need to
configure the port usage on the in-line platform, setting the ports
connected to the service for steering. Then you create a new local
service from the service activation catalog, and associate this local
service with a particular in-line platform. Typically a service consists of a
farm of servers, so for each service you then define the servers that
make it up. The fourth stage is to combine local services into a new
integrated service. If required, you can then build service chains by
combining different integrated services. The integrated service you require
is then inserted into the chosen service plan (as described in the SMP
course). Finally, the service plan is inserted into the policy table (as
described in Module 7).


We will now look at Websafe and HTTP monitoring, both of which are Allot
services, integrated into the AOS software. We will then see how to define
a captive portal for redirection.


WebSafe and HTTP Monitoring are additional services available with Allot
in-line platforms. HTTP Monitoring allows you to see the Most Active
Domains graph. It holds up to 1000 most active domains. The service
must be enabled and does not require a special key.


WebSafe is a URL filtering service, which allows you to block or allow
specific content.
It allows multiple enforcement actions: report only, redirect, or block (with a
notification web page). WebSafe is managed by NetXplorer and
includes enhanced monitoring and reporting capabilities. WebSafe must
be enabled in order to function, and requires a special key on the
NetEnforcer/Service Gateway.
On the screen you will see a table presenting the maximum number of
Domains/Paths per in-line platform. When, for example, you have just
www.youtube.com in the blacklist, it counts as one domain. When you
have www.youtube.com/abcd/grdgf/ it counts as one domain AND one
path.
Let's see now how to enable the WebSafe and HTTP Monitoring services.
Lets see now how to enable these WebSafe & HTTP Monitoring services.


Right-click on Network to open the Configuration dialog and select the
Integrated Service tab.
At the bottom of the tab you can choose the default policy action for
WebSafe and HTTP Monitoring.
If Always Disabled is chosen, the service will not be activated.
If Always Enabled is chosen, the service will be activated on all traffic
running through the Service Gateway or NetEnforcer. This means, for
WebSafe, that HTTP traffic from all subscribers will be inspected,
irrespective of their service plans.
For HTTP Monitoring, this means that the graph that will be generated
will sum up the Most Active URLs for all traffic running through the system.
If Policy Based is chosen, the service will be activated only on traffic that
is classified into those policy entities (lines, pipes or VCs) for which the
action catalog is chosen in the policy.
This means, for WebSafe, that HTTP traffic from only those subscribers
whose service plans include this action will be inspected. For HTTP
Monitoring, this means that the graph that will be generated will sum up
the Most Active URLs for all of the lines, pipes and VCs with which this
action is associated.


If working in Policy Based mode, you will be able to use the predefined
HTTP Monitoring and WebSafe catalog entries that can be found in the
Service Activation catalog type. These entries cannot be altered; they
should simply be added to the appropriate line, pipe or VC as required.
Here we can see an example based on the policy table we saw earlier at
the end of the QoS section of this module, with the addition of the WebSafe
and HTTP Monitoring service activation catalogs.
HTTP Monitoring enables the Most Active Domains graph which was
introduced in Module 4, Monitoring and Reporting.
We will now see how to configure the different options for WebSafe.
We will now see how to configure the different options for WebSafe.


WebSafe manages the lists of URLs with two files:
Blacklist: all the URLs to be blocked.
Whitelist: overrides the blacklist.
For example, you can have www.badsite.com in the blacklist. However, if a
specific page such as www.badsite.com/goodpage is in the whitelist, this
allows access to that specific page.
Here we see a flow diagram indicating how WebSafe works. If a user
requests a forbidden page (1), WebSafe processes the request and
extracts the URL (2). The URL is then matched against the blacklist (which
may be user defined, or downloaded from a third party source) (3). If the URL
is found on the blacklist AND is not on the whitelist, WebSafe
performs an action (for example, blocking access to this URL and sending a
warning page) (4).


From the Integrated Services tab, the operator can define different options for the
WebSafe service. (The Integrated Services tab is accessed by right-clicking on
the network and choosing Configuration.)
The Blacklist Source definition enables the operator to define an external
blacklist source. You can then determine how often to download the list, how to
track the server availability, and enable event notification of Allot server
reachability. All of this functionality requires an additional NetXplorer license.
User Defined Files refers to the blacklist, the whitelist and the warning page (which
we will explain later). The default location of these files on a Linux server is
/opt/allot/NetXplorer/jboss-5.1.0.GA/server/allot/websafe. On a Windows server
the path is \Allot\netxplorer\jboss-5.1.0.GA\server\allot\webSafe. You can
change the location from the dialog shown here.
Using the Action on Match field you can define what you want to do with a
connection which matches one of the blacklist URLs. The options are:
Monitor: the connection will be allowed, and the operator will be able to see it in
the NetXplorer WebSafe graphs.
Block: the connection will not be established.
Block and send subscriber to a warning page: the subscriber will
see a warning page configured by the operator. We will see how to create this
page shortly.
Block and redirect subscriber to a Captive Portal: the subscriber will
be redirected to a specific URL.


Here we see a list of the acceptable formats for the blacklist and whitelist text
files. Each NE/SG holds one blacklist file and one whitelist file. Any legal
URL is acceptable (there should be no white space within paths).
WebSafe considers www.badsite.com and badsite.com to be different
sites, so a domain you want to block must be listed in every form under which
it is reachable. The URL may be entered with or without the http:// prefix. URL
paths (after the domain name) may include anything. NOTE: HTTPS and FTP sites
are not currently supported, so the same content reached over HTTPS is not
filtered by WebSafe.
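The following Python matcher is an added illustration of the list rules on slides 6-39, 6-42 and 6-44; it is not the WebSafe engine and its internals are not published here. Encoded from the slides: an optional http:// prefix, www.badsite.com and badsite.com being distinct sites, no white space in paths, the whitelist overriding the blacklist, HTTPS/FTP entries being unsupported, and a path entry counting as one domain and one path. Assumptions made in this example: host names compare case-insensitively, a path entry also covers the paths below it, query strings are ignored, and both lists count towards the domain/path limits.

```python
"""Toy WebSafe-style blacklist/whitelist matcher for slides 6-39, 6-42 and 6-44 (added example).

Not Allot code. From the slides: optional http:// prefix, www.badsite.com and badsite.com are
different sites, no white space in paths, a whitelist hit overrides a blacklist hit, HTTPS/FTP
unsupported, and a path entry uses one domain and one path of the platform limits.
Assumptions: hosts compare case-insensitively, a path entry covers its sub-paths, query strings
are ignored, and both lists count towards the limits.
"""
from typing import Iterable, List, Tuple

Rule = Tuple[str, str]   # (host, path); an empty path means the whole domain


def parse_entry(entry: str) -> Rule:
    """Normalise a list line or a requested URL to (host, path)."""
    text = entry.strip()
    if "://" in text:
        scheme, text = text.split("://", 1)
        if scheme.lower() != "http":
            raise ValueError(f"{entry!r}: only http:// is supported (slide 6-44)")
    if not text or any(ch.isspace() for ch in text):
        raise ValueError(f"{entry!r}: empty entry or white space in path")
    host, _, path = text.partition("/")
    if not host:
        raise ValueError(f"{entry!r}: missing host name")
    path = path.split("?", 1)[0]                     # assumption: ignore the query string
    return host.lower(), ("/" + path).rstrip("/")


def rule_matches(rule: Rule, host: str, path: str) -> bool:
    rule_host, rule_path = rule
    if rule_host != host:                            # www.badsite.com != badsite.com
        return False
    if not rule_path:
        return True                                  # domain-only entry covers every path
    return path == rule_path or path.startswith(rule_path + "/")


class WebSafeLists:
    def __init__(self, blacklist: Iterable[str], whitelist: Iterable[str]):
        self.black: List[Rule] = [parse_entry(line) for line in blacklist if line.strip()]
        self.white: List[Rule] = [parse_entry(line) for line in whitelist if line.strip()]

    def decide(self, url: str) -> str:
        """Slide 6-42 flow: 'block' only if blacklisted AND not whitelisted, else 'allow'."""
        host, path = parse_entry(url)
        if not any(rule_matches(r, host, path) for r in self.black):
            return "allow"
        if any(rule_matches(r, host, path) for r in self.white):
            return "allow"                           # the whitelist overrides the blacklist
        return "block"

    def usage(self) -> Tuple[int, int]:
        """(domains, paths) consumed against the per-platform limits of slide 6-39."""
        rules = self.black + self.white
        return len({host for host, _ in rules}), sum(1 for _, path in rules if path)


if __name__ == "__main__":
    lists = WebSafeLists(                            # constructed sample lists
        blacklist=["www.badsite.com", "http://www.youtube.com/abcd/grdgf/"],
        whitelist=["www.badsite.com/goodpage"])
    for url in ("http://www.badsite.com/", "http://www.badsite.com/goodpage",
                "http://badsite.com/", "http://www.youtube.com/abcd/grdgf/clip.html",
                "http://www.youtube.com/watch?v=abc"):
        print(f"{lists.decide(url):5}  {url}")
    print("domains/paths used:", lists.usage())
```

The third sample URL shows the practical consequence of the host rule: badsite.com stays reachable until it is listed as well. An https:// entry raises immediately rather than silently becoming a rule that can never match.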


The option to block and send a warning page refers to the warning.html
file located on the NetXplorer server.
The default warning page is shown here. The warning.html file is
customizable, but must be less than 900 bytes. Any HTML syntax may be
used (e.g. references to scripts or images). NOTE: if you add a new
warning.html to the NetXplorer at C:\Allot\netxplorer\jboss-5.1.0.GA\server\allot\webSafe,
this will replace the default Allot warning file with no option to revert to the
default warning page, so keep a copy of the original before overwriting it.


Whenever you change one of the user defined files, you can distribute them
manually at any time by choosing Distribute Operator Files from the
WebSafe item of the Tools menu. When working with a Service Gateway,
the operator files are distributed to each Core Controller blade.


HTTP redirection is typically used in conjunction with Allot's SMP and is
covered in more detail in the SMP course.
HTTP redirection can be used in various scenarios, for example to
redirect infected subscribers to a portal where they have to purchase
cleaning software. Alternatively, when working with quota based service
plans, a subscriber whose daily or monthly quota has expired can be
redirected to a captive portal to purchase a top-up.
When applied as an action on a Line, Pipe or VC, all HTTP traffic will be
redirected. The NetEnforcer or Service Gateway first identifies that a
subscriber has generated HTTP traffic. It then answers the subscriber's request
with an HTTP 303 (See Other) redirect response whose Location header names
the new URL to access instead. In other words, the mechanism changes the
site that the subscriber is trying to access.
In order for the in-line platform to be able to redirect traffic to the captive
portal, it must have an internet connection.


To define a new captive portal from the Service Activation catalog, choose
New Captive Portal, then enter the name and description, the URL to redirect
to, and an action in case HTTP redirection fails. You can choose HTTP
or HTTPS as the redirection protocol.
When working in mobile environments, you can send the customer's
original URI and/or MSISDN to the portal. To do this you will need to set
the Captive Portal URI as follows: www.captive.com/landpage?ms=<fill in>,
where <fill in> is {ORIG_URI}, {MSISDN} or {MSISDN}{ORIG_URI}. You
can add up to 16 characters here. The customer will need to configure the
portal to parse these fields to extract the MSISDN or ORIG_URI.
In the HTTP Redirection Fail Action field, configure what will be done with
non-HTTP traffic passing through this particular pipe or VC (e.g. VoIP
traffic). If you select Pass As Is, it will be allowed to pass and reach
its destination (i.e. allow VoIP sessions, but redirect HTTP traffic to the
captive portal). If you select Drop, non-HTTP traffic will be blocked.
In the NE/SG configuration window it is possible to define the redirection
technique. Choose one of 3 options:
On Request: the session is redirected to the predefined portal when the
NE/SG sees the HTTP request.
On Reply: the NE/SG tries to learn a potentially asymmetric encapsulation
environment in order to figure out the reply encapsulation which needs to
be used for the packet sent to the client. Example: MPLS, where the MPLS
label differs between the request and the reply of the same connection.
Default: chooses the appropriate method per session.


Both WebSafe and HTTP Monitoring help the operator generate more
revenue and better meet subscriber or regulatory requirements. For
example:
HTTP Monitoring can be set by the policy to monitor all HTTP traffic.
The marketing department can then check which are the most popular
sites, and create unique packages for them, approach particular sites
with a view to revenue sharing agreements, or publish advertisements on
those sites.
WebSafe can be used to offer a parental control package to the
subscriber or to meet regulatory requirements for blocking illegal
content.
Can you think of other uses for these services? Share your thoughts with
your trainer and the rest of the training class.


Now we will see how to use the ToS catalog, which we have seen as a
Condition Catalog in Module 5, as an action catalog as well.


The ToS Marking action catalog is defined in exactly the same way as the
ToS condition catalog. ToS marking might be used for example to let an
MPLS network know which applications to prioritize.


Finally, we will see the Denial Of Service action catalog


The DoS (Denial of Service) Catalog enables you to control the number of
connections and the rate of connections established per policy. For
example, if the user wants to limit the number of Voice over IP
connections, a maximum can be placed on the number of connections
allowed in the Voice over IP Virtual Channel. Connections above the limit
can simply be dropped.


The number of new connections established per second can also be
limited. A subscriber that has a high connection rate might consume all
available resources, starving subscribers with low connection rates. To
prevent such cases, you can limit the connection establishment rate.


From the DoS entry properties dialog, you can limit the total number of
connections and the number of connections that can be established per
second. You can also specify the action to be taken when these limits are
exceeded: Drop or Reject (Reject is available only on the legacy Allot
product, the AC-400, which is no longer sold).
This DoS catalog entry can then be assigned to a Line, Pipe or Virtual Channel.
You can, for example, limit the number of simultaneous connections for
specific users by creating a catalog entry and applying the policy to those
users.
The in-line platforms also have a CLI command (go config cer) which can
set a maximum Connection Establishment Rate (CER) limit for the whole in-line
platform. When this value is reached, one of two actions can be selected:
Drop: every session over the CER limit is dropped.
Bypass: every session above the CER limit is bypassed and does
not go through any of the DPI mechanisms. Bypassed sessions are therefore
also not classified or enforced by the policy, so under a connection flood
Bypass trades enforcement for throughput.
NOTE: The maximum value entered in the CLI command cannot be
greater than 10,000 for an AC-500, 50,000 for an AC-1400 or AC-3000,
and 150,000 per Core Controller on a Service Gateway.
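An added Python model of the DoS catalog and CER limits described on slides 6-53 to 6-55; it is not Allot code. The sliding one-second window used for the connection rate and the ConnectionLimiter, platform_cer and simulate names are assumptions of this example; the per-platform ceilings are the ones quoted above, and the traffic it runs is constructed.

```python
"""Toy model of the DoS catalog limits on slides 6-53 to 6-55 (added example, not Allot code).

Models a cap on concurrent connections and on new connections per second for one policy
element (Line, Pipe or VC), and the platform-wide CER limit set with `go config cer`.
Assumption: new-connection rate is measured over a sliding one-second window.
"""
from collections import Counter, deque
from typing import Callable, Deque, Dict, Iterable, Optional, Tuple

# Ceilings for the CLI CER value quoted on slide 6-55 (Service Gateway: per Core Controller).
CER_CEILING = {"AC-500": 10_000, "AC-1400": 50_000, "AC-3000": 50_000,
               "SG core controller": 150_000}


class ConnectionLimiter:
    """Limits for one policy element. `action` is what happens above a limit: the catalog
    offers Drop (Reject only on the legacy AC-400); the platform CER offers Drop or Bypass."""

    def __init__(self, max_open: Optional[int] = None, max_new_per_sec: Optional[int] = None,
                 action: str = "drop"):
        if action not in ("drop", "reject", "bypass"):
            raise ValueError(f"unknown action {action!r}")
        self.max_open, self.max_new_per_sec, self.action = max_open, max_new_per_sec, action
        self.open = 0
        self.recent: Deque[float] = deque()       # accept times within the last second

    def new_connection(self, now: float) -> str:
        """Return 'accept' or the configured over-limit action for an attempt at time `now`."""
        while self.recent and now - self.recent[0] >= 1.0:
            self.recent.popleft()                  # slide the one-second window
        if self.max_open is not None and self.open >= self.max_open:
            return self.action                     # total-connections limit (slide 6-53)
        if self.max_new_per_sec is not None and len(self.recent) >= self.max_new_per_sec:
            return self.action                     # connections-per-second limit (slide 6-54)
        self.open += 1
        self.recent.append(now)
        return "accept"

    def close_connection(self) -> None:
        self.open = max(0, self.open - 1)


def platform_cer(model: str, limit: int, action: str = "drop") -> ConnectionLimiter:
    """Platform-wide limiter as set by `go config cer`; refuses values above the model's ceiling."""
    if limit > CER_CEILING[model]:
        raise ValueError(f"{model}: CER limit {limit} exceeds the maximum {CER_CEILING[model]}")
    if action not in ("drop", "bypass"):
        raise ValueError("CER actions are Drop or Bypass")
    return ConnectionLimiter(max_new_per_sec=limit, action=action)


def simulate(make_limiter: Callable[[], ConnectionLimiter],
             attempts: Iterable[Tuple[float, str]]) -> Dict[str, Counter]:
    """Run connection attempts (time, subscriber) through one limiter per subscriber Pipe and
    count the outcomes: a chatty subscriber is held back without touching the others."""
    limiters: Dict[str, 'ConnectionLimiter'] = {}
    outcome: Dict[str, Counter] = {}
    for t, sub in sorted(attempts):
        lim = limiters.setdefault(sub, make_limiter())
        outcome.setdefault(sub, Counter())[lim.new_connection(t)] += 1
    return outcome


if __name__ == "__main__":
    # Constructed traffic: scanner-like subscriber A opens 50 connections within one second,
    # subscriber B opens 2. A per-Pipe limit of 20 new connections/s drops only A's excess.
    attempts = [(i / 50, "A") for i in range(50)] + [(0.2, "B"), (0.7, "B")]
    for sub, counts in simulate(lambda: ConnectionLimiter(max_new_per_sec=20), attempts).items():
        print(sub, dict(counts))
```

The per-subscriber limiter is the catalog entry applied to a subscriber Pipe; platform_cer is the single CLI value that sits in front of everything, which is why it should be set well above the sum of the legitimate per-Pipe rates rather than as a substitute for them.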


ToS used as an action catalog allows you to take advantage of DART to
tag specific applications. This traffic can later be dropped or rerouted by a
downstream network element; for example, set a specific ToS value for all P2P
traffic and have the router drop it, or route it over a different network path.
The DoS action catalog gives you another layer of control over
your traffic. Not only can you limit bandwidth, you can also limit the total
number of connections or the connection establishment rate. For example,
set a maximum of 1000 connections for file transfer to save your
bandwidth resources.
Can you think of other uses for the ToS and DoS catalogs? Share your
thoughts with your trainer and the rest of the training class.


Connect the access control values on the left with their definitions on the
right


For each of the 4 different enhanced QoS settings, what bandwidth would
you expect to be allocated to the HTTP VC and the VoIP VC in the AC-1400
in the picture? Bear in mind that the Pipe in which these VCs reside
is set to a maximum of 10Mbps, HTTP traffic is being received at 20Mbps
and VoIP at 10Mbps.


Module 7
Building the
Enforcement Policy


The catalog entries are the building blocks of your policy. Once the
required catalog entries have been created, you can now put them
together to define your policy.

Building the Enforcement Policy

7-2

ACTE Technical Training

In this module, we will see how to create traffic policies for different
customer scenarios. By the end of this module you will know how to create
the rules that make up your policy, how to position them correctly in the
policy hierarchy, how to use pipe and VC templates, and how to distribute
an existing traffic policy to additional NetEnforcers or Service Gateways.
After explaining the principles, we will explore different implementation
concepts and see how to take them from the training class to live networks.
First, let's understand the hierarchical structure of the traffic policy.


NetXplorer monitors and controls a network that may include one or many
NetEnforcers or Service Gateways.
Traffic flowing through these in-line platforms falls into different pre-defined
Lines. Each Line is further divided into Pipes, which break down into Virtual
Channels. Each Line, Pipe or Virtual Channel has a set of conditions that
can be defined for it.
When traffic flows through a NetEnforcer or Service Gateway, it is
compared to the conditions of the first Line. If the conditions apply, the
traffic is then tested against the conditions of the Pipes within that Line. If
the conditions of the first Line do not apply, the traffic is not classified into
the first Line, and the conditions of the second Line are tested.
The policy table always consists of at least one Line, the Fallback Line.
This Line is the last one listed in the policy table, and its conditions are set
to accept all traffic. Traffic that does not meet the conditions of any other
Line is classified into the Fallback Line, and then into one of that Line's
Pipes. The same classification takes place for Pipes within the Line and
Virtual Channels within the Pipe. In each case, if no match is found, traffic
falls into the fallback Line, Pipe or VC. In this way, every traffic flow finds its
home in a Line, a Pipe and a Virtual Channel. The fallback rule is like the
palm of a hand, catching all unmatched traffic from the rules above it. It is
marked with a palm icon.
Each Line, Pipe or Virtual Channel has a set of actions that can be
performed on the traffic that is classified into it.


Here we see an example of the classification process in action. The traffic
flowing through the NetEnforcer or Service Gateway is compared to the
conditions of the first line. When it does not match these conditions, it
moves on to check the conditions of the second line. Here we have a
match.
Now, the traffic is compared to the Pipes within Line 2. The conditions of
the first 2 pipes do not match, but when we reach the third pipe, we find
our match.
In pipe 3, we must now find a VC whose conditions match those of our
traffic. Having compared the traffic to VCs 1, 2 and 3 in turn and not found
a match, the traffic is classified into the fallback virtual channel.
This is the classification process which every new connection goes
through. In our example, the traffic is classified into the Fallback VC of
Pipe 3, Line 2.

Because of the way in which traffic is classified from the top of the policy
table to the bottom, the order in which you place Lines, Pipes and Virtual
Channels in the Policy table is of the utmost importance.
Let's take a small service provider example. The North line represents all
users from the northern area, using a designated IP range.
A pipe can be defined for business users, using the specific sub-range that
contains only the business users, or by a ToS value for example. This pipe is
placed at the top of the pipes table to ensure that all business users are
classified here regardless of the applications which they are using. All
other northern users, not part of the business users group, will be
classified into the pipes below the Business pipe.
Another example is a Flickr pipe, which classifies Flickr traffic. The Flickr
service is included in the Web Applications service group. If the Web
Applications pipe were placed above the Flickr pipe, all of the Flickr traffic
would be classified into the Web Applications pipe and the Flickr pipe would
remain empty. Hence the importance of placing more specific conditions
higher in the hierarchy table than more general conditions.
The exception to this rule is a condition based on User Defined
Signatures. As soon as a UDS is defined, it is excluded from the web
applications (even if it is not added as a condition to a rule). If a rule is
created classifying UDS traffic therefore, it is of no consequence where in
the hierarchy that rule sits.

Now let's see how to create the rules which make up our policy table.

The Enforcement Policy table displays the Lines, Pipes and Virtual
Channels defined for each NetEnforcer or Service Gateway. By default,
the Fallback Line and fallback Pipe are defined. Within the fallback pipe
are a number of virtual channels which classify traffic according to popular
service groups. A fallback Virtual Channel catches all other traffic.
For each entity in the Policy tree, the classification conditions and actions
are displayed as columns. The conditions and actions that can be selected
here are those which have been defined in the catalogs section of
NetXplorer.
Note that the following catalogs: Quota, Service Plan, Charging
Application, Charging Plan and Mobile Device are used only in conjunction
with the Subscriber Management Platform (SMP). This is covered in detail
in the SMP training course.

To add new lines, pipes or VCs, from the network view, select an entity
and choose Enforcement policy editor.
To add a Line, select an existing line and choose the insert line icon.
Alternatively, you can simply right-click on the existing line and choose add
line. A new line will be added directly above the line you selected.
To add a Pipe, select an existing pipe and choose the insert pipe icon.
Alternatively, you can simply right-click on the existing pipe and choose
add pipe. A new pipe will be added directly above the pipe you selected.
Finally, to add a VC, select an existing VC and choose the insert VC icon.
Alternatively, you can simply right-click on the existing VC and choose add
VC. A new VC will be added directly above the VC you selected.

After choosing to add a Line, Pipe or VC, its properties dialog opens, with
a default rule that accepts all IP based traffic irrespective of host, service
and time, and passes it through the NE or SG without applying QoS.
The top part of the dialog displays the conditions. The conditions are
edited by clicking on the edit button. A conditions properties dialog opens
with drop down lists for each type of condition. Here you can choose from
the different condition catalog entries available. Alternatively, you can
double click on one of the conditions in the pipe properties dialog, to
choose a different condition.
The direction field has 3 options: bidirectional, int to ext and ext to int.
Whichever option you choose here, the rule will contain both directions of
traffic (inbound and outbound). The direction field is a criterion for
classification at connection establishment, not the direction of the traffic
flow. Internal to External means that the internal host is the client: it sends
the TCP SYN, while the external host is the server. If the direction is
External to Internal, the external host is the client and sends the TCP
SYN, while the internal host is the server. When bidirectional is chosen,
the policy doesn't care which side established the connection.
The bottom part of the dialog displays the actions. Different actions can be
chosen from the drop down lists for the access control and each type of
action catalog. Note that if you are defining actions for a pipe, then only
pipe QoS catalogs will be displayed in the Quality of Service drop down
list. The same is true of course, for lines and VCs.

Here we see an example of a rule that has been created, called Gold 2.5.
Let's follow the logical relationship between the different conditions and
actions in this rule. The rule states that IF the internal host matches with
the gold users catalog, AND the service is one of the services contained in
the P2P Applications service group AND the time is over the weekend, as
defined in the time catalog, THEN the traffic will be accepted and shaped
according to the chosen QoS catalog, to a maximum of 2.5Mbps.

We can also add an additional set of conditions to the same rule. This is
done by clicking on the add button.

After selecting the extra set of conditions for our rule, we now see a
second line in the conditions section of the dialog. The logical relationship
between these conditions is as follows: IF all of the conditions in the first
line are met OR all of the conditions in the second line are met, THEN the
common set of actions should be applied.
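The classification walk described in this module (first-match Lines, Pipes and VCs, each level ending in a fallback; conditions within one condition set ANDed, several condition sets ORed; the Flickr/Web Applications ordering trap) modelled as an added example that is not Allot's code; the service groups, subnets, rule names and flows are constructed for illustration:

```python
"""Model of the NetXplorer policy table's first-match classification:
Lines -> Pipes -> Virtual Channels, each level ending in a catch-all
fallback, with the conditions of one condition set ANDed and several
condition sets ORed. Added example, not Allot code; the service groups,
subnets, rule names and flows are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

WEB_APPS = {"HTTP", "Flickr", "YouTube"}     # constructed service group
P2P_APPS = {"BitTorrent", "eDonkey"}         # constructed service group


def attr_matches(allowed, value):
    """One condition attribute. An allowed entry is either an IP network
    (a host catalog range) or a literal such as a service or time name."""
    if value is None:
        return False
    for entry in allowed:
        if isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if ipaddress.ip_address(value) in entry:
                return True
        elif entry == value:
            return True
    return False


def set_matches(cond, flow):
    """A condition set is a logical AND over the attributes it names;
    attributes it does not name (e.g. time) are unconstrained."""
    return all(attr_matches(allowed, flow.get(k)) for k, allowed in cond.items())


@dataclass
class Entity:
    """A Line, Pipe or VC. Several condition sets are ORed together; the
    default [{}] accepts all traffic, which is what a fallback entity does."""
    name: str
    cond_sets: list = field(default_factory=lambda: [{}])
    children: list = field(default_factory=list)   # ordered, last is fallback

    def matches(self, flow):
        return any(set_matches(c, flow) for c in self.cond_sets)


def first_match(entities, flow):
    """Walk one level top to bottom and take the first matching entity."""
    for entity in entities:
        if entity.matches(flow):
            return entity
    raise ValueError("level has no catch-all fallback entity")


def classify(lines, flow):
    """Return the (line, pipe, vc) names a new connection is classified into."""
    line = first_match(lines, flow)
    pipe = first_match(line.children, flow)
    vc = first_match(pipe.children, flow)
    return line.name, pipe.name, vc.name


def net(cidr):
    return ipaddress.ip_network(cidr)


def vc_level():
    """VC level used under every pipe: a P2P VC on top, fallback VC last."""
    return [Entity("P2P VC", [{"service": P2P_APPS}]), Entity("Fallback VC")]


def build_policy(flickr_above_web_apps=True):
    """The module's small service provider: a North line (northern IP range)
    whose Business pipe sits on top so business users land there regardless
    of application. flickr_above_web_apps=False reproduces the ordering
    mistake in which the Flickr pipe never receives any traffic."""
    business = Entity("Business", [{"internal": {net("10.1.5.0/24")}}], vc_level())
    gold = Entity("Gold 2.5", [
        # first condition set: gold host AND P2P AND weekend (from the module)
        {"internal": {net("10.1.7.0/24")}, "service": P2P_APPS, "time": {"Weekend"}},
        # second condition set, ORed with the first (constructed)
        {"internal": {net("10.1.7.0/24")}, "service": {"YouTube"}},
    ], vc_level())
    flickr = Entity("Flickr", [{"service": {"Flickr"}}], vc_level())
    web = Entity("Web Applications", [{"service": WEB_APPS}], vc_level())
    ordered = [flickr, web] if flickr_above_web_apps else [web, flickr]
    north = Entity("North", [{"internal": {net("10.1.0.0/16")}}],
                   [business, gold] + ordered
                   + [Entity("Fallback Pipe", children=vc_level())])
    fallback_line = Entity("Fallback Line",
                           children=[Entity("Fallback Pipe", children=vc_level())])
    return [north, fallback_line]


if __name__ == "__main__":
    home_flickr = {"internal": "10.1.9.3", "service": "Flickr", "time": "Weekday"}
    print(classify(build_policy(True), home_flickr))   # lands in the Flickr pipe
    print(classify(build_policy(False), home_flickr))  # Web Applications swallows it
```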

When the rule is saved it appears in the policy table as follows. Note how
the actions are common for both sets of conditions and the pipe name is
also carried over from one line to the next.
The rule will appear in blue until it is saved on the NetXplorer and
accepted on the NetEnforcer or Service Gateway.
Its position in the policy table can be moved up and down by the arrow
icons.

If you create a policy rule where both the Internal and External hosts are
based on country classification host catalogs, this generates a large
number of internal rules that may slow down the NetEnforcer/Service
Gateway or cause it to exceed its built-in limit on the number of internal rules.
For better performance it is recommended to create a rule for which the
Internal host is Any and the External host is a selected country or the
other way around.
Consequently, traffic that passes through the NetEnforcer or Service
Gateway and is targeted to a country that appears in the host entry of the
configured policy will be automatically assigned to this policy.

Let's now see how you can create pipe templates and VC templates, and
in what circumstances this can help you.

A Pipe or Virtual Channel template enables the fast creation of Pipes and
VCs which are differentiated by source or destination. This means that you
do not need to define similar Pipes and Virtual Channels when the only
difference between them is the IP address in the source or destination.
All that is required is to create a single master pipe or VC called a
template. You then simply define a set of hosts which will expand the
template. Whenever traffic is generated to or from one of the specified
hosts, the template creates a new pipe or VC. When the conversation
finishes, the pipe or VC is deleted.

Let's now look at two examples which contrast the two methods for
creating a Pipe. In the first example, we create a set of Pipes into which
traffic is classified. In the second example, we create Pipe templates that
expand into Pipes based on current traffic.
A company that only has three branches can define a Pipe for each
branch, to apply different QoS for each branch. NetXplorer analyzes the
network traffic and classifies it into a Pipe representing the branch from
which the traffic originated.
A retail chain with hundreds of branches that wants to apply the same
QoS to each branch need not define each branch as a Pipe. In this case,
a Pipe template can be defined for all branches. When a subscriber
connects, NetXplorer applies the appropriate Pipe template and creates a
new Pipe for that branch.
Pipe templates can cut the time involved in defining individual Pipes. They
also make it easy to apply changes. Let's suppose that in our template
example, each branch was allocated a maximum bandwidth of 1.5 Mbps.
The network has now been improved and each branch can be given
2 Mbps. You need only change the Pipe template to apply the changes to
all Pipes within the template.

The Pipe Template properties dialog is the same as the Pipe Properties
dialog, with one difference: in the template settings area, you
have the choice to set the template instances to expand by internal or
external hosts.
Select Internal if you wish a new instance to be generated for each new
Internal connection (default).
Select External if you wish a new instance to be generated for each new
External connection.
Note that there may be some cases where you wish to expand a pipe or
VC template by Any internal or external host. If, for example, you want to
protect your email server (internal) from spam (external), you can create a
pipe based on the email server, with a VC template underneath it. The VC
template is set to expand on any external host, and you limit each VC
to 5 or 10 live connections.

Here we see the VC template properties dialog, which is much the same
as the Pipe template properties dialog. Note however that you cannot
insert a VC template inside a pipe template.

Host lists and host groups are treated differently when used to expand a
template.
When a Pipe template is expanded by a host list, a separate Pipe is
created for each individual host on the host list. This option can be useful,
for example, when a host list includes a list of addresses used by home
subscribers, in which each subscriber needs to be allocated a Pipe with a
QoS definition based on the subscriber's SLA.
When a Pipe template is expanded by a host group, one Pipe is created
for each host list in the group. For example, a host group "Large
Branches" can include 50 host lists. Each host list represents a branch,
and can include many individual hosts. This would be used for example, in
cases where a Pipe needs to be created to manage the traffic for each
branch, not for each host within a branch.
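Template expansion as explained on the preceding pages (instances created per host when expanded by a host list, per host list when expanded by a host group, on the internal or external side, removed when the last conversation ends, and the mail-server VC template with a live-connection limit), as an added example that is not Allot's code; the host lists, subnets, limit and connection events are constructed:

```python
"""Model of Pipe/VC template expansion: one master rule (the template)
expands into a separate instance per host (expanded by a host list) or
per host list (expanded by a host group), keyed on the internal or external
end of a new connection; an instance disappears when its last live
connection ends. Added example, not Allot code; the host lists, limits
and connection events are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Template:
    name: str
    expand_by: str          # "internal" or "external": which end keys the instance
    host_lists: dict        # host list name -> set of IP networks
    per_host_list: bool     # True: expanded by a host group (one instance per list)
                            # False: expanded by a host list (one instance per host)
    max_live: int = None    # optional live-connection limit per instance (an action)


@dataclass
class Instance:
    key: str
    live: set = field(default_factory=set)   # ids of live connections


class TemplateExpander:
    def __init__(self, template):
        self.template = template
        self.instances = {}     # key -> Instance; exists only while traffic flows

    def key_for(self, conn):
        """Instance key for a connection, or None if the chosen end is not
        covered by any of the template's host lists."""
        ip = ipaddress.ip_address(conn[self.template.expand_by])
        for list_name, nets in self.template.host_lists.items():
            if any(ip in n for n in nets):
                return list_name if self.template.per_host_list else str(ip)
        return None

    def connection_start(self, conn):
        """Return the instance key the connection was admitted to, None if
        the template does not apply, or 'limit' if the instance is full."""
        key = self.key_for(conn)
        if key is None:
            return None
        inst = self.instances.setdefault(key, Instance(key))
        limit = self.template.max_live
        if limit is not None and len(inst.live) >= limit:
            return "limit"
        inst.live.add(conn["id"])
        return key

    def connection_end(self, conn):
        """Forget the connection; delete the instance once none are live."""
        key = self.key_for(conn)
        inst = self.instances.get(key)
        if inst is None:
            return
        inst.live.discard(conn["id"])
        if not inst.live:
            del self.instances[key]


def branch_pipe_template():
    """Retail chain case: one Pipe per branch, not per host, so the template
    is expanded by a host group whose host lists are the branch subnets."""
    return Template("Branch", "internal", {
        "Branch A": {ipaddress.ip_network("10.10.1.0/24")},
        "Branch B": {ipaddress.ip_network("10.10.2.0/24")},
    }, per_host_list=True)


def mail_server_vc_template():
    """Mail-server case: a VC template expanded by any external host, each
    instance limited to 5 live connections (constructed limit)."""
    return Template("Mail sender", "external",
                    {"Any": {ipaddress.ip_network("0.0.0.0/0")}},
                    per_host_list=False, max_live=5)
```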

Pipe and VC service plan templates enable service providers to quickly
roll-out new service plans to their subscribers. Service Plan Templates are
only used in conjunction with Allot's Subscriber Management Platform
(SMP) and this is discussed fully in the SMP training course.

Once your policy has been defined, it can be easily distributed to other
NetEnforcers or Service Gateways on the network. Let's now briefly see
how this is done.

Using the Policy Distribution feature it is possible to create or update the
policy of one NetEnforcer or Service Gateway and then distribute it to all
other NetEnforcer or Service Gateway units on the Network or to a select
few.
Note that you can only distribute a policy to NEs or SGs of the same
series, running the same major software version. For example, an AC-502
device running version AOS12.3.1 could distribute policies to AC-502 or
AC-504 devices running software version AOS12.3.1.

From the Network view, right-click on the NE or SG whose policy you wish
to distribute and choose policy distribution.
The policy distribution dialog opens. The dialog will be populated only with
those NEs that are of the same series and have the same version
installed.
By selecting the checkboxes, you can choose to which NEs or SGs to
distribute the policy. You can also choose to abort the distribution on the
first error, should one occur.
Click on distribute to distribute the policy.

In order to understand the power and flexibility of the policy building
process, let's now examine some examples.

The first step of building the policy is planning what you want to achieve.
You should first ask a few guideline questions. Answering these questions
will give you the baselines for building your policy.
What do you want to achieve? Put differently, what are your business
objectives? Let's take a small service provider as an example. This
service provider wishes to offer different quality of service guarantees
for two subscriber groups: domestic and business.
How many policy levels will you need? 2 levels will be enough here: one
for the subscriber groups. As we will want to control bandwidth per
subscriber, templates must be used. The second level will be for
internet activities. So you will choose Pipes & VCs. Alternatively, you
can use Lines & Pipes, which will allow you to have another level
for further classification.
How will you classify traffic? In this example, we will use IP subnet
classification for subscriber groups and application-based classification
for internet activities. This answer will guide you in creating your
condition catalogs.
What actions will you apply? QoS will be used for different packages
and applications inside the packages. Access Control will be used for
dropping some traffic. This answer will guide you in creating your action
catalogs.
Let's see now how to implement this.

How would you build your policy? Share ideas with your trainer and the
training class.
Refer to the different catalogs you will have to define, the structure of the
policy (which rules will be on top?) and the policy rules themselves.

Have a look at this Policy table, which implements the example from
previous slides.
The following catalogs were used to build this policy:
Host Catalogs are used at the pipe level, with three catalogs defined
(Business, VIP and Home). Each catalog includes the IP subnet allocated
to the subscribers. In addition, pre-defined service catalogs are used to
classify traffic at the VC level.

The instructor will now split you up into groups. On the next 3 pages of
your Student Guide you will see 3 different policy structures.
Each one uses templates to achieve different goals.
Examine each policy structure in your group and discuss for each one,
what it enables the Service Provider to control and what the Service
Provider cannot control. Write down any further advantages or
disadvantages that you see with each policy.
When you have finished, you will be asked to present your findings to the
class.

Based on the policy below, into which pipe and VC will a bronze
subscriber using a peer to peer application on a week day fall?

Fill in the correct words (AND, THEN, IF, OR) to describe the rule that you
see in the screenshot.

Module 8
Events and Alarms

Now that we have defined our basic traffic policy, we can also decide
when and how we would like to be informed about abnormal network
activity or particular scenarios that require our intervention.

Alarms and Events

8-2

ACTE Technical Training

Avoiding problems that affect service to end users is of prime concern.
NetXplorer constantly monitors your network and notifies you of any
change in normal network behavior, so that you can quickly implement
corrective action.
You can define the conditions for which you want to receive such
notification; that is, what is considered normal behavior and which
thresholds should not be crossed unnoticed.

In this module, we will explain the process for defining alarms, defining
alarm actions and then assigning them to the relevant entity on your
network. We also show how to configure events, and how to view both
events and alarms from the NetXplorer GUI.

An alarm is set when a user-defined threshold is reached. The same alarm
can be cleared automatically when a lower user-defined value is reached.
For example, users can set an alarm to identify when the bandwidth for a
particular link or customer is nearing its maximum, so action can be taken
before the link is fully utilized. An ISP might want to be aware that
important customers are nearing their defined limits. Within a corporation,
the same may apply to a particular application.
You can define the alarm to clear automatically when bandwidth usage
recedes below a level lower than the original threshold.

To use alarms, you must first define the following:
1. Alarm definitions. Here you define the conditions under which each alarm
will be set, as well as its severity.
2. Alarm actions. In addition to displaying the alarm in the Alarms log and
relevant Events log, you can specify an additional action to be taken when an
alarm is set. This action can be sending an email notification to a
user-defined address.
3. Assignment to a network entity. Once alarms and alarm action entries are
defined, they can be associated with a network entity, such as a Pipe or
Virtual Channel.
One alarm entry can be associated with different Lines, Pipes or Virtual
Channels, with the same or different alarm actions for each.

To define a new alarm:
1. In the navigation pane, select Events/Alarms.
2. In the navigation tree, select Alarm Definition.
3. Right-click and select New Alarm Definition. The Alarm Definition Entry
Properties dialog box is displayed.
4. In the Name field, edit the name of the entry, if required.
5. Click the Browse button adjacent to the Type field. The Alarm Wizard -
Select Alarm Type dialog box is displayed.
6. Continue to edit additional parameters as required.
Note: The parameters configured in the Alarm Wizard - Select Values
dialog box are determined by the selected alarm type.
Let's have a look at the different types of alarms that can be defined.

Alarm entries must be of a predefined type. Threshold crossing alarms
can be defined for each of the alarm types in the table on the screen.
There is one set of alarm types that can be assigned to NetEnforcer or
Service Gateway, and a different one that can be assigned to a Line, Pipe
or Virtual Channel.
Alarm types that can be assigned to the in-line platform are:
Disk usage
Memory usage
Number of active Lines
Number of active Pipes
Number of active Virtual Channels
Alarm types that can be assigned to a Line, Pipe or VC are:
Number of dropped connections (by policy definition)
Number of live connections
Number of new connections
Bandwidth
Once you select a type, you can configure the alarm's set and clear
values, and additional parameters depending on the alarm type.

Here we see examples of the types of alarms that you can define.
This particular user has defined the following:
A minor alarm to notify when total bandwidth on the entity chosen rises
above 950 Mbps
A critical alarm to notify when disk usage on the in-line platform rises
above 85%
A major alarm to notify when more than 90% of the in-line platform's
memory is being used
A major alarm to notify when more than 35,000 VCs are active
A warning alarm to notify when more than 100 new connections are
established per second
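The set/clear behaviour of a threshold-crossing alarm (an alarm is set when the set value is reached and cleared only when a lower clear value is reached), run over a series of samples for the minor 950 Mbps bandwidth alarm above, as an added example that is not Allot's code; the 900 Mbps clear value and the bandwidth samples are constructed:

```python
"""Threshold-crossing alarm with separate set and clear values, as a
NetXplorer alarm definition has, evaluated over a series of samples and
compared with a single-threshold alarm to show why the clear value sits
below the set value. Added example, not Allot code; the 950 Mbps minor
bandwidth alarm is the module's, its 900 Mbps clear value and the
bandwidth samples are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlarmDefinition:
    name: str
    severity: str       # critical, major, minor or warning
    set_value: float    # alarm is set when a sample reaches this value
    clear_value: float  # alarm clears when a sample drops below this value

    def __post_init__(self):
        if self.clear_value > self.set_value:
            raise ValueError("clear value must not exceed set value")


class Alarm:
    """Open/closed state of one alarm definition assigned to one entity."""

    def __init__(self, definition):
        self.definition = definition
        self.is_set = False

    def evaluate(self, sample):
        """Feed one sample; return 'set', 'clear' or None (no transition).
        Once set, the alarm stays open until a sample falls below the clear
        value, so readings hovering around the set value do not flap."""
        if not self.is_set and sample >= self.definition.set_value:
            self.is_set = True
            return "set"
        if self.is_set and sample < self.definition.clear_value:
            self.is_set = False
            return "clear"
        return None


def transitions(definition, samples):
    """List of (sample, transition) for every sample that changed state,
    i.e. the entries that would reach the Alarms log."""
    alarm = Alarm(definition)
    result = []
    for sample in samples:
        change = alarm.evaluate(sample)
        if change is not None:
            result.append((sample, change))
    return result


# The module's minor bandwidth alarm at 950 Mbps, with a constructed
# clear value 50 Mbps lower.
BANDWIDTH_MINOR = AlarmDefinition("Bandwidth high", "minor", 950, 900)
# The same threshold without a lower clear value, for comparison.
BANDWIDTH_NAIVE = AlarmDefinition("Bandwidth high (no hysteresis)", "minor", 950, 950)

# Constructed per-interval bandwidth samples in Mbps, fluctuating around 950.
SAMPLES = [900, 940, 951, 949, 952, 930, 899, 960]

if __name__ == "__main__":
    print(transitions(BANDWIDTH_MINOR, SAMPLES))   # 3 log entries
    print(transitions(BANDWIDTH_NAIVE, SAMPLES))   # 5 log entries, flapping
```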

In addition to having the alarm displayed in the Alarms and Events log,
you can define an alarm action. The alarm action can be an email
notification that is sent when the alarm is triggered, or a script that is run.
For an email notification, you can define the email address to which the
email notification is sent.
In order to send email notifications, an SMTP server to be used for
sending the email must first be configured.

To configure the SMTP server:
1. In the navigation pane, select Network.
2. In the navigation tree, select Network.
3. Right-click and select Configuration or click on the configuration icon
from the shortcut menu. The Network Configuration is displayed in the
main workspace.
4. Define the SMTP server's address, user name and password for
connecting, and the address from which the email is sent.

For a script action, you should define the alarm script path and the cancel
alarm script path. Scripts can be used to notify other systems or people,
trigger activities on other network elements, use Allot's Server CLI to
change policy configuration, or take any other action you choose.
The New Alarm Action dialog opens. Set a name for the action, and enter
a path to the script in the Alarm Script Path field (and a script for ending
the action if applicable, in the Cancel Alarm Script Path field). Click Save
to set the action.
The NetXplorer sends device ID, line ID, pipe ID, VC ID and Mediator
Device (SMP/STC) ID for use in the script. The parameters are sent in the
order and format shown below:
DEV_ID:<id> LINE_ID:<id> PIPE_ID:<id> VC_ID:<id> MD_ID:<id>
In case a particular parameter is not defined, a value of none will be
returned. So an example of the parameters sent might be:
DEV_ID:16 LINE_ID:1 PIPE_ID:6 VC_ID:0 MD_ID:none

Once alarm entries and actions have been defined, you can assign them
to different network entities. There are separate procedures for assigning
alarms to a NetEnforcer or Service Gateway, and for assigning alarms to
Lines, Pipes and VCs within that NetEnforcer or Service Gateway.
To assign an alarm to a NetEnforcer or Service Gateway:
1. From the Network view on the Navigation pane, right-click the
relevant NetEnforcer in the Network tree and select Alarm Definition
Assignment. The Alarm Entries Assignment Editor dialog box is
displayed.
2. From the Alarm drop-down list, select the required alarm. This list
only includes alarm entries that can be assigned to an in-line
platform.
3. Set the action to occur when the alarm is generated by selecting the
Alarm Action or No Alarm Action option, as relevant. If you select
Alarm Action, select the type of action from the drop-down list.
4. Click Save.

The alarm which we have created is added to the Alarm Assignment list
for the selected NetEnforcer or Service Gateway.
To view alarms currently assigned to the NetEnforcer or Service Gateway,
right-click the relevant NetEnforcer from the Network tree in the Network
navigation pane. Once again, choose Alarm Definition Assignment, but this
time choose to view the Alarm Definition Assignment List.

The procedure for assigning an alarm to a Line, Pipe or Virtual
Channel is slightly different:
1. You must first of all open the Policy Editor.
2. In the Policy Editor, right-click the Line, Pipe or Virtual Channel, and
select Alarm Assignments. The Properties dialog box is displayed, with
the Alarm Assignments tab selected.
3. Click on ADD and define the properties according to the following
guidelines:
You can pair together alarms and alarm actions and add them to
each network entity.
You can only choose alarms that are applicable for that network
entity.
If you do not choose an alarm action, the alarm, when triggered,
will only be recorded in the Alarms and Events logs.

The Alarms column of the policy editor indicates which Line, Pipe or Virtual
Channel has an alarm assigned to it.
Note that a quick way of assigning a new alarm to a Line, Pipe or VC is
simply to click on the relevant alarm icon.

Now let's see what events are and how we can configure them.

All Allot elements in the network send events to the NetXplorer server,
which are recorded in the NX events log. A subset of these events (not
all of them) can be configured by the NetXplorer Operator from the
NX GUI. For particular events, the operator can decide to record alarms,
and set their severity. Alternatively, the operator may write a script which is
triggered when the event occurs. Finally, the operator can determine that
certain events are forwarded by the NX to an external trap receiver. This is
particularly useful for some service providers who prefer that SNMP traps
are sent from a single point of integration to the Network Management
System. This may prove a more efficient or cost-effective alternative to
opening SNMP interfaces to every Service Gateway, Distributed
Collector and SMP server in the network.
NOTE: Some of the events are forwarded automatically, while for others,
the system administrator can configure whether or not to forward the trap
to the trap server. For a full list of User Defined and Automatic Traps that
can be forwarded from the NX, see the SNMP Integration Guide.

Events are specific occurrences that are recorded for network elements.
NetXplorer comes with a set of predefined events that are automatically
logged by the system and can be viewed in the Events log. Events are
assigned predefined types, and can be configured to trigger alarms. To do
this, go to the Events/Alarms pane in the NetXplorer GUI, and open the Event
Types Configuration screen. There you can double-click the Alarmable
column.
The severity of the alarm can also be configured, by double clicking the
Severity column in the same screen. Alarms triggered by events are
displayed in the Alarms log.
All events created by the in-line platforms, STC and SMP are
automatically sent to the Allot NetXplorer Server, and appear in the server
events log. If an external trap server has been defined, some of these
events are automatically sent to it. For other events, the administrator can
decide whether to send traps or not. This is done by clicking the External
Trap checkboxes.

Select the Action checkbox for any event you wish to trigger a script
action for. Configure the script action by right-clicking the event and
selecting New Alarm Action Definition from the drop-down menu. The
New Action Alarm dialog opens. Set a name for the action, and enter a
path to the script in the Event Script Path field (and a script for ending the
action if applicable, in the Cancel Event Script Path field). Click Save to
set the action. Once assigned, the action will appear in the Action on
Alarm field at the bottom of the Event Type Configuration window when
the relevant event is selected. An action can be deleted, edited and
copy/pasted to another event.
NOTE: The NetXplorer sends device ID, line ID, pipe ID, VC ID and
Mediator Device (SMP/STC) ID for use in the script. The parameters are
sent in the order and format shown below:
DEV_ID:<id> LINE_ID:<id> PIPE_ID:<id> VC_ID:<id> MD_ID:<id>
In case a particular parameter is not defined, a value of none will be
returned. So an example of the parameters sent might be:
DEV_ID:16 LINE_ID:1 PIPE_ID:6 VC_ID:0 MD_ID:none
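A parser for the parameter line that NetXplorer passes to an alarm script (page 8-12) and to an event script (above), in the DEV_ID/LINE_ID/PIPE_ID/VC_ID/MD_ID format with none for undefined values, as an added example that is not Allot's code; the sample line is the module's, and whether the script receives it as one argument or as five separate ones is an assumption handled by joining argv:

```python
"""Parser for the parameter line NetXplorer passes to an alarm or event
script: DEV_ID:<id> LINE_ID:<id> PIPE_ID:<id> VC_ID:<id> MD_ID:<id>, with
'none' for a parameter that is not defined. Added example, not Allot code;
the sample line is the one shown in the module, and whether the script
receives it as one argument or five is an assumption handled by joining
argv. A script only acts on a line that parses cleanly."""
import sys

EXPECTED_KEYS = ("DEV_ID", "LINE_ID", "PIPE_ID", "VC_ID", "MD_ID")


def parse_script_params(text):
    """Return {key: int or None}. Rejects unknown, duplicate, malformed or
    missing parameters so the script does not act on a garbled invocation."""
    params = {}
    for token in text.split():
        key, sep, value = token.partition(":")
        if not sep or key not in EXPECTED_KEYS:
            raise ValueError(f"unexpected token {token!r}")
        if key in params:
            raise ValueError(f"duplicate parameter {key}")
        if value == "none":
            params[key] = None           # parameter not defined for this alarm
        elif value.isdigit():
            params[key] = int(value)
        else:
            raise ValueError(f"bad value for {key}: {value!r}")
    missing = [k for k in EXPECTED_KEYS if k not in params]
    if missing:
        raise ValueError(f"missing parameters: {', '.join(missing)}")
    return params


def is_rejected(text):
    """True if parse_script_params refuses the line (used by the checks)."""
    try:
        parse_script_params(text)
    except ValueError:
        return True
    return False


def entity_path(params):
    """Readable description of the entity the alarm refers to; a parameter
    sent as none (parsed to None) is simply left out."""
    labels = (("DEV_ID", "device"), ("LINE_ID", "line"), ("PIPE_ID", "pipe"),
              ("VC_ID", "vc"), ("MD_ID", "mediator"))
    return " / ".join(f"{label} {params[key]}" for key, label in labels
                      if params[key] is not None)


def main(argv):
    """Entry point when used as the script named in the Alarm Script Path
    or Event Script Path field (hypothetical usage)."""
    params = parse_script_params(" ".join(argv[1:]))
    print("alarm on", entity_path(params))   # place to notify other systems


if __name__ == "__main__":
    main(sys.argv)
```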

To configure the external server to which traps from the NetXplorer should
be forwarded, follow the procedure below. From the network pane in the
NetXplorer GUI, choose Network. Right click and select Configuration.
Select the SNMP Tab. Set the appropriate community for the external trap
server by filling in the Community field in the NX Agent window. The
default community is public. Click on Add and enter the target IP address
of the external trap server and the target port. The default target port is
162. Choose OK. The chosen external trap server will appear in the Trap
Target dialog.

Now let's see how to view both alarms and events.

The Alarms log tab is displayed in the NetXplorer window and provides a
list of all open alarms generated by the system (both user-defined and
event-based). An alarm remains open until the condition that generated it
is no longer valid, or it is manually removed by an operator.
In the Network tree, you can see an indication of the highest state of alarm
or event for each entity.
To view events and alarms for a specific entity on the Network tree, use
the Events log. The Events log displays events and alarms only for the
selected entity, excluding its child entities. For example, when you view
network events, events on NetEnforcers are not displayed.

Each entity on the Network tree can have two alarm indications:
1. An alarm indication about itself. This is represented by a colored ball in
the lower right. The color of the ball represents the highest state of
alarm for this entity. Here we can see that NetEnforcer HQ 1 has a
major alarm, and that the Fallback Pipe has a critical alarm.
2. An alarm indication about the state of the entities below it. This is
represented by an exclamation mark to the left of the entity. In the
example, we can see the critical alarm on the Fallback Pipe is reflected
in the network, NetEnforcer HQ1 and its Fallback Line. Below the
network there is both a major alarm (on NetEnforcer HQ1) and a
critical alarm (on the Fallback Pipe). The color of the exclamation mark
is red, since it is the higher state of the two alarms.

Alarms and Events 8-24

Let's look in more detail at how to view events. You can view the Events
log entries for any specific network component.
To view event log entries:
1. In the navigation pane, click to select a network component in the
navigation tree.
2. Right-click and select Events from the shortcut menu. The Events Date
Coverage dialog box is displayed.
3. To view events from a specific point in time and forward, select the
Show Events for Last option. Then enter the relevant quantity of time
and select the unit of time (weeks, days, hours, minutes, or seconds) in
the designated fields.
OR
To set a definite starting and end point for events, select the Show
Events in Range option. Then enter the relevant dates and times in the
From Date/Time and To Date/Time areas.
4. Click OK. The events for the designated time period are displayed in
the Application Details pane.

Alarms and Events 8-25

The Events log displays only events for the selected entity. For example,
when you view network events, events on in-line platforms are not
displayed. Furthermore, you cannot view events on several in-line
platforms at the same time.
You can sort the events in the events log by clicking the header according
to which you want to sort them.
Notice that many events and alarms have a matching canceling event.
Before you start to investigate an event, check that it has not been
cleared.
To view additional information about an event, double-click it. The Event
Properties dialog box is displayed.

Alarms and Events 8-26

Let's now see some tips about viewing alarms in the alarm log at the
bottom of the NX GUI screen.
When you select an alarm in the Alarms log and right-click, a shortcut
menu with several options is displayed:
Acknowledge Select to indicate that you have seen the alarm. This
option does not indicate that any action has been taken in response
to the alarm. Selecting Acknowledge does not remove the alarm from
the alarms log.
Remove Select to remove an alarm from the active alarms log.
Show <entity> in Network Tree Select to quickly locate the
NetEnforcer, Line, Pipe or Virtual Channel for which the alarm was
activated, for further investigation and action.
Note: These options are available only for the Alarms log, not the Events
log.

Alarms and Events 8-27

You can apply a filter to the Alarms Log so that only alarms matching the
filter are displayed. This is particularly useful because the Alarms Log may
include up to 5,000 alarms.
Right click in the alarms log and select filter. Alternatively, you can choose
the filter shortcut button at the top of the screen.
The Alarm Log Filter Definitions Dialog is displayed.
From each of the different tabs you can choose to filter an alarm by any of
the following factors:
Its severity (critical, major, minor, warning or info)
Whether or not it has been acknowledged
The alarm type (threshold crossing or not)
When the alarm was triggered
The name and description of the alarm
When you click OK, the filter is applied. Only the alarms that match the
filter parameters are displayed in the Alarms Log. Note: If two or more filter
parameters are selected, the results will include all alarms that answer at
least one of the parameters.
You will see also that the word Filtered is displayed in the status bar. To
clear filters, reenter the Filters dialog box and select the Show All Alarms
(No Filter) radio button, then click OK. The log then refreshes without any
filter.
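The following Python is an added example written for this guide (not NetXplorer code). It models the two indications described earlier for each entity in the Network tree, the coloured ball for the entity's own alarms and the exclamation mark for alarms below it, and the Alarms Log filter, whose selected parameters are combined with OR as noted above, so a second parameter widens the result rather than narrowing it. The tree and the open alarms are constructed to match the figure discussed earlier (Network, NetEnforcer HQ1, Fallback Line, Fallback Pipe).

```python
"""Network tree alarm indications and Alarms Log filtering.
Added example for this guide, not NetXplorer code; the tree and alarms
below are constructed to match the figure discussed in the module."""
from dataclasses import dataclass, field
from typing import Optional

# Severity order used by the guide, highest first.
SEVERITY_RANK = {"critical": 5, "major": 4, "minor": 3, "warning": 2, "info": 1}


@dataclass
class Alarm:
    name: str
    severity: str
    entity: str
    acknowledged: bool = False
    threshold_crossing: bool = False


@dataclass
class Entity:
    name: str
    children: list = field(default_factory=list)


def highest(severities) -> Optional[str]:
    """Highest severity in an iterable, or None when there are no alarms."""
    return max(severities, key=SEVERITY_RANK.__getitem__, default=None)


def own_indication(entity: Entity, alarms) -> Optional[str]:
    """Colour of the ball: highest open alarm raised on the entity itself."""
    return highest(a.severity for a in alarms if a.entity == entity.name)


def subtree_indication(entity: Entity, alarms) -> Optional[str]:
    """Colour of the exclamation mark: highest open alarm on any descendant.
    The entity's own alarms are left out; the ball already shows them."""
    found = []
    for child in entity.children:
        for sev in (own_indication(child, alarms), subtree_indication(child, alarms)):
            if sev:
                found.append(sev)
    return highest(found)


def find_entity(root: Entity, name: str) -> Optional[Entity]:
    if root.name == name:
        return root
    for child in root.children:
        hit = find_entity(child, name)
        if hit:
            return hit
    return None


def filter_alarms(alarms, severities=(), acknowledged=None,
                  threshold_crossing=None, name_contains=None):
    """Alarms Log filter semantics from the guide: an alarm is shown if it
    matches at least ONE selected parameter (OR). Unselected parameters are
    None/empty and ignored; with nothing selected every alarm is shown."""
    def matches(a: Alarm) -> bool:
        checks = []
        if severities:
            checks.append(a.severity in severities)
        if acknowledged is not None:
            checks.append(a.acknowledged == acknowledged)
        if threshold_crossing is not None:
            checks.append(a.threshold_crossing == threshold_crossing)
        if name_contains is not None:
            checks.append(name_contains.lower() in a.name.lower())
        return any(checks) if checks else True
    return [a for a in alarms if matches(a)]


# Constructed tree: Network > NetEnforcer HQ1 > Fallback Line > Fallback Pipe
NETWORK = Entity("Network", [
    Entity("NetEnforcer HQ1", [
        Entity("Fallback Line", [Entity("Fallback Pipe")]),
    ]),
])

# Constructed open alarms matching the figure, plus one acknowledged warning.
OPEN_ALARMS = [
    Alarm("Device temperature high", "major", "NetEnforcer HQ1"),
    Alarm("Pipe bandwidth over 95%", "critical", "Fallback Pipe", threshold_crossing=True),
    Alarm("Line utilisation warning", "warning", "Fallback Line", acknowledged=True),
]
```

Note what the OR semantics does to a filter such as "severity = major" plus "acknowledged = yes": it returns every major alarm and every acknowledged alarm, not only acknowledged major ones. When you need an intersection, filter on one parameter and sort the log by the other column.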

Alarms and Events 8-28

Here are a few examples of how you can use events and alarms in your
network:
Assuming your physical line is 1Gbps, you can define an alarm to notify
you when bandwidth is close to 1Gbps, so you will know you are almost at
your network limit. This may indicate that you should redefine your policy
or expand your physical line.
In addition, you can set an alarm action to reduce the maximum bandwidth
allocated to peer-to-peer applications, for example, so your web users will
have more available bandwidth and will not feel the congestion on your
network.
All events can be configured to be sent to an external SNMP trap server,
which will be monitored by your NOC team at all times.
What other uses can you think of?
Let's now look at these examples.

Alarms and Events 8-29

Let's now summarize the differences between events and alarms.
Events are pre-defined. They give indications of various operational
changes and failures in different system components. These include
NetEnforcer, Service Gateway or Collector events, management system
events, RADIUS events, etc.
In addition to pre-defined alarms, the user can also define additional
alarms. They may be triggered by particular events or may be based on
thresholds defined by the user for various rules. When the user defines a
threshold crossing alarm, this essentially defines two events with a
sequential relationship: an alarm-generating event and a clearing event.
Typically, these relate to traffic and rule policies.

Alarms and Events 8-30

Match the alarm color coding with its severity level

Alarms and Events 8-31

Once defined, which of the alarms below can be associated with a virtual
channel?

Alarms and Events 8-32

Alarms and Events 8-33

Module 9
Steering and Mirroring

In this module we will focus on steering configurations. We begin by
reviewing Allot's steering functionality before discussing 4 different
service scenarios using steering. At the end of the module, we will
examine the configuration steps required in order to work with each
steering type.

Steering and Mirroring 9-2

Allot in-line platforms offer the ability to steer or mirror traffic to additional
services. We will review now the steering functionalities supported by each
platform.
The AC-1400 and AC-3000 can steer or mirror traffic to an external server.
The maximum throughput of an AC-3000 is 8Gbps. Both the network
traffic and the steered traffic throughput count towards this capacity limit.
This means that the maximum amount of traffic that can be steered is
4Gbps (4Gbps network traffic and 4Gbps steered traffic).
Steering is performed either through the 4 available copper service ports
or from the network ports (which may be copper or fiber depending on the
NetEnforcer model ordered). When using service ports, you maintain the
ability to manage up to 4x1GE network links.
These platforms can be directly connected to an external server, or
indirectly connected via a switch.
Note: AC-500 does not support steering.

Steering and Mirroring 9-3

The Service Gateway can steer traffic to an external server or to internal
services which are housed on blades in the Service Gateway chassis.
The maximum overall throughput of a fully populated SG-Sigma is
60Gbps. This means that the maximum amount of traffic that can be
steered is 30Gbps (30Gbps network traffic and 30Gbps steered traffic).
The maximum overall throughput of a fully populated SG-Sigma E is
160Gbps. This means that the maximum amount of traffic that can be
steered within a fully populated SG-Sigma E is 80Gbps (80Gbps network
traffic and 80Gbps steered traffic). Note that when working with service
chains, processing capacity is used up for each service applied to the
same flow of traffic, thus reducing the maximum possible steering
throughput. When mirroring traffic, the SG-Sigma can operate
approaching a full 60Gbps throughput (160Gbps for SG-Sigma E14), with
mirroring possible on all of the throughput traffic.
The SG-Sigma uses the 4 lower ports of the SFC-200 for
steering/mirroring. SG-Sigma E uses the lower 4 ports of the SFB-300 for
steering/mirroring. In addition, 1GE-300 ports can be used for this. When
using the 1GE-300 blade, it is possible to steer traffic directly to the
external service. All other ports must be connected to the external
servers via an external switch.

Steering and Mirroring 9-4

The Service Gateway and NetEnforcer can balance the traffic load
between all of the deployed service servers to which it is connected. Load
balancing is performed per session, and there are three load balancing
options:
Session Based Cyclic Load Balancing: Each new steered session is
dispatched to the next server in a cyclic or round robin manner.
Subscriber Stickiness Load Balancing: Each session will be steered
based on its internal IP. All connections coming from the same IP will be
steered to the same server.
Server Stickiness Load Balancing: All sessions will be steered based
on the external IP. All connections going to the same destination will be
steered to the same server.
We will see later on how to configure load balancing for each service.

Steering and Mirroring 9-5

Allot's solution provides different mechanisms to ensure:
The resiliency of the service itself together with the servers that
comprise it
The resiliency of the connectivity between the NE/SG and the service
cluster
The available tracking options for server health checks are as follows:
BFD, Bidirectional Forwarding Detection. BFD is a network protocol
which aims to detect failures in the path between two forwarding
agents. This method is sometimes required where for example, servers
are working in transparent mode and are therefore not responding to
any communication.
Ping (In band). Using this method an ICMP request is sent to the
server in question. An ICMP reply is accepted if it is received on the
same physical interface on which the request was transmitted.
HTTP Request. Using this method, an HTTP GET request is sent to the
server IP address (the destination port is configurable per service, with
the default set to port 80). If an HTTP response is received with
Response Code = 200 (OK), this is considered to be a success, and the
connection is then closed.
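The HTTP Request check above is simple enough to reproduce end to end. The Python below is an added example written for this guide, not Allot code: it sends the GET to the server IP on the configured port (default 80), accepts only a 200 status line, closes the connection, and wraps the check in the Tracking Interval and Tracking Retries logic described later in this module. It assumes a server is declared down after Tracking Retries consecutive failed checks (the guide does not say whether the first failure counts as a retry). The local test server answering 200 on /health and 503 elsewhere is constructed for the example; BFD and in-band ping are not reproduced here.

```python
"""HTTP Request health check with Tracking Interval / Tracking Retries.
Added example for this guide, not Allot code. The local test server is
constructed for the example (200 on /health, 503 elsewhere). Assumption:
a server is declared down after `retries` consecutive failed checks."""
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_health_check(host: str, port: int = 80, path: str = "/",
                      timeout: float = 2.0) -> bool:
    """One HTTP GET to the server; success means a status line with code 200.
    The connection is closed afterwards whatever the outcome."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: steering-health-check\r\nConnection: close\r\n\r\n")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            status_line = sock.makefile("rb").readline(1024)
    except OSError:                          # refused, unreachable, timed out
        return False
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200"


class ServerTracker:
    """Runs `check` every `interval` seconds; marks the server down after
    `retries` consecutive failures and up again on the first success."""

    def __init__(self, check, interval: float, retries: int):
        self.check, self.interval, self.retries = check, interval, retries
        self.failures = 0
        self.up = True

    def poll(self) -> bool:
        if self.check():
            self.failures, self.up = 0, True
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.up = False
        return self.up

    def run(self, polls: int) -> bool:
        for i in range(polls):
            self.poll()
            if i < polls - 1:
                time.sleep(self.interval)
        return self.up


class _Handler(BaseHTTPRequestHandler):
    """Constructed 3rd party server: healthy on /health only."""

    def do_GET(self):
        self.send_response(200 if self.path == "/health" else 503)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):            # silence request logging
        pass


def start_test_server() -> int:
    """Starts the constructed server on a free loopback port and returns it."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


if __name__ == "__main__":
    port = start_test_server()
    print("GET /health ->", http_health_check("127.0.0.1", port, "/health"))
    print("GET /       ->", http_health_check("127.0.0.1", port, "/"))
```

Two practical points follow from the check as the guide describes it: only the status code is inspected, so a proxy that answers 200 to everything passes even when the service behind it is broken, and a transparent (non-proxy) server that never terminates TCP cannot be checked this way at all, which is why BFD exists in the list.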

Steering and Mirroring 9-6

Now we will examine several different deployment schemes. Each
service can be deployed on multiple servers (here we display 3 servers
per service).
Option #1 describes a Single Leg Connection to Single Switch. In this
deployment one NE/SG port is used to steer/mirror traffic to external
servers. Both internal traffic and external traffic are steered/mirrored
on this one port. This allows you to use other ports for other services.
VLANs are used to distinguish between sessions sent to each of the
servers, and to distinguish between traffic flowing in each direction.
Traffic flows via a switch.
Option #2 describes a Two Leg Connection to Single Switch. In this
deployment the in-line platform uses one port for internal traffic and
another one for external traffic. Traffic flows via a switch.

Steering and Mirroring 9-7

Option #3 describes Connection to Two Switches for IPMP Resiliency.
This option offers advanced cluster possibilities. In this deployment the
in-line platform uses the same port for internal traffic and external
traffic. Traffic flows via 2 switches for IPMP resiliency.
IP multipath (IPMP) is a resiliency mechanism which defines one or more
redundant L3 paths for connectivity between the in-line platform and the
service platform servers.
When working with this deployment scheme, each service should be
configured with 2 sets of internal & external ports. We will see how to
configure this later on.
Option #4 describes Direct 1GE Connectivity. In this deployment, the
in-line platform uses a port for internal traffic and a port for external
traffic. Each physical port connects directly to a server without the need
for an external intermediate switch. This option is only available for
AC-1400, AC-3000 and for the 1GE-300 blade ports of the SG-Sigma E.

Steering and Mirroring 9-8

Video optimization is an example of a service which must receive a video
session from the first packet in order to function correctly. Traditional DPI
behavioral analysis mechanisms may take several packets before a
session is identified.
In order to be able to identify and steer video traffic from the first packet,
Allot has developed a unique prediction algorithm, called PDPI
(Predictive Deep Packet Inspection). Within the DART engine, a special
utility collects information about all traffic classified as video, and learns its
characteristics. For each server accessed, the PDPI engine then decides
whether this is a video server or not. The decision is dynamic and is
updated in real-time, based on new classification decisions made by the
DART engine. Once a decision has been made, new connections
accessing a video server will then be classified as video from the first
packet and traffic can be steered accordingly.

Steering and Mirroring 9-9

Steering and Mirroring can be used in many different ways to achieve
different goals. Can you think of examples of different services and which
types of traffic would need to be steered or mirrored to them?
Here are some examples:
Steering mail traffic to an anti-virus service. This can be a value added
service which subscribers must purchase, the aim being to generate
further revenues for the operator.
Steering HTTP traffic to a parental control service. This could be a
network service benefitting all, or a subscriber service to which
subscribers must sign up.
Steering Streaming video traffic to a video optimization server to ensure
high quality of experience as well as to cut costs.
Mirroring VOIP traffic to analyze it.
What other uses can you think of?

Steering and Mirroring 9-10

Let's now review the four central service scenarios for steering and
mirroring.

Steering and Mirroring 9-11

The letter A in DART (Dynamic Actionable Recognition Technology)
represents the ability to assign QoS and the ability to steer traffic.
Steering traffic allows operators to deploy network and subscriber services
that go above and beyond high-speed connections to the Internet.
Through intelligent traffic steering, Allot's in-line platforms direct relevant
subscriber and/or application traffic to different services.
In the graph here we see a collection of typical services that might be
offered by mobile or fixed operators. We have mapped these services
based on the market they suit: mobile networks or fixed networks, as well
as the main advantage gained by using a service: cutting costs or
generating revenues.

Steering and Mirroring 9-12

There are 4 steering methods supported by Allot:
Generic Transparent Redirection, used for example for caching
services.
Generic Proxy Redirection, used for example for video optimization,
parental control, ad-insertion or anti-virus services.
Generic Mirroring, used for example for VOIP quality analysis or session
analysis.
MediaSwift, used for internal or external steering to Allot's MediaSwift
media caching service.
The difference between the methods can be seen in what happens to the
original connection. We will now examine each method in detail.

Steering and Mirroring 9-13

Using Generic Transparent Redirection the original connection is
steered to the 3rd party server. This server applies the service on the
connection and sends it back to the in-line platform, where it continues its
path.
Two modes of non-proxy based servers are supported:
Layer 2 Transparent Servers. The server inspects incoming traffic
whatever the destination MAC address may be. Typically in this mode, 2
interfaces are assigned to each link, representing different sides of the
network (internal/external)
Layer 2 Non-Transparent Servers. The server only inspects incoming
traffic with the destination MAC address of its receiving interface. Typically
in this mode, a single interface is used to receive and send the traffic on
both sides of the network (internal/external)

Steering and Mirroring 9-14

With Generic Proxy Redirection, the original connection is steered to the
3rd party server. This server terminates the connection and originates a
new connection with the service applied to it.
The new connection will have the 3rd party server as its source MAC
address, the NE/SG MAC address as the destination MAC, and the same
source IP. The destination IP may change, depending on the service
implemented by the 3rd party server.
Typically two types of proxy-based servers are seen:
Layer 3 Transparent Proxy Servers. Server will intercept all traffic
received, including traffic that is not designated to its own IP address. The
connection is terminated and a new connection is opened to the internet.
Client IP address is used in order for the new connection to stay
transparent.
Layer 3 Non-Transparent Proxy Servers. Allot can currently steer
traffic only to Layer 3 transparent proxy servers. Layer 3 non-transparent
proxy server steering is not currently supported.

Steering and Mirroring 9-15

As the service to which traffic is being steered works as a proxy, the in-line
platform will occasionally need to make routing decisions. The NE/SG
must therefore be configured to work as a next hop router (gateway).
It will have 2 sets of configured default gateway IPs for this purpose:
A default gateway for the NE/SG (in both directions) is configured by
using the go config next_hop_router CLI command. This is
configured per in-line platform (Labeled here MAC/VLAN)
A default gateway for the service running back into the NE/SG and
then out to the network (labeled here: Local IP Address). This is
configured via the NetXplorer GUI (in the local ip address fields) as we
will see later on.
In order to execute the go config next_hop_router command, the following
should be specified:
Direction. Acceptable values are internal or external
Switch id. This is the SFC/SFB slot ID to which the NHR is connected.
This can be between 0-1 for the SG-Sigma or 0-3 for the SG-Sigma E.
Port. This is the SFC port to which the NHR is connected, between 1-8.
Vlan. This is the VLAN ID used to carry control packets to the NHR,
between 1-4094.
Mac. This is the MAC address of the next hop router.
For example, when the SFC ID is 0, the SFC port connected to the next
hop router is 7, and its MAC address is AA:AA:AA:AA:AA:11, the correct
command is:
go config next_hop_router internal -switch_id 0 -port 7 -mac AA:AA:AA:AA:AA:11

Steering and Mirroring 9-16

With Generic Mirroring, the original connection flows as is. In parallel it is
also copied and sent to the 3rd party server where it can be analyzed.
Generic mirroring can be used to analyze VOIP session quality, or to
analyze sessions in any other way.

Steering and Mirroring 9-17

With Media Swift, connection flow is similar to the first method: generic
transparent redirection. The original connection is steered to the internal
cache engine blade or external MediaSwift cache engine, where a
decision is made about whether to access the file from the cache or from
the internet. The connection is then sent back to the in-line platform. A
connection with the remote media server is kept alive even when the
media file is being downloaded from the local cache.

Steering and Mirroring 9-18

We will now see the different steps required to configure steering or
mirroring.

Steering and Mirroring 9-19

Before we start to configure steering in our network, it is important to
understand the hierarchy.
Local Services are defined per NE/SG and include the specific port
used for steering on the NE/SG.
Integrated Services combine one or more local services into one
service. Later on this service will be defined in the policy, or service
plan.
Service Chains combine several integrated services to allow steering
to more than one service for the same connection. Later on this service
chain will be defined in the policy, or service plan.
3rd party servers can be used by one local service or more.

Steering and Mirroring 9-20

The steps to create a new steering service are:
1. Configure Port Usage. This is done via the NE/SG configuration menu.
2. Configure VLAN on switch. This is done on the network switch itself.
3. Create Local Service. This is done via the Service Activation catalog in
the NetXplorer GUI.
4. Add Servers to Local Service. This is done via the Local Service entry
window.
5. Combine Local Services into a new Integrated Service. This is done
via the Service Activation catalog in the NetXplorer GUI.
6. Build service chains. This is done via the Service Activation catalog in
the NetXplorer GUI. This is an optional step, only required when you
want to apply several different services to the same connection.
7. Insert into service plan. This is done via the Service Plan catalog in the
NetXplorer GUI. This is only relevant when working with SMP, and only
for subscriber services.
8. Insert into policy table. This is done via the Enforcement Policy Table.
This is the last step of the configuration.
9. Configure PDPI Service (optional). This is done via the Service
Catalog, and only in supported cases where video traffic needs to be
steered from the first packet.

Steering and Mirroring 9-21

The first step of configuration is to set the relevant port or ports on the
in-line platform to the correct steering mode. There are two methods for
port usage configuration:
1. External Switched Redirection
With this mode the NE/SG will be connected to the 3rd party server or
servers via a switch. In order to route the connection to the correct server
a VLAN tag will be used to tag the connection. Another VLAN tag will be
used to tag the connection flowing back to the NE/SG.
2. External Direct Redirection
With this mode the NE/SG is connected directly to the server. There is no
need to connect a switch in between. There is also no need to tag the
connection with VLAN tags.
Direct connection can be used for the AC-3000/1400 when connecting the
copper service ports, and for the SG-Sigma E when using the 1GE-300
blade in slots 1-2.

Steering and Mirroring 9-22

In order to configure the relevant ports, open the NE/SG configuration
window (by right clicking the NE/SG icon in the navigation pane of the
NetXplorer GUI).
Go to the NIC tab. Here we can see an example of the NIC tab for an
SG-Sigma E14. Choosing one of the SFB blades reveals a table with all
the interfaces available. Double click the relevant interface and change its
usage to External Switched Redirection or External Direct Redirection as
appropriate.

Steering and Mirroring 9-23

The second step of configuration is defining the VLAN on the network
switch. Let's review the VLAN tagging used to define 3rd party servers.
VLAN settings are required when the port is configured as External
Switched Redirection. Each 3rd party server will have two VLAN tags: one
for the internal interface, and another one for the external interface. The
VLAN can be set to any number between 1 and 4094.
A packet will be tagged with the VLAN tag when it leaves the NE/SG
towards the switch. The switch will be configured to forward the packet to
the 3rd party server which has this tag, after removing the tag. All these
VLAN tags must therefore be pre-configured on the switch.
Let's review an example:
We will use VLAN tags 11 and 22 for the first server, and 33 and 44 for the
second server (internal and external).
The switch will therefore be configured as follows:
The internal interface of SRV1 has VLAN tag 11. Its external interface
has VLAN tag 22.
The internal interface of SRV2 has VLAN tag 33. Its external interface
has VLAN tag 44.
The internal interface of the NE/SG will be tagged with 11,33.
The external interface of the NE/SG will be tagged with 22,44.

Steering and Mirroring 9-24

The next step is to create the Local Service catalog. To define a new Local
Service:
In the Navigation pane, click Catalogs and right-click Service Activation.
Select New Local Service from the shortcut menu. The Local Service
Entry Properties dialog box is displayed.
Enter a name and description as appropriate. Choose the device name
from the drop down menu. NOTE: Each local service must be associated
to a specific in-line platform. Later on, when configuring the 3rd party
server, we will specify the NE/SG ports to be used for this local service.
The Service Type field will determine the steering method used by this
local service. You can choose one of the four options explained before:
Generic Transparent Redirection, Generic Proxy Redirection, Generic
Mirroring or MediaSwift. There is also a fifth option: Service Protector to
support the NSS-SP blade, which is now EOS. Once you choose a service
type, this will affect some of the other field options.
The other fields in this dialog are used to set Load Balancing & Health
Monitoring parameters. These parameters will determine whether the
service is considered up and how the connections should be steered
between multiple 3rd party servers.
The bottom part of this window is where we will define the 3rd party
steering servers configuration, which is the next configuration step. Each
service can be configured to contain up to 256 logical non-proxy servers,
or up to 128 logical proxy servers. We will now review the different
parameters for load balancing and health monitoring.

Steering and Mirroring 9-25

Here we see the different parameters for configuring the server load
balancing and health monitoring.
The first parameter is Service Admin Status. This can be set to Active
(default) or Inactive, which is used for maintenance. Next is the Load
Balancing Method. This determines which method will be used to steer
connections to the different steering servers. Here you can choose:
Cyclic (round robin) for session based cyclic load balancing
Hash by Internal IP for subscriber stickiness load balancing
Hash by External IP for server stickiness load balancing
Server Failure Action defines what to do when a particular server is
down. The options are as follows - Bypass: traffic flow will be returned to
the NE/SG. Re-dispatch: traffic flow will be returned to the load balancing
mechanism and re-dispatched to another server. Block: traffic will be
dropped.
Service Unavailability Action defines what to do if all servers of a
specific local service are not available. The options are Bypass or Block
(behaves the same as explained for Server Failure Action).

Steering and Mirroring 9-26

Tracking Method defines how the NetXplorer confirms that a service is
available on a certain server. The available tracking options are as follows:
BFD
Ping (In band)
HTTP Request
NOTE: when the Service Type is set to MediaSwift, only BFD is
supported.
Local IPV4 Address (internal & External) is used for:
Tracking source IP when Tracking method is set to Ping. Make sure to
set the IP within the same subnet of the 3rd party server IP.
When Service Type is set to Generic Proxy Redirection, this
represents the default IPs for steered traffic coming back to the NE/SG
(as described on the earlier slide Setting MAC Address of the Network
Routers).
NOTE: These fields are not used when the Tracking Method is set to BFD,
however you must supply IPs in order to save the new local service

Steering and Mirroring 9-27

Tracking Interval (sec) defines the interval between monitoring checks.
Tracking Retries defines the number of tracking retries required before
the system reaches the conclusion that the server is down.
Server Capacity Reached Action defines what to do when a particular
server reaches its capacity. Bypass: traffic flow will be returned to the
NE/SG. Re-dispatch: traffic flow will be returned to the load balancing
mechanism and re-dispatched to another server. Block: traffic will be
dropped.
Minimum Active Servers defines the minimum number of servers which
must be active for the service as a whole to be considered up.
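The Python below is an added example written for this guide, not Allot code. It implements the parameters described on this slide and on the earlier Load Balancing slide together: Cyclic, Hash by Internal IP and Hash by External IP dispatch, the Server Failure and Server Capacity Reached actions (Bypass, Re-dispatch, Block), the Service Unavailability Action and Minimum Active Servers. The servers and sessions are constructed. Two points are assumptions rather than behaviour stated in the guide: SHA-256 is used as the stickiness hash (the guide does not say which hash the platform uses), and when Re-dispatch runs out of servers the Service Unavailability Action is applied.

```python
"""Steering load balancing and failure actions.
Added example for this guide, not Allot code. Server and session values are
constructed; the SHA-256 hash and the fall-back to the Service Unavailability
Action when re-dispatch runs out of servers are assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    up: bool = True               # result of the tracking method
    at_capacity: bool = False     # server reported its capacity reached


@dataclass
class Session:
    internal_ip: str              # subscriber side
    external_ip: str              # internet side


@dataclass
class LocalService:
    servers: list
    method: str = "cyclic"                       # cyclic | hash_internal | hash_external
    server_failure_action: str = "redispatch"    # bypass | redispatch | block
    capacity_reached_action: str = "redispatch"  # bypass | redispatch | block
    unavailability_action: str = "bypass"        # bypass | block
    minimum_active_servers: int = 1
    _next: int = 0                               # round-robin cursor

    def active_servers(self) -> list:
        return [s for s in self.servers if s.up]

    def is_up(self) -> bool:
        """The service is up only while Minimum Active Servers are reachable."""
        return len(self.active_servers()) >= self.minimum_active_servers

    def _pick(self, session: Session, candidates: list) -> Server:
        if self.method == "cyclic":
            server = candidates[self._next % len(candidates)]
            self._next += 1
            return server
        # Stickiness: every session from the same internal IP (subscriber) or
        # to the same external IP (destination) hashes to the same server.
        key = session.internal_ip if self.method == "hash_internal" else session.external_ip
        digest = hashlib.sha256(key.encode()).digest()
        return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]

    def dispatch(self, session: Session):
        """Returns ('steer', server), ('bypass', None) or ('block', None)."""
        if not self.is_up():
            return (self.unavailability_action, None)
        candidates = list(self.servers)
        while candidates:
            server = self._pick(session, candidates)
            if not server.up:
                action = self.server_failure_action
            elif server.at_capacity:
                action = self.capacity_reached_action
            else:
                return ("steer", server)
            if action != "redispatch":
                return (action, None)       # bypass: back to NE/SG; block: drop
            candidates.remove(server)       # re-dispatch among the remaining servers
        return (self.unavailability_action, None)


def demo() -> list:
    """Constructed scenario: srv1 down, Cyclic dispatch with Re-dispatch."""
    svc = LocalService([Server("srv1", up=False), Server("srv2"), Server("srv3")])
    return [svc.dispatch(Session("10.0.0.1", "203.0.113.5")) for _ in range(3)]


if __name__ == "__main__":
    for action, server in demo():
        print(action, server.name if server else "-")
```

Note the security consequence of each failure action: Bypass silently sends traffic past the anti-virus or parental control service it was meant to pass through, Block turns a server outage into a subscriber outage, and Re-dispatch moves the load onto the surviving servers. Choose per service, not by default.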

Steering and Mirroring 9-28

The fourth steering configuration step is adding the server to the local
service. With this step we define the actual servers which will be used by
the local service.
In order to add a new server, click the Add button at the bottom of the
local service window. The Add Server dialog box will appear.
The following parameters should be set:
General
Name should be a meaningful name, so this server is easily identified in
the servers list.
Admin Status can be set to either Active or Inactive.
Deployment can be set to External Switched, or External Direct as per
port configuration, or Internal when working with a service blade. Each
service blade must be configured as a server.
When working with an Internal deployment, the Server Slot should be
configured as well.

Steering and Mirroring 9-29

Network Configuration parameters are used for load balancing and health
monitoring of this server.
The MAC address will allow the NE/SG to identify traffic flowing back from
the server. When the tracking server method is set to Ping (in band) or
HTTP Request, the MAC is also used to identify if the server is up.
The IP addresses will be used for monitoring this server.
NOTE the following:
When the service type is set to Generic Proxy Redirection, there is no
need to configure a MAC address as the NE/SG will send an ARP to
retrieve it.
When BFD is used as a tracking method for the local service, there is
no need to define an IP here.
When deployment is set to Internal, only MAC address should be
configured.
Interface Connectivity parameters will define the port used to reach this
server, and the VLAN tagging to be used.
You can configure either an IPV4 or an IPV6 address.
SFC Port Id/Line is a drop down list allowing you to choose from all the
ports configured as External Switched Redirection or External Direct
Redirection.
In the VLAN Tag field, specify the chosen VLAN tags for this server.
Remember: these VLAN tags must also be configured on the switch.
Alternative Connectivity parameters are used to define the SFC ports for
IPMP Resiliency.

Steering and Mirroring 9-30

The fifth step of configuration is to combine the local services we have
created into a new integrated service.
In the Navigation pane, click Catalogs and right-click Service Activation.
Select New Integrated Service from the shortcut menu. The Integrated
Service Entry Properties dialog box will be displayed.

Steering and Mirroring 9-31

Enter a Name for your integrated service. You can also write a short
Description for it.
Choose the Service Type from the drop down list. This is the same list as
we have seen before:
Generic Transparent Redirection
Generic Proxy Redirection
Generic Mirroring
MediaSwift
Local services matching the selected service type will be shown under
Available. Select the relevant ones from the desired devices to create a
general Service. For example, when the service type is MediaSwift,
choose local services SG1-MediaSwift (External) and SG2-MediaSwift
(Internal) to create one MediaSwift service in your NetXplorer.
Save the new Integrated Service.

Steering and Mirroring 9-32

The sixth configuration step is to create a service chain. This is an optional
step. You will create a chain only when you want different services to be
applied to the same connection.
Remember there are 2 predefined services in the service activation
catalog which are built-in to Allot's AOS:
WebSafe
HTTP Monitoring
These services do not need to be configured as local or integrated
services.
In the Navigation pane, click Catalogs and right-click Service Activation.
Select New Integrated Service Chain from the shortcut menu. The
Integrated Service Chain Entry Properties dialog box will be displayed.
All your defined Integrated Services, as well as WebSafe and HTTP
Monitoring will appear in the list.
Choose the desired services. Note: WebSafe & HTTP Monitoring will
appear under services and your defined integrated services will appear
under Ordered Services. You can change the order of the services using
the arrows.

In order to add a new Service Plan, go to Catalogs in the navigation pane
and right-click the Service Plan catalog. Select New Pipe Service Plan or New
VC Service Plan. The new service plan rule dialog box will be displayed.
On the Condition/Action tab you will see the Service Activation action.
Choose the desired integrated service from the drop-down menu.

The last configuration step is to apply the integrated service in the
enforcement policy.
In order to add the service or service chain to the enforcement policy
table, open the table (by right-clicking the NE/SG icon in the navigation
pane and choosing Enforcement Policy). The policy table will be
displayed.
Add a new rule or edit an existing one. Set the service via the Service
Activation column. Either double-click the column in the policy table, which
will open a drill-down menu with all the defined integrated services and
chains, or double-click a rule name to open its properties dialog box,
and set the service activation via this dialog box. Make sure to save the
policy.

In case you are working with a video optimization service, you may want
to configure PDPI (Predictive DPI) for specific services, in order to allow
video traffic to be steered from the first packet rather than only after
enough packets have passed to identify the protocol.
In order to enable PDPI, open the NE/SG configuration window and go to
the Networking tab.

Next create a new service via the Service catalog.
1. Via the navigation pane, go to Catalogs and right-click Service. Choose
New Service from the menu.
2. Supply a name for your service.
3. Set the application type to HTTP_Video. This is the application
type that uses the PDPI utility. Once you do so, you will see that the
Predictive DPI combo box is automatically set to Exclusive. Any connection
attempting to access a server listed as Video in the PDPI ranking
table will be classified as the new service you create. Once enough
packets have passed to identify the protocol completely, reclassification
will change the connection's matching protocol to a different one.
4. Add a ports entry for this service as per your network. Adding only the
TCP signature means that all connections towards the video server will
be classified as this new service. Save the service.
Now you can configure your steering policy based on this service, and
ensure video traffic will be steered from the first packet.

Connect the service to the appropriate service type

Module 10
Basic System
Troubleshooting

In this module, we will introduce you to the basic troubleshooting steps for
Allot systems. We will start with the first questions that you should ask
yourself before beginning any troubleshooting process. Next we will see
how to verify that all the system elements are functioning and
communicating as they should. We will then see how to check if
connections are being correctly classified and bandwidth is being allocated
according to the configuration and our expectations. We will review some
common tasks such as verifying the key, checking software version and
more. At the end of this module we will present how to proceed with the
next step: how to create a snapshot file, search the online knowledgebase
and open a support case.

Basic System Troubleshooting

10-2

ACTE Technical Training

Before starting to troubleshoot a scenario in the network, you should
ask yourself three basic questions.
Firstly, what exactly is wrong? What do you expect to see and how is this
different from the actual behavior? When did it start?
Secondly, you should check the environment. Have any recent changes
been made to the network environment or to the Allot solution itself? Make
sure to check the Allot solution architecture as well as other network
elements which may affect the Allot solution.
Finally, make sure you check the Events log and the Alarms pane in the
NetXplorer GUI to see if the management system holds any clues as to
the problem being experienced.

We will now review several key steps which can be taken to ensure that
the system is functioning correctly.

You should take particular care when working in a firewall environment to
ensure that the appropriate ports are open between all of the network
elements. If not, the different elements of the Allot solution will not be
able to communicate and functionality will be impaired. Here we see a
summary of the different communication protocols used. Open each port
only between the two elements that need it, not network-wide.
Communication between the NX Client and the NX Server can take place
either over TCP:80 (HTTP) or over TCP:443 (HTTPS). HTTP is cleartext, so
prefer HTTPS wherever the client reaches the server across a network you
do not fully control. GUI browsing to the server is performed by the Java
RMI protocol. Java communication between the NX Client and Server
requires that TCP ports 1098, 1099 and 4446 are open. In addition,
TCP:4457 and TCP:50010 are used for communicating alarms, and
TCP:3873 for catalogs.
The transfer of monitoring and reporting data between the NE/SG and the
NetXplorer databases is performed over TCP:80 by default. It is possible
to configure TCP:443 instead. Communication between the NX Server and
the NE/SG for configuration purposes is performed by SNMP over UDP:161.
UDP:162 is used for sending events (SNMP traps) from the NE/SG to the
NetXplorer. In addition, UDP:123 must be open to enable NTP clock
synchronization. In case you define an SNMP client to retrieve SNMP
KPIs, this information will also be sent over UDP:161.
Finally, the databases on the NX server use TCP ports 50000, 50001 and
50002. NOTE: when working with additional components such as SMP,
SP or CSC, additional ports may be required. Check the appendix section
of the NX Installation & Administration Guide for more details.
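As an added example (not part of this guide and not Allot software), the following Python script turns the port summary above into a checklist that can be run from an NX Client host before a support case is opened. The port numbers are the ones listed in the text; the function names, the host name in the usage comment and the direction assumed for the monitoring-data flow are this example's assumptions. UDP flows (SNMP, NTP) cannot be verified with a TCP connect and are listed only for completeness; the self-check at the bottom uses a local listener so it runs without any Allot element present.

```python
"""Connectivity check for the Allot port matrix listed above.

Added example (not from the ACTE guide and not Allot software). The port
numbers are the ones given in the text; the host name, the split into
"ports the NX server must accept" and the direction of the monitoring-data
flow are assumptions for the demo.
"""
import socket

# Ports the NetXplorer server must accept from the NX Client (page text).
NX_SERVER_TCP_FROM_CLIENT = {
    80: "HTTP GUI (cleartext)", 443: "HTTPS GUI",
    1098: "Java RMI", 1099: "Java RMI", 4446: "Java RMI",
    4457: "alarms", 50010: "alarms", 3873: "catalogs",
}
# Monitoring/reporting data between NE/SG and the NX databases: TCP:80 by
# default, TCP:443 if configured. Direction assumed here: NE/SG -> NX server.
NX_SERVER_TCP_FROM_NE = {80: "monitoring/reporting data (default)"}
# UDP flows cannot be probed with connect(); listed for the checklist only.
UDP_FLOWS = {
    ("NX Server", "NE/SG", 161): "SNMP configuration / KPI polling",
    ("NE/SG", "NX Server", 162): "SNMP traps (events)",
    ("NE/SG", "NX Server", 123): "NTP",
}
# TCP 50000-50002 belong to the NX server's own databases; the page does not
# say any remote element connects to them, so they are not in the checklist.


def check_tcp(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within `timeout`.
    Resolution failures and refused/filtered ports both count as unreachable."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port)) == 0
    except OSError:
        return False


def missing_tcp_ports(host, ports, timeout=2.0):
    """Sorted list of the ports in `ports` that did not accept a connection,
    ready to paste into a firewall change request."""
    return sorted(p for p in ports if not check_tcp(host, p, timeout))


def report(host, ports, timeout=2.0):
    """Human-readable checklist for one target element."""
    missing = missing_tcp_ports(host, ports, timeout)
    lines = [f"{host}: {len(ports) - len(missing)}/{len(ports)} TCP ports reachable"]
    lines += [f"  BLOCKED tcp/{p} ({ports[p]})" for p in missing]
    return "\n".join(lines)


def local_demo():
    """Offline self-check: an open local listener must be reported reachable,
    and the same port must be reported blocked once the listener is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, no NX server needed
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = check_tcp("127.0.0.1", port)
    srv.close()
    after_close = check_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(local_demo())
    # From an NX Client host, against the (assumed) NX server name:
    # print(report("netxplorer.example.net", NX_SERVER_TCP_FROM_CLIENT))
```

Run the `report` call from the NX Client host and, separately, from an NE/SG management host with `NX_SERVER_TCP_FROM_NE`; a port that is open on the server but filtered somewhere in between shows up as BLOCKED only from the affected side, which is usually the quickest way to locate the firewall at fault.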

All Allot solution elements must be synchronized to the same time. Time
zones may differ between one element and another, yet absolute time
must be the same.
When a NetEnforcer or Service Gateway is added to the NetXplorer, it is
configured to use the NetXplorer server as its NTP server (with stratum
level 13).
It is recommended, however, to synchronize the NetEnforcer or Service
Gateway, the NetXplorer server, distributed collector and any other Allot
solution element with two servers: an external NTP server and the NX
server (in case connectivity with the Internet is lost). The server with the
lowest stratum will always take precedence.
When there is no synchronization between the different elements, it may
lead to unexpected graph behavior, or to problems in saving policy
changes. NTP-related issues are discussed in much greater detail in the
ACPP Allot advanced training course.

To define an external NTP server on a NetXplorer server, edit the following
file: /etc/ntp.conf on a Linux server, or c:\Allot\ntp\ntp.conf on a Windows
server. Modify this file and add this line:
server <NTP SERVER IP> minpoll 6 maxpoll 8 iburst
The minimum time interval between sending packets is defined
using minpoll. The maximum time interval between sending packets is
defined by maxpoll. These options specify the minimum and maximum poll
intervals for NTP messages, as a power of 2 in seconds (minpoll 6 = 2^6
= 64 sec, maxpoll 8 = 2^8 = 256 sec). iburst speeds up the initial
synchronization by sending a burst of eight packets instead of the usual
one; the packet spacing is normally 2 s.
When working on a Windows-based NX server, you should also:
1. Disable automatic synchronization with the Internet time server. From
the Control Panel open Date & Time. On the Internet Time tab, uncheck
the automatic synchronization with an Internet time server check box.
2. Disable the Windows Time synchronization service, so that it does not
compete with ntpd for the clock. Open the Services control panel and
double-click the Windows Time service. The Properties dialog appears.
Now change the Startup type to Disabled.
3. Finally, restart the NTP service on the NetXplorer server. On a Linux
server type the command: service ntpd restart. On a Windows server,
open the Services control panel, right-click the Network Time Protocol
service and select Restart.

Next, you will need to configure each NE/SG to synchronize with the external
NTP server.
To do so, use the go config ips command with the ts parameter:
go config ips ts <ntp1:ntp2:ntp3>
ntp1, ntp2 and ntp3 represent the IPs of different NTP servers that the NE/SG
can synchronize with. The NetEnforcer or Service Gateway will
automatically synchronize with the NTP server that has the lowest stratum
value (stratum levels define the accuracy of the NTP server).
For example, if you have two external NTP servers with IP addresses
10.31.68.48 and 10.0.120.1, the command would be:
go config ips ts 10.31.68.48:10.0.120.1
Remember, the NX server is not a reliable NTP server, and it is strongly
recommended to use external NTP servers if they are available.
Note: in case the time difference between the NE/SG and the newly
configured NTP server is more than 30 seconds backwards, the NE/SG
may reboot in order to synchronize. On a production in-line platform,
check the current offset first and plan the change for a maintenance window.
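The following Python helper, added here as an example and not part of this guide or of Allot's software, produces the ntp.conf line and the go config ips ts command described on the previous two pages, applies the ntp.conf change idempotently (re-running it never duplicates the server line), and flags the backward step of more than 30 seconds after which the NE/SG may reboot. The file paths and the 30-second threshold are from the text; the function names, the sample ntp.conf content and the IPv4-only restriction on the NE/SG command are this example's assumptions.

```python
"""Helpers for the NTP settings described in this module.

Added example, not from the ACTE guide or Allot software. File paths and the
30 s reboot threshold are the page's; function names, validation limits and
the sample configuration are this example's own assumptions.
"""
import ipaddress
import re

NTP_CONF_PATH = {"linux": "/etc/ntp.conf", "windows": r"c:\Allot\ntp\ntp.conf"}


def poll_bounds(minpoll=6, maxpoll=8):
    """Poll interval range in seconds; ntp.conf takes the exponent of 2."""
    if not 0 < minpoll <= maxpoll:
        raise ValueError("minpoll must be positive and not above maxpoll")
    return 2 ** minpoll, 2 ** maxpoll


def ntp_server_line(ip, minpoll=6, maxpoll=8, iburst=True):
    """The `server` line to put in ntp.conf, with the address validated."""
    ipaddress.ip_address(ip)            # raises ValueError on a bad address
    poll_bounds(minpoll, maxpoll)
    line = f"server {ip} minpoll {minpoll} maxpoll {maxpoll}"
    return line + " iburst" if iburst else line


_SERVER_RE = re.compile(r"^\s*server\s+(\S+)")


def upsert_server_line(conf_text, ip, minpoll=6, maxpoll=8):
    """Return conf_text with exactly one `server <ip> ...` line.

    An existing line for the same IP is replaced (so wrong poll options get
    corrected), other server lines are kept, and the line is appended when
    missing. Applying the function twice yields the same text.
    """
    wanted = ntp_server_line(ip, minpoll, maxpoll)
    out, found = [], False
    for line in conf_text.splitlines():
        m = _SERVER_RE.match(line)
        if m and m.group(1) == ip:
            if not found:
                out.append(wanted)
                found = True
            continue                    # drop duplicate lines for this IP
        out.append(line)
    if not found:
        out.append(wanted)
    return "\n".join(out) + "\n"


def ne_sg_ts_command(ntp_ips):
    """Build `go config ips ts <ntp1:ntp2:...>` for the NE/SG CLI.
    The colon separator is from the page; only IPv4 is accepted here because
    a colon inside an IPv6 literal would be ambiguous (assumption)."""
    if not ntp_ips:
        raise ValueError("at least one NTP server is required")
    for ip in ntp_ips:
        if ipaddress.ip_address(ip).version != 4:
            raise ValueError(f"IPv4 address expected: {ip}")
    return "go config ips ts " + ":".join(ntp_ips)


def may_reboot_on_sync(correction_seconds):
    """Page: a step of more than 30 s backwards may reboot the NE/SG.
    `correction_seconds` is NTP time minus the NE/SG clock (negative means
    the NE/SG clock must be stepped backwards)."""
    return correction_seconds < -30


if __name__ == "__main__":
    sample_conf = "driftfile /var/lib/ntp/drift\nserver 10.0.120.1 iburst\n"  # constructed
    print(upsert_server_line(sample_conf, "10.31.68.48"), end="")
    print(ne_sg_ts_command(["10.31.68.48", "10.0.120.1"]))
    print("reboot risk for -45 s:", may_reboot_on_sync(-45))
```

Measure the offset with `ntpdate -q <NTP SERVER IP>` (or `ntpq -p` on the NX server) before pushing the NE/SG command; a negative offset larger than 30 seconds is the case the note above warns about.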

In order to verify that the NE/SG is up and running, open its configuration
window. In the Navigation pane, select and right-click the NE/SG in the
network tree and select Configuration from the popup menu. The
Configuration window for the selected entity is displayed.
On the General tab, the Status field will show you if the system is active
or in bypass. For the Service Gateway you can also check the status of
each blade via the Slots&Boards tab. Choose a blade from the graphical
representation of the screen. Below the graphic you will see each sensor
and its current reading as well as the overall board status for that blade.

Alternatively, you can check system and blades status using a CLI
command. The go config view network command can be run on any
NE/SG. In the system status field, you will see if the system is active or
in bypass mode. In the SG output you will see a column called card
status which indicates the status of each blade in the system.
NOTE: Instructions for connecting to the in-line platform and logging into
the CLI are provided in Module 2: Introducing In-Line Platforms.

Now that we know the system is up and running, we will check what is
happening to the connections flowing through it. How are they classified?
What is the allocated bandwidth?

When you want to check connection classification, NetXplorer monitoring
is the place to start. Open an NE/Line/Pipe/VC graph to see if each rule is
getting the expected bandwidth. Open a host graph when you are looking
for information on a specific IP. You can then drill down or limit the graph
to see additional details.

To check connection classification via CLI, use the acstat command. The
acstat CLI command is a tool for troubleshooting classification of traffic by
the NetEnforcer or Service Gateway. The information can be viewed either
as a total number of connections, in an extended and detailed form, or in a
specific, filtered format. Full details of acstat usage are discussed in the
advanced ACPP Allot training course.
In order to view the total number of connections on an NE/SG, type the
CLI command acstat. This will show you the current total number of
connections, and will also break them down into protocol type categories:
TCP, UDP, any IP and non-IP.
The output is displayed per XLR, which is the processor of the NE, or of the
CC (Core Controller) on the SG.
Running acstat on a multi-blade device will display the total number of
connections per Core Controller, and per XLR on each Core
Controller. (The CC-200 of the SG-Sigma has one XLR and the CC-300 of
the SG-Sigma E has 2 XLRs.)

Running acstat -ix displays an extended view of all connections.
You can see the protocol that each connection was classified as, its
internal and external IP address and port, and the VC the connection
was classified to.
The state of the connection is also displayed. The options are:
DROP: Allot's DART engine has decided to drop this session as per the
policy configuration.
WIRE4EVER: Allot's DART engine has completed the matching process,
and a decision was made about the service of this session.
PARSED: Allot's DART engine has completed the matching process, and is
keeping track of the session in order to retrieve more information.
Example: FTP sessions in active mode will stay PARSED, since we are
waiting for the data connections.
UNWIRED: Allot's DART engine has seen the SYN packet but has not
yet completed the matching process. This means that it is in the middle of
identification.
Other fields supply enhanced information about the connection. Details
about these fields are discussed in the advanced ACPP Allot training
course.
In case you see that connections are not classified as you expect them to
be, this is the time to contact Allot Support.

Another display option for the acstat command is to display connections
per rule. You can list connections per active VC: acstat -lvc, per Pipe:
acstat -lpipe, or per Line: acstat -lline.
Here we can see an example of the command acstat -lvc, which displays
all active VCs in the system. You can see the total number of connections
classified to each rule, and which connections were accepted / dropped.
In the column furthest to the left, you can see the rule QID. This is an ID
number which is assigned to each specific rule. We will see later on how
this ID is used for troubleshooting. This ID is a set of up to 5 numbers:
The first number is the ID of the defined Line.
The second number is the ID of the defined Pipe or Pipe template.
If the Pipe is created from a Pipe template, the Pipe ID (template ID) will
be followed by the Pipe instance ID.
The next (4th) number is the ID of the Virtual Channel within the Pipe.
If the VC is created from a VC template, the VC ID (template ID) will be
followed by a 5th number representing the VC instance within the
template.
A Pipe ID will only include the first 3 numbers, and a Line ID will only
include the first number.
Note: The Fallback rule ID will always be 1.
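As an added example (not from this guide and not Allot software), here is a small Python module that tallies connection states from acstat -ix output and decodes the rule QID described above into its Line, Pipe and VC parts, producing the matching acmon command for the rule. It assumes acstat prints one connection per line with the state as a whole word, and that QID components are joined with dots; the sample output is constructed and only the state keyword on each line is relied on, not the column layout.

```python
"""Reading acstat output: connection-state tally and rule QIDs.

Added example, not from the ACTE guide or Allot software. The four state
names and the QID layout (Line, Pipe/template, Pipe instance, VC/template,
VC instance) are from the page. Assumptions: one connection per output
line with the state as a whole word; dot-separated QID components.
"""
import re
from collections import Counter

CONNECTION_STATES = ("DROP", "WIRE4EVER", "PARSED", "UNWIRED")
_STATE_RE = re.compile(r"\b(" + "|".join(CONNECTION_STATES) + r")\b")

# Constructed sample in the spirit of `acstat -ix`; not a real capture.
SAMPLE_ACSTAT_IX = """\
HTTP        10.1.1.5:51234   93.184.216.34:80    2.5.1.3    WIRE4EVER
FTP         10.1.1.7:41000   198.51.100.9:21     2.5.1.4    PARSED
?           10.1.1.9:50022   203.0.113.4:443     1.1.1.1    UNWIRED
BitTorrent  10.1.1.12:6881   203.0.113.77:6881   2.5.1.9    DROP
HTTP        10.1.1.5:51300   93.184.216.34:80    2.5.1.3    WIRE4EVER
"""


def count_states(acstat_output):
    """Tally connections per DART state. A share of UNWIRED connections
    that stays high over repeated runs is worth showing to support, since
    those connections are still waiting for identification."""
    counts = Counter()
    for line in acstat_output.splitlines():
        m = _STATE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


_QID_NAMES = ("line", "pipe", "pipe_instance", "vc", "vc_instance")


def parse_qid(qid):
    """Split a QID into named components (1 to 5 dot-separated integers)."""
    parts = [int(p) for p in qid.split(".")]
    if not 1 <= len(parts) <= 5:
        raise ValueError(f"QID must have 1-5 numbers: {qid!r}")
    return dict(zip(_QID_NAMES, parts))


def rule_kind(qid):
    """'line' (1 number), 'pipe' (2-3 numbers) or 'vc' (4-5 numbers)."""
    n = len(parse_qid(qid))
    return "line" if n == 1 else "pipe" if n <= 3 else "vc"


def line_id_of(qid):
    """Line ID is the first number of any QID."""
    return qid.split(".")[0]


def pipe_id_of(qid):
    """Pipe ID is the first three numbers of a Pipe or VC QID."""
    parts = qid.split(".")
    if len(parts) < 2:
        raise ValueError("a Line QID has no Pipe component")
    return ".".join(parts[:3])


def acmon_command(qid):
    """The acmon invocation that shows this rule's current bandwidth."""
    flag = {"line": "-l", "pipe": "-p", "vc": "-v"}[rule_kind(qid)]
    return f"acmon {flag} {qid}"


if __name__ == "__main__":
    print(dict(count_states(SAMPLE_ACSTAT_IX)))
    for q in ("1", "2.5.1", "2.5.1.3", "2.5.1.3.7"):
        print(q, rule_kind(q), acmon_command(q))
```

Feed the real output in with something like `count_states(open("acstat-ix.txt").read())` after saving a capture from the CLI session; comparing two captures taken a minute apart shows whether UNWIRED connections are clearing or piling up.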

When you want to check if bandwidth was allocated correctly as per the
enforcement policy you have configured, NetXplorer monitoring is the
place to start. Open an NE/Line/Pipe/VC graph to check the rate of traffic
which is flowing through each of the policy entities. Open a utilization
graph for the rules configured with a maximum bandwidth QoS, to check
the rule behavior. You can then drill down or limit the graph to see
additional details.

To check current bandwidth allocation via CLI, use the acmon command.
This command is a central tool for troubleshooting quality of service
issues.
Running this command will display the inbound/outbound traffic per
physical interface.
You can use this command to verify that all links see traffic.
This command will run continuously until stopped. You can stop it with
Ctrl+C.
As with the acstat command, acmon has different filter and display
options. We will review one of them now.

In case you want to check the allocated bandwidth at a specific moment
for a specific rule, you can type one of the following:
acmon -v <VC ID>
acmon -p <pipe ID>
acmon -l <line ID>
The ID is the same QID as seen earlier with the acstat command. The
output is displayed per Core Controller (for the Service Gateway) and per
XLR. It runs once and then stops.

Now we will see few common tasks which should be performed before
contacting Allot Support.

The first thing to verify is the existence of a valid license key. The NE/SG
license key can be checked by selecting the NE/SG from the network tree,
right-clicking and choosing Configuration. The details of the license and
its expiration date are listed in the Identification & Key tab. Here you
can see the key expiration date. Verify that the key expiration date is in
the future, and that all features you purchased are enabled.
Note: The NE/SG license expiration date is synchronized with the NE/SG
support contract expiration date. If a support contract has expired for a
particular in-line platform, then APU (Allot Protocol Update) will be disabled
for it. Protocol Pack updates can only be pushed from the NetXplorer to
in-line platforms for which APU is enabled.

Alternatively, the in-line platform license can be checked via CLI. The go
config view key command can be entered on any Service Gateway or
NetEnforcer. The output displays the activation key, followed by a list of
features. For each feature you will see whether it is enabled or
disabled. If the feature you require is listed as disabled, this is because the
key entered does not enable it.
To get a new license for an additional feature, you will be asked to provide
your box key. This is obtained by entering the boxkey command, as seen on
the screen.

The NX license key can be checked by selecting NetXplorer Application
Server Registration from the Tools menu. Here you can see the key
expiration date. Verify that the key expiration date is valid, and that all
features you purchased are enabled.
Note: The NX license expiration date is synchronized with the NX support
contract expiration date. In case the NX license has expired, APU will be
disabled and protocol updates cannot be downloaded to the NetXplorer.

Next check what software version is running on your NE/SG. Via the GUI
open the configuration window of the NE/SG, and go to the Identification &
Key tab. At the bottom of this dialog box, you can see the software version
and protocol pack currently used by the NE/SG. Alternately, you can check
the software version using the CLI command actype.

In order to check the NetXplorer software version, go to the Tools menu
and choose About NetXplorer. The window displayed here will be shown,
with the current software version of the NetXplorer.

Finally, in case you need additional assistance with troubleshooting the
Allot solution, now is the time to contact Allot Support. In this section we
will see how to do that.

A snapshot is a compressed archive (tar.gz) that can be produced for both
the NE/SG and the NetXplorer.
The snapshot contains log files, Virtual Channel definitions, system
settings and much more. Because it holds your configuration and logs,
treat it as confidential and share it only with Allot Support.
The snapshot gives us a precise picture of what was happening inside the
NE/SG and/or NetXplorer when a particular event occurred and as such, it
is an essential troubleshooting tool for customer support.

To create a snapshot on a Linux server, enter create_snapshot_logs.sh.
This script takes all the relevant logs and prepares a snapshot file that can
be sent via e-mail. Please note that this file can be large at times (approx.
9 MB). The snapshot will be created in
/opt/allot/tmp/snapshot_<date>.tar.gz
On a Windows server, the \allot\bin directory contains a batch file called
create_snapshot_logs.bat. The snapshot will be created under
\allot\tmp\snapshot_<date>.tar.gz

Using the CLI command snapshot, you can generate a snapshot file on an
in-line platform.
For a NetEnforcer the file name will be: snapshot.date_time.tgz.
For a Service Gateway, the file name will be:
snapshot.system.date_time.tgz and it will include logs from all blades.
The snapshot file will be created in the following directory:
/usr/local/SWG/snapshots/.
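Before attaching a snapshot to a case it is worth confirming that the archive is complete and readable, and recording its hash so support can tell a truncated upload from a bad archive. The Python script below, added here as an example and not part of this guide or of Allot's tools, does that for the directories named on the previous two pages. The e-mail size threshold, the function names and the constructed archives used by the self-test are this example's assumptions.

```python
"""Pre-flight check of a snapshot archive before attaching it to a case.

Added example, not from the ACTE guide or Allot software. The snapshot
directories and file-name patterns are the page's; the size threshold,
function names and the constructed archives in the demo are assumptions.
"""
import hashlib
import io
import os
import tarfile
import tempfile

SNAPSHOT_DIRS = {
    "nx_linux": "/opt/allot/tmp",
    "nx_windows": r"\allot\tmp",
    "ne_sg": "/usr/local/SWG/snapshots",
}


def latest_snapshot(directory):
    """Path of the newest snapshot*.tar.gz / snapshot*.tgz in `directory`
    (by modification time), or None when there is none."""
    names = [n for n in os.listdir(directory)
             if n.startswith("snapshot") and n.endswith((".tar.gz", ".tgz"))]
    if not names:
        return None
    return max((os.path.join(directory, n) for n in names), key=os.path.getmtime)


def snapshot_summary(path, max_attach_bytes=9 * 1024 * 1024):
    """Size, SHA-256 and a readability check of one archive.

    Put the hash in the case description; `max_attach_bytes` is an assumed
    e-mail attachment limit close to the ~9 MB size the page mentions.
    """
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha.update(chunk)
    try:
        with tarfile.open(path, "r:gz") as tar:
            members = len(tar.getmembers())   # also walks the whole stream
        readable = True
    except (tarfile.TarError, EOFError, OSError):
        members, readable = 0, False
    size = os.path.getsize(path)
    return {
        "path": path, "size": size, "sha256": sha.hexdigest(),
        "readable": readable, "members": members,
        "too_large_for_email": size > max_attach_bytes,
    }


def _write_archive(path, files):
    """Build a small tar.gz from {name: bytes} (demo helper only)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def local_demo():
    """Constructed snapshots in a temp dir: an older one, a newer one and a
    corrupt one. Returns (newest file name, member count of the newest,
    readability flag of the corrupt file)."""
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "snapshot_20120101.tar.gz")
        new = os.path.join(d, "snapshot_20120102.tar.gz")
        bad = os.path.join(d, "snapshot_bad.tgz")
        _write_archive(old, {"logs/old.log": b"old\n"})
        _write_archive(new, {"logs/a.log": b"a\n", "config/vc.cfg": b"vc\n"})
        with open(bad, "wb") as f:
            f.write(b"not a gzip stream")
        os.utime(bad, (900_000, 900_000))        # force ordering by mtime
        os.utime(old, (1_000_000, 1_000_000))
        os.utime(new, (2_000_000, 2_000_000))
        newest = latest_snapshot(d)
        return (os.path.basename(newest),
                snapshot_summary(newest)["members"],
                snapshot_summary(bad)["readable"])


if __name__ == "__main__":
    print(local_demo())
    # On an NX server: print(snapshot_summary(latest_snapshot(SNAPSHOT_DIRS["nx_linux"])))
```

If `readable` is False, regenerate the snapshot rather than attaching it; if `too_large_for_email` is True, upload it through the support case attachment instead of mailing it.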

In order to use the Allot online Knowledgebase, you first have to log in to
the Allot Support Area. To do so, open the Allot support page:
http://www.allot.com/support.html. Type in your user name (email address)
and password.
In case you don't have a user name and password yet, register at the bottom
of the screen and you will receive your login details by email once you have
been verified as an Allot partner or customer.

Here you can see the Support Area home page. Other than the knowledge
base, you can find in the support area information about your in-line
platforms, register new products, generate new keys for your products and
more. We will focus on the Knowledgebase and Support Cases.
In order to open the Knowledgebase, choose the knowledgebase tab.

The Allot Knowledgebase has 4 main parts:
Free Text search: enter any phrase here to search for the answer to your
question.
FAQs: Frequently Asked Questions. This section holds some of the most
common questions seen by Allot support teams. View this section to see if
your question was asked before.
Documentation: This section holds all Allot official documentation. This
includes Operation Guides, Installation and Administration Guides,
Hardware Guides and more for all Allot products. A documentation CD will
accompany every shipped product. However, Allot user guides are
regularly updated. Check here for the most up-to-date version of the guide
you seek.
Recently Updated: All items recently updated or created will appear here.
In case you still cannot find the answer to your question, contact Allot
Support.

You can also use the Allot Support Area to generate new keys for your
Allot products. You will normally want to generate new keys when you
upgrade to a newer version which requires a new key, or in order to test a
new feature.
From the registration page, you can click one of 4 buttons:
NetEnforcer Key which will lead you to a page displaying a new
permanent key for your in-line platform. The key will have the same
add-ons as per the original purchase.
NetEnforcer Temp Key which will lead you to a key generation page
for your in-line platform. Here you will be able to change some
configuration parameters of the key. The key generated via this page
will be temporary.
NetXplorer Key which will lead you to a page displaying a new
permanent key for your NetXplorer. The key will have the same add-ons
as per the original purchase.
NetXplorer Temp Key which will lead you to a key generation page
for your NetXplorer. Here you will be able to change some configuration
parameters of the key. The key generated via this page will be
temporary.
NOTE: In order to be able to generate a key your product must have a
valid support contract.

Here we see the permanent key generation page. You see the key string
itself, which can be copied from here to the in-line platform or the
NetXplorer. You can also see the S/W version of the generated key. In
case you want to update the software version, make sure to do so from
the registration page before you click the New Key button.
In addition, the support contract end date is displayed here. Note: The Allot
Protocol Update (APU) expiration date will be set to the end date of the
support contract.

Here we see the temporary key generation page.
Via this page you can change the software version of the key, or choose
additional add-ons for it. The key string will appear only after you click the
Generate Temporary Key button. The generated key will be valid for one
month. This means all key features will expire after a month.
Note: it is possible to generate up to 3 temporary keys for the same
software version.

Finally we will see how to open a new case with Allot Customer Support.
Go to the Cases tab and click the New Case button. This page will be
displayed.
Fill in the serial number or box key of the NE/SG or NetXplorer you want
to report on under Registration. Specify the issue in the Subject field. Supply
full details of the issue in the Description field. Share all the troubleshooting
steps you have performed so far. Supply additional information in the
Case Details section.
It is important to attach the snapshot in order to allow the Allot Support
teams to fully investigate the issue. Click Submit.
The case will now be seen by one of the Allot Support teams around the
world.

Which CLI command will you use to troubleshoot the following?
